Reducing application pay-per-request costs with Citrix NetScaler
In today’s cloud-first landscape, where applications are frequently billed on a pay-per-request basis, every incoming request carries a direct cost. Not all requests are legitimate or necessary; many are redundant, malicious, or outright abusive. Letting these through not only inflates operating expenses and degrades performance, but can also introduce serious security threats to your business applications.
That’s where Citrix NetScaler steps in as your trusted cost-saving partner. By intelligently processing, filtering, and blocking unwanted traffic right at the edge, NetScaler dramatically reduces backend load and eliminates the expenses associated with handling non-essential requests. In this article, we explore practical strategies for leveraging NetScaler’s advanced capabilities, such as IP Reputation, GEO blocking, and caching, to cut your application’s pay-per-request costs while strengthening your security posture.
Integrated Caching
Integrated caching utilizes in-memory storage on the NetScaler appliance to deliver web content to users without requiring a round trip to the origin server. Since cached objects are stored in memory, the first step is to set a global memory limit for caching. Citrix recommends allocating less than half of the total available memory for this purpose.
Example (the first command runs in the appliance shell, the second on the NetScaler CLI):
grep "memory" /var/nslog/dmesg.boot
sh cache parameter
Objects are organized into content groups, and you can create custom groups for specific content types. Configure selectors and apply them to content groups for efficient caching. Once configured, attach caching policies, based on rule expressions, to your virtual servers for fine-grained control.
Basic setup:
A few settings worth considering, explained:
Do not cache - if size is less than: prevents caching objects that are too small
Do not cache - if size exceeds: prevents caching objects that are too large
Do not cache - if hits are less than: prevents caching objects that are not accessed frequently
Maximum memory usage limit for the content group: limits memory usage for the content group
Prefetch: attempts to refresh objects that are about to go stale
Flash cache: queues requests that arrive simultaneously; NetScaler sends only one request to the backend server, retrieves the response, and distributes it to all the clients whose requests are in the queue.
To verify the caching statistics, run: stat cache detail
IP Reputation (IPREP)
IPREP uses real-time threat intelligence to identify and block traffic from known malicious IP addresses. NetScaler uses Webroot by OpenText to categorize IPs based on behaviour (such as botnets, scanners, spammers, or attackers) and enables you to take automated actions like blocking, redirecting, or logging based on the IP’s reputation score.
To access the Webroot database, the NetScaler appliance must be able to connect to api.bcti.brightcloud.com on port 443.
BrightCloud (OpenText) provides an IP lookup tool: https://www.brightcloud.com/tools/url-ip-lookup.php
NetScaler stores the logs in the following location:
/var/log/iprep.log
CLI Example to block all malicious identified clients on a CS server:
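One way to express this on the NetScaler CLI, given as an added example rather than the article's own listing. The names pol_drop_malicious_ip, log_iprep_drop and cs_vs_app are assumptions; substitute your own content switching virtual server.

```netscaler
# Added example; pol_drop_malicious_ip, log_iprep_drop and cs_vs_app are assumed names.

# Enable the IP reputation and responder features.
enable ns feature Rep RESPONDER

# Allow user-defined audit messages to be written to the audit log.
set audit syslogParams -userDefinedAuditlog YES

# Log action: record the client IP and requested URL for every dropped request.
add audit messageaction log_iprep_drop WARNING "\"IPREP drop src=\" + CLIENT.IP.SRC + \" url=\" + HTTP.REQ.URL"

# Responder policy: drop requests whose source IP the reputation
# database classifies as malicious, and log each drop.
add responder policy pol_drop_malicious_ip "CLIENT.IP.SRC.IPREP_IS_MALICIOUS" DROP -logAction log_iprep_drop

# Bind the policy to the content switching virtual server so it is
# evaluated on every request before traffic reaches the backend.
bind cs vserver cs_vs_app -policyName pol_drop_malicious_ip -priority 100 -gotoPriorityExpression END -type REQUEST

# Check the policy's hit counter after traffic has passed through.
show responder policy pol_drop_malicious_ip

# Persist the configuration.
save ns config
```

Watching the policy's hit counter and the logged entries before relying on the rule shows whether legitimate clients are being caught by it.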
Note: Required URLs for NetScaler database updates:
GEO Location
Citrix NetScaler ships with built-in GEO IP databases, found at /var/netscaler/inbuilt_db/ (powered by MaxMind GeoLite2), but these are not regularly updated by Citrix. To ensure accuracy, you can download and import updated databases:
MaxMind GeoLite2: Download Here
IP2Location Lite: Download Here
IPv4 IP2Location integration example:
Download IP2LOCATION-LITE-DB3.CSV and place it at /var/netscaler/locdb on your appliance.
Issue the command below:
Verify that the databases are correctly loaded using:
Functionality can easily be tested on the NetScaler by going into the shell and using:
By default, the GEO location databases are not loaded:
To load the built-in databases:
Advanced: BOT Management
Already handling bots? We previously covered effective bot management with NetScaler on our blog page.
Takeaway
Today, cost control is security and vice versa. Citrix NetScaler arms you with actionable tools (caching, IP reputation, GEO rules) to ensure you pay only for what matters and keep your cloud app safe, fast, and efficient.