Cost Savings, Green Benefits and Improved Server Management.
Citrix Systems, Inc. (NASDAQ: CTXS), the global leader in application delivery, recently announced that leading enterprise resource planning (ERP) manufacturer SAP AG will be virtualizing an estimated 500 servers with Citrix® XenServer™ by the middle of 2009. SAP has also deployed Citrix® XenApp™ application virtualization technology to deliver applications to both SAP employees and external partners. In addition, SAP expects to receive the benefits that a combined XenServer and XenApp solution provides - such as streaming standardized workload images and superior management functionality - which the company anticipates will generate a 35 percent savings in terminal server costs.
SAP was looking to consolidate its server infrastructure and also wanted to create a much more flexible and dynamic computing architecture. Following an extensive test of XenServer, the company decided to move forward with a multi-stage roll-out of the server virtualization solution onto 500 servers, initially in the company's Saint Leon Rot, Germany office. In the next phase of the project, the servers that power the worldwide training centers will be virtualized, followed by the project management division with several hundred development, test, and support environments. After the server virtualization project in Germany is complete, the roll-out will continue at the end of 2009 to SAP's offices in Asia and the United States.
SAP has also deployed Citrix XenApp application virtualization technology to deliver more than 40 applications, including Microsoft Office and the SAP Business Suite software, to its entire user base. In total, there are more than 50,000 end users who access the XenApp infrastructure to work on tasks such as product development and support.
Its powerful AppExpert!
Does your organization deliver virtual applications to the branch office over a sloooow WAN link?
Are you tired of trying to fix all of your WAN issues with a bigger and more expensive WAN connection?
There has to be a better solution...
Citrix Branch Repeater and XenApp work in concert to deliver a "high-definition" branch office experience, drastically improving the XenApp experience for branch office users. Using Citrix HDX Technology, Branch Repeater and HDX IntelliCache adaptively orchestrate with XenApp to disable the native ICA compression used for optimizing single-user sessions.
Just how much better?
- Branch Repeater reduces XenApp traffic by up to 95 percent, increasing file transfer throughput by up to 20 times and increasing print traffic throughput by up to 33 times.
- Together these enhancements allow customers to serve up to 4x more XenApp users in each branch without upgrading bandwidth.
Learn more about ICA Optimization, how to deploy the components, and see the High Definition branch experience yourself in this exciting demo, which can also be found on the Branch Repeater demo page of Citrix.com.

Entity Templates
An entity template simplifies configuration by providing a set of configured defaults for a policy, service, action, or other configuration entity. After you create an entity template, it can be reused with specific instances of entities of the same type. For example, an entity template created for Load Balancing can be used to create the same load balancing configuration on the same load balancer, or on one or more other NetScalers.
Entity Templates are most helpful when you have built your configuration for an entity such as load balancing and want to duplicate it across the organization's load balancers without having to re-type all of the configuration commands. In fact, the entity template manager lets you prompt the user at import time for configuration parameters that might be specific to a certain locality, such as IP address and port number.
Application Templates
The NetScaler includes the ability to create and manage application templates, which give the administrator a way to configure the NetScaler to handle application-specific traffic without directly configuring NetScaler entities. An application template is a reusable bundle of an application's configuration information and can be exported after creation for use on other NetScalers. These templates can be created once and then re-used across multiple NetScalers.
Application vs. Entity Templates
Entity Templates simplify configuration by providing a set of configured defaults for a specific configuration entity, such as load balancing, rewrite or content switching.
Application Templates simplify configuration by providing configuration details for all entities for an application, such as SharePoint, SAP, Oracle, or other web-based applications. Application Templates are more comprehensive and contain configuration details for caching, compression, load balancing, SSL offload, rewrite, filtering, responder and application firewall. For one application you might have several policies in each of these categories that are saved into an Application Template.
Both Entity and Application Templates can be exported and imported for ease of use across different NetScalers. All of the configuration policies, including all expressions, pattern sets and policy labels are exported with the Entity or Application Template - once you define your policies, you don't have to define them again.
Watch how easy this is:
Tap into the power of AppExpert!

HTTP Callouts
New in NetScaler 9.0 is the ability to perform a callout using HTTP to an external server. An HTTP callout is a means of processing incoming packets on the NetScaler using an external service, which can be a virtual server on the NetScaler itself, a back-end server, or a third-party service.
Traditionally, the NetScaler verified these packets internally using built-in policies; now that specialized validation services are available, this feature lets them be integrated with the NetScaler.
An HTTP callout consists of a NetScaler policy expression that sends a simple HTTP request to an external service, waits for the response, and then parses the response to produce a simple result. The result is then used like any other policy expression evaluation result.
The HTTP callout expression:
SYS.HTTP_CALLOUT(<name of HTTP Callout>)
To define the HTTP callout:
set policy httpCallout <name>
    [-IPAddress <ip_addr|ipv6_addr>]
    [-port <port>]
    [-vServer <string>]
    [-returnType <returnType>]
    [-httpMethod ( GET | POST )]
    [-hostExpr <string>]
    [-urlStemExpr <string>]
    [-headers <name(value)> ...]
    [-parameters <name(value)> ...]
    [-fullReqExpr <string>]
    [-resultExpr <string>]
Where:
-returnType must be one of TEXT, NUM or BOOL.
-IPAddress IP address of the server to which callout is made
-port Port of the server to which callout is made
-vserver must be one of the vservers added using the "add lb/cs/cr vserver" command. The service type of the vserver must be HTTP.
-httpMethod could be GET or POST.
-hostExpr Complex PI string expression for value of the Host header.
-urlStemExpr Complex PI string expression for generating the URL stem.
-headers Every header name must have a corresponding value. These headers will be inserted in the request. Header name is string. Header values are Complex PI Expressions.
-parameters Every parameter name must have a corresponding value. These parameter names are put in the URL query if the request has a GET method or they are put in the body if the request has a POST method. One must not rely on the order in which the parameters are inserted. Parameter name is a string. The parameter values can be computed using Complex PI String expressions. The parameter values will be URL encoded.
-fullReqExpr A Complex PI String expression that computes the entire request. It is the user's responsibility to provide a well-formed and sane HTTP request; the system will not do any sanity checking. If the full request is specified, then none of the other arguments can be specified.
HTTP callouts are available with HTTP or TCP Content Switching, Responder and Rewrite functionality.
The basic communication flow for HTTP callout is:
1. User sends request
2. Policy sends HTTP request to an external service
3. Result used like any other policy evaluation result
4. Available for multiple features
HTTP Callout Deployment Scenarios
The examples in this section illustrate how to use HTTP callouts to perform various tasks. In all cases, the NetScaler performs a callout to an external server where a callout agent is configured to respond to the request from the NetScaler based on the data that is present on the external server.
This section describes how to configure HTTP callouts in the following scenarios:
1. Filter clients based on an IP blacklist.
2. Fetch and update content on the fly using Edge Side Includes (ESI) markup language.
3. Authenticate users and control access to resources.
4. Filter Outlook Web Access (OWA) spam.
Filtering clients based on an IP blacklist
HTTP callouts can be used to block requests from clients that are blacklisted by the administrator. This list of clients can either be a publicly known blacklist or one that is maintained specifically by the administrator or a combination of both.
The source IP address of the incoming client request is checked against the external pre-configured blacklist and based on whether the IP address has been blacklisted or not, the transaction is either blocked by the NetScaler or the NetScaler continues to process the transaction normally.
The HTTP callout feature facilitates this by allowing the NetScaler to communicate with the external server that maintains a database of such blacklisted IP addresses.
The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.
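A minimal callout agent for step 5, as an added example that is not Citrix's code. The parameter name cip, the /check path, the BLOCK/ALLOW body tokens, the listening address and the sample blacklist are all assumptions made for illustration.

```python
"""Callout agent sketch for the IP-blacklist scenario (added example)."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

# Constructed sample blacklist, built from documentation-only address ranges.
BLACKLIST = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",        # a whole IPv4 subnet
    "198.51.100.23/32",    # a single IPv4 host
    "2001:db8:bad::/48",   # an IPv6 prefix
)]

# Assumed contract with the NetScaler side, using the options listed above:
# -httpMethod GET, -urlStemExpr '"/check"', -parameters cip(CLIENT.IP.SRC),
# -returnType TEXT, with -resultExpr reading the response body.
PARAM = "cip"
# Tokens chosen so that neither is a substring of the other; a Responder
# policy comparing the callout result cannot confuse them.
BLOCK, ALLOW = "BLOCK", "ALLOW"


def normalize_client_ip(raw):
    """Parse the callout parameter; return an address object or None."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # An IPv4 client can arrive written as ::ffff:a.b.c.d; compare it as IPv4
    # so that it cannot slip past the IPv4 entries in the list.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blacklisted(addr):
    """True if the address falls inside any blacklisted network."""
    return any(addr.version == net.version and addr in net
               for net in BLACKLIST)


def handle_query(target):
    """Map a request target such as '/check?cip=192.0.2.7' to (status, body)."""
    # parse_qs URL-decodes the value, matching the URL-encoded parameters
    # that the callout sends.
    values = parse_qs(urlsplit(target).query).get(PARAM, [])
    if len(values) != 1:          # missing or ambiguous (repeated) parameter
        return 400, "Bad Request"
    addr = normalize_client_ip(values[0])
    if addr is None:              # not an IP address at all
        return 400, "Bad Request"
    return 200, (BLOCK if is_blacklisted(addr) else ALLOW)


class CalloutHandler(BaseHTTPRequestHandler):
    """Answers the GET request issued by the HTTP callout."""

    def do_GET(self):
        status, body = handle_query(self.path)
        data = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Listening address and port are placeholders for the external server.
    HTTPServer(("127.0.0.1", 8080), CalloutHandler).serve_forever()
```

Whether a 400 response or an unreachable agent should block or admit the client is a decision for the Responder policy in step 3; the agent only reports what it can determine.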
ESI support for fetching and updating content dynamically
Edge Side Includes (ESI) is a markup language for edge-level dynamic Web content assembly. It helps in accelerating dynamic Web-based applications by defining a simple markup language to describe cacheable and non-cacheable Web page components that can be aggregated, assembled, and delivered at the network edge.
Using HTTP callouts on the NetScaler, you can read through the ESI constructs and aggregate or assemble content dynamically.
The following outlines the requirements to implement this configuration:
1. Enable Rewrite on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Rewrite action to replace the ESI content with the callout response body.
4. Bind the Rewrite action to a Rewrite policy.
5. Bind the Rewrite policy globally on the NetScaler.
Access Control and Authentication
In high security environments, it may be mandatory to externally authenticate a user before a resource is accessed by clients. On the NetScaler, you can use HTTP callouts to externally authenticate a user based on supplied credentials. There are different ways that authentication credentials might be supplied; the client could be sending the user name and password in HTTP headers in the request, or, the credentials could be fetched from the URL or the HTTP body.
The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.
OWA-based spam filtering
Spam filtering is the ability to dynamically block emails that are not from a known or trusted source or that have inappropriate content. Spam filtering requires business logic that indicates that a particular kind of message is spam.
Using HTTP callouts, you can take out any portion of the incoming message and check it against the configured external callout server, which has the rules to detect whether the message is a legitimate email or spam. In the case of a spam email, the sender is not notified that the email was marked as spam, because that would only alert spammers to modify their messages.
The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.
Read about the Citrix Application Switch with Version 9.0 here.
Try the Citrix Application Switch with Version 9.0 here.
Tap into the power of AppExpert!
An easy step up to IPv6
IPv6 has been available on NetScaler since April 2007, but only to select customers, and with a limited feature set.
Today, with NetScaler version 9.0, the IPv6 feature set is complete, with support for IPv6 communication all the way back to the application servers that the NetScaler is protecting and optimizing. Now that the IPv6 feature has matured, it has been released with the latest version of software! NetScaler version 9.0 includes IPv6 communication to the application servers, and all the usual tools used for troubleshooting are present, such as ping6, traceroute6, etc.
The "IPv4 Dinosaur" may well be a term used in the future to describe a site which doesn't have an IPv6 representation on the internet. It's not a label you would want if you consider yourself to be keeping up to date with the latest and greatest technologies, such as the Citrix NetScaler Application Switch.
Do keep in mind that running an IPv6-only network is probably still an arm's length away and not very easy to migrate to. What would be required is a hybrid approach - and this is where NetScaler version 9.0 can provide a quick solution.
It is possible to use IPv6 communication from the internet to your NetScaler, and then use IPv4 from the NetScaler to the application servers. This will provide an IPv6 presence on the internet for your external website, without having to use time, resources, and budget to rebuild your entire environment right away.
Think of this as IPv6 offload, if you will. The fact that the application and back end systems are running IPv4 will be fully hidden from the end user. You can then, in your own time, port your back end infrastructure over to IPv6 step by step, making testing and roll-back a cinch.
Of course, full IPv6 end-to-end communication is equally important, especially for those government accounts which require this box to be checked-off for any new hardware going into the racks. This is the newest part of this feature, which is also now available in NetScaler version 9.0.
Tap into the power of AppExpert!
NetScaler supports the chaining of Intermediate SSL Certificates
Up to 10 Chained Certificates to be exact, one Server Certificate and nine CA Certificates.
Verisign recently posted an advisory stating the discontinuance of Unchained SSL Certificates, and that all Verisign SSL Certificates issued after Dec 11, 2008 will be chained to Root CAs to align with security best practices - Read the advisory here.
Chaining of Certificates is done with Intermediate Certificates. What are Intermediate Certificates?
They sit in the middle, between the Public Trusted Certificate Authority (CA) and your Server, in our case the Citrix NetScaler.
The Citrix NetScaler Application Switch supports the chaining of SSL Certificates just for this very purpose, and to show how easy it is to obtain an SSL Certificate from a Trusted Certificate Authority, such as Verisign, and install it into the Citrix NetScaler, we developed the following deployment guide to walk you through the process.
Verisign Certificate Authority w/ Citrix NetScaler SSL Deployment Guide.
Not very long ago I published a series on how to become an Application Expert. Citrix NetScaler 9.0 makes it easier with AppExpert Templates. NetScaler AppExpert Templates - introduced in NetScaler 9.0 - provide an application-centric view of the NetScaler system's policy configurations. From a single place within the GUI (AppExpert -> Applications) NetScaler administrators can: 1) Configure the various AppExpert features the NetScaler is fronting, 2) View which NetScaler functional modules (e.g., compression, caching, application firewall) are optimized and active for a given application unit.
Additionally, AppExpert Templates allow you to drill down and see which individual NetScaler policies are active, and what policies are inactive but available, by application component and NetScaler module. From this same view, individual policies can be created, activated and deactivated.
AppExpert Templates can be downloaded, imported, modified and exported; see the AppExpert Templates page of the Citrix Community Website. Administrators can download AppExpert Templates built by Citrix, Citrix Partners and members of the NetScaler community from the Citrix Community Website. These templates are easily imported into any NetScaler running NetScaler 9.0 or higher, jump-starting the configuration and deployment process. Templates developed in-house can be easily exported and shared within your organization, or posted back to the Citrix Community Website for others to view and improve.
See the new AppExpert Templates page here!
Tap into the power of AppExpert!
Citrix Systems is closing the gap on the Number 1 Load Balancer for Web Applications. They are certainly a leader and not going to relent on the pace. Check out the Gartner Magic Quadrant. Further proving a commitment to Application Delivery, Citrix teamed with Akamai to extend Application Delivery from the datacenter into the cloud. Combining Akamai's efficiency in the cloud with Citrix's efficiency in the datacenter provides the ultimate in global acceleration of applications.
Citrix & Akamai Load Balancing Deployment Guide.
Tap into the power of AppExpert!
Read about the Citrix Load Balancer here.
Buy the Citrix Load Balancer here.
As web applications grow in complexity, the art of accelerating them seems to remain the same. This art is performed by applying some basic concepts to the application; that is, Caching, Compression, Load Balancing, Global Server Load Balancing, SSL Offload & Acceleration, Content Switching, TCP Multiplexing and SSL Session Reuse.
Citrix® is a leader in Gartner's Magic Quadrant for Application Delivery with its flagship appliance, NetScaler®. NetScaler accelerates web application performance by leveraging multiple acceleration technologies and innovative TCP optimizations.
Whether you are building out a new datacenter and architecting it the right way, or retrofitting an existing datacenter, Citrix NetScaler will perform and keep costs down. Whether you are looking to accelerate legacy enterprise applications such as Oracle or SAP, or building a new web 2.0 social community, Citrix NetScaler contains all of the tools to get you there.
Citrix NetScaler web application delivery solutions are purpose built appliances that accelerate application performance, while simultaneously reducing datacenter costs and improving web application security. Platforms range from the entry level 7000 to the latest MPX-series appliances that provide an industry-leading 15 Gbs of throughput at Layers 4 through 7.
There's more here: Case Studies, White Papers, Analysts, Datasheets
Check out the new MPX!
Buy it here!
Tap into the power of AppExpert!
Becoming an Application Expert means that you can profile an application and quickly determine how it can be architected or re-constructed for higher performance. Of course, we want you to use the Citrix Application Switch as part of the architecture. In Part 1, we learned how to profile an application to learn what it looks like as the traffic flows through the Citrix Application Switch. Now we will determine what parts of an application are cacheable and what parts are non-cacheable.
By Application Profiling we can determine which parts of the application are cacheable and non-cacheable just by looking at the Request and Response headers. The application will sometimes tell you through its "Cache-Control" header directives. Some content that we just know is static and doesn't ever change, we can consider cacheable as static content. Content that changes, such as reports, is often considered non-cacheable, but with the help of Selectors and Dynamic Content Groups in the Citrix NetScaler, this content can be cached. As a proof of concept, we deployed the Citrix NetScaler Application Switch in front of the Oracle E-Business Suite v12 application and implemented caching policies for both static and dynamic content. As it turns out, a lot of static content is cached by default policies, and setting up dynamic policies is not that difficult. To see how, read the Caching Deployment Guide for Oracle E-Business Suite v12.
Watch this Caching Tip:
Tap into the power of AppExpert!
Application Profiling
Introduction:
I can turn you into an Application expert in 5 minutes by reading this post. Just do what the experts do, or even the not-so-experts. They pay meticulous attention to the requests from clients and the responses from servers, both headers and body content. You do this the old fashioned way by taking a trace. There are better tools out there, some free, some not-so-free.
Running a trace:
Running a trace will help you 'profile' the application. It is recommended that you do this before placing the Citrix Application Switch in-line with the application traffic. This will gather important information about the application that will help you understand its basic operation at Layer 7, and help you begin to understand what it is that needs to be accelerated - cached, compressed, load balanced, SSL offloaded, etc.
Running a trace exposes the flow of transactions between all points of interest. Traces are especially helpful when digging in to find what is contained within the headers being exchanged between the client and the application.
Taking a trace with wireshark:
The free network protocol analyzer called wireshark, http://www.wireshark.org, will capture packets for you on the localhost, whether it's windows or linux. By filtering the stream of packets by IP Address, right clicking and selecting 'Follow TCP Stream' inside of wireshark, you can see the headers for both requests and responses.
Wireshark tip 1: Find the first 'SYN' in the stream, right click, 'Follow TCP Stream'.
Wireshark tip 2: Client requests are in Red, Server responses are in Blue.
Taking a trace with the Citrix Application Switch:
If the Citrix Application Switch is already in place, a trace can be run directly on the Citrix Application Switch. Running a trace will expose the flow of transactions between all points of interest, especially the client, load balancing VIPs and backend servers. Traces are especially helpful when digging in to find out if the proper headers are being exchanged between client & VIP and VIP & backend servers. Once downloaded, the trace file can be opened and its request and response headers read with Wireshark, a free network trace utility, http://www.wireshark.org. From the Citrix Application Switch GUI, navigate to NetScaler -> System -> Diagnostics -> New Trace -> Run.
Viewing headers with Paros:
Paros was originally written for web security, but has value when viewing request and response headers, cookies and the like. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted. There is an additional option of trapping and modifying data before sending it on to the server or the client. Paros can be found at http://parosproxy.org. Free.
Viewing headers with Live HTTP Headers:
Live HTTP Headers, http://livehttpheaders.mozdev.org/, was developed for use with the Firefox web browser. It is a free add-on and allows you to view HTTP header information in real time. Free.
Viewing headers with IE Analyzer:
IEInspector HTTP Analyzer, http://www.ieinspector.com, is a tool that allows you to monitor, trace, debug and analyze HTTP/HTTPS traffic in real-time. It works with Microsoft Internet Explorer. Not-Free.
Viewing headers with IE Watch:
IEWatch, http://www.iewatch.com, is another plug-in for Microsoft Internet Explorer that helps you profile your web applications. You can use this tool to dig deep into the inner workings of web applications to find hidden issues. Not-Free.
Watch this Application Profiling Tip:
Tap into the power of AppExpert
The SAP Enterprise Service Oriented Architecture (SOA) provides a blueprint for services-based, enterprise scale business solutions that are adaptable, flexible, and open. Enterprise Services Architecture takes the concept of service-oriented architecture to a new level by transforming Web services into enterprise services. Bringing Citrix and SAP Enterprise Services Architecture together reduces the dependence on customized applications, and increases flexibility and reduces time to deployment while reducing operational expenses.
This Citrix / SAP Enterprise SOA Deployment Guide was created out of a joint engagement between Citrix and SAP at the Co-Innovation Laboratory in Palo Alto, California, USA. This deployment guide walks through the step-by-step configuration details of how to configure the Citrix NetScaler for use as front-end to SAP Portal for end-user traffic, that is HTTP ~ HTML. To further complement the value of the Enterprise SOA, this guide walks through the details of how to configure the Citrix NetScaler for use as a front-end to the SAP Composite Application Framework and SAP ERP Web Services platforms, providing a flexible load balancer and HTTPS encryption point for machine to machine web service traffic. With this deployment Citrix becomes an integral and flexible part of the SAP Enterprise SOA "Applistructure" bringing together applications and technology for a fast, flexible and highly effective service oriented IT infrastructure.
Watch this Load Balancing Tip:
Tap into the power of AppExpert
We recently had a meeting with a large partner of ours and they handed down some hefty requirements: an average of 100 partners using their portal in any given month to access their development environments on the backend. It was clear that NetScaler could scale, but the question was how to keep all of those partners separated from each other, without them peeking into each other's traffic. It turned out to be easier than we thought, using the NetScaler as an SSL VPN with the addition of some policies bound to each partner's user group. The following is an overview of the network diagram, and there are some deployment guides to walk you through these installations.
The Citrix SSL VPN CPS Deployment Guide walks you through deploying NetScaler SSL VPN as an ICA Proxy and authentication point. It then walks you through deploying Citrix Presentation Server and the steps necessary to connect the SSL VPN to the CPS Applications. The guide includes Session policies which direct users upon authentication to specific CPS farms on the backend of the NetScaler SSL VPN. Think of it as an authentication portal.
The Citrix SSL VPN Deployment Guide walks you through deploying NetScalers as an HA Pair, and then as an SSL VPN with ICA Proxy OFF. The intention was to use the SSL VPN for regular VPN traffic, and not Citrix Presentation Server traffic. Just as well, policies can be combined on the same NetScaler Application Switch to allow both non-CPS and CPS traffic to traverse the same SSL VPN.
Tap into the power of AppExpert
Moved Document Root
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
Usually the Document Root of the web server directly relates to the URL "/". But in some cases the document root should shift to some other directory. The following rules can be used to implement this.
Example : Rewrite the url / to /e/www
Apache rewrite:
RewriteEngine on
RewriteRule ^/$ /e/www/ [R]
AppExpert rewrite: (There are two ways to do this)
add responder action act1 redirect '"/e/www/"' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.EQ("/")' act1
bind responder global pol1 100

add responder action act1 redirect '"/e/www"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.URL.STARTSWITH("/e/www/")' act1
bind responder global pol1 100 END
Tap into the power of AppExpert!

