CNS 220 2I en StudentManual 4 5 Days v01

•
CITRIX®
•
N
ot
Education
fo
rr
es
al
CNS-220-2I:
e
Citrix NetScaler 12.x Essentials and

or
Traffic Management (4-5 Day)

d is
t
rib
ut
io
n
Contents
Module 0 - Course Overview..........................................................................................................1
Module 1 - Classic Policies...........................................................................................................15
Policy Overview................................................................................................................17
Content Filtering...............................................................................................................40
Module 2 - AppExpert Default Policies.........................................................................................49
Default Policy Overview....................................................................................................51
Default Expression Syntax................................................................................................58
Policy Bindings.................................................................................................................67
AppExpert Additional Features.........................................................................................80
Module 3 - Rewrite, Responder and URL Transform.................................................................103
N
Rewrite............................................................................................................................105
ot
Responder......................................................................................................................122
fo
DNS Rewrite and Responder.........................................................................................137

rr
URL Transform...............................................................................................................144
Module 4 - Content Switching.....................................................................................................149
es
Content Switching...........................................................................................................151
al
Content-Switching Configuration....................................................................................160
e
Module 5 - Secure Web Gateway...............................................................................................175

Secure Web Gateway.....................................................................................................177
or
Module 6 - Global Server Load Balancing..................................................................................193

d
GSLB DNS Concepts.....................................................................................................196

is
GSLB Concepts and Architecture...................................................................................208

t rib
Content-Switching GSLB................................................................................................222
GSLB MEP and Monitoring.............................................................................................226
ut
Customizing GSLB.........................................................................................................236
io
Module 7 - NetScaler Clustering.................................................................................................263

n
NetScaler Clustering.......................................................................................................265
NetScaler Cluster Configuration.....................................................................................278
•
CITRIX
•
Citrix NetScaler Traffic

Management
Course Overview
N
CNS-219-2i
ot
Version: 1
Lab Guide: v1
fo
rr
es
al
e
or
d is
t
rib
ut
io
n
1 © 2017 Citrix Authorized Content

•
CITRIX
•
• Identify the hardware and software components of a
NetScaler.
• Perform initial setup and configuration .
• Describe basic networking , IP address types , VLANs ,
static routes and ACLs.
Learning • Set up and configure a high-availability pair.
Objectives • Configure basic load balancing and SSL .
• Secure the NetScaler with RBA and Ad min Partitions .
• Understand management, mon itoring and
troubleshooting.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Introduce yourself to the class .
Include the following information:
• Name and company
• Job title
Student
Introductions • Job responsibility
• Networking and virtualization experience
• Citrix hardware and software experience
• Class expectations
N
ot
fo
rr
es
al
e
or
d
is
t rib
ut
io
n

•
CITRIX
•
Review:
• Parking and transportation information
Facilities • Class policies
• Break and lunch schedules
• Emergency contact information
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• Knowledge of TCP/IP, HTTP, and of the OSI model.
• Experience with network devices , networking
protocols, and aspects of application and site
architecture.
• Moderate exposure to UNIX or Linux.
Course • Exposure to basic systems administration concepts ,

including logging , software upgrade procedures , and
Prerequisites high-availability operations.
• Familiarity with web server software.
• Knowledge of network security threats and the site
protection concept.
• An understanding of basic concepts related to server
N
load balancing.
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Module 1: Classic Policies
Day One
Course Outline • Module 2: Default Policies
• Module 3: Rewrite, Responder, and URL Transform

N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Module 4: Content Switching
Day Two • Module 5: Optimization
Course Outline
• Module 6: GSLB
• Module 7: Clustering (Optional Self Study)

N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
local
110004
....... , r:::...·· ··· ···

=0omlin eor.ea....
Lab 1---+----,
: .: : :::::::::::::: I.OAP
................
:- :
•....• r• ••• ••• ••••• •,
Requirements SIUOentOeslelop
(LanOong VM)
: :::::::::::::: MyS<l.
:- :
.................
• Check connectivity to •............. ,
the environment and
HA Pat
~::-......... ,;
::::........... : WebS--
report any issues. .................
.............,
.. .. .. ... . . . .. , 4
:- :.
• All lab environment

details are also
provided in the lab ::::........ ... : Web~
guide. •• ••• ••• • • • •• , 4
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Visit http://training.citrix.com/checklist to learn how to:
• Access your student materials
• Use eCourseware features
• Access your labs
Student
• Redeem an exam voucher
Resource
• Complete the course survey
Checklist
Have more questions?
Browse our FAQ at:
http://training.citrix.com/cms/ed ucation/faq
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• You can download , save, and print electronic
courseware.
Printing • Follow these steps to print to a PDF file :
- Student Resources > Courseware > Student Manual > Launch
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
... (
cmpc - 0
Education
Classroom
Support
How do I open a
Classroom Support ticket?
---- --a..--
------....-
__ -----
.. ..
....,._____ __
...... . ....~-
~ ~ ==:.:::.--
-
o,, ___ c-.....
-~-- -.:.t0,0-...... --·-----
~ .,
0 Cl
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Citrix Measures your Feedback with NPS
How is Net Promoter Score Calculated?
How likely is it you would recommend Citrix Courses to a friend? Not at all
Extremely
Likely Likely
Promoter Passive Detractor

N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Connect with Citrix Education
Facebook Twitter Linkedln

Become a fan of Citrix Services Follow @citrixservices Join the Citrix Education group
Visit http://training.citrix.com to find more information on training, certifications, and exams .

N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
1,;l Help shape the next course.
Looking ahead -
End of
Course Survey . , . Tell us what you liked!
Your opinion matters!
Oo
0
What can we do better?
N
ot
fo
rr
es
al
e
or
d
is
t
rib
ut
io
n

•
CITRIX
•
•
CITRIX
•
NetScaler Traffic
Management
Classic Policies
N
CNS..219-2i
ot
Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Discuss the basics of the NetScaler classic policy
engine.
Learning
• Describe the NetScaler content-filtering feature and
Objectives how to configure it.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Policy Overview
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Policies contro l how a feature evaluates data and then
determines what to do with it.
Policies • A policy uses a logical expression , also called a rule ,
to evaluate requests , responses , or other data , and
applies one or more actions determ ined by the
outcome of the evaluation .
N
ot
fo
rr
Key Notes:
es
Policies control how a feature evaluates data, which ultimately determines what the feature does with the
al
data. A policy uses a logical expression, also called a rule, to evaluate requests, responses, or other data,
e
and applies one or more actions determined by the outcome of the evaluation. Alternatively, a policy can
or
apply a profile, which defines a complex action.
Some NetScaler features use default syntax policies, which provide greater capabilities than do the older,
d is
classic policies. If you migrated to a newer release of the NetScaler software and have configured classic
t
policies for features that now use default syntax policies, you might have to manually migrate policies to
rib
the default syntax.
ut
Basic Components of a Classic or Default Syntax Policy:
io
• Name.
n
• Each policy has a unique name.
• Rule.
• The rule is a logical expression that enables the NetScaler feature to evaluate a piece of traffic or
another object. For example, a rule can enable the NetScaler to determine whether an HTTP
request originated from a particular IP address, or whether a Cache‐Control header in an HTTP
request has the value “No‐Cache.”
• Default syntax policies can use all of the expressions that are available in a classic policy, with the
exception of classic expressions for the SSL VPN client. In addition, default syntax policies enable
you to configure more complex expressions.
• Bindings.
• To ensure that the NetScaler can invoke a policy when it is needed, you associate the policy, or
bind it, to one or more bind points. You can bind a policy globally or to a virtual server.

•
CITRIX
•
• An associated action.
• An action is a separate entity from a policy. Policy evaluation ultimately results in
the NetScaler performing an action. For example, a policy in the integrated cache can
identify HTTP requests for .gif or .jpeg files. An action that you associate with this policy
determines that the responses to these types of requests are served from the cache.
Additional Resources:
• How Different NetScaler Features Use Policies
http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐expressions/ns‐pi‐intro‐
pol‐exp‐wrapper‐con/ns‐pi‐adv‐class‐pol‐con.html
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n
18 © 2017 Citrix Authorized Content •

CITRIX
•
The NetScaler supports two types of policy engines:
• Classic - evaluated on basic characteristics of traffic
and other data.
• Default (Advanced) - performs the same evaluations
as classic policies, and in addition can enable the
analysis of more data.
N
ot
fo
rr
Key Notes:
es
Both classic and default policies derive their ability to control the NetScaler’s behavior from the evaluation
al
of a logical expression, or rule, in the policy. The NetScaler evaluates requests, responses, or other data
e
based on the rule and takes one or more actions based on the outcome of the evaluation.
or
Policy expression engines include:
d
• Classic policy expression engine
is
• Policy Infrastructure engine
t rib
Expression languages include:
ut
• Classic policy
io
• Advanced policy
n

•
CITRIX
•
• A policy consists of an expression to identify the traffic
Classic and an action associated with the expression.
Policies • Expression language can be used across any feature
that supports classic policy engine.
• Actions are feature specific .
N
ot
fo
rr
Key Notes:
es
Classic policies are evaluated according to bind points and priority level.
al
Classic policies evaluate basic characteristics of traffic and other data. For example, classic policies can
e
identify whether an HTTP request or response contains a particular type of header or URL.
or
The Classic Expressions are being deprecated after NetScaler 12.0
d is
t rib
ut
io
n

•
CITRIX
•
Classic policies always begin by specifying the flow
type , which makes them easy to identify.
Classic
The flow type is REQ for incoming connections and
Policies RES for outgoing connections.
Cont. Below are protocols that classic policies support:
• HTTP
• TCP
• IP
• SSL
N
ot
fo
rr
Key Notes:
es
Flow is always in the first position of a classic policy expression. For example, REQ.HTTP or RES.IP
al
For Classic policies, policy groups and policies within a group are evaluated in a particular order, depending
e
on the following:
or
• 1. The bind point for the policy, for example at request time, the NetScaler evaluates all request‐
d
time classic policies before evaluating any virtual server‐specific policies.
is
• 2. The priority level for the policy, for each point in the evaluation process, a priority level
t rib
assigned to a policy determines the order of evaluation relative to other policies that share the
same bind point.
ut
io
n

•
CITRIX
•
• Expressions can be named or inline:
• Named expressions are reusable pieces of logic.
• lnline expressions are defined inline when the policy is created .
Expression • Expressions on a NetScaler system:
Structures • Can be simple or compound
• Consist of a name, qualifier, and operator
• Expressions on a NetScaler system can be viewed

and configured using the :
• Configuration Utility
. cu
N
ot
fo
rr
Key Notes:
es
Named expressions are saved reusable pieces of logic. If you think you will need the same piece of logic in
al
multiple features, you can create a named expression and use it in policies across features.
e
Named Expressions are named logical statements.
or
Expressions are applied to content that enters the system.
d
Named expressions are created once, and can then be referenced a number of times by different feature
is
sets in the Citrix NetScaler. Decreasing administrative overhead for policy expressions. For example you
t rib
write an expression to identify ASP pages, you then use this expression in both a compression policy (to
compress the pages) and a content switching policy (to direct the connection to the correct servers).
ut
Even if expressions are written inline, the same syntax to define the expression can be used across different
io
feature sets, simplifying the use of the NetScaler appliance.
n
Configuring Classic Polices and Expressions: http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐
and‐expressions.html
You can also download a list of all the expressions supported on a legacy NetScaler appliance and the
hierarchical order in which they can be invoked. The reference is in a zip file which you can download from:
• For NetScaler 10.5: http://support.citrix.com/article/CTX141344
• For NetScaler 10.1: http://support.citrix.com/article/CTX137705

•
CITRIX
•
Qualifiers, Operators, and Expression Values
Flow Type Protocol Qualifier Operator Value

1.
REQ.HTTP.HEADER Host CONTAINS Citrix
2. REQ.TCP.DESTPORT == 80
• Qualifiers specify what the policy examines.

• Operators determine how the qualifier will be examined.
N
ot
• A qualifier is compared with the expression value , which can be literal text, a
substring of text, or a numeric value .
fo
rr
Key Notes:
es
An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—
al
that manipulates one or more objects, or operands. The first section in this topic defines the operators you
e
can use and provides a definition. The second section lists the operators you can use with specific
or
qualifiers, such as method, URL and query.
Operators:
d is
• ==
t rib
• Boolean.
• Returns TRUE if the current expression equals the argument. For text operations, the items being
ut
compared must exactly match one another. For numeric operations, the items must evaluate to the
io
same number.
n
• !=
• Boolean.
• Returns TRUE if the current expression does not equal the argument. For text operations, the items
being compared must not exactly match one another. For numeric operations, the items must not
evaluate to the same number.
• CONTAINS
• Boolean.
• Returns TRUE if the current expression contains the string that is designated in the argument.
• NOTCONTAINS
• Boolean.
• Returns TRUE if the current expression does not contain the string that is designated in the argument.

•
CITRIX
•
• CONTENTS
• Text.
• Returns the contents of the current expression.
• EXISTS
• Boolean.
• Returns TRUE if the item designated by the current expression exists.
• NOTEXISTS
• Boolean.
• Returns TRUE if the item designated by the current expression does not exist.
• >
• Boolean.
N
• Returns TRUE if the current expression evaluates to a number that is greater than the
ot
argument.
fo
• <
rr
• Boolean.
• Returns TRUE if the current expression evaluates to a number that is less than the
es
argument.
al
• >=
e
• Boolean.
or
• Returns TRUE if the current expression evaluates to a number that is greater than or
d
equal to the argument.
is
• <=
t rib
• Boolean.
• Returns TRUE if the current expression evaluates to a number that is less than or equal
ut
to the argument.
io
n

CITRIX
•
Classic Policy Protocols
• Classic policies can operate on the following protocols:
• Source Port
IP
II source IP
TCP • Destination Port - Destination IP
. MSS
. Method
- Client Cert
. URL
Client Cert- Subject, Issuer, SigAlgo
. URLTokens
SSL
•
Client Cert- Version, Validity . Version
N
Client Cipher - Type, Bits . Header

ot
Client SSL Version • URL- Length. Query, Query Length

;-
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
When might you use a named expression in your
environment, instead of writing your expression inline?
N
ot
fo
rr
Key Notes:
es
If you are not going to reuse the logic, then just write it inline, but if you know it is something you might
al
reuse, then a named expression saves time and trouble.
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• HTTP
• Request-Response based protocolApplication-level protocol for
distributed , collaborative, hypermedia information systems.
HTTP • Request/Response Based Data Transfer [MIME Like]

• Inherently Stateless protocol.
r.:-:1 • With HTTP 1.1 Cookies are used for storing session information .
~
• HTTPS implements encryption of HTTP traffic.
• Versions: HTTP 0.9,HTTP 0.1,HTTP 1.1,HTTP 2.0
N
ot
fo
rr
Key Notes:
es
Short for HyperTextTransferProtocol , HTTP is the underlying protocol for the World Wide Web. HTTP
al
defines how messages are formatted and transmitted and what actions web servers and browsers should
e
take in response to various commands.
or
d
is
Http 1.0 :https://tools.ietf.org/html/rfc1945
t rib
HTTP 1.1 : https://tools.ietf.org/html/rfc7231
ut
HTTP2.0 : https://tools.ietf.org/html/rfc7540
io
NetScaler Support for 2.0: https://docs.citrix.com/en‐us/netscaler/11/system/http‐
n
configurations/configuring‐http2.html

