Citrix NetScaler Policy Configuration and Reference Guide
Citrix NetScaler
Copyright and Trademark Notice
Contents
Chapter
Contents
Converting Text to Hexadecimal Format
Citrix NetScaler Policy Configuration and Reference Guide
Contents Vii
Accommodating Browser Dependent Content
Blocking Access by Robots
Blocking Access to Inline Images
Reducing Web Server Redirects
Preface
About This Guide
Citrix NetScaler Policy Configuration and Reference Guide
Preface
New in This Release
Audience
Convention Meaning Boldface
Formatting Conventions
Formatting Conventions
To view the documentation
Getting Service and Support
Related Documentation
Documentation Feedback
To provide feedback from the Knowledge Center home
Introduction to Policies Expressions
Advanced and Classic Policies
Benefits of Using Advanced Policies
Basic Components of an Advanced or a Classic Policy
How Different NetScaler Features Use Policies
NetScaler Feature, Policy Type, and Policy Usage
Chapter Introduction to Policies and Expressions
DNS
Authorization policies authorize users
Authorization
Associated cache server
AAA Traffic Classic
Access Classic
Authorization policies, however, can be
About Actions and Profiles
Functions
Use of Actions and Profiles in Different NetScaler Features
Feature Use of an Action Use of a Profile
Pre-Authentication. Uses
Authorization. Uses Allow
About Policy Bindings
Server
About Evaluation Order of Policies
About Advanced Expressions
Advanced and Classic Expressions
Order of Evaluation Based on Traffic Flow
About Classic Expressions
Before You Proceed
Chapter
Citrix NetScaler Policy Configuration and Reference Guide
Configuring Advanced Policies
Argument Specifies
Creating or Modifying an Advanced Policy
Advanced-Policy Parameters
Policy Configuration Examples
Following is an example of a Rewrite policy and action
Binding Advanced Policies
Feature-Specific Differences in Policy Bindings
Feature-Specific Bindings for Advanced Policies
Policies Global default Responder function Policy label
NetScalers integrated
Provide rules for modifying
Address of the incoming
Bind Points and Order of Evaluation
Entries in a Policy Bank
Advanced Policy Evaluation Across Features
Chapter Configuring Advanced Policies
Optional
Evaluation Order Within a Policy Bank
Format of Each Entry in a Policy Bank
How Policy Evaluation Ends
Example
How Features Use Actions After Policy Evaluation
Binding a Policy Globally
Details pane, click Feature Name policy manager
Binding a Policy to a Virtual Server
Unbinding an Advanced Policy
Displaying Policy Bindings
Unbind responder global policyName
Creating Policy Labels
Creating a Policy Label
To create a policy label by using the configuration utility
Configuring a Policy Label or Virtual Server Policy Bank
Binding a Policy to a Policy Label
Entries in a Policy Bank
Attribute Description
Configuring a Policy Label
Example
Choices are Integrated Caching, Rewrite, or Responder
Configuring a Policy Bank for a Virtual Server
Configure Virtual Server dialog box click the Policies tab
Chapter Configuring Advanced Policies
At the NetScaler command prompt, for the Responder, type
Configuring and Binding Policies with the Policy Manager
Click Regenerate Priorities
To remove unused policies by using the Policy Manager
Citrix NetScaler Policy Configuration and Reference Guide
Configuring Advanced Expressions Getting Started
Expression Characteristics
Basic Elements of an Advanced Expression
Prefixes
Http.res.header.myheader
Feature Types of Expression Prefix Used in the Feature
Features Content Switching
Single-Element Expressions
Operations
Operation Determines whether or not
Basic Operations on Expression Prefixes
Basic Operations for Expressions
Basic Types of Operations
Configuring Advanced Expressions Getting Started
Compound Advanced Expressions
Booleans in Compound Expressions
Parentheses in Compound Expressions
Compound Operations for Strings
String-Based Operations for Compound Advanced Expressions
Logical operations on strings
Compound Operations for Numbers
Arithmetic Operations for Compound Advanced Expressions
Num % num
Expression on the right
Returns 12 binary
Result of applying the ~ operator is -11 a binary 1110011
Binary 1100 and numeric.expression2 returns 10 binary
Whole expression evaluates to 8 binary
