�ݺ�ߣ

SYN504 - UNLEASHING THE POWER OF THE
NETSCALER POLICY AND EXPRESSIONS ENGINE
MAY 6 �C 4.00PM
Henrik Johansson
Twitter: @HenrikJay
Web: https://www.ngenx.com || https://henrikjay.com
Email: henrik.johansson@ngenx.com || henrik@henrikjay.com

Tweet about this session with hashtag
#SYN504 and #CitrixSynergy

CTP, CCIA and AWS certified Architect.
Director of Professional Services.
13+ years Citrix experience,17+ years IT.
NetScaler Wizard, Public Cloud, Security,
Evangelist and Speaker.
Speaker bio compressed
Henrik Johansson
Twitter: @HenrikJay

Founded in 2000, nGenx is a pioneer in cloud-based application delivery.
Throughout our history, we have always pushed the envelope with
technology while working to build bridges between all of our technology
partners, including Microsoft, Citrix, Cisco, Amazon Web Services, NetApp,
RES, Google Chrome, Dell/Compellent, Intuit and others. Working with these
partners, we have developed a dynamic set of cloud solutions.
nGenx �C White label CSP

? What is a policy
? NetScaler Policies Use cases
? Classic vs default
? RegEx intro
? Optimizing expressions
Agenda at a glance

? Policies control how a feature evaluate data and thru that determine
what action to take for the data thru the use of logical expressions.
? A policy can trigger a simple effect like DROP, nothing (NOOP) or a
complex action/chain thru profiles.
What are NetScaler policies

Expression Hierarchy
HTTP
SYS
CLIENT
SERVER
REQ
RES
URL
METHOD
BODY
HEADER
��
STATUS
BODY
DATE
HEADER
��DAY
HOUR
��
EXPR
PATH
PROTOCOL
QUERY
SUFFIX
HOSTNAME
EQ
CONTAINS
BETWEEN
SKIP
TRUNCATE
SUBSTR
REGEX_MATCH
HTTP_URL_SAFE
TYPECAST_TEXT_T
��
DST
SRC
ID
VERSION
CLIENT_CERT
��
SRCPORT
PAYLOAD()
��
DNS
SRCPORT
DSTPORT
ID
THROUGHPUT
��
SRCMAC
DSTMAC
NTIME
CLASSIC
CHECK_LIMIT
HTTP_CALLOUT
IP
VLAN
SSL
TCP
UDP
INTERFACE
ETHER
IPv6
IP
VLAN
TCP
INTERFACE
ETHER
IPv6
Analytics
SIP
MySQL
MSSQL

? Enables you to route, modify, control traffic based on:
? Phone model, browser type, OS
? Control content delivery
? Block unsecure features on certain browsers
? Can be used to trigger other policies like:
? Redirect thru responder, Rewrite,
? Example:
add responder policy RESP_BLOCK_FF_POL "HTTP.REQ.HEADER("User-
Agent").SET_TEXT_MODE(IGNORECASE).CONTAINS("Mozilla")" DROP
Use case - Client/browser identification

? Enables you actively modify and rewrite content on the fly
? For example requested URL��s, text, metadata
? Example:
add rewrite action RW_RES_CMPMode_ACT insert_before
"HTTP.RES.BODY(10000).SUBSTR(��<meta")" q{"<meta http-equiv="X-UA-
Compatible" content="IE=EmulateIE7" />"}
Use case - Rewrites

? Use HTTP CallOut to verify client IP or username
? Fetch back end-pages for response replacement.
? Can be used to trigger other policies like:
? Redirect thru responder, Rewrite,
? Example:
set policy httpcallout CheckUser �Cipaddress 10.10.10.10 �Cport 80 -returntype
text �Chttpmethod get �Curlstemexpr '"/CheckIP&��+HTTP.REQ.USER.NAME"' -
resultexpr 'http.res.body(5)'
sys.http_callout(CheckUser)
Use case - White/blacklisting

Only support Classic
Support Default
? Authentication, Pre-authentication
? SSL
? Cache redirection
? VPN (session, traffic, and tunnel traffic)
? Content filtering (use Responder instead)
Classic to Default
? Application firewall policies
? Authorization policies
? Named expressions
? Compression policies
? Content switching policies
? User-defined, rule-based tokens/persistency

Manual
? root@ns# nspepi -e "RES.HTTP.HEADER Content-Type CONTAINS
application/msword"
? "HTTP.RES.HEADER("Content-
Type").AFTER_STR("application/msword").LENGTH.GT(0)��
? root@ns# nspepi -e "URL != '/*.gif'"
? "HTTP.REQ.URL.REGEX_MATCH(re#/(.*).gif#).NOT��
? Is this the most optimal rule?
Expression conversion

Full config
root@ns# cd /nsconfig
root@ns# nspepi -f ns.conf
OUTPUT: New configuration file created: new_ns.conf
OUTPUT: New warning file created: warn_ns.conf
root@ns#

Remember:
? The commands that exceed 1499 character limit must be manually
updated.
? Multiple classic can share priority 0. Not supported in Default
? Error lines shown after command and in warning file
? Use as guidance
? Test��Test��and when done��Test again!