•
CITRIX
•
HTTP Request Headers
Here is an example of an HTTP request initiated from a client browser:
GET http : //training . citrix . com/ HTTP/1 . 1
Host : training . citrix . com

Connection : keep - alive
User - Agent : Mozilla/5 . 0 (Windows NT 10 . 0 ; Win64 ; x64 )
AppleWebKit/537 . 36 (KHTML , like Gecko) Chrome/57 . 0 . 2987 . 133
Safari/537 . 36
Accept : text/html , application/xhtml+xml , application/xml ; q=0 . 9 , imag
e/webp , */* ; q=0 . 8
Accept - Encoding : gzip , deflate , sdch
Accept - Language : en - US , en ; q=0 . 8
! Cookie : insight session=ce854757-6707 - 4ec0 - 9191-9fa9c5fcbb4c ;
N
ot
fo
rr
Key Notes:
es
A request message from a client to a server includes, within the first line of that message, the method to be
al
applied to the resource, the identifier of the resource, and the protocol version in use. The general format
e
of Request is as following:
or
Request = Request‐Line
d
*(( general‐header
is
| request‐header
t rib
| entity‐header ) CRLF)
ut
CRLF
io
[ message‐body ]
n
Additional resources:
HTTP Request Format : https://www.w3.org/Protocols/rfc2616/rfc2616‐sec5.html

•
CITRIX
•
HTTP Response Headers
Here is an example of an HTTP response from a web server:
HTTP/1. 1 200 OK
Date : Wed , 19 Apr 2017 18 : 52 : 05 GMT
Server : Apache
Set - Cookie : MoodleSession=eolrrnmdtrv29nblqlu0ipleupl ; path=/
Expires : Cache - Control : private , pre - check=0 , post - check=0 , max -
age=0
Pragma : no - cache
Content - Language : en
Accept - Ranges : none
Keep - Alive : timeout=2 , max=l00
Connection : Keep - Alive
N
Content - Type : text/html ; charset=utf - 8

ot
Content - Encoding : gzip

fo
rr
Key Notes:
es
A response message from a server to a client includes, within the first line of that message, the protocol
al
version followed by a numeric status code and its associated textual. The general format of Request is as
e
following:
or
Response = Status‐Line
d
*(( general‐header
is
| response‐header
t
rib
| entity‐header ) CRLF)
ut
CRLF
io
[ message‐body ]
n
The Status‐Code is a 3‐digit integer result code of the attempt to understand and satisfy the request.
It can be classified as following:
• 1xx: Informational ‐ Request received, continuing process.
• 2xx: Success ‐ The action was successfully received, understood, and accepted.
• 3xx: Redirection ‐ Further action must be taken in order to complete the request.
• 4xx: Client Error ‐ The request contains bad syntax or cannot be fulfilled.
• 5xx: Server Error ‐ The server failed to fulfil an apparently valid request.

•
CITRIX
•
Additional resources:
HTTP Response Format : https://www.w3.org/Protocols/rfc2616/rfc2616‐sec6.html
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
Identifying
• The simple expression is the basic building block of
Simple policies.
Expressions • A simple expression consists of a single , logical
comparison.
N
ot
fo
rr
Key Notes:
es
Simple expressions check for a single condition.
al
An example of a simple expression is:
e
or
Consider the url https://mail.google.com/mail/u/0/#inbox
Expression : REQ.HTTP.URL == /mail/u/0/#inbox
d
is
trib
ut
Link to Citrix Prod Docs on Policies and Expressions
io
https://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐expressions.html
n

•
CITRIX
•
Simple Expression Examples
• Traffic from a subnet:

add pol exp bad_boys " REQ . IP . SOURCEIP 65 . 219 . 20 . 0 - netmask 255 . 255 . 255 . 0 "
• Request for specific content:

add pol exp big_java " REQ . HTTP . URL contains big_job . jsp"
• Long request:
add pol exp big_url " REQ . HTTP . URLLEN > 256 "
• HTTP request header-based expressions:

add pol exp accepts_html "REQ . HTTP . HEADER accept contains text/html "
N
add pol exp has_cookie_header " REQ . HTTP . HEADER cookie exists "
ot
fo
rr
Key Notes:
es
Named expressions are created once, and can then be referenced a number of times by different feature
al
sets in the Citrix NetScaler. Decreasing administrative overhead for policy expressions. For example you
e
write an expression to identify ASP pages, you then use this expression in both a compression policy (to
or
compress the pages) and a content switching policy (to direct the connection to the correct servers).
To create a named expression:
d is
• In the configuration utility, on the Configuration tab, in the navigation pane, expand AppExpert and

t
then click Expressions.
rib
• In the details pane, click Add.
ut
• In the Create Policy Expression dialog box, in Expression Name, type a name for the expression.

io
• To create an expression, click Add.
n
• Do one of the following:
• In Frequently Used Expression, select an expression from the list, click OK, click Create and then
click Close.
• Under Construct Expression, select the parameters for the expression string, click OK, click Create
and then click Close.

•
CITRIX
•
Identifying The following named compound expressions are built
Compound from named simple expressions:
Expressions add pol exp big_bad " (bad_boys &&
big_java) "
add pol exp big_bad_or_long " (big bad
11 big_url) "
N
ot
fo
rr
Key Notes:
es
A compound expression can contain any number of logical and arithmetic operators.
al
Booleans in Compound Expressions
e
• && : This operator is a logical AND. For the expression to evaluate to TRUE, all components that are
or
joined by the And must evaluate to TRUE.
d
• || : This operator is a logical OR. If any component of the expression that is joined by the OR evaluates
is
to TRUE, the entire expression is TRUE.
t rib
• ! : Performs a logical NOT on the expression.
ut
Compound expressions check for multiple conditions. You create compound expressions by connecting to
one or more expression names using the logical operators && and ||. You can use the symbols to group the
io
expression in the order of evaluation.
n
Compound expressions can be categorized as:
Named expressions. As an independent entity, a named expression can be reused by other policies and are
part of the policy. You configure named expressions at the system level in the configuration utility. You can
use a predefined named expression in the policy or create one of your own.
Inline expressions. An inline expression is one that you build within the policy that is specific to the policy.
Configuring Policies with the AND (&&) Operator:
• The AND (&&) operator works by combining two client security strings so that the compound check
passes only when both checks are true. The expression is evaluated from left to right and if the first
check fails, the second check is not carried out.
• You can configure the AND (&&) operator using the keyword ‘AND’ or the symbols ‘&&’.

•
CITRIX
•
• Example:
• The following is a client security check that determines if the user device has Version
7.0 of Sophos AntiVirus installed and running. It also checks if the netlogon service is
running on the same computer.
• CLIENT.APPLICATION.AV(sophos).version==7.0 AND CLIENT.SVC(netlogon) EXISTS
• This string can also be configured as
• CLIENT.APPLICATION.AV(sophos).version==7.0 && CLIENT.SVC(netlogon) EXISTS
• Configuring Policies with the OR ( || ) Operator
• The OR (||) operator works by combining two security strings. The compound check
passes when either check is true. The expression is evaluated from left to right and if
the first check passes, the second check is not carried out. If the first check does not
pass, the second check is carried out.
N
• You can configure the OR (||) operator using the keyword ‘OR’ or the symbols '||'.

ot
• Example:
fo
• The following is a client security check that determines if the user device has either the
rr
file c:\file.txt on it or the putty.exe process running on it.
• client.file(c:\\\\file.txt) EXISTS) OR (client.proc(putty.exe) EXISTS
es
• This string can also be configured as
al
• client.file(c:\\\\file.txt) EXISTS) || (client.proc(putty.exe) EXISTS
e
• Configuring Policies Using the NOT ( ! ) Operator
or
• The NOT (!) or the negation operator negates the client security string.

d
• Example:
is
• The following client security check passes if the file c:\sophos_virus_defs.dat file is NOT
t rib
more than two days old:
• !(client.file(c:\\\\sophos_virus_defs.dat).timestamp==2dy)
ut
io
n

CITRIX
•
Features that support the classic policy engine include:
• Authentication
Features that • SSL
Support Classic • Content Switching
• Compression
Policies • Content Filtering
• SureConnect
• Priority Queuing
• HTML Injection
• AAA TM
• Application Firewall
• NetScaler Gateway
N
ot
fo
rr
Key Notes:
es
Policy Type and Bind Points for Policies in Features that Use Classic Policies Feature on NetScaler 12.0
al
System features, Authentication:
e
• Virtual Servers: None
or
• Supported Policies: Authentication policies
d
• Policy Bind Points: Global
is
t
• How you Use the Policy: For the Authentication feature, policies contain authentication schemes for
rib
different authentication methods. For example, you can configure LDAP and certificate‐based
ut
authentication schemes.
io
SSL:
n
• Supported Policies: SSL policies
• Policy Bind Points: Global and Load Balancing virtual server
• How you Use the Policies: To determine when to apply an encryption function and add certificate
information to clear text. To provide end‐to‐end security. After a message is decrypted, the SSL
feature re‐encrypts clear text and uses SSL to communicate with back‐end Web servers.
Content Switching:
• (Can use either classic or default syntax policies, but not both)
• Virtual Servers: Content Switching virtual server
• Supported Policies: Content Switching policies
• Policy Bind Points: Content Switching virtual server and Cache Redirection virtual server

•
CITRIX
•
• How you Use the Policies: To determine what server or group of servers is responsible
for serving responses, based on characteristics of an incoming request. Request
characteristics include device type, language, cookies, HTTP method, content type and
associated cache server.
Compression:
• Supported Policies: HTTP Compression policies
• Policy Bind Points: Global, Content Switching virtual server, Load Balancing virtual
server, SSL Offload virtual server, and Service
• How you Use the Policies: To determine what type of HTTP traffic is compressed.
Protection features, Filter:
N
• Supported Policies: Content Filtering policies
ot
• Policy Bind Points: Global, Content Switching virtual server, Load Balancing virtual
fo
server, SSL Offload virtual server, and Service
rr
• How you Use the Policies: To configure the behavior of the filter function.
es
Protection features, SureConnect:
al
e
• Supported Policies: SureConnect policies
or
• Policy Bind Points: Load Balancing virtual server, SSL Offload virtual server, and Service
• How you Use the Policies: To configure the behavior of the SureConnect function.
d is
Protection features, Priority Queuing:
t
rib
• Supported Policies: Priority Queuing policies
ut
• Policy Bind Points: Load Balancing virtual server and SSL Offload virtual server
io
• How you Use the Policies: To configure the behavior of the Priority Queuing function.
n
HTML Injection:
• Virtual Server: None
• Supported Policies: HTML Injection Policies
• Policy Bind Points: Global, Load Balancing virtual server, Content Switching virtual
server, and SSL Offload virtual server
• How you Use the Policies: To enable the NetScaler to insert text or scripts into an HTTP
response that it serves to a client.
AAA ‐ Traffic Management:

CITRIX
•
• Supported Policies: Authentication, Authorization, Auditing, and Session policies
• Policy Bind Points: Authentication virtual server (authentication, session, and auditing
policies), Load Balancing or Content Switching virtual server (authorization and auditing
policies), Global (session and audit policies), and AAA group or user (session, auditing,
and authorization policies)
• How you Use the Policies: To configure rules for user access to specific sessions and
auditing of user access.
Cache Redirection:
• Virtual Servers: Cache Redirection virtual server
• Supported Policies: Cache Redirection policies and Map policies
• Policy Bind Points: Cache Redirection virtual server
• How you Use the Policy: To determine whether HTTP responses are served from a
N
cache or an origin server.
ot
Application firewall:
fo
rr
• Supported Policies: Application firewall policies
es
• Policy Bind Points: Global
al
• How you Use the Policies: To identify characteristics of traffic and data that should or
e
should not be admitted through the firewall.
or
NetScaler Gateway:
• Virtual Servers: VPN server
d is
• Supported Policies: Pre‐Authentication policies
t
• Policy Bind Points: AAA Global and VPN vserver
rib
• How you Use the Policies: To determine how the NetScaler Gateway performs
ut
authentication, authorization, auditing, and other functions, and to define rewrite
io
rules for general Web access using the NetScaler Gateway.
n
• Supported Policies: Authentication policies
• Policy Bind Points: System Global, AAA Global, and VPN vserver
• Supported Policies: Auditing policies
• Policy Bind Points: User, User group, and VPN vserver
• Supported Policies: Session policies

CITRIX
•
• Policy Bind Points: VPN Global, User, User Group, and VPN vserver
• Supported Policies: Authorization policies
• Policy Bind Points: User, User Group
• Supported Policies: Traffic policies
• Policy Bind Points: VPN Global, User, User Group, and VPN vserver
N
ot
fo
• Supported Policies: TCP Compression policies
rr
• Policy Bind Points: VPN Global
es
al
e
or
d
To see all features see: http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐
is
expressions/ns‐pi‐config‐classic‐pols‐exprs‐wrapper‐con.html
trib
ut
io
n

CITRIX
•
Content Filtering
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Content filtering offers protection from malicious
attacks at the HTTP content level.
Content
• The NetScaler system inspects each incoming
Filtering HTTP request or response with the configured
rules.
• Two commonly used content-filtering actions are
DROP and RESET.
N
ot
fo
rr
Key Notes:
es
Usually the same functions can be handled by Responder policies, however unlike Responder, which only
al
operates on the REQ traffic, Content Filtering can operate on the REQ or RES.
e
Following are some examples of things you can do with content filtering policies: Prevent users from
or
accessing certain parts of your Web sites unless they are connecting from authorized locations.
d
Prevent inappropriate HTTP headers from being sent to your Web server, possibly breaching security.
is
Redirect specified requests to a different server or service.
t
rib
ut
io
n

•
CITRIX
•
The content filtering actions below can be configured
on the NetScaler:
• Pre-configured -which allow you to drop or reset
traffic
Filter • RESET
Actions • DROP
• User-defined - which have to be ability to drop or
reset and provide custom functions
• Add
• Corrupt
• Forward
• ErrorCode
N
ot
fo
rr
Key Notes:
es
The Content Filter can be used for following functionality:
al
• ADD ‐ Adds the specified HTTP header.
e
• RESET ‐ Terminates the connection, sending the appropriate termination notice to the user's browser.
or
• FORWARD ‐ Redirects the request to the designated service. You must specify either a service name or a
d
page, but not both.
is
• DROP ‐ Silently deletes the request, without sending a response to the user's browser.
t
rib
• CORRUPT ‐ Modifies the designated HTTP header to prevent it from performing the function it was
intended to perform, then sends the request/response to the server/browser.
ut
• ERRORCODE. Returns the designated HTTP error code to the user's browser (for example, 404, the
io
standard HTTP code for a non‐existent Web page).
n
The Content Filter will be deprecated after NetScaler version 12.0. We can use other features to achieve the
functionality of the content filtering
• The Rewrite Policy can be used to ADD,CORRUPT the HTTP headers.
• The rewrite/responder policy can be used to DROP/RESET or to respond with ERROR CODE.
• The Content Switching provides the functionality equivalent to FORWARD action of Content Filtering.

