Creating Citrix NetScaler Policies with AppExpert

Upload: sevita

Post on 22-Feb-2016


© 2007 Citrix Systems, Inc. — All rights reserved

Agenda

NetScaler for Traffic Management

Demo: Policies 1-2-3

AppExpert Policy Framework


Why NetScaler? Web Application Delivery Challenges

• Remote Users Further Away from Apps

• Apps Moved into Fewer Centralized Datacenters

• Web Protocols Extremely “Chatty”

• Increased Security Requirements

Solutions Must Span Two Worlds

Application Traffic: XML...SOAP...HTTP...WSDL...JSON...REST...RSS...AJAX...end-user experience...Mashup...RelTag...SOA...Application Availability...Data theft...RIA...Wiki...Enterprise 2.0

Network Traffic: MAC address...Source IP...Destination IP...Source port...Destination port...Ping...OSPF...RIP...BGP...ACL...DNS...Subnet...802.XX...ARP...ICMP...RTT...SYN...ACK...Keepalive...SNMP...SSH...SSL...MTBF...Latency...

Diagram labels: Users, Apps; Router, Switch, Firewall; AppExpert Policy Framework

Why AppExpert?

• Traffic Management on the NetScaler is handled by policies

• AppExpert Visual Policy Builder provides an easy, flexible interface to write and apply policies

• All NetScaler feature sets can be controlled via policies

• And writing policies with AppExpert on the NetScaler is so easy that…

Code-Monkeys need NOT apply


1) Receive + terminate requests

2) Decrypt / authenticate / analyze requests

3) Apply policy + dispatch valid requests

4) Multiplex over persistent connections

AppExpert Policy Engine

Diagram labels: Users, Application 1, Application 2

What NetScaler Features use Policies?

Feature Sets

• Content Switching (CS)
• Compression (CMP)
• Content Filtering (CF)
• Integrated Caching (IC)
• Responder
• URL Rewrite
• Cache Redirection (CR)
• Priority Queuing (PQ)
• SureConnect (SC)
• SSL VPN
• …and more

AppExpert Policy Framework is designed to help you…

• Define application-aware policy expressions

• Logically combine multiple policy expressions

• And increase power and flexibility by providing policy execution structure and flow control

Diagram labels: Policy Expressions, Compound Expressions, Policy Banks

Defining AppExpert Policy Engine Elements

• Actions

• Expressions

• Policies and Policy Banks

AppExpert NetScaler Policies

• NetScaler Traffic Management is controlled using policies
  • For example, a compression policy defines conditions for compressing content

• A policy consists of an expression and an action

Diagram labels: POLICY, containing EXPRESSION and ACTION

What are Policy Actions?

Actions are owned by individual feature sets

• For example, an action that is configurable in the responder module is different from an action configurable in the rewrite module

• The individual feature set has to ensure that the respective actions are applied when there is a policy match

Understanding Actions

• Actions can be predefined or customizable (using expression syntax)

• Actions cannot depend on results of other actions

• All actions are applied at the end of the policy evaluation process

• For example: A single HTTP header cannot be modified by multiple actions – if you insert a new header “my-header” you cannot then change the name of the header to “my-new-header”.

What Are Expressions?

• An expression is the most fundamental component of a policy.

• Expressions are a common pool of conditions that can be applied to content entering the Citrix NetScaler system
  • For example: source IP address or browser type

• Expressions can be "named" or "inline"

What Are Expressions?

• Policy expression syntax is universal and shared among NetScaler features

• Expressions are referenced as a rule by NetScaler feature sets

• Expressions can be unary or compound

• The expression (or condition that is evaluated) does not change the content, but the configured action can change the content

GUI - Policy Expressions


Writing Expressions using AppExpert Visual Expression Builder

Advanced vs. Classic Expression Syntax

Classic Syntax

• Policy Expressions can be named or inline

• Is not available for all feature sets

• Backwards compatible with previous versions of the NetScaler

• Easy to configure and use

Advanced Syntax

• Policy Expressions must be written inline

• Is not available for all feature sets

• Increases the processing power and flexibility of policies through the use of GOTO expressions and Policy Banks

• Easy to configure and use

Defining Top Level Objects for expressions

Advanced Syntax Starter Object    Description
CLIENT                            Provides operations on client side data
HTTP                              Operates on HTTP protocol data
SERVER                            Provides operations on server side data
SYSTEM                            Provides operations on system wide data

Classic Syntax Starter Object     Description
REQUEST                           Operates on incoming client request traffic
RESPONSE                          Operates on server response traffic

AppExpert Policy Expressions

STARTER OBJECT: CLIENT, SERVER, HTTP, SYS

PROTOCOL: ETHER, INTERFACE, IP, TCP, VLAN, REQ, RES

PROTOCOL METHOD: Varies by protocol

OPERATORS

STRUCTURED           UNSTRUCTURED
List                 After RegEx
Name-value list      Before RegEx
Date and time        After string
IP address           Before string
HTTP URL             Contains
HTTP Version         Contains any
More…                More…

Structure of Basic Expressions

• In the Policy Engine, a basic expression is a composition of object-level operations

• Basic expressions consist of a top level starter object followed by various operations or parameters

HTTP.REQ.HEADER (advanced), or REQ.HTTP.HEADER (classic)

Understanding Expression Types

Expressions can return one of the following:

• A BOOLEAN TRUE or FALSE (used in all Policy types)

Example: "HTTP.REQ.IS_VALID"

• A STRING (used in Rewrite Actions)

Example:
add rewrite action INSERT_CLIENT_IP insert_http_header "Client-ip" "CLIENT.IP.SRC"

AppExpert Visual Policy Builder

What are AppExpert Policy Banks?

• A policy bank is a bind point for a group of policies

• Each policy in a policy bank must have a priority defined
  • Every policy is evaluated in priority order
  • Two policies cannot have the same priority

• Predefined banks include:
  • Override
  • Default

AppExpert Policy Banks

• GotoExp statements
  • Policy match will trigger “jump” to another policy within the bank
  • Cannot GotoExp back (no possibility of endless loop)

• Provides structured execution and flow control
  • Performance optimization (coarse-grained policies first)
  • Deterministic execution
  • Subroutine call-like behavior

• Processing of policies within a policy bank ends when all valid policies have been processed or an END is encountered on a policy match
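The policy-bank rules above (unique priorities, evaluation in priority order, forward-only GotoExp, END on a match, actions applied only after evaluation finishes), as a simplified Python model. This is an added example, not Citrix code or NetScaler syntax; the policy names, priorities, addresses and action names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Union

END, NEXT = "END", "NEXT"  # flow-control markers used by this model only

@dataclass(frozen=True)
class Policy:
    priority: int
    name: str
    rule: Callable[[dict], bool]   # expression: inspects traffic, never changes it
    action: str                    # name of a feature-owned action
    goto: Union[int, str] = NEXT   # NEXT, END, or a higher priority to jump to

def build_bank(policies):
    """Reject banks the slides rule out; return policies in priority order."""
    bank = sorted(policies, key=lambda p: p.priority)
    priorities = [p.priority for p in bank]
    if len(set(priorities)) != len(priorities):
        raise ValueError("two policies cannot have the same priority")
    for p in bank:
        if isinstance(p.goto, int) and (p.goto <= p.priority or p.goto not in priorities):
            raise ValueError(f"{p.name}: goto must target a later policy in the bank")
    return bank

def evaluate(bank, request):
    """Walk the bank once; return the actions to apply after evaluation ends."""
    matched, i = [], 0
    while i < len(bank):
        p = bank[i]
        if p.rule(request):
            matched.append(p.action)   # deferred: nothing is modified during the walk
            if p.goto == END:
                break
            if isinstance(p.goto, int):  # forward jump only, so the loop terminates
                i = next(j for j, q in enumerate(bank) if q.priority == p.goto)
                continue
        i += 1
    return matched

# Constructed sample bank (hypothetical names and addresses, not from the slides).
TEST_NET = ip_network("10.1.1.0/24")
BANK = build_bank([
    Policy(100, "from_test_team", lambda r: ip_address(r["src_ip"]) in TEST_NET, "tag_test", goto=300),
    Policy(200, "html_url", lambda r: r["url"].endswith(".html"), "cache", goto=END),
    Policy(300, "myip_url", lambda r: r["url"] == "/myIP", "respond_with_client_ip", goto=END),
    Policy(400, "catch_all", lambda r: True, "mask_server_header"),
])
```

A request from the test network jumps past the priority-200 policy, so the order of coarse-grained policies and their goto targets decides which later policies are ever evaluated.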


Using AppExpert to Configure Policies

Configuring Policies is as easy as 1-2-3

1. Create/Identify the Feature Specific Action
2. Create the Expression and Add the Expression and Action into the Policy
3. Bind/Activate the Policy

REWRITE DEMO

In this demonstration we will configure a policy for the Rewrite Feature that will mask the backend server's software type in the HTTP traffic

1. Create the Action
NetScaler Rewrite Action

2. Create the Expression and Policy
Create the Rewrite policy by creating an expression and adding your action

3. Bind
Bind your policy

And… Test

CONTENT SWITCHING DEMO

In this demonstration we will configure policies for Content Switching that will route test traffic to a test Load Balancing VServer which performs Load Balancing for the “test-web” servers which exist within the same domain as the production web servers

1. Identify the Action
A Content Switching Action is the target Load Balancing Vserver, so first we need to create/identify which LB Vserver will be the target.

2. Create the Expression and Policy
Create the CS Policy which will identify internal testing team via IP address

3. Bind
Activate your policy on the Content Switching Server

And… Test

RESPONDER DEMO

In this demonstration we will configure a policy for Responder which will respond to a request URL with /myIP. The NetScaler will provide an auto-generated page that gives the client their IP address (this page does not exist on the backend web servers).

1. Create the Action
NetScaler Responder Action

2. Create the Expression and Policy
Create the responder policy by creating an expression and adding your action

3. Bind
Bind your policy

And… Test

INTEGRATED CACHING DEMO

In this demonstration we will configure an integrated caching request policy to cache any content that contains .html in the requested URL

1. Identify the Action
Identify the NetScaler Integrated Caching Action you will use

2. Create the Expression and Policy
Create the Integrated Caching policy by creating an expression and adding a pre-defined action

3. Bind
Activate your policy

And… Verify