Post to Twitter
Canonical URLs
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler. On some Apache web servers there is more than one URL for a resource. Usually there are canonical URLs (which should be used and distributed as a best practive) and those which are just shortcuts, internal ones, etc. Independent of which URL was supplied with the request, the user should only see the canonical one URL in the response.
Example : converting URL /~user to /u/user.
Apache rewrite:
RewriteRule ^/~([^/]+)/?(.*) /u/$1/$2[R]
AppExpert rewrite:
Add responder action act1 redirect '"/u/"+HTTP.REQ.URL.AFTER_STR("/~")' -bypassSafetyCheck yes Add responder policy pol1 'HTTP.REQ.URL.STARTSWITH("/~") && HTTP.REQ.URL.LENGTH.GT(2)' act1 Bind responder global pol1 100
Tap into the power of AppExpert!
SAP certifies NetScaler v9.0 and Branch Repeater/WANScaler v4.5 solution
On 3/31/2009, SAP certified Citrix NetScaler v9.0 and Citrix Branch Repeater/WANScaler v4.5 as an integral solution to improve the delivery of the SAP applications. For SAP Portal, the Citrix NetScaler & Branch Repeater/WANScaler solution improved response time to clients. For downloads and backend operations from SAP Composite and ERP servers, response time was also improved.
SAP customers have hundreds of branch offices with a mixture of small and large offices, and a global distribution. It is important to have a solution which optimizes, simplifies and accelerates the delivery of the SAP applications. During certification testing it was proven that the NetScaler and Branch Repeater/WANScaler products improve performance of SAP applications through acceleration, provide security through HTTPS connections, and provide reliability & high availability through load balancing.
Read more about NetScaler here.
Read more about Branch Repeater/WANScaler here.
Tap into the power of AppExpert!
Rate Based Policy Enforcement:
New in NetScaler 9.0 are Rate-Based policies which can be used to control, limit and throttle traffic to various servers. Rate Based Policies use the advanced expression syntax found in the Policy Infrastructure (PI) format of the NetScaler, which is also new for 9.0.
You can monitor the rate of traffic that flows through virtual servers or other User defined entities that are associated with different virtual servers, including URLs, domains, and combinations of URLs and domains.
You can control Citrix NetScaler behavior based on the traffic rate, including throttling the traffic flow if it is too high, caching information based on the traffic rate, and redirecting traffic to a new load balancing virtual server based on the traffic rate. You can apply rate-based monitoring to HTTP and DNS requests. You configure traffic rate limit identifiers to monitor the rate of traffic. These identifiers can include filters, known as rate limit selectors, to restrict monitoring (for example, based on IP addresses or subnets). You specify traffic rate limit identifiers in rules for advanced policies in any feature where these identifiers may be useful, including Rewrite, Responder, DNS, and Integrated Caching.
Rate-based monitors can be based on the number of HTTP or DNS requests, number of packets, transactions or amount of bandwidth being used. This is useful for preventing overloads on a network, preventing security attacks, and diverting traffic once it reaches a certain watermark.
More on Rate-Based Policy Enforcement can be found in the NetScaler Traffic Management Guide.
Tap into the power of AppExpert!
The Reporting tool of Citrix NetScaler provides built-in reports that display statistics collected by the nscollect utility. You can also create and customize reports. The reports use charts to display the statistics. You can modify the charts and add new charts. You can also modify the operation of the nscollect utility and stop or start its operation.
You can import log data from a different NetScaler, or from a previous time period on the same NetScaler, across different software releases.
Read more about Reporting in the NetScaler Administration Guide.
Compression
TCP Connections
SSL Offload
Bandwidth
CPU & Memory
Tap into the power of AppExpert!
EasyCall Conferencing
One of the larger expenditures for enterprises is the cost of voice communications, specifically conference calling. Most enterprises use an outside vendor to host the conference calling capabilities for global communications between internal employees and external participants. You can completely do away with that cost with EasyCall Conferencing. Here is how it works...
EasyCall Conferencing, which is a feature of EasyCall, allows EasyCall users to quickly set up ad-hoc conferences by sending participants an EasyCall Conferencing URL. Participants join a conference call simply by clicking a URL instead of having to dial a conference phone number and complex access codes. The calls are hosted on the EasyCall Gateway, providing toll-free access at much lower cost than commercial audio conference services.