•
CITRIX
•
Configuring Content Filters
Crute Fil1or Policy
I ew_Fd ~r
To enable the content filtering feature on

NetScaler, create a Filter Policy which REQ,HTTP.HEADfR Host fXlSTsj
consists of:
R~tAct10t1 • R~~Act,on
• Expression
• Action [ RESET • + /
CloH
N
ot
fo
rr
Key Notes:
es
CLI for adding Content filters.
al
• add filter action <name> <qualifier> [<serviceName>] [<value>] [<respCode>] [<page>]
e
• add filter policy <name> ‐rule <expression> (‐reqAction <action> | ‐resAction <string>

or
To implement content filtering, you must configure at least one policy to tell your NetScaler appliance how
d
to distinguish the connections you want to filter. You must first have configured at least one filtering action,
is
because when you configure a policy, you associate it with an action.
t rib
Content filtering policies examine a combination of one or more of the following elements to select
requests or responses for filtering:
ut
• URL : The URL in the HTTP request.
io
• URL query : Only the query portion of the URL, which is the portion after the query (?) symbol.
n
• URL token : Only the tokens in the URL, if any, which are the parts that begin with an ampersand (&) and
consist of the token name, followed by an equals sign (=), followed by the token value.
• HTTP method : The HTTP method used in the request, which is usually GET or POST, but can be any of
the eight defined HTTP methods.
• HTTP version : The HTTP version in the request, which is usually HTTP 1.1.
• Standard HTTP header : Any of the standard HTTP headers defined in the HTTP 1.1 specification.
• Standard HTTP header value : The value portion of the HTTP header, which is the portion after the colon
and space (: ).
• Custom HTTP header : A non‐standard HTTP header issued by your Web site or that appears in a user
request.
• Custom header value :The value portion of the custom HTTP header, which (as with the standard HTTP

•
CITRIX
•
header) is the portion after the colon and space (: ).
• Client Source IP :The IP from which the client request was sent.
• Content filtering policies use the simpler of two NetScaler expressions languages, called
classic expressions.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

CITRIX
•
A filter:
Binding
Filters • Must be bound to be active.
• May be bound globally or to a specific virtual server.
• Must be unbound to be removed .
N
ot
fo
rr
Key Notes:
es
If traffic does not match any content filtering policy the virtual server will send it to a default load balancing
al
server if one is defined. If no default server is defined on the content switching virtual server, the non
e
matched traffic will be dropped.
or
d is
t rib
ut
io
n

•
CITRIX
•
• What are some of the use cases for Forwarding
requests?
• What types of issues could this solve in your
environment?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• The two components of a classic policy are
expression and action .
• Simple expressions are a single logical comparison .
• Compound expressions are built using a simple
Key Takeaways expression joined by compound operators.
• Content filtering allows the administrator to easily
DROP or RESET unwanted traffic.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Exercise 1-1: Configuring Content Filtering with
Classic Policies
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
•
CITRIX
•
NetScaler Traffic
Management
AppExpert Default Policies
N
CNS..219-2i
ot
Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Describe Default Policy including basic components.
• Discuss the syntax of Default Policy expression .
Learning • Explain Actions in policy expression evaluation.
Objectives • Distinguish key attributes of policy binding and bind

types .
• Discuss constructing and managing Default Policies
with AppExpert.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Default Policy Overview
N
ot
fo
rr
Key Notes:
es
Default syntax policies can perform the same type of evaluations as classic policies. In addition, default
al
syntax policies enable you to analyze more data (for example, the body of a request into an HTTP header).
e
Default syntax policies use a powerful expression language that is built on a class‐object model, and they
or
offer several options that enhance your ability to configure the behavior of various NetScaler features. With
default syntax policies, you can do the following: Perform fine‐grained analyzes of network traffic from
d is
layers 2 through 7.
trib
Evaluate any part of the header or body of an HTTP or HTTPS request or response.
Bind policies to the multiple bind points that the default syntax policy infrastructure supports at the default,
ut
override, and virtual server levels.
io
Use Goto expressions to transfer control to other policies and bind points, as determined by the result of
n
expression evaluation.
Use special tools such as pattern sets, policy labels, rate limit identifiers, and HTTP callouts, which enable
you to configure policies effectively for complex use cases.
Additionally, the configuration utility extends robust graphical user interface support for default syntax
policies and expressions and enables users who have limited knowledge of networking protocols to
configure policies quickly and easily. The configuration utility also includes a policy evaluation feature for
default syntax policies. You can use this feature to evaluate a default syntax policy and test its behavior
before you commit it, thus reducing the risk of configuration errors.
Evaluate the body of an HTTP request) and to configure more operations in the policy rule (for example,
transforming data in the body of a request into an HTTP header).

•
CITRIX
•
The NetScaler system uses policies to evaluate
specified conditions and to define actions to be taken if
conditions are met.
• The order and flow of policy evaluation depends on
the feature set and policy-expression type .
Policies • Defined actions are always feature specific.
• Policy evaluation outcomes include:
• True
• False
• Undefined
N
ot
fo
rr
Key Notes:
es
For many NetScaler features, policies control how a feature evaluates data, which ultimately determines
al
what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate
e
requests, responses, or other data, and applies one or more actions determined by the outcome of the
or
evaluation. Alternatively, a policy can apply a profile, which defines a complex action.
d is
t rib
ut
io
n

•
CITRIX
•
Classic Policies: vs. Default Policies:
• Original policy engine (PE) before • Newer policy engine (Pl)

default
• Can evaluate more traffic and perform
• Evaluate basic characteristics of more complex actions than classic
traffic and perform basic actions providing more control over the
evaluation .
• Classic Syntax:
REQ . HTTP . HEADER Host CONTAINS • Default Syntax:
Citrix HTTP . REQ . HEADER( " Host " ) . CONTAINS
( " Citrix " )
N
ot
fo
rr
Key Notes:
es
Citrix suggests using default policies instead of classic when possible. Exceptions are if the service does not
al
support default policies, or, if a company is heavily invested in classic, it may not make sense to try and
e
switch. When in doubt though, use default policies.
or
Please note that the Classic policies are being deprecated after version 12.0.
d
Example of classic vs default: Classic can evaluate the http header, whereas default policies can evaluate
is
the http header and/or body.
trib
ut
io
n

•
CITRIX
•
Classic and Default Policy Application
Feature Policy Usage
System Classic Authentication and auditing
DNS Default Determines DNS resolution requests
SSL Both Determine when and what to encrypt
Compression Both What to compress
Integrated Caching Default Determine whether HTTP responses are cacheable
Responder Default Behavior of Responder
Protection Features Classic Behavior of the Filter, SureConnect, and Priority Queuing
Content Switching Both Determines which server should process request
AAA Both* AAA and SSO
Cache Redirection Classic Whether to respond with cache or from server
N
Rewrite Default Identify HTTP data to be modified

ot
AppFW Both Determine whether traffic is allowed

fo
rr
Key Notes:
es
AAA Exceptions
al
• Traffic policies only support Default.
e
• Authorization policies support Both.
or
d is
t rib
ut
io
n

•
CITRIX
•
Basic Components of Classic and Default Syntax
Policies
Name Each policy must have a unique name, bound by NetScaler naming rules .
Rule/Expression Logical expression that defines the evaluation parameters.
A separate entity from the policy that dictates what NetScaler should do in
Actions the case of a positive expression evaluation .
N
ot
fo
rr
Key Notes:
es
We recommend creating simple rules and compounding them, instead of creating complex rules. This
al
makes for simpler management and provides modularity.
e
• Names should follow a logical convention.
or
• Default syntax policies can use all of the expressions that are available in a classic policy, with the
d
exception of classic expressions for the SSL VPN client.
is
trib
ut
io
n

•
CITRIX
•
Convert Classic Policies to Default Policies
• Only supported for features that support default policies.
• nspepi -e <classic expression> converts single policy.
• nspepi -f <ns config file> converts all expressions in file.
• Makes a new copy of the file and edits that; it does not touch the source file.
• v switch for verbose: it displays status and logs results .
root@NS# nspepi - f ns . conf

OUTPUT: New configuration file created : new ns.conf
OUTPUT: New warning file created : warn_ns . conf
WARNINGS: Total number of warnings due to bind commands: 18
WARNINGS: Line numbers which has bind command issues: 305, 306, 706, 707, 708, 709, 710, 711, 712,
N
714, 715, 767, 768, 774, 775 , 776 , 777

ot
fo
rr
Key Notes:
es
Only for features that support default policy along with classic policies– For example, you cannot convert
al
SSL VPN policies.
e
nspepi –f prepends new_ to the file (e.g. nspepi –f ns.conf makes a converted file called new_ns.conf)

or
‐v logs results to warn_ns.conf file
d
It is critical to verify and test after conversion.
is
t rib
ut
Citrix edocs on NetScaler 12 expression conversion:
io
http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐expressions/ns‐pi‐intro‐pol‐exp‐
n
wrapper‐con/ns‐pi‐pe‐to‐pi‐conversion‐tool‐wrapper‐con.html

•
CITRIX
•
Why should you be converting your Classic policies to
Default?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Default Expression Syntax
N
ot
fo
rr
Key Notes:
es
You can create default syntax policies for various NetScaler features, including DNS, Rewrite, Responder,
al
and Integrated Caching, and the clientless access function in the NetScaler Gateway. Policies control the
e
behavior of these features.
or
When you create a policy, you assign it a name, a rule (an expression), feature‐specific attributes, and an
action that is taken when data matches the policy. After creating the policy, you determine when it is
d is
invoked by binding it globally or to either request‐time or response‐time processing for a virtual server.
t rib
Policies that share the same bind point are known as a policy bank. For example, all policies that are bound
to a virtual server constitute the policy bank for the virtual server. When binding the policy, you assign it a
ut
priority level to specify when it is invoked relative to other policies in the bank. In addition to assigning a
io
priority level, you can configure an arbitrary evaluation order for policies in a bank by specifying Goto
expressions.
n
In addition to policy banks that are associated with a built‐in bind point or a virtual server, you can
configure policy labels. A policy label is a policy bank that is identified by an arbitrary name. You invoke a
policy label, and the policies in it, from a global or virtual‐server‐specific policy bank. A policy label or a
virtual‐server policy bank can be invoked from multiple policy banks.

•
CITRIX
•
Default Policy Expressions
When working with default polices, first define the expression, which is the condition
under which the policy will apply.
• Expressions on a NetScaler system can be configured using:
• The Configuration Utility.
• The CLI .
• Expressions can be inline or named:

• In line is a simple or compound expression written inside a policy.
• Named expressions are saved logic and:
• Can be simple or compound .
• Consist of a name , qualifier and operator.
• Can be used many times in polices for any feature that supports the default engine .
N
ot
fo
rr
Key Notes:
es
The Policy Infrastructure engine uses the default policy expression language. Expression language is
al
universal and can be reused across feature sets that support the default policy engine.
e
You can configure text expressions to be case sensitive or case insensitive and to use or ignore spaces. You
or
can also configure complex text expressions by combining text expressions with Boolean operators.
d
Default Syntax Expressions can be used for Parsing HTTP, TCP, and UDP Data.
is
t rib
ut
io
n

•
CITRIX
•
Default Policy Expressions: Syntax
Expression Editor
• "Dotted function" chains in NetScaler default policy expressions
read from left to right.
Select
• The element at furthest left designates which part of the connection Select
the expression is analyzing . Start With Variable
HTTP
Some possible top-level (furthest left) elements include:
CLIENT
• CLIENT SERVER
ANALYTICS
• HTTP SIP
Pr TEXT
•SERVER
MYSQL
• SYS MSSQL
DS
DIAMETER
Default policy expression examples include: RADIUS
• CLIENT.IP.SRC.IN_SUBNET ("10.60.1.0/24") ORACLE
N
CONNECTION
• HTTP.REQ .HOSTNAME.EQ("www.citrix.com") SMPP
ot
SUBSCRIBER
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Default Syntax Expressions: Basic Components
Describes information to be evaluated - what the policy

Qualifier
examines.
Operator Describes how the qualifier will be examined.
OperandNalue Values to compare to qualifiers.

N
ot
fo
rr
Key Notes:
es
The elements of the rule can themselves return TRUE or FALSE, string, or numeric values.
al
e
that manipulates one or more objects, or operands.
or
d
that manipulates one or more objects, or operands. The first section in this topic defines the operators you
is
can use and provides a definition. The second section lists the operators you can use with specific
t rib
qualifiers, such as method, URL and query.
Operators:
ut
• ==
io
• Boolean.
n
• Returns TRUE if the current expression equals the argument. For text operations, the items being
compared must exactly match one another. For numeric operations, the items must evaluate to the
same number.
• !=
• Boolean.
• Returns TRUE if the current expression does not equal the argument. For text operations, the items
being compared must not exactly match one another. For numeric operations, the items must not
evaluate to the same number.
• CONTAINS
• Boolean.
• Returns TRUE if the current expression contains the string that is designated in the argument.

•
CITRIX
•
• NOTCONTAINS
• Boolean.
• Returns TRUE if the current expression does not contain the string that is designated in
the argument.
• CONTENTS
• Text.
• Returns the contents of the current expression.
• EXISTS
• Boolean.
• Returns TRUE if the item designated by the current expression exists.
• NOTEXISTS
N
• Boolean.
ot
• Returns TRUE if the item designated by the current expression does not exist.
fo
• >
rr
• Boolean.
• Returns TRUE if the current expression evaluates to a number that is greater than the
es
argument.
al
• <
e
• Boolean.
or
• Returns TRUE if the current expression evaluates to a number that is less than the
d
argument.
is
• >=
trib
• Boolean.
• Returns TRUE if the current expression evaluates to a number that is greater than or
ut
equal to the argument.
io
• <=
n
• Boolean.
• Returns TRUE if the current expression evaluates to a number that is less than or equal
to the argument.

