Failed URL Redirect

The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.

In case the current url is not valid & the request needs to be redirected to another web server, the following steps could be taken.

Example : We will check weather the request filename exists on the server or not, in case it fails then redirection is done to another webserver (for example, webServerB.com). In the case of AppExpert, HTTPCallout is used to check the presence of the file on the server by running a script file_check.cgi on the server. The returned value from HTTPCallout is used to validate the policy.

The Script file_check.cgi takes the url as the argument, checks for its presence on the server & returns True or False accordingly.

Apache rewrite:

RewriteCond   /your/docroot/%{REQUEST_FILENAME} !-f
RewriteRule   ^(.+)      http://webserverB.com/$1 [R]

AppExpert rewrite: (There are two ways to do this)

add HTTPCallout Call

set policy httpCallout Call -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")'  -urlStemExpr '"/cgi-bin/file_check.cgi"'   -parameters query=http.req.url.path -headers Name("ddd")

add responder action act1 redirect '"http://webserverB.com"+HTTP.REQ.URL' -bypassSafetyCheck yes

add responder policy pol1 '!HTTP.REQ.HEADER("Name").EXISTS  &&  !SYS.HTTP_CALLOUT(call)' act1

bind responder global pol1 100

add HTTPCallout Call

set policy httpCallout Call -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")'  -urlStemExpr '"/cgi-bin/file_check.cgi"'   -parameters query=http.req.url.path -headers Name("ddd")

add responder  action act1 respondwith  '"HTTP/1.1 302 Moved Temporarily\r\nLocation: http://webserverB.com"+HTTP.REQ.URL+"\r\n\r\nHTTPCallout Used"' -bypassSafetyCheck yes

add responder policy pol1 '!HTTP.REQ.HEADER("Name").EXISTS  &&  !SYS.HTTP_CALLOUT(call)' act1

bind responder global pol1 100

Tap into the power of AppExpert!

Structured Homedirs

The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.

Some sites with thousands of users usually use a structured homedir layout, i.e. each homedir is in a subdirectory which begins for instance with the first character of the username. So, /~foo/anypath is /home/f/foo/.www/anypath while /~bar/anypath is /home/b/bar/.www/anypath.Following rules could be used to implement this.

Apache rewrite:

RewriteRule   ^/~(([a-z])[a-z0-9]+)(.*)  /home/$2/$1/.www$3

AppExpert rewrite:

Add rewrite action act1 replace 'HTTP.REQ.URL'  '"/home/"+ HTTP.REQ.URL.AFTER_STR("~").PREFIX(1)+"/"+ HTTP.REQ.URL.AFTER_STR("~").BEFORE_STR("/")+"/.www"+HTTP.REQ.URL.SKIP(\'/\',1)'  -bypassSafetyCheck yes

Add rewrite policy pol1  'HTTP.REQ.URL.PATH.STARTSWITH("/~")' act1

Bind rewrite global pol1 100

Tap into the power of AppExpert!

Move Homedirs to Different Web Server

The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.

There are cases when you want to redirect requests for homedirs on one web server to another web server. The typical use case for this arises when establishing a newer web server which will replace the old one over time. i.e. you need to redirect all the requests for a particular homedir to another web server.

Example : Let the hostname for new webserver be newserver.

Apache rewrite:

RewriteRule   ^/(.+)  http://newserver/$1     [R,L]

AppExpert rewrite: (There are two ways to do this)

Add responder  action act1 redirect '"http://newserver"+HTTP.REQ.URL' -bypassSafetyCheck yes
Add responder policy pol1 'HTTP.REQ.URL.REGEX_MATCH(re#^/(.+)#)'   act1
Bind responder global pol1 100 END

Add responder  action act1 redirect '"http://newserver"+HTTP.REQ.URL' -bypassSafetyCheck yes
Add responder policy pol1 'HTTP.REQ.URL.LENGTH.GT(1)'   act1
Bind responder global pol1 100 END

Tap into the power of AppExpert!

New NetScaler Technology Speeds Applications that Push Data to Users, Achieving Greater Real-time Interactivity with Fewer Servers Required

This groundbreaking new capability was specifically designed to address the demands that today's interactive Web 2.0 applications are placing on server infrastructures. While Web 2.0 applications are ushering in a new era of enhanced functionality and responsiveness for end users, they are highly inefficient when it comes to server computing resources. In order to create a rich interactive experience, Web 2.0 applications need to maintain a one-to-one user connection to backend servers for extended periods, which severely taxes datacenter resources and adversely impacts performance and scalability. NetScaler is the first application delivery controller to streamline this process by "pushing" data directly to thousands of users concurrently, offloading web servers from this burdensome task. As a result, server costs for delivering Web 2.0 applications can be reduced by five to ten times.

