Citrix ® NetScaler ® 9.1 Citrix Application Firewall Guide

Posted 25-Nov-2015

Citrix NetScaler 9.1

Citrix Application Firewall Guide

Contents

Preface
  About This Guide  i
  New in This Release  iii
  Audience  iii
  Formatting Conventions  iii
  Getting Service and Support  iv
    Knowledge Center  iv
    Silver and Gold Maintenance  v
    Subscription Advantage  vi
    Education and Training  vi
  Documentation Feedback  vi

Chapter 1  Introduction
  What is the Application Firewall?  1
  What the Application Firewall Does  2
  How the Application Firewall Works  6
  The Application Firewall Platform  8
  The Application Firewall on a Network  8
  The User Interfaces  9
    The Citrix NetScaler Command Line Interface  10
    The Citrix NetScaler Configuration Utility  12

Chapter 2  Installation
  Planning the Installation  17
  Installing the Server  19
    The Citrix NetScaler 7000  20
    The Citrix NetScaler 9010  22
    The Citrix NetScaler 10010  26
    The Citrix NetScaler 12000  30
    The Citrix NetScaler MPX 15000  33
    The Citrix NetScaler MPX 17000  36
  Performing Initial Configuration  39
    Using the Configuration Utility  40
    Using the Citrix NetScaler Command Line Interface  59

Chapter 3  Simple Configuration
  Enabling the Application Firewall  67
  Creating and Configuring a Profile  68
  Creating and Configuring Policies  72
  Globally Binding Policies  79

Chapter 4  Profiles
  About Application Firewall Profiles  86
  Creating, Configuring, and Deleting a Profile  86
  Configuring the Security Checks  103
    Configuring the Security Checks at the Configuration Utility  105
    Configuring the Security Checks at the NetScaler Command Line  114
  Configuring the Profile Settings  121
    Configuring the Profile Settings at the Configuration Utility  121
    Configuring the Profile Settings at the NetScaler Command Line  124
  Configuring the Learning Feature  126

Chapter 5  Policies
  An Overview of Policies  137
  Creating and Configuring Policies  138
  Globally Binding a Policy  149

Chapter 6  Confidential Fields
  Adding Confidential Field Designations  155
  Managing Confidential Field Designations  162

Chapter 7  Field Types
  Configuring the Field Types Settings  167

Chapter 8  Imports
  Importing Configuration Elements  177

Chapter 9  The Engine Settings
  Session Cookie Name  183
  Session Timeout  184
  Client IP Header Name  185

Chapter 10  The Common Security Checks
  The Start URL Check  187
  The Deny URL Check  197
  The Cookie Consistency Check  205
  The Buffer Overflow Check  214
  The Credit Card Check  217
  The Safe Object Check  221

Chapter 11  The HTML Security Checks
  The Form Field Consistency Check  229
  The Field Formats Check  240
  The HTML Cross-Site Scripting Check  250
  The HTML SQL Injection Check  259

Chapter 12  The XML Security Checks
  The XML Format Check  271
  The XML Denial of Service Check  273
  The XML Cross-Site Scripting Check  277
  The XML SQL Injection Check  279
  The XML Attachment Check  282
  The Web Services Interoperability Check  284
  The XML Message Validation Check  287

Chapter 13  The PCI DSS Report
  About PCI DSS 1.2  293
  An Overview of the PCI DSS Report  293
  An Overview of the PCI DSS Standard  299

Chapter 14  Use Cases
  Protecting a Shopping Cart Application  304
    Creating and Configuring the Shopping Cart Profile  304
    Creating and Configuring a Shopping Cart Policy  320
  Protecting a Product Information Query Page  325
    Creating and Configuring a Product Query Profile  326
    Creating and Configuring a Product Query Policy  335
  Managing Learning  339

Glossary  345

Index  357

Appendix A  PCRE Character Encoding Format
  Representing UTF-8 Characters  383

Appendix B  PCI DSS Standard

Appendix C  Configuring for Large Files and Web Pages
  Overview  405
  Three Workarounds  405

Appendix D  SQL Injection Check Keywords

Appendix E  Cross-Site Scripting: Allowed Tags and Attributes
  Allowed Tags  417
  Allowed Attributes  418

Copyright and Trademark Notice

CITRIX SYSTEMS, INC., 2009. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.

    ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.

    CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

    The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

    Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

    You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:

    Move the NetScaler equipment to one side or the other of your equipment.

    Move the NetScaler equipment farther away from your equipment.

    Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

    Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

    BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

    Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, 1994. Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright 1995-1998 Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright 1992. Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright 1991-2, RSA Data Security, Inc. Created 1991. Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001 The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved.

    Last Updated: June 2009

Preface

    Before you begin to configure the Citrix Application Firewall, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface

About This Guide

    New in This Release

    Audience

    Formatting Conventions

    Getting Service and Support

    Documentation Feedback

About This Guide

The Citrix Application Firewall Guide provides an overview of two products: the standalone Citrix Application Firewall, and the Citrix NetScaler Application Firewall feature, an integrated part of the Citrix NetScaler Application Delivery System. Except for certain installation and basic configuration steps, these products are nearly identical. The guide explains what the Application Firewall is and does, and provides detailed instructions on installing, configuring, and managing it.

    This guide provides the following information:

    Chapter 1, Introduction. Provides an overview of the Application Firewall, including what it does and how it works.

    Chapter 2, Installation. Provides installation and configuration information for the standalone Citrix Application Firewall.

    Chapter 3, Configuration. Provides instructions on how to create your first Application Firewall profile, your first Application Firewall policy, and globally bind the policy. This process enables the Application Firewall to start protecting Web servers.


    Chapter 4, Profiles. Describes Application Firewall profiles and how to configure the security checks and other settings associated with profiles.

    Chapter 5, Policies. Describes Application Firewall policies, how to create a policy, and the structure of the expressions language used in creating policies.

    Chapter 6, Confidential Fields. Provides instructions on how to configure the Application Firewall Confidential Field settings.

    Chapter 7, Field Types. Provides instructions on how to configure the Application Firewall field types.

    Chapter 8, Imports. Provides instructions on how to import HTML error pages, XML error pages, XML schemas, and WSDL pages into the Application Firewall configuration.

    Chapter 9, The Engine Settings. Provides instructions on how to configure the Application Firewall global engine settings.

    Chapter 10, The Common Security Checks. Describes each Application Firewall security check that is common to all types of profile.

    Chapter 11, The HTML Security Checks. Describes each Application Firewall security check that applies to HTML-based Web applications and HTML content.

    Chapter 12, The XML Security Checks. Describes each Application Firewall security check that applies to XML-based Web services and XML content.

    Chapter 13, The PCI DSS Report. Describes the PCI DSS report.

    Chapter 14, Use Cases. Provides two use cases that describe how to configure the Application Firewall to protect a back-end SQL database, and scripted content that accesses and/or modifies information on other Web servers.

    Appendix A, PCRE Character Encoding. Provides a primer on using PCRE character encoding to represent non-ASCII characters in Application Firewall regular expressions.

Appendix B, PCI DSS Standard. Provides a copy of the official Payment Card Industry Data Security Standard (PCI DSS).

    Appendix C, Configuring for Large Files and Web Pages. Provides instructions on how to configure the Application Firewall to handle large uploaded files and large, complex Web pages with minimal impact on performance.

Appendix D, SQL Injection Check Keywords. Lists the SQL keywords that the Application Firewall SQL Injection security check looks for when examining requests.


    Appendix E, Cross-Site Scripting: Allowed Tags and Attributes. Lists the HTML tags and attributes that the Application Firewall Cross-Site Scripting security check will allow in requests without blocking the request.

New in This Release

NetScaler 9.1 nCore Technology is a new software release that uses multiple CPU cores for packet handling and greatly improves the performance of many NetScaler features. NetScaler 9.1 nCore does not support the Application Firewall. For a summary of the features that are not supported in NetScaler 9.1 nCore, see the Citrix NetScaler 9.1 and NetScaler 9.1 nCore Release Notes.

Audience

This guide is intended for the following audience:

    IT Managers. IT managers or other individuals responsible for managing your network.

    System Administrators. Any system administrators responsible for managing your standalone Citrix Application Firewall, or your Citrix NetScaler Application Accelerator or NetScaler appliance.

The concepts and tasks described in this guide require you to have a basic understanding of networking and firewall concepts and terminology, the HTTP protocol, HTML, XML and SOAP, and Web security.

Formatting Conventions

This documentation uses the following formatting conventions.

Boldface
    Information that you type exactly as shown (user input); elements in the user interface.

Italics
    Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).

%SystemRoot%
    The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.

Monospace
    System output or characters in a command line. User input and placeholders are also formatted using monospace text.

{ braces }
    A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

[ brackets ]
    Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:

    add lb vserver name serviceType IPAddress port [-range positiveInteger]

    Do not type the brackets themselves.

| (vertical bar)
    A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the listed load balancing methods:

    lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at http://support.citrix.com/.

You can also get support from Citrix Customer Service at http://www.citrix.com/. On the Support menu, click Customer Service.

In addition to the CSN program and Citrix Customer Service, Citrix offers the following support options for the Citrix Application Firewall.

Knowledge Center

The Knowledge Center offers a variety of self-service, Web-based technical support tools at http://support.citrix.com/.

Knowledge Center features include:

A knowledge base containing thousands of technical solutions to support your Citrix environment

An online product documentation library

Interactive support forums for every Citrix product

Access to the latest hotfixes and service packs

Knowledge Center Alerts that notify you when a topic is updated

Note: To set up an alert, sign in at http://support.citrix.com/ and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.

Security bulletins

Online problem reporting and tracking (for organizations with valid support contracts)

Silver and Gold Maintenance

In addition to the standard support options, Silver and Gold maintenance options are available. If you purchase either of these options, you receive documentation with special Citrix Technical Support numbers you can call.

Silver Maintenance Option

The Silver maintenance option provides unlimited system support for one year. This option provides basic coverage hours, one assigned support account manager for nontechnical relations management, four named contacts, and advance replacement of materials.

    Technical support is available at the following times:

    North America, Latin America, and the Caribbean: 8 A.M. to 9 P.M. U.S. Eastern Time, Monday through Friday

    Asia (excluding Japan): 8 A.M. to 6 P.M. Hong Kong Time, Monday through Friday

    Australia and New Zealand: 8 A.M. to 6 P.M. Australian Eastern Standard Time (AEST), Monday through Friday

    Europe, Middle East, and Africa: 8 A.M. to 6 P.M. Coordinated Universal Time (Greenwich Mean Time), Monday through Friday


Gold Maintenance Option

The Gold maintenance option provides unlimited system support for one year. Support is available 24 hours a day, 7 days a week. There is one assigned support account manager for nontechnical relations management, and there are six named contacts.

Subscription Advantage

Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information.

    You can find more information on the Citrix Web site at http://www.citrix.com/ (on the Support menu, click Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.

Education and Training

Citrix offers a variety of instructor-led and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification.

    Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.

    Information about programs and courseware for Citrix training and certification is available at http://www.citrixtraining.com.

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version.

    For NetScaler documentation, send email to [email protected].

    For Command Center documentation, send email to [email protected].


    For Access Gateway documentation, send email to [email protected].

    You can also provide feedback from the Knowledge Center at http://support.citrix.com/.

    To provide feedback from the Knowledge Center home page

    1. Go to the Knowledge Center home page at http://support.citrix.com/.

2. On the Knowledge Center home page, under Products, expand NetScaler Application Delivery, and click NetScaler Application Delivery Software 9.1.

    3. On the Documentation tab, click the guide name, and then click Article Feedback.

    4. On the Documentation Feedback page, complete the form and click Submit.


Chapter 1  Introduction

    The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to web sites that access sensitive business or customer information. It accomplishes this by filtering both requests and responses, examining them for evidence of malicious activity and blocking those that exhibit it.

To use the Application Firewall, you must configure at least one profile, which tells it what to do with the connections it filters, and at least one policy, which tells it which connections to filter, and then associate the profile with the policy. You can configure any number of profiles and policies to protect more complex web sites. The Engine Settings adjust how the Application Firewall operates on all connections, and you can enable, disable, and tune each security check separately. Finally, you can configure and run the included PCI DSS report to assess your security configuration for compliance with the PCI DSS standard.

    You can configure the Application Firewall using either the Citrix NetScaler Configuration Utility (configuration utility) or the Citrix NetScaler Command Line Interface (NetScaler command line).

    Note: The Application Firewall is not supported in NetScaler 9.1 nCore.
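The minimum configuration described above, one profile, one policy, and a global binding, expressed at the NetScaler command line. This is an added example written for this page, not commands quoted from this guide's Chapter 3. The profile and policy names (shop_prof, shop_pol), the host name shop.example.com and the binding priority 100 are assumptions; the lines beginning with # are commentary for the reader rather than input; and the policy rule uses the classic NetScaler expression syntax current in release 9.1.

```nscli
# Added example (not from this guide): profile -> policy -> global binding.
# Names shop_prof, shop_pol, host shop.example.com and priority 100 are
# assumptions. Lines beginning with # are commentary, not commands.

# 1. Enable the feature (harmless if it is already enabled).
> enable ns feature AppFw

# 2. Profile: what to do with the traffic it filters. Start URL and Deny URL
#    are set to log and keep statistics but not block, so the learning
#    feature can propose relaxations before enforcement is switched on.
> add appfw profile shop_prof
> set appfw profile shop_prof -startURLAction log stats -denyURLAction log stats

# 3. Policy: which traffic to filter. Only requests whose Host header
#    matches are handed to the profile.
> add appfw policy shop_pol "REQ.HTTP.HEADER Host CONTAINS shop.example.com" shop_prof

# 4. Bind the policy globally; lower priority numbers are evaluated first.
> bind appfw global shop_pol 100

# 5. Verify and persist. A policy does nothing until it is bound, and the
#    binding is lost at reboot unless the running configuration is saved.
> show appfw policy shop_pol
> save ns config

# 6. After the learned relaxations have been reviewed, turn on enforcement
#    per check rather than all at once.
> set appfw profile shop_prof -startURLAction block log stats -denyURLAction block log stats
```

Starting with log and stats only is deliberate: a check set to block on day one also blocks legitimate traffic that the learning feature has not yet seen, so enforcement is normally switched on check by check once the relaxations have been deployed and the logs show no false positives.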

What is the Application Firewall?

The Application Firewall is a filter that sits between web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects web servers and web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, web server software, and the underlying operating system.


The Application Firewall is available on two platforms. First, the Citrix Application Firewall is a standalone appliance based on the Citrix NetScaler Application Accelerator platform and the Citrix NetScaler Application Delivery System operating system. Second, the Citrix NetScaler Application Firewall feature is part of the Citrix NetScaler Application Delivery System, which runs on all models of the Citrix NetScaler Application Accelerator or Citrix NetScaler appliance. Therefore, users who want a dedicated Application Firewall can purchase a standalone Citrix Application Firewall. Users who want the Application Firewall functionality in addition to other NetScaler operating system features can purchase a new Citrix NetScaler appliance, or upgrade to version 9.1 of the NetScaler operating system and install it on their existing appliance.

    Note: Citrix also supports the Citrix Application Firewall EX, which is built on a different hardware and operating system platform than the Application Firewall discussed in this manual. The Citrix Application Firewall EX has its own separate documentation set. This manual does not apply to the Citrix Application Firewall EX. If you need to obtain the Citrix Application Firewall EX documentation, contact Citrix Customer Support for further assistance.

What the Application Firewall Does

The Citrix Application Firewall protects web servers and web sites from misuse by hackers and malware, such as viruses and trojans, by filtering traffic between each protected web server and the users that connect to any web site on that web server. The Application Firewall examines all traffic for evidence of attacks on web server security or misuse of web server resources, and takes the appropriate action to prevent these attacks from succeeding.

Most attacks against web servers and web sites are launched to accomplish one of two overall goals:

Obtaining private information. The Application Firewall watches for attacks intended to obtain sensitive private information from your web sites and the databases that your web sites can access. This information can include customer names, addresses, phone numbers, social security numbers, credit card numbers, medical records, and other private information. The hacker or malware author can then use this information directly, sell it to others, or both.

    Much of the information obtained by such attacks is protected by law, and all of it by custom and expectation. A breach of this type can have extremely serious consequences for customers whose private information was compromised. At best, these customers will have to exercise vigilance to prevent others from abusing their credit cards, opening unauthorized credit accounts in their name, or appropriating the customer's identity outright to commit criminal activities in their name (identity theft). At worst, the customers may face ruined credit ratings or even be blamed for criminal activities in which they had no part.

    If a hacker or malware author manages to obtain such information through your web site and then misuses it, that can create an embarrassing situation at best, and may expose your company to legal consequences.

    Obtaining unauthorized access and control. The Application Firewall watches for attacks intended to give the attacker access to and control of your web server without your knowledge or permission. This prevents hackers from using your web server to host unauthorized content, act as a proxy for content hosted on another server, provide SMTP services to send unsolicited bulk email, or provide DNS services to support these activities on other compromised web servers. Such activities constitute theft of your server capacity and bandwidth for purposes you did not authorize.

    By preventing unauthorized access to and control of your web servers, the Application Firewall also helps prevent the common practice of unauthorized modifications of your home page or other pages on your web site (or web site defacement).

    Most web sites that are hosted on hacked web servers (or compromised web servers) promote questionable or outright fraudulent businesses. For example, the majority of pharming web sites, phishing web sites, and child pornography web sites (or CP web sites) are hosted on compromised web servers. So are many sites that sell prescription medications without a prescription, illegal OEM copies of copyrighted software, and untested and often worthless quack medical remedies.

    If a hacker or malware author manages to host such a web site on your company's web server, or use your company's web server to provide spam support services, that can create an embarrassing incident at the very least.

    Many types of attacks can be used to obtain private information from or make unauthorized use of your web servers. These attacks include:

    Buffer overflow attacks. Sending an extremely long URL, cookie, or other bit of information to a web server in hopes of causing it or the underlying operating system to hang, crash, or behave in some manner useful to the attacker. A buffer overflow attack can be used to gain access to unauthorized information, to compromise a web server, or both.

    Cookie security attacks. Sending a modified cookie to a web server, usually in hopes of obtaining access to unauthorized content using falsified credentials.

  • 4 Citrix Application Firewall Guide

    Forceful browsing. Accessing URLs on a web site directly, without navigating to the URLs via hyperlinks on the home page or other common start URLs on the web site. Individual instances of forceful browsing may simply indicate a user who bookmarked a page on your web site, but repeated attempts to access non-existent content or content that users should never access directly often represent an attack on web site security. Forceful browsing is normally used to gain access to unauthorized information, but can also include a buffer overflow attack and be used to compromise your server.

    Web form security attacks. Sending inappropriate content to your web site using a web form. Inappropriate content can include modified hidden fields, HTML or code in a field intended for alphanumeric data only, an overly long string in a field that accepts only a short string, an alphanumeric string in a field that accepts only an integer, and a wide variety of other data that your web site does not expect to receive in that web form. A web form security attack can be used either to obtain unauthorized information from your web site or to compromise the web site outright, usually when combined with a buffer overflow attack.

    In addition to standard web form security attacks, there are two specialized types of attacks on web form security that deserve special mention:

    - SQL injection attacks. Sending an active SQL command or commands, built from SQL special characters and keywords, through a web form, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.

    - Cross-site scripting attacks. Using a script on a web page to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different web site. Since scripts can obtain information and modify files on your web site, allowing a script access to content on a different web site can provide an attacker the means to obtain unauthorized information, to compromise a web server, or both.

    XML security attacks. Sending inappropriate content to an XML-based web service, or attempting to breach security on your XML-based web service. A number of special attacks can be made against XML-based web services using XML requests that contain malicious code or objects. These include attacks based on badly formed XML requests (requests that do not conform to the W3C XML specification), XML requests used to stage a denial of service (DoS) attack, and XML requests that contain attached files that can breach site security.

    In addition to standard XML-based attacks, there are two specialized types of XML attacks that deserve special mention:


    - SQL injection attacks. Sending an active SQL command or commands, built from SQL special characters and keywords, in an XML-based request, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.

    - Cross-site scripting attacks. Using a script included in an XML-based web service URL to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different web service. Since scripts can obtain information and modify files using your web service, allowing a script access to content belonging to a different web service can provide an attacker the means to obtain unauthorized information, to compromise the web service, or both.

    The Application Firewall has special filters, or checks, that look for each of these types of attack and prevent them from succeeding. The checks use a range of filters and techniques to detect each attack, and respond to different types of attacks or potential attacks differently. A potential attack that does not pose a significant threat may simply be logged. If the same pattern of activity does not recur, it probably was not a deliberate attack and no further action is needed. A series of potential attacks may require a different response, which may include blocking further requests from that source.

    The greatest threat against web sites and web services does not come from known attacks, however. It comes from new and unknown attacks, attacks for which the Application Firewall may not yet have a specific check. For this reason, the core Application Firewall methodology does not rely upon specific checks. It relies upon comparing requests and responses to a profile of normal use of a protected web site or web service. The user helps create the profile during initial configuration and at intervals thereafter by providing certain information to the Application Firewall. The Application Firewall then generates the rest of this profile using its learning feature.

    Thereafter, if a request or response falls outside of the profile for that web site or web service, either the threat in the request or response is neutralized, or the request or response is blocked. This is called a positive security model, and allows the Application Firewall to protect a web site or web service against attacks for which it may not yet have specific checks.

    In summary, the Application Firewall prevents outsiders from misusing your web sites and web services for their own purposes. It ensures that your web sites and web services are used as you intended them to be used, for your benefit and that of your customers.

    The following section explains in more detail how the Application Firewall performs these tasks.


    How the Application Firewall Works

    The Application Firewall protects your web sites and web services by filtering traffic to and from them, and blocking or rendering harmless any attacks or threats that it detects. This subsection provides an outline of the filtering process it uses to accomplish this.

    The platform on which the Application Firewall is built is the Citrix NetScaler Application Delivery product line, which can be installed as either a layer 3 network device or a layer 2 network bridge between your servers and your users, usually behind your company's router or firewall. Depending on which Application Firewall model you have and which other tasks it performs, you may install it in different locations and configure it differently. To function, however, an Application Firewall must be installed in a location where it can intercept traffic between the web servers you want to protect and the hub or switch through which users access those web servers. You then configure the network to send requests to the Application Firewall instead of directly to your web servers, and responses to the Application Firewall instead of directly to your users.

    The Application Firewall then filters that traffic before forwarding it to its final destination. It examines each request or response using both its internal rule set and your additions and modifications. In addition to profiling the web servers it protects using its learning feature, the Application Firewall also profiles each specific user's session in real time to determine if incoming traffic from that user to your web server, and outgoing traffic from your web server to that user, is appropriate in light of previous requests from the user during the current session.

    It then blocks or renders harmless any requests or responses that trigger a specific check or that fail to match the web site profile. The figure below provides an overview of the filtering process.


    A Flowchart of Application Firewall Filtering

    As the figure shows, when a user requests a URL on a protected web server, the Application Firewall first examines the request to ensure that it violates no network security rules. These rules check for DoS attacks and other types of network attacks that are not specific to web servers. Many of those attacks do not require the same level of analysis to detect as many web site or web services attacks do. Detecting and stopping these attacks before analyzing requests further reduces overall load on the Application Firewall.

    If the request passes network security inspection, the Application Firewall checks to see if the request needs further filtering. Requests for certain types of content, such as image files, do not require further analysis. Requests for HTML-based web pages, web services, or active content do require further analysis, and are passed to the Application Firewall filtering engine.


    The Application Firewall then examines the request, applying all relevant checks and comparing it to the profile it has of the protected web site or web service. If the request passes the Application Firewall security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall passes the request on to the server.

    The web site or web service sends its response back to the Application Firewall, which examines the response. If the response does not violate any security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall forwards the response to the user. This process is repeated for each request and response.

    In summary, the Application Firewall filters HTTP traffic for security-related issues at two points in the HTTP request/response cycle: it filters requests before they are sent to the server, and responses before they are sent to the user. When it detects a problem, it either neutralizes the problem or, if it cannot, blocks the request or response.
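    The filtering order just described (skip requests that need no further analysis, apply the profile checks, act on the result) and the positive security model described earlier in this chapter, as an added example in Python that is not part of this guide or of the NetScaler software. The length limits and action words follow the profile printed in the command line section later in this chapter; the Request and Profile structures, the static-content rule, and the way Start URL closure reuses links served to the session are simplifying assumptions of this example.

```python
"""Added example, not Citrix code: a toy model of the request filtering
pipeline and positive security model this chapter describes.

Order follows the text: skip requests that need no further analysis (images),
apply profile checks (buffer-overflow length limits and the Start URL
positive model), and return the configured action.  Limits and action words
come from the profile shown in the CLI section; the Request/Profile
structures and the way StartURLClosure reuses links seen in earlier
responses are simplifying assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Profile:
    start_urls: list                      # regexes of allowed entry-point paths
    start_url_closure: bool = False       # also allow links served to this session
    start_url_action: frozenset = frozenset({"block", "log", "stats"})
    buffer_overflow_action: frozenset = frozenset({"block", "log", "stats"})
    max_url_length: int = 1024            # BufferOverflowMaxURLLength
    max_header_length: int = 4096         # BufferOverflowMaxHeaderLength
    max_cookie_length: int = 4096         # BufferOverflowMaxCookieLength


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


# Content the text says needs no further analysis after the network checks
# (assumed list of static-file suffixes).
STATIC_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".css", ".ico")
HREF_RE = re.compile(r'href="([^"]+)"')


def needs_filtering(req):
    """Image and other static requests bypass the filtering engine."""
    return not urlsplit(req.url).path.lower().endswith(STATIC_SUFFIXES)


def buffer_overflow_check(req, profile):
    """Report any URL, header, or cookie longer than the profile allows."""
    reasons = []
    if len(req.url) > profile.max_url_length:
        reasons.append("URL length %d > %d" % (len(req.url), profile.max_url_length))
    for name, value in req.headers.items():
        limit = profile.max_cookie_length if name.lower() == "cookie" else profile.max_header_length
        if len(value) > limit:
            reasons.append("%s length %d > %d" % (name, len(value), limit))
    return reasons


def start_url_check(req, profile, session):
    """Positive model: a path is allowed only if it is a configured Start URL,
    or (with closure on) a link the session already received in a response."""
    path = urlsplit(req.url).path
    if any(re.fullmatch(p, path) for p in profile.start_urls):
        return []
    if profile.start_url_closure and path in session.get("seen_links", set()):
        return []
    return ["%s is not a Start URL or a previously served link" % path]


def record_response_links(session, html):
    """Response side: remember the links served to this session so that
    closure can allow them on the next request."""
    seen = session.setdefault("seen_links", set())
    for href in HREF_RE.findall(html):
        seen.add(urlsplit(href).path)
    return seen


def filter_request(req, profile, session=None):
    """Return ('forward', []), ('block', reasons) or ('log', reasons)."""
    session = {} if session is None else session
    if not needs_filtering(req):
        return "forward", []
    hits = []   # (action set, reasons) for each check that fired
    reasons = buffer_overflow_check(req, profile)
    if reasons:
        hits.append((profile.buffer_overflow_action, reasons))
    reasons = start_url_check(req, profile, session)
    if reasons:
        hits.append((profile.start_url_action, reasons))
    if not hits:
        return "forward", []
    all_reasons = [r for _, rs in hits for r in rs]
    # Any check configured to block wins; otherwise the request is only logged.
    if any("block" in action for action, _ in hits):
        return "block", all_reasons
    return "log", all_reasons
```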

    The Application Firewall Platform

    The Citrix Application Firewall is built on the NetScaler operating system platform. It is fully integrated into the appliance platform and interoperates cleanly with all other appliance features. The appliance software runs on several types of hardware and a range of different servers optimized for different levels and types of network traffic. All are collectively referred to as the Citrix NetScaler Application Delivery product line. As of the NetScaler operating system 8.0 release, the Application Firewall has been available as a licensed feature. You can also purchase a standalone Citrix Application Firewall based on the same platform.

    For more information about the hardware platforms in the Citrix NetScaler Application Delivery product line, see Installing the Server on page 19. For complete information about the Citrix NetScaler Application Delivery product line, see the Installation and Configuration Guide.

    The Application Firewall on a Network

    To do its work properly, any Application Firewall model must be installed in the right place on your network. The location must allow traffic to and from your protected web servers to be routed through the Application Firewall. You can ensure this by installing the Application Firewall in a location where traffic to and from your web servers must pass through it, or you can use virtual LANs (VLANs) to ensure that your network can distinguish between packets that need to be routed to the Application Firewall, and packets that the Application Firewall has already filtered and that can be sent to the web server or user, as appropriate.


    Although the appliances in the Citrix NetScaler Application Delivery product line are normally installed as layer 3 devices, none of them acts like a traditional layer 3 or layer 4 firewall when filtering traffic to and from your protected web servers. The Application Firewall itself analyzes only HTTP requests and responses, and analyzes HTTP traffic at a different level than a traditional firewall does. Therefore, only requests to your web sites or web services that might contain attacks are sent to the Application Firewall.

    A NetScaler appliance must see and route other types of traffic than simply HTTP connections because it will have multiple appliance features licensed and enabled. Some of the other appliance features block DoS and DDoS attacks, accelerate throughput to and from your applications, and provide secure access to servers and applications. When installing a NetScaler appliance, you will therefore need to determine the best location in light of all the features you plan to use. The appliance OS then determines which packets need to be processed by the Application Firewall and routes only those packets to it.

    If you are installing or already use a NetScaler appliance and have licensed the Application Firewall feature, you must first determine which other appliance features you will use in addition to the Application Firewall. You should then determine where on your network to install your NetScaler appliance so that it can intercept all incoming traffic that it must process, and as little additional traffic as possible.

    The best solution will depend heavily on the configuration of your individual network. Because a NetScaler appliance is a multipurpose appliance, you probably will need to install it in a central location in your network, where it can intercept much (if not all) traffic entering your network from the outside. You may also not have the option of installing it within the same subnet as the servers that host your protected web sites or web services.

    These factors will require some additional configuration of your NetScaler appliance so that it can identify and properly route traffic to the Application Firewall.

    The User Interfaces

    All models in the Citrix NetScaler Application Delivery product line can be configured and managed from either of two different user interfaces: the command line-based Citrix NetScaler Command Line Interface (the NetScaler command line) and the web-based Citrix NetScaler Configuration Utility (the configuration utility).


    The Citrix NetScaler Command Line Interface

    The Citrix NetScaler Command Line Interface (NetScaler command line) is a modified UNIX shell based on the FreeBSD bash shell. To configure the Application Firewall using the NetScaler command line, you type commands at the prompt and press the Enter key, just as you do with any other Unix shell. The figure below shows the NetScaler command line as it appears immediately after you log on.

    Note: The actual appearance of the NetScaler command line window varies somewhat depending on which SSH program you use to connect to the NetScaler command line.

    The NetScaler command line after Logging On

    The format of NetScaler command line commands is:

    > action groupname entity name [-parameter]


    For action, you substitute the action you want to perform. For groupname, you substitute the groupname associated with the feature or task. For entity, you substitute the specific type of object you are viewing or changing. For name, you substitute the IP, hostname, or other specific name for the entity. Finally, for [-parameter], you substitute one or more parameters (if any) that your command requires.

    For example, you use the add appfirewall profile command to create a profile named HTML with basic defaults, as shown below.

    > add appfirewall profile HTML -defaults basic
    Done
    >

    In this command, add is the action; appfirewall is the groupname; profile is the entity; HTML is the name; and -defaults basic is the parameter. Since the command produces no output, the NetScaler command line simply informs you that it has performed the command by printing Done, and then returns to the prompt.

    You use the show appfirewall profile command to review all profiles that currently exist on your Application Firewall, as shown below:

    > show appfw profile
    3) Name: HTML1 ErrorURL: / StripComments: ON DefaultCharSet: iso-8859-1
       StartURLAction: block log stats StartURLClosure: OFF
       DenyURLAction: block log stats XSSAction: block log stats
       XSSTransformUnsafeHTML: OFF XSSCheckCompleteURLs: OFF
       SQLAction: block log stats SQLTransformSpecialChars: OFF
       SQLOnlyCheckFieldsWithSQLChars: ON FieldConsistencyAction: none
       CookieConsistencyAction: none BufferOverflowAction: block log stats
       BufferOverflowMaxURLLength: 1024 BufferOverflowMaxHeaderLength: 4096
       BufferOverflowMaxCookieLength: 4096 FieldFormatAction: block log stats
       DefaultFieldFormatType: "" DefaultFieldFormatMinLength: 0
       DefaultFieldFormatMaxLength: 65535 CommerceAction: block log stats
       CommerceCard: CommerceMaxAllowed: 0 CommerceXOut: OFF
    Done
    >

    Unlike the add appfirewall profile command, this command has output, and that output is displayed beneath the line where you typed the command. The output terminates with Done, and beneath that, a new prompt is displayed. Another useful command, the show config command, lacks everything after the groupname. It has no entity or parameters, as shown below.


    > show config
    NetScaler IP: 192.168.100.42 (mask: 255.255.255.0)
    Number of MappedIP(s): 1
    Node: Standalone
    Global configuration settings:
    HTTP port(s): (none)
    Max connections: 0
    Max requests per connection: 0
    Client IP insertion: DISABLED
    Cookie version: 0
    Min Path MTU: 576
    Path MTU entry timeout: 10
    FTP Port Range: 0
    Done
    >

    You use the show config command to determine the appliance IP and global configuration settings. To determine the settings for any specific configuration area, you use the show action with the appropriate groupname and entity, as you did above to view the Application Firewall profile settings.

    There are an enormous number of commands and variations available at the NetScaler command line. A small number of these commands that you can use to configure various parts of the Application Firewall are described in this manual. For a complete description of the commands available at the NetScaler command line, see the Citrix NetScaler Command Reference Guide.
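    As an added example that is not part of this guide or of the NetScaler software: parsing the show appfw profile output shown above into its fields and reviewing which checks are set to block. The sample text is constructed from the profile printed above; the review rules are this example's own, not a Citrix baseline.

```python
"""Added example, not Citrix code: parse the 'show appfw profile' output shown
in this chapter into fields and review which checks are set to block.

The output prints each profile as a numbered run of 'Field: value' pairs,
where a value may be several words ('block log stats'), empty (CommerceCard:)
or an empty quoted string (""), so the parser splits on the field names
rather than on whitespace.  SAMPLE_OUTPUT is constructed from the profile
printed in the text; the review rules are this example's own.
"""
import re

# Constructed sample, laid out like the command output in the text.
SAMPLE_OUTPUT = """> show appfw profile
3) Name: HTML1 ErrorURL: / StripComments: ON DefaultCharSet: iso-8859-1
   StartURLAction: block log stats StartURLClosure: OFF
   DenyURLAction: block log stats XSSAction: block log stats
   XSSTransformUnsafeHTML: OFF XSSCheckCompleteURLs: OFF
   SQLAction: block log stats SQLTransformSpecialChars: OFF
   SQLOnlyCheckFieldsWithSQLChars: ON FieldConsistencyAction: none
   CookieConsistencyAction: none BufferOverflowAction: block log stats
   BufferOverflowMaxURLLength: 1024 BufferOverflowMaxHeaderLength: 4096
   BufferOverflowMaxCookieLength: 4096 FieldFormatAction: block log stats
   DefaultFieldFormatType: "" DefaultFieldFormatMinLength: 0
   DefaultFieldFormatMaxLength: 65535 CommerceAction: block log stats
   CommerceCard: CommerceMaxAllowed: 0 CommerceXOut: OFF
Done
>
"""

# A field name is a capitalised word followed by ':' and whitespace.  Requiring
# the capital keeps a URL scheme such as 'http:' inside an ErrorURL value from
# being mistaken for a field name.
FIELD_RE = re.compile(r"(?:(?<=\s)|^)([A-Z][A-Za-z0-9]*):(?=\s|$)")

# Fields whose value is the action list of one Application Firewall check.
ACTION_FIELDS = (
    "StartURLAction", "DenyURLAction", "XSSAction", "SQLAction",
    "FieldConsistencyAction", "CookieConsistencyAction",
    "BufferOverflowAction", "FieldFormatAction", "CommerceAction",
)


def parse_show_appfw_profile(text):
    """Return one {field: value} dict per numbered profile entry."""
    lines = [l for l in text.splitlines()
             if l.strip() and l.strip() != "Done" and not l.lstrip().startswith(">")]
    entries = re.split(r"^\s*\d+\)\s*", "\n".join(lines), flags=re.MULTILINE)
    profiles = []
    for entry in entries:
        flat = " ".join(entry.split())          # collapse the wrapped lines
        if not flat:
            continue
        parts = FIELD_RE.split(flat)            # ['', name, value, name, value, ...]
        fields = {parts[i]: parts[i + 1].strip().strip('"')
                  for i in range(1, len(parts) - 1, 2)}
        profiles.append(fields)
    return profiles


def review_profile(fields):
    """Return findings for checks that do not block, or that block without logging."""
    findings = []
    for name in ACTION_FIELDS:
        actions = set(fields.get(name, "none").split())
        if "block" not in actions:
            findings.append("%s is '%s': violations are not blocked"
                            % (name, fields.get(name, "unset")))
        elif "log" not in actions:
            findings.append("%s blocks but does not log" % name)
    return findings


def review_output(text):
    """Parse a whole command output and return {profile name: findings}."""
    return {p.get("Name", "?"): review_profile(p) for p in parse_show_appfw_profile(text)}
```

    Run against the sample above, the review reports the two consistency checks (FieldConsistencyAction and CookieConsistencyAction) as set to none, which is where hidden-field and cookie tampering would go unblocked.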

    The Citrix NetScaler Configuration Utility

    The configuration utility is a web-based interface used to configure the Application Firewall. You can perform almost any configuration task using the configuration utility. Less experienced users usually find the configuration utility the easiest interface to use.

    The figure below shows the configuration utility's System Overview screen.


    The Citrix NetScaler Configuration Utility, System Overview

    Note: The items displayed in the navigation tree on the left of the configuration utility window differ depending on which features are licensed on your NetScaler appliance.

    The configuration utility screen has three areas that organize the work of configuring all the features you licensed on your Citrix NetScaler Application Accelerator or NetScaler appliance.

    Logo bar. The logo bar extends along the top of the configuration utility window. On the left the Citrix logo and Access Gateway Enterprise Edition title appear. On the right is a horizontal row of global hyperlinks that allow you to control the look and feel of the configuration utility screen, save your settings, do a complete refresh of the entire configuration utility display, log out, and access the online help.

    Navigation tree. The navigation tree extends down the left side of the screen, and provides a collapsible menu that contains links to all screens in the configuration utility. To navigate to a screen within a category, you click the plus (+) sign to expand that category. When a submenu is open, the plus sign changes to a minus (-) sign and all screens and subcategories within that category are displayed.

    - To display a category or subcategory, you click the plus sign beside the category or subcategory title.


    - To collapse a category or subcategory that has been displayed, you click the minus sign beside the title of that category.

    Page Title bar. The page title bar extends horizontally across the screen, directly beneath the logo bar and to the right of the navigation menu. It contains the title of the current page, and on the right a button that allows you to refresh just that page.

    Page Data area. The page data area contains the information for the page you have displayed at the time. If the data area contains more information than can easily fit on one page, it may have multiple pages that you access by clicking tabs at the top of the data area. For example, the System Overview screen shown in the screen shot titled The Citrix NetScaler Configuration Utility, System Overview on page 13 has two tabs: the System Information and System Sessions tabs.

    Note: The data area on most pages in the configuration utility is read-only. To add a configuration entry or modify an existing configuration entry, you normally click the appropriate button at the bottom of the data area and use the dialog box that appears to make your changes.

    In addition to the main screens, the configuration utility makes considerable use of wizards and other types of dialog boxes. A dialog box is a standalone window that asks you a question or prompts you to fill in a form that asks for a set of related data points. You click a button at the bottom or the right of the dialog box to respond to the question (usually a Yes or No button) or to indicate that you've finished filling in the form (usually an OK or Cancel button). Wizards organize a related set of tasks in a logical workflow, displaying each task on a separate page and prompting you to perform that task before you proceed to the next task. The pages within a wizard also contain short explanations of what each task is for and what it does.

    To use a wizard, you simply follow the instructions on each page, and when you have finished, click the Next > button to proceed to the next page and next task. If, at any point, you need to change a setting you made on a previous page, you can click the < Back button to return to that page and modify your work. Then, you click the Next > button to return to the task you were completing previously.

    You are likely to encounter two wizards quickly: the Setup Wizard and Upgrade Wizard. The figure below shows the first screen of the Setup Wizard.


    The Setup Wizard, First Screen

    The Setup Wizard takes you through the process of initial configuration of your NetScaler appliance, prompting you for the necessary information at each step. The Setup Wizard and other wizards in the configuration utility can make the sometimes-daunting job of configuring a new NetScaler appliance much easier.

    The figure below shows the first screen of the Upgrade Wizard.

    The Upgrade Wizard, First Screen


    The Upgrade Wizard, like the Setup Wizard, takes you through a set of screens. Instead of performing an initial configuration, however, it takes you through the process of upgrading your NetScaler appliance, prompting you for the necessary information at each step.

    This concludes the current chapter.

    If you are installing a new Citrix NetScaler appliance, proceed to Chapter 2, Installation, on page 17.

    If you are upgrading the NetScaler operating system on a Citrix NetScaler appliance that you already own, and want to enable and configure the Citrix NetScaler Application Firewall feature, proceed directly to Chapter 3, Simple Configuration, on page 67.

    CHAPTER 2

    Installation

    This chapter contains basic installation instructions for two types of system:

    The standalone Citrix Application Firewall, built on the Citrix NetScaler platform.

    Any appliance in the Citrix NetScaler Application Delivery product line that runs the Citrix NetScaler Application Firewall feature.

    Note: If you already have a NetScaler appliance installed on your network, have just upgraded to the NetScaler 9.1 release, and have licensed the Citrix NetScaler Application Firewall feature, you do not need to read this chapter. Your appliance is already installed and has already had initial configuration performed on it. Skip to Chapter 3, Simple Configuration, on page 67.

    The first section provides a detailed look at all of the hardware platforms (or appliances) on which the standalone or embedded Application Firewall runs, shows where ports and other important features are located on each unit, and explains what you must do to get the appliance properly installed on your network. The second section describes what you must do to perform initial configuration of the NetScaler operating system.

    When you have finished installing the appliance and performing initial configuration, your appliance will be ready for you to configure the Application Firewall itself.

    Planning the Installation

    The Citrix NetScaler Application Delivery product line supports a wide range of installation modes, depending on which NetScaler features you will use and how your network is set up. This section provides instructions for installing a standalone Citrix Application Firewall, or for performing a simple installation of a single Citrix NetScaler appliance. For more detailed information about a wider range of available configurations, including high availability (HA) pairs and SSL VPN, see the Installation and Configuration Guide, Volume 1, Chapter 2, Installing the Application Switch.


    The NetScaler appliance can be installed with a single connection via one hub or switch to your network (called one-arm mode), or with two connections to different hubs or switches to two different subnets (called two-arm mode). The following figure provides a conceptual illustration of both modes.

    Citrix NetScaler appliance Installation Modes

    Each installation mode has its advantages. With a one-arm mode installation, you do not have to worry about complex webs of connections. You simply connect the appliance and the web servers it protects to a single layer 2 switch, and set up VLANs to handle routing. With a two-arm mode installation, however, the appliance is physically located between the web servers it protects and your users. Connections must pass through it, minimizing chances that a route can be found around it. This may enhance security.

    You must also consider whether to install the appliance on the same subnet as the web servers it protects, or on a different subnet from some or all of them. In a single subnet networking environment, the appliance's IP address, mapped IP address (MIP) and the IP address of all servers the Application Firewall manages are on the same subnet. Installation on a single subnet is easier to configure, but may require more work overall if the web servers you want to protect are currently on different subnets or are installed on a subnet which cannot accommodate the appliance.

    Figure labels: One-Arm Mode and Two-Arm Mode, each showing a Router, Layer 2 Switch, Application Firewall, and Protected Web Servers.


    In a multiple subnet networking environment, the appliance's IP address, mapped IP address (MIP), and the IP addresses of the servers it connects to are on two or more subnets. Installation on multiple subnets may require that you add static routes and make other configuration adjustments to ensure that the appliance and the servers it manages are able to connect to each other correctly, and that incoming traffic to a managed server goes through the NetScaler appliance before being sent to the managed server.

    There is no single right configuration for installations. You should review your network and decide where to install your appliance based on which features you will enable and which servers it will manage. Once you have decided where to install your appliance and how to connect it to your network, you can proceed with the installation.

    Installing the Server

    This section describes how to install your NetScaler appliance in your server room. It describes the hardware platforms on which these servers are built, and tells you how to operate each unit properly.

    As of the current release, the hardware platforms on which all models in the Citrix NetScaler Application Delivery product line are available are the Citrix NetScaler 7000, the Citrix NetScaler 9000, the Citrix NetScaler 9010, the Citrix NetScaler 10000, the Citrix NetScaler 10010, the Citrix NetScaler 12000, the Citrix NetScaler MPX 15000, and the Citrix NetScaler MPX 17000. The Application Firewall can be licensed on any of these hardware platforms as part of any model of the NetScaler appliance. The standalone Citrix Application Firewall is available on the Citrix NetScaler 7000 and the Citrix NetScaler 12000 platforms.

    Before installing your appliance, you must first determine which hardware platform your Application Firewall uses.

    Citrix NetScaler 7000. If you are installing a unit built on the 7000 platform, proceed to The Citrix NetScaler 7000 on page 20.

    Citrix NetScaler 9010. If you are installing a unit built on the 9010 platform, proceed to The Citrix NetScaler 9010 on page 22.

    Citrix NetScaler 10010. If you are installing a unit built on the 10010 platform, proceed to The Citrix NetScaler 10010 on page 26.

    Citrix NetScaler 12000. If you are installing a unit built on the 12000 platform, proceed to The Citrix NetScaler 12000 on page 30.

    Citrix NetScaler MPX 15000. If you are installing a unit built on the 15000 platform, proceed to The Citrix NetScaler MPX 15000 on page 33.

  • 20 Citrix Application Firewall Guide

    Citrix NetScaler MPX 17000. If you are installing a unit built on the 17000 platform, proceed to The Citrix NetScaler MPX 15000 on page 33.

    The Citrix NetScaler 7000

    The Citrix NetScaler 7000 model is a single processor, 1U unit that supports both Fast Ethernet and copper Gigabit Ethernet. The unit ships with 1 GB of memory by default. The 7000 handles up to 50,000 HTTP requests per second and up to 4,400 SSL transactions per second. It has a system throughput of 600 Mbps, and SSL and compression throughputs of 150 Mbps.

    The figure below contains a drawing of the 7000 as seen from the front, with ports and important features labeled.

    The Citrix NetScaler 7000, From the Front

    You use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

    The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.

    The Citrix NetScaler 7000 has the following ports on the front of the unit:

    Four 10/100Base-T network interfaces (labeled 1/1, 1/2, 1/3, and 1/4)

    Two 10/100/1000Base-T network interfaces (labeled 1/5 and 1/6)

    Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

    You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable, as described in Using the Configuration Utility, on page 40.

    The figure below shows a drawing of the 7000 from the back, with important features labeled.

    The Citrix NetScaler 7000, From the Back

    To plug in the 7000, simply insert the supplied power cord into the power supply, and plug the other end into an appropriately grounded outlet. To power down the 7000, you should first execute a controlled shutdown via the CLI or GUI. Then, press the main power supply switch on the rear right-hand side of the unit to switch the unit off.

    Before you install the 7000, ensure that you have the following items available:

    The power cord and serial cable, which are supplied with the 7000.

    One to four ethernet cables, which are not supplied with the unit.

    Four rack screws and a screwdriver.

    You are now ready to install the 7000.

    To install the Citrix NetScaler 7000 in your server room

    1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

    Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

    2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration.

    If you are installing the appliance on your server room rack, you should install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance.

    Use four rack screws to secure the unit to the rack.

    [Figure labels, The Citrix NetScaler 7000, From the Back: Power Supply, Fan, Hard Disk, Power Switch, Second Power Switch, Compact Flash Drive and Release Button]

    3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

    Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

    4. Turn on the appliance by tapping the power switch quickly, and then letting up.

    The appliance will perform a series of power-on tests that take approximately a minute as it comes up.

    You have now successfully installed your Citrix NetScaler 7000. Proceed to Performing Initial Configuration, on page 39 to configure it.

    The Citrix NetScaler 9010

    The Citrix NetScaler 9010 is a single processor, 2U unit that ships with 2 GB of memory. The user can specify either four fiber Gigabit 1000Base-X optical ethernet ports (fiber version) or four 10/100/1000Base-T copper ethernet ports (copper version) when ordering the unit. The 9010 can process up to 125,000 HTTP requests per second and 4,400 SSL requests per second. It has 2,000 Mbps system throughput, 500 Mbps SSL throughput, and 400 Mbps compression throughput.

    The figure below shows a drawing of the 9010 (fiber version) as seen from the front, with ports and important features labeled clearly.

    The Citrix NetScaler 9010 (fiber version), From the Front

    The 9010 (fiber version) has the following ports on the front:

    [Figure labels, The Citrix NetScaler 9010 (fiber version), From the Front: Four Optical 1000Base-X Ethernet Ports, RS232 Serial Port, LCD Display, Rack mounts, Handles to carry the unit]

    Four fiber Gigabit 1000-Base-X optical network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.

    Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

    When facing the bezel, the upper LEDs to the left of each port inset represent connectivity. They are lit and amber in color when active. The lower LEDs represent throughput. They are lit and green when active.

    The figure below shows a drawing of the 9010 (copper version) as seen from the front, with ports and important features labeled clearly.

    The Citrix NetScaler 9010 (copper version), From the Front

    The 9010 (copper version) has the following ports on the front:

    Four 10/100/1000-Base-T copper ethernet network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.

    Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

    For both 9010 versions, you use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

    The LCD display on both versions consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.

    You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable. The figure below shows the 9010 from the back, with ports and important features clearly labeled.

    [Figure labels, The Citrix NetScaler 9010 (copper version), From the Front: Four 10/100/1000Base-T Copper Ethernet Ports, RS232 Serial Port, LCD Display, Rack mounts, Handles to carry the unit]

    The Citrix NetScaler 9010, From the Back

    To power the unit off, you press the left side of the power switch until it clicks down. To power it on, you press the right side until it clicks down.

    You can use the 10/100/1000Base-T copper ethernet port to connect the unit to a secure control network that you then use to configure and manage the unit. The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

    The appliance has two power supplies. Normally you will want to plug in two power cords, one into each power supply and then into separate wall sockets. The unit functions properly with only one working power supply; however, the second power supply serves as a fail-safe precaution.

    In the event that one power supply fails, or if you choose to connect only one power cord to the unit, an alarm sounds. You push the Disable Alarm button to silence the alarm.

    Caution: If you choose to continue operating the 9010 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

    Before you install the 9010, ensure that you have the following items available:

    The power cord and serial cable, which are supplied with the 9010.

    One to four ethernet cables, which are not supplied with the unit.

    If you are installing a 9010 (fiber version), four Finisar Active Copper SFP transceivers, which are also supplied with the appliance.

    Four rack screws and a screwdriver.

    You are now ready to install the 9010.

    [Figure labels, The Citrix NetScaler 9010, From the Back: Two removable power supplies, Hard disk, Power switch, Non-maskable interrupt (NMI) button, Compact flash drive and release button, 10/100Base-T copper Ethernet port, Disable alarm button]

    To install the Citrix NetScaler 9010 in your server room

    1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

    Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

    2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration.

    If you are installing the appliance on your server room rack, you should install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance.

    Use four rack screws to secure the unit to the rack.

    3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

    Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

    4. Turn on the appliance by tapping the power switch quickly, and then letting up.

    The appliance will perform a series of power-on tests that take approximately a minute as it comes up.

    5. Take an ethernet cable, connect one end to interface number 1/4, and connect the other end to the switch or hub that leads to your WAN or the internet.

    If you want, you can use a different interface number. The appliance detects which interfaces are in use and which networks they are connected to automatically.

    6. If you are installing your appliance in two-arm mode, take another ethernet cable, connect one end to interface number 1/3, and connect the other end to the switch or hub that leads to your LAN.

    Again, if you want, you can use a different interface number.

    You have now successfully installed your Citrix NetScaler 9010. Proceed to Performing Initial Configuration, on page 39 to configure it.

    The Citrix NetScaler 10010

    The Citrix NetScaler 10010 is a single processor, 2U unit that ships with 2 GB of memory, four fiber Gigabit 1000Base-X optical ethernet ports, and four 10/100/1000Base-T copper ethernet ports by default. The unit can process up to 255,000 HTTP requests per second and 8,800 SSL requests per second. It has 4,800 Mbps system throughput, 760 Mbps SSL throughput, and 555 Mbps compression throughput.

    The following figure shows a drawing of the 10010 as seen from the front, with ports and other important features clearly labeled.

    The Citrix NetScaler 10010, From the Front

    The 10010 has the following ports on the front:

    Four fiber Gigabit 1000-Base-X optical network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.

    Four 10/100/1000-Base-T copper ethernet network interfaces, labeled 1/5, 1/6, 1/7, and 1/8.

    Serial port (9600 baud, 8 bits, 1 stop bit, No parity).

    When facing the bezel, the upper LEDs to the left of each fiber port represent connectivity. They are lit and amber in color when active. The lower LEDs represent throughput. They are lit and green when active.

    You use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

    The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.

    [Figure labels, The Citrix NetScaler 10010, From the Front: Four gigabit SFP ports, Four 10/100/1000Base-T copper Ethernet ports, RS232 serial console port, LCD display, Rack mounts, Handles to carry the unit]

    If you choose, you can convert the 1000Base-X ports on the unit to 10/100/1000Base-T ports using the Finisar Active Copper SFP transceiver. The following figure shows examples of the transceivers, and how they plug into the 1000base-X ports to convert them to copper ethernet ports.

    The Citrix NetScaler 10010, From the Front, Details

    To insert a transceiver into a 1000Base-X port, you must first lower the transceiver lock bar into its unlocked position. You next insert the transceiver into the port, and press firmly until it clicks into place. Finally, you raise the lock bar to its up/locked position, and plug an ethernet cable into the port.

    Note: If you do not insert and lock the transceiver correctly, you will be unable to plug an ethernet cable into the port.

    You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable. For more information on how to do this, see To log on to the NetScaler command line via the serial port on page 60.

    The following figure shows the 10010 from the back, with ports and important features clearly labeled.

    [Figure labels, The Citrix NetScaler 10010, From the Front, Details: Finisar Active Copper SFP Transceivers plugged in and locked in place; transceiver unlocked position, from side; transceiver locked position, from side]

    The Citrix NetScaler 10010, From the Back

    To power the unit off, you press the left side of the power switch until it clicks down. To power it on, you press the right side until it clicks down.

    You can use the 10/100/1000Base-T copper ethernet port to connect the unit to a secure control network that you then use to configure and manage the unit. The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

    The unit has two power supplies. Normally you will want to plug in two power cords, one into each power supply and then into separate wall sockets. The unit functions properly with only one working power supply; however, the second power supply serves as a fail-safe precaution.

    In the event that one power supply fails, or if you choose to connect only one power cord to the unit, an alarm sounds. You push the Disable Alarm button to silence the alarm.

    Caution: If you choose to continue operating the 10010 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

    Before you install the 10010, ensure that you have the following items available:

    The power cord and serial cable, which are supplied with the 10010.

    Four Finisar Active Copper SFP transceivers, which are also supplied with the appliance.

    One to four ethernet cables, which are not supplied with the unit.

    Four rack screws and a screwdriver.

    You are now ready to install the 10010.

    [Figure labels, The Citrix NetScaler 10010, From the Back: Two removable power supplies, Hard disk, Power switch, Non-maskable interrupt (NMI) button, Compact flash drive and release button, 10/100Base-T copper Ethernet port, Disable alarm button]

    To install the Citrix NetScaler 10010 in your server room

    1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

    Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

    2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration.

    If you are installing the appliance on your server room rack, you should install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance.

    Use four rack screws to secure the unit to the rack.

    3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

    Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

    4. Turn on the appliance by tapping the power switch quickly, and then letting up.

    The appliance will perform a series of power-on tests that take approximately a minute as it comes up.

    5. Take an ethernet cable, connect one end to interface number 1/8 and connect the other end to the switch or hub that leads to your WAN or the internet.

    If you want, you can use a different interface number. The appliance detects which interfaces are in use and which networks they are connected to automatically.

    6. If you are installing your appliance in two-arm mode, take another ethernet cable, connect one end to interface number 1/7, and connect the other end to the switch or hub that leads to your LAN.

    Again, if you want, you can use a different interface number.

    You have now successfully installed your Citrix NetScaler 10010. Proceed to Performing Initial Configuration, on page 39 to configure it.

    The Citrix NetScaler 12000

    The Citrix NetScaler 12000 is a high-capacity, fault-tolerant hardware platform intended for heavy use in enterprise environments. The unit is a double form factor (2U) rack-mountable unit, 24 in/61 cm deep, that weighs 52 lbs/24 kg. It is designed to be installed on a rack in an air-conditioned server room.

    The unit can process up to 275,000 HTTP requests per second and 28,000 SSL requests per second. It has 6,000 Mbps system throughput, 3,000 Mbps SSL throughput, and 1,300 Mbps compression throughput.

    The following figure shows the 12000 unit from the front, with ports and other important features clearly labeled.

    The Citrix NetScaler 12000, From the Front

    You use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

    The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Installation and Configuration Guide, Volume 1, Chapter 3, Configuring the Application Switch, Understanding the LCD Monitor, on page 3-13.

    You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable, as described in To log on to the NetScaler command line via the serial port on page 60.

    The following figure shows examples of the Finisar Active Copper SFP transceivers, and how they plug into the 1000base-X ports.

    [Figure labels, The Citrix NetScaler 12000, From the Front: Eight Gigabit SFP Ports (1/1, 1/2, 1/3, 1/4, 1/5, 1/6, 1/7, 1/8), RS232 serial console port, LCD display, Rack mounts, Handles to carry the unit]

    The Citrix NetScaler 12000, From the Front, Details

    To insert a transceiver into a 1000Base-X port, you must first lower the transceiver lock bar into its unlocked position. You next insert the transceiver into the port, and press firmly until it clicks into place. Finally, you raise the lock bar to its up/locked position, and plug an ethernet cable into the port.

    Note: If you do not insert and lock the transceiver correctly, you will be unable to plug an ethernet cable into the port.

    The following figure shows the back of the 12000, with ports and other important features clearly labeled.

    The Citrix NetScaler 12000, From the Back

    To power the unit off, you press the left side of the power switch until it clicks down. To power it on, you press the right side until it clicks down.

    [Figure labels, The Citrix NetScaler 12000, From the Front, Details: Finisar Active Copper SFP Transceivers plugged in and locked in place; transceiver unlocked position, from side; transceiver locked position, from side]

    [Figure labels, The Citrix NetScaler 12000, From the Back: Two removable power supplies, Hard disk, Power switch, Non-maskable interrupt (NMI) button, Compact flash drive and release button, 10/100Base-T copper Ethernet port, Disable alarm button]

    You can use the 10/100/1000Base-T copper ethernet port to connect the unit to a secure control network that you then use to configure and manage the unit. The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

    The unit has two power supplies. Normally you will want to plug in two power cords, one into each power supply and then into separate wall sockets. The unit functions properly with only one working power supply; however, the second power supply serves as a fail-safe precaution.

    In the event that one power supply fails, or if you choose to connect only one power cord to the unit, an alarm sounds. You push the Disable Alarm button to silence the alarm.

    Caution: If you choose to continue operating the 12000 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

    Before you install the 12000, ensure that you have the following items available:

    The power cord and serial cable, which are supplied with the 12000.

    Eight Finisar Active Copper SFP transceivers, which are also supplied with the appliance.

    One to eight ethernet cables, which are not supplied with the unit.

    Four rack screws and a screwdriver.

    You are now ready to install the 12000.

    To install the Citrix NetScaler 12000 in your server room

    1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

    Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

    2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration.

    If you are installing the appliance on your server room rack, you should install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance.

    Use four rack screws to secure the unit to the rack.
