Creating Citrix NetScaler Policies with AppExpert
© 2007 Citrix Systems, Inc. — All rights reserved
Agenda
NetScaler for Traffic Management
Demo: Policies 1-2-3
AppExpert Policy Framework
Why NetScaler? Web Application Delivery Challenges
• Remote Users Further Away from Apps
• Apps Moved into Fewer Centralized Datacenters
• Web Protocols Extremely “Chatty”
• Increased Security Requirements
Solutions Must Span Two Worlds
[Diagram: Users and Apps at either end, with Router, Switch and Firewall between them. Application traffic: XML, SOAP, HTTP, WSDL, JSON, REST, RSS, AJAX, end-user experience, mashup, RelTag, SOA, application availability, data theft, RIA, wiki, Enterprise 2.0. Network traffic: MAC address, source IP, destination IP, source port, destination port, ping, OSPF, RIP, BGP, ACL, DNS, subnet, 802.XX, ARP, ICMP, RTT, SYN, ACK, keepalive, SNMP, SSH, SSL, MTBF, latency. A second build of the slide shows the label AppExpert Policy Framework in place of the two traffic labels.]
Why AppExpert?
• Traffic Management on the NetScaler is handled by policies
• AppExpert Visual Policy Builder provides an easy, flexible interface to write and apply policies
• All NetScaler feature sets can be controlled via policies
• And writing policies with AppExpert on the NetScaler is so easy that…
1) Receive + terminate requests
2) Decrypt / authenticate / analyze requests
3) Apply policy + dispatch valid requests
4) Multiplex over persistent connections
[Diagram labels: Users, AppExpert Policy Engine, Application 1, Application 2]
What NetScaler Features Use Policies?
Feature Sets
• Content Switching (CS)
• Compression (CMP)
• Content Filtering (CF)
• Integrated Caching (IC)
• Responder
• URL Rewrite
• Cache Redirection (CR)
• Priority Queuing (PQ)
• SureConnect (SC)
• SSL VPN
• …and more
AppExpert Policy Framework is designed to help you…
• Define application-aware policy expressions
• Logically combine multiple policy expressions
• Increase power and flexibility by providing policy execution structure and flow control
[Diagram layers: Policy Expressions, Compound Expressions, Policy Banks]
Defining AppExpert Policy Engine Elements
• Actions
• Expressions
• Policies and Policy Banks
AppExpert NetScaler Policies
• NetScaler Traffic Management is controlled using policies
  • For example, a compression policy defines conditions for compressing content
• A policy consists of an expression and an action
[Diagram: POLICY, made up of EXPRESSION and ACTION]
What are Policy Actions?
• Actions are owned by individual feature sets
  • For example, an action that is configurable in the responder module is different from an action configurable in the rewrite module
• The individual feature set has to ensure that the respective actions are applied when there is a policy match
Understanding Actions
• Actions can be predefined or customizable (using expression syntax)
• Actions cannot depend on results of other actions
• All actions are applied at the end of the policy evaluation process
• For example: A single HTTP header cannot be modified by multiple actions. If you insert a new header “my-header”, you cannot then change the name of the header to “my-new-header”.
What Are Expressions?
• An expression is the most fundamental component of a policy.
• Expressions are a common pool of conditions that can be applied to content entering the Citrix NetScaler system
  • For example: source IP address or browser type
• Expressions can be "named" or "inline"
What Are Expressions?
• Policy expression syntax is universal and shared among NetScaler features
• Expressions are referenced as a rule by NetScaler feature sets
• Expressions can be unary or compound
• The expression (or condition that is evaluated) does not change the content, but the configured action can change the content
Writing Expressions using AppExpert Visual Expression Builder
Advanced vs. Classic Expression Syntax
Classic Syntax
• Policy Expressions can be named or inline
• Is not available for all feature sets
• Backwards compatible with previous versions of the NetScaler
• Easy to configure and use
Advanced Syntax
• Policy Expressions must be written inline
• Is not available for all feature sets
• Increases the processing power and flexibility of policies through the use of GOTO expressions and Policy Banks
• Easy to configure and use
Defining Top Level Objects for expressions
Advanced Syntax Starter Object: Description
• CLIENT: Provides operations on client side data
• HTTP: Operates on HTTP protocol data
• SERVER: Provides operations on server side data
• SYSTEM: Provides operations on system wide data
Classic Syntax Starter Object: Description
• REQUEST: Operates on incoming client request traffic
• RESPONSE: Operates on server response traffic
AppExpert Policy Expressions
• STARTER OBJECT: CLIENT, SERVER, HTTP, SYS
• PROTOCOL: ETHER, INTERFACE, IP, TCP, VLAN, REQ, RES
• PROTOCOL METHOD: Varies by protocol
• OPERATORS
  • STRUCTURED: List, Name-value list, Date and time, IP address, HTTP URL, HTTP Version, More…
  • UNSTRUCTURED: After RegEx, Before RegEx, After string, Before string, Contains, Contains any, More…
Structure of Basic Expressions
• In the Policy Engine, a basic expression is a composition of object-level operations
• Basic expressions consist of a top level starter object followed by various operations or parameters
HTTP.REQ.HEADER (advanced), or REQ.HTTP.HEADER (classic)
Understanding Expression Types
Expressions can return one of the following:
• A BOOLEAN TRUE or FALSE (used in all policy types)
  Example: "HTTP.REQ.IS_VALID"
• A STRING (used in Rewrite actions)
  Example: add rewrite action INSERT_CLIENT_IP insert_http_header "Client-ip" "CLIENT.IP.SRC"
What are AppExpert Policy Banks?
• A policy bank is a bind point for a group of policies
• Each policy in a policy bank must have a priority defined
  • Every policy is evaluated in priority order
  • Two policies cannot have the same priority
• Predefined banks include:
  • Override
  • Default
AppExpert Policy Banks
• GotoExp statements
  • Policy match will trigger “jump” to another policy within the bank
  • Cannot GotoExp back (no possibility of endless loop)
• Provides structured execution and flow control
  • Performance optimization (coarse-grained policies first)
  • Deterministic execution
  • Subroutine call-like behavior
• Processing of policies within a policy bank ends when all valid policies have been processed or an END is encountered on a policy match
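The following is an added example, not Citrix code or NetScaler syntax: a simplified Python model of the policy bank rules on these slides (unique priorities, evaluation in priority order, forward-only GotoExp, END, and actions applied only after evaluation finishes). The class, the policy names, the NEXT default and the X-Cache header are hypothetical.

```python
# Simplified model of a policy bank as the slides describe it.
# Illustrative only: not NetScaler code; all names here are hypothetical.
END, NEXT = "END", "NEXT"

class PolicyBank:
    def __init__(self):
        self.policies = {}  # priority -> (name, expression, action, goto)

    def bind(self, name, priority, expression, action, goto=NEXT):
        if priority in self.policies:
            raise ValueError(f"priority {priority} is already in use")
        if isinstance(goto, int) and goto <= priority:
            raise ValueError("GotoExp can only jump forward")
        self.policies[priority] = (name, expression, action, goto)

    def evaluate(self, request):
        """Walk the bank in priority order; return (matched names, actions)."""
        matched, pending = [], []
        order, i = sorted(self.policies), 0
        while i < len(order):
            name, expression, action, goto = self.policies[order[i]]
            i += 1
            if not expression(request):
                continue
            matched.append(name)
            pending.append(action)  # deferred until evaluation has finished
            if goto == END:
                break
            if isinstance(goto, int):  # skip every policy below the target
                while i < len(order) and order[i] < goto:
                    i += 1
        return matched, pending

def process(bank, request, headers):
    """Evaluate first, then apply every collected action to the headers."""
    matched, pending = bank.evaluate(request)
    for action in pending:
        action(headers)
    return matched, headers

def build_demo_bank():
    bank = PolicyBank()
    # Coarse-grained policy first: static content skips the finer checks.
    bank.bind("static", 10, lambda r: r["url"].startswith("/static/"),
              lambda h: h.update({"X-Cache": "yes"}), goto=100)
    bank.bind("html", 20, lambda r: ".html" in r["url"],
              lambda h: h.update({"X-Cache": "yes"}))
    bank.bind("mask_server", 100, lambda r: True,
              lambda h: h.pop("Server", None), goto=END)
    bank.bind("never_reached", 110, lambda r: True,
              lambda h: h.update({"X-Late": "1"}))
    return bank
```

Calling `process(build_demo_bank(), {"url": "/static/logo.png"}, {"Server": "Apache/2.2"})` on this constructed request matches `static`, jumps past `html` to priority 100, and stops at END, so the policy at priority 110 is never evaluated.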
Using AppExpert to Configure Policies
Configuring policies is as easy as 1-2-3:
1. Create/identify the feature-specific action
2. Create the expression and add the expression and action into the policy
3. Bind/activate the policy
REWRITE DEMO
In this demonstration we will configure a policy for the Rewrite feature that will mask the backend server's software type in the HTTP traffic.
Step 2: Create the Expression and Policy
Create the Rewrite policy by creating an expression and adding your action.
CONTENT SWITCHING DEMO
In this demonstration we will configure policies for Content Switching that will route test traffic to a test Load Balancing VServer, which performs load balancing for the “test-web” servers that exist within the same domain as the production web servers.
Step 1: Identify the Action
A Content Switching action is the target Load Balancing VServer, so first we need to create/identify which LB VServer will be the target.
Step 2: Create the Expression and Policy
Create the CS policy which will identify the internal testing team via IP address.
Step 3: Bind
Activate your policy on the Content Switching Server.
RESPONDER DEMO
In this demonstration we will configure a policy for Responder which will respond to a request URL with /myIP. The NetScaler will provide an auto-generated page that gives the client their IP address (this page does not exist on the backend web servers).
Step 2: Create the Expression and Policy
Create the responder policy by creating an expression and adding your action.
INTEGRATED CACHING DEMO
In this demonstration we will configure an integrated caching request policy to cache any content that contains .html in the requested URL.
Step 1: Identify the Action
Identify the NetScaler Integrated Caching action you will use.
Step 2: Create the Expression and Policy
Create the Integrated Caching policy by creating an expression and adding a pre-defined action.