The Citrix Blog
Blogs for tag 'ssl vpn'


posted by Sai Allavarpu

Mac users out there have long been asking for and waiting for a rich and secure remote access experience with Access Gateway solutions. Now the wait is over. Mac users can now download the Access Gateway plug-in for Mac from MyCitrix.

The Access Gateway team has made available a Mac OS X plug-in for Access Gateway 4.6 Standard Edition and Access Gateway 9.1 Enterprise Edition:

- The user experience of the plug-in conforms to the native Mac experience, providing a rich user experience.

- Mac users can securely connect to their remote applications, leveraging pre- and post-authentication endpoint scans to conform to their corporate security policies. For stronger security, when the remote Mac user logs off, the plug-in also destroys any session data (cache, cookies, etc.) on the client.

- With globalization features, the plug-in brings this new experience to English, French, German, Spanish and Japanese users.

If you are a Mac user, I encourage you to go to the downloads section on MyCitrix and select Citrix Access Gateway from the drop-down menu of "Search Downloads by Product", then find "Access Gateway Plug-in for Mac OS X, Version 1.0.2.23" under the Clients section.

If you are using this new plug-in, please share your experience with me and what you would like to see next.

Sai


posted by Sai Allavarpu

Ever got frustrated with how long it takes to email a large report or presentation after incorporating your manager's feedback? Or found yourself in a plane wishing the email downloaded faster when the flight attendant asks you to turn off your 3G-equipped laptop? Or wished for a solution that could deliver email 50 times faster?

Did you know our WAN optimization solution, Citrix Branch Repeater, delivers superior user experience and application performance not only for branch office users but also for remote and teleworkers?

No one feels the need for speed more than a remote user or a teleworker with a low-bandwidth or a high-latency network connection. These users typically use an SSL VPN, such as Citrix Access Gateway, to connect to their corporate network and access email, intranet portals, other applications and data. When your IT augments secure remote access (Access Gateway) infrastructure with Branch Repeater, you can benefit from both secure and accelerated remote access.

Well, now we have two reports that demonstrate ways to use Branch Repeater to augment your Access Gateway infrastructure and the resulting benefits of accelerating secure remote access.

You can download the Turbocharge Access Gateway Performance Report - CTX121034 from the Citrix Knowledge Center. The report explores the benefits of using Access Gateway and Repeater plug-ins for Citrix Receiver together:
• 50x faster Microsoft Outlook and Exchange (MAPI) workflows
• 50x faster Microsoft SharePoint (HTTP) workflows
• 30x faster Windows File Shares (CIFS) workflows

I think you will want to try out the benefits of turbocharged remote access. Check out the Turbocharge Access Gateway Deployment Guide and Reference Architecture - CTX121035 if you want to conduct a POC (proof of concept) or a demo to convince your IT or other decision makers. You will be your end users' hero for providing them with accelerated yet secure remote access.

Permalink | Twitter Post to Twitter | Comments (0) | Views (522) |


Citrix will soon release the next version of Access Gateway Enterprise Edition. By Citrix's standards this version is a minor release so it hasn't gotten much coverage. I'm here to fix that and give you an idea of what new features to expect.

First up is WANScaler interoperability. Remote workers (like me) can deploy Access Gateway and WANScaler plug-ins on their machine and get the benefits of a VPN with traffic acceleration and optimization. We'll publish some performance numbers in the near future but based on my personal experience of using it every day, I can tell you that it's fast - real fast. I can also report that this combination of technologies is now a permanent and necessary part of my work life.

Next, we added clientless access to SharePoint 2003 and 2007. The engineering team has spent time testing the product's URL rewriting capabilities against the most popular applications and this time we're officially supporting SharePoint.

Falling under the category of a better user experience, we've added single sign-on to file shares. When a user clicks on a link to a file share in their landing page, Access Gateway will attempt to use the user's credentials to authenticate to the file server and eliminate the need for them to re-enter their credentials.

Not to be forgotten, we've also added functionality to help administrators. Historical charting is a graphical tool that can chart historical details about system performance and user activity.

And for those of you braving the protocol transition, we've added the ability to bridge from IPv6 external networks to IPv4 on the internal network. For now, this only works when users are connecting to XenApp or XenDesktop since the Secure Access VPN plug-in does not currently support this functionality. This version also gives the ability to define LDAP and RADIUS servers with an IPv6 address.

Look for this firmware update to be available from MyCitrix.com on November 27th. Enjoy!


posted by Morgan Gerhart

NetScaler 9 is officially here. Well, actually, it's officially announced. It won't be officially available to download from mycitrix.com until November 27th. Yes, I know that's Thanksgiving. However, Citrix is a global company, and what better way to prove it than to post the NetScaler 9 code on a major US holiday? And, there is a chance that it might show up a day or two before the 27th.

