Deployment Guide

Web Filter
Deployment Guide
A Step-by-Step Technical Guide
Deployment Guide

Notice:

The information in this publication is subject to change without notice.

THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.

The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.

Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.

Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-
2009 U.S.A. All rights reserved.
Table of Contents
Introduction...........................................................................................................................................4
Solution Requirements...........................................................................................................................5
Prerequisites..........................................................................................................................................5
Network Diagram..................................................................................................................................6
First time connectivity............................................................................................................................8
Serial Connection.............................................................................................................................8
Ethernet Connection.........................................................................................................................8
NetScaler Configuration.........................................................................................................................9
Deployment Model: Netscaler Two-Arm Mode, Server Load Balancing, RNAT..................................9
Licensing........................................................................................................................................10
Basic Features................................................................................................................................11
IP Addresses, Interfaces and VLANs...............................................................................................12
RNAT Configuration.............................................................................................................................15
About RNAT...................................................................................................................................15
Load Balancing Configuration..............................................................................................................16
About Server Load Balancing.........................................................................................................16
Create Server Objects.....................................................................................................................16
Create Service Groups....................................................................................................................17
Create LB Virtual Server Objects (VIPs)...........................................................................................18
Load Balancing Methods & Persistence..........................................................................................19
St.Bernard Web Filter..........................................................................................................................20
Outbound Web Filter.......................................................................................................................20
Outbound Web Filter for XenApp....................................................................................................24
Appendix A - NetScaler Application Switch Configuration....................................................................26
Headquarters NetScaler.................................................................................................................26
 Introduction
Citrix® NetScaler® optimizes the delivery of web applications — increasing security and improving
performance and Web server capacity. This approach ensures the best total cost of ownership
(TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a
comprehensive network system that combines high-speed load balancing and content switching with
state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic
content caching, SSL acceleration, network optimization, and robust application security into a single,
tightly integrated solution.

Citrix XenApp™, a member of the Citrix Delivery Center product family, is an end-to-end Windows
application delivery system that offers both client-side and server-side application virtualization, for
optimal application performance and flexible delivery options.

St. Bernard products are used in enterprises of all sizes across most commercial markets including
healthcare, manufacturing, finance, insurance, real estate, and public administration, as well as
educational institutions and state/local governments.

St. Bernard offers a full suite of secure content management solutions that integrate on-premise appliances
with on-demand services to protect corporate networks from online threats, manage bandwidth use and
enforce acceptable use policies. This industry-leading hybrid solution platform offers the security and
control of an on-premises appliance with the scalability of an on-demand service.

St. Bernard is the first and only company to support a true Hybrid Product Line, combining the security
and control of h-Series appliances with the unlimited scalability of iPrism Managed Services. Hybrid
solutions provide only the best functions from both an appliance and managed services approach
to deliver filtering solutions at the best location within the IT infrastructure to maximize efficiency and
value.

The Award-winning iPrism Web Filter secures organizations from Internet-based threats such as malware,
spyware, IM, P2P, and inappropriate content, at the perimeter, while it helps enforce acceptable use and
security policies. The new iPrism h-Series appliances also offer unmatched power, value and performance.
With dual quad-core processors and hot-swappable SATA hard drives and power supplies, there isn’t an
appliance on the market that equals the new iPrism h-Series.

When integrated with Citrix NetScaler and Application Firewall, the St.Bernard offers the extra level of
protection that organizations are often looking for to filter outbound traffic.

When integrated with Citrix XenApp, the St.Bernard provides an added layer of security by filtering
individual client sessions that connect to the internet from the Application Virtualization platform -
XenApp.

This deployment guide was created as the result of validation testing with The Citrix NetScaler, Application
Firewall, Citrix XenApp and St.Bernard iPrism h-Series Web Filter. This deployment guide walks through
the step-by-step configuration details of how to configure the Citrix NetScaler application switch, and
the St.Bernard iPrism Web Filter.


Solution Requirements
• Application Switch - Citrix NetScaler NAT (Reverse NAT)
• Application Firewall - Citrix Application Firewall
• Application Virtualization - Citrix XenApp
• Web Filter - St.Bernard iPrism Web Filter, IM/P2P, Antivirus

Prerequisites
• Citrix NetScaler L4/7 Application Switch, running version 8.0+ (Quantity x 2 for Headquarters &
Remote sites).
• Citrix Application Firewall
• Citrix XenApp (Citrix Presentation Server)
• St.Bernard iPrism h-Series Web Filter
• Client laptop/workstation running Internet Explorer 6.0+, Ethernet port
• 9-pin serial cable -or- USB-to-serial cable


Network Diagram
The following is the Network that was used to develop this deployment guide, and is representative of a solution implemented at a customer site.
Shown here with NetScaler in two-arm mode and St.Bernard in one-arm mode along with Citrix XenApp.