Right-side number argument number of bits
Following example assumes that numeric.expression1 returns
Number .ADD
Integer Value Following is an example
Number .SUB
Integer Number value Following is an example
Number .LE
Integer Integer argument Following is an example
Number .LT
Binary value of 10 is 1010, and the result of applying
Result of applying the Bitneg operator is -11 a binary
1110011, 32 bits total with all ones to the left
Expression as an argument rather than an integer
Assumes that numeric.expression returns 12 binary
Bitxor operator to the entire expression is 6 binary
Caret performs a similar function to BITXOR, but takes
Another expression as an argument rather than an integer
Number.LSHIFT
Number.RSHIFT
Double .ADDi
Value represented by double
Parameters
Double .GEi
Value represented by double is greater than or equal to
Double .GTi
Value represented by double is greater than the argument
Configuring Advanced Expressions in a Policy
Classic Expressions in Advanced Expressions
Following is an example of configuring a caching policy
HTTP.REQ.BODY1000.BETWEENthis,that
Configuring Named Advanced Expressions
Click Advanced Expressions
Chapter
Citrix NetScaler Policy Configuration and Reference Guide
Advanced Expressions Evaluating Text
About Text Expressions
About Operations on Text
Chapter Advanced Expressions Evaluating Text
Compounding and Precedence in Text Expressions
Categories of Text Expressions
Guidelines for Text Expressions
Expression Prefixes for Text
Expression Prefixes for Text in Http Requests and Responses
Http Expression Prefixes that Return Text
Prefix Description
Returns the domain name part of the host name. For
Myhost.com8080, the domain is myhost.com
Returns incorrect results if the host name has an IP
Address. For information on expressions for IP
URL
LISTT,. IGNOREEMPTYELEMENTS.COUNT
LISTT,.COUNT
HTTP.REQ.USER.EXTERNALGROUPS
HTTP.REQ.USER.GROUPS
Returns a list of internal groups to which the user
For example, the following expression returns a
User belongs
HTTP.REQ.USER.INTERNALGROUPS
Group
Default value of 80 or 443 for Https connections
Returns the Http version listed in the request
Returns a portion of the Http response body.
Integer argument
Expression Prefixes for VPNs and Clientless
VPN and Clientless VPN Expression Prefixes that Return Text
VPN and Clientless VPN Description Expression
By default, is not considered an empty element
When evaluating this header
Evaluates the server portion of the host name
Extracts a slash- / separated list from the path
Extracts a name-value list, using the =
Evaluates the protocol in the URL
Delimiters from the query string in a URL
This method ignores the empty elements in a
Hostname
Ignores empty elements in a list. For example, if
List delimiter is a comma , the following list
Has an empty element following a=10
Evaluating this header
Ignores empty elements in a name-value list. For
Example, the following list contains an empty
Element after a=10
As another example, consider the following http
Results in Boolean True if the host name
Is case insensitive
Following expression returns True
Evaluates the server part of the host name
This method ignores the empty elements in a list
For example, if the delimiter in a list is ,
Entry a=10
Consider the following header
Example, the following list uses a semicolon
Preceding example, the element following
=11 is not considered an empty element
Evaluating the same header
Operations on Text
Basic Operations on Text
Basic Operations on Text
Returns a Boolean True value if the target contains
Operations for Calculating the Length of a String
Operations for Controlling Case Sensitivity
Operations on Case Sensitivity of Text
Basic Text Operation Description
Complex Operations on Text
Operations on the Length of a String
Operations on Strings Based on a Character Count
Case Operation Description
Operations on a Portion of a String
Basic Operations on a Portion of a String
Character Count Operation Description
Object of 0 length
Returns a Boolean True value if the length of the text
Object is greater than or equal to the sum starting string
Matches starting string, and if the suffix of the target
Matches ending string
Converting Text to a Hash Value
Operation Description
Operator Description
Base64 encoding algorithm
