Deployment Guide - Citrix.com (cdn.ws.citrix.com/wp-content/uploads/2008/05/Citrix_NSPE.pdf)

Policy Engine (PE) Deployment Guide - A Technical Reference

Notice:

The information in this publication is subject to change without notice.

THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix.

The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.

Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.

Table of Contents

Introduction
Prerequisites
Policy Expressions (PE)
    Components of Policy Expression
    Qualifiers
    Operators
    Operands
    Policy Limitations
    Performance Considerations
    Important Policy Behavior - Policy Engine (PE)
    Sample Expressions using the CLI
    Sample Expressions using the GUI
    Compound Expressions
    Sample Compound Expressions using the CLI
    Sample Compound Expressions using the GUI


Introduction

Citrix® NetScaler® optimizes the delivery of web applications, increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and robust application security into a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.

Policies are used to configure various Application Switch features. For example, the parameters for compressing content are defined in a compression policy.

The features that use policies are:

Content Switching

Content Filtering

AppCompress

Cache Redirection

SSL VPN

Priority Queuing

DoS Protection

Sure Connect

Policy expressions are applied to content that enters the system. Expressions are shared among features, but actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system. You can then create a compression policy that uses this expression to compress those files.

The Policy Engine refers to the architecture in the Citrix NetScaler Application Switch for versions up to 8.x. The architecture for Policy Engine and the manner in which it operates is presented in this guide.


Prerequisites

Citrix NetScaler Application Switch, running version 8.x (quantity 1 for a single deployment, quantity 2 for an HA deployment).

Client laptop/workstation running Internet Explorer 6.0+, Ethernet port

9-pin serial cable -or- USB-to-serial cable

NOTE: The policies in this guide are based on the Policy Engine (PE) architecture in NetScaler version 8.0. The policies for NetScaler version 9.0+ use the Policy Infrastructure (PI) architecture, which differs in syntax and methodology. Policy Infrastructure (PI) is not discussed in this guide.


Policy Expressions (PE)

Components of Policy Expression

The Policy Expressions (PE) language is a basic expressions language that is used to define policy conditions on the NetScaler Application Switch. Because it is the original expressions language on the NetScaler, the expressions written in it are often called classic expressions.

A Policy consists of an expression and an action. Expressions are "shared" among features on the switch. Actions are "feature-specific". For example, you can create an expression to identify .pdf files being sent through the system. You can then create a compression policy that uses this expression to compress (take action on) those files.

Policy Expressions are like an If-Then-Else language. The Expression is the “If”, the Action is the “Then”.

Expressions consist of the following components:

Name: expression name

Qualifier: The information to be tested.

Operator: Operation to perform.

Operand: Values to compare to Qualifiers.

Expression Syntax:

add expression <name> <qualifier> <operator> <operand>

Example:

add expression mpost "REQ.HTTP.METHOD == POST"

Qualifiers

Qualifiers are directional, or flow based. In other words they are relevant to requests coming from clients and responses being sent from backend servers. Most often they are based on components of HTTP flows. In the Policy Expression language you will see flow based expressions start with REQ for request based expressions and RES for response based expressions.

The qualifier format is:

[<flow.type>.<protocol>.]qualifier

For example:

REQ.HTTP.METHOD

REQ.HTTP.URL

REQ.HTTP.HEADER


Operators

The Operator identifies the operation to perform on the operands. The following table defines the operators.

Operator: Description

==, !=, EQ, NEQ: Test for exact matches. These are case sensitive.

GT: Use for numerical comparisons on the length of URLs and query strings.

CONTAINS, NOTCONTAINS: Determine whether the specified string is contained in the qualifier. These are not case sensitive.

EXISTS, NOTEXISTS: Check for the existence of a particular qualifier, for example whether a specific HTTP header exists or whether a URL query exists.

CONTENTS: Checks for the existence of the qualifier and its contents.

Operands

An Operand defines the values for the corresponding qualifiers, or the values being compared to the corresponding qualifiers. Wildcard characters can sometimes be used in Operands. For example “/*.gif”.


Policy Limitations

The Cache Redirection feature has a maximum of 128 expressions and Content Switching has a maximum of 512 expressions, which are hard-coded and cannot be changed.

For the remaining features, there is a built-in maximum limit of 1024 expressions in the NetScaler Application Switch, but this can be changed by entering the following through the command line interface:

nsapimgr -ys maxexpr=<new limit number>

Performance Considerations

Some operators behave differently, so you might want to take note of the behavior and the potential impact to performance.

The operator “==” is:

Case Sensitive

Accepts Wildcards “*”

Is not CPU intensive

The operator “CONTAINS” is:

Not Case Sensitive

Does Not Accept Wildcards “*”

Is CPU Intensive


Important Policy Behavior - Policy Engine (PE)

Policies get evaluated in the order that they are classified in, that is with their priority numbers. Policies operate on a first-match principle. In a policy classification, the action associated with the first policy that matches gets applied. Once a match is determined, the policy evaluation exits the evaluation logic tree and no more policies are evaluated.

If there is no match, the GOTO expression is evaluated, which can go to the 'END' of the logic tree, go to the 'NEXT' priority number, or go to a specific priority number.

Each Feature has its own set of priority numbers for its own set of policies. Policy priority numbers don't overlap between feature sets. Having a policy for rewrite with priority 20 doesn't interfere with a policy for caching with priority 20 or 10 or 30. Request flow policy priorities come before (lower numbers) Response flow policy priorities (higher numbers).

Priority numbers increment in units of 10.
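As an added illustration (not Citrix code or anything shipped with NetScaler), the function below models the evaluation order just described: a bank of policies is visited in ascending priority, the first match wins, and a non-matching policy's GOTO of END, NEXT or a specific priority decides where evaluation continues. The sample bank, its compression-style actions and the request dict are constructed for this example; rules are plain Python callables standing in for PE expressions.

```python
def evaluate_bank(policies, request):
    # Model of the PE evaluation described in this guide: policies are visited in ascending
    # priority, the first match ends evaluation, and a policy that does not match hands control
    # to its GOTO: "END" stops, "NEXT" moves to the next priority, an int jumps to that priority.
    ordered = sorted(policies, key=lambda p: p["priority"])
    index_of = {p["priority"]: i for i, p in enumerate(ordered)}
    i = 0
    while i < len(ordered):
        policy = ordered[i]
        if policy["rule"](request):
            return policy["action"]                 # first match: leave the evaluation tree
        goto = policy["goto"]
        if goto == "END":
            return None
        if goto == "NEXT":
            i += 1
        elif goto in index_of and index_of[goto] > i:  # forward jumps only, so no loops
            i = index_of[goto]
        else:
            raise ValueError("bad GOTO %r at priority %d" % (goto, policy["priority"]))
    return None                                     # ran off the end without a match

def sample_bank():
    # Constructed compression-style bank; rules are plain callables standing in for PE expressions.
    # Priorities step by 10, as the guide states, leaving room to insert policies between them.
    return [
        {"priority": 10, "action": "NOCOMPRESS", "goto": "NEXT",
         "rule": lambda r: r["url"].endswith(".gif")},
        {"priority": 20, "action": "NOCOMPRESS", "goto": "NEXT",
         "rule": lambda r: r["method"] == "POST"},
        {"priority": 30, "action": "COMPRESS", "goto": "END",
         "rule": lambda r: r["url"].endswith((".html", ".txt"))},
    ]

def compression_decision(request):
    # Convenience wrapper: the action the sample bank selects for a constructed request dict.
    return evaluate_bank(sample_bank(), request)
```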

Feature evaluation order (request flow, then response flow):

Requests:
App Fw
AAA
SSL Decryption
Responder
Caching
Content Switching
Load Balancing
Content Filtering
HTTP DoS
SureConnect
Priority Queueing
Request Rewrite
SSL Encryption

Responses:
SSL Decryption
Response Rewrite
HTTP Compression
TCP Compression
TCP Buffering
Content Filtering
Caching
App Fw
SSL Encryption


Sample Expressions using the CLI

add policy expression mget "REQ.HTTP.METHOD == GET"

add policy expression uhtml "REQ.HTTP.URL == /*.html"

add policy expression hhdr "REQ.HTTP.HEADER Host CONTAINS myhost.com"

add policy expression srcip "REQ.IP.SOURCEIP == 192.168.10.1"

add policy expression dstip "REQ.IP.DESTIP == 192.168.12.2"

Sample Expressions using the GUI

To add an expression in the NetScaler GUI, navigate to NetScaler > System > Expressions > Add. Add each expression and click Create.


Compound Expressions

Compound expressions check for multiple conditions. Compound expression logic is formed with one or more expressions connected using the logical operators “&&” and “||”, and are grouped for order of evaluation using the symbols “(“ and ”)”. Processing of compound expressions is done from left to right, and is done with “lazy” evaluation, i.e. once the final result is known, evaluation is terminated.

Sample Compound Expressions using the CLI

Sample using the and ("&&") operator:

add policy expression not_get "REQ.HTTP.METHOD != GET"

add policy expression not_post "REQ.HTTP.METHOD != POST"

add policy expression not_head "REQ.HTTP.METHOD != HEAD"

add policy expression not_normal_method "not_get && not_post && not_head"

Sample using the or ("||") operator:

add policy expression no_hdr_host "REQ.HTTP.HEADER Host NOTEXISTS"

add policy expression no_hdr_user_agent "REQ.HTTP.HEADER User-Agent NOTEXISTS"

add policy expression not_normal_hdrs "no_hdr_host || no_hdr_user_agent"

add policy expression bad_request "not_normal_method || not_normal_hdrs"
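The evaluator below is an added example, not Citrix code or anything shipped with NetScaler: it interprets the classic rules used throughout this guide (the REQ.HTTP qualifiers, the operator semantics from the Operators and Performance Considerations sections, and the &&/|| chaining with lazy left-to-right evaluation described above) and runs the guide's bad_request sample against a constructed request dict. Assumptions: the request is a plain dict with method, url and lower-cased header names; parentheses and the GT and CONTENTS operators are not modelled.

```python
import fnmatch

def eval_simple(req, tokens):
    # One "<qualifier> <operator> [<operand>]" rule; req is a constructed dict with method, url, headers.
    q = tokens.pop(0)
    if q == "REQ.HTTP.HEADER":                         # the header name follows as an extra token
        value = req["headers"].get(tokens.pop(0).lower())  # None when the header is absent
    else:
        value = {"REQ.HTTP.METHOD": req["method"], "REQ.HTTP.URL": req["url"]}[q]
    op = tokens.pop(0)
    if op in ("EXISTS", "NOTEXISTS"):                  # existence test needs no operand
        return (value is not None) == (op == "EXISTS")
    operand = tokens.pop(0)
    if value is None:                                  # an absent header never matches a comparison
        return False
    if op in ("==", "!="):                             # exact match: case sensitive, "*" wildcard allowed
        return fnmatch.fnmatchcase(value, operand) == (op == "==")
    if op in ("CONTAINS", "NOTCONTAINS"):              # substring: not case sensitive, no wildcards
        return (operand.lower() in value.lower()) == (op == "CONTAINS")
    raise ValueError("unsupported operator: " + op)

def evaluate(named, req, rule):
    # A compound rule chains named expressions with && / || left to right and stops as soon as
    # the final result is known (the guide's "lazy" evaluation). Parentheses are not modelled.
    tokens = rule.split()
    if tokens[0].startswith("REQ."):
        return eval_simple(req, tokens)
    result = evaluate(named, req, named[tokens[0]])
    for op, name in zip(tokens[1::2], tokens[2::2]):
        if (op == "&&" and not result) or (op == "||" and result):
            break
        result = evaluate(named, req, named[name])
    return result

# The guide's compound-expression sample: name -> rule, as given to "add policy expression".
GUIDE_RULES = {
    "not_get": "REQ.HTTP.METHOD != GET",
    "not_post": "REQ.HTTP.METHOD != POST",
    "not_head": "REQ.HTTP.METHOD != HEAD",
    "not_normal_method": "not_get && not_post && not_head",
    "no_hdr_host": "REQ.HTTP.HEADER Host NOTEXISTS",
    "no_hdr_user_agent": "REQ.HTTP.HEADER User-Agent NOTEXISTS",
    "not_normal_hdrs": "no_hdr_host || no_hdr_user_agent",
    "bad_request": "not_normal_method || not_normal_hdrs",
}

def is_bad_request(req):
    # True when the request uses a method other than GET/POST/HEAD or lacks Host or User-Agent.
    return evaluate(GUIDE_RULES, req, GUIDE_RULES["bad_request"])
```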

Sample Compound Expressions using the GUI

Sample using the and ("&&") operator:

Sample using the or ("||") operator:
