AppExpert - Netscaler
Community blog for Netscaler architects and developers
21 Dec 2008 11:59 AM EST

As the New Year quickly approaches, we're all thinking of our New Year's resolutions, and I'm sure that on the top of each of your lists is "Improve the Capabilities of my Corporate Citrix Farm".

OK, maybe it's not at the TOP of your list...

But improving the reliability, scalability, and ease of use of your Citrix installations is an issue that most administrators face constantly. And, as the New Year is upon us, it might be a good time to reflect on that "one thing" that you can do to make your farm more productive, more secure, more reliable, and more manageable.

Along those same lines, I think it's a good time for Citrix to ask... What new products or enhancements would you like to see from us? What can WE do to make your job easier? What can we do to make your farm more secure? What can we do to provide you with the tools you need to make your Citrix installation perform in ways you have not been able to achieve?

Feel free to reply with your #1 ITEM (just one, make it your biggest) that you would like Citrix to focus on in the upcoming year. If it's a direction that we're already working towards, and you'd like us to continue, let us know! If there's an area that you think we should look at, we'd like to know that as well! Although I can't personally promise that your suggestion will work its way to the top of our list, I think that your feedback, as always, is an integral part of our corporate direction, and helps us to plan for the future as well.

So, let the 2009 wishes begin!...

10 Dec 2008 05:50 PM EST

Policies have a fundamental influence on the behavior of most NetScaler features (for example, Load Balancing, Content Switching, Rewrite, Responder, Integrated Caching, and the Application Firewall).

For a policy to take effect, and to have the desired effect, you must ensure that the policy is invoked at the right point during processing. The binding determines when the policy is evaluated (for example, whether the policy applies to requests or to responses), and whether the policy applies to all traffic or only to specific virtual servers.

Bind Points for Advanced and Classic Policies

NetScaler features use one of two types of policy:

  • Advanced policies enable you to analyze almost any type of data in a request or a response (for example, the body of an HTTP request) and permit programmatic functions on the data (for example, transforming data in the body of a request into an HTTP header). In release 9, the following features use advanced policies: DNS, Integrated Caching, Responder, Content Switching, Rewrite, Access Gateway (clientless access functions).
  • Classic policies evaluate basic characteristics of traffic and other data. For example, classic policies can identify whether an HTTP request or response contains a particular type of header or URL. In release 9, the following features use classic policies: System, SSL, Compression, Protection Features, Content Switching, Cache Redirection, Application Firewall, Access Gateway (all functions that use policies except clientless access).

For an advanced policy the following are the bind points, in typical order of evaluation:

  • Request-time override. When a request flows through a feature, the NetScaler first evaluates the request-time override policies.
  • Request-time Load Balancing virtual server. If evaluation has not been terminated by the override policies (for example, by a matching policy whose Goto expression is END), the NetScaler processes the request-time policies bound to the load balancing virtual server.
  • Request-time Content Switching virtual server. If evaluation has not been terminated by the load balancing virtual server policies, the NetScaler processes the request-time policies bound to the content switching virtual server.
  • Request-time default. If evaluation has not been terminated by any of the virtual server-specific policies, the NetScaler processes the request-time default (global) policies.
  • Response-time override. At response time, the NetScaler starts with the policies bound to the response-time override bind point.
  • Response-time Load Balancing virtual server. If evaluation has not been terminated by the response-time override policies, the NetScaler processes the response-time policies bound to the load balancing virtual server.
  • Response-time Content Switching virtual server. If evaluation has not been terminated by the load balancing virtual server policies, the NetScaler processes the response-time policies bound to the content switching virtual server.
  • Response-time default. If evaluation has not been terminated by any of the virtual server-specific policies, the NetScaler processes the response-time default (global) policies.

Within any of the banks of policies for each of the preceding bind points, the order of evaluation is determined by a priority level that you assign to each policy. You also can define a policy label and bind policies to it. The policy label must itself be invoked from one of the policy banks in the preceding list. You can invoke the policy label any number of times, allowing you to re-use the policies that are bound to the label any number of times.

For a classic policy to take effect, you bind it to the following bind points:

  • System policies. Bound globally.
  • SSL policies. Bound globally or to a Load Balancing virtual server.
  • Content Switching policies. Bound to a Content Switching or Cache Redirection virtual server. Note that Content Switching policies can be either classic or advanced, but must all be of the same type.
  • Compression policies. Bound globally, to a Load Balancing or Content Switching virtual server, or to a service.
  • Protection Features. Bound as follows:
    • Filter. Bound globally, to a Load Balancing or Content Switching virtual server, or to a service.
    • SureConnect. Bound to a Load Balancing virtual server or to a service.
    • Priority Queuing. Bound to a Load Balancing virtual server.
  • Cache Redirection. Bound to a Cache Redirection virtual server.
  • Application Firewall. Bound globally.
  • Access Gateway. Bound as follows:
    • Pre-Authentication policies. AAA Global, VPN vserver.
    • Authentication policies. System Global, AAA Global, VPN vserver
    • Auditing policies. User, User group, VPN vserver.
    • Session policies. VPN Global, User, User Group, VPN vserver.
    • Authorization policies. User, User Group.
    • Traffic policies. VPN Global, User, User Group, VPN vserver.
    • TCP Compression policies. VPN Global.

Video Tips: Binding Advanced Policies Globally and to a Virtual Server Using the Policy Manager

Video 1: Binding an advanced policy globally.

Video 2: Binding an advanced policy to a virtual server.

06 Dec 2008 09:00 PM EST

HTTP Callouts

New in NetScaler 9.0 is the ability to perform a callout over HTTP to an external server. An HTTP callout is a means of processing incoming requests on the NetScaler with the help of an external service, which can be a virtual server on the NetScaler itself, a back-end server, or a third-party service.

Traditionally, the NetScaler verified these requests internally using built-in policies. Now that specialized validation services are available, they can be integrated with the NetScaler using this feature.

An HTTP callout consists of a NetScaler policy expression that sends a simple HTTP request to the external service, waits for the response, and parses the response to produce a simple result. The result is then used like any other policy expression evaluation result.

The HTTP callout expression:

SYS.HTTP_CALLOUT(<name of HTTP Callout>)

To define the HTTP callout:

set policy httpCallout <name>
    [-IPAddress <ip_addr|ipv6_addr>]
    [-port <port>]
    [-vServer <string>]
    [-returnType <returnType>]
    [-httpMethod ( GET | POST )]
    [-hostExpr <string>]
    [-urlStemExpr <string>]
    [-headers <name(value)> ...]
    [-parameters <name(value)> ...]
    [-fullReqExpr <string>]
    [-resultExpr <string>]

Where:

-returnType must be one of TEXT, NUM or BOOL.

-IPAddress is the IP address of the server to which the callout is made.

-port is the port of the server to which the callout is made.

-vServer must be a virtual server added with the "add lb/cs/cr vserver" command. The service type of the virtual server must be HTTP.

-httpMethod is GET or POST.

-hostExpr is a Complex PI string expression that computes the value of the Host header.

-urlStemExpr is a Complex PI string expression that generates the URL stem.

-headers specifies the headers to insert in the request. Every header name must have a corresponding value. The header name is a string; the header values are Complex PI expressions.

-parameters specifies the parameters to send. Every parameter name must have a corresponding value. The parameters are placed in the URL query string for a GET request, or in the body for a POST request. Do not rely on the order in which the parameters are inserted. The parameter name is a string; the parameter values are computed with Complex PI string expressions and are URL encoded.

-fullReqExpr is a Complex PI string expression that computes the entire request. It is your responsibility to provide a well-formed and sane HTTP request; the system performs no sanity checking. If a full request is specified, none of the other request-building arguments can be specified.

-resultExpr is a Complex PI expression evaluated against the callout response. Its value, of the type given by -returnType, is the result of SYS.HTTP_CALLOUT.

HTTP callouts are available with HTTP or TCP Content Switching, Responder and Rewrite functionality.

The basic communication flow for HTTP callout is:

1. User sends request
2. Policy sends HTTP request to an external service
3. Result used like any other policy evaluation result
4. Available for multiple features

HTTP Callout Deployment Scenarios

The examples in this section illustrate how to use HTTP callouts to perform various tasks. In all cases, the NetScaler performs a callout to an external server where a callout agent is configured to respond to the request from the NetScaler based on the data that is present on the external server.

This section describes how to configure HTTP callouts in the following scenarios:

1. Filter clients based on an IP blacklist.
2. Fetch and update content on the fly using Edge Side Includes (ESI) markup language.
3. Authenticate users and control access to resources.
4. Filter Outlook Web Access (OWA) spam.

Filtering clients based on an IP blacklist

HTTP callouts can be used to block requests from clients that are blacklisted by the administrator. This list of clients can either be a publicly known blacklist or one that is maintained specifically by the administrator or a combination of both.

The source IP address of the incoming client request is checked against the external pre-configured blacklist and based on whether the IP address has been blacklisted or not, the transaction is either blocked by the NetScaler or the NetScaler continues to process the transaction normally.

The HTTP callout feature facilitates this by allowing the NetScaler to communicate with the external server that maintains a database of such blacklisted IP addresses.

The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.
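The callout agent in step 5 is the one piece the NetScaler configuration does not supply. The following is an added example of such an agent, not code from Citrix or from the original post: a small Python HTTP service that receives the client address as a GET parameter, checks it against a blacklist, and answers with a fixed token that the callout's -resultExpr can match. The URL path (/check), the parameter name (ip), the listening address and port, the blacklist contents (documentation prefixes) and the NetScaler-side commands in the comments are all assumptions made for the illustration. Two caveats a practitioner would want: the agent is a trust dependency, so expose it only on a path the NetScaler can reach (a private network or a dedicated virtual server), and because the policy acts on whatever the callout returns, the agent fails closed on input it cannot parse.

```python
"""Added example: callout agent for the IP-blacklist scenario (not Citrix code).

Assumed NetScaler side (illustrative only; names and quoting are hypothetical):
    add policy httpCallout ip_check
    set policy httpCallout ip_check -IPAddress 10.0.0.5 -port 8080 -returnType BOOL
        -httpMethod GET -hostExpr "\"callout.internal\"" -urlStemExpr "\"/check\""
        -parameters ip(CLIENT.IP.SRC)
        -resultExpr "HTTP.RES.BODY(100).CONTAINS(\"BLACKLISTED\")"
    add responder policy drop_blacklisted "SYS.HTTP_CALLOUT(ip_check)" <drop-action>
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample blacklist: hosts and CIDR ranges from the documentation prefixes.
BLACKLIST: List[ipaddress._BaseNetwork] = [
    ipaddress.ip_network(net)
    for net in ("203.0.113.0/24", "198.51.100.77/32", "2001:db8:bad::/48")
]


def is_blacklisted(ip_text: str) -> bool:
    """True if the address is in any blacklisted range; unparsable input is treated as listed."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return True  # fail closed: garbage never earns an "OK"
    # `in` across IPv4/IPv6 families simply returns False, so mixed lists are safe.
    return any(ip in net for net in BLACKLIST)


def handle(path: str) -> Tuple[int, str]:
    """Map a request path to (HTTP status, body).

    The body is always one of three fixed tokens so that the resultExpr on the NetScaler
    can match it without any further parsing.
    """
    parsed = urlparse(path)
    if parsed.path != "/check":
        return 404, "ERROR"
    ips = parse_qs(parsed.query).get("ip", [])
    if len(ips) != 1:  # missing or repeated parameter: refuse rather than guess
        return 400, "ERROR"
    return 200, ("BLACKLISTED" if is_blacklisted(ips[0]) else "OK")


class CalloutHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end around handle()."""

    def do_GET(self) -> None:
        status, body = handle(self.path)
        payload = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.send_header("Cache-Control", "no-store")  # a verdict must not be cached
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args) -> None:  # keep the agent quiet on stdout
        pass


if __name__ == "__main__":
    # Bind to an address only the NetScaler can reach; 127.0.0.1 here for a local test.
    HTTPServer(("127.0.0.1", 8080), CalloutHandler).serve_forever()
```

Run it, then request http://127.0.0.1:8080/check?ip=203.0.113.9 to see the BLACKLISTED token; the Responder policy built on SYS.HTTP_CALLOUT(ip_check) would evaluate to true for that client and to false for an address outside the listed ranges.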

ESI support for fetching and updating content dynamically

Edge Side Includes (ESI) is a markup language for edge-level dynamic Web content assembly. It helps in accelerating dynamic Web-based applications by defining a simple markup language to describe cacheable and non-cacheable Web page components that can be aggregated, assembled, and delivered at the network edge.

Using HTTP callouts on the NetScaler, you can read through the ESI constructs and aggregate or assemble content dynamically.

The following outlines the requirements to implement this configuration:
1. Enable Rewrite on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Rewrite action to replace the ESI content with the callout response body.
4. Bind the Rewrite action to a Rewrite policy.
5. Bind the Rewrite policy globally on the NetScaler.

Access Control and Authentication

In high security environments, it may be mandatory to externally authenticate a user before a resource is accessed by clients. On the NetScaler, you can use HTTP callouts to externally authenticate a user based on supplied credentials. There are different ways that authentication credentials might be supplied; the client could be sending the user name and password in HTTP headers in the request, or, the credentials could be fetched from the URL or the HTTP body.

The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.

OWA-based spam filtering

Spam filtering is the ability to dynamically block emails that are not from a known or trusted source or that have inappropriate content. Spam filtering requires business logic that determines that a particular kind of message is spam.

Using HTTP callouts, you can extract any portion of the incoming message and check it against the configured external callout server, which holds the rules to decide whether the message is legitimate email or spam. When a message is classified as spam, the sender is not notified that it was marked as spam, because that would only alert spammers to modify their messages.

The following outlines the requirements to implement this configuration:
1. Enable Responder on the NetScaler.
2. Create an HTTP callout on the NetScaler and configure it with details about the external server and other required parameters.
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally on the NetScaler.
5. Create a callout agent on the remote server.

Read about the Citrix Application Switch with Version 9.0 here.

Try the Citrix Application Switch with Version 9.0 here.

Tap into the power of AppExpert!

03 Dec 2008 03:51 PM EST
[ Tags: synergy ]


We are always looking for ideas to improve our Citrix events. Some of the past feedback we have received is to step up the technical content and include more unscripted and unfiltered opinions and dialog. At Synergy 2008 we introduced GeekSpeak, which was very well received as indicated by the feedback and standing-room-only crowds. At Synergy 2009 you can expect even more technical content plus more GeekSpeak sessions. In addition, as many iForum/Summit/Synergy attendees know, Citrix usually includes a concluding session that could be a brand-name comedian (Dana Carvey, Synergy 2008), an athlete with a story (Lance Armstrong, Summit 2008) or another memorable entertainer.

In keeping with listening to the community, and even better, engaging with some of the innovators of social media, we thought it might be interesting to have Kevin Rose and Alex Albright host an episode of Diggnation at Synergy 2009. As you may know, Kevin is the founder of Digg and an expert at developing a community. If you're not familiar with the show, check it out at Diggnation.com (it's about as unscripted and unfiltered as you can get...). If you are a fan of Digg, this might be your chance to watch an episode first hand and maybe hang out with Kevin and Alex afterwards with some beers at our closing party. If you're not a fan of Diggnation and would rather we look for other entertainment, we would like to hear that as well. As always, suggestions and comments are welcome.

Do you Digg the idea of Diggnation at Synergy?
2 Thumbs up, I want to see Kevin and Alex at Synergy in Vegas!
Keep looking...




02 Dec 2008 07:56 PM EST

An easy step up to IPv6


IPv6 has been available on NetScaler since April 2007, but only to select customers, and with a limited feature set.

Today, with NetScaler version 9.0, the IPv6 feature set is complete, with support for IPv6 communication all the way back to the application servers that the NetScaler is protecting and optimizing. Now that the IPv6 feature has matured, it has been released with the latest version of the software. NetScaler version 9.0 includes IPv6 communication to the application servers, and all the usual troubleshooting tools are present, such as ping6, traceroute6, and so on.

"IPv4 Dinosaur" may well become the term for a site that has no IPv6 presence on the internet. It is not a label you want if you consider yourself to be keeping up with the latest technologies, such as the Citrix NetScaler Application Switch.

Do keep in mind that running an IPv6-only network is probably still an arm's length away and not easy to migrate to. What is required is a hybrid approach, and this is where NetScaler version 9.0 can provide a quick solution.

It is possible to use IPv6 communication from the internet to your NetScaler, and then use IPv4 from the NetScaler to the application servers. This will provide an IPv6 presence on the internet for your external website, without having to use time, resources, and budget to rebuild your entire environment right away.

Think of this as IPv6 offload, if you will. The fact that the application and back end systems are running IPv4 will be fully hidden from the end user. You can then, in your own time, port your back end infrastructure over to IPv6 step by step, making testing and roll-back a cinch.

Of course, full IPv6 end-to-end communication is equally important, especially for those government accounts which require this box to be checked-off for any new hardware going into the racks. This is the newest part of this feature, which is also now available in NetScaler version 9.0.

Read about the Citrix Application Switch with Version 9.0 here.

Try the Citrix Application Switch with Version 9.0 here.

Tap into the power of AppExpert!

26 Nov 2008 11:55 AM EST

First the thanks!

As we roll into the Thanksgiving week in the US, I thought I would give a quick shout out of thanks to all of you that have participated in the Citrix Ready Community Verified site. Verifications are coming in faster than we can keep up with them (which was, after all, the whole idea in the first place). As of this morning, we have well over 1,000 applications and products verified by customers and partners as "Citrix Ready", backed by more than 7,000 verifications... more than 500 were added this week alone, and it's only Wednesday!

I'm assuming that you have all seen the Citrix Ready Community Verified site and you know it rocks... not because of anything we've done, but because it's created, owned and maintained by YOU; if not don't just take my word on it, check out Chris' blog, or Rene Vester's two blogs, here and here, or even Brian Madden's review, ...or of course, the site itself!

By many standards, the site has proven to be an overwhelming success. We launched it at Citrix Summit on October 25 this year with 600 Applications and 500 Community Verifications. In the month since launch, these numbers have gone through the roof with no end in sight. In fact, I am already hearing of cases where the Citrix Ready Community Verified site has encouraged customers to virtualize more apps, helped channel partners answer customer and prospect questions more quickly, and prompted technology partners to submit apps (theirs as well as those from other vendors).

Citrix IT has even taken up the challenge by starting to validate all the products and applications we use internally in our IT environment. I challenge all of you reading this to verify via the "voting" function all apps and other products you are using via XenApp, XenDesktop, XenServer and NetScaler!

May I have another? Or more appropriately, may we give you another?

The Citrix Ready Community Verified site is a great example of how a community can share small bits of information that doesn't impose a tax on the submitter (the apps are already deployed, submitters are just telling us they have already completed the work)... taking full advantage of the network effect to drive overall benefit.

So the question that I have for all of you, is what can we do next? The Citrix Ready Community Verified site is addressing a common question around product verification with Citrix products that has been around literally since the first release of WinFrame. Are there other longstanding questions, issues, etc that seem difficult to solve as an individual customer, SE, channel partner, technology partner or Citrix employee, that we as a community can attack?

My team and I are very interested in your feedback and would welcome the opportunity to help.

Please feel free to comment on this blog, or send an email to me at john.fanelli@citrix.com

25 Nov 2008 07:22 PM EST

NetScaler supports the chaining of Intermediate SSL Certificates


Up to 10 Chained Certificates to be exact, one Server Certificate and nine CA Certificates.

Verisign recently posted an advisory announcing that it is discontinuing unchained SSL certificates: all Verisign SSL certificates issued after Dec 11, 2008 are chained to the root CAs through intermediates, in line with security best practices. Read the advisory here.

Chaining of Certificates is done with Intermediate Certificates. What are Intermediate Certificates?

They sit in the middle, between the Public Trusted Certificate Authority (CA) and your Server, in our case the Citrix NetScaler.

The Citrix NetScaler Application Switch supports the chaining of SSL certificates for this very purpose. To show how easy it is to obtain an SSL certificate from a trusted Certificate Authority such as Verisign and install it, together with its intermediate certificate, on the Citrix NetScaler, we developed the following deployment guide to walk you through the process.

Verisign Certificate Authority w/ Citrix NetScaler SSL Deployment Guide.

Tap into the Power of AppExpert!

Try it!

21 Nov 2008 05:12 PM EST

Wan Optimization Survey:


Take this quick survey to tell us more about the solutions your organization uses to optimize your WAN.


1. Do you currently have a WAN optimization solution in your IT environment?
Yes (go to Q2)
No (go to Q3)


2. Which, if any, of the following WAN optimization solutions does your organization currently use?
Citrix WAN opt product(s) (WANScaler, Branch Repeater, Branch Repeater w\Windows Server)
Riverbed
Blue Coat
Expand
Other (please specify in a comment)
I don't know


3. Approximately what average percentage of your organization's overall network traffic is via XenApp (ICA)?
0%
1-25%
26-50%
51-75%
76-99%
100%
I don't know


Thank you

If there is anything else you would like to tell us, please leave a comment.


17 Nov 2008 11:13 PM EST
[ Tags: xml,  web,  woa,  soa,  web services,  rest,  silverlight,  flex,  security,  firewall ]

NetScaler's Application Firewall offers great protection for Web Applications via a positive security model that lets the user decide what is allowed to reach their web server. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.

But the concept of the web is changing. Expanding beyond traditional web pages, many sites now include programmable interfaces accessible via XML-based APIs. While web sites are mainly for consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The APIs are also used by emerging Web 2.0 Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that run inside a consumer's browser. Once deployed, these RIAs make active and passive calls to the exposed APIs of a web site, often exchanging XML in the background over REST-style calls or SOAP Web Services.

As the Web and programmatic APIs continue to become more of an integrated offering, it is important to provide security for the APIs as well as for the Web site. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML Security. With these new capabilities, users will be able to simultaneously secure HTML based web sites as well as XML based REST and Web Services APIs.      

16 Nov 2008 09:08 PM EST

Not very long ago I published a series on how to become an Application Expert. Citrix NetScaler 9.0 makes it easier with AppExpert Templates. NetScaler AppExpert Templates, introduced in NetScaler 9.0, provide an application-centric view of the NetScaler system's policy configuration. From a single place within the GUI (AppExpert -> Applications), NetScaler administrators can: 1) configure the various AppExpert features for the applications the NetScaler is fronting, and 2) view which NetScaler functional modules (for example, compression, caching, application firewall) are optimized and active for a given application unit.

Additionally, AppExpert Templates allow you to drill down and see which individual NetScaler policies are active, and which policies are inactive but available, by application component and NetScaler module. From this same view, individual policies can be created, activated and deactivated.

AppExpert Templates can be downloaded, imported, modified and exported from the AppExpert Templates page of the Citrix Community Website. Administrators can download AppExpert Templates built by Citrix, Citrix Partners and members of the NetScaler community from the Citrix Community Website. These templates are easily imported into any NetScaler running NetScaler 9.0 or higher, jump-starting the configuration and deployment process. Templates developed in-house can be easily exported and shared within your organization, or posted back to the Citrix Community Website for others to view and improve.

See the new AppExpert Templates page here!

Tap into the power of AppExpert!

14 Nov 2008 01:06 PM EST
[ Tags: xml,  web 2,  web services,  soa,  woa,  rest,  security,  firewall,  threat protection,  sql injection,  validation,  soap,  xdos,  denial of service ]

One of the long awaited new features in NetScaler 9.0 is XML security.  In 2007, Citrix acquired QuickTree, a small privately-held software technology provider on the forefront of addressing the key security and performance challenges of XML, web services and Web 2.0.  With Netscaler 9.0 the XML security capabilities acquired from QuickTree are fully integrated into the Netscaler web application delivery appliance.

Some of the XML security features available in the new NetScaler release, with the benefit of each:

Format Checks: Prevents malformed or not well-formed messages from reaching the server.
Denial of Service Prevention: Thwarts attacks (for example, very large elements or deeply nested messages) that attempt to exhaust server resources or exploit weaknesses in the XML parsers and applications on the server.
Recursive Expansion Attack Prevention: Protects against messages whose document type definition (DTD) declares recursively expanding entities.
External Entity Attack Prevention: Prevents the server from processing entity references that pull in data from untrusted sources.
XML Attachment Security: Prevents attachments containing malicious executables or viruses from reaching the server.
SQL Injection Check: Protects back-end SQL database servers by preventing attackers from obtaining information they are not entitled to.
Cross-site Scripting Check: Protects Web 2.0 applications from cross-site scripting attacks.
Start URLs: Prevents forceful browsing and scanning for services on a server.
Deny URLs: Blocks requests that target known security weaknesses in various web servers.
Cookie Consistency: Protects sensitive data by detecting tampered cookies, so that attackers cannot assume another user's credentials.
Buffer Overflow: Prevents attacks against insecure operating system or web server software that can crash or behave unpredictably when it receives a data string larger than it can handle.
Service Obfuscation: Protects against service scanning by rewriting end-point locations to hide the true location of the service.
SOAP Message Validation: Ensures that only messages compliant with the SOAP and WSDL standards reach the server, and offloads this validation from the server.
XML Schema Validation: Ensures that only messages compliant with a given XML Schema reach the server, and offloads this validation from the server.
Web Services Interoperability Checks: Performs a wide variety of checks on SOAP messages to ensure that they comply with Web Services Interoperability Organization (WS-I) recommendations.
Data Leak Prevention: Prevents credit card numbers and other sensitive business data from leaving the organization.
Service Proxy: Provides transport-level security for all XML and Web Services messages by acting as the SSL proxy.
Rate Limiting: Prevents the server from being overwhelmed by limiting the number of requests per second.
PCI DSS Report: Provides a detailed Payment Card Industry Data Security Standard (PCI DSS) report listing all the relevant criteria.
Alerts via SNMP: Alerts a designated person or server when there is a security violation.
Violation Counters: Displays counters for monitoring all violations.
Historic Charts: Built-in and customizable charts for viewing historic traffic patterns and violations.
Express Configuration: Protects XML applications right out of the box with very little configuration and maintenance.
Secures All Flavors of XML Applications: With the combination of XML, HTML and HTTP security features, a single appliance can protect plain-old-XML (POX), SOAP, REST, Web 2.0, .NET and all other flavors of XML applications.
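To make the first four entries in that list concrete, here is an added example, written for this page and not taken from the NetScaler product, of what a format check, a nesting-depth and size limit, a recursive-expansion check and an external-entity check look like when implemented on Python's expat parser. The depth and size limits are illustrative defaults, and the sample messages (a benign order, a "billion laughs" DTD, an XXE declaration, a deeply nested document, and a malformed one) are constructed for the demonstration. The point it shows that the table cannot: all four attacks are caught while the DTD or the opening tags are still being read, before any entity is expanded or any element tree is built, which is why an inspection layer in front of the server can refuse them cheaply.

```python
"""Added example: XML inspection checks built on Python's expat parser (not NetScaler code).

Limits (depth 32, 64 KiB of character data) are illustrative defaults.
"""
import xml.parsers.expat as expat
from typing import Dict


class XmlViolation(Exception):
    """Raised from an expat callback; aborts parsing at the first violation."""


def inspect_xml(data: bytes, *, max_depth: int = 32, max_text_bytes: int = 64 * 1024,
                allow_dtd: bool = False) -> Dict[str, object]:
    """Return {"verdict": "ALLOW"|"BLOCK", "reason": ..., "max_depth": ...} for one message."""
    parser = expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "text_bytes": 0}

    def start_element(name, attrs):
        # Denial-of-service check: reject deeply nested messages before the parser on the
        # application server has to build them.
        state["depth"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            raise XmlViolation(f"nesting depth {state['depth']} exceeds limit {max_depth}")

    def end_element(name):
        state["depth"] -= 1

    def character_data(text):
        # Large-element check: bound the total character data accepted per message.
        state["text_bytes"] += len(text.encode("utf-8"))
        if state["text_bytes"] > max_text_bytes:
            raise XmlViolation(f"character data exceeds limit {max_text_bytes} bytes")

    def doctype(name, sysid, pubid, has_internal_subset):
        # Most XML APIs never need a DTD; refusing DOCTYPE removes the entity attack surface.
        if not allow_dtd:
            raise XmlViolation("DOCTYPE declarations are not accepted")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Reached only when DTDs are allowed. Internal entities are the building block of
        # recursive-expansion attacks; an entity with a SYSTEM/PUBLIC id is an external entity.
        kind = "external entity" if (sysid or pubid) else "internal entity"
        raise XmlViolation(f"{kind} declaration '{name}' is not accepted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.StartDoctypeDeclHandler = doctype
    parser.EntityDeclHandler = entity_decl

    try:
        parser.Parse(data, True)  # True: this is the final (and only) chunk
    except XmlViolation as violation:
        return {"verdict": "BLOCK", "reason": str(violation), "max_depth": state["max_depth"]}
    except expat.ExpatError as err:
        # Format check: anything that is not well-formed XML never reaches the server.
        return {"verdict": "BLOCK", "reason": f"not well-formed: {err}",
                "max_depth": state["max_depth"]}
    return {"verdict": "ALLOW", "reason": None, "max_depth": state["max_depth"]}


# Constructed sample messages.
BENIGN = b'<?xml version="1.0"?><order><id>42</id><item sku="A1">widget</item></order>'
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
                  b']><lolz>&lol3;</lolz>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<foo>&xxe;</foo>')
DEEP = b"<a>" * 50 + b"</a>" * 50
MALFORMED = b"<order><id>42</order>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("billion_laughs", BILLION_LAUGHS),
                       ("xxe", XXE), ("deep", DEEP), ("malformed", MALFORMED)]:
        print(label, inspect_xml(doc))
```

Note the layering: with the default allow_dtd=False both entity attacks are stopped at the DOCTYPE itself; allow_dtd=True shows the finer-grained entity-declaration check that an appliance needs when legacy clients legitimately send DTDs.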


13 Nov 2008 11:33 AM EST

What's New

This release provides many enhancements to the policy infrastructure, including:
•    Policies for analyzing the traffic rate
•    Policies for sending queries to an external application
•    Graphical tools for easier creation of policies (see the enclosed video tip for a demo)
•    Configuration of policy labels and policy banks
•    Policy expression parameters for analyzing new types of data, including IPv6 addresses.
•    New documentation for policies and expressions.

Policies to Analyze the Traffic Rate

You can configure policies that act on the request rate or bandwidth usage. The most common uses for rate-based policies are limiting access to virtual servers or any other user-defined entity, and preventing network overload. You can configure NetScaler features to perform any other supported action based on the traffic rate, for example, redirecting traffic if the rate exceeds a particular threshold.

In this release, you can configure rate-based policies based on the following:
•    The number of HTTP requests that the NetScaler intercepts.
•    The number of DNS requests that the NetScaler intercepts.
•    The bandwidth usage.

Policies to Send HTTP Requests to Remote Applications

You can configure HTTP callout policies to obtain information from external applications and parse the responses. For example, if a server makes a request, you can use an HTTP callout request to determine if this server is on a "deny access" list. The HTTP callout request can send the requesting server's domain to an application that looks up bad domains from a list. When the application sends a response to the NetScaler, the HTTP callout policy can extract the "allowed" or "denied" determination from the response.

To deploy the HTTP callout policy, you also create an agent in front of the application to format the HTTP callout request for the application. When the application returns a response, the agent formats the response for the NetScaler, so that the callout policy can extract data of interest from the response.

You can invoke HTTP callout policies from any other type of NetScaler advanced policy using the expression prefix SYS.HTTP_CALLOUT. For example, you can invoke an HTTP callout policy from a rewrite action and insert the value that is returned by the callout in an HTTP response header.

Policy Banks and Policy Labels

This release introduces new methods for configuring collections of advanced policies known as policy banks. Policy banks are groups of policies that share the same bind point:

•    Built-in bind points are global or specific to a virtual server.
•    A user-defined bind point is known as a policy label.  

After you create a policy label and bind policies to it, you invoke the policy label (and its associated policies) from one of the built-in bind points. If you bind policies to a virtual server, you can also invoke the virtual server's policy bank from any other policy bank. You can invoke a policy label or policy bank either when binding a policy or by specifying a new "NOPOLICY" placeholder that performs the invocation without evaluating a rule.

As part of policy bank configuration you can also create an arbitrary evaluation order by specifying Goto expressions.

A new graphical tool called the Policy Manager simplifies configuration of policy banks and invocation of policy labels.

Policy Manager and Other Usability Enhancements

In this release, some applications provide a specialized Policy Manager in the NetScaler configuration utility to simplify binding policies to an invocation point or a user-defined policy label, assigning priorities to policies, and viewing the different policy banks that are configured in the feature. The Policy Manager also enables you to find and delete policies and actions that are not being used. As of release 9.0, the Policy Manager is available for the Rewrite, Integrated Caching, and Responder features.

In addition, the configuration utility simplifies the task of viewing policy bindings to vservers. A Visualizer in the Load Balancing and Content Switching features enables you to view policy bindings as well as service and monitor bindings.

See the enclosed video tip for a demo of the Policy Manager.

New Parameters for Classic and Advanced Expressions

New expression parameters have been provided for parsing additional types of data, including:
•    IPv6 addresses
•    String sets (comparisons with any or all strings in a set)
•    Caching headers
•    Dates and times  
•    File system information (files, directories, file system commands)

Policy Configuration and Reference Guide

A new policy guide provides comprehensive information on all the available parameters for advanced and classic policies and configuration instructions. This guide is available from the Documentation tab in the NetScaler configuration utility.

Video Tips

Video tip 1: Using the Policy Manager to add the first policy in a policy bank:

Video tip 2: Using the Policy Manager to add a second policy and order the policies in the bank:

12 Nov 2008 01:00 AM EST

NetScaler 9 is officially here. Well, actually, it's officially announced. It won't be officially available to download from mycitrix.com until November 27th. Yes, I know that's Thanksgiving. However, Citrix is a global company, and what better way to prove it than to post the NetScaler 9 code on a major US holiday? And, there is a chance that it might show up a day or two before the 27th.

NetScaler 9 is a pretty big release. Looking at the detailed feature tracker, it contains over 350 new features and feature enhancements. I'm not going to go through all of them in this post, because that's what release notes are for. However, I do want to highlight some of the major new features that folks seem to be most excited about, and point you to some additional resources on this site that go into a bit more detail on some of them.

I like to think that NetScaler acts as the bridge between the network and the applications that run on it, making each of them work better with the other. NetScaler 9 furthers this. A lot of the new capabilities and features make NetScaler more application-savvy than it already is. This is not to say that there aren't any hardcore networking enhancements in NetScaler 9, because there are a lot of them. These include everything from end-to-end support for IPv6 to enhancements to our GSLB functionality to the ability to tunnel IP within IP.

But in the end our networks are there to run applications, and it's the new AppExpert features in NetScaler 9 that seem to be generating the most interest.

AppExpert Templates make a given application the "first class citizen" within NetScaler. They do this by encapsulating everything about a NetScaler configuration that is specific to a given application, including:

  1. The different application components (e.g., pages, files, archives, Web Services) NetScaler is managing
  2. The various NetScaler entities and settings (e.g., VServers/VIPs, load-balancing algorithms, health checks, persistence methods, SSL offload settings) defined for these application components
  3. The specific NetScaler policies (e.g., caching, compression, application firewall, rewrite) used for the application

All of this is presented in a way that puts the application front and center, and configuration and policy changes can be made from there as well. So, while today understanding the entire NetScaler configuration for Microsoft SharePoint (for example) involves moving around between the various NetScaler GUI tabs, with AppExpert Templates everything is centralized in one place.

AppExpert Templates can be imported and exported as well, so they make it pretty easy to move app-specific configurations between different systems. More broadly, several folks have told us that this, and the general look and feel of AppExpert Templates, will help with knowledge transfer within their organizations. You can see an example of the Microsoft SharePoint template being imported and then applied here.

If you go here when NetScaler 9 becomes available in a couple of weeks, you'll be able to download AppExpert Templates we've already built. And, as you'll quickly notice, AppExpert Templates aren't static. The underlying infrastructure makes it really easy for you to tweak a template to your own specific needs, or to improve the template by adding to it. Hopefully, you'll all post any improvements and modifications you make back to the community site so that others can benefit. And definitely look for additional AppExpert Templates to be made available by us, by Citrix partners, and hopefully by other NetScaler users.

With AppExpert rate controls, we've integrated the concept of data rate into the core NetScaler policy infrastructure.  This allows building policies that are only triggered when a defined data rate is exceeded.  And since it's integrated with the core policy infrastructure, it can be used with the various NetScaler functional modules (e.g., content switching, responder), so you're not limited to just dropping traffic as an action.

There's a number of ways folks have told us they're going to use AppExpert rate controls. Of course straight-up rate limiting (e.g., DNS rate-limiting, limiting traffic originating from a single subnet) is one example. Ensuring a given resource (e.g., anything from a VServer to a specific URL) isn't overwhelmed by requests is another. Two specific examples are:

  1. One customer allows some of its partners to scrape its website so the partners can republish content on their own sites. However, the customer wants to ensure that overly aggressive scraping by the partners doesn't overwhelm the website and degrade the site's performance. AppExpert rate controls can be used to limit how much scraping each partner can do. This same approach could be used to ensure that websites that publish APIs -- so that partners can do mashups, for example -- aren't overwhelmed by any particular partner's use of the API.
  2. Another example is a customer that was having problems with a couple of users FTPing a few too many large files at the same time. By using AppExpert rate controls to build an expression around bandwidth consumed per sourceIP, they can drop any additional FTP requests coming from a sourceIP (aka a user) that already has too much FTP activity. A more generalized use could also do something along the lines of limiting the amount of concurrent file downloading for a given SharePoint site, to ensure that downloads don't drown out other SharePoint (or other application) activity.
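To make the rate-control behavior concrete, here is an added example of my own (not Citrix's code and not how NetScaler implements its counters) that models the two patterns above in Python: a per-source-IP request-count limit whose action is a redirect, and a per-source-IP bandwidth limit on file downloads whose action is a drop, both over a sliding time window. It also serves as the worked illustration for the "Policies to Analyze the Traffic Rate" description in the 13 November release-notes post. The request log, thresholds, window length, IP addresses and URLs are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One intercepted request (constructed sample data, not a NetScaler record)."""
    ts_ms: int     # arrival time in milliseconds
    src_ip: str    # the entity the limits are keyed on in this example
    url: str
    size: int      # bytes transferred, used by the bandwidth limit


class RateLimiter:
    """Sliding-window limit: at most `threshold` units per key within any
    `time_slice_ms` window. A unit is one request or one byte, depending on
    the cost passed to check(). This is my own simple model, not NetScaler's
    accounting."""

    def __init__(self, threshold, time_slice_ms):
        self.threshold = threshold
        self.time_slice_ms = time_slice_ms
        self._events = defaultdict(deque)   # key -> deque of (ts_ms, cost)
        self._totals = defaultdict(int)     # key -> sum of costs in the window

    def check(self, key, ts_ms, cost=1):
        """Account `cost` for `key` at time `ts_ms`; return True when the key
        is now over its threshold. Over-limit traffic is still counted, so a
        client that keeps hammering stays limited until it backs off."""
        window = self._events[key]
        while window and ts_ms - window[0][0] >= self.time_slice_ms:
            _, expired = window.popleft()
            self._totals[key] -= expired
        window.append((ts_ms, cost))
        self._totals[key] += cost
        return self._totals[key] > self.threshold


def evaluate(req, req_limit, bw_limit):
    """A two-rule policy bank evaluated in priority order. The actions are
    labels here; on the appliance they would be Responder or Content
    Switching actions bound to the rate-based policies."""
    # Rule 1: too many requests from one source inside the window -> redirect
    if req_limit.check(req.src_ip, req.ts_ms):
        return "REDIRECT /busy.html"
    # Rule 2: too many bytes of file downloads from one source -> drop
    if req.url.startswith("/files/") and bw_limit.check(req.src_ip, req.ts_ms, req.size):
        return "DROP"
    return "ALLOW"


def run(log, req_threshold=5, bw_threshold=10_000, time_slice_ms=1000):
    """Replay a request log through fresh limiters; returns (ts, ip, action) per request."""
    req_limit = RateLimiter(req_threshold, time_slice_ms)
    bw_limit = RateLimiter(bw_threshold, time_slice_ms)
    return [(r.ts_ms, r.src_ip, evaluate(r, req_limit, bw_limit))
            for r in sorted(log, key=lambda r: r.ts_ms)]


# Constructed sample traffic: 10.0.0.5 hammers one page, 10.0.0.9 pulls large files.
SAMPLE_LOG = [
    Request(100, "10.0.0.5", "/index.html", 200),
    Request(150, "10.0.0.9", "/files/a.iso", 4000),
    Request(200, "10.0.0.5", "/index.html", 200),
    Request(300, "10.0.0.5", "/index.html", 200),
    Request(350, "10.0.0.9", "/files/b.iso", 4000),
    Request(400, "10.0.0.5", "/index.html", 200),
    Request(500, "10.0.0.5", "/index.html", 200),   # 5th in 1 s: at the limit, still allowed
    Request(550, "10.0.0.9", "/files/c.iso", 4000), # 12000 bytes in 1 s: over 10000 -> drop
    Request(600, "10.0.0.5", "/index.html", 200),   # 6th in 1 s -> redirect
    Request(700, "10.0.0.5", "/index.html", 200),   # 7th in 1 s -> redirect
    Request(1700, "10.0.0.5", "/index.html", 200),  # window has expired -> allowed again
]

if __name__ == "__main__":
    for ts, ip, action in run(SAMPLE_LOG):
        print(f"{ts:5d} ms  {ip:10s} {action}")
```

The point worth noticing is that the limit is keyed on whatever the policy selects (here the source IP; it could equally be a subnet, a URL or a VServer), and that the action is decided by a separate rule, which is why the same counter can feed a redirect in one policy and a drop in another.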

AppExpert service callouts make NetScaler policies extensible, and will allow you to integrate logic or functionality available in other systems and applications into NetScaler policies. Specifically, using an AppExpert service callout, a policy can send (over HTTP or HTTPS) any part of an incoming request to an external service. The result returned by the external service is then used like any other policy evaluation result.

As an example, one beta customer has an application that identifies and tracks IP addresses that are scraping its site's content. No, this is not the same customer that is interested in AppExpert rate controls. In the earlier case, scraping is encouraged; they just needed to control it. In this case, the scraping of content amounts to theft, and the customer wants to prevent as much of it as possible. Unfortunately, the IP addresses doing the scraping change constantly (hence the reason they had to build an app), so statically defining them within the policy itself isn't practical. However, a service callout can query the application in real time, and NetScaler then uses the response to either pass or drop the request.

Other use cases customers have mentioned include:

  • Passing content to an external transformation engine
  • Integration with UDDI or other directory services
  • Geo-targeting or other token-based switching decisions, where the logic for the content switch is available in an external application  
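Here is an added example of my own (not Citrix's code, and not NetScaler's callout implementation) showing both sides of a service callout like the deny-list case above, and of the "agent in front of the application" described in the 13 November release-notes post. The agent is a small WSGI application that takes the callout's query parameter, asks the application for its decision, and answers with a one-word body that the policy side can parse without ambiguity. The deny list, the `/check` path, the `domain` parameter name and the hostnames are constructed; the fail-closed handling of errors and timeouts is my design choice for this example.

```python
import threading
from io import BytesIO
from urllib.error import URLError
from urllib.parse import parse_qs, urlencode
from urllib.request import urlopen
from wsgiref.simple_server import make_server

# Constructed deny list standing in for the external "bad domains" application.
BAD_DOMAINS = {"scraper.example", "badbot.example"}


def application_lookup(domain):
    """The external application's logic: deny a listed domain or any subdomain of it."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def agent_app(environ, start_response):
    """Agent in front of the application (WSGI). It accepts the callout's
    GET ?domain=... and returns a one-word body, 'allowed' or 'denied', so
    the policy side has a trivial, fixed format to extract."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    domain = query.get("domain", [""])[0]
    if environ.get("REQUEST_METHOD") != "GET" or not domain:
        body = b"error"
        start_response("400 Bad Request",
                       [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
        return [body]
    body = b"denied" if application_lookup(domain) else b"allowed"
    start_response("200 OK",
                   [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]


def build_callout_url(agent_base, domain):
    """Policy side: format the callout request; the domain is URL-encoded as a parameter."""
    return f"{agent_base}/check?{urlencode({'domain': domain})}"


def parse_verdict(status, body):
    """Policy side: extract the determination. Anything other than a 200 with
    the literal 'allowed' counts as denied (fail closed)."""
    return status == 200 and body.strip().lower() == b"allowed"


def callout_allows(agent_base, domain, timeout=2.0):
    """Perform the HTTP callout and return the boolean a policy rule would use."""
    try:
        with urlopen(build_callout_url(agent_base, domain), timeout=timeout) as resp:
            return parse_verdict(resp.status, resp.read())
    except (URLError, OSError):
        return False   # agent unreachable or timed out: fail closed


def invoke_agent(query_string, method="GET"):
    """Drive agent_app in-process (no socket); returns (status_code, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])

    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query_string, "wsgi.input": BytesIO()}
    body = b"".join(agent_app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Serve the agent on a free loopback port and make real callouts against it.
    server = make_server("127.0.0.1", 0, agent_app)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    for d in ("partner.example", "www.scraper.example"):
        print(d, "->", "allowed" if callout_allows(base, d) else "denied")
    server.shutdown()
```

Two details matter in practice. The agent answers with a fixed, minimal format so the policy's extraction rule is simple and cannot be confused by the application's own verbose responses, and the policy decides what to do when the agent is unavailable: failing closed protects the site at the cost of availability, failing open does the reverse, and that choice belongs in the policy, not in the agent.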

NetScaler 9 has the first availability of the XML technology we acquired from QuickTree last year. New XML protections in the NetScaler Application Firewall module will now be able to inspect and protect XML as well as HTML traffic. In addition to protecting XML-based applications from attack, this can also be used to ensure that incoming XML traffic conforms to various standards (e.g., XML syntax, schema, WSDL validation). With XML, sometimes "bad" traffic isn't malicious but is just a mistake. Either way, the XML capabilities in the app firewall will catch it.

We've had the ability to rewrite data within the TCP header or payload since NetScaler 8.0. However, in NetScaler 9.0 we've added a URL transformation 'mini-module' to our generalized rewrite functionality specifically for rewriting HREFs. While this function is often thought of in the context of either SSL VPN or application firewall, it has uses beyond these as well. For example, onboarding apps acquired through M&A activity, simplifying change management or "Akamai-zing" graphics content.
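As an added illustration of what an HREF rewrite does (my own Python, not the NetScaler module), this rewrites links in a response body for the two use cases just mentioned: links into an acquired application's internal origin become links to its new public name, and image references move to a CDN host. The hostnames and paths are constructed. The two checks a practitioner cares about are that only `href` and `src` attribute values are touched, never the page text, and that the origin match stops at a path boundary, so a hostname that merely starts with the internal name is left alone.

```python
import re

# Constructed mapping (hypothetical hosts): an acquired app's internal origin
# becomes its new public name, and site images are served from a CDN host.
LINK_MAP = {"http://intranet-app.internal": "https://app.example.com"}
CDN_HOST = "https://static-cdn.example.net"
IMAGE_RE = re.compile(r"\.(?:png|gif|jpe?g)$", re.IGNORECASE)

# Only href/src attribute values are rewritten; "data-src" and body text are not.
ATTR_RE = re.compile(r'''((?<![\w-])(?:href|src)\s*=\s*)(["'])(.*?)\2''',
                     re.IGNORECASE | re.DOTALL)


def transform_url(url):
    """Apply the URL transformation to one link target."""
    for old, new in LINK_MAP.items():
        # Match on a path boundary so "http://intranet-app.internal.evil.example/"
        # is not mistaken for the internal origin.
        if url == old or url.startswith(old + "/"):
            return new + url[len(old):]
    # Only static images under /images/ move to the CDN; other assets stay put.
    if url.startswith("/images/") and IMAGE_RE.search(url):
        return CDN_HOST + url
    return url


def transform_html(body):
    """Rewrite every href/src attribute in an HTML response body."""
    def repl(m):
        return m.group(1) + m.group(2) + transform_url(m.group(3)) + m.group(2)
    return ATTR_RE.sub(repl, body)


# Constructed sample response body.
SAMPLE_HTML = (
    '<a href="http://intranet-app.internal/docs/">Docs</a>\n'
    '<a href="http://intranet-app.internal.evil.example/">not ours</a>\n'
    "<img src='/images/logo.png'> <img src='/images/chart.svg'>\n"
    'Plain text mentioning http://intranet-app.internal/docs stays as is.\n'
)

if __name__ == "__main__":
    print(transform_html(SAMPLE_HTML))
```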

Again, NetScaler 9.0 is a big release. There is a lot more than the app-centric things mentioned above. There is a pretty comprehensive What's New in NetScaler 9 writeup here for those of you that want a more comprehensive overview.

Updated November 12, 2008:

I received a question via comments asking about Access Gateway Enterprise enhancements. As many of you know, Access Gateway Enterprise is in essence another module in NetScaler. So, all Access Gateway Enterprise functionality is included in NetScaler, which is why NetScaler is such a great solution for Citrix XenApp and XenDesktop. There are definitely enhancements to Access Gateway Enterprise in NetScaler 9. At a high level, they are:

  • Support for IPv6 XenApp Client Connections
  • Single sign-on to file shares, so your users won't get as annoyed by as many authentication prompts (unless you want them to be)
  • Full clientless access to Microsoft SharePoint 2003 and 2007 so users can access SharePoint sites from any browser
  • Historical charting which allows you to see trend data on system activity
24 Oct 2008 12:11 PM EDT

Citrix Systems is closing the gap on the Number 1 Load Balancer for Web Applications. They are certainly a leader and not going to relent on the pace. Check out the Gartner Magic Quadrant. Further proving a commitment to Application Delivery, Citrix teamed with Akamai to extend Application Delivery from the datacenter into the cloud. Combining Akamai's efficiency in the cloud with Citrix's efficiency in the datacenter provides the ultimate in global acceleration of applications.

Citrix & Akamai Load Balancing Deployment Guide.

Tap into the power of AppExpert!

Read about the Citrix Load Balancer here.

Buy the Citrix Load Balancer here.
