Integrating IWSVA 3.1 with Citrix NetScaler
Trend Micro InterScan Web Security Virtual Appliance 3.1 (IWSVA 3.1) is both horizontally scalable (increasing capacity through additional servers) and vertically scalable (increasing capacity through CPU, memory or disk improvements), and thus has clear options for increasing capacity and lowering latency.
However, IWSVA 3.1 does not offer built-in load balancing or high availability functionality in the standalone product. Customers desiring this functionality in the standalone IWSVA 3.1 solution must incorporate a third-party product to meet these needs.
The Citrix NetScaler is a powerful solution that matches the performance capabilities of the IWSVA 3.1 application while providing the key business continuity and load distribution functionality that enterprise environments require. Here are some recommended configurations when using IWSVA 3.1 with Citrix NetScaler:
- Citrix NetScaler placed in Transparent mode. This configuration does not require any endpoint browser modifications. This simplifies deployments.
- Trend Micro IWSVA 3.1 in Forward Proxy Mode. Although Citrix NetScaler in transparent mode provides endpoint transparency, you must still place IWSVA 3.1 in forward proxy mode for this functionality to work. This means that all upstream devices will see the MAC and IP addresses of the scanning IWSVA 3.1, not those of the endpoint. This may affect some gateway firewall rules or other applications. Citrix requires an identifying path to distribute load and so cannot aggregate traffic across multiple IWSVA 3.1s while the IWSVA 3.1 cluster is in Forward Proxy mode.
- Citrix NetScaler using "Source IP" persistence. Persistence takes precedence over a configured Load Balancing policy. This ensures that specific endpoints pass through to the same IWSVA when state information is available.
- Citrix NetScaler using the "Least Connections with LRTM" load balancing algorithm. If your environment does not require specific state continuity (in other words, it is acceptable to allow endpoints to pass through any available IWSVA 3.1 for scanning), this algorithm monitors the current number of connections on all IWSVA instances and forwards the incoming requests to the IWSVA with the fewest busy connections.
It's powerful AppExpert!
There are a lot of things to do in Vegas, such as seeing a show, riding a roller coaster and of course, becoming a high roller; however, none of them come with a guarantee that you will go home with something more valuable than you arrived with. At Citrix Synergy, not only will you leave with new and/or renewed connections with other professionals in the industry and at Citrix, but you will leave with knowledge that will deliver more value to your company and to you as an individual.
Sure, there are multiple valuable conferences within a conference at Synergy (iForum, Network World Live! and Virtualization Congress), but my personal favorite is GeekSpeak Live! If you haven't seen or attended a GeekSpeak session (for examples, see Shawn at Synergy and Michael with GeekSpeak Roadtrip!), you need to check this out. These sessions are where true, unfiltered, interactive technical discussions occur. Many sessions are led by Citrix CTPs such as Charles Aunger, Ruben Spruijt & Jeroen van de Camp, Brian Madden and many more, but you also have the ability to lead and/or change a discussion topic on the fly.
This year we have expanded GeekSpeak Live to not only include our traditional evening sessions, but we also have the GeekSpeak SpeakEasy sessions on the exhibit floor and we have woven GeekSpeak session through the traditional conference tracks as well.
As we get closer and closer to Citrix Synergy, I will be posting more information about our GeekSpeak sessions and presenters. Please feel free to leave a comment on this blog, check out the GeekSpeak forum or drop me an email if you are interested in a topic or being a GeekSpeak session lead.
Before I go, I wanted to share a discussion I had with a Citrix Synergy attendee. The discussion started regarding the GeekSpeak session, but quickly transitioned to "I am planning to attend, but my boss/finance team is really leery of spending on technology conferences (especially in Vegas), given the negative press that AIG and others in the industry have gotten regarding conferences. Do you have any advice for me?"
We at Citrix are completely aware of budget constraints and have pulled together some information on the topic for you. The fact is that from a cost perspective, Vegas is a value compared to other cities hosting technology events: Vegas is 20%-60% cheaper from an attendee perspective. With the data we provided, she was able to assure her management that Citrix Synergy was not a boondoggle!
I look forward to seeing you at Citrix Synergy and GeekSpeak Live!, perhaps the one time that "What happens in Vegas, stays in Vegas" isn't true!

Entity Templates
An entity template simplifies configuration by providing a set of configured defaults for a policy, service, action, or other configuration entity. After you create an entity template, it can be reused with specific instances of entities of the same type. For example, an entity template created for Load Balancing can be used to create the same load balancing configuration on the same load balancer, or on a different NetScaler or NetScalers.
Entity Templates are most helpful when you have built your configuration for an entity such as load balancing and want to duplicate it across the organization's load balancers without having to re-type all of the configuration commands. In fact, the entity template manager will allow you to prompt the user for certain configuration parameters, such as IP address and port number, at the time of import, which might be specific to a certain locality.
Application Templates
The NetScaler includes the ability to create and manage application templates, which give the administrator a way to configure the NetScaler to handle application-specific traffic without directly configuring NetScaler entities. An application template is a reusable bundle of an application's configuration information; once created, it can be exported and re-used across multiple NetScalers.
Application vs. Entity Templates
Entity Templates simplify configuration by providing a set of configured defaults for a specific configuration entity, such as load balancing, rewrite or content switching.
Application Templates simplify configuration by providing configuration details for all entities for an application, such as SharePoint, SAP, Oracle, or other web-based applications. Application Templates are more comprehensive and contain configuration details for caching, compression, load balancing, SSL offload, rewrite, filtering, responder and application firewall. For one application you might have several policies in each of these categories that are saved into an Application Template.
Both Entity and Application Templates can be exported and imported for ease of use across different NetScalers. All of the configuration policies, including all expressions, pattern sets and policy labels are exported with the Entity or Application Template - once you define your policies, you don't have to define them again.
Watch how easy this is:
Tap into the power of AppExpert!
Update: As of the 2.0 release we now include 143 activities with the product, including libraries for NetScaler, XenServer, and XenApp. We keep adding more, and if you have specific requests, please email me...
Alex posted in our forums that he was extremely disappointed in the 1.0 release of Workflow Studio because of a lack of libraries/templates for use with Citrix products. We are working on releasing libraries for Citrix products, as well as libraries that integrate with Active Directory, Group Policy, Power Management, and Windows. I appreciate the criticism, as it made me realize that we haven't done a good job of describing the target audience of this 1.0 release. I would like to take the opportunity to explain the different audiences that Workflow Studio appeals to, and why we released 1.0 as it is. Hopefully this post will help to explain how the different features of Workflow Studio appeal to these audiences and also clarify how it can be used today and where we are going in the future.
To make sure we are all on the same page, I want to start by defining the audiences that I will refer back to later. The titles I chose are not important, but hopefully the descriptions will help you to place where this fits in your organization. In the IT industry people often wear many hats and don't fit neatly into a classification.
- IT Operations - This role is responsible for ensuring that IT systems are working and available on a wide scale, but would not typically do development or scripting tasks.
- Server Administrator - This role is responsible for specific server workloads and is intimately familiar with the software running on a system. They are comfortable with batch files, scripting, PowerShell, etc. but would not be comfortable doing traditional software development.
- Software Developer - This role is defined by people who write software that is either sold (Software Companies, System Integrators, Consultants, etc.) or used internally by other groups (often including the above two audiences.)
Workflow Studio is built on top of two technologies from Microsoft - Windows PowerShell and Windows Workflow Foundation. Mapping these technologies to the audiences above, PowerShell corresponds to the Server Administrator and Workflow Foundation to the Software Developer. Our intent with Workflow Studio is to merge these two technologies together and offer solutions that appeal to the IT Operations staff (and to Server Administrators who are looking for tools but are too busy to script solutions to all their needs themselves). As a result of being built on top of PowerShell and Workflow Foundation, we offer features that the other two audiences will also find useful.
As Alex pointed out, the 1.0 release is not very interesting to the IT Operations audience yet because there isn't a large base of activity libraries and workflows available today. The Software Developer audience on the other hand can use 1.0 today with the publicly available APIs for our Citrix products (and if they choose, share or sell their work to the community at large.)
Now I want to take a look at specific features and functionality of Workflow Studio and how they map to these audiences:
IT Operations
The intended process of using Workflow Studio for this audience would be to download workflows (and activity libraries) that solve specific problems that this audience faces. All that needs to be done after downloading the workflows is to schedule or execute them as applications that solve those specific needs.
Workflow Studio has a community tab that links the product back to the Citrix Developer Network (CDN). Citrix, our partners, and the community at large can post activity libraries and workflows that can be downloaded and used without any need to write scripts or code. We built in a tutorial workflow called ExportServices that you can access through the Help menu to see how this process is intended to work. We plan to leverage this mechanism to release activity libraries and workflows to address specific problems faced in deploying the Citrix Delivery Center and the Citrix Cloud Center. We are also looking to our partners and community to build additional libraries and workflows that this audience will find valuable.
Obviously, this audience will not be well served until pre-built workflows are available that solve problems you face in your environment. Let me know in the comments or through email what types of things you would like to see. As we release activity libraries we will also release workflows that relate to them and as more are available we will be able to release more integrated workflows as well.
Server Administrator
The intended use case for this audience is to build and modify workflows using the Workflow Studio Designer for use either internally or to share with the community.
We are working on some activity libraries that will be available in coming weeks that will facilitate building workflows that leverage your existing VBScript and PowerShell scripts. This functionality will enable this audience to leverage their existing scripting knowledge in a more visual, database-driven, automatically versioned, and easily shareable way. Workflows can be extended through C# with the code-beside feature, so if you know a little bit of programming you can automate almost anything that .NET and C# will allow with just the Designer, without needing to go into Visual Studio to build native activity libraries. We have built in some pretty powerful extensions to Workflow Foundation in our Designer that will help you be more productive and make it easy to share within your group, organization, or the community. For instance, the snippets functionality allows you to save templates of individual activity configurations or groups of activities and then export and reuse/share them. Workflows themselves can also be exported and reused/shared. The Workflow Studio Designer is accessed by either creating a New Workflow or editing an existing workflow. You can also download other workflows and edit them to see how they were built.
This audience needs activity libraries available, and we are working on several that will be released in coming months. Active Directory, Group Policy, Windows, Power Management, and Citrix product support are all coming soon, so stay tuned.
Software Developer
The intended use case for this audience is to build and share/sell activity libraries that the above two audiences will find useful. These can target Workflow Studio directly or target Workflow Foundation more generically as the vendors in my post on Workflow Studio Extensibility have done.
Activity Libraries are the mechanism for extending Workflow Studio. An activity library is a component defined by Microsoft as part of Workflow Foundation. These can be built without any knowledge of Workflow Studio (standard Workflow Foundation activity libraries), but there are some features of Workflow Studio that we think offer additional value. We make it easy to target Workflow Studio directly with a set of templates for Visual Studio. Specifically, we have a converter that will take existing PowerShell snap-ins and convert them to activity libraries automatically. You will soon be able to download these templates and documentation on automating Workflow Studio on our Download SDKs page.
Workflow Foundation and PowerShell have been around now for more than 2 years. These technologies are robust and stable and can easily be leveraged with the 1.0 release of Workflow Studio. If you are a Citrix partner (or want to be one) and have some ideas in this space, feel free to contact me to discuss.
Hopefully this will help clarify where we are with Workflow Studio and where we are going. Feel free to email me with comments or thoughts on how we can do a better job of addressing your needs with Workflow Studio - whichever audience you may fall into.
Workflow Studio leverages product SDKs to accomplish automation, so I want to take a moment to remind everyone that each of the Citrix products has their own SDK page on the CDN:
- XenApp - http://community.citrix.com/cdn/xa/sdks
- XenServer - http://community.citrix.com/cdn/xs/sdks
- XenDesktop - http://community.citrix.com/cdn/xd/sdks
- NetScaler - http://community.citrix.com/cdn/ns/sdks
Notice the similar link on the Workflow Studio page? Stay tuned...
For those of you who were not able to attend the live event or wish to re-watch it, you can get to the recording by going here: http://www.citrix.com/English/NE/events/event.asp?eventID=1685355
Q: Where can I get NetScaler training?
A: You should check out the Citrix Training website for information on classes and locations. (http://www.citrixtraining.com/courses/courses/index.cfm)
Q: Are the Web Interface and XML Broker monitors part of Citrix Access Gateway Ent.?
A: Access Gateway Enterprise Edition is a component on the NetScaler platform. In order to use Access Gateway functionality along with the load balancing functionality, you will need to have the correct license for the NetScaler platform. Please take a look at the Citrix NetScaler Editions description (http://www.citrix.com/English/ps2/products/subfeature.asp?contentID=1683492)
Q: In the demo being shown, if the application is only available via the Minneapolis datacenter, but the user is closer to the Ft Lauderdale datacenter, is it possible to configure the NS/AG to redirect the connection to the Minneapolis NS pair instead?
A: Excellent question. The challenge with your question is that NetScaler does not know which application you intend to launch when it decides the most appropriate data center. Even if the NetScaler sends you to the Ft Lauderdale data center, you will still be able to launch an application only available in the Minneapolis data center, but you still have your SSLVPN session going to Ft. Lauderdale.
Q: If you have redundant WI and/or XML Broker servers set up, does NS determine that the primary has gone down and alert the admin that redundancy is no longer there?
A: These should be SNMP traps that you could pick up with a management tool to alert the administrator.
Q: What happens if we have two sites with different subnets and we have two DNS over NAT?
A: Two sites with different subnets, NAT, etc. is fine. Your configuration will just be different and include different addresses. With multiple DNS servers, you just need to make sure that the fully qualified domain name you set up as part of Global Server Load Balancing is configured on both DNS servers to point to the NetScaler devices, which are the authoritative DNS servers for that domain name.
Daniel
EasyCall Conferencing
One of the larger expenditures for enterprises is the cost of voice communications, specifically conference calling. Most enterprises use an outside vendor to host the conference calling capabilities for global communications between internal employees and external participants. You can completely do away with that cost with EasyCall Conferencing. Here is how it works...
EasyCall Conferencing, which is a feature of EasyCall, allows EasyCall users to quickly set up ad-hoc conferences by sending participants an EasyCall Conferencing URL. Participants join a conference call simply by clicking a URL instead of having to dial a conference phone number and complex access codes. The calls are hosted on the EasyCall Gateway, providing toll-free access at much lower cost than commercial audio conference services.
To enable external users to join EasyCall Conferences, join requests must be proxied to the EasyCall Gateway from the internet, as the EasyCall Gateway is always installed inside the corporate firewall. This is similar to many web applications that require protected external access, and the HTTPS proxy is simple to configure on the Citrix NetScaler to provide the necessary SSL offloading and content filtering.
The Citrix NetScaler system provides continuous service availability through application-level protection, blocking attacks and delivering the EasyCall application securely. Citrix NetScaler content filtering prevents unwanted requests from reaching the EasyCall Gateway.
The EasyCall Conferencing configuration template for the NetScaler policies is provided free of charge right here on our community website. Just import it, and your NetScaler is setup for EasyCall Conferencing.
Together, the EasyCall Gateway and NetScaler provide a low-cost, non-recurring way to host global conference calls on your own equipment, making it easy for participants to join just by clicking a URL ... no cryptic meeting codes or passwords.
Download the EasyCall Conferencing / NetScaler Deployment Guide.
Download the EasyCall Conferencing - NetScaler AppExpert Configuration Template.
Watch how easy this is:
How it will look in your network:
Download the EasyCall Virtual Appliance here.
Get the NetScaler here.
Tap into the power of AppExpert!
Date: February 24, 2009
Time: 12:00 PM -- 1:00 PM EST (9:00 AM -- 10:00 AM PST)
Date: February 26, 2009
Time: 8:00 PM -- 9:00 PM EST (5:00 PM -- 6:00 PM PST)
Citrix Education invites you to attend a webinar on the application networking capabilities of Citrix NetScaler 9.0.
The webinar will include the following topics:
- Lower total cost of ownership
- Application acceleration
- Application security
- Application availability
- Simple manageability
In addition, the webinar will highlight the Citrix Education offerings that are available to train and certify IT professionals to install, administer and support NetScaler 9.0.
Who Should Attend?
IT professionals responsible for application networking initiatives. Some familiarity with Citrix NetScaler is recommended.
Highlights Include:
- NetScaler technical overview
- New NetScaler 9.0 features
- Overview of the instructor-led administration course: CNS-200-1I Basic Administration for Citrix NetScaler 9.0
- Benefits of obtaining the Citrix Certified Administrator (CCA) for Citrix NetScaler 9.0 technical certification
Register Now: February 24 or February 26
A recording of the webinar will be available on the CNS-200-1I course page following the live broadcast.
Now that a new year has begun, it is time to think about change. What did you do well in 2008, that you would repeat in 2009? What will you do differently?
Forecasting bad economic news for 2009 is old news, and we all know it is going to be a tough year. I can think of several people I know personally that have already been affected. Among the predictions and forecasts from analysts is that IT spending will slow down. 2009 will be a tough year, and with spending on hold, if I were an IT infrastructure guy or a service provider, with all of the virtualization technology available, I would take more than a few minutes to rethink my strategy.
Forecasts for 2009 say that cloud computing and virtualization will grow. It is not just a prediction that I believe in because I work for a virtualization company; I believe in it because I am an operations guy at heart and this virtualization stuff is real.
One of the things I am going to continue to do in 2009 is make use of XenServer and its tangentially related products. At Citrix, I spend a lot of time with my head buried in a lab working on several projects at a time. At any given time I may need to bring up Windows servers and clients or *nix servers, install a partner's product into a server, or install some enterprise application for testing. All of these I did in 2008 without spending any money on hardware. I had an existing Dell 2950 III that I use for XenServer. I can bring up and bring down any number of hosts at any time, for any purpose, without having to fill a rack with hardware that sucks the power grid dry and depreciates in value the second I order it.
Not only have I done a great job of saving money on capital expenditures in my lab, I have also saved a lot of energy and rack space. In addition, with faster time-to-deployment and more resources at hand, I have increased my productivity immensely.
I work with our internal Citrix IT and Training departments who both make use of Citrix Virtualization technology – this has proven to increase their productivity as well, while reducing cost.
Looking forward, I know I will be able to keep costs and spending down to almost nothing this year as I make continued use of Citrix Virtualization technology. As an operations guy at heart, nothing brings greater joy than slashing a budget and saving money going into 2009 while increasing productivity.
Do you use XenApp? Thinking about it? Heard of it? Want to make it better? Are you alive? If you answered Yes to any of those questions, then I highly encourage you to attend the XenApp Deep-Dive TechTalk series. Each TechTalk focuses on one aspect of making your XenApp environments easier, better and more available.
Part 1: Simplifying the Migration to XenApp 5 with XenServer (Register)
The first TechTalk, on February 2nd at 1PM Eastern Time, is focused on a task I did not like doing when I was a XenApp admin (although it was called MetaFrame back then)... XenApp migrations. Each release of XenApp has some pretty cool features to help make the users more productive or make the environment easier to manage, and XenApp 5 is no exception. So the big question is: why aren't you migrating? Is it because it takes too much time? Is it because it is too difficult? A few months ago I blogged about the possibility of simplifying XenApp migrations with the use of XenServer (here and here). This TechTalk will tell you if it is indeed possible. Who knows, I might speak for 1 minute and say it doesn't help at all, but I highly doubt that will happen. If you want to find out if XenServer helps and how, you will just have to tune into the upcoming TechTalk.
Part 2: Simplifying Desktop Delivery with XenApp (Register)
A lot of talk lately is virtual desktop this and virtual desktop that. Well, this TechTalk is also focused on the virtual desktop, but not in a way you would expect. Most people talk about virtual desktops as a new way of managing the desktop infrastructure and how XenDesktop is the best solution. This TechTalk, on February 3rd at 1PM Eastern Time is focused on the XenApp portion of desktop delivery. How can and should we use XenApp to make the virtual desktop solution easier? What best practices are there for application delivery and integration into XenDesktop? Tune in to find out.
Part 3: High Availability for XenApp with XenServer and NetScaler (Register)
Is your XenApp environment delivering mission-critical applications? What happens if a physical server fails, or a hard drive crashes, or an internet link dies, or an entire data center goes offline? As we all know, XenApp contains many different components and each one is critical to the proper operation of the environment. This TechTalk, on February 4th at 1PM Eastern Time, will provide some of the best practices for providing fault tolerance and high availability to XenApp environments. Don't leave your XenApp users in the dark if the lights go out.
I'm sure everyone will learn something or at least come away with a new perspective or idea on how to use and improve their XenApp environments. I know I'm looking forward to getting some of your comments on your environments and how they can be made better. Hope to see many people there.
Daniel
As the New Year quickly approaches, we're all thinking of our New Year's resolutions, and I'm sure that on the top of each of your lists is "Improve the Capabilities of my Corporate Citrix Farm".
OK, maybe it's not at the TOP of your list...
But improving the reliability, scalability, and ease of use of your Citrix installations is an issue that most administrators face constantly. And, as the New Year is upon us, it might be a good time to reflect on that "one thing" that you can do to make your farm more productive, more secure, more reliable, and more manageable.
Along those same lines, I think it's a good time for Citrix to ask... What new products or enhancements would you like to see from us? What can WE do to make your job easier? What can we do to make your farm more secure? What can we do to provide you with the tools you need to make your Citrix installation perform in ways you have not been able to achieve?
Feel free to reply with your #1 ITEM (just one, make it your biggest) that you would like Citrix to focus on in the upcoming year. If it's a direction that we're already working towards, and you'd like us to continue, let us know! If there's an area that you think we should look at, we'd like to know that as well! Although I can't personally promise that your suggestion will work its way to the top of our list, I think that your feedback, as always, is an integral part of our corporate direction, and helps us to plan for the future as well.
So, let the 2009 wishes begin!...
Policies have a fundamental influence on the behavior of most NetScaler features (for example, Load Balancing, Content Switching, Rewrite, Responder, Integrated Caching, and the Application Firewall).
For a policy to take effect, and to have the desired effect, you must ensure that the policy is invoked at the right point during processing. The binding determines when the policy is evaluated (for example, is the policy applied to requests or responses), and whether the policy applies to all traffic or just to specific virtual servers.
Bind Points for Advanced and Classic Policies
NetScaler features use one of two types of policy:
- Advanced policies enable you to analyze almost any type of data in a request or a response (for example, the body of an HTTP request) and permit programmatic functions on the data (for example, transforming data in the body of a request into an HTTP header). In release 9, the following features use advanced policies: DNS, Integrated Caching, Responder, Content Switching, Rewrite, Access Gateway (clientless access functions).
- Classic policies evaluate basic characteristics of traffic and other data. For example, classic policies can identify whether an HTTP request or response contains a particular type of header or URL. In release 9, the following features use classic policies: System, SSL, Compression, Protection Features, Content Switching, Cache Redirection, Application Firewall, Access Gateway (all functions that use policies except clientless access).
For an advanced policy the following are the bind points, in typical order of evaluation:
- Request-time override. When a request flows through a feature, the NetScaler first evaluates request-time override policies.
- Request-time Load Balancing virtual server. If policy evaluation cannot be completed after all the request-time override policies have been evaluated, the NetScaler processes request-time policies for load balancing virtual servers.
- Request-time Content Switching virtual server. If policy evaluation cannot be completed after all the request-time policies for load balancing virtual servers have been evaluated, the NetScaler processes request-time policies for content switching virtual servers.
- Request-time default. If policy evaluation cannot be completed after all request-time, virtual server-specific policies have been evaluated, the NetScaler processes request-time default policies.
- Response-time override. At response time, the NetScaler starts with policies that are bound to the response-time override bind point.
- Response-time Load Balancing virtual server. If policy evaluation cannot be completed after all response-time override policies have been evaluated, the NetScaler processes the response-time policies for load balancing virtual servers.
- Response-time Content Switching virtual server. If policy evaluation cannot be completed after all policies have been evaluated for load balancing virtual servers, the NetScaler processes the response-time policies for content switching virtual servers.
- Response-time default. If policy evaluation cannot be completed after all response-time, virtual-server-specific policies have been evaluated, the NetScaler processes response-time default policies.
Within any of the banks of policies for each of the preceding bind points, the order of evaluation is determined by a priority level that you assign to each policy. You also can define a policy label and bind policies to it. The policy label must itself be invoked from one of the policy banks in the preceding list. You can invoke the policy label any number of times, allowing you to re-use the policies that are bound to the label any number of times.
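To make the evaluation order concrete, here is a small Python model of the request-time banks, priorities and policy labels described above. It is an added example, not NetScaler code, and it assumes (as Responder-style policies behave) that the first matching policy that carries an action completes evaluation; the policy names, rules and actions are constructed for illustration.

```python
"""Toy model of NetScaler advanced-policy evaluation order (constructed example).

Assumption: the first policy whose rule matches and that carries an action
completes evaluation, so later banks are never reached. Features that let
several policies act on one message (e.g. Rewrite) are not modelled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Message = Dict[str, object]
Rule = Callable[[Message], bool]

# Request-time bind points, in the order the text lists them.
REQUEST_BANKS = ["override", "lb_vserver", "cs_vserver", "default"]


@dataclass
class Policy:
    name: str
    rule: Rule
    action: Optional[str] = None   # None: the binding only invokes a label


@dataclass
class Binding:
    policy: Policy
    priority: int                  # lower number is evaluated first
    invoke: Optional[str] = None   # policy label entered when the rule matches


class PolicyEngine:
    def __init__(self) -> None:
        self.banks: Dict[str, List[Binding]] = {b: [] for b in REQUEST_BANKS}
        self.labels: Dict[str, List[Binding]] = {}
        self.trace: List[str] = []   # which policies were evaluated, in order

    def bind(self, bank: str, policy: Policy, priority: int,
             invoke: Optional[str] = None) -> None:
        self.banks[bank].append(Binding(policy, priority, invoke))

    def bind_label(self, label: str, policy: Policy, priority: int) -> None:
        self.labels.setdefault(label, []).append(Binding(policy, priority))

    def _evaluate_bank(self, bindings: List[Binding], msg: Message,
                       where: str) -> Optional[str]:
        # Priority number decides the order inside a bank, not bind order.
        for b in sorted(bindings, key=lambda x: x.priority):
            self.trace.append(f"{where}:{b.policy.name}")
            if not b.policy.rule(msg):
                continue
            if b.invoke is not None:
                # A label is a reusable bank that any bank may invoke.
                result = self._evaluate_bank(self.labels[b.invoke], msg,
                                             f"label[{b.invoke}]")
                if result is not None:
                    return result
            if b.policy.action is not None:
                return b.policy.action
        return None

    def evaluate(self, msg: Message) -> Tuple[Optional[str], List[str]]:
        """Walk the banks in documented order; return (action, trace)."""
        self.trace = []
        for bank in REQUEST_BANKS:
            result = self._evaluate_bank(self.banks[bank], msg, bank)
            if result is not None:
                return result, list(self.trace)
        return None, list(self.trace)


def build_engine() -> PolicyEngine:
    """Constructed policy set: names, rules and actions are illustrative."""
    eng = PolicyEngine()
    # Override bank: a global rule that no per-vserver binding can pre-empt.
    eng.bind("override", Policy("drop_trace",
                                lambda m: m["method"] == "TRACE", "DROP"), 100)
    # LB vserver bank: requests under /api/ enter the reusable api_checks label.
    eng.bind("lb_vserver", Policy("api_requests",
                                  lambda m: str(m["url"]).startswith("/api/")),
             100, invoke="api_checks")
    # Label: defined once, invokable from any bank.
    eng.bind_label("api_checks", Policy("api_needs_auth",
                                        lambda m: "Authorization" not in m["headers"],
                                        "RESPOND_401"), 10)
    # Default bank: reached only if nothing above completed evaluation.
    eng.bind("default", Policy("log_everything", lambda m: True, "LOG"), 100)
    return eng


if __name__ == "__main__":
    engine = build_engine()
    for request in (
        {"method": "TRACE", "url": "/", "headers": {}},
        {"method": "GET", "url": "/api/users", "headers": {}},
        {"method": "GET", "url": "/api/users", "headers": {"Authorization": "Bearer x"}},
    ):
        print(engine.evaluate(request))
```

The trace returned alongside the action shows why a default-bank policy never fires for a request that an override or virtual-server policy already completed.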
For a classic policy to take effect, you bind it to the following bind points:
- System policies. Bound globally.
- SSL policies. Bound globally or to a Load Balancing virtual server.
- Content Switching policies. Bound to a Content Switching or Cache Redirection virtual server. Note that Content Switching policies can be either classic or advanced, but must all be of the same type.
- Compression policies. Bound globally, to a Load Balancing or Content Switching virtual server, or to a service.
- Protection Features. Bound as follows:
  - Filter. Bound globally, to a Load Balancing or Content Switching virtual server, or to a service.
  - SureConnect. Bound to a Load Balancing virtual server or to a service.
  - Priority Queuing. Bound to a Load Balancing virtual server.
- Cache Redirection. Bound to a Cache Redirection virtual server.
- Application Firewall. Bound globally.
- Access Gateway. Bound as follows:
  - Pre-Authentication policies. AAA Global, VPN vserver.
  - Authentication policies. System Global, AAA Global, VPN vserver.
  - Auditing policies. User, User Group, VPN vserver.
  - Session policies. VPN Global, User, User Group, VPN vserver.
  - Authorization policies. User, User Group.
  - Traffic policies. VPN Global, User, User Group, VPN vserver.
  - TCP Compression policies. VPN Global.
HTTP Callouts
New in NetScaler 9.0 is the ability to perform a callout over HTTP to an external server. An HTTP Callout is a means of processing incoming packets on the NetScaler using an external service, which can be a virtual server on the NetScaler itself, a back-end server, or a third-party service.
Traditionally, the NetScaler verified these packets internally using built-in policies. Now that specialized validation services are available, this feature lets them be integrated with the NetScaler's policy evaluation.
An HTTP callout will consist of a NetScaler policy expression that can send a simple HTTP request to an external service, wait for the response and then parse the response to produce a simple result. The result will then be used like any other policy expression evaluation result.
The HTTP callout expression:
SYS.HTTP_CALLOUT(<name of HTTP Callout>)
To define the HTTP callout:
set policy httpCallout <name>
[-IPAddress < ip_addr|ipv6_addr>]
[-port <port>]
[-vServer <string>]
[-returnType <returnType>]
[-httpMethod ( GET | POST )]
[-hostExpr <string>]
[-urlStemExpr <string>]
[-headers <name(value)> ...]
[-parameters <name(value)> ...]
[-fullReqExpr <string>]
[-resultExpr <string>]
Where:
-returnType must be one of TEXT, NUM or BOOL.
-IPAddress IP address of the server to which callout is made
-port Port of the server to which callout is made
-vServer must be one of the vservers added using the "add lb/cs/cr vserver" command. The service type of the vserver must be HTTP.
-httpMethod could be GET or POST.
-hostExpr Complex PI string expression for value of the Host header.
-urlStemExpr Complex PI string expression for generating the URL stem.
-headers Every header name must have a corresponding value. These headers will be inserted in the request. Header names are strings. Header values are Complex PI Expressions.
-parameters Every parameter name must have a corresponding value. These parameter names are put in the URL query if the request has a GET method, or in the body if the request has a POST method. One must not rely on the order in which the parameters are inserted. Parameter name is a string. The parameter values can be computed using Complex PI String expressions. The parameter values will be URL encoded.
-fullReqExpr A Complex PI String expression that computes the entire request. It is the user's responsibility to provide a well-formed and sane HTTP request; the system will not do any sanity checking. If the full request is specified, none of the other arguments can be specified.
HTTP callouts are available with HTTP or TCP Content Switching, Responder and Rewrite functionality.
The basic communication flow for HTTP callout is:
1. User sends request
2. Policy sends HTTP request to an external service
3. Result used like any other policy evaluation result
4. Available for multiple features
HTTP Callout Deployment Scenarios
The examples in this section illustrate how to use HTTP callouts to perform various tasks. In all cases, the NetScaler performs a callout to an external server where a callout agent is configured to respond to the request from the NetScaler based on the data that is present on the external server.
This section describes how to configure HTTP callouts in the following scenarios:
1. Filter clients based on an IP blacklist.
2. Fetch and update content on the fly using Edge Side Includes (ESI) markup language.
3. Authenticate users and control access to resources.
4. Filter Outlook Web Access (OWA) spam.
Filtering clients based on an IP blacklist
HTTP callouts can be used to block requests from clients that the administrator has blacklisted. The list of clients can be a publicly known blacklist, one maintained specifically by the administrator, or a combination of both.
The source IP address of the incoming client request is checked against the pre-configured external blacklist; depending on whether the address is listed, the NetScaler either blocks the transaction or continues to process it normally.
The HTTP callout feature makes this possible by letting the NetScaler communicate with the external server that maintains the database of blacklisted IP addresses.
The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.
ESI support for fetching and updating content dynamically
Edge Side Includes (ESI) is a markup language for edge-level dynamic Web content assembly. It helps in accelerating dynamic Web-based applications by defining a simple markup language to describe cacheable and non-cacheable Web page components that can be aggregated, assembled, and delivered at the network edge.
Using HTTP callouts on the NetScaler, you can read through the ESI constructs and aggregate or assemble content dynamically.
The following outlines the requirements to implement this configuration:
1. Enable Rewrite on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Rewrite action to replace the ESI content with the callout response body.
4. Bind the Rewrite action to a Rewrite policy.
5. Bind the Rewrite policy globally on the NetScaler.
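Step 3 above replaces the ESI markup with the callout response body. The following Python function is an added illustration of that assembly step, not the page's or Citrix's own code: it finds self-closing `<esi:include src="..." alt="..." onerror="..."/>` tags, resolves each fragment through a caller-supplied `fetch` function (standing in for the HTTP callout), honours the ESI `alt` fallback and `onerror="continue"`, and only fetches from an allowlisted set of fragment hosts so the edge never pulls content from an origin the operator did not configure. The fragment store, URLs and host names are constructed.

```python
import re
from urllib.parse import urlparse

# Matches a self-closing ESI include tag such as
#   <esi:include src="http://frag.example/header" alt="..." onerror="continue"/>
ESI_INCLUDE = re.compile(r"<esi:include\s+([^>]*?)\s*/>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


class FragmentError(Exception):
    """Raised when an include cannot be resolved and onerror is not 'continue'."""


# Constructed in-memory fragment store; it stands in for the external
# server that the HTTP callout would query.
FRAGMENTS = {
    "http://frag.example/header": "<div>hdr</div>",
    "http://frag.example/footer": "<div>ftr</div>",
    "http://other.example/header": "<div>other</div>",
}


def fetch_from_store(url):
    """Return a fragment body, or None when the callout would fail."""
    return FRAGMENTS.get(url)


def assemble(page, fetch, allowed_hosts):
    """Replace every esi:include in `page` with fetched fragment content.

    Resolution order per tag: src, then alt.  A URL whose host is not in
    allowed_hosts is treated as a failed fetch.
    """
    def expand(match):
        attrs = dict(ATTR.findall(match.group(1)))
        for url in (attrs.get("src"), attrs.get("alt")):
            if not url:
                continue
            if urlparse(url).hostname not in allowed_hosts:
                continue  # origin not configured: treat as unavailable
            body = fetch(url)
            if body is not None:
                return body
        if attrs.get("onerror", "").lower() == "continue":
            return ""  # ESI semantics: drop the tag and carry on
        raise FragmentError("unresolvable include: %s" % match.group(0))

    return ESI_INCLUDE.sub(expand, page)


if __name__ == "__main__":
    sample = ('<html><body><esi:include src="http://frag.example/header"/>'
              'Hello<esi:include src="http://frag.example/missing" '
              'alt="http://frag.example/footer"/></body></html>')
    print(assemble(sample, fetch_from_store, {"frag.example"}))
```

On the NetScaler the fetch would be the callout itself and the Rewrite action would perform the substitution; the function above shows what "replace the ESI content with the callout response body" has to handle once fallbacks and a missing fragment come into play.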
Access Control and Authentication
In high-security environments, it may be mandatory to authenticate a user externally before clients can access a resource. On the NetScaler, you can use HTTP callouts to authenticate a user externally based on supplied credentials. The credentials can be supplied in different ways: the client could send the user name and password in HTTP headers in the request, or the credentials could be fetched from the URL or the HTTP body.
The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.
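Both the IP blacklist scenario and the authentication scenario above end with "create a callout agent on the remote server". The following Python agent is an added example, not the page's or Citrix's own code, and serves both: `GET /ipcheck?ip=<address>` answers `BLACKLISTED` or `ALLOWED`, and `GET /auth` with an HTTP Basic `Authorization` header answers `AUTHORIZED` or `DENIED`. The blacklist ranges, the user store, the salt, the port and the URL paths are all constructed. The NetScaler side is assumed to be a callout with `-httpMethod GET`, a `-parameters` entry carrying the client source address, and a Responder policy acting on the returned text; those policy details are an assumption, not taken from the page.

```python
"""Constructed HTTP callout agent (added example) answering two endpoints:

  GET /ipcheck?ip=<address>   -> "BLACKLISTED" or "ALLOWED"
  GET /auth  (Basic header)   -> "AUTHORIZED" or "DENIED"
"""
import base64
import hashlib
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed blacklist (documentation ranges), standing in for the
# administrator-maintained or public list the text describes.
BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed user store: passwords are kept only as PBKDF2 digests.
_SALT = b"constructed-static-salt"  # a real store would salt per user


def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {"alice": _digest("correct horse")}
_DUMMY = _digest("")  # compared against when the user is unknown


def is_blacklisted(ip_text):
    """True when ip_text lies in a blacklisted network; malformed input fails closed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in BLACKLIST)


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_credentials(authorization):
    """Validate an HTTP Basic Authorization header against USERS."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Always run the comparison so unknown users cost the same as known ones.
    ok = hmac.compare_digest(_digest(password), expected if expected is not None else _DUMMY)
    return ok and expected is not None


def handle(path, headers):
    """Route one callout request; returns (status, body) for the NetScaler to parse."""
    url = urlparse(path)
    if url.path == "/ipcheck":
        ip_text = parse_qs(url.query).get("ip", [""])[0]
        return 200, "BLACKLISTED" if is_blacklisted(ip_text) else "ALLOWED"
    if url.path == "/auth":
        return 200, "AUTHORIZED" if check_credentials(headers.get("Authorization")) else "DENIED"
    return 404, "UNKNOWN"


class CalloutHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle(self.path, self.headers)
        data = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))  # lets the callout read the body cleanly
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Constructed listen address; the NetScaler callout's -IPAddress/-port would point here.
    HTTPServer(("127.0.0.1", 8081), CalloutHandler).serve_forever()
```

The agent answers with short, fixed tokens rather than free text so that the NetScaler's `-resultExpr` has an unambiguous value to match, and both checks fail closed: an unparsable address counts as blacklisted and an unknown user is rejected after the same digest computation as a known one.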
OWA-based spam filtering
Spam filtering is the ability to dynamically block emails that are not from a known or trusted source or that have inappropriate content. Spam filtering requires business logic that indicates that a particular kind of message is spam.
Using HTTP callouts, you can extract any portion of the incoming message and check it with the configured external callout server, which holds the rules for deciding whether the message is legitimate email or spam. When an email is classified as spam, the sender is not notified, because doing so would only alert spammers to modify their messages.
The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.
Read about the Citrix Application Switch with Version 9.0 here.
Try the Citrix Application Switch with Version 9.0 here.
Tap into the power of AppExpert!
We are always looking for ideas to improve our Citrix events. Some of the past feedback we have received is to step up the technical content and include more unscripted and unfiltered opinions and dialog. At Synergy 2008 we introduced GeekSpeak, which was very well received, as indicated by the feedback and standing-room-only crowds. At Synergy 2009 you can expect even more technical content plus more GeekSpeak sessions. In addition, as many iForum/Summit/Synergy attendees know, Citrix usually includes a concluding session that could be a brand-name comedian (Dana Carvey, Synergy 2008), an athlete with a story (Lance Armstrong, Summit 2008) or another memorable entertainer.
In keeping with listening to the community, and better still engaging with some of the innovators of social media, we thought it might be interesting to have Kevin Rose and Alex Albrecht host an episode of Diggnation at Synergy 2009. As you may know, Kevin is the founder of Digg and an expert at developing a community. If you're not familiar with the show, check it out at Diggnation.com (it's about as unscripted and unfiltered as you can get). If you are a fan of Digg, this might be your chance to watch an episode first hand and maybe hang out with Kevin and Alex afterwards with some beers at our closing party. If you're not a fan of Diggnation and would rather we look for other entertainment, we would like to hear that as well. As always, suggestions and comments are welcome.
An easy step up to IPv6
IPv6 has been available on NetScaler since April 2007, but only to select customers, and with a limited feature set.
Today, with NetScaler version 9.0, the IPv6 feature set is complete, with support for IPv6 communication all the way back to the application servers that the NetScaler is protecting and optimizing. Now that the IPv6 feature has matured, it has been released with the latest version of the software. NetScaler version 9.0 includes IPv6 communication to the application servers, and all the usual tools used for troubleshooting are present, such as ping6, traceroute6, etc.
"IPv4 Dinosaur" may well become the term used to describe a site that has no IPv6 representation on the internet. It's not a label you would want if you consider yourself to be keeping up with the latest and greatest technologies, such as the Citrix NetScaler Application Switch.
Do keep in mind that running an IPv6-only network is probably still an arm's length away and not very easy to migrate to. What is required is a hybrid approach, and this is where NetScaler version 9.0 can provide a quick solution.
It is possible to use IPv6 communication from the internet to your NetScaler, and then use IPv4 from the NetScaler to the application servers. This will provide an IPv6 presence on the internet for your external website, without having to use time, resources, and budget to rebuild your entire environment right away.
Think of this as IPv6 offload, if you will. The fact that the application and back end systems are running IPv4 will be fully hidden from the end user. You can then, in your own time, port your back end infrastructure over to IPv6 step by step, making testing and roll-back a cinch.
Of course, full IPv6 end-to-end communication is equally important, especially for those government accounts which require this box to be checked-off for any new hardware going into the racks. This is the newest part of this feature, which is also now available in NetScaler version 9.0.
Many of you have seen or heard me speak about improving XenApp availability with NetScaler through the use of smart monitors, high-availability and business continuity solutions. These things are extremely critical to any XenApp environment, just as beer is extremely critical to Homer Simpson. As I've worked with previous NetScaler versions, configuring these solutions for XenApp was not very easy. It required you to go through and configure servers, services, monitors and virtual servers in multiple sites for multiple components. This required an understanding of how the NetScaler provides the fault-tolerant solutions for XenApp and took quite a bit of time to complete. Well, with NetScaler 9, let's talk simplicity. What used to take 60 pages to discuss in a white paper now takes 10 pages (with pictures for each step). What used to take days to set up now takes minutes. Don't believe me? Well, I dare you to attend this TechTalk and see for yourself.
If you want to see how to improve availability for XenApp easily, take a look at this TechTalk on Wednesday, December 10 at 10:00 AM Eastern and again at 2:00 PM Eastern. How do you know if this TechTalk is for you? Well, if any of the following applies, then this TechTalk is for you...
- If you have a XenApp environment that is critical to your business, this TechTalk is for you
- If you have a XenApp environment that contains multiple Web Interface and XML Brokers, this TechTalk is for you
- If you have a XenApp environment that has experienced an XML Black Hole, this TechTalk is for you
- If you have a XenApp environment that spans multiple locations, this TechTalk is for you
- If you require your XenApp users to remember multiple addresses to access the XenApp environment based on their location or availability, this TechTalk is for you
- If you like the TV show The Simpsons, this TechTalk is for you
That last one should result in millions of attendees.
Hope to see you there
Daniel
First the thanks!
As we roll into the Thanksgiving week in the US, I thought I would give a quick shout out of thanks to all of you that have participated in the Citrix Ready Community Verified site. Verifications are coming in faster than we can keep up with them (which was, after all, the whole idea in the first place). As of this morning, we have well over 1,000 applications and products verified by customers and partners as "Citrix Ready", backed by more than 7,000 verifications... more than 500 were added this week alone, and it's only Wednesday!
I'm assuming that you have all seen the Citrix Ready Community Verified site and you know it rocks... not because of anything we've done, but because it's created, owned and maintained by YOU; if not don't just take my word on it, check out Chris' blog, or Rene Vester's two blogs, here and here, or even Brian Madden's review, ...or of course, the site itself!
By many standards, the site has proven to be an overwhelming success. We launched it at Citrix Summit on October 25 this year with 600 Applications and 500 Community Verifications. In the month since launch, these numbers have gone through the roof with no end in sight. In fact, I am already hearing of cases where the Citrix Ready Community Verified site has encouraged customers to virtualize more apps, helped channel partners answer customer & prospect questions more quickly and technology partners who have submitted apps (theirs as well as from other vendors).
Citrix IT has even taken up the challenge by starting to validate all the products and applications we use internally in our IT environment. I challenge all of you reading this to verify via the "voting" function all apps and other products you are using via XenApp, XenDesktop, XenServer and NetScaler!
May I have another? Or more appropriately, may we give you another?
The Citrix Ready Community Verified site is a great example of how a community can share small bits of information that doesn't impose a tax on the submitter (the apps are already deployed, submitters are just telling us they have already completed the work)... taking full advantage of the network effect to drive overall benefit.
So the question that I have for all of you is: what can we do next? The Citrix Ready Community Verified site is addressing a common question around product verification with Citrix products that has been around literally since the first release of WinFrame. Are there other longstanding questions, issues, etc. that seem difficult to solve as an individual customer, SE, channel partner, technology partner or Citrix employee, that we as a community can attack?
My team and I are very interested in your feedback and would welcome the opportunity to help.
Please feel free to comment on this blog, or send an email to me at john.fanelli@citrix.com
NetScaler supports the chaining of Intermediate SSL Certificates
Up to 10 Chained Certificates to be exact, one Server Certificate and nine CA Certificates.
Verisign recently posted an advisory stating the discontinuance of Unchained SSL Certificates, and that all Verisign SSL Certificates issued after Dec 11, 2008 will be chained to Root CAs to align with security best practices - Read the advisory here.
Chaining of Certificates is done with Intermediate Certificates. What are Intermediate Certificates?
They sit in the middle, between the Public Trusted Certificate Authority (CA) and your Server, in our case the Citrix NetScaler.
The Citrix NetScaler Application Switch supports the chaining of SSL Certificates just for this very purpose, and to show how easy it is to obtain an SSL Certificate from a Trusted Certificate Authority, such as Verisign, and install it into the Citrix NetScaler, we developed the following deployment guide to walk you through the process.
Verisign Certificate Authority w/ Citrix NetScaler SSL Deployment Guide.
Citrix will soon release the next version of Access Gateway Enterprise Edition. By Citrix's standards this version is a minor release so it hasn't gotten much coverage. I'm here to fix that and give you an idea of what new features to expect.
First up is WANScaler interoperability. Remote workers (like me) can deploy Access Gateway and WANScaler plug-ins on their machine and get the benefits of a VPN with traffic acceleration and optimization. We'll publish some performance numbers in the near future but based on my personal experience of using it every day, I can tell you that it's fast - real fast. I can also report that this combination of technologies is now a permanent and necessary part of my work life.
Next, we added clientless access to SharePoint 2003 and 2007. The engineering team has spent time testing the product's URL rewriting capabilities against the most popular applications and this time we're officially supporting SharePoint.
Falling under the category of a better user experience, we've added single sign-on to file shares. When a user clicks on a link to a file share in their landing page, Access Gateway will attempt to use the user's credentials to authenticate to the file server and eliminate the need for them to re-enter their credentials.

Not to be forgotten, we've also added functionality to help administrators. Historical charting is a graphical tool that can chart historical details about system performance and user activity.

And for those of you braving the protocol transition, we've added the ability to bridge from IPv6 external networks to IPv4 on the internal network. For now, this only works when users are connecting to XenApp or XenDesktop since the Secure Access VPN plug-in does not currently support this functionality. This version also gives the ability to define LDAP and RADIUS servers with an IPv6 address.
Look for this firmware update to be available from MyCitrix.com on November 27th. Enjoy!
NetScaler's Application Firewall offers great protection for Web Applications via a positive security model that lets the user decide what is allowed to reach their web server. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.
But the concept of the web is changing. Expanding beyond traditional web pages, many sites now include programmable interfaces accessible via XML-based APIs. While web sites are mainly for consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The APIs are also being used by emerging Web 2.0-enabled Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that are deployed inside a consumer's browser. Once deployed, these RIAs make active and passive calls to the exposed APIs of a web site, often exchanging information in the background using an XML-based protocol like REST or Web Services.
As the Web and programmatic APIs continue to become more of an integrated offering, it is important to provide security for the APIs as well as for the Web site. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML Security. With these new capabilities, users will be able to simultaneously secure HTML based web sites as well as XML based REST and Web Services APIs.

