Deployment Guide

AppExpert Template
Deployment Guide
Microsoft Sharepoint
Deployment Guide

Notice:

The information in this publication is subject to change without notice.

THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.

The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.

Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.

Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-
2009 U.S.A. All rights reserved.
Table of Contents
Introduction...........................................................................................................................................4
Solution Requirements...........................................................................................................................5
Prerequisites..........................................................................................................................................5
Network Diagram..................................................................................................................................6
AppExpert Templates ...........................................................................................................................7
Introduction......................................................................................................................................7
Sharepoint Template..............................................................................................................................8
Sharepoint AppExpert Template Configuration..................................................................................8
Characterization of the Sharepoint Application..................................................................................9
Sharepoint Application Units...........................................................................................................12
Ordering of Application Units..........................................................................................................18
Sharepoint Public Endpoint Configuration - HTTP...........................................................................19
Sharepoint Load Balancing Configuration - HTTP...........................................................................20
Recommended Sharepoint Deployment.........................................................................................20
Sharepoint Public Endpoint Configuration - HTTPS.........................................................................22
Sharepoint HTTP-to-HTTPS Redirect..............................................................................................23
Application Visualizer......................................................................................................................25
Exporting AppExpert Templates...........................................................................................................26
Importing AppExpert Templates...........................................................................................................27
Appendix A - NetScaler Configuration.................................................................................................29
Appendix B - Content Types................................................................................................................35
 Introduction
Citrix® NetScaler® optimizes the delivery of web applications — increasing security and improving
performance and Web server capacity. This approach ensures the best total cost of ownership (TCO),
security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive
network system that combines high-speed load balancing and content switching with state-of-the-art
application acceleration, layer 4-7 traffic management, data compression, dynamic content caching,
SSL acceleration, network optimization, and robust application security into a single, tightly integrated
solution. Deployed in front of application servers, the system significantly reduces processing overhead
on application and database servers, reducing hardware and bandwidth costs.

NetScaler Applications Templates - introduced in NetScaler 9.0 - provide an application-centric view

of the NetScaler system’s policy configurations. From a single place within the GUI (AppExpert 
Applications) NetScaler administrators can: 1) Configure the various application features the NetScaler
is fronting, 2) View which NetScaler functional modules (e.g., compression, caching, application firewall)
are optimized and active for a given application unit.

Additionally, AppExpert Templates allow you to drill down and see which individual NetScaler policies are
active, and what policies are inactive but available, by application component and NetScaler module.
From this same view, individual policies can be created, activated and deactivated.

AppExpert Templates can be downloaded, imported, modified and exported. Administrators can
download AppExpert Templates built by Citrix, Citrix Partners and members of the NetScaler community
from the Citrix Community Website. These templates are easily imported into any NetScaler running
NetScaler 9.0 or higher, jump starting the configuration and deployment process. Templates developed
in-house can be easily exported and shared within your organization, or posted back to the Citrix
Community Website for others to view and improve.


Solution Requirements
• Application Switch NetScaler
• Microsoft Sharepoint

Prerequisites
• Citrix NetScaler L4/7 Application Switch, running version 9.0 build 66 (Quantity x 2 for HA)
• Windows Sharepoint Services (WSS)
• Microsoft Office Sharepoint Server (MOSS)
• Client laptop/workstation running Internet Explorer 6.0+, Ethernet port
• 9-pin serial cable -or- USB-to-serial cable


Network Diagram
The following is the Network that was used to develop this deployment guide.

Microsoft SharePoint
Server Farm

Citrix NetScaler®
Sharepoint Load Balanced IP
‘virtualsharepoint’
10.60.x.y

SharePoint Web Fronaend

‘spweb1’, 192.168.x.a

int 1/8 int 1/7

SharePoint Web Frontend Main Site URL:

VLAN 10 ‘spweb2’, 192.168.x.b
VLAN 11 ‘http://virtualsharepoint’

SharePoint Web Frontend

‘spweb3’, 192.168.x.c

VLAN Legend NetScaler

VLAN 11 VLAN 1: (Mgmt)

Interface 1/2, Untagged
VLAN 10 NSIP: a.b.c.d / 24
SNIP: a.b.c.e / 24
VLAN 1
VLAN 10:
Interface 1/8, Untagged
VIP: 10.60.x.y / 24

VLAN 11:
Interface 1/7, Untagged
SNIP: 192.168.x.y / 24


 AppExpert Templates
Introduction
AppExpert Templates are a new and simple approach to configuration management for complex enterprise
applications. Applications are listed in the left-most column of the NetScaler GUI under AppExpert. In
one simple view, you can view what is most important to you in terms of application delivery. You simply
configure what constitutes interesting traffic for each application delivery unit, and turn on the rules for
compression, caching, rewrite, filtering, responder and application firewall. This is largely different from
having to go into each feature and define complex rules and expressions individually, reducing the time
to deploy, easing management and improving the bottom line.

Identification of workflows refers to the

areas of the application that are important Methodology for Building an AppExpert Template
to Application Delivery, such as “Reports”,
1. Identify Application Workflows
“Documents”, “Images”, “Stylesheets”, “Web
2. Model Workflows into Application Units.
Services” and “Portal Pages”. Each of these
workflows can be specifically identified by the
type of content they generate from Server to
Client and vice-verse.

The process for entering AppExpert Templates into the NetScaler Application Switch is simple. From
the GUI, navigate to NetScaler  AppExpert  Applications. Select ‘Add’ to add the Application by
name. Select ‘Add’ again to enter an Application Unit, which refers to the workflow, for example “Report
Management”. Enter the Expression to identify the reports, for example URL == ‘/*.pdf’. From this
basis, the important operations can be configured upon all reports that appertain to this application, such
as compression, caching, rewrite, filtering, responder and application firewall.

One final step involves adding the front-end Virtual IP Address (VIP) and back-end servers. Then, by
virtue of this configuration, load balancing is in effect for this application. Load Balancing algorithms and
persistence can be modified from the default values.


Sharepoint Template
Sharepoint AppExpert Template Configuration
Sharepoint is an enterprise information portal from Microsoft that can be configured to run Intranet,
Extranet and Internet sites. There are two underlying software technologies, Microsoft Windows
Sharepoint Services (WSS) and Microsoft Office Sharepoint Server (MOSS). Sharepoint services (WSS)
is typically used by small teams, projects and companies, while Sharepoint Server (MOSS) is designed
for individuals, teams and projects within a medium to large enterprise. MOSS is a collaborative portal
that is built on top of WSS. MOSS requires a license.

The Sharepoint application server is characterized by shared folders and files, collaboration, document
workspace, meetings, discussion boards, integrated workflows, RSS Feeds, blogs, wikis, FrontPage
integration and ASP web pages. The goal of Sharepoint is to provide a simple, familiar and consistent
user experience tightly integrated with applications that run through a web browser.

What this means to an Application Expert is you will see a myriad of content being passed through the
Citrix NetScaler Application Switch.

After installation the first page that comes up on the Sharepoint server is /localhost/default.aspx. If you
view some examples of Sharepoint sites for collaboration, you can see that just about every document
type and content type will be uploaded and downloaded from the site. If you view some example of
Sharepoint Internet Web sites, you will see them full of images, scripts and .aspx pages.

What is important to the Application Expert is how the application is characterized by its content. In
other words, what is the content that comprises the back-end application, and what are you most
concerned with regarding it’s delivery. It is this content that we are most interested in, as we will build
AppExpert Templates surrounding this content.


Characterization of the Sharepoint Application
We know from experience that Sharepoint workflows are characterized by collaboration, portals, enterprise content management, and
business intelligence, to name a few. We can peel back the layers of these workflows to identify the actual data that is transferred between
Client and Server when this Application is in use. Under the hood, the workflows are characterized accordingly to the following table.