CITRIX
•
After being evaluated , an expression can have one of
the follow ing results :
• Boolean values - HTTP.REQ .URL.CONTAINS("Citrix")
Expression
• Integer values - HTTP.REQ.URL.LENGTH
Result Types
• String values -
TEXT.AFTER_ STR("abc") .BEFORE_STR("ghi")
N
ot
fo
rr
Key Notes:
es
Boolean – will return a TRUE or FALSE value – the URL either contains “Citrix” or it does not

al
Integer ‐ this syntax will return the length of the URL in integer format
e
or
String – if we were looking at the alphabet we would be grabbing the string after “abc” but before “ghi” –
abcdefghi…
d is
trib
ut
io
n

•
CITRIX
•
Default Policy Expressions: Syntax Example
Policy Expression:
HTTP.REQ.HEADER("Referer").BEFORE_STR("//").EQ("https:")
Sample HTTP Request:
GET https://www.citrix.com/etc/core.min.1.128.0-20170602.153542-485.css HTTP/1.1

Host: www.citrix.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/css,*/*;q=0.1
I
N
Relerer: https ://www.citrix.com/

ot
fo
rr
Key Notes:
es
“HTTP.REQ.HEADER (“Referer”).BEFORE_STR (\”//”\)”.EQ(“https:”)
al
In our example, we are looking for whatever is before // and then seeing if it equals “https:” ‐
e
or
Observe the example provided in the slide. We can see the expression evaluates to TRUE.
d is
t rib
ut
io
n

•
CITRIX
•
• An action:
• Is owned by individual NetScaler features .
• Is bound to or activated by policies.
Actions • Cannot depend on results of other actions.
• Is applied at the end of the policy evaluation process.
• A single HTTP header cannot be modified by multiple

actions.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Using Advanced Expressions to Create Actions
Action Name Rewrite Action HTTP Header

Name
r1-i
add rewrite action ClientlP INSERT- HTTP- HEADE CIP LIENT.IP.SR
Value: Individual Client IP address

N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Policy Bindings
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Policies remain inactive if they are NOT bound to an
entity.
• Policies are bound or activated either globally or to
specific bind points.
• Available specific bind points vary by feature set.
Policy • The default policy engine also allows you to bind
policies in this manner, but it offers more flexibility on
Bindings how policies are bound and evaluated.
• Priorities are required for advanced policy
expressions.
• If a priority is assigned, policies are evaluated in the
order of their assigned priority.
N
ot
fo
rr
Key Notes:
es
For a policy to be evaluated on the NetScaler, it must be bound.
al
In Classic Policy Engine ‐ we already have the concept of bind points – basically a name to which policies

e
are bound. These names can implicit (like global) or names of other user configured entities like vServers,
or
users or groups.
d
For advanced syntax we can use Policy labels (banks). These are a generalization of the classic bind point
is
concept. A policy label is a name to which advanced policies can be bound
trib
ut
io
n

•
CITRIX
•
• Global bind points:
• Policies bound to the default label are evaluated after virtual server-
specific evaluation .
• Policies bound to the override label are evaluated before virtual server-
specific evaluation .
• VServer bind points:

Bind • Policies can be bound to a vServer.
Point Types • User-defined bind points:

• Policies can be created and bound to policy label bind points.
• Policies bound are evaluated only on invoke.
• These are similar to named subroutines.
• Policies Labels can be invoked.
N
ot
fo
rr
Key Notes:
es
Bind points are a very powerful aspect of policies. A bind point is a collection of active policies and is
al
invoked by other policies.
e
Bind points were carried over from classic policies, which used virtual server or global, even though it is not
or
explicitly displayed with classic policies. The bind point and binding to request or response capability is an
important consideration. Where a policy is bound affects when the action is taken.
d is
One major difference between bind points for classic and default is the process of evaluation. For example,
t rib
if a classic policy is bound to a virtual server and is globally bound, then priorities determine the result.
With default policies, it is policy bank‐specific. The level of bank‐specific policies are evaluated before the
ut
global‐default banks. Global override happens before the virtual server bound items. Global default is last.
io
When a bind point is invoked, the NetScaler system evaluates the policies that comprise the bind point in
n
the order of the assigned priorities. The scope of the priority assigned to a policy is limited to the bind point
to which the policy is bound. The priority of a policy is only relative to the priorities of the other policies
bound to the same bind point. This function allows grouping of policies and effective implementation.

•
CITRIX
•
A policy label is a user-defined point to which policies
can be bound.
• Using a policy label , an administrator can logically
Policy group policies and define the order in which they are
Labels evaluated .
• Policy labels are invoked from other policies .
N
ot
fo
rr
Key Notes:
es
When a policy label is invoked, all of the policies bound to it are evaluated in the order of the configured
al
priority. When a policy is matched, the appropriate action is performed and control is returned to the policy
e
that invoked the policy label.
or
Policy Labels are generally defined to be reusable.
d is
t rib
ut
io
n

•
CITRIX
•
Request and Response Bind Points:
• Default global
Policy • Virtual server
Bind Points • Override global
• Policy label
N
ot
fo
rr
Key Notes:
es
User‐Defined Policy Label ‐ For default syntax policies, you can configure custom groupings of policies
al
(policy banks) by defining a policy label and collecting a set of related policies under the policy label.
e
Additional bind points depend on the type of policy ‐ for example, the NetScaler Gateway policies can be
or
bound to users or groups.
If no policies match, then the normal behavior of the bind point occurs.
d is
You can bind the policy to one of the following bind points:
t rib
A global policy bank. These are the request‐time default, request‐time override, response‐time default, and
response‐time override policy banks.
ut
A virtual server. Policies that you bind to a virtual server are processed after the global override policies
io
and before the global default policies. Note that when binding a policy to a virtual server, you bind it to
n
either request‐time or response‐time processing.
An ad‐hoc policy label. A policy label is a name assigned to a policy bank. In addition to the global labels,
the integrated cache has two built‐in custom policy labels:_reqBuiltinDefaults. This policy label, by default,
is invoked from the request‐time default policy bank.
_resBuiltinDefaults. This policy label, by default, is invoked from the response‐time default policy bank.
You can also define new policy labels. Policies bound to a user‐defined policy label must be invoked from
within a policy bank for one of the built‐in bind points. Important: You should bind a policy with an INVAL
action to a request‐time override or a response‐time override bind point. To delete a policy, you must first
unbind it.
Order of Policy Evaluation
For an advanced policy to take effect, you must ensure that the policy is invoked at some point during the

•
CITRIX
•
NetScaler appliance’s processing of traffic. To specify the invocation time, you associate the
policy with a bind point. The following are the bind points, listed in order of evaluation:
Request‐time override. If a request matches a request‐time override policy, by default
request‐time policy evaluation ends and the NetScaler appliance stores the action that is
associated with the matching policy.
Request‐time load balancing virtual server. If policy evaluation cannot be completed after all
the request‐time override policies are evaluated, the NetScaler appliance processes request‐
time policies that are bound to load balancing virtual servers. If the request matches one of
these policies, evaluation ends and the NetScaler appliance stores the action that is
associated with the matching policy.
Request‐time content switching virtual server. Policies that are bound to this bind point are
evaluated after request‐time policies that are bound to load balancing virtual servers.
N
Request‐time default. If policy evaluation cannot be completed after all request‐time, virtual
ot
server‐specific policies are evaluated, the NetScaler appliance processes request‐time default
policies. If the request matches a request‐time default policy, by default request‐time policy
fo
evaluation ends and the NetScaler appliance stores the action that is associated with the
rr
matching policy.
es
Response‐time override. Similar to request‐time override policy evaluation.
al
Response‐time load balancing virtual server. Similar to request‐time virtual server policy
evaluation.
e
or
Response‐time content switching virtual server. Similar to request‐time virtual server policy
evaluation.
d
Response‐time default. Similar to request‐time default policy evaluation.
is
trib
ut
io
n

CITRIX
•
gotoPriorityExpression
Determines how to continue processing when a policy has evaluated as TRUE and the
action has been determined .
gotoPriorityExpression Result
NEXT Evaluate policy with next priority.
END Stop evaluating policies.
<integer> Evaluate policy with priority of <integer>.
Go To NEXT or END depending on

N
INVOCATION LIST
INVOCATION LIST
ot
fo
rr
Key Notes:
es
Goto expression is used to control the flow of policy evaluation and it also acts as a logical tool to get to the
al
appropriate policy without going through everything bound sequentially. When binding the policy, you
e
assign it a priority level to specify when it is invoked relative to other policies in the bank. In addition to
or
assigning a priority level, you can configure an arbitrary evaluation order for policies in a bank by specifying
Goto expressions. A Goto expression indicates the next policy to be evaluated, typically within the same
d
policy bank. Goto expressions can only proceed forward in a bank to avoid looping scenarios
is
t
Correct usage of Goto expression will always simplify the configuration and will result in correct behavior. It
rib
also enhances system performance by ensuring that correct set of required policies are evaluated. If a
policy evaluates to FALSE, the NetScaler continues the evaluation in the order of priority.
ut
io
If a policy evaluates to UNDEFINED (cannot be evaluated on the received traffic due to an error), the
NetScaler performs the action assigned to the UNDEFINED condition (referred to as undefAction) and stops
n
further evaluation of polices.
Ensure that the policies do not specify conflicting or overlapping actions on the same part of the HTTP
header or body, or TCP payload. When such a conflict occurs, the NetScaler encounters an undefined
situation and aborts the rewrite.

•
CITRIX
•
• If the policy evaluates as TRUE , the NetScaler adds
the action to the result set.
• If a policy evaluates as FALSE , the NetScaler
continues the evaluation in the order of priority.
Policy • If a policy evaluates as UNDEFINED (cannot be
Result evaluated on the received traffic due to an error), the
NetScaler performs the action assigned to the
UNDEFINED condition (referred to as undefAction)
and stops further evaluation of polices.
N
ot
fo
rr
Key Notes:
es
When prioritizing policies, it is a good practice to leave space between priorities to accommodate potential
al
growth in future.
e
An UNDEFINED occurs when there is an expression match on the policy but the policy cannot be evaluated.
or
For example, you write an expression to capture a piece of information, the information is captured as text,
d
but you think it is a number and you attempt to perform a mathematical function on it. This would cause an
is
UNDEFINED.
t rib
It is important to emphasize that when an UNDEFINED occurs, all other policy processing stops.
ut
io
n

•
CITRIX
•
Simplified Policy Evaluation Flow
, - - - - - - - - - - - True - - - - - - - - - - - ,
Evaluation
Evaluate the policy ... Next Policy
Goes to the next policy
Action
Executes the action
r
expressoons lor a match on the policy 11st
assigned to the policy
Yes
I
Undefined
Check for Un defAction
Perfonn the rule- Log
Policies spec,roc or default Logs actions
Check ror untested undefActoon
policoes ,n the pobcy bst
0
l
N
DONE
ot
- Incoming Connection
L Outgoing Connection -
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
As traffic flows through the NetScaler, it is evaluated by
each enabled feature .
Packet • The NetScaler system will process all polices for a

feature and typically applies all matching actions after
Processing processing is complete within a feature .
• Integrated caching is one exception .
Flow
• Traffic flows through the NetScaler Modules in a
particular order which may effect how polices get
applied .
N
ot
fo
rr
Key Notes:
es
Evaluation Order
al
• Classic policies are evaluated according to bind points and priority level
e
• Advanced policies are evaluated in the following order for basic groupings:
or
• Request‐time global override
d
• Request‐time, virtual server‐specific
is
• Request‐time global default
t rib
• Response‐time global override
ut
• Response‐time virtual server‐specific
io
• Response‐time global default
n

•
CITRIX
•
Understanding Processing Order
C7 NetScaler sends processed response to
client
Client sends request to NetScaler
l
-·
NotS<alef
.........
,_.,
"""'
a..,_
ftlQUHI 10
NetSaltf HTML PatHffConlenl
Yes
R-,ro
!
,,,, 1
I-
_
IH!Sc....
i....
--·
""1S<alef
--·!
NIIS<alef
..........
._.,
N
ot
Server sends response to NetScaler NetScaler sends processed request to

I- server
fo
rr
Key Notes:
es
This diagram shows only the policy‐relevant features.
al
e
or
Citrix edocs getting started link: https://docs.citrix.com/en‐us/netscaler/12/getting‐started‐with‐
d
netscaler.html#par_richtext_8
is
t rib
ut
io
n

•
CITRIX
•
The Policy Manager dialog box provides an easy
interface for managing bind points and policy banks.
Using the The most commonly used bind-point levels are:
Policy • Global
Manager • Load-balancing virtual server
• Content-switching virtual server
N
ot
fo
rr
Key Notes:
es
The Policy Manager is available for the Rewrite, Integrated Caching, Responder, and Compression features.
al
To remove unused policies by using the Policy Manager
e
• In the navigation pane, click the feature for which you want to configure the policy bank. The choices are
or
Responder, Integrated Caching, or Rewrite.

d
• In the details pane, click <Feature Name> policy manager.
is
• In the <Feature Name> Policy Manager dialog box, click Cleanup Configuration.

trib
• In the Cleanup Configuration dialog box, select the items that you want to delete, and then

ut
click Remove.
• In the Remove dialog box, click Yes.
io
n
• Click Close. A message in the status bar indicates that the policy is removed successfully.

•
CITRIX
•
When should you bind the policy to the global bind
point?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
AppExpert Additional Features
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
I AppExpert
App Expert Apphcat1ons
HTTP Callouts
Panem sets
Data Sets
URL Sets
•AppExpert policy engine is a powerful set of s nng Maps
tools for easy control and management of XML Namespace.s
almost any type of traffic. Location
NSVanables
NS Assignments
Policy Extensions
Expressions
Rate L1m1tmg
Ac1:1on Analytic.s
AppQoE
N
Rewrite
ot
Responder
Spillover
fo
rr
Key Notes:
es
For many NetScaler features, policies control how a feature evaluates data, which ultimately determines
al
what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate
e
requests, responses, or other data, and applies one or more actions determined by the outcome of the
or
evaluation. Alternatively, a policy can apply a profile, which defines a complex action.
d is
t rib
Citrix Product Documentation on a conceptual reference and configuration instructions for the AppExpert
and other features of the NetScaler appliance. http://docs.citrix.com/en‐us/netscaler/12/appexpert.html
ut
Citrix Product Documentation Introduction to Policies and Expressions: http://docs.citrix.com/en‐
io
us/netscaler/12/appexpert/policies‐and‐expressions/ns‐pi‐intro‐pol‐exp‐wrapper‐con.html
n

•
CITRIX
•
Which AppExpert features do you think will be useful in
your environments , and why?
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• A Pattern set or data set contains a set of patterns,
and each pattern is assigned a unique index.
• A pattern set is an array of indexed patterns used for
string matching during default syntax policy
evaluation.
Pattern Sets
• A data set is a specialized form of pattern set. It is an
and Data Sets array of patterns of types number (integer), 1Pv4
address, or 1Pv6 address.
• The only difference between pattern sets and data
sets is the type of patterns defined in the set.
N
ot
fo
rr
Key Notes:
es
A Pattern set or data set contains a set of patterns, and each pattern is assigned a unique index. When a
al
policy is applied to a packet, an expression identifies a string to be evaluated, and the operator compares
e
the string to the patterns defined in the pattern set or data set until a match is found or all patterns have
or
been compared. Then, depending on its function, the operator returns either a boolean value that indicates
whether or not a matching pattern was found or the index of the pattern that matches the string.
d is
Pattern sets and data sets work the same way. The only difference between pattern sets and data sets is
t
the type of patterns defined in the set.
rib
To use pattern sets or data sets, first create the pattern set or data set and bind patterns to it. Then, when
ut
you configure a policy for comparing a string in a packet, use an appropriate operator and pass the name of
io
the pattern set or data set as an argument.
n
Citrix Product Documentation on Pattern Sets and Data Sets: http://docs.citrix.com/en‐
us/netscaler/12/appexpert/pattern‐sets‐data‐seta.html

•
CITRIX
•
• Policy expressions for string matching on a large set
of string patterns are long and complex.
Pattern Sets
• Resources consumed are significant in terms of
and Data Sets processing cycles , memory, and configuration size.
Cont. • Use pattern matching to create simpler, less resource-
intensive expressions .
N
ot
fo
rr
Key Notes:
es
Depending on the type of patterns that you want to match, you can use one of the following features to
al
implement pattern matching:
e
A pattern set is an array of indexed patterns used for string matching during default syntax policy
or
evaluation. Example of a pattern set: imagetypes {svg, bmp, png, gif, tiff, jpg}.
d
A data set is a specialized form of pattern set. It is an array of patterns of types number (integer), IPv4
is
address, or IPv6 address.
trib
A pattern set or data set contains a set of patterns, and each pattern is assigned a unique index. When a
policy is applied to a packet, an expression identifies a string to be evaluated, and the operator compares
ut
the string to the patterns defined in the pattern set or data set until a match is found or all patterns have
io
been compared. Then, depending on its function, the operator returns either a boolean value that indicates
n
whether or not a matching pattern was found or the index of the pattern that matches the string.
Pattern sets and Data sets work the same way. The only difference between pattern sets and data sets is
the type of patterns defined in the set.

