Citrix NetScaler Policy Configuration and Reference Guide Citrix® NetScaler® 9.
Copyright and Trademark Notice © CITRIX SYSTEMS, INC., 2010. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
Preface

Before you begin to configure policies and expressions as described in this document, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

• Chapter 3, “Configuring Advanced Expressions: Getting Started.” Describes expression syntax and semantics, and briefly introduces how to configure expressions and policies.
• Chapter 4, “Advanced Expressions: Evaluating Text.” Describes expressions that you configure when you want to operate on text (for example, the body of an HTTP POST request or the contents of a user certificate).
• Appendix C, “Tutorial Examples of Advanced Policies for Rewrite.” Examples of advanced policies for use in the Rewrite feature.
• Appendix D, “Tutorial Examples of Classic Policies.” Examples of classic policies for NetScaler features such as Application Firewall and SSL.
• Appendix E, “Migration of Apache mod_rewrite Rules to Advanced Policies.”
• NetScaler programmers who want to develop advanced policies and expressions.

The concepts and tasks described in this guide require you to have a basic understanding of the NetScaler system and the particular feature for which you want to configure a policy.

Related Documentation

A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)

To view the documentation
1. From a Web browser, log on to the NetScaler.
2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify “Documentation Feedback.” Be sure to include the document name, page number, and product release version.
• For NetScaler documentation, send email to nsdocs_feedback@citrix.com.
Chapter 1 Introduction to Policies and Expressions

For many NetScaler features, policies control how the feature evaluates data, which ultimately determines what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate requests, responses, or other data, and applies one or more actions determined by the outcome of the evaluation. Or a policy can apply a profile, which defines a complex action.

Benefits of Using Advanced Policies

Advanced policies use a powerful expression language that is built on a class-object model, and they offer several options that enhance your ability to configure the behavior of various NetScaler features. With advanced policies, you can do the following:
• Perform fine-grained analyses of network traffic from layers 2 through 7.

• Bindings. To ensure that the NetScaler can invoke a policy when it is needed, you associate the policy, or bind it, to one or more bind points. You can bind a policy globally or to a virtual server. For more information, see “About Policy Bindings,” on page 7.
• An associated action. An action is a separate entity from a policy. Policy evaluation ultimately results in the NetScaler performing an action.

NetScaler Feature, Policy Type, and Policy Usage

Feature Name | Policy Type | How You Use Policies in the Feature
Protection Features | Classic | To configure the behavior of the Filter, SureConnect, and Priority Queueing functions.
Content Switching | Classic and Advanced | To determine what server or group of servers is responsible for serving responses, based on characteristics of an incoming request.
Access Gateway | Classic | To determine how the Access Gateway performs authentication, authorization, auditing, and other functions. Authorization policies, however, can be configured with both classic and advanced policy formats.

About Actions and Profiles

Policies do not themselves take action on data.

Use of Actions and Profiles in Particular Features

The following table summarizes the use of actions and profiles in different NetScaler features. The table is not exhaustive. For more information on specific uses of actions and profiles for a feature, see the documentation for the feature.

Use of Actions and Profiles in Different NetScaler Features

Feature | Use of an Action | Use of a Profile
System | The action is implied. For the Authentication function, it is either Allow or Deny. For Auditing, it is Auditing On or Auditing Off. | Not used.
DNS | The action is implied. It is either Drop Packets or the location of a DNS server. | Not used.
SSL Offload | The action is implied.

User-defined policy label. For advanced policies, you can configure custom groupings of policies (policy banks) by defining a policy label and collecting a set of related policies under the policy label.

Other bind points. The availability of additional bind points depends on the type of policy (classic or advanced) and on the specifics of the relevant NetScaler feature.

Order of Evaluation Based on Traffic Flow

As traffic flows through the NetScaler and is processed by various features, each feature performs policy evaluation. Whenever a policy matches the traffic, the NetScaler stores the action and continues processing until the data is about to leave the NetScaler. At that point, the NetScaler typically applies all matching actions.

• Integrated Caching: You use advanced expressions to configure a selector for a content group in the Integrated Cache.
• Load Balancing: You use advanced expressions to configure token extraction for a load balancing virtual server that uses the TOKEN method for load balancing.
• Rewrite: You use advanced expressions to configure Rewrite actions.

About Migration from Classic to Advanced Policies and Expressions

The NetScaler supports either classic or advanced policies within a feature. You cannot have both types in the same feature. Over the past few releases, some NetScaler features have migrated from using classic policies and expressions to advanced policies and expressions.
Chapter 2 Configuring Advanced Policies

You can create advanced policies for various NetScaler features, including DNS, Rewrite, Responder, and Integrated Caching, and the clientless access function in the Access Gateway. Policies control the behavior of these features. When you create an advanced policy, you assign it a name, a rule (an expression), feature-specific attributes, and an action that is taken when data matches the policy.

Creating or Modifying an Advanced Policy

All advanced policies have some common elements. Creating an advanced policy consists, at minimum, of naming the policy and configuring a rule. The policy configuration tools for the various features have areas of overlap, but also differences. For the details of configuring a policy for a particular feature, including associating an action with the policy, see the documentation for the feature.

To create or modify an advanced policy by using the configuration utility
1. In the navigation pane, expand the name of the feature for which you want to configure a policy, and then click Policies. For example, you can select Content Switching, Integrated Caching, DNS, Rewrite, or Responder.
2. In the details pane, click Add, or select an existing policy and click Open. A policy configuration dialog box appears.

Note: At the command line, quote marks within a policy rule (the expression) must be escaped or delimited with the q delimiter. For more information, see “Configuring Advanced Expressions in a Policy,” on page 57.

Binding Advanced Policies

After defining a policy, you indicate when the policy is to be invoked by binding the policy to a bind point and specifying a priority level. You can bind a policy to only one bind point.

Feature-Specific Bindings for Advanced Policies

Feature Name | Virtual Servers Configured in the Feature | Policies Configured in the Feature | Bind Points Configured for the Policies | Use of Advanced Policies in the Feature
Content Switching | Content Switching (CS) | Note: This feature can support either advanced or classic policies, but not both.
Access Gateway | VPN server (clientless VPN functions only) | Clientless Access policies | VPN Global; VPN server | To determine how the Access Gateway performs authentication, authorization, auditing, and other functions, and to

balancing virtual servers, the NetScaler processes the response-time policies for content switching virtual servers.
8. Response-time default. If policy evaluation cannot be completed after all response-time, virtual-server-specific policies have been evaluated, the NetScaler processes response-time default policies.

The following table summarizes each entry in a policy bank.

Format of Each Entry in a Policy Bank

Policy Name | Priority | Goto Expression | Invocation Type | Policy Bank to be Invoked
The policy name, or a “dummy” policy named NOPOLICY. The NOPOLICY entry controls evaluation flow without processing a rule. For more information, see “Evaluation Order Within a Policy Bank,” on page 20. | An integer. | Optional. | Optional. | Optional.

• NEXT. This keyword selects the policy with the next higher priority level in the current policy bank.
• An integer. If you supply an integer, it must match the priority level of another policy in the current policy bank.
• END. This keyword stops evaluation after processing the current policy, and no additional policies in this bank are processed.
• Blank. If the Goto expression is empty, it is the same as specifying END.
• A numeric expression.

• A policy evaluates to TRUE and its Goto statement value is END. No further policies or policy banks in this feature are evaluated.
• An external policy bank is invoked, its evaluation returns an END, and the Goto statement uses a value of USE_INVOCATION_RESULT or END. Evaluation continues with the next policy bank for this feature.
To bind a Rewrite advanced policy globally by using the NetScaler command line
At the NetScaler command prompt, type:
bind rewrite global [-type REQ_OVERRIDE | REQ_DEFAULT | RES_OVERRIDE | RES_DEFAULT]
The type argument is optional for globally bound policies, to maintain backward compatibility.

6. Click Close.

To bind a DNS advanced policy globally by using the configuration utility
1. In the navigation pane, expand DNS, and then click Policies.
2. In the details pane, click Global Bindings.
3. In the global bindings dialog box, click Insert Policy, and select the policy that you want to bind globally.
4. Click in the Priority field and enter the priority level.
5. Click OK.

4. If you are binding a policy to a Content Switching virtual server, in the Target field select a load balancing virtual server to which traffic that matches the policy is sent.
5. Click OK.

Displaying Policy Bindings

You can display policy bindings to verify that they are correct.

unbind cache|rewrite global [-type req_override|req_default|res_override|res_default] [-priority ]
The priority is required only for the “dummy” policy named NOPOLICY.
At the NetScaler command prompt, to unbind a Responder policy, type:
unbind responder global [-type override|default] [-priority ]
The priority is required only for the “dummy” policy named NOPOLICY.

To unbind an advanced policy from a Load Balancing or Content Switching virtual server by using the configuration utility
1. In the navigation pane, expand Load Balancing or Content Switching, and then click Virtual Servers.
2. In the details pane, double-click the virtual server from which you want to unbind the policy.
3. On the Policies tab, in the Active column, clear the check box next to the policy that you want to unbind.
4. Click OK.

add rewrite policylabel http_req|http_res|url|text|clientless_vpn_req|clientless_vpn_res
At the NetScaler command prompt, to create a Responder policy label, type:
add responder policylabel
Note: Invoke this policy label from a policy bank. For more information, see “Binding a Policy to a Policy Label,” on page 29.

To create a policy label by using the configuration utility

Binding a Policy to a Policy Label

As with policy banks that are bound to the built-in bind points, each entry in a policy label is a policy that is bound to the policy label. As with policies that are bound globally or to a vserver, each policy that is bound to the policy label can also invoke a policy bank or a policy label that is evaluated after the current entry has been processed. The following table summarizes the entries in a policy label.

Configuring a Policy Label

A policy label consists of a set of policies and invocations of other policy labels and virtual server-specific policy banks. An Invoke parameter enables you to invoke a policy label or a virtual server-specific policy bank from any other policy bank. A special-purpose NoPolicy entry enables you to invoke an external bank without processing an expression (a rule).

bind cache global NOPOLICY -priority 104 -gotoPriorityExpression next -type RES_OVERRIDE -invoke resvserver lab2

To invoke a policy label from a Responder policy bank by using the NetScaler command line
At the NetScaler command prompt, type:
bind responder global NOPOLICY -type OVERRIDE|DEFAULT -invoke vserver|policylabel |
Example
bind responder global NOPOLICY 100 NEXT -type OVERRIDE -invoke

information on possible values for a Goto expression, see the table, “Entries in a Policy Bank,” on page 29.
• Invoke: Optional. Invokes another policy bank.

Configuring a Policy Bank for a Virtual Server

You can configure a bank of policies for a virtual server.

4. To create a new policy in this bank, click the icon for the type of policy or policy label that you want to add to the virtual server’s bank of policies, and then click Insert Policy. Note that if you want to invoke a policy label without evaluating a policy rule, select the NOPOLICY “dummy” policy.

To invoke a policy label or virtual server policy bank by using the NetScaler command line
At the NetScaler command prompt, for Rewrite or Integrated Caching, type:
bind cache|rewrite global -priority [-gotoPriorityExpression ] [-type REQ_OVERRIDE|REQ_DEFAULT|RES_OVERRIDE|RES_DEFAULT] -invoke reqvserver|resvserver|policylabel
Example
bind cache global myCachePolicy -priority 100 -type req

unbind lb|cs vserver -policyName NOPOLICY-REWRITE|NOPOLICY-RESPONDER|NOPOLICY-CACHE -type REQUEST|RESPONSE -priority
Example
unbind lb vserver myLBVserver -policyName NOPOLICY-REWRITE -priority 200 -type REQUEST

To invoke a policy label or virtual server policy bank by using the configuration utility
• To insert a policy, tab to the row above the insertion point and press Control + Insert, or click Insert Policy.
• To remove a policy, tab to the row that contains the policy and press Delete. Note that when you delete the policy, the NetScaler searches the Goto Expression values of other policies in the bank. If any of these Goto Expression values match the priority level of the deleted policy, they are removed.

In all three cases, priority levels of all other policies are modified as needed to accommodate the new value. Goto Expressions with integer values are also updated automatically. For example, if you change a priority value of 10 to 100, all policies with a Goto Expression value of 10 are updated to the value 100.
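The following simulator is an added example, not Citrix code, that models the policy-bank evaluation flow this chapter describes: entries are visited in ascending priority; a matching policy's Goto expression (NEXT, END or blank, an integer priority, or USE_INVOCATION_RESULT after a NOPOLICY invocation) decides what runs next; and the priority-change and delete rules above are applied to integer Goto values. The policy names, the label name lab2 and the rules (plain Python callables standing in for advanced expressions) are constructed for the example.

```python
"""Added example (not Citrix code): simulate NetScaler advanced policy-bank evaluation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union

Request = Dict[str, str]
Goto = Union[str, int, None]   # "NEXT", "END", int priority, "USE_INVOCATION_RESULT", None = blank


@dataclass
class Entry:
    name: str                                          # policy name, or "NOPOLICY" (dummy entry)
    priority: int
    rule: Callable[[Request], bool] = lambda r: True   # not processed for NOPOLICY
    goto: Goto = None                                  # blank Goto is the same as END
    action: Optional[str] = None                       # action the NetScaler stores on a match
    invoke: Optional[str] = None                       # policy label / vserver bank to invoke


@dataclass
class Bank:
    name: str
    entries: List[Entry] = field(default_factory=list)


def evaluate(bank: Bank, banks: Dict[str, Bank], req: Request,
             actions: Optional[List[Tuple[str, str]]] = None) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate one bank against req. Returns ("END", actions) when a Goto of END stopped
    evaluation, or ("NEXT", actions) when the bank was exhausted, so the caller knows whether
    to move on to the next bank for the feature. actions lists (policy, action) in match order."""
    if actions is None:
        actions = []
    order = sorted(bank.entries, key=lambda e: e.priority)
    i = 0
    while i < len(order):
        e = order[i]
        if e.name != "NOPOLICY" and not e.rule(req):
            i += 1                                   # rule is FALSE: go on to the next entry
            continue
        if e.action is not None:
            actions.append((e.name, e.action))
        invoked = None
        if e.invoke is not None:                     # invoked bank runs before Goto is applied
            invoked, _ = evaluate(banks[e.invoke], banks, req, actions)
        goto: Goto = "END" if e.goto is None else e.goto
        if goto == "USE_INVOCATION_RESULT":          # inherit the invoked bank's result
            goto = invoked if invoked is not None else "END"
        if goto == "END":
            return "END", actions
        if goto == "NEXT":
            i += 1
        elif isinstance(goto, int):
            # An integer Goto must match another priority in this bank; this model assumes it
            # names a later entry, since a jump backwards would loop.
            later = [k for k in range(i + 1, len(order)) if order[k].priority == goto]
            if not later:
                raise ValueError(f"{bank.name}: Goto {goto} does not name a later priority")
            i = later[0]
        else:
            raise ValueError(f"{bank.name}: unsupported Goto {goto!r}")
    return "NEXT", actions


def change_priority(bank: Bank, old: int, new: int) -> None:
    """Renumber an entry; integer Goto values that pointed at it are updated to follow it."""
    for e in bank.entries:
        if e.priority == old:
            e.priority = new
        if e.goto == old:
            e.goto = new


def remove_policy(bank: Bank, priority: int) -> None:
    """Delete an entry; integer Goto values that matched its priority are removed (blank = END)."""
    bank.entries = [e for e in bank.entries if e.priority != priority]
    for e in bank.entries:
        if e.goto == priority:
            e.goto = None


def sample_banks() -> Dict[str, Bank]:
    """Constructed sample: a request-time bank that invokes the policy label lab2 through a
    NOPOLICY entry at priority 104 and then jumps over priority 120 with an integer Goto."""
    lab2 = Bank("lab2", [
        Entry("api_rewrite", 10, lambda r: r["url"].startswith("/api/"), "END", "rewrite_api_path"),
    ])
    main = Bank("rewrite_req_override", [
        Entry("static_hdr", 100, lambda r: r["url"].endswith(".css"), "NEXT", "add_cache_header"),
        Entry("NOPOLICY", 104, goto="USE_INVOCATION_RESULT", invoke="lab2"),
        Entry("legacy_jump", 110, lambda r: True, 130, "strip_legacy_header"),
        Entry("skipped", 120, lambda r: True, "NEXT", "never_reached"),
        Entry("default_hdr", 130, lambda r: True, None, "add_server_header"),
    ])
    return {b.name: b for b in (lab2, main)}


if __name__ == "__main__":
    banks = sample_banks()
    for url in ("/api/users", "/site.css"):
        result, acts = evaluate(banks["rewrite_req_override"], banks, {"url": url})
        print(url, result, acts)
```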
Chapter 3 Configuring Advanced Expressions: Getting Started

Advanced policies evaluate data on the basis of information that you supply in advanced expressions. An advanced expression analyzes data elements (for example, HTTP headers, source IP addresses, the NetScaler system time, and POST body data). To create an advanced expression, you select a prefix that identifies a piece of data that you want to analyze, and then you specify an operation to perform on the data.

Expression Characteristics

Policies and a few other entities include rules that the NetScaler uses to evaluate a packet in the traffic flowing through it, to extract data from the NetScaler system itself, to send a request (a callout) to an external application, or to analyze another piece of data. A rule takes the form of a logical expression that is compared against traffic and ultimately returns values of TRUE or FALSE.

In this expression, the following is the operator component:
eq("text/html")
This operator causes the NetScaler to evaluate any HTTP requests that contain a Content-Type header, and in particular, to determine if the value of this header is equal to the string text/html.
• is a Boolean or arithmetic operator that forms a compound expression from multiple prefix or prefix.operation elements.

• The prefix http.req.url designates an HTTP URL in URL-encoded format.
• SERVER: Identifies an element in the server that is either processing a request or sending a response.
• SYS: Identifies a characteristic of the NetScaler that is processing the traffic.
• TARGET: Represents all the strings that result from a search in the target text.

Which expression prefixes you can specify depends on the NetScaler feature. The following table describes the expression prefixes that are of interest on a per-feature basis.

This prefix extracts URLs in HTTP requests. This expression prefix does not require any operators to be used in an expression. However, when you configure an expression that processes HTTP request URLs, you can specify operations that analyze particular characteristics of the URL. Following are a few possibilities:
• Search for a particular host name in the URL.
• Search for a particular path in the URL.
• Evaluate the length of the URL.

Basic Operations for Expressions

Operation | Determines whether or not
GT() | An object's value is greater than a particular value. Following is an example: http.req.content_length.gt(5)

The following table summarizes a few of the available types of operations.

Basic Types of Operations

Operation Type | Description
Text operations | Match individual strings and sets of strings with any portion of a target.

You can use parentheses to control the order of evaluation in a compound expression.

Booleans in Compound Expressions

You configure compound expressions with the following operators:
• &&. This operator is a logical AND. For the expression to evaluate to TRUE, all components that are joined by the AND must evaluate to TRUE. Following is an example:
http.req.url.hostname.eq("myHost") && http.req.header("myHeader").exists
• ||.

String-Based Operations for Compound Advanced Expressions

All string operations
str + str | Concatenates the value of the expression on the left of the operator with the value on the right. Following is an example: http.req.hostname + http.req.url.protocol
str + num | Concatenates the value of the expression on the left of the operator with a numeric value on the right. Following is an example: http.req.hostname + http.req.url.
bool && bool | This operator is a logical AND. When evaluating the components of the compound expression, all components that are joined by the AND must evaluate to TRUE. Following is an example: http.req.method.eq(GET) && http.req.url.query.contains("viewReport && my_pagelabel")
bool || bool | This operator is a logical OR.
Arithmetic Operations for Compound Advanced Expressions

Operator | Description
num % num | Calculates the modulo, or the numeric remainder on a division of the value of the expression on the left of the operator by the value of the expression on the right. For example, 15 mod 4 equals 3, and 12 mod 4 equals 0.
~number | Returns a number after applying a bitwise logical negation of the number.
number & number | Compares two bit patterns of equal length and performs a bitwise AND operation on each pair of corresponding bits, returning 1 if both bits contain a value of 1, and 0 if either bit is 0. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 10 (binary 1010): numeric.
num <= num | Determines if the value of the expression on the left of the operator is less than or equal to the value of the expression on the right.

Operations on numbers of data type “integer”
number.ADD (integer) | Returns a number after adding the integer argument to the number value. Following is an example: http.req.content_length.add(10)
number.
number.GT (integer) | Returns a Boolean TRUE if the number value is greater than the integer argument. Following is an example: http.req.content_length.gt(500)
number.LE (integer) | Returns a Boolean TRUE if the number value is less than or equal to the integer argument. Following is an example: http.req.content_length.le(5)
number.LT (integer).
number.BITNEG | Returns a number after applying a bitwise logical negation of the number. The following example assumes that numeric.expression returns 12 (binary 1100): numeric.expression.bitneg() The result of applying the BITNEG operator is -11 (a binary 1110011, 32 bits total with all ones to the left).
number.BITXOR (integer) | Returns a number after applying a bitwise XOR to the integer argument and the current number value. If the values in the bitwise comparison are the same, the returned value is a 0. The following example assumes that numeric.expression returns 12 (binary 1100): numeric.expression.
number.RSHIFT (integer) | Returns a number after a bitwise right shift of the number value by the integer argument number of bits. Note that the number of bits shifted is integer modulo 32. The following example assumes that numeric.expression returns 12 (binary 1100): numeric.expression.rshift(3) The result of applying the RSHIFT operator is 1 (a binary 0001).
double.GE(i) | Returns a Boolean value (TRUE or FALSE) that indicates whether the value represented by double is greater than or equal to the argument i. Parameters: i - Value of type double
double.GT(i) | Returns a Boolean value (TRUE or FALSE) that indicates whether the value represented by double is greater than the argument i.
Classic Expressions in Advanced Expressions

Classic expressions describe basic characteristics of traffic. In some cases, you may want to use the classic expression syntax in an advanced policy. You can do so with the advanced expression configuration tool. This can be helpful when manually migrating older, classic expressions to the advanced expression format. Note that when you upgrade the NetScaler to version 9.

You must also use a backslash to escape question marks and other backslashes on the command line. For example, the expression http.req.url.contains(“\?”) requires a backslash so that the question mark is parsed. Note that the backslash character will not appear on the command line after you type the question mark. On the other hand, if you escape a backslash (for example, in the expression 'http.req.url.

4. Click the Prefix icon (the house) and select the first expression prefix from the drop-down list. For example, in Responder, the options are HTTP, SYS, and CLIENT. The next set of applicable options appears in a drop-down list.
5. Double-click the next option to select it, and then type a period (.). Again, a set of applicable options appears in another drop-down list.

5. In the HTTP Request Data or HTTP Response Data field, paste the HTTP request or response that you want to parse with the expression, and click Evaluate. Note that you must supply a complete HTTP request or response, and the header and body should be separated by a blank line. Some programs that trap HTTP headers do not also trap the response.

5. Configure the expression as described in “To configure an advanced policy expression by using the configuration utility,” on page 58.

Configuring Advanced Expressions Outside the Context of a Policy

A number of functions, including the following, can require an advanced expression that is not part of a policy:
• Integrated Caching selectors. You define multiple non-compound expressions (selectlets) in the definition of the selector.

q~http.req.url.query.value("_ghi")~
http.req.url.path
q~http.req.body(150).typecast_nvlist_t('=','&').value("portlet _C{actionForm.endDate}")~
q~http.req.body(150).typecast_nvlist_t('=','&').value("portlet _C{actionForm.
CHAPTER 4 Advanced Expressions: Evaluating Text
You can configure an advanced expression to examine text in a request or a response. For example, an expression can perform string matching on the following types of data:
• An HTTP header type
• An HTTP header value
• A user or group name in an HTTP request
• A file type in a URL
• A string in an HTTP POST body
You can configure text expressions to be case sensitive or case insensitive and to use or ignore spaces.
About Text Expressions
You can configure various expressions for working with text that flows through the NetScaler. Following are some examples of how you can parse text using an advanced expression:
• Determine that a particular HTTP header exists. For example, you may want to identify HTTP requests that contain a particular Accept-Language header for the purpose of directing the request to a particular server.
In the preceding examples, the contains operator permits a partial match and the eq operator looks for an exact match. Other operations are available to format the string before evaluating it, for example, to strip out quotes and white space, to convert the string to all lowercase, or to concatenate strings.
Note: Complex operations are available to perform matching based on patterns or to convert one type of text format to another type.
TCP payload expressions are discussed in another chapter. For more information, see “Advanced Expressions: Parsing HTTP, TCP, and UDP Data,” on page 113.
• Text in a Secure Sockets Layer (SSL) certificate. SSL and certificate expressions are discussed in another chapter. For information on SSL and certificate data, see “Advanced Expressions: Parsing SSL Certificates,” on page 141 and “Expressions for SSL Certificate Dates,” on page 101.
HTTP.REQ.HEADER("Example").AFTER_REGEX(re/more/)
For more information on regular expressions, see “Matching Text With a Pattern,” on page 164.
Expression Prefixes for Text
The following sections discuss expression prefixes for strings.
Expression Prefixes for Text in HTTP Requests and Responses
An HTTP request or response typically contains text in the form of headers, header values, URLs, and POST body text.
HTTP Expression Prefixes that Return Text
HTTP.REQ.HOSTNAME.DOMAIN
Returns the domain name part of the host name. For example, if the host name is www.myhost.com or www.myhost.com:8080, the domain is myhost.com. Returns incorrect results if the host name has an IP address. For information on expressions for IP addresses, see “Advanced Expressions: IP and MAC Addresses, Throughput, VLAN IDs,” on page 149.
HTTP.REQ.URL.HOSTNAME.DOMAIN
Returns the domain name part of the host name. For example, if the host name is www.myhost.com or www.myhost.com:8080, the domain is myhost.com. This operation returns incorrect results if the host name has an IP address. For information on expressions for IP addresses, see “Advanced Expressions: IP and MAC Addresses, Throughput, VLAN IDs,” on page 149.
HTTP.REQ.URL.QUERY.VALUE
Returns the value from the name-value pair in the argument supplied to this prefix, using the delimiter “=” from the query component in the URL. Following is an example:
http.req.url.query.value("action")
The first component that matches the name is selected. The matching process honors the IGNORECASE and the NOIGNORECASE text modes.
HTTP.REQ.USER.EXTERNAL_GROUPS(sep)
Returns a list of all the external groups to which the user belongs. The groups are separated by the given delimiter. For example, the following expression gives a list of all the external groups, and the groups are separated by a colon (":"):
HTTP.REQ.USER.EXTERNAL_GROUPS(':')
Parameters: sep - delimiter
HTTP.REQ.USER.
HTTP.REQ.USER.GROUPS.IGNORE_EMPTY_ELEMENTS
Ignores the empty elements in the list of groups to which the user belongs. If the element delimiter in the list is a comma (","), then the following list has an empty element following "a=10":
a=10,,b=11, ,c=89
But the element that follows "b=11" is not considered an empty element.
HTTP.REQ.USER.GROUPS.IGNORE_EMPTY_ELEMENTS
Ignores the empty elements in the list of groups to which the user belongs. If the element delimiter in the list is a comma (","), then the following list has an empty element following "a=10":
a=10,,b=11, ,c=89
But the element following "b=11" is not considered an empty element.
HTTP.REQ.USER.INTERNAL_GROUPS(sep)
Returns a list of the internal groups to which the user belongs. The groups are separated by the given delimiter. For example, the following expression returns a colon-separated list of all the internal groups to which the user belongs.
HTTP.REQ.USER.INTERNAL_GROUPS(':')
Parameters: sep - delimiter
HTTP.REQ.USER.
HTTP.REQ.VERSION
Returns the HTTP version listed in the request. Following is an example:
http.req.version
"\"HTTP/1.0\"
HTTP.RES.BODY(integer)
Returns a portion of the HTTP response body. The length of the returned text is equal to the number in the integer argument. If there are fewer characters in the body than are specified in integer, the entire body is returned.
HTTP.REQ.URL.PATH.IGNORE_EMPTY_ELEMENTS
Ignores the empty elements in the list. For example, if the element delimiter in the list is a comma, the following list has an empty element following a=10:
a=10,b=11, ,c=89
The element following b=11 is not considered an empty element.
• Queries in the VPN traffic.
These text elements are often URLs and components of URLs. In addition to applying the text-based operations on these elements as described elsewhere in this chapter, you can parse these elements using operations that are specific to parsing URLs. For more information, see “Expressions for Extracting Segments of URLs,” on page 129. The following table describes the expression prefixes for this type of data.
VPN and Clientless VPN Expression Prefixes that Return Text
VPN.BASEURL.HOSTNAME.SERVER
Evaluates the server portion of the host name. For example, if the host name is www.mycompany.com or www.mycompany.com:8080, the server is www.mycompany.com. All text operations after this prefix are case insensitive.
VPN.BASEURL.PATH
Extracts a slash- (/) separated list from the path component of the URL.
VPN.BASEURL.PROTOCOL
Evaluates the protocol in the URL. Do not use this prefix in bidirectional policies.
VPN.BASEURL.QUERY
Extracts a name-value list, using the “=” and “&” delimiters, from the query string in a URL.
VPN.BASEURL.QUERY.IGNORE_EMPTY_ELEMENTS
This method ignores the empty elements in a name-value list.
VPN.CLIENTLESS_BASEURL.HOSTNAME.DOMAIN
Evaluates the domain name part of the host name. For example, if the host name is www.mycompany.com or www.mycompany.com:8080, the domain is mycompany.com. This operation returns incorrect results if the host name is an IP address.
VPN.CLIENTLESS_BASEURL.PATH.IGNORE_EMPTY_ELEMENTS
Ignores empty elements in a list. For example, if the list delimiter is a comma (,), the following list has an empty element following “a=10”:
a=10,b=11, ,c=89
The element following b=11 contains a space and is not considered an empty element.
VPN.CLIENTLESS_BASEURL.QUERY.IGNORE_EMPTY_ELEMENTS
Ignores empty elements in a name-value list. For example, the following list contains an empty element after “a=10”:
a=10;;b=11; ;c=89
The element following b=11 contains a space and is not considered an empty element.
VPN.CLIENTLESS_HOSTURL.HOSTNAME.EQ("hostname")
Results in Boolean TRUE if the host name matches the hostname argument. The comparison is case insensitive. For example, if the host name is www.mycompany.com or www.mycompany.com., the following expression returns TRUE:
vpn.clientless_hosturl.hostname.eq("www.mycompany.
VPN.CLIENTLESS_HOSTURL.PATH.IGNORE_EMPTY_ELEMENTS
This method ignores the empty elements in a list. For example, if the delimiter in a list is “,” the following list contains an empty element after the entry “a=10”:
a=10,b=11, ,c=89
The element following b=11 contains a space and is not considered an empty element.
VPN.CLIENTLESS_HOSTURL.QUERY.IGNORE_EMPTY_ELEMENTS
Ignores empty elements in a name-value list. For example, the following list uses a semicolon (;) delimiter. This list contains an empty element after “a=10”:
a=10;;b=11; ;c=89
In the preceding example, the element following b=11 is not considered an empty element.
VPN.HOST.EQ("hostname")
Returns a Boolean TRUE value if the host name matches the hostname argument. The comparison is case insensitive. For example, if the host name is www.mycompany.com or www.mycompany.com:8080, the following returns TRUE:
vpn.host.eq("www.mycompany.com")
If the text mode is URLENCODED, the host name is decoded before comparison.
Basic Operations on Text
text.EQ("string")
Returns a Boolean TRUE value if the target is an exact match with string. For example, the following expression returns a Boolean TRUE for a URL with a host name of “myhostabc”:
http.req.url.hostname.eq("myhostabc")
text.STARTSWITH("string")
Returns a Boolean TRUE value if the target begins with string.
Operations on Case Sensitivity of Text
text.TO_LOWER
Converts the target to lowercase. For example, the string “ABCd:” is converted to “abcd:”.
text.TO_UPPER
Converts the target to uppercase. For example, the string “abcD:” is converted to “ABCD:”.
Operations on Strings Based on a Character Count
text.SUFFIX(character, count)
Selects the longest suffix in the target that has at most count occurrences of character. For example, consider the following response body:
JLEwx
The following expression returns a value of “JLEwx”:
http.res.body(100).suffix('L',1)
The following expression returns “LLEwx”:
http.res.body(100).suffix('L',2)
text.
Basic Operations on a Portion of a String
text.BETWEEN("starting string", "ending string")
Returns a Boolean TRUE value if the length of the text object is greater than or equal to the sum of the starting string and ending string argument lengths, if a prefix of the target matches starting string, and if the suffix of the target matches ending string.
text.
• The difference between “abc” and “abd” is -1 (based on the third pair-wise character comparison).
• The difference between “@” and “abc” is -33.
• The difference between “1” and “abc” is -47.
The following is the syntax for the COMPARE operation.
text.
Encoding and Decoding Text by Applying the Base64 Encoding Algorithm
The following two operators encode and decode a text string by applying the Base64 encoding algorithm:
Operators for Encoding and Decoding a Text String by Using Base64 Encoding
text.B64ENCODE
Encodes the text string (designated by text) by applying the Base64 encoding algorithm.
text.
• delete_all
• insert_before_all
For example, you might want to delete all instances of "http://exampleurl.com/" and "http://exampleurl.au/" in the first 1000 bytes of the body. To do this, you can configure a rewrite action to search for all instances of the string "exampleurl," extend the scope of the search on both sides of the string when a match is found, and then use a regular expression to perform the rewrite in the extended region.
CHAPTER 5 Advanced Expressions: Working with Dates, Times, and Numbers
Most numeric data that the NetScaler processes consists of dates and times. However, advanced expressions also work with other numeric data, for example, the lengths of HTTP requests and responses. You can configure advanced expressions to evaluate and to perform operations on dates, times, and other numeric data.
Note: Numeric operations are also covered in “Compound Operations for Numbers,” on page 48 and “Advanced Expressions: Parsing HTTP, TCP, and UDP Data,” on page 113.
When you specify a date and time, note that the format is case sensitive and must preserve the exact number of blank spaces between entries.
Note: In an expression that requires two time values, both must use GMT or both must use LOCAL. You cannot mix the two in an expression.
Dates and Times in a Rewrite Action
Unlike using the SYS.TIME prefix in an advanced policy expression, if you specify SYS.
The following table describes the available expressions that you can configure using the SYS.TIME prefix and its associated operations.
Expressions that Return NetScaler System Dates and Times
SYS.TIME.BETWEEN(time1, time2)
Returns a Boolean TRUE if the returned value is later than time1 and earlier than time2. You format the time1, time2 arguments as follows:
• They must both be GMT or both LOCAL.
SYS.TIME.GE(time)
Returns a Boolean TRUE if the current time is later than or equal to time. For example, if the current time is GMT 2005 May 1 10h 15m 30s, and it is the first Sunday of the month, you can specify the following (evaluation results are shown in parentheses):
• sys.time.ge(GMT 2004) (TRUE in this example.)
• sys.time.
SYS.TIME.LE(time)
Returns a Boolean TRUE if the current time value precedes or is equal to the time argument. For example, if the current time is GMT 2005 May 1 10h 15m 30s, and it is the first Sunday of the month, you can specify the following (evaluation results are shown in parentheses):
• sys.time.le(GMT 2006) (TRUE in this example.)
• sys.time.
SYS.TIME.RELATIVE_NOW
Calculates the number of seconds between the current NetScaler system time and the specified time, and returns an integer showing the difference. If the designated time is in the past, the integer is negative; if it is in the future, the integer is positive.
SYS.TIME.
CLIENT.SSL.CLIENT_CERT
The following example expression matches a particular time for expiration with the information in the certificate:
client.ssl.client_cert.valid_not_after.eq(GMT 2009)
The following table describes time-based operations on SSL certificates.
Operations on Certificate (client.ssl.client_cert) Dates and Times
certificate.
certificate.VALID_NOT_AFTER.EQ(time)
Returns a Boolean TRUE if the time is equal to the time argument. For example, if the current time is GMT 2005 May 1 10h 15m 30s, and it is the first Sunday of the month, you can specify the following (evaluation results for this example are in parentheses):
• . . .eq(GMT 2005) (TRUE)
• .
certificate.VALID_NOT_AFTER.HOURS
Extracts the last hour that the certificate is valid and returns that value as an integer from 0 to 23.
certificate.VALID_NOT_AFTER.LE(time)
Returns a Boolean TRUE if the time precedes or is equal to the time argument.
certificate.VALID_NOT_AFTER.RELATIVE_NOW
Calculates the number of seconds between the current system time and the specified time and returns an integer. If the time is in the past, the integer is negative; if it is in the future, the integer is positive.
certificate.
certificate.VALID_NOT_BEFORE.BETWEEN(time1, time2)
Returns a Boolean TRUE if the time value is between the time1, time2 arguments. Both the time1, time2 arguments must be fully specified. Following are examples:
• GMT 1995 Jan is fully specified.
• GMT Jan is not fully specified.
• GMT 1995 20 is not fully specified.
certificate.VALID_NOT_BEFORE.GE(time)
Returns a Boolean TRUE if the time is greater than (after) or equal to the time argument. For example, if the time value is GMT 2005 May 1 10h 15m 30s, and it is the first Sunday of the month of May in 2005, you can specify the following (evaluation results are in parentheses):
• . . .
certificate.VALID_NOT_BEFORE.LE(time)
Returns a Boolean TRUE if the time precedes or is equal to the time argument. For example, if the time value is GMT 2005 May 1 10h 15m 30s, and it is the first Sunday of the month of May in 2005, you can specify the following (evaluation results for this example are in parentheses):
• . . .
certificate.VALID_NOT_BEFORE.SECONDS
Extracts the last second that the certificate is valid. Returns the current second as an integer from 0 to 59.
certificate.VALID_NOT_BEFORE.WEEKDAY
Extracts the last weekday that the certificate is valid. Returns the weekday as a number between 0 (Sunday) and 6 (Saturday).
Expressions for HTTP Request and Response Dates
The following expression prefixes return the contents of the HTTP Date header as text or as a date object.
Prefixes That Evaluate HTTP Date Headers
HTTP.REQ.DATE
Returns the contents of the HTTP Date header as text or as a date object. The date formats recognized are:
RFC822. Sun, 06 Jan 1980 08:49:37 GMT
RFC850. Sunday, 06-Jan-80 09:49:37 GMT
ASCTIME.
Expression Prefixes for Numeric Data Other Than Date and Time
In addition to expressions that operate on time, you can configure expressions for the following types of numeric data:
• The length of HTTP requests, the number of HTTP headers in a request, and so on. For more information, see “Expressions for Numeric HTTP Payload Data Other Than Dates,” on page 130.
• IP and MAC addresses.
CHAPTER 6 Advanced Expressions: Parsing HTTP, TCP, and UDP Data
You can configure advanced expressions to parse the payload for HTTP requests and responses, including headers and body content. For example, you can ensure that an HTTP request or response contains a header of a particular type, or you can extract a particular segment from a URL path. You can also configure expressions to transform the URL encoding and apply HTML or XML “safe” coding for subsequent evaluation.
About Evaluating HTTP and TCP Payload
The payload of an HTTP request or response consists of header fields, URLs, the body content, the version, status, and so on. For example, the following expression performs a simple matching operation on an HTTP request to determine if it contains a header named “myHeader”:
http.req.header("myHeader").exists
The following example compound expression evaluates HTTP headers.
Following is an example that evaluates to TRUE if a response body of 1024 bytes contains the string “https”, and this string occurs after the string “start string” and before the string “end string”:
http.res.body(1024).after_str("start_string").before_str("end_string").contains("https")
Note: You can apply any text operation to the payload body.
Prefixes for HTTP Headers
The following table describes expression prefixes that extract HTTP headers.
Prefixes That Extract HTTP Headers
HTTP.REQ.HEADER("header_name")
Returns the contents of the HTTP header specified by the header_name argument. The header name cannot exceed 32 characters. Note that this prefix returns the value from the Host header by default.
HTTP.RES.SET_COOKIE or HTTP.RES.SET_COOKIE2
Returns the HTTP Set-Cookie header object in a response.
HTTP.RES.SET_COOKIE("name") or HTTP.RES.SET_COOKIE2("name")
Returns the cookie of the specified name if it is present. If it is not present, returns a text object of length 0.
HTTP.RES.SET_COOKIE("name").DOMAIN or HTTP.RES.SET_COOKIE2("name").DOMAIN
HTTP.RES.SET_COOKIE.COOKIE("name").PATH|PATH.GET(n) or HTTP.RES.SET_COOKIE2.COOKIE("name").PATH|PATH.GET(n)
Returns the value of the Path field of the cookie as a slash- (“/”) separated list. Multiple instances of a slash are treated as a single slash. If multiple Path fields are present, the value of the first instance is returned.
HTTP.RES.SET_COOKIE.COOKIE("name").PORT or HTTP.RES.SET_COOKIE2.COOKIE("name").PORT
Returns the value of the Port field of the cookie, operated on as a comma-separated list. For example, the following expression returns 80, 2580 from Set-Cookie : Customer = "ABC"; PATH="/a/b/c"; PORT= "80, 2580":
http.res.set_cookie.cookie("ABC").
HTTP.RES.SET_COOKIE.COOKIE("name", integer).DOMAIN or HTTP.RES.SET_COOKIE2.COOKIE("name", integer).DOMAIN
Returns the value of the Domain field of the first cookie with the specified name. For example, the following expression returns a value of abc.com from the cookie Set-Cookie : Customer = "ABC"; DOMAIN=".abc.com"; DOMAIN=.xyz.com
http.res.set_cookie.cookie("CUSTOMER").
HTTP.RES.SET_COOKIE.COOKIE("name", integer).PATH.IGNORE_EMPTY_ELEMENTS or HTTP.RES.SET_COOKIE2.COOKIE("name", integer).PATH.IGNORE_EMPTY_ELEMENTS
Ignores the empty elements in the list. For example, in the list a=10,b=11, ,c=89, the element delimiter in the list is , and the list has an empty element following a=10.
HTTP.RES.SET_COOKIE.COOKIE("name", integer).VERSION or HTTP.RES.SET_COOKIE2.COOKIE("name", integer).VERSION
Returns the value of the Version field of the nth cookie as a decimal integer. A string of zero length is returned if the Port field or its value is absent.
HTTP.RES.TXID
Returns the HTTP transaction ID.
Operations That Evaluate HTTP Headers
http header.CONTAINS("string")
Returns a Boolean TRUE if the string argument appears in any instance of the header value.
Note: This operation overrides any text-based Contains operations on all instances of the current header type.
Following is an example of a request with two headers:
HTTP/1.
http header.AFTER_STR("string")
Extracts the text that follows the first occurrence of the string argument. The headers are evaluated from the last instance to the first.
Following is an example of a request:
HTTP/1.
http header.INSTANCE(instance number)
An HTTP header can occur multiple times in a request or a response. This operation returns the header that occurs instance number of places before the final instance. For example, instance(0) selects the last instance of the current type, instance(1) selects the next-to-last instance, and so on.
http header.VALUE(instance number)
An HTTP header can occur multiple times in a request or a response. VALUE(0) selects the value in the last instance, VALUE(1) selects the value in the next-to-last instance, and so on. The instance number argument cannot exceed 14. Following is an example of a request with two headers:
HTTP/1.
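The instance-selection rules in this table (CONTAINS across all instances, AFTER_STR scanning from the last instance to the first, VALUE(n) and INSTANCE(n) counting back from the last instance, the 32-character name limit and the limit of 14 on the instance number) modelled in Python as an added illustration; this is not NetScaler code. The request is constructed, header-name parsing and the result for an absent instance or a failed match are assumptions, and the final check shows why a policy author should know which instance VALUE(0) sees.

```python
"""Model of NetScaler's multi-instance HTTP header operations (added
illustration, not Citrix code). Selection rules follow the guide; the
request, the parsing details and the no-match results are assumptions."""
from typing import List

MAX_HEADER_NAME_LEN = 32  # guide: header name cannot exceed 32 characters
MAX_INSTANCE = 14         # guide: VALUE(n) instance number cannot exceed 14

# Constructed request carrying two instances of the same header.
REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "X-Trace: abc\r\n"
    "Accept-Language: fr-ca\r\n"
    "\r\n"
)


def header_instances(raw_request: str, name: str) -> List[str]:
    """All values of header `name`, in wire order (first to last).
    Header-name matching is case insensitive (assumption, as in RFC 2616)."""
    if len(name) > MAX_HEADER_NAME_LEN:
        raise ValueError("header name cannot exceed 32 characters")
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def instance(raw_request: str, name: str, n: int) -> str:
    """INSTANCE(n) / VALUE(n): n=0 is the last instance, n=1 the next-to-last.
    An instance that does not exist yields empty text (assumption)."""
    if not 0 <= n <= MAX_INSTANCE:
        raise ValueError("instance number must be between 0 and 14")
    values = header_instances(raw_request, name)
    return values[-1 - n] if n < len(values) else ""


def contains(raw_request: str, name: str, needle: str) -> bool:
    """CONTAINS: TRUE if `needle` appears in any instance of the header."""
    return any(needle in v for v in header_instances(raw_request, name))


def after_str(raw_request: str, name: str, needle: str) -> str:
    """AFTER_STR: instances are examined from the last to the first; returns
    the text after the first occurrence of `needle` in the first instance (in
    that order) that contains it, else empty text (assumption for no match)."""
    for value in reversed(header_instances(raw_request, name)):
        pos = value.find(needle)
        if pos >= 0:
            return value[pos + len(needle):]
    return ""


def instances_disagree(raw_request: str, name: str) -> bool:
    """Defensive check: a policy written as header.VALUE(0) sees only the last
    instance, so flag requests whose instances of `name` carry different
    values; such requests deserve a policy author's review."""
    return len(set(header_instances(raw_request, name))) > 1


if __name__ == "__main__":
    print("VALUE(0):", instance(REQUEST, "Accept-Language", 0))
    print("VALUE(1):", instance(REQUEST, "Accept-Language", 1))
    print("CONTAINS en-us:", contains(REQUEST, "Accept-Language", "en-us"))
    print("AFTER_STR 'en-':", after_str(REQUEST, "Accept-Language", "en-"))
    print("instances disagree:", instances_disagree(REQUEST, "Accept-Language"))
```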
In addition, the following operations identify specific types of Cache-Control headers. See RFC 2616 for details on these header types.
Operations That Evaluate Cache-Control Headers
Cache-Control header.NAME(integer)
Returns as a text value the name of the Cache-Control header that corresponds to the nth component in a name-value list, as specified by integer.
Cache-Control header.IS_MIN_FRESH
Returns a Boolean TRUE if the Cache-Control header has the value Min-Fresh. Following is an example:
http.req.cache_control.is_min_fresh
Cache-Control header.IS_MAX_STALE
Returns a Boolean TRUE if the Cache-Control header has the value Max-Stale. Following is an example:
http.req.cache_control.
Cache-Control header.MAX_AGE
Returns the value of the Cache-Control header Max-Age. If this header is absent or invalid, 0 is returned. Following is an example:
http.req.cache_control.max_age.le(3)
Cache-Control header.MAX_STALE
Returns the value of the Cache-Control header Max-Stale. If this header is absent or invalid, 0 is returned.
The following table describes prefixes for HTTP URLs that are not described elsewhere.
Prefixes That Extract URLs
HTTP.REQ.URL.PATH.GET(n)
Returns a slash- (“/”) separated list from the URL path. For example, consider the following URL:
http://www.mycompany.com/dir1/dir2/dir3/index.html?a=1
The following expression returns dir1 from this URL:
http.req.url.path.get(1)
The following expression returns dir2:
http.req.
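The list semantics described in the Evaluating Text chapter and in the cookie Path entry above (IGNORE_EMPTY_ELEMENTS keeps an element that holds only a space), together with QUERY.VALUE (first matching name, IGNORECASE honored) and PATH.GET(n) as shown for this URL, modelled in Python as an added illustration that is not Citrix code. The sample lists and query string are constructed, and the results for a missing name or an out-of-range index are assumptions.

```python
"""Model of NetScaler's delimited-list handling: IGNORE_EMPTY_ELEMENTS,
QUERY.VALUE and PATH.GET(n). Added illustration, not Citrix code; the
inputs are constructed and unstated cases are labelled as assumptions."""
from typing import List, Optional


def split_elements(text: str, delim: str, ignore_empty: bool = False) -> List[str]:
    """Split `text` on `delim`. With ignore_empty=True, zero-length elements
    are dropped, but an element holding only a space survives, which is the
    guide's point about the list a=10,,b=11, ,c=89."""
    elements = text.split(delim)
    if ignore_empty:
        elements = [e for e in elements if e != ""]
    return elements


def element_after(list_text: str, delim: str, anchor: str) -> Optional[str]:
    """The element that follows `anchor` once zero-length elements are
    ignored; None when `anchor` is absent or last."""
    elements = split_elements(list_text, delim, ignore_empty=True)
    if anchor not in elements:
        return None
    i = elements.index(anchor)
    return elements[i + 1] if i + 1 < len(elements) else None


def query_value(query: str, name: str, ignore_case: bool = False) -> str:
    """QUERY.VALUE("name"): split the query on "&" into name=value pairs and
    return the value of the first pair whose name matches. IGNORECASE mode
    makes the name comparison case insensitive. A pair with no "=" is
    skipped and a missing name yields empty text (both assumptions)."""
    for pair in split_elements(query, "&"):
        pair_name, sep, value = pair.partition("=")
        if not sep:
            continue
        matches = pair_name.lower() == name.lower() if ignore_case else pair_name == name
        if matches:
            return value
    return ""


def path_get(path: str, n: int) -> str:
    """PATH.GET(n): treat the path as a slash-separated list. Splitting
    "/dir1/dir2/dir3/index.html" on "/" leaves an empty element before the
    leading slash, so get(1) is dir1 and get(2) is dir2, as in the guide's
    example. An out-of-range n yields empty text (assumption)."""
    elements = split_elements(path, "/")
    return elements[n] if 0 <= n < len(elements) else ""


if __name__ == "__main__":
    groups = "a=10,,b=11, ,c=89"  # constructed list from the guide's example
    print(split_elements(groups, ","))
    print(split_elements(groups, ",", ignore_empty=True))
    print(query_value("action=view&Action=delete&id=7", "ACTION", ignore_case=True))
    print(path_get("/dir1/dir2/dir3/index.html", 1))
```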
Prefixes That Evaluate HTTP Request or Response Length
HTTP.RES.STATUS
Returns the response status code.
Operations for HTTP, HTML, and XML Encoding and “Safe” Characters
The following operations work with the encoding of HTML data in a request or response and XML data in a POST body.
Operations That Evaluate HTML and XML Encoding
text.
text.HTTP_URL_SAFE
Converts unsafe URL characters to '%xx' values, where “xx” is a hex-based representation of the input character. For example, the ampersand (&) is represented as %26 in URL-safe encoding. This is a read-only operation. Following are URL safe characters. All others are unsafe:
text.
text.SET_TEXT_MODE(BACKSLASH_ENCODED|NO_
Specifies whether or not backslash decoding is performed on the text object represented by text.
Expressions for TCP, UDP, and VLAN Data
TCP and UDP data takes the form of a string or a number. For expression prefixes that return string values for TCP and UDP data, you can apply any text-based operation. For more information, see “Advanced Expressions: Evaluating Text,” on page 63. For expression prefixes that return a numeric value, such as a source port, you can apply an arithmetic operation.
Prefixes that Extract TCP and UDP Data
CLIENT.UDP.DNS.IS_MXREC: Returns a Boolean TRUE if the record is of type MX (mail exchanger). This DNS record describes a priority and a host name. The MX records for the same domain name specify the email servers in the domain and the priority for each server.
CLIENT.UDP.DNS.IS_NSREC: Returns a Boolean TRUE if the record is of type NS.
XPath and JSON Expressions
The advanced expression engine supports expressions for evaluating and retrieving data from XML and JavaScript Object Notation (JSON) files. This enables you to find specific nodes in an XML or JSON document, determine if a node exists in the file, locate nodes in XML contexts (for example, nodes that have specific parents or a specific attribute with a given value), and return the contents of such nodes.
text.XPATH(xpathex): Operate on an XML file and return a node-set or a string. Node-sets are converted to corresponding strings by using the standard XPath string conversion routine. For example, the following expression selects all the nodes that are enclosed by “/Book/creator” (a node-set) in the first 1000 bytes of the body: HTTP.REQ.BODY(1000).
text.XPATH_JSON(xpathex): Operate on a JSON file and return a node-set or a string. Node-sets are converted to corresponding strings by using the standard XPath string conversion routine.
text.XPATH_WITH_MARKUP(xpathex): Operate on an XML file and return a string that contains the entire portion of the document for the result node, including markup such as the enclosing element tags. For example, the following expression operates on an XML file and selects all the nodes enclosed by “/Book/creator” in the first 1000 bytes of the body. HTTP.REQ.BODY(1000).
CHAPTER 7 Advanced Expressions: Parsing SSL Certificates You can configure expressions that parse information in X.
• Version
• Serial number
• Signature algorithm ID
• Issuer name
• Validity period
• Subject (user) name
• A public key
• Signatures
You can configure a policy that examines both SSL connections and data in a client certificate. For example, suppose that you want to send SSL requests that use low-strength ciphers to a particular load balancing virtual server farm.
Prefixes That Return Text or Boolean Values for SSL and Client Certificate Data
CLIENT.SSL.CIPHER_NAME: Returns the name of the SSL cipher if invoked from an SSL connection, and a NULL string if invoked from a non-SSL connection.
CLIENT.SSL.IS_SSL: Returns a Boolean TRUE if the current connection is SSL-based.
CLIENT.SSL.CLIENT_CERT
This section discusses the expressions that you can configure for certificates, with the exception of expressions that examine certificate expiration. Time-based operations are described in “Advanced Expressions: Working with Dates, Times, and Numbers,” on page 95. The following table describes operations that you can specify for the CLIENT.SSL.CLIENT_CERT prefix. Operations That Can Be Specified with the CLIENT.SSL.
Operations That Can Be Specified with the CLIENT.SSL.CLIENT_CERT Prefix
certificate.AUTH_KEYID.EXISTS: Returns a Boolean TRUE if the certificate contains an Authority Key Identifier extension.
certificate.AUTH_KEYID.ISSUER_NAME: Returns the Issuer Distinguished Name in the certificate as a name-value list.
certificate.KEY_USAGE(string): Returns a Boolean value to indicate whether the specified key usage extension bit value in the X.509 certificate is set. The string argument specifies which bit is checked. Following are valid arguments:
• DIGITAL_SIGNATURE. Returns TRUE if the digital signature bit is set; otherwise, it returns FALSE.
certificate.SUBJECT: Returns the Distinguished Name of the Subject as a name-value list. An equals sign (“=”) separates names and values and a slash (“/”) delimits name-value pairs. Following is an example: /C=US/O=myCompany/OU=www.mycompany.com/CN=www.mycompany.com/emailAddress=myuserid@mycompany.com certificate.SUBJECT.
CHAPTER 8 Advanced Expressions: IP and MAC Addresses, Throughput, VLAN IDs
You can configure expressions that parse IP and MAC addresses, IP subnets, and transaction throughput rates.
In This Chapter
• Expressions for IP Addresses and IP Subnets
• Expressions for MAC Addresses
• Expressions for Numeric Client and Server Data
Expressions for IP Addresses and IP Subnets
You can use advanced expressions to parse IP addresses and subnets.
Note: As the preceding example shows, if you configure an advanced expression on the command line, you must escape the quotation marks. For more information, see “Configuring Advanced Expressions in a Policy,” on page 57.
Prefixes for IPv4 Addresses and IP Subnets
The following table describes prefixes that return IPv4 addresses and subnets and segments of the addresses.
Operations on IPv4 Addresses
ip address.GET1 ... GET4: Returns a portion of an IP address as a numeric value. For example, if the IP address value is 10.100.200.1, the following is returned: client.ip.src.get1 returns 10; client.ip.src.get2 returns 100; client.ip.src.get3 returns 200.
ip address.IN_SUBNET(subnet): Returns a Boolean TRUE if the subnet argument matches the subnet of the IP address value.
http://[9901:0ab1:22a2:88a3:3333:4a4b:5555:6666]/ The brackets in the IPv6 URL differentiate the IP address and the port number. The following expression is an example of an IPv6 URL that contains a port number: https://[9901:0ab1:22a2:88a3:3333:4a4b:5555:6666]:8080/ IPv6 addresses are always in hex format (RFC 2373). Note that you can only use the '+' operator to combine IPv6 expressions with other expressions.
IPv6 Expression Prefixes that Return Text
SERVER.IPV6.DST: Returns the IPv6 address in the destination field of the IP header.
SERVER.IPV6.SRC: Returns the IPv6 address in the source field of the IP header. Following are examples: server.ipv6.src.in_subnet(2007::2008/64) server.ipv6.src.get1.
Operations That Evaluate IPv6 Addresses
ipv6.SUBNET(n): Returns the IPv6 address after applying the subnet mask specified as the argument. The subnet mask can take values between 0 and 128. For example: CLIENT.IPV6.SRC.SUBNET(24)
Expressions for MAC Addresses
MAC addresses are colon-delimited hexadecimal codes in the format ##:##:##:##:##:##, where # represents the digits 0-9 and the letters A-F.
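The IPv4 GET1 ... GET4 and IN_SUBNET operations and the IPv6 SUBNET(n) operation above are easy to misread when a policy is written on the command line. The following Python model, added here as an example and not part of the guide or of NetScaler, reproduces their documented semantics with the standard ipaddress module so that a planned rule can be checked against sample addresses before it is bound. The rule table and the virtual-server names in it are constructed placeholders; treating IN_SUBNET as accepting both IPv4 and IPv6 arguments is this example's assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not NetScaler code: models the IPv4 GET1..GET4 and IN_SUBNET
# operations and the IPv6 SUBNET(n) operation so that a policy rule's intent can be
# checked against sample addresses offline.


def ip_get(addr: str, n: int) -> int:
    """Model of ip address.GET1 ... GET4: the n-th octet (1-based) of an IPv4 address as an integer."""
    if not 1 <= n <= 4:
        raise ValueError("GETn is defined only for n in 1..4")
    return ipaddress.IPv4Address(addr).packed[n - 1]


def ip_in_subnet(addr: str, subnet: str) -> bool:
    """Model of ip address.IN_SUBNET(subnet), applied to IPv4 or IPv6 (an assumption of this model).

    The subnet argument is written host/prefix, as in the guide's example 2007::2008/64;
    host bits outside the prefix are ignored (strict=False). An IPv4 address tested against
    an IPv6 network (or vice versa) never matches; ipaddress returns False in that case.
    """
    return ipaddress.ip_address(addr) in ipaddress.ip_network(subnet, strict=False)


def ipv6_subnet(addr: str, mask_bits: int) -> str:
    """Model of ipv6.SUBNET(n): keep the leading n bits (0..128) of an IPv6 address and zero the rest."""
    if not 0 <= mask_bits <= 128:
        raise ValueError("IPv6 subnet mask must be between 0 and 128")
    return str(ipaddress.IPv6Network((addr, mask_bits), strict=False).network_address)


# Hypothetical rule table, (subnet, target) in priority order. The target names are
# placeholder virtual-server names constructed for this example.
RULES: List[Tuple[str, str]] = [
    ("10.100.0.0/16", "lb_vs_internal"),
    ("2007::/64", "lb_vs_ipv6_partner"),
    ("0.0.0.0/0", "lb_vs_default_v4"),
]


def select_target(addr: str, rules: List[Tuple[str, str]] = RULES) -> Optional[str]:
    """First rule whose IN_SUBNET test matches wins, as a priority-ordered policy bank would."""
    for subnet, target in rules:
        if ip_in_subnet(addr, subnet):
            return target
    return None  # no rule matched; the caller decides the fallback


if __name__ == "__main__":
    print(ip_get("10.100.200.1", 1), ip_get("10.100.200.1", 3))      # 10 200
    print(ip_in_subnet("2007::2008", "2007::2008/64"))              # True
    print(ipv6_subnet("2007:ab12:2:3:4:5:6:7", 24))                  # 2007:ab00::
    print(select_target("10.100.200.1"), select_target("fe80::1"))  # lb_vs_internal None
```

Because the first matching rule wins, the order of the table matters in the same way that policy priority does; put the most specific subnets first and keep the catch-all last.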
Expressions for Numeric Client and Server Data
The following table describes prefixes for working with numeric client and server data, including throughput, port numbers, and VLAN IDs.
Prefixes That Evaluate Numeric Client and Server Data
client.interface.rxthroughput: Returns an integer representing the raw received traffic throughput in kilobytes per second (KBps) for the previous seven seconds. client.
CHAPTER 9 Advanced Expressions: String Sets, String Patterns, and Data Formats You can configure an operation that matches text in a target against a set of strings (an array) or a single string within an array. You can also match a target against a pattern defined in a regular expression. You can use a regular expression to specify wildcard characters in a pattern, such as text, numbers, and spaces. Finally, you can use typecasting to convert one type of data into another type.
Note: The patterns in a pattern set can be regular expressions in PCRE format.
Operators That Use a Pattern Set
The following table describes operations that match text and HTTP header values with a collection of static strings in a pattern set.
Operators That Compare Text and HTTP Headers With a Pattern Set
text.
http header.EQUALS_ANY(pattern_set_name): Works with the following prefixes:
• HTTP.REQ.COOKIE
• HTTP.REQ.HEADER("header_name")
• HTTP.RES.HEADER("header_name")
• HTTP.RES.SET_COOKIE
• HTTP.RES.SET_COOKIE2
Evaluates whether the target matches any of the strings that are bound to pattern_set_name.
http header.CONTAINS_INDEX(pattern_set_name): Operates on all the instances of the current header type. Evaluates all header values, and returns the index of the matching pattern in the pattern set name argument that is present in any instance of a header value. This operation works with the following prefixes:
• HTTP.REQ.COOKIE
• HTTP.REQ.
To create a named pattern set using the AppExpert in the configuration utility
1. In the navigation pane, expand AppExpert, and click Pattern Sets.
2. In the details pane, click Add.
3. In the Create Pattern Set dialog box, enter a name in the Name field, and then click Add.
4. In the Add Pattern dialog box, enter a pattern in the Pattern field.
5.
The following screen shot is an example of an “_ANY” operator.
6. To use an existing pattern set, select it from the Pattern Set Name dropdown menu.
7. To create a new pattern set, click the icon for creating a new pattern set, and configure the pattern set as follows:
• In the Name field, enter a name, and then click Add.
• In the Add Pattern dialog box, enter a pattern in the Pattern field.
2. Associate a pattern with the named pattern set, as follows:
bind policy patset pattern_name pattern
Where pattern_name is the name of a pattern that you want to configure and pattern is an actual text pattern. Following is an example:
add policy patset myPatSet
bind policy patset myPatSet aaa
bind policy patset myPatSet bbb
bind policy patset myPatSet ccc
3.
show policy patset pattern_name
Where pattern_name is the name of a pattern that you want to view.
4. Configure the pattern set as part of an expression. For example, you can configure it in a policy rule. For more information, see “Creating or Modifying an Advanced Policy,” on page 14.
http://www.regular-expressions.info/quickstart.html
http://www.silverstones.com/thebat/Regex.html
These sites provide tutorial and reference information on regular expressions.
Note: Processing of regular expressions can be slow, so regular expressions should be used only if other expression types do not satisfy your requirements.
The following table describes operations that use regular expressions.
Operations That Apply Regular Expressions to Text and HTTP Headers
text.BEFORE_REGEX(regular expression): Selects text that precedes the string that matches the regular expression argument. If the regular expression does not match any data in the target, the expression returns a text object of length 0.
text.REGEX_MATCH(regular expression): Returns TRUE if the target matches a regular expression argument of up to 1499 characters. The regular expression must be of the following format: re<delimiter>regular expression<delimiter> Both delimiters must be the same.
http header.AFTER_REGEX(regular expression): Evaluates all instances of the header and extracts the text following the string that matches the regular expression argument in any instance of the header value. The header instances are matched from the last to the first. The following example extracts "BBCCDD" from "AABBCCDD". http.req.
http header.REGEX_SELECT(regular expression): Selects the text that matches the regular expression argument in any instance of the HTTP header value. The header instances are matched from the last to the first. The following example selects "NS-CACHE-9.0: 90": http.req.header("via").regex_select(re!NS-CACHE\d\.
The following table describes various typecasting operations.
Typecasting Operations
text.TYPECAST_LIST_T(separator): Treats the text in an HTTP request or response body as a list whose elements are delimited by the character in the separator argument. Text mode settings have no effect on the separator.
text.TYPECAST_NVLIST_T(separator, delimiter), or the variant that also takes a quote character: Treats the text as a name-value list. The separator argument identifies the character that separates the name and the value. The delimiter argument identifies the character that separates each name-value pair. The quote character is required when typecasting text into a name-value list that supports quoted strings.
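The list and name-value-list typecasts just described, and the slash-delimited Subject Distinguished Name that certificate.SUBJECT returns in Chapter 7, are all instances of one small parsing problem: split on a delimiter, split each element at a separator, and honour a quote character so that a quoted value may contain either. The following Python parser is an added example, not code from the guide or from NetScaler; it models the documented arguments (separator, delimiter, optional quote) on the guide's own DN example and on a constructed Cookie value. How empty elements and unbalanced quotes are handled is this example's choice, not documented NetScaler behaviour, and the CN check at the end is a constructed illustration of using the parsed list for an authorization decision.

```python
from typing import List, Optional, Tuple

# Added example, not NetScaler code: models text.TYPECAST_LIST_T and
# text.TYPECAST_NVLIST_T (separator, delimiter, optional quote character) and parses
# the "/C=US/O=.../CN=..." form that certificate.SUBJECT returns. Edge-case behaviour
# (empty elements dropped, unbalanced quotes run to end of text) is this model's choice.

Pair = Tuple[str, Optional[str]]


def typecast_list(text: str, separator: str) -> List[str]:
    """Model of text.TYPECAST_LIST_T(separator): split on the separator character, keeping empty elements."""
    if len(separator) != 1:
        raise ValueError("separator must be a single character")
    return text.split(separator)


def _split_outside_quotes(text: str, delimiter: str, quote: Optional[str]) -> List[str]:
    """Split on delimiter, but not inside a quoted run when a quote character is given."""
    if quote is None:
        return text.split(delimiter)
    items, current, in_quotes = [], [], False
    for ch in text:
        if ch == quote:
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == delimiter and not in_quotes:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    items.append("".join(current))
    return items


def typecast_nvlist(text: str, separator: str, delimiter: str, quote: Optional[str] = None) -> List[Pair]:
    """Model of text.TYPECAST_NVLIST_T(separator, delimiter[, quote]).

    Each element between delimiters is split at its first separator into (name, value);
    an element with no separator yields (name, None). Empty elements, such as the one
    produced by the leading slash of "/C=US/...", are dropped. With a quote character,
    a value may contain the separator or delimiter and the surrounding quotes are removed.
    """
    for arg in (separator, delimiter):
        if len(arg) != 1:
            raise ValueError("separator and delimiter must be single characters")
    pairs: List[Pair] = []
    for element in _split_outside_quotes(text, delimiter, quote):
        if element == "":
            continue
        name, found, value = element.partition(separator)
        if not found:
            pairs.append((name, None))
            continue
        if quote and len(value) >= 2 and value[0] == quote and value[-1] == quote:
            value = value[1:-1]
        pairs.append((name, value))
    return pairs


def nv_value(pairs: List[Pair], name: str) -> Optional[str]:
    """Value of the first pair with the given name, like a .value("name") lookup on a name-value list."""
    for n, v in pairs:
        if n == name:
            return v
    return None


# The Subject DN example from the guide's description of certificate.SUBJECT.
SUBJECT_DN = "/C=US/O=myCompany/OU=www.mycompany.com/CN=www.mycompany.com/emailAddress=myuserid@mycompany.com"

# Constructed Cookie header value; the quoted value contains both separator and delimiter.
COOKIE_VALUE = 'session=abc123;prefs="lang=en;tz=UTC";ip=12.34.56.78'


def subject_cn_matches(subject_dn: str, expected_cn: str) -> bool:
    """Constructed check: does the client certificate's CN equal the expected value exactly?"""
    return nv_value(typecast_nvlist(subject_dn, "=", "/"), "CN") == expected_cn


if __name__ == "__main__":
    print(typecast_nvlist(SUBJECT_DN, "=", "/"))
    print(typecast_nvlist(COOKIE_VALUE, "=", ";", '"'))
    print(subject_cn_matches(SUBJECT_DN, "www.mycompany.com"))  # True
```

The exact-equality CN check is deliberate: a CONTAINS-style comparison on a DN would also accept a CN such as www.mycompany.com.example, which is the kind of mismatch between intent and expression that the model above is meant to surface before a policy goes live.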
numeric string.TYPECAST_IP_ADDRESS_T: Treats a numeric string like an IP address. For example, the following policy matches HTTP requests that contain Cookie headers with a value of: 12.34.56.78\r\n.
set rewrite policy ip_check_policy -rule 'http.req.cookie.value("ip").typecast_ip_address_t.eq(12.34.56.78)'
bind rewrite global ip_check_policy 200 type req_default
numeric string.
number.TYPECAST_NUM_T(DECIMAL): Converts a numeric string into decimal format. For example, the following policy extracts a numeric portion of a query string, adds 4 to the number, and inserts an HTTP header named Company with a value of the resulting decimal value.
add rewrite action myadd_action insert_http_header Company "http.req.url.query.typecast_num_t(decimal).
text.TYPECAST_HTTP_HEADER_T: Overrides the behavior of certain methods that are used with protocol-aware prefixes. This operator can be used only with protocol-aware prefixes that qualify standard HTTP headers, that is, prefixes of the format HTTP.REQ. (for example, HTTP.REQ.COOKIE and HTTP.REQ.SET_COOKIE). Protocol-aware prefixes of the format HTTP.REQ.
text.TYPECAST_HTTP_HEADER_T("name"): Converts the designated text to a multi-line HTTP header that you specify in a name argument. For example, the following expression converts “MyHeader” to “InHeader”: http.req.header("MyHeader").
number.TYPECAST_TIME_AT.BETWEEN(time1, time2): Returns a Boolean value (TRUE or FALSE) that indicates whether the time value designated by number is between the lower and upper time value arguments time1 and time2. The following are prerequisites for this operator:
• Both the lower and upper time arguments must be fully specified. For example, GMT 1995 Jan is fully specified.
number.TYPECAST_TIME_AT.EQ(t): Returns a Boolean value (TRUE or FALSE) that indicates whether the time value designated by number is equal to the time value argument t. The following examples assume that the current time value is GMT 2005 May 1 10h 15m 30s and that the day is the 1st Sunday of the month of May in 2005. The result of the evaluation is given after each example.
number.TYPECAST_TIME_AT.GT(t): Returns a Boolean value (TRUE or FALSE) that indicates whether the time value designated by number is greater than the time value argument t. The following examples assume that the current time value is GMT 2005 May 1 10h 15m 30s and that the day is the 1st Sunday of the month of May in 2005. The result of the evaluation is given after each example.
number.TYPECAST_TIME_AT.LE(t): Returns a Boolean value (TRUE or FALSE) that indicates whether the time value designated by number is less than or equal to the time value argument t. The following examples assume that the current time value is GMT 2005 May 1 10h 15m 30s and that the day is the 1st Sunday of the month of May in 2005.
number.TYPECAST_TIME_AT.MINUTES: Extracts the minute from the current system time and returns the value as an integer that ranges from 0 to 59.
number.TYPECAST_TIME_AT.MONTH: Extracts the month from the current system time and returns the value as an integer that ranges from 1 (January) to 12 (December).
number.TYPECAST_TIME_AT.
number.TYPECAST_TIME_AT.WITHIN(time1, time2): Returns a Boolean value (TRUE or FALSE) that indicates whether the time value designated by number lies within all the ranges defined by the lower and upper time value arguments time1 and time2.
number.TYPECAST_TIME_AT.YEAR: Extracts the year from the current system time and returns the value as a four-digit integer.
double.TYPECAST_NUM_: Transforms the double-precision number represented by double to an integer.
CHAPTER 10 Advanced Policies: Controlling the Rate of Traffic You can limit access to virtual servers or any other user-defined entity and prevent overloading the network by configuring policies and expressions that control the rate of traffic. You can also configure the NetScaler to perform any other supported action based on the traffic rate, including redirecting traffic if the rate exceeds a particular threshold.
Where limit_identifier is a NetScaler function that indicates the type of traffic to be monitored. For an example, see “Summary Examples of Advanced Expressions and Policies,” on page 237. For more information on configuring limit identifiers, see the Citrix NetScaler Traffic Management Guide. This prefix can be used in any NetScaler feature that uses advanced policies and expressions, such as Rewrite and Responder.
CHAPTER 11 Advanced Policies: Sending HTTP Service Callouts to Applications You can use HTTP callouts to obtain information from external applications. For example, if a server makes a request, you can use an HTTP callout to determine if this server is on a “deny access” list. The callout policy sends an HTTP request to an external application. An agent that you deploy in front of the application formats the request for the application.
About Calling Out to an External Application
A callout to an external application consists of an HTTP request and a set of parameters that parse the response to the request. You configure the entire request, or significant parameters in the request, in the HTTP callout policy. The HTTP callout policy also contains information about the recipient of the request and advanced expressions for parsing the HTTP response when it is received.
• Parameters that the NetScaler uses to create an HTTP request, or a single parameter that contains a fully formed HTTP request.
• Parameters for extracting data of interest from the HTTP response.
Note on the Format of an HTTP Request
You can specify a literal HTTP request in an HTTP callout policy.
Configuring an HTTP Callout Policy
You configure an HTTP callout policy by using the AppExpert feature. You invoke this policy by specifying the SYS.HTTP_CALLOUT expression prefix in an advanced expression. For details on invocation, see “Invoking an HTTP Callout Policy,” on page 193. The following table describes the elements in an HTTP callout policy.
Elements in an HTTP Callout Policy
Attribute-based request to send to the server (mutually exclusive with sending an expression-based request to the server):
HTTP Method (httpMethod). Method used in the HTTP request that this callout sends. Valid values: GET or POST. Default: GET.
Host expression (hostExpr). Advanced text expression to configure the Host header. Maximum length: 255.
Expression-based request to send to the server (fullReqExpr). Exact HTTP request that the NetScaler is to send, as an advanced expression of up to 8191 characters. If you specify this parameter, you must omit the httpMethod, hostExpr, urlStemExpr, headers, and parameters arguments. The request expression is constrained by the feature where the callout is used. For example, an HTTP.
2. In the details pane, click Add.
3. In the Create HTTP Callout dialog box, in the Name field, enter a name for the callout.
4. In the Server to receive callout request section, select the name of a virtual server to which you want to send the callout, or specify an IP address and port for the server.
The following is the basic syntax for an HTTP callout policy. Note that in the following syntax, line breaks have been added for readability.
• calloutName is the name of the HTTP callout policy that you are configuring.
• argument is one of the arguments that you supplied when you configured the callout, including returnType, parameters, fullReqExpr, and so on.
After unsetting the configuration, use the set command to apply any new settings.
sys.http_callout(authCallout).contains("someText")
If the return type is NUM, the following expression is valid:
sys.http_callout(authCallout).gt(500)
The following example shows the use of SYS.HTTP_CALLOUT to retrieve a source IP address and insert it in a header of an HTTP request.
set policy httpCallout extractSrcIPCallout -ipAddress 10.101.10.10 -port 80 -returnType text -hostExpr "\"10.101.10.
add responder policy 'http.req.url.eq("/callout.pl").NOT && sys.http_callout(MyCalloutPL)' some_action
Also, if you modify an expression in an HTTP callout policy, you may get an error if any policy that invokes it is bound to a new policy label or bind point. For example, suppose that you create an HTTP callout policy named myCalloutPolicy1, and invoke it from a rewrite policy named rewriteCalloutPolicy1.
CHAPTER 12 Configuring Classic Policies and Expressions A number of NetScaler features use classic policies and classic expressions. As with advanced policies, classic policies can be global or specific to a virtual server. The configuration method and bind points for classic policies are somewhat different from those of advanced policies. As with advanced expressions, you can configure named expressions and use each named expression in multiple classic policies.
Policy Type and Bind Points for Policies in Features That Use Classic Policies (columns: Feature, Virtual Servers, Supported Policies, Policy Bind Points, How You Use the Policies)
SSL. Virtual servers: None. Supported policies: SSL policies. Policy bind points: Global; Load Balancing virtual server. How you use the policies: To determine when to apply an encryption function and add certificate information to clear text. To provide end-to-end security.
HTML Injection. Virtual servers: None. Supported policies: HTML Injection policies. Policy bind points: Global; Load Balancing virtual server; Content Switching virtual server; SSL Offload virtual server.
AAA - Traffic Management. Virtual servers: None. Supported policies: Authentication, Authorization, Auditing, and Session policies. Policy bind points: Authentication ... How you use the policies: To configure ru
PreAuthentication policies. Policy bind points: AAA Global; VPN vserver.
Authentication policies. Policy bind points: System Global; AAA Global; VPN vserver; User; User group; VPN vserver. How you use the policies: To determine how the Access Gateway performs authentication, authorization, auditing, and other functions and To define re
Cache Redirection, SureConnect, Priority Queuing, or Access Gateway Authorization policy globally.
To view classic policies and policy bindings using the command line
Type the following command:
show featureName policy policyName
Note that if you omit the policy name, all policies are listed without the binding details.
• For Filter, SureConnect, and Priority Queuing, expand Protection Features, click the appropriate function, and then select the Policies tab.
• For the Access Gateway, expand Access Gateway, expand Policies, select the appropriate function, and then select the Policies tab.
3. For most features, click the Add button.
4. In the Policy Name or Name text box, enter a name for the policy.
• For feature, substitute the feature for which you are creating the policy. For example, for Access Gateway policies, type accessgw. For Application Firewall policies, type appfw. For SSL policies, type ssl.
• For name, substitute a name for the policy. You must begin a policy name with a letter or underscore. A policy name can consist of 1 to 127 characters, including letters, numbers, hyphen (-), period (.
You read the expression from left to right. The leftmost term is either REQ, designating a request, or RES, designating a response. Successive terms define a specific type of connection and a specific attribute of that connection type. Each term is separated from any preceding or following terms with a period. Arguments appear in parentheses following the term to which they apply.
For a complete list of protocols and qualifiers, see “Classic Expressions,” on page 224. The following choices appear for the HTTP protocol:
• METHOD. Filters HTTP requests that use a particular HTTP method.
• URL. Filters HTTP requests to a specific Web page.
• URLQUERY. Filters HTTP requests that contain a particular query string.
• VERSION. Filters HTTP requests to a particular host.
field and the header type for which you want to match the string in the Header Name text box.
7. Click OK.
8. To create a compound expression, click Add. Note that the type of compounding that is done depends on the following choices on the Create Policy dialog box:
• Match Any Expression. The expressions are in a logical OR relationship.
• Match All Expressions. The expressions are in a logical AND relationship.
• Tabular Expressions.
• Protocol. The protocol of the connections that this policy will filter. This can be HTTP, SSL, TCP, or IP.
• Qualifier. The aspect of the protocol that the policy should consider. The list of valid qualifiers varies depending on which protocol you chose. For a list of all valid qualifiers for each Protocol, and a description of each, see “Classic Expressions,” on page 224.
• Operator.
policy that a connection matches, so policy priority is important to get the results you intended. As a best practice, leave room to add policies by setting priorities with intervals of 50 (or 100) between each policy.
4. Click OK.
To bind a classic policy globally using the NetScaler command line
At the command line, type:
bind feature global policy_name priority
• For feature, for Application Firewall policies, you substitute appfw.
5. In the Priority field, set the priority.
6. If you are binding the policy to a Content Switching virtual server, in the Target field select a load balancing virtual server to which traffic that matches the policy is sent.
7. Click OK.
Creating Named Classic Expressions
Named classic expressions are expressions that are given a name and can be used in any classic policy.
3. In the Create Policy Expression dialog box, in the Expression Name field, enter a name for your new expression. You must begin a policy name with a letter or underscore. A policy name can consist of 1 to 127 characters, including letters, numbers, hyphen (-), period (.), pound sign (#), space ( ), and underscore (_).
4. In the Create Policy Expression dialog box, in the Client Security Message dialog box, type an error message.
APPENDIX A Expressions Reference
The following tables list expressions and expression elements that you can use to identify specific types of data. The first table applies to advanced expressions, in alphabetic order. The remaining tables cover the different types of classic expressions.

Expression Prefix / Notes and Links to Prefix and Applicable Operator Descriptions

CLIENT.ETHER.[DSTMAC | SRCMAC]
    “Prefixes for MAC Addresses,” on page 154
CLIENT.INTERFACE
    Designates an expression that refers to the ID of the network interface through which the current packet entered the Application Switch. See the other CLIENT.INTERFACE prefix descriptions in this table.
CLIENT.INTERFACE.

CLIENT.SSL
    Operates on the SSL protocol data for the current packet. See the other CLIENT.SSL prefixes in this table.
CLIENT.SSL.CIPHER_BITS
    “Prefixes for Numeric Data in SSL Certificates,” on page 143
    “Compound Operations for Numbers,” on page 48
CLIENT.SSL.

CLIENT.UDP.DNS.[IS_AAAAREC | IS_ANYREC | IS_AREC | IS_CNAMEREC | IS_MXREC | IS_NSREC | IS_PTRREC | IS_SOAREC | IS_SRVREC]
    “Expressions for TCP, UDP, and VLAN Data,” on page 134
    “Booleans in Compound Expressions,” on page 46
CLIENT.UDP.

HTTP.REQ.HEADER("header_name")
    “Expression Prefixes for Text in HTTP Requests and Responses,” on page 67
    “Prefixes for HTTP Headers,” on page 116
    “Operations for HTTP Headers,” on page 122
HTTP.REQ.FULL_HEADER("header_name")
HTTP.REQ.

HTTP.REQ.URL.[CVPN_ENCODE | HOSTNAME | HOSTNAME.DOMAIN | SERVER | PATH | PATH_AND_QUERY | PROTOCOL | QUERY | SUFFIX | VERSION]
    “Expression Prefixes for Text in HTTP Requests and Responses,” on page 67
    “Operations on Text,” on page 86
    “Complex Operations on Text,” on page 88
HTTP.REQ.URL.HOSTNAME.

HTTP.RES.DATE
    “Format of Dates and Times in an Expression,” on page 96
    “Expressions for HTTP Request and Response Dates,” on page 110
    “Expression Prefixes for Text in HTTP Requests and Responses,” on page 67
    “Compound Operations for Numbers,” on page 48
    “Operations for HTTP Headers,” on page 122
HTTP.RES.

HTTP.RES.SET_COOKIE.COOKIE.EXPIRES
    Obtains the Expires field of the cookie as a date string. The value of the Expires attribute can be operated upon as a time object. If multiple Expires fields are present, this expression operates on the first one. If the Expires attribute is absent, a string of length zero is returned.

HTTP.RES.SET_COOKIE2.COOKIE.[DOMAIN | PATH | PORT]
    “Prefixes for HTTP Headers,” on page 116
    “Operations for HTTP Headers,” on page 122
    “Advanced Expressions: Evaluating Text,” on page 63
HTTP.RES.SET_COOKIE2.COOKIE.PATH.IGNORE_EMPTY_ELEMENTS
    Ignores spaces in the data. For an example, see the table “HTTP Expression Prefixes that Return Text,” on page 67.
HTTP.RES.SET_COOKIE2.

HTTP.RES.STATUS_MSG
    “Expression Prefixes for Text in HTTP Requests and Responses,” on page 67
HTTP.RES.TRACKING
    Returns the HTTP body tracking mechanism. See the descriptions of other HTTP.REQ.TRACKING prefixes in this table.
HTTP.RES.TRACKING.EQ("tracking_method")
    Returns TRUE or FALSE. See “Booleans in Compound Expressions,” on page 46.
HTTP.RES.

SERVER.IP.[DST | SRC]
    “Prefixes for IPV4 Addresses and IP Subnets,” on page 150
    “Operations for IPV4 Addresses,” on page 150
    “Compound Operations for Numbers,” on page 48
SERVER.IPV6
    Operates on IPv6 protocol data. See the other SERVER.IPV6 prefixes in this table.
SERVER.IPV6.

SYS.TIME.[BETWEEN(time1, time2) | EQ(time) | GE(time) | GT(time) | LE(time) | LT(time) | WITHIN(time1, time2)]
    “Expressions for the NetScaler System Time,” on page 97
SYS.TIME.

VPN.CLIENTLESS_BASEURL.PATH.IGNORE_EMPTY_ELEMENTS
    Ignores spaces in the data. For an example, see the table “HTTP Expression Prefixes that Return Text,” on page 67.
VPN.CLIENTLESS_BASEURL.QUERY.IGNORE_EMPTY_ELEMENTS
    Ignores spaces in the data. For an example, see the table “HTTP Expression Prefixes that Return Text,” on page 67.
VPN.
Classic Expressions
The following tables provide a complete list of NetScaler classic expressions. These expressions continue to be supported for backward compatibility with NetScaler versions earlier than 8.1, and for features that have not yet implemented the PI expression language. In the table of operators, the result type of each operator is shown at the beginning of the description.

Expression Element / Definition
>     Boolean. Returns TRUE if the current expression evaluates to a number that is greater than the argument.
<     Boolean. Returns TRUE if the current expression evaluates to a number that is less than the argument.
>=    Boolean. Returns TRUE if the current expression evaluates to a number that is greater than or equal to the argument.
<=    Boolean.

Expression Element / Definition
REQ.HTTP.URLQUERYLEN    Qualifier. Designates the length of the query portion of the URL.
REQ.SSL                 Protocol. Operates on SSL requests.
REQ.SSL.CLIENT.CERT     Qualifier. Designates the entire client certificate.
REQ.SSL.CLIENT.CERT.SUBJECT    Qualifier. Designates the client certificate subject.
REQ.SSL.CLIENT.CERT.ISSUER     Qualifier. Designates the issuer of the client certificate.
REQ.SSL.CLIENT.CERT.

REQ.TCP.SOURCEPORT    Qualifier. Designates the source port of the incoming packet.
REQ.TCP.DESTPORT      Qualifier. Designates the destination port of the incoming packet.
REQ.IP                Protocol. Operates on incoming IP packets.
REQ.IP.SOURCEIP       Qualifier. Designates the source IP of the incoming packet.
REQ.IP.DESTIP         Qualifier. Designates the destination IP of the incoming packet.
RES                   Flow Type. Operates on outgoing (or response) packets.
RES.

RES.IP.SOURCEIP    Qualifier. Designates the source IP of the outgoing packet. This can be in IPv4 or IPv6 format. For example: add expr exp3 "sourceip == 10.102.32.123 -netmask 255.255.255.0 && destip == 2001::23/120".
RES.IP.DESTIP      Qualifier. Designates the destination IP of the outgoing packet.

Client Security Expressions
Actual Expression / Definition
CLIENT.APPLICATION.AV({NAME}.

Network-Based Expressions
Expression / Definition
REQ                             Flow Type. Operates on incoming, or request, packets.
REQ.VLANID                      Qualifier. Operates on the virtual LAN (VLAN) ID.
REQ.INTERFACE.ID                Qualifier. Operates on the ID of the designated NetScaler interface.
REQ.INTERFACE.RXTHROUGHPUT      Qualifier.
REQ.INTERFACE.TXTHROUGHPUT      Qualifier.
REQ.INTERFACE.RXTXTHROUGHPUT    Qualifier.
REQ.ETHER.SOURCEMAC             Qualifier.

RES.INTERFACE.RXTXTHROUGHPUT    Qualifier. Operates on the raw received and transmitted packet throughput of the designated NetScaler interface.
RES.ETHER.SOURCEMAC             Qualifier. Operates on the source MAC address.
RES.ETHER.DESTMAC               Qualifier. Operates on the destination MAC address.

Date/Time Expressions
Expression / Definition
TIME    Qualifier. Operates on the date and time of day, GMT.
DATE    Qualifier.
FS.COMMAND    Qualifier. Operates on a file system command. The user can issue multiple commands on a file transfer portal (for example, ls to list files or mkdir to create a directory). This expression returns the current action that the user is taking. Possible values: Neighbor, login, ls, get, put, rename, mkdir, rmdir, del, logout, any. Following is an example: add authorization policy pol1 "fs.command eq login && (fs.

FS.DIR    Returns the directory being accessed. For example, if a user accesses the file \\hostname\service1\dir1\file1.doc, FS.DIR will return \service\dir1.
FS.FILE.ACCESSTIME    Returns the time at which the file was last accessed. This is one of several options that provide you with granular control over actions that the user performs. (See the following entries in this table.)
FS.FILE.

Expression / Definition
ns_cmpclient       Tests the client to determine if it accepts compressed content.
ns_content_type    Tests for connections with an HTTP Content-Type header that contains “text”.
ns_css             Tests for connections with an HTTP Content-Type header that contains “text/css”.
ns_ext_asp         Tests for HTTP connections to any URL that contains the string .asp, in other words, any connection to an active server page (ASP).

ns_farclient    Client is in a different geographical region from the NetScaler, as determined by the geographical region in the client’s IP address. The following regions are predefined:
• 192.0.0.0 – 193.255.255.255: Multi-regional
• 194.0.0.0 – 195.255.255.255: European Union
• 196.0.0.0 – 197.255.255.255: Other1
• 198.0.0.0 – 199.255.255.255: North America
• 200.0.0.0 – 201.255.255.

ns_url_path_cgibin    Tests the URL path to see if it points to the CGI-BIN directory.
ns_url_path_exec      Tests the URL path to see if it points to the /exec/ directory.
ns_url_tokens         Tests for the presence of URL tokens.
ns_xmldata            Tests for the presence of XML data.

Built-In Named Expressions (Anti-Virus)
Expression / Definition
McAfee Virus Scan 11    Tests to determine whether the client is running the latest version of McAfee VirusScan.

Sygate Personal Firewall 5.6       Tests to determine whether the client is running the Sygate Personal Firewall, version 5.6.
ZoneAlarm Personal Firewall 6.5    Tests to determine whether the client is running the ZoneAlarm Personal Firewall, version 6.5.
APPENDIX B Summary Examples of Advanced Expressions and Policies
The following table provides examples of advanced expressions that you can use as the basis for your own advanced expressions.

Examples of Advanced Expressions
Expression Type / Sample Expressions
Look at the method used in the HTTP request.
    http.req.method.eq(post)
Check the Cache-Control or Pragma header value in an HTTP request (req) or response (res).
    http.req.header("Cache-Control").contains("no-store")
    http.req.method.

Look for a particular file type in an HTTP request based on the file extension.
    http.req.url.contains(".html")
    http.req.url.contains(".cgi")
    http.req.url.contains(".asp")
    http.req.url.contains(".exe")
    http.req.url.contains(".cfm")
    http.req.url.contains(".ex")
    http.req.url.contains(".shtml")
    http.req.url.contains(".htx")
    http.req.url.contains("/cgi-bin/")
    http.req.url.

Check if the first 1024 bytes of the body of a request starts with the string “some text”.
    http.req.body(1024).contains("some text")
The following table shows examples of policy configurations and bindings for commonly-used functions.

Examples of Advanced Expressions and Policies
Purpose / Example
Purpose: Rewrite instances of http:// to https:// in all URLs. This policy uses Responder functionality.
Example:
add responder action httpToHttpsAction redirect "\"https://\" + http.req.hostname + http.req.url" -bypassSafetyCheck YES
add responder policy httpToHttpsPolicy "!CLIENT.SSL.

Purpose: Limit the number of requests per second from a URL.
Example:
add ns limitSelector ip_limit_selector http.req.url "client.ip.src"
add ns limitIdentifier ip_limit_identifier -threshold 4 -timeSlice 3600 -mode request_rate -limitType smooth -selectorName ip_limit_selector
add responder action my_Web_site_redirect_action redirect "\"http://www.mycompany.

Purpose: Remove old headers from a request and insert an NS-Client header.
Example:
add rewrite action del_x_forwarded_for delete_http_header x-forwarded-for
add rewrite action del_client_ip delete_http_header client-ip
add rewrite policy check_x_forwarded_for_policy 'HTTP.REQ.HEADER("x-forwarded-for").EXISTS' del_x_forwarded_for
add rewrite policy check_client_ip_policy 'HTTP.REQ.HEADER("client-ip").

Purpose: Remove old headers from a request, insert an NS-Client header, and then modify the “insert header” action so that the value of the inserted header contains the client IP values from the old headers and the NetScaler’s connection IP address. Note that this example repeats the previous example, with the exception of the final set rewrite action.
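As an added illustration, not taken from the guide, the following Python simulates the rewrite policy bank above: rules evaluated in priority order, the two delete actions, and the NS-Client insert whose value expression (cut off on the page) is assumed here to be the old header values followed by the connection source IP. The header name, action names and the rule "true" on the insert policy are assumptions of the simulation.

```python
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]                      # lower-cased header name -> value
Rule = Callable[[Headers], bool]              # policy rule, evaluated on the original headers
Action = Callable[[Headers, Headers], None]   # (original headers, working copy) -> mutates the copy


def header_exists(name: str) -> Rule:
    """Models HTTP.REQ.HEADER("name").EXISTS."""
    return lambda orig: name.lower() in orig


def delete_http_header(name: str) -> Action:
    """Models: add rewrite action <n> delete_http_header <name>."""
    def act(orig: Headers, work: Headers) -> None:
        work.pop(name.lower(), None)
    return act


def insert_http_header(name: str, value_of: Callable[[Headers], str]) -> Action:
    """Models: add rewrite action <n> insert_http_header <name> <expression>."""
    def act(orig: Headers, work: Headers) -> None:
        work[name.lower()] = value_of(orig)
    return act


def ns_client_value(connection_ip: str) -> Callable[[Headers], str]:
    """Assumed value expression for the page's final 'set rewrite action' (its
    text is cut off): the IPs carried by the old headers, then the source IP of
    the TCP connection the NetScaler itself accepted (CLIENT.IP.SRC)."""
    def value(orig: Headers) -> str:
        parts = [orig[h] for h in ("x-forwarded-for", "client-ip") if h in orig]
        parts.append(connection_ip)
        return ", ".join(parts)
    return value


def build_policy_bank(connection_ip: str) -> List[Tuple[int, Rule, Action]]:
    """(priority, rule, action) triples mirroring the add rewrite policy lines.
    The insert policy's rule is assumed to be 'true' (always matches)."""
    return [
        (100, header_exists("x-forwarded-for"), delete_http_header("x-forwarded-for")),
        (200, header_exists("client-ip"), delete_http_header("client-ip")),
        (300, lambda orig: True, insert_http_header("NS-Client", ns_client_value(connection_ip))),
    ]


def apply_rewrite_bank(headers: Headers, connection_ip: str) -> Headers:
    """Evaluate every rule against the original request and apply the matching
    actions in priority order. Rules and value expressions read the original
    headers, so the insert still sees what the delete actions removed (a
    simplification chosen for this simulation, not a statement about the appliance)."""
    orig = {k.lower(): v for k, v in headers.items()}
    work = dict(orig)
    for _priority, rule, action in sorted(build_policy_bank(connection_ip), key=lambda p: p[0]):
        if rule(orig):
            action(orig, work)
    return work


def trusted_client_ip(rewritten: Headers) -> str:
    """What a back-end server should rely on: only the right-most NS-Client entry
    was written from the connection the NetScaler saw; everything before it came
    from headers the client could have set itself."""
    return rewritten["ns-client"].split(",")[-1].strip()


if __name__ == "__main__":
    # Constructed request: the client sets both headers to claim a loopback origin.
    spoofed = {"Host": "www.example.com", "X-Forwarded-For": "127.0.0.1", "Client-IP": "10.0.0.5"}
    out = apply_rewrite_bank(spoofed, "203.0.113.9")
    print(out)                      # x-forwarded-for and client-ip removed, ns-client added
    print(trusted_client_ip(out))   # 203.0.113.9
```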
APPENDIX C Tutorial Examples of Advanced Policies for Rewrite
With the rewrite feature, you can modify any part of an HTTP header, and, for responses, you can modify the HTTP body. You can use this feature to accomplish a number of useful tasks, such as removing unnecessary HTTP headers, masking internal URLs, redirecting Web pages, and redirecting queries or keywords. In the following examples, you first create a rewrite action and a rewrite policy. Then you bind the policy globally.

add rewrite action act_external_to_internal REPLACE 'http.req.hostname.server' '"host_name_of_internal_Web_server"'
To create the rewrite policy, at the NetScaler command prompt, type:
add rewrite policy pol_external_to_internal 'http.req.hostname.server.eq("host_name_of_external_Web_server")' act_external_to_internal
Bind the policy globally.
To redirect an external URL to an internal URL by using the configuration utility
1.

Redirecting a Query
This example describes how to create a Rewrite action and Rewrite policy that redirects a query to the proper URL. The example assumes that the request contains a Host header set to www.example.com and a GET method with the string /query.cgi?server=5. The redirect extracts the domain name from the host header and the number from the query string, and redirects the user’s query to the server Web5.example.

To redirect HTTP URLs to HTTPS by using the command line
1. To create a Rewrite action named act_replace_http_with_https that replaces all instances of the string “http” with the string “https”, at the NetScaler command prompt, type:
add rewrite action act_replace_http_with_https replace_all 'http.res.body(100)' '"https"' -pattern http
2.

add rewrite policy "pol_remove-ae" true "act_remove-ae"
add rewrite policy "pol_remove-cl" true "act_remove-cl"
To bind the policy globally by using the NetScaler command line
At the NetScaler command prompt, type one of the following commands, as appropriate, to globally bind the policy that you have created:
bind rewrite global "pol_remove-ae" 100
bind rewrite global "pol_remove-cl" 200
Reducing Web Server Redirects
This example explains

add rewrite action "act_mask-server" replace "http.RES.HEADER(\"Server\")" "\"Web Server 1.0\""
2. To create a Rewrite policy named pol_mask-server that detects all connections, type:
add rewrite policy "pol_mask-server" true "act_mask-server"
3. Globally bind your new policy to put it into effect.
APPENDIX D Tutorial Examples of Classic Policies
Following are useful examples of classic policy configuration for certain NetScaler features such as Access Gateway, Application Firewall, and SSL.

add ssl policy client_cert_policy 'REQ.SSL.CLIENT.CERT.VALIDFROM >= "Mon, 01 Jan 2008 00:00:00 GMT"' act_block_ssl
3. Globally bind your new policy to put it into effect. Since this SSL policy should apply to any user’s SSL connection unless a more specific SSL policy applies, you may want to assign a large priority value.

2. In the Create Application Firewall Profile dialog box, in the Profile Name field, enter shopping_cart.
3. In the Profile Type drop-down list, select Web Application.
4. In the Configure Select Advanced defaults.
5. Click Create and then click Close.
6. In the details view, double-click the new profile.
7. In the Configure Web Application Profile dialog box, configure your new profile as described below:
A.

D. For the Credit Card check, disable blocking; enable logging, statistics, and masking of credit card numbers; and enable protection for those credit cards you accept as forms of payment.
• If you are using the configuration utility, you configure blocking, logging, statistics, and masking (or x-out) in the Modify Credit Card Check dialog box, General tab, Check Actions section.

9. Globally bind your new policy to put it into effect. Since you want to ensure that this policy will match all connections to the shopping cart, and not be preempted by another more general policy, you should assign a high priority to it. If you assign one (1) as the priority, no other policy can preempt this one.

To protect Web pages against cross-site scripting by using the configuration utility
1. In the navigation pane, expand Application Firewall, and then click Profiles.
2. In the details view, click Add.
3. In the Create Application Firewall Profile dialog box, create a Web Application profile with advanced defaults and name it pr_xssokay. Click Create and then click Close.
4.

To drop packets from specific IPs by using the NetScaler command line
1. To create a DNS policy named pol_ddos_drop that detects connections from hostile networks and drops those packets, type:
add dns policy pol_ddos_drop 'client.ip.src.in_subnet(192.168.253.128/25) || client.ip.src.in_subnet(192.168.254.32/27)' -drop YES
For the example networks in the 192.168.0.0/16 range, you substitute the IP and netmask in ###.###.###.
APPENDIX E Migration of Apache mod_rewrite Rules to Advanced Policies
The Apache HTTP Server provides an engine known as mod_rewrite for rewriting HTTP request URLs. If you migrate the mod_rewrite rules from Apache to the NetScaler, you boost back-end server performance. In addition, because the NetScaler typically load balances multiple (sometimes thousands of) Web servers, after migrating the rules to the NetScaler you will have a single point of control for these rules.

Converting URL Variations into Canonical URLs
On some Web servers you can have multiple URLs for a resource. Although the canonical URLs should be used and distributed, other URLs can exist as shortcuts or internal URLs. You can make sure that users see the canonical URL regardless of the URL used to make an initial request. In the following examples, the URL /~user is converted to /u/user.

NetScaler solution for enforcing a particular host name for sites running on a port other than 80
add responder action act1 redirect '"http://www.example.com:"+CLIENT.TCP.DSTPORT+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.HOSTNAME.CONTAINS("www.example.com")&&!HTTP.REQ.HOSTNAME.EQ("")&&!HTTP.REQ.HOSTNAME.PORT.EQ(80)&&HTTP.REQ.HOSTNAME.CONTAINS("example.

NetScaler solution for moving the document root and appending path information to the request
add responder action act1 redirect '"/e/www"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.URL.STARTSWITH("/e/www/")' act1
bind responder global pol1 100 END
Moving Home Directories to a New Web Server
You may want to redirect requests that are sent to home directories on a Web server to a different Web server.

The following examples redirect requests to the home directory.
Apache mod_rewrite solution for structured home directories
RewriteRule ^/~(([a-z])[a-z0-9]+)(.*) /home/$2/$1/.www$3
NetScaler solution for structured home directories
add rewrite action act1 replace 'HTTP.REQ.URL' '"/home/"+HTTP.REQ.URL.AFTER_STR("~").PREFIX(1)+"/"+HTTP.REQ.URL.AFTER_STR("~").BEFORE_STR("/")+"/.www"+HTTP.REQ.URL.
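To check that the two solutions above agree, here is an added Python comparison (not Citrix or Apache code) that applies the mod_rewrite rule as a regex and the NetScaler replace expression as a chain of simulated AFTER_STR, PREFIX and BEFORE_STR operators. The operator semantics, the cut-off final term of the expression (assumed to be the path after the user name, as Apache's $3 captures), and the two candidate policy rules are assumptions of the simulation; the sample paths are constructed.

```python
import re
from typing import Callable, List, Optional, Tuple

# The Apache rule from the page: RewriteRule ^/~(([a-z])[a-z0-9]+)(.*) /home/$2/$1/.www$3
APACHE_RULE = re.compile(r"^/~(([a-z])[a-z0-9]+)(.*)")


def apache_rewrite(path: str) -> Optional[str]:
    """Apply the mod_rewrite rule; None when the pattern does not match."""
    m = APACHE_RULE.match(path)
    if m is None:
        return None
    user, initial, rest = m.group(1), m.group(2), m.group(3)
    return f"/home/{initial}/{user}/.www{rest}"


# Simulated NetScaler text operators (semantics assumed for this simulation).
def after_str(text: str, target: str) -> str:
    """AFTER_STR(target): the text after the first occurrence; empty if absent."""
    i = text.find(target)
    return "" if i < 0 else text[i + len(target):]


def before_str(text: str, target: str) -> str:
    """BEFORE_STR(target): the text before the first occurrence; unchanged if absent."""
    i = text.find(target)
    return text if i < 0 else text[:i]


def prefix(text: str, n: int) -> str:
    """PREFIX(n): the first n characters."""
    return text[:n]


def netscaler_rewrite(url: str) -> str:
    """The replace action's expression, term by term:
    "/home/" + URL.AFTER_STR("~").PREFIX(1) + "/" + URL.AFTER_STR("~").BEFORE_STR("/") + "/.www" + tail
    The page's last term is cut off; 'tail' is assumed to be what follows the user name."""
    after_tilde = after_str(url, "~")
    user = before_str(after_tilde, "/")
    tail = after_str(after_tilde, user)          # assumed final term
    return "/home/" + prefix(after_tilde, 1) + "/" + user + "/.www" + tail


def loose_rule(url: str) -> bool:
    """Assumed policy rule: HTTP.REQ.URL.STARTSWITH("/~")."""
    return url.startswith("/~")


STRICT_RE = re.compile(r"^/~[a-z][a-z0-9]+")


def strict_rule(url: str) -> bool:
    """Policy rule that keeps the Apache pattern's character classes, as a
    REGEX_MATCH guard in the policy expression would."""
    return STRICT_RE.match(url) is not None


def compare(urls: List[str], rule: Callable[[str], bool]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (url, apache_result, netscaler_result) for every URL where the two differ."""
    diffs = []
    for u in urls:
        a = apache_rewrite(u)
        n = netscaler_rewrite(u) if rule(u) else None
        if a != n:
            diffs.append((u, a, n))
    return diffs


# Constructed sample request paths (no query strings).
SAMPLE_URLS = ["/~quux/foo/bar", "/~quux/", "/~ab1", "/~Quux/x", "/~q/x", "/static/a.css"]

if __name__ == "__main__":
    # With the loose rule the NetScaler side rewrites paths Apache's regex rejected.
    for u, a, n in compare(SAMPLE_URLS, loose_rule):
        print(f"{u}: apache={a!r} netscaler={n!r}")
    print("strict rule mismatches:", compare(SAMPLE_URLS, strict_rule))
```

The mismatches show that the Apache regex also acted as an input filter on the user-name characters; the migrated policy needs an equivalent guard to keep that behaviour.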
add responder policy pol1 '!HTTP.REQ.HEADER("Name").EXISTS && !SYS.HTTP_CALLOUT(call)' act1
bind responder global pol1 100
NetScaler solution for redirection if a URL is wrong (method 2)
add policy httpCallout Call
set policy httpCallout Call -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")' -urlStemExpr '"/cgi-bin/file_check.cgi"' -parameters query=http.req.url.

Redirecting to a New File Name (Invisible to the User)
If you rename a Web page, you can continue to support the old URL for backward compatibility while preventing users from recognizing that the page was renamed. In the first two of the following examples, the base directory is /~quux/. The third example accommodates any base directory and the presence of query strings in the URL.

Apache mod_rewrite solution for changing the file name and the URL displayed in the browser
RewriteEngine on
RewriteBase /~quux/
RewriteRule ^old\.html$ new.html [R]
NetScaler solution for changing the file name and the URL displayed in the browser
add responder action act1 redirect 'HTTP.REQ.URL.BEFORE_STR("foo.html")+"new.html"' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.ENDSWITH("/~quux/old.

RewriteRule ^MyPage\.html$ MyPage.20.html [L]
RewriteRule ^fMyPage\.html$ MyPage.32.html [L]
NetScaler solution for browser-specific settings
add patset pat1
bind patset pat1 Mozilla/1
bind patset pat1 Mozilla/2
bind patset pat1 Lynx
bind patset pat1 Mozilla/3
add rewrite action act1 insert_before 'HTTP.REQ.URL.SUFFIX' '"NS."'
add rewrite action act2 insert_before 'HTTP.REQ.URL.SUFFIX' '"20.

NetScaler solution for blocking a path and a User-Agent header
add responder action act1 respondwith '"HTTP/1.1 403 Forbidden\r\n\r\n"'
add responder policy pol1 'HTTP.REQ.HEADER("User-Agent").STARTSWITH("NameOfBadRobot")&&(CLIENT.IP.SRC.EQ(123.45.67.8)||CLIENT.IP.SRC.EQ(123.45.67.9)) && HTTP.REQ.URL.

The first two of the following examples show adding an extension to all request URLs. In the last example, one of two file extensions is added. Note that in the last example, the mod_rewrite module can easily find the file extension because this module resides on the Web server. In contrast, the NetScaler must invoke an HTTP callout to check the extension of the requested file on the Web server.

bind patset pat1 .html
bind patset pat1 .php
bind patset pat1 .asp
bind patset pat1 .cgi
add rewrite action act1 insert_after 'HTTP.REQ.URL.PATH' '".html"'
add rewrite action act2 insert_after 'HTTP.REQ.URL.PATH' '".php"'
add rewrite policy pol1 '!HTTP.REQ.URL.CONTAINS_ANY("pat1") && SYS.HTTP_CALLOUT(Call_html)' act1
add rewrite policy pol2 '!HTTP.REQ.URL.CONTAINS_ANY("pat1") && SYS.

NetScaler solution
add responder action act_redirect redirect 'HTTP.REQ.URL.PATH.BEFORE_STR("index.php")+HTTP.REQ.URL.QUERY.VALUE("id")' -bypassSafetyCheck yes
add responder policy pol_redirect '!HTTP.REQ.URL.QUERY.CONTAINS("marker") && HTTP.REQ.URL.QUERY.VALUE("id").REGEX_MATCH(re/[-a-zA-Z0-9_+]+/) && HTTP.REQ.URL.PATH.CONTAINS("index.

bind patset pat1 page4
bind patset pat1 page5
add responder action res_redirect redirect '"https://www.example.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol_redirect '!CLIENT.TCP.DSTPORT.EQ(443)&&HTTP.REQ.URL.
APPENDIX F New Advanced Expression Operators in This Release
NetScaler 9.2 supports new advanced expression operators for extracting and evaluating numeric data, text, HTTP data, XML and JSON data, and user groups. NetScaler 9.2 also supports new operators and methods for the CLIENT and ipv6 expression prefixes.

New Operators for Extracting and Evaluating Numeric Data
Operators / Operation
number.TYPECAST_TIME_AT and operators of the format "number.TYPECAST_TIME_AT.."
    Transform, extract, and evaluate time values. For example, number.TYPECAST_TIME_AT.DAY, number.TYPECAST_TIME_AT.BETWEEN(time1, time2), and number.TYPECAST_TIME_AT.EQ(t).
Operators of the format "double.."
    For example, double.ADD(i), double.

Operators for Extracting and Evaluating HTTP Data
The following operators have been introduced for extracting and evaluating HTTP data.
New Operators for Extracting and Evaluating HTTP data
Operators / Operation
HTTP.REQ.IS_NTLM_OR_NEGOTIATE
    Determine whether a request is a part of an NTLM or NEGOTIATE connection.
HTTP.REQ.USER
    Extract the AAA user associated with the current HTTP transaction.
HTTP.REQ.USER.

XPath and JSON Operators for Evaluating XML and JSON Data
The following operators have been introduced for evaluating XML and JSON text.
XPath and JSON Operators for Evaluating XML and JSON Text
Operators / Operations
Operators of the format text.XPATH(xpathex)
    Evaluate XML text.
Operators of the format text.XPATH_JSON(xpathex)
    Evaluate JSON text.
Index
A AAA - Traffic Management use of actions and profiles 6 use of policies 4 Access Gateway 4, 43 and policy bindings 18 use of actions and profiles 6 use of policies 5 actions 14 about 5 how used in NetScaler modules 6 how used with policies 5 advanced expressions about 9 classic expressions within 57 client prefix 41 configuration outside of a policy 61 configuring in a policy 57 creating from a simple prefix 43 false 43 for clientless VPNs 76 for dates and times 97 for dates and times in a rewrite a
NOPOLICY invocation, removing 35 order of evaluation, configuration of 18 policy banks 19 configuring 27 entries 19 evaluation order within 20 example of configured bank 21 Goto expression values 20 invocation of 19–20 invocation of other banks within a bank 20 policy configuration in a policy label 29 policy configuration in a virtual server policy bank 32 policy label 19–20 configuring 27 configuring a user-defined label 27 policy name 20, 29
named expressions 209, 232 ns_all_apps_ncomp 232 ns_cachecontrol_nocache 232 ns_cachecontrol_nostore 232 ns_cmpclient 233 ns_content_type 233 ns_css 233 ns_ext_asp 233 ns_ext_cfm 233 ns_ext_cgi 233 ns_ext_ex 233 ns_ext_exe 233 ns_ext_htx 233 ns_ext_not_gif 233 ns_ext_not_jpeg 233 ns_ext_shtml 233 ns_false 233 ns_farclient 234 ns_header_cookie 234 ns_header_pragma 234 ns_mozilla_47 234 ns_msexcel 234 ns_msie 234 ns_msppt 234 ns_msword 234 ns_non_get 234 ns_slowclient 234 ns_true 234 ns_url_path_bin 234
classic policies migration to advanced 11 Clientless Access function use of policies 4 clientless VPN 65, 76 compound expressions for text 65 Compression feature use of policies 3 Compression module use of actions and profiles 7 Content Switching 43 use of policies 4 Content Switching module and policy bindings 17 use of actions and profiles 7 cross-site scripting about 255 CVPN 65, 76 D DNS feature use of policies 3 DNS module 43 and policy b
HTTP.REQ.USER.NAME 74 HTTP.REQ.VERSION 75 HTTP.RES.BODY 75 HTTP.RES.CACHE_CONTROL 126 HTTP.RES.CONTENT_LENGTH 130 HTTP.RES.DATE 110 HTTP.RES.FULL_HEADER 116 HTTP.RES.HEADER 116 HTTP.RES.SET_COOKIE 117 HTTP.RES.SET_COOKIE2 117 HTTP.RES.SET_COOKIE2(name).DOMAIN 117 HTTP.RES.SET_COOKIE2.COOKIE(name).EXPIRES 117 HTTP.RES.SET_COOKIE2.COOKIE(name).PATH 118 HTTP.RES.SET_COOKIE2.COOKIE(name).PATH.IGNORE_EMPTY_ELEMENTS 118 HTTP.RES.SET_COOKIE2.COOKIE(name).PORT 119 HTTP.RES.SET_COOKIE2.COOKIE(name).PORT.
SYS.TIME.RELATIVE_NOW 101 SYS.TIME.SECONDS 101 SYS.TIME.WEEKDAY 101 SYS.TIME.WITHIN 101 SYS.TIME.YEAR 101 VPN.BASEURL.CVPN_DECODE 77 VPN.BASEURL.CVPN_ENCODE 77 VPN.BASEURL.HOSTNAME 77 VPN.BASEURL.HOSTNAME.DOMAIN 77 VPN.BASEURL.HOSTNAME.EQ 77 VPN.BASEURL.HOSTNAME.SERVER 78 VPN.BASEURL.PATH 78 VPN.BASEURL.PATH.IGNORE_EMPTY_ELEMENTS 78 VPN.BASEURL.PATH_AND_QUERY 78 VPN.BASEURL.PROTOCOL 79 VPN.BASEURL.QUERY 79 VPN.BASEURL.QUERY.
M migration 11 N named classic expressions 209 new features in this release xi O operations for advanced expressions 50–51 - 48 ADD 51 AFTER_REGEX 166, 168 AFTER_STR 89, 124 ALT 47 AUTHKEY_ID.ISSUER_NAME.IGNORE_EMPTY_ELEMENTS 145 AUTH_KEYID 144 AUTH_KEYID.CERTIFICATE_SERIALNUMBER 144 AUTH_KEYID.EXISTS 145 AUTH_KEYID.ISSUER_NAME 145 AUTH_KEYID.
STARTSWITH_INDEX 159 STRIP_END_WS 90 STRIP_START_WS 90 SUB 51 SUBJECT 147 SUBJECT.
policy bindings about 7 evaluation order based on binding 8 policy label 8 request-time global 7 request-time virtual server 7 response-time global 7 response-time virtual server 7 specialized 8 priority level 8 rule 2 See also advanced policies, classic policies types of policy 1 what NetScaler applications use them 3 policy banks See advanced policies policy bindings 7 policy labels binding 34–35 unbinding 35 POST body 65 POST body, parsing 63 prefixes 43 prefix.
To redirect an external URL to an internal URL using the command line 245 To redirect an external URL to an internal URL using the configuration utility 246 To redirect HTTP URLs to HTTPS using the command line 248 To remove invalid policies and policy labels using the Policy Manager 37 To unbind an advanced policy globally from the configuration utility 26 To unbind a NOPOLICY invocation from a rewrite, integrated caching, or content switching
V VPN 65, 76 Z " character 57 ? character 58