integrating cleafy with citrix netscaler · cleafy integration to citrix netscaler install guide...

of 24 /24
Integrating Cleafy with Citrix NetScaler

Author: others

Post on 22-Jul-2020

7 views

Category:

Documents


0 download

Embed Size (px)

TRANSCRIPT

  • Integrating Cleafy with Citrix NetScaler

  • 2

    Cleafy Integration to Citrix NetScaler Install Guide

    Table of Contents Integrating Cleafy with Citrix NetScaler .......................................................................................... 1

    Scope ............................................................................................................................................ 3Supported releases ...................................................................................................................... 3Prerequisites ................................................................................................................................ 3

    Introduction ...................................................................................................................................... 4Reference Architecture ................................................................................................................... 5Sizing Guidelines .............................................................................................................................. 6Installation script .............................................................................................................................. 7

    Configuration Parameters ........................................................................................................... 7Integrating Cleafy DETECT .............................................................................................................. 8

    Integration flow ............................................................................................................................ 8Install commands ......................................................................................................................... 8

    NS Variables ............................................................................................................................. 8NS Assignments ....................................................................................................................... 9HTTP Callouts ........................................................................................................................... 9Rewrite Policies and Actions ................................................................................................. 10Virtual Servers ......................................................................................................................... 11Context Switching .................................................................................................................. 13

    Cleafy PROTECT ............................................................................................................................. 14Integration flow .......................................................................................................................... 14Install commands ....................................................................................................................... 14

    HTTP Callouts ......................................................................................................................... 14Rewrite Policies and Actions ................................................................................................. 15Virtual Servers ........................................................................................................................ 15

    Appendix A – Install script for Cleafy DETECT ............................................................................. 16Appendix B – Install script for Cleafy DETECT and PROTECT .................................................... 20

  • 3

    Cleafy Integration to Citrix NetScaler Install Guide

    Scope This document describes how to integrate Cleafy with Citrix NetScaler solutions to leverage Cleafy advanced threat detection and protection capabilities in a NetScaler environment.

    Supported releases Cleafy 4.x versions support the following Citrix NetScaler families:

    • NetScaler VPX • NetScaler MPX • NetScaler SDX • NetScaler CDX

    The integration has been certified and validated as Citrix Ready with both version 10.5E and later, including 11.0 and 12.0.

    Prerequisites The only prerequisite is represented by a working installation of a supported version of the Citrix NetScaler families. Of course, a working installation of Cleafy with valid license is also required. It is also assumed that both Citrix NetScaler and Cleafy need to be correctly sized for the expected amount of traffic generated for the managed applications once the respective application perimeters are defined.

  • 4

    Cleafy Integration to Citrix NetScaler Install Guide

    Introduction The Cleafy integration with NetScaler is based on the possibility to switch requests between the original application to be managed and the Cleafy application and more importantly on the ability to modify request and response flows thanks to Rewrite Policies and HTTP Callouts. Please refer to Cleafy Installation guide for understanding the general integration mechanisms with Application Delivery Controllers (ADCs) and reading a detailed description of the expected sequence flows. Notice that the actual configuration of the integration between Cleafy and Citrix NetScaler may vary based on both the architecture of the specific application to be managed by Cleafy and on the original configuration of Citrix NetScaler. Therefore, in the rest of this document, a reference implementation is described which can be easily adapted to any other specific implementation.

  • 5

    Cleafy Integration to Citrix NetScaler Install Guide

    Reference Architecture The integration architecture requires configuring several NetScaler components, including Context Switching and Load Balancing components, and defining several NetScaler constructs, including Rewrite Actions and HTTP Callouts. Please refer to Citrix on-line documentation (e.g. for version 12: https://docs.citrix.com/en-us/netscaler/12/getting-started-with-netscaler.html) to get started with NetScaler concepts. The following figure represent a NetScaler architecture with the required components and constructs required to have a single application (named ProBank in the following) managed by Cleafy.

    Fig. 1: Reference architecture of the Cleafy and Citrix NetScaler integration

    For simplicity reasons, this reference architecture only shows only one server defined both for the Virtual Server associated to the ProBank application and for the Cleafy applications. Of course, the number of servers configured for either of these applications is likely to be larger, in a specific installation based on different criteria (e.g. for scaling reasons). The configuration can be easily extended by adding more server to the appropriate Virtual Service, as no specific configuration is required to implement the Cleafy integration to to NetScaler. Also notice that since a single Cleafy implementation usually manages more than one application, some of these components and constructs defined in the following need to be replicated to manage multiple applications, as it will be clear once their role in the reference architecture will described in the following.

  • 6

    Cleafy Integration to Citrix NetScaler Install Guide

    Sizing Guidelines NetScaler needs to be correctly sized for the expected amount of traffic generated once Cleafy is configured for the applications of interest and the required application perimeters. Because Cleafy generates additional traffic both inside the ADC and between the client and the Cleafy engine via the ADC, the integrated NetScaler may need to be resized accordingly (both in terms of resources and required licenses). The increase may vary depending on several factors, including the defined application perimeter (i.e. which pages are being monitored). An educated guess for Cleafy implementation where only a limited perimeter is monitored, typically ranges from 15% (DETECT only) to 30% upward (both DETECT and PROTECT). The additional bandwidth required by Cleafy DETECT is determined by two key factors: i) all events (both HTTP requests and responses, XHR/API calls) being logged; ii) the rendered DOM and other environmental info being (asynchronously) sent back for each response event. For a monitored page, the multiplying factor with respect to the already consumed bandwidth can be estimated as about 2.5 (i.e. a 150% increase in bandwidth) of the source code. For PROTECT these numbers may need to be doubled. Notice that this theoretical increase needs to be adjusted considering that: iii) only non-static resources are monitored; iv) at least initially only selected pages are monitored and v) protection is typically only applied selectively (e.g. on endpoint, sessions and users detected as infected). All these factors are difficult to evaluate the general case. For example, the contribute from iii) depends on whether caching mechanisms or CDN being in place. In a scenario where the first two parameters can be estimated respectively as 50% and 20%, the additional increase in bandwidth could be estimated starting from 15% for Cleafy DETECT, and 30% for (a full) Cleafy PROTECT.

