• View Communities
    • Citrix Developer Network
      The place for unfiltered straight talk on Citrix products. Blogs, code downloads, best practices, APIs, and more can all be found here.
    • Citrix Ready Community Verified
      Does it work with Citrix? Application compatibility questions are a thing of the past with the new Citrix Community Verified site.
    • Blogs
      Learn the latest from the Citrix employees who are building application delivery infrastructure technologies.
    • Blogosphere
      The Citrix Blogosphere is a window into the thousands of conversations taking place about Citrix and Application Delivery.
  •  Sign In
The Citrix Blog
Blogs for tag 'soap'

Permalink | Twitter Post to Twitter | Comments (1) | Views (7339) |

20 Nov 2008 01:30 PM EST
What is new in the Application firewall in 9.0?
[ Tags:  appfirewall ,   xml ,   soa ,   security ,   firewall ,   soap ,   woa ,   rest ,   validation ,   xdos ,   xss ,   web services ,   sql injection ,   web 2 ,   threat protection ,   denial of service ,   nonspecific ]
posted by vamsi Korrapati

XML firewall

In 9.0, the Application Firewall can be used to protect applications that use XML payloads. These applications include SOAP-based Web services, AJAX applications and REST-based applications that use XML. XML specific security features include

  •     XML Denial of Service protection,
  •     XML Well-formedness check,
  •     XML attachment detection,
  •     Message validation (Schema)
  •     Cross Site scripting and SQL Injection protection
  •     Web services Interoperability (WSI) check

 XML protection is integrated into the Application Firewall. So all applicable firewall features including Start and Deny URLs, Buffer overflow, Cookie protection and Safe Object checks are available. More details on the XML firewall functionality can be found at XML Security Features in Netscaler 9.0

Application Firewall - Integrated Caching interoperability

The 9.0 release has full interoperability between the Application firewall and the Integrated Caching (IC) module on the Netscaler. In the 8.1 release, the Application firewall supports IC for features that do not require parsing the response body.  In 9.0, this restriction is removed. This results in better performance if the application html pages are cacheable. Features like Form field consistency and URL closure benefit from this new functionality.

URL Transform module

URL transform module provides an easy regular expression based approach to rewrite requests and response URLs. This feature is available separate from the application firewall license. It builds on the application firewall parsing technology to rewrite only valid html links.

Custom error pages

When the Application Firewall detects and blocks an invalid request, it can serve out a custom HTML response that has been uploaded or do a 302 redirect to a configured URL. Previous releases could only do the 302 redirect.

Expand Blog Post
Permalink | Twitter Post to Twitter | Comments (0) | Views (9011) |

14 Nov 2008 01:06 PM EST
XML Security Features in Netscaler 9.0
[ Tags:  xml ,   soa ,   woa ,   rest ,   security ,   firewall ,   validation ,   soap ,   xdos ,   netscaler ,   web 2 ,   web services ,   threat protection ,   sql injection ,   denial of service ]
posted by Sridhar Guthula

One of the long awaited new features in NetScaler 9.0 is XML security.  In 2007, Citrix acquired QuickTree, a small privately-held software technology provider on the forefront of addressing the key security and performance challenges of XML, web services and Web 2.0.  With Netscaler 9.0 the XML security capabilities acquired from QuickTree are fully integrated into the Netscaler web application delivery appliance.

Some the XML Security Features available in the new NetScaler release:

Feature

Benefits

Format Checks Prevents malformed or not well-formed messages from reaching the server.
Denial of Service Prevention Thwart attacks (like large elements, deeply nested messages, etc.) that attempt to exhaust server resources or exploit weakness in the xml parsers and applications on the server.
Recursive Expansion Attack Prevention Protects against messages containing recursive entity expansion attacks in their document type definition (DTD).
External Entity Attack Prevention Prevents server from processing data from untrusted sources.
XML Attachment Security Protects against attachments that contain malicious executables and viruses from reaching the server
SQL Injection Check Protects back-end SQL-based database servers and prevents from hackers obtaining information that they were not entitled to obtain
Cross-site Scripting Check Prevents Web 2.0 applications from cross-site scripting attacks
Start URLs Prevent against forceful scanning for services on a server.
Deny URLs Prevents attacks against various known security weaknesses that exist in different web servers
Cookie Consistency Protect sensitive data by preventing hackers from logging in under other user's credentials.
Buffer Overflow Prevents attacks against insecure operating system or web server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle.
Service Obfuscation Protects against service scanning attacks by rewriteing end-point locations to obfuscate the true location of the service.
SOAP Message Validation Ensures only messages that are compliant with the SOAP and WSDL standards reach the server and offloads this validation process from the server.
XML Schema Validation Ensures only messages that are compliant with a given XML Schema reach the server and offloads this validation process from the server.
Web Services Interoperability Checks Performs a wide variety of checks on SOAP messages to ensure that they are compliant with Web Services Interoperability Organization (WS-I) recommendations.
Data Leak Prevention Prevents credit card and other sensitive business data from leaving the organization.
Service Proxy Provides transport level security for all XML and Web Services messages by acting as the SSL proxy.
Rate Limiting Prevents overwhelming the server by limiting the number of requests per second
PCI DSS Report Provides a detailed Payment Card Industry (PCI) Data Security Standard (DSS) report which lists all the relevant PCI DSS criteria
Alerts Via SNMP Alerts a designated person or server when a there is a security violation.
Violation Counters Displays counters for monitoring all violations.
Historic Charts Built-in and customizable charts for viewing historic traffic patterns and violations.
Express Configuration Protects XML applications right out of the box with very little configuration and maintenance
Secures All Flavors of XML Applications With the combination of XML, HTML, and HTTP security features, a single appliance can protect Plain-old-XML (POX), SOAP, REST, Web 2.0, .Net and all other flavors of XML applications.


Expand Blog Post
Permalink | Twitter Post to Twitter | Comments (0) | Views (6245) |

04 Apr 2008 06:06 PM EDT
Citrix & SAP Enterprise SOA
[ Tags:  sap ,   soa ,   caching ,   compression ,   rewrite ,   lb ,   soap ,   xml ,   wisl ,   appexpert ,   apptips ,   tips ,   netscaler ,   llb ,   slb ,   gslb ,   clustering ,   expertexchange ,   mpx ,   client-ip ,   x-forwarded-for ,   apache ,   iis ,   headers ,   policies ,   policy ,   pe ,   request ,   response ,   cache ,   appcache ,   compress ,   appcompress ,   controller ,   acceleration ,   ssl offload ,   citrix load balancer ,   citrix load balancing ,   link load balancer ,   link load balancing ,   load balancer ,   load balancing ,   server load balancer ,   server load balancing ,   security load balancer ,   security load balancing ,   hardware load balancer ,   hardware load balancing ,   next gen load balancing ,   website load balancer ,   website load balancing ,   application load balancer ,   application load balancing ,   application switch ,   web application controller ,   application controller ,   application delivery ,   tcp multiplexing ,   ssl multiplexing ,   global server load balancing ,   wan load balancing ,   xml load balancer ,   xml load balancing ,   content rewrite ,   external url ,   internal url ,   home page redirect ,   apache rewrite ,   server obfuscation ,   application obfuscation ,   http header ,   policy engine ,   content switching ,   content switch ,   content acceleration ,   content accelerator ,   application acceleration ,   application accelerator ,   tcp acceleration ,   ssl acceleration ]
posted by Craig Ellrod

The SAP Enterprise Service Oriented Architecture (SOA) provides a blueprint for services-based, enterprise scale business solutions that are adaptable, flexible, and open. Enterprise Services Architecture takes the concept of service-oriented architecture to a new level by transforming Web services into enterprise services. Bringing Citrix and SAP Enterprise Services Architecture together reduces the dependence on customized applications, and increases flexibility and reduces time to deployment while reducing operational expenses.


