Registration is now open for this years Autumn 2009 CUGtech event in Geilo, Norway on Oct 7th through Oct 9th. It looks like there might also be a discount for the event by registering as a member.

Register here to participate at CUGtech Autumn 2009

• You will have to pay directly to the hotel when checking out Friday, using creditcard or cash.
• Register as a member now and get 50% discount for the membership valid thru 31/12-09.
• Only members can attend Master Classes, and get the special member price for the conference.

Click below to continue to registration:
http://cug.no/cugtech-autumn-2009/register/

Here is a nice view of the Geek Wonderland where the event will be hosted.

Geilo, Norway

Click below to learn more about the event:

CUGtech Autumn 2009: http://cug.no/cugtech-autumn-2009/
Location: http://cug.no/cugtech-autumn-2009/location/
Transport: http://cug.no/cugtech-autumn-2009/transport/
Speakers: http://cug.no/cugtech-autumn-2009/speakers/
Agenda: http://cug.no/cugtech-autumn-2009/agenda/
Master Classes: http://cug.no/cugtech-autumn-2009/master-classes/
Register: http://cug.no/cugtech-autumn-2009/register

Before I head off for a two-week vacation, I wanted to share a NetScaler VPX how-to video on compression that I posted to Citrix TV.

This video shows how configuring a virtual NetScaler system is very similar to configuring a physical system. If this video piques your interest, then be sure to check out our CNS-200-1I Basic Administration for Citrix NetScaler 9.0 5-day instructor-led training course, which is a great way to prepare yourself to administer any NetScaler implementation. Click here for more information.

I also wanted to let everyone know that we are still on target to release the updated CNS-300-2I Advanced Administration for Citrix NetScaler 9.0 Platinum Edition five-day instructor-led training class in Q4 2009. This course is a great way for experienced NetScaler administrators who have already taken our basic NetScaler administration to enhance their knowledge and skills further. Check out my last blog for more information.

Talk to you in two weeks!

Get ready for another European Geek Out event at this year's CUGtech event being hosted by Citrix Users Group Norway on Oct 7 through Oct 9 at the Dr. Holms Hotel in Geilo, Norway

This will be HARDCORE technical stuff with some of the best geeks in the world!
Shawn Bass and Benny Tritsch are coming! So are Alex Yushchenko, the founder and master of PubForum! We also have our danish friend Rene Vester from DKCUG on the speakers list! From Citrix we will have speakers from Citrix Support and Citrix Consulting, and from US our dear friends Rich Crusco and Rick Dehlinger are coming.

If you don't know about Citrix Users Group Norway, climb out from under that rock you have been living under, and come and join us at one of Europe's premier independently run Citrix Users Group events.

Click below to learn more:

CUGtech Autumn 2009: http://cug.no/cugtech-autumn-2009/
Location: http://cug.no/cugtech-autumn-2009/location/
Transport: http://cug.no/cugtech-autumn-2009/transport/
Speakers: http://cug.no/cugtech-autumn-2009/speakers/
Agenda: http://cug.no/cugtech-autumn-2009/agenda/
Master Classes: http://cug.no/cugtech-autumn-2009/master-classes/
Register: http://cug.no/cugtech-autumn-2009/register/

Stay tuned for more announcements about when registration will be made avaialble

Citrix Support is focused on ensuring Customer and Partner satisfaction with our products. One of our initiatives is to increase the ability of our Partners and Customers to leverage self-service avenues via our Knowledge Center.

I will be writing a series of blog entries detailing recently released Citrix Knowledge Center technotes and hotfixes for Citrix products. The technotes are either newly authored or updated articles.

This blog entry will concentrate on NetScaler.

Technotes

Maintenance Releases

David
Twitter - http://twitter.com/citrixreadiness
Citrix Support on Facebook - http://www.facebook.com/citrixsupport

ICA Proxy for XenApp using NetScaler AGEE.

Citrix NetScaler, a member of the Citrix Delivery Center™, is a purpose-built web application delivery solution that accelerates application performance up to five times while improving security and reducing web infrastructure costs. Access Gateway™, a member of the Citrix Delivery Center, is an only SSL VPN to securely deliver any application with policy-based SmartAccess control. Access Gateway, Enterprise Edition (AGEE) runs on the Citrix NetScaler.

Citrix XenApp™, also a member of the Citrix Delivery Center™ product family, is the industry's de facto standard for delivering Windows-based applications with the best performance, security and cost savings.

By centralizing applications and data in secure datacenters, IT can reduce the costs of management and support, increase data security and facilitate business continuity.

We at Citrix are often asked how to deploy a NetScaler AGEE in front of a XenApp server farm, to proxy application delivery over the ICA protocol, securely. The NS SGEE secures XenApp delivered applications by serving as a proxy for those applications. NS AGEE proxies the ICA connections delivered from XenApp, and then wraps those applications with HTTPS or SSL to secure the traffic before it leaves your organization.

This is possible by following the steps in the deployment guide. This guide is specific to the NetScaler Access Gateway Enterprise Edition (AGEE), which is different hardware & software from the Citrix Access Gateway Standard Edition (AGSE).

Download the deployment guide.

Its Powerful Citrix Developer Network!

ICA Proxy for XenApp using CAG

Citrix Access Gateway™, a member of the Citrix Delivery Center, is an SSL VPN to securely deliver any application with policy-based SmartAccess control.

Citrix XenApp™, also a member of the Citrix Delivery Center™ product family, is the industry's de facto standard for delivering Windows-based applications with the best performance, security and cost savings.

By centralizing applications and data in secure datacenters, IT can reduce the costs of management and support, increase data security and facilitate business continuity.

We at Citrix are often asked how to deploy a CAG in front of a XenApp server farm, to proxy application delivery over the ICA protocol, securely. The CAG secures XenApp delivered applications by serving as a proxy for those applications. CAG proxies the ICA connections delivered from XenApp, and then wraps those applications with HTTPS or SSL to secure the traffic before it leaves your organization.

This is possible by following the steps in the deployment guide. This guide is specific to the Citrix Access Gateway Standard Edition (AGSE), which is different hardware & software from the Citrix NetScaler Access Gateway Enterprise Edition (AGEE).

Download the deployment guide.

Its Powerful Citrix Developer Network!

Oracle EBS 12.1 runs on XenApp

Citrix XenApp™, a member of the Citrix Delivery Center™ product family, is the industry's de facto standard for delivering Windows-based applications with the best performance, security and cost savings. XenApp is the most complete application virtualization system available with the ability to virtualize applications on both the client side and server side, delivering them on demand based on the user, the application or the location (online or offline).

By centralizing applications and data in secure datacenters, IT can reduce the costs of management and support, increase data security and facilitate business continuity. XenApp Platinum Edition adds critical capabilities for application performance monitoring, secure remote access, WAN optimization and single-sign-on application security.

Citrix XenApp is compatible with Oracle E-Business Suite 12.1. Organizations of any size can deploy XenApp on industry standard servers anywhere in the datacenter, on a single server or across all cloud computing datacenters. This simple integration takes Enterprise applications into the virtual realm, allowing customers to run Oracle on Virtual Machines, within XenServer, delivered to the end user through XenApp.

Tap into the power of AppExpert!

Oracle EBS 12.1 is integrated with Citrix NetScaler

Deployed in front of Web servers, NetScaler application delivery controller models combine load balancing and content switching. Potential benefits include application acceleration, content caching, SSL acceleration, network optimization, and application performance monitoring in a single built-for-purpose hardware platform. Unlike other approaches that require multiple point products, NetScaler is an all-in-one appliance that is easy to deploy, configure, and operate with AppExpert Visual Policy Builder GUI-based tools, AppExpert Templates, and multiple wizards.