Workflow Characterized By Components

FrontPage Services FrontPage RPC responses FrontPage header

SOAP Services SOAP responses Method is a POST, and the Header contains
soapaction

Portal Management Dynamic content - .jsp, .jspx, .asp, .aspx .asp, .aspx, .htm, .html, .mht, .mhtml, .xhtml,
Static content - .html, .mht, .mhtml, .xhtml, .xml .xml, .jsp, .jspx

Document Management Document Sharing & Storage, MS Office .doc, .docx, .ppt, .pptx, .dot, .dotx, .docm,
Documents, Reports, Spreadsheet, Forms .dotm, . rtf, .txt, .wps, .ppt, .pptx, .pot, .potx,
.pptm, .potm, .thmx, .ppsx, .ppsm, .pps, .ppam,
.pdf, .csv, .txt, .prn, .xsn, .xls, .xlsx, .xlt, .xltx,
.xlsb, .xlsm, .xltm, .dif, .slk, .xlam, .xla

Image Management Responses containing images .gif, .jpg, .jpeg, .tif, .tiff, .bmp, .wmf, .emf, .png,
.wbmp, .ico

Styles and Scripts Stylesheets, Scripts .css, .js, .htc, .axd, .wmls

Image Management Responses containing images .gif, .jpg, .jpeg, .tif, .tiff, .bmp, .wmf, .emf, .png,
.wbmp, .ico

Web Services Definitions WSDLs and WSILs ?wsdl, .wsdl, ?wsil, .wsil, .xml

Web Services Schemas XSDs .xsd


If we examine the workflows in Sharepoint, we know that some of this content is compressible, while some is not. Some of this content
is cacheable, while some is not. And so we form the basis of our AppExpert Template. In summary, we want to configure the AppExpert
Template for the following features. A check indicates we want to enable the feature. The Default appears last and is a catch all for traffic
that has not been characterized by our Application units. We have added an Https Redirect, because we want to redirect all HTTP traffic to
HTTPS.

Content flow Compression Caching Rewrite Filter Responder AppFw

FrontPage Services

SOAP Services
 
Portal Management
  
Document Management
 
Image Management
 
Styles and Scripts
  
Web Services Definitions
 
Web Services Schemas
  
Default
  

10
From the Workflow table, we build the following expression table, for the each Application Unit. This is the interesting traffic to which we will
apply policy.

Sharepoint Classic Syntax Advanced Syntax Expression

FrontPage Services
 HTTP.REQ.HEADER(“X-Vermeer-Content-Type”).EXISTS

SOAP Services
 HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.
HEADER(“soapaction”).EXISTS

Portal Management
 URL == ‘/*.jsp’ || URL == ‘/*.jspx’ || URL == ‘/*.asp’ || URL == ‘/*.
aspx’ || URL == ‘/*.htm’ || URL == ‘/*.html’ || URL == ‘/*.mht’ || URL
== ‘/*.mhtml’ || URL == ‘/*.xhtml’ || URL == ‘/*.xml’

Document Management
 URL == ‘/*.pdf’ || URL == ‘/*.csv’ || URL == ‘/*.prn’ || URL == ‘/*.
xsn’ || URL == ‘/*.xls’ || URL == ‘/*.xlsx’ || URL == ‘/*.xlt’ || URL ==
‘/*.xltx’ || URL == ‘/*.xlsb’ || URL == ‘/*.xlsm’ || URL == ‘/*.xltm’ ||
URL == ‘/*.dif’ || URL == ‘/*.slk’ || URL == ‘/*.xlam’ || URL == ‘/*.
xla’ || URL == ‘/*.doc’ || URL == ‘/*.docx’ || URL == ‘/*.ppt’ || URL
== ‘/*.pptx’ || URL == ‘/*.dot’ || URL == ‘/*.dotx’ || URL == ‘/*.
docm’ || URL == ‘/*.dotm’ || URL == ‘/*.rtf’ || URL == ‘/*.txt’ || URL
== ‘/*.wps’ || URL == ‘/*.pot’ || URL == ‘/*.potx’ || URL == ‘/*.pptm’
|| URL == ‘/*.potm’ || URL == ‘/*.thmx’ || URL == ‘/*.ppsx’ || URL
== ‘/*.ppsm’ || URL == ‘/*.pps’ || URL == ‘/*.ppam’

Image Management
 HTTP.REQ.METHOD.EQ(GET) && HTTP.REQ.URL.PATH.
STARTSWITH(“/_layouts/images”) && (HTTP.REQ.URL.PATH.
ENDSWITH(“.gif”) || HTTP.REQ.URL.PATH.ENDSWITH(“.jpg”) ||
HTTP.REQ.URL.PATH.ENDSWITH(“.jpeg”) || HTTP.REQ.URL.PATH.
ENDSWITH(“.tiff”) || HTTP.REQ.URL.PATH.ENDSWITH(“.tif”) ||
HTTP.REQ.URL.PATH.ENDSWITH(“.png”) || HTTP.REQ.URL.PATH.
ENDSWITH(“.bmp”) || HTTP.REQ.URL.PATH.ENDSWITH(“.emf”) ||
HTTP.REQ.URL.PATH.ENDSWITH(“.wmf”) || HTTP.REQ.URL.PATH.
ENDSWITH(“.wbmp”) || HTTP.REQ.URL.PATH.ENDSWITH(“.ico”))

Styles and Scripts

 HTTP.REQ.METHOD.EQ(GET) && (HTTP.REQ.URL.PATH.
STARTSWITH(“/WebResource.axd”) || HTTP.REQ.URL.PATH.
ENDSWITH(“.htc”) || HTTP.REQ.URL.PATH.ENDSWITH(“.wmls”)
|| (HTTP.REQ.URL.STARTSWITH(“/_layouts/1033”) && (HTTP.
REQ.URL.PATH.ENDSWITH(“.css”) || HTTP.REQ.URL.PATH.
ENDSWITH(“.js”))))

Web Services Definitions

 URL CONTAINS ?wsdl || URL CONTAINS .wsdl || URL CONTAINS
?wsil || URL CONTAINS .wsil || URL == ‘/*.xml’

Web Services Schemas

 URL CONTAINS .xsd

11
Sharepoint Application Units
Configuration of the Sharepoint AppExpert Template involves defining Application Units for Sharepoint
Traffic. An Application Unit defines a subset of traffic that you are interested in applying template policies
to. For example Images or Reports, or specific portions of content. Definition of Application units are
Request based, in that the expressions are built upon Request based rules.

From the NetScaler GUI, select

NetScaler  AppExpert 
Applications.

Select Add.

Enter the AppExpert Template

Name. In this example,
Sharepoint.

Select Add again, and enter

the Application Unit. An
Application Unit describes the
Interesting Traffic or a type of
context.

In this example, Application

Unit is Portal_Management,
identified by the rule
expression:
URL == ‘/*.asp’ ||
URL == ‘/*.aspx’ ||
URL == ‘/*.htm’ ||
URL == ‘/*.html’ ||
URL == ‘/*.mht’ ||
URL == ‘/*.mhtml’ ||
URL == ‘/*.xhtml’ ||
URL == ‘/*xml’ ||
URL == ‘/*.jsp’ ||
URL == ‘/*.jspx’.

12
Add the remaining Application
Unit categories.

13
After all of the Application
units have been added, we
configur the policies, starting
with Compression. Click on
the icon under Compression.

Select ‘Add Policy’:

• Name: <policy name>
• Action: COMPRESS
• Expression: ns_true
(Advanced Free Form)

Select ‘Create’.

Make sure the compression

policy is selected.

Click ‘Ok’.

(In this example, our policy

name is ‘sharepoint_
compress’)

14
Enable Caching.

Select ‘Insert Policy’.

Policy Name: NOPOLICY-

CACHE.

Select Invoke: New Policy

Label.

Cache Policy Label:

‘sharepoint_cache_label’.

Select Insert Policy:

Select ‘New Policy’:

• Name: <policy name>
• Action: CACHE
• Expression: TRUE
(Advanced Free Form)

In this example, the

cache policy name will be
‘sharepoint_cache_policy’.

Select ‘Create’, ‘Apply

Changes’, ‘Close’.

Note: Now, the sharepoint_

cache_label can be re-used
for the other Application
Units.

15
 Enable Rewrite.

Select ‘Insert Policy’.

Add Policies and Actions

according to the table below.

Select ‘Create’, ‘Apply

Changes’, ‘Close’.

Note: replace
‘yourspwebserver’ with the
hostname or ip address of
your SharePoint webserver.
Replace ‘yournsvip’ with your
NetScaler Vserver ip address
or hostname.

Rewrite for: Policy Name Expression Action Name Expression

SOAP Services sp_soap_req_url_rw_ns_ HTTP.REQ.METHOD. sp_req_url_rw_ns_to_ws_ Type: REPLACE_ALL

to_ws_pol EQ(POST) && HTTP.REQ. act Expr: HTTP.REQ.FULL_
HEADER(“SoapAction”). HEADER
EXISTS Replacement:
“yourspwebserver”
Pattern: re/(?U)yournsvip/

sp_soap_req_url_rw_ns_ HTTP.REQ.METHOD. sp_req_url_rw_ns_to_ws_ Type: REPLACE_ALL

to_ws_pl2 EQ(POST) && HTTP.REQ. act2 Expr: HTTP.REQ.
HEADER(“SoapAction”). BODY(4096)
EXISTS Replacement:
“yourspwebserver”
Pattern: re/(?U)yournsvip/

Portal sp_res_url_rw_ws_to_ns_ HTTP.RES. sp_res_url_rw_ws_to_ns_ Type: REPLACE_ALL

Management pol HEADER(“Content-Type”). act Expr: HTTP.RES.
CONTAINS(“text/html”) BODY(10000)
Replacement: “yournsvip”
Pattern: re/ (?U)yourspwe
bserver|YOURSPWEBSE
RVER/

16
To enable compression for
other Application units, re-
use the policy created in the
previous step.

Compression:
• select sharepoint_
compress

To enable caching for other

Application Units, re-use the
policy created in the previous
step.

