Border Gateway Protocol, open-source and it's para-virtualized. No more proprietary software and hardware, you can run as many copies of this as needed on one physical XenServer machine. As a proof point, we used the Vyatta Open Source router to build out our Link Load Balancing network in Santa Clara.  The Open Source Vyatta is running on a Dell server. We configured the BGP routing protocol, but could have have also configured OSPF or RIP and redistributed the routes. This configuration has been proven to outperform the incumbents, and is less costly by a wide margin.  Reduce opex and capex and start rolling this out today.  

What is needed:

• Vyatta Open Source Networking Software
• A Dell Server that supports Virtualization
• XenServer Enterprise 4.1

The Network:

Watch this Video:

Tap into the power of AppExpert!

We are all used to the familiar commands to configure IP Addressing on *nix and *dows types of systems, however there is a little bit of a trick involved with XenServer. 

Imagine if you had built your XenServer in one location and then transported it to another location where a different IP Addressing scheme was being used.  In order to have XenCenter come in contact with the XenServer again, you will need to re-configure the Management IP Address.  Since you probably won't RTM, and you don't want to rip your hair out trying to figure it out, the steps are outlined in this XenServer Tip.

Download this XenTip.

Tap into the power of AppExpert!

Rewrite

Performing content rewrite at milli-speed is key to providing a front-end device for application delivery. Most important is the capability to rewrite both request and response headers & body content which the Citrix Application Switch does and it is an easy 3-step process to configure. Not only is it easy, it scales to Enterprise class applications, which we demonstrated here with the Oracle Enterprise Business Suite v12 in our lab in Santa Clara, CA, USA.

Watch this Rewrite Tip:

Tap into the power of AppExpert!

Read about the Citrix Application Switch here.

Buy the Citrix Application Switch here.

In the Application Expert series part 2, Caching, I released a Deployment Guide discussing Static and Dynamic Caching.  As we are partners with Microsoft, we recently did some work here internally setting up some Dynamic Caching for an ASP.NET application and thought we would share the knowledge. This Caching Deployment Guide for ASP.NET Web Applications discusses the way an Application Expert would find out the potential caching scenarios that a web application can benefit from, and shows how to create and test the NetScaler caching policies and settings to put these scenarios into effect.

Tap into the power of AppExpert!

And it's FREE! Throw away those behemoths that suck power from every grid in the state and drain your budget. This baby is Free, Open Source and VIRTUAL, meaning you can run as many instances of this router as you want on your choice of hardware. What is even more gratifying is it's faster than the old router technology.

Vyatta has commoditized router, firewall and VPN deployment in the same way that Linux commoditized the operating system market. Vyatta open-source networking offers you an alternative to over-priced, inflexible products from proprietary vendors.

Vyatta software enables customers to build routing and security solutions using standard x86-based hardware of their choosing, ensuring networks will always meet performance requirements. Vyatta open-source software delivers the unique advantage of allowing customers to scale networks from the simplest LAN configurations to large BGP WAN edge configurations using a single software package.

Vyatta software includes support for most commonly used network interfaces, industry standard routing and management protocols, and all of these features are configurable via a single command-line interface (CLI) or web-based graphical user interface (GUI) - avail Q3'08. The integrated features and functionality make Vyatta software ideal for SMB, Branch Office, Enterprise and Service Provider deployments.

Summary of features:
BGP, OSPF, RIP, DHCP, QoS, IPSec VPN, VRRP, PPP, 802.1Q, Complete List.

This open source router is already running on XenServer in a large service provider in Europe. We are using it in our Citrix Ready program as a multi-link Intranet with connections to the Internet along with high availability link load balancing.

This para-virtualized Vyatta image runs as a virtual appliance in XenServer v3.2.1 and v4.1.

