The Citrix Blog
Application Delivery Infrastructure
News, opinions, and ideas on Application Delivery Infrastructure
 
"During times of universal deceit, telling the truth becomes a revolutionary act."  Those are the words of George Orwell, the same man who wrote Animal Farm and forever changed our views about social behavior.  Orwell populated a farm with animals to imitate the behavior of humans at their most despicable.  For those of you who have read the book (and for those of you who are less enlightened), you'll remember that the Pigs wield the power of deceit to convince the rest of the "animals" that their situation is much better than it really is, creating a power base from which they (the Pigs) rule.

Well, with all of the hype around what Clouds are and are not, I've got some great news for you.  There is a storm on the horizon and it's full of Clouds that have applications pouring out of them.  That's right, it's an application fest and Citrix is seeding the cloud with a form of "silver iodide and frozen carbon dioxide" (oops, dare I say that with Cap and Trade on the horizon). We want it to rain applications and give service providers the means to successfully pull additional revenues by supplying their customers with applications that run better and give a High Definition User eXperience (HDX).

Wouldn't it also be awesome if you could manage your entire data center with a fully optimized workload management capability that provided high availability and flexibility?  Well then, you need to look at how server virtualization works together with application delivery for a highly profitable approach to the Cloud.

So register for the Citrix Service Provider Business Webinar, tell your friends who might want to know how to make this happen, and you won't be fooled by the Pigs.

Registration Information 


Citrix Service Provider Business Overview -

EMEA (https://www1.gotomeeting.com/register/527632217)

Americas (https://www1.gotomeeting.com/register/822345865)

APAC (https://www1.gotomeeting.com/register/826234609)


One hundred and fifty billion dollars! That's $150,000,000,000 or €107,635,000,000 or ¥14,458,000,000,000. In any currency we are talking about a lot of money. According to some estimates this represents the total projected revenues for Cloud Computing by 2013.  Don't you wish you could capture just a small percentage of that total market?  Just think, a 2% capture rate would yield $3,000,000,000 or €2,152,700,000 or ¥289,160,000,000... still a lot of money. 

Well, we may be on our way, as we see the evolution of Amazon S3 and EC2, Google Apps, Microsoft Azure and IBM's LotusLive Connections.  Even though Larry Ellison has been quoted as calling Cloud Computing "gibberish", Oracle has now entered the mix as well.  How are we to make heads or tails of all this?  What is the breakdown of the Cloud from a business perspective, and what is the evolution from where we are today?

It all starts with two basic descriptions, "private" and "public" Clouds.  There is a very important distinction here in that the road to implementation will be markedly different in each area.  How Information Technology evolves between now and 2013 has everything to do with these terms.  Kind of scary, but even the U.S. Government is involved: the National Institute of Standards and Technology has published its definitions and findings.

In the Private Cloud world, large enterprise businesses will be looking for ways to evolve their current IT environment.  And, like the wave of electronic miniaturization when microchip technology finally came of age, IT will be changed forever.  Enterprises will be trying to figure out how to model their internal IT operations after the Web and web-based applications.  There are a few model companies today who have already done the math, understand the value proposition of working this way and are full steam ahead in implementation.

Bechtel is one such large enterprise.  In an article entitled "Around the Clock, Around the World", they talk about how they are changing the future by using virtualization infrastructure today, "Bechtel's Information Systems and Technology group developed a "virtual company" of dedicated servers, firewalls, and software programs to enable massive transfers of engineering data..."  As a result of this progressive approach to managing information using private cloud technology, "Bechtel's intranet, combined with work-sharing software and advanced network security, is making it possible for far-flung team members to communicate and tap securely into linked databases, CAD models, and other tools."  Bechtel relies on technology from Citrix to achieve this state.

The second and possibly more controversial category is the Public Cloud.  The companies given the most publicity in this area are those highlighted at the beginning of this blog.  Amazon, Google, Microsoft and IBM have the most notoriety.  However, companies like RackSpace are emerging as well.  There is quite a bit of swirl around how these monoliths will shake out in terms of winning the space.  The end goal for these companies is to produce utility based Information Technology.  Some would say that this is the commoditization of services heretofore called the IT organization.  The truth is that there will be a mix of virtualized data center infrastructure (IaaS) and application delivery platforms (PaaS) starting with non-mission critical workloads and services.

Within this "Public Cloud" category is a subset that currently services the Small and Medium Business segment.  These are the companies who have seen the hype and latched onto the taxonomy.  What were at one time "Hosting Service Providers" now look at themselves as Cloud Providers.  And why not?  They have very similar business goals as the Amazons and Googles of the world... namely, the portability of services from on-premise to off-premise using a time based subscription model.  Most of these companies are part of the Microsoft eco-system driving revenue for themselves and for Microsoft through the Service Provider Licensing Program.  Why is this important to those who would play in the Cloud space?  Because there are over 5 Million SMBs in this target market worldwide with an average employee count of 100.  In each of these SMBs, a percentage would be considered knowledge workers who require business productivity applications.

Nasstar, a "cloud provider" in Europe is taking advantage of this new ideology and technology approach.  They boast subscriptions for SMBs in London and the surrounding area with a growing contingent of customers.

Now to round out the discussion.  With a typical subscription rate of $50 per month for productivity apps in the SMB, the projected worldwide annual revenues for the Hosting Service Provider community could be $30,000,000,000 or €21,577,000,000 or ¥2,891,000,000,000. And that is a lot of money too!

Whether Private or Public, Large Monolithic or Hoster (for SMB), one thing is agreed upon by all who are in the market... namely, there is only one way to achieve the scale needed to capture these revenues... Virtualize!


In the first part of this blog series we looked at specific details on Citrix Delivery Center and the Disaster Recovery demonstration for SAP NetWeaver. In this posting we will cover the different High Availability solutions also demonstrated at SAP. In addition to this blog series, please refer to the Reference Architecture document, which provides all the technical details about the Citrix and Marathon solutions implemented for SAP.

Getting back to High Availability, Citrix XenServer and Marathon Technologies everRun VM for XenServer provide solutions that cover a broad spectrum of High Availability requirements, ranging from planned maintenance to complete system-level fault tolerance.  Given that breadth, IT administrators should be able to find a Citrix XenServer High Availability solution that meets their application availability needs.

When looking for an HA solution, various factors such as application criticality and business impact must be considered before choosing a particular solution for an application. A more detailed report on determining availability requirements can be found here.  
In our Proof Of Concept environment at SAP, we showcased all levels of High Availability offered by XenServer and everRun VM. First let's look at the out-of-the-box High Availability solutions that XenServer alone delivers:

  • XenMotion: XenMotion supports live migration of running virtual machines from one XenServer host to another.  Its primary purpose is to prepare for planned server maintenance.  The end user experiences no interruption in application performance during a XenMotion migration.
  • XenServer High Availability (HA) - Level 1: XenServer HA provides High Availability by automatically restarting failed virtual machines on a different XenServer host within the same resource pool.  The end user will experience an interruption in service as the virtual machine restarts.

In addition, Marathon Technologies everRun VM for XenServer provides High and Continuous Availability for critical virtual machines hosting business applications like SAP NetWeaver Portal:

  • everRun VM for XenServer-- Level 2: Marathon Technologies everRun VM Level 2 delivers High Availability from component-level fault tolerance, eliminating downtime caused by I/O component failures and guaranteeing recovery from system failures. The solution identifies faulty I/O pathways before they become a problem and responds to a wide range of I/O and component failures. Active validation of all components on primary and secondary hosts ensures smooth recovery following any primary host component failure.  
  • everRun VM for XenServer - Level 3: Marathon Technologies everRun VM Level 3 provides Continuous Availability from system-level fault tolerance, eliminating data loss, downtime and transaction loss. It offers all of the benefits of Level 2 and adds two important attributes:
    a.    Zero downtime, even with complete XenServer host failure.
    b.    Preservation of application and memory states during failure.

The following video features the Marathon everRun VM Level 3 High Availability solution demonstrated at SAP Co-Innovation Labs, Palo Alto. Again, for more technical details on the implementation, please take a look at the Reference Architecture.



Part - 3

In this entry of the series, I am going to answer a few questions we asked ourselves while planning our BYOC program at Citrix.

In the Citrix BYOC program (I named it Citrix Choice), I was on the steering committee, and we had a few questions to ask ourselves.

Here were some of the questions we asked:

"How much of a stipend should we pay per user?"
We chose $2100 because we asked the users to get a new computer with a 3 year warranty. Of course this amount varies from company to company depending on budgets, etc.

"Should we have system requirements?"
We went with the fact that most of the computers coming out had respectable performance. We also mandated that the users with a BYOC computer have an anti-virus solution, the Citrix Receiver and related plug-ins. We set up an AWESOME internal website that had guides on configuring the wireless connections, Citrix Access Gateway, Citrix Receiver, and other settings the user might want. We leveraged our partnerships to get discounts on Microsoft Office, anti-virus, and other hardware and software needs.

"What OS's should we allow?"
We had clients and software for Windows Vista, XP, and Mac OS. We might do Linux later, but we wanted to go with the three mainstream operating systems with our initial roll-out.

"Why should we do this?"
Users wanted the latest and greatest hardware and wished IT could keep up with the curve. On a standards scale, it is hard to do that, but if you are a self-supported user then it becomes feasible. If you are a hardware geek (like me), you like to change out your equipment quicker than the IT refresh timeline. BYOC gives you the flexibility to do this. We also wanted to leverage our own solutions.

"Are there HR concerns?"
This was a big question for us. We debated it over a few meetings and took a few weeks on this part of the process. We wanted to make sure we were compliant with regulatory requirements. We leveraged our current policies for many of the answers; most of our existing policies already addressed most of our concerns. Most companies already have these types of policies in place. Check your company's data, email, and technology policies and you will find that most of your concerns are already covered. Legal departments usually cover all possible bases when they write these policies.

"Should there be a term?"
Of course every company, country, and department has different requirements and wants/needs in this area. It is a very difficult question to answer, but we chose 3 years at Citrix. So when the warranty is up, the term is up. This way the user does not have to pay premium prices for repairs or parts after the warranty has expired. The user can then opt in or out for the next three years.

"How can we do this and maintain compliance?"
We leveraged our own products (XenServer, XenDesktop, Access Gateway) to stay in compliance. With Citrix solutions, we are able to keep data secure and encapsulated within our corporate environment. All of the users' work-related documents are stored in a home folder on the network.

"How much freedom do we give the users?"
We give the users the freedom they have been demanding while keeping compliance. We give them the freedom to use any computer they want. We also give them the freedom to have one computer for work and play. With the company data secure on our internal network and documents stored in network home drives, the user has carte blanche to do whatever they want on their computer.

Hopefully, this helps answer some of your questions and can help you in implementing your own BYOC programs. If you have any other questions, please feel free to email me at tedd<at>citrix<dot>com and I will try to address them in future posts.

More later...


Several Citrix products have been nominated for the 2009 Information Security Magazine / SearchSecurity.com Readers Choice Awards:

  • NetScaler, Application security: Web application firewall, application/code vulnerability assessment/QA, Web services security
  • Access Gateway, Remote access: IPsec, SSL VPNs and other remote access products
  • Branch Repeater, Other: Branch optimization/application acceleration solution

Thanks to your support, last year we won the Bronze Award under the 'remote access' category for Citrix Access Gateway and the Bronze Award under the 'application security' category for Citrix App Firewall.

While technically not a security product, Branch Repeater does play a role in building a secure IT infrastructure. Branch optimization allows businesses to centralize applications and data in secure datacenters without sacrificing end-user performance.

Surveys have already gone out to readers of Information Security and SearchSecurity.com via e-mail. If you received one of these surveys please take a few minutes and vote.


As the Cloud evolves, critical technology enhancements will also have to evolve to meet the challenge regarding mass delivery of applications or applications/software as a service.

In phase II, Enterprises will continue to expand the use of Cloud Computing through their own Private Clouds and the continuing extension of data centers to the larger cloud providers.  This will require Cloud providers to enhance their storage and application delivery models and provide a seamless provisioning scheme for both server farm management and end user subscriptions.  Citrix is aiding this evolution by providing a testing ground for service providers and enterprises alike to begin proof of concept work for Cloud integration.




During this phase, Tier 1 managed service providers (MSPs) will also enter the space using the Tier 2 MSPs as proving grounds through white label offerings.  Tier 2 MSPs will need the ability to provide multitenancy by managing multiple server farms both on premise and off.  Tier 2 MSPs will also have to grapple with the integration of back office billing to the large service provider Operations (OSS) and Billing (BSS) systems.

Deutsche Telekom through its Managed Services group, T-Systems, has already begun to develop this market approach.  Note that the Cloud will be used in this phase to continue expansive growth of existing data centers and not to displace them entirely either in the MSP or the Enterprise.  As with Phase I, the Cloud Bridge is the essential component to provide integration between the Cloud Center and Enterprise or MSP data centers.


Part 2

In our last installment of this series, I touched on the paradigm of the BYOC (Bring Your Own Computer) concept. In many cases, this concept can scare the IT departments of the world because it is giving some very important control back to the user because the user decides on the equipment and the software they will use.

In the old realm of IT:

The technicians and/or the respective departments owned the actual hardware and software. Hardware ownership can be a double-edged sword. Yes, the department has the control of standardization to help with supporting the machines, but the company is now responsible for the actual financial asset, spare parts, book keeping, and "end-of-life-ing" the machines when they are old or fail. Some may see this as a small item, and I may agree there, but there is a disadvantage to this scenario.

Support costs money:

Each time a user submits a trouble ticket for a hardware issue, it has a fee attached to it. Every time a technician attends to hardware troubleshooting, it has a fee attached to it. Service agreements with hardware vendors have a big fee attached to them.

We (IT) are in the business of saving the company money, right? If IT is busy supporting the hardware, when will IT get cycles to innovate, optimize, and simplify other processes and procedures (a.k.a. save money)?

In the BYOC world:

Users OWN the laptop and the support agreements for the hardware and OS themselves. When the user obtains the laptop, they get a three year support agreement (like AppleCare). When a user has an issue, they call the vendor to troubleshoot the hardware and/or OS. If there is a problem, the user sends the laptop off to the manufacturer for repair (or brings it to a local repair depot). If the user has to send in or leave the laptop, IT can help with a loaner pool during the down time; IT would only need a small loaner pool for this. This saves IT cycles and IT money across the whole company because IT is not being billed for service calls, support contracts, or personnel hours. Saving support dollars and support time is a major part of the BYOC concept. Thus making the bean counters happier.

What IT would own:

IT would own the corporate software (Microsoft Office, SAP, etc.). IT would own the security of those applications and any data that is being accessed and stored via those applications. With Citrix XenApp, all of the company software resides on the XenApp servers. This ensures that license compliance is in IT's control and that updates, patches, and administration are under IT's control. XenApp does not care about hardware vendor, OS (Macintosh, Windows, Linux), or connection. If the user wants software installed locally (not via XenApp), the user would purchase the software, install it, and support it themselves without IT support. Some users may want this option, but the number is not large. Users usually like having the software support that IT provides.

It is all about having a choice for today's tech-savvy workers!

At Citrix, we leverage our partnerships and vendors to offer employee discounts on certain software, but this method is not imperative for a BYOC program to work since the user still has access to these applications via XenApp.

Of course there are a couple of other AWESOME Citrix solutions that can be implemented in the BYOC world and we will talk about those in future installments of this series.


Today, most of the "new workforce" has grown up with computers, TiVo, social networking, instant messaging, blogging, texting, Twitter, and the Internet. In most cases, these people are tech-savvy and they have an understanding of newer technologies. They all carry a cell phone and use it as a main point of contact. They have, and will, leverage new technology just to see "what it does."

When new workers join the workforce, they expect a similar computing experience. If the "Echo-Boomers" have a company computer, they expect it to behave and be comparable to the laptop they use for personal computing needs. They expect a choice of computers based on merit, aesthetics, and function, and do not see the reason for standard-issue laptops that are not as advanced as the personal computer they use at home. They want a small selection to choose from and want to customize it to make it "their own."

IT, on the other hand, looks at the standardization of equipment as a "must have" to support the hardware. What if IT did not have to support the hardware and just the digital assets? What if the user took care of the hardware?

There is a "middle-ground" in this battle between IT and "new generation." It is called Bring Your Own Computer (BYOC). Citrix has been in the news over the last year with this concept and I have received many emails asking me to explain this "new school of thought." In this series of blog posts I will demystify the BYOC paradigm and show you how users can have a choice of computers and devices whilst IT retains control over digital assets that are paramount to company success. Stay tuned...


HDX MediaStream does a fantastic job of reducing the network bandwidth requirements for streamed video compared with rendering the video on the server. When using HDX MediaStream your bandwidth requirements roughly equal the bit rate of the source video file. For lower quality clips, like those found on YouTube, this is around 256Kbps. For full HD content the bandwidth requirements can be as high as 8Mbps.

While this works great over a high speed LAN, trying to push that amount of data over a typical branch office T-1 is another story. The problem is magnified even further when multiple users in the branch office repeatedly pull down the same video content. In this situation, the video quality suffers and other business applications can be impacted. This issue has nothing to do with XenApp or XenDesktop. It is purely a function of the size of the video file and the limited amount of available network bandwidth.

What can you do about this? Well if the culprit is the latest viral video making its way around the Internet you could attempt to block access to sites like YouTube. However, what if the video is for legitimate business purposes? I talked to one customer at Synergy who is rolling out a corporate compliance training video to their entire company using XenApp but is worried about the impact to network bandwidth.

Enter Citrix Branch Repeater and HDX IntelliCache. With Branch Repeater 5 we now participate in the ICA session and accelerate the ICA virtual channel used by HDX MediaStream. The first time the video is streamed to the branch office, Branch Repeater caches the content locally. The next time the video is requested, Branch Repeater serves the content from its local cache rather than pulling it across the WAN. Using branch caching, you can reduce the bandwidth requirements for on-demand videos by up to 90%.
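To make the arithmetic behind that "up to 90%" figure concrete, here is an added example (not Citrix code, and not how Branch Repeater is implemented) that models a branch-side cache: the first request for a clip crosses the WAN, later requests from the same branch are served locally. It goes slightly beyond the text by bounding the cache in bytes with LRU eviction and by treating a clip larger than the cache as uncacheable, so you can see where the savings stop. The clip sizes (bit rate times duration) and the request sequence are constructed for illustration.

```python
"""Toy model of branch-side caching for repeated video requests (added example)."""
from collections import OrderedDict

# Constructed catalogue: clip name -> size in bytes (bit rate in bit/s x seconds / 8).
# A 256 Kbit/s YouTube-style clip of 10 minutes and an 8 Mbit/s HD clip of 30 minutes.
CLIPS = {
    "training.mp4": 256_000 * 600 // 8,        # 19,200,000 bytes
    "hd_keynote.mp4": 8_000_000 * 1800 // 8,   # 1,800,000,000 bytes
}


class BranchCache:
    """Byte-bounded LRU cache standing in for a branch appliance."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.entries = OrderedDict()   # clip -> size, oldest first
        self.used = 0
        self.wan_bytes = 0             # bytes pulled across the WAN
        self.served_bytes = 0          # bytes delivered to branch users
        self.hits = 0
        self.misses = 0

    def fetch(self, clip):
        """Serve one request; returns 'hit', 'miss' or 'miss-uncacheable'."""
        size = CLIPS[clip]
        self.served_bytes += size
        if clip in self.entries:
            self.entries.move_to_end(clip)   # refresh LRU position
            self.hits += 1
            return "hit"
        self.misses += 1
        self.wan_bytes += size               # every miss crosses the WAN
        if size > self.capacity:
            return "miss-uncacheable"        # too large to keep: streamed straight through
        while self.used + size > self.capacity:
            _, evicted = self.entries.popitem(last=False)
            self.used -= evicted
        self.entries[clip] = size
        self.used += size
        return "miss"

    def wan_savings(self):
        """Fraction of delivered bytes that did not cross the WAN."""
        return 1 - self.wan_bytes / self.served_bytes if self.served_bytes else 0.0


def simulate(requests, capacity_bytes):
    """Run a request sequence through a fresh cache; returns (cache, outcomes)."""
    cache = BranchCache(capacity_bytes)
    outcomes = [cache.fetch(clip) for clip in requests]
    return cache, outcomes


if __name__ == "__main__":
    cache, outcomes = simulate(["training.mp4"] * 10, 100_000_000)
    print(outcomes, f"WAN savings {cache.wan_savings():.0%}")
```

Ten users watching the same training clip give exactly one miss and nine hits, which is where a 90% figure comes from; the saving is a property of how often the same content is requested, not of the clip itself, and a clip that does not fit the cache gets no saving at all.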

Don't just take my word for it. You can see a demo of this in action on the latest edition of Brian Madden TV. (If you don't want to watch the entire episode you can jump ahead to 5:49 into the clip).


When we talk about the Citrix Delivery Center, we are talking about an end-to-end application delivery infrastructure solution. A solution which represents a family of Citrix product lines: Citrix XenServer, Citrix XenApp, Citrix NetScaler and Citrix XenDesktop. It also represents products that add integrated security, management and networking functions, products such as: Citrix Access Gateway, Citrix Branch Repeater and Citrix Desktop Receiver. Overall, the Citrix Delivery Center gives customers the power to adopt virtualization that meets their specific requirements. Customers can choose to optimize delivery of their Web Applications, Windows Applications, Desktop Delivery, Data Center Optimization - individually or in combination. How about all of them?


Now according to a recent Forrester study "49% of enterprises surveyed that are implementing or interested in virtualization solutions indicate that improving disaster recovery/business continuity continues to be a very important motivation for adoption". So what better way to pique their virtualization/business continuity interest than by demonstrating an end-to-end Citrix and Marathon combined solution onsite at the world's largest business software company SAP.
Recently the Citrix Worldwide Consulting Solutions and Business Development teams did just that. We built and demonstrated a Proof of Concept environment that delivered a highly available and virtualized SAP infrastructure using a complete Citrix Delivery Center solution. Within a two week period, the Citrix, Marathon, and SAP teams built and demonstrated a complete Proof of Concept environment. For a quick project overview please refer to the data sheet here.

So how did we do it?  First, we virtualized every Citrix Delivery Center component and the backend SAP NetWeaver application servers using Citrix XenServer. Then we showcased what a remote SAP NetWeaver user would experience accessing the SAP NetWeaver Portal via Citrix Delivery Center, while focusing on the high availability/fault tolerance solutions Citrix and Marathon provide. Finally, we simulated a complete failure in the primary site and used the NetScaler Global Server Load Balancing feature in conjunction with Marathon's everRun DR product to fail SAP over to a secondary data center.

Let's go through the steps that describe the demonstrated user experience:

  • Remote SAP NetWeaver Portal user securely connects to the SSL VPN provided by Citrix Access Gateway Enterprise Edition.
  • All connections from the remote user client are accelerated using Citrix Branch Repeater Plug-in.
  • Remote user is seamlessly presented with the Citrix Web Interface website with on-demand access to virtual desktops, applications, bookmarks and other corporate resources.
  • From the Citrix Web Interface page, the remote user launches a virtual Windows XP desktop hosted by Citrix XenDesktop. This desktop is a private virtual image of Windows XP running within a secure data center and maintained from a centralized Windows XP image provisioned dynamically with Citrix Provisioning Server.
  • From the secure virtual Windows XP desktop, the remote user launches a published SAP NetWeaver Portal delivered by Citrix XenApp. The published NetWeaver Portal application is separated from the virtual Windows XP Operating System allowing optimal user performance.
  • As the remote user navigates the application, all SAP NetWeaver Portal connections pass through a Citrix NetScaler configured to optimize SAP NetWeaver Portal application delivery.

We also demonstrated the following high availability and recoverability solutions provided by Citrix XenServer and Marathon everRun software:

  • Level 1: XenServer delivers out-of-the-box high availability, including cost-effective core failover, recovery and restart capabilities for SAP applications running in the virtual environment.
  • Level 2: Marathon everRun VM delivers high availability of component-level fault tolerance, eliminating downtime caused by I/O component failures and guaranteeing recovery from system failures.
  • Level 3: Marathon everRun VM's Lockstep Technology delivers continuous availability from system-level fault tolerance, eliminating data loss, downtime and transaction loss.
  • Disaster Recovery: Marathon everRun DR provides a robust and flexible remote disaster recovery solution providing automated and reliable long-distance protection for critical data and applications, in this case, SAP.

Each piece of the demonstration was broken down into small video segments for this blog. The first video features the Citrix Delivery Center environment for SAP from top to bottom including the remote user login, virtual desktop access, and SAP NetWeaver Portal launch. Then a complete site failure is simulated and the secondary site recovery is shown using Marathon's everRun DR solution with Citrix NetScaler's Global Server Load Balancing feature.

Stay tuned for a detailed reference architecture and video blogs on different High Availability scenarios including everRun VM also demonstrated at SAP Co-Innovation Lab.

Here's the video:



Securing Web Applications with an Application Firewall

I have been working with Application Firewalls for quite a few years - many times to protect web applications published in languages and character sets that I didn't understand. Frequently, I have seen these Application Firewall deployment projects get bogged down in pursuit of the perfect policy set.

I have also seen many situations in which this process and application changes actually break these applications.

The NetScaler Application Firewall deployment can also be subject to these issues since the appliance provides extensive application firewall features. Even with the learning capabilities, creating the ideal set of security policies for any application can be a trial and error process that can take significant time.

In this blog, I would like to share an implementation methodology that shortens the deployment, and helps avoid breaking the applications to be protected. Experience has shown that approaching the configuration of the Application Firewall in stages is the key to timely success. This methodology is effective for all types of applications and their needs.

To alleviate the time and risk of varying degrees of policy complexity, break the task into stages. That is, separate the policy configuration into groups of ascending risk.  While some may raise the point that a simplified protection policy set is not complete, it must be remembered that protection stages will build upon each other, and will be better than allowing unfiltered access while all policies are in learning or logging/warning mode.

The benefit of staging is that a basic set of policies is made operational first.  The following stages then consist of a repeatable process of "policy tightening" procedures, as required by the application.

Stage I

When configuring the NetScaler Application Firewall policies, start with some of the basic protections.  Activating the simple, generic policies almost never produces false positives.  These typically include:

  • Protect against Cross Site Scripting (XSS) attacks
  • Protect against SQL Injection attacks
  • Protect against Buffer Overflow attacks
  • Prevent Credit Card Leakage
  • Prevent access to system files
  • Alter the contents of the server headers

Activating these policies will typically not break applications.  As such, a small user community - with /etc/hosts overrides pointing at the protected virtual server - can be used to validate the configuration over a fairly brief validation period.

More importantly, this is a great start. These policies create security effectiveness that can typically be rated as a level seven on a scale of zero through nine (you can never get to a perfect "10" in security).

Stage II

The next stage will include applying policies that require more application validation to determine the application specific relaxation adjustments ("policy overrides").

But first, don't forget to ask yourself if this application actually requires tightened policies.

If so, Stage II protections should be sequenced: Cookie Tampering prevention should be switched to blocking first. Then, move on to blocking tampering with the values of parameters and/or hidden form fields.

Start with cookie poisoning prevention ("Cookie Consistency"). It will likely require the fewest relaxations, so it builds on the Stage I successes most rapidly.

To do this, use the learning process to identify the cookies that are legitimately altered between the response and request process. Minimally, relaxations will be required for cookies that are set and modified by third party monitoring services. Again, because of the staging, this learning can happen while the basic policies are in place and actively applying their protection mechanisms.

If further tightening is required, focus on creating policies that prevent users from tampering with the values of parameter and hidden form fields. This is achieved by activating "Field Consistency" learning in the NetScaler application firewall. Depending on the architecture of the application or a frequent use of client side scripting, these policies carry a higher risk of blocking legitimate requests. These policies thus require a more extensive learning period and associated relaxation overrides.

It should also be noted that these Stage II policies and their relaxations do have a tendency to be susceptible to producing false positives as applications change, and should be re-evaluated in conjunction with major application changes.

Stage III and Beyond

If the application contains highly sensitive information, or undergoes frequent changes, further security configuration may be required.

Stage III typically involves enforcing field formats and enforcing user navigation paths. Adding restrictions to field input types, such as date formats, and more, will require further time for learning these application attributes. Be aware that these policies will also be more likely to be sensitive to application changes.

Enabling the "Start URL" facility allows users to access only the specifically stated URL types. Due to the flexibility inherent in application architectures, however, these restrictions may require modification to include additional request types present in a particular application.

Lastly, carefully consider activating "URL Closure" to control the flow of access by users. Enforcement of this policy set disallows users from navigating to locations not previously offered by an application response. These policies may require significant application validation if client side scripts modify URLs, or if Flash objects contain links.

The above policies tend to bend the needle towards the nine level, but they will be more likely to cause false positives during policy refinement or when the application changes. Leaving them to Stage III, however, means the protection afforded by the Stage I and Stage II policies continues during the refinement.
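To make the staging concrete, here is an added toy model of the rollout described in Stages I to III. It is not NetScaler code and its signatures, check names and sample session are all constructed for illustration; the point it shows is that the generic Stage I checks block from day one while the application-specific checks only record relaxation candidates until their stage arrives.

```python
import re
from dataclasses import dataclass, field

BLOCK, LEARN = "block", "learn"

# Constructed signatures standing in for the appliance's built-in checks (toy model)
SQLI_RE = re.compile(r"(?i)('\s*or\s+\S+=\S+|union\s+select|--|;\s*drop\b)")
XSS_RE = re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*=")
MAX_VALUE_LEN = 1024

# Stage I: the generic protections block; the application-specific ones only learn
STAGE_I = {"sql_injection": BLOCK, "cross_site_scripting": BLOCK,
           "buffer_overflow": BLOCK, "cookie_consistency": LEARN,
           "field_consistency": LEARN, "start_url": LEARN}

@dataclass
class Request:
    url: str
    params: dict
    cookies: dict

@dataclass
class Session:
    """What the firewall remembered from earlier responses to this client."""
    set_cookies: dict = field(default_factory=dict)    # cookies the server set
    hidden_fields: dict = field(default_factory=dict)  # hidden form field values
    offered_urls: set = field(default_factory=set)     # links in earlier responses

@dataclass
class Firewall:
    actions: dict                                   # check -> BLOCK or LEARN
    start_urls: list = field(default_factory=list)  # Stage III Start URL regexes
    relaxations: set = field(default_factory=set)   # (check, item) pairs to skip
    learned: list = field(default_factory=list)     # relaxation candidates

    def violations(self, req, sess):
        for name, value in req.params.items():             # Stage I checks
            if SQLI_RE.search(value):
                yield "sql_injection", name
            if XSS_RE.search(value):
                yield "cross_site_scripting", name
            if len(value) > MAX_VALUE_LEN:
                yield "buffer_overflow", name
        for name, value in req.cookies.items():            # Stage II: Cookie Consistency
            if sess.set_cookies.get(name) != value:        # not set by server, or altered
                yield "cookie_consistency", name
        for name, value in sess.hidden_fields.items():     # Stage II: Field Consistency
            if name in req.params and req.params[name] != value:
                yield "field_consistency", name
        if (not any(re.fullmatch(p, req.url) for p in self.start_urls)   # Stage III
                and req.url not in sess.offered_urls):
            yield "start_url", req.url

    def inspect(self, req, sess):
        """('block', check) for the first blocking violation, else ('allow', None).
        LEARN-mode violations are recorded as relaxation candidates instead."""
        for check, item in self.violations(req, sess):
            if (check, item) in self.relaxations:
                continue
            if self.actions.get(check) == BLOCK:
                return "block", check
            if self.actions.get(check) == LEARN:
                self.learned.append((check, item))
        return "allow", None

def staged_rollout():
    """Walk one constructed client session through Stages I-III; returns decisions."""
    sess = Session(set_cookies={"JSESSIONID": "s1"}, hidden_fields={"price": "100"},
                   offered_urls={"/cart"})
    fw = Firewall(actions=dict(STAGE_I), start_urls=[r"/", r"/login"])
    out = {}
    # Stage I: injection in a parameter is blocked outright ...
    out["sqli"] = fw.inspect(Request("/login", {"user": "x' OR 1=1 --"},
                                     {"JSESSIONID": "s1"}), sess)
    # ... while a third-party analytics cookie only produces a learning entry
    out["ga_stage1"] = fw.inspect(Request("/cart", {}, {"JSESSIONID": "s1",
                                                        "_ga": "GA1.2"}), sess)
    # Stage II: relax what learning found, then switch Cookie Consistency to block
    fw.relaxations.update(c for c in fw.learned if c[0] == "cookie_consistency")
    fw.actions["cookie_consistency"] = BLOCK
    out["ga_stage2"] = fw.inspect(Request("/cart", {}, {"JSESSIONID": "s1",
                                                        "_ga": "GA1.9"}), sess)
    out["session_tamper"] = fw.inspect(Request("/cart", {}, {"JSESSIONID": "s2"}), sess)
    # Field Consistency is still learning: the altered hidden field is logged, not blocked
    out["price_stage2"] = fw.inspect(Request("/cart", {"price": "1"},
                                             {"JSESSIONID": "s1"}), sess)
    # Stage III: URL Closure - only Start URLs or links the app offered are reachable
    fw.actions["start_url"] = BLOCK
    out["closure"] = fw.inspect(Request("/admin", {}, {"JSESSIONID": "s1"}), sess)
    out["offered"] = fw.inspect(Request("/cart", {}, {"JSESSIONID": "s1"}), sess)
    return out, fw.learned
```

The `learned` list returned at the end is the analogue of the learning data reviewed before each stage is promoted; a real deployment turns those entries into relaxations or fixes before switching the check to block.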

Summary

Personally, when I plan my application firewall deployments, I always attack the assignment in the phases outlined above. I focus on the quick return policies first. Then I take time to consider if the sensitivities of the specific application even warrant the extra effort of going all the way to Stage III. This last question can produce some interesting answers that pit my application security ideals against the practicalities driven by the depth of my current to-do list.

And then, of course, this staged approach may be completely ignored in situations in which a specific application has just suffered an attack through a vulnerability that a Stage III policy would have covered. Such situations may warrant overriding the staged approach and focusing on addressing the impacted vulnerability immediately.

Also, don't forget to sign on to MyCitrix and download the Application Hacking Kit and actually try some of the most common application attacks on the BadStore application!

Permalink | Twitter Post to Twitter | Comments (0) | Views (3645) |

How many of you have worked with or started designing a XenDesktop solution?  Chances are you have tons of questions about the best way to design the environment for growth, scalability and stability.  I know this because I, like so many others, am asked the same questions.  For example:

  • Should I install or stream applications into the virtual desktop?
  • Where should the Provisioning Services write cache go?
  • How should I design my Web Interface implementation to provide seamless integration without causing confusion for my users?
  • How do I provide better availability to the TFTP server used to deliver the Provisioning Services bootstrap file?

Thomas Berger and I started gathering these questions to build the XenDesktop Design Handbook.  The current release of the Handbook is focused on Operating System, Application and Virtual Desktop delivery design decisions, but this is only a start. Over the coming months, we will continue expanding into different design decision areas commonly discussed in a XenDesktop solution, including virtualization infrastructure and implementation practices. We will discuss the Citrix Consulting Best Practices about these topics and encourage you to submit your related questions.  Thanks, and we look forward to hearing from you.

Daniel - Sr. Architect

Follow me on Twitter: http://www.twitter.com/djfeller
Follow me in the Blogs: http://community.citrix.com/blogs/citrite/danielf

Permalink | Twitter Post to Twitter | Comments (1) | Views (5869) |

We're going to have another exciting round of Geek Speak Live! at this year's Synergy! As many of you know, Geek Speak is a series of informal discussions led by technically minded folks about topics that interest us all; for example, "TS vs. VDI" and "IT in the Cloud." This year we have four different session formats planned: a Geek Speak day session track, Geek Speakeasy sessions during Expo Hall, Geek Speak Tonight!, and a Geek Speak Happy Hour.

For details about the different session formats, check out http://www.citrixsynergy.com/geekspeaklive

We've got several Citrix Technology Professionals (CTPs) and other industry experts lined up on the agenda to do what they do best...lead interesting discussions! Speakers include:

- Alex Danilychev  
- Bernhard Tritsch  
- Brandon Shell
- Brian Madden  
- Charles Aunger
- Gabe Knuth 
- Gus Pinto
- Jason Conger  
- Jeroen van de Kamp  
- Joe Shonk
- Michael Keen
- Rich Crusco
- Rick Dehlinger  
- Ruben Spruijt  
- Shawn Bass  
- Steve Greenberg
...and more!

And this time, we're going to have the Citrix CTOs mixing it up even more with the CTPs. The following CTOs are planning their GSL sessions as we speak:

- Abolfazl Sirjani
- Brad Pedersen
- Chris Fleck
- Ian Pratt
- Jason Lieblich  
- Kurt Roemer  
- Martin Duursma
- Michael Harries
- Simon Crosby  

You can vote on your favorite session topics and suggest new ones through our Geek Speak Live Topic Voting Tool. Just log onto the site to cast your votes!

We will also have sponsor sessions taking place at the Geek Speakeasy. These sessions will be led by:

- Microsoft
- HP
- Dell
- Intel
- NetApp
- Wyse
- Stratus
- AppSense
- IGEL
- Symantec
...and more!

We'll be posting more details about the Geek Speak session speakers, topics, and schedule soon, so please stay tuned to the Citrix Community and Synergy sites to find out the latest. Note that speaker and session details may be subject to change prior to the event.

Be there -and- be square! Hope to see you at this year's event.

Laura Whalen

Citrix Systems, Inc.

Permalink | Twitter Post to Twitter | Comments (0) | Views (4071) |

In 1993 Bell Atlantic was frantically trying to figure out how to deploy television services over their network to compete with the then emerging Cable companies.  They failed.  In 1998 Verizon embarked on a campaign to provide television through their network starting with high rise apartments and condominium complexes in order to quicken the pace of deployment through what was then called MDU (Multi Dwelling Unit) delivery.  Deals were struck with huge developers and a 50 city roll out started in 2000.  They failed.  In 2001 BellSouth began deploying FTTC (Fiber to the Curb) in an effort to deliver entertainment services to their subscribers through high bandwidth fiber optic cable.  They failed.  In 2005 Southwestern Bell Communications (SBC) announced U-verse, a Very high speed Asynchronous Digital Subscriber Line (VHDSL) based Internet Protocol (IP) television service in Texas.  On December 16, 2008 SBC (now AT&T) announced it had signed its 1 millionth U-Verse customer.  This is a far cry from the tens of millions of customers that the cable companies have secured, but finally shows some traction. 

Why is AT&T succeeding when there has been such a long history of failure in this space?  Because over the past 10 years while Telcos have been failing at providing Cable entertainment services, cable companies like Comcast have been devouring phone subscribers.  In fact, Comcast just announced they are the fourth largest phone operator in the U.S. with 6.47 million subscribers.  It's a matter of business.  The Telco now has to succeed at providing alternate services because they have fierce competition over their core business... namely telephony.

The moral of the story is not to sell your Telco stocks or even be dismayed by the lethargic progress of these monoliths.  The moral is that whenever large corporations attempt large game changing moves, time is the only way to measure success.  Secondly, the measure of technology push and consequently adoption sometimes has to do with market pressure from competition and not just increasing revenues but protecting them as well.

So what does all of this have to do with Software as a Service?  Well, take for instance the fact that Microsoft (as well as others) started to deliver their software over the Internet in 2000, created ASP.net in 2002 and has been hard at it ever since.  With hundreds of thousands of hosted Exchange licenses in this space it's safe to say that Microsoft is entrenched and growing.  With all of the business customers that Telcos like AT&T have, why aren't they also growing this (SaaS) business?  The answer is simple.  It has not yet begun to encroach on the core telephony business.  Or has it?  The enterprise space is usually the place that large telephony companies start new services.  One only has to look at Voice over IP (VoIP) implementations to see this.  Adoption of VoIP in the Telco subscription base has grown dramatically over the past few years.  And even though the growth has slowed in this economy, there is an extending strategy emerging for mobile use of VoIP.  This is the first entry of IP delivery services to business from the Telco showing traction.

Will the big Telcos or Service Providers be competition or partners for applications hosting providers?

All of this creates opportunity for existing Tier 2 Hosting/Managed Service Providers.  Why?  Large service providers do not set the pace for early adoption.  The iPhone is one exception but even then it was actually Apple who set the pace and not AT&T.  As more businesses adopt SaaS and the market share grows, Tier 1 service providers will be forced to reckon with the delivery of applications over their networks.

Since brand is the number one asset among these service providers they will be looking to purchase "white label" offerings which have a proven track record in services, especially those that scale.  These will be the Tier 2 applications hosting companies who show promise in their subscription growth, but more importantly have adopted a strategy for growth of their data centers which adds scale and flexibility.  Since Xen is used prolifically today in large service implementations XenServer would be a likely choice for HA (High Availability) and management.  And since XenApp is the most prolific application delivery platform on the planet and has the highest utilization capacity on XenServer of any hypervisor/SBC combination, it would make sense to use it in a hosting environment for scale.

If you want to grow your current hosting business beyond Microsoft Exchange, you need to look at what a long term strategy is for servicing millions of subscribers, not just a few thousand.  Sure, in this economy you will need to pay the light bills with your core business and not throw money (CapEx and OpEx) to the wind.  But you better have a plan for sustained growth or you will be eaten alive by those companies who see the storm on the horizon for mass market application delivery.  If you don't believe me all you have to do is look to what happened last year at GE.  Even Google Apps won't compete in this market when there is an alternative that scales better like Zoho.

This is not to say you should dump all of your Windows apps... quite the opposite, for the Tier 1 service provider to pick up your service in mass, the applications will have to be in the main stream.  Launch what SMBs want and need, do it cost effectively and form a strategy for growth... that's the road to the big leagues.

If you want to learn more about a holistic approach that scales, check out the podcast that Doug Brown did a few weeks ago entitled, "Citrix Cloud Computing".

"What this power is, I cannot say. All I know is that it exists...and it becomes available only when you are in that state of mind in which you know exactly what you want...and are fully determined not to quit until you get it." - Alexander Graham Bell  (Kind of ironic don't you think?)


Permalink | Twitter Post to Twitter | Comments (1) | Views (8213) |

We are moving down the best practices road and now we come up to Active Directory.  This, of course, is just a recommendation as I know everyone's AD structure will be different.  But let's start out with a long-standing best practice... XenApp servers have warranted their own organizational unit within Active Directory for organizational and policy enforcement purposes. The recommendation has also included breaking out specific XenApp roles or locations into their own OU.  Each identical group of servers would have the same policies applied. Typically, this creates an Active Directory structure like the following:

With the inclusion of Provisioning Services into the XenApp architecture, this recommendation does not change. In fact, this best practice becomes even more important because there will probably be special policy settings specifically for provisioned servers. How Provisioning Services is integrated with XenApp will help determine whether new OUs are required.

  • If the OU contains a set of XenApp servers all provisioned with the same vDisk, then any Provisioning Services related policies can be applied to the entire OU.
  • If the OU contains provisioned and non-provisioned XenApp servers, all hosting the same applications, then a new OU should be created that contains only the provisioned XenApp servers.
  • If the OU contains provisioned and non-provisioned XenApp servers hosting different applications, then multiple OUs should be created containing only identical servers.

With Provisioning Services, the XenApp OU structure might resemble something like the following:


Each OU contains:

  • Similar servers: Applications, infrastructure components, XenApp components
  • Similar delivery processes: Provisioned or not provisioned

Please comment with your thoughts or if there is another best practice you are wondering about. The list has already grown based on feedback from previous blogs. Stay tuned for more upcoming best practice blogs specifically focused on Provisioning Services and XenApp:

  • vDisk Type
  • vDisk Cache
  • Active Directory
  • Application Integration
  • Application Streaming Cache
  • System-level settings: Page file, drive remapping and multiple drives
  • Image Management
  • Local Database Storage (event viewer, EdgeSight, AntiVirus updates)
  • Plus more if we get some good ideas on other areas of focus

Daniel - Sr. Architect

Follow me on Twitter: http://www.twitter.com/djfeller

Permalink | Twitter Post to Twitter | Comments (0) | Views (5551) |

Many of you tuned into the TechTalk webinar over a month ago when I spoke about how to integrate applications into a virtual desktop. If you didn't attend the live event, you can still listen in to the recorded version of it.  It sounds like an easy topic, right? "Just install them stupid!"  Of course that approach does work, but is it the best approach?  Many of us are long-time XenApp people.  We see the value with virtualizing applications in XenApp.  We've already spent lots of time, money and sanity to get our XenApp environments tricked out so it is running smooth.  So I'm here to tell you, leverage it.  Just because you are going to do a virtual desktop solution does NOT mean you have to throw away your XenApp environment. That is just crazy.

Before you start on the XenDesktop build out, take a look at the just released Reference Architecture.  You can share and streamline your XenDesktop environment by using and sharing your XenApp environment. Some of the XenDesktop components can be shared with XenApp components.  Which ones? How about the license server, data store or Web Interface? 

Also, the integration must be streamlined.  You don't want to make your users jump through 20 hoops before they get to their applications. They will be tired and hate the solution, resulting in your project failing.  Make it look like the following diagram... Simplified user perspective


The user authenticates once, and they get a standard desktop image that is personalized with their unique set of applications, automatically.
Next, which apps go where?  This is a big question.  Do I let my XenDesktop users simply connect to hosted XenApp applications? If that is your objective, then why are you using XenDesktop?  Truth be told, some applications work better on a desktop OS. But these applications can still be delivered via XenApp.  Focus on application categories of Base, Anomalous, Resource Intensive and Technically Challenging.  These categories will guide you to the best solution. 

Interested in building the XenDesktop/XenApp solution? Then grab the Implementation Guide.  It contains step-by-step instructions (with pictures) that show you how to leverage your XenApp environment for XenDesktop.   If you are really good and just need a high-level guide, then grab the Getting Started Guide.

The important thing to remember is don't throw away your past successes to build something new.  Leverage your past success to make your future success easier.

Daniel - Sr. Architect

Follow me on Twitter: http://www.twitter.com/djfeller

Permalink | Twitter Post to Twitter | Comments (0) | Views (4664) |

Have you been hearing about the new Citrix HDX Technologies? Have you heard that HDX enables branch office users to get that "high definition" XenApp experience? Are you still trying to figure out what this all really means?


Recently there has been a lot of new terminology, concepts, news, and capabilities for Citrix Branch Repeater to take in. One of the most exciting topics has been around multi-user XenApp optimization for branch office users with Citrix HDX Broadcast and HDX IntelliCache. Spend some time getting caught up to speed on all these great happenings by reading a new whitepaper titled "Understanding Citrix HDX Technology for Optimizing the Branch Office".

This whitepaper will enable you to speak like an HDX branch office guru as you learn about:

  • What is driving branch offices to virtualize their applications
  • What are branch offices doing about the WAN
  • What Citrix Branch Repeater does for XenApp
  • How HDX Broadcast and HDX IntelliCache deliver a high-def branch experience

The whitepaper (CTX120455) is available for download on the Branch Repeater section of the Citrix Knowledge Center.

Permalink | Twitter Post to Twitter | Comments (7) | Views (11840) |

In reference to hosting applications in this new Cloud world I recently heard from a guy I admire and respect, "We've been here before and all that came out of this was a bunch of hype." When we consider what happened to the Application Service Providers in 2000 that is a fair assessment. So the million dollar question(s) today is who is making money hosting applications, what applications are they using and who are they selling these subscriptions to?

The answer is a bit complex because hosting service providers come in many shapes and sizes. However, if we only take into consideration those service providers who are actually charging for application delivery (subscription of applications) and not outsourcing companies who are mainly infrastructure providers, we can distill the market down to just a few distinct categories. The chart below is a depiction of the types of applications most subscribed to in this emerging space.

Human Resource Management Systems, Collaboration and Communications, Customer Relationship Management and Content Management Systems top the list of applications being delivered via hosting among Small and Medium Businesses (SMB). When we look at the practical application of these services, there is a business reason for why this is happening. 

Smaller companies do not have the capacity for overhead related to support functions within Human Resources such as Payroll, Talent Management, Employee Review processes, etc.  It makes absolute sense that these services would be either completely outsourced or applications hosted that perform the needed function. 

In order to cut the cost of expense items such as travel, Collaboration and Conferencing using the Internet and hosted applications is a sure-fire way to accomplish this.  I've got to plug Citrix Online here... some say the 3rd largest SaaS concern in the world for this category.  Corporate email is a good fit in this category as well.  There are currently over one hundred million unmanaged electronic mailboxes worldwide today, and using email that has no business continuity is dangerous and unprofessional.  SMBs use hosted business email such as Microsoft Exchange to mitigate this issue.

Customer Relationship Management services shouldn't be a surprise to anyone with the success of Salesforce.com.  But there are many CRM packages used in this space.  Using a product like XenApp to virtualize applications opens the door to products typically used in the Enterprise that can now be scaled to operate in the larger Internet cloud.  Citrix has customers today who (internally) host CRM software using XenApp to thousands of end points in remote locations worldwide.

Content Management Systems may be a bit of a surprise for some.  However, document management and workflow is a critical need especially in market verticals such as Healthcare (HIPAA) and Finance (SOX).  When requirements of this magnitude are levied on the SMB the overhead can be overwhelming.  So the IT management of a system like this is a burden not many SMBs are willing to bear.  Application hosting is a cost effective alternative.  I recently spoke to an ISV in this space who started selling his application to SMBs in the insurance industry.  It became unmanageable to scale his business so he started to host the application 8 years ago.  Now he has 12,000 SMBs using the software.

Order Management, Enterprise Relationship Planning, Web 2.0 applications and Supply Chain Management round out the list.  And there it is... the applications making the most impact and therefore the most revenue in the SaaS space among SMBs. 

What if business productivity applications such as Microsoft Office could be offered up through the Internet (Cloud)?  Service providers who have tried this before might say that this is impossible because Office wasn't designed to be hosted... but what if you could do it using a platform that could make Office run as though it were local?  Wouldn't that be great?  Citrix has the technology and the products to accomplish this and my guess is it won't be long until service providers (in 2009) actually use it to host these types of applications.

Here's another surprise.  In an economy that is shrinking in virtually every other aspect of IT, applications hosting is still growing.  What are you waiting for?


Permalink | Twitter Post to Twitter | Comments (1) | Views (7149) |

There are a lot of things to do in Vegas, such as seeing a show, riding a roller coaster and of course, becoming a high roller; however, none of them come with a guarantee that you will go home with something more valuable than you arrived with. At Citrix Synergy, not only will you leave with new and/or renewed connections with other professionals in the industry and at Citrix, but you will leave with knowledge that will deliver more value to your company and to you as an individual.

Sure, there are multiple valuable conferences within a conference at Synergy (iForum, Network World Live! and Virtualization Congress), but my personal favorite is GeekSpeak Live!  If you haven't seen or attended a GeekSpeak session (examples: Shawn at Synergy and Michael with GeekSpeak Roadtrip!), you need to check this out. These sessions are where true unfiltered technical interactive discussions occur. Many sessions are led by Citrix CTPs such as Charles Aunger, Ruben Spruijt & Jeroen van de Kamp, Brian Madden and many more, but you also have the ability to lead and/or change a discussion topic on the fly.

This year we have expanded GeekSpeak Live to not only include our traditional evening sessions, but we also have the GeekSpeak SpeakEasy sessions on the exhibit floor and we have woven GeekSpeak session through the traditional conference tracks as well.

As we get closer and closer to Citrix Synergy, I will be posting more information about our GeekSpeak sessions and presenters. Please feel free to leave a comment on this blog, check out the GeekSpeak forum or drop me an email if you are interested in a topic or being a GeekSpeak session lead.

Before I go, I wanted to share a discussion I had with a Citrix Synergy attendee. The discussion started regarding the GeekSpeak session, but quickly transitioned to "I am planning to attend, but my boss/finance team is really leery of spending on technology conferences (especially in Vegas), given the negative press that AIG and others in the industry have gotten regarding conferences. Do you have any advice for me?"

We at Citrix are completely aware of budget constraints and have pulled together some information on the topic for you. The fact is that from a cost perspective, Vegas is a value compared to other cities hosting technology events: Vegas is 20%-60% cheaper from an attendee perspective. With the data we provided, she was able to assure her management that Citrix Synergy was not a boondoggle!

I look forward to seeing you at Citrix Synergy and GeekSpeak Live!, perhaps the one time that "What happens in Vegas, stays in Vegas" isn't true!

Permalink | Twitter Post to Twitter | Comments (1) | Views (3607) |

Does your organization deliver virtual applications to the branch office over a sloooow WAN link?
Are you tired of trying to fix all of your WAN issues with a bigger and more expensive WAN connection?

There has to be a better solution...
Citrix Branch Repeater and XenApp work in concert to deliver a "high-definition" branch office experience, drastically improving the XenApp experience for branch office users. Using Citrix HDX Technology, Branch Repeater and HDX IntelliCache adaptively orchestrate with XenApp to disable the native ICA compression used for optimizing single-user sessions.

Just how much better?

  • Branch Repeater reduces XenApp traffic by up to 95 percent, increasing file transfer throughput by up to 20 times and increasing print traffic throughput by up to 33 times.
  • Together these enhancements allow customers to serve up to 4x more XenApp users in each branch without upgrading bandwidth.

Learn more about ICA Optimization, how to deploy the components, and see the High Definition branch experience yourself in this exciting demo, which can also be found on the Branch Repeater demo page of Citrix.com.