•
CITRIX
•
• During policy evaluation , the operator compares the
Pattern Set: string in the packet with the patterns defined in the
pattern set until a match is found .
String
• The operator returns either a Boolean value that
Matching indicates whether a matching pattern was found or the
index of the pattern that matches the string .
N
ot
fo
rr
Key Notes:
es
A pattern set defines a mapping of index values to strings.
al
After you configure a pattern set, you can use it in an advanced expression that passes the pattern set as an
e
argument to an appropriate operator.
or
When you use an operator, replace <text> with the default syntax expression that identifies the string with
d
which you want to perform string matching, and replace <pattern_set_name> with the name of the pattern
is
set.
t
rib
ut
io
n

•
CITRIX
•
• A string map is an entity that consists of key-value
pairs.
• A policy configuration that uses string maps performs
better than one using string matching through policy
expressions.
String • Fewer policies are needed to perform string matching
with a large number of key-value pairs.
Maps
• String maps are also intuitive, simple to configure ,
and result in a smaller configuration.
• Utilize maps to perform pattern matching in all
features that use the default policy syntax.
N
ot
fo
rr
Key Notes:
es
A string map defines a mapping of strings to strings.
al
Use Case – prior to strings maps, if you needed to do redirects based on URL, you needed a unique
e
responder Policy to be bound to each redirect. Now, using string maps, you can just bind a single policy.
or
d is
t rib
ut
io
n

•
CITRIX
•
• An HTTP callout is an HTTP or HTTPS request that
the NetScaler appliance generates and sends to an
external server when certain criteria are met during
policy evaluation.
HTTP • An HTTP callout waits for a response from the
Callouts external server and performs the action depending on
the information received.
• The external server is the HTTP Callout Server.
N
ot
fo
rr
Key Notes:
es
The HTTP callout expression:
al
SYS.HTTP_CALLOUT(<name of HTTP Callout>)
e
or
To define the HTTP callout:
• set policy httpCallout <name> [‐IPAddress < ip_addr|ipv6_addr>] [‐port <port>] [‐vServer <string>] [‐
d
returnType <returnType>] [‐httpMethod ( GET | POST )] [‐hostExpr <string>] [‐urlStemExpr <string>] [‐

is
headers <name(value)> ...] [‐parameters <name(value)> ...] [‐fullReqExpr <string>] [‐resultExpr <string>]

trib
ut
io
Citrix Product Documentation on HTTP Callouts: http://docs.citrix.com/en‐
n
us/netscaler/11/appexpert/http‐callout.html

•
CITRIX
•
HTTP HTTP service callouts invoke external functionality from
within NetScaler policies and are available for multiple
Callouts features .
Cont. During the HTTP service callout process:
• The user sends a request.
• The policy sends the HTTP request to an external
1
-e.2-~ .
- 6 ~
• 4
service.
• The policy uses the result like other policy expression
evaluation results.
N
ot
fo
rr
Key Notes:
es
For certain types of requests, or when certain criteria are met during policy evaluation, you might want to
al
stall policy evaluation briefly, retrieve information from a server, and then perform a specific action that
e
depends on the information that is retrieved.
or
At other times, when you receive certain types of requests, you might want to update a database or the
content hosted on a Web server.
d is
HTTP callouts enable you to perform all these tasks.
trib
ut
io
n

•
CITRIX
•
I ~ I- - · L.....-1-____,
HTTP Server
HTTP Callout
Service
Callout •••
.,-.., - - -
"'Ti'~o
I
____. .__.
...
.... I - - -
1-
1-======
=·
- 1-
Diagram Users
Citrix
NetScafer Destination
Servers
NetScafer Policy
N
ot
fo
rr
Key Notes:
es
When the NetScaler appliance receives a client request, the appliance evaluates the request against the
al
policies bound to various bind points. During this evaluation, if the appliance encounters the HTTP callout
e
expression, SYS.HTTP_CALLOUT(<name>), it stalls policy evaluation briefly and sends a request to the HTTP
or
callout agent by using the parameters configured for the specified HTTP callout. Upon receiving the
response, the appliance inspects the specified portion of the response, and then either performs an action
d
or evaluates the next policy, depending on whether the evaluation of the response from the HTTP callout
is
agent evaluates to TRUE or FALSE, respectively. For example, if the HTTP callout is included in a responder
t rib
policy, if the evaluation of the response evaluates to TRUE, the appliance performs the action associated
with the responder policy.
ut
If the HTTP callout configuration is incorrect or incomplete, or if the callout invokes itself recursively, the
io
appliance raises an UNDEF condition, and updates the undefined hits counter.
n

•
CITRIX
•
Configuring HTTP Callouts
To configure an HTTP callout, an administrator must:
1. Create the HTTP callout.
2. Specify the server.
3. Define the request to send to the server.
4. Define the server response.
5. Configure the external server.

N
ot
fo
rr
Key Notes:
es
When configuring an HTTP callout, you specify the type of request (HTTP or HTTPS), destination and format

al
of the request, the expected format of the response, and, finally, the portion of the response that you want
e
to analyze.
or
For the destination, you either specify the IP address and port of the HTTP callout agent or engage a load
balancing, content switching, or cache redirection virtual server to manage the HTTP callout requests. In
d is
the first case, the HTTP callout requests will be sent directly to the HTTP callout agent. In the second case,
t
the HTTP callout requests will be sent to the virtual IP address (VIP) of the specified virtual server. The
rib
virtual server will then process the request in the same way as it processes a client request. For example, if
you expect a large number of callouts to be generated, you can configure instances of the HTTP callout
ut
agent on multiple servers, bind these instances (as services) to a load balancing virtual server, and then
io
specify the load balancing virtual server in the HTTP callout configuration. The load balancing virtual server
n
then balances the load on those configured instances as determined by the load balancing algorithm.
For the format of the HTTP callout request, you can specify the individual attributes of the HTTP callout
request (an attribute‐based HTTP callout), or you can specify the entire HTTP callout request as a default
syntax expression (an expression‐based HTTP callout).
In the expression , provide a condition that will prevent the HTTP Recursion.
http://docs.citrix.com/en‐us/netscaler/12/appexpert/http‐callout/avoiding‐http‐callout‐recursion.html
Invoking an HTTP Callout:
• After you configure an HTTP callout, you invoke the callout by including
the SYS.HTTP_CALLOUT(<name>)expression in a default syntax policy rule. In this expression, <name> is
the name of the HTTP callout that you want to invoke.
• You can use default syntax expression operators with the callout expression to process the response and

•
CITRIX
•
then perform an appropriate action. The return type of the response from the HTTP
callout agent determines the set of operators that you can use on the response. If the part
of the response that you want to analyze is text, you can use a text operator to analyze
the response.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
Scenario 1: Filter Clients Based on an IP Address
Blacklist
To implement this configuration:
1. Enable the Responder feature.
2. Create an HTTP callout and configure it with details about

the external server and other required parameters .
3. Create a Responder policy to analyze the response.
4. Bind the Responder policy globally.

N
ot
5. Create a callout agent on the remote server.

fo
rr
Key Notes:
es
The NetScaler appliance does not check for the validity of the HTTP callout request. Therefore, before you
al
configure HTTP callouts, you must know the format of an HTTP request. You must also know the format of
e
an HTTP response, because configuring an HTTP callout involves configuring expressions that evaluate the
or
response from the HTTP callout agent.
d is
t rib
ut
io
n

•
CITRIX
•
• Rate Limiting enables the administrators to monitor
the rate of traffic for the entity and take the real time
Rate Limiting based preventive action to protect the resources from
the flooding attacks.
• The Rate based policies can be applied to HTTP,
TCP, and DNS requests
N
ot
fo
rr
Key Notes:
es
To monitor the rate of traffic for a given scenario, we configure a rate limit identifier.
al
A rate limit identifier specifies numeric thresholds such as the maximum number of requests or
e
connections (of a particular type) that are permitted in a specified time period called a time slice.
or
Optionally, we can configure filters, known as stream selectors, and associate them with rate limit

d
identifiers when we configure the identifiers.
is
After we configure the optional stream selector and the limit identifier, we must invoke the limit identifier

trib
from a default syntax policy.

ut
We can invoke identifiers from any feature in which the identifier may be useful, including rewrite,
responder, DNS, and integrated caching.
io
n
http://docs.citrix.com/en‐us/netscaler/12/appexpert/rate‐limiting.html

•
CITRIX
•
• The components for configuring the Rate Limiting on
NetScaler are :
• Limit identifier
• Stream selectors
• To implement the Rate Limiting , configure a policy

Configure Rate using NetScaler feature that uses default syntax
policies .
Limiting
• The policy expression must contain the following
expression prefix to enable the feature to analyze the
traffic rate:
• SYS.CHECK_LIMIT{<limit_identifier>)
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Configuring Rate Limiting
To configure an HTTP callout, an administrator must:
1. Create a Limit Selector .
2. Create a Limit Identifier.
3. Create action using features using default policy.
4. Create policy with expression

SYS.CHECK_LIMIT(<limit_identifier>)
N
4. Bind the Policy to appropriate bind point

ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Typecasting extracts data of one from requests and
responses and transforms it to data of another type:
• It extracts a string from an HTTP request body and
treats it like an HTTP header.
• It extracts a string from an HTTP header and treats it
Typecasting like an HTTP request body.
Functionality • It extracts a value from one type of request header
and inserts it in a response header of a different type .
After typecast, the NetScaler can apply any appropriate
policy action to the new data type .
N
ot
fo
rr
Key Notes:
es
You can extract almost anything. For example, you can extract an attribute from system time and return
al
integer (such as hour returns number 1‐24) then set policies based on integer.
e
You can extract data of one type (for example, text or an integer) from requests and responses and
or
transform it to data of another type. For example, you can extract a string and transform the string to time
format. You can also extract a string from an HTTP request body and treat it like an HTTP header or extract
d is
a value from one type of request header and insert it in a response header of a different type.
t rib
After typecasting the data, you can apply any operation that is appropriate for the new data type. For
example, if you typecast text to an HTTP header, you can apply any operation that is applicable to HTTP
ut
headers to the returned value.
io
n
Many excellent examples of use cases: http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐
expressions/ns‐typecasting‐data‐wrapper‐con.html

•
CITRIX
•
Typecasting Example: What=Zone
In this example, the policy engine will retrieve 399 as a string.
The typecast element tells the policy engine to evaluate 399 as a number of type
decimal.
IExpression :
• HTTP.REQ .URL.QUERY.AFTER_STR(\" what=zone :\" ).BEFORE_ STR(\" &block\" ).TYPECAST _NUM
_ T(DECIMAL) .GE(399 )
URL string :
• http ://ads .example.com /ads/adjs .php?n=829983570& what=zone399 &block=1 &blockcampaign=1 &

exclude= ,
N
.__ ---------------------------~
ot
fo
rr
Key Notes:
es
Some Typecasting Function:
al
• <text>.TYPECAST_LIST_T(<separator>)
e
• Treats the text in an HTTP request or response body as a list whose elements are delimited by
or
the character in the <separator> argument. Index values in the list that is created start with zero
d
(0).
is
• Text mode settings have no effect on the separator. For example, even if you set the text mode
t rib
to IGNORECASE, and the separator is the letter “p,” an uppercase “P” is not treated as a
separator.
ut
• <text>.TYPECAST_TIME_T
io
• Treats the designated text as a date string. The following formats are supported:
n
• RFC822: Sun, 06 Nov 1994 08:49:37 GMT
• RFC850: Sunday, 06‐Nov‐94 08:49:37 GMT
• ASCII TIME: Sun Nov 6 08:49:37 1994
• HTTP Set‐Cookie Expiry date: Sun, 06‐Nov‐1994 08:49:37 GMT
• <numeric string>.TYPECAST_IP_ ADDRESS_T
• Treats a numeric string as an IP address.
• <numeric string>.TYPECAST_IPV6_ADDRESS_T
• Treats a string as an IPv6 address in the following format:
• 0000:0000:CD00:0000:0000:00AB:0000:CDEF
• <text>.TYPECAST_HTTP_ URL_T

•
CITRIX
•
• Treats the designated text as the URL in the first line of an HTTP request header.
The supported format is [<protocol>://<hostname>]<path>?<query>, and the text
mode is set to URLENCODED by default.
Example expression:
HTTP.REQ.URL.QUERY.AFTER_STR(\”what=zone:\”).BEFORE_STR(\”&block\”).TYPECAST_NU
M_T(DECIMAL).GE(399)
This example expression takes the string after “what=zone:” converts it into an integer value
and checks if it is greater than or equal to 399
Example string:
http://ads.sun.com/ads/adjs.php?n=829983570&what=zone:399&block=1&bl
ockcampaign=1&exclude=,
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
Typecasting Example: URL String
In this example, the policy engine will retrieve 90 as a string.
The typecast element tells the policy engine to evaluate 90 as a number of type
decimal.
Expression:
• HTTP.REQ.URL.QUERY.VALUE(7).TYPECAST_NUM_T(DECIMAL)
URL String :
• http://www.example-an alytics. com/_ utm .gif? utmwv= 1&utmn=2096883363&utmcs=utf-

8&utmsr= 1600x1200&utmsc=32-bit&utmul=en-
us&utmje= 1&utmfl=90&utmdt=Surf%20Reports%2C%20Surf%20Forecasts%20and%20Surfing%20Photos
&utmhn=magicseaweed.com&utmr=-&utmp=/&utmac=UA-244865-
N
1&utmcc=_ utma%3D70478348.3261219735.1
162245583.1171842907.1173146399.9%3B%2B_ utmb%3D704 78348%3B%2B_ utmc%3D704 78348%3
ot
B%2B
fo
rr
Key Notes:
es
The index used to read into the Name‐Value Lists (nvlist_t) is zero‐based. This means the first element in
al
the list is numbered as element 0. To retrieve the eighth value, an administrator must specify element #7.
e
Since the QUERY object is already a name‐value list, using the query is the more efficient way to create the
or
expression. However, for the sake of the example, we are able to show two typecasts by using the second
expression. The net result is functionally identical.
d is
t rib
ut
io
n

•
CITRIX
•
Typecasting Example: Identifying the 8th Value
INDEX NAME VALUE
0 utmwv 1
1 utmn 2096883363
2 utmcs utf-8
3 utmsr 1600x1200
4 utmsc 32-bit
5 utmul en-us
6 utmje 1
7 utmfl 90 1
8 utmdt ::.urr%20Reports%2C%20Surf0/420Forecasts%20a
nd%20Surfing%20Photos
9 utmhn maoicseaweed.com
10 utmr -
11 utmp I
12 utmac UA- 244865-1
13 utmcc utma%3O70478348 .3261219735 .1162245583. 1
171842907 .1173146399.9%3B%2B utmb%3O70
4 78348%3B%2B u tmc%3O704 78348%3B%2B
N
• The eighth entry in the VALUE column is extracted (at index #7 - counting begins at
ot
0) and interpreted as a decimal number.

