Manuals / Brands / Computer Equipment / Network Router / Citrix Systems / Computer Equipment / Network Router

Citrix Systems 9.2 Benefits of Using Advanced Policies , Basic Components of an Advanced or a Classic Policy

1 302

Download 302 pages, 2.02 Mb

2 Citrix NetScaler Policy Configuration and Reference Guide

Benefits of Using Advanced Policies

Advanced policies use a powerful expression language that is built on a class-

object model, and they offer several options that enhance your ability to configure

the behavior of various NetScaler features. With advanced policies, you can do

the following:

• Perform fine-grained analyses of network traffic from layers 2 through 7.

• Evaluate any part of the header or body of an HTTP or HTTPS request or

response.

• Bind policies to the multiple bind points that the advanced policy

infrastructure supports at the default, override, and virtual server levels.

• Use goto expressions to transfer control to other policies and bind points, as

determined by the result of expression evaluation.

• Use special tools such as pattern sets, policy labels, rate limit identifiers,

and HTTP callouts, which enable you to configure policies effectively for

complex use cases.

Additionally, the configuration utility extends robust graphical user interface

support for advanced policies and expressions and enables users who have

limited knowledge of networking protocols to configure policies quickly and

easily. The configuration utility also includes a policy evaluation feature for

advanced policies. You can use this feature to evaluate an advanced policy and

test its behavior before you commit it, thus reducing the risk of configuration

errors.

Basic Components of an Advanced or a Classic Policy

Following are a few characteristics of both classic and advanced policies:

•Name. Each policy has a unique name.

•Rule. The rule is a logical expression that enables the NetScaler feature to

evaluate a piece of traffic or another object.

For example, a rule can enable the NetScaler to determine whether an

HTTP request originated from a particular IP address, or whether a Cache-

Control header in an HTTP request has the value “No-Cache”.

Advanced policies can use all of the expressions that are available in a

classic policy, with the exception of classic expressions for the SSL VPN

client. In addition, advanced policies enable you to configure more

complex expressions.