NetScaler 9.1 is available in both hardware-based (NetScaler MPX) and application-based deployments (NetScaler VPX). All deployment options available in version 9.1 are compatible with Oracle E-Business Suite 12.1. Organizations of any size can deploy NetScaler VPX on industry standard servers anywhere in the datacenter. NetScaler VPX enables load balancing, application acceleration, application security and server offload to become virtual appliance-based services that can be easily and dynamically deployed; on-demand and anywhere in the datacenter. Whether installed on a single server or across all cloud computing datacenters.

Download the Citrix NetScaler, Oracle EBS 12.1 Deployment Guide.

Download the Citrix NetScaler, Oracle EBS 12.1 Data Sheet.

Tap into the power of AppExpert!

CERT-FI Advisory on XML Libraries

Several vulnerabilities regarding the parsing of XML data have been found in XML library implementations. The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution.

Some of the most popular open source XML libraries are found to be vulnerable. Please refer to http://www.cert.fi/en/reports/2009/vulnerability2009085.html for details of the vulnerabilities and a list of libraries affected.

XML Security in NetScaler

The NetScaler Application Firewall module includes an XML-aware engine that powers specific XML attack protections. In addition to protecting XML-based applications from attack, NetScaler ensures that incoming XML traffic conforms to the appropriate standards (e.g., XML syntax, schema, WSDL validation).

NetScaler XML Security features that protect against the above vulnerabilities include Format Checks and Denial of Service Prevention. Format Checks prevents malformed or not well-formed messages from reaching the server. Denial of Service Prevention thwarts attacks (like large elements, deeply nested messages, etc.) that attempt to exhaust server resources or exploit weakness in the xml parsers and applications on the server.

For a more comprehensive list of XML security features included in Netscaler, click here.

@CitrixKCForums - The Citrix Support Forums ( http://forums.citrix.com/support )
@CitrixCommunity - The Community & CDN Forums ( http://forums.citrix.com/cdn )


http://twitter.com/chrisfleck

Within this one page you'll have all information on the Citrix and Intel relationship available at your fingertips...or mouse click so to speak.  

Interested in learning about Citrix's latest activities with Intel? We know your time is valuable and that's why we've consolidated all related news, blogs, articles, videos, etc... into the feeds section of this page. We've also created an area that highlights all related forum threads and postings. Look for answers to your burning questions, participate in an existing discussion, or post a new thread. Epitomizing the true nature of community... this page is here for you!  

Did you know that Citrix and Intel are working together to jointly develop a bare-metal Type-1 client hypervisor? Learn about and stay up to date on our joint collaboration of Citrix XenClient. View demos, read blogs and let us know what you think about this upcoming solution.

But it doesn't stop there! Get information and results on our joint product validation, benchmarking and scalability tests. You can even let us know how you're working with Citrix and Intel solutions together in our Community Verified area.

You're only one click away from all things Citrix and Intel. Stop by the Citrix Community page for Intel and check back often! And don't forget to follow us on Twitter!

To finish off with another Damone line, "isn't this great?"

Long before Neo said "whoa" ... civilizations throughout history have relied heavily on the wisdom and information provided by oracles.

In The Matrix, the Oracle says "if you can't find the answer, then I'm afraid there may be no tomorrow for any of us." Well, maybe that's a bit extreme in this case... but with the amount of information available within the Citrix Community page for Oracle, I don't think we'll have to worry about finding out.

Not only will this site provide a variety of information and wisdom on the Citrix and Oracle relationship, but you will also have to opportunity to contribute and become an "oracle" yourself. You can even view Oracle apps working on the iPhone with Citrix Receiver. Consider this page a library of resources for all things Citrix and Oracle...or a "shrine of information" so to speak.

From this page you'll have access to news, blogs, community discussions, and Tweets from the Citrix and Oracle communities as well as third-party sites. This information is aggregated into a single area within the page and provides all related information in a simple-to-use format. You can also follow us on Twitter for up-to-the-minute information.

Got questions? Related discussion forums are also consolidated within this page. Review existing discussion postings and threads to find answers to commonly asked questions. You can even join in the discussion and post new threads. Got knowledge? Become a contributor! The true nature of community is to share information. Remember, it takes a village...or a community in this instance.