  • 7

    Cleafy Integration to Citrix NetScaler Install Guide

    Installation script Installing the Cleafy integration with Citrix NetScaler requires executing a set of NetScaler commands. All these commands required by the integration can be issued either from the command line interface or from the NetScaler Console. In the following they are introduced in an order that helps explaining them, while the appendixes at the end of this document provides the full integration script where they are listed in the expected execution order. Notice that all IP addresses (and ports) in the following (and in the install script in the appendixes) need to be replaced with those referring to the specific environment which is being implemented. As described in the following section, there are other Cleafy-related configuration parameters that also need to be changed.

    Configuration Parameters When configuring the NetScaler environment to implement the Cleafy integration, that there some key configuration parameters (described in the following table) than need to be set to values aligned to the Cleafy configuration. To facilitate their identification in the different contexts, these parameters are highlighted in the sample commands listed below.

    Parameter Sample value Recommended value

    URL prefix for Cleafy incoming

    calls

    “cleafy” (used in several contexts: NS Assignment, Rewrite Rule, Context Switching

    Policy)

    The actual value should reflect the Cleafy configuration (INGESTION PATH PREFIX) and be application specific. Notice: it is suggested to use a keyword that resembles the name of the managed app (e.g. “probank01”) to avoid exposing any reference to Cleafy.

    Access Token for Cleafy

    incoming calls

    “cleafycitrix” (used in the HTTP Callout

    context)

    The actual value should reflect the Cleafy configuration (INGESTION ACCESS TOKEN). This parameter is configured when adding a new application to the environment (please refer to the Cleafy manuals).

    FQDN of the managed

    application

    “app.citrix.test” (used in the HTTP Callout

    context)

    The actual value should represent the FQDN of the managed application.

    Context Switching,

    Virtual Server and server

    names and IP addresses

    “probank”, “probank_vs” (managed application),

    “ceafy_vs” (Cleafy application) and all IP Addresses referenced

    These will differ from what indicated in the sample commands – so there are also highlighted to facilitate their replacement

  • 8

    Cleafy Integration to Citrix NetScaler Install Guide

    Integrating Cleafy DETECT This chapter describes the NetScaler configuration required for leveraging Cleafy DETECT capabilities, while the following chapter describes how to modify this integration to also get the Cleafy PROTECT capabilities implemented.

    Integration flow The following picture illustrates the integration flow for Cleafy DETECT.

    Fig. 2: Flow diagram for Cleafy DETECT

    Install commands Notice that is assumed that this integration is implemented on top of the Cleafy DETECT. All commands are documented in Appendix A at the end of the document.

    NS Variables

    The integration requires 7 NS Variables to be defined. These NS Variables are used by the corresponding NS Assignments to store values of the Session ID, Event ID, Browser ID, Request Header, Request Body, Timestamp and Cleafy-injected script. Their values are taken (or set) from an application request and used by Rewrite Policies to change the application response as required. The following commands can be used to define these NS Variables: add ns variable sid_var -type "text(512)" -scope transaction -comment "SID variable per transaction" add ns variable bid_var -type "text(512)" -scope transaction -comment "BID variable per transaction"

  • 9

    Cleafy Integration to Citrix NetScaler Install Guide

    add ns variable eid_var -type "text(512)" -scope transaction -comment "Event ID variable per transaction" add ns variable req_header -type "text(50000)" -scope transaction -comment "Req Header full Dump" add ns variable req_body -type "text(50000)" -scope transaction -comment "Req Body full Dump" add ns variable time_var -type "text(20)" -scope transaction -comment "Request timedate" add ns variable script_var -type "text(1024)" -scope transaction -comment "Injected Cleafy Script"

    NS Assignments

    The integration requires 8 NS Assignments to be defined. These NS Assignments are used to retrieve and set the value of the Session ID and the Browser ID, and to set the values of the Event ID, Request Header, Timestamp and Cleafy-injected Script. The NS Assignments for Session ID and Browser ID are defined so that the values of their associated NS Variables are either taken from the associated request cookie or are generated by using a unique ID based on the request. The following commands defining these NS Assignments: add ns assignment Set_REQ_Header -variable "$req_header" -set "HTTP.REQ.FULL_HEADER.PREFIX(HTTP.REQ.FULL_HEADER.LENGTH - 4)" add ns assignment Set_REQ_Body -variable "$req_body" -set "HTTP.REQ.BODY(5000)" add ns assignment Get_BID_from_Cookie -variable "$bid_var" -set "HTTP.REQ.COOKIE.VALUE(\"bid\")" add ns assignment Set_BID_var -variable "$bid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Get_SID_from_Cookie -variable "$sid_var" -set "HTTP.REQ.COOKIE.VALUE(\"sid\")" add ns assignment Set_SID_var -variable "$sid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_EID_var -variable "$eid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_TIME_var -variable "$time_var" -set "SYS.TIME.YEAR + \"-\" + SYS.TIME.MONTH + \"-\" + SYS.TIME.DAY + \"T\" + SYS.TIME.HOURS + \":\" + SYS.TIME.MINUTES + \":\" + SYS.TIME.SECONDS + \"Z\"" add ns assignment Set_Script_var -variable "$script_var" -set "\"\""

    All definitions of NS Assignments do not require to be changed as they reflect the general logic of Cleafy integration with NetScaler. The only exception is represented by the value “cleafy” in the expression associated to “Set_Script_var” that need to be changed to the INGESTION PATH PREFIX configured in the Cleafy configuration for the managed application.