VLAN Legend NetScaler St.Bernard Web Filter XenApp

VLAN 1: (Mgmt) Mgmt IP: IP Address:

VLAN 172 Interface 1/2, Untagged 172.16.104.111 / 24 172.16.104.151 / 24
Gateway: Gateway:
NSIP: 169.145.91.71 / 24 172.16.104.1 172.16.104.1
VLAN 65
SNIP: 169.145.91.1 / 24

VLAN 65:
Interface 1/8, Untagged
SNIP: 65.89.216.1 / 24
VIP: 65.89.216.151 / 24

VLAN 172:
Interface 1/7, Untagged
SNIP: 172.16.104.1 / 24


 Application Server

DFG Citrix NetScaler® St.Bernard®

65.89.216.1 Mgmt int 1/2 Web Filter
NAT 10.217.104.71 172.16.104.111
65.89.216.2 Clients
LB VIP
65.89.216.151

Internet

Mac
Outside Inside
67.97.253.0/24 172.16.104.0/24
vlan 65 vlan 172

Windows

XenApp Citrix XenApp®

Thin Clients


   Default IP Address:
Serial: 9600, n, 8, 1
192.168.100.1

First time connectivity

Serial Connection
The NetScaler can be accessed by the serial port through any
terminal emulation program. Windows Hyperterm is commonly
used on a laptop or workstation. Connect a 9-pin Null Modem
cable (or USB-to-9-pin cable) from the computer to the NetScaler’s
console port. In the terminal emulation program configure the
settings for 9600 baud, No stop bits, 8 data bits, and 1 parity bit.
The login prompt should appear. The default login is nsroot, nsroot.
It is advisable to change the nsroot password once connected.
Once connected type in the CLI command ‘configns’ (‘nsconfig’ if
at the shell prompt). Select option 1 to change the NetScaler IP
Address and Network Mask. Exit, save and reboot.
Ethernet Connection
The NetScaler can also be accessed by the default IP Address
of 192.168.100.1, either through an http, https, telnet or ssh
connection. Once connected, the login prompt should appear.
The default login is nsroot, nsroot. It is advisable to change the
nsroot password once connected.
Type in the CLI command ‘configns’ (‘nsconfig’ if at the shell
prompt). Select option 1 to change the NetScaler IP Address and
Network Mask. Exit, save and reboot.
Note: Changing the NetScaler IP Address always requires a
reboot.


 NetScaler Configuration
Deployment Model: Netscaler Two-Arm Mode, Server Load Balancing,
RNAT.
The NetScaler in this example will be used in two-arm mode. The NetScaler in Two-Arm mode uses
different interfaces for the segmentation of VLAN traffic, providing an additional physical layer of
separation. This deployment can easily have been implemented using a Trunk port on the Netscaler and
Layer 2 switch. For incoming connections to the Application server, we will configure a Load Balancing
VIP on the Internet facing subnet.

Connect to the NetScaler

via the NSIP using a web
browser.

In this example: Ethernet

NS1: http://10.217.104.71

Note: Java will be installed.

Default login is: nsroot,

nsroot.


 Licensing
The availability of a feature is controlled by a license key. When using the system for the first time, you
need to load the license key and then enable the feature.

To add new licenses.

From the GUI, navigate

to NetScaler  System
 Licenses  Manage
Licenses.

Note:
Licenses are tied to the hostname of the switch and must match. The hostname can be found under
NetScaler  System. Make sure the license file is in the correct location. With release 8.0 all license
files must be in the /nsconfig/license directory in order to be recognized.

Also, check the “hosts” files in /nsconfig and in /etc, and make sure both include lines for localhost
and for the NetScaler hostname as defined in the configuration and /nsconfig/rc.conf.

A properly configured hosts file should look similar to the following (using nshost as the example
hostname defined for this NetScaler).

127.0.0.1 localhost
127.0.0.1 nshost

10
Basic Features
Load Balancing is enabled in Basic Features.

From the GUI, navigate to

NetScaler  System 
Settings  Basic Features.