Caching:
• Insert Policy.
• Policy Name: NOPOLICY-
CACHE
• Invoke: sharepoint_cache_
label

17
 The Default Application Unit is
a “Catch-All” for content that
was not previously expressed
in an Application Unit.

Compression and Caching

should be turned on as a
default.

After all of the Application

units have been entered and
the features configured, the
AppExpert Template will look
like the following:

Make sure you take this

opportunity to “Save” the
configuration.
Ordering of Application Units
Order of Application Units matters from a top-down methodology. The first Application Unit at the top
of the list takes precedence. The next Application Unit in the list takes next precedence, and so forth.
The Default Application Unit appears last for all traffic that was not expressed in an Application unit. The
Application units can be reordered by moving them up and down in the GUI interface.

Use the Move Up & Move

Down buttons to re-order
Application Units.

Move them to the top of the

list for higher precedence, or
to the bottom of the list for
lower precedence.

18
 Sharepoint Public Endpoint Configuration - HTTP
The Front-End configuration, or public endpoints configuration, is the public facing IP Address(es) that
users will use to access the Application.

Select Configure Public

Endpoints.

Select Add. Add the IP

Address and Port that the
public users will access the
Application with.
• Name: <endpoint name>
• Public IP Address: x.x.x.x
• Protocol: HTTP
• Port: 80

Select Ok.

A couple final steps to

complete the picture.

We need to add the Front-end

VIP and Back-end servers.

Select Configure Public

Endpoints.

Select Add.

19
Sharepoint Load Balancing Configuration - HTTP
Configuring backend services is the place where we add the backend servers to send traffic to. When
the AppExpert Template was created, a Load Balancing virtual server (vserver) was created internally
within the NetScaler. It is during the configuration of the backend services that we can change the
default load balancing settings.

Select Configure Backend

Services.

Select the Service Group tab.

Select Add.

Add the Servers by IP Address

or Name, and Port Numbers
the Servers use.
• Name: <server name>
• Server IP Address: x.x.x.x
• Port: 80
• Protocol: HTTP

These are the servers that we

will load balance.

Select the http-ecv monitor, in

the monitor tab.

Select ‘Ok’.

Recommended Sharepoint Deployment

To be able to use Netscaler as a load balancer for the SharePoint Web Servers, the SharePoint servers
need to be configured to support load balancing either using the Alternate Access Mapping feature or
configuring each site to use a ‘load balanced URL’ that doesn’t use the server name. Follow the links to
learn more about either feature. The DNS name for the netscaler’s sharepoint public endpoint should be
set to the server name in the load balanced public URL of the site’s configuration (‘virtualsharepoint’ in
the diagram at the beginning of this document). The use of ‘virtualsharepoint’ as the dns name should
be the same for the public and private access. The idea is to use “virtualsharepoint” as the URL name
to access the SharePoint externally or internally.

Alternate Access Mapping: http://technet.microsoft.com/en-us/library/cc288173.aspx

Load Balanced URL: http://technet.microsoft.com/en-us/library/cc287954.aspx

20
Select the Monitors tab to set
the health check monitor to
be used.

Select ‘http-ecv’, ‘Add’.

Select ‘Ok’.

Select the Methods and

Persistence tab to set the
Load Balancing method and
Persistence method to be
used.

Select ‘Ok’.

21
Sharepoint Public Endpoint Configuration - HTTPS To enable SSL or HTTPS
for the Sharepoint Public
The NetScaler Application Switch can be used as a secure SSL or HTTPS gateway to the Sharepoint Endpoints, select Add.
Applications. A NetScaler server certificate can be created using the SSL Certificate Wizard by navigating
in the GUI to NetScaler  SSL, Certificate Wizard. Add the IP Address and
Port that the public users
will access the SHarePoint
Application with.
• Name: <endpoint name>
• Public IP Address: x.x.x.x
• Protocol: SSL
• Port: 443

Select the SSL Tab and

Configure the NetScaler
certificate to be used on the
front-end public connections.

Select Ok.

22
 Sharepoint HTTP-to-HTTPS Redirect
To turn the Sharepoint HTTP Portal into a secure HTTPS portal, a simple redirect needs to be added to
the AppExpert Template, which can be enabled and disabled at any time.

Select the AppExpert Template

Name, Click on Add.

Add a new Application Unit

for the redirect.
• Name: Https_Redirect
• Rule: URL == ‘/*’

Select Create.

Move it to the top of all

Application Units.

Enable Responder.

Select ‘Insert Policy’.

Policy Name: NOPOLICY-

RESPONDER.

Select Invoke: New Policy

Label.

23
Create Responder Policy
Label: ‘http-to-https-
responder’.

Select Insert Policy:

Select ‘New Policy’:

• Name: http_to_https_
policy
• Action: http_to_https_
action
• Expression: HTTP.
REQ.HEADER(“Host”).
CONTAINS(“strategic”) &&
!CLIENT.SSL.IS_SSL

Select ‘New’ Action:

• Name: http_to_https_
action
• Type: Redirect
• Expression: “https://
strategic.citrixlabs.com/”
+ HTTP.REQ.URL
• Bypass Safety Check

Select ‘Create’, ‘Create’,

‘Create’, ‘Apply Changes’
to the Application Unit, then
‘Close’.

24
 Application Visualizer
When an AppExpert Template is complete, all of the policies that are configured can be viewed in the
Application Visualizer. The Visualizer provides an end-to-end view of the Application Flow from the Client
to the Server.

When complete, the

AppExpert Template can
be viewed in the AppExpert
Template Visualizer.

25
Exporting AppExpert Templates
AppExpert Templates can be exported so that they can be shared, uploaded to the Citrix Community
Website, modified by others, and imported into other NetScaler switches to simplify and ease
deployment.

To Export the AppExpert

Template, highlight the
AppExpert Template name,
select Export.

26
 Importing AppExpert Templates
AppExpert Templates can be imported into the Citrix NetScaler Application Switch. Templates can be
downloaded from the Citrix Community Website or from local or network storage.

Select the template to import.

Templates are stored in
<name>.gz file format.

To Import the AppExpert

Template, click on Application,
select Import.

When importing a template,

you will need to Add or Select
the Public Endpoints and
Backend Service Groups.

27
28
Appendix A - NetScaler Configuration
Primary NetScaler
set ns config -IPAddress 10.60.108.100 -netmask 255.255.0.0

set ns config -timezone GMT-08:00-PST-Pacific/Pitcairn

set ns config -ftpPortRange 5000-6000

enable ns feature WL SP LB CS CR CMP GSLB CF IC REWRITE AppFw RESPONDER

enable ns mode FR L3 Edge USNIP PMTUD

set lacp -sysPriority 32768

set system user nsroot 1e9021f5f0036df0541b58111a24c2a5671c0d5bf7aa2dea2 -encrypted

set interface 1/1 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/2 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/3 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/4 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/5 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/6 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/7 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/8 -flowControl RX -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

add ns ip 10.60.108.101 255.255.0.0 -vServer DISABLED

add policy expression ns_html “RES.HTTP.HEADER Content-Type CONTAINS text/html” -description “Http response has html content type”

add policy expression ns_all_image_types “(URL == \’/*.gif\’ || URL == \’/*.jpg\’ || URL == \’/*.jpeg\’ || URL == \’/*.tiff\’ || URL == \’/*.tif\’ || URL
== \’/*.png\’ || URL == \’/*.bmp\’ || URL == \’/*.emf\’ || URL == \’/*.wmf\’ || URL == \’/*.wbmp\’ || URL == \’/*.ico\’)”