The XenServer Platform we are using:

• Dell Poweredge 2950 server.
• 2 x Intel 64-bit Quad-Core Xeon Processors, Model E5335 @ 2.00 GHz each, for a total of 8 CPUs.
• 2 Intel 82571EB Gigabit Ethernet (on-board)
• 2 Broadcom NetXtremeII Gigabit Ethernet
• 16 GB of memory.
• 300 GB of Storage.
• XenServer v4.1
• *note: CPU's must support virtualization technology.
  
  
  
  
  
  

Virtual Router - Install:

Virtual Router - Config:

Tap into the power of AppExpert.

Application Delivery is at the top of the list of any organization's priorities. Keeping up with those priorities requires a move to dynamic application delivery and virtualization. The Citrix NetScaler Application Switch is a powerful step in that direction.

Compressing content at the server level can be done, but is tedious, and with the number of hosted servers on the backend growing proportionally with virtualization, it is better suited to a frontend tool. 

As an Application Expert, determining what type of content is compressible vs. that which is not compressible should be at the tip of your tongue, or at least you should be able to reference this post or document.  The thing is, while some content types remain compressible/non-compressible across many applications, you might run across an application that requires some content be treated uniquely.  For example, the SAP application requires that pdf files should not be compressed when sent back to the clients.  Either way, you should know how to dynamically configure rules to accommodate for the applications content.  This Compression Deployment Guide shows you how.

Watch this Compression Tip:

Buy the Citrix NetScaler Application Switch here.

Tap into the power of AppExpert.

Many news reports have recently identified the increased threat to web sites and applications from SQL injections, the most recent example being the Nihaorr1 script that resulted in over 600,000 sites being infected even including the Department of Homeland Security and the UN. Although initially identified as a Windows IIS server vulnerability, the root cause of the recent exposure goes beyond IIS and has identified lax web application coding as the culprit. A Register interview with the DHS assistant secretary for Cybersecurity is quoted as saying " our networks are only as strong as the weakest link " which makes sense but also identifies how vulnerable web applications are on the web. If a company is relying on the variability of programmer security knowledge and limited QA testing to protect their web app from yet to be defined threats, it's no wonder that so many sites are exposed and hacked. 

Perhaps one of the ways to better protect an organization from the next undefined attack is to look at minimizing the impact of variability. A common best practice in the manufacturing industry is to evaluate every process and implement techniques and tools to reduce variability so as not be overly dependent on a final test or inspection which always has some level of escapes. This is the core of the Six Sigma  technique that many world class manufacturers utilize to improve product quality.  

As applied to IT protecting Web Applications, a tool that can be implemented to reduce the impact of programmer variability is to utilize a Web App firewall such the positive security model feature of the NetScaler Application Firewall. This feature recognizes best coding practices for HTML and Industry HTTP standards and automatically blocks Web App behavior and variations outside a known-good model. The result is a significant reduction in the risk created by variable programmer skills and expensive but incomplete QA testing.  In the specific example of the Nihaorr1 attack, a recent test validated that the NetScaler Firewall was indeed able to block the Nihaorr1 script using the default configurations. Additionally the learning features of the App Firewall can be used for more granular configurations and protection as well.  

So before the next threat to your web applications is discovered, it may be worth further investigation as to the human influence of variability in IT operations and consider steps to mitigate the risks.   

Hundreds of Thousands of Web Servers have been getting hacked, including several at the United Nations. The appearance is that the hack exploits a vulnerability in Microsoft IIS because of a Microsoft SQL Specific injection payload, however the attack is capable of infecting any type of web server open to SQL Injection and Cross Site Scriting (XSS) attacks.

Microsoft released some security bulletins (951306, MS08-006) stating vulnerabilities in their IIS web server,  alluding to the vulnerabilities recently brought to light. A script homed at nihaorr1.com based in China was found to be infecting many servers, and spreading quickly. Further research into the problem indicates that non-Microsoft types of servers may also be affected by the attack.