Select Load Balancing and

click OK.

11
 Important NetScaler IP Addresses
Acronym Description Usage
Note: NSIP is Mandatory and requires a reboot.
NSIP NetScaler IP Address The NetScaler IP (NSIP) is the management IP address for the
appliance, and is used for all management related access to the
appliance. There can only be one NSIP.
SNIP Subnet IP Address The Subnet IP address (SNIP) allows the user to access
an Application Switch from an external host that is residing
on another subnet. When a subnet IP address is added, a
corresponding route entry is made in the route table. The
Application Switch uses the SNIP as the source IP Address for
outgoing packets, when the “USNIP” mode is enabled. USNIP
is enabled by default. (With USNIP enabled, configuration of
MIP is unnecessary). The SNIP can also be used as the Tagged
VLAN IP, and for RNAT.
MIP Mapped IP Address The mapped IP address (MIP) is becoming outdated. It has
traditionally been used by the Application Switch to represent
the client when communicating with the backend managed
server. Mapped IP addresses (MIP) were used for server-side
connections and can be used for Reverse NAT. Think of this as
the client’s source address on the server-side of the Application
Switch, assuming a two-arm proxy deployment. When using
the USNIP mode above, MIP’s are unnecessary.
VIP Virtual IP Address The Virtual Server IP address (VIP) is used by the Application
Switch to represent the public facing ip address of the managed
services. ARP and ICMP attributes on this IP address allow
users to host the same vserver on multiple Application Switches
residing on the same broadcast domain.
DFG Default Gateway IP Address of the router that forwards traffic outside of the
subnet where the appliance is installed.

Note:
USNIP mode is enabled by default. If both USIP mode and USNIP mode are enabled, USIP mode
takes precedence over USNIP mode.

IP Addresses, Interfaces and VLANs

Assigning IP Addresses to Interfaces is done ‘virtually’ through the use of port based VLANs.

By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces.
This VLAN is the default VLAN with a VID equal to 1.

When an interface is added to a new VLAN as an untagged member, the interface is automatically
removed from the default VLAN and placed in the new VLAN. This becomes a convenient feature,
such that when we plug the Netscaler into a Switch that is using VLANs with tagging, we only need to
check the box, to turn on tagging. VLANs are typically used to separate subnet traffic.

If Trunking is turned On, you will see an interface as a member of more than one VLAN.

12
Add the remaining IP Addresses
IP Addresses (SNIPs) that are used for routing between VLANs and RNAT are added separately according
to the table in the network diagram. Note that VIP addresses are created later during Load Balancing
configuration, not at this time. The following screen shots are for the NetScaler.

Add the remaining IP

Addresses.

NetScaler  Network  IPs

 Add.

Note: Dynamic Routing

must be enabled on the
Subnet IP (SNIP) for these
routes to be propagated in
routing protocols.

Make sure you take this

opportunity to “Save” the
configuration on both the
Primary and Secondary
NetScalers.

13
 Create VLANs and Assign
Subnet IP Addresses to
them.

NetScaler  Network 
VLANs  Add.

Note: For this example: We create

VLANs 65 & 172. We assign
VLAN 65 to Interface 1/8
and VLAN 172 to interface
1/7.

(We did not use VLAN

Trunking in this deployment,
but easily could have by
turning on trunking on one
of the NetScaler interfaces,
and assigning VLANs 65 &
172 to it).

Interface 1/2 is our

management interface, in
VLAN 1.

NetScaler  Network 
VLANs, to add VLAN and
Interface assignments on
the Application Switch. Be
sure to bind the ip address
to each VLAN, and enable
dynamic routing.

Note: Dynamic Routing

must be enabled on the
VLAN for these routes to
be propagated to routing
protocols.

14
RNAT Configuration From the GUI, navigate to
NetScaler  Network 
Routing  Configure RNAT
 Create.
About RNAT
With this configuration
The NetScaler system supports Reverse Network Address Translation (RNAT) or NAT for outbound all internal private ip
connections. When the system performs RNAT, it replaces the source IP addresses of packets generated addresses that originate in
by the back-end servers with a NAT IP address. The NAT IP address is a public IP address. By default, the 10.217.104.0 network
the NAT IP address is a MIP. However, you can configure the system to use a Subnet IP address as the will be translated (NAT’d) to
NAT IP addresses, which we do in this deployment guide. 65.89.216.2 as they reach
the public internet.