We also want to know if and how you're using Oracle in your Citrix environments. Let us know in the Community Verified area. It's easy to use and takes only minutes of your time. Simply identify the Oracle application and Citrix product and you're done!

According to Ralph Waldo Emerson, "each man is a hero and an oracle to somebody." So be a hero within the community and become an oracle for the Citrix & Oracle relationship! Participate in the Citrix Community page for Oracle.

Today Citrix and Microsoft announced an expanded Desktop Virtualization partnership. I'll let the announcement speak for itself and we'll start to release more specifics on the solution over time, but I did want to share my perspective. I think this is good for our customers because Citrix is enabling choice by allowing them to leverage existing or planned investments and extends the reach and usability of those investments. Let me attempt to clarify what I mean.

The reality is, that many customers use or need a combination App-V, Systems Center, Citrix Application Virtualization both online and offline. I always felt that this caused some artificial confusion about what to choose. For example if I need to stream 64 bit apps with Citrix technology, and I need to stream applications which have services via App-V technology then I can now do both side by side in an integrated fashion. Your existing investments (e.g. the sunk cost of packaging, sequencing, testing and validating the applications) are protected and you can plot your course as you see fit together with Citrix and Microsoft.

I know this question will come up so I will also answer it directly based on the data in front of me. Does this mean Citrix is stopping Application Virtualization development? Well, now that I have the advantage of having access to status reports I don't have to speculate anymore. I know for a fact that there are a number of enhancements that our development teams are working on, so these enhancements continue in preparation for the next XenApp release. Moving beyond just the next release of XenApp, we plan to continue to invest to enable delivery of Windows applications as a service.

I believe customers want uncomplicated, user-friendly products that simplify their lives. I know from experience that managing Desktop agent sprawl is a pain. Hence, later in 2009 App-V will be able to be plugged directly into the Citrix Receiver which will make things easier for our customers via the Receiver management framework. This will also enable more intelligent options, where via policy or connectivity one can determine the best place to determine application execution for a user, streamed or hosted. Certainly an area I am going to spend a lot of time thinking about. Additionally, Citrix Dazzle enables a new 'Pull' based interface that consumers are familiar with. Note, I don't just say it's a PNAgent replacement, I think it's a lot more if you grasp the real value. This enables a whole new delivery model, and innovative ways for IT to reach and empower it's customers that too often accuse IT of being slow and rigid. How much time is spent setting up user environments, getting inventory, reconciling and so on? By enabling user based self service, a whole new capability is available. Yes, Citrix will enable App-V to be delivered as a user self service via Dazzle, which I think will be cool, and combined with Merchandising Server, opens up the realm of the possible for delivering applications as a service. Extend these ideas out further into the Cloud and emerging license models, and I think enabling application delivery for the vast majority of applications that are Windows based to complement Desktop Virtualization is a huge deal.

In 2010 XenApp will have a connector to ConfigMgr. This means that you will be able to manage XenApp environments from the ConfigMgr console. We'll blog more on specifics on what features of XenApp management we will expose as we evolve the capability and how,  but for now it's reasonably safe to assume we will do things like publishing apps, advertise XenApp as collections etc.  The more important point right now is to understand that by leveraging XenApp, you will now be able to extend the reach of ConfigMgr to a more diverse set of platforms like Mac and Linux that may not be managed by ConfigMgr. Think of it as Citrix extending the depth of solutions that Microsoft is providing for our mutual customers.

That's why we've worked together to develop the Citrix Community page for SAP, a dedicated, one-stop shop for all things Citrix & SAP! So while we'll never say there is "too much" information on the Citrix and SAP relationship, we will say having a single place to access all information on the relationship is "wonderful".

On this page we've consolidated all related blogs, news, videos, etc... from Citrix, SAP and third-party sites in our feeds section to save you time on staying up to date on the Citrix and SAP happenings. You can even follow us on Twitter!