As of May 12, 2008, Google's Index had 1,700,000 infected pages.  The domains currently being injected that contain the malicious Javascript are:

• nihaorr1.com
• 2117966.net
• aspder.com
• haoliuliang.net
• nmidahena.com
• free.hostpinoy.info
• xprmn4u.info
• winzipices.cn
• wowgm1.cn
• killwow1.cn
• wowyeye.cn
• wowgm1.cn
• winzipices.cn

This vulnerability and others like it can easily be stopped with a Citrix Web Application Firewall using default policies to block SQL injection and Cross Site Scripting. We setup a demo in our lab, to show how easy it is to configure and block this type of threat.

See the mailicious script in action:

Watch how Citrix Web App Firewall blocks the malicious script:

See how easy it is to configure the Citrix Web App Firewall:

Read about the Citrix Application Firewall here.

Buy the Citrix Application Firewall here.

Tap into the power of AppExpert

As an addendum to the Citrix NetScaler Policy Engine post I wrote recently, I pulled together some Frequently Asked Questions (FAQ) pertaining to the Policy Engine (PE). Policies are used to configure various Citrix NetScaler Application Switch features, and are executed in the order of their priorities. The priorities are configurable and increment in units of 10.

Watch this Policy Priority Tip:

Tap into the power of AppExpert!

Policies are used to configure various Citrix NetScaler Application Switch features. For example, the parameters for compressing content are defined in a compression policy.

The features that use policies are:

• Load Balancing
• Content Switching
• Content Filtering
• AppCompress
• Cache Redirection
• SSL VPN
• Priority Queuing
• DoS Protection
• Sure Connect

Policy expressions are applied to content that enters the switch. Expressions are shared among features, but actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system. You can then create a compression policy that uses this expression to compress those files. The Policy Engine (PE) refers to the architecture in the Citrix NetScaler Application Switch for versions up to 8.x. The architecture for Policy Engine and the manner in which it operates is presented in this Deployment Guide.  Did you know that each feature in the Citrix NetScaler Application Switch is processed in a certain order, and the Policy Engine (PE) applies policy according to that order.  That order is represented in this diagram and discussed in the Deployment Guide for Policy Engine (PE).

Watch this Policy Engine Tip:

Tap into the power of AppExpert!

As web applications grow in complexity, the art of accelerating them seems to remain the same. This art is performed by applying some basic concepts to the application; that is, Caching, Compression, Load Balancing, Global Server Load Balancing, SSL Offload & Acceleration, Content Switching, TCP Multiplexing and SSL Session Reuse.

Citrix® is a leader in Gartners magic quadrant for Application Delivery with their flagship appliance NetScaler®. NetScaler accelerates web application performance by leveraging multiple acceleration technologies and innovative TCP optimizations.

Whether you are building out a new datacenter and architecting it the right way, or retrofitting an existing datacenter, Citrix NetScaler will perform and keep costs down. Whether you are looking to accelerate legacy enterprise applications such as Oracle or SAP, or building a new web 2.0 social community, Citrix NetScaler contains all of the tools to get you there.

Citrix NetScaler web application delivery solutions are purpose built appliances that accelerate application performance, while simultaneously reducing datacenter costs and improving web application security. Platforms range from the entry level 7000 to the latest MPX-series appliances that provide an industry-leading 15 Gbs of throughput at Layers 4 through 7.

There's more here: Case Studies, White Papers, Analysts , Datasheets

Check out the new MPX!

Buy it here!

Tap into the power of AppExpert!

Citrix AppExpert  is an online community dedicated to NetScaler users. This moderated community is the best place for conversations on how to get the most from your NetScaler deployment, including creative AppExpert policies, innovative configurations, integration with other infrastructure technologies and more

AppExpert represents a breakthrough in ease-of-use, developers occasionally need more programmatic ways to invoke policies or system settings as well. For these scenarios, AppExpert also provides powerful APIs that use industry-standard WSDL (web services description language). Using AppExpert APIs, external applications and systems can automatically modify any NetScaler system setting and any AppExpert policy.