Rich Web Experience at a Fraction of the Cost

These new capabilities allow NetScaler to free up backend servers from inefficient connection management tasks, thus shrinking the number of servers needed. This reduced server footprint in the datacenter improves server utilization and allows a smaller set of servers to accomplish the same business tasks, cutting server costs by up to 90 percent by decreasing power, cooling and operational overhead.

Read more.

Its available now.

Its powerful - AppExpert!

SharePoint Template

AppExpert Templates are nothing new for NetScaler. However, with a new release of NetScaler comes an updated, new and improved NetScaler AppExpert Template for use with Microsoft SharePoint applications.

AppExpert Templates are a simple approach to configuration management for complex enterprise applications. In one simple view, you can view what is most important to you in terms of application delivery. No more confusing and complex rules to define, reducing the time to deploy, easing management and improving the bottom line.

Improvements to the template include additional optimizations for Image Management, Scripts, SOAP and FrontPage. Caching and Compression policies have been optimized, along with the addition of a section for rewrite. There is a redirect policy for converting HTTP to HTTPS on the fly, to enable secure traffic to/from the Microsoft SharePoint applications.

All of these improvements can be found in the new Microsoft SharePoint template, and a description of the template can be found in the updated SharePoint Deployment Guide.

Download the updated Microsoft SharePoint AppExpert Template here (NS v9.0 b66 required).

Download the updated Microsoft SharePoint Deployment Guide here.

Its Powerful - AppExpert!

Load Balancing Auto-Configuration for SAP using Workflow Studio and NetScaler

At the tail end of our certification process at SAP, Citrix engaged in a unique opportunity to make use of the SAP APIs, using Workflow Studio to auto-configure the Citrix NetScaler for Load Balancing. The way it works is, Workflow Studio polls the SAP API, reads the response, and then based on the results in the response, configures the NetScaler Load Balancing groups that map directly to the SAP servers running in the server farm.

SAP has a community group dedicated to the development of their APIs, please reference the latest blog post Catching Up with Deployment and Operations Automation, describes the SAP APIs.

The SAP Community Definition Group (CDG) - titled "PCDG 97 NetWeaver Infrastructure APIs for Network Solutions" - is focused on automation of network-application integrated configuration and operation. As the group title implies, the SAP NetWeaver technology platform includes APIs, which are used by the NetScaler ADCs (load balancers) to auto-configure themselves as proxies for multi-instance SAP application systems. Using Citrix Workflow Studio, the SAP APIs are polled on a regular basis so that the NetScaler ADCs can react to SAP application instance changes during production runtime.

If another application instance is brought up, let's say for providing more computing capacity for an increasing end-user load, or if an instance is brought down temporarily for maintenance, Workflow Studio communicates with the NetScaler ADC to adjust load balancing automatically without any manual administrator intervention. There is no more wait, or lengthy change management required to provision applications.

Workflow Studio, NetScaler and SAP API Use Cases:

Use Case 1: (auto-configure new SAP services).

Workflow Studio sends a URL request to the SAP Message Server, and receives a response. Workflow Studio parse's the response, looking for specific SAP generated patterns. WFS then uses this information to configure a Load Balancing Virtual Server inside of the Citrix NetScaler.

Use Case 2: (dynamic configuration).

Workflow Studio repeatedly queries the SAP API. WFS studio can determine hostnames, ip addresses, port numbers, and whether an SAP server is coming online or going down. When a SAP server comes online/goes down - WFS detects this change, and then takes action on the Citrix NetScaler, to add/remove the SAP service from the Load Balancing group - automatically.

Use Case 3: (graceful shutdown).

Workflow Studio queries the SAP API, determines a SAP server is going down, and based on the response, waits until all existing sessions have been retired, before removing the server from the Load Balancing group . During the shutdown period, no new sessions are added to that SAP server, providing a graceful shutdown of the SAP service. This way, there are no TCP resets sent to existing sessions. New logins are routed to a different server.

Read the SAP article here.

Tap into the power of AppExpert!

Securing Web Applications with an Application Firewall

I have been working with Application Firewalls for quite a few years - many times to protect web applications published in languages and character sets that I didn't understand. Frequently, I have seen these Application Firewall deployment projects get bogged down in pursuit of the perfect policy set.

I have also seen many situations in which this process and application changes actually break these applications.

The NetScaler Application Firewall deployment can also be subject to these issues since the appliance provides extensive application firewall features. Even with the learning capabilities, creating the ideal set of security policies for any application can be a trial and error process that can take significant time.

In this blog, I would like to share an implementation methodology that shortens the deployment, and helps avoid breaking the applications to be protected. Experience has shown that approaching the configuration of the Application Firewall in stages is the key to timely success. This methodology is effective for all types of applications and their needs.

To alleviate the time and risk of varying degrees of policy complexity, break the task into stages. That is, separate the policy configuration into groups of ascending risk.  While some may raise the point that a simplified protection policy set is not complete, it must be remembered that protection stages will build upon each other, and will be better than allowing unfiltered access while all policies are in learning or logging/warning mode.

