NetScaler's Application Firewall offers great protection for Web Applications via a positive security model that lets the user decide what is allowed to reach their web server. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.

But the concept of the web is changing. Expanding beyond the traditional web pages, many sites now include programmable interfaces accessible via XML based APIs. While web sites are mainly for consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The APIs are also getting used by emerging Web 2.0 enabled Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that get deployed inside a consumer's browser. Once deployed, these RIAs will make active and passive calls to the exposed APIs of a web site. Often exchanging information in the background using an XML based protocol like REST or Web Services.

As the Web and programmatic APIs continue to become more of an integrated offering, it is important to provide security for the APIs as well as for the Web site. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML Security. With these new capabilities, users will be able to simultaneously secure HTML based web sites as well as XML based REST and Web Services APIs.      

(Contributed by Raghu Bathina) 

_{Useful Links}

• XML Security Features in Netscaler 9.0

Not very long ago I published a series on how to become an Application Expert. Citrix NetScaler 9.0 makes it easier with AppExpert Templates. NetScaler AppExpert Templates - introduced in NetScaler 9.0 - provide an application-centric view of the NetScaler system's policy configurations. From a single place within the GUI (AppExpert -> Applications) NetScaler administrators can: 1) Configure the various AppExpert features the NetScaler is fronting, 2) View which NetScaler functional modules (e.g., compression, caching, application firewall) are optimized and active for a given application unit.

Additionally, AppExpert Templates allow you to drill down and see which individual NetScaler policies are active, and what policies are inactive but available, by application component and NetScaler module. From this same view, individual policies can be created, activated and deactivated.

AppExpert Templates can be downloaded, imported, modified and exported AppExpert Templates page of the Citrix Community Website. Administrators can download AppExpert Templates built by Citrix, Citrix Partners and members of the NetScaler community from the Citrix Community Website. These templates are easily imported into any NetScaler running NetScaler 9.0 or higher, jump starting the configuration and deployment process. Templates developed in-house can be easily exported and shared within your organization, or posted back to the Citrix Community Website for others to view and improve.

See the new AppExpert Templates page here!

Tap into the power of AppExpert!

One of the long awaited new features in NetScaler 9.0 is XML security.  In 2007, Citrix acquired QuickTree, a small privately-held software technology provider on the forefront of addressing the key security and performance challenges of XML, web services and Web 2.0.  With Netscaler 9.0 the XML security capabilities acquired from QuickTree are fully integrated into the Netscaler web application delivery appliance.

Some the XML Security Features available in the new NetScaler release:

What's New

This release provides many enhancements to the policy infrastructure, including:
•    Policies for analyzing the traffic rate
•    Policies for sending queries to an external application
•    Graphical tools for easier creation of policies (see the enclosed video tip for a demo)
•    Configuration of policy labels and policy banks
•    Policy expression parameters for analyzing new types of data, including IPv6 addresses.
•    New documentation for policies and expressions.

Policies to Analyze the Traffic Rate

You can configure policies that parse the request rate or bandwidth usage. The most popular uses for policies based on traffic rate include limiting access to virtual servers or any other user-defined entity, and preventing network overload. You can configure NetScaler features to perform any other supported action based on the traffic rate, for example, redirecting traffic if the rate exceeds a particular threshold.

In this release, you can configure rate-based policies based on the following:
•    The number of HTTP requests that the NetScaler intercepts.
•    The number of DNS requests that the NetScaler intercepts.
•    The bandwidth usage.

Policies to Send HTTP Requests to Remote Applications

You can configure HTTP callout policies to obtain information from external applications and parse the responses. For example, if a server makes a request, you can use an HTTP callout request to determine if this server is on a "deny access" list. The HTTP callout request can send the requesting server's domain to an application that looks up bad domains from a list. When the application sends a response to the NetScaler, the HTTP callout policy can extract the "allowed" or "denied" determination from the response.

To deploy the HTTP callout policy, you also create an agent in front of the application to format the HTTP callout request for the application. When the application returns a response, the agent formats the response for the NetScaler, so that the callout policy can extract data of interest from the response.

You can invoke HTTP callout policies from any other type of NetScaler advanced policy using the expression prefix SYS.HTTP_CALLOUT. For example, you can invoke an HTTP callout policy from a rewrite action and insert the value that is returned by the callout in an HTTP response header.

Policy Banks and Policy Labels

This release introduces new methods for configuring collections of advanced policies known as policy banks. Policy banks are groups of polices that share the same bind point:

•    Built-in bind points are global or specific to a virtual server.
•    A user-defined bind point is known as a policy label.  