fo
rr
Key Notes:
es
al
e
• 1. Text is parsed to create an object of type NVLIST_T, and the result can be represented as a table as
or
shown above.
• 2. The string “90” is converted to a number (explicitly in DECIMAL format. HEX is also supported).
d is
t rib
ut
io
n

•
CITRIX
•
Typecasting Example: Extending the Expression
Expression that returns the number 90:
HTTP .REQ.URL.AFT ER_ STR("?").TYPECAST _ NVLIST _ T .VALUE(7) .TYPECAST _ NUM_ T (DEC IMAL)
Extending expression :
HTTP.REQ.URL.AFTER_STR("?"). TYPECAST_NVLIST_ T .VALUE (?) .TYPECAST_NUM_ T (DECIMAL).GE(120)
N
ot
fo
rr
Key Notes:
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• AppExpert policy engine is a powerful set of tools for
easy control and management of almost any type of
traffic .
• With the powerful default policy engine , almost any
Key Takeaways policy and expression can be written .
• Policies determine when to do something, while
actions determine what to do when the policy is true .
• Default polices are more powerful than classic
policies.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
•
CITRIX
•
NetScaler Traffic
Management
Rewrite , Responder, and URL
Transform
N
C, .;r'L'
ot
Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Describe what the Rewrite feature of NetScaler does
and explain how it works.
Learning • Discuss the functionality of Responder policies and
how to configure them.
Objectives
• Explain the benefits of using URL Transformation .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Rewrite
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• The Rewrite feature on the NetScaler rewrites
information in the requests or responses of the
packet.
• The Rewrite support is available for HTTP, SIP,

DIAMETER,DNS ,TCP.
Rewrite
• Common use cases include:
• Provide users with custom error pages.
• Hosting of a new website using an old URL.
• Mod ifying an HTTP request.
• Adding , editing, or deleting headers and strings in
headers.
• Modify the DNS flags in response.
N
ot
fo
rr
Key Notes:
es
Rewrite refers to the rewriting of some information in the requests or responses handled by the NetScaler
al
appliance. Rewriting can help in providing access to the requested content without exposing unnecessary
e
details about the Web site's actual configuration. A few situations in which the rewrite feature is useful are
or
described below:
• To improve security, the NetScaler can rewrite all the http:// links to https:// in the response body.
d is
• In the SSL offload deployment, the insecure links in the response have to be converted into secure
t
links. Using the rewrite option, you can rewrite all the http:// links to https:// for making sure that the

rib
outgoing responses from NetScaler to the client have the secured links.
ut
• If a Web site has to show an error page, you can show a custom error page instead of the default 404
io
Error page. For example, if you show the home page or site map of the Web site instead of an error
page, the visitor remains on the site instead of moving away from the Web site.
n
• If you want to launch a new Web site, but use the old URL, you can use the Rewrite option.

• When a topic in a site has a complicated URL, you can rewrite it with a simple, easy‐to‐remember URL
(also referred to as 'cool URL').
• You can append the default page name to the URL of a Web site. For example, if the default page of a
company's Web site is 'http://www.abc.com/index.php', when the user types 'abc.com' in the address
bar of the browser, you can rewrite the URL to 'abc.com/index.php'.
A few situations in which the rewrite feature is useful: http://docs.citrix.com/en‐
us/netscaler/12/appexpert/rewrite.html

•
CITRIX
•
0 Browser Request 0 Check for Policies 0
-
Ev luabon
The cheot browser sends a The NetScaler system The NetScaler system
~
request to tile Wabserver checks tile request bme bullds 8 set of 8CtJonS 10
through tile NetScaler policy bank for appl,cebte apply after evaluabng tile hst
system pobcaes of pnon112ed pohc,as
l
Rewrite
0 Rewnbng
The NetScaler system

I-
r J:l-i
I-
::::! :::: !
0 Rewribng

rewntas the request and rewntes the request and
Process
fOtWardS ~ to the Wab
server L _ I-
I-
l_j
I
forwards at to the Wab
server
I- I
l l
0 EvaluaUon 0 Check for Poficles 0
-
Server Response
The NetScaler system The NetScaler system
~ The Wab server racer,es
builds a set of actJons to checks the request tJme
the request and sends a
apply after ovaluabng the hst policy bank for apphcabte
response
of pnonllZed policies polacaes
N
ot
fo
rr
Key Notes:
es
The NetScaler appliance checks for global policies and then checks for policies at individual bind points.
al
If multiple policies are bound to a bind point, the NetScaler evaluates the policies in the order of their
e
priority.
or
The policy with the highest priority is evaluated first. After evaluating each policy, if the policy is evaluated
d
to TRUE (the traffic matches the rule), it adds the action associated with the policy to a list of actions to be
is
performed. For any policy, in addition to the action, you can specify the policy that should be evaluated
t
rib
after the current policy is evaluated. This policy is referred to as the 'Go to Expression'.
After all the policies are evaluated or when a policy has the Go to Expression set as END, the NetScaler
ut
starts performing the actions according to the list of actions.
io
n

•
CITRIX
•
Rewrite Built-In Actions
Action Result
NOREWRITE NetScaler forwards request without rewriting
RESET Connection aborted at TCP level
DROP Message dropped

N
ot
fo
rr
Key Notes:
es
After enabling the rewrite feature, you need to configure one or more actions unless a built‐in rewrite
al
action is sufficient. All of the built‐in actions have names beginning with the string ns_cvpn, followed by a
e
string of letters and underscore characters. Built‐in actions perform useful and complex tasks such as
or
decoding parts of a clientless VPN request or response or modifying JavaScript or XML data. The built‐in
actions can be viewed, enabled, and disabled, but cannot be modified or deleted.
d is
Additional built‐in actions have names beginning with the string ns_cvpn, followed by a string of letters and
t
underscore characters. Built‐in actions perform useful and complex tasks such as decoding parts of a
rib
clientless VPN request or response or modifying JavaScript or XML data. The built‐in actions can be viewed,
enabled, and disabled, but cannot be modified or deleted.
ut
io
To create a new rewrite action by using the command line interface:
n
• At the command prompt, type the following commands to create a new rewrite action and verify the
configuration:
• add rewrite action <name> <type> <target> [<stringBuilderExpr>] [(‐pattern <expression> | ‐
patset <string>)] [‐bypassSafetyCheck (YES|NO)]
• show rewrite action <name>
To modify an existing rewrite action by using the command line interface:
• At the command prompt, type the following commands to modify an existing rewrite action and verify
the configuration:
• set rewrite action <name> [‐target <string>] [‐stringBuilderExpr <string>] [(‐pattern <expression>
| ‐patset <string>)] [‐bypassSafetyCheck (YES|NO)]
• show rewrite action <name>

•
CITRIX
•
To remove a rewrite action by using the command line interface:
• At the command prompt, type the following commands to remove a rewrite action :
• rm rewrite action <name>
To configure a rewrite action by using the configuration utility:
• Navigate to AppExpert > Rewrite > Actions.
• In the details pane, do one of the following:
• To create a new action, click Add.
• To modify an existing action, select the action, and then click Open.
• Click Create or OK. A message appears in the status bar, stating that the Action has been
configured successfully.
• Repeat steps 2 through 4 to create or modify as many rewrite actions as you wish.
N
• Click Close.
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

CITRIX
•
Rewrite Custom Actions
INSERT_BEFORE
INSERT_AFTER
REPLACE
DELETE
DELETE_HTTP_HEADER
• After enabling the Rewrite feature, CORRUPT_HTTP_HEADER
configure one or more actions-unless a REPLACE_HTTP_RES
built-in rewrite action is sufficient. REPLACE_ALL
DELETE_ALL
• Utilize custom actions to: INSERT_AFTER_ALL
INSERT_BEFORE_ALL
• Insert or delete a header or content in the body.
CLIENTLESS_VP _ENCODE
• Replace headers or content. CLINETLESS_VP _ENCODE_ALL
• Insert or delete information before or after CLIENTLESS_VP _DECODE
another string . CLIENTLESS_VP _DECODE_ALL
INSERT_SIP_HEADER
DELETE_SIP_HEADER
N
CORRUPT_SIP_HEADER
ot
REPLACE_SIP_RES
fo
rr
Key Notes:
es
You can use all types of existing string manipulation functions with these prefixes to identify the strings that
al
you want to rewrite. To configure a rewrite action, you assign it a name, specify an action type, and add one
e
or more arguments specifying additional data. The following table describes the action types and the
or
arguments you use with them.
d is
trib
ut
io
n

•
CITRIX
•
Create Rewrite Action
Configuring a Rewrite Action Name

Rewrite_Act
To configure a Rewrite Action: Type
I SERT_HTTP_HEADER
• Assign it a name.
Use this action type to insert a header.
• Specify an action type. Header ame
Custom_Header
• Add one or more expressions specifying
additional data . ~essoon
Operators Saved Polley Expressions •
HTTPREQOATE
CLI Syntax:
add rewrite action <action_ name> <Type> < Expression>
In smng expressions. stnng constants and express1ons can

Comments
N
[ l
ot
f@i Close
fo
rr
Key Notes:
es
To create a new rewrite action by using the command line interface
al
• At the command prompt, type the following commands to create a new rewrite action and verify the
e
configuration:
or
• add rewrite action <name> <type> <target> [<stringBuilderExpr>] [(‐pattern <expression> | ‐

d
patset <string>)] [‐bypassSafetyCheck (YES|NO)]

is
t
rib
ut
io
n

•
CITRIX
•
Configuring a Rewrite Policy .., Create Rewrite Policy
Name
WEB-UI ~ ite_Policy _ _ ___.
I\Ctlon
• Assign it a name. actl y + /
LogActlOn
• Select the Action. y +
• Add one or more expressions specifying condition Undefined-Result Actlon*
-Global-undefined-~ -action
for rewrite . y ]
Expres51on
• Add Undefined Result Action .(Optional)
• Add Log Action.(Optional) f-:-~
CLI Syntax: Comments
N
add rewrite policy <name> <expres ion> <action_ name>

ot
1§1 Close
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
When the Rewrite Policy Evaluation results in an error,
Rewrite the specified undefined action is carried out.
Undefined • NetScaler supports three types of undefined actions :
Actions • undefAction NOREWRITE

• undefAction RESET
• undefAction DROP
While the undefined action is defined globally at the feature

level , it can be overridden within a specific policy.
N
ot
fo
rr
Key Notes:
es
• undefAction NOREWRITE This means that the NetScaler continues to process requests and responses
al
that do not match any rewrite policy, and eventually forwards them to the requested URL unless another
e
feature intervenes and blocks or redirects the request. This action is appropriate for normal requests to
or
your Web servers, and is the default setting.
undefAction RESETResets the client connection. This means that the NetScaler tells the client that it must
d
re‐establish its session with the Web server. This action is appropriate for repeat requests for Web pages
is
that do not exist, or for connections that might be attempts to hack or probe your protected Web site(s)
t rib
undefAction DROPSilently drops the request without responding to the client in any way. This means that

ut
the NetScaler simply discards the connection without responding to the client. This action is appropriate for
requests that appear to be part of a DDoS attack or another sustained attack on your servers.
io
n
Note: Undefined events can be triggered for both request and response flow specific policies.

•
CITRIX
•
Additional parameters that can be configured in
Rewrite Rewrite are:
Action • pattern or patset
Parameters • bypassSafetyCheck
• target
• stringBuilderExpr
• search
• refineSearch
N
ot
fo
rr
Key Notes:
es
Target:
al
• Expression that specifies which part of the connection to rewrite. Maximum Length: 1499
e
or
stringBuilderExpr:
• Default syntax expression that specifies the content to insert into the request or response at the
d
specified location, or that replaces the specified string. Maximum Length: 8191
is
When you create a rewrite action, the NetScaler verifies that the expression you used to create the action is
t rib
safe – you can bypass this safety check if you know your rewrite is safe
ut
Pattern:
io
• Pattern that is used to match multiple strings in the request or response. The pattern may be a string
n
literal (without quotes) or a PCRE‐format regular expression with a delimiter that consists of any
printable ASCII non‐alphanumeric character except for the underscore (_) and space ( ) that is not
otherwise used in the expression. Example: re~https?://|HTTPS?://~ The preceding regular expression
can use the tilde (~) as the delimiter because that character does not appear in the regular expression
itself. Used in the INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL action
types. Maximum Length: 271
Search:
• Search facility that is used to match multiple strings in the request or response.
RefineSearch:
• Specify additional criteria to refine the results of the search. Always starts with the "extend(m,n)"
operation, where 'm’ specifies number of bytes to the left of selected data and 'n’
• Specifies number of bytes to the right of selected data. You can use refineSearch only on body

•
CITRIX
•
expressions, and for the INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and
DELETE_ALL action types. Maximum Length: 1499
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
A Rewrite Policy consists of an expression and an
action:
Rewrite • The expression determines the traffic on which Rewrite is

Pol icies applied .
• The action determines the action to be taken by the
NetScaler.
• A bind point must be specified for each policy.
• A priority should be specified for multiple policies .
N
ot
fo
rr
Key Notes:
es
Adding Policy:
al
• add rewrite policy <name> <expression> <action> [<undefaction>]
e
• show rewrite policy <name>
or
To rewrite HTTP requests and responses, you can use protocol‐aware NetScaler policy expressions in the
d
rewrite policies you configure. The virtual servers that manage the HTTP requests and responses must be of
is
type HTTP or SSL. In HTTP traffic, you can take the following actions :

t rib
Modify the URL of a request ,Add modify or delete headers .Add, replace, or delete any specific string
within the body or headers.
ut
io
To rewrite TCP payloads, consider the payload as a raw stream of bytes. Each of the virtual servers that
managing the TCP connections must be of type TCP or SSL_TCP. The term TCP rewrite is used to refer to the
n
rewrite of TCP payloads that are not HTTP data. In TCP traffic, you can add, modify, or delete any part of the
TCP payload.

•
CITRIX
•
Rewrite polices must be bound to an available bind
Binding point in order to be applied.
Rewrite You can bind policies in the Configuration Utility and in
the CLI.
Policies
Each policy needs a priority assigned to it:
• Value must be a positive integer.
• Lower numbers have higher priority.

N
ot
fo
rr
Key Notes:
es
The main difference between the rewrite feature and the responder feature is as follows:
al
Responder cannot be used for response or server‐based expressions. Responder can be used only for the
e
following scenarios depending on client parameters:
or
• Redirecting a http request to new Web sites or Web pages
d
• Responding with some custom response
is
• Dropping or resetting a connection at request level
t rib
In case of a responder policy, the NetScaler examines the request from the client, takes action according to
ut
the applicable policies, sends the response to the client, and closes the connection with the client.
io
In case of a rewrite policy, the NetScaler examines the request from the client or response from the server,
n
takes action according to the applicable policies, and forwards the traffic to the client or the server.
In general, it is recommended to use responder if you want the NetScaler to reset or drop a connection
based on a client or request‐based parameter. Use responder to redirect traffic, or respond with custom
messages. Use rewrite for manipulating data on HTTP requests and responses.