Applying the Base64 decoding algorithm. The operation
Raises an Undef if text is not in B64-encoded format
Converting Text to Hexadecimal Format
Citrix NetScaler Policy Configuration and Reference Guide
Advanced Expressions Working with Dates, Times, and Numbers
Format of Dates and Times in an Expression
Dates and Times in a Rewrite Action
Expressions for the NetScaler System Time
Expressions that Return NetScaler System Dates and Times
NetScaler Time Description Operation
Advanced Expressions Working with Dates, Times, and Numbers
Scheduled reboot, and returns an integer
Is equal to the time argument
Sys.time.leGMT 2006 True in this example
False depending on the current timezone
Expressions for SSL Certificate Dates
Time2
SSL Certificate Operation Description
True
For example, if the current time is GMT 2005 May
10h 15m 30s, and it is the first Sunday of the month
You can specify the following evaluation results for
This example are in parentheses
Closest boot time is in the past, the integer is
Extracts the last hour that the certificate is valid
Returns a Boolean True if the time precedes or is
Equal to the time argument
System time and the specified time and returns an
If it is in the future, the integer is positive
Extracts the last weekday that the certificate is valid
To give the weekday in the time value
Returns a Boolean True if the time value is between
Time1, time2 arguments. Both the time1, time2
Arguments must be fully specified
LOCAL, and time2 must be bigger than time1
Returns a Boolean True if the time is greater than
After or equal to the time argument
Results are in parentheses
Returns a Boolean True if the time occurs after
Extracts the last minute that the certificate is valid
Returns the current month as an integer from
Returns the number of seconds between the current
NetScaler system time and the specified time as an
Extracts the last second that the certificate is valid
Returns the current second as an integer from 0 to
6 Saturday
Element of time from time2, it is assumed to have
Expressions for Http Request and Response Dates
Prefixes That Evaluate Http Date Headers
111
Citrix NetScaler Policy Configuration and Reference Guide
Advanced Expressions Parsing HTTP, TCP, and UDP Data
About Evaluating Http and TCP Payload
About Evaluating the Payload Body
Expressions for Http Headers
115
Http Header Prefix Description
Prefixes for Http Headers
Prefixes That Extract Http Headers
Advanced Expressions Parsing HTTP, TCP, and UDP Data
Returns the value of Path field of the cookie
As a slash- / separated list. Multiple
First instance is returned
For example, the following is a cookie with
Returns the value of Port field of the cookie
Operate as a comma-separated list
From Set-Cookie Customer =
ABC PATH=/a/b/c PORT= 80
Returns the value of the Domain field
First cookie with the specified name. For
Example, the following expression returns a
DOMAIN=.xyz.com
Named cookie as a , separated list. For
From the cookie Set-Cookie Customer
Operations for Http Headers
Operations That Evaluate Http Headers
Returns the value of Version field of the nth
Header type exists
Any instance of the header value
Following is an example of request with two headers
Following returns a Boolean True
Does not concatenate the different values
STR string
Instance to the first
Following is an example of a request
Following extracts the string def from the last
Or a response. This operation returns the header that
Occurs instance number of places before the final
Used in bidirectional policies
Instance number argument cannot exceed
Prefixes for Cache-Control Headers
Operations for Cache-Control Headers
Prefixes That Extract Cache-Control Headers
Cannot exceed
Http Header Operation Description
Operations That Evaluate Cache-Control Headers
127
Has the value Min-Fresh
Has the value Max-Stale
Has the value Must-Revalidate
Has the value No-Transform
Expressions for Extracting Segments of URLs
Expressions for Numeric Http Payload Data Other Than Dates
Prefixes That Extract URLs
Prefixes That Evaluate Http Request or Response Length
URL Prefix Description
Html or XML Operation Description
Operations That Evaluate Html and XML Encoding
Returns the response status code
Where xx is a hex-based representation
Specifies how to treat the plus character +.