add policy expression app_0_ApplicationsSharePoint ns_true

add policy expression app_u_SharePointFrontPage_Services ns_true

add policy expression app_u_SharePointSOAP_Services ns_true

add policy expression app_u_SharePointPortal_Management ns_true

add policy expression app_u_SharePointDocument_Management ns_true

add policy expression app_u_SharePointImage_Management ns_true

add policy expression app_u_SharePointStyles_and_Scripts ns_true

add policy expression app_u_SharePointWeb_Service_Definitions ns_true

add policy expression app_u_SharePointWeb_Service_Schemas ns_true

add policy expression app_o_SharePointdefault ns_true

set locationParameter -context geographic -q1label Continent -q2label Country -q3label Region -q4label City -q5label ISP -q6label
Organization

add server 10.60.2.41 10.60.2.41

add server 10.60.2.25 10.60.2.25

29
add server 10.60.2.110 10.60.2.110

add server 10.60.2.40 10.60.2.40

add server 10.9.154.149 10.9.154.149

add cs policy “pol-true” -rule true

add cs policy app_cs0 -rule “HTTP.REQ.HEADER(\”X-Vermeer-Content-Type\”).EXISTS”

add cs policy app_cs1 -rule “HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HEADER(\”soapaction\”).EXISTS”

add cs policy app_cs2 -rule “SYS.EVAL_CLASSIC_EXPR(\”URL == \’/*.jsp\’ || URL == \’/*.jspx\’ || URL == \’/*.asp\’ || URL == \’/*.aspx\’\”)”

add cs policy app_cs3 -rule “SYS.EVAL_CLASSIC_EXPR(\”URL == \’/*.pdf\’ || URL == \’/*.csv\’ || URL == \’/*.prn\’ || URL == \’/*.xsn\’ || URL
== \’/*.xls\’ || URL == \’/*.xlsx\’ || URL == \’/*.xlt\’ || URL == \’/*.xltx\’ || URL == \’/*.xlsb\’ || URL == \’/*.xlsm\’ || URL == \’/*.xltm\’ || URL ==
\’/*.dif\’ || URL == \’/*.slk\’ || URL == \’/*.xlam\’ || URL == \’/*.xla\’ || URL == \’/*.doc\’ || URL == \’/*.docx\’ || URL == \’/*.ppt\’ || URL == \’/*.
pptx\’ || URL == \’/*.dot\’ || URL == \’/*.dotx\’ || URL == \’/*.docm\’ || URL == \’/*.dotm\’ || URL == \’/*.rtf\’ || URL == \’/*.txt\’ || URL == \’/*.
wps\’ || URL == \’/*.pot\’ || URL == \’/*.potx\’ || URL == \’/*.pptm\’ || URL == \’/*.potm\’ || URL == \’/*.thmx\’ || URL == \’/*.ppsx\’ || URL ==
\’/*.ppsm\’ || URL == \’/*.pps\’ || URL == \’/*.ppam\’\”)”

add cs policy app_cs4 -rule “HTTP.REQ.METHOD.EQ(GET) && HTTP.REQ.URL.PATH.STARTSWITH(\”/_layouts/images\”) && (HTTP.REQ.

URL.PATH.ENDSWITH(\”.gif\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.jpg\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.jpeg\”) || HTTP.REQ.URL.
PATH.ENDSWITH(\”.tiff\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.tif\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.png\”) || HTTP.REQ.URL.PATH.
ENDSWITH(\”.bmp\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.emf\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.wmf\”) || HTTP.REQ.URL.PATH.
ENDSWITH(\”.wbmp\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.ico\”))”

add cs policy app_cs5 -rule “HTTP.REQ.METHOD.EQ(GET) && (HTTP.REQ.URL.PATH.STARTSWITH(\”/WebResource.axd\”) || HTTP.REQ.

URL.PATH.ENDSWITH(\”.htc\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.wmls\”) || (HTTP.REQ.URL.STARTSWITH(\”/_layouts\”) && (HTTP.REQ.
URL.PATH.ENDSWITH(\”.css\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.js\”))))”

add cs policy app_cs6 -rule “SYS.EVAL_CLASSIC_EXPR(\”URL CONTAINS ?wsdl || URL CONTAINS .wsdl || URL CONTAINS ?wsil || URL
CONTAINS .wsil || URL == \’/*.xml\’\”)”

add cs policy app_cs7 -rule “SYS.EVAL_CLASSIC_EXPR(\”URL CONTAINS .xsd\”)”

add service MercurySP1 10.60.2.41 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -sp OFF -cltTimeout 180 -
svrTimeout 360 -CKA NO -TCPB NO -CMP YES

add service MercurySPx 10.60.2.25 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -sp OFF -cltTimeout 180 -
svrTimeout 360 -CKA NO -TCPB NO -CMP YES

add service my_citrite 10.9.154.149 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -sp OFF -cltTimeout 180 -
svrTimeout 360 -CKA NO -TCPB NO -CMP YES

set rewrite param -undefAction NOREWRITE

add filter action act_prebody add prebody

add filter action act_postbody add postbody

add vpn intranetApplication route_migrate_1 ANY 192.168.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT

add cmp policy sharepoint_compress -rule ns_true -resAction COMPRESS

add filter policy html_prebody -rule “REQ.HTTP.METHOD == GET || REQ.HTTP.HEADER Content-Type == text/html” -reqAction act_
prebody

add filter policy html_postbody -rule “REQ.HTTP.METHOD == GET || REQ.HTTP.HEADER Content-Type == text/html” -reqAction act_
postbody

add lb vserver app_0_ApplicationsSharePoint HTTP 0.0.0.0 0 -persistenceType COOKIEINSERT -persistenceBackup SOURCEIP -lbMethod
ROUNDROBIN -cltTimeout 180 -downStateFlush DISABLED

add lb vserver app_u_SharePointFrontPage_Services HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED

30
add lb vserver app_u_SharePointSOAP_Services HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED

add lb vserver app_u_SharePointPortal_Management HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180
-downStateFlush DISABLED

add lb vserver app_u_SharePointDocument_Management HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout
180 -downStateFlush DISABLED

add lb vserver app_u_SharePointImage_Management HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush
DISABLED

add lb vserver app_u_SharePointStyles_and_Scripts HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED

add lb vserver app_u_SharePointWeb_Service_Definitions HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout
180 -downStateFlush DISABLED

add lb vserver app_u_SharePointWeb_Service_Schemas HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180
-downStateFlush DISABLED

add lb vserver app_o_SharePointdefault HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED

add cs vserver mercurylb HTTP 10.60.108.40 80 -cltTimeout 180

set ns rpcNode 10.60.108.100 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP

10.60.108.100

add responder action http_to_https_action12 redirect “\”https://\” + HTTP.REQ.HOSTNAME+ HTTP.REQ.URL” -bypassSafetyCheck YES

add responder action http_to_https_action121 redirect “\”https://\” + HTTP.REQ.HOSTNAME+ HTTP.REQ.URL” -bypassSafetyCheck YES

add responder action http_to_https_action1211 redirect “\”https://\” + HTTP.REQ.HOSTNAME+ HTTP.REQ.URL” -bypassSafetyCheck YES

add responder policy https_redirect_for_sharepointA2 “HTTP.REQ.HEADER(\”Host\”).CONTAINS(\”strategic\”) && !CLIENT.SSL.IS_SSL”

http_to_https_action12

add responder policy https_redirect_for_sharepointA1 “HTTP.REQ.HEADER(\”Host\”).CONTAINS(\”strategic\”) && !CLIENT.SSL.IS_SSL”

http_to_https_action121

add responder policy https_redirect_for_sharepointA3 “HTTP.REQ.HEADER(\”Host\”).CONTAINS(\”strategic\”) && !CLIENT.SSL.IS_SSL”

http_to_https_action1211

add responder policylabel label_redirect_forSharepointAp2

add responder policylabel label_redirect_forSharepointAp1

add responder policylabel label_redirect_forSharepointAp3

bind responder policylabel label_redirect_forSharepointAp2 https_redirect_for_sharepointA2 100 END

bind responder policylabel label_redirect_forSharepointAp1 https_redirect_for_sharepointA1 100 END

bind responder policylabel label_redirect_forSharepointAp3 https_redirect_for_sharepointA3 100 END

set responder param -undefAction NOOP

set cache parameter -memLimit 512 -via “NS-CACHE-8.0: 1” -verifyUsing HOSTNAME_AND_IP -maxPostLen 1024 -enableBypass YES
-undefAction NOCACHE

add cache contentGroup BASEFILE -relExpiry 86000 -weakNegRelExpiry 600 -quickAbortSize 4194303 -maxResSize 256 -memLimit 2
-minHits 0

add cache contentGroup DELTAJS -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -quickAbortSize 4194303 -maxResSize 256
-memLimit 1 -minHits 0 -pinned YES

add cache contentGroup DEFAULT -quickAbortSize 4194303 -maxResSize 4000 -minHits 0

add cache contentGroup SHAREPOINT_DEFAULT -quickAbortSize 4194303 -maxResSize 4000 -minHits 0

31
add cache contentGroup SHAREPOINT_IMAGES -quickAbortSize 4194303 -maxResSize 4000 -minHits 0

add cache contentGroup SHAREPOINT_SCRIPTS -quickAbortSize 4194303 -maxResSize 4000 -minHits 0

add cache policy _nonGetReq -rule “!HTTP.REQ.METHOD.eq(GET)” -action NOCACHE

add cache policy _advancedConditionalReq -rule “HTTP.REQ.HEADER(\”If-Match\”).EXISTS || HTTP.REQ.HEADER(\”If-Unmodified-Since\”).

EXISTS” -action NOCACHE

add cache policy _personalizedReq -rule “HTTP.REQ.HEADER(\”Cookie\”).EXISTS || HTTP.REQ.HEADER(\”Authorization\”).EXISTS || HTTP.

REQ.HEADER(\”Proxy-Authorization\”).EXISTS” -action NOCACHE

add cache policy _uncacheableStatusRes -rule “! ((HTTP.RES.STATUS.EQ(200)) || (HTTP.RES.STATUS.EQ(304)) || (HTTP.RES.STATUS.

BETWEEN(400,499)) || (HTTP.RES.STATUS.BETWEEN(300, 302)) || (HTTP.RES.STATUS.EQ(307))|| (HTTP.RES.STATUS.EQ(203)))” -action
NOCACHE

add cache policy _uncacheableCacheControlRes -rule “((HTTP.RES.CACHE_CONTROL.IS_PRIVATE) || (HTTP.RES.CACHE_CONTROL.IS_

NO_CACHE) || (HTTP.RES.CACHE_CONTROL.IS_NO_STORE) || (HTTP.RES.CACHE_CONTROL.IS_INVALID))” -action NOCACHE

add cache policy _cacheableCacheControlRes -rule “((HTTP.RES.CACHE_CONTROL.IS_PUBLIC) || (HTTP.RES.CACHE_CONTROL.IS_

MAX_AGE) || (HTTP.RES.CACHE_CONTROL.IS_MUST_REVALIDATE) || (HTTP.RES.CACHE_CONTROL.IS_PROXY_REVALIDATE) || (HTTP.
RES.CACHE_CONTROL.IS_S_MAXAGE))” -action CACHE -storeInGroup DEFAULT

add cache policy _uncacheableVaryRes -rule “((HTTP.RES.HEADER(\”Vary\”).EXISTS) && ((HTTP.RES.HEADER(\”Vary\”).INSTANCE(1).

LENGTH > 0) || (!HTTP.RES.HEADER(\”Vary\”).STRIP_END_WS.SET_TEXT_MODE(IGNORECASE).eq(\”Accept-Encoding\”))))” -action
NOCACHE

add cache policy _uncacheablePragmaRes -rule “HTTP.RES.HEADER(\”Pragma\”).EXISTS” -action NOCACHE

add cache policy _cacheableExpiryRes -rule “HTTP.RES.HEADER(\”Expires\”).EXISTS” -action CACHE -storeInGroup DEFAULT

add cache policy _imageRes -rule “HTTP.RES.HEADER(\”Content-Type\”).SET_TEXT_MODE(IGNORECASE).STARTSWITH(\”image/\”)” -

action CACHE -storeInGroup DEFAULT

add cache policy _personalizedRes -rule “HTTP.RES.HEADER(\”Set-Cookie\”).EXISTS || HTTP.RES.HEADER(\”Set-Cookie2\”).EXISTS” -

action NOCACHE

add cache policy cache_everything_sharepoint -rule true -action CACHE -storeInGroup SHAREPOINT_DEFAULT

add cache policy cache_sharepoint_scripts -rule true -action CACHE -storeInGroup SHAREPOINT_SCRIPTS

add cache policy cache_sharepoint_images -rule true -action CACHE -storeInGroup SHAREPOINT_IMAGES

add cache policylabel _reqBuiltinDefaults -evaluates REQ

add cache policylabel cache_sharepoint_scripts -evaluates REQ

add cache policylabel cache_all_sharepoint -evaluates REQ

add cache policylabel cache_sharepoint_images -evaluates REQ

add cache policylabel _resBuiltinDefaults -evaluates RES

bind cache policylabel _reqBuiltinDefaults -policyName cache_sharepoint_images -priority 100 -gotoPriorityExpression END

bind cache policylabel cache_all_sharepoint -policyName cache_everything_sharepoint -priority 100 -gotoPriorityExpression END

bind cache policylabel _resBuiltinDefaults -policyName _uncacheableStatusRes -priority 100 -gotoPriorityExpression END

bind cache policylabel _resBuiltinDefaults -policyName _uncacheableVaryRes -priority 200 -gotoPriorityExpression END

bind cache policylabel _resBuiltinDefaults -policyName _uncacheableCacheControlRes -priority 300 -gotoPriorityExpression END

bind cache policylabel _resBuiltinDefaults -policyName _cacheableCacheControlRes -priority 400 -gotoPriorityExpression END

bind cache policylabel _resBuiltinDefaults -policyName _uncacheablePragmaRes -priority 500 -gotoPriorityExpression END

bind cache policylabel _resBuiltinDefaults -policyName _cacheableExpiryRes -priority 600 -gotoPriorityExpression END

32
bind cache policylabel _resBuiltinDefaults -policyName _imageRes -priority 700 -gotoPriorityExpression END

bind cache policylabel _resBuiltinDefaults -policyName _personalizedRes -priority 800 -gotoPriorityExpression END

bind cache global NOPOLICY -priority 100 -gotoPriorityExpression END -type REQ_DEFAULT -invoke policylabel _reqBuiltinDefaults

bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression NEXT -type REQ_DEFAULT -invoke policylabel _reqBuiltinDefaults

bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression NEXT -type RES_DEFAULT -invoke policylabel _resBuiltinDefaults

add appfw profile sp_web2_firewall_profile

add appfw profile sp_xml_firewall_profile

set appfw profile sp_web2_firewall_profile -startURLAction block learn log stats -startURLClosure ON -cookieConsistencyAction block learn
log stats -fieldConsistencyAction block learn log stats -crossSiteScriptingAction block learn log stats -SQLInjectionAction block learn log stats
-fieldFormatAction block learn log stats -XMLSQLInjectionAction none -XMLXSSAction none -type HTML XML

set appfw profile sp_xml_firewall_profile -startURLAction block learn log stats -startURLClosure ON -cookieConsistencyAction block learn log
stats -fieldConsistencyAction block learn log stats -crossSiteScriptingAction block learn log stats -SQLInjectionAction block learn log stats
-fieldFormatAction block learn log stats -XMLSQLInjectionAction none -XMLXSSAction none -type XML

bind appfw profile sp_web2_firewall_profile -XMLDoSURL “.*” -XMLMaxElementDepthCheck ON -XMLMaxElementNameLengthCheck ON

-XMLMaxElementsCheck ON -XMLMaxElementChildrenCheck ON -XMLMaxAttributesCheck ON -XMLMaxAttributeNameLengthCheck ON
-XMLMaxAttributeValueLengthCheck ON -XMLMaxCharDATALengthCheck ON -XMLMaxFileSizeCheck ON -XMLMinFileSizeCheck ON -
XMLBlockPI ON -XMLBlockDTD ON -XMLBlockExternalEntities ON

bind appfw profile sp_web2_firewall_profile -XMLWSIURL “.*” -XMLWSIChecks “BP1201, R1000, R1001, R1003, R1004, R1005, R1006,
R1007, R1011, R1013, R1014, R1015, R1031, R1032, R1033, R1109, R1111, R1126, R1132, R1140, R1141, R2113, R2211, R2714,
R2729, R2735, R2738, R2740, R2744, R4003”

bind appfw profile sp_web2_firewall_profile -XMLValidationURL “.*” -XMLValidateSOAPEnvelope ON

bind appfw profile sp_web2_firewall_profile -denyURL “/core(/.*)?$” -comment “Unix core file attacks” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “[\\/]etc[\\/](passwd|group|hosts)” -comment “Unix file attacks” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL q{([ /=]|\t|\n)(ls|rm|cat)([ ;’\”&].*)?$} -comment “Command injection attack” -state
DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*[+][.]htr” -comment “HTR source disclosure” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/[?][SM]=[AD]” -comment “Apache possible directory index disclosure
vulnerability” -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/[?]wp-” -comment “Netscape enterprise server directory indexing vulnerability”
-state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/NULL[.]printer” -comment “Printer buffer overflow” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/default[.]ida[?]N+” -comment CodeRed -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/publisher” -comment “Netscape enterprise server web publishing vulnerability”
-state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*Admin[.]dll” -comment “Nimbda-3” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/winnt/” -comment “Nimbda-4” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*[+]dir” -comment “IIS executable file parsing vulnerability-1” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/georgi[.]asp” -comment “IIS executable file parsing vulnerability-2” -state
DISABLED

