
Syn504 unleashing the power of the net scaler policy and expressions engine - final


Citrix NetScaler has one of the most powerful policy and expressions engines on the market. We will show how to optimize and avoid lengthy expressions. We will demo how to use some of the powerful yet simple features like pattern-sets for powerful rewrite rules and how to convert those old standard expressions to advanced. How to identify different types of devices like smartphones and tablets in your XenMobile/web deliveries.

In this session you will learn how to:
• Convert from standard to advanced expressions
• Identify clients (smartphones, tablets, etc.)
• Use features like Pattern sets/String maps for effective expressions when modifying data on the fly
• An introduction to using regex and what it can do for you

  • Info on tweets

    This session will focus some time on requirements for implementing HDX Insight and why but quickly move on and show live demos How to implement and especially how easy it is.
  • Will change…
  • Before moving on with some of the actual code, let's take a look at some use cases for policies and expressions
  • Syn504 unleashing the power of the net scaler policy and expressions engine - final

    1. SYN504 - UNLEASHING THE POWER OF THE NETSCALER POLICY AND EXPRESSIONS ENGINE
       MAY 6 – 4.00PM
       Henrik Johansson
       Twitter: @HenrikJay
       Web: https://www.ngenx.com || https://henrikjay.com
       Email: henrik.johansson@ngenx.com || henrik@henrikjay.com
    2. Tweet about this session with hashtag #SYN504 and #CitrixSynergy
    3. Speaker bio compressed
       • CTP, CCIA and AWS certified Architect.
       • Director of Professional Services.
       • 13+ years Citrix experience, 17+ years IT.
       • NetScaler Wizard, Public Cloud, Security, Evangelist and Speaker.
       Henrik Johansson
       Twitter: @HenrikJay
       Web: https://www.ngenx.com || https://henrikjay.com
       Email: henrik.johansson@ngenx.com || henrik@henrikjay.com
    4. nGenx – White label CSP
       Founded in 2000, nGenx is a pioneer in cloud-based application delivery. Throughout our history, we have always pushed the envelope with technology while working to build bridges between all of our technology partners, including Microsoft, Citrix, Cisco, Amazon Web Services, NetApp, RES, Google Chrome, Dell/Compellent, Intuit and others. Working with these partners, we have developed a dynamic set of cloud solutions.
    5. Agenda at a glance
       • What is a policy
       • NetScaler Policies Use cases
       • Classic vs default
       • RegEx intro
       • Optimizing expressions
    6. What are NetScaler policies
       • Policies control how a feature evaluates data and, through the use of logical expressions, determine what action to take for that data.
       • A policy can trigger a simple effect like DROP, nothing (NOOP), or a complex action/chain through profiles.
    7. Expression Hierarchy
       (Diagram of the expression tree; node labels in extraction order.)
       HTTP SYS CLIENT SERVER REQ RES URL METHOD BODY HEADER … STATUS BODY DATE HEADER … DAY HOUR … EXPR PATH PROTOCOL QUERY SUFFIX HOSTNAME EQ CONTAINS BETWEEN SKIP TRUNCATE SUBSTR REGEX_MATCH HTTP_URL_SAFE TYPECAST_TEXT_T … DST SRC ID VERSION CLIENT_CERT … SRCPORT PAYLOAD() … DNS SRCPORT DSTPORT ID THROUGHPUT … SRCMAC DSTMAC NTIME CLASSIC CHECK_LIMIT HTTP_CALLOUT IP VLAN SSL TCP UDP INTERFACE ETHER IPv6 IP VLAN TCP INTERFACE ETHER IPv6 Analytics SIP MySQL MSSQL
    8. Use case - Client/browser identification
       • Enables you to route, modify, control traffic based on:
         • Phone model, browser type, OS
       • Control content delivery
       • Block unsecure features on certain browsers
       • Can be used to trigger other policies like:
         • Redirect thru responder, Rewrite,
       • Example:
         add responder policy RESP_BLOCK_FF_POL "HTTP.REQ.HEADER(\"User-Agent\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Mozilla\")" DROP
    9. Use case - Rewrites
       • Enables you to actively modify and rewrite content on the fly
       • For example requested URLs, text, metadata
       • Example:
         add rewrite action RW_RES_CMPMode_ACT insert_before "HTTP.RES.BODY(10000).SUBSTR(\"<meta\")" q{"<meta http-equiv=\"X-UA-Compatible\" content=\"IE=EmulateIE7\" />"}
    10. Use case - White/blacklisting
       • Use HTTP CallOut to verify client IP or username
       • Fetch back-end pages for response replacement.
       • Can be used to trigger other policies like:
         • Redirect thru responder, Rewrite,
       • Example:
         set policy httpcallout CheckUser -ipaddress 10.10.10.10 -port 80 -returntype text -httpmethod get -urlstemexpr '"/CheckIP&"+HTTP.REQ.USER.NAME' -resultexpr 'http.res.body(5)'
         sys.http_callout(CheckUser)
    11. Classic to Default
       Only support Classic:
       • Authentication, Pre-authentication
       • SSL
       • Cache redirection
       • VPN (session, traffic, and tunnel traffic)
       • Content filtering (use Responder instead)
       Support Default:
       • Application firewall policies
       • Authorization policies
       • Named expressions
       • Compression policies
       • Content switching policies
       • User-defined, rule-based tokens/persistency
    12. Expression conversion
       Manual
       • root@ns# nspepi -e "RES.HTTP.HEADER Content-Type CONTAINS application/msword"
       • "HTTP.RES.HEADER("Content-Type").AFTER_STR("application/msword").LENGTH.GT(0)"
       • root@ns# nspepi -e "URL != '/*.gif'"
       • "HTTP.REQ.URL.REGEX_MATCH(re#/(.*).gif#).NOT"
       • Is this the most optimal rule?
    13. Expression conversion
       Full config
         root@ns# cd /nsconfig
         root@ns# nspepi -f ns.conf
         OUTPUT: New configuration file created: new_ns.conf
         OUTPUT: New warning file created: warn_ns.conf
         root@ns#
    14. Expression conversion
       Remember:
       • Commands that exceed the 1499 character limit must be manually updated.
       • Multiple classic policies can share priority 0. This is not supported in Default.
       • Error lines are shown after the command and in the warning file
       • Use as guidance
       • Test…Test…and when done…Test again!
    15. RegEx
       What is RegEx
       • A regular expression is a sequence or pattern of characters that is matched against a string of text when performing searches.
       • NetScaler uses PCRE
       • Patterns are selective and can search any part of the string.
       • Searches can use different entry points and look back and forward
       • RegEx uses delimiters to select text: re~test|test2~
       • These can be anything that is unique
    16. RegEx

       | Metacharacter | Function | Example | What it Matches |
       |---|---|---|---|
       | ^ | Beginning-of-line anchor | /^love/ | Matches all lines beginning with love |
       | $ | End-of-line anchor | /love$/ | Matches all lines ending with love |
       | . | Matches one character | /l..e/ | Matches lines containing an l, followed by two characters, followed by an e |
       | * | Matches zero or more of the preceding characters | / *love/ | Matches lines with zero or more spaces, followed by the pattern love |
       | [] | Matches one character in the set | /[Ll]ove/ | Matches lines containing love or Love |
       | [x-y] | Matches one character within a range in the set | /[A-Z]ove/ | Matches letters from A through Z followed by ove |
       | [^] | Matches one character not in a set | /[^A-Z]/ | Matches any character not in the range between A and Z |
       | \ | Used to escape a character | /love\./ | Matches lines containing love, followed by a literal period |
    17. RegEx

       | Metacharacter | Function | Definition |
       |---|---|---|
       | \d | Match any digit | [0-9] |
       | \w | Match any word character | [A-Za-z0-9_] |
       | \s | Match any whitespace character | [ \t\n] |
       | \D | Match any NON-digit | [^\d] |
       | \W | Match any NON-word character | [^\w] |
       | \S | Match any NON-whitespace character | [^\s] |
    18. RegEx
       Example text:
         I have a lovely time on our little picnic. Lovers were all around us. It is springtime. Oh love, how much I adore you. Do you know the extent of my love? Oh, by the way, I think I lost my gloves somewhere out in that field of clover. Did you see them? I can only hope love is forever. I live for you. It's hard to get back in the groove.
       Pattern:
         /ove[^a-zA-Z0-9]/
    19. Policy optimization
       • What are you trying to find, don't evaluate full result
         • http.req.url.suffix.contains("jpeg")
         • http.req.url.suffix.eq("jpeg")
       • Regex takes more resources, but can match multiple values
       • Match multiple items in single request
         • HTTP.REQ.HOSTNAME.SERVER.REGEX_MATCH(re~host1|host2~)
       • HTTP.REQ.HEADER("Example").AFTER_STR("more")
       • Is better than
       • HTTP.REQ.HEADER("Example").AFTER_REGEX(re/more/)
    20. Policy optimization – PatternSet
       • A PatternSet is an excellent way to match multiple values
       • Example: Checking for filetypes or hosts
         add policy patset PatSet_AllowedHosts
         bind policy patset PatSet_AllowedHosts host1 -index 1
         bind policy patset PatSet_AllowedHosts host3 -index 2
         HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY("PatSet_AllowedHosts")
    21. Policy optimization - StringMap
       • StringMap can be used for dynamic renaming
         add policy stringmap SM_Name
         bind policy stringmap SM_Name site1.domain.com "Desktop1"
         bind policy stringmap SM_Name site2.domain.com "Desktop2"
         add rewrite action RW_RES_DesktopName_ACT replace_all "HTTP.RES.BODY(100000)" "HTTP.REQ.HOSTNAME.SERVER.MAP_STRING(\"SM_Name\")" -pattern "re~(Other Desktop)|(Real Desktop)~" -bypassSafetyCheck YES
    22. Policy optimization - ExpressionPolicy
       • Expression policy simplifies reusing frequently used expressions
         add policy expression Exp1 "!HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PatSet_AllowedHosts\")"
         add responder policy RESP_DROP_Unsecure_Hosts_POL Exp1 DROP
    23. Policy optimization – Correct policy
       • Always use the correct policy expression
       Example:
         HTTP.REQ.URL.QUERY
       Performs better than
         HTTP.REQ.URL.AFTER_STR("?")
       which is based on string parsing that has to look through the whole query
    24. Policy optimization - TypeCasting
       • TypeCasting allows you to convert data
         HTTP.REQ.HEADER("Example").AFTER_STR(",").BEFORE_STR(",")
       Can be optimized by changing into
         HTTP.REQ.HEADER("Example").TYPECAST_LIST_T(',').GET(1)
       • SET_TEXT_MODE(IGNORECASE) is excellent when working with rewrite
    25. Online resources
       • Citrix NetScaler Policy Expression Reference - Release 10.1
         http://support.citrix.com/article/CTX137705
       • Typecasting
         http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-1-map/ns-typecasting-data-wrapper-con.html#ns-typecasting-data-wrapper-con
    26. Questions?
       Henrik Johansson
       Twitter: @HenrikJay
       Web: https://www.ngenx.com || https://henrikjay.com
       Email: henrik.johansson@ngenx.com || henrik@henrikjay.com
    27. Before you leave…
       • Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 8 at 9:00 a.m.
         ᵒ Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes
       • Download presentations starting Monday, May 19, from your My Event Planning Tool
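
Slide 12 asks whether the nspepi-converted rule `re#/(.*).gif#` is the most optimal one. The following added example (not part of the original deck) compares it in Python's `re` against an anchored pattern and the suffix comparison from slide 19. The URLs are constructed, and treating REGEX_MATCH as an unanchored search and `suffix()` as a stand-in for HTTP.REQ.URL.SUFFIX are assumptions.

```python
import re

# Pattern emitted by nspepi on slide 12: re#/(.*).gif#
# Assumption: REGEX_MATCH is true when the pattern matches anywhere in the
# URL, which re.search models. The dot before "gif" is unescaped.
CONVERTED = re.compile(r"/(.*).gif")

# Tighter regex: literal dot, and ".gif" must end the path (no query text).
ANCHORED = re.compile(r"^[^?]*\.gif(?:\?|$)")


def suffix(url):
    """Hypothetical model of HTTP.REQ.URL.SUFFIX: extension of the last path segment."""
    path = url.split("?", 1)[0]
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1] if "." in last else ""


def classify(url):
    """Report how each of the three rule styles treats one URL."""
    return {
        "converted": bool(CONVERTED.search(url)),
        "anchored": bool(ANCHORED.search(url)),
        "suffix_eq": suffix(url) == "gif",
    }


def overmatched(urls):
    """URLs the converted regex treats as GIFs although the suffix is not gif."""
    return [u for u in urls if classify(u)["converted"] and not classify(u)["suffix_eq"]]


# Constructed sample URLs (not from the deck).
SAMPLES = [
    "/img/logo.gif",
    "/img/logo.gif?v=2",
    "/shop/gifts/index.html",
    "/img/logo.png?next=/a.gif",
    "/img/logo.png",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, classify(url))
    print("over-matched:", overmatched(SAMPLES))
```

Because the converted rule ends in `.NOT`, every over-matched URL is one the policy silently skips; the suffix comparison avoids both the regex cost and the over-match.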
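
Slides 20 and 22 build a host allowlist with CONTAINS_ANY, which is a substring test. The following added example (not part of the original deck) models that test next to an exact comparison, as EQUALS_ANY performs, to show which Host values each one admits. The pattern-set values are the ones bound on slide 20; the Host values and the Python helper names are constructed for illustration.

```python
# Values bound to PatSet_AllowedHosts on slide 20.
PATSET_ALLOWED_HOSTS = ["host1", "host3"]


def contains_any(host, patset):
    """Model of SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY: any pattern is a substring."""
    h = host.lower()
    return any(p.lower() in h for p in patset)


def equals_any(host, patset):
    """Model of SET_TEXT_MODE(IGNORECASE).EQUALS_ANY: the whole value equals a pattern."""
    h = host.lower()
    return any(p.lower() == h for p in patset)


def dropped_by_slide_policy(host, patset):
    """Slide 22: Exp1 is the negated CONTAINS_ANY test and is bound to DROP."""
    return not contains_any(host, patset)


def admitted_only_by_substring(hosts, patset):
    """Hosts the slide's policy lets through that an exact match would drop."""
    return [
        h for h in hosts
        if not dropped_by_slide_policy(h, patset) and not equals_any(h, patset)
    ]


# Constructed Host header values (not from the deck).
SAMPLE_HOSTS = [
    "host1",
    "HOST3",
    "host2",
    "host10",
    "host1.example.net",
    "nothost3.example.org",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        verdict = "DROP" if dropped_by_slide_policy(host, PATSET_ALLOWED_HOSTS) else "pass"
        print(f"{host:24} contains_any -> {verdict:5} "
              f"equals_any -> {equals_any(host, PATSET_ALLOWED_HOSTS)}")
    print(admitted_only_by_substring(SAMPLE_HOSTS, PATSET_ALLOWED_HOSTS))
```

When the pattern set is meant as an allowlist, binding full host names and testing with EQUALS_ANY keeps longer names that merely contain an entry from passing.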
