Microsoft Exchange 2013 Citrix NetScaler Deployment Guide

Microsoft Exchange 2013 Citrix NetScaler

2 Table of contents What s new in Microsoft Exchange 2013 3 Exchange 2013 Architecture 3 Load Balancing Exchange 2013 5 Lync and SharePoint integration 6 Mobility for Outlook Web A (OWA) 6 Edge Transort servers 6 Exchange 2013 Architecture summary 7 Configuration examles for Exchange 2013 7 Product versions 7 Toology 7 Exchange rotocol / Port requirements 9 Configuring NetScaler for Outlook Web A (OWA) 9 Configuring NetScaler for Microsoft Outlook Anywhere (OA) 16 Configuring NetScaler for Microsoft Exchange ActiveSync (AS) 17 Configuring NetScaler for IMAP4 18 Configuring NetScaler with POP3 24 Conclusion 30 References 31 Click on the section names above to navigate to that ortion of the book and the arrow icon to return to the table of contents from any age.

3 NetScaler is an alication delivery controller (ADC) that otimizes and enhances the erformance, availability, scalability and security of Microsoft Exchange 2013 deloyments. Citrix NetScaler is available as a hysical or a virtual aliance. This guide will take you through an easy to understand ste by ste rocess of deloying NetScaler for Microsoft Exchange 2013. What s new in Microsoft Exchange 2013 Exchange 2013 Architecture For Microsoft Exchange 2013, there have been major architectural changes to the Exchange server roles. 1 Instead of the five server roles that were resent in Exchange 2010 and Exchange 2007, in Exchange 2013, the number of server roles has been reduced to two: Client Access server The Client Access server rovides authentication, limited redirection, and roxy services. The Client Access server itself doesn t do any data rendering. The Client Access server is a thin and stateless server. There is never anything queued or stored on the Client Access server. The Client Access server offers all the usual client access rotocols: HTTP, POP and IMAP, and Simle Mail Transfer Protocol (SMTP). Mailbox server The Mailbox server includes all the traditional server comonents found in Exchange 2010: the Client Access rotocols, Transort service, Mailbox databases, and Unified Messaging. The Mailbox server handles all activity for the active mailboxes on that server. Previous versions of Exchange were otimized and architected with certain technological constraints that existed at that time. For examle, during develoment for Exchange 2007, one of the key constraints was CPU erformance. To alleviate that constraint, Exchange 2007 was slit into different server roles that allowed scale out through server searation. However, server roles in Exchange 2007 and Exchange 2010 were tightly couled. The tight couling of the roles had several downsides including version deendency, geoaffinity (requiring all roles in a secific site), session affinity (requiring exensive layer 7 hardware load balancing), and namesace comlexity.

4 Today, CPU horseower is significantly less exensive and is no longer a constraining factor. With that constraint lifted, the rimary design goal for Exchange 2013 is for simlicity of scale, hardware utilization, and failure isolation. With this new architecture, the Client Access server and the Mailbox server have become loosely couled. All rocessing and activity for a secific mailbox occurs on the Mailbox server that houses the active database coy where the mailbox resides. All data rendering and data transformation is erformed local to the active database coy, eliminating concerns of version comatibility between the Client Access server and the Mailbox server. The Exchange 2013 architecture rovides the following benefits: Version ugrade flexibility No more rigid ugrade requirements. A Client Access server can be ugraded indeendently and in any order in relation to the Mailbox server. Session indifference With Exchange 2010, session affinity to the Client Access server role was required for several rotocols. In Exchange 2013, the client access and mailbox comonents reside on the same Mailbox server. Because the Client Access server simly roxies all connections for a user to a secific Mailbox server, no session affinity is required at the Client Access servers. This allows inbound connections to Client Access servers to be balanced using techniques rovided by load-balancing technology like least connection or round-robin. Deloyment simlicity With an Exchange 2010 site-resilient design, you needed u to eight different namesaces: two Internet Protocol namesaces, two for Outlook Web A fallback, one for Autodiscover, two for RPC Client Access, and one for Simle Mail Transfer Protocol (SMTP). A legacy namesace was also required if you were ugrading from Exchange 2003 or Exchange 2007. With Exchange 2013, the minimum number of namesaces dros to two. If you re coexisting with Exchange 2007, you still need to create a legacy hostname, but if you re coexisting with Exchange 2010 or you re installing a new Exchange 2013 organization, the minimum number of namesaces you need is two: one for client rotocols and one for Autodiscover. You may also need a Simle Mail Transfer Protocol (SMTP) namesace. As a result of these architectural changes, there have been some changes to client connectivity. First, RPC is no longer a suorted direct access rotocol. This means that all Outlook connectivity must take lace using RPC over HTTP (also known as Outlook Anywhere). At first glance, this may seem like a limitation, but it actually has some added benefits. The most obvious benefit is that there is no need to have the RPC client access service on the Client Access server. This results in the reduction of two namesaces that would normally be required for a site-resilient solution. In addition, there is no longer any requirement to rovide affinity for the RPC client access service.