There's even a discussion forum dedicated to SAP-related discussions. Look for the answers to your questions within existing threads or post a new question in our discussion forum. Do you have technical questions about an SAP implementation? Do you want to learn more about the validation and performance results of SAP NetWeaver with Citrix XenApp and Citrix NetScaler? Do you want to learn more about Citrix's relationship with SAP? If you said yes, then this is the site for you!

Visit this page to learn the latest and greatest information about our relationship including press announcements, product validations, joint activities and resources...and don't forget to participate in our Community Verified initiative! Let us know how you're working with SAP in your Citrix environment from the convenient console located within the page.

So...why don't you come up and see us some time? And oh yeah...don't forget to participate in the discussion! Stop by the Citrix Community page for SAP today!

New Tolly report shows that NetScaler 9.1 with nCore technology significantly outperforms F5's latest software release, BIG-IP v10. The results were astounding. Tolly conducted a battery of standard load balancing and acceleration tests and found that F5 introduces at least 3X more latency than NetScaler across all test scenarios. The report details the impressive performance NetScaler's nCore technology and highlights a significant deficiency with F5's architecture, namely latency. For example, it takes F5 2533.4 milliseconds to deliver an 8KB object versus 1.5 milliseconds for NetScaler. That's a significant negative impact to the end user experience and productivity, which can directly affect a company's bottom line.

To view the full Tolly report, click here

Tap into the power of AppExpert!

PinSafe is a form of multi-factor authentication which is easier to deploy and more cost effective than its token based competitors.  It also integrates seamlessly with the NetScaler for both SSL VPN and AAA for Web Applications.

It works by providing the user a customized "one time" image on the login page.  The image employs character rotation and will use a range of fonts and backgrounds to provide resistance to OCR attacks.  Contained within the image, is a security string which can be made up of numbers, characters or even a mixture of the two.   Place holders in the image help the user to extract their one-time image code.  So in the example below, a PIN of 4359 would yield a one-time code of 3125.

The default image has place holders to help the user extract the one-time code, but other, pattern based images can also be used.  The examples below show the numeric (eg telephone) keypad pattern as well as a more random pattern.  These images can even be branded for individual customers requirements.

For more information goto http://www.swivelsecure.com/

So, who do I think is right? That is easy - they both are!

First I want to say thank you to both of these guys for getting a discussion going. If I can paraphrase Brandon's side of the argument it would be "Why do I need Workflow Studio? I have Windows PowerShell." This is a question I have gotten a lot and I want to take some time to address it here.

Workflow Studio is designed to run on top of PowerShell. PowerShell 1.0 is a pre-requisite and many of our activities are written in PowerShell. Like Brandon, I think that PowerShell is an excellent scripting language and I personally can't wait for the day when everything is in PowerShell and there is no more need for VBScript. I believe every Windows administrator should learn PowerShell and use it regularly. I am doing what I can to drive all Citrix products to expose an SDK in PowerShell.

So wait a minute then... if the Product Manager for Workflow Studio is saying to use PowerShell then what is Workflow Studio for?

There is no reason that you should have to decide between the two technologies. If you are a Citrix customer then you have Workflow Studio at no additional cost. Workflow Studio has a great SDK for consuming PowerShell libraries, so you can leverage your existing PowerShell libraries with Workflow Studio. Here are some other things you can do with Workflow Studio:

1. Workflows are stored centrally in a SQL database making sharing and re-use across your team much easier
2. Workflows are automatically versioned when stored in the database. If you update a workflow that has been deployed, a copy is automatically created so you can continue to reference and use the previous version.
3. Workflow Studio is integrated with a task scheduling interface to automate the execution of your workflows based on schedule.
4. Workflow Studio has a simple, graphical, drag and drop interface. Most likely not everyone on your team is a PowerShell expert. Workflow Studio provides a simple interface that lets those not familiar with PowerShell be productive with it as well.
5. Workflow Studio can easily integrate with things that aren't PowerShell (native libraries support VBScript, WMI, and running batch files. You can also use 'off-the-shelf' activity libraries for Workflow Foundation as well.)
6. Workflow Studio is designed to support persistence. For simple, quick jobs, someone who is familiar with PowerShell and the cmdlets necessary to complete a given task will be more effective using the PowerShell command line interface. If the task requires several levels of approvals over hours, days, or even months then Workflow Studio and its underlying persistence and tracking engine from Workflow Foundation is a better tool for the job.