•
CITRIX
•
Using Rewrite
To configure the Rewrite feature, follow the steps below:
1. Enable the Rewrite feature.
2. Create Rewrite actions.
3. Create Rewrite policies.
4. Bind the policies to a bind point.

I
N
ot
fo
rr
Key Notes:
es
To enable the rewrite feature by using the command line interface
al
• At the command prompt, type the following commands to enable the rewrite feature and verify the
e
configuration:
or
• enable ns feature REWRITE
d
• show ns feature
is
To enable the rewrite feature by using the configuration utility
t
rib
• In the navigation pane, click System, and then click Settings.

ut
• In the details pane, under Modes and Features, click Configure basic features.

io
• In the Configure Basic Features dialog box, select the Rewrite check box, and then click OK.

n
• In the Enable/Disable Feature(s) dialog box, click Yes. A message appears in the status bar, stating that

the selected feature was enabled.

•
CITRIX
•
USE CASE : Modify HTTP Request
I I Original HTTP Request
GET/ HTTP/1.1
Host: training.citrix.lab
Connection : keep-alive
Ex: The following NetScaler policy Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
will modify the HTTP version is User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
every HTTP request before like Gecko) Chrome/58.0.3029.110 Safari/537.36
forwarding it. I HTTP Request after Rewrite I
GET/ HTTP/1.0
add rewrite action Act_ l replace Host: training.citrix.lab
http.r q. r ion " "HTTP 1.0\'"' Connection : keep-alive
Cache-Control: max-age=0
add rewrit policy Pol_ 1 true Act_ l User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
N
like Gecko) Chrome/58.0.3029.110 Safari/537.36

ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
What reasons would you have to create custom
Rewrite actions?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Exercise 3-1: Rewrite Policy: Modify a URL
• Exercise 3-2: Rewrite Policy: Delete HTTP Headers
• Exercise 3-3: Rewrite Policy: Insert HTTP Headers
• Exercise 3-4: Rewrite Policy: Convert URL Paths to
Lowercase
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Responder
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
A Responder Policy:
• Examines the request from the client

• Takes action according to the policy
• Sends the response to the client
• Terminates the connection with the client
The Responder is simple to use, and responds based
on attributes such as sender identity, sender location ,
Responder and many others.
The following are some use cases for Responder

policies:
• Redirecting an HTTP request.

• Responding with a custom response.
N
• Dropping or Resetting connections at the request level.

ot
fo
rr
Key Notes:
es
Today’s complex Web configurations often require different responses to HTTP requests that appear, on the
al
surface, to be similar. When users request a Web site’s home page, you may want to provide a different
e
home page depending on where each user is located, which browser the user is using, or which language(s)
or
the browser accepts and the order of preference. You might want to break the connection immediately if
the request is coming from an IP range that has been generating DDoS attacks or initiating hacking
d
attempts..
is
t
For handling sensitive data such as financial information, if you want to ensure that the client uses a secure
rib
connection to browse a site, you can redirect the request to secure connection by using https:// instead of
http://.
ut
io
n
Citrix Product Documentation Responder Feature: http://docs.citrix.com/en‐
us/netscaler/12/appexpert/responder.html.

•
CITRIX
•
Responder Process
(D Browser Request ® Check for Policies @ Evaluation
The client browser The NetScaler system The NetScaler system

sends a request to the checks the request builds a set of actions to
web server through the time policy bank for apply after evaluating the
NetScaler system. applicable policies . list of prioritized policies.
•
© Response

responds to the client
request
N
ot
fo
rr
Key Notes:
es
Responder only operates on the REQ side of the
al
Responses can be based on who sends the request, where it is sent from, and other criteria with security
e
and system management implications. The feature is simple and quick to use. By avoiding the invocation of
or
more complex features, it reduces CPU cycles and time spent in handling requests that do not require
complex processing.
d is
t rib
ut
io
n

•
CITRIX
•
Responder
You can assign any of the following actions to a
Built-In responder policy or undefined event:
Actions • NOOP - no operation occurs .
• RESET - rests the client connection .
• DROP - silently drops the request.
N
ot
fo
rr
Key Notes:
es
NOOP
al
• The NOOP action aborts responder processing but does not alter the packet flow. This means that the
e
appliance continues to process requests that do not match any responder policy, and eventually
or
forwards them to the requested URL unless another feature intervenes and blocks or redirects the
request. This action is appropriate for normal requests to your Web servers and is the default setting.
d is
RESET
t rib
• If the undefined action is set to RESET, the appliance resets the client connection, informing the client
that it must re‐establish its session with the Web server. This action is appropriate for repeat requests for
ut
Web pages that do not exist, or for connections that might be attempts to hack or probe your protected
io
Web site(s).
n
DROP
• If the undefined action is set to DROP, the appliance silently drops the request without responding to the
client in any way. This action is appropriate for requests that appear to be part of a DDoS attack or other
sustained attack on your servers.
Note: UNDEF events are triggered only for client requests. No UNDEF events are triggered for responses.
The NetScaler appliance generates an undefined event (UNDEF event) when a request does not match a
responder policy, and then carries out the default action assigned to undefined events. By default, that
action is to forward the request to the next feature without changing it. This default behavior is normally
what you want; it ensures that requests that do not require special handling by a specific responder action
are sent to your Web servers and clients receive access to the content that they requested.
If the Web site(s) your NetScaler appliance protects receive a significant number of invalid or malicious
requests, however, you may want to change the default action to either reset the client connection or drop

•
CITRIX
•
the request. In this type of configuration, you would write one or more responder policies
that would match any legitimate requests, and simply redirect those requests to their
original destinations. Your NetScaler appliance would then block any other requests as
specified by the default action you configured.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

CITRIX
•
Custom Responder Actions for HTTP
Respond Respond with HTML Redirect
Redirects the request to a

Responds with HTML. Sends HTML page as response . different URL, web page ,
or Web server.
HTML pages can be uploaded

NetScaler acts like Web server. to NetScaler and selected from The Web server may not exist.
pull down menu.
I I
N
ot
fo
rr
Key Notes:
es
After enabling the responder feature, you must configure one or more actions for handling requests. The
al
responder supports the following types of actions:
e
Respond with
or
• Sends the response defined by the Target expression without forwarding the request to a web server.
d
(The NetScaler appliance substitutes for and acts as a web server.) Use this type of action to manually
is
define a simple HTML‐based response. Normally the text for a Respond with action consists of a web
t
server error code and brief HTML page.
rib
Respond with SQL OK
ut
• Sends the designated SQL OK response defined by the Target expression. Use this type of action to send
io
an SQL OK response to an SQL query.
n
Respond with SQL Error
• Sends the designated SQL Error response defined by the Target expression. Use this type of action to
send an SQL Error response to an SQL query.
Respond with HTML page
• Sends the designated HTML page as the response. You can choose from a drop‐down list of HTML pages
that were previously uploaded, or upload a new HTML page. Use this type of action to send an imported
HTML page as the response.
Redirect
Redirects the request to a different web page or web server. A Redirect action can redirect requests
originally sent to a "dummy" web site that exists in DNS, but for which there is no actual web server, to an
actual web site. It can also redirect search requests to an appropriate URL. Normally, the redirection target

•
CITRIX
•
for a Redirect action consists of a complete URL.
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

CITRIX
•
Custom Responder Actions for DataStream
Respond Respond with SQL Error
I I
Sends the designated SQL OK Sends the designated SQL Error
response to a SQL query response to a SQL query
N
ot
fo
rr
Key Notes:
es
Released in Version 10 of NetScaler
al
Respond with SQL OK
e
• Sends the designated SQL OK response defined by the Target expression. Use this type of action to send
or
an SQL OK response to an SQL query.
d
Respond with SQL Error
is
• Sends the designated SQL Error response defined by the Target expression. Use this type of action to
t rib
send an SQL Error response to an SQL query.
ut
io
n

•
CITRIX
•
Responder Action for Timeouts
When an HTTP request times out, a responder action can be invoked .
• To configure the responder actions, follow the steps below:
1. Create the Responder action that you want to invoke.
2. Configure the global HTTP timeout action

N
ot
fo
rr
Key Notes:
es
To configure a responder action by using the command line interface
al
• At the command prompt, type the following commands to configure a responder action and verify the
e
configuration:
or
• add responder action <name> <type> <target> [‐bypassSafetyCheck (YES | NO) ]

d
• show responder action
is
To modify an existing responder action by using the command line interface
t rib
• At the command prompt, type the following command to modify an existing responder action and verify
ut
the configuration:
• set responder action <name> ‐target <string> [‐bypassSafetyCheck ( YES | NO )]
io
n
To remove a responder action by using the command line interface
• At the command prompt, type the following command to remove a responder action and verify the
configuration:
• rm responder action <name>

•
CITRIX
•
Responder po licies are configured in the Configuration
Utility and in the CLI.
Responder The following arguments are identified when adding a
Policies Responder policy:
• Expression
• Action
• UndefAction
N
ot
fo
rr
Key Notes:
es
To configure a responder policy by using the NetScaler command line:
al
• At the NetScaler command prompt, type the following command to add a new responder policy and
e
verify the configuration:
or
• add responder policy <name> <expression> <action> [<undefaction>]‐appFlow action<actionName>

d is
t
rib
ut
io
n

•
CITRIX
•
Responder HTML Page Imports
• The Responder feature can respond to designated requests by sending the client an
HTML-based web page, it supports the import of custom HTML-pages to the
NetScaler. N
ot
fo
rr
Key Notes:
es
At times, when the services for a website are not available because of a planned outage or an unexpected
al
event, you might want to display a maintenance or an apology page to the customer. You can use the
e
Responder feature of the NetScaler appliance to create such a notification page during these events.
or
To configure a maintenance webpage by using the Responder feature of the NetScaler appliance, complete
the following procedure:
d is
If not already done, run the following command to configure the required services:
t rib
add service server1 <IP_Address_of_Service> HTTP 80
You have to create a service that is always UP and bind it to this backup virtual server so that it will always
ut
remain UP. Go to Load Balancing > Services, and click Add and then create a service called "always‐up" and

io
use any dummy IP for the server and add a ping monitor, and click Create.
n
Alternately you can also make the monitor as type Reverse so that even if the service is down it will be
always up for the dummy IP.
Run the following command to configure a Load Balancing virtual server:
add lb vserver vserver1 HTTP <IP_Address_of_VServer> 80
Run the following command to configure a backup Load Balancing virtual server:
add lb vserver backup HTTP 0.0.0.0 0
Run the following command to bind a service to the backup virtual server to ensure that the status of the
backup virtual server is marked as UP:
bind lb vserver backup always‐up
Run the following command to configure the main virtual server with the backup virtual server:
set lb vserver vserver1 ‐backupVServer backup

•
CITRIX
•
Run the following command to create a Responder action with an appropriate target web
page:
add responder action mtn_pg_act respondwith q{"HTTP/1.0 200 OK" +"\r\n\r\n" +
"<html><body>Sorry, this page is currently not available. Please try after some
time.</body></html>" + "\r\n"}
Note: To avoid caching of the maintenance web page, you can set the HTTP code to 503
Service Unavailable instead of 200 OK.
Run the following command to create a Responder policy:
add responder policy sorryPol HTTP.REQ.IS_VALID mtn_pg_act
Run the following command to bind the policy to the backup virtual server:
bind lb vserver backup ‐policyName sorryPol ‐priority 4
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

CITRIX
•
Binding Responder polices must be bound to an available bind
point in order to be applied .
Responder • You can bind policies in the Configuration Utility and
Policies in the CLI.
• Each policy needs a priority assigned to it:
• Value must be a positive integer.
• Lower numbers have higher priority.
N
ot
fo
rr
Key Notes:
es
To put a policy into effect, you must bind it either globally, so that it applies to all traffic that flows through
al
the NetScaler, or to a specific virtual server, so that the policy applies only to requests whose destination IP
e
address is the VIP of that virtual server.
or
When you bind a policy, you assign a priority to it. The priority determines the order in which the policies
you define are evaluated. You can set the priority to any positive integer.
d is
In the NetScaler operating system, policy priorities work in reverse order—the higher the number, the
t rib
lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy
assigned a priority of 10 is performed first, then the policy assigned a priority of 100, and finally the policy
ut
assigned an order of 1000. The responder feature implements only the first policy that a request matches,
io
not any additional policies that it might also match, so policy priority is important for getting the results you
intend.
n
You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the
order you want, by setting priorities with intervals of 50 or 100 between each policy when you globally bind
it. You can then add additional policies at any time without having to reassign the priority of an existing
policy.
To globally bind a responder policy by using the command line interface
• At the command prompt, type the following command to globally bind a responder policy and verify the
configuration:
• bind responder global <policyName> <priority> [<gotoPriorityExpression [‐type <type>] [‐
invoke (<labelType> <labelName>)]
• show responder global
There are some limitations to the gotoexpression in Responder, since multiple Responder policies can be

•
CITRIX
•
applied to the same request. So you cannot have a gotoexpression of NEXT or an integer
value referring to another policy’s priority.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
Use case
The following responder policy will redirect the user trying to access root
location to the location /cs1
add re ponder action ct_ l redirect" "http: erverl .training.lab c I '\"" -re pon e tatu Code 302
add re ponder po licy Pol_ l "http .REQ . RL.P TH A D_ QU RY.EQ("/ 11

)" Act_ l
GET/ HTTP/1.1
Host: serverl.training.lab
Connection: keep-alive
Cache-Control : max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/58.0.3029.110 Safari/537.36
HTTP/1.1 302 Found : Moved Temporarily

Location : http://serverl.training.lab/csl
N
Connection : close
Cache-Control : no-cache
ot
Pragma: no-cache
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
DNS Rewrite and Responder
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
The Responder feature can be configured to respond to
DNS requests , as it does to HTTP and TCP requests .
DNS Rewrite Configure the Rewrite feature to modify DNS requests
and Responder and responses , similar to rewriting HTTP or TCP
requests and responses .
DNS Rewrite can be used to manage the flow of DNS
requests and make necessary modifications in the
header or in the answer section .
N
ot
fo
rr
Key Notes:
es
NetScaler supports Rewrite and Responder policies for various protocols.
al
• TCP and HTTP
e
or
Responder policies allows sending custom responses to client.
Rewrite policies allow modification of requests sent to back‐end as well as the server responses sent to
d
client.
is
t
The support has now been extended to DNS.
rib
You can configure the responder feature to respond to DNS requests as it does to HTTP and TCP requests.
ut
For example, you could configure it to send DNS responses over UDP and ensure that the DNS requests
io
from the client are sent over TCP. A number of NetScaler expressions support examination of the DNS
n
header in the request. These expressions examine specific header fields and send an appropriate response.