5 Second, Outlook clients no longer connect to a server FQDN as they have done in all revious versions of Exchange. Outlook uses Autodiscover to create a new connection oint comrised of mailbox GUID, @ symbol, and the domain ortion of the user s rimary Simle Mail Transfer Protocol (SMTP) address. This simle change results in a near elimination of the unwelcome message of Your administrator has made a change to your mailbox. Please restart. Only Outlook 2007 and higher versions are suorted with Exchange 2013. The high availability model of the mailbox comonent has not changed significantly since Exchange 2010. The unit of high availability is still the database availability grou (DAG). The DAG still uses Windows Server failover clustering. Continuous relication still suorts both file mode and block mode relication. However, there have been some imrovements. Failover times have been reduced as a result of transaction log code imrovements and deeer checkoint on the assive databases. Now, each database runs under its own rocess, allowing for isolation of store issues to a single database. The Client Access server has the following features: Stateless server In revious versions of Exchange, many of the Client Access rotocols required session affinity. For examle, Outlook Web A required that all requests from a articular client be handled by a secific Client Access server within a load balanced array of Client Access servers. In Exchange 2013, the Client Access server is stateless. In other words, because all rocessing for the mailbox haens on the Mailbox server, it doesn t matter which Client Access server in an array of Client Access servers receives each individual client request. This change in functionality means that session affinity is no longer required at the load balancer level. This allows inbound connections to Client Access servers to be balanced using simle techniques rovided by load balancing technology such as DNS round-robin. It also allows hardware load balancing devices to suort significantly more concurrent connections. Connection ooling The Client Access servers handle client authentication and send the AuthN data to the Mailbox server. The account used by the Client Access servers to connect to the Mailbox servers is a rivileged account that s a member of the Exchange Servers grou. This allows the Client Access servers to ool connections to the Mailbox servers effectively. An array of Client Access servers can handle millions of client connections from the Internet, but far fewer connections are used to roxy the requests to the Mailbox servers than in revious releases of Exchange. This imroves rocessing efficiency and end-to-end latency. Load Balancing Exchange 2013 The use of NetScaler is still suorted and the configuration of NetScaler with Exchange 2013 can be much simler, given the architectural changes discussed earlier in this toic. Rather than configuring session affinity for Exchange rotocols, inbound connections to Exchange 2013 Client Access servers can be directed

6 to an available server by the NetScaler with no additional rocessing necessary. The NetScaler still has an imortant role in roviding high availability of the Exchange service because it can detect when a secific Client Access server has become unavailable and remove it from the set of servers that will handle inbound connections. 2 Lync and SharePoint integration Exchange 2013 integrates with SharePoint 2013 to allow users to collaborate more effectively by using site mailboxes. Lync Server 2013 can archive content in Exchange 2013 and use Exchange 2013 as a contact store. Discovery Managers can erform In-Place ediscovery and Hold searches across SharePoint 2013, Exchange 2013, and Lync 2013 data. Oauth authentication allows artner alications to authenticate as a service or imersonate users where required. Mobility for Outlook Web A (OWA) The Outlook Web A user interface is new and otimized for tablets and smarthones as well as deskto and lato comuters. New features include as for Outlook, which allow users and administrators to extend the caabilities of Outlook Web A; Contact linking, the ability for users to add contacts from their LinkedIn accounts; and udates to the look and features of the calendar. Edge Transort servers The Edge Transort server is not currently available in Microsoft Exchange Server 2013.4 However, you can continue to use existing Exchange Server 2007 or Exchange Server 2010 Edge Transort servers that you have deloyed in your erimeter network. Or, you can install a new Exchange 2007 or Exchange 2010 Edge Transort server in your erimeter network for a new or ugraded Exchange 2013 organization. Here are the things you need to know: An Exchange 2007 or Exchange 2010 Edge Transort server exects a connection to a Hub Transort server. In Exchange 2013, the Transort service exists on the Mailbox server. Therefore, Internet mail flow occurs between the Transort service on the Mailbox server and the Edge Transort server, which effectively byasses the Exchange 2013 Client Access server. You can subscribe an Exchange 2007 or Exchange 2010 Edge Transort server to an Active Directory site that contains only Exchange 2013 servers. You can imort the Edge Subscrition file and run EdgeSync on a standalone Exchange 2013 Mailbox server, or on a server where the Mailbox server and the Client Access server are installed on the same comuter. You can t imort the Edge Subscrition file or run EdgeSync on a standalone Exchange 2013 Client Access server. The rocedures to deloy a new Exchange 2007 or Exchange 2010 Edge Transort server in your Exchange 2013 organization are basically the same as in