The benefit of staging is that a basic set of policies are made operational.  Then, the following stages will consist of conducting a repeatable process of "policy tightening" procedures as required by the application.

Stage I

When configuring the NetScaler Application firewall policies, start with some of the basic protections.  Activating the simple, generic policies almost never produce false positives.  These typically include:

• Protect against Cross Site Scripting (XSS) attacks
• Protect against SQL Injection attacks
• Protect against Buffer Overflow attacks
• Prevent Credit Card Leakage
• Prevent access to system files
• Alter the contents of the server headers

Activating these policies will typically not break applications.  As such, a small user community - with etc/hosts overrides - can be used to validate the configuration over a fairly brief validation period.

More importantly, this is a great start. These policies create security effectiveness that can typically be rated as a level seven on scale of zero though nine (you can never get to a perfect "10" in security).

Stage II

The next stage will include applying policies that require more application validation to determine the application specific relaxation adjustments ("policy overrides").

But first, don't forget to ask yourself if this application actually requires tightened policies.

If so, Stage II protections should be sequenced - Cookie Tampering prevention should be blocked first. Then, move on to blocking tampering with the values of parameter and/or hidden form fields.

Start with cookie poisoning prevention ("Cookie Consistency"). It will be likely require the least number of relaxations. This will build on the Stage I successes most rapidly.

To do this, use the learning process to identify the cookies that are legitimately altered between the response and request process. Minimally, relaxations will be required for cookies that are set and modified by third party monitoring services. Again, because of the staging, this learning can happen while the basic policies are in place and actively applying their protection mechanisms.

If further tightening is required, focus on creating policies that prevent users from tampering with the values of parameter and hidden form fields. This is achieved by activating "Field Consistency" learning in the NetScaler application firewall. Depending on the architecture of the application or a frequent use of client side scripting, these policies carry a higher risk of blocking legitimate requests. These policies thus require a more extensive learning period and associated relaxation overrides.

It should also be noted that these Stage II policies and their relaxations do have a tendency to be susceptible to producing false positives as applications change, and should be re-evaluated in conjunction with major application changes.

Stage III and Beyond

If the application is contains super sensitive information, and undergoes frequent changes, further security configuration may be required.

Stage III typically involves enforcing field formats and enforcing user navigation paths. Adding restrictions to field input types, such as date formats, and more, will require further time for learning these application attributes. Be aware that these policies will also be more likely to be sensitive to application changes.

Enabling the "Start URL" facility allows users to access only the specifically stated URL types. Due to the flexibility inherent in application architectures, however, these restrictions may require modification to include additional request types present in a particular application.

Lastly, carefully consider activating "URL Closure" to control the flow of access by users. Enforcement of this policy set disallows users from navigating to locations not previously offered by an application response. These policies may require significant application validation if client side scripts modify URLs, or if FLASH objects contain links.

The above policies tend to bend the needle towards the nine level and will be more likely to cause false positives during policy refinement or when the application changes. Leaving these to Stage III, however, allows continued protection afforded by the policies of Level I and Level II during the refinement, however.

Summary

Personally, when I plan my application firewall deployments, I always attack the assignment in the phases outlined above. I focus on the quick return policies first. Then I take time to consider if the sensitivities of the specific application even warrant the extra effort of going all the way to Stage III. This last question can produce some interesting answers that pit my application security ideals against the practicalities driven by the depth of my current to-do list.

And then, of course, this staged approach may be completely ignored in situations in which a specific application just suffered from an attack through a specific Level III vulnerability. Such situations may warrant overriding the staged approach and focusing on addressing the impacted vulnerability immediately.

Also, don't forget to sign on to MyCitrix and download the Application Hacking Kit and actually try some of the most common application attacks on the BadStore application!

Nelson Esteves has moved through the ranks as part of the Citrix Technical Support team. He started out as a level one support engineer on the XenApp team, and now is an Escalation Engineer for the NetScaler and Advanced Access Gateway (AAG) support team. Nelson will be presenting the following sessions at Citrix TechEdge during Citrix Summit and Citrix Synergy 2009: End-to-end virtualization with Citrix Delivery Center, with a focus on Citrix Access Gateway, Enterprise Edition (AGEE), and then his in-depth session will cover Integrating and troubleshooting Citrix Access Gateway, Enterprise Edition.
Q. How has AGEE improved from a support perspective over the past year?

Nelson: AGEE has evolved to a bigger and better product. With the 9.0 release we are able to meet most of users demands such as full Microsoft SharePoint Integration as well as Branch Repeater acceleration. From a support perspective, the new filtering capabilities of network tracing on the appliance is great not to mention the ability for more granular control such as choosing packet type and size.