    HTTP Callouts

    The integration requires an HTTP Callout to be defined for the Virtual Server associated to the Cleafy application to ensure that all (asynchronous) calls to Cleafy services are correctly executed. As already mentioned, since a Cleafy implementation can manage multiple applications, an HTTP Callout definition for each managed application will need to be defined.

  • 10

    Cleafy Integration to Citrix NetScaler Install Guide

    The sample command defining this HTTP Callout is: add policy httpCallout send_hitlog -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/in/\" + $eid_var +\"/10.105.158.127/cleafycitrix/hitlog\"" -bodyExpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.B64ENCODE + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \"|\" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.B64ENCODE + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultExpr TRUE set policy httpCallout send_hitlog -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/in/\" + $eid_var +\"/10.105.158.127/cleafycitrix/hitlog\"" -bodyExpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.B64ENCODE + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \"|\" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.B64ENCODE + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultExpr TRUE

    In these commands, the value 10.105.158.127 in URL Stem Expression needs to be replaced by the FQDN or IP Address of the managed application while the value “cleafycitrix” needs to be replaced by the access token configured in the Cleafy implementation for the managed application. It is also suggested to replace the value 10.105.158.127 the Host Expression by the FQDN of the managed application, even if the specific value for this field is irrelevant for the Cleafy integration.

    Rewrite Policies and Actions

    The integration requires several Rewrite Policies/Actions (both for HTTP requests and for HTTP responses) to be defined for the Virtual Server defined associated to the managed application and a single Rewrite Policy/Action (for HTTP requests, while none is required for HTTP responses) defined for the Virtual Server associated to the Cleafy application. The following commands can be used for defining the Rewrite Actions and Policies for the Virtual Server associated to the Cleafy application: add rewrite action req_act_removeCleafyPath replace HTTP.REQ.URL "\"/\" + HTTP.REQ.URL.PATH_AND_QUERY.STRIP_START_CHARS(\"/cleafy/\")" add rewrite policy req_pol_removeCleafyPath "HTTP.REQ.URL.STARTSWITH(\"/cleafy\")" req_act_removeCleafyPath

    The URL fragment “cleafy” in both this Rewrite Action and Rewrite Policy should be changed to reflect the Cleafy configuration (i.e. the INGESTION PATH PREFIX), as they take care of removing of the Cleafy ingestion path prefix from the URLs, thus making calls received by Cleafy the same in every Cleafy implementation. The following commands can be used for defining the Rewrite Actions for the Virtual Server associated to the managed application: add rewrite action req_act_replaceHttpVer replace HTTP.REQ.VERSION "\"HTTP/1.0\"" add rewrite action req_act_insertConnKalive insert_http_header Connection "\"Keep- Alive\"" add rewrite action req_act_removeAcceptEncoding delete_http_header Accept-Encoding add rewrite action Set-BID-Cookie insert_http_header Set-Cookie "\"bid=\" + $bid_var + \";expires=\" + SYS.TIME.ADD(86400).TYPECAST_TIME_AT + \";path=/;\""

  • 11

    Cleafy Integration to Citrix NetScaler Install Guide

    add rewrite action Set-SID-Cookie insert_http_header Set-Cookie "\"sid=\" + $sid_var + \";expires=\" + SYS.TIME.ADD(1200).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Inject_Script insert_before_all "HTTP.RES.BODY(9999999).SET_TEXT_MODE(ignorecase)" "$script_var" -search "regex(re~~)" add rewrite action Insert-EID-Header insert_http_header uniqueid "$eid_var"

    Most of the Rewrite Actions are used to set all the different IDs. A specific Rewrite Action Inject_Script is used to inject the Cleafy script by rewriting the fragment “” with the NS Variable containing the Cleafy script at the end of the response, which also takes care of restoring “” (see definition of the corresponding NS Assignment). The following commands can be used to define the corresponding Rewrite Policies for the Virtual Server associated to the managed application: add rewrite policy req_pol_insertConnHeader TRUE req_act_insertConnKalive add rewrite policy req_pol_removeAcceptEncoding TRUE req_act_removeAcceptEncoding add rewrite policy req_pol_replaceHttpVer TRUE req_act_replaceHttpVer add rewrite policy Policy-Rewrite-Set-TIME-var TRUE Set_TIME_var add rewrite policy Policy-Rewrite-Set_EID_var TRUE Set_EID_var add rewrite policy Policy-Rewrite-Set_SID_var TRUE Set_SID_var add rewrite policy Policy-Rewrite-Set_BID_var TRUE Set_BID_var add rewrite policy Policy-Rewrite-Get_BID_Cookie "HTTP.REQ.COOKIE.VALUE(\"bid\").LENGTH >4" Get_BID_from_Cookie add rewrite policy Policy-Rewrite-Get_SID_Cookie "HTTP.REQ.COOKIE.VALUE(\"sid\").LENGTH >4" Get_SID_from_Cookie add rewrite policy Policy-Rewrite-Set-REQ-Header TRUE Set_REQ_Header add rewrite policy Policy-Rewrite-Set-REQ-Body TRUE Set_REQ_Body add rewrite policy Policy-Rewrite-Set-Script-var TRUE Set_Script_var add rewrite policy Policy-Rewrite-Insert-EID-Header TRUE Insert-EID-Header add rewrite policy Policy-Rewrite-Set_BID_Cookie "$bid_var.EQ(\"\").NOT" Set-BID-Cookie add rewrite policy Policy-Rewrite-Set_SID_Cookie "$sid_var.EQ(\"\").NOT" Set-SID-Cookie add rewrite policy Policy-Rewrite-Inject-Script "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\")" Inject_Script add rewrite policy Policy-Rewrite-Send-LOG "(HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\") || HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/json\") || HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/xml\")) && SYS.NON_BLOCKING_HTTP_CALLOUT(send_hitlog)" NOREWRITE NOREWRITE