33
bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*[.](bat|ini|exe)(|[?].*)$” -comment “IIS executable file parsing vulnerability-3” -state
DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|]” -comment “Script exploit” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*[.]asp\\.*” -comment “Microsoft IIS UNC mapped virtual host vulnerability” -state
DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*[.]htx” -comment “Microsoft IIS UNC path disclosure vulnerability” -state
DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*[.]id[aq]” -comment “Index server buffer overflow” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$” -comment “Access attacks” -state
DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$” -comment “Password file attacks” -
state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*dvwssr[.]dll” -comment “Front Page server extensions buffer overflow-1” -state
DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*fp30reg[.]dll” -comment “Front Page server extensions buffer overflow-2” -state
DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*null[.]htw” -comment “Webhits source disclosure” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “debug[.][^/?]*(|[?].*)$” -comment “Debug attacks” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL q/system( |\t|\n)*[(]/ -comment “System command attacks” -state DISABLED

bind appfw profile sp_web2_firewall_profile -denyURL “^[^?]*/_vti_bin/shtml[.]” -comment “Front Page server extensions path disclosure
vulnerability” -state DISABLED

bind appfw profile sp_xml_firewall_profile -XMLDoSURL “.*” -XMLMaxElementDepthCheck ON -XMLMaxElementNameLengthCheck ON -

XMLMaxElementsCheck ON -XMLMaxElementChildrenCheck ON -XMLMaxAttributesCheck ON -XMLMaxAttributeNameLengthCheck ON
-XMLMaxAttributeValueLengthCheck ON -XMLMaxCharDATALengthCheck ON -XMLMaxFileSizeCheck ON -XMLMinFileSizeCheck ON -
XMLBlockPI ON -XMLBlockDTD ON -XMLBlockExternalEntities ON

bind appfw profile sp_xml_firewall_profile -XMLWSIURL “.*” -XMLWSIChecks “BP1201, R1000, R1001, R1003, R1004, R1005, R1006,
R1007, R1011, R1013, R1014, R1015, R1031, R1032, R1033, R1109, R1111, R1126, R1132, R1140, R1141, R2113, R2211, R2714,
R2729, R2735, R2738, R2740, R2744, R4003”
bind appfw profile sp_xml_firewall_profile -XMLValidationURL “.*” -XMLValidateSOAPEnvelope ON

bind appfw profile sp_xml_firewall_profile -denyURL “/core(/.*)?$” -comment “Unix core file attacks” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “[\\/]etc[\\/](passwd|group|hosts)” -comment “Unix file attacks” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL q{([ /=]|\t|\n)(ls|rm|cat)([ ;’\”&].*)?$} -comment “Command injection attack” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*[+][.]htr” -comment “HTR source disclosure” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/[?][SM]=[AD]” -comment “Apache possible directory index disclosure vulnerability”
-state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/[?]wp-” -comment “Netscape enterprise server directory indexing vulnerability”
-state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/NULL[.]printer” -comment “Printer buffer overflow” -state DISABLED

34
bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/default[.]ida[?]N+” -comment CodeRed -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/publisher” -comment “Netscape enterprise server web publishing vulnerability”
-state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*Admin[.]dll” -comment “Nimbda-3” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/winnt/” -comment “Nimbda-4” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*[+]dir” -comment “IIS executable file parsing vulnerability-1” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/georgi[.]asp” -comment “IIS executable file parsing vulnerability-2” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*[.](bat|ini|exe)(|[?].*)$” -comment “IIS executable file parsing vulnerability-3” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|]” -comment “Script exploit” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*[.]asp\\.*” -comment “Microsoft IIS UNC mapped virtual host vulnerability” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*[.]htx” -comment “Microsoft IIS UNC path disclosure vulnerability” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*[.]id[aq]” -comment “Index server buffer overflow” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$” -comment “Access attacks” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$” -comment “Password file attacks” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*dvwssr[.]dll” -comment “Front Page server extensions buffer overflow-1” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*fp30reg[.]dll” -comment “Front Page server extensions buffer overflow-2” -state
DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*null[.]htw” -comment “Webhits source disclosure” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL “debug[.][^/?]*(|[?].*)$” -comment “Debug attacks” -state DISABLED

bind appfw profile sp_xml_firewall_profile -denyURL q/system( |\t|\n)*[(]/ -comment “System command attacks” -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL “^[^?]*/_vti_bin/shtml[.]” -comment “Front Page server extensions path disclosure
vulnerability” -state DISABLED

add appfw policy sp_xml_firewall_pol ns_true sp_xml_firewall_profile

add appfw policy sp_web2_firewall_pol ns_true sp_web2_firewall_profile

bind lb vserver app_0_ApplicationsSharePoint MercurySP1

bind lb vserver app_0_ApplicationsSharePoint MercurySPx

bind lb vserver app_u_SharePointFrontPage_Services MercurySP1

bind lb vserver app_u_SharePointFrontPage_Services MercurySPx

bind lb vserver app_u_SharePointSOAP_Services MercurySP1

bind lb vserver app_u_SharePointSOAP_Services MercurySPx

35
bind lb vserver app_u_SharePointPortal_Management MercurySP1

bind lb vserver app_u_SharePointDocument_Management MercurySP1

bind lb vserver app_u_SharePointDocument_Management MercurySPx

bind lb vserver app_u_SharePointImage_Management MercurySP1

bind lb vserver app_u_SharePointStyles_and_Scripts MercurySP1

bind lb vserver app_u_SharePointWeb_Service_Definitions MercurySP1

bind lb vserver app_u_SharePointWeb_Service_Definitions MercurySPx

bind lb vserver app_u_SharePointWeb_Service_Schemas MercurySP1

bind lb vserver app_o_SharePointdefault MercurySP1

bind lb vserver app_o_SharePointdefault MercurySPx

bind lb vserver app_u_SharePointFrontPage_Services -policyName sharepoint_compress

bind lb vserver app_u_SharePointFrontPage_Services -policyName sp_xml_firewall_pol

bind lb vserver app_u_SharePointSOAP_Services -policyName sharepoint_compress

bind lb vserver app_u_SharePointSOAP_Services -policyName sp_xml_firewall_pol

bind lb vserver app_u_SharePointPortal_Management -policyName sharepoint_compress

bind lb vserver app_u_SharePointPortal_Management -policyName sp_web2_firewall_pol

bind lb vserver app_u_SharePointDocument_Management -policyName sharepoint_compress

bind lb vserver app_u_SharePointStyles_and_Scripts -policyName sharepoint_compress

bind lb vserver app_u_SharePointStyles_and_Scripts -policyName sp_web2_firewall_pol

bind lb vserver app_u_SharePointWeb_Service_Definitions -policyName sharepoint_compress

bind lb vserver app_u_SharePointWeb_Service_Definitions -policyName sp_xml_firewall_pol

bind lb vserver app_u_SharePointWeb_Service_Schemas -policyName sharepoint_compress

bind lb vserver app_u_SharePointWeb_Service_Schemas -policyName sp_xml_firewall_pol

bind lb vserver app_o_SharePointdefault -policyName sharepoint_compress

bind lb vserver app_u_SharePointImage_Management -policyName “NOPOLICY-CACHE” -priority 100 -gotoPriorityExpression END -type
REQUEST -invoke policylabel cache_sharepoint_images

bind lb vserver app_u_SharePointStyles_and_Scripts -policyName “NOPOLICY-CACHE” -priority 100 -gotoPriorityExpression END -type
REQUEST -invoke policylabel cache_sharepoint_scripts

bind lb vserver app_u_SharePointWeb_Service_Schemas -policyName “NOPOLICY-CACHE” -priority 100 -gotoPriorityExpression END -type
REQUEST -invoke policylabel cache_all_sharepoint

bind lb vserver app_o_SharePointdefault -policyName “NOPOLICY-CACHE” -priority 100 -gotoPriorityExpression END -type REQUEST -
invoke policylabel cache_all_sharepoint

bind lb vserver app_u_SharePointPortal_Management -policyName “NOPOLICY-RESPONDER” -priority 100 -gotoPriorityExpression END