To enable external users to join EasyCall Conferences, join requests must be proxied to the EasyCall Gateway from the internet as the EasyCall Gateway is always installed inside the corporate firewall. This is similar to many web applications that require protected external access, and the HTTPS proxy is simple to configure on the Citrix Netscaler to provide the necessary SSL Offloading and Content Filtering.
The Citrix NetScaler System provides continuous service availability through application-level protection by blocking attacks and delivery of the EasyCall application securely. The Citrix NetScaler Content filtering prevents unwanted requests from reaching the EasyCall Gateway.
The EasyCall Conferencing configuration template for the NetScaler policies is provided free of charge right here on our community website. Just import it, and your NetScaler is setup for EasyCall Conferencing.
Together, the EasyCall Gateway and NetScaler provides a low-cost, non-recurring charge, to host global conference calls with your own equipment, making it easy for participants to join just by clicking a URL ... no cryptic meeting codes or passwords.
Download the EasyCall Conferencing / NetScaler Deployment Guide Guide.
Download the EasyCall Conferencing - NetScaler AppExpert Configuration Template.
Watch how easy this is:
How it will look in your network:
Download the EasyCall Virtual Appliance here.
Get the NetScaler here.
Tap into the power of AppExpert!
NetScaler supports the chaining of Intermediate SSL Certificates
Up to 10 Chained Certificates to be exact, one Server Certificate and nine CA Certificates.
Verisign recently posted an advisory stating the discontinuance of Unchained SSL Certificates, and that all Verisign SSL Certificates issued after Dec 11, 2008 will be chained to Root CAs to align with security best practices - Read the advisory here.
Chaining of Certificates is done with Intermediate Certificates. What are Intermediate Certificates?
They sit in the middle, between the Public Trusted Certificate Authority (CA) and your Server, in our case the Citrix NetScaler.
The Citrix NetScaler Application Switch supports the chaining of SSL Certificates just for this very purpose, and to show how easy it is to obtain an SSL Certificate from a Trusted Certificate Authority, such as Verisign, and install it into the Citrix NetScaler, we developed the following deployment guide to walk you through the process.
Verisign Certificate Authority w/ Citrix NetScaler SSL Deployment Guide.
Citrix Systems is closing the gap on the Number 1 Load Balancer for Web Applications. They are certainly a leader and not going to relent on the pace. Check out the Gartner Magic Quadrant. Further proving a commitment to Application Delivery, Citrix teamed with Akamai to extend Application Delivery from the datacenter into the cloud. Combining Akamai's efficiency in the cloud with Citrix's efficiency in the datacenter provides the ultimate in global acceleration of applications.
Citrix & Akamai Load Balancing Deployment Guide.
Tap into the power of AppExpert!
Read about the Citrix Load Balancer here.
Buy the Citrix Load Balancer here.
The #1 Web Filter by St.Bernard is now Citrix Ready. The Highest Performance Web Application Solution from Citrix Systems can now be deployed with the the #1 Web Filter by St. Berdard. IDC ranked them #1, SC Magazine gives them high ratings, and you will agree when you plug this thing in. The Citrix Web Application Firewall protects inbound traffic destined to Web and Application Servers without degrading throughput or response time. Now, with St.Bernard's iPrism h-Series high performance appliances, you can also do outbound Web filtering, IM/P2P filtering, and antivirus detection. The iPrism Web Filter is optimized for the datacenter infrastructure and sits behind the firewall while it monitors traffic. St. Bernard's platforms are hybrid so that Web filtering, antivirus and IM/P2P filtering are all contained within one box - unlike other point solutions.
St.Bernard's iPrism Web Filter is easy to use and easy to manage. If fact, it's so easy, we had the device up and running in Proxy mode and then in Bridge mode in a matter of seconds. The management software auto-discovers the box, so you don't have to plug in a console cable - very nice!
It is far better than a transparent proxy because St.Bernard has engineered their filtering technology at the kernel level, so their bridge mode really is a bridge between interfaces, and not just a transparent proxy like other solutions in the market.
We deployed the iPrism Web Filter behind our NetScaler, and had the NetScaler perform NAT (Reverse NAT) for outbound connections to the Internet. The iPrism Web Filter adds another level of security that IT organizations sometimes look for to complement their existing base of high-performance Citrix Gear.
Citrix & St.Bernard Deployment Guide!
You can try this product for free.
The product demo is awesome.
As a hybrid unit, this is a steal.