Q. What AGEE and Citrix Delivery Center tips will attendees learn at your session this year?

Nelson: During the breakout session, attendees will learn with great detail how pre and post-authentication scans work and how to configure them properly. They'll also learn how AGEE integrates with XenApp via Web Interface. I'll show what's involved on the login process to Web Interface and how Smart Access works in the background. In addition to all that they'll learn how to successfully decrypt a network trace and how to troubleshooting SSL errors when launching a published application via a pre-recorded troubleshooting video. The CDC presentation will explain how AGEE integrates with XenDesktop as well as Web Interface and NetScaler.

Q. What new tools or techniques are you using to troubleshoot NetScaler?

Nelson: The new filtering system when taking network traces was a great addition, and it made troubleshooting a lot faster since we can now select what we want to filter instead of having to handle very large network trace files.

Q. What types of cases have you worked on this past year? Why?

Nelson: I have handled cases related to VoIP issues via the VPN, SSL Errors when launching applications, Microsoft SharePoint integration issues, and several others. Most of the VoIP issues had to do with the software being used since it didn't have an option for VPN configuration. We need to make sure the call manager server receives the VPN user Intranet IP and not its local IP. SSL Errors were due to clients either not having the proper certificates installed or misconfiguration on the AGEE or Web Interface (missing STA, wrong STA URL, missing STA port, etc.). SharePoint integration has been challenging since the release of 9.0, but now we have corrected all the errors we have encountered.

About Nelson Esteves
Nelson has been with Citrix Technical Support for a little over three years. He started as level one support engineer working on core products such as XenApp, Password Manager, Installation Manager and Resource Manager. He was then transferred to the Web Security team working with Web Interface and Access Gateway. One year later he was promoted to the frontline NetScaler support team, and about a year after that he became an Escalation Engineer supporting NetScaler, Application Firewall and AGEE. He holds certifications in A+, Net+, MCP, CCNA and CCA for Citrix NetScaler 8 Platinum Edition. He's also pretty quick on his feet, as an amateur soccer player, and has played in local tournaments and traveled with the Florida select team.Do you have an AGEE troubleshooting area that you would like Nelson to focus on during his presentation? Leave a comment.

Check out more posts in the Citrix TechEdge 2009 series.

Canonical Hostnames

The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.

The goal of the following rule is to force the use of a particular hostname, in preference to other hostnames which may be used to reach the same site. For example, if you wish to force the use of www.example.com instead of example.com, you might use a variant of the following rules.

Example : changing example.com to www.example.com

Apache rewrite:

RewriteCond %{HTTP_HOST}   !^www.example.com 
RewriteCond %{HTTP_HOST}   !^$
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/(.*)         http://www.example.com:%{SERVER_PORT}/$1 [L,R]

RewriteCond %{HTTP_HOST}   !^www.example.com 
RewriteCond %{HTTP_HOST}   !^$
RewriteRule ^/(.*)         http://www.example.com/$1 [L,R]

AppExpert rewrite:

add responder action act1 redirect '"http://www.example.com:"+CLIENT.TCP.DSTPORT+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.HOSTNAME.CONTAINS("www.example.com")&&!HTTP.REQ.HOSTNAME.EQ("")&&!HTTP.REQ.HOSTNAME.PORT.EQ(80)&&HTTP.REQ.HOSTNAME.CONTAINS("example.com")' act1
bind responder global pol1 100 END

add responder action act1 redirect '"http://www.example.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1  '!HTTP.REQ.HOSTNAME.CONTAINS("www.example.com")&&!HTTP.REQ.HOSTNAME.EQ("")&&HTTP.REQ.HOSTNAME.PORT.EQ(80)&&HTTP.REQ.HOSTNAME.CONTAINS("example.com")' act1
bind responder global  pol1 100 END

Tap into the power of AppExpert!

Canonical URLs

The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler. On some Apache web servers there is more than one URL for a resource. Usually there are canonical URLs (which should be used and distributed as a best practive) and those which are just shortcuts, internal ones, etc. Independent of which URL was supplied with the request, the user should only see the canonical one URL in the response.

Example : converting URL /~user to /u/user.

Apache rewrite:

RewriteRule   ^/~([^/]+)/?(.*)    /u/$1/$2[R]

AppExpert rewrite:

Add responder action act1 redirect  '"/u/"+HTTP.REQ.URL.AFTER_STR("/~")' -bypassSafetyCheck yes
Add responder policy pol1 'HTTP.REQ.URL.STARTSWITH("/~") && HTTP.REQ.URL.LENGTH.GT(2)' act1    
Bind responder global pol1 100

Tap into the power of AppExpert!

As part of the Citrix Technical Support team, Jacob Salassi is not only a senior escalation engineer, he's also an appliance technical relationship manager (TRM). Jacob gave us a glimpse into the following sessions he'll be presenting at Citrix TechEdge during Citrix Summit and Citrix Synergy 2009: End-to-end virtualization with Citrix Delivery Center, with a focus on Citrix NetScaler, and then his in-depth session will cover Advanced troubleshooting of Citrix NetScaler.