7 revious versions of Exchange. However, any rocedures that are erformed on the Hub Transort server are erformed on the Mailbox server in Exchange 2013. Exchange 2013 Architecture summary Exchange 2013 has only two roles: Client Access server Mailbox server RPC is no longer a suorted direct access rotocol Outlook connectivity must take lace using RPC over HTTPS (aka Outlook Anywhere) Session affinity no longer required Only Client Access server needs to be load balanced As of this writing, SSL Offloading is not suorted (even though the otion is visible in EAC). 3 However, end-to-end encrytion is available via NetScaler allowing for comression and cookie ersistence. Additionally, NetScaler utilizes SSL session multilexing to reuse existing SSL sessions with the back-end servers, thus avoiding CPU-intensive key exchange (full handshake) oerations. This reduces the overall number of SSL sessions on the server, and therefore accelerates the SSL transaction while maintaining end-to-end security. Edge Transort server is not currently available in Microsoft Exchange Server 2013 4 Configuration examles for Exchange 2013 Product versions Microsoft Exchange 2013 Office Client (MS Office 2013) Exchange Platform (Server 2012) Active Directory (Server 2012) NetScaler 10.1 Toology mu_exchange_server_2013_x64 en_office_rofessional_lus_2013_x86 en_windows_server_2012_x64 en_windows_server_2012_x64 NS10.1: Build 112.15.nc

8 Figure 1: Lab toology Role FQDN IP Additional Active Directory Exchange Server 2013 Exchange Server 2013 Exchange Server 2013 Exchange Server 2013 Internal NetScaler VIP DMZ NetScaler VIP Windows 8 Client Windows 7 Client Windows 7 Client Table 1: Lab IP addresses ns-tme-srv12-dc. xencloud.net ms-exc2013-1. tme-cloud.net ms-exc2013-2. tme-cloud.net ms-exc2013-3. tme-cloud.net ms-exc2013-4. tme-cloud.net dc-mail.xencloud. net 172.16.100.220 172.16.100.225 Client Access Server (CAS) & Mailbox (MB) 172.16.100.226 Client Access Server (CAS) & Mailbox (MB) 172.16.100.227 Client Access Server (CAS) 172.16.100.228 Client Access Server (CAS) 172.16.99.50 Internal Mail Access mail.xencloud.net 172.16.96.50 External Mail Access win8-01.tmecloud.net win7-01.tmecloud.net win7-02.tmecloud.net 172.16.99.200 172.16.99.201 172.16.93.200

9 Exchange rotocol / Port requirements Descrition VIP Port Protocol Outlook Web A Provides access to e-mail from any Web browser. LB Method, Persistency, & Client Timeout 443 SSL Method: Least Connection or Round Robin Persistence: SOURCEIP or COOKIEINSERT Outlook Anywhere Allows Exchange access through the Microsoft Outlook client by tunneling Outlook s MAPI rotocol over an HTTP connection Active Sync Synchronizes data between your mobile hone and Exchange. You can synchronize e-mail, contacts, calendar information, and tasks. IMAP4 (SSL) Internet Message Access Protocol allows online and offline access to mail by non-outlook mail clients POP3 (SSL) Post Office Protocol allows online and offline access to mail by non- Outlook mail clients Client Timeout: 2 minutes 443 SSL Method: Least Connection or Round Robin Persistence: SOURCEIP or COOKIEINSERT Client Timeout: 2 minutes 443 SSL Method: Least Connection or Round Robin Persistence: SOURCEIP or COOKIEINSERT Client Timeout: 2 minutes 993 SSL_TCP Method: Least Connection or Round Robin Persistence: None (Not needed) 995 SSL_TCP Method: Least Connection or Round Robin Persistence: None (Not needed) Table 2. Configuring NetScaler for Outlook Web A (OWA) Microsoft Outlook Web A (OWA) lets users access their Exchange mailbox from almost any Web browser. The Client Access server role rovides roxy and redirection services for Outlook Web A. Fully suorted web browsers give users access to features such as conversation view, Inbox rules, the reading ane, and the Scheduling Assistant. Browsers that aren t fully suorted can still be used, but users will see the light version of Outlook Web A, which has fewer features.

