The Citrix Blog
NetScaler Blogs
Product news, tips, and tricks.

posted by Craig Ellrod

Load Balancing


A crucial piece of knowledge for an Application Expert is how to provide availability and offload for the backend servers on any TCP port. Most web applications run on ports 80 and 443; some enterprise applications use custom ports. Either way, if you want to optimize performance and keep clients connected when one of the servers or applications starts to fail, you will need a load balancer such as the Citrix Application Switch.

Load balancing allows you to distribute incoming requests to a particular virtual server (vserver or VIP) evenly across several backend physical servers. This is also known as Server Load Balancing (SLB). The virtual server runs load balancing algorithms within the Citrix Application Switch.

A vserver consists of a combination of an IP address, port, and protocol that accepts the incoming traffic. The vserver is bound to a number of physical services running on physical servers in the backend server farm. Typical physical servers range from Apache web servers to high-end enterprise applications such as SAP and Oracle.

The way it works is that a client sends a request to the virtual server, which selects a physical server in the backend server farm and directs the request to it. Load balancing allows the Citrix Application Switch to choose the physical server with the lowest load and greatest available resources and direct the incoming request to that server. The Citrix Application Switch can select from many different algorithms for balancing the load, the most common being Round Robin.

Different virtual servers can be configured for different sets of physical services, for example TCP and UDP services. The Citrix Load Balancer supports protocol/application specific vservers for HTTP, HTTPS, FTP, SSL, SSL BRIDGE, SSLTCP, NNTP, DNS, SIP and SNMP services.
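To make the vserver/service relationship concrete, here is an added example (not NetScaler code, and not the author's) of a virtual server that fronts three physical services and picks one per request. The class and method names, the two algorithms shown (round robin and least connection) and the sample addresses are assumptions made for the illustration; the point it adds to the text is what happens when a monitor marks a service down: it simply drops out of the candidate set, and if every service is down the vserver has nothing to select.

```python
"""Server load balancing: a vserver picks one bound physical service per request.
Added illustration; class/method names and addresses are constructed."""
from dataclasses import dataclass
from itertools import count
from typing import List, Optional


@dataclass
class Service:
    """One physical service (IP address and port) bound to a vserver."""
    ip: str
    port: int
    up: bool = True          # normally driven by a health monitor
    active_conns: int = 0    # open connections currently assigned here


class VServer:
    """Accepts traffic on VIP:port for one protocol and load balances it."""

    def __init__(self, vip: str, port: int, protocol: str, method: str = "ROUNDROBIN"):
        self.vip, self.port, self.protocol = vip, port, protocol
        self.method = method
        self.services: List[Service] = []
        self._rr = count()   # round-robin cursor

    def bind(self, svc: Service) -> None:
        self.services.append(svc)

    def select(self) -> Optional[Service]:
        """Pick the service for the next request, skipping services marked down.
        Returns None when no bound service is up (the vserver itself is DOWN)."""
        candidates = [s for s in self.services if s.up]
        if not candidates:
            return None
        if self.method == "ROUNDROBIN":
            return candidates[next(self._rr) % len(candidates)]
        if self.method == "LEASTCONNECTION":
            return min(candidates, key=lambda s: s.active_conns)
        raise ValueError(f"unknown method {self.method}")

    def handle(self) -> Optional[Service]:
        """Direct one incoming request to the selected service."""
        svc = self.select()
        if svc is not None:
            svc.active_conns += 1
        return svc

    def release(self, svc: Service) -> None:
        """Called when a connection to a service closes."""
        svc.active_conns -= 1


def demo() -> List[str]:
    """Six requests against three backends, one of which fails before the
    fourth request.  Returns the backend IP chosen for each request
    (constructed scenario)."""
    web = [Service("10.0.0.1", 80), Service("10.0.0.2", 80), Service("10.0.0.3", 80)]
    vip = VServer("192.0.2.10", 80, "HTTP")
    for s in web:
        vip.bind(s)
    chosen = []
    for i in range(6):
        if i == 3:
            web[1].up = False   # monitor reports 10.0.0.2 down
        svc = vip.handle()
        chosen.append(svc.ip if svc else "NONE")
    return chosen


if __name__ == "__main__":
    print(demo())
```

Round robin is stateless apart from the cursor, which is why it is the common default; least connection needs the switch to track per-service connection counts, which it can only do because every connection passes through it.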

To help with your understanding and first-time configuration, this deployment guide speaks directly to configuring Load Balancing and SSL Offload on a Citrix Application Switch. It was developed for the SAP application, but the concepts apply to any web application.

Citrix Load Balancing Deployment Guide.

Watch this Load Balancing Tip:


Tap into the power of AppExpert!

Read about the Citrix Load Balancer here.

Buy the Citrix Load Balancer here.


posted by Daniel Feller

Does anyone care about having high-availability for their XenApp farms?  I would envision many of you would say yes.  But what does HA for XenApp really mean?  On the server hosting side, you essentially have HA because you have load balancing at the application level. So if you lose a XenApp server, not too much of a concern as those users can simply restart their application and get load balanced to another server (of course they lose their previous session information, which can be annoying.)   But what other areas are critical to providing a more available XenApp environment?

I've been thinking about this a lot lately, which is probably because my manager has had a lot of meetings and I tend to space out and watch episodes of The Simpsons on my laptop.  Since my DVD player broke, I started to think about HA for XenApp during these meetings (at least I'm now doing work). I was able to come up with the following thoughts:

  1. Smart Monitors:  First, I want to know that something has failed or has gone flaky.  I don't want a bunch of messages telling me everything is ok, I just want to know when something is about to go horribly wrong. For example, the XML Black Hole.  I've seen the black hole cause too many issues, so how do we detect it?  You create a smart monitor that does more than ping. It tries to make requests to the XML service. If the expected data comes back, we are good to go. If the request is never answered or the response is junk, then Homer, we have a problem.  
  2. HA for the Critical Components: Now if we can detect a failure, DO SOMETHING ABOUT IT.  As we continue looking at the XML Black Hole, if we see there is an issue, then stop making requests to it. But this requires another XML Broker to take over the responsibility of the failed one without requiring changes to the environment's configuration.   Sounds a lot like load balancing to me.
  3. Business Continuity:  Essentially what I'm saying is that if my XenApp environment at one site fails, I better have another site already waiting for connections without requiring me to make changes.  Many people have 2 data centers: a primary and a backup. Others have 2+ data centers that are all active.  For those organizations with 2 data centers (primary and backup), how do you fail users over to the backup in the event of a failure?  For those organizations that have 2+ active data centers, how do you tell your users which data center is their preferred site?  That is really a trick question (Did I get anyone?).  You shouldn't have to tell your users anything about going to a primary, backup, tertiary site. It should happen automatically.  Users want their applications in the fastest possible means necessary, which could mean that one day it is from data center 1 and on another day it could be data center 2.
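The "smart monitor" of item 1, written out as an added example (not NetScaler's monitor code, and not from this post): rather than pinging the XenApp server, it sends a real request to the XML service and insists on a usable answer, treating a silent broker (the black hole) and a broker that answers with junk as the same failure. The monitor class, the transport callable, the retry threshold and the XML request/response shapes are all constructed for the illustration; they are not the real Citrix XML protocol.

```python
"""Content-validating health monitor for an XML broker.  Added example;
request/response shapes and the transports are constructed, not Citrix's."""
import socket
import xml.etree.ElementTree as ET
from typing import Callable

# Constructed probe: ask the broker where application "Notepad" is hosted.
PROBE_REQUEST = "<Request><ApplicationName>Notepad</ApplicationName></Request>"


class XmlServiceMonitor:
    """Marks a service DOWN after `retries` consecutive failed probes and UP
    again as soon as one probe succeeds."""

    def __init__(self, transport: Callable[[str], str],
                 expect_tag: str = "ServerAddress", retries: int = 3):
        self.transport = transport        # sends the request, returns the body
        self.expect_tag = expect_tag      # element that must be in the answer
        self.retries = retries
        self.failures = 0
        self.state = "UP"

    def probe_ok(self) -> bool:
        """One probe: the response must arrive, parse as XML and carry the
        expected element.  A timeout is the black hole; an HTML error page or
        an empty reply is 'junk' even though the TCP port is open."""
        try:
            body = self.transport(PROBE_REQUEST)
            root = ET.fromstring(body)
        except (socket.timeout, OSError, ET.ParseError):
            return False
        return root.find(".//" + self.expect_tag) is not None

    def run(self) -> str:
        if self.probe_ok():
            self.failures = 0
            self.state = "UP"
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.state = "DOWN"
        return self.state


# Constructed transports standing in for three kinds of broker behaviour.
def healthy_broker(request: str) -> str:
    return "<Response><ServerAddress>10.0.0.7:1494</ServerAddress></Response>"


def black_hole_broker(request: str) -> str:
    # Accepts the connection and the request, then never answers.
    raise socket.timeout("no answer within probe timeout")


def junk_broker(request: str) -> str:
    # Answers promptly, but with an error page instead of broker data.
    return "<html><body>Service Unavailable</body></html>"


def demo(transport: Callable[[str], str], probes: int = 3) -> str:
    """Run `probes` consecutive probes against a transport and return the
    resulting monitor state."""
    mon = XmlServiceMonitor(transport)
    state = mon.state
    for _ in range(probes):
        state = mon.run()
    return state


if __name__ == "__main__":
    for name, t in [("healthy", healthy_broker),
                    ("black hole", black_hole_broker),
                    ("junk", junk_broker)]:
        print(f"{name:10s} -> {demo(t)}")
```

A plain TCP or ping monitor would report the junk broker as healthy, since the port answers; only checking the content of the reply separates "answering" from "working", which is what lets item 2 stop sending requests to the failed broker.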

These three items are all part of NetScaler, and it is easy to set up.  Those of you who know me will notice that I've worked with the integration of NetScaler and XenApp for some time.  Well, the NetScaler product group is actually making my job easier because they are making this solution a lot easier.  I created and maintained a 40+ page document that showed you how to set all of these goodies up. Now that document is about 14 pages (with pictures for each step) because of the new NetScaler for XenApp wizards.  I'm just glad I don't get paid by the word.  Take a look at what I'm talking about. In about 5 minutes you will see me configure and integrate NetScaler with XenApp:

Watch this Video:


Also, take a look at the recently released articles that go into more detail on this integrated solution: http://support.citrix.com/product/nsad/v8.1/consulting/

  • Taking XenApp to the Next Level of Availability - Reference Architecture
  • Taking XenApp to the Next Level of Availability - Implementation Guide

I'm curious what other areas concern you when you are focused on HA for XenApp?   Let me know. Yes, my manager finally ended the meeting, I am outta here.

Daniel

(Homer Quote of the Blog "Kids, you've tried your best and failed miserably.  The lesson is, never try")


posted by Amos Gregory

Monitoring the Wanscaler. This is the fourth video in the four-part series on configuring a Wanscaler environment for FTP demonstrations. The first in this series is configuring the W2K3 machine, the second is configuring the XP client, the third is configuring the Linktropy WAN simulator, and the fourth is monitoring the Wanscaler.

 


posted by Amos Gregory

Configuring the Linktropy. This is the third video in the four-part series on configuring a Wanscaler environment for FTP demonstrations. The first in this series is configuring the W2K3 machine, the second is configuring the XP client, the third is configuring the Linktropy WAN simulator, and the fourth is monitoring the Wanscaler.

 


posted by Amos Gregory

Configuring the XP client. This is the second video in the four-part series on configuring a Wanscaler environment for FTP demonstrations. The first in this series is configuring the W2K3 machine, the second is configuring the XP client, the third is configuring the Linktropy WAN simulator, and the fourth is monitoring the Wanscaler.

 
 


posted by Amos Gregory

Configuring the W2K3 server for FTP transfer. This is the first video in the four-part series on configuring a WanScaler environment for FTP demonstrations. The first in this series is configuring the W2K3 machine, the second is configuring the XP client, the third is configuring the Linktropy WAN simulator, and the fourth is monitoring the Wanscaler.




posted by Amos Gregory



This is the second video in a two part series showing CIFS acceleration over a WAN link using Wanscaler. This video will demonstrate the amount of CIFS optimization that occurs in a Wanscaler environment. 




posted by Amos Gregory

Here is a video demonstration of Microsoft CIFS acceleration over WanScaler. Equipment used for this demo was a Microsoft W2K3 server, an XP client, and an Apposite Linktropy WAN simulator.

Although the demonstration seems very simplistic, CIFS acceleration represents a milestone in WAN acceleration and in data networking in general. CIFS is the protocol used by Microsoft servers and clients to exchange information. The protocol was originally designed to function over a LAN environment with a minimum of 10 Mbps throughput, half-duplex. As enterprises began expanding their data services to remote offices, CIFS, designed for a LAN, was being used over low-bandwidth, high-latency WANs. Performance and end-user experience vary greatly in this environment, and the protocol carries a very high, inefficient overhead. With an accelerator between the remote and central office, TCP transmissions are optimized and thus the protocol is streamlined. Users can now experience LAN-like performance while being thousands of miles away from HQ.

Watch this video tip:


posted by Craig Ellrod

Border Gateway Protocol, open source and para-virtualized: no more proprietary software and hardware, and you can run as many copies of this as needed on one physical XenServer machine. As a proof point, we used the Vyatta open source router to build out our Link Load Balancing network in Santa Clara.  The open source Vyatta is running on a Dell server. We configured the BGP routing protocol, but could also have configured OSPF or RIP and redistributed the routes. This configuration has been proven to outperform the incumbents, and is less costly by a wide margin.  Reduce opex and capex and start rolling this out today.  

What is needed:

The Network:





Watch this Video:


Tap into the power of AppExpert!


posted by Craig Ellrod

Rewrite


Performing content rewrite at milli-speed is key to providing a front-end device for application delivery. Most important is the capability to rewrite both request and response headers & body content which the Citrix Application Switch does and it is an easy 3-step process to configure. Not only is it easy, it scales to Enterprise class applications, which we demonstrated here with the Oracle Enterprise Business Suite v12 in our lab in Santa Clara, CA, USA.


This Content Rewrite Deployment Guide walks through the steps necessary to quickly profile an application and configure the Citrix Application Switch for content rewrite. This deployment guide can be used as a reference for other enterprise applications, in addition to Oracle.  Some typical examples of how customers use the Citrix Application Switch for content rewrite are to insert the Client-IP as an HTTP header, delete old X-Forwarded-For headers, tag SSL and non-SSL connections, mask the HTTP server type (server obfuscation), redirect external URLs to internal URLs (application obfuscation), migrate Apache rewrite module rules, redirect marketing keyword requests, redirect old home pages and redirect queries to the appropriate server.
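The rewrite cases listed above, done in the front end before anything reaches the application, as an added example (not the Citrix rewrite feature or its policy syntax, and not from the deployment guide). The header name X-Forwarded-Proto, the internal path the public URL maps to, the retired home pages and the keyword redirects are all assumptions made for the illustration; the one security point worth reading closely is that the old X-Forwarded-For is deleted rather than appended to, because a client can send its own.

```python
"""Request/response header and URL rewrite at the front end.  Added example;
mappings and header names below are constructed, not the product's."""
import re
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]

# Public path -> internal path the application really serves (application obfuscation)
EXTERNAL_TO_INTERNAL = {"/shop": "/internal/storefront"}
# Retired home pages that should land on the current one
OLD_HOME_PAGES = {"/home.html", "/index.htm", "/default.asp"}
# Marketing keyword pages that all land on one campaign URL
KEYWORD_REDIRECTS = {"/promo": "/campaigns/spring", "/sale": "/campaigns/spring"}


def _drop(headers: Headers, name: str) -> Headers:
    """Remove a header case-insensitively (HTTP header names are)."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def rewrite_request(path: str, headers: Headers, client_ip: str, is_ssl: bool
                    ) -> Tuple[Optional[Tuple[int, str]], str, Headers]:
    """Return (redirect, path, headers).  `redirect` is (status, location)
    when the front end should answer itself instead of forwarding."""
    # 1. Redirects answered entirely at the front end.
    if path in OLD_HOME_PAGES:
        return (301, "/"), path, headers
    if path in KEYWORD_REDIRECTS:
        return (302, KEYWORD_REDIRECTS[path]), path, headers

    # 2. Header rewrite.  Whatever X-Forwarded-For the client sent is deleted,
    #    and the real client address comes from the connection, not from the
    #    request, so the application never trusts a client-chosen value.
    h = _drop(headers, "X-Forwarded-For")
    h["Client-IP"] = client_ip
    h["X-Forwarded-For"] = client_ip
    # 3. Tag SSL vs non-SSL so the application can build correct absolute URLs.
    h["X-Forwarded-Proto"] = "https" if is_ssl else "http"

    # 4. Map the public URL onto the internal one (an Apache-style rewrite rule).
    for external, internal in EXTERNAL_TO_INTERNAL.items():
        if path == external or path.startswith(external + "/"):
            path = internal + path[len(external):]
            break
    return None, path, h


def rewrite_response(status: int, headers: Headers) -> Tuple[int, Headers]:
    """Mask what sits behind the front end (server obfuscation) and turn any
    internal path in a Location header back into its public form."""
    h = _drop(headers, "Server")
    h = _drop(h, "X-Powered-By")
    h["Server"] = "web"
    loc = h.get("Location")
    if loc:
        for external, internal in EXTERNAL_TO_INTERNAL.items():
            h["Location"] = re.sub(re.escape(internal), external, loc, count=1)
    return status, h
```

The response side matters as much as the request side: an application that redirects to its own internal path would otherwise leak that path to the client in the Location header and undo the obfuscation.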

The Citrix Rewrite Deployment Guide.

Watch this Rewrite Tip:




Tap into the power of AppExpert!

Read about the Citrix Application Switch here.

Buy the Citrix Application Switch here.


posted by Chris Fleck

In case you missed it, there is a really interesting story circulating on the Net, best told by Jim Louderback, the CEO of Revision3 and victim of a DDOS attack over Memorial Day weekend (his Blog & CNET interview). If you're a fan of Revision3 you already know that they were taken offline for 3 days; if you're not, you may want to check out their site. They represent perhaps the best example of new media and the future of TV, including HD video, channels, live and on-demand, etc., all delivered via the web. In order to achieve high quality video, Revision3 legitimately utilizes BitTorrent technology for distributing content to users. The problem came about when a "legitimate" media tracking company identified a Revision3 server as a potential source of "questionable" BitTorrent traffic. Once Revision3 was made aware of this situation (by a forum poster) they appropriately locked down the server; what happened next was the strange part...

As reported by Revision3, the media tracking company (presumably automatically) launched a DDOS attack on Revision3's site, flooding it with as many as 8,000 packets per second and taking down the site by exceeding the capacity of its limited web servers. Complicating the matter were the long weekend and unreachable staff at the offending company. Once they were finally able to get in contact, the company stopped the attack and they both started to unravel what had happened.

The NetScaler system may not be positioned as protection from the "good" guys (vs. typical bad guys), but this situation exemplifies why it is worth consideration as part of a comprehensive protection plan. That is why web-based media companies like MSN, CNET, Digg, and many others rely on NetScalers to protect their infrastructure. Among other features, NetScaler protects sites from SYN flood DDOS attacks by handling all requests itself and only forwarding legitimate, ticketed traffic to the web server; all other SYN flood requests are dropped before ever reaching the company's web servers.

So for the next review of your security infrastructure, keep in mind who are the "good" or bad guys and are you protected either way.
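The "ticketed traffic" idea in the post, in its usual form, is SYN cookies: the front end answers every SYN with a sequence number that encodes a keyed ticket instead of allocating connection state, and only a client that completes the handshake with a valid ticket costs the backend a connection. The following is an added example (not NetScaler code, and not from this post); the bit layout, the secret, the time window and the constructed packets are assumptions, and the layout is a simplified textbook one rather than any particular implementation's.

```python
"""SYN-cookie style handshake validation at a front end.  Added example; the
ticket layout, secret and sample flows are constructed."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

SECRET = b"constructed-demo-secret"   # random and rotated in a real deployment
TICK = 64                             # seconds per counter step
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values encodable in 2 bits
MASK32 = 0xFFFFFFFF

FourTuple = Tuple[str, int, str, int]   # client ip, client port, vip, vport


def _tag(flow: FourTuple, counter: int, mss_idx: int) -> int:
    """24-bit keyed hash binding the ticket to the flow, time step and MSS."""
    msg = f"{flow}|{counter}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(flow: FourTuple, client_isn: int, now: float, mss_idx: int = 3) -> int:
    """Server ISN for the SYN/ACK: client_isn + [5-bit counter | 2-bit mss | 24-bit tag].
    Nothing about the flow is stored; the cookie itself is the only record."""
    counter = int(now) // TICK
    ticket = ((counter & 0x1F) << 26) | (mss_idx << 24) | _tag(flow, counter, mss_idx)
    return (client_isn + ticket) & MASK32


def check_cookie(flow: FourTuple, client_isn: int, ack: int, now: float) -> Optional[int]:
    """Validate the final ACK; return the MSS on success, None otherwise.
    Only the current and previous time steps are accepted, so tickets expire."""
    ticket = (ack - 1 - client_isn) & MASK32
    counter_bits, mss_idx, tag = ticket >> 26, (ticket >> 24) & 0x3, ticket & 0xFFFFFF
    current = int(now) // TICK
    for counter in (current, current - 1):
        if counter & 0x1F == counter_bits and hmac.compare_digest(
                tag.to_bytes(3, "big"), _tag(flow, counter, mss_idx).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class SynProxy:
    """Front end that keeps no state for half-open connections."""

    def __init__(self):
        self.established: Dict[FourTuple, int] = {}   # flows forwarded to a backend

    def on_syn(self, flow: FourTuple, client_isn: int, now: float) -> int:
        # Reply with a SYN/ACK carrying the cookie; allocate nothing.
        return make_cookie(flow, client_isn, now)

    def on_ack(self, flow: FourTuple, client_isn: int, ack: int, now: float) -> bool:
        mss = check_cookie(flow, client_isn, ack, now)
        if mss is None:
            return False                 # bogus or stale ticket: dropped
        self.established[flow] = mss     # only now is a backend connection opened
        return True
```

Because a spoofed SYN never produces a valid ACK, a flood of them leaves the table of established flows empty; the cost of the flood is one HMAC per SYN at the front end rather than a half-open socket per SYN on each web server.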


posted by Craig Ellrod

In the Application Expert series part 2, Caching, I released a Deployment Guide discussing Static and Dynamic Caching.  As we are partners with Microsoft, we recently did some work here internally setting up some Dynamic Caching for an ASP.NET application and thought we would share the knowledge. This Caching Deployment Guide for ASP.NET Web Applications discusses the way an Application Expert would find out the potential caching scenarios that a web application can benefit from, and shows how to create and test the NetScaler caching policies and settings to put these scenarios into effect.

Tap into the power of AppExpert!


posted by Victor Thu

If you have been following the communication industry, you have no doubt been barraged by all these talks about Unified Communications. But all these years of hype, Unified Communications remains just a fragment of imagination. Why?

Let me share with you just one big reason why, it is not UNIFIED!

Unified Communications is actually a misnomer. What the telephony vendors are doing is tying you into their own suite of products that they hastily bundle together, then slapping on the Unified Communications name. It is not unified because the telephony system from one vendor does not work well with the system from another vendor.  Furthermore, there are great limitations on how the telephony companies have implemented Unified Communications.

Let's look at the click-to-call technology. Most telephony companies will claim that they support this as part of Unified Communications. However, you will find that this one capability is limited to one or two popular software applications. You will also discover that in order to extend click-to-call to other applications, you are expected to invest in internal development resources as well as external professional services from the telephony companies. It becomes cost prohibitive when you need to include communication in more than two or three applications.

If you cannot put a simple click-to-call technology without making your customers break the bank, do you still have the right to call your solution Unified Communications? I think not.

Citrix comes out with a click-to-call solution, called EasyCall, that challenges the current mindset. We are challenging the status quo on how the current crop of Unified Communications vendors conduct business. EasyCall is a disruptive technology that enables click-to-call on any application using any phone device! It is an agnostic solution that gives you the freedom to leverage your existing infrastructure and achieve real hard-dollar savings.


posted by Craig Ellrod

And it's FREE! Throw away those behemoths that suck power from every grid in the state and drain your budget. This baby is Free, Open Source and VIRTUAL, meaning you can run as many instances of this router as you want on your choice of hardware. What is even more gratifying is it's faster than the old router technology.

Vyatta has commoditized router, firewall and VPN deployment in the same way that Linux commoditized the operating system market. Vyatta open-source networking offers you an alternative to over-priced, inflexible products from proprietary vendors.

Vyatta software enables customers to build routing and security solutions using standard x86-based hardware of their choosing, ensuring networks will always meet performance requirements. Vyatta open-source software delivers the unique advantage of allowing customers to scale networks from the simplest LAN configurations to large BGP WAN edge configurations using a single software package.

Vyatta software includes support for most commonly used network interfaces, industry standard routing and management protocols, and all of these features are configurable via a single command-line interface (CLI) or web-based graphical user interface (GUI) - avail Q3'08. The integrated features and functionality make Vyatta software ideal for SMB, Branch Office, Enterprise and Service Provider deployments.

Summary of features:
BGP, OSPF, RIP, DHCP, QoS, IPSec VPN, VRRP, PPP, 802.1Q, Complete List.

This open source router is already running on XenServer in a large service provider in Europe. We are using it in our Citrix Ready program as a multi-link Intranet with connections to the Internet along with high availability link load balancing.

This para-virtualized Vyatta image runs as a virtual appliance in XenServer v3.2.1 and v4.1.

The XenServer Platform we are using:

Virtual Router - Install:

Virtual Router - Config:

Tap into the power of AppExpert.


posted by Gus Pinto

Join Citrix experts for this TechTalk webinar and learn how Citrix NetScaler Application Firewall prevents web application attacks automatically, without degrading throughput or application response times!

In this session learn:

- How NetScaler Application Firewall works
- How to manage web traffic & provide protection at application layer 7
- The inside scoop on SQL injection, cross-site scripting exploits, forceful browsing & many other attacks

When

Wednesday, June 11th 2008
1:00p (EDT)
Duration: 60 Minutes

Click here to register!

posted by Craig Ellrod

Application Delivery is at the top of the list of any organization's priorities. Keeping up with those priorities requires a move to dynamic application delivery and virtualization. The Citrix NetScaler Application Switch is a powerful step in that direction.

Compressing content at the server level can be done, but it is tedious, and with the number of hosted servers on the backend growing proportionally with virtualization, the task is better suited to a frontend tool.

As an Application Expert, determining what type of content is compressible vs. that which is not compressible should be at the tip of your tongue, or at least you should be able to reference this post or document.  The thing is, while some content types remain compressible/non-compressible across many applications, you might run across an application that requires some content be treated uniquely.  For example, the SAP application requires that PDF files not be compressed when sent back to the clients.  Either way, you should know how to dynamically configure rules to accommodate the application's content.  This Compression Deployment Guide shows you how.
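As an added example (not NetScaler's compression policies, and not from the deployment guide), here is front-end compression decided per content type, with a per-application exception of the kind the SAP case above needs. The type tables, the SAP rule, the minimum size and the constructed responses are assumptions; the decision order is the part to take away: client capability first, then whether the server already encoded the body, then the never-compress and per-application lists, then the compressible list, then size.

```python
"""Per-content-type gzip compression with per-application exceptions.
Added example; tables, hostnames and sample responses are constructed."""
import gzip
from typing import Dict, Set, Tuple

# Content types that gain from gzip: text and text-like application types.
# application/pdf is listed because many deployments do compress it; the
# SAP rule below takes it back out for that one application.
COMPRESSIBLE_TYPES = {"text/html", "text/plain", "text/css", "text/xml",
                      "application/javascript", "application/json",
                      "application/xml", "application/pdf"}
# Already-compressed formats: recompressing wastes CPU and can grow the body.
NEVER_COMPRESS = {"image/png", "image/jpeg", "image/gif",
                  "application/zip", "application/gzip"}
MIN_BYTES = 512   # below this the gzip framing costs more than it saves

# Per-application exceptions keyed by the hostname the vserver fronts.
APP_EXCEPTIONS: Dict[str, Set[str]] = {
    "sap.example.com": {"application/pdf"},   # SAP clients must get PDFs as-is
}


def _media_type(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'"""
    return content_type.split(";", 1)[0].strip().lower()


def should_compress(host: str, req_headers: Dict[str, str],
                    resp_headers: Dict[str, str], body: bytes) -> bool:
    accept = req_headers.get("Accept-Encoding", "").lower()
    if "gzip" not in accept:
        return False                    # client cannot decode it
    if resp_headers.get("Content-Encoding"):
        return False                    # server already encoded the body
    mtype = _media_type(resp_headers.get("Content-Type", ""))
    if mtype in NEVER_COMPRESS or mtype in APP_EXCEPTIONS.get(host, set()):
        return False
    if mtype not in COMPRESSIBLE_TYPES:
        return False                    # unknown types are left alone
    return len(body) >= MIN_BYTES


def compress_response(host: str, req_headers: Dict[str, str],
                      resp_headers: Dict[str, str], body: bytes
                      ) -> Tuple[Dict[str, str], bytes]:
    """Return the (headers, body) actually sent to the client."""
    if not should_compress(host, req_headers, resp_headers, body):
        return resp_headers, body
    data = gzip.compress(body)
    out = dict(resp_headers)
    out["Content-Encoding"] = "gzip"
    out["Content-Length"] = str(len(data))
    out["Vary"] = "Accept-Encoding"     # caches must key on the client's capability
    return out, data
```

The Vary header is easy to forget and matters once a cache sits in front of or behind the switch: without it a compressed copy can be served to a client that never asked for gzip.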

Watch this Compression Tip:


Buy the Citrix NetScaler Application Switch here.

Tap into the power of AppExpert.


posted by Chris Fleck

Many news reports have recently identified the increased threat to web sites and applications from SQL injection, the most recent example being the Nihaorr1 script that resulted in over 600,000 sites being infected, even including the Department of Homeland Security and the UN. Although initially identified as a Windows IIS server vulnerability, the root cause of the recent exposure goes beyond IIS and has identified lax web application coding as the culprit. In a Register interview, the DHS assistant secretary for Cybersecurity is quoted as saying "our networks are only as strong as the weakest link", which makes sense but also identifies how vulnerable web applications are on the web. If a company is relying on the variability of programmer security knowledge and limited QA testing to protect their web app from yet-to-be-defined threats, it's no wonder that so many sites are exposed and hacked. 

Perhaps one of the ways to better protect an organization from the next undefined attack is to look at minimizing the impact of variability. A common best practice in the manufacturing industry is to evaluate every process and implement techniques and tools to reduce variability, so as not to be overly dependent on a final test or inspection, which always has some level of escapes. This is the core of the Six Sigma technique that many world-class manufacturers utilize to improve product quality.  

As applied to IT protecting web applications, a tool that can be implemented to reduce the impact of programmer variability is a web application firewall such as the positive security model feature of the NetScaler Application Firewall. This feature recognizes best coding practices for HTML and industry HTTP standards and automatically blocks web application behavior and variations outside a known-good model. The result is a significant reduction in the risk created by variable programmer skills and expensive but incomplete QA testing.  In the specific example of the Nihaorr1 attack, a recent test validated that the NetScaler Firewall was indeed able to block the Nihaorr1 script using the default configurations. Additionally, the learning features of the App Firewall can be used for more granular configurations and protection as well.  

So before the next threat to your web applications is discovered, it may be worth further investigation as to the human influence of variability in IT operations and consider steps to mitigate the risks.   

 


posted by Craig Ellrod

Hundreds of thousands of web servers have been getting hacked, including several at the United Nations. The hack appears to exploit a vulnerability in Microsoft IIS because of a Microsoft SQL-specific injection payload; however, the attack is capable of infecting any type of web server open to SQL injection and cross-site scripting (XSS) attacks.

Microsoft released some security bulletins (951306, MS08-006) stating vulnerabilities in their IIS web server,  alluding to the vulnerabilities recently brought to light. A script homed at nihaorr1.com based in China was found to be infecting many servers, and spreading quickly. Further research into the problem indicates that non-Microsoft types of servers may also be affected by the attack.

As of May 12, 2008, Google's Index had 1,700,000 infected pages.  The domains currently being injected that contain the malicious Javascript are:

  • nihaorr1.com
  • 2117966.net
  • aspder.com
  • haoliuliang.net
  • nmidahena.com
  • free.hostpinoy.info
  • xprmn4u.info
  • winzipices.cn
  • wowgm1.cn
  • killwow1.cn
  • wowyeye.cn
  • wowgm1.cn
  • winzipices.cn

This vulnerability and others like it can easily be stopped with a Citrix Web Application Firewall using default policies to block SQL injection and Cross Site Scripting. We setup a demo in our lab, to show how easy it is to configure and block this type of threat.
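The two checks described in this post and in the Six Sigma post above it, written out as an added example (not the NetScaler Application Firewall, its default policies or its learning feature): a positive security model, under which only requests matching a known-good profile of the application pass, and behind it a few default negative signatures for SQL injection and cross-site scripting. The profile, the signatures and the constructed requests are assumptions, and the signatures are deliberately few; the point is the division of labour, not the pattern list.

```python
"""Positive-model request validation with default SQLi/XSS signatures behind
it.  Added example; the profile, signatures and requests are constructed."""
import re
from typing import Dict, Tuple

# Positive model: what a legitimate request to /account/lookup looks like.
# A real deployment learns this from traffic or gets it from the developers.
# The comment field was "learned" permissively, which is what leaves room
# for the negative signatures below to do their job.
PROFILE = {
    "/account/lookup": {
        "id": re.compile(r"^[0-9]{1,10}$"),
        "name": re.compile(r"^[A-Za-z][A-Za-z' -]{0,59}$"),
        "comment": re.compile(r"^.{0,500}$"),
    }
}

# Negative model: default signatures for the two attack classes named in the posts.
SIGNATURES = {
    "sql_injection": [
        re.compile(r"(?i)\b(or|and)\b\s+\d+\s*=\s*\d+"),   # tautology such as 1=1
        re.compile(r"(?i)\bunion\b\s+\bselect\b"),
        re.compile(r"(?i)\b(exec|declare|cast)\b\s*\("),    # stored-proc / type-cast calls
    ],
    "cross_site_scripting": [
        re.compile(r"(?i)<\s*script\b"),
        re.compile(r"(?i)javascript\s*:"),
    ],
}


def inspect_request(path: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason).  Requests for URLs or fields outside the
    profile are blocked even when no signature matches: that is what makes
    the model positive rather than a blacklist."""
    fields = PROFILE.get(path)
    if fields is None:
        return False, f"unknown URL {path}"
    for name, value in params.items():
        rule = fields.get(name)
        if rule is None:
            return False, f"unknown field {name}"
        if not rule.match(value):
            return False, f"field {name} outside profile"
    # Everything fits the profile; now apply the default signatures to
    # whatever the profile could not pin down tightly.
    for attack, patterns in SIGNATURES.items():
        for value in params.values():
            if any(p.search(value) for p in patterns):
                return False, f"{attack} signature in request"
    return True, "ok"


if __name__ == "__main__":
    for req in [{"id": "42", "name": "O'Brien", "comment": "please call me"},
                {"id": "1 OR 1=1"},
                {"id": "42", "comment": "<script>x()</script>"},
                {"id": "42", "debug": "1"}]:
        print(inspect_request("/account/lookup", req))
```

Note where each request is stopped: the injected id never reaches the signature stage because digits-only is all the profile allows there, and the apostrophe in O'Brien is fine because the profile for that field expects one, so the signature list does not have to be tuned around legitimate names. The tighter the learned profile, the less the negative signatures have to carry.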

See the malicious script in action:


Watch how Citrix Web App Firewall blocks the malicious script:


See how easy it is to configure the Citrix Web App Firewall:


Read about the Citrix Application Firewall here.

Buy the Citrix Application Firewall here.

Tap into the power of AppExpert


posted by Craig Ellrod

As an addendum to the Citrix NetScaler Policy Engine post I wrote recently, I pulled together some Frequently Asked Questions (FAQ) pertaining to the Policy Engine (PE). Policies are used to configure various Citrix NetScaler Application Switch features, and are executed in the order of their priorities. The priorities are configurable and increment in units of 10.
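Policy bindings evaluated in priority order, as the FAQ describes, shown as an added example (not the NetScaler policy engine or its expression language): lower priority numbers run first, and leaving gaps of 10 between the defaults is what lets you slot a new policy between two existing ones later without renumbering the rest. The expression callables, the action names and the sample policies are constructed.

```python
"""Priority-ordered policy bindings with first-match evaluation.  Added
example; expressions, actions and policy names are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]
Binding = Tuple[int, str, Callable[[Request], bool], str]   # priority, name, expr, action


class PolicyBindings:
    """Ordered policy table for one bind point (e.g. a vserver's request side)."""

    def __init__(self, step: int = 10):
        self.step = step
        self._bound: List[Binding] = []

    def bind(self, name: str, expr: Callable[[Request], bool], action: str,
             priority: Optional[int] = None) -> int:
        """Bind a policy.  Without an explicit priority, take the highest
        bound priority plus `step`, so the new policy runs last and a gap
        remains for later insertions."""
        if priority is None:
            priority = (max(p for p, *_ in self._bound) + self.step) if self._bound else 100
        if any(p == priority for p, *_ in self._bound):
            raise ValueError(f"priority {priority} already in use")
        self._bound.append((priority, name, expr, action))
        self._bound.sort(key=lambda b: b[0])
        return priority

    def order(self) -> List[str]:
        """Policy names in the order they will be evaluated."""
        return [name for _, name, _, _ in self._bound]

    def evaluate(self, req: Request) -> Optional[str]:
        """Evaluate policies in ascending priority; the first whose
        expression is true decides the action.  None means no policy hit."""
        for _, name, expr, action in self._bound:
            if expr(req):
                return action
        return None


if __name__ == "__main__":
    pb = PolicyBindings()
    pb.bind("static", lambda r: r["path"].endswith(".css"), "BYPASS_CACHE")       # 100
    pb.bind("block_admin", lambda r: r["path"].startswith("/admin"), "DROP")     # 110
    pb.bind("default", lambda r: True, "FORWARD")                                # 120
    # Slot an exception in front of block_admin without touching the others.
    pb.bind("admin_from_lan",
            lambda r: r["path"].startswith("/admin") and r.get("client", "").startswith("10."),
            "FORWARD", priority=105)
    print(pb.order())
```

Because evaluation stops at the first match, the priority number is part of the policy's meaning: an exception bound at 115 instead of 105 would never be reached for /admin requests.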

Watch this Policy Priority Tip:


Tap into the power of AppExpert!


posted by Kurt Roemer

Everybody has heard the stories and wants to believe - but there's no such thing as "PCI Compliant" products*.

People are constantly asking the question: Is "Product X" PCI compliant? The short answer is: No.

The long answer requires some careful explanation.

PCI sets forth 12 major requirements for an organization to meet, with the result of meeting these requirements culminating in an attestation of compliance. The PCI auditor verifies that the intent of PCI has been met, and compliance is granted. (OK, I know I just oversimplified a very complex set of processes - but the result is the same: the organization is deemed compliant or not)

But, what about the products that are used to support organizational PCI compliance? Network firewalls, antivirus, IDS/IPS, and application firewalls are listed in the PCI specification as core products whose functionality is required to obtain PCI compliance. Don't these products have to be certified as compliant? No, there is no provision for product compliance in the PCI DSS v1.1 specification.

So, given that PCI doesn't directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?

  1. Verify vendor claims - just because a salesperson says it, it doesn't make the statement true.
  2. Rely on trusted third-parties - organizations like ICSA Labs, NSS Labs, WASC and OWASP have detailed product capability matrixes, testing and certification criteria, and comparative data.
  3. Discuss concerns with your auditors - because PCI auditors make the final decision on compliance, they should be involved in key decisions leading up to the certification event.

There have been some wild claims with PCI - including the notion of "PCI certified products." When faced with conflicting information, work with trusted vendors and partners, press your auditor or PCI QSA for the documented facts, and escalate ambiguity as necessary through to the PCI Security Standards Council.

With factual information and proper actions, we can all help PCI reach its lofty goal: Increase trust in credit card usage by holding merchants to a high standard - the PCI DSS.

PCI Backgrounder

PCI DSS, the Payment Card Industry Data Security Standard (or simply PCI) specifies compliance standards for credit card usage. If your organization stores, processes, or transmits credit card data, PCI applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.

*Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. The PEDs are the only products to have PCI SSC approval.
