CITRIX
Education
CNS-220-2I:
Rewrite
Responder
URL Transform
Module 4 - Content Switching
Content Switching
Content-Switching Configuration
Content-Switching GSLB
GSLB MEP and Monitoring
Customizing GSLB
NetScaler Clustering
NetScaler Cluster Configuration
Course Overview
CNS-219-2i
Version: 1
Lab Guide: v1
load balancing.
Lab 1 (diagram): Requirements: check connectivity to the environment and report any issues.
Education Classroom Support (slide): How do I open a Classroom Support ticket?
How likely is it you would recommend Citrix Courses to a friend? (Not at all Likely ... Extremely Likely)
What can we do better?
NetScaler Traffic Management
Classic Policies
CNS-219-2i
Version 1.0
Key Notes:
Policies control how a feature evaluates data, which ultimately determines what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate requests, responses, or other data, and applies one or more actions determined by the outcome of the evaluation. Alternatively, a policy can apply a profile, which defines a complex action.
Some NetScaler features use default syntax policies, which provide greater capabilities than do the older, classic policies. If you migrated to a newer release of the NetScaler software and have configured classic policies for features that now use default syntax policies, you might have to manually migrate policies to the default syntax.
Basic Components of a Classic or Default Syntax Policy:
• Name.
  • Each policy has a unique name.
• Rule.
  • The rule is a logical expression that enables the NetScaler feature to evaluate a piece of traffic or another object. For example, a rule can enable the NetScaler to determine whether an HTTP request originated from a particular IP address, or whether a Cache-Control header in an HTTP request has the value "No-Cache."
  • Default syntax policies can use all of the expressions that are available in a classic policy, with the exception of classic expressions for the SSL VPN client. In addition, default syntax policies enable you to configure more complex expressions.
• Bindings.
  • To ensure that the NetScaler can invoke a policy when it is needed, you associate the policy, or bind it, to one or more bind points. You can bind a policy globally or to a virtual server.
Additional Resources:
• How Different NetScaler Features Use Policies
http://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions/ns-pi-intro-pol-exp-wrapper-con/ns-pi-adv-class-pol-con.html
Key Notes:
Both classic and default policies derive their ability to control the NetScaler's behavior from the evaluation of a logical expression, or rule, in the policy. The NetScaler evaluates requests, responses, or other data based on the rule and takes one or more actions based on the outcome of the evaluation.
Policy expression engines include:
• Classic policy expression engine
• Policy Infrastructure engine
Expression languages include:
• Classic policy
• Advanced policy
Key Notes:
Classic policies are evaluated according to bind points and priority level.
Classic policies evaluate basic characteristics of traffic and other data. For example, classic policies can identify whether an HTTP request or response contains a particular type of header or URL.
The Classic Expressions are being deprecated after NetScaler 12.0.
Key Notes:
Flow is always in the first position of a classic policy expression, for example REQ.HTTP or RES.IP.
For classic policies, policy groups and policies within a group are evaluated in a particular order, depending on the following:
1. The bind point for the policy. For example, at request time the NetScaler evaluates all request-time classic policies before evaluating any virtual server-specific policies.
2. The priority level for the policy. For each point in the evaluation process, a priority level assigned to a policy determines the order of evaluation relative to other policies that share the same bind point.
Key Notes:
Named expressions are saved, reusable pieces of logic. If you think you will need the same piece of logic in multiple features, you can create a named expression and use it in policies across features.
Named Expressions are named logical statements.
Expressions are applied to content that enters the system.
Named expressions are created once, and can then be referenced a number of times by different feature sets in the Citrix NetScaler. This decreases administrative overhead for policy expressions. For example, you write an expression to identify ASP pages; you then use this expression in both a compression policy (to compress the pages) and a content switching policy (to direct the connection to the correct servers).
Even if expressions are written inline, the same syntax to define the expression can be used across different feature sets, simplifying the use of the NetScaler appliance.
Additional Resources:
Configuring Classic Policies and Expressions: http://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions.html
You can also download a list of all the expressions supported on a legacy NetScaler appliance and the hierarchical order in which they can be invoked. The reference is in a zip file which you can download from:
• For NetScaler 10.5: http://support.citrix.com/article/CTX141344
• For NetScaler 10.1: http://support.citrix.com/article/CTX137705
2. REQ.TCP.DESTPORT == 80
• A qualifier is compared with the expression value, which can be literal text, a substring of text, or a numeric value.
Key Notes:
An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—that manipulates one or more objects, or operands. The first section in this topic defines the operators you can use and provides a definition. The second section lists the operators you can use with specific qualifiers, such as method, URL and query.
Operators:
• ==
  • Boolean.
  • Returns TRUE if the current expression equals the argument. For text operations, the items being compared must exactly match one another. For numeric operations, the items must evaluate to the same number.
• !=
  • Boolean.
  • Returns TRUE if the current expression does not equal the argument. For text operations, the items being compared must not exactly match one another. For numeric operations, the items must not evaluate to the same number.
• CONTAINS
  • Boolean.
  • Returns TRUE if the current expression contains the string that is designated in the argument.
• NOTCONTAINS
  • Boolean.
  • Returns TRUE if the current expression does not contain the string that is designated in the argument.
• >
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is greater than the argument.
• <
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is less than the argument.
• >=
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is greater than or equal to the argument.
• <=
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is less than or equal to the argument.
Slide (classic expression qualifiers): IP: Source IP; Source Port; MSS; Method; URL; URL Tokens; Version; SSL: Client Cert - Subject, Issuer, SigAlgo, Version, Validity.
Key Notes:
If you are not going to reuse the logic, then just write it inline, but if you know it is something you might reuse, then a named expression saves time and trouble.
• With HTTP 1.1, Cookies are used for storing session information.
• HTTPS implements encryption of HTTP traffic.
• Versions: HTTP 0.9, HTTP 1.0, HTTP 1.1, HTTP 2.0
Key Notes:
Short for HyperText Transfer Protocol, HTTP is the underlying protocol for the World Wide Web. HTTP defines how messages are formatted and transmitted and what actions web servers and browsers should take in response to various commands.
Additional Resources:
HTTP 1.0: https://tools.ietf.org/html/rfc1945
HTTP 1.1: https://tools.ietf.org/html/rfc7231
HTTP 2.0: https://tools.ietf.org/html/rfc7540
NetScaler Support for 2.0: https://docs.citrix.com/en-us/netscaler/11/system/http-configurations/configuring-http2.html
Key Notes:
A request message from a client to a server includes, within the first line of that message, the method to be applied to the resource, the identifier of the resource, and the protocol version in use. The general format of a Request is as follows:
Request = Request-Line
          *(( general-header
           | request-header
           | entity-header ) CRLF)
          CRLF
          [ message-body ]
Additional resources:
HTTP Request Format: https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html
HTTP/1.1 200 OK
Date: Wed, 19 Apr 2017 18:52:05 GMT
Server: Apache
Set-Cookie: MoodleSession=eolrrnmdtrv29nblqlu0ipleupl; path=/
Expires:
Cache-Control: private, pre-check=0, post-check=0, max-age=0
Pragma: no-cache
Content-Language: en
Accept-Ranges: none
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Key Notes:
A response message from a server to a client includes, within the first line of that message, the protocol version followed by a numeric status code and its associated textual phrase. The general format of a Response is as follows:
Response = Status-Line
           *(( general-header
            | response-header
            | entity-header ) CRLF)
           CRLF
           [ message-body ]
The Status-Code is a 3-digit integer result code of the attempt to understand and satisfy the request. It can be classified as follows:
• 1xx: Informational - Request received, continuing process.
• 2xx: Success - The action was successfully received, understood, and accepted.
• 3xx: Redirection - Further action must be taken in order to complete the request.
• 4xx: Client Error - The request contains bad syntax or cannot be fulfilled.
• 5xx: Server Error - The server failed to fulfil an apparently valid request.
Key Notes:
Simple expressions check for a single condition.
An example of a simple expression is:
Consider the URL https://mail.google.com/mail/u/0/#inbox
Expression: REQ.HTTP.URL == /mail/u/0/#inbox
Additional Resources:
Link to Citrix Prod Docs on Policies and Expressions
https://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions.html
• Long request:
add pol exp big_url "REQ.HTTP.URLLEN > 256"
add pol exp has_cookie_header "REQ.HTTP.HEADER cookie exists"
Key Notes:
Named expressions are created once, and can then be referenced a number of times by different feature sets in the Citrix NetScaler. This decreases administrative overhead for policy expressions. For example, you write an expression to identify ASP pages; you then use this expression in both a compression policy (to compress the pages) and a content switching policy (to direct the connection to the correct servers).
To create a named expression:
• ... then click Expressions.
• In the details pane, click Add.
• To create an expression, click Add.
• Do one of the following:
  • In Frequently Used Expression, select an expression from the list, click OK, click Create and then click Close.
  • Under Construct Expression, select the parameters for the expression string, click OK, click Create and then click Close.
Key Notes:
A compound expression can contain any number of logical and arithmetic operators.
Booleans in Compound Expressions
• && : This operator is a logical AND. For the expression to evaluate to TRUE, all components that are joined by the AND must evaluate to TRUE.
• || : This operator is a logical OR. If any component of the expression that is joined by the OR evaluates to TRUE, the entire expression is TRUE.
• ! : Performs a logical NOT on the expression.
Compound expressions check for multiple conditions. You create compound expressions by connecting one or more expression names using the logical operators && and ||. You can use parentheses to group the expression in the order of evaluation.
Compound expressions can be categorized as:
Named expressions. As an independent entity, a named expression can be reused by other policies and is part of the policy. You configure named expressions at the system level in the configuration utility. You can use a predefined named expression in the policy or create one of your own.
Inline expressions. An inline expression is one that you build within the policy and that is specific to the policy.
Configuring Policies with the AND (&&) Operator:
• The AND (&&) operator works by combining two client security strings so that the compound check passes only when both checks are true. The expression is evaluated from left to right and if the first check fails, the second check is not carried out.
• You can configure the AND (&&) operator using the keyword 'AND' or the symbols '&&'.
• Example:
  • The following is a client security check that determines if the user device has either the file c:\file.txt on it or the putty.exe process running on it.
  • (client.file(c:\\\\file.txt) EXISTS) OR (client.proc(putty.exe) EXISTS)
  • This string can also be configured as
  • (client.file(c:\\\\file.txt) EXISTS) || (client.proc(putty.exe) EXISTS)
• Configuring Policies Using the NOT ( ! ) Operator
• Example:
  • The following client security check passes if the file c:\sophos_virus_defs.dat is NOT more than two days old:
  • !(client.file(c:\\\\sophos_virus_defs.dat).timestamp==2dy)
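The following is an added example, not NetScaler code and not from the course: it parses a request exactly as the HTTP Request-Line/headers format above lays it out, then evaluates classic-style simple, named and compound expressions against it (the operators from the operators list, the two named expressions from the slide, and &&, ||, ! with parentheses). The sample request, the connection facts and the third named expression are constructed for this example; only the REQ flow and a handful of HTTP, TCP and IP qualifiers are modelled.

```python
import re

# Constructed sample request (not from the page): a long URL plus a Cookie header.
SAMPLE_REQUEST = (b"GET /mail/u/0/" + b"a" * 260 + b"?folder=inbox HTTP/1.1\r\n"
                  b"Host: mail.example.com\r\nCookie: SID=abc123\r\n\r\n")
# Connection facts the appliance knows that are not in the HTTP bytes (constructed).
SAMPLE_CONN = {"DESTPORT": 80, "SOURCEIP": "10.0.0.5"}
# Named expressions: the two from the page plus one constructed for this example.
NAMED = {"big_url": "REQ.HTTP.URLLEN > 256",
         "has_cookie_header": "REQ.HTTP.HEADER cookie EXISTS",
         "is_plain_http": "REQ.TCP.DESTPORT == 80"}
# Tokens: parentheses, && || !, relational operators, quoted strings, bare words.
TOKEN = re.compile(r'\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|"[^"]*"|[^\s()"!&|<>=][^\s()"&|]*')

def parse_request(raw: bytes) -> dict:
    """Split Request-Line, headers and body as the HTTP request format lays them out."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {"method": method, "url": url, "version": version, "headers": headers, "body": body}

def resolve(qualifier: str, header, req: dict, conn: dict):
    """Map a classic qualifier (flow.protocol.qualifier) to the value it names, or None."""
    flow, proto, name = qualifier.upper().split(".", 2)
    if flow != "REQ":
        raise ValueError("only the REQ flow is modelled in this example")
    if proto in ("TCP", "IP"):
        return conn.get(name)
    lookups = {"URL": lambda: req["url"], "URLLEN": lambda: len(req["url"]),
               "URLQUERY": lambda: req["url"].partition("?")[2],
               "METHOD": lambda: req["method"],
               "HEADER": lambda: req["headers"].get((header or "").lower())}
    return lookups[name]()  # HTTP qualifiers supported by this example

def compare(actual, op: str, raw_value: str) -> bool:
    """Relational operators from the page; an item that does not exist never matches."""
    if actual is None:
        return False
    value = raw_value.strip('"')
    if op in ("CONTAINS", "NOTCONTAINS"):
        return (value in str(actual)) == (op == "CONTAINS")
    if op in (">", "<", ">=", "<="):
        a, b = int(actual), int(value)  # both sides must evaluate to numbers
        return {">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]
    if op in ("==", "!="):
        return (str(actual) == value) == (op == "==")  # text must match exactly
    raise ValueError(f"unknown operator {op}")

def evaluate(expression: str, req: dict, conn: dict, named: dict = NAMED) -> bool:
    """Recursive-descent evaluation of an inline, named or compound classic expression:
    expr := term ('||' term)*; term := factor ('&&' factor)*;
    factor := '!' factor | '(' expr ')' | atom; atom := qualifier [header] op [value] | name."""
    tokens = TOKEN.findall(expression)
    peek = lambda: tokens[0] if tokens else None
    def expr():
        value = term()
        while peek() in ("||", "OR"):
            tokens.pop(0)
            value = term() or value
        return value
    def term():
        value = factor()
        while peek() in ("&&", "AND"):
            tokens.pop(0)
            value = factor() and value
        return value
    def factor():
        if peek() == "!":
            tokens.pop(0)
            return not factor()
        if peek() == "(":
            tokens.pop(0)
            value = expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return value
        return atom()
    def atom():
        tok = tokens.pop(0)
        if not tok.upper().startswith(("REQ.", "RES.")):
            return evaluate(named[tok], req, conn, named)  # a bare name is a named expression
        header = tokens.pop(0) if tok.upper().endswith(".HEADER") else None
        op = tokens.pop(0).upper()
        actual = resolve(tok, header, req, conn)
        if op in ("EXISTS", "NOTEXISTS"):
            return (actual is not None) == (op == "EXISTS")
        return compare(actual, op, tokens.pop(0))
    result = expr()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return bool(result)
```

Call `evaluate("big_url && has_cookie_header", parse_request(SAMPLE_REQUEST), SAMPLE_CONN)` to see the compound of the two page-defined named expressions evaluate to TRUE for the sample request.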
Key Notes:
Policy Type and Bind Points for Policies in Features that Use Classic Policies (NetScaler 12.0)
System features, Authentication:
• Virtual Servers: None
• Supported Policies: Authentication policies
• Policy Bind Points: Global
• How you Use the Policy: For the Authentication feature, policies contain authentication schemes for different authentication methods. For example, you can configure LDAP and certificate-based authentication schemes.
SSL:
• Virtual Servers: None
• Supported Policies: SSL policies
• Policy Bind Points: Global and Load Balancing virtual server
• How you Use the Policies: To determine when to apply an encryption function and add certificate information to clear text. To provide end-to-end security. After a message is decrypted, the SSL feature re-encrypts clear text and uses SSL to communicate with back-end Web servers.
Content Switching:
• (Can use either classic or default syntax policies, but not both)
• Virtual Servers: Content Switching virtual server
• Supported Policies: Content Switching policies
• Policy Bind Points: Content Switching virtual server and Cache Redirection virtual server
Content Filtering:
• Supported Policies: Content Filtering policies
• Policy Bind Points: Global, Content Switching virtual server, Load Balancing virtual server, SSL Offload virtual server, and Service
• How you Use the Policies: To configure the behavior of the filter function.
Protection features, SureConnect:
• Virtual Servers: None
• Supported Policies: SureConnect policies
• Policy Bind Points: Load Balancing virtual server, SSL Offload virtual server, and Service
• How you Use the Policies: To configure the behavior of the SureConnect function.
Protection features, Priority Queuing:
• Virtual Servers: None
• Supported Policies: Priority Queuing policies
• Policy Bind Points: Load Balancing virtual server and SSL Offload virtual server
• How you Use the Policies: To configure the behavior of the Priority Queuing function.
HTML Injection:
• Virtual Server: None
• Supported Policies: HTML Injection Policies
• Policy Bind Points: Global, Load Balancing virtual server, Content Switching virtual server, and SSL Offload virtual server
• How you Use the Policies: To enable the NetScaler to insert text or scripts into an HTTP response that it serves to a client.
AAA - Traffic Management:
• Virtual Servers: None
cache or an origin server.
Application firewall:
• Virtual Servers: None
• Supported Policies: Application firewall policies
• Policy Bind Points: Global
• How you Use the Policies: To identify characteristics of traffic and data that should or should not be admitted through the firewall.
NetScaler Gateway:
• Virtual Servers: VPN server
• Supported Policies: Pre-Authentication policies
• Policy Bind Points: AAA Global and VPN vserver
• How you Use the Policies: To determine how the NetScaler Gateway performs authentication, authorization, auditing, and other functions, and to define rewrite rules for general Web access using the NetScaler Gateway.
• Supported Policies: Authentication policies
• Policy Bind Points: System Global, AAA Global, and VPN vserver
• How you Use the Policies: To determine how the NetScaler Gateway performs authentication, authorization, auditing, and other functions, and to define rewrite rules for general Web access using the NetScaler Gateway.
• Supported Policies: Auditing policies
• Policy Bind Points: User, User group, and VPN vserver
• How you Use the Policies: To determine how the NetScaler Gateway performs authentication, authorization, auditing, and other functions, and to define rewrite rules for general Web access using the NetScaler Gateway.
• Supported Policies: Session policies
• How you Use the Policies: To determine how the NetScaler Gateway performs authentication, authorization, auditing, and other functions, and to define rewrite rules for general Web access using the NetScaler Gateway.
• Supported Policies: TCP Compression policies
• Policy Bind Points: VPN Global
• How you Use the Policies: To determine how the NetScaler Gateway performs authentication, authorization, auditing, and other functions, and to define rewrite rules for general Web access using the NetScaler Gateway.
Additional Resources:
To see all features see: http://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions/ns-pi-config-classic-pols-exprs-wrapper-con.html
Key Notes:
Usually the same functions can be handled by Responder policies; however, unlike Responder, which only operates on the REQ traffic, Content Filtering can operate on the REQ or RES.
Following are some examples of things you can do with content filtering policies:
• Prevent users from accessing certain parts of your Web sites unless they are connecting from authorized locations.
• Prevent inappropriate HTTP headers from being sent to your Web server, possibly breaching security.
• Redirect specified requests to a different server or service.
Key Notes:
The Content Filter can be used for the following functionality:
• ADD - Adds the specified HTTP header.
• RESET - Terminates the connection, sending the appropriate termination notice to the user's browser.
• FORWARD - Redirects the request to the designated service. You must specify either a service name or a page, but not both.
• DROP - Silently deletes the request, without sending a response to the user's browser.
• CORRUPT - Modifies the designated HTTP header to prevent it from performing the function it was intended to perform, then sends the request/response to the server/browser.
• ERRORCODE - Returns the designated HTTP error code to the user's browser (for example, 404, the standard HTTP code for a non-existent Web page).
The Content Filter will be deprecated after NetScaler version 12.0. We can use other features to achieve the functionality of the content filtering:
• The Rewrite Policy can be used to ADD or CORRUPT the HTTP headers.
• The rewrite/responder policy can be used to DROP/RESET or to respond with an ERROR CODE.
• Content Switching provides the functionality equivalent to the FORWARD action of Content Filtering.
Slide (filter policy dialog): a filter policy consists of an Expression and an Action (for example RESET).
Key Notes:
CLI for adding Content filters:
• add filter action <name> <qualifier> [<serviceName>] [<value>] [<respCode>] [<page>]
To implement content filtering, you must configure at least one policy to tell your NetScaler appliance how to distinguish the connections you want to filter. You must first have configured at least one filtering action, because when you configure a policy, you associate it with an action.
Content filtering policies examine a combination of one or more of the following elements to select requests or responses for filtering:
• URL: The URL in the HTTP request.
• URL query: Only the query portion of the URL, which is the portion after the query (?) symbol.
• URL token: Only the tokens in the URL, if any, which are the parts that begin with an ampersand (&) and consist of the token name, followed by an equals sign (=), followed by the token value.
• HTTP method: The HTTP method used in the request, which is usually GET or POST, but can be any of the eight defined HTTP methods.
• HTTP version: The HTTP version in the request, which is usually HTTP 1.1.
• Standard HTTP header: Any of the standard HTTP headers defined in the HTTP 1.1 specification.
• Standard HTTP header value: The value portion of the HTTP header, which is the portion after the colon and space (: ).
• Custom HTTP header: A non-standard HTTP header issued by your Web site or that appears in a user request.
• Custom header value: The value portion of the custom HTTP header, which (as with the standard HTTP
Key Notes:
If traffic does not match any content filtering policy, the virtual server will send it to a default load balancing server if one is defined. If no default server is defined on the content switching virtual server, the non-matched traffic will be dropped.
NetScaler Traffic Management
AppExpert Default Policies
CNS-219-2i
Version 1.0
Key Notes:
Default syntax policies can perform the same type of evaluations as classic policies. In addition, default syntax policies enable you to analyze more data (for example, the body of a request into an HTTP header).
Default syntax policies use a powerful expression language that is built on a class-object model, and they offer several options that enhance your ability to configure the behavior of various NetScaler features. With default syntax policies, you can do the following:
• Perform fine-grained analyses of network traffic from layers 2 through 7.
• Evaluate any part of the header or body of an HTTP or HTTPS request or response.
• Bind policies to the multiple bind points that the default syntax policy infrastructure supports at the default, override, and virtual server levels.
• Use Goto expressions to transfer control to other policies and bind points, as determined by the result of expression evaluation.
• Use special tools such as pattern sets, policy labels, rate limit identifiers, and HTTP callouts, which enable you to configure policies effectively for complex use cases.
Additionally, the configuration utility extends robust graphical user interface support for default syntax policies and expressions and enables users who have limited knowledge of networking protocols to configure policies quickly and easily. The configuration utility also includes a policy evaluation feature for default syntax policies. You can use this feature to evaluate a default syntax policy and test its behavior before you commit it, thus reducing the risk of configuration errors.
Evaluate the body of an HTTP request) and to configure more operations in the policy rule (for example, transforming data in the body of a request into an HTTP header).
Key Notes:
For many NetScaler features, policies control how a feature evaluates data, which ultimately determines what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate requests, responses, or other data, and applies one or more actions determined by the outcome of the evaluation. Alternatively, a policy can apply a profile, which defines a complex action.
Key Notes:
Citrix suggests using default policies instead of classic when possible. Exceptions are if the service does not support default policies, or, if a company is heavily invested in classic, it may not make sense to try and switch. When in doubt though, use default policies.
Please note that the Classic policies are being deprecated after version 12.0.
Example of classic vs default: Classic can evaluate the HTTP header, whereas default policies can evaluate the HTTP header and/or body.
Key Notes:
AAA Exceptions
• Traffic policies only support Default.
• Authorization policies support Both.
Name: Each policy must have a unique name, bound by NetScaler naming rules.
Actions: A separate entity from the policy that dictates what NetScaler should do in the case of a positive expression evaluation.
Key Notes:
We recommend creating simple rules and compounding them, instead of creating complex rules. This makes for simpler management and provides modularity.
• Names should follow a logical convention.
• Default syntax policies can use all of the expressions that are available in a classic policy, with the exception of classic expressions for the SSL VPN client.
Key Notes:
Conversion is only for features that support default policies along with classic policies; for example, you cannot convert SSL VPN policies.
-v logs results to the warn_ns.conf file.
It is critical to verify and test after conversion.
Additional Resources:
Citrix edocs on NetScaler 12 expression conversion:
http://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions/ns-pi-intro-pol-exp-wrapper-con/ns-pi-pe-to-pi-conversion-tool-wrapper-con.html
Key Notes:
You can create default syntax policies for various NetScaler features, including DNS, Rewrite, Responder, and Integrated Caching, and the clientless access function in the NetScaler Gateway. Policies control the behavior of these features.
When you create a policy, you assign it a name, a rule (an expression), feature-specific attributes, and an action that is taken when data matches the policy. After creating the policy, you determine when it is invoked by binding it globally or to either request-time or response-time processing for a virtual server.
Policies that share the same bind point are known as a policy bank. For example, all policies that are bound to a virtual server constitute the policy bank for the virtual server. When binding the policy, you assign it a priority level to specify when it is invoked relative to other policies in the bank. In addition to assigning a priority level, you can configure an arbitrary evaluation order for policies in a bank by specifying Goto expressions.
In addition to policy banks that are associated with a built-in bind point or a virtual server, you can configure policy labels. A policy label is a policy bank that is identified by an arbitrary name. You invoke a policy label, and the policies in it, from a global or virtual-server-specific policy bank. A policy label or a virtual-server policy bank can be invoked from multiple policy banks.
When working with default policies, first define the expression, which is the condition under which the policy will apply.
• Expressions on a NetScaler system can be configured using:
  • The Configuration Utility.
  • The CLI.
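An added example (not NetScaler code and not from the course) that models the default-syntax evaluation described in these notes: policy banks evaluated in priority order, Goto expressions (NEXT, END, or a numeric priority) steering the order within a bank, a policy label invoked from a virtual-server bank, and the bank order stated later in this module (global override, then virtual server, then global default). The policy names, the sample requests and the USE_INVOCATION_RESULT handling are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Policy:
    """One default-syntax policy binding: rule, priority, Goto expression, optional label."""
    name: str
    priority: int
    rule: Callable[[dict], bool]
    goto: str = "NEXT"            # "NEXT", "END", "USE_INVOCATION_RESULT" or a priority as text
    invoke: Optional[str] = None  # policy label invoked when this policy matches

def evaluate_bank(bank: List[Policy], req: dict, labels: Dict[str, List[Policy]],
                  hits: List[str]) -> bool:
    """Evaluate one bank (global, vserver or label) by priority; True means evaluation must stop."""
    ordered = sorted(bank, key=lambda p: p.priority)
    i = 0
    while i < len(ordered):
        pol = ordered[i]
        if not pol.rule(req):
            i += 1
            continue
        hits.append(pol.name)  # the policy's action would be applied here
        goto = pol.goto
        if pol.invoke is not None:
            invoked_end = evaluate_bank(labels[pol.invoke], req, labels, hits)
            if goto == "USE_INVOCATION_RESULT":  # assumed: END inside the label ends evaluation
                goto = "END" if invoked_end else "NEXT"
        if goto == "END":
            return True
        if goto == "NEXT":
            i += 1
            continue
        target = int(goto)  # numeric Goto: jump forward to the first priority >= target
        if target <= pol.priority:
            raise ValueError(f"{pol.name}: a numeric Goto must point past the current priority")
        i = next((k for k, p in enumerate(ordered) if p.priority >= target), len(ordered))
    return False

def evaluate_request(req: dict, override: List[Policy], vserver: List[Policy],
                     default: List[Policy], labels=None) -> List[str]:
    """Bank order from the module: global override, then the virtual server bank, then global default."""
    hits: List[str] = []
    for bank in (override, vserver, default):
        if evaluate_bank(bank, req, labels or {}, hits):
            break
    return hits

# Constructed banks with hypothetical policy names (not from the page).
OVERRIDE = [Policy("block_admin_from_outside", 100,
                   lambda r: r["url"].startswith("/admin") and not r["src"].startswith("10."), "END")]
LABELS = {"api_lbl": [Policy("api_v1_route", 10, lambda r: r["url"].startswith("/api/v1"), "END"),
                      Policy("api_other_route", 20, lambda r: True)]}
VSERVER = [Policy("api_traffic", 100, lambda r: r["url"].startswith("/api"),
                  "USE_INVOCATION_RESULT", invoke="api_lbl"),
           Policy("static_assets", 110, lambda r: r["url"].endswith((".css", ".js")), "300"),
           Policy("audit_log", 200, lambda r: True),
           Policy("add_security_header", 300, lambda r: True)]
DEFAULT = [Policy("global_default_log", 100, lambda r: True)]

def run(url: str, src: str = "203.0.113.9") -> List[str]:
    """Names of the policies whose actions fire for a constructed request, in evaluation order."""
    return evaluate_request({"url": url, "src": src}, OVERRIDE, VSERVER, DEFAULT, LABELS)

if __name__ == "__main__":
    for url in ("/admin/users", "/api/v1/items", "/api/v2/items", "/site.css"):
        print(f"{url:16} -> {run(url)}")
```

The numeric Goto on static_assets skips audit_log (priority 200) and resumes at priority 300, while an END reached inside the label stops everything that would otherwise follow in the vserver and global default banks.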
Key Notes:
The Policy Infrastructure engine uses the default policy expression language. The expression language is universal and can be reused across feature sets that support the default policy engine.
You can configure text expressions to be case sensitive or case insensitive and to use or ignore spaces. You can also configure complex text expressions by combining text expressions with Boolean operators.
Default Syntax Expressions can be used for parsing HTTP, TCP, and UDP data.
Slide (default syntax expression prefixes): CONNECTION, SMPP, SUBSCRIBER; example: HTTP.REQ.HOSTNAME.EQ("www.citrix.com")
Key Notes:
The elements of the rule can themselves return TRUE or FALSE, string, or numeric values.
An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—that manipulates one or more objects, or operands. The first section in this topic defines the operators you can use and provides a definition. The second section lists the operators you can use with specific qualifiers, such as method, URL and query.
Operators:
• ==
  • Boolean.
  • Returns TRUE if the current expression equals the argument. For text operations, the items being compared must exactly match one another. For numeric operations, the items must evaluate to the same number.
• !=
  • Boolean.
  • Returns TRUE if the current expression does not equal the argument. For text operations, the items being compared must not exactly match one another. For numeric operations, the items must not evaluate to the same number.
• CONTAINS
  • Boolean.
  • Returns TRUE if the current expression contains the string that is designated in the argument.
• NOTEXISTS
  • Boolean.
  • Returns TRUE if the item designated by the current expression does not exist.
• >
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is greater than the argument.
• <
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is less than the argument.
• >=
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is greater than or equal to the argument.
• <=
  • Boolean.
  • Returns TRUE if the current expression evaluates to a number that is less than or equal to the argument.
Key Notes:
Integer: this syntax returns the length of the URL as an integer.
String: if we were looking at the alphabet, we would be grabbing the string after "abc" but before "ghi" in "abcdefghi...", that is, "def".
Key Notes:
HTTP.REQ.HEADER("Referer").BEFORE_STR("//").EQ("https:")
In our example, we take whatever is before "//" in the Referer header and check whether it equals "https:".
Observe the example provided in the slide. We can see the expression evaluates to TRUE.
Note that the Referer header is supplied by the client and can be omitted or forged, so an expression like this is useful for routing and logging decisions but is not a security control on its own.
Key Notes:
For a policy to be evaluated on the NetScaler, it must be bound. Bind points are the names to which policies are bound. These names can be implicit (like global) or names of other user-configured entities like vServers, users or groups.
For advanced syntax we can use policy labels (banks). These are a generalization of the classic bind point concept. A policy label is a name to which advanced policies can be bound.
Key Notes:
Bind points are a very powerful aspect of policies. A bind point is a collection of active policies and is invoked by other policies.
Bind points were carried over from classic policies, which used virtual server or global, even though it is not explicitly displayed with classic policies. The bind point and the ability to bind to request or response processing is an important consideration: where a policy is bound affects when the action is taken.
One major difference between bind points for classic and default policies is the process of evaluation. For example, if a classic policy is bound to a virtual server and is also globally bound, then priorities determine the result. With default policies, evaluation is policy bank-specific. The virtual server-specific banks are evaluated before the global default banks; global override happens before the virtual server-bound items, and global default is last.
When a bind point is invoked, the NetScaler system evaluates the policies that comprise the bind point in the order of the assigned priorities. The scope of the priority assigned to a policy is limited to the bind point to which the policy is bound: the priority of a policy is only relative to the priorities of the other policies bound to the same bind point. This allows grouping of policies and effective implementation.
Key Notes:
When a policy label is invoked, all of the policies bound to it are evaluated in the order of the configured priority. When a policy is matched, the appropriate action is performed and control is returned to the policy that invoked the policy label.
Policy labels are generally defined to be reusable.
Key Notes:
User-Defined Policy Label: for default syntax policies, you can configure custom groupings of policies (policy banks) by defining a policy label and collecting a set of related policies under the policy label.
Additional bind points depend on the type of policy; for example, the NetScaler Gateway policies can be bound to users or groups.
If no policies match, then the normal behavior of the bind point occurs.
You can bind the policy to one of the following bind points:
• A global policy bank. These are the request-time default, request-time override, response-time default, and response-time override policy banks.
• A virtual server. Policies that you bind to a virtual server are processed after the global override policies and before the global default policies. Note that when binding a policy to a virtual server, you bind it to either request-time or response-time processing.
• An ad-hoc policy label. A policy label is a name assigned to a policy bank. In addition to the global labels, the integrated cache has two built-in custom policy labels: _reqBuiltinDefaults, which by default is invoked from the request-time default policy bank, and _resBuiltinDefaults, which by default is invoked from the response-time default policy bank.
You can also define new policy labels. Policies bound to a user-defined policy label must be invoked from within a policy bank for one of the built-in bind points. Important: you should bind a policy with an INVAL action to a request-time override or a response-time override bind point. To delete a policy, you must first unbind it.
Order of Policy Evaluation
For an advanced policy to take effect, you must ensure that the policy is invoked at some point during the
• Request-time default. If policy evaluation cannot be completed after all request-time, virtual server-specific policies are evaluated, the NetScaler appliance processes request-time default policies. If the request matches a request-time default policy, by default request-time policy evaluation ends and the NetScaler appliance stores the action that is associated with the matching policy.
• Response-time override. Similar to request-time override policy evaluation.
• Response-time load balancing virtual server. Similar to request-time virtual server policy evaluation.
• Response-time content switching virtual server. Similar to request-time virtual server policy evaluation.
• Response-time default. Similar to request-time default policy evaluation.
gotoPriorityExpression | Result
NEXT | Evaluate policy with next priority.
INVOCATION LIST
Key Notes:
Goto expressions are used to control the flow of policy evaluation; they also act as a logical tool to get to the appropriate policy without going through everything bound sequentially. When binding the policy, you assign it a priority level to specify when it is invoked relative to other policies in the bank. In addition to assigning a priority level, you can configure an arbitrary evaluation order for policies in a bank by specifying Goto expressions. A Goto expression indicates the next policy to be evaluated, typically within the same policy bank. Goto expressions can only proceed forward in a bank, which avoids looping.
Correct use of Goto expressions simplifies the configuration and results in correct behavior. It also enhances system performance by ensuring that only the required set of policies is evaluated. If a policy evaluates to FALSE, the NetScaler continues the evaluation in the order of priority.
If a policy evaluates to UNDEFINED (cannot be evaluated on the received traffic due to an error), the NetScaler performs the action assigned to the UNDEFINED condition (referred to as undefAction) and stops further evaluation of policies.
Ensure that the policies do not specify conflicting or overlapping actions on the same part of the HTTP header or body, or TCP payload. When such a conflict occurs, the NetScaler encounters an undefined situation and aborts the rewrite.
Key Notes:
When prioritizing policies, it is good practice to leave space between priorities (for example 100, 200, 300) to accommodate potential growth in future.
An UNDEFINED occurs when there is an expression match on the policy but the policy cannot be evaluated. For example, you write an expression to capture a piece of information, the information is captured as text, but you think it is a number and you attempt to perform a mathematical function on it. This would cause an UNDEFINED.
It is important to emphasize that when an UNDEFINED occurs, all other policy processing stops.
Flowchart (slide): Incoming connection -> Evaluation: evaluate the policy expressions for a match on the policy list -> Yes: Action: execute the action assigned to the policy; Log: perform the policy-specific or default log action; Next policy: go to the next policy -> DONE -> Outgoing connection. Undefined: check for the policy-specific or default undefAction and perform it.
Key Notes:
Evaluation Order
• Classic policies are evaluated according to bind points and priority level.
• Advanced policies are evaluated in the following order for basic groupings:
  • Request-time global override
  • Request-time, virtual server-specific
  • Request-time global default
  • Response-time global override
  • Response-time virtual server-specific
  • Response-time global default
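To make the bank walk, the Goto rules and the UNDEFINED behavior described in these notes concrete, here is an added Python model written for this edit (it is not NetScaler code, and the policy names, rules and action labels are invented). It walks the request-time banks in the order listed above, evaluates each bank in ascending priority number, honours a gotoPriorityExpression of NEXT, END or a forward priority number, and stops with the undefAction when a rule raises UNDEF (here: a non-numeric query value typecast to a number).

```python
from dataclasses import dataclass, field
from typing import Callable, Union


class Undef(Exception):
    """A rule that cannot be evaluated on this request (NetScaler's UNDEFINED state)."""


def typecast_num(text: str) -> int:
    """Model of <text>.TYPECAST_NUM_T(DECIMAL): non-numeric text is UNDEF, not 0."""
    try:
        return int(text)
    except ValueError:
        raise Undef(f"{text!r} is not a number")


@dataclass
class Policy:
    name: str
    rule: Callable[[dict], bool]
    action: str
    goto: Union[str, int] = "NEXT"   # "NEXT", "END", or a priority number further down the same bank


@dataclass
class Bank:
    """One policy bank (global override, a vserver, global default, or a policy label)."""
    name: str
    policies: dict = field(default_factory=dict)   # priority number -> Policy

    def bind(self, priority: int, policy: Policy) -> "Bank":
        if priority in self.policies:
            raise ValueError(f"priority {priority} is already used in bank {self.name}")
        self.policies[priority] = policy
        return self


def evaluate_bank(bank: Bank, request: dict, actions: list, trace: list, undef_action: str) -> bool:
    """Walk one bank in ascending priority number. A matching policy contributes its
    action; returns True when evaluation must stop here (goto END, or UNDEF)."""
    prios = sorted(bank.policies)
    i = 0
    while i < len(prios):
        prio, pol = prios[i], bank.policies[prios[i]]
        try:
            matched = pol.rule(request)
        except Undef as err:
            trace.append(f"{bank.name}:{pol.name} UNDEF ({err})")
            actions.append(undef_action)      # the undefAction is taken and nothing else runs
            return True
        trace.append(f"{bank.name}:{pol.name} {'TRUE' if matched else 'FALSE'}")
        if not matched:
            i += 1
            continue
        actions.append(pol.action)
        if pol.goto == "END":
            return True
        if pol.goto == "NEXT":
            i += 1
            continue
        if not isinstance(pol.goto, int) or pol.goto <= prio:
            raise ValueError(f"{pol.name}: goto must point forward in the bank (no loops)")
        i = next((k for k, p in enumerate(prios) if p >= pol.goto), len(prios))
    return False


def evaluate_request(banks: list, request: dict, undef_action: str = "RESET") -> tuple:
    """Request-time evaluation: global override, then the vserver bank, then global
    default; the first bank that ends with END or UNDEF stops the walk."""
    actions, trace = [], []
    for bank in banks:
        if evaluate_bank(bank, request, actions, trace, undef_action):
            break
    return actions, trace


def example_banks() -> list:
    """Constructed configuration (names and rules are invented for this example)."""
    override = Bank("REQ_OVERRIDE").bind(
        100, Policy("deny_admin", lambda r: r["url"].startswith("/admin"), "RESPOND_403", "END"))
    vserver = Bank("vs_web").bind(
        100, Policy("mobile", lambda r: "Mobile" in r["ua"], "INSERT_X-Client: mobile", goto=300)
    ).bind(
        200, Policy("desktop", lambda r: True, "INSERT_X-Client: desktop")
    ).bind(
        300, Policy("big_page", lambda r: typecast_num(r["query"].get("size", "")) >= 120, "STRIP_IMAGES"))
    default = Bank("REQ_DEFAULT").bind(
        100, Policy("audit", lambda r: True, "LOG_REQUEST", "END"))
    return [override, vserver, default]


if __name__ == "__main__":
    for req in ({"url": "/admin/users", "ua": "Mozilla", "query": {}},
                {"url": "/index.html", "ua": "Mozilla Mobile", "query": {"size": "200"}},
                {"url": "/index.html", "ua": "Mozilla", "query": {"size": "abc"}}):
        acts, path = evaluate_request(example_banks(), req)
        print(req["url"], acts, path)
```

Running the module prints the collected actions and the evaluation path for three requests. In the second case the numeric goto skips the desktop policy; in the third the UNDEF in the vserver bank stops evaluation before the global default bank is reached, which is exactly why an undefAction must be chosen deliberately for every bank.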
Key Notes:
This diagram shows only the policy-relevant features.
Additional Resources:
Citrix edocs getting started link: https://docs.citrix.com/en-us/netscaler/12/getting-started-with-netscaler.html#par_richtext_8
Key Notes:
The Policy Manager is available for the Rewrite, Integrated Caching, Responder, and Compression features.
To remove unused policies by using the Policy Manager:
• In the navigation pane, click the feature for which you want to configure the policy bank. The choices are
• In the details pane, click <Feature Name> policy manager.
• click Remove.
• In the Remove dialog box, click Yes.
• AppExpert policy engine is a powerful set of tools for easy control and management of almost any type of traffic.
AppExpert features listed on the slide: HTTP Callouts, Pattern Sets, Data Sets, URL Sets, String Maps, XML Namespaces, Location, NS Variables, NS Assignments, Policy Extensions, Expressions, Rate Limiting, Action Analytics, AppQoE, Rewrite, Responder, Spillover.
Key Notes:
For many NetScaler features, policies control how a feature evaluates data, which ultimately determines what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate requests, responses, or other data, and applies one or more actions determined by the outcome of the evaluation. Alternatively, a policy can apply a profile, which defines a complex action.
Additional Resources:
Citrix Product Documentation on a conceptual reference and configuration instructions for the AppExpert and other features of the NetScaler appliance: http://docs.citrix.com/en-us/netscaler/12/appexpert.html
Citrix Product Documentation Introduction to Policies and Expressions: http://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions/ns-pi-intro-pol-exp-wrapper-con.html
Key Notes:
A pattern set or data set contains a set of patterns, and each pattern is assigned a unique index. When a policy is applied to a packet, an expression identifies a string to be evaluated, and the operator compares the string to the patterns defined in the pattern set or data set until a match is found or all patterns have been compared. Then, depending on its function, the operator returns either a boolean value that indicates whether or not a matching pattern was found or the index of the pattern that matches the string.
Pattern sets and data sets work the same way. The only difference between pattern sets and data sets is the type of patterns defined in the set.
To use pattern sets or data sets, first create the pattern set or data set and bind patterns to it. Then, when you configure a policy for comparing a string in a packet, use an appropriate operator and pass the name of the pattern set or data set as an argument.
Additional Resources:
Citrix Product Documentation on Pattern Sets and Data Sets: http://docs.citrix.com/en-us/netscaler/12/appexpert/pattern-sets-data-seta.html
Key Notes:
Depending on the type of patterns that you want to match, you can use one of the following features to implement pattern matching:
• A pattern set is an array of indexed patterns used for string matching during default syntax policy evaluation. Example of a pattern set: imagetypes {svg, bmp, png, gif, tiff, jpg}.
• A data set is a specialized form of pattern set. It is an array of patterns of types number (integer), IPv4 address, or IPv6 address.
Each pattern is assigned a unique index, and the matching operators return either a boolean result or the index of the matching pattern, as described above. Pattern sets and data sets work the same way; the only difference is the type of patterns defined in the set.
Key Notes:
A pattern set defines a mapping of index values to strings.
After you configure a pattern set, you can use it in an advanced expression that passes the pattern set as an argument to an appropriate operator.
When you use an operator, replace <text> with the default syntax expression that identifies the string with which you want to perform string matching, and replace <pattern_set_name> with the name of the pattern set.
Key Notes:
A string map defines a mapping of strings to strings.
Use case: prior to string maps, if you needed to do redirects based on URL, you needed a unique responder policy bound for each redirect. Now, using string maps, you can bind a single policy that looks the request URL up in the map.
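As an added illustration (example code written for this edit, not Citrix's), the following Python models a pattern set, a data set and a string map with the operators named on these slides; the set names, indexes, addresses and redirect targets are constructed. The responder_redirect function shows the string-map use case: one policy whose rule is IS_STRINGMAP_KEY and whose redirect target is MAP_STRING, instead of one policy per redirect.

```python
import ipaddress
from typing import Dict, Optional


class PatternSet:
    """Indexed string patterns, like 'add policy patset' plus 'bind policy patset <name> <pattern> -index <n>'.
    Comparisons are case-insensitive, which is NetScaler's default text mode."""

    def __init__(self, name: str):
        self.name = name
        self.patterns: Dict[int, str] = {}

    def bind(self, pattern: str, index: int) -> "PatternSet":
        if index in self.patterns:
            raise ValueError(f"index {index} is already bound in patset {self.name}")
        self.patterns[index] = pattern
        return self

    def _scan(self, text: str, match) -> Optional[int]:
        """Compare the text with each pattern in index order until one matches."""
        t = text.lower()
        for index, pattern in sorted(self.patterns.items()):
            if match(t, pattern.lower()):
                return index
        return None

    # <text>.CONTAINS_INDEX("patset"), <text>.EQUALS_INDEX("patset"), and the boolean forms
    def contains_index(self, text: str) -> Optional[int]:
        return self._scan(text, lambda t, p: p in t)

    def equals_index(self, text: str) -> Optional[int]:
        return self._scan(text, lambda t, p: t == p)

    def contains_any(self, text: str) -> bool:
        return self.contains_index(text) is not None

    def equals_any(self, text: str) -> bool:
        return self.equals_index(text) is not None

    def endswith_any(self, text: str) -> bool:
        return self._scan(text, lambda t, p: t.endswith(p)) is not None


class DataSet:
    """Specialised pattern set whose members are numbers, IPv4 or IPv6 addresses; values are
    normalised on bind, so '2001:DB8::1' and '2001:db8:0:0::1' compare equal."""
    KINDS = {"num": int, "ipv4": ipaddress.IPv4Address, "ipv6": ipaddress.IPv6Address}

    def __init__(self, name: str, kind: str):
        if kind not in self.KINDS:
            raise ValueError(f"unsupported data set type {kind!r}")
        self.name, self.kind, self.values = name, kind, {}

    def bind(self, value: str, index: int) -> "DataSet":
        self.values[index] = self.KINDS[self.kind](value)
        return self

    def equals_index(self, value: str) -> Optional[int]:
        try:
            needle = self.KINDS[self.kind](value)
        except ValueError:            # not a number / not an address of this type: no match
            return None
        return next((i for i, v in sorted(self.values.items()) if v == needle), None)

    def equals_any(self, value: str) -> bool:
        return self.equals_index(value) is not None


class StringMap:
    """'add policy stringmap' plus 'bind policy stringmap <name> <key> <value>'."""

    def __init__(self, name: str):
        self.name, self.entries = name, {}

    def bind(self, key: str, value: str) -> "StringMap":
        self.entries[key] = value
        return self

    def is_stringmap_key(self, text: str) -> bool:      # <text>.IS_STRINGMAP_KEY("map")
        return text in self.entries

    def map_string(self, text: str) -> Optional[str]:   # <text>.MAP_STRING("map"); None if unmapped (model choice)
        return self.entries.get(text)


def responder_redirect(path: str, redirects: StringMap) -> Optional[str]:
    """One responder policy covering every legacy path:
         rule:   HTTP.REQ.URL.PATH.IS_STRINGMAP_KEY("redirects")
         action: redirect to HTTP.REQ.URL.PATH.MAP_STRING("redirects")
    Returns the redirect target, or None when the policy does not match."""
    return redirects.map_string(path) if redirects.is_stringmap_key(path) else None


def example_sets():
    """Constructed sample objects: the slide's imagetypes patset, a blocklist data set,
    and a redirect map (names, indexes and values are invented for this example)."""
    imagetypes = PatternSet("imagetypes")
    for index, ext in enumerate(["svg", "bmp", "png", "gif", "tiff", "jpg"], start=1):
        imagetypes.bind(ext, index)
    blocked = DataSet("blocked_clients", "ipv4").bind("10.0.0.7", 10).bind("192.0.2.9", 20)
    redirects = (StringMap("redirects")
                 .bind("/old/login", "https://www.example.com/login")
                 .bind("/old/help", "https://www.example.com/support"))
    return imagetypes, blocked, redirects
```

Note that a data set rejects malformed input (a non-address never matches an IPv4 set) instead of falling back to string comparison, which is the behavior you want when the value comes from the client.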
Key Notes:
The HTTP callout expression:
SYS.HTTP_CALLOUT(<name of HTTP Callout>)
To define the HTTP callout:
• set policy httpCallout <name> [-IPAddress <ip_addr|ipv6_addr>] [-port <port>] [-vServer <string>] [-
Additional Resources:
Citrix Product Documentation on HTTP Callouts: http://docs.citrix.com/en-us/netscaler/11/appexpert/http-callout.html
• The policy uses the result like other policy expression evaluation results.
Key Notes:
For certain types of requests, or when certain criteria are met during policy evaluation, you might want to stall policy evaluation briefly, retrieve information from a server, and then perform a specific action that depends on the information that is retrieved.
At other times, when you receive certain types of requests, you might want to update a database or the content hosted on a Web server.
HTTP callouts enable you to perform all these tasks.
Diagram (slide): Users -> Citrix NetScaler (policy) -> destination servers; during policy evaluation the NetScaler sends a callout request to the callout service and uses its response.
Key Notes:
When the NetScaler appliance receives a client request, the appliance evaluates the request against the policies bound to various bind points. During this evaluation, if the appliance encounters the HTTP callout expression, SYS.HTTP_CALLOUT(<name>), it stalls policy evaluation briefly and sends a request to the HTTP callout agent by using the parameters configured for the specified HTTP callout. Upon receiving the response, the appliance inspects the specified portion of the response, and then either performs an action or evaluates the next policy, depending on whether the evaluation of the response from the HTTP callout agent evaluates to TRUE or FALSE, respectively. For example, if the HTTP callout is included in a responder policy and the evaluation of the response evaluates to TRUE, the appliance performs the action associated with the responder policy.
If the HTTP callout configuration is incorrect or incomplete, or if the callout invokes itself recursively, the appliance raises an UNDEF condition and updates the undefined hits counter.
Key Notes:
of the request, the expected format of the response, and, finally, the portion of the response that you want to analyze.
For the destination, you either specify the IP address and port of the HTTP callout agent or engage a load balancing, content switching, or cache redirection virtual server to manage the HTTP callout requests. In the first case, the HTTP callout requests will be sent directly to the HTTP callout agent. In the second case, the HTTP callout requests will be sent to the virtual IP address (VIP) of the specified virtual server. The virtual server will then process the request in the same way as it processes a client request. For example, if you expect a large number of callouts to be generated, you can configure instances of the HTTP callout agent on multiple servers, bind these instances (as services) to a load balancing virtual server, and then specify the load balancing virtual server in the HTTP callout configuration. The load balancing virtual server then balances the load on those configured instances as determined by the load balancing algorithm.
For the format of the HTTP callout request, you can specify the individual attributes of the HTTP callout request (an attribute-based HTTP callout), or you can specify the entire HTTP callout request as a default syntax expression (an expression-based HTTP callout).
In the policy expression, provide a condition that prevents HTTP callout recursion, that is, a callout request that is itself processed by the policy that invokes the callout: http://docs.citrix.com/en-us/netscaler/12/appexpert/http-callout/avoiding-http-callout-recursion.html
Invoking an HTTP Callout:
• After you configure an HTTP callout, you invoke the callout by including the SYS.HTTP_CALLOUT(<name>) expression in a default syntax policy rule. In this expression, <name> is the name of the HTTP callout that you want to invoke.
• You can use default syntax expression operators with the callout expression to process the response and
Key Notes:
The NetScaler appliance does not check the validity of the HTTP callout request. Therefore, before you configure HTTP callouts, you must know the format of an HTTP request. You must also know the format of an HTTP response, because configuring an HTTP callout involves configuring expressions that evaluate the response from the HTTP callout agent.
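The exchange described above, as an added, runnable example (written for this edit, not Citrix code): a tiny callout agent on loopback that answers whether a client IP is blocklisted, and the policy side that sends the attribute-based callout request, evaluates one field of the JSON response, treats any failure as UNDEF, and guards against recursion by excluding requests that carry the callout marker header. The agent, its URL format, the JSON shape, the header name and the addresses are all assumptions made for this example.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen


class Undef(Exception):
    """UNDEF: the callout could not be completed or its response could not be evaluated."""


# ---- Callout agent (constructed for this example): answers whether a client IP is blocklisted.
BLOCKLIST = {"192.0.2.10", "198.51.100.7"}


class CalloutAgent(BaseHTTPRequestHandler):
    def do_GET(self):
        # Expected request format: GET /check?ip=<address> with header "Request: Callout"
        ip = parse_qs(urlparse(self.path).query).get("ip", [""])[0]
        body = json.dumps({"blocked": ip in BLOCKLIST}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_agent() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), CalloutAgent)   # port 0: the OS picks a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# ---- Policy side: model of SYS.HTTP_CALLOUT("ip_check") for an attribute-based callout.
def http_callout(agent_url: str, client_ip: str, timeout: float = 2.0) -> bool:
    """Send the callout request, then evaluate the part of the response we care about
    (the JSON field "blocked"). Anything unexpected is UNDEF, never a silent FALSE."""
    req = Request(f"{agent_url}/check?ip={client_ip}", headers={"Request": "Callout"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                raise Undef(f"callout agent answered {resp.status}")
            return bool(json.loads(resp.read())["blocked"])
    except (OSError, ValueError, KeyError, TypeError) as err:
        # unreachable or misconfigured agent, HTTP error, or a body that is not the expected JSON
        raise Undef(str(err))


def responder_rule(request: dict, agent_url: str) -> bool:
    """Rule: HTTP.REQ.HEADER("Request").EQ("Callout").NOT && SYS.HTTP_CALLOUT(ip_check)
    The first term is the recursion guard: a callout request that is itself routed through
    this policy (for example because the agent sits behind a vserver) must not call out again."""
    if request["headers"].get("Request") == "Callout":
        return False
    return http_callout(agent_url, request["client_ip"])


def demo() -> dict:
    """Run the agent on loopback, evaluate three requests, then stop the agent."""
    server = start_agent()
    url = f"http://127.0.0.1:{server.server_port}"
    try:
        results = {
            "blocked_client": responder_rule({"headers": {}, "client_ip": "192.0.2.10"}, url),
            "normal_client": responder_rule({"headers": {}, "client_ip": "203.0.113.5"}, url),
            "own_callout": responder_rule({"headers": {"Request": "Callout"}, "client_ip": "192.0.2.10"}, url),
        }
    finally:
        server.shutdown()
        server.server_close()
    try:                                   # agent down -> UNDEF, which would trigger the undefAction
        http_callout("http://127.0.0.1:9", "192.0.2.10", timeout=0.5)
        results["agent_down"] = "no UNDEF"
    except Undef:
        results["agent_down"] = "UNDEF"
    return results


if __name__ == "__main__":
    print(demo())
```

Because the agent's answer steers the policy decision and the callout carries client-derived data, the agent has to be treated as a trusted component: reach it through a dedicated virtual server or a private network, validate its response strictly (an unexpected body is UNDEF here), and make sure the undefAction for the bank is the safe choice for your traffic.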
Key Notes:
To monitor the rate of traffic for a given scenario, we configure a rate limit identifier.
A rate limit identifier specifies numeric thresholds such as the maximum number of requests or connections (of a particular type) that are permitted in a specified time period called a time slice.
identifiers when we configure the identifiers.
We can invoke identifiers from any feature in which the identifier may be useful, including rewrite, responder, DNS, and integrated caching.
Additional Resources:
http://docs.citrix.com/en-us/netscaler/12/appexpert/rate-limiting.html
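An added Python model of a limit identifier (written for this edit, not NetScaler code): requests are counted per selector key within a fixed time slice, and the SYS.CHECK_LIMIT model returns TRUE once the key exceeds the threshold. The identifier name, threshold, time slice and the client-IP selector are assumptions chosen for the example.

```python
from typing import Callable, Dict, Optional, Tuple


class RateLimitIdentifier:
    """Model of a limit identifier in request-rate mode with a fixed time slice:
    'add ns limitIdentifier <name> -threshold <n> -timeSlice <ms> -selectorName <sel>'
    where the stream selector (for example CLIENT.IP.SRC) supplies the key that is counted."""

    def __init__(self, name: str, threshold: int, timeslice_ms: int, selector: Callable[[dict], str]):
        if threshold < 1 or timeslice_ms < 1:
            raise ValueError("threshold and timeSlice must be positive")
        self.name, self.threshold, self.timeslice_ms, self.selector = name, threshold, timeslice_ms, selector
        self.slices: Dict[str, Tuple[int, int]] = {}   # key -> (slice start in ms, requests seen in it)

    def check_limit(self, request: dict, now_ms: int) -> bool:
        """Model of SYS.CHECK_LIMIT("<name>"): count this request against its key and
        return TRUE once the key has exceeded the threshold within the current slice."""
        key = self.selector(request)
        start, count = self.slices.get(key, (now_ms, 0))
        if now_ms - start >= self.timeslice_ms:      # the slice has expired: start a fresh one
            start, count = now_ms, 0
        count += 1
        self.slices[key] = (start, count)
        return count > self.threshold


def responder_action(limit: RateLimitIdentifier, request: dict, now_ms: int) -> Optional[str]:
    """Responder policy with rule SYS.CHECK_LIMIT("login_limit") and a DROP action:
    returns "DROP" when the limit is exceeded, None when the policy does not match."""
    return "DROP" if limit.check_limit(request, now_ms) else None


def example_limit() -> RateLimitIdentifier:
    """Constructed identifier: 3 requests per client IP per 1000 ms."""
    return RateLimitIdentifier("login_limit", threshold=3, timeslice_ms=1000,
                               selector=lambda r: r["client_ip"])


if __name__ == "__main__":
    limit = example_limit()
    for t in (0, 100, 200, 300, 400, 1000):
        print(t, responder_action(limit, {"client_ip": "203.0.113.5", "url": "/login"}, t))
```

Keying on client IP alone shares one bucket among every client behind a NAT or proxy; in practice the selector usually combines the source IP with a request attribute such as the URL or a session token, and the threshold is sized from observed traffic rather than guessed.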
Key Notes:
You can extract almost anything. For example, you can extract an attribute from the system time and return an integer (such as the hour of the day, 0-23), then set policies based on that integer.
You can extract data of one type (for example, text or an integer) from requests and responses and transform it to data of another type. For example, you can extract a string and transform the string to time format. You can also extract a string from an HTTP request body and treat it like an HTTP header, or extract a value from one type of request header and insert it in a response header of a different type.
After typecasting the data, you can apply any operation that is appropriate for the new data type. For example, if you typecast text to an HTTP header, you can apply any operation that is applicable to HTTP headers to the returned value.
Additional Resources:
Many excellent examples of use cases: http://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions/ns-typecasting-data-wrapper-con.html
Expression:
• HTTP.REQ.URL.QUERY.AFTER_STR("what=zone:").BEFORE_STR("&block").TYPECAST_NUM_T(DECIMAL).GE(399)
URL string: (shown on the slide)
Key Notes:
Some typecasting functions:
• <text>.TYPECAST_LIST_T(<separator>)
  • Treats the text in an HTTP request or response body as a list whose elements are delimited by the character in the <separator> argument. Index values in the list that is created start with zero (0).
  • Text mode settings have no effect on the separator. For example, even if you set the text mode to IGNORECASE, and the separator is the letter "p", an uppercase "P" is not treated as a separator.
• <text>.TYPECAST_TIME_T
  • Treats the designated text as a date string. The following formats are supported:
    • RFC822: Sun, 06 Nov 1994 08:49:37 GMT
    • RFC850: Sunday, 06-Nov-94 08:49:37 GMT
    • ASCII TIME: Sun Nov 6 08:49:37 1994
    • HTTP Set-Cookie expiry date: Sun, 06-Nov-1994 08:49:37 GMT
• <numeric string>.TYPECAST_IP_ADDRESS_T
  • Treats a numeric string as an IP address.
• <numeric string>.TYPECAST_IPV6_ADDRESS_T
  • Treats a string as an IPv6 address in the following format: 0000:0000:CD00:0000:0000:00AB:0000:CDEF
• <text>.TYPECAST_HTTP_URL_T
• HTTP.REQ.URL.QUERY.VALUE(7).TYPECAST_NUM_T(DECIMAL)
URL string:
1&utmcc=__utma%3D70478348.3261219735.1162245583.1171842907.1173146399.9%3B%2B__utmb%3D70478348%3B%2B__utmc%3D70478348%3B%2B
Key Notes:
The index used to read into the Name-Value Lists (nvlist_t) is zero-based. This means the first element in the list is numbered as element 0. To retrieve the eighth value, an administrator must specify element #7.
Since the QUERY object is already a name-value list, using the query is the more efficient way to create the expression. However, for the sake of the example, we are able to show two typecasts by using the second expression. The net result is functionally identical.
• The eighth entry in the VALUE column is extracted (at index #7 - counting begins at
Key Notes:
• 1. Text is parsed to create an object of type NVLIST_T, and the result can be represented as a table as shown above.
• 2. The string "90" is converted to a number (explicitly in DECIMAL format; HEX is also supported).
HTTP.REQ.URL.AFTER_STR("?").TYPECAST_NVLIST_T.VALUE(7).TYPECAST_NUM_T(DECIMAL)
Extending the expression:
HTTP.REQ.URL.AFTER_STR("?").TYPECAST_NVLIST_T.VALUE(7).TYPECAST_NUM_T(DECIMAL).GE(120)
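An added Python model (written for this edit, not Citrix code) of the text operators and typecasts used in this section: the Referer BEFORE_STR/EQ check from earlier in the module, the zone-number expression, the NVLIST VALUE(7) expression with its GE(120) extension, and TYPECAST_TIME_T across the four date formats listed above. TYPECAST_NVLIST_T is given its separator and delimiter explicitly here; the behavior of AFTER_STR and BEFORE_STR when the argument is absent is a modelling choice, and the sample query strings are constructed.

```python
import email.utils
from datetime import datetime, timezone
from typing import List, Tuple


class Undef(Exception):
    """UNDEFINED: the expression cannot be evaluated on this input."""


class Num:
    def __init__(self, value: int):
        self.value = value

    def ge(self, n: int) -> bool:
        return self.value >= n

    def eq(self, n: int) -> bool:
        return self.value == n


class NVList:
    """Zero-based name-value list, the result of TYPECAST_NVLIST_T (or HTTP.REQ.URL.QUERY)."""

    def __init__(self, text: str, separator: str = "=", delimiter: str = "&"):
        self.items: List[Tuple[str, str]] = []
        for pair in text.split(delimiter) if text else []:
            name, _, value = pair.partition(separator)
            self.items.append((name, value))

    def value(self, index: int) -> "Text":       # VALUE(<index>); VALUE(7) is the eighth entry
        if index < 0 or index >= len(self.items):
            raise Undef(f"no element at index {index} (list has {len(self.items)} entries)")
        return Text(self.items[index][1])


class Text:
    """A text value with the operators used on this page. Modelling choice: AFTER_STR and
    BEFORE_STR return an empty string when the argument is not found."""

    def __init__(self, value: str):
        self.value = value

    def after_str(self, s: str) -> "Text":
        i = self.value.find(s)
        return Text("" if i < 0 else self.value[i + len(s):])

    def before_str(self, s: str) -> "Text":
        i = self.value.find(s)
        return Text("" if i < 0 else self.value[:i])

    def eq(self, s: str) -> bool:
        return self.value == s

    def typecast_nvlist_t(self, separator: str = "=", delimiter: str = "&") -> NVList:
        return NVList(self.value, separator, delimiter)

    def typecast_num_t(self, fmt: str = "DECIMAL") -> Num:
        base = {"DECIMAL": 10, "HEX": 16}[fmt]
        try:
            return Num(int(self.value, base))
        except ValueError:                  # text that is not a number: UNDEF, never 0
            raise Undef(f"{self.value!r} is not a {fmt} number")

    def typecast_time_t(self) -> datetime:
        """RFC 822, RFC 850, asctime and Set-Cookie expiry dates all parse with
        email.utils; a date without a zone is taken as GMT, as HTTP dates are."""
        try:
            parsed = email.utils.parsedate_to_datetime(self.value)
        except (TypeError, ValueError):
            raise Undef(f"{self.value!r} is not a supported date string")
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


# ---- The expressions from this part of the course, as functions over constructed input.
def zone_check(query: str) -> bool:
    """HTTP.REQ.URL.QUERY.AFTER_STR("what=zone:").BEFORE_STR("&block").TYPECAST_NUM_T(DECIMAL).GE(399)"""
    return Text(query).after_str("what=zone:").before_str("&block").typecast_num_t("DECIMAL").ge(399)


def eighth_value_check(url: str) -> bool:
    """HTTP.REQ.URL.AFTER_STR("?").TYPECAST_NVLIST_T.VALUE(7).TYPECAST_NUM_T(DECIMAL).GE(120)"""
    return Text(url).after_str("?").typecast_nvlist_t("=", "&").value(7).typecast_num_t("DECIMAL").ge(120)


def referer_is_https(headers: dict) -> bool:
    """HTTP.REQ.HEADER("Referer").BEFORE_STR("//").EQ("https:")"""
    return Text(headers.get("Referer", "")).before_str("//").eq("https:")


def parse_time_examples() -> List[str]:
    """The four date formats from the slide all denote the same instant."""
    samples = ["Sun, 06 Nov 1994 08:49:37 GMT", "Sunday, 06-Nov-94 08:49:37 GMT",
               "Sun Nov 6 08:49:37 1994", "Sun, 06-Nov-1994 08:49:37 GMT"]
    return [Text(s).typecast_time_t().isoformat() for s in samples]
```

The two failure paths are the ones the notes warn about: a query with fewer than eight values makes VALUE(7) UNDEF, and a value that is text rather than a number makes TYPECAST_NUM_T UNDEF; in both cases the policy's undefAction runs and further evaluation stops.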
NetScaler Traffic Management: Rewrite, Responder, and URL Transform
Version 1.0
Key Notes:
Rewrite refers to the rewriting of some information in the requests or responses handled by the NetScaler appliance. Rewriting can help in providing access to the requested content without exposing unnecessary details about the Web site's actual configuration. A few situations in which the rewrite feature is useful are described below:
• To improve security, the NetScaler can rewrite all the http:// links to https:// in the response body.
• In the SSL offload deployment, the insecure links in the response have to be converted into secure links so that the outgoing responses from NetScaler to the client have the secured links.
• If a Web site has to show an error page, you can show a custom error page instead of the default 404 error page. For example, if you show the home page or site map of the Web site instead of an error page, the visitor remains on the site instead of moving away from the Web site.
Additional Resources:
A few situations in which the rewrite feature is useful: http://docs.citrix.com/en-us/netscaler/12/appexpert/rewrite.html
Rewrite flow (slide):
1. The client browser sends a request to the Web server through the NetScaler system.
2. Evaluation: the NetScaler system checks the request-time policy bank for applicable policies.
3. The NetScaler system builds a set of actions to apply after evaluating the list of prioritized policies.
4. Rewriting process: the NetScaler applies the actions and forwards the request to the Web server.
Server response: the Web server receives the request and sends a response; the NetScaler system checks the response-time policy bank for applicable policies and builds a set of actions to apply after evaluating the list of prioritized policies.
Key Notes:
The NetScaler appliance checks for global policies and then checks for policies at individual bind points.
If multiple policies are bound to a bind point, the NetScaler evaluates the policies in the order of their priority. The policy with the highest priority (the lowest priority number) is evaluated first. After evaluating each policy, if the policy evaluates to TRUE (the traffic matches the rule), the NetScaler adds the action associated with the policy to a list of actions to be performed. For any policy, in addition to the action, you can specify the policy that should be evaluated after the current policy is evaluated. This is referred to as the 'Go to Expression'.
After all the policies are evaluated, or when a matching policy has the Go to Expression set to END, the NetScaler starts performing the actions according to the list of actions.
Action | Result
Key Notes:
After enabling the rewrite feature, you need to configure one or more actions unless a built-in rewrite action is sufficient. All of the built-in actions have names beginning with the string ns_cvpn, followed by a string of letters and underscore characters. Built-in actions perform useful and complex tasks such as decoding parts of a clientless VPN request or response or modifying JavaScript or XML data. The built-in actions can be viewed, enabled, and disabled, but cannot be modified or deleted.
To create a new rewrite action by using the command line interface:
• At the command prompt, type the following commands to create a new rewrite action and verify the configuration:
  • add rewrite action <name> <type> <target> [<stringBuilderExpr>] [(-pattern <expression> | -patset <string>)] [-bypassSafetyCheck (YES|NO)]
  • show rewrite action <name>
To modify an existing rewrite action by using the command line interface:
• At the command prompt, type the following commands to modify an existing rewrite action and verify the configuration:
  • set rewrite action <name> [-target <string>] [-stringBuilderExpr <string>] [(-pattern <expression> | -patset <string>)] [-bypassSafetyCheck (YES|NO)]
  • show rewrite action <name>
Action types shown on the slide include CORRUPT_SIP_HEADER and REPLACE_SIP_RES.
Key Notes:
You can use all types of existing string manipulation functions with these prefixes to identify the strings that you want to rewrite. To configure a rewrite action, you assign it a name, specify an action type, and add one or more arguments specifying additional data. The following table describes the action types and the arguments you use with them.
CLI Syntax:
add rewrite action <action_name> <Type> <Expression>
Key Notes:
To create a new rewrite policy by using the configuration utility (the dialog fields are Name, Action, Log Action, Undefined-Result Action, Expression and Comments):
• Assign it a name.
• Select the Action.
• Add one or more expressions specifying the condition for rewrite.
• Add the Undefined-Result Action (optional; the default is the global undefined-result action).
• Add a Log Action (optional).
Key Notes:
• undefAction NOREWRITE: the NetScaler continues to process requests and responses that do not match any rewrite policy, and eventually forwards them to the requested URL unless another feature intervenes and blocks or redirects the request. This action is appropriate for normal requests to your Web servers, and is the default setting.
• undefAction RESET: resets the client connection. This means that the NetScaler tells the client that it must re-establish its session with the Web server. This action is appropriate for repeat requests for Web pages that do not exist, or for connections that might be attempts to hack or probe your protected Web site(s).
• undefAction DROP: the NetScaler simply discards the connection without responding to the client. This action is appropriate for requests that appear to be part of a DDoS attack or another sustained attack on your servers.
Note: Undefined events can be triggered for both request and response flow specific policies.
Parameters:
• bypassSafetyCheck
• target
• stringBuilderExpr
• search
• refineSearch
Key Notes:
Target:
• Expression that specifies which part of the connection to rewrite. Maximum Length: 1499
stringBuilderExpr:
• Default syntax expression that specifies the content to insert into the request or response at the specified location, or that replaces the specified string. Maximum Length: 8191
bypassSafetyCheck:
• When you create a rewrite action, the NetScaler verifies that the expression you used to create the action is safe. An unsafe expression is one that refers to message elements that might not be present in every message it is applied to (for example, a request element referenced from a response-time rewrite); if the element is missing, an empty string is used in its place. You can bypass this safety check if you know your rewrite is safe.
Pattern:
• Pattern that is used to match multiple strings in the request or response. The pattern may be a string literal (without quotes) or a PCRE-format regular expression with a delimiter that consists of any printable ASCII non-alphanumeric character except for the underscore (_) and space ( ) that is not otherwise used in the expression. Example: re~https?://|HTTPS?://~ The preceding regular expression can use the tilde (~) as the delimiter because that character does not appear in the regular expression itself. Used in the INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL action types. Maximum Length: 271
Search:
• Search facility that is used to match multiple strings in the request or response.
RefineSearch:
• Specify additional criteria to refine the results of the search. Always starts with the "extend(m,n)" operation, where 'm' specifies the number of bytes to the left of the selected data and 'n' specifies the number of bytes to the right of the selected data. You can use refineSearch only on body
Key Notes:
Adding a policy:
• add rewrite policy <name> <expression> <action> [<undefaction>]
• show rewrite policy <name>
To rewrite HTTP requests and responses, you can use protocol-aware NetScaler policy expressions in the rewrite policies you configure. The virtual servers that manage the HTTP requests and responses must be of type HTTP or SSL. With HTTP rewrite you can modify the URL of a request, add, modify or delete headers, and add, replace, or delete any specific string within the body or headers.
To rewrite TCP payloads, consider the payload as a raw stream of bytes. Each of the virtual servers managing the TCP connections must be of type TCP or SSL_TCP. The term TCP rewrite is used to refer to the rewrite of TCP payloads that are not HTTP data. In TCP traffic, you can add, modify, or delete any part of the TCP payload.
Key Notes:
The main difference between the rewrite feature and the responder feature is as follows:
Responder cannot be used for response or server-based expressions. Responder can be used only for the following scenarios, depending on client parameters:
• Redirecting an HTTP request to new Web sites or Web pages
• Responding with some custom response
• Dropping or resetting a connection at request level
In the case of a responder policy, the NetScaler examines the request from the client, takes action according to the applicable policies, sends the response to the client, and closes the connection with the client.
In the case of a rewrite policy, the NetScaler examines the request from the client or the response from the server, takes action according to the applicable policies, and forwards the traffic to the client or the server.
In general, it is recommended to use responder if you want the NetScaler to reset or drop a connection based on a client or request-based parameter. Use responder to redirect traffic, or respond with custom messages. Use rewrite for manipulating data in HTTP requests and responses.
Key Notes:
To enable the rewrite feature by using the command line interface
• At the command prompt, type the following commands to enable the rewrite feature and verify the configuration:
• enable ns feature REWRITE
• show ns feature
To enable the rewrite feature by using the configuration utility
HTTP Request before Rewrite
GET / HTTP/1.1
Host: training.citrix.lab
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Ex: The following NetScaler policy will modify the HTTP version in every HTTP request before forwarding it.
add rewrite action Act_1 replace http.req.version "\"HTTP/1.0\""
add rewrite policy Pol_1 true Act_1
HTTP Request after Rewrite
GET / HTTP/1.0
Host: training.citrix.lab
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Key Notes:
Today's complex Web configurations often require different responses to HTTP requests that appear, on the surface, to be similar. When users request a Web site's home page, you may want to provide a different home page depending on where each user is located, which browser the user is using, or which language(s) the browser accepts and the order of preference. You might want to break the connection immediately if the request is coming from an IP range that has been generating DDoS attacks or initiating hacking attempts.
For handling sensitive data such as financial information, if you want to ensure that the client uses a secure connection to browse a site, you can redirect the request to a secure connection by using https:// instead of http://.
Additional Resources:
Citrix Product Documentation Responder Feature: http://docs.citrix.com/en-us/netscaler/12/appexpert/responder.html
Key Notes:
Responder only operates on the REQ side of the
Responses can be based on who sends the request, where it is sent from, and other criteria with security and system management implications. The feature is simple and quick to use. By avoiding the invocation of more complex features, it reduces CPU cycles and time spent in handling requests that do not require complex processing.
Key Notes:
NOOP
• The NOOP action aborts responder processing but does not alter the packet flow. This means that the appliance continues to process requests that do not match any responder policy, and eventually forwards them to the requested URL unless another feature intervenes and blocks or redirects the request. This action is appropriate for normal requests to your Web servers and is the default setting.
RESET
• If the undefined action is set to RESET, the appliance resets the client connection, informing the client that it must re-establish its session with the Web server. This action is appropriate for repeat requests for Web pages that do not exist, or for connections that might be attempts to hack or probe your protected Web site(s).
DROP
• If the undefined action is set to DROP, the appliance silently drops the request without responding to the client in any way. This action is appropriate for requests that appear to be part of a DDoS attack or other sustained attack on your servers.
Note: UNDEF events are triggered only for client requests. No UNDEF events are triggered for responses.
The NetScaler appliance generates an undefined event (UNDEF event) when a request does not match a responder policy, and then carries out the default action assigned to undefined events. By default, that action is to forward the request to the next feature without changing it. This default behavior is normally what you want; it ensures that requests that do not require special handling by a specific responder action are sent to your Web servers and clients receive access to the content that they requested.
If the Web site(s) your NetScaler appliance protects receive a significant number of invalid or malicious requests, however, you may want to change the default action to either reset the client connection or drop
Key Notes:
After enabling the responder feature, you must configure one or more actions for handling requests. The responder supports the following types of actions:
Respond with
• Sends the response defined by the Target expression without forwarding the request to a web server. (The NetScaler appliance substitutes for and acts as a web server.) Use this type of action to manually define a simple HTML-based response. Normally the text for a Respond with action consists of a web server error code and a brief HTML page.
Respond with SQL OK
• Sends the designated SQL OK response defined by the Target expression. Use this type of action to send an SQL OK response to an SQL query.
Respond with SQL Error
• Sends the designated SQL Error response defined by the Target expression. Use this type of action to send an SQL Error response to an SQL query.
Respond with HTML page
• Sends the designated HTML page as the response. You can choose from a drop-down list of HTML pages that were previously uploaded, or upload a new HTML page. Use this type of action to send an imported HTML page as the response.
Redirect
• Redirects the request to a different web page or web server. A Redirect action can redirect requests originally sent to a "dummy" web site that exists in DNS, but for which there is no actual web server, to an actual web site. It can also redirect search requests to an appropriate URL. Normally, the redirection target
Key Notes:
Released in Version 10 of NetScaler
Respond with SQL OK
• Sends the designated SQL OK response defined by the Target expression. Use this type of action to send an SQL OK response to an SQL query.
Respond with SQL Error
• Sends the designated SQL Error response defined by the Target expression. Use this type of action to send an SQL Error response to an SQL query.
Key Notes:
To configure a responder action by using the command line interface
• At the command prompt, type the following commands to configure a responder action and verify the configuration:
• show responder action
To modify an existing responder action by using the command line interface
• At the command prompt, type the following command to modify an existing responder action and verify the configuration:
• set responder action <name> -target <string> [-bypassSafetyCheck ( YES | NO )]
• show responder action
To remove a responder action by using the command line interface
• At the command prompt, type the following command to remove a responder action and verify the configuration:
• rm responder action <name>
• show responder action
• Expression
• Action
• UndefAction
Key Notes:
To configure a responder policy by using the NetScaler command line:
• At the NetScaler command prompt, type the following command to add a new responder policy and verify the configuration:
• The Responder feature can respond to designated requests by sending the client an HTML-based web page; it supports the import of custom HTML pages to the NetScaler.
Key Notes:
At times, when the services for a website are not available because of a planned outage or an unexpected event, you might want to display a maintenance or an apology page to the customer. You can use the Responder feature of the NetScaler appliance to create such a notification page during these events.
To configure a maintenance webpage by using the Responder feature of the NetScaler appliance, complete the following procedure:
If not already done, run the following command to configure the required services:
add service server1 <IP_Address_of_Service> HTTP 80
You have to create a service that is always UP and bind it to this backup virtual server so that it will always
use any dummy IP for the server and add a ping monitor, and click Create.
Alternatively, you can make the monitor type Reverse so that, even if the service is down, it will always be UP for the dummy IP.
Run the following command to configure a Load Balancing virtual server:
add lb vserver vserver1 HTTP <IP_Address_of_VServer> 80
Run the following command to configure a backup Load Balancing virtual server:
add lb vserver backup HTTP 0.0.0.0 0
Run the following command to bind a service to the backup virtual server to ensure that the status of the backup virtual server is marked as UP:
bind lb vserver backup always-up
Run the following command to configure the main virtual server with the backup virtual server:
set lb vserver vserver1 -backupVServer backup
Key Notes:
To put a policy into effect, you must bind it either globally, so that it applies to all traffic that flows through the NetScaler, or to a specific virtual server, so that the policy applies only to requests whose destination IP address is the VIP of that virtual server.
When you bind a policy, you assign a priority to it. The priority determines the order in which the policies you define are evaluated. You can set the priority to any positive integer.
In the NetScaler operating system, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is performed first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. The responder feature implements only the first policy that a request matches, not any additional policies that it might also match, so policy priority is important for getting the results you intend.
You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the order you want, by setting priorities with intervals of 50 or 100 between each policy when you globally bind it. You can then add additional policies at any time without having to reassign the priority of an existing policy.
To globally bind a responder policy by using the command line interface
• At the command prompt, type the following command to globally bind a responder policy and verify the configuration:
• bind responder global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType> <labelName>)]
• show responder global
There are some limitations to the gotoexpression in Responder, since multiple Responder policies can be
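To make the undefined-action, action-type and priority rules from the preceding notes concrete, here is an added Python model of responder evaluation (illustrative code, not Citrix's implementation). The policy names, the `203.0.113.0/24` source range used as the "abusive source" example, the hostnames and the request dictionary layout are all constructed; plain Python callables stand in for NetScaler policy expressions, and the UNDEF handling follows the notes' description (a request that matches no policy gets the undefined action).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed request shape standing in for the HTTP.REQ.* expression tree.
Request = Dict[str, str]   # keys: scheme, host, url, src_ip


@dataclass
class ResponderAction:
    kind: str            # respondwith | redirect | reset | drop
    target: object = ""  # str, or a callable computing the string from the request


@dataclass
class ResponderPolicy:
    name: str
    priority: int                       # lower number is evaluated first
    rule: Callable[[Request], bool]     # stands in for a policy expression
    action: ResponderAction


def _resolve(target: object, req: Request) -> str:
    return target(req) if callable(target) else str(target)


def evaluate(policies: List[ResponderPolicy], req: Request,
             undef_action: str = "noop") -> Tuple[str, str, Optional[str]]:
    """Return (action kind, target, matching policy name).

    Bound policies are walked in ascending priority and the first match wins,
    as the notes describe. A request that matches no policy raises an UNDEF
    event and gets undef_action: NOOP forwards it to the next feature, RESET
    and DROP end the connection.
    """
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(req):
            return pol.action.kind, _resolve(pol.action.target, req), pol.name
    return undef_action, "", None


def render(kind: str, target: str) -> Optional[str]:
    """What the client observes for a decision (None = no HTTP response at all)."""
    if kind == "respondwith":
        return target
    if kind == "redirect":
        return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nConnection: close\r\n\r\n"
    return None   # noop forwards the request; reset sends a TCP RST; drop stays silent


# Constructed policy set; priorities are spaced by 50 to leave room for later additions.
POLICIES = [
    ResponderPolicy("pol_drop_abuse", 50,
                    lambda r: r["src_ip"].startswith("203.0.113."),
                    ResponderAction("drop")),
    ResponderPolicy("pol_force_https", 100,
                    lambda r: r["scheme"] == "http" and r["url"].startswith("/account"),
                    ResponderAction("redirect", lambda r: f"https://{r['host']}{r['url']}")),
    ResponderPolicy("pol_status", 150,
                    lambda r: r["url"] == "/status",
                    ResponderAction("respondwith",
                                    "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK")),
]


if __name__ == "__main__":
    sample = {"scheme": "http", "host": "www.example.test",
              "url": "/account/login", "src_ip": "198.51.100.7"}
    print(evaluate(POLICIES, sample))
```

Because the abusive-source policy sits at priority 50, it is evaluated before the HTTPS redirect at 100: a request from that range to `/account` is dropped rather than redirected, which is exactly the first-match behaviour the notes warn you to plan priorities around.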
GET / HTTP/1.1
Host: server1.training.lab
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Key Notes:
NetScaler supports Rewrite and Responder policies for various protocols.
• TCP and HTTP
Responder policies allow sending custom responses to the client.
Rewrite policies allow modification of requests sent to the back end as well as the server responses sent to the client.
The support has now been extended to DNS.
You can configure the responder feature to respond to DNS requests as it does to HTTP and TCP requests. For example, you could configure it to send DNS responses over UDP and ensure that the DNS requests from the client are sent over TCP. A number of NetScaler expressions support examination of the DNS header in the request. These expressions examine specific header fields and send an appropriate response.
• For proxy mode, the policy is evaluated only in the event of a cache miss.
• The RA flag will always be set if Recursion Available is set to YES, irrespective of rewrites done.
• The CD flag will be honored if Recursion Available is set to YES, irrespective of rewrites done.
Key Notes:
The various policy expressions are:
1. DNS.REQ.HEADER.FLAGS.IS_SET(), SET(), UNSET(): QR, AA, TC, RD, RA, AD, CD
2. DNS.REQ.HEADER.OPCODE.EQ, NE, SET: QUERY, IQUERY, STATUS
3. DNS.RES.HEADER.RCODE.SET
4. DNS.NEW_RESPONSE()
5. DNS.NEW_RESPONSE(Boolean AA, Boolean TC, dns_rcode_e rcode):
6. DNS.NEW_RRSET_A()
7. DNS.NEW_RRSET_AAAA()
Key Notes:
Configuring Responder Policies for DNS
• The following procedure uses the NetScaler command line to configure a responder action and policy and bind the policy to a responder-specific global bind point.
• To configure Responder to respond to a DNS request
<actType> For <actname>, substitute a name for your new action. The name can be 1 to 127 characters in length, and can contain letters, numbers, hyphen (-), and underscore (_) symbols. For <actType>, substitute a responder action type, respondWith.
• add responder policy <polName> <rule> <actName>
For <polname>, substitute a name for your new policy. For <actname>, the name can be 1 to 127 characters in length, and can contain letters, numbers, hyphen (-), and underscore (_) symbols. For <actname>, substitute the name of the action that you just created.
• bind responder policy <polName> <priority> <nextExpr> -type <bindPoint>
For <bindPoint>, specify one of the responder-specific global bind points. For <polName>, substitute the name of the policy that you just created. For <priority>, specify the priority of the policy.
Additional Resources:
Citrix Product Documentation on DNS Support for the Responder Feature: http://docs.citrix.com/en-us/netscaler/12/appexpert/responder/dns-support-responder.html
citrix.com: type A, class IN, addr 162.221.156.156
Name: citrix.com
Class: IN (0x0001)
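As an added example, not from the Citrix material, the Python below builds a DNS query, reads the header fields that the expressions listed above inspect (the QR/AA/TC/RD/RA/AD/CD flags, OPCODE and RCODE), and constructs an answer the way NEW_RESPONSE(AA, TC, rcode) followed by NEW_RRSET_A() would: the RA flag is set when recursion is advertised as available and the client's CD flag is carried over, as the notes state. The `respond` policy, the `nonexistent.test` name and the transaction id are constructed; the A record value for citrix.com is the one shown in the capture above.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODES = {"NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, "REFUSED": 5}


@dataclass
class DnsHeader:
    txid: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    def is_set(self, flag: str) -> bool:       # cf. DNS.REQ.HEADER.FLAGS.IS_SET(<flag>)
        return bool((self.flags >> FLAG_BITS[flag]) & 1)

    @property
    def opcode(self) -> str:                   # cf. DNS.REQ.HEADER.OPCODE
        return OPCODES.get((self.flags >> 11) & 0xF, "UNKNOWN")

    @property
    def rcode(self) -> int:                    # cf. DNS.RES.HEADER.RCODE
        return self.flags & 0xF


def parse_header(pkt: bytes) -> DnsHeader:
    return DnsHeader(*struct.unpack("!6H", pkt[:12]))


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read a label sequence at off; follows a compression pointer if present."""
    labels: List[str] = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(qname: str, txid: int = 0x1234, rd: bool = True, cd: bool = False) -> bytes:
    """Constructed client query for an A record (one question, no answers)."""
    flags = (1 << 8 if rd else 0) | (1 << 4 if cd else 0)
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def new_response(query: bytes, aa: bool, tc: bool, rcode: str,
                 a_records: Tuple[str, ...] = (), recursion_available: bool = True,
                 ttl: int = 300) -> bytes:
    """Model of DNS.NEW_RESPONSE(AA, TC, rcode) followed by NEW_RRSET_A().

    The response echoes the txid, opcode, RD and CD bits of the query; RA is
    set whenever recursion is advertised as available.
    """
    hdr = parse_header(query)
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                       # name + QTYPE + QCLASS
    flags = (1 << 15) | (hdr.flags & (0xF << 11)) | (hdr.flags & (1 << 8)) | (hdr.flags & (1 << 4))
    flags |= (1 << 10 if aa else 0) | (1 << 9 if tc else 0)
    flags |= (1 << 7 if recursion_available else 0) | RCODES[rcode]
    answers = b""
    for ip in a_records:
        # 0xC00C = pointer to the question name at offset 12; type A (1), class IN (1)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", hdr.txid, flags, 1, len(a_records), 0, 0) + question + answers


def respond(query: bytes) -> bytes:
    """Constructed responder policy: answer citrix.com with the address from the
    capture above, refuse anything that is not a standard QUERY, NXDOMAIN the rest."""
    hdr = parse_header(query)
    if hdr.opcode != "QUERY":
        return new_response(query, aa=False, tc=False, rcode="REFUSED")
    qname, _ = decode_name(query, 12)
    if qname.lower() == "citrix.com":
        return new_response(query, aa=True, tc=False, rcode="NOERROR", a_records=("162.221.156.156",))
    return new_response(query, aa=True, tc=False, rcode="NXDOMAIN")
```

Reading the flags bit by bit is also what a detection engineer wants when checking whether a resolver in front of NetScaler is honouring CD (DNSSEC checking disabled) or advertising recursion to clients that should not get it.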
Additional Resources:
Citrix Discussions on actual environment use case for a Responder Action.
NetScaler transforms URL
Client requests browser URL: www.citrix.com/home
Web site URL seen as: www.citrix.com/customers/home
Key Notes:
URL Transformation uses the AppFW engine. Rewrite uses the PE engine. For a large number of transactions, URL Transformation is more efficient. For small numbers, Rewrite is more efficient.
You can use it to modify a URL so that it can be different for internal or external access, or a different URL for a different set of users, and even to append a folder path to an existing host so that users don't need to know the entire path.
The URL transformation feature provides a method for modifying all URLs in designated requests from an external version seen by outside users to an internal URL seen only by your Web servers and IT staff. You can redirect user requests seamlessly, without exposing your network structure to users. You can also modify complex internal URLs that users may find difficult to remember into simpler, more easily remembered external URLs.
Note: Before you can use the URL transformation feature, you must enable the Rewrite feature. To enable the Rewrite feature, see Enabling the Rewrite Feature.
To begin configuring URL transformation, you create profiles, each describing a specific transformation. Within each profile, you create one or more actions that describe the transformation in detail. Next, you create policies, each of which identifies a type of HTTP request to transform, and you associate each policy with an appropriate profile. Finally, you globally bind each policy to put it into effect.
A profile describes a specific URL transformation as a series of actions. The profile functions primarily as a container for the actions, determining the order in which the actions are performed. Most transformations transform an external hostname and optional path into a different, internal hostname and path. Most useful transformations are simple and require only a single action, but you can use multiple actions to perform complex transformations.
You cannot create actions and then add them to a profile. You must create the profile first, and then add
Additional Resources:
Differences between URL Transformation and Rewrite: http://support.citrix.com/article/CTX123094
NetScaler Product Documentation URL Transformation: https://docs.citrix.com/en-us/netscaler/12/appexpert/rewrite/url-transformation.html
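The profile-of-actions model described in the notes above, as an added Python illustration (not Citrix code): a profile is an ordered list of actions, each pairing an external URL pattern with its internal form for requests and the reverse pair for URLs the server sends back, so that the Location header of a server-issued redirect does not leak the internal path. The `www.citrix.com/home` to `/customers/home` mapping is the one on the slide; the second action, the class names and the `support-backend.internal.test` host are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TransformAction:
    """One action: an external<->internal URL pair for requests and for server responses."""
    req_from: str    # regex for the external URL as the browser sends it
    req_into: str    # template for the internal URL the web server sees
    res_from: str    # regex for an internal URL the server sends back (e.g. in Location)
    res_into: str    # template for the external form the client should see

    @staticmethod
    def _map(pattern: str, template: str, url: str) -> Optional[str]:
        m = re.fullmatch(pattern, url)      # anchored: no partial-match surprises
        return m.expand(template) if m else None

    def request(self, url: str) -> Optional[str]:
        return self._map(self.req_from, self.req_into, url)

    def response(self, url: str) -> Optional[str]:
        return self._map(self.res_from, self.res_into, url)


@dataclass
class TransformProfile:
    """Container for actions; they are tried in order and the first match is used."""
    name: str
    actions: List[TransformAction]

    def transform_request(self, url: str) -> str:
        for act in self.actions:
            out = act.request(url)
            if out is not None:
                return out
        return url                                   # no action applies: unchanged

    def transform_response_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Rewrite URL-bearing response headers back to their external form so a
        redirect issued by the server never exposes the internal path."""
        out = dict(headers)
        for name in ("Location", "Content-Location"):
            if name in out:
                for act in self.actions:
                    mapped = act.response(out[name])
                    if mapped is not None:
                        out[name] = mapped
                        break
        return out


# Constructed profile: the slide's www.citrix.com/home -> /customers/home mapping,
# plus a made-up second action that hides a support back-end host and path.
# The "(/.*|)" group captures an optional remainder of the path (possibly empty).
PROFILE = TransformProfile("prof_citrix", [
    TransformAction(r"http://www\.citrix\.com/home(/.*|)",
                    r"http://www.citrix.com/customers/home\1",
                    r"http://www\.citrix\.com/customers/home(/.*|)",
                    r"http://www.citrix.com/home\1"),
    TransformAction(r"http://www\.citrix\.com/support(/.*|)",
                    r"http://support-backend.internal.test/kb\1",
                    r"http://support-backend\.internal\.test/kb(/.*|)",
                    r"http://www.citrix.com/support\1"),
])


if __name__ == "__main__":
    print(PROFILE.transform_request("http://www.citrix.com/home/login"))
```

Anchoring every pattern with `fullmatch` is the design choice worth copying: a prefix-only match would let `/homepage` be rewritten as if it were `/home`, which is the kind of path confusion that turns a convenience feature into an access-control bypass.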
NetScaler Traffic Management
Content Switching
CNS-219-2i
Version 1.0
Key Notes:
In today's complex Web sites, you may want to present different content to different users. For example, you may want to allow users from the IP address range of a customer or partner to have access to a special Web portal. You may want to present content relevant to a specific geographical area to users from that area. You may want to present content in different languages to the speakers of those languages. You may want to present content tailored to specific devices, such as smartphones, to those who use the devices.
Content Switching enables the NetScaler appliance to direct requests sent to the same Web host to different servers with different content.
When switching both static and dynamic requests, you must configure one load-balancing virtual server for static requests and a separate load-balancing virtual server for dynamic requests.
Additional Resources:
Citrix Product Documentation on Content Switching: http://docs.citrix.com/en-us/netscaler/12/content-switching.html
[Diagram: Client → Internet → Content-Switching Virtual Server → Load-Balancing Virtual Server (dynamic content) → Service 1 / Server 1 (App1), Service 2 / Server 2 (App2); Load-Balancing Virtual Server (static content) → Service 3 / Server 3 (Image1), Service 4 / Server 4 (Image2)]
Key Notes:
A content-switching configuration consists of a content-switching virtual server, a load-balancing setup consisting of load-balancing virtual servers and services, and content-switching policies.
To configure content switching, you must configure a content-switching virtual server and associate it with policies and load-balancing virtual servers.
This process creates a content group: a group of all virtual servers and policies involved in a particular content-switching configuration.
Additional Resources:
Citrix Product Documentation on Basic Content Switching: http://docs.citrix.com/en-us/netscaler/12/content-switching/basic-configuration.html
Key Notes:
After you configure a basic content switching setup, you might need to customize it to meet your requirements.
If your web servers are UNIX-based and rely on case-sensitive pathnames, you can configure case sensitivity for policy evaluation.
You can also set precedence for evaluation of the content switching policies that you configured.
You can configure HTTP and SSL content switching virtual servers to listen on multiple ports instead of creating separate virtual servers.
If you want to configure content switching for a specific virtual LAN, you can configure a content switching virtual server with a listen policy.
Key Notes:
Device Type - The appliance examines the user agent or custom HTTP header in the client request for the type of device from which the request originated. Based on the device type, it directs the request to a specific Web server. For example, if the request came from a cell phone, the request is directed to a server that is capable of serving content that the user can view on his or her cell phone. A request from a computer is directed to a different server that is capable of serving content designed for a computer screen.
Language - The appliance examines the Accept-Language HTTP header in the client request and determines the language used by the client's browser. The appliance then sends the request to a server that serves content in that language. For example, using content switching based on language, the appliance can send someone whose browser is configured to request content in French to a server with the French version of a newspaper. It can send someone else whose browser is configured to request content in English to a server with the English version.
Cookie - The appliance examines the HTTP request headers for a cookie that the server set previously. If it finds the cookie, it directs requests to the appropriate server, which hosts custom content. For example, if a cookie is found that indicates that the client is a member of a customer loyalty program, the request is directed to a faster server or one with special content. If it does not find a cookie, or if the cookie indicates that the user is not a member, the request is directed to a server for the general public.
HTTP Method - The appliance examines the HTTP header for the method used and sends the client request to the right server. For example, GET requests for images can be directed to an image server, while POST requests can be directed to a faster server that handles dynamic content.
Layer 3/4 Data - The appliance examines requests for the source or destination IP, source or destination port, or any other information present in the TCP or UDP headers, and directs the client request to the right server. For example, requests from source IPs that belong to customers can be directed to a custom web portal on a faster server, or one with special content.
Key Notes:
When a request reaches the content-switching virtual server, the virtual server applies the associated content-switching policies to that request.
Content switching can point to a load-balancing vserver, NG vserver, GSLB vserver, or AAA-TM vserver.
You can add, modify, and remove content switching virtual servers. The state of a virtual server is DOWN when you create it, because the load balancing virtual server is not yet bound to it.
To create a virtual server by using the command line interface
• At the command prompt, type:
Additional Resources:
For dynamically identifying the target vserver: http://docs.citrix.com/en-us/netscaler/12/content-switching/basic-configuration.html
Key Notes:
The content-switching feature supports either classic or default (advanced) policies. On one content-switching vserver you can bind all classic policies, and on another content-switching vserver you can bind all default policies, but you cannot mix and match on the same content-switching vserver.
A content-switching vserver has policies bound, and the "action" of the policy is typically a load-balancing vserver or possibly another content-switching vserver.
A default load-balancing vserver must be defined. If not, any unmatched traffic will result in a 503 error.
Additional Resources:
Creating Content Switching Virtual Servers: http://docs.citrix.com/en-us/netscaler/12/content-switching/basic-configuration/create-virtual-servers.html
Key Notes:
Specifies whether the virtual server checks the attached load-balancing server for state information.
Additional Resources:
Use Case: Dynamic Content Switching: https://docs.citrix.com/en-us/netscaler/12/appexpert/http-callout/use-case-dynamic-content-switching.html
Key Notes:
The priority of the policy defines the order in which the policies bound to the content-switching virtual server are evaluated. If you are using default syntax policies, when you bind a policy to the content-switching virtual server, you must assign a priority to that policy. If you are using NetScaler classic policies, you can assign a priority to your policies, but are not required to do so. If you assign priorities, the policies are evaluated in the order that you set. If you do not, the NetScaler appliance evaluates your policies in the order in which they were created.
In addition to configuring policy priorities, you can manipulate the order of policy evaluation by using Goto expressions and policy label invocations.
After it evaluates the policies, the content-switching virtual server routes the request to the appropriate load-balancing virtual server, which sends it to the appropriate service.
Content switching virtual servers can only send requests to other virtual servers. If you are using an external load balancer, you must create a load balancing virtual server for it and bind its virtual server as a service to the content switching virtual server.
CS is a blocker module, meaning that if traffic is not matched then it is blocked and cannot go anywhere (because it has nowhere to go).
You specify the target load balancing virtual server for a content switching policy when binding the policy to the content switching virtual server. Consequently, you have to configure one policy for each load balancing virtual server to which to direct traffic.
However, if your content switching policy uses a default syntax rule, you can configure an action for the policy. In the action, you can specify the name of the target load balancing virtual server, or you can configure a request-based expression that, at run time, computes the name of the load balancing virtual server to which to send the request. The action expression must be specified in the default syntax.
policy to a content switching virtual server.
• A target VServer can be specified for a content-switching policy when binding the policy to the content-switching VServer.
• Consequently, only one policy can be configured for each VServer to direct traffic.
• When using default policies, configure an action for the policy instead of a target VServer.
• When configuring the action:
  • Specify the name of the target VServer.
  • Configure a request-based expression that computes the name of the VServer to send the request to.
  • This option can drastically reduce the size of the content-switching configuration, because only one policy for each content-switching VServer is needed.
Key Notes:
You specify the target load-balancing virtual server for a content-switching policy when binding the policy to the content-switching virtual server. Consequently, you have to configure one policy for each load-balancing virtual server to which to direct traffic.
However, if your content-switching policy uses a default syntax rule, you can configure an action for the policy. In the action, you can specify the name of the target load-balancing virtual server, or you can configure a request-based expression that, at run time, computes the name of the load-balancing virtual server to which to send the request. The action expression must be specified in the default syntax.
The expression option can drastically reduce the size of your content-switching configuration, because you need only one policy per content switching virtual server. Content-switching policies that use an action can also be bound to multiple content-switching virtual servers, because the target load-balancing virtual server is no longer specified in the content-switching policy. The ability to bind a single policy to multiple content-switching virtual servers helps to further reduce the size of your content-switching configuration.
Key Notes:
After you create your content switching virtual server and policies, you bind each policy to the content switching virtual server. When binding the policy to the content switching virtual server, you specify the target load balancing virtual server.
If your content switching policy uses a default syntax rule, you can configure a content switching action for the policy. If you configure an action, you must specify the target load balancing virtual server when you are configuring the action, not when you are binding the policy to the content switching virtual server. For more information about configuring a content switching action, see Configuring a Content Switching Action.
A policy label is a user-defined bind point to which policies are bound. When a policy label is invoked, all the policies bound to it are evaluated in the order of the priority that you assigned to them. A policy label can include one or more policies, each of which can be assigned its own result. A match on one policy in the policy label can result in proceeding to the next policy, invoking a different policy label or appropriate resource, or an immediate end to policy evaluation and return of control to the policy that invoked the policy label. You can create policy labels for default syntax policies only.
A content switching policy label consists of a name, a label type, and a list of policies bound to the policy label. The policy label type specifies the protocol that was assigned to the policies bound to the label. It must match the service type of the content switching virtual server to which the policy that invokes the policy label is bound. For example, you can bind TCP Payload policies to a policy label of type TCP only. Binding TCP Payload policies to a policy label of type HTTP is not supported.
Each policy in a content switching policy label is associated with either a target (which is equivalent to the action that is associated with other types of policies, such as rewrite and responder policies) or a gotoPriorityExpression option and/or an invoke option. That is, for a given policy in a content switching policy label, you can specify a target, or you can set the gotoPriorityExpression option and/or the invoke option. Additionally, if multiple policies evaluate to true, only the target of the last policy that evaluates to
Key Notes:
Depending on your desired result, the default virtual server could be a separate internal resource or a trap, like a honeypot server, to allow further diagnosis. A default server is not required, but remember that any traffic that does not match a Content Switching policy will be denied.
Key Notes:
After a content switching setup is configured, it may require periodic changes. When operating systems or software are updated, or hardware wears out and is replaced, you may need to take down your setup. Load on your setup may increase, requiring additional resources. You may also modify the configuration to improve performance.
These tasks may require unbinding policies from the content switching virtual server, or disabling or removing content switching virtual servers. After you have made changes to your setup, you may need to re-enable servers and rebind policies. You might also want to rename your virtual servers.
Key Notes:
Content switching may fail when the content-switching virtual server goes DOWN or fails to handle excessive traffic, or for other reasons. To reduce the chances of failure, you can take the following measures (see additional resources below) to protect the content-switching setup against failure.
Additional Resources:
Probable Reasons for the Status of a Virtual Server Being Marked as DOWN on NetScaler: http://support.citrix.com/article/CTX108960
Protecting the Content Switching Setup against Failure: https://docs.citrix.com/en-us/netscaler/12/content-switching/protecting-against-failure.html
Flushing the Surge Queue: http://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-protect-configuration/flush-surge-queue.html
[Screenshot: content switching virtual server traffic settings, including Virtual Server IP Port Insertion (OFF), Cacheable, Down State Flush, Redirect Port Rewrite, Case Sensitivity and State Update]
Key Notes:
When case sensitivity is configured, the NetScaler appliance considers case when evaluating policies. For example, if case sensitivity is off, the URLs /a/1.htm and /A/1.HTM are treated as identical.
Additional Resources:
Citrix eDocs Customizing Content Switching: http://docs.citrix.com/en-us/netscaler/12/content-switching/customizing-configuration.html
NetScaler Traffic Management
Secure Web Gateway
CNS-219-2I
Version 1.0
Secure Web Gateway (SWG) enhances network security by enabling the administrator to do the following:
Key Notes:
with leading industry performance and smart URL filtering that provides real-time protection against malicious websites, which blocks access to malware, spam, and phishing sites along with industry-leading website categorization. With the NetScaler SWG solution, customers can now offload URL and content filtering for encrypted traffic and avoid expensive upgrades to their dedicated security deployments. In addition, this solution helps customers meet compliance requirements like CIPA (Children's Internet Protection Act).
One of the biggest concerns for security professionals is insider data breaches. Employees can easily click on malvertising ads or malicious links contained in phishing emails, or visit websites that download malware or ransomware. Third-party adverts can be blocked and end users can be prevented from visiting websites known to contain malware. Websites can also be blocked by category to prevent end users from engaging in risky online behavior. NetScaler SWG is an excellent defense against malicious threats and ransomware.
New Advanced User Behavior Security Analytics
This solution in NetScaler MAS leverages multiple machine learning algorithms and provides context aware
security analytics, to identify compromised insider credentials and prevents data breaches to sensitive
corporate data.
New Ciphers and Hybrid SSL support
We continue to add newer ciphers to our SSL security suite across all NetScaler platforms. With our hybrid
SSL, now customers can achieve significant hardware and software SSL performance improvement. For
example, customers can achieve almost 800% ECDHE transactions per second (TPS) hardware improvement
on their 115xxx series. With Hybrid FIPS, customers can increase the SSL throughput and SSL TPS by
leveraging non‐FIPS cards along with the FIPS card.
[Diagram: internal users behind a NetScaler SWG and a network firewall reaching web servers on the Internet]
Key Notes:
Secure Web Gateway utilizes a content switching virtual server where we will apply authentication and rules to allow or disallow URLs or addresses. This is also where we will configure SSL interception, for instance. So how do we configure Secure Web Gateway on NetScaler 12? In its simplest form we can configure a content switching virtual server like this.
Configure a SNIP which has Internet access, or define a net profile to specify which SNIP should be used for outbound traffic to the Internet; also ensure that you have configured DNS properly so that the appliance can resolve names. After this is done we can define the IP address in the proxy configuration of the browser on the endpoint, and users can browse the Internet.
• This mode is used when it is possible to specify the proxy settings on the client browser.
[Screenshot: content switching virtual server SWG_vs basic settings (IP address type, port)]
Key Notes:
• Transparent forward proxy
• The SWG vServer is configured with a wildcard (*) IP address.
• In this mode the clients are not aware that a proxy server is mediating their requests.
[Screenshot: content switching virtual server SWG_vs with IP Address Type set to IP Address and port 80]
Key Notes:
• Explicit forward proxy
• The SWG virtual server is configured with an IP address and 80 as the port number.
• All client requests are sent to this IP address.
• This mode is used when it is possible to specify the proxy settings on the client browser.
• Authentication provides the flexibility to define specific policies for a user or a group of users on the basis of their roles.
• After authentication, requests and responses from and to the user are tagged to identify the user.
Modes supported for Explicit Proxy:
• RADIUS
• TACACS+
Modes supported for Transparent Proxy: see Key Notes.
Key Notes:
Currently only LDAP is supported for Transparent Proxy.
protocol (OCSP).
• It regenerates the server certificate, signs it by using the key of the CA certificate installed on the appliance, and presents it to the client.
• The proxy decrypts the traffic and accesses the clear text HTTP request/response.
• It inspects the data on the basis of the corporate policy / URL reputation.
• The proxy virtual server then re-encrypts the response and forwards it to the client.
• If the policy decision is to block the request to the
[Diagram: TLS handshake between the client, the SWG proxy and the origin server, showing the Client Key Exchange, Change Cipher Spec and Finished messages on both sessions]
Key Notes:
The CA certificate that is used to sign the server certificate must be preinstalled on all the client devices, so that the regenerated server certificate is trusted by the client.
With SSL interception, one certificate is used between the client and the NetScaler appliance, and another certificate between the appliance and the back-end server.
Key Notes:
SSL Intercept (or SSL forward proxy) provides a way to inspect encrypted traffic.
Key Notes:
To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can contain a list of up to one million (1,000,000) blacklisted entries. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download URLs of highly sensitive URL sets managed by internet enforcement agencies (with government websites) or independent internet organizations such as the Internet Watch Foundation (IWF). Once the URL set is downloaded from a website and imported into the appliance, the appliance encrypts the URL sets on the appliance (as required by these agencies) and keeps them confidential so that the entries cannot be tampered with.
The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you might want to use an expression that evaluates the URL on the basis of an exact string match. For other URLs, you might want to use an expression that evaluates the URL's metadata, in addition to an expression that checks for an exact string match.
Configuring URL Set
You can perform the following tasks to configure a URL set and restrict URLs on a NetScaler platform:
1. Import a URL set (download and encrypt it). Importing a URL set into a NetScaler appliance allows you to download the URL file, add the file to the appliance, and then encrypt the file. Until you add the URL set to the system, it will not be visible to the user.
You can download a set in the following ways:
1. Download a URL set once from a specific URL; HTTP and HTTPS are supported for the file download.
2. Download a URL set using FTP.
2. Updating a URL set on the NetScaler appliance. Once you have pushed the file into the appliance, you can manually update the URL file by using the command line interface.
3. Exporting a URL set. If you prefer a backup of the URL set, you can export the list of URL patterns and save a copy of it to a destination URL. Before you export, check whether the URL set is marked as private. If it is marked private, the URL set cannot be exported.
4. Removing a URL set. If you want to delete a URL set of blacklisted entries, you can use the remove command to delete the URL set from the NetScaler appliance.
5. Displaying a URL set. You can display the properties of a URL set by using the show command.
Additional Resources:
sets.html
HTTP.REQ.URL.EQUALS_WITH_METADATA(<URLSET>).EQ(<METADATA>)
    Evaluates to TRUE if the matched metadata is equal to <METADATA>.
HTTP.REQ.URL.EQUALS_WITH_METADATA(<URLSET>).TYPECAST_LIST_T(',').GET(0).EQ(<CATEGORY>)
    Evaluates to TRUE if the matched metadata is at the beginning of the category. This pattern can be used to encode separate fields within the metadata, but match only the first field.
HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL)
    Joins the host and URL parameters, which can then be used as a <URL> for matching.
HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URLSET_MATCHES_ANY(<URLSET>)
    Evaluates to TRUE if the URL set name configured in the advanced policies identifies the correct URL set during incoming URL evaluation.
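The URL set checks described above, as an added Python model that is not NetScaler code: an in-memory URL set with optional per-entry metadata, the three kinds of expression from the table (exact match against the set, the matched entry's metadata, and only its first comma-separated field), and a block/redirect/allow decision that treats entries with and without metadata differently, as the notes suggest. The file format, hostnames, categories and actions are constructed for illustration.

```python
"""URL set matching with metadata, simulated (added example, not NetScaler code).

Models the behaviour described above: a set of blacklisted URL entries, each
optionally carrying metadata such as "category,confidence", and the checks the
expression table lists: URLSET_MATCHES_ANY (exact match against the set),
EQUALS_WITH_METADATA (metadata of the matched entry) and
TYPECAST_LIST_T(',').GET(0) (only the first metadata field). The file format,
entries, hostnames and categories below are constructed for illustration.
"""
from typing import Dict, Optional


class UrlSet:
    """In-memory stand-in for an imported URL set."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._entries: Dict[str, Optional[str]] = {}  # pattern -> metadata or None

    @staticmethod
    def normalise(url: str) -> str:
        # Hostnames are case-insensitive, and the query string is not part of
        # the pattern, so both are normalised before the exact comparison.
        host, _, rest = url.partition("/")
        path = "/" + rest
        return host.lower() + path.split("?", 1)[0]

    def import_entries(self, text: str) -> int:
        """Parse constructed "host/path[,metadata]" lines; returns the entry count."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            pattern, _, metadata = line.partition(",")
            self._entries[self.normalise(pattern)] = metadata or None
        return len(self._entries)

    def urlset_matches_any(self, url: str) -> bool:
        """Like URLSET_MATCHES_ANY: TRUE when the URL equals an entry exactly."""
        return self.normalise(url) in self._entries

    def equals_with_metadata(self, url: str) -> Optional[str]:
        """Like EQUALS_WITH_METADATA: metadata of the matched entry, else None."""
        return self._entries.get(self.normalise(url))


def request_url(host: str, path: str) -> str:
    """Like HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL): the value matched against the set."""
    return host + path


def first_field(metadata: str) -> str:
    """Like TYPECAST_LIST_T(',').GET(0): the first comma-separated metadata field."""
    return metadata.split(",")[0]


# Constructed category-to-action mapping for the policy decision.
CATEGORY_ACTIONS = {"malware": "BLOCK", "phishing": "BLOCK", "gambling": "REDIRECT"}

# Constructed URL set file: "pattern[,category,confidence]". Not a real blacklist.
SAMPLE_URLSET = """
# pattern,category,confidence
evil.example.net/payload.bin,malware,high
login.example-bank.test/verify,phishing,high
bets.example.org/,gambling,low
blocked.example.com/exact-path
"""


def decide(urlset: UrlSet, host: str, path: str) -> str:
    """Return BLOCK, REDIRECT or ALLOW for one request.

    Follows the two-expression approach in the notes: entries with metadata are
    judged by their category (first field); entries without metadata are judged
    by the exact match alone. An unknown category on a blacklist hit blocks.
    """
    url = request_url(host, path)
    if not urlset.urlset_matches_any(url):
        return "ALLOW"
    metadata = urlset.equals_with_metadata(url)
    if metadata is None:
        return "BLOCK"  # exact hit on an entry that carries no metadata
    return CATEGORY_ACTIONS.get(first_field(metadata), "BLOCK")


def load_sample() -> UrlSet:
    """Build the constructed URL set used by the checks above."""
    urlset = UrlSet("blocklist_demo")
    urlset.import_entries(SAMPLE_URLSET)
    return urlset
```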
• Intercept and examine all the traffic, including SSL/TLS (encrypted traffic), coming in and going out of the enterprise network.
• Block access to URLs identified as serving harmful content.
• Identify end users (employees) in the enterprise who are accessing malicious websites.
NetScaler Traffic Management
Global Server Load Balancing
CNS-219-2I
Version 1.0
Key Notes:
Global server load balancing (GSLB) provides for disaster recovery and ensures continuous availability of applications by protecting against points of failure in a wide area network (WAN). GSLB can balance the load across data centers by directing client requests to the closest or best performing data center, or to surviving data centers in case of an outage.
The GSLB entities that you must configure are the GSLB sites, the GSLB services, the GSLB virtual servers, load-balancing or content-switching virtual servers, and authoritative DNS (ADNS) services. You also must configure MEP. You also can configure DNS views to expose different parts of your network to clients accessing the network from different locations.
In a typical configuration, a local DNS server sends client requests to a GSLB virtual server, to which GSLB services are bound. A GSLB service identifies a load-balancing or content-switching virtual server, which can be at the local site or a remote site. If the GSLB virtual server selects a load-balancing or content-switching virtual server at a remote site, it sends the virtual server's IP address to the DNS server, which sends it to the client. The client then resends the request to the new virtual server at the new IP address.
• Monitoring: GSLB servers perform monitoring of the entities, and the IP address is provided after confirming that the entity status is UP.
• Proximity Based Load Balancing: the IP address closest to the user can be provided.
• DNS View: where different resources share the same domain name, the IP address can be provided according to the corresponding users (e.g. internal users vs. external users).
Key Notes:
When you configure GSLB on NetScaler appliances and enable Metric Exchange Protocol (MEP), the appliances use the DNS infrastructure to connect the client to the data center that best meets the criteria that you set.
An ADNS service is a special kind of service that responds only to DNS requests for domains for which the NetScaler appliance is authoritative; you would create a sub-delegation from your DNS infrastructure.
A DNS virtual IP is a virtual IP (VIP) address that represents a load-balancing DNS virtual server on the NetScaler appliance.
Name servers store information about one or more zones.
DNS features:
• Record Types:
  • AAAA, A, CNAME, NS, PTR, SRV, SOA
• Recursion
  • Ability to look up addresses not owned by the NS
• Negative Caching
  • Only happens in proxy mode
• Any Queries
  • Respond to queries with type ANY
• Delegation with NS records
• DNS Views
  • Internal and external clients
Additional Resources:
http://docs.citrix.com/en-us/netscaler/12/dns/configure-dns-zone.html
Key Notes:
For clients making DNS requests, two different scenarios exist:
• Scenario 1
  • Create a local DNS server on the NetScaler system.
  • This is an authoritative DNS server for the zone configured.
  • It listens on an IP address provided in the configuration.
  • Clients can configure their local TCP/IP stack to forward queries to this IP address.
• Scenario 2
  • Create a load-balancing virtual server of type DNS and provide an IP address.
  • Add services redirecting traffic to back-end DNS servers.
  • Clients configure the load-balancing virtual server IP address as their DNS server IP address.
Additional Resources:
• http://docs.citrix.com/en-us/netscaler/12/dns/configure-netscaler-proxy-server.html
• http://docs.citrix.com/en-us/netscaler/12/dns/configure-netscaler-adns-server.html
• The NetScaler system can be configured with single or multiple instances of an authoritative DNS server:
  • Each instance listens on a different IP address.
  • All instances reference the same name table.
• An ADNS service is a local service type listening for incoming DNS requests on port 53 UDP.
• The ADNS service:
  • Is locally configured as service oriented architecture (SOA) for the GSLB domain.
• ADNS Service can be configured using CLI or WebUI.
• CLI Syntax:
[Screenshot: Load Balancing Service > Basic Settings: Service Name ADNS_Service, IP Address 10.107.149.240, Protocol ADNS, Port]
[Screenshot: Load Balancing Virtual Server with the Load Balancing Service DNS_Service bound, and its binding details]
Multi-IP Address Response (MIR) lookup returns all active virtual IP addresses with the optimal virtual IP address first in the response.
[Diagram: DNS responses with MIR Enabled vs. MIR Disabled]
Key Notes:
This module provides an introduction to the Global Server Load-Balancing (GSLB) feature. The GSLB feature ensures that client requests are directed to the best-performing site available in a global enterprise and distributed Internet environment. To access a URL, the user agent, such as a web browser, needs to first resolve the host name in the URL to an IP address. A DNS query is sent to a DNS server to resolve the host name. The NetScaler system can be configured to act either as an authoritative DNS (ADNS) server or as a DNS proxy.
GSLB enables the NetScaler system to make intelligent decisions. For example, if a site fails, the NetScaler system detects the failure and directs traffic to another available site. This feature prevents client requests from being sent to a site that is down or overloaded.
Key Notes:
GSLB is a DNS-based solution that load balances services between geographically distributed locations. The NetScaler system can be configured to act either as an authoritative DNS (ADNS) server or as a DNS proxy.
GSLB operates under many of the same general principles as load balancing but relies on DNS for directing client requests.
Typical uses of GSLB include:
• Distribution of network traffic across multiple sites
• Distribution of server load across multiple sites
• Disaster recovery
A major benefit of GSLB is the reduction of application latency.
Key Notes:
An active-active setup ensures that data is consistently available at each distributed data center. Make sure a single site can handle the load if one goes down.
[Diagram: GSLB architecture showing a client, the client's LDNS (ISP name server), the root servers, and GSLB Site A and GSLB Site B, each with a NetScaler, DNS servers and switches in front of the back-end servers]
Key Notes:
A back-end DNS server is necessary in proxy DNS configurations only. This graphic shows a DNS vserver for our DNS implementation; this is how we will do it in the lab.
An administrator can use the above diagram to understand the general GSLB architecture. The NetScaler system will answer the site DNS request in authoritative DNS configurations.
The following example demonstrates the process of a GSLB conversation.
1. The client enters www.gslbsite.com into the browser.
2. The client's system sends a DNS lookup query for www.gslbsite.com to the name server that is configured.
3. The name server returns the IP address of a known name server that is authoritative for www.gslbsite.com, as delivered by the root server. The returned address will be one of those registered for the site www.sitexyz.com. The top-level servers (root servers) cycle through the list round robin and will return the next IP address in line.
4. The client queries the NetScaler system in the GSLB configuration at the IP address returned in the prior step. The NetScaler system, based on its configured load-balancing method, returns the IP address the client needs to query for the service it is looking for, such as HTTP and HTTPS.
5. If the GSLB configuration is a proxy DNS configuration, the responding NetScaler system will query the back-end DNS server for the address to serve to the lookup request.
The site the NetScaler system directs the client to may be:
• A site the NetScaler system is hosting within the load balancing configuration
• Another GSLB site within the membership of sites
Key Notes:
A GSLB site is a representation of a data center in your network and is a logical grouping of GSLB virtual servers, services, and other network entities. Type the following commands to create a GSLB site and verify the configuration:
A GSLB service is a representation of a load balancing or content switching virtual server. Type the following commands to create a GSLB service and verify the configuration:
A GSLB virtual server is an entity that represents one or more GSLB services and balances traffic between them. Type the following commands to add a GSLB virtual server and verify the configuration:
• add gslb vserver <name> <serviceType> -ipType (IPv4 | IPv6)
• show gslb vserver <name>
Additional Resources:
How GSLB Works: http://docs.citrix.com/en-us/netscaler/12/global-server-load-balancing/how-gslb-works.html
Configuring a GSLB Site: http://docs.citrix.com/en-us/netscaler/12/global-server-load-
Key Notes:
A GSLB site is a representation of a data center in your network and is a logical grouping of GSLB virtual servers, services, and other network entities. Typically, in a GSLB setup, many GSLB sites are equipped to serve the same content to a client. These are usually geographically separated to ensure that the domain is active even if one site goes down completely. All of the sites in the GSLB configuration must be configured on every NetScaler appliance hosting a GSLB site. In other words, at each site, you configure the local GSLB site and each remote GSLB site.
Once GSLB sites are created for a domain, the NetScaler appliance sends client requests to the appropriate GSLB site as determined by the GSLB algorithms configured.
add gslb site <siteName> <siteIPAddress>
show gslb site <siteName>
In a typical GSLB setup:
• Many GSLB sites are equipped to serve the same content to a client.
• Sites are usually geographically separated to make sure that the domain is active, even if one site goes DOWN completely.
• At each site, the local GSLB site and the remote GSLB sites are configured.
Key Notes:
A GSLB service is a representation of a load balancing or content switching virtual server. A local GSLB service represents a local load balancing or content switching virtual server. A remote GSLB service represents a load balancing or content switching virtual server configured at one of the other sites in the GSLB setup. At each site in the GSLB setup, you can create one local GSLB service and any number of remote GSLB services.
show gslb service <serviceName>
stat gslb service <serviceName>
Services are enabled by default when you create them. You can disable or enable each service individually.
Key Notes:
A GSLB virtual server has one or more GSLB services bound to it and load balances traffic among those services. It evaluates the configured GSLB methods (algorithms) to select the appropriate service to which to send a client request.
Because the GSLB services can represent either local or remote vServers, selecting the optimal GSLB service for a request has the effect of selecting the data center that should serve the client request.
The domain for which global server load balancing is configured must be bound to the GSLB virtual server, because one or more services bound to the virtual server will serve requests made for that domain.
Unlike other virtual servers configured on a NetScaler appliance, a GSLB virtual server does not have its own virtual IP address (VIP).
Key Notes:
An administrator can use the following process to configure a GSLB implementation. Each step is repeated on the NetScaler system of each site. These configurations can be done on a single system and synchronized:
1. Enable required features.
2. Create the GSLB sites. MEP starts up and the sites come up.
3. Configure load-balancing virtual servers and services and bind them. Load-balancing virtual servers change to UP status.
4. Create the GSLB virtual server and services: the local service and remote services for all the remote sites.
5. Bind GSLB virtual servers to load-balancing virtual servers and the GSLB domain. GSLB virtual servers come up.
Note: this will not work until the FQDN is bound to the vServer.
Once all sites, virtual servers, and services are reported as UP, an administrator can customize DNS, GSLB methods, persistence, and site affinity as necessary.
This is an absolute configuration, so create the site information on the other NetScalers, then copy the configuration over. This handles the unique IP addressing.
In a hierarchical configuration, this is between parents only.
We recommend first running the GSLB config synchronization with -preview to see what will happen.
Key Notes:
In a typical GSLB deployment, you can prioritize the selection of a set of GSLB services bound to a GSLB virtual server, but you cannot do the following:
• Restrict the selection of a GSLB service to a subset of the GSLB services bound to a GSLB virtual server for the given domain.
• Apply different load-balancing methods to different subsets of GSLB services in the deployment.
• Apply spillover policies to a subset of GSLB services, or have a backup for a subset of GSLB services.
• Configure a subset of GSLB services to serve different content. That is, you cannot content switch between servers in different GSLB sites. The GSLB configuration assumes that the servers contain the same content.
• Define a subset of GSLB services with different priorities and specify an order in which the services in the subset are applied to a request.
You can now configure a content-switching (CS) policy to customize the GSLB deployment. First, configure a set of GSLB services and bind it to a GSLB virtual server. Then, configure a CS virtual server of target type GSLB, define a CS policy and action with the GSLB virtual server as the target virtual server, and bind the CS policy to the CS virtual server.
Important:
• Only CS policies with DNS-based expressions can be bound to a CS virtual server of target type GSLB.
• If a GSLB service is bound to a CS virtual server through a GSLB virtual server, you cannot bind another GSLB virtual server bound with the same GSLB service to the CS virtual server.
Consider a GSLB deployment that includes two GSLB sites.
Perform the following steps to configure GSLB service selection using content switching:
1. Configure GSLB.
2. Configure a content-switching virtual server of target type GSLB.
3. Configure CS policies.
4. Configure CS actions that designate a GSLB virtual server as the target virtual server.
5. Bind the CS policies to the CS virtual server.
6. Bind the domain to the CS virtual server instead of the GSLB virtual server.
*Only CS policies with DNS-based expressions can be bound to a CS virtual server of target type GSLB.
The data centers in a GSLB setup exchange metrics with each other through the Metric Exchange Protocol (MEP).
• The exchange of the metric information begins once you create a GSLB site.
• It is enabled by default.
• It uses port 3011, or port 3009 for secure communications.
• These metrics comprise load, network, and persistence information.
• This data exchange is not encrypted by default.
• DNS query responses are based on information gathered through MEP.
Key Notes:
MEP is required for health checking of data centers to ensure their availability. A connection for exchanging network metrics can be initiated by either of the data centers involved in the exchange, but a connection for exchanging site metrics is always initiated by the data center with the lower IP address. By default, the data center uses a subnet IP address (SNIP) or a mapped IP address (MIP) to establish a connection to the IP address of a different data center. However, you can configure a specific SNIP, MIP, the NetScaler IP address (NSIP), or a virtual IP address (VIP) as the source IP address for metrics exchange. The communication process between GSLB sites uses TCP port 3011 or 3009, so this port must be open on firewalls that are between the NetScaler appliances.
You can also bind monitors to check the health of remote services. When monitors are bound, metric exchange does not control the state of the remote service.
To allow controlled access, user authentication is performed before metric information is exchanged. All of the sites taking part in metric exchange should have the same nsroot user ID and password. A system can handle a maximum of 32 sites.
Note: This limit can be extended by configuring aggregator sites.
If the system is deployed behind a firewall, the administrator needs to allow connections from one site to the other.
The GSLB site metric exchange interval is 1 second.
Site metric information:
• Information about load-balancing virtual servers, such as the current number of connections and current packet rate.
Network metric information:
The public IP address of the site needs to be allowed on any blocking firewall.
MEP can be disabled, but this limits the GSLB methods to round robin, static proximity and source IP hash. All other methods revert to round robin when MEP is off/inactive.
• After the password for the RPC node of the local site is changed, it is possible to manually propagate the change to the RPC node at each remote site and encrypt MEP.
• Unsecured RPC nodes use TCP port 3011.
• Secured RPC nodes use TCP port 3009.
• NetScaler uses a GSLB site IP address (which can be shared with a SNIP or MIP) as the source IP address for an RPC node for GSLB communication.
Key Notes:
If a SNIP address is not available, you must configure either the NSIP or a VIP as the source IP address.
Site metrics exchanged between the GSLB sites include:
• Status of each virtual server
• Current number of connections
• Current packet rate
• Current bandwidth usage information
show gslb site <GSLBSiteName>
[Screenshot: GSLB Site configuration showing Type LOCAL, Public IP Address, Trigger Monitors, Metric Exchange and Network Metric Exchange settings]
Key Notes:
If you disable metrics exchange, you can use only static load-balancing methods (such as round robin, static proximity, or the hash-based methods), and if you disable metrics exchange when a dynamic load-balancing method (such as least connection) is in operation, the appliance falls back to round robin.
• Enable or disable the exchange of RTT information about the client's local DNS when the GSLB dynamic method RTT is enabled with:
set gslb site <GSLBSiteName> -nwmetricExchange {ENABLED | DISABLED}
Key Notes:
The data centers in a GSLB setup exchange metrics with each other through the metrics exchange protocol (MEP), which is a proprietary protocol for the Citrix NetScaler. The exchange of the metric information begins when you create a GSLB site. These metrics comprise load, network, and persistence information.
MEP is required for health checking of data centers to ensure their availability. A connection for exchanging network metrics can be initiated by either of the data centers involved in the exchange, but a connection for exchanging site metrics is always initiated by the data center with the lower IP address. By default, the data center uses a subnet IP address (SNIP) or a mapped IP address (MIP) to establish a connection to the IP address of a different data center. However, you can configure a specific SNIP, MIP, the NetScaler IP address (NSIP), or a virtual IP address (VIP) as the source IP address for metrics exchange. The communication process between GSLB sites uses TCP port 3011 or 3009, so this port must be open on firewalls that are between the NetScaler appliances.
Note: You cannot configure a GSLB site IP address as the source IP address for site metrics exchange.
If the source and target sites for a MEP connection (the site that initiates a MEP connection and the site that receives the connection request, respectively) have both private and public IP addresses configured, the sites exchange MEP information by using the public IP addresses.
You can also bind monitors to check the health of remote services. When monitors are bound, metric exchange does not control the state of the remote service. If a monitor is bound to a remote service and metrics exchange is enabled, the monitor controls the health status. Binding the monitors to the remote service allows the NetScaler to interact with a non-NetScaler load balancing device. On its own, the NetScaler can monitor non-NetScaler devices but cannot perform load balancing on them; it can perform load balancing on them only if monitors are bound to all GSLB services and only static load balancing methods (such as round robin, static proximity, or hash-based methods) are used.
No Explicit Monitors (Default): MEP determines health status (default); when MEP is DOWN, all services are marked DOWN.
Key Notes:
MEP determines the status of GSLB services by default. If a monitor is bound to a GSLB service, then the monitor determines the status (not MEP).
NetScaler monitors can be used instead of, or in addition to, MEP.
• By default, MEP determines service health; a bound monitor precludes MEP health monitoring for that service when used with MEP.
• MEP is used to exchange all statistics, including service health state, related to a GSLB service. If explicit monitors are bound, the service state is the state reported by the monitor. An administrator can use the table in this slide to understand the interaction between MEP and monitors.
You can also bind monitors to check the health of remote services. When monitors are bound, metric exchange does not control the state of the remote service.
You can configure NetScaler to use monitors to evaluate services in the following situations:
• Always use monitors (default)
• Use monitors when MEP shows as DOWN
• Use monitors when remote services and MEP shows as DOWN
• You can set both the weight and the monitoring threshold at the same time that you bind the monitor.
Key Notes:
Once you create monitors, you must bind them to GSLB services. When binding monitors to the services, you can specify a weight for the monitor. After binding one or more weighted monitors, you can configure a monitor threshold for the service. This threshold takes the service down if the sum of the bound monitor weights falls below the threshold value.
When you bind a remote service to a GSLB virtual server, the GSLB sites exchange metric information, including network metric information, which is the round-trip time and persistence information.
If a metric exchange connection is momentarily lost between any of the participating sites, the remote site is marked as DOWN and load balancing is performed on the remaining sites that are UP. When metric exchange for a site is DOWN, the remote services belonging to the site are marked DOWN as well.
The NetScaler appliance periodically evaluates the state of the remote GSLB services by using either MEP or monitors that are explicitly bound to the remote services. Binding explicit monitors to local services is not required, because the state of the local GSLB service is updated by default using the MEP. However, you can bind explicit monitors to a remote service. When monitors are explicitly bound, the state of the remote service is not controlled by the metric exchange.
By default, when you bind a monitor to a remote GSLB service, the NetScaler appliance uses the state of the service reported by the monitor. However, you can configure the NetScaler appliance to use monitors to evaluate services in the following situations:
• Always use monitors (default setting).
• Use monitors when MEP is DOWN.
• Use monitors when remote services and MEP are DOWN.
The second and third of the above settings enable the NetScaler to stop monitoring when MEP is UP. For example, in a hierarchical GSLB setup, a GSLB site provides the MEP information about its child sites to its parent site. Such an intermediate site may evaluate the state of the child site as DOWN because of network
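The interaction between MEP and bound monitors described in these notes, written out as a small model. This is an added example, not Citrix code: it models the rules above (no monitor bound, so MEP decides and a lost MEP connection marks the service DOWN; monitors bound, so the monitor verdict is used according to the "use monitors" setting; a monitor threshold takes the service DOWN when the summed weight of the monitors that are UP falls below it). The enum names, the sample services and the reading of the third setting (monitors consulted whenever the MEP-derived state is DOWN, whether because the connection is lost or because MEP reports the service DOWN) are this example's assumptions.

```python
"""How an appliance derives the state of a remote GSLB service from MEP and
bound monitors. Added example, not Citrix code; see the lead-in for the
assumptions (enum names, reading of the third "use monitors" setting)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class UseMonitors(Enum):
    ALWAYS = "always use monitors (default)"
    MEP_DOWN = "use monitors when MEP is DOWN"
    REMOTE_AND_MEP_DOWN = "use monitors when remote services and MEP are DOWN"


@dataclass
class Monitor:
    name: str
    weight: int
    up: bool


@dataclass
class RemoteGslbService:
    name: str
    mep_connected: bool            # is the MEP connection to the owning site up?
    mep_reports_up: bool           # service state last reported over MEP
    monitors: List[Monitor] = field(default_factory=list)
    threshold: int = 0             # 0 = no monitor threshold configured
    use_monitors: UseMonitors = UseMonitors.ALWAYS

    def mep_state(self) -> bool:
        """State according to MEP: a lost MEP connection marks the site's
        remote services DOWN regardless of what was last reported."""
        return self.mep_connected and self.mep_reports_up

    def monitor_state(self) -> Optional[bool]:
        """State according to the bound monitors, or None if none are bound."""
        if not self.monitors:
            return None
        up_weight = sum(m.weight for m in self.monitors if m.up)
        if self.threshold > 0:
            # Threshold rule from the notes: DOWN when the weight of the
            # monitors that are UP falls below the configured threshold.
            return up_weight >= self.threshold
        # Assumption: without a threshold every bound monitor must report UP.
        return all(m.up for m in self.monitors)

    def effective_state(self) -> bool:
        """The state the appliance acts on when answering DNS queries."""
        by_monitor = self.monitor_state()
        if by_monitor is None:
            return self.mep_state()                 # no monitors: MEP decides
        if self.use_monitors is UseMonitors.ALWAYS:
            return by_monitor                       # monitor verdict wins
        if self.use_monitors is UseMonitors.MEP_DOWN:
            # Monitors replace MEP only while the MEP connection is lost
            return by_monitor if not self.mep_connected else self.mep_state()
        # REMOTE_AND_MEP_DOWN (assumed reading): MEP is trusted while it says
        # UP; a DOWN verdict from MEP is double-checked against the monitors
        return True if self.mep_state() else by_monitor


if __name__ == "__main__":
    # Constructed services illustrating each rule
    http = Monitor("http-probe", weight=10, up=True)
    tcp = Monitor("tcp-probe", weight=5, up=False)
    samples = [
        RemoteGslbService("no-monitor", True, True),
        RemoteGslbService("mep-lost", False, True),
        RemoteGslbService("threshold", True, True, [http, tcp], threshold=12),
        RemoteGslbService("mep-down-only", False, True, [http],
                          use_monitors=UseMonitors.MEP_DOWN),
    ]
    for svc in samples:
        print(f"{svc.name:15} MEP={svc.mep_state()!s:5} "
              f"monitors={svc.monitor_state()!s:5} -> {svc.effective_state()}")
```

With the threshold of 12 and only the weight-10 monitor UP, the third sample is DOWN even though MEP reports it UP; the fourth sample is UP because its MEP connection is lost and the monitor, which is consulted only in that case, passes.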
Key Notes:
Once your basic GSLB configuration is operational, you can customize it by modifying the bandwidth of a GSLB service, configuring CNAME-based GSLB services, static proximity, dynamic RTT, persistent connections, or dynamic weights for services, or changing the GSLB method.
You can also configure monitoring for GSLB services to determine their states.
These settings depend on your network deployment and the types of clients you expect to connect to your servers.
Creating CNAME-Based GSLB Services
To configure a GSLB service, you can use the IP address of the server or a canonical name of the server. If you want to run multiple services (like an FTP and a Web server, each running on different ports) from a single IP address, or run multiple HTTP services on the same port, with different names, on the same physical host, you can use canonical names (CNAMEs) for the services.
For example, you can have two entries in DNS, ftp.example.com and www.example.com, for FTP services and HTTP services on the same domain, example.com. CNAME-based GSLB services are useful in a multilevel domain resolver configuration or in multilevel domain load balancing. Configuring a CNAME-based GSLB service can also help if the IP address of the physical server is likely to change.
If you configure CNAME-based GSLB services for a GSLB domain, when a query is sent for the GSLB domain, the NetScaler appliance provides a CNAME instead of an IP address. If the A record for this CNAME record is not configured, the client must query the CNAME domain for the IP address. If the A record for this CNAME record is configured, the NetScaler provides the CNAME with the corresponding A record (IP address). The NetScaler appliance handles the final resolution of the DNS query, as determined by the GSLB method. The CNAME records can be maintained on a different NetScaler appliance or on a third-party system.
In an IP-address-based GSLB service, the state of a service is determined by the state of the server that it represents.
• supported, because the service referenced by a CNAME can be present at any third-party location.
• Multiple-IP-address response is not supported because one domain cannot have multiple CNAME entries.
• Source IP Hash and Round Robin are the only load balancing methods supported. The Static Proximity method is not supported because a CNAME is not associated with an IP address and static proximity can be maintained only according to the IP addresses.
Key Notes:
An administrator should be familiar with the following information when configuring GSLB persistence.
Site Persistence:
• Ensure LDNS requests are sent to the same site and not load balanced.
• Source IP persistence set with:
Cookie-based persistence and connection proxy:
• Allows setting of HTTP-level persistence.
• Configured on local GSLB services with the options:
  • -SitePersistence ConnectionProxy
  • -cookieTimeout <integer>
  • -CIP ENABLED <cipheader>
You can configure GSLB so that the clients coming from the branch office or any other internal network are directed to a particular GSLB site that is geographically close to the client network. For all other requests, you can use dynamic RTT.
Key Notes:
Persistence ensures that a series of client requests for a particular domain name is sent to the same data center instead of being load balanced.
Unless you configure persistence, load balancing a stateless protocol such as HTTP disrupts the maintenance of state information about client connections: different transmissions from the same client might be directed to different servers even though all of the transmissions are part of the same session. You must configure persistence on a load balancing virtual server that handles certain types of Web applications, such as shopping cart applications.
Before you can configure persistence, you need to understand the different types of persistence, how they are used, and what the implications of each type are. You then need to configure the NetScaler appliance to provide persistent connections for those Web sites and Web applications that require them.
You can also configure backup persistence, which takes effect in the event that the primary type of persistence configured for a load balancing virtual server fails. You can configure persistence groups, so that a client transmission to any virtual server in a group can be directed to a server that has received previous transmissions from the same client.
Key Notes:
When the DNS request from the resolver of the client is received by the NetScaler system, the load-balancing and site fault tolerance decision will be made based on the health status and load of the participating sites. When the host name of the URL is resolved, all traffic from the client is sent directly to the resolved site.
When the DNS request from the resolver of the client is received by the NetScaler system, the site load information is exchanged between the GSLB sites. When the host name of the URL is resolved, all traffic from the client is sent directly to the resolved site. For the GSLB methods to work as defined, either MEP should be enabled or explicit monitors should be bound to the remote services. When creating a load-balancing virtual server, GSLB methods can be configured using the add gslb vServer command in the CLI.
Least Connections:
• As the name implies, in this method the request is routed to the site with the least number of connections. Connection statistics for the configured service are exchanged between the sites through MEP. The DNS response generated by the NetScaler system contains the IP address of the site with the least number of connections. MEP must be enabled for this method to work.
• Due to external factors such as network congestion or a firewall dropping packets, if MEP fails for any of the participating sites, then the default method, round robin, is used instead of least connections. In this case, if the remote service belonging to the site for which MEP has failed has an explicit monitor bound to it and its state is UP, then it will be included in the round-robin rotation; otherwise, it will not.
Weighted Round Robin:
• Round robin is one of the simplest load-balancing methods. In this method, the request is routed to the sites based on the rotation, regardless of the load on the sites. MEP is not required for the round-robin method to work, if explicit monitoring is configured.
Least Bandwidth:
• In this method, the request is routed to the site with the least bandwidth. MEP must be enabled for this method to work as defined. MEP is used to exchange statistics corresponding to the total and current bytes transferred between the configured services. The DNS response of the NetScaler system contains the IP address of the GSLB site with the least current bandwidth, which is the site that is currently serving the least traffic in Mbps.
• Due to external factors such as network congestion or a firewall dropping packets, if MEP fails for any of the participating sites, then the default method, round robin, is used instead of least bandwidth. In this case, if the remote service belonging to the site for which MEP has failed has an explicit monitor bound to it and its state is UP, then it will be included in the round-robin rotation. Otherwise, it will not.
Least Packets:
• When this method is enabled, the NetScaler system directs the request to the site with the least packets. MEP must be enabled for this method to work as defined. Statistics corresponding to the total and current number of packets transferred for the configured service are exchanged between sites through MEP. The DNS response of the NetScaler system contains the IP address of the site with the least current packets.
• Due to external factors such as network congestion or a firewall dropping packets, if MEP fails for any of the participating sites, then the default method, round robin, is used instead of least packets. In this case, if the remote service belonging to the site for which MEP has failed has an explicit monitor bound to it and its state is UP, then it will be included in the round-robin rotation. Otherwise, it will not.
SourceIP Hash:
• The NetScaler system responds with the IP address of the site selected based on the hash of the IP address of the DNS resolver. MEP is not required for this method to work if an explicit monitor is bound.
Proximity-Based Global Server Load Balancing:
• When enabled, the proximity-based GSLB method allows the NetScaler system to make load-balancing decisions based on the proximity of the client's local DNS server (LDNS) in relation to different sites.
Key Notes:
For example, you can configure your GSLB setup to forward 80 percent of the traffic to one site and 20 percent of the traffic to another. After you do this, the NetScaler system will send four requests to the first site for each request that it sends to the second.
Weighted Round Robin:
• Round robin is one of the simplest load-balancing methods. In this method, the request is routed to the sites based on the rotation, regardless of the load on the sites. MEP is not required for the round-robin method to work, if explicit monitoring is configured.
Key Notes:
All sites that are bound as services to the GSLB virtual IP address are considered primary sites. If the site IP address is configured as the backup, then the site is considered as the backup site. If the GSLB virtual IP address is UP, the GSLB virtual server will send the DNS response with one of the primary site IP addresses as selected by the configured load-balancing policy. If all of the configured primary sites in the GSLB virtual IP address are DOWN, the authoritative domain name server (ADNS) or DNS load-balancing virtual server will send the DNS response with the backup IP address as configured in the above command. Persistence will not be honored when the backup IP address is configured.
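The behaviour described in the persistence notes, the GSLB method notes (least connections, least bandwidth, least packets with their round-robin fall-back when MEP fails, weighted round robin, source IP hash) and the backup IP notes above, combined into one toy GSLB virtual server. This is an added example, not NetScaler code: the per-site statistics that a real appliance learns over MEP are constructed numbers, the method names, addresses and SHA-256 as the source-IP hash are this example's assumptions, and the object models only what the notes state.

```python
"""Toy GSLB virtual server: persistence, load-balancing method, MEP fall-back
and backup IP. Added example, not NetScaler code; statistics and addresses
are constructed, method names and the hash function are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GslbService:
    name: str
    ip: str
    weight: int = 1
    mep_up: bool = True                  # MEP connection to the owning site
    monitor_up: Optional[bool] = None    # None = no explicit monitor bound
    connections: int = 0                 # constructed "MEP" statistics
    bandwidth_mbps: float = 0.0
    packets: int = 0

    @property
    def is_up(self) -> bool:
        # A bound monitor decides; otherwise MEP does, and MEP down means DOWN
        return self.mep_up if self.monitor_up is None else self.monitor_up


# Methods that need MEP statistics, with the statistic each one minimises
MEP_METHODS = {
    "LEASTCONNECTION": lambda s: s.connections,
    "LEASTBANDWIDTH": lambda s: s.bandwidth_mbps,
    "LEASTPACKETS": lambda s: s.packets,
}


class GslbVserver:
    def __init__(self, services: List[GslbService], method: str,
                 backup_ip: Optional[str] = None, persistence_timeout: float = 0):
        self.services = services
        self.method = method
        self.backup_ip = backup_ip
        self.persistence_timeout = persistence_timeout  # seconds, 0 = none
        self._persist: Dict[str, Tuple[str, float]] = {}  # ldns -> (ip, expiry)
        self._rr_index = 0

    def resolve(self, ldns_ip: str, now: float = 0.0) -> Optional[str]:
        """IP address the DNS answer carries for a query from ldns_ip."""
        up = [s for s in self.services if s.is_up]
        if not up:
            # All primary sites DOWN: answer with the backup IP, no persistence
            return self.backup_ip

        if self.persistence_timeout:
            entry = self._persist.get(ldns_ip)
            if entry and entry[1] > now and any(s.ip == entry[0] for s in up):
                return entry[0]          # same LDNS, same site, while valid

        method = self.method
        if method in MEP_METHODS and any(not s.mep_up for s in self.services):
            method = "ROUNDROBIN"        # MEP lost to a site: fall back to round robin

        if method in MEP_METHODS:
            chosen = min(up, key=MEP_METHODS[method])
        elif method == "SOURCEIPHASH":
            # Hash of the resolver address picks the site (SHA-256 is a stand-in)
            digest = hashlib.sha256(ldns_ip.encode()).digest()
            chosen = up[int.from_bytes(digest[:4], "big") % len(up)]
        else:  # ROUNDROBIN, honouring weights: 4 and 1 give a 4:1 answer ratio
            rotation = [s for s in up for _ in range(max(1, s.weight))]
            chosen = rotation[self._rr_index % len(rotation)]
            self._rr_index += 1

        if self.persistence_timeout:
            self._persist[ldns_ip] = (chosen.ip, now + self.persistence_timeout)
        return chosen.ip


if __name__ == "__main__":
    east = GslbService("east", "198.51.100.10", weight=4, connections=50)
    west = GslbService("west", "203.0.113.10", weight=1, connections=10)
    vs = GslbVserver([east, west], "LEASTCONNECTION", backup_ip="192.0.2.200")
    print("least connections:", vs.resolve("192.0.2.53"))
    west.mep_up = False                  # MEP to west lost, no monitor bound
    print("MEP lost, no monitor:", vs.resolve("192.0.2.53"))
    west.monitor_up = True               # explicit monitor says UP: back in rotation
    print("MEP lost, monitor UP:", [vs.resolve("192.0.2.53") for _ in range(5)])
    east.mep_up = False
    print("everything DOWN:", vs.resolve("192.0.2.53"))
```

Two details worth noticing when running it: with MEP lost to one site, the least-connections choice silently becomes weighted round robin, so the 50-connection site starts receiving answers again; and the backup IP is returned without consulting or updating the persistence table, matching the last sentence of the notes.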
On all NetScalers that are part of the GSLB configuration, perform the steps shown:
1. Enable the GSLB feature:
2. Configure DNS:
add dns nameserver <IP> -local
Key Notes:
A GSLB policy can be used to implement site affinity by directing traffic from an IP address or network of an LDNS resolver to a predefined target site. GSLB policies operate on a static and custom IP address-based location database. Incoming request attributes are evaluated in an expression and the target site is designated as part of the action.
The following considerations apply when using site affinity:
• Can use the wildcard * to define more than one location
• Applies globally in GSLB
• Has a limit of 64 policies
Key Notes:
Methods to measure RTT:
• PING: ICMP Echo Request or Reply.
  • If there is a reply to the ping request, then the appliance calculates the RTT.
  • If the ICMP reply mechanism is turned off at any of the intermediate routers or at the LDNS, then on timeout try to send a DNS query.
  • For RTT calculation, the ICMP request is initiated from the GSLB SNIP.
• DNS: Query or Response.
  • If there is a response to the DNS query, then the appliance calculates the RTT.
  • If the DNS response is for a specific set of client IP addresses or DNS queries are not answered, then on timeout try to send a TCP request.
• TCP: Synchronize (SYN) to a higher-order port.
  • If there is a SYN+ACK, RST, or FIN response, then the appliance calculates the RTT.
  • If there is no response, then send a ping request again.
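The fall-back chain listed above (ICMP, then DNS, then TCP, then a ping again), as an added example that is not Citrix code. ICMP echo needs raw sockets and a DNS probe needs a live resolver, so each probe is injected as a callable that takes the LDNS address and returns the RTT in milliseconds or None on timeout; the probes used in the demonstration are constructed stand-ins. tcp_connect_probe is a real probe that needs no raw sockets: a completed connect (SYN+ACK) and a refused connect (RST) both yield a round trip, and a timeout yields None. The port, the timeout and the two-cycle limit are this example's choices.

```python
"""RTT measurement chain for the dynamic RTT GSLB method (icmp -> dns -> tcp,
then ping again). Added example, not Citrix code; probe callables are injected
so the logic runs offline. Port, timeout and cycle count are assumptions."""
import socket
import time
from typing import Callable, Dict, Optional, Tuple

Probe = Callable[[str], Optional[float]]        # LDNS address -> RTT ms or None

# Order from the notes: ping, then a DNS query, then a TCP SYN, then ping again
PROBE_ORDER = ("icmp", "dns", "tcp")


def tcp_connect_probe(port: int = 3333, timeout: float = 1.0) -> Probe:
    """Real TCP probe to a higher-order port. SYN+ACK (connect succeeds) and
    RST (connection refused) both count as a reply; no reply -> None."""
    def probe(host: str) -> Optional[float]:
        start = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass                              # SYN+ACK: the host answered
        except ConnectionRefusedError:
            pass                                  # RST: the host answered
        except OSError:
            return None                           # timeout / unreachable
        return (time.monotonic() - start) * 1000.0
    return probe


def measure_rtt(ldns_ip: str, probes: Dict[str, Probe],
                max_cycles: int = 2) -> Optional[Tuple[str, float]]:
    """Walk icmp -> dns -> tcp; when nothing replies start again with a ping,
    for up to max_cycles passes. Returns (method, rtt_ms), or None."""
    for _ in range(max_cycles):
        for method in PROBE_ORDER:
            rtt = probes[method](ldns_ip)
            if rtt is not None:
                return method, rtt
    return None


def closest_site(ldns_ip: str,
                 site_probes: Dict[str, Dict[str, Probe]]) -> Optional[str]:
    """Dynamic RTT decision: every GSLB site measures its own RTT to the LDNS
    (shared over MEP in a real setup); the site with the lowest RTT wins."""
    measured = {}
    for site, probes in site_probes.items():
        result = measure_rtt(ldns_ip, probes)
        if result is not None:
            measured[site] = result[1]
    return min(measured, key=measured.get) if measured else None


def constant(rtt: Optional[float]) -> Probe:
    """Constructed stand-in that always returns the same RTT (None = timeout)."""
    return lambda host: rtt


def answers_after(misses: int, rtt: float) -> Probe:
    """Constructed stand-in that times out `misses` times, then replies."""
    calls = {"n": 0}

    def probe(host: str) -> Optional[float]:
        calls["n"] += 1
        return rtt if calls["n"] > misses else None
    return probe


if __name__ == "__main__":
    ldns = "192.0.2.53"                            # constructed LDNS address
    sites = {
        # ICMP filtered, DNS answers
        "east": {"icmp": constant(None), "dns": constant(40.0), "tcp": constant(5.0)},
        # ICMP answers straight away
        "west": {"icmp": constant(20.0), "dns": constant(None), "tcp": constant(None)},
        # nothing answers until the second ping
        "south": {"icmp": answers_after(1, 9.0), "dns": constant(None), "tcp": constant(None)},
    }
    for name, probes in sites.items():
        print(name, measure_rtt(ldns, probes))
    print("closest:", closest_site(ldns, sites))
```

The "south" site shows the repeat at the end of the list: its first pass gets no reply from any probe, and the second pass starts with a ping that succeeds. Replace one of the constant stand-ins with tcp_connect_probe() to time a real host.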
Key Notes:
When enabled, the proximity-based GSLB method allows the NetScaler system to make load-balancing decisions based on the proximity of the client's local DNS server (LDNS) in relation to different sites. Proximity can be measured both statically and dynamically. The dynamic determination of proximity is based on the current network status, while the static determination of proximity is based on the geographic location of the client's LDNS and the sites the client is accessing.
The main benefit of the proximity-based GSLB method is faster response time resulting from the selection of the closest available site.
The two proximity load-balancing methods are:
• Dynamic Network Proximity/Round Trip Time (RTT)
  • Determine the site to send the client to based on the proximity of the client's local DNS (LDNS) to the various sites.
  • Gauged by RTT to the LDNS host.
• Static Proximity
  • Determine the site to direct the client to based on proximity to geographic locations in a static location database.
  • Use location commands in configuring and populating the location database.
  • The default location of the database file on the appliance is /var/netscaler/locdb.
To add a static location file by using the Configuration Utility:
• Navigate to AppExpert > Location, and click the Static Database tab.
• Click Add to add a static location file.
Key Notes:
• Static Proximity
  • Determine the site to direct the client to based on proximity to geographic locations in a static location database.
  • Use location commands in configuring and populating the location database.
Run the following command from the command-line interface of the appliance to add a static location file:
add locationfile <locationFileName> -format <LocationFormat>
Note: Refer to the ICG for supported formats.
Run the following command to ensure that the location database is loaded:
show locationparameter
This command displays parameters such as the number of static entries, and error messages if the database is not loaded correctly. A maximum of 3M-1 (3 million minus one) entries can be loaded.
Run the following command to view the location of the GSLB site:
show gslb service
Notes:
If the database is loaded correctly, the locations of the GSLB sites are automatically populated from the database.
At any point in time, only one location file can be specified in the configuration on the appliance.
Additional Resources:
Citrix Product Documentation on How to Configure Static Proximity: http://docs.citrix.com/en-us/netscaler/12/global-server-load-balancing/configuring-static-proximity.html
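The static proximity mechanics described in these notes, as an added example that is not NetScaler code and does not use the appliance's location-file format (the notes defer the supported formats to the ICG). It shows what the database does: the LDNS address is looked up in a static table of IP ranges mapped to locations, each GSLB site has a location, and the site that agrees with the client's location on the most qualifiers is chosen. The dotted "continent.country.region.city" qualifier order, the "*" wildcard (borrowed from the site-affinity notes) and all sample ranges and sites are this example's assumptions. A sorted range table searched with bisect is also how a database of up to three million entries stays quick to query.

```python
"""Static proximity over a constructed location database. Added example, not
NetScaler code and not the appliance's file format; qualifier order, wildcard
handling and sample data are assumptions."""
import bisect
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed entries: (first address, last address, location qualifiers)
LOCATION_DB = [
    ("198.51.100.0", "198.51.100.255", "NA.US.CA.SanJose"),
    ("203.0.113.0", "203.0.113.127", "EU.DE.BY.Munich"),
    ("203.0.113.128", "203.0.113.255", "EU.DE.NW.Cologne"),
]


class StaticLocationDb:
    """Sorted, non-overlapping IP ranges; lookup is a binary search."""

    def __init__(self, entries: Iterable[Tuple[str, str, str]]):
        rows = sorted(
            (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)), loc)
            for lo, hi, loc in entries
        )
        for (_, prev_hi, _), (lo, _, _) in zip(rows, rows[1:]):
            if lo <= prev_hi:
                raise ValueError("overlapping ranges in location database")
        self._starts = [lo for lo, _, _ in rows]
        self._rows = rows

    def lookup(self, ip: str) -> Optional[str]:
        """Location of ip, or None when no range covers it."""
        n = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and self._rows[i][0] <= n <= self._rows[i][1]:
            return self._rows[i][2]
        return None

    def __len__(self) -> int:
        return len(self._rows)


def qualifier_match(client_loc: str, site_loc: str) -> int:
    """Number of leading qualifiers that agree; '*' in the site location
    matches any value (assumed wildcard semantics)."""
    score = 0
    for c, s in zip(client_loc.split("."), site_loc.split(".")):
        if s != "*" and c != s:
            break
        score += 1
    return score


def static_proximity(ldns_ip: str, db: StaticLocationDb,
                     sites: Dict[str, str]) -> Optional[str]:
    """Pick the GSLB site closest to the LDNS. sites maps site name to its
    location. Returns None when the LDNS address is not in the database, the
    case in which static proximity has no information to decide on."""
    client_loc = db.lookup(ldns_ip)
    if client_loc is None:
        return None
    best_site, best_score = None, -1
    for site, loc in sites.items():             # first site wins a tie
        score = qualifier_match(client_loc, loc)
        if score > best_score:
            best_site, best_score = site, score
    return best_site


if __name__ == "__main__":
    db = StaticLocationDb(LOCATION_DB)
    sites = {"us-west": "NA.US.CA.SanJose", "de-south": "EU.DE.BY.Munich"}
    for ldns in ("203.0.113.200", "198.51.100.77", "192.0.2.1"):
        print(ldns, db.lookup(ldns), "->", static_proximity(ldns, db, sites))
```

An LDNS in Cologne matches the Munich site on continent and country (two qualifiers) and the San Jose site on none, so it is sent to de-south; an address outside every range returns None, which is the point at which a configuration would have to rely on another method.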
Weights for OR
• Enhancement:
  • A single backup VServer can now act as a backup VServer for multiple GSLB VServers.
  • A backup VServer will take traffic for all the primary VServers which go down or spill over.
Additional Resources:
GSLB Load Balancing: https://www.citrix.com/blogs/2015/08/25/global-server-load-balancing-part-1-2/
https://support.citrix.com/article/CTX123792
https://support.citrix.com/article/CTX128999
https://support.citrix.com/article/CTX130163
NetScaler Traffic Management
NetScaler Clustering
CNS-219-2I
Version 1.0
Key Notes:
This is an additional module included for Self Study.
Key Notes:
A NetScaler cluster can include as few as two or as many as 32 NetScaler hardware or virtual appliances.
Benefits of Clustering
When implementing clustering, you can:
• Increase efficiency by using idle resources. This immediately addresses any scalability requirements.
• Add capacity as needed to satisfy any throughput requirements by scaling out to 32 units acting as a single logical appliance.
• Simplify administration.
• Eliminate downtime by providing a highly fault-tolerant alternative to an HA pair.
• Ensure there is no network downtime.
Configuration
other nodes.
Key Notes:
When a new cluster is defined, a new IP address is used for managing the cluster. This IP address is owned by the CCO (cluster coordinator node), which is responsible for replicating the configuration to all the cluster nodes.
If, at any point, any node in the cluster becomes out of sync with the latest cluster configuration, a configuration synchronization module running on each node will ensure the configuration is the same on all nodes.
Additionally, a file synchronization module running on each node replicates certificates, CRLs, and so on to all cluster nodes.
The election criteria for the CCO have many decision points, and the algorithm keeps running in the background to figure out the best node; thus, even without a complete node failure, there can be changes in the CCO. It looks at interface statistics, SSL card statistics, and many similar points to make the decision.
Figure: NetScaler Cluster (interfaces 1/1, 1/2, 1/4)
Key Notes:
To identify the node to which an interface belongs, the standard NetScaler interface-naming convention is prefixed with a node ID. That is, the interface identifier c/u, where c is the controller number and u is the unit number, becomes n/c/u, where n is the node ID.
Figure: Admin access to the NetScaler Cluster through the Cluster IP Address
Key Notes:
One important concept is the cluster backplane, where the nodes communicate with each other. This should have a dedicated interface on each node and a dedicated switch.
Figure: Back Plane
• These identify the relevant information that is passed between clients, servers, and nodes in the cluster.
Key Notes:
There are four logical traffic flows in a cluster system that identify the relevant information that is passed between clients, servers, and nodes in the cluster. The control plane, client data plane, and server data plane can be shared; the back plane should not be.
Client Data Plane - Carries traffic to/from the clients to the cluster.
Server Data Plane - Carries traffic to/from real servers to the cluster.
Cluster Back Plane - Carries inter-node message passing and inter-node forwarding traffic. Should be on a dedicated switch and interfaces.
Control Plane - Carries configuration and control traffic from the admin/user to the cluster.
Entities Within a Cluster:
• Spotted config: active on a single node
• Striped config: active on multiple nodes
  • Fully striped (all nodes)
  • Partially striped (subset of nodes which belong to a node group)
In a clustered deployment, VIP, MIP, and SNIP addresses can be striped or spotted.
NetScaler-Owned IP Address | Striped IP Address | Spotted IP Address
NSIP | No | Yes (Read-Only)
VIP | Yes | No
Key Notes:
In a clustered deployment, VIP, MIP, and SNIP addresses can be striped or spotted.
Striped IP addresses are active on all nodes of the cluster.
Spotted IP addresses are active on and owned exclusively by one node.
Figure: SNIP 10.102.29.100; VIP 10.102.29.66 on each of the three nodes
Key Notes:
By default, all newly created entities in a cluster are striped when they are defined on a CLIP.
If you would like an entity to be "partially striped", bind it to a node group; you bind to a node group by binding to a single node that is a member of that group.
Using the "-ownerNode" switch designates an entity as spotted.
Note: You cannot change the ownership of a spotted SNIP address at run time. To change the ownership, you must first delete the SNIP address and add it again by specifying the new owner.
Key Notes:
The Distributed Flow Distributor controls how traffic flows in a cluster system. Whenever the operational view of the system changes (a node goes online or offline), all the connections that are served by the cluster entity are affected. In order to guarantee even traffic distribution among the nodes, the distributed flow distributor module uniformly controls how traffic flows to each node.
Interface Manager (external traffic distribution)
The Interface Manager deals with how traffic is distributed by the external router/switch to the cluster. Three approaches:
• ECMP
• Link Aggregation
• Link Sets
Flow Distributor (internal traffic distribution)
The node which receives the traffic finds out the flow processor for the traffic and internally steers the traffic to the flow processor.
The flow processor is determined as follows:
• Compute hash h on the 4-tuple for TCP/UDP, 2-tuple for other IP
• Flow Processor = prl_first(V, h)
• Steer the packet to the flow processor
Flow Distributor / Flow Receiver (FR)
• Determines the FP and steers the packet to the FP.
Flow processor (FP)
• Spotted entity: processing set is a single node. FP = node in processing set.
• Striped entity: processing set = multiple nodes. A hash is computed on the packet parameters and an ACTIVE node from the processing set is selected as FP based on the hash. A global RSS key is synchronized across all the nodes to compute a consistent hash.
• ACLs are applied at the FP.
Flow Processor
• The node which finally processes the traffic is called the flow processor.
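The flow receiver's choice of flow processor, as described in the notes above, written out as an added example that is not Citrix code. The receiving node hashes the packet's 4-tuple for TCP/UDP (2-tuple for other IP traffic) with the global RSS key every node shares and selects an ACTIVE node of the entity's processing set: one node for a spotted entity, several for a striped one. prl_first(V, h) is not defined on the page, so it is modelled here as indexing the ordered list of ACTIVE processing-set nodes with the hash; HMAC-SHA256 stands in for the appliance's RSS hash, and node IDs, addresses and the key are constructed. All of those are this example's assumptions.

```python
"""Flow receiver -> flow processor selection in a NetScaler cluster. Added
example, not Citrix code; prl_first is modelled as hash-indexed selection
among ACTIVE processing-set nodes, HMAC-SHA256 stands in for the RSS hash."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Set


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str               # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Entity:
    name: str
    processing_set: Sequence[int]    # node IDs; a single node means spotted

    @property
    def spotted(self) -> bool:
        return len(self.processing_set) == 1


def flow_hash(pkt: Packet, rss_key: bytes) -> int:
    """Keyed hash over the 4-tuple (TCP/UDP) or the 2-tuple (other IP).
    Every node holds the same key, so every receiver gets the same value."""
    if pkt.proto in ("tcp", "udp"):
        fields = (pkt.src_ip, pkt.dst_ip, pkt.proto,
                  str(pkt.src_port), str(pkt.dst_port))
    else:
        fields = (pkt.src_ip, pkt.dst_ip)
    mac = hmac.new(rss_key, "|".join(fields).encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def flow_processor(pkt: Packet, entity: Entity, active_nodes: Set[int],
                   rss_key: bytes) -> Optional[int]:
    """Node that processes pkt for entity, or None when no processing-set
    node is ACTIVE (the entity is unreachable on this cluster right now)."""
    candidates = [n for n in entity.processing_set if n in active_nodes]
    if not candidates:
        return None
    if entity.spotted:
        return candidates[0]             # spotted: the owner, no hashing needed
    return candidates[flow_hash(pkt, rss_key) % len(candidates)]


def distribution(packets: Iterable[Packet], entity: Entity,
                 active_nodes: Set[int], rss_key: bytes) -> Dict[int, int]:
    """How many of the given flows each node would process."""
    return dict(Counter(flow_processor(p, entity, active_nodes, rss_key)
                        for p in packets))


if __name__ == "__main__":
    key = b"constructed-shared-rss-key"
    vip = Entity("striped-vip 10.102.29.66", (0, 1, 2, 3))
    snip = Entity("spotted-snip 10.102.29.100", (2,))
    flows = [Packet(f"192.0.2.{i}", "10.102.29.66", "tcp", 40000 + i, 443)
             for i in range(1, 41)]
    all_nodes = {0, 1, 2, 3}
    print("all nodes active:", distribution(flows, vip, all_nodes, key))
    print("node 1 offline:  ", distribution(flows, vip, all_nodes - {1}, key))
    print("spotted SNIP:    ", distribution(flows, snip, all_nodes, key))
    print("owner offline:   ", distribution(flows, snip, all_nodes - {2}, key))
```

Running it shows the two operational points from the notes: when the active set changes, flows are re-hashed over the remaining nodes, so existing connections on the departed node are the ones that suffer; and a spotted entity has no such fall-back, because its processing set has exactly one member.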
Key Notes:
The Cluster Interface Manager is responsible for distributing incoming traffic flows. This can be achieved using different mechanisms:
• ECMP: Equal Cost Multipath Routing - requires upstream router configuration
• CLAG: Cluster Link Aggregation Channels - requires upstream switch configuration
• Link Set
Key Notes:
When a node is removed from the cluster, the cluster configurations are cleared from the node (by
configurations (except the default VLAN and NSVLAN) are also cleared from the appliance.
If the deleted node was the cluster configuration coordinator, another node is automatically selected as the cluster configuration coordinator, and the cluster IP address is assigned to that node. All the current cluster IP address sessions will be invalid and you will have to start a new session.
To delete the whole cluster, you must remove each node individually. When you remove the last node, the cluster IP addresses are deleted.
When an active node is removed, the traffic-serving capability of the cluster is reduced by one node. Existing connections on this node are terminated.
Key Notes:
All nodes have their own independent set of counters and logs, which reside on each node. Aggregation is only done on demand, for instance when issuing a stat command.
Additional Resources:
Clustering Guide: https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/citrix_netscaler_clustering_guide_v2.pdf
Using Clustering: https://docs.citrix.com/en-us/netscaler-gateway/12/clustering.html
Creating a NetScaler Cluster: http://docs.citrix.com/en-us/netscaler/12/clustering/cluster-setup/cluster-create.html
Prerequisites for Cluster Nodes: http://docs.citrix.com/en-us/netscaler/12/clustering/cluster-prerequisites.html