ExtraHop Central Manager: A TRM, Consultant or Channel Partner’s best friend

I was asking a few of my friends who are work as resellers where they make their money? Professional Services/Consulting or reselling. What one reseller told me is that from a profit standpoint, services are the highest margin with ever increasing margin pressure on software licenses and hardware being considerably lower. I was told (and I experienced this as a customer to numerous Platinum Citrix partners) that the channel is able to offer their expertise along with the hardware/software. I would purchase my licenses and a block of professional services from my partner and they would spend time helping me get the new environment planned. The channel consults with my team on security, best practices, architecture and even training providing them a chance to market their best product, their talent.

One of the limiting factors in professional services is the size of your bench. I know a fantastic resource (rock star) working for a Citrix platinum partner in Nashville and I am certain that he does a great job of generating revenue for his company but there are only so many resources like him in the greater Nashville area much less the United States. He can only be at in so many places during the few hours a week that he has. As they say, it’s impossible to be in two places at once…..or is it?

ExtraHop Central Manager:
ExtraHop Networks has an appliance called the ExtraHop Central Manager, this is a virtual appliance that can be imported into your Hypervisor and can be leveraged to provide a portal into a customer’s Physical or virtual ExtraHop Appliance. In this design, absolutely no wire/packet data is exchanged between the customer’s downstream appliance and the ECM portal however, you are able to write rules on the ECM that are relevant to your customers and apply them to the downstream ExtraHop appliances.

You are a Citrix reseller and you have sold licenses to two Customers who publish VDI to deliver applications to end users. One customer (AWS) has their information stored in an AWS cloud environment and another customer is a large hospital (Customer A). Both of them have around 500 Citrix Platinum seats and neither can afford to have or cannot find a full time Netscaler/XenDesktop expert. While the AWS customer cannot afford to have a full Operations staff your hospital does have an operations team but they are still learning their way through IT and spend more time routing tickets than fixing problems. So in sum we have the following:

  • AWS Customer: AWS Hosted Customer
    • 500 Platinum Seats
    • No Operations Staff
    • No proficient Citrix expertise
  • Customer A: Hospital
    • 500 Platinum Seats
    • Has an Operations Team but is limited in scope
    • No proficient Citrix expertise

What can you do for your AWS Customer?
At one of my jobs years ago my manager told me “if I could just put you in a bottle and have the ops guys drink it…” At ExtraHop we can do better than a bottle, we can do a bundle. Bundles are made up of critical metrics that are gathered via triggers by assembling custom dashboards to provide early responders and entry level operations teams with the ability to leverage the years of experience of the person who wrote it. It truly is a way to “level up” your incumbent resources. Additionally, they can be customized for specific environments/customers. So in the case of your AWS customer, I would load the Citrix Bundle as well as parse metrics on your back end database allowing you to see not just the Citrix performance, but the back end database calls or web based calls. You can then configure custom-branded reporting for the customer or you can configure alerts that summon both partner resources as well as the customer to start the triage process and make proactive something more than a buzz word. This also presents an opportunity for premium services to be delivered as you can get directly engaged with a customer to deliver consulting services.

What can you do for your large hospital?
For your hospital, I would load the Citrix bundle as well as deploy the HL7 Module. Leveraging these two technologies will allow you to monitor/alert on Citrix related issues as well as provide real time visibility into your HL7 Interfaces. Additionally, all of the moving parts that go into the customer’s HIS and EMR systems can be monitored so that you can see slow stored procedures, SOAP calls and IBMMQ calls that are part of your EMR suite or you can provide early detection of issues with outside API calls that are made out to integration partners. Let’s say this same customer was also breached last year by some malware and they would like you to record all egress packets to ensure that nothing is stolen from them again. You can create a logical ATO (Authority To Operate) boundary earmarking which hosts, ports and protocols their critical infrastructure should be talking to and provide them a periodic summary of any communications that were outside of that. Examples include:

  • The SA account querying patient data ad hoc
  • A computer from the mail room making a database connection to your EMR database.
  • Your Web/SOAP/REST tier making ad hoc queries instead of canned stored procedures consistent with its applications.
  • An FTP server starting up all of the sudden or your medical imaging server making an FTP connection to an IP address in Russia.

You will be able to remotely monitor this information for this customer and modify it remotely from the ECM again, with NO DATA being transferred between the ECM and your customer’s Network.

In both of these scenarios you are positioned to potentially sell a services agreement to your customers allowing you to leverage professional services (where you have control of the margin) and it allows the customer to have some choices in support options. I personally have paid the 6 figure cost for a vendor-specific TRM only to have them route support tickets for me. The customer gets to leverage an top flight Architecture/Operations team without hiring/training one themselves and they don’t have to make the commitment of an FTE (if they can find one) or a TRM. They also get to leverage the unique talent bench that only exists in the channel.



Leveraging ExtraHop’s wire data analytics platform allows both customers and consultants, MSPs and Channel partners to have the best of both worlds. The customer gets unparalleled visibility into their environment without installing any agents or any impact on their critical systems. They also get to tap into the unique knowledge that exists in the Channel without the need to have a person on site. The Channel gets the ability to more efficiently leverage their bench to make sure that their customer’s systems are running smoothly and provide billable escalation when it is not. Custom built bundles can be leveraged so that each customer’s environment can have relevant and effective monitoring and they don’t have to be on premise because ExtraHop’s ECM appliance puts them on the wire.

Thanks for reading

John M. Smith






Leave a Reply