After you create a policy label and bind policies to it, you invoke the policy label (and its associated policies) from one of the built-in bind points. If you bind policies to a virtual server, you can also invoke the virtual server's policy bank from any other policy bank. You can invoke a policy label or policy bank using when binding a policy or by specifying a new "NOPOLICY" place-holder that performs invocation without processing a rule.

As part of policy bank configuration you can also create an arbitrary evaluation order by specifying Goto expressions.

A new graphical tool called the Policy Manager simplifies configuration of policy banks and invocation of policy labels.

Policy Manager and Other Usability Enhancements

In this release, some applications provide a specialized Policy Manager in the NetScaler configuration utility to simplify the binding of policies to an invocation point or a user-defined policy label, assigning policy priorities to policies, viewing the different policy banks that are configured in the feature. The Policy Manager also enables you to find and delete policies and actions that are not being used. As of release 9.0, the Policy Manager is available for the Rewrite, Integrated Caching, and Responder features.

In addition, the configuration utility simplifies the task of viewing policy bindings to vservers. A Visualizer in the Load Balancing and Content Switching features enables you to view policy bindings as well as service and monitor bindings.

See the enclosed video tip for a demo of the Policy Manager.

New Parameters for Classic and Advanced Expressions

New expression parameters have been provided for parsing additional types of data, including:
•    IPv6 addresses
•    String sets (comparisons with any or all strings in a set)
•    Caching headers
•    Dates and times  
•    File system information (files, directories, file system commands)

Policy Configuration and Reference Guide

A new policy guide provides comprehensive information on all the available parameters for advanced and classic policies and configuration instructions. This guide is available from the Documentation tab in the NetScaler configuration utility.

Video Tips

Video tip 1: Using the Policy Manager to add the first policy in a policy bank:

Video tip 2: Using the Policy Manager to add a second policy and order the policies in the bank:

NetScaler 9 is officially here. Well, actually, it's officially announced. It won't be officially available to download from mycitrix.com until November 27^th. Yes, I know that's Thanksgiving. However, Citrix is a global company, and what better way to prove it than to post the NetScaler 9 code on a major US holiday? And, there is a chance that it might show up a day or two before the 27^th.

NetScaler 9 is a pretty big release. Looking at the detailed feature tracker, it contains over 350 new features and feature enhancements. I'm not going to go through all of them in this post, because that's what release notes are for. However, I do want to highlight some of the major new features that folks seem to be most excited about, and point you to some additional resources on this site that go into a bit more detail on some of them.

I like to think that NetScaler acts as the bridge between the network and the applications that run on it, making each of them work better with the other. NetScaler 9 furthers this.  A lot of the new capabilities and features making NetScaler more application-saavy than it already is. This is not to say that there aren't any hardcore networking enhancements in NetScaler 9, because there are a lot of them. These include everything from end-to-end support for IPv6 to enhancements to our GSLB functionality to the ability to tunnel IP within IP.

But in the end our networks are there to run applications, and it's the new AppExpert features in NetScaler 9 that seem to be generating the most interest.

AppExpert Templates make a given application the "first class citizen" within NetScaler. They do this by encapsulating everything about a NetScaler configuration that is specific to a given application, including:

1. The different application components (e.g., pages, files, archives, Web Services) NetScaler is managing
2. The various NetScaler entities and settings (e.g., VServers/VIPs, load-balancing algorithms, health checks, persistence methods, SSL offload settings) defined for these application components
3. The specific NetScaler policies (e.g., caching, compression, application firewall, rewrite) used for the application

All of this is presented in a way that puts the application front and center, and configuration and policy changes can be made from there as well. So, while today understanding the entire NetScaler configuration for Microsoft SharePoint (for example) involves moving around between the various NetScaler GUI tabs, with AppExpert Templates everything is centralized in one place.

AppExpert Templates can be imported and exported as well, so they make it pretty easy to move app-specific configurations between different systems. More broadly, several folks have told us that this, and the general look and feel of AppExpert Templates, will help with knowledge transfer within their organizations. You can see an example of the Microsoft SharePoint template being imported and then applied here.

If you go here when NetScaler 9 becomes available in a couple of weeks, you'll be able to download AppExpert Templates we've already built. And, as you'll quickly notice, AppExpert Templates aren't static. The underlying infrastructure makes it really easy for you tweak a template to your own specific needs, or to improve the template by adding to it. Hopefully, you'll all post any improvements and modifications you make back to the community site so that others can benefit. And definitely look for additional AppExpert Templates to be made available by us, but Citrix partners, and hopefully by other NetScaler users.  