NetScaler Developer Network!
As web applications grow in complexity, the art of accelerating them seems to remain the same. This art is performed by applying some basic concepts to the application; that is, Caching, Compression, Load Balancing, Global Server Load Balancing, SSL Offload & Acceleration, Content Switching, TCP Multiplexing and SSL Session Reuse.
Citrix® is a leader in Gartners magic quadrant for Application Delivery with their flagship appliance NetScaler®. NetScaler accelerates web application performance by leveraging multiple acceleration technologies and innovative TCP optimizations.
Whether you are building out a new datacenter and architecting it the right way, or retrofitting an existing datacenter, Citrix NetScaler will perform and keep costs down. Whether you are looking to accelerate legacy enterprise applications such as Oracle or SAP, or building a new web 2.0 social community, Citrix NetScaler contains all of the tools to get you there.
Citrix NetScaler web application delivery solutions are purpose built appliances that accelerate application performance, while simultaneously reducing datacenter costs and improving web application security. Platforms range from the entry level 7000 to the latest MPX-series appliances that provide an industry-leading 15 Gbs of throughput at Layers 4 through 7.
There's more here: Case Studies, White Papers, Analysts , Datasheets
Check out the new MPX!
Buy it here!
Tap into the power of AppExpert!
Becoming an Application Expert means that you can profile an application and quickly determine how it can be architected or re-constructed for higher performance. Of course, we want you to use the Citrix Application Switch as part of the architecture. In Part 1, we learned how to profile an application to learn what it looks like as the traffic flows through the Citrix Application Switch. Now we will determine what parts of an application are cacheable and what parts are non-cacheable.
By Application Profiling we can determine which parts of the application are cacheable and non-cacheable just by looking at the Request and Response headers. The application will sometimes tell you through it's "Cache-Control" header directives. Some content that we just know is static and doesn't ever change, we can consider cacheable as static content. Content that changes, such as reports, are often considered non-cacheable but with the help of Selectors and Dynamic Content Groups in the Citrix NetScaler, this content can be cached. As a proof of concept, we deployed the Citrix NetScaler Application Switch in the front of Oracle E-Business Suite v12 application and implemented caching policies for both static and dynamic content. As it turns out, alot of static content is cached by default policies and setting up dynamic policies is not that difficult. To see how, read the Caching Deployment Guide for Oracle E-Business Suite v12.
Watch this Caching Tip:
Tap into the power of AppExpert!
Application Profiling
Introduction:
I can turn you into an Application expert in 5 minutes by reading this post. Just do what the experts do, or even the not-so-experts. They pay meticulous attention to the requests from clients and the responses from servers, both headers and body content. You do this the old fashioned way by taking a trace. There are better tools out there, some free, some not-so-free.
Running a trace:
Running a trace will help you 'profile' the application. It is recommended that you do this before placing the Citrix Application Switch in-line of the Application traffic. This will gather important information about the Application that will help you understand it's basic operation at Layer 7, and help you begin to understand what it is that needs to be accelerated - cached, compressed, load balanced, ssl offloaded, etc.
Running a trace exposes the flow of transactions between all points of interest. Traces are especially helpful when digging in to find what is contained within the headers being exchanged between the client and the application.
Taking a trace with wireshark:
The free network protocol analyzer called wireshark, http://www.wireshark.org, will capture packets for you on the localhost, whether it's windows or linux. By filtering the stream of packets by IP Address, right clicking and selecting 'Follow TCP Stream' inside of wireshark, you can see the headers for both requests and responses.
 | Wireshark tip 1 Find the first 'SYN' in the stream, right click, 'Follow TCP Stream'. |
| Wireshark tip 2 Client requests are in Red, Server responses are in Blue. |
Taking a trace with the Citrix Application Switch:
If the Citrix Application Switch is already in place, a trace can be run directly on the Citrix Application Switch. Running a trace will expose the flow of transactions between all points of interest, especially the client, load balancing VIPs and backend servers. Traces are especially helpful when digging in to find out if the proper headers are being exchanged between client & VIP and VIP & backend servers. A trace can be run directly on the Citrix Application Switch. Once downloaded this file can be opened and request and response headers read with Wireshark, a free network trace utility, http://www.wireshark.org. From the Citrix Application Switch GUI, navigate to NetScaler -> System -> Diagnostics -> New Trace -> Run.