Q. How has NetScaler improved from a support perspective over the past year?

Jacob: With the release of 8.1 and 9.0 we have seen big gains in overall feature sets, UI improvements, and stability improvements. Along with that have come enhancements and additions to logging (TCP logging for example), and the various tools we in support employ to troubleshoot issues. A hotly awaited change in 9.0 was the addition of the ability to use filters in nstrace.sh which allows us to capture much smaller sniffs and avoid post-capture filtering while still preserving the entire session and its related packets.

Q. What NetScaler and Citrix Delivery Center tips will attendees learn at your session this year? 

Jacob: My sessions will take an administrator through overall troubleshooting methods and techniques, to a simple XenApp deployment example, and then to troubleshooting that same deployment using the techniques that have been learned.

Q: What NetScaler Tech Tip can you give people now?

Jacob: Always disable unused interfaces on BOTH nodes of an HA pair. It's common for administrators to forget about the secondary node which may cause HA to behave improperly in the event of a failover.

Q. What new tools or techniques are you using to troubleshoot NetScaler?

Jacob: Having more experience and spending more time using and developing troubleshooting tools has been a huge benefit for me. We now have tools to automate many things we had to do manually in the past, and this really helps our customers provide us with the data we need to resolve their issues.

Q. What types of cases have you worked on this past year? Why?

Jacob: I don't like the restrict myself to any particular kind of case, and the issues around NetScaler can be of a huge variety. This year some of the stand out issues have been dynamic routing deployments, as well as some very large, exotic, and sensitive deployments where resolving an issue quickly is absolutely a requirement.

About Jacob Salassi

Jacob's been with Citrix Technical Support for just under two years. His first position at Citrix was as an escalation engineer. He was then promoted to lead escalation engineer, and then to senior escalation engineer where he joined the TRM team. He holds certifications in Citrix Certified Administrator (CCA) for NetScaler. When Jacob is not troubleshooting a hot issue, he's listening to his motorcycle scream around the track at 15,000 RPM.

Do you have a NetScaler troubleshooting area that you would like Jacob to focus on during his presentation? Leave a comment.

Check out more posts in the Citrix TechEdge 2009 series.

SAP certifies NetScaler v9.0 and Branch Repeater/WANScaler v4.5 solution

On 3/31/2009, SAP certified Citrix NetScaler v9.0 and Citrix Branch Repeater/WANScaler v4.5 as an integral solution to improve the delivery of the SAP applications. For SAP Portal, the Citrix NetScaler & Branch Repeater/WANScaler solution improved response time to clients. For downloads and backend operations from SAP Composite and ERP servers, response time was also improved.

SAP customers have hundreds of branch offices with a mixture of small and large offices, and a global distribution. It is important to have a solution which optimizes, simplifies and accelerates the delivery of the SAP applications. During certification testing it was proven that the NetScaler and Branch Repeater/WANScaler products improve performance of SAP applications through acceleration, provide security through HTTPS connections, and provide reliability & high availability through load balancing.

Read more about NetScaler here.

Read more about Branch Repeater/WANScaler here.

Tap into the power of AppExpert!

Rate Based Policy Enforcement:

New in NetScaler 9.0 are Rate-Based policies which can be used to control, limit and throttle traffic to various servers. Rate Based Policies use the advanced expression syntax found in the Policy Infrastructure (PI) format of the NetScaler, which is also new for 9.0.

You can monitor the rate of traffic that flows through virtual servers or other User defined entities that are associated with different virtual servers, including URLs, domains, and combinations of URLs and domains.

You can control Citrix NetScaler behavior based on the traffic rate, including throttling the traffic flow if it is too high, caching information based on the traffic rate, and redirecting traffic to a new load balancing virtual server based on the traffic rate. You can apply rate-based monitoring to HTTP and DNS requests. You configure traffic rate limit identifiers to monitor the rate of traffic. These identifiers can include filters, known as rate limit selectors, to restrict monitoring (for example, based on IP addresses or subnets). You specify traffic rate limit identifiers in rules for advanced policies in any feature where these identifiers may be useful, including Rewrite, Responder, DNS, and Integrated Caching.

Rate-based monitors can be based on the number of HTTP or DNS requests, number of packets, transactions or amount of bandwidth being used. This is useful for preventing overloads on a network, preventing security attacks, and diverting traffic once it reaches a certain watermark.

More on Rate-Based Policy Enforcement can be found in the NetScaler Traffic Management Guide.

Tap into the power of AppExpert!

The Reporting tool of Citrix NetScaler provides built-in reports that display statistics collected by the nscollect utility. You can also create and customize reports. The reports use charts to display the statistics. You can modify the charts and add new charts. You can also modify the operation of the nscollect utility and stop or start its operation.

You can import log data from a different NetScaler, or from a previous time period on the same NetScaler, across different software releases.