With AppExpert rate controls, we've integrated the concept of data rate into the core NetScaler policy infrastructure.  This allows building policies that are only triggered when a defined data rate is exceeded.  And since it's integrated with the core policy infrastructure, it can be used with the various NetScaler functional modules (e.g., content switching, responder), so you're not limited to just dropping traffic as an action.

There's a number of ways folks have told us they're going to use AppExpert rate controls. Of course straight-up rate limiting (e.g., DNS rate-limiting, limiting traffic originating from a single subnet) is one example. Ensuring a given resource (e.g., anything from a VServer to a specific URL) isn't overwhelmed by requests is another. Two specific examples are:

1. One customer allows some of its partners to scrape its website so the partners can republish content on their own sites. However, the customer wants to ensure that overly aggressive scraping by the partners doesn't overwhelm the website and degrade the site's performance. AppExpert rate controls can be used to limit how much scraping each partner can do. This same approach could be used to ensure that websites that publish APIs -- so that partners can do mashups, for example -- aren't overwhelmed by any particular partner's use of the API.
2. Another example is a customer that was having problems with a couple of users FTPing a few too many large files at the same time. By using AppExpert rate controls to build an expression around bandwidth consumed per sourceIP, they can drop any additional FTP requests coming from a sourceIP (aka a user) that already has too much FTP activity. A more generalized use could also do something along the lines of limiting the amount of concurrent file downloading for a given SharePoint site, to ensure that downloads don't drown out other SharePoint (or other application) activity.

AppExpert service callouts make NetScaler policies extensible, and will allow you to integrate logic or functionality available in other systems and applications into NetScaler policies. Specifically, using an AppExpert service callout, a policy can send (over HTTP or HTTPS) any part of an incoming request to an external service. The result returned by the external service is then used like any other policy evaluation result.

As an example, one beta customer has an application that identifies and tracks IP addresses that are scraping its site's content. No, this is not the same customer that is interested in AppExpert rate controls. In earlier case, scraping is encouraged, they just needed to control it. In this case, the scraping of content amounts to theft, and the customer want to prevent as much of it as possible. Unfortunately, the IP addresses doing scraping change constantly (hence the reason they had to build an app), so statically defining them within the policy itself isn't practical. However, a service callout can query the application in real-time, and NetScaler then uses the response to either pass or drop the request.

Other use cases customers have mentioned include:

• Passing content to an external transformation engine
• Integration with UDDI or other directory services
• Geo-targeting or other token-based switching decisions, where the logic for the content switch is available in an external application  

NetScaler 9 has the first availability of the XML technology we acquired from QuickTree last year. New XML protections in the NetScaler Application Firewall module will now be able to inspect and protect XML as well as HTML traffic. In addition to protecting XML-based applications from attack, this can also be used to ensure that incoming XML traffic conforms to various standards (e.g., XML syntax, schema, WSDL validation). With XML, sometimes "bad" traffic isn't malicious but is just a mistake. Either way, the XML capabilities in the app firewall will catch it.

We've had the ability to rewrite payloads within the TCP header or payload since NetScaler 8.0. However, in NetScaler 9.0 we've added a URL transformation 'mini-module' to our generalized rewrite functionality specifically for rewriting HREFs. While this function is often thought of in the context of either SSL VPN or application firewall, it has uses beyond these as well. For example, onboarding apps acquired through M&A activity, simplifying change management or "Akamai-zing" graphics content.

Again, NetScaler 9.0 is big release. There is a lot more than the app-centric things mentioned above. There is a pretty comprehensive What's New in NetScaler 9 writeup here for those of you that want a more comprehensive overview.

Updated November 12, 2008:

I received a question via comments asking about Access Gateway Enterprise enhancements. As many of you know, Access Gateway Enterprise is in essence another module in NetScaler. So, all Access Gateway Enterprise functionality is included in NetScaler, which is why NetScaler is such a great solution for Citrix XenApp and XenDesktop. There are definitely enhancement to Access Gateway Enterprise in NetScaler 9. At a high level, they are:

• Support for IPv6 XenApp Client Connections
• Single sign-on to file shares, so your users won't get get as annoyed by as many authentication prompts (unless you want them to be)
• Full clientless access to Microsoft SharePoint 2003 and 2007 so users can access SharePoint sites from any browser
• Historical charting which allows you to see trend data on system activity

Citrix Systems is closing the gap on the Number 1 Load Balancer for Web Applications. They are certainly a leader and not going to relent on the pace. Check out the Gartner Magic Quadrant. Further proving a commitment to Application Delivery, Citrix teamed with Akamai to extend Application Delivery from the datacenter into the cloud. Combining Akamai's efficiency in the cloud with Citrix's efficiency in the datacenter provides the ultimate in global acceleration of applications.