-invoke policylabel label_redirect_forSharepointAp3

bind lb vserver app_u_SharePointDocument_Management -policyName “NOPOLICY-RESPONDER” -priority 100 -gotoPriorityExpression

END -invoke policylabel label_redirect_forSharepointAp3

36
bind lb vserver app_u_SharePointImage_Management -policyName “NOPOLICY-RESPONDER” -priority 100 -gotoPriorityExpression END
-invoke policylabel label_redirect_forSharepointAp3

bind lb vserver app_u_SharePointStyles_and_Scripts -policyName “NOPOLICY-RESPONDER” -priority 100 -gotoPriorityExpression END -

invoke policylabel label_redirect_forSharepointAp3

bind lb vserver app_u_SharePointWeb_Service_Definitions -policyName “NOPOLICY-RESPONDER” -priority 100 -gotoPriorityExpression

END -invoke policylabel label_redirect_forSharepointAp3

bind lb vserver app_u_SharePointWeb_Service_Schemas -policyName “NOPOLICY-RESPONDER” -priority 100 -gotoPriorityExpression END

-invoke policylabel label_redirect_forSharepointAp3

bind lb vserver app_o_SharePointdefault -policyName “NOPOLICY-RESPONDER” -priority 100 -gotoPriorityExpression END -invoke
policylabel label_redirect_forSharepointAp3

bind cs vserver mercurylb app_u_SharePointFrontPage_Services -policyName app_cs0 -priority 25

bind cs vserver mercurylb app_u_SharePointSOAP_Services -policyName app_cs1 -priority 50

bind cs vserver mercurylb app_u_SharePointPortal_Management -policyName app_cs2 -priority 100

bind cs vserver mercurylb app_u_SharePointDocument_Management -policyName app_cs3 -priority 200

bind cs vserver mercurylb app_u_SharePointImage_Management -policyName app_cs4 -priority 300

bind cs vserver mercurylb app_u_SharePointStyles_and_Scripts -policyName app_cs5 -priority 400

bind cs vserver mercurylb app_u_SharePointWeb_Service_Definitions -policyName app_cs6 -priority 500

bind cs vserver mercurylb app_u_SharePointWeb_Service_Schemas -policyName app_cs7 -priority 600

bind cs vserver mercurylb app_o_SharePointdefault

set snmp alarm HA-VERSION-MISMATCH -time 86400

set snmp alarm HA-SYNC-FAILURE -time 86400

set snmp alarm HA-NO-HEARTBEATS -time 86400

set snmp alarm HA-BAD-SECONDARY-STATE -time 86400

add lb monitor sp_http HTTP -respCode 200 401 -httpRequest “HEAD /” -LRTM ENABLED -interval 20

add lb monitor sp_http2 USER -scriptName nssp.pl -scriptArgs q{url=/default.aspx;user=ENG\reduser1;password=Citrix$1} -dispatcherIP

127.0.0.1 -dispatcherPort 3013 -LRTM ENABLED -interval 30
add route 0.0.0.0 0.0.0.0 10.60.1.2

set ssl parameter -encryptTriggerPktCount 45

add ssl certKey “ns-server-certificate” -cert “ns-server.cert” -key “ns-server.key”

set ssl service “nskrpcs-127.0.0.1-3009” -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

set ssl service “nshttps-127.0.0.1-443” -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

set ssl service “nsrpcs-127.0.0.1-3008” -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

set aaa parameter -maxAAAUsers 5

set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true

set vpn parameter -splitDns BOTH -killConnections OFF -defaultAuthorizationAction ALLOW -proxyLocalBypass DISABLED -forceCleanup
none -clientOptions all -clientConfiguration all -SSO OFF -clientDebug OFF -icaProxy OFF

37
set audit syslogParams -serverIP 127.0.0.1

set audit nslogParams -serverIP 127.0.0.1

bind cmp global ns_nocmp_xml_ie -priority 8700 -state DISABLED

bind cmp global ns_nocmp_mozilla_47 -priority 8800 -state DISABLED

bind cmp global ns_cmp_mscss -priority 8900 -state DISABLED

bind cmp global ns_cmp_msapp -priority 9000 -state DISABLED

bind cmp global ns_cmp_content_type -priority 10000 -state DISABLED

bind filter global html_prebody

bind filter global html_postbody

bind vpn global -intranetApplication route_migrate_1

set lb sipParameters -addRportVip ENABLED

bind ssl service “nskrpcs-127.0.0.1-3009” -certkeyName “ns-server-certificate”

bind ssl service “nshttps-127.0.0.1-443” -certkeyName “ns-server-certificate”

bind ssl service “nsrpcs-127.0.0.1-3008” -certkeyName “ns-server-certificate”

set ns hostName ns

set uiinternal CSVSERVER mercurylb -rule “used as an application endpoint”

set uiinternal EXPRESSION app_0_ApplicationsSharePoint -uiinfo “P%Applications^ET%PE^CS%mercurylb^”

set uiinternal EXPRESSION app_u_SharePointFrontPage_Services -uiinfo “ET%PI^PR%25^P%app_0_ApplicationsSharePoint^CS%mercur

ylb^” -rule “HTTP.REQ.HEADER(\”X-Vermeer-Content-Type\”).EXISTS”

set uiinternal EXPRESSION app_u_SharePointSOAP_Services -uiinfo “ET%PI^PR%50^P%app_0_ApplicationsSharePoint^CS%mercurylb^”

-rule “HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HEADER(\”soapaction\”).EXISTS”

set uiinternal EXPRESSION app_u_SharePointPortal_Management -uiinfo “PR%100^P%app_0_ApplicationsSharePoint^ET%PE^CS%merc

urylb^” -rule “URL == \’/*.jsp\’ || URL == \’/*.jspx\’ || URL == \’/*.asp\’ || URL == \’/*.aspx\’”

set uiinternal EXPRESSION app_u_SharePointDocument_Management -uiinfo “PR%200^ET%PE^P%app_0_ApplicationsSharePoint^CS%

mercurylb^” -rule “URL == \’/*.pdf\’ || URL == \’/*.csv\’ || URL == \’/*.prn\’ || URL == \’/*.xsn\’ || URL == \’/*.xls\’ || URL == \’/*.xlsx\’ || URL
== \’/*.xlt\’ || URL == \’/*.xltx\’ || URL == \’/*.xlsb\’ || URL == \’/*.xlsm\’ || URL == \’/*.xltm\’ || URL == \’/*.dif\’ || URL == \’/*.slk\’ || URL == \’/*.
xlam\’ || URL == \’/*.xla\’ || URL == \’/*.doc\’ || URL == \’/*.docx\’ || URL == \’/*.ppt\’ || URL == \’/*.pptx\’ || URL == \’/*.dot\’ || URL == \’/*.
dotx\’ || URL == \’/*.docm\’ || URL == \’/*.dotm\’ || URL == \’/*.rtf\’ || URL == \’/*.txt\’ || URL == \’/*.wps\’ || URL == \’/*.pot\’ || URL == \’/*.
potx\’ || URL == \’/*.pptm\’ || URL == \’/*.potm\’ || URL == \’/*.thmx\’ || URL == \’/*.ppsx\’ || URL == \’/*.ppsm\’ || URL == \’/*.pps\’ || URL
== \’/*.ppam\’”

set uiinternal EXPRESSION app_u_SharePointImage_Management -uiinfo “ET%PI^PR%300^P%app_0_ApplicationsSharePoint^CS%m

ercurylb^” -rule “HTTP.REQ.METHOD.EQ(GET) && HTTP.REQ.URL.PATH.STARTSWITH(\”/_layouts/images\”) && (HTTP.REQ.URL.PATH.
ENDSWITH(\”.gif\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.jpg\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.jpeg\”) || HTTP.REQ.URL.PATH.
ENDSWITH(\”.tiff\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.tif\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.png\”) || HTTP.REQ.URL.PATH.
ENDSWITH(\”.bmp\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.emf\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.wmf\”) || HTTP.REQ.URL.PATH.
ENDSWITH(\”.wbmp\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.ico\”))”

set uiinternal EXPRESSION app_u_SharePointStyles_and_Scripts -uiinfo “PR%400^ET%PI^P%app_0_ApplicationsSharePoint^CS%me

rcurylb^” -rule “HTTP.REQ.METHOD.EQ(GET) && (HTTP.REQ.URL.PATH.STARTSWITH(\”/WebResource.axd\”) || HTTP.REQ.URL.PATH.
ENDSWITH(\”.htc\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.wmls\”) || (HTTP.REQ.URL.STARTSWITH(\”/_layouts\”) && (HTTP.REQ.URL.PATH.
ENDSWITH(\”.css\”) || HTTP.REQ.URL.PATH.ENDSWITH(\”.js\”))))”

