The Citrix Blog
Blogs for tag 'policy'

Permalink | Twitter Post to Twitter | Comments (0) | Views (2441) |

posted by Craig Ellrod

NetScaler nCore

Already announced at iForum, but worthy of buzz, is the new multi-core, parallel processing architecture for the Citrix NetScaler released in version 9.1 - nCore Technology. Applications are becoming more dynamic and demanding as we have seen in recent community, social networking and Web 2.0 advancements. Browser request and server response is the old model. Rich interactive applications that provide real-time information require real-time connections between browser and server. Enterprise software vendors such as SAP, Microsoft, Oracle and others understand the need to push toward highly interactive applications that enrich the functionality and user experience.

The richness of experience manifests in several ways:

  • Protocols: New protocols such as Ajax, Comet, Ruby, etc.
  • Connections: Web 2.0 protocols generate more connections between client and server.
  • Chattiness: Web 2.0 protocols initiate more requests between the client and server.
  • Applications: Rich Internet applications such as Flash, Flex and Silverlight make applications engaging and interactive.
  • Clients: Clients are always connected and content needs to be optimized for them (iPhone, Symbian, Blackberry, Palm, Windows Mobile, Internet Explorer, Firefox, Safari).

ADCs need to deliver greater performance and scalability by supporting higher levels of throughput, HTTP requests, concurrent connections and SSL transactions. ADCs need to handle the increase in connections and requests to offload the demands placed on back-end web servers. The demands for caching, compression and application firewalls will increase as well.

In order to meet the increasing demand in application delivery environments, you need the Citrix NetScaler nCore technology.

Tap into the power of AppExpert!


posted by Craig Ellrod

Rate Based Policy Enforcement:

New in NetScaler 9.0 are rate-based policies, which can be used to control, limit and throttle traffic to various servers. Rate-based policies use the advanced expression syntax found in the Policy Infrastructure (PI) format of the NetScaler, which is also new in 9.0.

You can monitor the rate of traffic that flows through virtual servers or other user-defined entities that are associated with different virtual servers, including URLs, domains, and combinations of URLs and domains.

You can control Citrix NetScaler behavior based on the traffic rate, including throttling the traffic flow if it is too high, caching information based on the traffic rate, and redirecting traffic to a new load balancing virtual server based on the traffic rate. You can apply rate-based monitoring to HTTP and DNS requests. You configure traffic rate limit identifiers to monitor the rate of traffic. These identifiers can include filters, known as rate limit selectors, to restrict monitoring (for example, based on IP addresses or subnets). You specify traffic rate limit identifiers in rules for advanced policies in any feature where these identifiers may be useful, including Rewrite, Responder, DNS, and Integrated Caching.

Rate-based monitors can be based on the number of HTTP or DNS requests, number of packets, transactions or amount of bandwidth being used. This is useful for preventing overloads on a network, preventing security attacks, and diverting traffic once it reaches a certain watermark.
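As an added example, not code from the post or from Citrix, the following Python models the mechanism described above: a rate limit identifier counts requests per selector key (client IP plus URL, or a whole /24 subnet) over a sliding window, and a responder-style policy redirects traffic to an overflow server once the threshold is exceeded. The class names, the redirect target and the sample traffic are constructed for the illustration.

```python
"""Rate-based policy enforcement, modelled in Python.

Added example, not NetScaler code. A rate limit identifier counts requests per
selector key over a sliding window, and a responder-style policy chooses an
action (allow or redirect) from whether the observed rate exceeds the threshold.
The class and function names, the redirect target and the sample traffic are
all constructed for this illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class RateLimitIdentifier:
    """Counts events per selector key within a sliding window of period_ms."""

    threshold: int                     # events allowed per period before tripping
    period_ms: int                     # sliding window length in milliseconds
    selector: Callable[[dict], Tuple]  # maps a request to the key it is counted under
    _events: Dict[Tuple, Deque[int]] = field(default_factory=dict)

    def observe(self, request: dict, now_ms: int) -> bool:
        """Record request at now_ms; return True when the rate is exceeded."""
        key = self.selector(request)
        window = self._events.setdefault(key, deque())
        # Expire events older than the window so the count reflects the current rate
        while window and now_ms - window[0] >= self.period_ms:
            window.popleft()
        window.append(now_ms)
        return len(window) > self.threshold


def by_client_ip_and_url(request: dict) -> Tuple:
    """Selector: each client IP gets its own budget per URL."""
    return (request["client_ip"], request["url"])


def by_subnet_24(request: dict) -> Tuple:
    """Selector: all clients in one /24 share a single budget."""
    octets = request["client_ip"].split(".")
    return (".".join(octets[:3]) + ".0/24",)


def rate_policy(identifier: RateLimitIdentifier, request: dict, now_ms: int,
                redirect_to: str = "http://overflow.example.invalid/") -> dict:
    """Responder-style action: redirect to an overflow server when the rate trips."""
    if identifier.observe(request, now_ms):
        return {"action": "redirect", "status": 302, "location": redirect_to}
    return {"action": "allow", "status": 200}


def simulate(requests: List[dict], identifier: RateLimitIdentifier) -> List[str]:
    """Feed constructed traffic through the policy and return the action per request."""
    return [rate_policy(identifier, r, r["t_ms"])["action"] for r in requests]


# Constructed sample traffic: one client sends 8 requests to /login inside one
# second; a second client on the same /24 sends a single request.
SAMPLE_TRAFFIC = [
    {"client_ip": "198.51.100.7", "url": "/login", "t_ms": 100 * i} for i in range(8)
] + [{"client_ip": "198.51.100.9", "url": "/login", "t_ms": 50}]


if __name__ == "__main__":
    per_client = RateLimitIdentifier(threshold=5, period_ms=1000,
                                     selector=by_client_ip_and_url)
    print("per client/URL:", simulate(SAMPLE_TRAFFIC, per_client))
    per_subnet = RateLimitIdentifier(threshold=5, period_ms=1000, selector=by_subnet_24)
    print("per /24:       ", simulate(SAMPLE_TRAFFIC, per_subnet))
```

Running the two identifiers over the same traffic shows why the selector matters: keyed per client and URL, only the noisy client is redirected; keyed per /24, the quiet neighbour is redirected too because it shares the subnet's budget.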

More on Rate-Based Policy Enforcement can be found in the NetScaler Traffic Management Guide.

Tap into the power of AppExpert!


posted by Nina Wishbow

What's New

This release provides many enhancements to the policy infrastructure, including:

  • Policies for analyzing the traffic rate
  • Policies for sending queries to an external application
  • Graphical tools for easier creation of policies (see the enclosed video tip for a demo)
  • Configuration of policy labels and policy banks
  • Policy expression parameters for analyzing new types of data, including IPv6 addresses
  • New documentation for policies and expressions

Policies to Analyze the Traffic Rate

You can configure policies that parse the request rate or bandwidth usage. The most popular uses for policies based on traffic rate include limiting access to virtual servers or any other user-defined entity, and preventing network overload. You can configure NetScaler features to perform any other supported action based on the traffic rate, for example, redirecting traffic if the rate exceeds a particular threshold.

In this release, you can configure rate-based policies based on the following:

  • The number of HTTP requests that the NetScaler intercepts
  • The number of DNS requests that the NetScaler intercepts
  • The bandwidth usage

Policies to Send HTTP Requests to Remote Applications

You can configure HTTP callout policies to obtain information from external applications and parse the responses. For example, if a server makes a request, you can use an HTTP callout request to determine if this server is on a "deny access" list. The HTTP callout request can send the requesting server's domain to an application that looks up bad domains from a list. When the application sends a response to the NetScaler, the HTTP callout policy can extract the "allowed" or "denied" determination from the response.

To deploy the HTTP callout policy, you also create an agent in front of the application to format the HTTP callout request for the application. When the application returns a response, the agent formats the response for the NetScaler, so that the callout policy can extract data of interest from the response.

You can invoke HTTP callout policies from any other type of NetScaler advanced policy using the expression prefix SYS.HTTP_CALLOUT. For example, you can invoke an HTTP callout policy from a rewrite action and insert the value that is returned by the callout in an HTTP response header.
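To make the round trip concrete, here is an added Python example (not NetScaler code or a Citrix artifact) that plays out both sides of the exchange: the callout request the policy would send, the agent fronting the deny-list application, and the extraction of the verdict that a rewrite action then inserts into a response header. The agent hostname, the /check path, the X-Callout-Verdict header name and the deny list are constructed.

```python
"""HTTP callout exchange, modelled end to end in Python.

Added example, not NetScaler code. It plays out both sides of the exchange the
post describes: the callout request the policy would send, the agent that sits
in front of a deny-list application and formats the answer, and the extraction
of the verdict that a rewrite action then places in a response header. The
agent hostname, the /check path, the X-Callout-Verdict header and the deny
list are constructed for this illustration.
"""
import json
from urllib.parse import parse_qs, quote, urlsplit

AGENT_HOST = "callout-agent.example.invalid"          # constructed
DENY_LIST = frozenset({"bad.example", "evil.test"})   # constructed


def build_callout_request(domain: str) -> bytes:
    """Policy side: format the callout as GET /check?domain=<domain> to the agent."""
    return (f"GET /check?domain={quote(domain, safe='')} HTTP/1.1\r\n"
            f"Host: {AGENT_HOST}\r\nConnection: close\r\n\r\n").encode()


def agent_handle(raw_request: bytes, deny_list=DENY_LIST) -> bytes:
    """Agent side: parse the callout, consult the list, answer with JSON."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = request_line.split(" ")
    target = urlsplit(parts[1]) if len(parts) == 3 else urlsplit("")
    domain = parse_qs(target.query).get("domain", [""])[0].lower().rstrip(".")
    if parts[0] != "GET" or target.path != "/check" or not domain:
        status, body = "400 Bad Request", json.dumps({"error": "bad request"}).encode()
    else:
        # Deny when the domain itself or any parent domain is on the list
        labels = domain.split(".")
        denied = any(".".join(labels[i:]) in deny_list for i in range(len(labels)))
        status = "200 OK"
        body = json.dumps({"domain": domain,
                           "verdict": "denied" if denied else "allowed"}).encode()
    return (f"HTTP/1.1 {status}\r\nContent-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode() + body


def extract_verdict(raw_response: bytes) -> str:
    """Policy side: pull "allowed" or "denied" out of the agent's response.

    Anything else (non-200 status, malformed JSON, unexpected value) becomes
    "error", so a broken callout cannot be read as "allowed" by mistake.
    """
    head, _, body = raw_response.partition(b"\r\n\r\n")
    status_parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(status_parts) < 2 or status_parts[1] != b"200":
        return "error"
    try:
        verdict = json.loads(body).get("verdict")
    except (ValueError, AttributeError):
        return "error"
    return verdict if verdict in ("allowed", "denied") else "error"


def lookup_domain(domain: str, deny_list=DENY_LIST) -> str:
    """Run one complete callout round trip and return the verdict."""
    return extract_verdict(agent_handle(build_callout_request(domain), deny_list))


def rewrite_with_callout(response_headers: dict, requesting_domain: str) -> dict:
    """Rewrite action: copy the headers and add X-Callout-Verdict from the callout."""
    headers = dict(response_headers)
    headers["X-Callout-Verdict"] = lookup_domain(requesting_domain)
    return headers


if __name__ == "__main__":
    for d in ("www.bad.example", "good.example", "evil.test."):
        print(d, "->", lookup_domain(d))
    print(rewrite_with_callout({"Content-Type": "text/html"}, "www.bad.example"))
```

The agent is the piece the post says you deploy in front of the application: it owns the request format and the response format, so the policy only has to know how to extract one field. Because extract_verdict returns "error" for anything other than a clean allowed/denied answer, the calling policy can decide to fail closed when the callout misbehaves.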

Policy Banks and Policy Labels

This release introduces new methods for configuring collections of advanced policies known as policy banks. Policy banks are groups of policies that share the same bind point:

  • Built-in bind points are global or specific to a virtual server.
  • A user-defined bind point is known as a policy label.

After you create a policy label and bind policies to it, you invoke the policy label (and its associated policies) from one of the built-in bind points. If you bind policies to a virtual server, you can also invoke the virtual server's policy bank from any other policy bank. You can invoke a policy label or policy bank either when binding a policy or by specifying a new "NOPOLICY" placeholder that performs the invocation without processing a rule.

As part of policy bank configuration you can also create an arbitrary evaluation order by specifying Goto expressions.

A new graphical tool called the Policy Manager simplifies configuration of policy banks and invocation of policy labels.
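As an added example, not code from the post or from the NetScaler itself, the following Python models the control flow just described: bindings in a bank are evaluated in priority order (spaced in increments of 10, as the FAQ post further down this page notes), a match collects the action and may invoke a policy label, and the Goto value selects what runs next (NEXT, END, or a jump to a later priority). A binding with no rule stands in for the NOPOLICY placeholder. The bank names, labels, rules and actions are constructed.

```python
"""Policy bank evaluation with priorities, Goto expressions and policy labels.

Added example, not NetScaler code. It models the control flow the post
describes: bindings in a bank are evaluated in priority order; on a match the
action is collected, an optional policy label is invoked, and the Goto value
decides what runs next (NEXT, END or a jump to a later priority). A binding
with no rule stands in for the NOPOLICY placeholder. Bank names, policy
labels, rules and actions are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union


@dataclass
class Binding:
    priority: int
    rule: Optional[Callable[[dict], bool]]  # None models NOPOLICY (always invokes)
    action: Optional[str] = None
    goto: Union[str, int] = "NEXT"          # "NEXT", "END" or a later priority number
    invoke: Optional[str] = None            # policy label to evaluate on a match


class PolicyEngine:
    def __init__(self) -> None:
        self.banks: Dict[str, List[Binding]] = {}

    def bind(self, bank: str, binding: Binding) -> None:
        """Add a binding; priorities in a bank are unique and Goto must move forward."""
        entries = self.banks.setdefault(bank, [])
        if any(b.priority == binding.priority for b in entries):
            raise ValueError(f"priority {binding.priority} already used in {bank}")
        if isinstance(binding.goto, int) and binding.goto <= binding.priority:
            raise ValueError("numeric Goto must point at a higher priority")
        entries.append(binding)
        entries.sort(key=lambda b: b.priority)

    def evaluate(self, bank: str, request: dict, depth: int = 0) -> List[str]:
        """Return the actions selected for request, in evaluation order."""
        if depth > 8:  # guard against labels that invoke each other
            raise RecursionError("policy label invocation nested too deeply")
        entries = self.banks.get(bank, [])
        actions: List[str] = []
        i = 0
        while i < len(entries):
            b = entries[i]
            if b.rule is not None and not b.rule(request):
                i += 1
                continue
            if b.action:
                actions.append(b.action)
            if b.invoke:
                actions.extend(self.evaluate(b.invoke, request, depth + 1))
            if b.goto == "END":
                break
            if b.goto == "NEXT":
                i += 1
            else:  # jump to the first binding whose priority is >= the Goto value
                i = next((j for j, c in enumerate(entries) if c.priority >= b.goto),
                         len(entries))
        return actions


def build_sample_engine() -> PolicyEngine:
    """Constructed response-side bank for a web vserver plus one policy label."""
    def is_pdf(r): return r["url"].lower().endswith(".pdf")
    def is_admin(r): return r["url"].startswith("/admin/")
    def is_html(r): return r.get("content_type", "").startswith("text/html")
    def always(r): return True

    engine = PolicyEngine()
    bank = "rs_vserver_web"            # vserver bind point (constructed name)
    engine.bind(bank, Binding(100, is_pdf, "compress_pdf"))
    engine.bind(bank, Binding(110, is_admin, "add_no_cache_header", goto=200))
    engine.bind(bank, Binding(120, always, "add_debug_header"))
    engine.bind(bank, Binding(200, None, invoke="lbl_security_headers", goto="END"))
    # Policy label: a user-defined bind point invoked from the bank above
    engine.bind("lbl_security_headers", Binding(10, always, "add_hsts"))
    engine.bind("lbl_security_headers", Binding(20, is_html, "add_csp", goto="END"))
    return engine


if __name__ == "__main__":
    eng = build_sample_engine()
    print(eng.evaluate("rs_vserver_web", {"url": "/admin/report.pdf",
                                          "content_type": "application/pdf"}))
    print(eng.evaluate("rs_vserver_web", {"url": "/index.html",
                                          "content_type": "text/html"}))
```

For an admin PDF the Goto of 200 on priority 110 skips the debug-header policy at 120 entirely and lands on the NOPOLICY entry, which only invokes the label; for an HTML page the bank runs straight through. Requiring a numeric Goto to point forward is what keeps a bank from looping.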

Policy Manager and Other Usability Enhancements

In this release, some applications provide a specialized Policy Manager in the NetScaler configuration utility to simplify binding policies to an invocation point or a user-defined policy label, assigning priorities to policies, and viewing the different policy banks that are configured in the feature. The Policy Manager also enables you to find and delete policies and actions that are not being used. As of release 9.0, the Policy Manager is available for the Rewrite, Integrated Caching, and Responder features.

In addition, the configuration utility simplifies the task of viewing policy bindings to vservers. A Visualizer in the Load Balancing and Content Switching features enables you to view policy bindings as well as service and monitor bindings.

See the enclosed video tip for a demo of the Policy Manager.

New Parameters for Classic and Advanced Expressions

New expression parameters have been provided for parsing additional types of data, including:

  • IPv6 addresses
  • String sets (comparisons with any or all strings in a set)
  • Caching headers
  • Dates and times
  • File system information (files, directories, file system commands)

Policy Configuration and Reference Guide

A new policy guide provides comprehensive information on all the available parameters for advanced and classic policies and configuration instructions. This guide is available from the Documentation tab in the NetScaler configuration utility.

Video Tips

Video tip 1: Using the Policy Manager to add the first policy in a policy bank:

Video tip 2: Using the Policy Manager to add a second policy and order the policies in the bank:


posted by Craig Ellrod

In the Application Expert series part 2, Caching, I released a Deployment Guide discussing Static and Dynamic Caching.  As we are partners with Microsoft, we recently did some work here internally setting up some Dynamic Caching for an ASP.NET application and thought we would share the knowledge. This Caching Deployment Guide for ASP.NET Web Applications discusses the way an Application Expert would find out the potential caching scenarios that a web application can benefit from, and shows how to create and test the NetScaler caching policies and settings to put these scenarios into effect.

Tap into the power of AppExpert!


posted by Craig Ellrod

As an addendum to the Citrix NetScaler Policy Engine post I wrote recently, I pulled together some Frequently Asked Questions (FAQ) pertaining to the Policy Engine (PE). Policies are used to configure various Citrix NetScaler Application Switch features, and are executed in the order of their priorities. The priorities are configurable and increment in units of 10.

Watch this Policy Priority Tip:


Tap into the power of AppExpert!


posted by Craig Ellrod

Policies are used to configure various Citrix NetScaler Application Switch features. For example, the parameters for compressing content are defined in a compression policy.

The features that use policies are:

  • Load Balancing
  • Content Switching
  • Content Filtering
  • AppCompress
  • Cache Redirection
  • SSL VPN
  • Priority Queuing
  • DoS Protection
  • Sure Connect

Policy expressions are applied to content that enters the switch. Expressions are shared among features, but actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system. You can then create a compression policy that uses this expression to compress those files. The Policy Engine (PE) refers to the architecture in the Citrix NetScaler Application Switch for versions up to 8.x. The architecture of the Policy Engine and the manner in which it operates are presented in this Deployment Guide. Did you know that each feature in the Citrix NetScaler Application Switch is processed in a certain order, and that the Policy Engine (PE) applies policy according to that order? That order is represented in this diagram and discussed in the Deployment Guide for Policy Engine (PE).

Watch this Policy Engine Tip:

Tap into the power of AppExpert!


posted by Craig Ellrod

As web applications grow in complexity, the art of accelerating them seems to remain the same. This art is performed by applying some basic concepts to the application; that is, Caching, Compression, Load Balancing, Global Server Load Balancing, SSL Offload & Acceleration, Content Switching, TCP Multiplexing and SSL Session Reuse.

Citrix® is a leader in Gartner's Magic Quadrant for Application Delivery with its flagship appliance NetScaler®. NetScaler accelerates web application performance by leveraging multiple acceleration technologies and innovative TCP optimizations.

Whether you are building out a new datacenter and architecting it the right way, or retrofitting an existing datacenter, Citrix NetScaler will perform and keep costs down. Whether you are looking to accelerate legacy enterprise applications such as Oracle or SAP, or building a new web 2.0 social community, Citrix NetScaler contains all of the tools to get you there.

Citrix NetScaler web application delivery solutions are purpose-built appliances that accelerate application performance while simultaneously reducing datacenter costs and improving web application security. Platforms range from the entry-level 7000 to the latest MPX-series appliances that provide an industry-leading 15 Gbps of throughput at Layers 4 through 7.

There's more here: Case Studies, White Papers, Analysts, Datasheets

Check out the new MPX!

Buy it here!

Tap into the power of AppExpert!


posted by Craig Ellrod

Becoming an Application Expert means that you can profile an application and quickly determine how it can be architected or re-constructed for higher performance. Of course, we want you to use the Citrix Application Switch as part of the architecture. In Part 1, we learned how to profile an application to learn what it looks like as the traffic flows through the Citrix Application Switch. Now we will determine what parts of an application are cacheable and what parts are non-cacheable.

By application profiling we can determine which parts of the application are cacheable and non-cacheable just by looking at the request and response headers. The application will sometimes tell you through its "Cache-Control" header directives. Some content that we just know is static and doesn't ever change we can consider cacheable as static content. Content that changes, such as reports, is often considered non-cacheable, but with the help of Selectors and Dynamic Content Groups in the Citrix NetScaler, this content can be cached. As a proof of concept, we deployed the Citrix NetScaler Application Switch in front of the Oracle E-Business Suite v12 application and implemented caching policies for both static and dynamic content. As it turns out, a lot of static content is cached by default policies, and setting up dynamic policies is not that difficult. To see how, read the Caching Deployment Guide for Oracle E-Business Suite v12.

Watch this Caching Tip:

Tap into the power of AppExpert!



This is my first blog entry in this new AppExpert Community site.

I am excited that we are now ready to tap into the power of the community to spread the knowledge power of AppExpert amongst the user base of Citrix application networking products!

The first thing I would like to share is my core belief in the strength of the AppExpert Policy system, which is its ability to provide powerful, extensive, flexible and expressive policy control while keeping the simple tasks extremely simple.

AppExpert blends the power of extremely advanced application layer policy control with point-and-click ease of use in its declarative rule-setting model. Also, while administrators can compose very complex expressions and combine them into powerful predicates and rule sequences, AppExpert does not forget to keep simple things simple - rules that are needed most often are often just a click or two away!

This is in keeping with my often expressed analogy of the Digital SLR camera model of admin interfaces. (Yes, my esteemed colleagues are indeed quite sick of hearing me expound on this analogy, but I will do so here for this new audience!)

Even the most complex Digital SLR cameras come with a fully automatic "A" mode for point-and-shoot simplicity, while presenting a "PA" mode for more advanced users who want to customize only a couple of key settings, and a fully custom "M" (manual) mode for full power and control of all the aperture, speed, lens, focus etc. settings of the camera.

AppExpert similarly makes it a quite simple click for simple content switching type rules. But it goes on to provide the full power of pattern matching, predicates and rule sequences for the more advanced users.

Granted, it does not provide the "M" mode of a "Turing-complete" programming language or custom script exits - yet. The reason is that Citrix architects have wanted to first natively provide the advanced capabilities in the PA mode, rather than just punting the task of key application layer policy rules to be programmed in scripting languages by the administrator without first carefully understanding the customer requirements.

Other systems have jumped to "outsource" development of such policy capabilities to their users, thus subjecting them to the rigors of hiring programming and scripting experts even for simple app layer rules! And, sometimes they claim to provide a grab bag of such scripts on web sites to copy and paste for their use. That's great, but have they stopped to think: if that's the way someone can set up rules for their system without a scripting expert, what happens when something breaks in that script or it is not 100% suited to their specific installation? Who troubleshoots when things go bump in the middle of the night or user traffic shoots up on a popular web 2.0 application and the script breaks?! Further, most often such scripting systems provide a level of performance that is an order of magnitude slower than the native rules. So while tempting with complete freedom, these scripting environments very often flatter to deceive, and are unsuitable for many demanding, high throughput applications.

Citrix architects have taken the approach of providing the best of both worlds by providing powerful capabilities within the native AppExpert system so that even very demanding policies can be set using the visual, declarative point and click paradigm. And, these rules execute at the speed of the core switching engine, preserving the high throughputs. This means that customers can achieve what they need with the robustness and speed and express it with the ease of a visual+declarative interface and leave it to the system to carry out their wish in the fastest possible way. The engine keeps getting optimized, so they continue to get performance improvements as well, completely transparently. With a script, they have to reprogram, retest, and suffer through a new test of hard to troubleshoot corner case bugs!

But does that mean that AppExpert will never ever offer the M mode? To the contrary. Long time users of AppExpert will note that it has consistently evolved release after release to include more powerful features and more flexible capabilities. This will continue and AppExpert will add more flexible and extensible policy capabilities.

Moreover, the Citrix architects are carefully examining a structured way to allow customers to leverage their investments in gateway logic to be applied to customize policy processing. You all will hear more about it as the plans get more concrete and closer to fruition.

Watch this space for exciting AppExpert improvements in a Citrix app networking system near you!

Prabakar Sundarrajan
CTO, Application Networking Group,
Citrix Systems, Inc
 


posted by Craig Ellrod

Application Profiling

Introduction:

I can turn you into an Application expert in 5 minutes by reading this post.  Just do what the experts do, or even the not-so-experts.  They pay meticulous attention to the requests from clients and the responses from servers, both headers and body content.  You do this the old fashioned way by taking a trace.  There are better tools out there, some free, some not-so-free.

Running a trace:

Running a trace will help you 'profile' the application. It is recommended that you do this before placing the Citrix Application Switch in-line with the application traffic. This will gather important information about the application that will help you understand its basic operation at Layer 7, and help you begin to understand what needs to be accelerated - cached, compressed, load balanced, SSL offloaded, etc.

Running a trace exposes the flow of transactions between all points of interest. Traces are especially helpful when digging in to find what is contained within the headers being exchanged between the client and the application.

Taking a trace with wireshark:

The free network protocol analyzer Wireshark, http://www.wireshark.org, will capture packets for you on the localhost, whether it's Windows or Linux. By filtering the stream of packets by IP address, right-clicking and selecting 'Follow TCP Stream' inside Wireshark, you can see the headers for both requests and responses.

Wireshark tip 1
Find the first 'SYN' in the stream, right click, 'Follow TCP Stream'.


Wireshark tip 2
Client requests are in Red, Server responses are in Blue.
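As an added example, not code from either post or from Citrix, the following Python does by hand what the caching post above (reading Cache-Control directives to separate static, dynamic and non-cacheable content) and this profiling post (reading request and response headers from a followed TCP stream) describe: it splits a followed stream into client requests and server responses, pairs them into transactions and classifies each one. The stream, host name and URLs are constructed.

```python
"""Profiling an application from captured HTTP headers.

Added example, not from the post or from Citrix. It takes the text of a
followed TCP stream (constructed here: headers plus short bodies), separates
client requests from server responses, pairs them into transactions and
classifies each response the way the caching post describes: static content
cacheable as-is, dynamic content that would need selector-based caching, and
content whose Cache-Control directives rule caching out. The host name and
URLs in the sample stream are constructed.
"""
import re
from typing import Dict, List, Tuple

Message = Tuple[str, Dict[str, str]]   # (start line, lower-cased headers)

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
STATIC_SUFFIXES = (".css", ".js", ".gif", ".png", ".jpg", ".ico")
NO_CACHE_DIRECTIVES = {"no-store", "no-cache", "private"}


def parse_messages(stream: str) -> List[Message]:
    """Split a followed TCP stream into messages; body lines are skipped."""
    messages: List[Message] = []
    in_headers = False
    for line in stream.splitlines():
        if REQUEST_LINE.match(line) or STATUS_LINE.match(line):
            messages.append((line, {}))   # a start line opens a new message
            in_headers = True
        elif in_headers:
            if line == "":
                in_headers = False        # blank line ends the header block
            else:
                name, sep, value = line.partition(":")
                if sep:
                    messages[-1][1][name.strip().lower()] = value.strip()
    return messages


def pair_transactions(messages: List[Message]) -> List[Tuple[Message, Message]]:
    """Pair each request with the response that follows it on the stream."""
    pairs, pending = [], None
    for msg in messages:
        if REQUEST_LINE.match(msg[0]):
            pending = msg
        elif pending is not None:
            pairs.append((pending, msg))
            pending = None
    return pairs


def classify(request: Message, response: Message) -> Dict[str, object]:
    """Decide whether a transaction looks static, dynamic or non-cacheable."""
    method, url = REQUEST_LINE.match(request[0]).group(1, 2)
    status = STATUS_LINE.match(response[0]).group(1)
    directives = {d.strip().split("=")[0].lower()
                  for d in response[1].get("cache-control", "").split(",") if d.strip()}
    path = url.split("?", 1)[0].lower()
    if method != "GET" or status != "200":
        verdict, reasons = "non-cacheable", [f"{method} {status}"]
    elif directives & NO_CACHE_DIRECTIVES:
        verdict, reasons = "non-cacheable", sorted(directives & NO_CACHE_DIRECTIVES)
    elif ("max-age" in directives or "public" in directives
          or "expires" in response[1] or path.endswith(STATIC_SUFFIXES)):
        verdict, reasons = "static", ["explicit freshness or static file type"]
    elif "set-cookie" in response[1] or "cookie" in request[1]:
        # Per-user content: cacheable only with a selector keyed on the session
        verdict, reasons = "dynamic", ["session-bound; needs a selector"]
    else:
        verdict, reasons = "dynamic", ["no caching directives"]
    return {"url": url, "status": status, "verdict": verdict, "reasons": reasons}


def profile_stream(stream: str) -> List[Dict[str, object]]:
    """Profile every request/response pair found in the stream."""
    return [classify(req, resp) for req, resp in pair_transactions(parse_messages(stream))]


# Constructed stream in the form Wireshark's 'Follow TCP Stream' shows it
SAMPLE_STREAM = (
    "GET /static/logo.gif HTTP/1.1\r\nHost: portal.example.invalid\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nCache-Control: public, max-age=86400\r\n"
    "Content-Length: 4\r\n\r\nGIF8\r\n"
    "GET /reports/monthly.jsp?id=42 HTTP/1.1\r\nHost: portal.example.invalid\r\n"
    "Cookie: JSESSIONID=constructed\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 4\r\n\r\n<p>1\r\n"
    "GET /account HTTP/1.1\r\nHost: portal.example.invalid\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: private, no-store\r\n"
    "Set-Cookie: sid=constructed\r\n\r\n"
)

if __name__ == "__main__":
    for entry in profile_stream(SAMPLE_STREAM):
        print(entry["verdict"].ljust(14), entry["url"], entry["reasons"])
```

The three verdicts map onto the caching post's categories: the logo is static and a default policy would take it; the report is dynamic, the kind of per-session content a selector and dynamic content group can still cache; the account page says private and no-store and should be left alone.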


Taking a trace with the Citrix Application Switch:

If the Citrix Application Switch is already in place, a trace can be run directly on it. Running a trace exposes the flow of transactions between all points of interest, especially the client, load balancing VIPs and backend servers. Traces are especially helpful when digging in to find out whether the proper headers are being exchanged between client and VIP and between VIP and backend servers. Once downloaded, the trace file can be opened and the request and response headers read with Wireshark, a free network trace utility, http://www.wireshark.org. From the Citrix Application Switch GUI, navigate to NetScaler -> System -> Diagnostics -> New Trace -> Run.

Viewing headers with Paros:

Paros was originally written for web security, but has value when viewing request and response headers, cookies and the like. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted. There is an additional option of trapping and modifying data before sending it on to the server or client. Paros can be found at http://parosproxy.org. Free.

Viewing headers with Live HTTP Headers:

Live HTTP Headers, http://livehttpheaders.mozdev.org/, was developed for use with the Firefox web browser. It is a free add-on and allows you to view HTTP header information in real time. Free.

Viewing headers with IE Analyzer:

IEInspector HTTP Analyzer, http://www.ieinspector.com, is a tool that allows you to monitor, trace, debug and analyze HTTP/HTTPS traffic in real-time. It works with Microsoft Internet Explorer. Not-Free.

Viewing headers with IE Watch:

IEWatch, http://www.iewatch.com, is another plug-in for Microsoft Internet Explorer that helps you profile your web applications. You can use this tool to dig deep into the inner workings of web applications to find hidden issues. Not-Free.

Watch this Application Profiling Tip:

Tap into the power of AppExpert


posted by Craig Ellrod

The SAP Enterprise Service Oriented Architecture (SOA) provides a blueprint for services-based, enterprise scale business solutions that are adaptable, flexible, and open. Enterprise Services Architecture takes the concept of service-oriented architecture to a new level by transforming Web services into enterprise services. Bringing Citrix and SAP Enterprise Services Architecture together reduces the dependence on customized applications, and increases flexibility and reduces time to deployment while reducing operational expenses.


This Citrix / SAP Enterprise SOA Deployment Guide was created out of a joint engagement between Citrix and SAP at the Co-Innovation Laboratory in Palo Alto, California, USA. This deployment guide walks through the step-by-step configuration details of how to configure the Citrix NetScaler for use as front-end to SAP Portal for end-user traffic, that is HTTP ~ HTML. To further complement the value of the Enterprise SOA, this guide walks through the details of how to configure the Citrix NetScaler for use as a front-end to the SAP Composite Application Framework and SAP ERP Web Services platforms, providing a flexible load balancer and HTTPS encryption point for machine to machine web service traffic. With this deployment Citrix becomes an integral and flexible part of the SAP Enterprise SOA "Applistructure" bringing together applications and technology for a fast, flexible and highly effective service oriented IT infrastructure.


Watch this Load Balancing Tip:



Tap into the power of AppExpert


posted by Craig Ellrod

We recently had a meeting with a large partner of ours and they handed down some hefty requirements.  An average of 100 partners using their portal on any given month to access their development environments on the backend.  It was clear that NetScaler could scale, but the question was how to keep all of those partners separated from each other, without them peeking into each others traffic. It turned out to be easier than we thought using the NetScaler as an SSL VPN with the addition of some policies bound to each partner's user group.  The following is an overview of the network diagram, and there are some deployment guides to walk you through these installations. 


The Citrix SSL VPN CPS Deployment Guide walks you through deploying NetScaler SSL VPN as an ICA Proxy and authentication point.  It then walks you through deploying Citrix Presentation Server and the steps necessary to connect the SSL VPN to the CPS Applications.  The guide includes Session policies which direct users upon authentication to specific CPS farms on the backend of the NetScaler SSL VPN.  Think of it as an authentication portal.

The Citrix SSL VPN Deployment Guide walks you through deploying NetScalers as an HA Pair, and then as an SSL VPN with ICA Proxy OFF.  The intention was to use the SSL VPN for regular VPN traffic, and not Citrix Presentation Server traffic.  Just as well, policies can be combined on the same NetScaler Application Switch to allow both non-CPS and CPS traffic to traverse the same SSL VPN.

Tap into the power of AppExpert


posted by Damian Hanna

The views expressed here are mine alone and have not been authorized by, and do not necessarily reflect the views of, Citrix.

Typically, an admin who implements the Access Gateway Enterprise Edition (AGEE) finds themselves deciding how to lock down the environment that the users will connect to. I have been asked many times what the "Best Practice" would be to restrict or allow access to their users. What I like to explain is that the normal security guidelines come into play first; however, each environment can differ based on company security policies and application delivery goals.

What I like most about the AGEE, aside from multiple vServers, automated failover, enterprise scalability, policy control, etc., is the flexibility to provide secure remote access to Presentation Server applications without using a "VPN" client. The AGEE's VPN client is called the Secure Access Client (SAC). The SAC is there if needed, and all of the granular access policies can be applied to the full "VPN" tunnel. The flexibility to give users access to just Presentation Server applications and/or a full desktop experience is only outdone by the ease and flexibility of the policies that can determine the user's logon session environment. This is called SmartAccess and it gets performed via the AGEE appliance itself.

Bottom line with using policies is to make sure you start with a solid design.  Included in that design should be what kind of users will be connecting and what resources they will need access to.  From there, you will need to decide on if you need to run Pre-Authentication Policies to grant/deny access to the logon page as well as determining other features that the users will have during their session.  In addition, you will need to determine if you need to setup any policies to run End-Point Analysis after their credentials are entered to filter Presentation Server applications and/or grant/deny access to other resources, including the entire session.

This is just the beginning; there are many other features provided by the AGEE, as well as many different combinations of how to apply policy and dynamically create the user's logon environment when connecting via the AGEE. I hope after reading this, you too will be excited about the power and flexibility of the AGEE, and remember to keep in mind how important an initial design is to maximize the AGEE's full potential.