Citrix & Akamai Load Balancing Deployment Guide.

Tap into the power of AppExpert!

Read about the Citrix Load Balancer here.

Buy the Citrix Load Balancer here.

Citrix EasyCall provides a simple and intuitive way communication enabling your existing applications with the flexibility of using any telephone.

EasyCall enables:

• Click-to-Call from any application
• Any telephone (mobile, office, home)
• Click-to-Call enabled directory & call-log
  
  The embedded presentation below reviews the features of Citrix EasyCall.
  
  

  ---

  ---

  Click here to view the presentation in full screen at Slide Share.
  
  

Here is a short demo video that covers how to use EasyCall and reviews briefly how it works.

EasyCall Demo video

EasyCall is a standard feature on:

• Citrix XenApp Platinum Edition
• Citrix NetScaler Platinum Edition
• Citrix XenDesktop Platinum Edition
  
  

You can find the EasyCall Administrator's Guide here and the Getting Started Guide here. The EasyCall User Guide is at this link.

There are several Systems Integrators Guide for various phone systems -

Nortel

Avaya

Bandwidth.com

I recently recorded a video session with Tim Bardzil and Eric Wolf, two team members of the Citrix Wanscaler Product Marketing group. The video is a Frequently Asked Questions session on the Citrix Systems Branch Repeater. This video can be used to address some of the common hardware and feature capabilities of the Branch Repeater.

Watch this video tip

This is the second blog in my series on Wan Optimization and Distributed Storage.
 
Remote Copy provides a powerful and flexible method for reproducing data and keeping that replicated data available for disaster recovery, business continuance, backup and recovery, data migration and data mining. For example in figure 1 the accounting department in Chicago runs a corporate accounting application and stores the resulting data. The designated backup site is in San Francisco. Nightly at 11:00 p.m., accounting updates are copied to the San Francisco facility using Remote Copy. Remote copying follows a three-step process.

1. Creation of a primary snapshot at the Chicago facility - this is called the primary snapshot, 2. Creation of a remote volume at the San Francisco office. Then you create a remote copy of the primary snapshot to the remote volume. 3. The system then copies data from the primary snapshot to the remote snapshot.

So, you ask "what is a snapshot?" A storage snapshot is a set of reference markers, or pointers to data stored on a storage area network (SAN). A snapshot is something like a detailed table of contents, but it is treated as a complete data backup.There are two types of snapshots - the first being the copy-on-write which creates a snapshot of changes to existing data every time the data is modified or new data is added to the volume. The second is split-mirror which creates a snapshot of all the existing data including the new and updated data. Copy-on-write involves the transfer of less amounts of data than the split-mirror method.

In a typical Distributed Storage environment Copy-on-write snapshots are scheduled for daily or weekly copies from primary to remote sites. These snapshots transfer data over a Wide Area Network and by utilizing Wanscaler Wan Optimization devices at both sites these data transfers are accelerated the time of complete transfer of the data is greatly reduced. In my next blog I will demonstrate Remote Copying within a Distributed Storage environment both with and without Wan Optimization to show the dramatic decrease in transfer times. 

In my next blog I will demonstrate remote copying and snapshots both with and without Wan Optimization via a video capture highlighting the results. 

WAN Load Balancing by Elfiq Networks is a perfect fit for the Citrix WanScaler WAN Optimization Engine product. The Citrix NetScaler already performs Server Load Balancing on inbound connections, and can even perform Link Load Balancing on outbound connections. However, when it comes to managing link resiliency directly at the WAN Links, at layer 2, this is where Elfiq shines. The Elfiq Layer 2 implementation allows the insertion of the Elfiq unit between the firewall and the primary link router without any change to their configuration for an easy deployment. For private WAN Links, Elfiq will redirect packets to all links at Layer 2 on a per session basis. Another great advantage with Elfiq is the low price point to get this type of functionality. When connectivity is being deployed to multiple sites with multiple links, Elfiq SitePathMTPX can be used with IPSec VPN Tunnels and VoIP along side of enterprise applications for greater performance and resilience.

Citrix & Elfiq Networks Deployment Guide!

WAN Failover Video Tip:

WAN Load Balancing Video Tip:

NetScaler Developer Network!