Read more about Reporting in the NetScaler Administration Guide.

Compression

TCP Connections

SSL Offload

Bandwidth

CPU & Memory

Tap into the power of AppExpert!

 Keith McLaughlin, Escalation Engineer
 
Keith McLaughlin is a Provisioning Server expert on the Citrix Technical Support Escalation team, joining the team when Citrix acquired Ardence about two years ago. Keith filled us in on the two sessions that he'll present at Citrix TechEdge during Citrix Summit and Synergy 2009: End-to-end virtualization with Citrix Delivery Center, with a focus on Active Directory integration with Provisioning Server, and then his in-depth session will be on Planning and implementing a Provisioning Server high availability (HA) solution.

Q. How has Provisioning Server improved from a support perspective over the past year?
Keith: The biggest improvement this year is the addition of the Streaming Service Logs.  These logs, which came out as part of 5.0 SP1 are extremely helpful in narrowing down the issue.

 Q. What Provisioning Server and Citrix Delivery Center tips will attendees learn at your session this year?
Keith: This year's session is focused on High Availability. In the session we are going to go over troubleshooting procedures and explain in depth what happens when a Target Device fails over and how to track that failover through the logs files. For the Citrix Delivery Center session, I'll focus on Active Directory integration with Provisioning Server Standard Image.

Q: What Provisioning Server Tech Tip can you give people now?

Keith: When planning your Provisioning Server deployment, give the Target Devices unique names in the Provisioning Server Console. Do not use the hostname of the machine that is being imaged as the name of the Target Device. This avoids conflicts when booting the Target Device from the Vdisk.

Q. What new tools or techniques are you using to troubleshoot Provisioning Server?

Keith: A year of working with the 5.0 is probably the biggest factor.  5.0 had many improvements over the previous version and many architecture changes.  Also seeing where customers and end users were running into problems and being able to identify the symptoms because of past experiences greatly cuts down on troubleshooting time.

 Q. What types of cases have you worked on this past year? Why?

Keith: As part of the Provisioning Server Escalation group, I have covered a lot of different issues ranging from Active Directory integration to tracking down possible bottlenecks on customers networks that could be causing timeouts on the provisioning server.

 About Keith McLaughlin

Keith's been with Citrix Technical Support for two years.  He holds certifications in Citrix Certified Administrator, CCA, for Provisioning Server and XenServer. During his free time Keith loves playing the guitar, and his favorite artist is Stevie Ray Vaughan.

Do you have a Provisioning Server troubleshooting area that you would like Keith to focus on during his presentation? Leave a comment.

 Want to learn more about TechEdge 2009, www.citrix.com/techedge. Stay tuned for our weekly close-up interviews on the TechEdge presenters.

Posts in this series:

• Citrix TechEdge - Troubleshooting Tips and Tricks

• Interview 1: Close-up with Jamie Baker

• Interview 2: Close-up with Keith McLaughlin  

Jamie Baker, Sr. Escalation Engineer 

Without a doubt one of Citrix Technical Support's top engineers is Jamie Baker. Jamie works with the Strategic Managed Accounts Resolution team, SMART, which handles 24 hour coverage on critical and high priority issues, and he also is a Subject Matter Expert, SME, in various areas such as Printing, Application Streaming and currently the XenDesktop, SME, for the SMART team. Jamie took a few moments out of his busy day of solving customer issues to answer some questions on the sessions that he'll be presenting at Citrix TechEdge.

The sessions he'll be covering are End-to-end virtualization with Citrix Delivery Center with a focus on XenDesktop, and then presenting an in-depth session on XenDesktop 3 architecture and design. TechEdge is the new name for the Citrix Support and Engineering Institute of Technology, CSEIT. The event is hosted by top Citrix Technical Support engineers at Citrix Summit and Synergy, and is the event for troubleshooting your Citrix Application Delivery environment

 Q. How has XenDesktop improved from a support perspective over the past year?

Jamie: The release of XenDesktop 3.0 has closed a lot of issues, added USB device support which was a big need for a lot of customers and provided pool management failover when using XenServer as the desktop hosting infrastructure. The new failover allows the administrator to configure multiple pool masters for the same XenServer pool in the XenDesktop Management Console and if the original XenServer pool master fails, the Pool Management service will fail over to the secondary pool master. This makes the product much more resilient by eliminating a single point of failure, which is always more supportable

Q. What XenDesktop and Citrix Delivery Center tips will attendees learn at your session this year?  

Jamie: We will provide tips on both how to design your XenDesktop infrastructure to take advantage of the new features in XenDesktop 3.0 and how to implement those new features, including USB device support. We will also provide tips on how to configure XenDesktop to take advantage of the robust hosting infrastructure provided by XenServer.

The Citrix Delivery Center Session will highlight how each of the components of the Citrix Deliver Center can integrate to provide secure and robust access to desktops and applications. We'll focus on each product and the features it brings specifically to complement the entire Citrix Delivery Center.

