REVIEW: Top application delivery controllers

Actual users offer comments on these ADCs: F5 BIG-IP, Citrix NetScaler ADC, HAProxy,, KEMP LoadMaster and NGINX.

on premises applications

Enterprise applications are subjected to intense but unpredictable loads. Ensuring consistent application delivery, in line with Quality of Service (QoS) guarantees, requires sophisticated load balancing and related capabilities for clustering, performance management and so forth. Application Delivery Controllers perform these tasks, helping application owners deliver a reliable, fast application user experience.

This article offers insights into some of the top Application Delivery Controllers. According to online reviews by enterprise users in the IT Central Station user community, this includes F5 BIG-IP, Citrix NetScaler ADC, HAProxy,, KEMP LoadMaster and NGINX.

What do enterprise users actually think about these top Application Delivery Controllers? Here, users offer their opinions about their favorite application delivery features from each solution while also sharing some thoughts on “room for improvement.”


Valuable Features
“The most valuable feature is the F5 LTM (Local Traffic Manager). This is the part of the product most organizations will be using most. It provides the core functionality to be able to load balance services and the means and the intelligence to be able to load balance based on advanced logic, e.g., TCL scripting. The F5 GTM/BIG-IP DNS (Global Traffic Manager) is another valuable feature. This feature allows for DNS load balancing, which means that high availability and load sharing can be done across services locally, as well as across data centers with advanced capabilities.”
Nathan T., Network Analyst at a financial services firm
“iRule: It's a great feature that helped us multiple times have an advantage over our competition (during PoCs) by performing traffic control/management functions that are not supported out of the box. Use Case: One client was deploying a new web app, where video/chat traffic is configured over the SOCKS protocol. We used iRule to disable the WAF Inspection when a SOCKS protocol packet passed through (because it is not supported), and enable the WAF Inspection for all other URLs on the same Web page.”

ProductSpec1492, Security Solutions Specialist at a tech services company
Room for Improvement
“Active-Standby sync has to be made automatic. All of the F5 boxes have an Active-Standby configuration. Users need to make changes in the Active box, but often users by mistake make changes in the Standby box. This creates problems when syncing between Active and Standby. There should be some indication from the F5 tool to avoid such mistakes.”
Sri C., User at a tech company

“The ASM [Application Security Manager] administration is quite complex. I am a technical GUI expert (not UI). They did improve the ASM administration in each version, but added new features, too. The topic itself is pretty complex, so it is not easy to provide a nice, clean interface. There are a lot of references and dependencies in-between the different subareas.”
TLMainframeWebSrvcs324, Team Leader Mainframe & Webservices at a financial services firm

Citrix Netscaler

Valuable Features

“Web Application Firewall; Content Switching Applications; SSL Handling. Deployment of NetScalers on our DMZ enables our organization to implement a secured gateway for our Web Portal, Inbound/Outbound application-web-service calls across our partners/clients, security and Traffic management.”
Michael R., Senior Systems Administrator at a financial services firm
“Load Balancing: Why? Availability/Performance: Those are the core features of the product and the main reason for the purchase of an ADC in my company. These features bring a lot of resources that improve the experience of the users.

NetScaler Gateway: Why? Availability/Security: We delivered more than 200 applications thru XenApp. This feature gives us the possibility to deliver the applications anywhere. Currently, 30% of access is through our NetScaler Gateway (internet connections).

Global Server Load Balancing: Why? Availability: Bring us the possibility to load balance our ISP’s links, delivering DNS responses thru available ISP providers.

Reverse Proxy/AAA Authentication: Why? Availability/Security: Many local websites/applications are now available through the internet, with NetScaler acting as reverse proxy, and through AAA authentication in order to authenticate only necessary users.”
Vitor A., IT Infrastructure Analyst at a manufacturing company
Room for Improvement
“The web management console uses a Java plugin. Some improvements are needed on the web management console.”
Michael R., Senior Systems Administrator at a financial services firm
“I think there is always room for improvement in this type of solution. For example, I think the GUI should be easy to understand.”
Joao A., System Administrator at a comms service provider