Converts unsafe URL characters to %xx values
Read-only operation
With the character Y where XXX represents
Where the colon is the Ascii equivalent
Decoded to http//, where the colon is
Where WW and XX represent two distinct
GET Operation Description
Expressions for TCP, UDP, and Vlan Data
Prefixes that Extract TCP and UDP Data
Enables locating the domain name that is
MX mail exchanger. This DNS record describes
Domain and the priority for each server
NS. This is a name server record that includes a
XPath and Json Expressions
XPath and Json Expression Prefixes that Return Text
Or a string. Node-sets are converted to
XPath string conversion routine
File Book creator person Namename , titletitle
Json file and returns a Boolean True if
For example, consider the following Json
That are enclosed by /Book a node-set
First 1000 bytes of the body of the Json
File and returns the corresponding string
MARKUPxp%/Book/creator%
Text.XPATHWITH
Bytes of the body
Citrix NetScaler Policy Configuration and Reference Guide
Advanced Expressions Parsing SSL Certificates
About SSL and Certificate Expressions
Prefixes for Text-Based SSL and Certificate Data
Returns the SSL client certificate in the current
SSL transaction
SSL cryptographic cipher is exportable
Advanced Expressions Parsing SSL Certificates
Prefixes for Numeric Data in SSL Certificates
Expressions for SSL Certificates
Issuer in the certificate as a name-value list. An
Based on the preceding Issuer definition
Returns a Boolean True if the client has an SSL
Returns the Distinguished Name DN
Returns the Issuer Distinguished Name
An Authority Key Identifier extension
Certificate as a name-value list. An equals sign
= is the delimiter for the name and the value
False
CLIENT.SSL.CLIENTCERT.ISSUER
IGNOREEMPTYELEMENTS.COUNT
Citrix NetScaler Policy Configuration and Reference Guide
Expressions for IP Addresses and IP Subnets
Prefixes for IPV4 Addresses and IP Subnets
Operations for IPV4 Addresses
Prefixes That Evaluate IP and MAC Addresses
Operations on IPV4 Addresses
About IPv6 Expressions
Qual1.qual2.qual3.qual4.qual5.qual6
Expression Prefixes for IPv6 Addresses
IPv6 Expression Prefixes that Return Text
IP header
Returns the IPv6 address in the source field of the IP
IPv6 Operation Description
Operations for IPV6 Prefixes
Operations That Evaluate IPv6 Addresses
Expressions for MAC Addresses
Prefixes for MAC Addresses
Operations for MAC Addresses
Prefixes That Evaluate MAC Addresses
155
Expressions for Numeric Client and Server Data
Prefixes That Evaluate Numeric Client and Server Data
Citrix NetScaler Policy Configuration and Reference Guide
Matching Text With Strings in a Set
Operators That Use a Pattern Set
Matching Operators Description
Patternsetname
To patternsetname
Name
Setname
Configuring a Pattern Set
161
At a NetScaler command prompt, type
163
Add policy patset myPatSet
Matching Text With a Pattern
165
Basic Characteristics of Regular Expressions
Operations for Regular Expressions
Selects text that precedes the string that matches
Regular expression argument. If the regular
From text/plain
Expression does not match any text in the target
Regular Expression Operation Description
Settextmodeignorecase
Insensitive, multi-line match, where the dot
Text following the string that matches
Header value. The header instances are matched
From the last to the first
Following example selects NS-CACHE-9.0
Transforming Text and Numbers into Different Data Types
First
Typecasting Operations
If the current text mode is Ignorecase and you specify
Are ignored
As the delimiter, an uppercase P is not treated as a
Delimiter
Hostname path? query, and the text mode is set to
Urlencoded by default
Treats a numeric string like an IP address
For example, the following policy matches Http requests
Following policy extracts a numeric portion of a query
String, adds 4 to the number, and inserts an Http header
For example, this policy would extract 4444 from
Following Http response header
HTTP.REQ.COOKIE.TYPECASTHTTPHEADERT