NetScaler 9 is a pretty big release. Looking at the detailed feature tracker, it contains over 350 new features and feature enhancements. I'm not going to go through all of them in this post, because that's what release notes are for. However, I do want to highlight some of the major new features that folks seem to be most excited about, and point you to some additional resources on this site that go into a bit more detail on some of them.

I like to think that NetScaler acts as the bridge between the network and the applications that run on it, making each of them work better with the other. NetScaler 9 furthers this. A lot of the new capabilities and features make NetScaler more application-savvy than it already is. This is not to say that there aren't any hardcore networking enhancements in NetScaler 9, because there are a lot of them. These include everything from end-to-end support for IPv6 to enhancements to our GSLB functionality to the ability to tunnel IP within IP.

But in the end our networks are there to run applications, and it's the new AppExpert features in NetScaler 9 that seem to be generating the most interest.

AppExpert Templates make a given application the "first class citizen" within NetScaler. They do this by encapsulating everything about a NetScaler configuration that is specific to a given application, including:

  1. The different application components (e.g., pages, files, archives, Web Services) NetScaler is managing
  2. The various NetScaler entities and settings (e.g., VServers/VIPs, load-balancing algorithms, health checks, persistence methods, SSL offload settings) defined for these application components
  3. The specific NetScaler policies (e.g., caching, compression, application firewall, rewrite) used for the application

All of this is presented in a way that puts the application front and center, and configuration and policy changes can be made from there as well. So, while today understanding the entire NetScaler configuration for Microsoft SharePoint (for example) involves moving around between the various NetScaler GUI tabs, with AppExpert Templates everything is centralized in one place.

AppExpert Templates can be imported and exported as well, so they make it pretty easy to move app-specific configurations between different systems. More broadly, several folks have told us that this, and the general look and feel of AppExpert Templates, will help with knowledge transfer within their organizations. You can see an example of the Microsoft SharePoint template being imported and then applied here.

If you go here when NetScaler 9 becomes available in a couple of weeks, you'll be able to download AppExpert Templates we've already built. And, as you'll quickly notice, AppExpert Templates aren't static. The underlying infrastructure makes it really easy for you to tweak a template to your own specific needs, or to improve the template by adding to it. Hopefully, you'll all post any improvements and modifications you make back to the community site so that others can benefit. And definitely look for additional AppExpert Templates to be made available by us, by Citrix partners, and hopefully by other NetScaler users.

With AppExpert rate controls, we've integrated the concept of data rate into the core NetScaler policy infrastructure.  This allows building policies that are only triggered when a defined data rate is exceeded.  And since it's integrated with the core policy infrastructure, it can be used with the various NetScaler functional modules (e.g., content switching, responder), so you're not limited to just dropping traffic as an action.

There's a number of ways folks have told us they're going to use AppExpert rate controls. Of course straight-up rate limiting (e.g., DNS rate-limiting, limiting traffic originating from a single subnet) is one example. Ensuring a given resource (e.g., anything from a VServer to a specific URL) isn't overwhelmed by requests is another. Two specific examples are:

  1. One customer allows some of its partners to scrape its website so the partners can republish content on their own sites. However, the customer wants to ensure that overly aggressive scraping by the partners doesn't overwhelm the website and degrade the site's performance. AppExpert rate controls can be used to limit how much scraping each partner can do. This same approach could be used to ensure that websites that publish APIs -- so that partners can do mashups, for example -- aren't overwhelmed by any particular partner's use of the API.
  2. Another example is a customer that was having problems with a couple of users FTPing a few too many large files at the same time. By using AppExpert rate controls to build an expression around bandwidth consumed per sourceIP, they can drop any additional FTP requests coming from a sourceIP (aka a user) that already has too much FTP activity. A more generalized use could also do something along the lines of limiting the amount of concurrent file downloading for a given SharePoint site, to ensure that downloads don't drown out other SharePoint (or other application) activity.

AppExpert service callouts make NetScaler policies extensible, and will allow you to integrate logic or functionality available in other systems and applications into NetScaler policies. Specifically, using an AppExpert service callout, a policy can send (over HTTP or HTTPS) any part of an incoming request to an external service. The result returned by the external service is then used like any other policy evaluation result.

As an example, one beta customer has an application that identifies and tracks IP addresses that are scraping its site's content. No, this is not the same customer that is interested in AppExpert rate controls. In the earlier case, scraping is encouraged, they just needed to control it. In this case, the scraping of content amounts to theft, and the customer wants to prevent as much of it as possible. Unfortunately, the IP addresses doing scraping change constantly (hence the reason they had to build an app), so statically defining them within the policy itself isn't practical. However, a service callout can query the application in real-time, and NetScaler then uses the response to either pass or drop the request.