Continue to the AppExpert Community

Becoming an Application Expert means that you can profile an application and quickly determine how it can be architected or re-constructed for higher performance. Of course, we want you to use the Citrix Application Switch as part of the architecture. In Part 1, we learned how to profile an application to learn what it looks like as the traffic flows through the Citrix Application Switch. Now we will determine what parts of an application are cacheable and what parts are non-cacheable.

By Application Profiling we can determine which parts of the application are cacheable and non-cacheable just by looking at the Request and Response headers. The application will sometimes tell you through it's "Cache-Control" header directives. Some content that we just know is static and doesn't ever change, we can consider cacheable as static content. Content that changes, such as reports, are often considered non-cacheable but with the help of Selectors and Dynamic Content Groups in the Citrix NetScaler, this content can be cached. As a proof of concept, we deployed the Citrix NetScaler Application Switch in the front of Oracle E-Business Suite v12 application and implemented caching policies for both static and dynamic content. As it turns out, alot of static content is cached by default policies and setting up dynamic policies is not that difficult. To see how, read the Caching Deployment Guide for Oracle E-Business Suite v12.

Watch this Caching Tip:

Tap into the power of AppExpert!

Citrix® NetScaler® web application delivery solutions are purpose built appliances that accelerate application performance up to five times, while simultaneously reducing datacenter costs and improving web application security. Platforms range from the entry level 7000 to the latest MPX-series appliances that provide an industry-leading 15 gigabits per second of througput at both Layer 4 and Layer 7 with maximum simultaneous use of all functional modules. They provide visibility into the end-user application experience and comprehensive web application security in concert with advanced traffic management. NetScaler, a member of the Citrix Delivery Center product family, is an ideal network management solution for any enterprise seeking accelerated Web application performance, improved web application security and increased application availability.

Continue at Source: Citrix

*Santa Clara, CA » 4/28/2008 »* Citrix Systems, Inc. (Nasdaq: CTXS), the global leader in application delivery infrastructure, today announced its new NetScaler MPX line of web application delivery systems.  The new NetScaler solutions feature a massively parallel multi-core system architecture that significantly increases datacenter capacity and delivers 2.5¹  times more web applications with the same infrastructure footprint. Citrix® NetScaler® MPX also provides unmatched performance when delivering applications that demand the highest security and best end-user experience. Today's web applications are straining traditional load balancers and rigidly-constructed datacenters with the integration of rich media capabilities, service oriented architectures (SOA) and interactive Web 2.0 capabilities. These applications are significantly more complex and resource intensive, yet they must still be delivered with the fastest performance, best security and lowest cost. NetScaler MPX is the industry's first web application delivery controller to drive greater than ten gigabits per second (Gbps) of real world application performance while concurrently providing advanced acceleration, traffic compression, and integrated web application firewall security - all in an energy-smart appliance form factor.

As an integral component of the Citrix Delivery Center^TM product family, NetScaler MPX also enables the push toward dynamic datacenters that can more easily adapt to the needs of today's increasingly complex web applications.  As part of this end-to-end solution architecture, NetScaler MPX provides sophisticated workflow virtualization that senses changes in application demand and automatically invokes the necessary application and server resources to meet dynamic workloads. This unique capability provides a fundamental building block of the new dynamic datacenter by offering the necessary scalability and virtualization capabilities needed to cost effectively deliver both enterprise and Internet-facing web applications.

"With its high-performance architecture, NetScaler MPX relieves key customer pain points in large, dynamic datacenters, including the challenge of reducing power consumption while managing traffic loads that are beginning to cross the 10 Gbps threshold," said Cindy Borovick, Research Vice President for IDC's Datacenter Networks service.

Continue at Source: Citrix

This is my first blog entry in this new AppExpert Community site.

I am excited that we are now ready to tap into the power of the community to spread the
knowledge power of AppExpert amongst the user base of Citrix application networking products!

