Citrix

Details about Microsoft Calista start to emerge, but much is still unknown

Brian Madden - 5 hours 28 min ago
It's been almost a year since Microsoft bought Calista Technologies, a non-shipping set of technologies that leverages host and client-based GPUs for 3D and multimedia remoting. Since the acquisition, Microsoft has been mum about the technology. Nevertheless, we've still learned a few things about it over the past year. Some of the Microsoft folks at BriForum talked a bit about it, Tad Brockway posted a blog entry about it earlier this week, Microsoft demoed a Calista preview at WinHEC...

Advantages of an integrated security solution for HTML and XML

Citrix employee blogs - 12 hours 32 min ago

NetScaler's Application Firewall offers great protection for Web Applications via a positive security model that lets the user decide what is allowed to reach their web server. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.

But the concept of the web is changing. Expanding beyond the traditional web pages, many sites now include programmable interfaces accessible via XML based APIs. While web sites are mainly for consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The APIs are also getting used by emerging Web 2.0 enabled Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that get deployed inside a consumer's browser. Once deployed, these RIAs will make active and passive calls to the exposed APIs of a web site, often exchanging information in the background using an XML based protocol like REST or Web Services.

As the Web and programmatic APIs continue to become more of an integrated offering, it is important to provide security for the APIs as well as for the Web site. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML Security. With these new capabilities, users will be able to simultaneously secure HTML based web sites as well as XML based REST and Web Services APIs.      


Video - Citrix XenDesktop Troubleshooting presentation given by Karen Sciberras at PubForum 2008 Nice, France

Citrix employee blogs - 15 hours 40 min ago

This is a presentation Karen Sciberras from Citrix Ireland gave at PubForum 2008 in Nice, France on Citrix XenDesktop Troubleshooting.


Video - Citrix XenDesktop Updates presentation given by Walter Hofstetter at PubForum 2008 Nice, France

Citrix employee blogs - 16 hours 16 min ago

This is a presentation Walter Hofstetter from Citrix Germany gave at PubForum 2008 in Nice, France on Citrix XenDesktop Updates.


Video - Citrix Printing Troubleshooting presentation given by Frederic Serriere at PubForum 2008 Nice, France

Citrix employee blogs - 16 hours 23 min ago

This is a presentation by Frederic Serriere from Citrix France given at PubForum 2008 in Nice, France on Citrix Printing Troubleshooting


Video - Citrix XenApp HRP3 presentation given by Thomas Monahan at PubForum 2008 Nice, France

Citrix employee blogs - 16 hours 25 min ago

This is a presentation Thomas Monahan from Citrix Ireland gave at PubForum 2008 in Nice, France on Citrix XenApp HRP3.


Video - Citrix XenApp Troubleshooting presentation given by Thomas Monahan at PubForum 2008 Nice, France

Citrix employee blogs - 16 hours 27 min ago

This is a presentation Thomas Monahan from Citrix Ireland gave at PubForum 2008 in Nice, France on Citrix XenApp Troubleshooting.


Video - Citrix XenDesktop Troubleshooting presentation given by Karen Sciberras - PubForum 2008 Nice, France

Citrix employee blogs - Thu, 11/20/2008 - 23:29

This is a presentation Karen Sciberras from Citrix Ireland gave at PubForum 2008 in Nice, France on Citrix XenDesktop Troubleshooting


Don't Get Phished!

Citrix employee blogs - Thu, 11/20/2008 - 21:51

Avoiding being Phished
I interviewed Brandon Olekas for this topic.  Brandon is a Lead Security Engineer at Citrix. He has been working in XenApp security for about four years, has been involved with many security features and improvements in the XenApp product, and helped co-author  Citrix Access Security for IT Administrators. He has a Computer Science degree from Georgia Institute of Technology and is an Associate of (ISC)2.
Here is Brandon:

Q: What is Phishing?
A: It is a form of Social engineering - attempting to fool people into revealing information that is subsequently used against them.
Phishing doesn't require a lot of capital, so it is no wonder it is so prevalent.  Research firm Gartner Group estimates that phishers will cost US businesses and consumers a whopping $2.8B this year.  The average take: $1244 per victim.

Phishing primarily targets stealing personal information through the use of e-mail and websites. Phishing emails usually appear to come from well-known financial institutions (which they are not) and their goal is to acquire login information, credit card numbers, social security numbers, or account numbers.

Phishing e-mails attempt to entice the user into clicking a link which will direct them to a malicious website. The thing is, legitimate businesses will never request this information via e-mail.

Bottom line is, if you receive an e-mail asking you to login to your bank, do not click the link. Open a browser and go directly to the official bank site.

Q: Don't malicious Phishing sites also attempt to do damage to the victim's computer?
A: Actually, most virus scans catch virus-infected attachments now. Phishers are looking to steal personal information. One other case that comes to mind is the Nigerian scam, which is considered phishing because they attempt to fool victims into sending money. The victims were enticed to send actual money to the Phisher after being convinced some amount of their own money was required to free up the large winnings. Even though this sounds ludicrous, many victims fell prey to this scam. Even now, people still fall for the Nigerian type scams.

Q: How else can people notice the dangers and avoid "being Phished"?
A: According to phishtank.com, the most important things to look for in a phishing e-mail are:
1. Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like "First Generic Bank Customer" so they don't have to type all recipients' names out and send emails one-by-one. If you don't see your name, be suspicious.
2. Forged link. Even if a link has a name you recognize somewhere in it, it doesn't mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don't click on the link. Also, websites where it is safe to enter personal information begin with "https" — the "s" stands for secure. If you don't see "https" do not proceed.
3. Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.
4. Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.

In addition, in the URL, pay attention to be sure you are reading correctly. For example, http://Realbank.hacker.com does not mean it is from Realbank. To the contrary, it is from hacker.com.
Also look out for numbers preceded by a % sign, which are encoded characters. They can trick you. For example, %47 is just a capital G, but it means the same thing to your web browser, i.e., http://%47oogle.com == http://www.Google.com.

A good educational resource is at this site: http://cups.cs.cmu.edu/antiphishing_phil/ Anti-Phishing Phil - it's a fun online game that teaches how to recognize phishing websites.

Q: What is "Spear Phishing"? 
A: Just like regular Phishing, the objective is to entice the victim into divulging key information.  Spear Phishing is slightly different in that it is directed to a target person or group, and it is often extremely personalized.  For example, a Spear Phishing exploit may include having all the managers in a company receive a note that looks like it's from the CEO, asking them to click on a malicious web site that could look very credible.  Any person on a network is able to spoof a particular user.  Even a user outside the network could easily get a free email account with the CEO's name clearly evident.

Q: What are "Phishing Kits"?
A: These are sold on hacker forums on the internet.   They provide easy ways for nontechnical people to easily set up a Phishing operation.  Well, often the laugh is even on them: many of these kits create fraudulent web sites that actually send emails back to the Phishing Kit author, giving him the desired Phishing information, instead of or in addition to the Phisher.  Since the nontechnical Kit buyer can't read the code, they can't see that they are actually the dupe.

One of the most prolific phishing groups and kit authors is called Rock Phish.  No one can say for sure where Rock Phish is based, or whether the group operates out of a single country.  "They are sort of the Keyser Soze of Phishing," says Zulfikar Ramzan, senior principal researcher with Symantec's Security Response group, referring to the secretive criminal kingpin in the 1995 film, The Usual Suspects.  Security experts estimate that Rock Phish is responsible for between a third and a half of all phishing messages sent out on a given day.  Information was taken from, and full article can be found at http://www.pcworld.com/article/128175/who_or_what_is_rock_phish_and_why_should_you_care.html

Q: Where can people go for more general information on phishing?
A: There are some good statistics here:
http://apwg.org/reports/APWG_GlobalPhishingSurvey1H2008.pdf

Other good resources:
[www.phishtank.com] - Collects and verifies phishing sites. If you suspect a site is fraudulent, you can check it here.
[www.apwg.org] - The Anti-Phishing Working Group. The global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that results from phishing, pharming, and e-mail spoofing of all types.

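The link checks described in the interview above (read the host from the right, decode %-escapes, compare the visible link text with the real target, look for https) can be automated for mail triage. The following is an added example, not part of the original post: the function names, the constructed sample message and the stand-in trusted domain realbank.com are assumptions, and the "last two labels" rule is a simplification that ignores multi-part suffixes such as co.uk.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message body; realbank.com stands in for the bank's real domain.
SAMPLE_EMAIL = """
<p>Dear First Generic Bank Customer,</p>
<a href="http://Realbank.hacker.com/login">https://www.realbank.com/login</a>
<a href="https://www.realbank.com/help">Help</a>
<a href="http://%47oogle.com/">Google</a>
"""

def effective_host(url):
    """Host as the browser resolves it: percent-decoded and lower-cased."""
    host = urlsplit(url).hostname or ""
    return unquote(host).lower().rstrip(".")

def owning_domain(url, labels=2):
    """Rightmost labels of the host (assumption: no public suffix list)."""
    host = effective_host(url)
    try:
        ipaddress.ip_address(host)
        return host                      # a bare IP address has no domain
    except ValueError:
        return ".".join(host.split(".")[-labels:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_links(html, trusted_domain):
    """Return [(href, [findings])] for each link in an HTML mail body."""
    collector = LinkCollector()
    collector.feed(html)
    brand = trusted_domain.split(".")[0]
    report = []
    for href, text in collector.links:
        findings = []
        if urlsplit(href).scheme != "https":
            findings.append("not-https")
        if "%" in (urlsplit(href).hostname or ""):
            findings.append("encoded-host")
        if owning_domain(href) != trusted_domain:
            findings.append("foreign-domain")
            if brand in effective_host(href):
                findings.append("brand-in-subdomain")
        # Visible text that itself looks like a URL must point at the same domain.
        if "." in text and " " not in text:
            shown = text if "://" in text else "http://" + text
            if owning_domain(shown) != owning_domain(href):
                findings.append("text-href-mismatch")
        report.append((href, findings))
    return report

if __name__ == "__main__":
    for href, findings in review_links(SAMPLE_EMAIL, "realbank.com"):
        print(href, findings)
```
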

What is new in the Application firewall in 9.0?

Citrix employee blogs - Thu, 11/20/2008 - 18:30
XML firewall

In 9.0, the Application Firewall can be used to protect applications that use XML payloads. These applications include SOAP-based Web services, AJAX applications and REST-based applications that use XML. XML specific security features include:

  • XML Denial of Service protection
  • XML Well-formedness check
  • XML attachment detection
  • Message validation (Schema)
  • Cross Site scripting and SQL Injection protection
  • Web services Interoperability (WSI) check

XML protection is integrated into the Application Firewall. So all applicable firewall features including Start and Deny URLs, Buffer overflow, Cookie protection and Safe Object checks are available. More details on the XML firewall functionality can be found here.

Application Firewall - Integrated Caching interoperability

The 9.0 release has full interoperability between the Application Firewall and the Integrated Caching (IC) module on the NetScaler. In the 8.1 release, the Application Firewall supports IC for features that do not require parsing the response body. In 9.0, this restriction is removed. This results in better performance if the application HTML pages are cacheable. Features like Form field consistency and URL closure benefit from this new functionality.

URL Transform module

The URL Transform module provides an easy regular expression based approach to rewrite request and response URLs. This feature is available separate from the Application Firewall license. It builds on the Application Firewall parsing technology to rewrite only valid HTML links.

Custom error pages

When the Application Firewall detects and blocks an invalid request, it can serve out a custom HTML response that has been uploaded or do a 302 redirect to a configured URL. Previous releases could only do the 302 redirect.


Introducing Autodesk Citrix Technical Information Portal

Citrix employee blogs - Thu, 11/20/2008 - 16:27

For those who are looking for a place which aggregates Autodesk and Citrix related technical information, I've created a page on Citrix Developer Network at

http://community.citrix.com/display/xa/Autodesk+Citrix+Best+Practices

Your feedback is welcome.


BrianMadden.com is now part of TechTarget

Brian Madden - Thu, 11/20/2008 - 08:07
I'm happy to announce that we have been acquired by TechTarget. This is really cool because it means that Gabe and I can focus 100% on writing and interacting with the community, and we don't have to be weighed down by all the operational minutiae of running a business. For those of you unfamiliar with TechTarget, they're an IT Media Company. They have something like 60 IT-related websites, including IT Knowledge Exchange, NotebookReview.com, LabMice.net, and all those...

Viewpoint on GM and IT

Brian Madden - Thu, 11/20/2008 - 06:57
We've all been hearing about how the big 3 automakers are coming with "hat in hand" to Washington to get their hands on $25 billion to help them survive.  There are many opinions out there about this and I'm not going to share everything I think about this, but I will share my thoughts around innovation as it pertains to GM. Here is a company that hasn't really been in innovation-mode for over 30+ years from a product perspective, but they are innovative on the IT...

Have Laptop, Will Travel (But Without Data)

Citrix press releases - Thu, 11/20/2008 - 05:00
Holiday Travelers Can Guard Against Laptop Theft and Lost Data with GoToMyPC

Calling all Citrix XenApp Engineers - Interested in traveling to Florida in December?

Citrix employee blogs - Wed, 11/19/2008 - 22:19

Keep in mind...

The average high temperature in South Florida during December is 77°F, and the average low, 61°F
The last time it snowed in South Florida was in 1977

Are you a Network Engineer or a Systems Engineer who specializes in the planning and integration of Citrix XenApp Platinum in an enterprise environment? If so, Citrix Education would like to invite you to participate in a four-day, onsite Job Task Analysis (JTA) workshop at Citrix worldwide headquarters located in sunny Ft. Lauderdale, Florida from Tuesday, December 16th through Friday, December 19th. In this workshop, you will provide input that will be used to design the new Citrix Certified Enterprise Engineer™ (CCEE) certification exams and corresponding training curriculum. 

The objectives of the workshop are the following: 

  • Determine the job tasks that Citrix Engineers are responsible for in Citrix XenApp Platinum environments
  • Create real-world scenarios that will be used in future training and certifications
  • Select the topics that should be taught and tested in the new Citrix Certified Enterprise Engineer (CCEE) track


No need to prepare! Simply attend all four days and provide information about your Citrix implementation as well as the specific tasks you perform.

Compensation: If you are selected to attend the workshop, Citrix Education will pick up the tab for your travel, meals during the workshop, and entertainment in beautiful sunny South Florida!

Criteria for participation:

  • Must act as Engineer for a XenApp 5.0 for Windows Server 2008 environment
  • Must have integrated XenApp with at least one Platinum component such as:
    • EdgeSight 4.5 or higher
    • WANScaler 4.5 or higher
    • Access Gateway 8.0 Enterprise Edition or higher
  • Experience with the following is ideal:
    • Using XenApp SDKs for customizations
    • Scripting (MFCOM or Powershell)
  • Experience with or plans for the following are a plus but not required:
    • Virtualizing XenApp on XenServer, VMware, or Hyper-V
    • Provisioning XenApp loads
    • Monitoring Loads of XenApp farms


If you, or a member of your technical team, are interested in participating in this workshop, please send an email to Lourdes Soler at Lourdes.Soler@citrix.com. Please include your phone number, and the dates and times when it would be convenient for you to be contacted.

Space is limited so act now!


Video - Citrix Provisioning Server 5.0 New Features presentation at PubForum 2008 Nice, France

Citrix employee blogs - Wed, 11/19/2008 - 18:49

This is a presentation I gave at PubForum 2008 in Nice, France on Citrix Provisioning Server 5.0 New Features


App Streaming - XP Home and Vista Home

Citrix employee blogs - Wed, 11/19/2008 - 16:43

The Streaming Client installer goes out of its way to prevent installation on the "home" editions of Windows XP and Vista. Technically, the streaming client does not really care about which edition of the operating system it is; it's just a test coverage statement. This post describes how to convince the streaming client to install on the "home" editions and has some fun debating the dev-test checks and balances that exist in all large software organizations.

Consider this scenario

  • Streaming client was written without any particular dependence on "Professional" version of the operating system
  • Streaming client installer was written to prevent installation on non-professional versions (meeting requirements).
  • Customer feedback during XenApp 5.0 / Streaming 1.2 Beta described this restriction as undesirable. 
  • Now - You want to fix it....

The Streaming Client supports many platforms.  In streaming client 1.2, we dropped Windows 2000 Professional, but it still supports a large list including

  • XP Professional
  • Vista Professional
  • Windows 2003 Server
  • Windows 2008 Server 
  • XP Professional 64-bit
  • Vista Professional 64-bit
  • Windows 2003 Server 64-bit
  • Windows 2008 Server 64-bit

The above list may not be the correct list, but stick with me on the concept. That's 8 platforms that the test team has to "certify". Add in XP and Vista "home" and you have 2 more. If it takes N days to decide that an operating system version definitely works, then that's 2 * N more work to do and this has to be repeated numerous times throughout a development cycle.

Back to the "bug" - Streaming Client refuses to install on "XP Home".

Development point of view: The Streaming Client doesn't care about home vs. professional.  It will work.

Test point of view: I haven't SEEN IT WORK - therefore, it doesn't work.

The solution taken for Streaming Client 1.2 was to publish an installation transform which would FORCE the streaming client to install even if it doesn't like what it sees with regard to the operating system version at installation.  This transform was officially included on the XenApp 5.0 installation media, allowing the "home" editions to remain officially unsupported, yet letting them un-officially really work.

The Citrix Support team has a knowledge base article written on this: ctx118086

What it comes down to is

1) You need the installation transform.  It is on the XenApp 5.0 installation media (DVD) in the "Support\AppStreaming " folder.
2) You need to tell the installer to use the transform.  XenAppStreaming.exe is the streaming client installer.
XenAppStreaming.exe /C:"setup TRANSFORMS=<LocationOfTransform>"

There's one more thing.  The KB references how to do this using the MSI installer.  You'll notice that there is no MSI installer for the streaming client included on the installation media.  I don't recall the reason, but we removed it and I'm sure it was a good reason.  The EXE version extracts the MSI and runs it.  The point: the KB references two methods to run the transform - use the one for the EXE installer.

I extend my thanks to our CEO, Mark Templeton, for purchasing a machine with XP Home pre-loaded and expecting to be able to stream to it. This motivated me to "spread the knowledge" so other folks might work around the same thing without great headaches. We will do well to remove the "home" limitation in future releases.

A question to solicit comments: If we remove the installation check for "home", from a customer point of view, is it necessary to actually test "home"? Notice that this means that we assume "home" will work given that "professional" does, and let conflicting views arrive during beta feedback. I note that we already do this for "Media Center" and "Ultimate" editions.

Joe Nord

Product Architect - Application Streaming

Citrix Systems, Fort Lauderdale, FL, USA


Citrix Provisioning Server 5.0 New Features

FrameWorkX - Wed, 11/19/2008 - 16:01
This is a presentation on Citrix Provisioning Server 5.0 New Features that I gave at PubForum 2008 in Nice, France ...

Blue Ocean Strategy

Citrix Blogger - Wed, 11/19/2008 - 12:40

Blue Ocean Strategy is a book written by W. Chan Kim and Renée Mauborgne. Unlike some of the previous business books written about, this one was selected by me. There were a few different conversations about it at work which led me to believe that it was worth learning about. Having read it over the last few weeks, I now feel fairly well informed about the strategy and what makes it different from existing methods.

The most basic idea is that instead of competing in an existing market (“ocean”), why not create a new market to work with. By redefining the market space, the company can be the first to provide products and services. However, it is not just about creating something different. It is also about creating value innovation for the customers. This means that the product or service needs to fit a strategy canvas that keeps both the company and the customer happy. True value comes from stopping certain activities while growing new ones. The different strategies can be plotted against an X-Y axis and compared to other companies. The overall difference is that the company with the blue ocean strategy is going to look a lot lower in certain strategies but much higher than others.

The tricky part is figuring out what needs to be readjusted. The book spends much time explaining how to target the strategy canvas.  As an example,  Southwest Airlines created a blue ocean by dropping traditional airline features like meals, lounges, seating choices, and hubs.  It instead focused on friendly service, speed, and frequent point to point departure.  This shift in focus reduced their cost base while increasing their demand based on what customers wanted most.  Instead of raising prices, Southwest instead found the most appropriate price for the customer while still guaranteeing a profit.  The assigning of price and costs is very important for the success of the business.  Setting the price too high hurts demand while also encouraging competition.  Setting the price too low with little or no profits guarantees that the business will not survive.

I was most skeptical about the idea related to keeping the ocean blue.  Nothing would be stopping a newcomer from entering the market later on.  However, this is where the blue ocean strategy shines.  Not only are you the first to enter that market, but if you set the price correctly from the start, you will discourage any other companies from doing the same.  Existing companies will not want to change their strategy canvases to match.  It is very hard to stop doing things that everyone expects is going to continue even if it does not make sense.

There is no easy way to do justice to all the things said.  Perhaps there will be more posts about Blue Ocean Strategy in the future like what was done for “Good To Great”.

      

Virtual Desktops and N=1

Brian Madden - Wed, 11/19/2008 - 06:00
This will probably shock a lot of you, but this will probably be my shortest post ever. It's been the buzz for quite some time. We spent a great deal of time talking about it at the last BriForum, I hear about it from customers in almost every meeting. What is it? Virtual Desktops. Besides the technical reasoning of where and why it does and does not work, of which I'm pretty confident some of those issues/challenges will be solved sooner rather than later,...