This Citrix / SAP Enterprise SOA Deployment Guide was created out of a joint engagement between Citrix and SAP at the Co-Innovation Laboratory in Palo Alto, California, USA. This deployment guide walks through the step-by-step configuration details of how to configure the Citrix NetScaler for use as front-end to SAP Portal for end-user traffic, that is HTTP ~ HTML. To further complement the value of the Enterprise SOA, this guide walks through the details of how to configure the Citrix NetScaler for use as a front-end to the SAP Composite Application Framework and SAP ERP Web Services platforms, providing a flexible load balancer and HTTPS encryption point for machine to machine web service traffic. With this deployment Citrix becomes an integral and flexible part of the SAP Enterprise SOA "Applistructure" bringing together applications and technology for a fast, flexible and highly effective service oriented IT infrastructure.


Watch this Load Balancing Tip:



Tap into the power of AppExpert

Expand Blog Post
Permalink | Twitter Post to Twitter | Comments (1) | Views (10805) |

11 Jan 2008 06:09 PM EST
Secure Application Developer Portal
[ Tags:  netscaler ,   sap ,   appexpert ,   xenapp ,   apptips ,   tips ,   netscaler ,   mpx ,   lb ,   llb ,   slb ,   gslb ,   clustering ,   rewrite ,   client-ip ,   x-forwarded-for ,   apache ,   iis ,   headers ,   policies ,   policy ,   pe ,   request ,   response ,   cache ,   caching ,   appcache ,   compress ,   compression ,   appcompress ,   controller ,   acceleration ,   soa ,   soap ,   xml ,   wsdl ,   wisl ,   uddi ,   ica ,   rdp ,   ssl vpn ,   ica proxy ,   citrix load balancer ,   citrix load balancing ,   link load balancer ,   link load balancing ,   load balancer ,   load balancing ,   server load balancer ,   server load balancing ,   security load balancer ,   security load balancing ,   hardware load balancer ,   hardware load balancing ,   next gen load balancing ,   website load balancer ,   website load balancing ,   application load balancer ,   application load balancing ,   application switch ,   web application controller ,   application controller ,   application delivery ,   tcp multiplexing ,   ssl offload ,   ssl multiplexing ,   global server load balancing ,   wan load balancing ,   xml load balancer ,   xml load balancing ,   content rewrite ,   external url ,   internal url ,   home page redirect ,   apache rewrite ,   server obfuscation ,   application obfuscation ,   http header ,   policy engine ,   content switching ,   content switch ,   content acceleration ,   content accelerator ,   application acceleration ,   application accelerator ,   tcp acceleration ,   ssl acceleration ,   xml firewall ,   xml gateway ,   xml rewrite ,   xml acceleration ,   enterprise soa ,   terminal server ,   terminal switch ,   virtual terminal ]
posted by Craig Ellrod

We recently had a meeting with a large partner of ours and they handed down some hefty requirements.  An average of 100 partners using their portal on any given month to access their development environments on the backend.  It was clear that NetScaler could scale, but the question was how to keep all of those partners separated from each other, without them peeking into each others traffic. It turned out to be easier than we thought using the NetScaler as an SSL VPN with the addition of some policies bound to each partner's user group.  The following is an overview of the network diagram, and there are some deployment guides to walk you through these installations. 


The Citrix SSL VPN CPS Deployment Guide walks you through deploying NetScaler SSL VPN as an ICA Proxy and authentication point.  It then walks you through deploying Citrix Presentation Server and the steps necessary to connect the SSL VPN to the CPS Applications.  The guide includes Session policies which direct users upon authentication to specific CPS farms on the backend of the NetScaler SSL VPN.  Think of it as an authentication portal.

The Citrix SSL VPN Deployment Guide walks you through deploying NetScalers as an HA Pair, and then as an SSL VPN with ICA Proxy OFF.  The intention was to use the SSL VPN for regular VPN traffic, and not Citrix Presentation Server traffic.  Just as well, policies can be combined on the same NetScaler Application Switch to allow both non-CPS and CPS traffic to traverse the same SSL VPN.

Tap into the power of AppExpert

Expand Blog Post