    All definitions of Rewrite Actions and Rewrite Policies should not be changed as they reflect the general logic of Cleafy integration with an ADC.

    Virtual Servers

    As indicated in the reference architecture, two Virtual Servers need be defined: one for the ProBank application to be managed and another for the Cleafy application. For simplicity sake only one server is associate to each Virtual Servers. The following commands can be used to define the defined servers are: add service probank_server1 10.105.158.131 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO add service cleafy_server1 10.105.158.142 HTTP 9091 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

  • 12

    Cleafy Integration to Citrix NetScaler Install Guide

    Notice that here the HTTP port associated to Cleafy is expected to be the standard value 9091 associated to Cleafy ingestion APIs, so it has not been highlighted as a potential value to be changed. The following commands can be used to define these Virtual Servers: add lb vserver probank_vs HTTP 192.168.158.123 80 -persistenceType NONE -cookieName testingsid -cltTimeout 180 add lb vserver cleafy_vs HTTP 192.168.158.124 80 -persistenceType NONE -cltTimeout 180

    The following commands can be used to define the binding between the defined servers (only two in the simplified reference architecture) and Virtual Servers: bind lb vserver probank_vs probank_server1 bind lb vserver cleafy_vs cleafy_server1

    The following commands can be used to define the binding between Rewrite Policies (both for HTTP Requests and HTTP Responses) and the Virtual Server associated to the managed application: bind lb vserver probank_vs -policyName Policy-Rewrite-Set-TIME-var -priority 130 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_EID_var -priority 140 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_SID_var -priority 150 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_BID_var -priority 160 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Get_SID_Cookie -priority 170 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Get_BID_Cookie -priority 180 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-REQ-Header -priority 190 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-REQ-Body -priority 195 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-Script-var -priority 200 -gotoPriorityExpression END -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_SID_Cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Set_BID_Cookie -priority 110 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Insert-EID-Header -priority 115 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Inject-Script -priority 120 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Send-LOG -priority 130 -gotoPriorityExpression END -type RESPONSE

    The following command can be used to define the binding between Rewrite Policies (only 1) and the Virtual Server associated to the Cleafy application: bind lb vserver cleafy_vs -policyName req_pol_removeCleafyPath -priority 100 -gotoPriorityExpression END -type REQUEST

  • 13

    Cleafy Integration to Citrix NetScaler Install Guide

    Context Switching

    As indicated in the reference architecture (Figure 1), a Context Switching component should be configured to manage the traffic directed to the application to be managed by Cleafy from the traffic directed to the Cleafy application (its associated virtual server). Since a Cleafy implementation can manage multiple applications, the Context Switching commands need to be replicated for each managed application. The sample command defining the Context Switching is: add cs vserver probank HTTP 10.105.158.127 80 -cltTimeout 180

    The sample commands defining the required Context Switching Policy and Action are: add cs action To_Cleafy -targetLBVserver cleafy_vs add cs policy Traffic_to_cleafy -rule "HTTP.REQ.URL.STARTSWITH(\"/cleafy/\")" -action To_Cleafy

    As already noted, in the string “cleafy” the Context Switching Policy needs to changed to reflect the Cleafy configuration (i.e. the configured INGESTION PATH PREFIX). The sample commands defining the binding between Context Switching and defined Context Switching Policy and Action are: bind cs vserver probank -policyName Traffic_to_cleafy -priority 100 bind cs vserver probank -lbvserver probank_vs

  • 14

    Cleafy Integration to Citrix NetScaler Install Guide

    Cleafy PROTECT This chapter describes the NetScaler configuration required for leveraging Cleafy PROTECT capabilities.

    Integration flow The following picture illustrates the integration flow required by Cleafy PROTECT. This picture also clarifies the high-level idea of Cleafy PROTECT of first delivering a secured “container”, before delivering the content originally requested so that it can be safely executed in this “container” (which is unwraps it in its place). For more details about Cleafy PROTECT please refer to the Cleafy documentation.

    Fig. 3: Flow diagram for Cleafy PROTECT when integrated with

    Install commands Notice that is assumed that this integration is implemented on top of the Cleafy DETECT. The full set of commands required by Cleafy DETECT and PROTECT are documented in Appendix B at the end of the document.