The first thing I would like to share is my core belief in the strength of AppExpert Policy system,
which is its ability to provide powerful, extensive, flexible and expressive policy control while keeping
the simple tasks extremely simple.

AppExpert blends the power of extremely advanced application layer policy control with the ease of point and
click ease of use in its declarative rule setting model.  Also, while administrators can compose
very complex expressions and combine them into powerful predicates and rule sequences,
AppExpert does not forget to keep simple things simple - rules that are needed most often are
often just a click or two away!

 This is in keeping with my often expressed analogy of Digital SLR camera model of admin interfaces.
(yes, my esteemed colleagues are indeed quite sick of hearing me expound on this analogy, but I will do so
here for this new audience! )

Even the most complex Digital SLR cameras come with a fully automatic "A" mode for point-and-shoot
simplicity, while presenting an "PA" mode for  more advanced users who want to customize only a couple of
key settings and a fully custom "M" (manual) mode for full power and control of all the aperture, speed,
Lens, focus etc settings of the camera.

AppExpert similarly, makes it a quite simple click for simple content switching type rules.  But it goes on to
provide full power  of pattern matching, predicates and rule sequences, for the more advanced users.

Granted it does not provide the "M" mode of a "Turing-complete" programming language or custom
script exits - yet.    The reason, is that Citrix architects have wanted to first natively provide
the advanced capabilities in the PA mode, rather than just punting
the task of key application layer policy rules to be programmed in scripting languages by the administrator
without first carefully understanding the customer requirements.

Other systems have jumped to "outsource" development of such policy capabilities to their users,
thus subjecting them to the rigors of hiring programming and scripting experts even for simple
app layer rules!  And, sometimes they claim to provide a grab bag of such scripts on web-sites to
copy and paste for their use.  That's great, but have they stopped to think if that's the way someone
can set up rules for their system without a scripting expert, what happens when something breaks in that
script or it is not 100% suited to their specific installation?  Who troubleshoots when things go bump
in the middle of the night or user traffic shoots up on a popular web2.0 application and the script breaks?!
Further, most often such scripting system provide a level of performance that is an order of magnitude
slower than the native rules.  So while tempting with complete freedom, these scripting environments
very often flatter to deceive, and are unsuitable for many demanding, high throughput applications.

Citrix architects have taken the approach of providing the best of both worlds by providing
powerful capabilities within the native AppExpert system so that even very demanding
policies can be set using the visual, declarative point and click paradigm.  And, these rules execute
at the speed of the core switching engine, preserving the high throughputs.  This means that
customers can achieve what they need with the robustness and speed and express it with the
ease of visual+declarative interface and leave it to the system to carry out their wish in the fastest
possible way.  The engine keeps getting optimized, so they continue to get performance improvements
as well, completely transparently.  With a script, they have to reprogram, retest, and suffer through
a new test of hard to troubleshoot corner case bugs!

But does that mean that AppExpert will never ever offer the M mode?  To the contrary.
Long time  users of AppExpert will note that it has consistently evolved
release after release to include more powerful features and more flexible capabilities.
This will continue and AppExpert will add more flexible and extensible policycapabilities.

Moreover, the Citrix architects are carefully examining a structured way
to allow customers to leverage their investments in gateway logic to be applied to customize
policy processing.  You all will hear more about it as the plans get more concrete and closer to
fruition.

Watch this space for exciting AppExpert improvements in an Citrix app networking system near you!

Prabakar Sundarrajan
CTO, Application Networking Group,
Citrix Systems, Inc
 

Application Profiling

Introduction:

I can turn you into an Application expert in 5 minutes by reading this post.  Just do what the experts do, or even the not-so-experts.  They pay meticulous attention to the requests from clients and the responses from servers, both headers and body content.  You do this the old fashioned way by taking a trace.  There are better tools out there, some free, some not-so-free.

