Deployment Guide - Citrix.com (source: cdn.ws.citrix.com/wp-content/uploads/2008/05/Citrix_NSPE.pdf)
Deployment Guide
Notice:
The information in this publication is subject to change without notice.
THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.
Table of Contents
Introduction
Prerequisites
Policy Expressions (PE)
    Components of Policy Expression
    Qualifiers
    Operators
    Operands
    Policy Limitations
    Performance Considerations
    Important Policy Behavior - Policy Engine (PE)
    Sample Expressions using the CLI
    Sample Expressions using the GUI
    Compound Expressions
    Sample Compound Expressions using the CLI
    Sample Compound Expressions using the GUI
Introduction
Citrix® NetScaler® optimizes the delivery of web applications, increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and robust application security into a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.
Policies are used to configure various Application Switch features. For example, the parameters for compressing content are defined in a compression policy.
The features that use policies are:
• Content Switching
• Content Filtering
• AppCompress
• Cache Redirection
• SSL VPN
• Priority Queuing
• DoS Protection
• Sure Connect
Policy expressions are applied to content that enters the system. Expressions are shared among features, but actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system. You can then create a compression policy that uses this expression to compress those files.
The Policy Engine refers to the architecture in the Citrix NetScaler Application Switch for versions up to 8.x. The architecture for Policy Engine and the manner in which it operates is presented in this guide.
Prerequisites
• Citrix NetScaler Application Switch, running version 8.x (quantity 1 for a single deployment, quantity 2 for an HA deployment).
• Client laptop/workstation running Internet Explorer 6.0+, with an Ethernet port.
• 9-pin serial cable, or USB-to-serial cable.
NOTE: The policies in this guide are based on the Policy Engine (PE) architecture in NetScaler version 8.0. Policies for NetScaler version 9.0 and later use the Policy Infrastructure (PI) architecture, which differs in syntax and methodology. Policy Infrastructure (PI) is not discussed in this guide.
Policy Expressions (PE)
Components of Policy Expression
The Policy Expressions (PE) language is a basic expressions language that is used to define policy conditions on the NetScaler Application Switch. Because it is the original expressions language on the NetScaler, the expressions written in it are often called classic expressions.
A Policy consists of an expression and an action. Expressions are “shared” among features on the switch; actions are “feature-specific”. For example, you can create an expression to identify .pdf files being sent through the system, and then create a compression policy that uses this expression to compress those files (the action).
Policy Expressions behave like an If-Then rule: the expression is the “If”, the action is the “Then”.
Expressions consist of the following components:
Name: expression name
Qualifier: The information to be tested.
Operator: Operation to perform.
Operand: Values to compare to Qualifiers.
Expression Syntax (the rule is a single quoted string):
add expression <name> “<qualifier> <operator> <operand>”
Example:
add expression mpost “REQ.HTTP.METHOD == POST”
Qualifiers
Qualifiers are directional, or flow based: they refer either to requests coming from clients or to responses being sent from backend servers. Most often they are based on components of HTTP flows. In the Policy Expression language, flow-based qualifiers start with REQ for request-based expressions and RES for response-based expressions.
The qualifier format is:
[<flow.type>.<protocol>.]qualifier
For example:
REQ.HTTP.METHOD
REQ.HTTP.URL
REQ.HTTP.HEADER
Operators
The Operator identifies the operation to perform on the operands. The following table defines the operators.
Operator | Description
==, !=, EQ, NEQ | Test for exact matches. These are case sensitive.
GT | Numerical comparison on the length of the URL or query string.
CONTAINS, NOTCONTAINS | Determine whether the specified string is contained in the qualifier. These are not case sensitive.
EXISTS, NOTEXISTS | Check for the existence of a particular qualifier, for example whether a specific HTTP header exists or whether a URL query exists.
CONTENTS | Checks for the existence of the qualifier and its contents.
Operands
An Operand defines the values for the corresponding qualifiers, or the values being compared to the corresponding qualifiers. Wildcard characters can sometimes be used in Operands. For example “/*.gif”.
Policy Limitations
The Cache Redirection feature has a maximum of 128 expressions and Content Switching has a maximum of 512 expressions, which are hard-coded and cannot be changed.
For the remaining features, the NetScaler Application Switch has a built-in limit of 1024 expressions. This can be changed from the NetScaler shell (enter shell at the CLI prompt) with:
nsapimgr -ys maxexpr=<new limit>
Settings made with nsapimgr do not survive a reboot unless the command is also added to /nsconfig/rc.netscaler.
Performance Considerations
Some operators behave differently, so note the behavior and its potential impact on performance.
The operator “==”:
• Is case sensitive
• Accepts the wildcard “*”
• Is not CPU intensive
The operator “CONTAINS”:
• Is not case sensitive
• Does not accept the wildcard “*”
• Is CPU intensive
Because “==” is case sensitive, a rule such as REQ.HTTP.URL == /*.html matches /index.html but not /INDEX.HTML. If the backend serves URLs case-insensitively, a filtering policy written with “==” can be sidestepped by changing the case of the request, so use CONTAINS (or additional expressions covering the case variants) where case variation matters.
Important Policy Behavior - Policy Engine (PE)
Policies are evaluated in the order of their priority numbers, lowest first. Policies operate on a first-match principle: within a feature’s set of policies, the action associated with the first policy whose expression matches is applied. For first-match features, evaluation then stops and no further policies in that set are evaluated.
For features whose policy bindings carry a GOTO expression, the GOTO is consulted after a policy matches: ‘END’ stops evaluation, ‘NEXT’ continues with the next priority number, and a specific priority number jumps to that policy. A policy whose expression does not match is skipped and the next priority is evaluated.
Each feature has its own set of priority numbers for its own set of policies; priority numbers do not overlap between features. A rewrite policy with priority 20 does not interfere with a caching policy with priority 10, 20, or 30. Request-flow policy priorities come before (lower numbers) response-flow policy priorities (higher numbers).
Priority numbers increment in units of 10.
Request flow (evaluated in this order):
• App Fw
• AAA
• SSL Decryption
• Responder
• Caching
• Content Switching
• Load Balancing
• Content Filtering
• HTTP DoS
• SureConnect
• Priority Queueing
• Request Rewrite
• SSL Encryption
Response flow (evaluated in this order):
• SSL Decryption
• Response Rewrite
• HTTP Compression
• TCP Compression
• TCP Buffering
• Content Filtering
• Caching
• App Fw
• SSL Encryption
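The priority-order, first-match and GOTO behavior described above, as an added example that is not part of the Citrix guide: a Python model of one feature’s policy set in which rules are plain callables standing in for classic expressions, and each Binding mirrors one bind <feature> global <policyName> <priority> [<gotoPriorityExpression>] entry. The request, policy names and actions are constructed for illustration, and the rule that a GOTO target must be a higher priority number than the current policy is this model’s assumption.

```python
"""Model of NetScaler policy-bank evaluation: priority order, first match, GOTO.
Added example, not Citrix code; rules are plain callables standing in for classic
expressions, and the GOTO is consulted only after a policy matches."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Binding:
    """One 'bind <feature> global <policyName> <priority> [<goto>]' entry."""
    priority: int
    name: str
    rule: Callable[[Dict[str, str]], bool]
    action: str
    goto: str = "END"   # END (plain first-match), NEXT, or a higher priority number


def evaluate_bank(bindings: List[Binding], request: Dict[str, str]) -> List[str]:
    """Return the actions applied to one request, in the order they were applied."""
    ordered = sorted(bindings, key=lambda b: b.priority)
    applied, i = [], 0
    while i < len(ordered):
        b = ordered[i]
        if not b.rule(request):
            i += 1                      # no match: skip to the next priority
            continue
        applied.append(b.action)
        if b.goto == "END":
            break                       # first match wins; nothing else in the bank runs
        if b.goto == "NEXT":
            i += 1
            continue
        target = int(b.goto)
        if target <= b.priority:        # assumption of this model: jumps only move forward
            raise ValueError(f"{b.name}: GOTO {target} does not move forward")
        i = next((k for k, x in enumerate(ordered) if x.priority >= target), len(ordered))
    return applied


def is_admin(req: Dict[str, str]) -> bool:
    return req["url"].startswith("/admin/")


def everything(req: Dict[str, str]) -> bool:
    return True


def demo_bank() -> Dict[str, List[str]]:
    """Constructed bindings evaluated against a constructed request for /admin/users."""
    request = {"method": "GET", "url": "/admin/users"}
    # Shadowing: a catch-all at priority 10 matches first and ends evaluation, so the
    # deny at priority 20 is never reached; swapping the priorities fixes it.
    shadowed = evaluate_bank([Binding(10, "allow_all", everything, "ALLOW"),
                              Binding(20, "deny_admin", is_admin, "DROP")], request)
    corrected = evaluate_bank([Binding(10, "deny_admin", is_admin, "DROP"),
                               Binding(20, "allow_all", everything, "ALLOW")], request)
    # GOTO NEXT applies a matching policy and still continues down the bank.
    with_next = evaluate_bank([Binding(10, "tag", everything, "TAG", goto="NEXT"),
                               Binding(20, "deny_admin", is_admin, "DROP")], request)
    # GOTO 100 jumps over priorities 20..90 once the tag policy has matched.
    jump = evaluate_bank([Binding(10, "tag", everything, "TAG", goto="100"),
                          Binding(20, "deny_admin", is_admin, "DROP"),
                          Binding(100, "audit", everything, "AUDIT")], request)
    return {"shadowed": shadowed, "corrected": corrected, "with_next": with_next, "jump": jump}
```

The shadowed case is the one to watch for when auditing a configuration: a broad policy with a lower priority number silently prevents a stricter policy from ever being evaluated, so the deny has no effect even though it is bound.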
Sample Expressions using the CLI
add policy expression mget “REQ.HTTP.METHOD == GET”
add policy expression uhtml “REQ.HTTP.URL == /*.html”
add policy expression hhdr “REQ.HTTP.HEADER Host CONTAINS myhost.com”
add policy expression srcip “REQ.IP.SOURCEIP == 192.168.10.1”
add policy expression dstip “REQ.IP.DESTIP == 192.168.12.2”
Sample Expressions using the GUI
To add an expression in the NetScaler GUI, navigate to NetScaler > System > Expressions > Add. Add each expression and click Create.
Compound Expressions
Compound expressions check for multiple conditions. A compound expression is formed from two or more named expressions connected with the logical operators “&&” (and) and “||” (or), grouped for order of evaluation with the symbols “(” and “)”. Compound expressions are processed from left to right with “lazy” evaluation: once the final result is known, evaluation stops.
Sample Compound Expressions using the CLI
Sample using the and (“&&”) operator:
add policy expression not_get “REQ.HTTP.METHOD != GET”
add policy expression not_post “REQ.HTTP.METHOD != POST”
add policy expression not_head “REQ.HTTP.METHOD != HEAD”
add policy expression not_normal_method “not_get && not_post && not_head”
Sample using the or (“||”) operator:
add policy expression no_hdr_host “REQ.HTTP.HEADER Host NOTEXISTS”
add policy expression no_hdr_user_agent “REQ.HTTP.HEADER User-Agent NOTEXISTS”
add policy expression not_normal_hdrs “no_hdr_host || no_hdr_user_agent”
add policy expression bad_request “not_normal_method || not_normal_hdrs”
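As an added example that is not part of the Citrix guide, the following Python script models the expression semantics described in the Operators and Performance Considerations sections, the CLI samples, and the compound expressions above: “==” is case sensitive with “*” as the only wildcard, CONTAINS is case insensitive and takes no wildcard, EXISTS/NOTEXISTS test presence, and compound rules are read left to right with lazy evaluation. Requests are constructed dicts, not captured traffic; the REQ.IP.* qualifiers are omitted; and giving “&&” and “||” equal precedence is an assumption drawn from the guide’s “left to right” wording, so confirm appliance behavior before relying on an unparenthesized mix of the two.

```python
"""Offline model of NetScaler classic (PE) expression semantics. Added example, not Citrix
code: it follows the operator and compound-expression rules the guide states."""
import re

OPERATORS = {"==", "!=", "EQ", "NEQ", "GT", "CONTAINS", "NOTCONTAINS", "EXISTS", "NOTEXISTS"}


def qualifier_value(req, qualifier, arg):
    """Resolve a REQ.* qualifier on a request dict; None means it is absent."""
    q = qualifier.upper()
    if q == "REQ.HTTP.METHOD":
        return req["method"]
    if q == "REQ.HTTP.URL":
        return req["url"]
    if q == "REQ.HTTP.HEADER":  # arg is the header name; names are matched case-insensitively
        return next((v for k, v in req["headers"].items() if k.lower() == arg.lower()), None)
    raise ValueError("unsupported qualifier: " + qualifier)


def wildcard_match(value, pattern):
    """Classic '==' comparison: exact, case-sensitive, and '*' is the only wildcard."""
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None


def eval_simple(rule, req):
    """Evaluate '<qualifier> [<arg>] <operator> [<operand>]' against req."""
    qualifier, *rest = rule.split()
    arg = rest.pop(0) if rest[0].upper() not in OPERATORS else None
    op, operand = rest[0].upper(), " ".join(rest[1:]) or None
    value = qualifier_value(req, qualifier, arg)
    if op in ("EXISTS", "NOTEXISTS"):
        return (value is not None) == (op == "EXISTS")
    if value is None:
        return False                      # an absent qualifier never satisfies a comparison
    if op in ("==", "EQ", "!=", "NEQ"):
        return wildcard_match(value, operand) == (op in ("==", "EQ"))
    if op in ("CONTAINS", "NOTCONTAINS"):  # case-insensitive substring test, no wildcard
        return (operand.lower() in value.lower()) == (op == "CONTAINS")
    if op == "GT":
        return len(value) > int(operand)  # numeric comparison on the length
    raise ValueError("unsupported operator: " + op)


class ExpressionSet:
    """Named expressions, as created with: add policy expression <name> "<rule>"."""
    def __init__(self, rules):
        self.rules = dict(rules)

    def evaluate(self, name, req):
        rule = self.rules[name]
        if rule.split()[0].upper().startswith(("REQ.", "RES.")):
            return eval_simple(rule, req)
        tokens = re.findall(r"\(|\)|&&|\|\||[A-Za-z_]\w*", rule)
        node, pos = self._parse(tokens, 0)
        if pos != len(tokens):
            raise ValueError("unbalanced parentheses in: " + rule)
        return self._eval(node, req)

    def _parse(self, tokens, pos):
        # Assumption: && and || share one precedence level and read left to right.
        node, pos = self._factor(tokens, pos)
        while pos < len(tokens) and tokens[pos] in ("&&", "||"):
            op = tokens[pos]
            right, pos = self._factor(tokens, pos + 1)
            node = (op, node, right)
        return node, pos

    def _factor(self, tokens, pos):
        if tokens[pos] != "(":
            return ("ref", tokens[pos]), pos + 1
        node, pos = self._parse(tokens, pos + 1)
        if tokens[pos:pos + 1] != [")"]:
            raise ValueError("missing ')'")
        return node, pos + 1

    def _eval(self, node, req):
        if node[0] == "ref":
            return self.evaluate(node[1], req)
        left = self._eval(node[1], req)   # lazy: the right side runs only if it can change the result
        if node[0] == "&&":
            return left and self._eval(node[2], req)
        return left or self._eval(node[2], req)


def demo_expressions():
    """The guide's sample expressions run against two constructed requests."""
    exprs = ExpressionSet([("uhtml", "REQ.HTTP.URL == /*.html"),
                           ("hhdr", "REQ.HTTP.HEADER Host CONTAINS myhost.com"),
                           ("not_get", "REQ.HTTP.METHOD != GET"),
                           ("not_post", "REQ.HTTP.METHOD != POST"),
                           ("not_head", "REQ.HTTP.METHOD != HEAD"),
                           ("not_normal_method", "not_get && not_post && not_head"),
                           ("no_hdr_host", "REQ.HTTP.HEADER Host NOTEXISTS"),
                           ("no_hdr_user_agent", "REQ.HTTP.HEADER User-Agent NOTEXISTS"),
                           ("not_normal_hdrs", "no_hdr_host || no_hdr_user_agent"),
                           ("bad_request", "not_normal_method || not_normal_hdrs")])
    normal = {"method": "GET", "url": "/index.html", "headers": {"Host": "WWW.MYHOST.COM", "User-Agent": "x"}}
    odd = {"method": "TRACE", "url": "/INDEX.HTML", "headers": {"Host": "www.myhost.com"}}
    return {"normal_is_bad": exprs.evaluate("bad_request", normal),  # False
            "trace_is_bad": exprs.evaluate("bad_request", odd),      # True: method and no User-Agent
            "uhtml_lower": exprs.evaluate("uhtml", normal),          # True
            "uhtml_upper": exprs.evaluate("uhtml", odd),             # False: '==' is case-sensitive
            "hhdr_upper": exprs.evaluate("hhdr", normal)}            # True: CONTAINS ignores case
```

Running demo_expressions() shows the case-sensitivity trap from the Performance Considerations section: uhtml matches /index.html but not /INDEX.HTML, while hhdr matches a Host header written in any case, and bad_request short-circuits as soon as the first operand settles the result.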
Sample Compound Expressions using the GUI
Sample using the and (“&&”) operator:
www.citrix.com
Citrix Worldwide
Worldwide headquarters
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
USA
T +1 800 393 1888
T +1 954 267 3000
Regional headquarters
Americas
Citrix Silicon Valley
4988 Great America Parkway
Santa Clara, CA 95054
USA
T +1 408 790 8000
Europe
Citrix Systems International GmbH
Rheinweg 9
8200 Schaffhausen
Switzerland
T +41 52 635 7700
Asia Pacific
Citrix Systems Hong Kong Ltd.
Suite 3201, 32nd Floor
One International Finance Centre
1 Harbour View Street
Central
Hong Kong
T +852 2100 5000
Citrix Online division
5385 Hollister Avenue
Santa Barbara, CA 93111
USA
T +1 805 690 6400
About CitrixCitrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than 200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more than 100 countries. Annual revenue in 2006 was $1.1 billion.
Citrix®, NetScaler®, GoToMyPC®, GoToMeeting®, GoToAssist®, Citrix Presentation Server™, Citrix Password Manager™, Citrix Access Gateway™, Citrix Access Essentials™, Citrix Access Suite™, Citrix SmoothRoaming™ and Citrix Subscription Advantage™ are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX® is a registered trademark of The Open Group in the U.S. and other countries. Microsoft®, Windows® and Windows Server® are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.