    HTTP Callouts

    The integration requires two HTTP Callouts to be defined for the Virtual Server associated to the Cleafy application to request a Cleafy “container” and. As already mentioned, since a Cleafy implementation can manage multiple applications, an HTTP Callout definition for each managed application will need to be defined. The sample commands defining these HTTP Callouts are:

  • 15

    Cleafy Integration to Citrix NetScaler Install Guide

    add policy httpCallout get_box_container -vServer cleafy_vs -returnType TEXT -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/container/\"" -scheme http -resultExpr "HTTP.RES.BODY(999999)" set policy httpCallout get_box_container -vServer cleafy_vs -returnType TEXT -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/container/\"" -scheme http -resultExpr "HTTP.RES.BODY(999999)" add policy httpCallout save_page_to_protect -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/\"" -bodyExpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultExpr TRUE set policy httpCallout save_page_to_protect -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/\"" -bodyExpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultExpr TRUE

    Rewrite Policies and Actions

    The integration requires some Rewrite Policies/Actions (for HTTP responses) to be defined for the Virtual Server defined associated to the managed application. The following commands can be used for defining the Rewrite Actions for the Virtual Server associated to the managed application: add rewrite action Replace_with_Container replace "HTTP.RES.BODY(999999)" "SYS.HTTP_CALLOUT(get_box_container)"

    The following commands can be used to define the corresponding Rewrite Policies for the Virtual Server associated to the managed application: add rewrite policy Policy_Replace_with_Container "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\")" Replace_with_Container add rewrite policy Policy_Save_Page "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\") && SYS.HTTP_CALLOUT(save_page_to_protect)" NOREWRITE NOREWRITE

    Virtual Servers

    The following commands can be used for defining the Rewrite Actions for the Virtual Server associated to the managed application: bind lb vserver probank_vs -policyName Policy_Save_Page -priority 150 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy_Replace_with_Container -priority 160 -gotoPriorityExpression END -type RESPONSE

    Notice that in case the NetScaler configuration has been already implemented to support Cleafy DETECT, the following binding needs to be re-created with NEXT as go-to expression (in place of END): bind lb vserver probank_vs -policyName Policy-Rewrite-Send-LOG -priority 130 -gotoPriorityExpression NEXT -type RESPONSE

  • 16

    Cleafy Integration to Citrix NetScaler Install Guide

    Appendix A – Install script for Cleafy DETECT For convenience sake, the following lists all commands for the integration of Cleafy DETECT in the reference architecture. Since they are listed so as to take into account dependencies among the defined constructs, so the following can be directly used as install script (once the appropriate values are set for the specific environment of interest). ########################################## # Cleafy integration to Citrix NetScaler # ########################################## # Architecture disclaimer # # Content Switch: 10.105.158.127 # Cleafy Virtual Server: 10.105.158.124 # App Virtual Server: 10.105.158.123 # Cleafy Server: 10.105.158.131 # App Server: 10.105.158.142 # # Cleafy Ingestion Access Token: cleafycitrix # Cleafy Application FQDN: 10.105.158.127 # Cleafy Ingestion Post URI: cleafy # # ###################################### # # # Server Pools # add service probank_server1 10.105.158.131 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO add service cleafy_server1 10.105.158.142 HTTP 9091 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO # # Virtual Servers # add lb vserver probank_vs HTTP 10.105.158.123 80 -persistenceType NONE -cltTimeout 180 add lb vserver cleafy_vs HTTP 10.105.158.124 80 -persistenceType NONE -cltTimeout 180 # # Bind Server Pools to Virtual Servers # bind lb vserver probank_vs probank_server1 bind lb vserver cleafy_vs cleafy_server1 # # Context Switching # add cs vserver probank HTTP 10.105.158.127 80 -cltTimeout 180 # # Switching Actions # add cs action To_Cleafy -targetLBVserver cleafy_vs # # Switching Policies

  • 17

    Cleafy Integration to Citrix NetScaler Install Guide

    # add cs policy Traffic_to_cleafy -rule "HTTP.REQ.URL.STARTSWITH(\"/cleafy/\")" -action To_Cleafy bind cs vserver probank -policyName Traffic_to_cleafy -priority 100 bind cs vserver probank -lbvserver probank_vs # # Rewrite Action and Policy # add rewrite action req_act_removeCleafyPath replace HTTP.REQ.URL "\"/\" + HTTP.REQ.URL.PATH_AND_QUERY.STRIP_START_CHARS(\"/cleafy/\")" add rewrite policy req_pol_removeCleafyPath "HTTP.REQ.URL.STARTSWITH(\"/cleafy\")" req_act_removeCleafyPath bind lb vserver cleafy_vs -policyName req_pol_removeCleafyPath -priority 100 -gotoPriorityExpression END -type REQUEST # add rewrite action req_act_replaceHttpVer replace HTTP.REQ.VERSION "\"HTTP/1.0\"" add rewrite action req_act_insertConnKalive insert_http_header Connection "\"Keep- Alive\"" add rewrite action req_act_removeAcceptEncoding delete_http_header Accept-Encoding # add rewrite policy req_pol_insertConnHeader TRUE req_act_insertConnKalive add rewrite policy req_pol_removeAcceptEncoding TRUE req_act_removeAcceptEncoding add rewrite policy req_pol_replaceHttpVer TRUE req_act_replaceHttpVer # bind lb vserver probank_vs -policyName req_pol_insertConnHeader -priority 100 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName req_pol_replaceHttpVer -priority 110 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName req_pol_removeAcceptEncoding -priority 120 -gotoPriorityExpression NEXT -type REQUEST # # NS Variables # add ns variable sid_var -type "text(512)" -scope transaction -comment "SID variable per transaction" add ns variable bid_var -type "text(512)" -scope transaction -comment "BID variable per transaction" add ns variable eid_var -type "text(512)" -scope transaction -comment "Event ID variable per transaction" add ns variable req_header -type "text(50000)" -scope transaction -comment "Req Header full Dump" add ns variable req_body -type "text(50000)" -scope transaction -comment "Req Body full Dump" add ns variable time_var -type "text(20)" -scope transaction -comment "Request timedate" add ns variable script_var -type "text(1024)" -scope transaction -comment "Injected Cleafy Script" # # NS Assignements # add ns assignment Set_REQ_Header -variable "$req_header" -set "HTTP.REQ.FULL_HEADER.PREFIX(HTTP.REQ.FULL_HEADER.LENGTH - 4)" add ns assignment Set_REQ_Body -variable "$req_body" -set "HTTP.REQ.BODY(5000)" add ns assignment Get_BID_from_Cookie -variable "$bid_var" -set "HTTP.REQ.COOKIE.VALUE(\"bid\")"