HTTP.REQ.SETCOOKIE
HTTP.REQ.COOKIE.TYPECASTHTTPHEADER
Converts the designated text to a multi-line Http header
That you specify in a name argument
For example, the following expression converts
MyHeader to InHeader
Betweengmt 2004, GMT 2006 True
Time value argument t
Eqgmt 2005 True
Eqgmt 2005 Dec False
EQLocal 2005 May True or FALSE, depending on
Gtgmt 2004 True
Gtgmt 2005 Jan True
GTLocal 2005 May True or FALSE, depending on
Gtgmt 8h True
Legmt 2006 True
Legmt 2005 Dec True
LELocal 2005 May True or FALSE, depending on
Legmt 8h False
Most recent reboot or the number of seconds to the next
Time is in the future scheduled reboot time, the integer is
Value as an integer that ranges from 0 to
Value as an integer that ranges from 1 January to
Time1 and time2
Double to an integer
Extracts the year from the current system time and returns
Transforms the double-precision number represented by
Expressions for Controlling the Traffic Rate
Advanced Policies Controlling Rate of Traffic
About Policies that Monitor the Traffic Rate
Configuring Policies That Control the Traffic Rate
Chapter
About Calling Out to an External Application
About Http Callout Policies
Following is an example of a response
187
Parameter Specifies
Configuring an Http Callout Policy
Elements in an Http Callout Policy
Attribute-based Http Method httpMethod
Server mutually
Expression that derives the value. Examples
URL stem expression urlStemExpr
Example, if you configure a return type of text, the result
Expression to 8191 characters
NetScaler does not check the validity of this request. You
Must manually validate the request
191
To modify a callout policy using the NetScaler command line
Examples
To delete a callout policy using the NetScaler command line
To view a callout policy using the NetScaler command line
Invoking an Http Callout Policy
193
If the return type is NUM, the following expression is valid
195
Citrix NetScaler Policy Configuration and Reference Guide
Configuring Classic Policies Expressions
Where Classic Policies Are Used
Http
Configuring Classic Policies and Expressions
Auditing of user access
Viewing Classic Policies
Click Policies
Configuring a Classic Policy
201
At the command line, type
To create a classic policy using the NetScaler command line
Configuring a Classic Expression
203
REQ.IP.SOURCEIP == 200.0.0.0 -netmask
205
Flow Type.protocol.qualifier.operator.value.header Name
Binding a Classic Policy
207
Configure Virtual Server dialog box, click the Policies tab
Creating Named Classic Expressions
209
Citrix NetScaler Policy Configuration and Reference Guide
Expression Prefix Descriptions
Expressions Reference
Advanced Expressions
Citrix NetScaler Policy Configuration and Reference Guide
Appendix a Expressions Reference
Operates on the Vlan through which the current
Expression Prefixes for Text in Http
Ignores spaces in the data. See the table Http
Appendix a Expressions Reference 217
Obtains the Expires field of the cookie as a date
Appendix a Expressions Reference 219
SERVER.INTERFACE.ID.EQLA/1
Appendix a Expressions Reference 221
VPNs, on
Ignores spaces in the data. For an example, see
Appendix a Expressions Reference 223
Expression Element Definition
Classic Expressions
Operators
General Expressions
Appendix a Expressions Reference 225
REQ.SSL.CLIENT.CERT.ISSUER
REQ.HTTP.URLQUERYLEN
REQ.SSL
REQ.SSL.CLIENT.CERT
Appendix a Expressions Reference 227
Actual Expression Definition
Client Security Expressions
Expression Element
Expression Definition
Network-Based Expressions
Appendix a Expressions Reference 229
Date/Time Expressions
File System Expressions
Time
Date
Appendix a Expressions Reference 231
Built-In Named Expressions General
Appendix a Expressions Reference 233
Always returns a value of False
Nstrue Nsurlpathbin
Nsfarclient
Nsmsexcel Nsmsie Nsmsppt Nsmsword
Appendix a Expressions Reference 235
Built-InNamed Expressions Anti-Virus
Built-InNamed Expressions Personal Firewall
Any version of Norton Internet Security
Built-InNamed Expressions Client Security