And remember, everything in Workflow Studio is exposed via PowerShell, so you can build your own interfaces to your workflows in PowerShell.

I would love to get more feedback on this topic in the comments. Let me know if you agree or disagree. Ultimately these are both just tools and if they don't help you do your job then they are meaningless. Let us know how we can make both technologies work better for your organization.

Netscaler 9.1

Citrix NetScaler 9.1 Classic and nCore are now RTW - Release to Web, and are available to all customers via the Downloads section of the citrix.com support site.

Download it here.

What's New:
NetScaler Licensing Update - Starting May 25, all NetScaler appliances that are shipped from Citrix no longer contain pre-installed licenses. Reference "How To License NetScaler Appliances using the Activation System/Manage Licenses Tool on MyCitrix.com" in the Knowledge Base (CTX121062) or contact Customer Service.

Release 9.1 Classic only:

• Support of New MPX 5500, 7500 platforms (8.1 build 65.5 and later are also supported on these new platforms)
• NetScaler Web 2.0 Push
• GSLB
• AppFW

Release 9.1 nCore only:

• NetScaler nCore software (9.1.nc) is currently intended only for use on the NetScaler MPX 15000 and MPX 17000 appliances. All other NetScaler appliances should use Release 9.1 Classic.

Citrix® NetScaler® nCore™ technology is a high performance, parallel-processing architecture that efficiently leverages multi-core technology to scale to meet the requirements of the most demanding Web applications.

The performance and scalability benefits enabled by nCore technology have significance for both current and future Web application delivery requirements. nCore technology provides:

• Better performance for Web 2.0 and rich Internet applications
• Improved ability to handle large traffic spikes
• Expanded capacity to support more users and more applications
• An all-in-one platform for Web application delivery requirements: L4-7 load balancing, caching, GSLB, compression, SSL VPN, SSL offload, application security, performance monitoring and more.

For complex layer 7 workloads that tend to be more CPU intensive, nCore technology provides up to a sixfold improvement. Applications needing to support many concurrent users will benefit from a sevenfold improvement in concurrent connections.

For more information on the NetScaler 9.1 product release, especially for 9.1 Classic and nCore supported features, visit the Release Notes under General Documentation section at http://support.citrix.com.
If further assistance is required, contact the Customer Service representative in your area.

Download Details:

The FCS build is available for download from the following locations:

Via MyCitrix: www.MyCitrix.com > Home > Support > Downloads > NetScaler

Employees and customers with valid ANG maintenance contracts who have requested/received MyCitrix login credentials will be able to view and retrieve files from this location.

Via FTP: ftp.netscaler.com

If you do not have access to this folder, login credentials for this site are available through Technical Support.

Tap into the power of AppExpert!

In the first part of this blog series we looked at specific details on Citrix Delivery Center and the Disaster Recovery demonstration for SAP NetWeaver. In this posting we will cover different High Availability solutions also demonstrated at SAP. In addition to this blog series, please refer the Reference Architecture document that provides all the technical details about Citrix and Marathon solutions implemented for SAP.

Getting back to High Availability, Citrix XenServer and Marathon Technologies everRun VM for XenServer provide solutions that covers a broad spectrum of High Availability requirements  ranging from maintenance to complete system-level fault tolerance. Given the breadth of High Availability solutions, IT administrators are bound to find a Citrix XenServer High Availability solution to meet their application availability needs.  