  • 18

    Cleafy Integration to Citrix NetScaler Install Guide

    add ns assignment Set_BID_var -variable "$bid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Get_SID_from_Cookie -variable "$sid_var" -set "HTTP.REQ.COOKIE.VALUE(\"sid\")" add ns assignment Set_SID_var -variable "$sid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_EID_var -variable "$eid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_TIME_var -variable "$time_var" -set "SYS.TIME.YEAR + \"-\" + SYS.TIME.MONTH + \"-\" + SYS.TIME.DAY + \"T\" + SYS.TIME.HOURS + \":\" + SYS.TIME.MINUTES + \":\" + SYS.TIME.SECONDS + \"Z\"" add ns assignment Set_Script_var -variable "$script_var" -set "\"\"" # # HTTP Callout # add policy httpCallout send_hitlog -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/in/\" + $eid_var +\"/10.105.158.127/cleafycitrix/hitlog\"" -bodyExpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.B64ENCODE + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \"|\" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.B64ENCODE + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultExpr TRUE # set policy httpCallout send_hitlog -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/in/\" + $eid_var +\"/10.105.158.127/cleafycitrix/hitlog\"" -bodyExpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.B64ENCODE + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \"|\" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.B64ENCODE + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultExpr TRUE # # Rewrite Actions # add rewrite action Set-BID-Cookie insert_http_header Set-Cookie "\"bid=\" + $bid_var + \";expires=\" + SYS.TIME.ADD(86400).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Set-SID-Cookie insert_http_header Set-Cookie "\"sid=\" + $sid_var + \";expires=\" + SYS.TIME.ADD(1200).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Inject_Script insert_before_all "HTTP.RES.BODY(9999999).SET_TEXT_MODE(ignorecase)" "$script_var" -search "regex(re~~)" add rewrite action Insert-EID-Header insert_http_header uniqueid "$eid_var" # # Rewrite Policies # add rewrite policy Policy-Rewrite-Set-TIME-var TRUE Set_TIME_var add rewrite policy Policy-Rewrite-Set_EID_var TRUE Set_EID_var add rewrite policy Policy-Rewrite-Set_SID_var TRUE Set_SID_var add rewrite policy Policy-Rewrite-Set_BID_var TRUE Set_BID_var add rewrite policy Policy-Rewrite-Get_BID_Cookie "HTTP.REQ.COOKIE.VALUE(\"bid\").LENGTH >4" Get_BID_from_Cookie

  • 19

    Cleafy Integration to Citrix NetScaler Install Guide

    add rewrite policy Policy-Rewrite-Get_SID_Cookie "HTTP.REQ.COOKIE.VALUE(\"sid\").LENGTH >4" Get_SID_from_Cookie add rewrite policy Policy-Rewrite-Set-REQ-Header TRUE Set_REQ_Header add rewrite policy Policy-Rewrite-Set-REQ-Body TRUE Set_REQ_Body add rewrite policy Policy-Rewrite-Set-Script-var TRUE Set_Script_var add rewrite policy Policy-Rewrite-Insert-EID-Header TRUE Insert-EID-Header # add rewrite policy Policy-Rewrite-Set_BID_Cookie "$bid_var.EQ(\"\").NOT" Set-BID-Cookie add rewrite policy Policy-Rewrite-Set_SID_Cookie "$sid_var.EQ(\"\").NOT" Set-SID-Cookie add rewrite policy Policy-Rewrite-Inject-Script "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\")" Inject_Script add rewrite policy Policy-Rewrite-Send-LOG "(HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\") || HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/json\") || HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/xml\")) && SYS.NON_BLOCKING_HTTP_CALLOUT(send_hitlog)" NOREWRITE NOREWRITE # # Bind Rewirte Policies to Virtual Servers # bind lb vserver probank_vs -policyName Policy-Rewrite-Set-TIME-var -priority 130 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_EID_var -priority 140 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_SID_var -priority 150 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_BID_var -priority 160 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Get_SID_Cookie -priority 170 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Get_BID_Cookie -priority 180 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-REQ-Header -priority 190 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-REQ-Body -priority 195 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-Script-var -priority 200 -gotoPriorityExpression END -type REQUEST # bind lb vserver probank_vs -policyName Policy-Rewrite-Set_SID_Cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Set_BID_Cookie -priority 110 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Insert-EID-Header -priority 115 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Inject-Script -priority 120 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Send-LOG -priority 130 -gotoPriorityExpression END -type RESPONSE # # END

    Please remember to delete first any pre-existing definition of these constructs before issuing these commands to get their configuration updated. Alternatively, a direct editing from the NetScaler Console is also an option.