Valuable Features

“Reliability. HAProxy is the most reliable product I have ever used.  It is stable. Period. Will not fail unless you do something wrong. These features are why I give it a 10 out of 10. In some environments we are handling millions of requests per minute in a high-availability HAProxy cluster.”
Haim A., a SysOps Manager at a marketing services firm
“The heavily tuned full stack (NIC, kerne and user space) produces excellent performance. Their support is available for advanced troubleshooting. We have been able to achieve extremely high-performance load balancing in a short amount of time. As an example, using L4 mode, we routinely return more than 100GB/sec of MySQL traffic from a cluster of about 10 replicas.”
Alex D., Production Engineering at a financial services firm
Room for Improvement
“I would improve the web-based UI, but it’s a matter of personal preference.”
Gary G., Information Technology / Software Development
“HAProxy running in multiple cores, for example one for HTTP and another for HTTPS, requires the use of ‘nbproc’. So if nbproc = 2, you will have two processes of HAProxy running. However, the stats of HAProxy are not aggregated, meaning you don't really know the collective status in a single point of view. Each process has its own socket, and it's up to you to aggregate them, and then your stats become less accurate. Also, having multiple HAProxy nodes in High Availability mode requires the use of clustering software such as Pacemaker and Corosync which are very complex.”

Haim A., a SysOps Manager at a marketing services firm

Valuable Features

“Ease of use and support. The user interface precludes the need to be well versed with Linux IPVS command line. This makes it easy for junior team members to participate in managing load-balancing needs. The support especially helps us with quick remote fixes. With a remote fix, I can view the fix in real time and yet ease security concerns for my supervisor. We had a few issues and they responded immediately. They came in remotely and fixed them. Everything is really good from the customer service point of view, which is what we expected it to be.”
SystemIn6aa4, System Integrator

“Most important for us is that it makes sure that the load is distributed and that we always have access to the end-servers that they're connected to. We need that to make sure that we have a consistent, high level of service that the schools can rely on.”
Richard M., User at a government agency
Room for Improvement
“They could add an automated configuration backup to an FTP location (or something similar) so you don’t have to manually do it. I don’t see this as a problem, of course, as the configuration rarely changes and we only need one backup, but maybe for other users this feature would be handy.”
George P., IT Support at a government agency

“They're mostly designed to balance a particular type of traffic. I wanted to load balance DNS, and they just don't do it the way that we wanted to. So they're not used as DNS load balancers, whereas the previous ones were. In terms of balancing other traffic that they don't already balance, that would be a useful thing.”
reviewer830994, Senior ICT Support Officer at a government agency

KEMP Loadmaster

Valuable Features
“Most interesting features are geo-redundancy, support of important Microsoft applications like Exchange, Lync, SharePoint, Skype for business, etc. It also integrated with Azure, which is unique about this tool.”
messagin435144, Messaging Architect at a financial services firm
“Ease of Deployment. Application delivery controllers are not my company's strong suit. We needed a Microsoft Threat Management Gateway server replacement solution for a customer and were impressed with the simplified deployment of the Kemp LoadMasters.”
Alex C., CEO | Owner at a tech services company 

 “Skype for Business; Reverse proxy; Web application firewall; Multi-factor authentication—
There is a Forefront TMG replacement together with Skype for Business which even Microsoft recommends for DNS LB. However, customers require uptime, and my tests show that DNS for external users will have quite long time downtimes versus HLB.”

Kai S., Chief Consultant a tech company

Room for Improvement
“It needs to offer support for more business applications.”
messagin435144, Messaging Architect at a financial services firm
“Some of the support documentation seems to make assumptions that the person installing or configuring is experienced with the product or concepts. Further research got us through the installation and configuration without any issues.”
Alex C., CEO | Owner at a tech services company 


Valuable Features

“Simplicity, stability, and modularity. Because, if you are familiar with Apache, you will know why my first reason is simplicity. NGINX is simple to configure, very stable in a highly utilized environment and very modular, allowing DevOps to create its own modules for interactive use with NGINX.”
Goran P., Lead Engineer at a tech services company
“NGINX is extremely efficient in terms of the connection-rate-to-CPU cycles ratio, and in terms of the bandwidth-to-CPU cycles. It is configurable enough so smart engineers (which my team consists of) can configure virtually anything which a product manager (say "business") is able to imagine. Even more because businesses do not always know all the quirks of DevOps and operations.”
Andrii S., Startup Founder
Room for Improvement
“I would say ModSecurity 3.0 for NGINX Core, but they just released that. The biggest room for improvement would be to allow NGINX Core machines to cluster for memory zones in some way with a plug-and-play module.”
Derek D., Director of Architecture at a tech services company

“Only improvement needed that I would point to is scalability. With it, I mean clusterized organization on a low level. At the moment, the best alternative is RHEL HA.”
Goran P., Lead Engineer at a tech services company

Copyright © 2018 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022