Other use cases customers have mentioned include:

  • Passing content to an external transformation engine
  • Integration with UDDI or other directory services
  • Geo-targeting or other token-based switching decisions, where the logic for the content switch is available in an external application  

NetScaler 9 has the first availability of the XML technology we acquired from QuickTree last year. New XML protections in the NetScaler Application Firewall module will now be able to inspect and protect XML as well as HTML traffic. In addition to protecting XML-based applications from attack, this can also be used to ensure that incoming XML traffic conforms to various standards (e.g., XML syntax, schema, WSDL validation). With XML, sometimes "bad" traffic isn't malicious but is just a mistake. Either way, the XML capabilities in the app firewall will catch it.

We've had the ability to rewrite payloads within the TCP header or payload since NetScaler 8.0. However, in NetScaler 9.0 we've added a URL transformation 'mini-module' to our generalized rewrite functionality specifically for rewriting HREFs. While this function is often thought of in the context of either SSL VPN or application firewall, it has uses beyond these as well. For example, onboarding apps acquired through M&A activity, simplifying change management or "Akamai-zing" graphics content.

Again, NetScaler 9.0 is a big release. There is a lot more than the app-centric things mentioned above. There is a pretty comprehensive What's New in NetScaler 9 writeup here for those of you that want a more comprehensive overview.

Updated November 12, 2008:

I received a question via comments asking about Access Gateway Enterprise enhancements. As many of you know, Access Gateway Enterprise is in essence another module in NetScaler. So, all Access Gateway Enterprise functionality is included in NetScaler, which is why NetScaler is such a great solution for Citrix XenApp and XenDesktop. There are definitely enhancements to Access Gateway Enterprise in NetScaler 9. At a high level, they are:

  • Support for IPv6 XenApp Client Connections
  • Single sign-on to file shares, so your users won't get as annoyed by as many authentication prompts (unless you want them to be)
  • Full clientless access to Microsoft SharePoint 2003 and 2007 so users can access SharePoint sites from any browser
  • Historical charting which allows you to see trend data on system activity

posted by Craig Ellrod

The #1 Web Filter by St.Bernard is now Citrix Ready. The Highest Performance Web Application Solution from Citrix Systems can now be deployed with the #1 Web Filter by St. Bernard. IDC ranked them #1, SC Magazine gives them high ratings, and you will agree when you plug this thing in. The Citrix Web Application Firewall protects inbound traffic destined to Web and Application Servers without degrading throughput or response time. Now, with St.Bernard's iPrism h-Series high performance appliances, you can also do outbound Web filtering, IM/P2P filtering, and antivirus detection. The iPrism Web Filter is optimized for the datacenter infrastructure and sits behind the firewall while it monitors traffic. St. Bernard's platforms are hybrid so that Web filtering, antivirus and IM/P2P filtering are all contained within one box - unlike other point solutions.

St.Bernard's iPrism Web Filter is easy to use and easy to manage. In fact, it's so easy, we had the device up and running in Proxy mode and then in Bridge mode in a matter of seconds. The management software auto-discovers the box, so you don't have to plug in a console cable - very nice!

It is far better than a transparent proxy because St.Bernard has engineered their filtering technology at the kernel level, so their bridge mode really is a bridge between interfaces, and not just a transparent proxy like other solutions in the market.

We deployed the iPrism Web Filter behind our NetScaler, and had the NetScaler perform NAT (Reverse NAT) for outbound connections to the Internet. The iPrism Web Filter adds another level of security that IT organizations sometimes look for to complement their existing base of high-performance Citrix Gear.


Citrix & St.Bernard Deployment Guide!

You can try this product for free.

The product demo is awesome.

As a hybrid unit, this is a steal.

NetScaler Developer Network!


posted by Craig Ellrod

We recently had a meeting with a large partner of ours and they handed down some hefty requirements. An average of 100 partners using their portal on any given month to access their development environments on the backend. It was clear that NetScaler could scale, but the question was how to keep all of those partners separated from each other, without them peeking into each other's traffic. It turned out to be easier than we thought using the NetScaler as an SSL VPN with the addition of some policies bound to each partner's user group. The following is an overview of the network diagram, and there are some deployment guides to walk you through these installations.


The Citrix SSL VPN CPS Deployment Guide walks you through deploying NetScaler SSL VPN as an ICA Proxy and authentication point.  It then walks you through deploying Citrix Presentation Server and the steps necessary to connect the SSL VPN to the CPS Applications.  The guide includes Session policies which direct users upon authentication to specific CPS farms on the backend of the NetScaler SSL VPN.  Think of it as an authentication portal.

The Citrix SSL VPN Deployment Guide walks you through deploying NetScalers as an HA Pair, and then as an SSL VPN with ICA Proxy OFF.  The intention was to use the SSL VPN for regular VPN traffic, and not Citrix Presentation Server traffic.  Just as well, policies can be combined on the same NetScaler Application Switch to allow both non-CPS and CPS traffic to traverse the same SSL VPN.

Tap into the power of AppExpert