When looking for an HA solution, various factors such as application criticality and business impact must be considered before choosing a particular solution for an application. A more detailed report on determining availability requirements can be found here.  
In our Proof Of Concept environment at SAP, we showcased all levels of High Availability offered by XenServer and everRun VM. First let's look at the out-of-the-box High Availability solutions that XenServer alone delivers:

• XenMotion: XenMotion supports live migration of running virtual machines from one XenServer to another. The primary purpose of XenMotion is to prepare for planned server maintenance.  The end user will not experience any interruption in application performance in XenMotion.
• XenServer High Availability (HA) - Level 1: XenServer HA provides High Availability by automatically restarting failed virtual machines on a different XenServer host within the same resource pool.  The end user will experience an interruption in service as the virtual machine restarts.

In addition, Marathon Technologies everRun VM for XenServer provides High and Continuous Availability for critical virtual machines hosting business applications like SAP NetWeaver Portal:

• everRun VM for XenServer-- Level 2: Marathon Technologies everRun VM Level 2 delivers High Availability from component-level fault tolerance, eliminating downtime caused by I/O component failures and guaranteeing recovery from system failures. The solution identifies faulty I/O pathways before they become a problem and responds to a wide range of I/O and component failures. Active validation of all components on primary and secondary hosts ensures smooth recovery following any primary host component failure.  
• everRun VM for XenServer - Level 3: Marathon Technologies everRun VM Level 3 provides Continuous Availability from system-level fault tolerance, eliminating data loss, downtime and transaction loss. It offers all of the benefits of Level 2 and adds two important attributes:
  a.    Zero downtime, even with complete XenServer host failure.
  b.    Preservation of application and memory states during failure.

The following video features the Marathon everRun VM Level 3 High Availability solution demonstrated at SAP Co-Innovation Labs, Palo Alto. Again, for more technical details on the implementation, please take a look at the Reference Architecture.

If you need to perform a search of a particular piece of data in the SUBJECT or ISSUER fields of a client's SSL certificate, the CONTAINS and NOCONTAINS Operators will serve you well.  However, if you want to be more granular in your approach, you will likely get frustrated by using the offset values of the Classic AppExpert Expression.

Problems occur when administrators rely on IE's reporting of the certificate values to determine the offset position within these fields rather than using openssl.  The reason you need to use openssl is because IE (and other browsers and operating systems) tend to incorrectly display the values of these parameters, messing up both the format and the order of the values.  So if you're going to set offsets, do NOT get your position information from IE!  Use openssl instead.

For example, take a look at my test certificate:

See how IE makes it look as if you should be reading this list (the top half) from left to right? Or (the bottom half) top to bottom?   Unfortunately, these are completely backwards.  Worse, there aren't any spaces or commas between the substrings.

So if you rely on what IE is telling you when you try to search in a specific location for "Rick.Davis@" you might use an offset of zero.  Or three.  But neither of those is correct.  OpenSSL will show you that the offset is actually 73!  

It's completely contrary to what you might expect because this is how the subject field is read by the NetScaler:
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab

Proceedure

In order to accurately calculate the offset, you will need to use the openssl command.  Here's how:

1. Upload the client certificate to the NetScaler.
2. Use OpenSSL to view the SUBJECT or ISSUER fields from the NetScalers CLI: 

> shell
cd /flash/nsconfig/ssl
openssl x509 -noout -in client.cer -subject
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab

The fields use ordinal numbering, so the first "/" character is number zero.  Here's the location map: 

/C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab
0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123
0         1         2         3         4         5         6         7         8         9

References

CTX116431 How to Create and Use Client Certificates on the NetScaler 

CLIENT.CERT
CLIENT.CERT.SUBJECT
CLIENT.CERT.ISSUER
CLIENT.CERT.SIGALGO
CLIENT.CERT.VERSION
CLIENT.CERT.VALIDFROM
CLIENT.CERT.VALIDTO
CLIENT.CERT.SERIALNUMBER
CLIENT.CIPHER.TYPE
CLIENT.CIPHER.BITS
CLIENT.SSL.VERSION