
WAN Load Balancing by Elfiq Networks is a perfect fit for the Citrix WanScaler WAN Optimization Engine product. The Citrix NetScaler already performs Server Load Balancing on inbound connections, and can even perform Link Load Balancing on outbound connections. However, when it comes to managing link resiliency directly at the WAN links, at Layer 2, this is where Elfiq shines. The Elfiq Layer 2 implementation allows the Elfiq unit to be inserted between the firewall and the primary link router without any change to their configuration, for an easy deployment. For private WAN links, Elfiq will redirect packets to all links at Layer 2 on a per-session basis. Another great advantage with Elfiq is the low price point to get this type of functionality. When connectivity is being deployed to multiple sites with multiple links, Elfiq SitePathMTPX can be used with IPSec VPN tunnels and VoIP alongside enterprise applications for greater performance and resilience.

Citrix & Elfiq Networks Deployment Guide!

WAN Failover Video Tip:
WAN Load Balancing Video Tip:
The St.Bernard iPrism works with Citrix's Application Virtualization platform, XenApp, and works quite well. Seen as a perfect complement to each other, the Citrix NetScaler and XenApp products were tested with the St.Bernard iPrism Web Filter. Both companies offer architectures of one-arm (out-of-band) and two-arm (in-band) deployments. At Citrixlabs in Santa Clara, CA, USA, we tested both the out-of-band and in-band configurations of the iPrism Web Filter. We loved the fact that the iPrism is auto-discovered by the management software, so no console cable was needed.
With NetScaler:
We deployed the iPrism Web Filter behind the NetScaler in our proof of concept datacenter in Santa Clara, CA, USA, and configured the NetScaler for NAT (Reverse NAT) for outbound connections to the Internet. NAT is often performed by the firewall. The Web Application Firewall, also part of the Citrix NetScaler, was configured for protection against inbound security threats to websites and web applications.
The iPrism was configured to monitor outbound traffic from the internal subnet of 172.16.104.0/24, block all traffic to offensive websites, and monitor traffic to all other websites. The Real-Time monitor in iPrism gave us a detailed report on which users and IP addresses were going out to which sites on the Internet. We could see who was accessing what, and which content was being blocked. Particularly nice was the fact that the iPrism automatically authenticated each user to the Citrixlabs domain controller every time they surfed a new website, without them knowing it. This was very useful for keeping a tight grip on security and for compliance reporting.
With XenApp:
The powerful value is in the integration with XenApp. We plugged the iPrism in as an in-line device, and configured it to work with Citrix XenApp©, formerly known as Citrix Presentation Server. One of the key questions that will arise in this situation is this: with all of those Citrix XenApp thin clients logging into the XenApp and then launching browsers to the Internet, how does iPrism keep track of them? By adding the XenApp IP address to the iPrism configuration, the users are tracked using "Session Based Authentication", which catches each individual user and IP address in each browser session and in the reports. We were impressed by this and determined the iPrism to be an excellent fit into a datacenter outfitted with Citrix.

Citrix & St.Bernard Deployment Guide!
Network Diagram:
Watch this video tip:
AppExpert is now a useful tag used by Citrix Systems, Inc., to qualify articles and content on the web as that which pertains to the art of delivering applications to an end user. Becoming an "Application Expert" is not only an art, but as with anything else in the internet industry, takes time to learn. Becoming an Application Expert and using the knowledge takes time, drive and patience. In an effort to make this art easier, Citrix embarked on a series of product enhancements targeted toward the Application Expert, which started with the use of the NetScaler Policy Engine.
This was the first of many enhancements directed toward making application delivery easier for the individual using the product. Other product nomenclature was created for other features, such as "AppCompress" and "AppCache", but "AppExpert" seemed to stick, and a community website was born to promote the development of policies and expressions used in the course of business on the NetScaler at customer sites, by partners and in the labs at Citrix Systems.
The concept of the community site grew with favor as a much needed interactive forum for the exchange of ideas, policies, blogs, video tips and information to expand the knowledge of those using the Citrix products. Thus, the AppExpert community site was born to express this direction of growth in knowledge.
In an effort to create a community site that is both practical and useful for our customers, and in keeping with the principles of ease of use and name recognition, the community site formerly named "AppExpert" has been renamed to "NetScaler Developer Network" to allow for an easier fit among other Citrix product lines as the Citrix community continues to grow.
NetScaler Developer Network!
The #1 Web Filter by St.Bernard is now Citrix Ready. The Highest Performance Web Application Solution from Citrix Systems can now be deployed with the #1 Web Filter by St. Bernard. IDC ranked them #1, SC Magazine gives them high ratings, and you will agree when you plug this thing in. The Citrix Web Application Firewall protects inbound traffic destined to Web and Application Servers without degrading throughput or response time. Now, with St.Bernard's iPrism h-Series high performance appliances, you can also do outbound Web filtering, IM/P2P filtering, and antivirus detection. The iPrism Web Filter is optimized for the datacenter infrastructure and sits behind the firewall while it monitors traffic. St. Bernard's platforms are hybrid so that Web filtering, antivirus and IM/P2P filtering are all contained within one box, unlike other point solutions.
St.Bernard's iPrism Web Filter is easy to use and easy to manage. In fact, it's so easy, we had the device up and running in Proxy mode and then in Bridge mode in a matter of seconds. The management software auto-discovers the box, so you don't have to plug in a console cable - very nice!
It is far better than a transparent proxy because St.Bernard has engineered their filtering technology at the kernel level, so their bridge mode really is a bridge between interfaces, and not just a transparent proxy like other solutions in the market.
We deployed the iPrism Web Filter behind our NetScaler, and had the NetScaler perform NAT (Reverse NAT) for outbound connections to the Internet. The iPrism Web Filter adds another level of security that IT organizations sometimes look for to complement their existing base of high-performance Citrix Gear.

Citrix & St.Bernard Deployment Guide!



You can try this product for free.

The product demo is awesome.

As a hybrid unit, this is a steal.






NetScaler Developer Network!
Load Balancing
A crucial piece of knowledge to being an Application Expert is providing availability and offload of the backend servers across any TCP port number. Most web applications run on port 80 and 443. Some enterprise applications use custom ports. Either way, if you want to optimize the performance and keep clients connected when one of the servers or applications starts to fail, you will need a Load Balancer such as the Citrix Application Switch.
Load balancing allows you to distribute incoming requests to a particular virtual server (vserver or VIP) evenly across several backend physical servers. This is also known as Server Load Balancing (SLB). The virtual server runs load balancing algorithms within the Citrix Application Switch.
A vserver consists of a combination of an IP address, port, and protocol that accepts the incoming traffic. The vserver is bound to a number of physical services running on physical servers in the backend server farm. Typical physical servers range from Apache web servers to high-end enterprise applications such as SAP and Oracle.
A client sends a request to the virtual server, which selects a physical server in the backend server farm and directs the request to the selected physical server. Load balancing allows the Citrix Application Switch to choose the physical server with the lowest load and greatest available resources and direct the incoming request to that server. The Citrix Application Switch can select from many different algorithms for balancing the load, the most common being Round Robin.
Different virtual servers can be configured for different sets of physical services, for example TCP and UDP services. The Citrix Load Balancer supports protocol/application specific vservers for HTTP, HTTPS, FTP, SSL, SSL BRIDGE, SSLTCP, NNTP, DNS, SIP and SNMP services.
To help with your understanding and first-time configuration, this deployment guide speaks directly to configuring Load Balancing and SSL Offload on a Citrix Application Switch. It was developed for the SAP Application, but the concepts apply to any Web Application.
Citrix Load Balancing Deployment Guide.
Watch this Load Balancing Tip:
Tap into the power of AppExpert!
Read about the Citrix Load Balancer here.
Buy the Citrix Load Balancer here.
Border Gateway Protocol, open-source and it's para-virtualized. No more proprietary software and hardware: you can run as many copies of this as needed on one physical XenServer machine. As a proof point, we used the Vyatta Open Source router to build out our Link Load Balancing network in Santa Clara. The Open Source Vyatta is running on a Dell server. We configured the BGP routing protocol, but could also have configured OSPF or RIP and redistributed the routes. This configuration has been proven to outperform the incumbents, and is less costly by a wide margin. Reduce opex and capex and start rolling this out today.
What is needed:
- Vyatta Open Source Networking Software
- A Dell Server that supports Virtualization
- XenServer Enterprise 4.1
The Network:
Watch this Video:
Tap into the power of AppExpert!
We are all used to the familiar commands to configure IP Addressing on *nix and *dows types of systems, however there is a little bit of a trick involved with XenServer.
Imagine if you had built your XenServer in one location and then transported it to another location where a different IP Addressing scheme was being used. In order to have XenCenter come in contact with the XenServer again, you will need to re-configure the Management IP Address. Since you probably won't RTM, and you don't want to rip your hair out trying to figure it out, the steps are outlined in this XenServer Tip.
Tap into the power of AppExpert!
Rewrite
Performing content rewrite at milli-speed is key to providing a front-end device for application delivery. Most important is the capability to rewrite both request and response headers & body content which the Citrix Application Switch does and it is an easy 3-step process to configure. Not only is it easy, it scales to Enterprise class applications, which we demonstrated here with the Oracle Enterprise Business Suite v12 in our lab in Santa Clara, CA, USA.
This Content Rewrite Deployment Guide walks through the steps necessary to quickly profile an application and configure the Citrix Application Switch for content rewrite. This deployment guide can be used as a reference for other Enterprise applications, in addition to Oracle. Some typical examples of how customers use the Citrix Application Switch for content rewrite are to insert the Client-IP as an HTTP header, delete old X-Forwarded-For headers, tag SSL and non-SSL connections, mask the HTTP server type (Server Obfuscation), redirect external URLs to internal URLs (Application Obfuscation), migrate Apache rewrite module rules, redirect marketing keyword requests, redirect old home pages and redirect queries to the appropriate server.
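The header-related rewrites listed above, modelled in Python as an added example (this is not Citrix configuration and not code from the deployment guide). The `X-SSL` header name, the masked `webserver` banner, and all hosts and addresses are assumptions; dropping a client-supplied `Client-IP` or `X-SSL` before inserting the trusted ones goes one step beyond the list above.

```python
# Headers the front end owns; a client-supplied copy is never trusted.
# "X-SSL" is an assumed name for the SSL / non-SSL tag.
OWNED = {"x-forwarded-for", "client-ip", "x-ssl"}

# Constructed sample messages (hosts, paths and addresses are made up).
SAMPLE_REQUEST = (
    "GET /app/login HTTP/1.1\r\n"
    "Host: apps.example.org\r\n"
    "X-Forwarded-For: 10.1.1.1\r\n"
    "x-forwarded-for: 127.0.0.1\r\n"
    "CLIENT-IP: 127.0.0.1\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.8 (Unix)\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a raw HTTP/1.x message head into (start_line, [(name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def build_head(start_line, headers):
    """Serialise a start line and header list back into a message head."""
    return "\r\n".join([start_line] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n"


def rewrite_request(raw, peer_ip, is_ssl):
    """Delete old forwarding headers, then insert trusted ones."""
    start, headers = parse_head(raw)
    # Header names are case-insensitive and may repeat: remove every copy first.
    headers = [(n, v) for n, v in headers if n.lower() not in OWNED]
    # The address comes from the TCP connection, never from the request itself.
    headers.append(("Client-IP", peer_ip))
    headers.append(("X-SSL", "on" if is_ssl else "off"))
    return build_head(start, headers)


def rewrite_response(raw, banner="webserver"):
    """Mask the HTTP server type on the way back to the client."""
    start, headers = parse_head(raw)
    headers = [(n, banner if n.lower() == "server" else v) for n, v in headers]
    return build_head(start, headers)


if __name__ == "__main__":
    print(rewrite_request(SAMPLE_REQUEST, "203.0.113.7", is_ssl=True))
    print(rewrite_response(SAMPLE_RESPONSE))
```

The delete-then-insert order is what keeps a backend from logging or authorising on an address the client typed into its own request.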
Watch this Rewrite Tip:
Tap into the power of AppExpert!
Read about the Citrix Application Switch here.
Buy the Citrix Application Switch here.
In the Application Expert series part 2, Caching, I released a Deployment Guide discussing Static and Dynamic Caching. As we are partners with Microsoft, we recently did some work here internally setting up some Dynamic Caching for an ASP.NET application and thought we would share the knowledge. This Caching Deployment Guide for ASP.NET Web Applications discusses the way an Application Expert would find out the potential caching scenarios that a web application can benefit from, and shows how to create and test the NetScaler caching policies and settings to put these scenarios into effect.
Tap into the power of AppExpert!
And it's FREE! Throw away those behemoths that suck power from every grid in the state and drain your budget. This baby is Free, Open Source and VIRTUAL, meaning you can run as many instances of this router as you want on your choice of hardware. What is even more gratifying is it's faster than the old router technology.
Vyatta has commoditized router, firewall and VPN deployment in the same way that Linux commoditized the operating system market. Vyatta open-source networking offers you an alternative to over-priced, inflexible products from proprietary vendors.
Vyatta software enables customers to build routing and security solutions using standard x86-based hardware of their choosing, ensuring networks will always meet performance requirements. Vyatta open-source software delivers the unique advantage of allowing customers to scale networks from the simplest LAN configurations to large BGP WAN edge configurations using a single software package.
Vyatta software includes support for most commonly used network interfaces, industry standard routing and management protocols, and all of these features are configurable via a single command-line interface (CLI) or web-based graphical user interface (GUI) - avail Q3'08. The integrated features and functionality make Vyatta software ideal for SMB, Branch Office, Enterprise and Service Provider deployments.
Summary of features:
BGP, OSPF, RIP, DHCP, QoS, IPSec VPN, VRRP, PPP, 802.1Q, Complete List.
This open source router is already running on XenServer in a large service provider in Europe. We are using it in our Citrix Ready program as a multi-link Intranet with connections to the Internet along with high availability link load balancing.
This para-virtualized Vyatta image runs as a virtual appliance in XenServer v3.2.1 and v4.1.
The XenServer Platform we are using:
- Dell Poweredge 2950 server.
- 2 x Intel 64-bit Quad-Core Xeon Processors, Model E5335 @ 2.00 GHz each, for a total of 8 CPUs.
- 2 Intel 82571EB Gigabit Ethernet (on-board)
- 2 Broadcom NetXtremeII Gigabit Ethernet
- 16 GB of memory.
- 300 GB of Storage.
- XenServer v4.1
- *note: CPU's must support virtualization technology.
Virtual Router - Install:
Virtual Router - Config:
Tap into the power of AppExpert.
Application Delivery is at the top of the list of any organization's priorities. Keeping up with those priorities requires a move to dynamic application delivery and virtualization. The Citrix NetScaler Application Switch is a powerful step in that direction.
Compressing content at the server level can be done, but is tedious, and with the number of hosted servers on the backend growing proportionally with virtualization, it is better suited to a frontend tool.
As an Application Expert, determining what type of content is compressible vs. that which is not compressible should be at the tip of your tongue, or at least you should be able to reference this post or document. The thing is, while some content types remain compressible/non-compressible across many applications, you might run across an application that requires some content be treated uniquely. For example, the SAP application requires that PDF files should not be compressed when sent back to the clients. Either way, you should know how to dynamically configure rules to accommodate the application's content. This Compression Deployment Guide shows you how.
Watch this Compression Tip:
Buy the Citrix NetScaler Application Switch here.
Tap into the power of AppExpert.
Hundreds of thousands of Web servers have been getting hacked, including several at the United Nations. The appearance is that the hack exploits a vulnerability in Microsoft IIS because of a Microsoft SQL-specific injection payload; however, the attack is capable of infecting any type of web server open to SQL Injection and Cross Site Scripting (XSS) attacks.
Microsoft released some security bulletins (951306, MS08-006) stating vulnerabilities in their IIS web server, alluding to the vulnerabilities recently brought to light. A script homed at nihaorr1.com based in China was found to be infecting many servers, and spreading quickly. Further research into the problem indicates that non-Microsoft types of servers may also be affected by the attack.
As of May 12, 2008, Google's Index had 1,700,000 infected pages. The domains currently being injected that contain the malicious Javascript are:
This vulnerability and others like it can easily be stopped with a Citrix Web Application Firewall using default policies to block SQL injection and Cross Site Scripting. We set up a demo in our lab to show how easy it is to configure and block this type of threat.
See the malicious script in action:
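For checking whether a site's own stored content already carries an injected script reference of the kind described above, here is an added example (not from the original post and not Citrix code). The allowlist, site host names and sample rows are constructed, and the script path on nihaorr1.com is a placeholder.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_HOST = "www.example.org"                      # assumed site being checked
ALLOWED_HOSTS = {PAGE_HOST, "static.example.org"}  # assumed script allowlist

# Constructed sample of stored content (text columns rendered into pages).
# The script path on nihaorr1.com is a placeholder, not a value from the post.
SAMPLE_ROWS = {
    "products/17": '<p>Blue widget</p><script src="/js/cart.js"></script>',
    "products/18": "Red widget<script src=http://nihaorr1.com/PLACEHOLDER.js></script>",
    "news/3": '<h1>News</h1><SCRIPT SRC="//static.example.org/lib.js"></SCRIPT>',
    "news/4": 'Hello<script src="http://NIHAORR1.com/PLACEHOLDER.js"></script>'
              '<script src="http://nihaorr1.com/PLACEHOLDER.js"></script>',
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def script_host(src, page_host=PAGE_HOST):
    """Resolve a script URL (absolute, //host/x or relative) to its host."""
    absolute = urljoin("http://%s/" % page_host, src)
    return urlparse(absolute).hostname or ""


def find_foreign_scripts(rows, allowed=ALLOWED_HOSTS):
    """Return (row key, host, tag count) for scripts loaded off-allowlist."""
    findings = []
    for key, html in rows.items():
        collector = ScriptSrcCollector()
        collector.feed(html)
        collector.close()
        hosts = Counter(script_host(src) for src in collector.sources)
        for host, count in sorted(hosts.items()):
            if host not in allowed:
                findings.append((key, host, count))
    return findings


if __name__ == "__main__":
    for key, host, count in find_foreign_scripts(SAMPLE_ROWS):
        print(f"{key}: {count} script tag(s) loading from {host or '(no host)'}")
```

Rows that come back flagged need cleaning at the database level; blocking new injection attempts at the firewall does not remove script references that were written before the policy was in place.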
Watch how Citrix Web App Firewall blocks the malicious script:
See how easy it is to configure the Citrix Web App Firewall:
Read about the Citrix Application Firewall here.
Buy the Citrix Application Firewall here.
Tap into the power of AppExpert
As an addendum to the Citrix NetScaler Policy Engine post I wrote recently, I pulled together some Frequently Asked Questions (FAQ) pertaining to the Policy Engine (PE). Policies are used to configure various Citrix NetScaler Application Switch features, and are executed in the order of their priorities. The priorities are configurable and increment in units of 10.
Watch this Policy Priority Tip:
Tap into the power of AppExpert!
Policies are used to configure various Citrix NetScaler Application Switch features. For example, the parameters for compressing content are defined in a compression policy.
The features that use policies are:
- Load Balancing
- Content Switching
- Content Filtering
- AppCompress
- Cache Redirection
- SSL VPN
- Priority Queuing
- DoS Protection
- Sure Connect
Policy expressions are applied to content that enters the switch. Expressions are shared among features, but actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system. You can then create a compression policy that uses this expression to compress those files. The Policy Engine (PE) refers to the architecture in the Citrix NetScaler Application Switch for versions up to 8.x. The architecture for Policy Engine and the manner in which it operates is presented in this Deployment Guide. Did you know that each feature in the Citrix NetScaler Application Switch is processed in a certain order, and that the Policy Engine (PE) applies policy according to that order? That order is represented in this diagram and discussed in the Deployment Guide for Policy Engine (PE).
Watch this Policy Engine Tip:
Tap into the power of AppExpert!