We added a separate SNIP

65.89.216.2 to be used for
the public NAT address, but
could have also used the
65.89.216.1 SNIP to save
ip addresses.

15
 Load Balancing Configuration
About Server Load Balancing

Server Load Balancing is used for incoming connections to Application servers. Load balancing
allows you to distribute requests sent to a particular virtual server (vserver or VIP) evenly across
several physical servers. A client sends a request to the virtual server, which selects a physical server
in the server farm and directs the request to the selected physical server. Load balancing allows the
Application Switch to choose the physical server with the lowest load and greatest available resources.

1-2-3:
Configuring Load Balancing is a simple 1-2-3 process performed by creating objects within the Citrix
Application Switch. We create the objects in logical formation from the backend servers to the
forward facing internet IP Address:
1) Create Servers
2) Create Services
3) Create Load Balancing VIPs w/Persistence

Create Server Objects

Create server objects that point to the backend Application and Database servers. We can refer to these
servers by name as opposed to IP Address, and can then assign availability monitors to them.

Create server objects for the

Application and Database
servers on the backend.

From the GUI, navigate to

NetScaler  Load Balancing
 Servers  Add.

16
Create Service Groups
Service Groups are containers for managing load balancing and SSL services to several instances of the
same service (port number) on the same or different servers (ip address).

Add the Service Group for

the HQ Application Server.

From the GUI, navigate

to NetScaler  Load
Balancing  Service
Groups  Add.

Select an availability monitor to keep in contact with the server/service. If the service goes down, load
balancing will mark it down and send traffic to the other available servers/services.

Select the ‘Monitors’ tab.

Select http-ecv. http-ecv
uses a ‘GET’ request.

Monitors can be added or

modified.

17
 To get the most performance, select the Advanced tab and turn on Compression and TCP Buffering. The
compression computation is an off-loaded task for both http and https from the Application servers.

Select the Advanced tab,

check TCP Buffering and
Compression.

Select OK.

Add the Server Load Create LB Virtual Server Objects (VIPs)

Balancing Virtual Server.
The Virtual Server or Virtual IP Address is the logical entity on the system that accepts client connections
NetScaler  Load Balancing from the Internet and distributes them to the service groups/objects. The Vserver or VIP is the public
 Virtual Servers  Add. facing internet connection.

In this example:
Our public facing IP Address
for the Application server is
65.89.216.151 on port 80.

18
Load Balancing Methods & Persistence Select the ‘Methods and
Persistence’ tab. Select
The Citrix Application Switch is capable of several Load Balancing Methods. In order to direct traffic the LB Method  Round
correctly to the Application servers, the Citrix Application Switch can also be configured to persist Robin.
traffic.

By default the Citrix Application Switch uses the ‘Least Connections’ load balancing algorithm, but can
be changed to Round Robin. Several persistence methods are available.

Make sure you take this

opportunity to “Save” the
configuration on both the
Primary and Secondary
switches.

19
 St.Bernard Web Filter
Outbound Web Filter
The St.Bernard Web Filter intercepts traffic bound for the internet and either blocks or logs it. It is very
simple to use. We plugged the "Int" interface into VLAN 172, and allowed the St.Bernard Appliance
Manager to find the appliance automatically. We then assigned an ip address to it.

20
Once in contact, select the
Manage Selected Appliance
 System Configuration.

To configure the iPrism to

seamlessly authenticate
each user with Active
Directory for every session
they browse to the Internet,
select Users  Windows.
Select Active Directory,
type in the Domain, and a
machine account for this
iPrism.

Type in the Administrator

and Password so that this
iPrism machine can join the
Domain.

21
 To configure the iPrism
policies for blocking and
monitoring content, select
Access  Profiles. Add
the profile name. Select
which content to block, and
which

22
To apply the iPrism policies
for to the internal subnet
Users  Network. Select
Add, add the IP Subnet start
and end, select the Web
Profile. Click ‘Ok’.

To apply the policy to the

Active Directory domain,
select Users  Profile
Mappings. Select Add,
select the Domain, type in
‘Domain Admins’ for the
group.

Under Web Access Profile,

select the profile you
created. Click ‘Ok’.

23
 Outbound Web Filter for XenApp
The St.Bernard Web Filter can be configured to work with Citrix XenApp. Because the St.Bernard uses
'Session Authentication' with every user against Active Directory, every individual user that is logged into
XenApp via a thin client is captured in the St.Bernard logs and reports by individual username.