Contents

Main Page Contents Preface Chapter 1 Introduction to Policies and Expressions Chapter 2 Configuring Advanced Policies Chapter 3 Configuring Advanced Expressions: Getting Started Chapter 4 Advanced Expressions: Evaluating Text Chapter 5 Advanced Expressions: Working with Dates, Times, and Numbers Chapter 6 Advanced Expressions: Parsing HTTP, TCP, and UDP Data Chapter 7 Advanced Expressions: Parsing SSL Certificates Chapter 8 Advanced Expressions: IP and MAC Addresses, Throughput, VLAN IDs Chapter 9 Advanced Expressions: String Sets, String Patterns, and Data Formats Chapter 10 Advanced Policies: Controlling the Rate of Traffic Chapter 11 Advanced Policies: Sending HTTP Service Callouts to Applications Chapter 12 Configuring Classic Policies and Expressions Appendix A Expressions Reference Appendix D Tutorial Examples of Classic Policies Appendix E Migration of Apache mod_rewrite Rules to Advanced Policies Appendix F New Advanced Expression Operators in This Release P Preface About This Guide Page New in This Release Audience Formatting Conventions This documentation uses the following formatting conventions Formatting Conventions Related Documentation Getting Service and Support Documentation Feedback Introduction to Policies and Expressions Advanced and Classic Policies Benefits of Using Advanced Policies Basic Components of an Advanced or a Classic Policy How Different NetScaler Features Use Policies NetScaler Feature, Policy Type, and Policy Usage About Actions and Profiles About Actions About Profiles Use of Actions and Profiles in Particular Features About Policy Bindings Following is an overview of different types of bind points for a policy: Use of Actions and Profiles in Different NetScaler Features About Evaluation Order of Policies Order of Evaluation Based on Traffic Flow Advanced and Classic Expressions About Advanced Expressions About Classic Expressions About Migration from Classic to Advanced Policies and Expressions Before You Proceed Page Configuring Advanced Policies Creating or Modifying an Advanced Policy Policy Configuration Examples Binding Advanced Policies Feature-Specific Differences in Policy Bindings Feature-Specific Bindings for Advanced Policies Bind Points and Order of Evaluation Advanced Policy Evaluation Across Features Entries in a Policy Bank Evaluation Order Within a Policy Bank How Policy Evaluation Ends How Features Use Actions After Policy Evaluation Binding a Policy Globally Page Binding a Policy to a Virtual Server Displaying Policy Bindings Unbinding an Advanced Policy Page Creating Policy Labels Creating a Policy Label Page Binding a Policy to a Policy Label Configuring a Policy Label or Virtual Server Policy Bank Configuring a Policy Label Page Configuring a Policy Bank for a Virtual Server Invoking or Removing a Policy Label or Virtual Server Policy Bank Page Configuring and Binding Policies with the Policy Manager Page Page Page Configuring Advanced Expressions: Getting Started Expression Characteristics Basic Elements of an Advanced Expression Prefixes Page Single-Element Expressions Operations Basic Operations on Expression Prefixes Compound Advanced Expressions Booleans in Compound Expressions Parentheses in Compound Expressions Compound Operations for Strings String-Based Operations for Compound Advanced Expressions Compound Operations for Numbers Page Page Page Page Page Page Page Page Classic Expressions in Advanced Expressions Configuring Advanced Expressions in a Policy Page Page Configuring Named Advanced Expressions Configuring Advanced Expressions Outside the Context of a Policy Page Advanced Expressions: Evaluating Text About Text Expressions About Operations on Text Compounding and Precedence in Text Expressions Categories of Text Expressions Guidelines for Text Expressions Expression Prefixes for Text Expression Prefixes for Text in HTTP Requests and Responses Page Page Page Page Page Page Page Page Expression Prefixes for VPNs and Clientless VPNs The following table describes the expression prefixes for this type of data. Page Page Page Page Page Page Page Page Operations on Text Basic Operations on Text Operations for Calculating the Length of a String Operations for Controlling Case Sensitivity Complex Operations on Text Operations on the Length of a String Operations on a Portion of a String You can extract a subset of a larger string using one of the operations in the following table. Basic Operations on a Portion of a String Operations on Strings Based on a Character Count Operations for Comparing the Alphanumeric Order of Two Strings Basic Operations on a Portion of a String Extracting the nth Integer from a String of Bytes that Represent Text Converting Text to a Hash Value Encoding and Decoding Text by Applying the Base64 Encoding Algorithm Refining the Search in a Rewrite Action by Using the EXTEND Operator Converting Text to Hexadecimal Format Page Advanced Expressions: Working with Dates, Times, and Numbers Format of Dates and Times in an Expression Dates and Times in a Rewrite Action Expressions for the NetScaler System Time Page Page Page Expressions for SSL Certificate Dates The following table describes time-based operations on SSL certificates. Page Page Page Page Page Page Page Expressions for HTTP Request and Response Dates Expression Prefixes for Numeric Data Other Than Date and Time Page Advanced Expressions: Parsing HTTP , TCP, and UDP Data About Evaluating HTTP and TCP Payload About Evaluating the Payload Body Expressions for HTTP Headers Prefixes for HTTP Headers The following table describes expression prefixes that extract HTTP headers. Page Page Page Page Page Operations for HTTP Headers Page Page Page Prefixes for Cache-Control Headers The following prefixes apply specifically to Cache-Control headers. Operations for Cache-Control Headers Prefixes That Extract Cache-Control Headers Page Operations That Evaluate Cache-Control Headers Expressions for Extracting Segments of URLs The following table describes prefixes for HTTP URLs that are not described elsewhere. Expressions for Numeric HTTP Payload Data Other