10 NetScaler rovides the following benefit for OWA: Check the health of the Client Access server. Load Balance multile Client Access servers to scale and ensure high availability for client access. Increase erformance by comressing ayload. SSL session multilexing to reuse existing SSL sessions with the back-end servers, thus avoiding CPU-intensive key exchange (full handshake) oerations. This reduces the overall number of SSL sessions on the server, and therefore accelerates the SSL transaction while maintaining end-to-end security. 1) Enable basic features 2) Install SSL Certificate exorted from Client Access server Additional information can be found at Managing NetScaler Certificates 3) Create servers

11 4) Create Service Grou

12

13 5) Create Virtual Server

14

15 CLI Commands add server ms-exc2013-3 172.16.97.227 add server ms-exc2013-4 172.16.97.228 add servicegrou ms-exchange2013-owa SSL -maxclient 0 -maxreq 0 -ci DISABLED -usi NO -useroxyort YES -clttimeout 180 -svrtimeout 360 -CKA NO -TCPB NO -CMP YES -af lowlog DISABLED add ssl certkey mail-exchange-cas -cert /nsconfig/ssl/mail-xencloud-net.em -key /nsconfig/ssl/mail-xencloud-net.em add lb vserver ms-exchange2013-owa SSL 172.16.96.50 443 -ersistencetye COOKIEINSERT -cookiename exchange-owa -clttimeout 180 bind lb vserver ms-exchange2013-owa bind servicegrou ms-exchange2013-owa ms-exc2013-3 443 -CustomServerID \ None\ bind servicegrou ms-exchange2013-owa ms-exc2013-4 443 -CustomServerID \ None\

16 bind servicegrou ms-exchange2013-owa -monitorname htts set ssl vserver ms-exchange2013-owa -tls11 DISABLED -tls12 DISABLED bind ssl servicegrou ms-exchange2013-owa -certkeyname mail-exchange-cas bind ssl vserver ms-exchange2013-owa -certkeyname mail-exchange-cas Configuring NetScaler for Microsoft Outlook Anywhere (OA) In Microsoft Exchange Server 2013, the Outlook Anywhere (OA) feature, formerly known as RPC over HTTP, allows clients that use Microsoft Office Outlook 2013, Outlook 2010, Outlook 2007, or Outlook 2003 connect to their Exchange servers over the Internet using the RPC over HTTPS Windows networking comonent. In Exchange 2013, Outlook Anywhere is enabled by default, because all Outlook connectivity takes lace via Outlook Anywhere. The only ost-deloyment task you must erform to successfully use Outlook Anywhere is to install a valid SSL certificate on your Client Access server. Mailbox servers in your organization only require the default self-signed SSL certificate. NetScaler rovides the following benefit for OA: Check the health of the Client Access server. Load Balance multile Client Access servers to scale and ensure high availability for client access. Increase erformance by comressing ayload. SSL session multilexing to reuse existing SSL sessions with the back-end servers, thus avoiding CPU-intensive key exchange (full handshake) oerations. This reduces the overall number of SSL sessions on the server, and therefore accelerates the SSL transaction while maintaining end-to-end security. Stes to configure NetScaler are the same as documented in Configuring NetScaler for Outlook Web A (OWA): 1. Enable Basic Features 2. Install SSL Certificate Exorted from Client Access Server 3. Create Servers 4. Create Service Grou a. Add Members b. Select Monitor c. Select SSL Certificate 5. Create Virtual Server a. Configure VIP b. Select Protocol: SSL

