Policy Engine (PE)
Deployment Guide
A Technical Reference
Notice:
The information in this publication is subject to change without notice.
THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.
Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 333092009 U.S.A. All rights reserved.
Table of Contents
Introduction
Prerequisites
Policy Expressions (PE)
    Components of Policy Expression
    Qualifiers
    Operators
    Operands
    Policy Limitations
    Performance Considerations
    Important Policy Behavior - Policy Engine (PE)
    Sample Expressions using the CLI
    Sample Expressions using the GUI
    Compound Expressions
    Sample Compound Expressions using the CLI
    Sample Compound Expressions using the GUI
Introduction
Citrix® NetScaler® optimizes the delivery of web applications — increasing security and improving
performance and Web server capacity. This approach ensures the best total cost of ownership (TCO),
security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive
network system that combines high-speed load balancing and content switching with state-of-the-art
application acceleration, layer 4-7 traffic management, data compression, dynamic content caching,
SSL acceleration, network optimization, and robust application security into a single, tightly integrated
solution. Deployed in front of application servers, the system significantly reduces processing overhead
on application and database servers, reducing hardware and bandwidth costs.
Policies are used to configure various Application Switch features. For example, the parameters for
compressing content are defined in a compression policy.
The features that use policies are:
• Content Switching
• Content Filtering
• AppCompress
• Cache Redirection
• SSL VPN
• Priority Queuing
• DoS Protection
• Sure Connect
Policy expressions are applied to content that enters the system. Expressions are shared among
features, but actions are feature-specific. For example, you can create an expression to identify .pdf files
being sent through the system. You can then create a compression policy that uses this expression to
compress those files.
The Policy Engine refers to the architecture in the Citrix NetScaler Application Switch for versions up to
8.x. The architecture for Policy Engine and the manner in which it operates is presented in this guide.
Prerequisites
• Citrix NetScaler Application Switch running version 8.x (quantity 1 for a single deployment, quantity 2 for an HA deployment).
• Client laptop/workstation running Internet Explorer 6.0+, Ethernet port
• 9-pin serial cable -or- USB-to-serial cable
NOTE:
The policies in this guide are based on the Policy Engine (PE) architecture in NetScaler version 8.0.
Policies for NetScaler version 9.0+ use the Policy Infrastructure (PI) architecture, which differs in
syntax and methodology. Policy Infrastructure (PI) is not discussed in this guide.
Policy Expressions (PE)
Components of Policy Expression
The Policy Expressions (PE) language is a basic expressions language that is used to define policy
conditions on the NetScaler Application Switch. Because it is the original expressions language on the
NetScaler, the expressions written in it are often called classic expressions.
A Policy consists of an expression and an action. Expressions are “shared” among features on the
switch; actions are “feature-specific”. For example, you can create an expression to identify .pdf files
being sent through the system, and then create a compression policy that uses this expression to
compress (take action on) those files.
Policy Expressions work like an If-Then-Else language: the Expression is the “If” and the Action is the
“Then”.
Expressions consist of the following components:
• Name: expression name
• Qualifier: The information to be tested.
• Operator: Operation to perform.
• Operand: Values to compare to Qualifiers.
Expression Syntax (the rule is passed as one quoted string, as in the example):
• add expression <name> “<qualifier> <operator> <operand>”
Example:
• add expression mpost “REQ.HTTP.METHOD == POST”
Qualifiers
Qualifiers are directional, or flow based: each one refers either to requests coming from clients or to
responses being sent from backend servers. Most often they are based on components of HTTP
flows. In the Policy Expression language, flow-based qualifiers start with REQ for request-based
expressions and RES for response-based expressions.
The qualifier format is:
• [<flow.type>.<protocol>.]qualifier
For example:
• REQ.HTTP.METHOD
• REQ.HTTP.URL
• REQ.HTTP.HEADER
Operators
The Operator identifies the operation to perform on the operands. The following table defines the
operators.
Operator                 Description
==, !=, EQ, NEQ          Test for exact matches. These are case sensitive.
GT                       Use for numerical comparisons on the length of URLs and query strings.
CONTAINS, NOTCONTAINS    Determine whether the specified string is contained in the qualifier. These are
                         not case sensitive.
EXISTS, NOTEXISTS        Check for the existence of a particular qualifier, for example whether a
                         specific HTTP header exists or whether a URL query exists.
CONTENTS                 Checks for the existence of the qualifier and its contents.
Operands
An Operand defines the values for the corresponding qualifiers, that is, the values being compared to
the corresponding qualifiers. Wildcard characters can sometimes be used in Operands, for example
“/*.gif”.
Policy Limitations
The Cache Redirection feature has a maximum of 128 expressions and Content Switching has a
maximum of 512 expressions, which are hard-coded and cannot be changed.
For the remaining features, there is a built-in maximum limit of 1024 expressions in the NetScaler
Application Switch, but this can be changed by entering the following through the command line
interface:
• nsapimgr -ys maxexpr=<new limit number>
Performance Considerations
Some operators behave differently, so you might want to take note of the behavior and the potential
impact to performance.
The operator “==” is:
• Case Sensitive
• Accepts Wildcards “*”
• Is not CPU intensive
The operator “CONTAINS” is:
• Not Case Sensitive
• Does Not Accept Wildcards “*”
• Is CPU Intensive
Important Policy Behavior - Policy Engine (PE)
[Figure: request and response processing order through the NetScaler features. The labels shown
are SSL Decryption, AAA, App Fw, TCP Buffering, Responder, Caching, TCP Compression, Content
Switching, Load Balancing, HTTP Compression, Content Filtering, HTTP DoS, Request Rewrite,
Response Rewrite, Sure Connect, Priority Queueing and SSL Encryption.]
Policies are evaluated in the order in which they are classified, that is, by their priority numbers.
Policies operate on a first-match principle: within a policy classification, the action associated with
the first policy that matches is applied. Once a match is determined, policy evaluation exits the logic
tree and no further policies are evaluated.
If there is no match, the GOTO expression is evaluated, which can go to the ‘END’ of the logic tree,
go to the ‘NEXT’ priority number, or go to a specific priority number.
Each feature has its own set of priority numbers for its own set of policies. Policy priority numbers do
not overlap between feature sets: a rewrite policy with priority 20 does not interfere with a caching
policy with priority 10, 20 or 30. Request flow policy priorities come before (lower numbers) response
flow policy priorities (higher numbers).
Priority numbers increment in units of 10.
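To make the first-match and GOTO behavior described above concrete, here is an added Python model (example code, not NetScaler's implementation). It assumes a policy is a (priority, rule, action, goto) tuple whose rule is a callable tested against a request dict, and it treats a numeric GOTO as a forward jump within the same feature's policy bank.

```python
def evaluate_bank(policies, req):
    """Return the action of the first matching policy, or None if nothing matched.

    policies: iterable of (priority, rule, action, goto) tuples; rule is a callable
    taking the request, and goto (consulted only when rule does not match) is
    "END", "NEXT" or the priority number to continue at (assumed: a forward jump)."""
    bank = sorted(policies, key=lambda p: p[0])      # evaluation follows priority numbers
    i = 0
    while i < len(bank):
        priority, rule, action, goto = bank[i]
        if rule(req):
            return action                            # first match wins; evaluation exits here
        if goto == "END":
            return None                              # leave the logic tree with no action
        if goto == "NEXT":
            i += 1
            continue
        # a specific priority number: continue at that policy, or end if there is none
        i = next((k for k, p in enumerate(bank) if p[0] == goto and k > i), len(bank))
    return None


# Constructed sample bank for a single feature; priorities increment in units of 10.
SAMPLE_BANK = [
    (10, lambda r: r["method"] == "POST", "act_on_post", "NEXT"),
    (20, lambda r: r["url"].endswith(".html"), "act_on_html", 40),   # no match: skip 30
    (30, lambda r: True, "catch_all_30", "NEXT"),                    # only reachable via NEXT
    (40, lambda r: "Host" not in r["headers"], "act_on_no_host", "END"),
    (50, lambda r: True, "catch_all_50", "NEXT"),
]

if __name__ == "__main__":
    print(evaluate_bank(SAMPLE_BANK, {"method": "GET", "url": "/x.gif", "headers": {}}))
```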
Sample Expressions using the CLI
• add policy expression mget “REQ.HTTP.METHOD == GET”
• add policy expression uhtml “REQ.HTTP.URL == /*.html”
• add policy expression hhdr “REQ.HTTP.HEADER Host CONTAINS myhost.com”
• add policy expression srcip “REQ.IP.SOURCEIP == 192.168.10.1”
• add policy expression dstip “REQ.IP.DESTIP == 192.168.12.2”
Sample Expressions using the GUI
To add a expression in the
NetScaler GUI, navigate to
NetScaler 
System 
Expressions  Add. Add
each expression and click
on Create.
10
11
Compound Expressions
Compound expressions check for multiple conditions. A compound expression is formed from one or
more expressions connected with the logical operators “&&” and “||”, grouped for order of
evaluation with the parentheses “(” and “)”. Compound expressions are processed from left to right
with “lazy” evaluation: once the final result is known, evaluation stops.
Sample Compound Expressions using the CLI
Sample using the “and” (&&) operator:
• add policy expression not_get “REQ.HTTP.METHOD != GET”
• add policy expression not_post “REQ.HTTP.METHOD != POST”
• add policy expression not_head “REQ.HTTP.METHOD != HEAD”
• add policy expression not_normal_method “not_get && not_post && not_head”
Sample using the “or” (||) operator:
• add policy expression no_hdr_host “REQ.HTTP.HEADER Host NOTEXISTS”
• add policy expression no_hdr_user_agent “REQ.HTTP.HEADER User-Agent NOTEXISTS”
• add policy expression not_normal_hdrs “no_hdr_host || no_hdr_user_agent”
• add policy expression bad_request “not_normal_method || not_normal_hdrs”
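As an added example (not NetScaler code), the following Python evaluator models the classic expression semantics this guide describes: the case-sensitive ==/!= match with “*” wildcards, case-insensitive CONTAINS, EXISTS/NOTEXISTS on headers, and the left-to-right lazy evaluation of && and || compounds, loading CLI lines exactly as typed above. The request shape (a dict with method, url, srcip and headers) is an assumption, and grouping parentheses are not modelled.

```python
import re
QUALIFIERS = {"REQ.HTTP.METHOD": "method", "REQ.HTTP.URL": "url", "REQ.IP.SOURCEIP": "srcip"}

def simple(req, rule):
    """Evaluate one '<qualifier> [<header>] <operator> [<operand>]' rule."""
    t = rule.split()
    if t[0] == "REQ.HTTP.HEADER":                      # header qualifiers take a header name
        value = {k.lower(): v for k, v in req["headers"].items()}.get(t[1].lower())
        op, operand = t[2], (t[3] if len(t) > 3 else None)
    else:
        value, op, operand = req.get(QUALIFIERS[t[0]]), t[1], (t[2] if len(t) > 2 else None)
    if op in ("EXISTS", "NOTEXISTS"):
        return (value is not None) == (op == "EXISTS")
    if value is None:                                  # an absent qualifier never matches
        return False
    if op in ("==", "!=", "EQ", "NEQ"):                # case sensitive; '*' is a wildcard
        pat = "^" + ".*".join(re.escape(p) for p in operand.split("*")) + "$"
        return bool(re.match(pat, value)) == (op in ("==", "EQ"))
    if op in ("CONTAINS", "NOTCONTAINS"):              # case insensitive; no wildcards
        return (operand.lower() in value.lower()) == (op == "CONTAINS")
    raise ValueError("unsupported operator " + op)

class Expressions:
    """Named expressions loaded from 'add policy expression <name> "<rule>"' CLI lines."""
    def __init__(self, cli_lines):
        self.named = dict(re.match(r'add policy expression (\S+) "(.*)"', line).groups()
                          for line in cli_lines)

    def evaluate(self, name, req, live=True):
        """Evaluate a named expression; a compound rule is names joined by && and ||."""
        if not live:                                   # lazy: the outcome is already decided
            return False
        tokens = [t for t in re.split(r"\s*(&&|\|\|)\s*", self.named[name]) if t]
        return simple(req, tokens[0]) if len(tokens) == 1 else self._compound(tokens, req)

    def _compound(self, tokens, req):
        """Left to right; '&&' binds tighter than '||'. 'live' turns False as soon as
        the outcome is known, so the remaining operands are skipped, not evaluated."""
        or_acc, and_acc, live = False, True, True
        for tok in tokens:
            if tok == "||":                            # close the current && group
                or_acc, and_acc, live = or_acc or and_acc, True, not (or_acc or and_acc)
            elif tok != "&&":                          # an operand: a named expression
                and_acc = and_acc and self.evaluate(tok, req, live and and_acc)
        return or_acc or and_acc

# Constructed sample adapted from the guide's CLI lines above.
SAMPLE_RULES = ['add policy expression not_get "REQ.HTTP.METHOD != GET"',
                'add policy expression no_hdr_host "REQ.HTTP.HEADER Host NOTEXISTS"',
                'add policy expression bad_request "not_get || no_hdr_host"']
```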
Sample Compound Expressions using the GUI
Sample using the “and” (&&) operator:
[GUI screenshot of the compound expression not reproduced]
Sample using the “or” (||) operator:
[GUI screenshot of the compound expression not reproduced]
About Citrix
Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than
200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest
security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well
as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more
than 100 countries. Annual revenue in 2006 was $1.1 billion.
Citrix®, NetScaler®, GoToMyPC®, GoToMeeting®, GoToAssist®, Citrix Presentation Server™, Citrix Password Manager™, Citrix Access Gateway™, Citrix Access
Essentials™, Citrix Access Suite™, Citrix SmoothRoaming™ and Citrix Subscription Advantage™ are trademarks of Citrix Systems, Inc. and/or one or more of its
subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX® is a registered trademark of The Open Group in the U.S. and
other countries. Microsoft®, Windows® and Windows Server® are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks
and registered trademarks are property of their respective owners.
www.citrix.com