Running a trace:

Running a trace will help you 'profile' the application. It is recommended that you do this before placing the Citrix Application Switch in-line of the Application traffic. This will gather important information about the Application that will help you understand it's basic operation at Layer 7, and help you begin to understand what it is that needs to be accelerated - cached, compressed, load balanced, ssl offloaded, etc.

Running a trace exposes the flow of transactions between all points of interest. Traces are especially helpful when digging in to find what is contained within the headers being exchanged between the client and the application.

Taking a trace with wireshark:

The free network protocol analyzer called wireshark, http://www.wireshark.org, will capture packets for you on the localhost, whether it's windows or linux. By filtering the stream of packets by IP Address, right clicking and selecting 'Follow TCP Stream' inside of wireshark, you can see the headers for both requests and responses.

Wireshark tip 1 Find the first 'SYN' in the stream, right click, 'Follow TCP Stream'.

Wireshark tip 2 Client requests are in Red, Server responses are in Blue.

Taking a trace with the Citrix Application Switch:

If the Citrix Application Switch is already in place, a trace can be run directly on the Citrix Application Switch. Running a trace will expose the flow of transactions between all points of interest, especially the client, load balancing VIPs and backend servers. Traces are especially helpful when digging in to find out if the proper headers are being exchanged between client & VIP and VIP & backend servers. A trace can be run directly on the Citrix Application Switch. Once downloaded this file can be opened and request and response headers read with Wireshark, a free network trace utility, http://www.wireshark.org. From the Citrix Application Switch GUI, navigate to NetScaler -> System -> Diagnostics -> New Trace -> Run. 

Viewing headers with Paros:

Paros was originially written for web security, but has value when viewing request and response headers, cookies and the like. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted. There is an additional option of trapping and modifying data before sending it on to the server, or client. Paros can be found at http://parosproxy.org. Free.

Viewing headers with Live HTTP Headers:

Live HTTP Headers, http://livehttpheaders.mozdev.org/, was developed for use with the Firefox web browser. It is a free add-on and allows you to view HTTP header information in real time. Free.

Viewing headers with IE Analyzer:

IEInspector HTTP Analyzer, http://www.ieinspector.com, is a tool that allows you to monitor, trace, debug and analyze HTTP/HTTPS traffic in real-time. It works with Microsoft Internet Explorer. Not-Free.

Viewing headers with IE Watch:

IEWatch, http://www.iewatch.com, is another plug-in for Microsoft Internet Explorer that helps you profile your web applications. You can use this tool to dig deep into the inner workings of web applications to find hidden issues. Not-Free.

Watch this Application Profiling Tip:

Tap into the power of AppExpert

The SAP Enterprise Service Oriented Architecture (SOA) provides a blueprint for services-based, enterprise scale business solutions that are adaptable, flexible, and open. Enterprise Services Architecture takes the concept of service-oriented architecture to a new level by transforming Web services into enterprise services. Bringing Citrix and SAP Enterprise Services Architecture together reduces the dependence on customized applications, and increases flexibility and reduces time to deployment while reducing operational expenses.

Watch this Load Balancing Tip:

Tap into the power of AppExpert

We recently had a meeting with a large partner of ours and they handed down some hefty requirements.  An average of 100 partners using their portal on any given month to access their development environments on the backend.  It was clear that NetScaler could scale, but the question was how to keep all of those partners separated from each other, without them peeking into each others traffic. It turned out to be easier than we thought using the NetScaler as an SSL VPN with the addition of some policies bound to each partner's user group.  The following is an overview of the network diagram, and there are some deployment guides to walk you through these installations. 

Simple and Intuitive Application Delivery Policy Creation

The AppExpert Visual Policy Builder is a GUI-based environment that simplifies creating even the most complex application policy expressions. The AppExpert Visual Policy Builder can define any NetScaler application traffic management policy, regardless of what functional module is being invoked or whether it is acting upon header or payload content