Recently, I have heard many people ask how to deliver a better application experience over the WAN to branch users with flat or shrinking IT budgets.
Is delivering a better IT experience to branch or mobile users truly "priceless"? Or do you really need to demonstrate ROI?
It usually takes a lot longer than a year for something to become a cliché. But the current global economic recession has created one of the quickest clichés ever: 'Flat is the new Growth!' Flat revenues, and flat IT budgets alike.
Faced with flat or shrinking IT budgets, many organizations are clearly and rigorously prioritizing the highest-ROI projects, focusing on doing more with less. Increasingly, the following lexicon has taken on a new level of significance and has become part of the IT budgeting process: time-to-ROI, payback time, hard or direct ROI, soft or indirect ROI, and so on.
WAN Optimization is one of the very few technologies where IT spend is actually growing while spend on many other technologies is shrinking. In earlier blogs, I blogged about how good the user experience can be with the right WAN optimization solution. But if you are an IT decision maker, you are looking for hard dollar ROI to justify those investments.
We recently published a web-based ROI calculator, designed to show our customers the great savings opportunities available with Citrix Branch Repeater for XenApp and XenDesktop customers. Why don't you try out the calculator and let us know your feedback? We are looking to update this tool soon based on your feedback.
You may cut and paste the URL in your browser: http://www.citrix.com/English/ps2/products/feature.asp?contentID=1858204.
I look forward to your comments or feedback.
Happy ROI!,
Sai
Mac users out there have long been asking for and waiting for a rich and secure remote access experience with Access Gateway solutions. Now the wait is over. Mac users can now download the Access Gateway plug-in for Mac from MyCitrix.
The Access Gateway team has made the Mac OS X plug-in available for Access Gateway 4.6 Standard Edition and Access Gateway 9.1 Enterprise Edition:
- The user experience of the plug-in conforms to the native Mac experience, providing a rich user experience.
- Mac users can securely connect to their remote applications, leveraging pre- and post-authentication endpoint scans to conform to their corporate security policies. For stronger security, when the remote Mac user logs off, the plug-in also destroys any session data (cache, cookies, etc.) on the client.
- With globalization features, the plug-in brings this new experience to English, French, German, Spanish and Japanese users.
If you are a Mac user, I encourage you to go to the downloads section on MyCitrix and select Citrix Access Gateway from the drop-down menu of "Search Downloads by Product", then find "Access Gateway Plug-in for Mac OS X, Version 1.0.2.23" under the Clients section.
If you are using this new plug-in, please share your experience with me and what you would like to see next.
Sai
ICA Proxy for XenApp using NetScaler AGEE.
Citrix NetScaler, a member of the Citrix Delivery Center™, is a purpose-built web application delivery solution that accelerates application performance up to five times while improving security and reducing web infrastructure costs. Access Gateway™, a member of the Citrix Delivery Center, is an SSL VPN to securely deliver any application with policy-based SmartAccess control. Access Gateway, Enterprise Edition (AGEE) runs on the Citrix NetScaler.
Citrix XenApp™, also a member of the Citrix Delivery Center™ product family, is the industry's de facto standard for delivering Windows-based applications with the best performance, security and cost savings.
By centralizing applications and data in secure datacenters, IT can reduce the costs of management and support, increase data security and facilitate business continuity.
We at Citrix are often asked how to deploy a NetScaler AGEE in front of a XenApp server farm, to proxy application delivery over the ICA protocol, securely. The NS AGEE secures XenApp-delivered applications by serving as a proxy for those applications. NS AGEE proxies the ICA connections delivered from XenApp, and then wraps those applications with HTTPS or SSL to secure the traffic before it leaves your organization.
This is possible by following the steps in the deployment guide. This guide is specific to the NetScaler Access Gateway Enterprise Edition (AGEE), which is different hardware & software from the Citrix Access Gateway Standard Edition (AGSE).
Download the deployment guide.
It's Powerful Citrix Developer Network!
ICA Proxy for XenApp using CAG
Citrix Access Gateway™, a member of the Citrix Delivery Center, is an SSL VPN to securely deliver any application with policy-based SmartAccess control.
Citrix XenApp™, also a member of the Citrix Delivery Center™ product family, is the industry's de facto standard for delivering Windows-based applications with the best performance, security and cost savings.
By centralizing applications and data in secure datacenters, IT can reduce the costs of management and support, increase data security and facilitate business continuity.
We at Citrix are often asked how to deploy a CAG in front of a XenApp server farm, to proxy application delivery over the ICA protocol, securely. The CAG secures XenApp-delivered applications by serving as a proxy for those applications. CAG proxies the ICA connections delivered from XenApp, and then wraps those applications with HTTPS or SSL to secure the traffic before it leaves your organization.
This is possible by following the steps in the deployment guide. This guide is specific to the Citrix Access Gateway Standard Edition (AGSE), which is different hardware & software from the Citrix NetScaler Access Gateway Enterprise Edition (AGEE).
Download the deployment guide.
It's Powerful Citrix Developer Network!
What if you could deliver online (published) apps through XenApp 6 times faster to your branch office workers? Or increase XenApp ICA print throughput by 38 times?
Well, now you can accelerate ICA with Branch Repeater and XenApp. Find out the benefits for yourself by downloading the "Turbocharge applications to your branch offices" whitepaper (CTX122321).
Please share with us your experiences, results and thoughts.
Sai
Other relevant blogs: http://community.citrix.com/blogs/citrite/saia/
Ever got frustrated with how long it takes to email a large report or presentation after incorporating your manager's feedback? Or found yourself in a plane wishing the email downloaded faster when the flight attendant asks you to turn off your 3G-equipped laptop? Or wished for a solution that could deliver email 50 times faster?
Did you know our WAN optimization solution, Citrix Branch Repeater, delivers superior user experience and application performance not only for branch office users but also for remote and teleworkers?
No one feels the need for speed more than a remote user or a teleworker with a low-bandwidth or high-latency network connection. These users typically use an SSL VPN, such as Citrix Access Gateway, to connect to their corporate network and access email, intranet portals, other applications and data. When your IT team augments the secure remote access (Access Gateway) infrastructure with Branch Repeater, you can benefit from both secure and accelerated remote access.
Well, now we have two reports that demonstrate ways to use Branch Repeater to augment your Access Gateway infrastructure and the resulting benefits of accelerating secure remote access.
You can download the Turbocharge Access Gateway Performance Report - CTX121034 from the Citrix Knowledge Center. The report explores the benefits of using Access Gateway and Repeater plug-ins for Citrix Receiver together:
• 50x faster Microsoft Outlook and Exchange (MAPI) workflows
• 50x faster Microsoft SharePoint (HTTP) workflows
• 30x faster Windows File Shares (CIFS) workflows
I think you will want to try out the benefits of turbocharged remote access. Check out the Turbocharge Access Gateway Deployment Guide and Reference Architecture - CTX121035 if you want to conduct a POC (proof of concept) or a demo to convince your IT or other decision makers. You will be your end users' hero for providing them with accelerated yet secure remote access.
Earlier this week, we launched version 1.0.2 of the Citrix Receiver for iPhone. Citrix Access Gateway expands support for Receiver to connect to Access Gateway Enterprise Edition (versions 8.1.57 / 9.0.69 / 9.1.95) in addition to the Access Gateway Standard Edition that was already available. With this release, Access Gateway further enhances mobility by offering secure mobile access on iPhone for the Enterprise Edition.
Citrix Receiver is our lightweight software client that makes accessing virtual applications and desktops on any device simple and easy. It brings together multiple application delivery clients in one single client - all updated automatically, while greatly simplifying client distribution and updates for the IT administrators.
If you are an iPhone user, you will find this latest release very useful. The app is now available to the general public via the App Store on your iPhone or iPod Touch. More importantly, as a corporate user, you will find Doc Finder a 'must-have' for your iPhone. Part of Citrix Receiver, Doc Finder provides fast, one-click access to important documents stored on the corporate network. You can even join a webinar from anywhere - straight from your iPhone. Since these documents are stored in the datacenter and delivered over a secure encrypted link, data and applications always remain completely secure.
Best,
Sai
I am glad to share with you all the news about our Citrix Branch Repeater 5.5. Building on our momentum with XenApp optimization (via the ICA acceleration feature) released earlier this year, we announced today the availability of our newest Citrix Branch Repeater 5.5. Among the many benefits this release delivers, check out the following key highlights:
- Microsoft Exchange (MAPI) optimization accelerates Exchange email for branch and mobile users by up to 50X while reducing bandwidth consumption. You also get these benefits if you are streaming Microsoft Outlook with XenApp or Microsoft App-V, because a streamed Outlook application behaves just like a native application from a network perspective - a streamed Outlook will talk MAPI to the Exchange server in the datacenter. Here is a sneak peek of email acceleration benefits from an upcoming performance whitepaper (available soon):

- Branch Repeater with Windows Server 2008 enables consolidation of essential branch services with Microsoft's most advanced server operating system - Windows Server 2008. Customers now have a choice of deploying Branch Repeater appliances built on either Windows Server 2003 or Windows Server 2008. As before, we continue to offer the non-Windows version of Branch Repeater as well.
- Of the many powerful capabilities in the Windows Server 2008 operating system, the Read-Only Domain Controller (RODC) feature is one I would like to highlight. RODC allows you to securely deploy a Domain Controller in a branch office for faster Windows authentication and login times. This also helps improve the security posture of IT infrastructure in branch offices.
- With the availability of the Repeater Plug-in for Citrix Receiver, Branch Repeater now provides WAN acceleration benefits for the already easy-to-use Receiver software client. Receiver provides a consistent and intuitive user experience, and simplifies client distribution and updates. For instance, if you want a single client that provides secure access, SSL VPN client and WAN optimization benefits, then Citrix Receiver is a great way to simplify client distribution and improve the user experience. This now truly provides simple, fast and secure access to applications from anywhere, whether you are working remotely or in a branch office. I encourage you to try it out and share your experiences with us.
Stay tuned for a series of blog posts that explore some of the features in detail.
I encourage you to check out the newest Branch Repeater 5.5 and share your experiences with me at sai.allavarpu@citrix.com.
Sai
Check out the newest Branch Repeater customer case study posted on citrix.com at http://citrix.com/English/aboutCitrix/caseStudies/caseStudy.asp?storyID=1855157
Lately I have been discussing with partners and customers how enterprises pursuing an M&A strategy, or with distributed branch offices, often face the kind of challenges that Consolidated Graphics faced. Enterprises with far-flung offices and locations are now looking at ways to reduce the cost of delivering applications to branch offices while improving user experience and productivity. Check out the case study to see how Consolidated Graphics:
- Enabled datacenter consolidation for cost savings
- Simplified IT administration
- Doubled throughput on existing T1 lines, avoiding the need for network upgrades
- Improved the user experience at branches
Happy reading!
Sai
Twitter: @SaiAllavarpu
Citrix Branch Repeater: http://www.citrix.com/English/ps2/products/product.asp?contentID=1350184
If you need to perform a search of a particular piece of data in the SUBJECT or ISSUER fields of a client's SSL certificate, the CONTAINS and NOCONTAINS Operators will serve you well. However, if you want to be more granular in your approach, you will likely get frustrated by using the offset values of the Classic AppExpert Expression.
Problems occur when administrators rely on IE's rendering of the certificate values to determine the offset position within these fields rather than using openssl. The reason you need to use openssl is that IE (and other browsers and operating systems) tend to display the values of these fields in a different format and order from the one the NetScaler evaluates. So if you're going to set offsets, do NOT get your position information from IE! Use openssl instead.
For example, take a look at my test certificate:

See how IE makes it look as if you should be reading this list (the top half) from left to right? Or (the bottom half) top to bottom? Unfortunately, these are completely backwards. Worse, there aren't any spaces or commas between the substrings.
So if you rely on what IE is telling you when you try to search in a specific location for "Rick.Davis@" you might use an offset of zero. Or three. But neither of those is correct. OpenSSL will show you that the offset is actually 73!
It's completely contrary to what you might expect because this is how the subject field is read by the NetScaler:
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab
Procedure
In order to accurately calculate the offset, you will need to use the openssl command. Here's how:
- Upload the client certificate to the NetScaler.
- Use OpenSSL to view the SUBJECT or ISSUER field from the NetScaler's CLI:
> shell
# cd /flash/nsconfig/ssl
# openssl x509 -noout -in client.cer -subject
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab
The fields use ordinal numbering, so the first "/" character is offset zero. Here's the location map (the second row gives the units digit of each offset, the third row marks each multiple of ten):
/C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab
0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123
0         1         2         3         4         5         6         7         8         9
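To apply the procedure above without counting characters by hand, here is an added Python example (not Citrix's code and not part of the original post): it takes the one-line subject exactly as openssl printed it above, computes the ordinal offset of a substring or of any attribute's value, and renders the same location map. The sample subject line is the one from the post; the function names are my own.

```python
"""Offsets for NetScaler Classic AppExpert CLIENT.CERT.SUBJECT / ISSUER
expressions, measured on the slash-separated line that `openssl x509
-subject` prints (the form the NetScaler evaluates), never on a browser's
rendering of the certificate.  Added example; not Citrix's code."""

# Constructed sample: the exact line the post shows openssl printing.
OPENSSL_SUBJECT_LINE = (
    "subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/"
    "CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab"
)


def netscaler_field(openssl_line):
    """Strip the 'subject=' or 'issuer=' label so that offset 0 is the first '/'."""
    label, sep, value = openssl_line.partition("=")
    if not sep or label.strip() not in ("subject", "issuer"):
        raise ValueError("expected an 'openssl x509 -subject' or '-issuer' line")
    return value.strip()


def offset_of(field, needle):
    """Ordinal offset of `needle` in the field as the NetScaler reads it."""
    pos = field.find(needle)
    if pos < 0:
        raise ValueError("%r is not present in the field" % needle)
    return pos


def parse_rdns(field):
    """Split the slash-separated field into (attribute, value, value_offset).

    Caveat: the legacy openssl layout does not escape '/' inside values, so
    a value that itself contains '/' is split here too; check such
    certificates by hand against the location map."""
    if not field.startswith("/"):
        raise ValueError("expected the legacy slash-separated form, e.g. /C=US/...")
    rdns = []
    pos = 1  # index just after the leading '/'
    for part in field[1:].split("/"):
        attr, _, value = part.partition("=")
        rdns.append((attr, value, pos + len(attr) + 1))  # +1 skips the '='
        pos += len(part) + 1  # +1 skips the separating '/'
    return rdns


def attribute_value_offset(field, attribute):
    """Offset at which the value of `attribute` (e.g. 'emailAddress') starts."""
    for attr, _value, off in parse_rdns(field):
        if attr == attribute:
            return off
    raise KeyError(attribute)


def location_map(field):
    """Render the field over a units row and a tens row, like the post's map."""
    units = "".join(str(i % 10) for i in range(len(field)))
    tens = "".join(str((i // 10) % 10) if i % 10 == 0 else " "
                   for i in range(len(field)))
    return "\n".join((field, units, tens))


if __name__ == "__main__":
    field = netscaler_field(OPENSSL_SUBJECT_LINE)
    print(location_map(field))
    print("offset of 'Rick.Davis@':", offset_of(field, "Rick.Davis@"))  # 73
    for attr, value, off in parse_rdns(field):
        print("%13s value starts at offset %2d: %s" % (attr, off, value))
```

On newer OpenSSL releases `x509 -subject` defaults to a comma-separated layout; pass `-nameopt compat` to get the slash-separated form the offsets are measured against.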
References
CTX116431 How to Create and Use Client Certificates on the NetScaler
CLIENT.CERT
CLIENT.CERT.SUBJECT
CLIENT.CERT.ISSUER
CLIENT.CERT.SIGALGO
CLIENT.CERT.VERSION
CLIENT.CERT.VALIDFROM
CLIENT.CERT.VALIDTO
CLIENT.CERT.SERIALNUMBER
CLIENT.CIPHER.TYPE
CLIENT.CIPHER.BITS
CLIENT.SSL.VERSION
Several Citrix products have been nominated for the 2009 Information Security Magazine / SearchSecurity.com Readers Choice Awards:
- NetScaler, Application security: Web application firewall, application/code vulnerability assessment/QA, Web services security
- Access Gateway, Remote access: IPsec, SSL VPNs and other remote access products
- Branch Repeater, Other: Branch optimization/application acceleration solution
Thanks to your support, last year we won the Bronze Award under the 'remote access' category for Citrix Access Gateway and the Bronze Award under the 'application security' category for Citrix App Firewall.
While technically not a security product, Branch Repeater does play a role in building a secure IT infrastructure. Branch optimization allows businesses to centralize applications and data in secure datacenters without sacrificing end-user performance.
Surveys have already gone out to readers of Information Security and SearchSecurity.com via e-mail. If you received one of these surveys please take a few minutes and vote.
New courseware has been released from Citrix Education - Get up to speed on Citrix XenApp 5.0, XenDesktop 3, NetScaler 9 and more! Click on the course/certification title below for more information on these hot releases.
Instructor-led Courses
- CXA-100-1I Providing Help Desk Support for Citrix XenApp
Prepare to troubleshoot common XenApp issues and identify whether complex issues are related to the XenApp product, the network or directory services.
- CXD-200-1I Implementing Citrix XenDesktop 3
Learn to install, configure and manage Citrix XenDesktop 3.
- CMB-201-1I Implementing Citrix XenApp Platinum Edition Components
Learn to properly design, implement, and support Citrix XenApp Platinum Edition components, including EdgeSight 5.0, Access Gateway 9.0 Enterprise Edition, Password Manager 4.5 and WANScaler 4.3. For experienced IT professionals.
Self-paced Online Courses
- CNS-200-1W Basic Administration for Citrix NetScaler 9.0
Gain an understanding of NetScaler features such as load balancing, SSL offload, classic and advanced expressions, compression, auditing and logging and monitoring.
- CPV-200-1W Implementing Citrix Provisioning Server 5.0
Learn to install, configure and administer Citrix Provisioning Server 5.0 farms.
Certification
- Citrix Certified Administrator (CCA) for Citrix NetScaler 9
Validate expertise in the implementation and administration of NetScaler 9.
Nelson Esteves has moved through the ranks as part of the Citrix Technical Support team. He started out as a level one support engineer on the XenApp team, and now is an Escalation Engineer for the NetScaler and Advanced Access Gateway (AAG) support team. Nelson will be presenting the following sessions at Citrix TechEdge during Citrix Summit and Citrix Synergy 2009: End-to-end virtualization with Citrix Delivery Center, with a focus on Citrix Access Gateway, Enterprise Edition (AGEE), and then his in-depth session will cover Integrating and troubleshooting Citrix Access Gateway, Enterprise Edition.
Q. How has AGEE improved from a support perspective over the past year?
Nelson: AGEE has evolved into a bigger and better product. With the 9.0 release we are able to meet most user demands, such as full Microsoft SharePoint integration as well as Branch Repeater acceleration. From a support perspective, the new filtering capabilities of network tracing on the appliance are great, not to mention the ability for more granular control such as choosing packet type and size.
Q. What AGEE and Citrix Delivery Center tips will attendees learn at your session this year?
Nelson: During the breakout session, attendees will learn in great detail how pre- and post-authentication scans work and how to configure them properly. They'll also learn how AGEE integrates with XenApp via Web Interface. I'll show what's involved in the login process to Web Interface and how SmartAccess works in the background. In addition to all that, they'll learn how to successfully decrypt a network trace and how to troubleshoot SSL errors when launching a published application, via a pre-recorded troubleshooting video. The CDC presentation will explain how AGEE integrates with XenDesktop as well as Web Interface and NetScaler.
Q. What new tools or techniques are you using to troubleshoot NetScaler?
Nelson: The new filtering system when taking network traces was a great addition, and it made troubleshooting a lot faster since we can now select what we want to filter instead of having to handle very large network trace files.
Q. What types of cases have you worked on this past year? Why?
Nelson: I have handled cases related to VoIP issues via the VPN, SSL errors when launching applications, Microsoft SharePoint integration issues, and several others. Most of the VoIP issues had to do with the software being used, since it didn't have an option for VPN configuration. We need to make sure the call manager server receives the VPN user's intranet IP and not its local IP. SSL errors were due to clients either not having the proper certificates installed or misconfiguration on the AGEE or Web Interface (missing STA, wrong STA URL, missing STA port, etc.). SharePoint integration has been challenging since the release of 9.0, but now we have corrected all the errors we have encountered.
About Nelson Esteves
Nelson has been with Citrix Technical Support for a little over three years. He started as a level one support engineer working on core products such as XenApp, Password Manager, Installation Manager and Resource Manager. He was then transferred to the Web Security team working with Web Interface and Access Gateway. One year later he was promoted to the frontline NetScaler support team, and about a year after that he became an Escalation Engineer supporting NetScaler, Application Firewall and AGEE. He holds certifications in A+, Net+, MCP, CCNA and CCA for Citrix NetScaler 8 Platinum Edition. He's also pretty quick on his feet, as an amateur soccer player, and has played in local tournaments and traveled with the Florida select team.
Do you have an AGEE troubleshooting area that you would like Nelson to focus on during his presentation? Leave a comment.
Have you ever wished your VPN connection was faster?
Do you need to take a lunch break when downloading your sales presentation over your VPN?
Did you know that you can Turbo Charge Access Gateway with Citrix Branch Repeater and make these headaches go away? Citrix Branch Repeater can accelerate all editions of Access Gateway by adding Branch Repeater to your Citrix Delivery Center environment. The Citrix Repeater and Access Gateway Plug-ins seamlessly deliver the fastest secure access solution. Granular Access Gateway policies enable the IT Administrator to fine tune when and how a user's connection is turbo charged.
Learn more about Turbo Charging Access Gateway; how the components are deployed, and see the Turbo Charge experience yourself in this exciting demo. View the video in full size and learn more about Access Gateway here.
Citrix will soon release the next version of Access Gateway Enterprise Edition. By Citrix's standards this version is a minor release so it hasn't gotten much coverage. I'm here to fix that and give you an idea of what new features to expect.
First up is WANScaler interoperability. Remote workers (like me) can deploy Access Gateway and WANScaler plug-ins on their machine and get the benefits of a VPN with traffic acceleration and optimization. We'll publish some performance numbers in the near future but based on my personal experience of using it every day, I can tell you that it's fast - real fast. I can also report that this combination of technologies is now a permanent and necessary part of my work life.
Next, we added clientless access to SharePoint 2003 and 2007. The engineering team has spent time testing the product's URL rewriting capabilities against the most popular applications and this time we're officially supporting SharePoint.
Falling under the category of a better user experience, we've added single sign-on to file shares. When a user clicks on a link to a file share in their landing page, Access Gateway will attempt to use the user's credentials to authenticate to the file server and eliminate the need for them to re-enter their credentials.

Not to be forgotten, we've also added functionality to help administrators. Historical charting is a graphical tool that can chart historical details about system performance and user activity.

And for those of you braving the protocol transition, we've added the ability to bridge from IPv6 external networks to IPv4 on the internal network. For now, this only works when users are connecting to XenApp or XenDesktop since the Secure Access VPN plug-in does not currently support this functionality. This version also gives the ability to define LDAP and RADIUS servers with an IPv6 address.
Look for this firmware update to be available from MyCitrix.com on November 27th. Enjoy!
NetScaler 9 is officially here. Well, actually, it's officially announced. It won't be officially available to download from mycitrix.com until November 27th. Yes, I know that's Thanksgiving. However, Citrix is a global company, and what better way to prove it than to post the NetScaler 9 code on a major US holiday? And, there is a chance that it might show up a day or two before the 27th.
NetScaler 9 is a pretty big release. Looking at the detailed feature tracker, it contains over 350 new features and feature enhancements. I'm not going to go through all of them in this post, because that's what release notes are for. However, I do want to highlight some of the major new features that folks seem to be most excited about, and point you to some additional resources on this site that go into a bit more detail on some of them.
I like to think that NetScaler acts as the bridge between the network and the applications that run on it, making each of them work better with the other. NetScaler 9 furthers this. A lot of the new capabilities and features make NetScaler even more application-savvy than it already is. This is not to say that there aren't any hardcore networking enhancements in NetScaler 9, because there are a lot of them. These include everything from end-to-end support for IPv6 to enhancements to our GSLB functionality to the ability to tunnel IP within IP.
But in the end our networks are there to run applications, and it's the new AppExpert features in NetScaler 9 that seem to be generating the most interest.
AppExpert Templates make a given application the "first class citizen" within NetScaler. They do this by encapsulating everything about a NetScaler configuration that is specific to a given application, including:
- The different application components (e.g., pages, files, archives, Web Services) NetScaler is managing
- The various NetScaler entities and settings (e.g., VServers/VIPs, load-balancing algorithms, health checks, persistence methods, SSL offload settings) defined for these application components
- The specific NetScaler policies (e.g., caching, compression, application firewall, rewrite) used for the application
All of this is presented in a way that puts the application front and center, and configuration and policy changes can be made from there as well. So, while today understanding the entire NetScaler configuration for Microsoft SharePoint (for example) involves moving around between the various NetScaler GUI tabs, with AppExpert Templates everything is centralized in one place.
AppExpert Templates can be imported and exported as well, so they make it pretty easy to move app-specific configurations between different systems. More broadly, several folks have told us that this, and the general look and feel of AppExpert Templates, will help with knowledge transfer within their organizations. You can see an example of the Microsoft SharePoint template being imported and then applied here.
If you go here when NetScaler 9 becomes available in a couple of weeks, you'll be able to download AppExpert Templates we've already built. And, as you'll quickly notice, AppExpert Templates aren't static. The underlying infrastructure makes it really easy for you to tweak a template to your own specific needs, or to improve the template by adding to it. Hopefully, you'll all post any improvements and modifications you make back to the community site so that others can benefit. And definitely look for additional AppExpert Templates to be made available by us, by Citrix partners, and hopefully by other NetScaler users.
With AppExpert rate controls, we've integrated the concept of data rate into the core NetScaler policy infrastructure. This allows building policies that are only triggered when a defined data rate is exceeded. And since it's integrated with the core policy infrastructure, it can be used with the various NetScaler functional modules (e.g., content switching, responder), so you're not limited to just dropping traffic as an action.
There are a number of ways folks have told us they're going to use AppExpert rate controls. Of course straight-up rate limiting (e.g., DNS rate-limiting, limiting traffic originating from a single subnet) is one example. Ensuring a given resource (e.g., anything from a VServer to a specific URL) isn't overwhelmed by requests is another. Two specific examples are:
- One customer allows some of its partners to scrape its website so the partners can republish content on their own sites. However, the customer wants to ensure that overly aggressive scraping by the partners doesn't overwhelm the website and degrade the site's performance. AppExpert rate controls can be used to limit how much scraping each partner can do. This same approach could be used to ensure that websites that publish APIs -- so that partners can do mashups, for example -- aren't overwhelmed by any particular partner's use of the API.
- Another example is a customer that was having problems with a couple of users FTPing a few too many large files at the same time. By using AppExpert rate controls to build an expression around bandwidth consumed per sourceIP, they can drop any additional FTP requests coming from a sourceIP (aka a user) that already has too much FTP activity. A more generalized use could also do something along the lines of limiting the amount of concurrent file downloading for a given SharePoint site, to ensure that downloads don't drown out other SharePoint (or other application) activity.
AppExpert service callouts make NetScaler policies extensible, and will allow you to integrate logic or functionality available in other systems and applications into NetScaler policies. Specifically, using an AppExpert service callout, a policy can send (over HTTP or HTTPS) any part of an incoming request to an external service. The result returned by the external service is then used like any other policy evaluation result.
As an example, one beta customer has an application that identifies and tracks IP addresses that are scraping its site's content. No, this is not the same customer that is interested in AppExpert rate controls. In the earlier case, scraping is encouraged; they just needed to control it. In this case, the scraping of content amounts to theft, and the customer wants to prevent as much of it as possible. Unfortunately, the IP addresses doing the scraping change constantly (hence the reason they had to build an app), so statically defining them within the policy itself isn't practical. However, a service callout can query the application in real time, and NetScaler then uses the response to either pass or drop the request.
Other use cases customers have mentioned include:
- Passing content to an external transformation engine
- Integration with UDDI or other directory services
- Geo-targeting or other token-based switching decisions, where the logic for the content switch is available in an external application
NetScaler 9 has the first availability of the XML technology we acquired from QuickTree last year. New XML protections in the NetScaler Application Firewall module will now be able to inspect and protect XML as well as HTML traffic. In addition to protecting XML-based applications from attack, this can also be used to ensure that incoming XML traffic conforms to various standards (e.g., XML syntax, schema, WSDL validation). With XML, sometimes "bad" traffic isn't malicious but is just a mistake. Either way, the XML capabilities in the app firewall will catch it.
We've had the ability to rewrite content within the TCP header or payload since NetScaler 8.0. However, in NetScaler 9.0 we've added a URL transformation 'mini-module' to our generalized rewrite functionality, specifically for rewriting HREFs. While this function is often thought of in the context of either SSL VPN or application firewall, it has uses beyond these as well: for example, onboarding apps acquired through M&A activity, simplifying change management, or "Akamai-zing" graphics content.
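To illustrate what an HREF rewrite of this kind does, here is an added example (not NetScaler code) that re-emits an HTML document while rewriting only URL-bearing attributes: links into an acquired application are moved behind the main portal, and image sources are pointed at a CDN host. The hostnames, paths and rules are constructed; the text of the page is left untouched even when it contains a matching URL.

```python
# Added example, not NetScaler code: prefix-based rewriting of href/src
# attributes, with constructed hostnames standing in for real ones.
import html
from html.parser import HTMLParser

# (old URL prefix, new URL prefix): acquired app behind the portal, graphics on a CDN
RULES = [
    ("http://intranet.acquired.example/", "https://portal.example.com/acquired/"),
    ("http://www.example.com/images/", "https://cdn.example.net/images/"),
]
URL_ATTRS = {"href", "src", "action"}

def transform_url(url):
    """Apply the first matching prefix rule; unmatched URLs are unchanged."""
    for old, new in RULES:
        if url.startswith(old):
            return new + url[len(old):]
    return url

class HrefRewriter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs, close=""):
        if not any(k in URL_ATTRS for k, _ in attrs):
            self.out.append(self.get_starttag_text())   # no URL attribute: copy verbatim
            return
        parts = [tag]
        for k, v in attrs:
            if v is None:
                parts.append(k)
            else:
                v = transform_url(v) if k in URL_ATTRS else v
                parts.append(f'{k}="{html.escape(v)}"')  # re-escape unescaped value
        self.out.append("<" + " ".join(parts) + close + ">")
    def handle_startendtag(self, tag, attrs):          # e.g. <img ... />
        self.handle_starttag(tag, attrs, close=" /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):                       # text nodes are never rewritten
        self.out.append(html.escape(data, quote=False))

def rewrite_html(doc):
    p = HrefRewriter()
    p.feed(doc)
    p.close()
    return "".join(p.out)
```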
Again, NetScaler 9.0 is a big release, and there is a lot more in it than the app-centric features mentioned above. There is a pretty comprehensive What's New in NetScaler 9 writeup here for those of you who want a fuller overview.
Updated November 12, 2008:
I received a question via comments asking about Access Gateway Enterprise enhancements. As many of you know, Access Gateway Enterprise is in essence another module in NetScaler. So, all Access Gateway Enterprise functionality is included in NetScaler, which is why NetScaler is such a great solution for Citrix XenApp and XenDesktop. There are definitely enhancements to Access Gateway Enterprise in NetScaler 9. At a high level, they are:
- Support for IPv6 XenApp Client Connections
- Single sign-on to file shares, so your users won't get as annoyed by as many authentication prompts (unless you want them to be)
- Full clientless access to Microsoft SharePoint 2003 and 2007 so users can access SharePoint sites from any browser
- Historical charting which allows you to see trend data on system activity
In my last post, I discussed the importance of user experience -> It's All About The User Experience (IAATHUX)
Our Access Gateway team has come up with a new look and feel that is nice and clean. I think this is much more intuitive and consistent with the experience across Citrix Delivery Center. Notice that they are using plugin terminology in anticipation of App Receiver.
The desktop icon has changed from the "two Rubik's cubes connected by a red pipe" to the simple and easy to understand lock symbol. The rationale here is that secure access is not just about remote access but should secure connections onsite and offsite.
The thing I like the most with Access Gateway is that with auto-reconnect, I can just live in secure connected mode all the time. At Citrix, we run open wireless networks at most locations, so I can just put my laptop to sleep and start it up in any location (including at home) and be assured a secure connection without having to do anything. I just see the secure lock icon in my systray and the auto reconnect happen as I transit networks.
With the advantages of de-perimeterization, I think more and more users will appreciate this model. Check out the Jericho Forum for more on this model.
Cheers,
Gordon
The views expressed here are mine alone and have not been authorized by, and do not necessarily reflect the views of, Citrix.
Typically, an admin who implements the Access Gateway Enterprise Edition (AGEE) finds themselves deciding how to lock down the environment that the users will connect to. I have been asked many times what the "Best Practice" would be to restrict or allow access to their users. What I like to explain is that the normal security guidelines come into play first; however, each environment can differ based on company security policies and application delivery goals.
What I like most about the AGEE, aside from multiple vServers, automated failover, enterprise scalability, policy control, etc., is the flexibility to provide secure remote access to Presentation Server applications without using a "VPN" client. The AGEE's VPN client is called the Secure Access Client (SAC). The SAC is there if needed, and all of the granular access policies can be applied to the full "VPN" tunnel. The flexibility to give users access to just Presentation Server applications and/or a full desktop experience is only outdone by the ease and flexibility of the policies that can determine the user's logon session environment. This is called SmartAccess, and it is performed by the AGEE appliance itself.
The bottom line with using policies is to make sure you start with a solid design. Included in that design should be what kind of users will be connecting and what resources they will need access to. From there, you will need to decide whether you need to run Pre-Authentication Policies to grant/deny access to the logon page, as well as determine the other features that the users will have during their session. In addition, you will need to determine whether you need to set up any policies to run End-Point Analysis after their credentials are entered, to filter Presentation Server applications and/or grant/deny access to other resources, including the entire session.
This is just the beginning; there are many other features provided by the AGEE, as well as many different combinations of how to apply policy and dynamically create the user's logon environment when connecting via the AGEE. I hope after reading this, you too will be excited about the power and flexibility of the AGEE, and remember to keep in mind how important an initial design is to maximize the AGEE's full potential.