38
set uiinternal EXPRESSION app_u_SharePointWeb_Service_Definitions -uiinfo “ET%PE^PR%500^P%app_0_ApplicationsSharePoint^CS%
mercurylb^” -rule “URL CONTAINS ?wsdl || URL CONTAINS .wsdl || URL CONTAINS ?wsil || URL CONTAINS .wsil || URL == \’/*.xml\’”

set uiinternal EXPRESSION app_u_SharePointWeb_Service_Schemas -uiinfo “ET%PE^PR%600^P%app_0_ApplicationsSharePoint^CS%m

ercurylb^” -rule “URL CONTAINS .xsd”

set uiinternal EXPRESSION app_o_SharePointdefault -uiinfo “ET%PE^P%app_0_ApplicationsSharePoint^CS%mercurylb^”

set filter htmlinjectionvariable EDGESIGHT_SERVER_IP -value 10.60.2.64

39
40
Appendix B - Content Types
Content Type Extension mimeType Compress

msword doc,dot,docx,docm,dotx,dotm application/word, Yes

application/doc,
application/msword,
application/winword,
application/ms-word,
application/x-word,
application/x-msword,
application/vnd.word,
application/vnd.msword,
application/vnd.ms-word

x-vermeer-rpc application/x-vermeer-rpc Yes

msexcel xls,xla,xlc,xlm,xlt,xlw,xlsx,xlsm,xltx, application/xls, Yes

xlsb,xlam application/excel,
application/msexcel,
application/ms-excel,
application/x-excel,
application/x-xls,
application/x-msexcel,
application/x-ms-excel,
application/vnd.excel,
application/vnd.msexcel,
application/vnd.ms-excel

mspowerpoint ppt,pot,pps,pptx,pptm,potx,potm,ppa application/powerpoint, Yes

m, ppsx,ppsm application/mspowerpoint,
application/ms-powerpoint,
application/x-powerpoint,
application/x-mspowerpoint,
application/vnd.powerpoint,
application/vnd.mspowerpoint,
application/vnd.ms-pps

postscript ai,eps,ps application/ps, Yes

application/x-ps,
application/x-postscript,
application/postscript,
text/postscript

photoshop psd,pdd image/photoshop, Yes

image/psd,
image/x-photoshop,
application/photoshop,
application/psd,
application/x-photoshop

quarkexpress qxd application/x-quark-express, Yes

application/quarkexpress

41
Content Type Extension mimeType Compress

msproject mpp application/mpp, Yes

application/msproject,
application/x-msproject,
application/x-ms-project,
application/vnd.ms-project

msworks wcm,wdb,wks,wps application/wks, Yes

application/x-wks,
application/lotus123,
application/x-lotus123,
application/x-msworks-db,
application/x-msworks-wps,
application/vnd.ms-works-db,
application/vnd.ms-works

rtf rtf,rtx text/rtf, Yes

text/richtext,
application/rtf,
application/x-rtf

msaccess mdb,clp application/x-mscardfile, Yes

application/x-msclip,
application/mdb,
application/x-mdb,
application/msaccess,
application/msaccess,
application/vnd.msaccess,
application/vnd.ms-access

pdf pdf text/pdf, Yes

text/x-pdf,
application/pdf,
application/x-pdf,
application/acrobat,
application/vnd.pdf

plaintext txt,log,sql,ppd application/txt, text/plain Yes

vcf vcf text/x-vcalendar, text/x-vcard Yes

42
Content Type Extension mimeType Compress

images jpg,jpeg,jpe,gif,png,tif,tiff,ico,wbmp image/jpeg, No

image/jpg,
image/gif,
image/tiff,
image/ico,
image/x-icon,
application/ico,
application/x-ico,
application/x-win-bitmap,
image/x-win/bitmap,
image/vnd.wap.wbmp,
application/png,
application/x-png,
image/png

bmp bmp application/x-bmp, No

application/bmp,
image/x-bmp,
image/bmp,
image/bmp,
image/x-ms-bmp,
image/x-windows-bmp

html htm,html,jsp,asp,aspx,wml,xhtml text/html, Yes

text/vnd.wap.wml,
text/wml, text/wap,
application/vnd.wap.wmlc,
application/vnd.wap.xhtml+xml, application/
xhtml+xml

xml xml application/xml, Yes

application/x-xml,
text/xml

styles, scripts js,css,htc,wmls text/vnd.wap.wmlscript, Yes

application/vnd.wap.cmlscriptc,
text/css,
application/css-stylesheet,
application/css,
text/javascript,
application/javascript,
text/x-component,
application/x-javascript

43
Content Type Extension mimeType Compress

compressed z,gz,zip,rar,arj,lzh,cab,jar,gtar,sit application/x-compress, No

application/x-compressed,
application/x-zip-compressed,
application/x-tar,
application/x-gtar,
application/x-stuffit,
application/arj,
application/x-arj,
application/zip,
application/x-zip,
multipart/x-zip,
gzip/document,
application/gzip,
application/gzipped,
application/x-gzip,
application/x-gunzip,
application/cab,
application/z,
application/x-z,
application/lzh,
application/x-lzh,
application/x-lha

octet-stream application/octet-stream No

media mid,rmi,mp3,aif,aifc,aiff,m3u,ra, application/x-shockwave-flash, Yes

ram,mp2,mpa,mpe, mpeg,mpg,mpv2, application/futuresplash, audio/m, audio/mid,
mpv,mov,qt,avi, lsx,asf,asx, au, audio/midi, audio/x-midi, application/x-midi,
snd,wav,vrml, swf,fla,as,swd,asc, audio/mp3, audio/x-mp3, audio/mpg,
flv,swc, jsfl,swt,flp, spl,aso,sol audio/x-mpg, audio/mpeg3, audio/x-mpeg3,
audio/mpeg, audio/x-mpeg,
audio/x-mpeg audio, audio/rmf, audio/x-rmf,
audio/aiff, audio/x-aiff,
audio/x-aifc, audio/x-gsm, audio/x-pn-aiff,
sound/aiff, audio/x-mpegurl, audio/mpeg-url,
audio/vnd.rn-realaudio, audio/x-realaudio,
audio/x-pn-realaudio-plugin,
audio/x-pn-realaudio, audio/x-pn-realvideo,
video/x-pn-realvideo, audio/avi, video/avi,
image/avi, image/mov, video/mpeg,
video/quicktime, video/x-quicktime,
video/msvideo, video/x-msvideo, audio/asf,
video/x-ms-asf, video/x-ms-wm,
video/x-ms-wmx, video/x-ms-asf,
video/vnd.ms-asf, application/asx,
video/asx,application/asf,
video/x-la-asf,audio/basic, audio/wav,
audio/x-pn-wav, audio/wave, audio/x-wav,
x-world/x-vrml, model/vrml, video/x-vrml

44
 Citrix Worldwide
Worldwide headquarters

Citrix Systems, Inc.

851 West Cypress Creek Road
Fort Lauderdale, FL 33309
USA
T +1 800 393 1888
T +1 954 267 3000

Regional headquarters

Americas
Citrix Silicon Valley
4988 Great America Parkway
Santa Clara, CA 95054
USA
T +1 408 790 8000

Europe
Citrix Systems International GmbH
Rheinweg 9
8200 Schaffhausen
Switzerland
T +41 52 635 7700

Asia Pacific
Citrix Systems Hong Kong Ltd.
Suite 3201, 32nd Floor
One International Finance Centre
1 Harbour View Street
Central
Hong Kong
T +852 2100 5000

Citrix Online division

5385 Hollister Avenue
Santa Barbara, CA 93111
USA
T +1 805 690 6400

www.citrix.com

About Citrix

Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than
200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest
security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well
as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more
than 100 countries. Annual revenue in 2006 was $1.1 billion.

Citrix®, NetScaler®, GoToMyPC®, GoToMeeting®, GoToAssist®, Citrix Presentation Server™, Citrix Password Manager™, Citrix Access Gateway™, Citrix Access
Essentials™, Citrix Access Suite™, Citrix SmoothRoaming™ and Citrix Subscription Advantage™ and are trademarks of Citrix Systems, Inc. and/or one or more of its
subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX® is a registered trademark of The Open Group in the U.S. and
other countries. Microsoft®, Windows® and Windows Server® are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks
and registered trademarks are property of their respective owners.

www.citrix.com