Q. What new tools or techniques are you using to troubleshoot XenDesktop?

Jamie: Besides from having a year's more experience working with customer issues and the new products, we've developed our internal tools to more quickly identify XenDesktop issues. We've updated the CDFControl utility to allow for remote CDF trace on VDA and DDC machines. This allows us to more easily set up a diagnostic trace and resolve issues more quickly.

This year we've also stood up a public symbol server. This allows us to access more diagnostic data through system dumps and memory dumps without having to bring those dump files in house. In time sensitive situations, this can save us hours of time. It also allows customers and other vendors to diagnose issues from dump files more quickly.

Q. What types of cases have you worked on this past year? Why?

Jamie: For me, being on the critical situation team, I've focused on identifying single points of failure and issues that have the potential for wide impact. The pool management service's ability to connect to a hosting infrastructure and to recover quickly in case of an issue with the infrastructure is the biggest issue we tackled this year. As mentioned above, we were able to build in failover when using XenServer infrastructure. The addition of HDX technology has improved multi-monitor display handling as well as USB device remoting and multi-media display.
 

About Jamie Baker

Jamie's been with Citrix Systems for six years, and all of those with Citrix Technical Support. He started out as a first level frontline support engineer, supporting MetaFrameXP. After two years on the phones, he moved to the Escalation team, and a year later moved to the SMART team. Jamie is currently a Sr. Escalation Engineer, and holds certifications as a CCA in XenDesktop and XenApp, as well as a Windows MCSE.

When Jamie isn't working, he loves to spend time with his wife and three year old twin daughters, exploring all the playgrounds that North Georgia has to offer. On Fall Sundays, you'll find him watching the Philadelphia Eagles and trying desperately to control his emotions so he doesn't scare the dog.

Do you have a XenDesktop troubleshooting area that you would like Jamie to focus on during his presentation? Leave a comment.

TechEdge 2009 sessions:

• End-to-end virtualization with Citrix Delivery Center
• XenDesktop 3 architecture and design
• Planning and implementing a Provisioning Server high availability (HA) solution
• Integrating and troubleshooting Citrix Access Gateway
• Enterprise Edition Advanced troubleshooting of Citrix NetScaler
• XenServer disaster recovery and automation
• Troubleshooting tools and methodology for Citrix XenApp 5 environments

Want to learn more about TechEdge 2009, www.citrix.com/techedge. Stay tuned for our weekly close-up interviews on the TechEdge presenters.

Posts in this series:

• Citrix TechEdge - Troubleshooting Tips and Tricks

• Interview 1: Close-up with Jamie Baker
  

According to Microsoft, SharePoint Server licenses have topped the $1 billion mark and it is rapidly becoming one of the fast-growing Microsoft products ever released.  Given the long standing relationship between Citrix and Microsoft, it should be of no surprise that Citrix NetScaler and Branch Repeater solutions are geared to support SharePoint.  The Citrix NetScaler team has been working on a specific NetScaler template designed to optimize SharePoint performance.  The Citrix NetScaler SharePoint template simplifies the configuration and implementation of NetScaler in a SharePoint environment to easily obtain the NetScaler performance benefits.  A quick start guide to the SharePoint AppExpert Template for NetScaler is available.  The Branch Repeater team has been working closely with Microsoft to develop the Citrix Branch Repeater for Windows Server, a Windows Server version of the Branch Repeater with the ability to incorporate Microsoft Internet Security and Acceleration (ISA) Server. 
So great, everyone has been working together on a cohesive solution, but where is the action?  Where are the performance numbers?  We are actually lucky to have two different reports on this exact topic from two different perspectives - Citrix Worldwide Consulting Solutions did one and HP did one.    HP did an analysis of NetScaler 8 and WANScaler  4.3(Using Citrix solutions to increase Microsoft Office SharePoint Server 2007 WAN performance on HP BladeSystem), but the Branch Repeater and NetScaler SharePoint AppExpert template did not exist at the time.  So, the Consulting Solutions team took another pass, using the latest Branch Repeater release and also the AppExpert template for NetScaler 9 to create SharePoint 2007 with Citrix NetScaler and Branch Repeater Performance Assessment. And within our testing, we used a different methodology to allow Administrators to look at things from a different perspective. Between the two reports, Administrators should get a nice broad spectrum of how NetScaler and WANScaler/Branch Repeater improve SharePoint performance. 
The key differences between the HP document and the Citrix document include an evaluation of the CPU utilization benefits associated with offloading the SSL traffic from the SharePoint web servers to the NetScaler.  In addition, the page response time was assessed for the NetScaler and Branch Repeater independently and then also assessed as a combined solution.  With the results from the NetScaler and Branch Repeater combined solution showing a response time improvement of over 84% in some scenarios. 
If you have a Microsoft Office SharePoint Server environment, then you need to read about the performance improvements Citrix can provide shown in the SharePoint 2007 with Citrix NetScaler and Branch Repeater Performance Assessment document.  This document will provide you with all the test data, environment configurations, and test plans used to obtain these remarkable performance improvements.
 