17 c. Configure Port: 443 d. Select Service Grou e. Select LB Method: Least Connection or Round Robin f. Select Persistence: SOURCEIP or COOKIEINSERT g. Set Client Timeout: 2 minutes h. Select SSL Certificate Configuring NetScaler for Microsoft Exchange ActiveSync (AS) Exchange ActiveSync lets devices such as a cellular telehone or a Microsoft Windows Mobile owered device access cororate information on a server that is running Exchange. Exchange ActiveSync is a data synchronization service that enables mobile users to access their e-mail, calendar, and contacts and retain access to this information while they are offline. NetScaler rovides the following benefit for AS: Check the health of the Client Access server. Load Balance multile Client Access servers to scale and ensure high availability for client access. Increase erformance by comressing ayload. SSL session multilexing to reuse existing SSL sessions with the back-end servers, thus avoiding CPU-intensive key exchange (full handshake) oerations. This reduces the overall number of SSL sessions on the server, and therefore accelerates the SSL transaction while maintaining end-to-end security. NOTE: ActiveSync RULE-based ersistence (i.e. Basic Authentication with htt. REQ.HEADER( Authorization )) is no longer required in Exchange 2013. Stes to configure are the same as documented in Configuring NetScaler for Outlook Web A (OWA): 1. Enable Basic Features 2. Install SSL Certificate Exorted from Client Access Server 3. Create Servers 4. Create Service Grou a. Add Members b. Select Monitor c. Select SSL Certificate

18 5. Create Virtual Server a. Configure VIP b. Select Protocol: SSL c. Configure Port: 443 d. Select Service Grou e. Select LB Method: Least Connection or Round Robin f. Select Persistence: SOURCEIP or COOKIEINSERT g. Set Client Timeout: 2 minutes h. Select SSL Certificate Configuring NetScaler for IMAP4 Internet Message Access Protocol (IMAP4) is an Alication Layer Internet rotocol oerating on secure ort 993 that allows an e-mail client to access e-mail on a remote mail server. Within Microsoft Exchange, IMAP4 clients are serviced by the Client Access server comonent. IMAP4 does not offer advanced collaboration features, such as calendaring, contacts, and tasks. IMAP4 is commonly used in e-mail clients, such as Windows Mail, Windows Live Mail, and Mozilla Thunderbird. IMAP4 cannot be used to send messages from a client alication to the e-mail server. E-mail alications that use IMAP4 to send messages rely on the Simle Mail Transfer Protocol (SMTP) rotocol to send messages. NetScaler rovides the following benefit for secure IMAP4: Check the health of the Client Access server Load Balance multile Client Access servers to scale and ensure high availability for client access 1) Install SSL Certificate exorted from Client Access server Additional information can be found at Managing NetScaler Certificates

19 2) Create an alication level monitor for IMAP (otional)

20 3) Create Service Grou

21

22 4) Create Virtual Server

23

24 CLI Commands add server ms-exc2013-3 172.16.97.227 add server ms-exc2013-4 172.16.97.228 add servicegrou ms-exchange2013-imap4 TCP -maxclient 0 -maxreq 0 -ci DISABLED -usi NO -useroxyort YES -clttimeout 9000 -svrtimeout 9000 -CKA NO -TCPB NO -CMP NO -aflowlog DISABLED add ssl certkey ns-server-certificate -cert ns-server.cert -key ns-server.key add ssl certkey mail-exchange-cas -cert /nsconfig/ssl/mail-xencloud-net.em -key /nsconfig/ssl/mail-xencloud-net.em add lb vserver ms-exchange2013-ima4 SSL_TCP 172.16.96.50 993 -ersistencetye NONE -clttimeout 9000 bind lb vserver ms-exchange2013-ima4 ms-exchange2013-imap4 add lb monitor Exchange2013_IMAP4_monitor TCP-ECV -send GET / -recv The Microsoft Exchange IMAP4 service is ready. -LRTM ENABLED -interval 30 -destip 172.16.97.227 -destport 143 bind servicegrou ms-exchange2013-imap4 ms-exc2013-3 143 -CustomServerID \ None\ bind servicegrou ms-exchange2013-imap4 ms-exc2013-4 143 -CustomServerID \ None\ bind servicegrou ms-exchange2013-imap4 -monitorname Exchange2013_ IMAP4_monitor set ssl vserver ms-exchange2013-ima4 -tls11 DISABLED -tls12 DISABLED bind ssl vserver ms-exchange2013-ima4 -certkeyname mail-exchange-cas Configuring NetScaler with POP3 Post Office Protocol version 3(POP3) is an alication-layer Internet rotocol oerating on secure ort 995 and used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. POP and IMAP (Internet Message Access Protocol) are the two most revalent Internet standard rotocols for e-mail retrieval. Virtually all modern e-mail clients and servers suort both. POP3 was designed to suort offline mail rocessing. With POP3, e-mail messages are removed from the server and stored on the local POP3 client, unless the client has been set to leave mail on the server. This uts the data management and security resonsibility in the hands of the user. POP3 does not offer advanced collaboration features, such as calendaring, contacts, and tasks. POP3 cannot be used to send messages from a client alication to the e-mail server. E-mail alications that use POP3 to send messages rely on the Simle Mail Transfer Protocol (SMTP) rotocol to send messages.