  • 20

    Cleafy Integration to Citrix NetScaler Install Guide

    Appendix B – Install script for Cleafy DETECT and PROTECT For convenience sake, the following lists all commands for the integration of Cleafy DETECT and PROTECT in the reference architecture. Since they are listed so as to take into account dependencies among the defined constructs, so the following can be directly used as install script (once the appropriate values are set for the specific environment of interest). ########################################## # Cleafy integration to Citrix NetScaler # ########################################## # Architecture disclaimer # # Content Switch: 10.105.158.127 # Cleafy Virtual Server: 10.105.158.124 # App Virtual Server: 10.105.158.123 # Cleafy Server: 10.105.158.131 # App Server: 10.105.158.142 # # Cleafy Ingestion Access Token: cleafycitrix # Cleafy Application FQDN: 10.105.158.127 # Cleafy Ingestion Post URI: cleafy # # ###################################### # # # Server Pools # add service probank_server1 10.105.158.131 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO add service cleafy_server1 10.105.158.142 HTTP 9091 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO # # Virtual Servers # add lb vserver probank_vs HTTP 10.105.158.123 80 -persistenceType NONE -cltTimeout 180 add lb vserver cleafy_vs HTTP 10.105.158.124 80 -persistenceType NONE -cltTimeout 180 # # Bind Server Pools to Virtual Servers # bind lb vserver probank_vs probank_server1 bind lb vserver cleafy_vs cleafy_server1 # # Context Switching # add cs vserver probank HTTP 10.105.158.127 80 -cltTimeout 180 # # Switching Actions # add cs action To_Cleafy -targetLBVserver cleafy_vs # # Switching Policies

  • 21

    Cleafy Integration to Citrix NetScaler Install Guide

    # add cs policy Traffic_to_cleafy -rule "HTTP.REQ.URL.STARTSWITH(\"/cleafy/\")" -action To_Cleafy bind cs vserver probank -policyName Traffic_to_cleafy -priority 100 bind cs vserver probank -lbvserver probank_vs # # Rewrite Action and Policy # add rewrite action req_act_removeCleafyPath replace HTTP.REQ.URL "\"/\" + HTTP.REQ.URL.PATH_AND_QUERY.STRIP_START_CHARS(\"/cleafy/\")" add rewrite policy req_pol_removeCleafyPath "HTTP.REQ.URL.STARTSWITH(\"/cleafy\")" req_act_removeCleafyPath bind lb vserver cleafy_vs -policyName req_pol_removeCleafyPath -priority 100 -gotoPriorityExpression END -type REQUEST # add rewrite action req_act_replaceHttpVer replace HTTP.REQ.VERSION "\"HTTP/1.0\"" add rewrite action req_act_insertConnKalive insert_http_header Connection "\"Keep- Alive\"" add rewrite action req_act_removeAcceptEncoding delete_http_header Accept-Encoding # add rewrite policy req_pol_insertConnHeader TRUE req_act_insertConnKalive add rewrite policy req_pol_removeAcceptEncoding TRUE req_act_removeAcceptEncoding add rewrite policy req_pol_replaceHttpVer TRUE req_act_replaceHttpVer # bind lb vserver probank_vs -policyName req_pol_insertConnHeader -priority 100 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName req_pol_replaceHttpVer -priority 110 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName req_pol_removeAcceptEncoding -priority 120 -gotoPriorityExpression NEXT -type REQUEST # # NS Variables # add ns variable sid_var -type "text(512)" -scope transaction -comment "SID variable per transaction" add ns variable bid_var -type "text(512)" -scope transaction -comment "BID variable per transaction" add ns variable eid_var -type "text(512)" -scope transaction -comment "Event ID variable per transaction" add ns variable req_header -type "text(50000)" -scope transaction -comment "Req Header full Dump" add ns variable req_body -type "text(50000)" -scope transaction -comment "Req Body full Dump" add ns variable time_var -type "text(20)" -scope transaction -comment "Request timedate" add ns variable script_var -type "text(1024)" -scope transaction -comment "Injected Cleafy Script" # # NS Assignements # add ns assignment Set_REQ_Header -variable "$req_header" -set "HTTP.REQ.FULL_HEADER.PREFIX(HTTP.REQ.FULL_HEADER.LENGTH - 4)" add ns assignment Set_REQ_Body -variable "$req_body" -set "HTTP.REQ.BODY(5000)" add ns assignment Get_BID_from_Cookie -variable "$bid_var" -set "HTTP.REQ.COOKIE.VALUE(\"bid\")"

