
Citrix XenApp 5 Feature Pack 2 for Windows Server 2003 has a very cool feature called Secure Clipboard Control. The technical folks may know this feature as "Read-Only Client Drive Mapping and Clipboard", but the end results are the same: it further mitigates risks of data leakage.
Granting remote users CDM access is great because they can open local files with server published apps. But they also have the ability to save server documents locally thereby increasing the probability that confidential data leaks out beyond the enterprise. Some customers have tried to tackle this problem by disabling CDM and clipboard altogether, but that does not offer users flexibility - what if administrators want to only let users save documents back on the server? This is where the new Secure Clipboard Control setting can help. It is a really simple feature for administrators to configure, yet provides an added level of flexibility (users can save documents to the server, but cannot save documents to the local device) administrators didn't have before.
To enable read-only client drive mapping, in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdm\Parameters create a DWORD value with value name ReadOnlyMappedDrive and value data 1.
To enable the one-way clipboard, in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard create a DWORD value with value name ReadOnly and value data 1.
After rebooting the server all users that connect will only be able to read documents from their mapped drives and will only be able to copy and paste text into a published application. Data that is copied into the published application clipboard (via CTRL-C) will not show up in the client's clipboard paste buffer. Whenever the user tries to save a file to a mapped drive they will get an error saying they don't have permission to write to the location because XenApp has the drive open in read-only mode.
For now both settings are server wide so remote users will have to be confined to specific machines where the settings are enabled. You can find out more about this feature at CTX123002 and in Citrix eDocs here.
Learn more about Citrix XenApp 5 Feature Pack 2
- Official Press Release - http://citrix.com/English/NE/news/news.asp?newsID=1857726
- XenApp 5 Feature Pack 2 release Web Site - http://citrix.com/xenapp/featurepack2
- XenApp 5 Feature Pack 2 Executive Video - http://citrix.com/xenapp/fp2/video
- XenApp 5 Feature Pack 2 Release Webinar - http://citrix.com/xenapp/fp2/techtalk
- XenApp feature matrix by platform, version and edition - http://citrix.com/xenapp/comparativematrix
- XenApp Expert Series videos for this release - http://citrix.com/xenapp/fp2/expertseries
- XenApp 5 Feature Pack 2 Blogs- http://community.citrix.com/blogs/tag/xa5fp2
- Download XenApp technology previews - http://citrix.com/xenapp/techpreviews
- XenApp Product Page - http://citrix.com/xenapp/
Mac users out there have long been asking and waiting for a rich and secure remote access experience with Access Gateway solutions. Now the wait is over. Mac users can download the Access Gateway plug-in for Mac from MyCitrix.
The Access Gateway team has made the Mac OS X plug-in available for Access Gateway 4.6 Standard Edition and Access Gateway 9.1 Enterprise Edition:
- The user experience of the plug-in conforms to the native Mac experience, providing rich user experience.
- Mac users can securely connect to their remote applications, leveraging pre- and post-authentication endpoint scans to conform to their corporate security policies. For stronger security, when the remote Mac user logs off, the plug-in also destroys any session data (cache, cookies, etc.) on the client.
- With globalization features, the plug-in brings this new experience to English, French, German, Spanish and Japanese users.
If you are a Mac user, I encourage you to go to the downloads section on MyCitrix and select Citrix Access Gateway from the drop-down menu of "Search Downloads by Product", then find "Access Gateway Plug-in for Mac OS X, Version 1.0.2.23" under the Clients section.
If you are using this new plug-in, please share your experience with me and what you would like to see next.
Sai
Ever got frustrated with how long it takes to email a large report or presentation after incorporating your manager's feedback? Or found yourself in a plane wishing the email downloaded faster when the flight attendant asks you to turn off your 3G-equipped laptop? Or wished for a solution that could deliver email 50 times faster?
Did you know our WAN optimization solution, Citrix Branch Repeater, delivers superior user experience and application performance not only for branch office users but also for remote and teleworkers?
No one feels the need for speed more than a remote user or a teleworker with a low-bandwidth or high-latency network connection. These users typically use an SSL VPN, such as Citrix Access Gateway, to connect to their corporate network and access email, intranet portals, other applications and data. When your IT augments the secure remote access (Access Gateway) infrastructure with Branch Repeater, you benefit from both secure and accelerated remote access.
Well, now we have two reports that demonstrate ways to use Branch Repeater to augment your Access Gateway infrastructure and the resulting benefits of accelerating secure remote access.
You can download the Turbocharge Access Gateway Performance Report - CTX121034 from the Citrix Knowledge Center. The report explores the benefits of using Access Gateway and Repeater plug-ins for Citrix Receiver together:
• 50x faster Microsoft Outlook and Exchange (MAPI) workflows
• 50x faster Microsoft SharePoint (HTTP) workflows
• 30x faster Windows File Shares (CIFS) workflows
I think you will want to try out the benefits of turbocharged remote access. Check out the Turbocharge Access Gateway Deployment Guide and Reference Architecture - CTX121035 if you want to conduct a POC (proof of concept) or a demo to convince your IT or other decision makers. You will be your end-users' hero for providing them with accelerated yet secure remote access.
Earlier this week, we launched version 1.0.2 of the Citrix Receiver for iPhone. Citrix Access Gateway expands support for Receiver to connect to Access Gateway Enterprise Edition (versions 8.1.57 / 9.0.69 / 9.1.95) in addition to the Access Gateway Standard Edition that was already available. With this release, Access Gateway further enhances mobility by offering secure mobile access on iPhone for the Enterprise Edition.
Citrix Receiver is our lightweight software client that makes accessing virtual applications and desktops on any device simple and easy. It brings together multiple application delivery clients in one single client - all updated automatically, while greatly simplifying client distribution and updates for the IT administrators.
If you are an iPhone user, you will find this latest release very useful. The app is now available to the general public via AppStore on your iPhone or iPod Touch. More importantly, as a corporate user, you will find Doc Finder a 'must-have' for your iPhone. Part of Citrix Receiver, Doc Finder provides fast, one-click access to important documents stored on the corporate network. You can even join a webinar from anywhere - straight from your iPhone. Since these documents are stored in the datacenter and delivered over a secure encrypted link, data and applications always remain completely secure.
Best,
Sai
I am glad to share with you all the news about our Citrix Branch Repeater 5.5. Building on our momentum with XenApp optimization (via the ICA acceleration feature) released earlier this year, we announced today the availability of our newest Citrix Branch Repeater 5.5. Among the many benefits this release delivers, check out the following key highlights:
- Microsoft Exchange (MAPI) optimization accelerates Exchange email for branch and mobile users by up to 50X while reducing bandwidth consumption. You also get these benefits if you are streaming Microsoft Outlook with XenApp or Microsoft App-V because streamed Outlook application behaves just like a native application from a network perspective - a streamed Outlook will talk MAPI to the Exchange server in the datacenter. Here is a sneak peek of email acceleration benefits from an upcoming performance whitepaper (available soon):

- Branch Repeater with Windows Server 2008 enables consolidation of essential branch services with Microsoft's most advanced server operating system - Windows Server 2008. Customers now have a choice of deploying Branch Repeater appliances built on either Windows Server 2003 or Windows Server 2008. As before, we continue to offer the non-Windows version of Branch Repeater as well.
- Of the many powerful capabilities in the Windows Server 2008 operating system, the Read-Only Domain Controller (RODC) feature is one I would like to highlight. RODC allows you to securely deploy Domain Controller in a branch office for faster Windows authentication and login times. This also helps improve the security posture of IT infrastructure in branch offices.
- With the availability of the Repeater Plug-in for Citrix Receiver, Branch Repeater now provides WAN acceleration benefits for the already easy-to-use Receiver software client. Receiver provides a consistent and intuitive user experience, and simplifies client distribution and updates. For instance, if you want a single client that provides secure access, SSL VPN client and WAN optimization benefits, then Citrix Receiver is a great way to simplify client distribution and improve the user experience. This now truly provides simple, fast and secure access to applications from anywhere, whether you are working remotely or in a branch office. I encourage you to try it out and share your experiences with us.
Stay tuned for a series of blog posts that explore some of the features in detail.
I encourage you to check out the newest Branch Repeater 5.5 and share your experiences with me at sai.allavarpu@citrix.com.
Sai
Several Citrix products have been nominated for the 2009 Information Security Magazine / SearchSecurity.com Readers Choice Awards:
- NetScaler, Application security: Web application firewall, application/code vulnerability assessment/QA, Web services security
- Access Gateway, Remote access: IPsec, SSL VPNs and other remote access products
- Branch Repeater, Other: Branch optimization/application acceleration solution
Thanks to your support, last year we won the Bronze Award under the 'remote access' category for Citrix Access Gateway and the Bronze Award under the 'application security' category for Citrix App Firewall.
While technically not a security product, Branch Repeater does play a role in building a secure IT infrastructure. Branch optimization allows businesses to centralize applications and data in secure datacenters without sacrificing end-user performance.
Surveys have already gone out to readers of Information Security and SearchSecurity.com via e-mail. If you received one of these surveys please take a few minutes and vote.
Netscaler nCore
Already announced at iForum, but worthy of buzz, is the new multi-core, parallel processing architecture for the Citrix NetScaler released in version 9.1 - nCore Technology. Applications are becoming more dynamic and demanding as we have seen in recent community, social networking and Web 2.0 advancements. Browser request and server response is the old model. Rich interactive applications that provide real-time information require real-time connections between browser and server. Enterprise software vendors such as SAP, Microsoft, Oracle and others understand the need to push toward highly interactive applications that enrich the functionality and user experience.
The richness of experience manifests in several ways:
- Protocols: New protocols such as Ajax, Comet, Ruby, etc.
- Connections: Web 2.0 protocols generate more connections between client and server.
- Chattiness: Web 2.0 protocols initiate more requests between the client and server.
- Applications: Rich Internet applications such as Flash, Flex and Silverlight make applications engaging and interactive.
- Clients: Clients are always connected and content needs to be optimized for them (iPhone, Symbian, Blackberry, Palm, Windows Mobile, Internet Explorer, Firefox, Safari).
ADCs need to deliver greater performance and scalability by supporting higher levels of throughput, HTTP requests, concurrent connections and SSL transactions. ADCs need to handle the increase in connections and requests to offload the demands placed on back-end web servers. The demands for caching, compression and application firewalls will increase as well.
In order to meet the increasing demand in application delivery environments, you need the Citrix NetScaler nCore technology.
Tap into the power of AppExpert!
Securing Web Applications with an Application Firewall
I have been working with Application Firewalls for quite a few years - many times to protect web applications published in languages and character sets that I didn't understand. Frequently, I have seen these Application Firewall deployment projects get bogged down in pursuit of the perfect policy set.
I have also seen many situations in which this process and application changes actually break these applications.
The NetScaler Application Firewall deployment can also be subject to these issues since the appliance provides extensive application firewall features. Even with the learning capabilities, creating the ideal set of security policies for any application can be a trial and error process that can take significant time.
In this blog, I would like to share an implementation methodology that shortens the deployment, and helps avoid breaking the applications to be protected. Experience has shown that approaching the configuration of the Application Firewall in stages is the key to timely success. This methodology is effective for all types of applications and their needs.
To alleviate the time and risk of varying degrees of policy complexity, break the task into stages. That is, separate the policy configuration into groups of ascending risk. While some may raise the point that a simplified protection policy set is not complete, it must be remembered that protection stages will build upon each other, and will be better than allowing unfiltered access while all policies are in learning or logging/warning mode.
The benefit of staging is that a basic set of policies are made operational. Then, the following stages will consist of conducting a repeatable process of "policy tightening" procedures as required by the application.
Stage I
When configuring the NetScaler Application Firewall policies, start with some of the basic protections. Activating the simple, generic policies almost never produces false positives. These typically include:
- Protect against Cross Site Scripting (XSS) attacks
- Protect against SQL Injection attacks
- Protect against Buffer Overflow attacks
- Prevent Credit Card Leakage
- Prevent access to system files
- Alter the contents of the server headers
Activating these policies will typically not break applications. As such, a small user community - with /etc/hosts overrides pointing at the firewall - can be used to validate the configuration over a fairly brief validation period.
More importantly, this is a great start. These policies create security effectiveness that can typically be rated as a level seven on a scale of zero through nine (you can never get to a perfect "10" in security).
Stage II
The next stage will include applying policies that require more application validation to determine the application specific relaxation adjustments ("policy overrides").
But first, don't forget to ask yourself if this application actually requires tightened policies.
If so, Stage II protections should be sequenced - Cookie Tampering prevention should be put into block mode first. Then, move on to blocking tampering with the values of parameters and/or hidden form fields.
Start with cookie poisoning prevention ("Cookie Consistency"). It will likely require the fewest relaxations, so it builds on the Stage I successes most rapidly.
To do this, use the learning process to identify the cookies that are legitimately altered between the response and request process. Minimally, relaxations will be required for cookies that are set and modified by third party monitoring services. Again, because of the staging, this learning can happen while the basic policies are in place and actively applying their protection mechanisms.
If further tightening is required, focus on creating policies that prevent users from tampering with the values of parameter and hidden form fields. This is achieved by activating "Field Consistency" learning in the NetScaler application firewall. Depending on the architecture of the application or a frequent use of client side scripting, these policies carry a higher risk of blocking legitimate requests. These policies thus require a more extensive learning period and associated relaxation overrides.
It should also be noted that these Stage II policies and their relaxations do have a tendency to be susceptible to producing false positives as applications change, and should be re-evaluated in conjunction with major application changes.
Stage III and Beyond
If the application contains highly sensitive information, and undergoes frequent changes, further security configuration may be required.
Stage III typically involves enforcing field formats and enforcing user navigation paths. Adding restrictions to field input types, such as date formats, and more, will require further time for learning these application attributes. Be aware that these policies will also be more likely to be sensitive to application changes.
Enabling the "Start URL" facility allows users to access only the specifically stated URL types. Due to the flexibility inherent in application architectures, however, these restrictions may require modification to include additional request types present in a particular application.
Lastly, carefully consider activating "URL Closure" to control the flow of access by users. Enforcement of this policy set disallows users from navigating to locations not previously offered by an application response. These policies may require significant application validation if client side scripts modify URLs, or if Flash objects contain links.
The above policies tend to bend the needle towards the nine level and will be more likely to cause false positives during policy refinement or when the application changes. Leaving them to Stage III, however, means the application stays under the protection afforded by the Stage I and Stage II policies while they are being refined.
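To make the staging concrete, here is an added example (mine, not NetScaler code, and not tied to any NetScaler CLI syntax) that models the three ideas the stages rest on: cheap generic signatures that rarely false-positive (Stage I), consistency checks that need a learning period (Stage II), and the difference between learning mode, which records relaxations, and block mode, which enforces them. The requests, cookie names and hidden field are constructed for the demonstration; the learning logic is a simplification of what an appliance does.

```python
import re
from dataclasses import dataclass, field

# Constructed request/response records standing in for real HTTP traffic.
@dataclass
class Request:
    session: str
    params: dict = field(default_factory=dict)   # form fields, incl. hidden ones
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    session: str
    set_cookies: dict = field(default_factory=dict)
    hidden_fields: dict = field(default_factory=dict)

# ---- Stage I: generic signatures; cheap and almost never false-positive ----
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)
SQLI_RE = re.compile(r"union\s+select|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table", re.I)
MAX_VALUE_LEN = 1024   # crude per-field length cap standing in for overflow checks

def stage1_violations(req):
    hits = []
    for name, value in req.params.items():
        if XSS_RE.search(value):
            hits.append(f"xss:{name}")
        if SQLI_RE.search(value):
            hits.append(f"sqli:{name}")
        if len(value) > MAX_VALUE_LEN:
            hits.append(f"overflow:{name}")
    return hits

# ---- Stage II: consistency checks with a learning phase ----
class ConsistencyCheck:
    """Remembers the values the server issued per session (cookies or hidden
    fields) and flags values the client changed. In learning mode a changed
    name is recorded as a relaxation instead of being reported."""
    def __init__(self, kind, learn=True):
        self.kind, self.learn = kind, learn
        self.relaxations, self.issued = set(), {}

    def on_response(self, session, values):
        self.issued[session] = dict(values)

    def on_request(self, session, values):
        expected = self.issued.get(session, {})
        changed = [n for n, v in values.items()
                   if n in expected and expected[n] != v and n not in self.relaxations]
        if self.learn:
            self.relaxations.update(changed)   # treat as legitimately altered
            return []
        return [f"{self.kind}-tamper:{n}" for n in changed]

class StagedFirewall:
    def __init__(self):
        self.cookies = ConsistencyCheck("cookie")
        self.fields = ConsistencyCheck("field")

    def tighten(self):
        """Move the Stage II checks from learning to block mode."""
        self.cookies.learn = self.fields.learn = False

    def observe(self, resp):
        self.cookies.on_response(resp.session, resp.set_cookies)
        self.fields.on_response(resp.session, resp.hidden_fields)

    def inspect(self, req):
        violations = stage1_violations(req)            # Stage I always enforced
        violations += self.cookies.on_request(req.session, req.cookies)
        violations += self.fields.on_request(req.session, req.params)
        return ("BLOCK" if violations else "ALLOW", violations)

def demo():
    fw = StagedFirewall()
    # Stage I alone already blocks a generic attack, with no learning needed.
    r1 = fw.inspect(Request("s0", params={"q": "<script>alert(1)</script>"}))
    # Learning period: server sets a session cookie, a third-party analytics
    # cookie and a hidden price field; the analytics script rewrites _ga.
    fw.observe(Response("s1", {"JSESSIONID": "abc", "_ga": "GA1.1"}, {"price": "10"}))
    fw.inspect(Request("s1", {"price": "10"}, {"JSESSIONID": "abc", "_ga": "GA1.2"}))
    learned = set(fw.cookies.relaxations)
    fw.tighten()
    # Block mode: the relaxed _ga may still change; JSESSIONID and price may not.
    fw.observe(Response("s2", {"JSESSIONID": "xyz", "_ga": "GA1.3"}, {"price": "10"}))
    r2 = fw.inspect(Request("s2", {"price": "10"}, {"JSESSIONID": "xyz", "_ga": "GA1.4"}))
    r3 = fw.inspect(Request("s2", {"price": "1"}, {"JSESSIONID": "forged", "_ga": "GA1.4"}))
    return {"stage1": r1, "learned": learned, "legit": r2, "tampered": r3}

if __name__ == "__main__":
    print(demo())
```

The point to notice is the order of operations in `demo()`: Stage I is enforced from the first request, the Stage II checks run in learning mode underneath it and produce the `_ga` relaxation, and only then does `tighten()` switch them to block mode, where the forged session cookie and the altered hidden price field are caught while the relaxed analytics cookie is still allowed to change.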
Summary
Personally, when I plan my application firewall deployments, I always attack the assignment in the phases outlined above. I focus on the quick return policies first. Then I take time to consider if the sensitivities of the specific application even warrant the extra effort of going all the way to Stage III. This last question can produce some interesting answers that pit my application security ideals against the practicalities driven by the depth of my current to-do list.
And then, of course, this staged approach may be completely ignored in situations in which a specific application just suffered from an attack through a specific Level III vulnerability. Such situations may warrant overriding the staged approach and focusing on addressing the impacted vulnerability immediately.
Also, don't forget to sign on to MyCitrix and download the Application Hacking Kit and actually try some of the most common application attacks on the BadStore application!
Rate Based Policy Enforcement:
New in NetScaler 9.0 are rate-based policies, which can be used to control, limit and throttle traffic to various servers. Rate-based policies use the advanced expression syntax found in the Policy Infrastructure (PI) format of the NetScaler, which is also new in 9.0.
You can monitor the rate of traffic that flows through virtual servers or other user-defined entities that are associated with different virtual servers, including URLs, domains, and combinations of URLs and domains.
You can control Citrix NetScaler behavior based on the traffic rate, including throttling the traffic flow if it is too high, caching information based on the traffic rate, and redirecting traffic to a new load balancing virtual server based on the traffic rate. You can apply rate-based monitoring to HTTP and DNS requests. You configure traffic rate limit identifiers to monitor the rate of traffic. These identifiers can include filters, known as rate limit selectors, to restrict monitoring (for example, based on IP addresses or subnets). You specify traffic rate limit identifiers in rules for advanced policies in any feature where these identifiers may be useful, including Rewrite, Responder, DNS, and Integrated Caching.
Rate-based monitors can be based on the number of HTTP or DNS requests, number of packets, transactions or amount of bandwidth being used. This is useful for preventing overloads on a network, preventing security attacks, and diverting traffic once it reaches a certain watermark.
More on Rate-Based Policy Enforcement can be found in the NetScaler Traffic Management Guide.
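The selector/identifier split described above is easiest to understand by building it. The following is an added example of my own, not NetScaler code and not its CLI: a selector names the fields traffic is grouped by, an identifier counts requests per group within a time slice against a threshold, and a policy maps an exceeded identifier to an action. The request stream, hostnames and thresholds are constructed for the demonstration; the time-slice semantics (a sliding window of one slice) are my simplification, not a statement of how the appliance counts.

```python
from collections import defaultdict, deque

# Constructed request stream (not captured traffic): timestamp in ms, client
# IP, host and URL. Client 10.0.0.5 hammers /login; others browse normally.
TRAFFIC = [
    {"ts": 0,    "ip": "10.0.0.5", "host": "shop.example", "url": "/login"},
    {"ts": 100,  "ip": "10.0.0.5", "host": "shop.example", "url": "/login"},
    {"ts": 200,  "ip": "10.0.0.5", "host": "shop.example", "url": "/login"},
    {"ts": 300,  "ip": "10.0.0.5", "host": "shop.example", "url": "/login"},
    {"ts": 400,  "ip": "10.0.0.6", "host": "shop.example", "url": "/login"},
    {"ts": 500,  "ip": "10.0.0.6", "host": "shop.example", "url": "/search"},
    {"ts": 600,  "ip": "10.0.0.7", "host": "shop.example", "url": "/search"},
    {"ts": 700,  "ip": "10.0.0.8", "host": "shop.example", "url": "/search"},
    {"ts": 800,  "ip": "10.0.0.9", "host": "shop.example", "url": "/search"},
    {"ts": 1500, "ip": "10.0.0.5", "host": "shop.example", "url": "/login"},
]

class RateLimitSelector:
    """Names the request fields that define one counted group, e.g. (ip, url)
    for a per-client-per-URL limit or (host,) for a per-site limit."""
    def __init__(self, *fields):
        self.fields = fields

    def key(self, req):
        return tuple(req[f] for f in self.fields)

class RateLimitIdentifier:
    """Counts requests per selector key inside a sliding window of one time
    slice; check_limit() is true once the threshold is exceeded."""
    def __init__(self, name, selector, threshold, time_slice_ms):
        self.name, self.selector = name, selector
        self.threshold, self.time_slice_ms = threshold, time_slice_ms
        self.windows = defaultdict(deque)   # key -> timestamps in the window

    def check_limit(self, req):
        win = self.windows[self.selector.key(req)]
        now = req["ts"]
        while win and now - win[0] >= self.time_slice_ms:
            win.popleft()                   # drop requests older than one slice
        win.append(now)
        return len(win) > self.threshold

def enforce(traffic, policies):
    """policies: ordered list of (identifier, action). Every identifier is
    updated for every request so counters stay accurate; the first exceeded
    identifier decides the action, otherwise the request is forwarded."""
    decisions = []
    for req in traffic:
        exceeded = [action for ident, action in policies if ident.check_limit(req)]
        decisions.append(exceeded[0] if exceeded else "FORWARD")
    return decisions

def demo():
    per_client_url = RateLimitIdentifier(
        "login_per_client", RateLimitSelector("ip", "url"), threshold=3, time_slice_ms=1000)
    per_host = RateLimitIdentifier(
        "site_total", RateLimitSelector("host"), threshold=8, time_slice_ms=1000)
    policies = [
        (per_client_url, "DROP"),                 # throttle one client's flood
        (per_host, "REDIRECT:overflow-vserver"),  # divert the site above a watermark
    ]
    return enforce(TRAFFIC, policies)

if __name__ == "__main__":
    for req, decision in zip(TRAFFIC, demo()):
        print(req["ts"], req["ip"], req["url"], "->", decision)
```

Walking through the constructed stream: the fourth /login from 10.0.0.5 inside one second is the first to exceed the per-client threshold and is dropped; the ninth request of any kind exceeds the per-host threshold and is redirected to the overflow server; and at 1500 ms both windows have aged out enough earlier requests that 10.0.0.5 is forwarded again, which is the behaviour you want from a throttle rather than a permanent block.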
Tap into the power of AppExpert!
I interviewed Jon Andersen for this topic.
Jon Anderson is a Lead Security Engineer at Citrix. Jon has a Masters in Computer Science and has also worked on web application security for several open source projects.
Here is Jon:

Q: Jon, what are the advantages of SSL? Tell me a little about the technology.
A: According to Wikipedia: "Transport Layer Security (TLS) Protocol and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over TCP/IP networks such as the Internet. Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP)."
Q: Why would an enterprise NOT choose SSL?
A:
1. It requires the enterprise to purchase certificates from certificate authority (CA).
2. An enterprise may not entrust its security to an external CA.
3. Traditional SSL may not prevent phishing attacks.
4. Certificates may expire or be revoked, and are complicated for end-users.
Q: What else might they use?
A: The enterprise may have other options such as traditional password-based symmetric cryptographic protocols (Kerberos or Entity Authentication and Key Distribution) and password based asymmetric cryptographic protocols (SRP). The current SSL/TLS standards incorporate support for SRP and traditional pre-shared symmetric key cryptographic protocols which makes it more versatile and robust.
Q: How does SSL compare with Secure ICA?
A: Secure ICA is an RC5-based encryption layer that protects just the ICA connection itself. It is a lighter-weight solution for protecting connections to remotely hosted applications, as compared to SSL. However, Secure ICA does not protect all of the network traffic involved in the use of remote applications; it only protects the connection to the XenApp server itself. A defense-in-depth approach might include both SSL and Secure ICA.
Q: What are Citrix recommendations on using SSL? Where and how would it be used in context of XA?
A: Citrix recommends the use of SSL and certificates for high-security protection against eavesdropping and network tampering. Citrix follows industry best practices in recommending the use of SSL for all connections to XenApp servers, as well as the various other gateways and servers involved in a complete application virtualization solution. Customers can protect all of the components of their Citrix Delivery Center using SSL, including their Web Interface, Gateway, and streamed application servers. Most web servers support SSL, and customers can improve the performance of SSL by using a hardware SSL solution such as Citrix NetScaler.
Q: How do the vulnerabilities in the MD5 hashing scheme affect a customer's Citrix Delivery Center?
A: The MD5 hash algorithm has known flaws that security researchers have recently demonstrated are exploitable to produce falsely trusted SSL connections. This is a general industry problem and not specific to Citrix. Customers should ensure that none of the root certificates trusted by SSL are signed by an MD5 hash. For more from Microsoft on this topic please see http://www.microsoft.com/technet/security/advisory/961509.mspx
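The last answer's advice (make sure no trusted certificate carries an MD5 signature) is easy to turn into an audit. The following is an added example of my own, not Citrix or Microsoft tooling: a minimal DER walker that pulls the signatureAlgorithm OID out of an X.509 certificate without any third-party library, a table of the weak-hash signature OIDs, and an `audit_system_store()` helper that runs the check over the CA certificates Python's `ssl` module loads by default. The two sample "certificates" are constructed byte strings with the Certificate SEQUENCE / tbsCertificate / AlgorithmIdentifier / BIT STRING shape and placeholder bodies; they are not real certificates.

```python
import ssl

# Signature algorithms built on MD5 (and MD2) that a trust store should not contain.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA (OIW)",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the tbsCertificate and read the OID inside signatureAlgorithm."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)
    _, alg_start, _ = _read_tlv(der, tbs_end)
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def audit(certs):
    """certs: iterable of (label, der_bytes). Returns (label, algorithm) for
    every certificate whose signature algorithm is in the weak table."""
    findings = []
    for label, der in certs:
        oid = signature_algorithm_oid(der)
        if oid in WEAK_SIGNATURE_OIDS:
            findings.append((label, WEAK_SIGNATURE_OIDS[oid]))
    return findings

def audit_system_store():
    """Run the audit over the CA certificates Python loads by default.
    Note: certificates from a capath directory only appear in get_ca_certs()
    after they have been used once, so this is a quick check, not a full scan."""
    ctx = ssl.create_default_context()
    ders = ctx.get_ca_certs(binary_form=True)
    return audit((f"root-{i}", der) for i, der in enumerate(ders))

# Constructed samples: valid DER framing, placeholder tbsCertificate and signature.
SAMPLE_MD5_CERT = bytes.fromhex(
    "3015"                              # Certificate SEQUENCE, 21 bytes
    "3000"                              # tbsCertificate (empty placeholder)
    "300d06092a864886f70d0101040500"    # AlgorithmIdentifier: md5WithRSAEncryption, NULL
    "030200ff"                          # signatureValue BIT STRING (placeholder)
)
SAMPLE_SHA256_CERT = bytes.fromhex(
    "3015" "3000" "300d06092a864886f70d01010b0500" "030200ff"   # sha256WithRSAEncryption
)

if __name__ == "__main__":
    print(audit([("sample-md5", SAMPLE_MD5_CERT), ("sample-sha256", SAMPLE_SHA256_CERT)]))
    print(audit_system_store())
```

`signature_algorithm_oid()` works on any DER certificate, so the same function can be run over every certificate in a server's chain, not only the roots; the weak signature that matters in practice is on a certificate that was issued with it, wherever it sits in the chain.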
I interviewed Kurt Roemer for this topic. Kurt is Chief Security Strategist for Citrix Systems and a member of the CTO Office. He's a seasoned information security veteran with more than 20 years experience in networking, applications, and the evolving Web services infrastructure markets. He has designed, implemented, and assessed solutions and policies for Fortune 1000, mid-size, and government organizations worldwide. Roemer is a CISSP and has spoken at a wide variety of leading industry shows and conferences across the globe including BITS, CSI, RSA, Networld+Interop, Japan's inaugural Web Application Security Forum, Society for Information Management, ITEC, SecureAsia and numerous regional ISSA and InfraGard conferences. He has also appeared as a security expert on CNN, Fox Business News, and the Fox News Channel and is well known for his popular "Web Hacking Live" sessions. Prior to joining Citrix, Kurt held roles as CTO/CSO at NetContinuum and headed up information technology practices at Micron Electronics, NetFRAME and Hewitt.
Q: Kurt, isn't Cloud Computing competitive with Citrix?
A: In some ways, yes, but in many ways interest in Cloud Computing actually creates opportunities for Citrix. Our NetScaler and XenServer products are good examples of this. Both NetScaler and XenServer are powering major cloud providers today. We also have partners, such as 3Tera, who are hosting applications, using XenApp and XenDesktop, on the Cloud.
Q: It seems to me that Cloud Computing requires that you really trust the provider - after all you are turning over your valuable data to them - is this a consideration?
A: Yes. The old security mantra was that physical security trumps all. With the Cloud you lose control over physical security. The actual servers could be anywhere the provider decides to put them, factoring in availability and least cost. This is significantly different than a SaaS model, especially as you factor in access to data, backups, encryption keys and other security concerns.
When you sign an agreement with a provider you agree to pay for a certain amount of storage and resources like applications and are committed service levels. You lose control over the assets in some respects and therefore the security model must be refactored.
Q: The security concerns with this must make security professionals uncomfortable. Tell me more about what Citrix has to offer to improve this situation.
A: The fundamentals are encryption of data and access control to data. Citrix has recently introduced the Citrix Cloud Center, which is composed of several Citrix offerings. Access Gateway and NetScaler address encryption, and Access Gateway provides authentication services. In addition to the security features, the Citrix Cloud Center provides geo-location with NetScaler (where the user can be connected to different hardware in different regions in the world, but yet have all the same applications and capabilities), local data caching with WANScaler and orchestration with Workflow Studio. Citrix is also working with key ecosystem partners to enable end-to-end security in the cloud model.
Q: What is the future of security in Cloud Computing?
A: The ultimate solution is data level security. After all, sensitive data is the domain of the enterprise, not the Cloud Computing provider. Security will need to move to the data level so that enterprises can be sure their data is protected, wherever it goes. For example, with data level security, the enterprise can specify that this data is not allowed to go outside of the US. It can also force encryption of certain types of data, and permit only specified users to access the data. It can provide compliance with PCI. We are working with several partners in the data security area.
I interviewed Glenn MacDonald for this topic. Glenn is a Senior Software Engineer at Citrix. He has been with Citrix since 2003 and has worked on every release of Password Manager. He has a Masters degree in Computing Science from Simon Fraser University and over fifteen years of software development experience. The interview did not actually take place on the yacht, below.
Q: When did CPM begin to provide provisioning?
A: The CPM Provisioning feature was introduced during the Nassau release in 2005. The intent of this feature was to empower CPM administrators with the ability to provide users' secondary credentials directly to CPM, rather than forcing users to do so. Being unable to do this had been an administrator pain point during CPM roll outs and when new applications were added to deployments.
In a sense, provisioning in CPM provides additional security, in removing the responsibility from users for providing secondary credentials, as users tend to do things like write down their passwords before entering them.
Provisioning in CPM increases security by avoiding the initial distribution of credential details directly to the user. Typically this is done by a less secure method such as a memo, voice mail or email. Another focus of the feature was to provide a means to integrate with existing identity management and provisioning systems (e.g. Courion Account Courier).
Q: Does CPM provisioning set up user accounts in applications?
A: No, it just informs CPM of the users' credentials.
Q: How does it work?
A: The new web service (the Provisioning service) responsible for receiving the provisioning commands was added to the CPM Service. These commands are added to a per-user queue located in the user specific container of the central store. Eventually the Plugin executes the queued commands to complete the provisioning action.
Q: Is it really that simple?
A: Of course not! There are lots of details to do this securely, but that's the basic flow.
Q: Can you elaborate on those security details?
A: Recall that the CPM Plugin protects a user's credentials using user specific keys. (i.e. Only the Plugin running in a user session can obtain the keys). This implies that it is impossible for the Provisioning service to directly execute the commands and alter the user's central store data. (i.e. the service can't add a credential because it doesn't have the key to protect the secrets). This is why the commands are queued until a Plugin running as the user requests them. The service is completely responsible for the life cycle and encryption of the queued commands.
The Plugin does not directly access the queued commands - it obtains them from the Provisioning service over an SSL connection. Once the Plugin has successfully executed the commands, it informs the service that the queue can be deleted.
Q: Is the provisioning feature standards-based, since there are many provisioning products out there to integrate with?
A: As a matter of fact, it is. To ease third party integrations, we opted to use the SPML V2.0 open standard. The Service Provisioning Markup Language (SPML) is an XML-based framework, developed by OASIS, for exchanging user, resource and service provisioning information. Additionally, many identity management systems already support SPML 2.0. A connector is required for identity management integration.
Q: Why do I need a custom connector if my identity management system already supports SPML 2.0?
A: To understand why a custom connector is needed, you need to consider the conceptual differences between provisioning for CPM and provisioning in general.
Consider a typical provisioning scenario from the perspective of an administrator of an identity management system. A new employee has joined the company and needs to be provisioned with a domain account and specific accounts for SAP, Outlook, etc. The administrator will request that an SAP account get created. To do this, the identity management system will send a message to the Provisioning Service Provider (PSP) for SAP.
"Hey SAP PSP, create a new account with user name=baracko and password=prez"
The Provisioning Service Provider will create the account and return a reference ID for the account.
Next, the administrator would want to provision CPM with the newly created SAP credential. The message that the CPM Provisioning Service needs to receive must say:
"Hey CPM Provisioning Service, for the domain user bobama, add a credential for SAP having the user name=baracko and password=prez"
First, notice that provisioning from the CPM perspective is simply providing the user with his CPM secondary credentials. There is NO creation of the accounts accessed with those credentials. Those accounts must be created by an outside means completely separate from CPM. Essentially, CPM provisioning is the act of populating the user's credential store - i.e., the administrator is populating a small data store and not actually provisioning accounts or resources.
Q: I sort of see what you mean. The CPM provisioning command added the SAP credential for the specified domain user, it didn't actually create the SAP account. How does CPM know what "SAP" refers to in the command?
A: Good, you've noticed the second subtlety. Ultimately, the goal is to have CPM submit this credential when it detects the SAP logon page. To achieve this, the credential needs to be associated with a specific application definition.
A unique GUID is assigned to every application definition when it is created in the CPM Administrative Console. This GUID is included in the command to provide the link between the credential and the application that the credential is for. So, the message actually needs to be:
"Hey CPM Provisioning Service, for the domain user bobama, add a credential for GUID-of-SAP-application-definition having the user name=baracko and password=prez"
The connector needs to provide the mapping between the application definition GUIDs and the credentials.
Q: How does the custom connector learn the application definition GUIDs?
A: To determine the list of application definitions available to a user, the connector needs to send a lookupApplicationRequest. The response to this will contain a list of the applications defined in the User Configuration associated with that user. The description of each application definition will contain the GUID and the fields in a credential (e.g. user id, password and database name). Note that the lookupApplicationRequest command is a CPM specific, custom extension to SPML v2.0.
Q: Are you saying a custom connector is needed because it has to provide the binding between the CPM application definitions and the specific credentials?
A: Exactly!
The connector needs to know:
- the mapping between the application definition GUIDs and the credentials.
- how to use the lookupApplicationRequest custom command to obtain the application definition GUIDs
- how to construct the CPM specific SPML extensions to use in the data elements of the commands.
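An added example (not Citrix's connector code) of the connector logic described above: it parses a lookupApplicationResponse, resolves the application name to its definition GUID, checks that the credential supplies exactly the fields the definition declares, and builds the SPML v2.0 addRequest. The SPML core namespace is the real OASIS one; the CPM extension namespace and element names, the response layout, the use of containerID for the target user, and the SAP database name "PRD" are assumptions.

```python
import uuid
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"    # SPML v2.0 core namespace defined by OASIS
CPM_NS = "urn:example:cpm-spml-extension"  # PLACEHOLDER: the real CPM extension namespace is not on the page

# Constructed sample of a lookupApplicationResponse. The page says the response lists each
# application definition's GUID and credential fields; the element layout here is assumed.
SAMPLE_LOOKUP_RESPONSE = f"""<lookupApplicationResponse xmlns="{CPM_NS}" status="success">
  <application name="SAP" guid="11111111-2222-3333-4444-555555555555">
    <field>user id</field><field>password</field><field>database name</field>
  </application>
  <application name="Outlook" guid="66666666-7777-8888-9999-000000000000">
    <field>user id</field><field>password</field>
  </application>
</lookupApplicationResponse>"""


def parse_application_definitions(response_xml: str) -> dict:
    """Map application name -> {"guid": ..., "fields": [...]} from the lookup response."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError(f"lookupApplicationRequest failed: status={root.get('status')}")
    definitions = {}
    for app in root.findall(f"{{{CPM_NS}}}application"):
        definitions[app.get("name")] = {
            "guid": app.get("guid"),
            "fields": [f.text for f in app.findall(f"{{{CPM_NS}}}field")],
        }
    return definitions


def build_add_credential_request(domain_user: str, app_name: str,
                                 credential: dict, definitions: dict) -> str:
    """Build the SPML addRequest that provisions one secondary credential for domain_user.

    The request carries the application definition GUID, not the application name,
    because the GUID is what links the stored credential to the definition in CPM.
    """
    if app_name not in definitions:
        raise KeyError(f"no application definition named {app_name!r} for this user")
    definition = definitions[app_name]
    expected, supplied = set(definition["fields"]), set(credential)
    if expected != supplied:
        # Refuse rather than silently drop or pad fields: the Plugin would otherwise store
        # a credential that cannot be submitted correctly to the application's logon page.
        raise ValueError(f"credential fields {sorted(supplied)} do not match "
                         f"definition fields {sorted(expected)}")
    ET.register_namespace("spml", SPML_NS)
    ET.register_namespace("cpm", CPM_NS)
    request = ET.Element(f"{{{SPML_NS}}}addRequest",
                         requestID=str(uuid.uuid4()), executionMode="synchronous")
    # Assumption: the target domain user is named as the SPML container the new object goes into.
    ET.SubElement(request, f"{{{SPML_NS}}}containerID", ID=domain_user)
    data = ET.SubElement(request, f"{{{SPML_NS}}}data")
    cred = ET.SubElement(data, f"{{{CPM_NS}}}credential", applicationGuid=definition["guid"])
    for name in definition["fields"]:
        ET.SubElement(cred, f"{{{CPM_NS}}}field", name=name).text = credential[name]
    # The password travels inside this document: send it only to the service's SSL
    # endpoint and never write the serialized request to logs.
    return ET.tostring(request, encoding="unicode")


if __name__ == "__main__":
    defs = parse_application_definitions(SAMPLE_LOOKUP_RESPONSE)
    # "PRD" is a constructed value; the page only names the user name and password.
    sap_credential = {"user id": "baracko", "password": "prez", "database name": "PRD"}
    print(build_add_credential_request("bobama", "SAP", sap_credential, defs))
```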
Avoiding being Phished
I interviewed Brandon Olekas for this topic. Brandon is a Lead Security Engineer at Citrix. He has been working in XenApp security for about four years, has been involved with many security features and improvements in the XenApp product, and helped co-author Citrix Access Security for IT Administrators. He has a Computer Science degree from Georgia Institute of Technology and is an Associate of (ISC)2.
Here is Brandon:
Q: What is Phishing?
A: It is a form of social engineering - attempting to fool people into revealing information that is subsequently used against them.
Phishing doesn't require a lot of capital, so it is no wonder it is so prevalent. Research firm Gartner Group estimates that phishers will cost US businesses and consumers a whopping $2.8B this year. The average take: $1244 per victim.
Phishing primarily targets stealing personal information through the use of e-mail and websites. Phishing emails usually appear to come from well-known financial institutions (which they are not) and their goal is to acquire login information, credit card numbers, social security numbers, or account numbers.
Phishing e-mails attempt to entice the user into clicking a link which will direct them to a malicious website. The thing is, legitimate businesses will never request this information via e-mail.
Bottom line is, if you receive an e-mail asking you to login to your bank, do not click the link. Open a browser and go directly to the official bank site.
Q: Don't malicious Phishing sites also attempt to do damage to the victim's computer?
A: Actually, most virus scans catch virus-infected attachments now. Phishers are looking to steal personal information. One other case that comes to mind is the Nigerian scam, which is considered phishing because they attempt to fool victims into sending money. The victims were enticed to send actual money to the Phisher after being convinced some amount of their own money was required to free up the large winnings. Even though this sounds ludicrous, many victims fell prey to this scam. Even now, people still fall for the Nigerian type scams.
Q: How else can people notice the dangers and avoid "being Phished"?
A: According to phishtank.com, the most important things to look for in a phishing e-mail are:
1. Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like "First Generic Bank Customer" so they don't have to type all recipients' names out and send emails one-by-one. If you don't see your name, be suspicious.
2. Forged link. Even if a link has a name you recognize somewhere in it, it doesn't mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don't click on the link. Also, websites where it is safe to enter personal information begin with "https" — the "s" stands for secure. If you don't see "https" do not proceed.
3. Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.
4. Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.
In addition, in the URL, pay attention to be sure you are reading correctly. For example, http://Realbank.hacker.com does not mean it is from Realbank. To the contrary, it is from hacker.com.
Also look out for numbers preceded by a % sign, which are encoded characters. They can trick you. For example, %47 is just a capital G, but it means the same thing to your web browser, i.e., http://%47oogle.com == http://www.Google.com.
A good educational resource is at this site: http://cups.cs.cmu.edu/antiphishing_phil/ Anti-Phishing Phil - it's a fun online game that teaches how to recognize phishing websites.
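An added example, not part of Brandon's answer, that turns the link checks above (https, visible link text versus the real host, a brand name used as a subdomain of another domain, percent-encoded host names) into a small checker that could run over the links in a suspect e-mail. The `registrable_domain` helper is a naive last-two-labels approximation rather than a public-suffix lookup, and the sample links are constructed from the examples in the answer.

```python
from urllib.parse import unquote, urlsplit


def registrable_domain(host: str) -> str:
    """Naive 'owner' domain: the last two DNS labels (no public-suffix list, so co.uk-style
    suffixes are not handled). Enough to show why Realbank.hacker.com belongs to hacker.com."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def scheme_and_host(url: str) -> tuple:
    """Resolve a URL the way a browser would before comparing it: undo percent-encoding
    (so %47oogle.com becomes Google.com), then lower-case the host."""
    decoded = unquote(url.strip())
    if "://" not in decoded:
        decoded = "http://" + decoded  # bare domain typed as link text
    parts = urlsplit(decoded)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def analyze_link(display_text: str, href: str, expected_domain: str = None) -> list:
    """Return the indicator codes that fire for one link in a suspect e-mail.

    display_text is what the recipient sees, href is where the link really goes, and
    expected_domain (optional) is the domain the e-mail claims to come from.
    """
    findings = []
    scheme, host = scheme_and_host(href)
    raw_host = href.split("://", 1)[-1].split("/", 1)[0]
    if "%" in raw_host:
        findings.append("percent-encoded-host")  # %XX in the host part hides the real name
    if scheme != "https":
        findings.append("no-https")
    # Forged link: the text shows one site but the target is another.
    looks_like_url = "." in display_text and " " not in display_text.strip()
    if looks_like_url:
        _, shown_host = scheme_and_host(display_text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append("text-host-mismatch")
    # Brand name buried in the hostname of some other domain (Realbank.hacker.com).
    if expected_domain:
        expected = registrable_domain(expected_domain)
        if registrable_domain(host) != expected:
            brand = expected.split(".")[0]
            findings.append("brand-as-subdomain" if brand in host.split(".") else "unexpected-domain")
    return findings


# Constructed sample links, modeled on the examples in the answer above.
SAMPLE_LINKS = [
    ("https://www.realbank.com/login", "http://Realbank.hacker.com/login", "realbank.com"),
    ("Google", "http://%47oogle.com", None),
    ("https://www.realbank.com/login", "https://www.realbank.com/login", "realbank.com"),
]

if __name__ == "__main__":
    for text, href, expected in SAMPLE_LINKS:
        print(f"{href!r:40} -> {analyze_link(text, href, expected) or ['clean']}")
```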
Q: What is "Spear Phishing"?
A: Just like regular Phishing, the objective is to entice the victim into divulging key information. Spear Phishing is slightly different in that it is directed to a target person or group, and it is often extremely personalized. For example, a Spear Phishing exploit may include having all the managers in a company receive a note that looks like it's from the CEO, asking them to click on a malicious web site that could look very credible. Any person on a network is able to spoof a particular user. Even a user outside the network could easily get a free email account with the CEO's name clearly evident.
Q: What are "Phishing Kits"?
A: These are sold on hacker forums on the internet. They provide easy ways for nontechnical people to easily set up a Phishing operation. Well, often the laugh is even on them: many of these kits create fraudulent web sites that actually send emails back to the Phishing Kit author, giving him the desired Phishing information, instead of or in addition to the Phisher. Since the nontechnical Kit buyer can't read the code, they can't see that they are actually the dupe.
One of the most prolific phishing groups and kit authors is called Rock Phish. No one can say for sure where Rock Phish is based, or whether the group operates out of a single country. "They are sort of the Keyser Soze of Phishing," says Zulfikar Ramzan, senior principal researcher with Symantec's Security Response group, referring to the secretive criminal kingpin in the 1995 film, The Usual Suspects. Security experts estimate that Rock Phish is responsible for between a third and a half of all phishing messages sent out on a given day. Information was taken from, and full article can be found at http://www.pcworld.com/article/128175/who_or_what_is_rock_phish_and_why_should_you_care.html
Q: Where can people go for more general information on phishing?
A: There are some good statistics here:
http://apwg.org/reports/APWG_GlobalPhishingSurvey1H2008.pdf
Other good resources:
[www.phishtank.com] - Collects and verifies phishing sites. If you suspect a site is fraudulent, you can check it here.
[www.apwg.org] - The Anti-Phishing Working Group. The global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that results from phishing, pharming, and e-mail spoofing of all types.
XML firewall
In 9.0, the Application Firewall can be used to protect applications that use XML payloads. These applications include SOAP-based Web services, AJAX applications and REST-based applications that use XML. XML specific security features include
- XML Denial of Service protection,
- XML Well-formedness check,
- XML attachment detection,
- Message validation (Schema)
- Cross Site scripting and SQL Injection protection
- Web services Interoperability (WSI) check
XML protection is integrated into the Application Firewall. So all applicable firewall features including Start and Deny URLs, Buffer overflow, Cookie protection and Safe Object checks are available. More details on the XML firewall functionality can be found at XML Security Features in Netscaler 9.0
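An added example, not NetScaler code, showing what the well-formedness and XML denial-of-service checks in the list above amount to in practice: a streaming inspection that rejects malformed XML, any DTD (which is where entity-expansion payloads live), and payloads exceeding depth, element-count or attribute-count limits, so the decision is made before anything downstream parses the message. The limits and the sample payloads are assumptions chosen for illustration.

```python
import xml.parsers.expat


class XmlPolicyViolation(Exception):
    """Raised by a handler when a payload breaks one of the inspection limits."""


def inspect_xml(payload: bytes, max_depth: int = 32, max_elements: int = 10_000,
                max_attributes: int = 64) -> dict:
    """Return a verdict dict: {"allowed": bool, "reason": str, "elements": n, "max_depth": d}.

    The parser only tracks structure; it never builds a tree, so a hostile payload cannot
    make this gate itself consume unbounded memory.
    """
    stats = {"elements": 0, "max_depth": 0}
    depth = 0
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Any DTD is refused, malicious or not: this blocks entity expansion (the
        # classic XML DoS) and external-entity references in one rule.
        raise XmlPolicyViolation("DOCTYPE/DTD not allowed")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise XmlPolicyViolation(f"element depth exceeds {max_depth}")
        if stats["elements"] > max_elements:
            raise XmlPolicyViolation(f"element count exceeds {max_elements}")
        if len(attrs) > max_attributes:
            raise XmlPolicyViolation(f"attribute count on <{name}> exceeds {max_attributes}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)
    except XmlPolicyViolation as exc:
        return {"allowed": False, "reason": str(exc), **stats}
    except xml.parsers.expat.ExpatError as exc:
        # Not well-formed: a mistake by the client rather than an attack, but it is
        # still rejected here instead of being handed to the application.
        return {"allowed": False, "reason": f"not well-formed: {exc}", **stats}
    return {"allowed": True, "reason": "ok", **stats}


# Constructed sample payloads.
SOAP_OK = (b'<?xml version="1.0"?>'
           b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body><getQuote><symbol>CTXS</symbol></getQuote></soap:Body>'
           b'</soap:Envelope>')
NOT_WELL_FORMED = b"<a><b></a>"                       # <b> is never closed
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "e">]><x>&e;</x>'  # harmless entity, still refused
TOO_DEEP = b"<a>" * 100 + b"</a>" * 100              # nesting far beyond max_depth

if __name__ == "__main__":
    for label, doc in [("soap", SOAP_OK), ("broken", NOT_WELL_FORMED),
                       ("dtd", WITH_DTD), ("deep", TOO_DEEP)]:
        print(f"{label:7} -> {inspect_xml(doc)}")
```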
Application Firewall - Integrated Caching interoperability
The 9.0 release has full interoperability between the Application firewall and the Integrated Caching (IC) module on the Netscaler. In the 8.1 release, the Application firewall supports IC for features that do not require parsing the response body. In 9.0, this restriction is removed. This results in better performance if the application html pages are cacheable. Features like Form field consistency and URL closure benefit from this new functionality.
URL Transform module
URL transform module provides an easy regular expression based approach to rewrite request and response URLs. This feature is available separately from the application firewall license. It builds on the application firewall parsing technology to rewrite only valid HTML links.
Custom error pages
When the Application Firewall detects and blocks an invalid request, it can serve out a custom HTML response that has been uploaded or do a 302 redirect to a configured URL. Previous releases could only do the 302 redirect.
NetScaler's Application Firewall offers great protection for Web Applications via a positive security model that lets the user decide what is allowed to reach their web server. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.
But the concept of the web is changing. Expanding beyond the traditional web pages, many sites now include programmable interfaces accessible via XML based APIs. While web sites are mainly for consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The APIs are also getting used by emerging Web 2.0 enabled Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that get deployed inside a consumer's browser. Once deployed, these RIAs will make active and passive calls to the exposed APIs of a web site. Often exchanging information in the background using an XML based protocol like REST or Web Services.
As the Web and programmatic APIs continue to become more of an integrated offering, it is important to provide security for the APIs as well as for the Web site. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML Security. With these new capabilities, users will be able to simultaneously secure HTML based web sites as well as XML based REST and Web Services APIs.
Useful Links
One of the long awaited new features in NetScaler 9.0 is XML security. In 2007, Citrix acquired QuickTree, a small privately-held software technology provider on the forefront of addressing the key security and performance challenges of XML, web services and Web 2.0. With Netscaler 9.0 the XML security capabilities acquired from QuickTree are fully integrated into the Netscaler web application delivery appliance.
Some of the XML Security Features available in the new NetScaler release:
NetScaler 9 is officially here. Well, actually, it's officially announced. It won't be officially available to download from mycitrix.com until November 27th. Yes, I know that's Thanksgiving. However, Citrix is a global company, and what better way to prove it than to post the NetScaler 9 code on a major US holiday? And, there is a chance that it might show up a day or two before the 27th.
NetScaler 9 is a pretty big release. Looking at the detailed feature tracker, it contains over 350 new features and feature enhancements. I'm not going to go through all of them in this post, because that's what release notes are for. However, I do want to highlight some of the major new features that folks seem to be most excited about, and point you to some additional resources on this site that go into a bit more detail on some of them.
I like to think that NetScaler acts as the bridge between the network and the applications that run on it, making each of them work better with the other. NetScaler 9 furthers this. A lot of the new capabilities and features make NetScaler more application-savvy than it already is. This is not to say that there aren't any hardcore networking enhancements in NetScaler 9, because there are a lot of them. These include everything from end-to-end support for IPv6 to enhancements to our GSLB functionality to the ability to tunnel IP within IP.
But in the end our networks are there to run applications, and it's the new AppExpert features in NetScaler 9 that seem to be generating the most interest.
AppExpert Templates make a given application the "first class citizen" within NetScaler. They do this by encapsulating everything about a NetScaler configuration that is specific to a given application, including:
- The different application components (e.g., pages, files, archives, Web Services) NetScaler is managing
- The various NetScaler entities and settings (e.g., VServers/VIPs, load-balancing algorithms, health checks, persistence methods, SSL offload settings) defined for these application components
- The specific NetScaler policies (e.g., caching, compression, application firewall, rewrite) used for the application
All of this is presented in a way that puts the application front and center, and configuration and policy changes can be made from there as well. So, while today understanding the entire NetScaler configuration for Microsoft SharePoint (for example) involves moving around between the various NetScaler GUI tabs, with AppExpert Templates everything is centralized in one place.
AppExpert Templates can be imported and exported as well, so they make it pretty easy to move app-specific configurations between different systems. More broadly, several folks have told us that this, and the general look and feel of AppExpert Templates, will help with knowledge transfer within their organizations. You can see an example of the Microsoft SharePoint template being imported and then applied here.
If you go here when NetScaler 9 becomes available in a couple of weeks, you'll be able to download AppExpert Templates we've already built. And, as you'll quickly notice, AppExpert Templates aren't static. The underlying infrastructure makes it really easy for you to tweak a template to your own specific needs, or to improve the template by adding to it. Hopefully, you'll all post any improvements and modifications you make back to the community site so that others can benefit. And definitely look for additional AppExpert Templates to be made available by us, by Citrix partners, and hopefully by other NetScaler users.
With AppExpert rate controls, we've integrated the concept of data rate into the core NetScaler policy infrastructure. This allows building policies that are only triggered when a defined data rate is exceeded. And since it's integrated with the core policy infrastructure, it can be used with the various NetScaler functional modules (e.g., content switching, responder), so you're not limited to just dropping traffic as an action.
There are a number of ways folks have told us they're going to use AppExpert rate controls. Of course straight-up rate limiting (e.g., DNS rate-limiting, limiting traffic originating from a single subnet) is one example. Ensuring a given resource (e.g., anything from a VServer to a specific URL) isn't overwhelmed by requests is another. Two specific examples are:
- One customer allows some of its partners to scrape its website so the partners can republish content on their own sites. However, the customer wants to ensure that overly aggressive scraping by the partners doesn't overwhelm the website and degrade the site's performance. AppExpert rate controls can be used to limit how much scraping each partner can do. This same approach could be used to ensure that websites that publish APIs -- so that partners can do mashups, for example -- aren't overwhelmed by any particular partner's use of the API.
- Another example is a customer that was having problems with a couple of users FTPing a few too many large files at the same time. By using AppExpert rate controls to build an expression around bandwidth consumed per sourceIP, they can drop any additional FTP requests coming from a sourceIP (aka a user) that already has too much FTP activity. A more generalized use could also do something along the lines of limiting the amount of concurrent file downloading for a given SharePoint site, to ensure that downloads don't drown out other SharePoint (or other application) activity.
AppExpert service callouts make NetScaler policies extensible, and will allow you to integrate logic or functionality available in other systems and applications into NetScaler policies. Specifically, using an AppExpert service callout, a policy can send (over HTTP or HTTPS) any part of an incoming request to an external service. The result returned by the external service is then used like any other policy evaluation result.
As an example, one beta customer has an application that identifies and tracks IP addresses that are scraping its site's content. No, this is not the same customer that is interested in AppExpert rate controls. In the earlier case, scraping is encouraged, they just needed to control it. In this case, the scraping of content amounts to theft, and the customer wants to prevent as much of it as possible. Unfortunately, the IP addresses doing the scraping change constantly (hence the reason they had to build an app), so statically defining them within the policy itself isn't practical. However, a service callout can query the application in real-time, and NetScaler then uses the response to either pass or drop the request.
Other use cases customers have mentioned include:
- Passing content to an external transformation engine
- Integration with UDDI or other directory services
- Geo-targeting or other token-based switching decisions, where the logic for the content switch is available in an external application
NetScaler 9 has the first availability of the XML technology we acquired from QuickTree last year. New XML protections in the NetScaler Application Firewall module will now be able to inspect and protect XML as well as HTML traffic. In addition to protecting XML-based applications from attack, this can also be used to ensure that incoming XML traffic conforms to various standards (e.g., XML syntax, schema, WSDL validation). With XML, sometimes "bad" traffic isn't malicious but is just a mistake. Either way, the XML capabilities in the app firewall will catch it.
We've had the ability to rewrite payloads within the TCP header or payload since NetScaler 8.0. However, in NetScaler 9.0 we've added a URL transformation 'mini-module' to our generalized rewrite functionality specifically for rewriting HREFs. While this function is often thought of in the context of either SSL VPN or application firewall, it has uses beyond these as well. For example, onboarding apps acquired through M&A activity, simplifying change management or "Akamai-zing" graphics content.
Again, NetScaler 9.0 is a big release. There is a lot more than the app-centric things mentioned above. There is a pretty comprehensive What's New in NetScaler 9 writeup here for those of you that want a more comprehensive overview.
Updated November 12, 2008:
I received a question via comments asking about Access Gateway Enterprise enhancements. As many of you know, Access Gateway Enterprise is in essence another module in NetScaler. So, all Access Gateway Enterprise functionality is included in NetScaler, which is why NetScaler is such a great solution for Citrix XenApp and XenDesktop. There are definitely enhancements to Access Gateway Enterprise in NetScaler 9. At a high level, they are:
- Support for IPv6 XenApp Client Connections
- Single sign-on to file shares, so your users won't get as annoyed by as many authentication prompts (unless you want them to be)
- Full clientless access to Microsoft SharePoint 2003 and 2007 so users can access SharePoint sites from any browser
- Historical charting which allows you to see trend data on system activity
I interviewed Chris Mayers for this topic. Chris has been with Citrix since 1998, and in his role as principal security architect at Citrix, Chris has both internal and external responsibilities for promoting security, developing security strategies and advocating the secure enterprise. Based in Cambourne, Cambridge, Chris's job takes him all over Europe and to the USA, where he can be found advising CIOs and CSOs, presenting White Papers at industry conferences and working to develop Citrix technology to ensure it continues to protect the 'perimeterless' enterprise.
Here is Chris: 
Q: Chris, first can you explain what we mean by "Strong Authentication"?
A: Strong Authentication is multiple factor authentication. The classic definition is something you know (such as a password), coupled with something you have (such as a token or smartcard) or something you are (biometric data.) For remote access using Web Interface, Citrix recommends that customers always use strong authentication rather than just passwords.
Q: That makes sense. Why wouldn't everyone use strong authentication for remote access?
A: Everyone should use strong authentication, but there are choices, so it's a question of balance. Security requirements are balanced against cost and user acceptance. The number of users who actually need remote access, and the applications they are using must be evaluated. There may be less expensive ways to secure remote access to simple applications such as email - using Smart Access or XenApp capabilities.
Q: What kind of cost would a customer be looking at for implementing strong authentication?
A: The good news is that the purchase price of second factor devices has come down in recent years. A security token, for example, costs only a few dollars now. Unfortunately there are additional costs, such as fulfillment to the user, and administrative and help desk costs; these need watching.
Q: What about user acceptance, why is that an issue for customers?
A: Well, users are required to either carry an item with them for access (something they have) or use biometrics (something they are.) End users must be involved in this process - authentication is not something administrators can do for them. So, users may view this as inconvenient.
One interesting way around this is dual-purpose: combine strong authentication on an item the user can use for other tasks. There are several solutions based on mobile phones, USB tokens (which can be used generically as well), and smartcards (which can be used for digital signature and encryption as well as authentication).
Q: Counting on users is always risky. How do you recommend IT deal with this?
A: The trick is to manage risks and have a calculated backup plan. For example, if tokens or smartcards are used for strong authentication, and the user loses, damages or forgets the item, you might enable the help desk to temporarily allow a password to access the account remotely. That way, even if a user intentionally "forgets" the item, there is no excuse to avoid work!
Q: What about biometrics - that way the user doesn't have to remember a device?
A: Biometrics are great for unlocking things, like laptops and doors. The big danger for the remote access use case is that the biometric data can go over the network. The issues with this are nasty - stolen biometric data can be much more damaging than stolen credentials (biometrics don't change like passwords do.)
Q: Does Citrix provide strong authentication solutions?
A: No, but Citrix has numerous partners - check out Citrix Ready.
I interviewed Ola Nordstrom for this topic - way interesting! Ola is a Senior Security Engineer at Citrix. He has been securing XenApp for the last five years. He's been involved with a number of product features and has driven numerous security improvements. He has a Master of Science in Computer Science degree from Georgia Institute of Technology and is a Certified Information Systems Security Professional (CISSP).
Here is Ola: 
Q: Ola, what is an "Attack Surface" as it relates to software?
A: Attack Surface is a measure of how potentially vulnerable a piece of software is. It enumerates the entry points and associated code a malicious user could employ to exploit the software.
Q: What are examples of entry points?
A: Examples would be open sockets, RPC entry points, and even the number of web applications hosted inside a web server.
Q: Why would the number of web apps running be an issue?
A: The more programs that are running, the more program code is exposed to malicious users finding vulnerabilities. Also, larger programs will tend to provide more opportunities for exploitation. For example, a web application with 1000 lines of code is generally less likely than a web application with 10000 lines of code to have a vulnerability.
Q: Are there any "best practices" that can help customers reduce the attack surface of the software they use?
A: Disabling unneeded features is a good step. In fact, software vendors like Citrix are tending to disable more features by default to improve security. Customers can also disable services and features not used - the smaller the number of features, the less attack surface is effectively available. The principle of least privilege also applies to all deployments.
Q: What other steps is Citrix taking as a software vendor to decrease attack surface of our products?
A: We are disabling more features by default, of course. We are also reducing the privilege of each component to the lowest possible - this is valuable in restricting capabilities of a component, even if it IS compromised. In the web server example any vulnerabilities found will execute as the identity of the web server - so the fewer privileges the web server has, the better off the system is. We are also focusing our security scrutiny and testing on components with large attack surface. If a component is running with high privilege and is processing complex data (lots of code), that component has a high attack surface and will receive more security review.
Q: Can attack surface be measured?
A: Yes, there is a Relative Attack Surface Quotient metric that allows for comparisons.
Q: Do you have any reference for more information?
A: Sure. Measuring Relative Attack Surfaces and The Attack Surface Problem
This is an interview with Andrew Innes. Andrew is the Platform Architect for user interaction components of XenApp and XenDesktop, notably Web Interface and the desktop integration clients. His job entails finding creative ways to improve the usability and security of these products, and helping strike the right balance between them.
Here is Andrew: 
Q: Andrew, what are the security issues Citrix Admins should be aware of with Web Interface?
A: Hi Kate. There are two main categories of issues admins need to think about: security of the web server itself and security of the whole XenApp or XenDesktop delivery system. For the web server itself, there are all the standard hardening rules to follow, especially if it is facing the Internet - I won't try to summarize these here. The aim is to prevent intrusions into the web server itself or the network behind it.
It's worth mentioning though that Web Interface has undergone probably hundreds of evaluations in customer environments as well as regular security audits within Citrix as part of our secure development process. It has been engineered with all the known web application threats in mind, and we track 'webappsec' developments closely to build in defenses against new styles of attack as they emerge.
Hardening the web server itself is the #1 recommended best practice for everyone. Some customers will still want to employ extra measures, such as a web app firewall or other monitoring systems to spot potential attacks. NetScaler can easily be configured to provide web app firewall, SSL and detailed logs.
For the Citrix specific aspects of security, the admin should start by understanding the business reason for publishing resources (apps, desktops, documents etc) via the web, and the appropriate policies on access rights and restrictions. These feed into the design requirements for the delivery system, including the configuration of Web Interface. The aim here is primarily to ensure authorized users are allowed access in the intended way while unauthorized users are denied access, and that policies are not circumvented.
Web Interface has a brokering role in the delivery system, making it an effective place to enforce certain policies, for instance ensuring strong authentication happens before access is granted. It can be augmented with Citrix Access Gateway to scan end point devices to make fine-grained access decisions; in this case Web Interface plays a supporting role in upholding those policy mechanisms. It also implements a number of sensitive features, like password change and password reset, which can be enabled when the usability gains outweigh the security considerations.
Q: What are the prescribed security precautions Citrix Admins should use with WI?
A: There are a few standard precautions we recommend all customers follow:
- Require SSL on the Web Interface server; this protects user credentials in transit and helps prevent spoofing attacks (like those that could result from the recent DNS vulnerabilities).
- Use SSL or IPSec for requests to the XML service on XenApp or XenDesktop; again this protects credentials.
- Follow best practices for web server administration; this protects against accidental or malicious reconfiguration.
- Disabling the HTTP port, or having it redirect to the HTTPS port can be helpful. Then to prevent potential phishing attacks (MITM against the HTTP connection that redirects to a replicated WI site) the Internet Option setting "Websites in less privileged web content zone can navigate into this zone" should be disabled.
Where possible, we encourage customers to consider using the Kerberos or smart card support in XenApp which avoids the need to send passwords at all.
Q: Do you have any Knowledge Base articles to reference that might be of help?
A: There is a collection of technotes for Web Interface which cover useful points, but my favorite reference is the Troubleshooter's Guide for Web Interface.