NetScaler's Application Firewall protects web applications with a positive security model: the administrator defines what is allowed to reach the web server, and everything else is blocked. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.
But the concept of the web is changing. Beyond traditional web pages, many sites now expose programmable interfaces through XML-based APIs. While web sites mainly serve consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The same APIs are also consumed by emerging Web 2.0 Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that run inside a consumer's browser. Once deployed, these RIAs make active and passive calls to the site's exposed APIs, often exchanging XML in the background over REST-style interfaces or SOAP Web Services.
As the web site and its programmatic APIs become one integrated offering, the APIs need the same protection as the site itself. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML security. With these new capabilities, users can secure HTML-based web sites and XML-based REST and Web Services APIs at the same time, under one policy.
This is a presentation that Karen Sciberras from Citrix Ireland gave at PubForum 2008 in Nice, France, on Citrix XenDesktop Troubleshooting.
This is a presentation that Walter Hofstetter from Citrix Germany gave at PubForum 2008 in Nice, France, on Citrix XenDesktop Updates.
This is a presentation that Frederic Serriere from Citrix France gave at PubForum 2008 in Nice, France, on Citrix Printing Troubleshooting.
This is a presentation that Thomas Monahan from Citrix Ireland gave at PubForum 2008 in Nice, France, on Citrix XenApp HRP3.
This is a presentation that Thomas Monahan from Citrix Ireland gave at PubForum 2008 in Nice, France, on Citrix XenApp Troubleshooting.
A number of months ago, I penned a blog about how HP's EDS acquisition left Dell in an IT services lurch. One of the side points in this blog was Dell's lack of enterprise credibility... and Dell being a potential suitor to buy Sun Microsystems (It's Your Turn Dell). Fast-forward to this week, where Sun announced they would lay off 6,000 employees. Also notice Sun's market capitalization is now down to $3.1B US. If ever there were a time for Dell to scoop up Sun, this is it.
Why would Dell buy Sun? Isn't this madness? Doesn't Dell have enough problems of its own? Yes, they do. But let's ask ourselves how Dell got into this position (and not just blame it on the current economic conditions).
The crux of my blog went back to a time when Compaq -- lacking enterprise credibility -- was in a similar situation to Dell. Here's an excerpt:
Dell’s product portfolio is lacking the power to reach into some enterprise accounts. This situation reminds me of a [company wide] meeting at Compaq (circa 1994). The gist from executive management was that Compaq (a $20 Billion dollar company at the time) could not compete in some accounts because it did not have the enterprise products necessary to win the [entire] account. In other accounts, it could only win a portion of the IT budget (those tied to x86 servers and small business storage). Compaq executives realized – correctly – that the Compaq brand lacked enterprise credibility; they needed to acquire the technology and talent necessary to compete, rather than building it internally over several years. As a result, they acquired Tandem (Non-stop platform) and DEC (enterprise services, storage, workstations, VAX, 64-bit computing, top-notch compiler team…the list is so long), which gave Compaq the goods and brand recognition to compete at an enterprise level. Dell needs to do the same. They’re basically at the same point Compaq was in 1994. The Dell brand is lacking the enterprise punch to compete. And with more HP “feet on the street” than ever, Dell will increasingly be marginalized -- pushed out of accounts where they don’t have the product portfolio to “own the entire account”. They need to acquire the technology rather than slowly building internally/organically.
The blog went on to say that although Dell had some products in the enterprise space, they needed to beef up their server and storage enterprise credibility and that acquiring Sun would help Dell attain the credibility they need rather than waiting for Intel to push mini-computers out of the market using the x86 architecture.
Although x86 servers make up a majority of the server market (especially in terms of units sold), for some applications, customers require systems that have a higher class of availability and performance. In this area, IBM and HP have products at the “mainframe” level (Z-Series and Superdome respectively) and the “workstation” level (P-Series/i-Series and Non-Stop/HP-UX respectively). Dell doesn’t. This problem is harder for Dell to solve. Perhaps Dell can wait for AMD and Intel to solve this product gap problem for them through the future scalability of the x86 server architecture. But another possible scenario is for Dell to acquire Sun (which could be had at a good price). This may sound like madness, but so did the HP/Compaq merger when Carly Fiorina and Michael Capellas announced the plan in 2001. Today, the HP/Compaq merger is widely regarded as the right move because it gave HP the product portfolio and services it needed to compete with IBM in the enterprise. Dell needs the product punch and the enterprise brand credibility that Sun can provide.
Little did I know that the price would get much, much better.
Dell's business model has always been about draining profit pools. Dell jumps into a market when the competition has created significant demand for a profit-rich product. Dell's MO is to come in at a lower price point, drive up tons of volume, and push the competition out of the market. At Dell, they call it "the curve". "The Dell curve" is drilled into the heads of Dell-ians from the day they walk through the front door. But many question the value of such a business model. What happens when there are no more profit pools to drain? What happens when margins are so slim that quality and support suffer? What does the "low-cost leader" perception do to the brand? In enterprise circles, price is only one concern... availability, reliability, scalability, and management can be just as -- if not more -- important.
The margin-rich enterprise arena is where Sun excels. Sun has the credibility in enterprise hardware, operating systems, software, and several other technologies. The enterprise is Sun's home turf and they bring a truck-load of loyal enterprise customers.
The question is: would Dell make this move? It's a gamble to be sure. Dell would have to change their spots -- the way they operate, their mindset. Enterprise products are not made without investments in research.
From another viewpoint, Dell has enough cash to make such a purchase. As of Friday, Dell had approximately $9B US in cash on hand, with about $2B US in debt. Sun, on the other hand, has $2.3B US in cash and $1.2B US in debt. And... one could make the argument that Dell should wait until the market recovers; Dell is in a better position to recover than Sun. But Dell has to think in terms of the competition too. Dan Nosowitz from Gizmodo wrote an interesting blog on a CNET article concerning which PC company was best positioned to weather the current economic conditions.
I mean, what if HP or IBM bought Sun? What would Dell’s options be if that happened? With Sun off the market, who else could Dell buy to get into the enterprise game? Basically, no one. They’d have to settle for being a smaller player in the enterprise – hoping to grow the market organically (which could take years or never happen). HP buying Sun would leave Dell in an enterprise lurch the way HP's EDS acquisition did for services.
Dell missed their opportunity to buy EMC several years back and now they are kicking themselves. They should not make the same mistake with Sun. If HP bought Sun, Dell’s best option would probably be to move down market toward consumer devices. Meaning: become the best consumer gadget device company in the land because the enterprise space would be a much more difficult market to capture (Dell probably wouldn’t “give up” in the enterprise, but the road will only continue to get harder for them).
However, being a consumer device company would be a difficult road too because 1) the margins are slim, 2) discretionary consumer spending is much more sensitive to market downturns, and 3) there is lots of competition from Apple, Sony, etc., where customer brand loyalty is strong. It’s much easier to drain profit pools where profit margins exist.
Dell has to make some hard choices. But, opportunity arises amid chaos.
[posted by: Drue Reeves]
Avoiding being Phished
I interviewed Brandon Olekas for this topic. Brandon is a Lead Security Engineer at Citrix. He has been working in XenApp security for about four years, has been involved with many security features and improvements in the XenApp product, and helped co-author Citrix Access Security for IT Administrators. He has a Computer Science degree from Georgia Institute of Technology and is an Associate of (ISC)2.
Here is Brandon:
Q: What is Phishing?
A: It is a form of Social engineering - attempting to fool people into revealing information that is subsequently used against them.
Phishing doesn't require a lot of capital, so it is no wonder it is so prevalent. Research firm Gartner Group estimates that phishers will cost US businesses and consumers a whopping $2.8B this year. The average take: $1244 per victim.
Phishing primarily targets stealing personal information through the use of e-mail and websites. Phishing emails usually appear to come from well-known financial institutions (which they are not) and their goal is to acquire login information, credit card numbers, social security numbers, or account numbers.
Phishing e-mails attempt to entice the user into clicking a link which will direct them to a malicious website. The thing is, legitimate businesses will never request this information via e-mail.
Bottom line is, if you receive an e-mail asking you to login to your bank, do not click the link. Open a browser and go directly to the official bank site.
Q: Don't malicious Phishing sites also attempt to do damage to the victim's computer?
A: Actually, most virus scans catch virus-infected attachments now. Phishers are looking to steal personal information. One other case that comes to mind is the Nigerian scam, which is considered phishing because they attempt to fool victims into sending money. The victims were enticed to send actual money to the Phisher after being convinced some amount of their own money was required to free up the large winnings. Even though this sounds ludicrous, many victims fell prey to this scam. Even now, people still fall for Nigerian-type scams.
Q: How else can people notice the dangers and avoid "being Phished"?
A: According to phishtank.com, the most important things to look for in a phishing e-mail are:
1. Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like "First Generic Bank Customer" so they don't have to type all recipients' names out and send emails one-by-one. If you don't see your name, be suspicious.
2. Forged link. Even if a link has a name you recognize somewhere in it, it doesn't mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don't click on the link. Also, websites where it is safe to enter personal information begin with "https" — the "s" stands for secure. If you don't see "https" do not proceed.
3. Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.
4. Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.
In addition, in the URL, pay attention to be sure you are reading correctly. For example, http://Realbank.hacker.com does not mean it is from Realbank. To the contrary, it is from hacker.com.
Also look out for numbers preceded by a % sign, which are encoded characters. They can trick you. For example, %47 is just a capital G, but it means the same thing to your web browser, i.e., http://%47oogle.com == http://www.Google.com.
A good educational resource is at this site: http://cups.cs.cmu.edu/antiphishing_phil/ Anti-Phishing Phil - it's a fun online game that teaches how to recognize phishing websites.
Q: What is "Spear Phishing"?
A: Just like regular Phishing, the objective is to entice the victim into divulging key information. Spear Phishing is slightly different in that it is directed to a target person or group, and it is often extremely personalized. For example, a Spear Phishing exploit may include having all the managers in a company receive a note that looks like it's from the CEO, asking them to click on a malicious web site that could look very credible. Any person on a network is able to spoof a particular user. Even a user outside the network could easily get a free email account with the CEO's name clearly evident.
Q: What are "Phishing Kits"?
A: These are sold on hacker forums on the internet. They provide easy ways for nontechnical people to easily set up a Phishing operation. Well, often the laugh is even on them: many of these kits create fraudulent web sites that actually send emails back to the Phishing Kit author, giving him the desired Phishing information, instead of or in addition to the Phisher. Since the nontechnical Kit buyer can't read the code, they can't see that they are actually the dupe.
One of the most prolific phishing groups and kit authors is called Rock Phish. No one can say for sure where Rock Phish is based, or whether the group operates out of a single country. "They are sort of the Keyser Soze of Phishing," says Zulfikar Ramzan, senior principal researcher with Symantec's Security Response group, referring to the secretive criminal kingpin in the 1995 film, The Usual Suspects. Security experts estimate that Rock Phish is responsible for between a third and a half of all phishing messages sent out on a given day. Information was taken from, and full article can be found at http://www.pcworld.com/article/128175/who_or_what_is_rock_phish_and_why_should_you_care.html
Q: Where can people go for more general information on phishing?
A: There are some good statistics here:
http://apwg.org/reports/APWG_GlobalPhishingSurvey1H2008.pdf
Other good resources:
www.phishtank.com - Collects and verifies phishing sites. If you suspect a site is fraudulent, you can check it here.
www.apwg.org - The Anti-Phishing Working Group: the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that results from phishing, pharming, and e-mail spoofing of all types.
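The URL checks Brandon describes (the registrable domain of Realbank.hacker.com is hacker.com, %47oogle.com decodes to google.com, the link text should match the link target, and the page should be served over https) can be applied mechanically to every link in a message. The following is an added example written for this page, not code from the interview or from Citrix; the check names, the sample links and the `HOST_IN_TEXT` helper are assumptions, and the last sample (a user-info prefix before `@`) goes slightly beyond the tricks named in the interview. The registrable-domain rule is deliberately naive (last two labels); production code would consult the Public Suffix List.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical helper (not from the interview): finds something that looks like a
# host name inside the visible link text, e.g. "https://www.realbank.com/login".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def decoded_host(url: str) -> str:
    """Host of `url` as a browser resolves it: user-info and port removed,
    percent-escapes decoded, lower-cased.  http://%47oogle.com -> google.com"""
    parts = urlsplit(url.strip())
    return unquote(parts.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  realbank.hacker.com -> hacker.com
    (naive on purpose; real code would use the Public Suffix List)."""
    labels = [l for l in host.rstrip(".").split(".") if l]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_link(display_text: str, href: str, expected_domain: str) -> list:
    """Apply the interview's checks to one link.  Returns the list of
    findings; an empty list means nothing suspicious was seen."""
    findings = []
    parts = urlsplit(href.strip())
    raw_host = parts.hostname or ""
    host = decoded_host(href)

    if parts.scheme.lower() != "https":                 # "If you don't see https, do not proceed"
        findings.append("no-https")
    if "%" in raw_host:                                  # encoded characters hiding the real name
        findings.append("encoded-host")
    if registrable_domain(host) != expected_domain.lower():
        findings.append("domain-mismatch")               # Realbank.hacker.com really is hacker.com
    m = HOST_IN_TEXT.search(display_text)                # "roll your mouse over the link"
    if m and registrable_domain(m.group(1).lower()) != registrable_domain(host):
        findings.append("text-target-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample links (not taken from any real phishing message):
    # (visible text, href, the bank's real domain)
    samples = [
        ("https://www.realbank.com/login", "https://www.realbank.com/login", "realbank.com"),
        ("Click here to verify", "http://Realbank.hacker.com/login", "realbank.com"),
        ("http://www.google.com", "http://%47oogle.com", "google.com"),
        ("www.realbank.com", "https://www.realbank.com@hacker.com/login", "realbank.com"),
    ]
    for text, href, expected in samples:
        print(f"{href:45} -> {assess_link(text, href, expected) or 'ok'}")
```

Note that `urlsplit().hostname` already discards anything before an `@`, which is why the fourth sample resolves to hacker.com even though "www.realbank.com" is the first thing a reader sees in the address.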
In 9.0, the Application Firewall can protect applications that use XML payloads: SOAP-based Web services, AJAX applications and REST-based applications that exchange XML. XML-specific security features include
XML protection is integrated into the Application Firewall, so all applicable firewall features, including Start and Deny URLs, Buffer Overflow, Cookie Protection and Safe Object checks, are available for XML traffic as well. More details on the XML firewall functionality can be found here
Application Firewall - Integrated Caching interoperability
The 9.0 release has full interoperability between the Application Firewall and the Integrated Caching (IC) module on the NetScaler. In the 8.1 release, the Application Firewall supports IC only for features that do not require parsing the response body. In 9.0, this restriction is removed. This results in better performance if the application's HTML pages are cacheable. Features like Form Field Consistency and URL Closure benefit from this new functionality.
URL Transform module
The URL Transform module provides an easy regular-expression-based approach to rewriting request and response URLs. This feature is licensed separately from the Application Firewall. It builds on the Application Firewall's parsing technology to rewrite only valid HTML links, rather than every string in the response that happens to match the expression.
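To show why "rewrite only valid HTML links" matters, here is an added Python illustration of the principle (this is not NetScaler's implementation, and the rule format, the sample document and the function names are assumptions). A parser-aware rewriter applies the expression only to URL-bearing attributes (`href`, `src`, `action`), while a blind regex replacement also rewrites the same string wherever it appears in visible text or script, which is how naive rewriting corrupts page content.

```python
import re
from html.parser import HTMLParser

# Attributes whose values are URLs (assumption for this illustration).
URL_ATTRS = {"href", "src", "action"}


class LinkRewriter(HTMLParser):
    """Rebuilds the document, applying `rules` (regex, replacement) only to
    URL attributes.  Text nodes, comments and entities pass through untouched."""

    def __init__(self, rules):
        super().__init__(convert_charrefs=False)
        self.rules = [(re.compile(pat), repl) for pat, repl in rules]
        self.out = []

    def rewrite(self, url):
        for pat, repl in self.rules:
            url = pat.sub(repl, url)
        return url

    def _render(self, tag, attrs, close):
        parts = [tag]
        for name, value in attrs:
            if value is None:                    # boolean attribute, e.g. <input disabled>
                parts.append(name)
                continue
            if name.lower() in URL_ATTRS:
                value = self.rewrite(value)      # the only place rules are applied
            parts.append(f'{name}="{value}"')
        return "<" + " ".join(parts) + ("/>" if close else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, close=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, close=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)                    # body text is never rewritten

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def transform_links(html, rules):
    """Parser-aware rewrite: only valid HTML links are changed."""
    p = LinkRewriter(rules)
    p.feed(html)
    p.close()
    return "".join(p.out)


def naive_transform(html, rules):
    """Blind regex rewrite over the whole response body, for comparison."""
    for pat, repl in rules:
        html = re.sub(pat, repl, html)
    return html


# Constructed sample page and rule (not from any real deployment).
DOC = ('<p>Old address: http://intranet.example.com/app</p>'
       '<a href="http://intranet.example.com/app">App</a>')
RULES = [(r"http://intranet\.example\.com/", "https://www.example.com/")]

if __name__ == "__main__":
    print(transform_links(DOC, RULES))   # only the href changes
    print(naive_transform(DOC, RULES))   # the paragraph text changes too
```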
Custom error pages
When the Application Firewall detects and blocks an invalid request, it can serve a custom HTML response that has been uploaded, or do a 302 redirect to a configured URL. Previous releases could only do the 302 redirect.
For those who are looking for a place that aggregates Autodesk and Citrix related technical information, I've created a page on the Citrix Developer Network at
http://community.citrix.com/display/xa/Autodesk+Citrix+Best+Practices
Your feedback is welcome.
In the past couple of months, both Microsoft and VMware have been wary of defining their new platforms as an “operating system”. Microsoft was adamant that Azure isn’t an operating system, while VMware did use the term but hedged by saying that it wasn’t really the same thing as a conventional operating system. So the question arises: "is there such a thing as a cloud operating system?". To answer that question we need to look at what a traditional operating system provides and compare it with the functionality that is needed to create a "cloud". Traditional operating systems are something of a moving target in that they have evolved over time and the definition has become somewhat clouded. But for the most part people would agree that the operating system provides:
These features all operate at a single system level (though clustered systems have extended the concepts to some degree) and require the operating system to “understand” the individual hardware components within the server.
A “cloud operating system” has to operate at macro level to control the operation of multiple servers in the cloud, which means creating functions that are analogs of the micro-level functions provided by a traditional operating system:
So the cloud platforms of the future must have functions that are similar in many ways to those of a traditional operating system. To a degree, the classification of these new cloud platforms is irrelevant; ultimately, if vendors and customers are comfortable calling them cloud operating systems, then that’s what they’ll end up being called.
Posted by: Nik Simpson