To configure St.Bernard for

use with Citrix XenApp, add
the Citrix XenApp server to
the ‘Networks” list by its IP
Address.

On the Citrix XenApp,

configure internet sessions
to proxy through the iPrism,
on port 3128.

24
25
Appendix A - NetScaler Application Switch
Configuration
Headquarters NetScaler
nshq1> #NS9.0 Build 47.008

set ns config -IPAddress 10.217.104.71 -netmask 255.255.255.0

enable ns feature WL SP LB

enable ns mode FR L3 Edge USNIP PMTUD

set interface 1/1 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0 -
bandwidthHigh 0 -bandwidthNormal 0

set interface 1/2 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -
bandwidthHigh 0 -bandwidthNormal 0

set interface 1/3 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk
OFF -lacpMode DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
set interface 1/4 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -
bandwidthHigh 0 -bandwidthNormal 0

set interface 1/5 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -
bandwidthHigh 0 -bandwidthNormal 0

set interface 1/6 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0 -
bandwidthHigh 0 -bandwidthNormal 0

set interface 1/7 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -
throughput 0 -bandwidthHigh 0 -bandwidthNormal 0

set interface 1/8 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -
throughput 0 -bandwidthHigh 0 -bandwidthNormal 0
add ns ip 10.217.104.73 255.255.255.0 -vServer DISABLED

add ns ip 65.89.216.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 172.16.104.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 10.217.104.72 255.255.255.0 -type MIP -vServer DISABLED

add ns ip 66.91.171.1 255.255.255.0 -vServer DISABLED -dynamicRouting ENABLED

add ns ip 65.89.216.2 255.255.255.0 -vServer DISABLED

add vlan 65 -ipv6DynamicRouting ENABLED

add vlan 66 -ipv6DynamicRouting ENABLED

add vlan 172 -ipv6DynamicRouting ENABLED

bind vlan 65 -ifnum 1/8

bind vlan 65 -IPAddress 65.89.216.1 255.255.255.0

bind vlan 66 -ifnum 1/6

26
bind vlan 66 -IPAddress 66.91.171.1 255.255.255.0

bind vlan 172 -ifnum 1/7

bind vlan 172 -IPAddress 172.16.104.1 255.255.255.0

add server Server151 172.16.104.151

add serviceGroup ServerGroup151 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -cltTimeout 180 -svrTimeout 360 -CKA NO
-TCPB YES -CMP YES

add lb vserver VIP151 HTTP 65.89.216.151 80 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180

bind serviceGroup ServerGroup151 Server151 80 -serverID 151

bind lb vserver VIP151 ServerGroup151

bind lb monitor “http-ecv” ServerGroup151

add route 0.0.0.0 0.0.0.0 65.89.216.250 -distance 205 -cost 1

set rnat 172.16.104.0 255.255.255.0 -natIP 65.89.216.2

set ns hostName nshq1

27
 Citrix Worldwide
Worldwide headquarters

Citrix Systems, Inc.

851 West Cypress Creek Road
Fort Lauderdale, FL 33309
USA
T +1 800 393 1888
T +1 954 267 3000

Regional headquarters

Americas
Citrix Silicon Valley
4988 Great America Parkway
Santa Clara, CA 95054
USA
T +1 408 790 8000

Europe
Citrix Systems International GmbH
Rheinweg 9
8200 Schaffhausen
Switzerland
T +41 52 635 7700

Asia Pacific
Citrix Systems Hong Kong Ltd.
Suite 3201, 32nd Floor
One International Finance Centre
1 Harbour View Street
Central
Hong Kong
T +852 2100 5000

Citrix Online division

5385 Hollister Avenue
Santa Barbara, CA 93111
USA
T +1 805 690 6400

www.citrix.com

About Citrix
Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than
200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest
security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well
as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more
than 100 countries. Annual revenue in 2006 was $1.1 billion.

Citrix®, NetScaler®, GoToMyPC®, GoToMeeting®, GoToAssist®, Citrix Presentation Server™, Citrix Password Manager™, Citrix Access Gateway™, Citrix Access
Essentials™, Citrix Access Suite™, Citrix SmoothRoaming™ and Citrix Subscription Advantage™ and are trademarks of Citrix Systems, Inc. and/or one or more of its
subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX® is a registered trademark of The Open Group in the U.S. and
other countries. Microsoft®, Windows® and Windows Server® are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks
and registered trademarks are property of their respective owners.

www.citrix.com