Expression Definition Norton Internet Security
Expression Type Sample Expressions
Summary Examples of Advanced Expressions and Policies
Examples of Advanced Expressions
Content-Type header
Look for a particular file type in an
Http request based on the file
Extension
Examples of Advanced Expressions and Policies
Purpose Example
To https// in all URLs
This policy uses
Responder functionality
Modify a URL to redirect
Through unchanged
Limit the number
Check the client IP
NS-Client header
Remove old headers from
Request and insert an
Request, insert an
NS-Client header,
Then modify the insert
Header action so that
Citrix NetScaler Policy Configuration and Reference Guide
Tutorial Examples of Advanced Policies for Rewrite
Redirecting an External URL to an Internal URL
Bind the policy globally
Redirecting a Query
Redirecting Http to Https
Appendix C
247
Removing Unwanted Headers
249
Reducing Web Server Redirects
Masking the Server Header
Add rewrite policy polmask-server true actmask-server
Tutorial Examples of Classic Policies
Citrix NetScaler Policy Configuration and Reference Guide
Appendix D Tutorial Examples of Classic Policies 253
REQ.HTTP.HEADER URL Contains string
Application Firewall Policy to Protect Scripted Web Pages
Appendix D Tutorial Examples of Classic Policies 255
DNS Policy to Drop Packets from Specific IPs
SSL Policy to Require Valid Client Certificates
Add dns policy polddosdrop
Citrix NetScaler Policy Configuration and Reference Guide
Migration of Apache modrewrite Rules to Advanced Policies
Apache modrewrite solution for converting a URL
NetScaler solution for converting a URL
Converting URL Variations into Canonical URLs
Converting Host Name Variations to Canonical Host Names
Apache modrewrite solution for moving the document root
NetScaler solution for moving the document root
Moving a Document Root
Appendix E
Moving Home Directories to a New Web Server
Working with Structured Home Directories
Apache modrewrite solution for structured home directories
NetScaler solution for structured home directories
NetScaler solution for redirection if a URL is wrong method
Redirecting Invalid URLs to Other Web Servers
NetScaler solution for rewriting a URL based on the time
Rewriting a URL Based on Time
265
Redirecting to a New File Name Invisible to the User
Redirecting to New File Name User-Visible URL
Accommodating Browser Dependent Content
Apache modrewrite solution for browser-specific settings
Blocking Access by Robots
267
Creating Extensionless Links
Blocking Access to Inline Images
NetScaler solution for blocking access to an inline image
269
NetScaler policy for adding a .php extension to all requests
Apache modrewrite solution
Redirecting a Working URI to a New Format
NetScaler solution
NetScaler solution using regular expressions
NetScaler solution using pattern sets
Ensuring That a Secure Server Is Used for Selected Pages
Bind patset pat1 page4 Bind patset pat1 page5
New Advanced Expression Operators in This Release
Operators for Extracting and Evaluating Numeric Data
New Operators for Extracting and Evaluating Numeric Data
Number.TYPECASTIPADDRESSAT
Operators Operation
Operators for Extracting and Evaluating Text
New Operators for Evaluating Text
Operators for Extracting and Evaluating Http Data
Operators for the Client and ipv6 Expression Prefixes
New Operators for Extracting and Evaluating Http data
Operators for Client and ipv6 Expression Prefixes
XPath and Json Operators for Evaluating XML and Json Data
Operators for Evaluating Groups to Which a User Belongs
XPath and Json Operators for Evaluating XML and Json Text
Operators for Evaluating Groups to Which a User Belongs
Index
Introduction to 224 migration to advanced
Index 279
RES.VLANID
CLIENT.ETHER.DSTMAC
Index
HTTP.RES.SETCOOKIE2.COOKIEname, i
Omain 82 VPN.CLIENTLESSHOSTURL.HOSTNAME.E
Authkeyid
Citrix NetScaler Policy Configuration and Reference Guide
Index
Useinvocationresult
VPN 65 Character 57 ? character
Citrix NetScaler Policy Configuration and Reference Guide