If your thinking about attending Synergy 2009 you may want to check out some of the "underground" videos taken at Synergy 2008 on a new Synergy Underground Channel on YouTube at: 

http://www.youtube.com/synergyunderground

Citrix Synergy 2009

Where Virtualization, Networking and Application Delivery Meet

MGM Grand Hotel, Las Vegas (May 4-7, 2009)

For more information: www.citrixsynergy.com

What's Citrix TechEdge?

TechEdge, the new name for Citrix Support and Engineering Institute of Technology (CSEIT), started nine years ago as a small in-depth troubleshooting training event hosted by Citrix Technical Support for support agreement customers.  Over the years, this event has grown from 50 customers to over 300 customers and now  provides training to our support agreement customers prior to Citrix Synergy and to our partners as a part of Citrix Summit.  This has become the event for troubleshooting the Citrix Application Delivery environment.

 Meet the support experts who can answer all of your technical questions:

Citrix Technical Support's top Escalation team engineers are hosting the TechEdge 2009 sessions. Here are some interesting facts about the team.

• On average these guys work and close 65 to 100 cases each per year.

• There are a total of 65 engineers on the team, so that's over 5,000 cases total per year.

• The average engineer has ten to fifteen years experience in the IT industry; the most common certifications are CCA and MCSE, ANG NetScaler and AGEE.
  

What they'll cover:

• End-to-end virtualization with Citrix Delivery Center
• XenDesktop 3 architecture and design
• Planning and implementing a Provisioning Server high availability (HA) solution
• Integrating and troubleshooting Citrix Access Gateway, Enterprise Edition
• Advanced troubleshooting of Citrix NetScaler
• XenServer disaster recovery and automation
• Troubleshooting tools and methodology for Citrix XenApp 5 environments  
  
  

Who can attend?
All partners who have registered for Summit, Citrix Technology Professionals (CTP) and customers with active support or maintenance agreements as of the first day of the event (May 3, 2009).
 

When and where?

The event will be at the MGM Grand Hotel and Casino in Las Vegas, Nevada on Monday, May 4th from 8:00am to 5:30pm. 

Here's what a few past attendees had to say:

"This was probably the most valuable day of iForum [Synergy]. It was extremely technical and really provided a lot of insight into managing a Citrix environment."

"In-depth seminars, get to meet face to face with the people that support us, a wonderful venue."

Check out past event presentations and videos:

TechEdge 2008
October 29, 2008
Orlando, FL
Presentations and Session Videos

CSEIT 2008
May 19, 2008
Houston, TX
Presentations and Session Videos

CSEIT 2007
October 21, 2007
Las Vegas, NV
Presentations and Session Videos

Click here to register for TechEdge 2009

Learn More:

Want to learn more about TechEdge 2009, www.citrix.com/techedge. Stay tuned for our weekly close-up interview blog posts of the TechEdge presenters. Please let us know your thoughts, questions and feedback.

This post is part of a series on the TechEdge event:

• Check out my interview this week with Jamie Baker to discuss his sessions on End-to-end virtualization with Citrix Delivery Center and XenDesktop 3 architecture and design.

Cost Savings, Green Benefits and Improved Server Management.

Citrix Systems, Inc. (NASDAQ: CTXS), the global leader in application delivery, recently announced that leading enterprise resource planning (ERP) manufacturer SAP AG will be virtualizing an estimated 500 servers with Citrix® XenServer™ by the middle of 2009. SAP has also deployed Citrix® XenApp™ application virtualization technology to deliver applications to both SAP employees and external partners. In addition, SAP expects to receive the benefits that a combined XenServer and XenApp solution provides - such as streaming standardized workload images and superior management functionality - which the company anticipates will generate a 35 percent savings in terminal server costs.

SAP was looking to consolidate its server infrastructure and also wanted to create a much more flexible and dynamic computing architecture. Following an extensive test of XenServer, the company decided to move forward with a multi-stage roll-out of the server virtualization solution onto 500 servers, initially in the company's Saint Leon Rot, Germany office. In the next phase of the project, the servers that power the worldwide training centers will be virtualized, followed by the project management division with several hundred development, test, and support environments. After the server virtualization project in Germany is complete, the roll-out will continue at the end of 2009 to SAP's offices in Asia and the United States.

SAP has also deployed Citrix XenApp application virtualization technology to deliver more than 40 applications, including Microsoft Office and the SAP Business Suite software, to its entire user base. In total, there are more than 50,000 end users who access the XenApp infrastructure to work on tasks such as product development and support.

XenServer is FREE !

Read more news like this.

Its powerful AppExpert!