What is RegEx
A regular expression is a sequence or pattern of characters that is matched
against a string of text when performing searches.
NetScaler uses PCRE
Patterns are selective and can search any part of the string.
Searches can use different entry points and look back and forward
RegEx uses delimeters to select text: re~test|test2~
These can be anything that is unique
RegEx

RegEx
Metacharacter Function Example What if Matches
^ Beginning-of-line anchor /^love/ Matches all lines beginning with love
$ End-of-line anchor /love$/ Matches all lines ending with love
. Matches one character /l..e/ Matches lines containing an l, followed by two characters,
followed by an e
* Matches zero or more of the
preceding characters
/ *love/ Matches lines with zero or more spaces, followed by the
pattern love
[] Matches one character in
the set
/[Ll]ove Matches lines containing love or Love
[x-y] Matches one character
within a range in the set
/[A-Z]ove/ Matches letters from A through Z followed by ove
[^] Matches one character not
on a set
/[^A-Z]/ Matches any character not in the range between A and Z.
Used to escape a character /love./ Matches lines containing love, followed by a literal period

RegEx
Metacharacter Function Definition
d Match any digit [0-9]
w Match any word character [A-Za-z0-9_]
s Match any whitespace character [ tn]
D Match any NON-digit [^d]
W Match any NON-word character [^w]
S Match any NON-whitespace
character
[^s]

Example
I have a lovely time on our little picnic.
Lovers were all around us. It is springtime. Oh
love, how much I adore you. Do you know
the extent of my love? Oh, by the way, I think
I lost my gloves somewhere out in that field of
clover. Did you see them? I can only hope love
is forever. I live for you. It's hard to get back in the
groove.
/ove[^a-zA-Z0-9]/
RegEx

? What are you trying to find, don��t evaluate full result
? http.req.url.suffix.contains("jpeg��)
? http.req.url.suffix.eq("jpeg")
? Regex takes more resources, but can match multiple values
? Match multiple items in single request
? HTTP.REQ.HOSTNAME.SERVER.REGEX_MATCH(re~host1|host2~)
? HTTP.REQ.HEADER("Example").AFTER_STR("more��)
? Is better then
? HTTP.REQ.HEADER("Example").AFTER_REGEX(re/more/)
Policy optimization

? A PatternSet is an excellent way to match multiple values
? Example: Checking for filetypes or hosts
add policy patset PatSet_AllowedHosts
bind policy patset PatSet_AllowedHosts host1 -index 1
bind policy patset PatSet_AllowedHosts host3 -index 2
HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY("PatSet
_AllowedHosts")"
Policy optimization �C PatternSet

? StringMap can be used for dynamic renaming
add policy stringmap SM_Name
bind policy stringmap SM_Name site1.domain.com ��Desktop1"
bind policy stringmap SM_Name site2.domain.com ��Desktop2��
add rewrite action RW_RES_DesktopName_ACT replace_all
"HTTP.RES.BODY(100000)"
"HTTP.REQ.HOSTNAME.SERVER.MAP_STRING("SM_Name��)" -pattern
"re~(Other Desktop)|(Real Desktop)~" -bypassSafetyCheck YES
Policy optimization - StringMap

? Expression policy simplifies reusing frequently used expressions
add policy expression Exp1
"!HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY("PatS
et_AllowedHosts")"
add responder policy RESP_DROP_Unsecure_Hosts_POL Exp1 DROP
Policy optimization - ExpressionPolicy

? Always use the correct policy expression
Example:
HTTP.REQ.URL.QUERY
Performs better than
HTTP.REQ.URL.AFTER_STR("?")
which is based on string parsing that have to look thru the whole query
Policy optimization �C Correct policy

? TypeCasting allow you to convert data
HTTP.REQ.HEADER("Example").AFTER_STR(",").BEFORE_STR(",")
Can be optimized by changing into
HTTP.REQ.HEADER("Example").TYPECAST_LIST_T(',').GET(1)
SET_TEXT_MODE(IGNORECASE) is excellent when working with rewrite
Policy optimization - TypeCasting

Citrix NetScaler Policy Expression Reference - Release 10.1
http://support.citrix.com/article/CTX137705
Typecasting
http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-1-map/ns-
typecasting-data-wrapper-con.html#ns-typecasting-data-wrapper-con
Online resources

Henrik Johansson
Twitter: @HenrikJay
Questions?

Before you leave��
Conference surveys are available online at www.citrixsynergy.com starting
Thursday, May 8 at 9:00 a.m.
? Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes
Download presentations starting Monday, May 19, from your My Event
Planning Tool

�ݺ�ߣ

Syn504 unleashing the power of the net scaler policy and expressions engine - final

Recommended

More Related Content

What's hot (7)

Similar to Syn504 unleashing the power of the net scaler policy and expressions engine - final (20)

Recently uploaded (20)

Syn504 unleashing the power of the net scaler policy and expressions engine - final

Editor's Notes