25 NetScaler rovides the following benefit for secure POP3: Check the health of the Client Access server Load Balance multile Client Access servers to scale and ensure high availability for client access 1) Install SSL Certificate exorted from Client Access server Additional information can be found at Managing NetScaler Certificates 2) Create an alication level monitor for POP3 (otional)

26 3) Create Service Grou

27

28 4) Create Virtual Server

29

30 CLI Commands add server ms-exc2013-3 172.16.97.227 add server ms-exc2013-4 172.16.97.228 add servicegrou ms-exchange2013-pop3 TCP -maxclient 0 -maxreq 0 -ci DISABLED -usi NO -useroxyort YES -clttimeout 9000 -svrtimeout 9000 -CKA NO -TCPB NO -CMP NO -aflowlog DISABLED add ssl certkey ns-server-certificate -cert ns-server.cert -key ns-server.key add ssl certkey mail-exchange-cas -cert /nsconfig/ssl/mail-xencloud-net.em -key /nsconfig/ssl/mail-xencloud-net.em add lb vserver ms_exchange2013-o3 SSL_TCP 172.16.96.50 995 -ersistencetye NONE -clttimeout 9000 bind lb vserver ms_exchange2013-o3 ms-exchange2013-pop3 add lb monitor Exchange2013_POP3_monitor POP3 -scritname nso3.l -disatcherip 127.0.0.1 -disatcherport 3013 -username o3testuser -assword d22a145a72d73226fd9368f92e97b797 -encryted -LRTM ENABLED -interval 30 -destip 172.16.97.227 -destport 110 bind servicegrou ms-exchange2013-pop3 ms-exc2013-3 110 -CustomServerID \ None\ bind servicegrou ms-exchange2013-pop3 ms-exc2013-4 110 -CustomServerID \ None\ bind servicegrou ms-exchange2013-pop3 -monitorname Exchange2013_ POP3_monitor set ssl vserver ms_exchange2013-o3 -tls11 DISABLED -tls12 DISABLED bind ssl vserver ms_exchange2013-o3 -certkeyname mail-exchange-cas Conclusion This concludes the NetScaler deloyment guide for MS Exchange 2013. NetScaler can front-end and imrove the erformance, scalability, availability and security for Exchange 2013 deloyments.

31 References 1. What s New in Exchange 2013 htt://technet.microsoft.com/en-us/library/jj150540(v=exchg.150).asx#bkmk_arch 2. Load Balancing htt://technet.microsoft.com/en-us/library/jj898588(v=exchg.150).asx 3. Exchange Forum htt://social.technet.microsoft.com/forums/exchange/en-us/39315d05-d764-4afa-b9c6-e341f7b14384/does-exchange-2013-cu1-now-suort-ssl-offloading 4. Use an Edge Transort Server in Exchange 2013 htt://technet.microsoft.com/en-us/library/jj150569(v=exchg.150).asx Cororate Headquarters Fort Lauderdale, FL, USA Silicon Valley Headquarters Santa Clara, CA, USA EMEA Headquarters Schaffhausen, Switzerland India Develoment Center Bangalore, India Online Division Headquarters Santa Barbara, CA, USA Pacific Headquarters Hong Kong, China Latin America Headquarters Coral Gables, FL, USA UK Develoment Center Chalfont, United Kingdom About Citrix Citrix (NASDAQ:CTXS) is the cloud comany that enables mobile workstyles emowering eole to work and collaborate from anywhere, easily and securely. With market-leading solutions for mobility, deskto virtualization, cloud networking, cloud latforms, collaboration and data sharing, Citrix hels organizations achieve the seed and agility necessary to succeed in a mobile and dynamic world. Citrix roducts are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.. Coyright 2013 Citrix Systems, Inc. All rights reserved. Citrix and NetScaler are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other roduct and comany names mentioned herein may be trademarks of their resective comanies. 0813/PDF