  • 22

    Cleafy Integration to Citrix NetScaler Install Guide

    add ns assignment Set_BID_var -variable "$bid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Get_SID_from_Cookie -variable "$sid_var" -set "HTTP.REQ.COOKIE.VALUE(\"sid\")" add ns assignment Set_SID_var -variable "$sid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_EID_var -variable "$eid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_TIME_var -variable "$time_var" -set "SYS.TIME.YEAR + \"-\" + SYS.TIME.MONTH + \"-\" + SYS.TIME.DAY + \"T\" + SYS.TIME.HOURS + \":\" + SYS.TIME.MINUTES + \":\" + SYS.TIME.SECONDS + \"Z\"" add ns assignment Set_Script_var -variable "$script_var" -set "\"\"" # # HTTP Callout # add policy httpCallout send_hitlog -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/in/\" + $eid_var +\"/10.105.158.127/cleafycitrix/hitlog\"" -bodyExpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.B64ENCODE + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \"|\" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.B64ENCODE + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultExpr TRUE set policy httpCallout send_hitlog -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/in/\" + $eid_var +\"/10.105.158.127/cleafycitrix/hitlog\"" -bodyExpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.B64ENCODE + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \"|\" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.B64ENCODE + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultExpr TRUE # add policy httpCallout get_box_container -vServer cleafy_vs -returnType TEXT -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/container/\"" -scheme http -resultExpr "HTTP.RES.BODY(999999)" set policy httpCallout get_box_container -vServer cleafy_vs -returnType TEXT -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/container/\"" -scheme http -resultExpr "HTTP.RES.BODY(999999)" # set policy httpCallout save_page_to_protect -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/\"" -bodyExpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultExpr TRUE add policy httpCallout save_page_to_protect -vServer cleafy_vs -returnType BOOL -httpMethod POST -hostExpr "\"10.105.158.127\"" -urlStemExpr "\"/b/\" + $eid_var +\"/10.105.158.127/cleafycitrix/\"" -bodyExpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultExpr TRUE # # Rewrite Actions # add rewrite action Set-BID-Cookie insert_http_header Set-Cookie "\"bid=\" + $bid_var + \";expires=\" + SYS.TIME.ADD(86400).TYPECAST_TIME_AT + \";path=/;\""

  • 23

    Cleafy Integration to Citrix NetScaler Install Guide

    add rewrite action Set-SID-Cookie insert_http_header Set-Cookie "\"sid=\" + $sid_var + \";expires=\" + SYS.TIME.ADD(1200).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Inject_Script insert_before_all "HTTP.RES.BODY(9999999).SET_TEXT_MODE(ignorecase)" "$script_var" -search "regex(re~~)" add rewrite action Insert-EID-Header insert_http_header uniqueid "$eid_var" add rewrite action Replace_with_Container replace "HTTP.RES.BODY(999999)" "SYS.HTTP_CALLOUT(get_box_container)" # # Rewrite Policies # add rewrite policy Policy-Rewrite-Set-TIME-var TRUE Set_TIME_var add rewrite policy Policy-Rewrite-Set_EID_var TRUE Set_EID_var add rewrite policy Policy-Rewrite-Set_SID_var TRUE Set_SID_var add rewrite policy Policy-Rewrite-Set_BID_var TRUE Set_BID_var add rewrite policy Policy-Rewrite-Get_BID_Cookie "HTTP.REQ.COOKIE.VALUE(\"bid\").LENGTH >4" Get_BID_from_Cookie add rewrite policy Policy-Rewrite-Get_SID_Cookie "HTTP.REQ.COOKIE.VALUE(\"sid\").LENGTH >4" Get_SID_from_Cookie add rewrite policy Policy-Rewrite-Set-REQ-Header TRUE Set_REQ_Header add rewrite policy Policy-Rewrite-Set-REQ-Body TRUE Set_REQ_Body add rewrite policy Policy-Rewrite-Set-Script-var TRUE Set_Script_var add rewrite policy Policy-Rewrite-Insert-EID-Header TRUE Insert-EID-Header # add rewrite policy Policy-Rewrite-Set_BID_Cookie "$bid_var.EQ(\"\").NOT" Set-BID-Cookie add rewrite policy Policy-Rewrite-Set_SID_Cookie "$sid_var.EQ(\"\").NOT" Set-SID-Cookie add rewrite policy Policy-Rewrite-Inject-Script "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\")" Inject_Script add rewrite policy Policy-Rewrite-Send-LOG "(HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\") || HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/json\") || HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/xml\")) && SYS.NON_BLOCKING_HTTP_CALLOUT(send_hitlog)" NOREWRITE NOREWRITE add rewrite policy Policy_Replace_with_Container "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\")" Replace_with_Container add rewrite policy Policy_Save_Page "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\") && SYS.HTTP_CALLOUT(save_page_to_protect)" NOREWRITE NOREWRITE # # Bind Rewirte Policies to Virtual Servers # bind lb vserver probank_vs -policyName Policy-Rewrite-Set-TIME-var -priority 130 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_EID_var -priority 140 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_SID_var -priority 150 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set_BID_var -priority 160 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Get_SID_Cookie -priority 170 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Get_BID_Cookie -priority 180 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-REQ-Header -priority 190 -gotoPriorityExpression NEXT -type REQUEST bind lb vserver probank_vs -policyName Policy-Rewrite-Set-REQ-Body -priority 195 -gotoPriorityExpression NEXT -type REQUEST

  • 24

    Cleafy Integration to Citrix NetScaler Install Guide

    bind lb vserver probank_vs -policyName Policy-Rewrite-Set-Script-var -priority 200 -gotoPriorityExpression END -type REQUEST # bind lb vserver probank_vs -policyName Policy-Rewrite-Set_SID_Cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Set_BID_Cookie -priority 110 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Insert-EID-Header -priority 115 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Inject-Script -priority 120 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy-Rewrite-Send-LOG -priority 130 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy_Save_Page -priority 150 -gotoPriorityExpression NEXT -type RESPONSE bind lb vserver probank_vs -policyName Policy_Replace_with_Container -priority 160 -gotoPriorityExpression END -type RESPONSE # # END

    Please remember to delete first any pre-existing definition of these constructs before issuing these commands to get their configuration updated. Alternatively, a direct editing from the NetScaler Console is also an option.