Viewing headers with Paros:
Paros was originially written for web security, but has value when viewing request and response headers, cookies and the like. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted. There is an additional option of trapping and modifying data before sending it on to the server, or client. Paros can be found at http://parosproxy.org. Free.
Viewing headers with Live HTTP Headers:
Live HTTP Headers, http://livehttpheaders.mozdev.org/, was developed for use with the Firefox web browser. It is a free add-on and allows you to view HTTP header information in real time. Free.
Viewing headers with IE Analyzer:
IEInspector HTTP Analyzer, http://www.ieinspector.com, is a tool that allows you to monitor, trace, debug and analyze HTTP/HTTPS traffic in real-time. It works with Microsoft Internet Explorer. Not-Free.
Viewing headers with IE Watch:
IEWatch, http://www.iewatch.com, is another plug-in for Microsoft Internet Explorer that helps you profile your web applications. You can use this tool to dig deep into the inner workings of web applications to find hidden issues. Not-Free.
Watch this Application Profiling Tip:
Tap into the power of AppExpert
The SAP Enterprise Service Oriented Architecture (SOA) provides a blueprint for services-based, enterprise scale business solutions that are adaptable, flexible, and open. Enterprise Services Architecture takes the concept of service-oriented architecture to a new level by transforming Web services into enterprise services. Bringing Citrix and SAP Enterprise Services Architecture together reduces the dependence on customized applications, and increases flexibility and reduces time to deployment while reducing operational expenses.
This Citrix / SAP Enterprise SOA Deployment Guide was created out of a joint engagement between Citrix and SAP at the Co-Innovation Laboratory in Palo Alto, California, USA. This deployment guide walks through the step-by-step configuration details of how to configure the Citrix NetScaler for use as front-end to SAP Portal for end-user traffic, that is HTTP ~ HTML. To further complement the value of the Enterprise SOA, this guide walks through the details of how to configure the Citrix NetScaler for use as a front-end to the SAP Composite Application Framework and SAP ERP Web Services platforms, providing a flexible load balancer and HTTPS encryption point for machine to machine web service traffic. With this deployment Citrix becomes an integral and flexible part of the SAP Enterprise SOA "Applistructure" bringing together applications and technology for a fast, flexible and highly effective service oriented IT infrastructure.
Watch this Load Balancing Tip:
Tap into the power of AppExpert
We recently had a meeting with a large partner of ours and they handed down some hefty requirements. An average of 100 partners using their portal on any given month to access their development environments on the backend. It was clear that NetScaler could scale, but the question was how to keep all of those partners separated from each other, without them peeking into each others traffic. It turned out to be easier than we thought using the NetScaler as an SSL VPN with the addition of some policies bound to each partner's user group. The following is an overview of the network diagram, and there are some deployment guides to walk you through these installations.
The Citrix SSL VPN CPS Deployment Guide walks you through deploying NetScaler SSL VPN as an ICA Proxy and authentication point. It then walks you through deploying Citrix Presentation Server and the steps necessary to connect the SSL VPN to the CPS Applications. The guide includes Session policies which direct users upon authentication to specific CPS farms on the backend of the NetScaler SSL VPN. Think of it as an authentication portal.
The Citrix SSL VPN Deployment Guide walks you through deploying NetScalers as an HA Pair, and then as an SSL VPN with ICA Proxy OFF. The intention was to use the SSL VPN for regular VPN traffic, and not Citrix Presentation Server traffic. Just as well, policies can be combined on the same NetScaler Application Switch to allow both non-CPS and CPS traffic to traverse the same SSL VPN.
Tap into the power of AppExpert
Moved Document Root
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
Usually the Document Root of the web server directly relates to the URL "/". But in some cases the document root should shift to some other directory. The following rules can be used to implement this.
Example : Rewrite the url / to /e/www
Apache rewrite:
RewriteEngine on RewriteRule ^/$ /e/www/ [R]
AppExpert rewrite: (There are two ways to do this)
add responder action act1 redirect '"/e/www/"' -bypassSafetyCheck yes add responder policy pol1 'HTTP.REQ.URL.EQ("/")' act1 bind responder global pol1 100
add responder action act1 redirect '"/e/www"+HTTP.REQ.URL' -bypassSafetyCheck yes add responder policy pol1 '!HTTP.REQ.URL.STARTSWITH("/e/www/")' act1 bind responder global pol1 100 END
Tap into the power of AppExpert!