Than Dates Prefixes That Extract URLs Prefixes That Evaluate HTTP Request or Response Length Operations for HTTP, HTML, and XML Encoding and Safe Characters Prefixes That Evaluate HTTP Request or Response Length Page Page Expressions for TCP, UDP, and VLAN Data Prefixes that Extract TCP and UDP Data XPath and JSON Expressions Page Page Page Page Advanced Expressions: Parsing SSL Certificates About SSL and Certificate Expressions Prefixes for Text-Based SSL and Certificate Data Prefixes for Numeric Data in SSL Certificates Expressions for SSL Certificates Page Page Page Page Page Advanced Expressions: IP and MAC Addresses, Throughput, VLAN IDs Expressions for IP Addresses and IP Subnets Prefixes for IPV4 Addresses and IP Subnets Operations for IPV4 Addresses About IPv6 Expressions Operations on IPV4 Addresses Expression Prefixes for IPv6 Addresses Operations for IPV6 Prefixes The following table describes operations on IPv6 IP addresses: Operations That Evaluate IPv6 Addresses IPv6 Expression Prefixes that Return Text Expressions for MAC Addresses Prefixes for MAC Addresses Operations for MAC Addresses Expressions for Numeric Client and Server Data Page Advanced Expressions: String Sets, String Patterns, and Data Formats Matching Text With Strings in a Set Note: The patterns in a pattern set can be regular expressions in PCRE format. Operators That Use a Pattern Set Operators That Compare Text and HTTP Headers With a Pattern Set Configuring a Pattern Set Page Page Page Matching Text With a Pattern Basic Characteristics of Regular Expressions Operations for Regular Expressions The following table describes operations that use regular expressions. Page Page Transforming Text and Numbers into Different Data Types The following table describes various typecasting operations. Page Page Page Page Page Page Page Page Page Page Page Page Advanced Policies: Controlling the Rate of Traffic About Policies that Monitor the Traffic Rate Expressions for Controlling the Traffic Rate Configuring Policies That Control the Traffic Rate Advanced Policies: Sending HTTP Service Callouts to Applications About Calling Out to an External Application About HTTP Callout Policies Note on the Format of an HTTP Request Note on the Format of an HTTP Response Configuring an HTTP Callout Policy Elements in an HTTP Callout Policy 1. In the left navigation pane, expand AppExpert, and then click HTTP Callouts. Elements in an HTTP Callout Policy Page For parameter descriptions, see the table, Elements in an HTTP Callout Policy, on page 188: Where: At a NetScaler command prompt, type: Invoking an HTTP Callout Policy If the return type is NUM, the following expression is valid: Notes on Invoking a Callout Page Page Configuring Classic Policies and Expressions Where Classic Policies Are Used Page Policy Type and Bind Points for Policies in Features That Use Classic Policies Viewing Classic Policies Configuring a Classic Policy Page Configuring a Classic Expression Page Page Page Binding a Classic Policy Page Creating Named Classic Expressions Page Expressions Reference Advanced Expressions Page Page Page Page Requests and Responses, on page 67 Page Page Page Page Page Page Page Classic Expressions Operators General Expressions Page Page Client Security Expressions Network-Based Expressions Date/Time Expressions File System Expressions Page Note: File system expressions do not support regular expressions. Built-In Named Expressions (General) Page Page Built-In Named Expressions (Anti-Virus) Built-In Named Expressions (Personal Firewall) Built-In Named Expressions (Client Security) A PPENDIX B Summary Examples of Advanced Expressions and Policies Page Page Page Page Page Page Page Tutorial Examples of Advanced Policies for Rewrite Redirecting an External URL to an Internal URL Page Redirecting a Query Redirecting HTTP to HTTPS Removing Unwanted Headers Reducing Web Server Redirects Masking the Server Header Page A D Tutorial Examples of Classic Policies Access Gateway Policy to Check for a Valid Client Certificate Application Firewall Policy to Protect a Shopping Cart Application Page Page Application Firewall Policy to Protect Scripted Web Pages DNS Policy to Drop Packets from Specific IPs SSL Policy to Require Valid Client Certificates Page A E Migration of Apache mod_rewrite Rules to Advanced Policies Converting URL Variations into Canonical URLs Converting Host Name Variations to Canonical Host Names Moving a Document Root Moving Home Directories to a New Web Server Working with Structured Home Directories Redirecting Invalid URLs to Other Web Servers 264 Citrix NetScaler Policy Configuration and Reference Guide NetScaler solution for redirection if a URL is wrong (method 2) Rewriting a URL Based on Time Apache mod_rewrite solution for rewriting a URL based on the time NetScaler solution for rewriting a URL based on the time Redirecting to a New File Name (Invisible to the User) Redirecting to New File Name (User-Visible URL) Accommodating Browser Dependent Content Blocking Access by Robots Blocking Access to Inline Images Creating Extensionless Links Page Redirecting a Working URI to a New Format Ensuring That a Secure Server Is Used for Selected Pages Apache mod_rewrite solution NetScaler solution using regular expressions NetScaler solution using pattern sets Page A F New Advanced Expression Operators in This Release Operators for Extracting and Evaluating Numeric Data Operators for Extracting and Evaluating Text The following operators have been introduced for extracting and evaluating text. New Operators for Extracting and Evaluating Numeric Data New Operators for Evaluating Text Operators for Extracting and Evaluating HTTP Data Operators for the CLIENT and ipv6 Expression Prefixes XPath and JSON Operators for Evaluating XML and JSON Data The following operators have been introduced for evaluating XML and JSON text. Operators for Evaluating Groups to Which a User Belongs XPath and JSON Operators for Evaluating XML and JSON Text Operators for Evaluating Groups to Which a User Belongs Index A B C Page D E Page F G H I L M N O P Page Q R S T U