The St.Bernard iPrism works with Citrix's application virtualization platform, XenApp, and works quite well. Seen as a perfect complement to each other, the Citrix NetScaler and XenApp products were tested with the St.Bernard iPrism Web Filter. Both companies offer one-arm (out-of-band) and two-arm (in-band) deployment architectures. At Citrixlabs in Santa Clara, CA, USA, we tested both the out-of-band and in-band configurations of the iPrism Web Filter. We loved the fact that the iPrism is auto-discovered by the management software, so no console cable was needed.
With NetScaler:
We deployed the iPrism Web Filter behind the NetScaler in our proof of concept datacenter in Santa Clara, CA, USA, and configured the NetScaler for NAT (Reverse NAT) for outbound connections to the Internet. NAT is often performed by the firewall. The Web Application Firewall, also part of the Citrix NetScaler, was configured to protect websites and web applications against inbound security threats.
The iPrism was configured to monitor outbound traffic from the internal subnet of 172.16.104.0/24, block all traffic to offensive websites, and monitor traffic to all other websites. The Real-Time monitor in iPrism gave us a detailed report on which users and IP addresses were going out to which sites on the Internet. We could see who was accessing what, and which content was being blocked. Particularly nice was the fact that the iPrism automatically authenticated each user to the Citrixlabs domain controller every time they surfed to a new website, without them knowing it. This was very useful for keeping a tight grip on security and for compliance reporting.
With XenApp:
The powerful value is in the integration with XenApp. We plugged the iPrism in as an in-line device, and configured it to work with Citrix XenApp©, formerly known as Citrix Presentation Server. One of the key questions that will arise in this situation is: with all of those Citrix XenApp thin clients logging into XenApp and then launching browsers to the Internet, how does iPrism keep track of them? By adding the XenApp IP address to the iPrism configuration, the users are tracked using "Session Based Authentication", which captures each individual user and IP address in each browser session and in the reports. We were impressed by this and determined the iPrism to be an excellent fit for a datacenter outfitted with Citrix.

Citrix & St.Bernard Deployment Guide!
AppExpert is now a useful tag used by Citrix Systems, Inc., to qualify articles and content on the web as that which pertains to the art of delivering applications to an end user. Becoming an "Application Expert" is not only an art, but as with anything else in the internet industry, takes time to learn. Becoming an Application Expert and using the knowledge takes time, drive and patience. In an effort to make this art easier, Citrix embarked on a series of product enhancements targeted toward the Application Expert, which started with the use of the NetScaler Policy Engine.
This was the first of many enhancements directed toward making application delivery easier for the individual using the product. Other product nomenclature was created for other features, such as "AppCompress" and "AppCache", but "AppExpert" seemed to stick, and a community website was born to promote the development of policies and expressions used in the course of business on the NetScaler at customer sites, by partners and in the labs at Citrix Systems.
The concept of the community site grew with favor as a much needed interactive forum for the exchange of ideas, policies, blogs, video tips and information to expand the knowledge of those using the Citrix products. Thus, the AppExpert community site was born to express this direction of growth in knowledge.
In an effort to create a community site that is both practical and useful for our customers, and in keeping with the principles of ease of use and name recognition, the community site formerly named "AppExpert" has been renamed to "NetScaler Developer Network" to allow for an easier fit among other Citrix product lines as the Citrix community continues to grow.
NetScaler Developer Network!
The #1 Web Filter by St.Bernard is now Citrix Ready. The Highest Performance Web Application Solution from Citrix Systems can now be deployed with the #1 Web Filter by St.Bernard. IDC ranked them #1, SC Magazine gives them high ratings, and you will agree when you plug this thing in. The Citrix Web Application Firewall protects inbound traffic destined to Web and Application Servers without degrading throughput or response time. Now, with St.Bernard's iPrism h-Series high performance appliances, you can also do outbound Web filtering, IM/P2P filtering, and antivirus detection. The iPrism Web Filter is optimized for the datacenter infrastructure and sits behind the firewall while it monitors traffic. St.Bernard's platforms are hybrid, so Web filtering, antivirus and IM/P2P filtering are all contained within one box, unlike other point solutions.
St.Bernard's iPrism Web Filter is easy to use and easy to manage. In fact, it's so easy, we had the device up and running in Proxy mode and then in Bridge mode in a matter of seconds. The management software auto-discovers the box, so you don't have to plug in a console cable - very nice!
It is far better than a transparent proxy because St.Bernard has engineered their filtering technology at the kernel level, so their bridge mode really is a bridge between interfaces, and not just a transparent proxy like other solutions in the market.
We deployed the iPrism Web Filter behind our NetScaler, and had the NetScaler perform NAT (Reverse NAT) for outbound connections to the Internet. The iPrism Web Filter adds another level of security that IT organizations sometimes look for to complement their existing base of high-performance Citrix Gear.

Citrix & St.Bernard Deployment Guide!


You can try this product for free.

The product demo is awesome.

As a hybrid unit, this is a steal.






NetScaler Developer Network!
Load Balancing
A crucial piece of knowledge to being an Application Expert is providing availability and offload of the backend servers across any TCP port number. Most web applications run on port 80 and 443. Some enterprise applications use custom ports. Either way, if you want to optimize the performance and keep clients connected when one of the servers or applications starts to fail, you will need a Load Balancer such as the Citrix Application Switch.
Load balancing allows you to distribute incoming requests to a particular virtual server (vserver or VIP) evenly across several backend physical servers. This is also known as Server Load Balancing (SLB). The virtual server runs load balancing algorithms within the Citrix Application Switch.
A vserver consists of a combination of an IP address, port, and protocol that accepts the incoming traffic. The vserver is bound to a number of physical services running on physical servers in the backend server farm. Typical physical servers range from Apache web servers to high-end enterprise applications such as SAP and Oracle.
The way it works is a client sends a request to the virtual server, which selects a physical server in the backend server farm and directs the request to the selected physical server. Load balancing allows the Citrix Application Switch to choose the physical server with the lowest load and greatest available resources and directs the incoming request to that server. The Citrix Application Switch can select from many different algorithms for balancing the load, the most common being Round Robin.
Different virtual servers can be configured for different sets of physical services, for example TCP and UDP services. The Citrix Load Balancer supports protocol/application specific vservers for HTTP, HTTPS, FTP, SSL, SSL BRIDGE, SSLTCP, NNTP, DNS, SIP and SNMP services.
To help with your understanding and first-time configuration, this deployment guide speaks directly to configuring Load Balancing and SSL Offload on a Citrix Application Switch. It was developed for the SAP Application, but the concepts apply to any Web Application.
Citrix Load Balancing Deployment Guide.
Tap into the power of AppExpert!
Read about the Citrix Load Balancer here.
Buy the Citrix Load Balancer here.
Monitoring the Wanscaler. This is the fourth video in the four part series of configuring a Wanscaler environment for FTP demonstrations. The first in this series is configuring the W2K3 machine, the second is configuring the XPclient, the third is configuring the Linktropy WAN simulator, and the fourth is monitoring the Wanscaler.
Configuring the XPclient. This is the second video in the four part series of configuring a Wanscaler environment for FTP demonstrations. The first in this series is configuring the W2K3 machine, the second is configuring the XPclient, the third is configuring the Linktropy WAN simulator, and the fourth is monitoring the Wanscaler.
Configuring the W2K3 server for FTP transfer. This is the first video in the four part series of configuring a WanScaler environment for FTP demonstrations. The first in this series is configuring the W2K3 machine, the second is configuring the XPclient, the third is configuring the Linktropy WAN simulator, and the fourth is monitoring the Wanscaler.
This is the second video in a two part series showing CIFS acceleration over a WAN link using Wanscaler. This video will demonstrate the amount of CIFS optimization that occurs in a Wanscaler environment.
Here is a video demonstration of Microsoft CIFS acceleration over WanScaler. The equipment used for this demo was a Microsoft W2K3 server, an XP client, and an Apposite Linktropy WAN simulator.
Although the demonstration seems very simplistic, CIFS acceleration represents a milestone in WAN acceleration and in data networking in general. CIFS is the protocol that is used by Microsoft servers and clients to exchange information. The protocol was originally designed to function over a LAN environment with a minimum of 10 Mbps throughput, half-duplex. As enterprises began expanding their data services to remote offices, CIFS, designed for a LAN, was being used over low bandwidth, high latency WANs. Performance and end-user experience vary greatly in this environment, and the protocol carries a very high, inefficient overhead. With an accelerator between the remote and central office, TCP transmissions are optimized and thus the protocol is streamlined. Users can now experience LAN-like performance while being thousands of miles away from HQ.
Border Gateway Protocol, open-source and it's para-virtualized. No more proprietary software and hardware; you can run as many copies of this as needed on one physical XenServer machine. As a proof point, we used the Vyatta Open Source router to build out our Link Load Balancing network in Santa Clara. The Open Source Vyatta is running on a Dell server. We configured the BGP routing protocol, but could also have configured OSPF or RIP and redistributed the routes. This configuration has been proven to outperform the incumbents, and is less costly by a wide margin. Reduce opex and capex and start rolling this out today.
What is needed:
- Vyatta Open Source Networking Software
- A Dell Server that supports Virtualization
- XenServer Enterprise 4.1
We are all used to the familiar commands to configure IP Addressing on *nix and *dows types of systems, however there is a little bit of a trick involved with XenServer.
Imagine if you had built your XenServer in one location and then transported it to another location where a different IP Addressing scheme was being used. In order to have XenCenter come in contact with the XenServer again, you will need to re-configure the Management IP Address. Since you probably won't RTM, and you don't want to rip your hair out trying to figure it out, the steps are outlined in this XenServer Tip.
Rewrite
Performing content rewrite at milli-speed is key to providing a front-end device for application delivery. Most important is the capability to rewrite both request and response headers & body content which the Citrix Application Switch does and it is an easy 3-step process to configure. Not only is it easy, it scales to Enterprise class applications, which we demonstrated here with the Oracle Enterprise Business Suite v12 in our lab in Santa Clara, CA, USA.
This Content Rewrite Deployment Guide walks through the steps necessary to quickly profile an application and configure the Citrix Application Switch for content rewrite. This deployment guide can be used as a reference for other Enterprise applications, in addition to Oracle. Some typical examples of how customers use the Citrix Application Switch for content rewrite are to insert the Client-IP as an HTTP header, delete old X-Forwarded-For headers, tag SSL and non-SSL connections, mask the HTTP server type (Server Obfuscation), redirect external URLs to internal URLs (Application Obfuscation), migrate Apache rewrite module rules, redirect marketing keyword requests, redirect old home pages and redirect queries to the appropriate server.
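Four of the rewrites listed above, sketched as an added Python example (it is not Citrix configuration and not taken from the deployment guide): delete client-supplied `X-Forwarded-For` headers, insert the `Client-IP` the proxy actually observed, tag the connection as SSL or non-SSL, and mask the `Server` response header. The function names, the `X-Forwarded-Proto` tag header and the sample values are assumptions of this example.

```python
# Added example (not Citrix configuration): four rewrites from the list above,
# written as plain functions over HTTP header lists.
import ipaddress

# Request headers a client can forge to claim another address or scheme.
# Using X-Forwarded-Proto as the SSL tag is an assumption of this example.
CLIENT_CONTROLLED = {"x-forwarded-for", "client-ip", "x-forwarded-proto"}


def rewrite_request(headers, peer_ip, is_ssl):
    """Return a new header list for the backend.

    headers -- list of (name, value) pairs as received from the client
    peer_ip -- source address of the TCP connection, as seen by the proxy
    is_ssl  -- True when the client connection was SSL
    """
    # Raises ValueError if the caller passes something that is not an address,
    # so nothing unvalidated is copied into a header.
    peer = ipaddress.ip_address(peer_ip)

    # Delete every copy of the forgeable headers. Names are case-insensitive
    # and may repeat, so a single dictionary lookup would miss some of them.
    kept = [(name, value) for name, value in headers
            if name.strip().lower() not in CLIENT_CONTROLLED]

    # Insert only the values the proxy itself observed.
    kept.append(("Client-IP", str(peer)))
    kept.append(("X-Forwarded-Proto", "https" if is_ssl else "http"))
    return kept


def rewrite_response(headers, banner="webserver"):
    """Mask the HTTP server type: replace every Server header with one banner."""
    kept = [(n, v) for n, v in headers if n.strip().lower() != "server"]
    kept.append(("Server", banner))
    return kept


def header_values(headers, name):
    """All values for a header name, compared case-insensitively."""
    return [v for n, v in headers if n.strip().lower() == name.lower()]


# Constructed sample: a request whose sender tries to pass as an internal host.
SAMPLE_REQUEST = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("x-forwarded-for", "127.0.0.1"),
    ("Client-IP", "10.0.0.1"),
    ("User-Agent", "constructed-sample"),
]
SAMPLE_RESPONSE = [("Server", "ExampleHTTPd/1.2.3"), ("Content-Type", "text/html")]

if __name__ == "__main__":
    for name, value in rewrite_request(SAMPLE_REQUEST, "198.51.100.7", True):
        print(f"{name}: {value}")
    for name, value in rewrite_response(SAMPLE_RESPONSE):
        print(f"{name}: {value}")
```

Backends that make access or logging decisions from `Client-IP` can then rely on it, because every client-supplied copy has been removed before the proxy's value is added.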
Read about the Citrix Application Switch here.
Buy the Citrix Application Switch here.
In the Application Expert series part 2, Caching, I released a Deployment Guide discussing Static and Dynamic Caching. As we are partners with Microsoft, we recently did some work here internally setting up some Dynamic Caching for an ASP.NET application and thought we would share the knowledge. This Caching Deployment Guide for ASP.NET Web Applications discusses the way an Application Expert would find out the potential caching scenarios that a web application can benefit from, and shows how to create and test the NetScaler caching policies and settings to put these scenarios into effect.
And it's FREE! Throw away those behemoths that suck power from every grid in the state and drain your budget. This baby is Free, Open Source and VIRTUAL, meaning you can run as many instances of this router as you want on your choice of hardware. What is even more gratifying is it's faster than the old router technology.
Vyatta has commoditized router, firewall and VPN deployment in the same way that Linux commoditized the operating system market. Vyatta open-source networking offers you an alternative to over-priced, inflexible products from proprietary vendors.
Vyatta software enables customers to build routing and security solutions using standard x86-based hardware of their choosing, ensuring networks will always meet performance requirements. Vyatta open-source software delivers the unique advantage of allowing customers to scale networks from the simplest LAN configurations to large BGP WAN edge configurations using a single software package.
Vyatta software includes support for most commonly used network interfaces, industry standard routing and management protocols, and all of these features are configurable via a single command-line interface (CLI) or web-based graphical user interface (GUI) - avail Q3'08. The integrated features and functionality make Vyatta software ideal for SMB, Branch Office, Enterprise and Service Provider deployments.
Summary of features:
BGP, OSPF, RIP, DHCP, QoS, IPSec VPN, VRRP, PPP, 802.1Q, Complete List.
This open source router is already running on XenServer in a large service provider in Europe. We are using it in our Citrix Ready program as a multi-link Intranet with connections to the Internet along with high availability link load balancing.
This para-virtualized Vyatta image runs as a virtual appliance in XenServer v3.2.1 and v4.1.
The XenServer Platform we are using:
- Dell Poweredge 2950 server.
- 2 x Intel 64-bit Quad-Core Xeon Processors, Model E5335 @ 2.00 GHz each, for a total of 8 CPUs.
- 2 Intel 82571EB Gigabit Ethernet (on-board)
- 2 Broadcom NetXtremeII Gigabit Ethernet
- 16 GB of memory.
- 300 GB of Storage.
- XenServer v4.1
- *note: CPUs must support virtualization technology.
Application Delivery is at the top of the list of any organization's priorities. Keeping up with those priorities requires a move to dynamic application delivery and virtualization. The Citrix NetScaler Application Switch is a powerful step in that direction.
Compressing content at the server level can be done, but is tedious, and with the number of hosted servers on the backend growing proportionally with virtualization, it is better suited to a frontend tool.
As an Application Expert, determining what type of content is compressible vs. that which is not compressible should be at the tip of your tongue, or at least you should be able to reference this post or document. The thing is, while some content types remain compressible/non-compressible across many applications, you might run across an application that requires some content be treated uniquely. For example, the SAP application requires that pdf files not be compressed when sent back to the clients. Either way, you should know how to dynamically configure rules to accommodate the application's content. This Compression Deployment Guide shows you how.
Buy the Citrix NetScaler Application Switch here.
Hundreds of thousands of Web servers have been getting hacked, including several at the United Nations. The hack appears to exploit a vulnerability in Microsoft IIS because of a Microsoft SQL specific injection payload; however, the attack is capable of infecting any type of web server open to SQL Injection and Cross Site Scripting (XSS) attacks.
Microsoft released some security bulletins (951306, MS08-006) stating vulnerabilities in their IIS web server, alluding to the vulnerabilities recently brought to light. A script homed at nihaorr1.com based in China was found to be infecting many servers, and spreading quickly. Further research into the problem indicates that non-Microsoft types of servers may also be affected by the attack.
As of May 12, 2008, Google's Index had 1,700,000 infected pages. The domains currently being injected that contain the malicious JavaScript are:
This vulnerability and others like it can easily be stopped with a Citrix Web Application Firewall using default policies to block SQL injection and Cross Site Scripting. We set up a demo in our lab to show how easy it is to configure and block this type of threat.
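A defender-side check for the kind of infection described above, as an added Python example that is not part of the original post: it parses served pages and reports every `<script src=...>` that loads from a host the site does not normally use. The host names, paths and page content are constructed, and the allow-list approach is an assumption of this example.

```python
# Added example: list <script src=...> tags that load from hosts a site
# does not normally use. Host names and page content are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <SCRIPT SRC=...>
        # is caught as well.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def foreign_scripts(html, page_host, allowed_hosts=()):
    """Return (host, src) for each script loaded from an unexpected host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    findings = []
    for src in collector.sources:
        try:
            host = urlsplit(src).hostname   # None for relative URLs
        except ValueError:
            findings.append(("<unparseable>", src))
            continue
        if host and host not in allowed:    # hostname is already lower-case
            findings.append((host, src))
    return findings


def scan_pages(pages, page_host, allowed_hosts=()):
    """Map each unexpected script host to the sorted paths that reference it."""
    report = {}
    for path, html in pages.items():
        for host, _src in foreign_scripts(html, page_host, allowed_hosts):
            report.setdefault(host, set()).add(path)
    return {host: sorted(paths) for host, paths in report.items()}


# Constructed sample: a product page whose database-backed table cells carry
# an injected script tag, and a clean page.
SAMPLE_PAGES = {
    "/products.asp": (
        '<html><head><title>Products</title>'
        '<script src="/js/site.js"></script>'
        '<script src="//static.shop.example/menu.js"></script></head>'
        '<body><table><tr><td>Blue widget'
        '<script src="http://injected.example/1.js"></script></td></tr>'
        '<tr><td>Red widget<SCRIPT SRC=http://INJECTED.example/1.js></SCRIPT>'
        '</td></tr></table></body></html>'
    ),
    "/about.asp": '<html><body><p>About</p><script src="js/about.js"></script></body></html>',
}

if __name__ == "__main__":
    print(scan_pages(SAMPLE_PAGES, "www.shop.example", ["static.shop.example"]))
```

A script host that appears across many database-driven pages but is absent from the site's own templates points to content written into the database, which is where cleanup has to happen in addition to blocking the injection at the firewall.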
Read about the Citrix Application Firewall here.
Buy the Citrix Application Firewall here.
As an addendum to the Citrix NetScaler Policy Engine post I wrote recently, I pulled together some Frequently Asked Questions (FAQ) pertaining to the Policy Engine (PE). Policies are used to configure various Citrix NetScaler Application Switch features, and are executed in the order of their priorities. The priorities are configurable and increment in units of 10.
Policies are used to configure various Citrix NetScaler Application Switch features. For example, the parameters for compressing content are defined in a compression policy.
The features that use policies are:
- Load Balancing
- Content Switching
- Content Filtering
- AppCompress
- Cache Redirection
- SSL VPN
- Priority Queuing
- DoS Protection
- Sure Connect
Policy expressions are applied to content that enters the switch. Expressions are shared among features, but actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system. You can then create a compression policy that uses this expression to compress those files. The Policy Engine (PE) refers to the architecture in the Citrix NetScaler Application Switch for versions up to 8.x. The architecture of the Policy Engine and the manner in which it operates are presented in this Deployment Guide. Did you know that each feature in the Citrix NetScaler Application Switch is processed in a certain order, and that the Policy Engine (PE) applies policy according to that order? That order is represented in this diagram and discussed in the Deployment Guide for Policy Engine (PE).
As web applications grow in complexity, the art of accelerating them seems to remain the same. This art is performed by applying some basic concepts to the application; that is, Caching, Compression, Load Balancing, Global Server Load Balancing, SSL Offload & Acceleration, Content Switching, TCP Multiplexing and SSL Session Reuse.
Citrix® is a leader in Gartner's Magic Quadrant for Application Delivery with their flagship appliance NetScaler®. NetScaler accelerates web application performance by leveraging multiple acceleration technologies and innovative TCP optimizations.
Whether you are building out a new datacenter and architecting it the right way, or retrofitting an existing datacenter, Citrix NetScaler will perform and keep costs down. Whether you are looking to accelerate legacy enterprise applications such as Oracle or SAP, or building a new web 2.0 social community, Citrix NetScaler contains all of the tools to get you there.
Citrix NetScaler web application delivery solutions are purpose built appliances that accelerate application performance, while simultaneously reducing datacenter costs and improving web application security. Platforms range from the entry level 7000 to the latest MPX-series appliances that provide an industry-leading 15 Gbs of throughput at Layers 4 through 7.
There's more here: Case Studies, White Papers, Analysts, Datasheets
Check out the new MPX!
Buy it here!
Becoming an Application Expert means that you can profile an application and quickly determine how it can be architected or re-constructed for higher performance. Of course, we want you to use the Citrix Application Switch as part of the architecture. In Part 1, we learned how to profile an application to learn what it looks like as the traffic flows through the Citrix Application Switch. Now we will determine what parts of an application are cacheable and what parts are non-cacheable.
By Application Profiling we can determine which parts of the application are cacheable and non-cacheable just by looking at the Request and Response headers. The application will sometimes tell you through its "Cache-Control" header directives. Some content that we just know is static and doesn't ever change, we can consider cacheable as static content. Content that changes, such as reports, is often considered non-cacheable, but with the help of Selectors and Dynamic Content Groups in the Citrix NetScaler, this content can be cached. As a proof of concept, we deployed the Citrix NetScaler Application Switch in front of the Oracle E-Business Suite v12 application and implemented caching policies for both static and dynamic content. As it turns out, a lot of static content is cached by default policies, and setting up dynamic policies is not that difficult. To see how, read the Caching Deployment Guide for Oracle E-Business Suite v12.
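The header-based profiling described above, as an added Python example (not from the deployment guide and not NetScaler policy syntax): it reads the request method and the response's `Cache-Control`, `Expires` and `Set-Cookie` headers and returns a verdict for a shared cache sitting in front of the application. The verdict names, the conservative cookie rule and the sample headers are assumptions of this example, and the logic is a simplified reading of the HTTP caching rules.

```python
# Added example: profile a response for a shared cache from its headers.
# A simplified reading of the HTTP caching rules; verdict names are this
# example's own, and the header values below are constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Parse 'public, max-age=60' into {'public': '', 'max-age': '60'}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def _seconds(text):
    """Freshness lifetime as an int; malformed values count as 0 (stale)."""
    try:
        return max(int(text), 0)
    except (TypeError, ValueError):
        return 0


def _expires_in_future(h):
    """True when Expires is a valid date later than Date (or than now)."""
    try:
        expires = parsedate_to_datetime(h["expires"])
        now = (parsedate_to_datetime(h["date"]) if "date" in h
               else datetime.now(timezone.utc))
        return expires > now
    except (TypeError, ValueError):
        return False


def classify(method, headers):
    """Return (verdict, reason); verdict is 'cacheable', 'revalidate',
    'non-cacheable' or 'unspecified'."""
    h = {k.strip().lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))

    if method.upper() not in ("GET", "HEAD"):
        return "non-cacheable", "method is not GET or HEAD"
    if "no-store" in cc:
        return "non-cacheable", "Cache-Control: no-store"
    if "private" in cc:
        return "non-cacheable", "Cache-Control: private (one user only)"
    if "set-cookie" in h:
        return "non-cacheable", "response sets a cookie (conservative rule)"
    if "no-cache" in cc:
        return "revalidate", "Cache-Control: no-cache"
    # s-maxage is addressed to shared caches and takes precedence over max-age.
    for directive in ("s-maxage", "max-age"):
        if directive in cc:
            if _seconds(cc[directive]) > 0:
                return "cacheable", f"{directive}={cc[directive]}"
            return "revalidate", f"{directive} is zero or malformed"
    if "expires" in h:
        if _expires_in_future(h):
            return "cacheable", "Expires is in the future"
        return "revalidate", "Expires is past or malformed"
    return "unspecified", "no explicit directive; decide from profiling"


# Constructed profile of three responses seen through the proxy.
SAMPLE_PROFILE = [
    ("GET", {"Cache-Control": "public, max-age=86400", "Content-Type": "image/png"}),
    ("GET", {"Cache-Control": "private, no-cache", "Set-Cookie": "sid=constructed"}),
    ("GET", {"Content-Type": "text/css"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLE_PROFILE:
        print(classify(method, headers), headers)
```

The `private` and `Set-Cookie` checks come first on purpose: a per-user response stored in a shared cache would be served to other users, so any override that caches such content has to key the entry on whatever makes it user-specific.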