•
CITRIX
•
DNS Responder and Rewrite Framework
• Sends a DNS response with an empty answer section and header flags
(TC, AA, and RCODE set to the desired value).
• Drops a DNS query.
• Modifies the answer section before sending response to client.(Only A and
AAAA records are supported.)
• Modifies the header bits before sending a response to the client.
• Modifies the header bits before sending a request to the backend.
• For proxy mode, the policy is evaluated only in event of a cache miss.
• RA flag will always be set if Recursion Available is set to YES , irrespective
of rewrites done.
• CD flag will be honored if Recursion Available is set to YES irrespective of
N
rewrites done.
ot
fo
rr
Key Notes:
es
The various policy expressions are:
al
1. DNS.REQ.HEADER.FLAGS.IS_SET(),SET(),UNSET(): QR,AA,TC,RD,RA,AD,CD
e
or
2. DNS.REQ.HEADER.OPCODE.EQ,NE,SET:QUERY,IQUERY,STATUS
3. DNS.RES.HEADER.RCODE.SET
d is
4. DNS.NEW_RESPONSE()
t rib
5. DNS.NEW_RESPONSE(Boolean AA, Boolean TC, dns_rcode_e rcode):
ut
6. DNS.NEW_RRSET_A()
io
7. DNS.NEW_RRSET_AAAA ()
n

•
CITRIX
•
• The DNS Responder can be used to:
• Send TC bit on receiving queries over UDP.
• Effectively allowing querying over TCP only.
DNS Rewrite and • The DNS Rewrite Framework is commonly used to:
Responder: • Set AA bit in responses sent to the client.
Use Cases • Allow NetScaler to act as authoritative DNS server for all queries it
responds to.
N
ot
fo
rr
Key Notes:
es
Configuring Responder Policies for DNS
al
• The following procedure uses the NetScaler command line to configure a responder action and policy
e
and bind the policy to a responder‐specific global bind point.
or
• To configure Responder to respond to a DNS request
d
• At the command prompt, type the following commands:add responder action <actName>

is
<actType>For <actname>, substitute a name for your new action. The name can be 1 to 127
t rib
characters in length, and can contain letters, numbers, hyphen (‐), and underscore (_) symbols. For
<actType>, substitute a responder action type, respondWith.
ut
• add responder policy <polName> <rule> <actName>For <polname>, substitute a name for your
io
new policy. For <actname>, the name can be 1 to 127 characters in length, and can contain letters,
n
numbers, hyphen (‐), and underscore (_) sym bols. For <actname>, substitute the name of the
action that you just created.
• bind responder policy <polName> <priority> <nextExpr> ‐type <bindPoint>For <bindPoint>, specify
one of the responder‐specific global bind points. For <polName>, substitute the name of the policy
that you just created. For <priority>, specify the priority of the policy.
Citrix Product Documentation on DNS Support for the Responder Feature:
http://docs.citrix.com/en‐us/netscaler/12/appexpert/responder/dns‐support‐responder.html

•
CITRIX
•
Use the Rewrite Po icy to modify DNS Packets
add rewrite action . t aa r replace_dn _ head r_ field "dn .re .header.nag . et(aa)"
add rewrite policy ct re aa true et aa re
IThe original DNS response

Oornoln N•rne 5'/Stom (response)
!The DNS response after the rewrite
Oornoln Nomo 5'/Stern (response)
I
Transoctlon 10: Oxb516 Transoctlon ID: OxlodS
Rap: o.8180 5tandard quer, response. No error Rags: o.8500 Standord quer, response. No error
1... ........... ,., Response: Messa1e l.s a response 1... ............ • Response: ~ e Is a rHl)OnSe
.000 O..••..•••.. • ()pc,oM: Standord quer, (OJ .000 o_ -· .... • Clpc,oM: Stondord quo,y (OJ
_ ..L -- ··- =Authoritatiw: s.twr ii an authority for domain
··- .D•• ··- · - =Authoribtiw: - Is - on outhoritv for clomoin
.•..•.0.•••.•••• • Truncated: - - Is not truncated ......o. ·-· .... =Truncated: Me5Saie ls not truncoted
....... 1 .-. ·-· • Recunlon desired: Do quer, rocu"1vely •... ... 1 ......•. • R<aJn1on desired: Do quer, recu"1vely
.... .... 1... .... • Rea.trslon avai~: 5efvtr an do recursive queries •••••••• 0 .•• ··- • Recur>lon ovolloble: 5o<vor can't do r<OJnlw queries
•••••••.•0•••••. • Z: rosenied (OJ ......•..O•• ..•. • Z:rtiO<Wd(O)
··- ·-· ..0. -· • Answe< authentlcoted: Answe</outhority portion was not outhentlcoted by tho__. ........ ..0. .... = Answer authentiated: Answer/authority portion wu no1 authentJated by the sen,er
•••• •••••••0 ·-· • Non-outhentlated data: Una«epuble ........ - 0 .... • Non-outhenticoted dot>: Unoccepti1blo
.... ··- .... 0000 • ~ code: No error (OJ •••••••••••• 0000 • Reply code: No trror (OJ
Questions: 1 Quostlons: 1
Answe<RRs: 1 Answe<RRs: 1
Authority RRs: 0 Ai.nhority RRs: 0
Additional RRs: 0 Additional RRs: 0
Queries
_,
Queries
cltrix.com: type A. doss IN. odd, 162.221.156.156 dtrix.com: type A. doss IN. add, 162.221.156.156
N
Name: dtrht.com Name: citttx.com

Type: A (Host Add.-ess) (1) Type: A (Host Address) (1)
ot
Ooss: IN (0.0001) Ooss: IN (0.0001)

Time to llw: 622 T1rne to live: 1200
O.t> lencth: 4 O.ta ift,gth: 4
Address: 162.221.156.156 Address: 162.221.156.156
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Use Case : Enforce all DNS request over TCP
Response by the NetScaler with the Responder Policy

Domain Name System (response)
L1 SYNTAX : Transaction ID: Oxlb3d
Flags: Ox8700 Standard query response, No error
1 ............... = Response: Message is a response
add re ponder action re p_act_ et_ tc_bit .000 0 ....... .... = Opoode: Standard query (0)
.... . 1.......... = Authoritative: Server is an authority for domain
re. pondwith D . E\: RE PO E(true, true, .... .. 1...... ... =Truncated: Messacc is truncated
OERROR) .......1 .... .... = Recursion desired: Do query recursively
........ 0 ....... = Recursion available: Server can't do recursive queries
.........0...... = Z: reserved (0)
add re ·ponder policy enforce tcp ..........0 ..... =Answer authenticated: Answer/authority portion was not authenticated by the server
dns.R · Q .TR PORT.EQ(udp) ...........0 .... = Non-authenticated data: Unacceptable
............ 0000 = Reply code: No error (0)
re p act et tc bit Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
citrix.com: type A, class IN
N
Name: citrix.com
ot
(Name length: 10]

(Label Count: 2]
Type: A (Host Address) (1)
fo
Oass: IN (OxOOOl)
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
How do you currently use Rewrite and Responder in
your environments?
N
ot
fo
rr
es
Citrix Discussions on actual environment use case for a Responder Action.
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
URL Transform
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
URL Transformation
URL Transformation provides a method for modifying all URLs in designated requests
from an external version seen by outside users, to an internal URL seen only by your
web servers and IT staff.
This feature is similar to Rewrite and requires that the Rewrite feature is enabled.
Q ---- 1-_=
. . . ......===1 - - - - I-_
..... .....
NetScaler Web Server
Client requests
transforms URL Web site URL seen as
browser URL www.citrix.com/customers/home
N
www .citrix.com/home
ot
fo
rr
Key Notes:
es
URL Transformation uses AppFW engine. Rewrite uses PE engine. For a large amount of transactions, URL
al
Transformation is more efficient. For small amounts, Rewrite is more efficient.
e
You can use it to modify a URL so that it can be different for internal or external access or a different URL
or
for a different set of users, even the ability to append a folder path to an existing host so that users don’t
need to know the entire path.
d is
The URL transformation feature provides a method for modifying all URLs in designated requests from an
t
rib
external version seen by outside users to an internal URL seen only by your Web servers and IT staff. You
can redirect user requests seamlessly, without exposing your network structure to users. You can also
ut
modify complex internal URLs that users may find difficult to remember into simpler, more easily
io
remembered external URLs.
n
Note: Before you can use the URL transformation feature, you must enable the Rewrite feature. To enable
the Rewrite feature, see Enabling the Rewrite Feature.
To begin configuring URL transformation, you create profiles, each describing a specific transformation.
Within each profile, you create one or more actions that describe the transformation in detail. Next, you
create policies, each of which identifies a type of HTTP request to transform, and you associate each policy
with an appropriate profile. Finally, you globally bind each policy to put it into effect.
A profile describes a specific URL transformation as a series of actions. The profile functions primarily as a
container for the actions, determining the order in which the actions are performed. Most transformations
transform an external hostname and optional path into a different, internal hostname and path. Most
useful transformations are simple and require only a single action, but you can use multiple actions to
perform complex transformations.
You cannot create actions and then add them to a profile. You must create the profile first, and then add

•
CITRIX
•
actions to it. In the CLI, creating an action and configuring the action are separate steps.
Creating a profile and configuring the profile are separate steps in both the CLI and the
configuration utility.
After you create a URL transformation profile, you next create a URL transformation policy to
select the requests and responses that the NetScaler should transform by using the profile.
URL transformation considers each request and the response to it as a single unit, so URL
transformation policies are evaluated only when a request is received. If a policy matches,
the NetScaler transforms both the request and the response.
Note: The URL transformation and rewrite features cannot both operate on the same HTTP
header during request processing. Because of this, if you want to apply a URL transformation
to a request, you must make sure that none of the HTTP headers it will modify are
manipulated by any rewrite action.
N
ot
Differences between URL Transformation and Rewrite:
fo
http://support.citrix.com/article/CTX123094
rr
NetScaler Product Documentation URL Transformation: https://docs.citrix.com/en‐
es
us/netscaler/12/appexpert/rewrite/url‐transformation.html
al
e
or
d is
trib
ut
io
n

CITRIX
•
• Exercise 3-5 : Responder Policy: Redirect to SSL
• Exercise 3-6: Responder Policy: Redirect using String
Maps
• Exercise 3-7 : Responder Policy: Redirect to Imported
Maintenance Page
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• The standard principles of policies , expressions,
actions , and bindings apply to the Rewrite and
Responder features.
• TCP, HTTP, DNS ,DIAMETER, RADIUS , SIP requests
and responses and bodies can be rewritten.
Key Takeaways
• With the powerful default policy engine, almost any
policy and expression can be written .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
•
CITRIX
•
NetScaler Traffic
Management
Content Switching
N
CNS..219-2i
ot
Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Explain Content Switching and how it works .
• Discuss the importance of a Content-Switching
VServer.
Learning • Distinguish what Content-Switching policies are and
how to use them.
Objectives
• Explain what rule precedence is and the way it affects
policies.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Content Switching
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Content • Content switching can enable you to distribute
incoming requests based on a parameter of the
Switching incoming request.
Overview • Content switching allows the system to:
• Distribute client requests across multiple servers on the basis of
specific content that you want to present to users.
• Manage the application and web hosting site separately.
• Switch static and dynamic content.
N
ot
fo
rr
Key Notes:
es
In today's complex Web sites, you may want to present different content to different users. For example,
al
you may want to allow users from the IP address range of a customer or partner to have access to a special
e
Web portal. You may want to present content relevant to a specific geographical area to users from that
or
area. You may want to present content in different languages to the speakers of those languages. You may
want to present content tailored to specific devices, such as smartphones, to those who use the devices.
d is
Content Switching enables the NetScaler appliance to direct requests sent to the same Web host to
t
different servers with different content.
rib
When switching both static and dynamic requests, you must configure one load‐balancing virtual server for
ut
static requests and a separate load‐balancing virtual server for dynamic requests.
io
n
Citrix Product Documentation on Content Switching: http://docs.citrix.com/en‐us/netscaler/12/content‐
switching.html

•
CITRIX
•
Content Switching
1---------------------------------N-;ts~~,~;--------------------------------- !
'- - - - - - - - - - - - - - - - - - - - - - - - - -,
Dynamic content
Service 1 Server 1
Load-Balancing App1
Client
Virtual Server Dynamic content
Service 2 Server 2
App2
Content-
Switching
Virtual Server
Static content
Internet Service 3 Server 3
Load-Balancing lmage1
Virtual Server Static content
N
Service 4 Server 4
ot
lmage2
L-----------------------------------------------------------------------------
fo
rr
Key Notes:
es
A content‐switching configuration consists of a content‐switching virtual server, a load‐balancing setup
al
consisting of load‐balancing virtual servers and services, and content‐switching policies.
e
To configure content switching, you must configure a content‐switching virtual server and associate it with
or
policies and load‐balancing virtual servers.
d
This process creates a content group — a group of all virtual servers and policies involved in a particular
is
content‐switching configuration.
t rib
ut
io
Citrix Product Documentation on Basic Content Switching: http://docs.citrix.com/en‐
n
us/netscaler/12/content‐switching/basic‐configuration.html

•
CITRIX
•
Content-Switching Support
Key characteristics include:
Source/Destination Source/Destination IP TCP/UDP HTTP

VLANID address Source/Destination
port
Source/Destination TCP max segment DNS

MAC Address size (MSS) value
Buffered TCP payload MSSQL

N
ot
fo
rr
Key Notes:
es
After you configure a basic content switching setup, you might need to customize it to meet your
al
requirements.
e
If your web servers are UNIX‐based and rely on case sensitive pathnames, you can configure case sensitivity
or
for policy evaluation.
d
You can also set precedence for evaluation of the content switching policies that you configured.
is
You can configure HTTP and SSL content switching virtual servers to listen on multiple ports instead of
trib
creating separate virtual servers.
ut
If you want to configure content switching for a specific a virtual LAN, you can configure a content switching
virtual server with a listen policy.
io
n

•
CITRIX
•
• Utilize content switching to redirect requests to
different servers with different content on the basis of
various client attributes.
Some of those client attributes are:
Content
Switching: • Device type
• Language
Based on Client • Cookie
Attributes • HTTP method
• Layer 3 or Layer 4 data
• Client SSL Parameters
N
ot
fo
rr
Key Notes:
es
Device Type ‐ The appliance examines the user agent or custom HTTP header in the client request for the
al
type of device from which the request originated. Based on the device type, it directs the request to a
e
specific Web server. For example, if the request came from a cell phone, the request is directed to a server
or
that is capable of serving content that the user can view on his or her cell phone. A request from a
computer is directed to a different server that is capable of serving content designed for a computer screen.
d is
Language ‐ The appliance examines the Accept‐Language HTTP header in the client request and determines
t
the language used by the client's browser. The appliance then sends the request to a server that serves
rib
content in that language. For example, using content switching based on language, the appliance can send
someone whose browser is configured to request content in French to a server with the French version of a
ut
newspaper. It can send someone else whose browser is configured to request content in English to a server
io
with the English version.
n
Cookie ‐ The appliance examines the HTTP request headers for a cookie that the server set previously. If it
finds the cookie, it directs requests to the appropriate server, which hosts custom content. For example, if a
cookie is found that indicates that the client is a member of a customer loyalty program, the request is
directed to a faster server or one with special content. If it does not find a cookie, or if the cookie indicates
that the user is not a member, the request is directed to a server for the general public.
HTTP Method ‐ The appliance examines the HTTP header for the method used and sends the client request
to the right server. For example, GET requests for images can be directed to an image server, while POST
requests can be directed to a faster server that handles dynamic content.
Layer 3/4 Data. The appliance examines requests for the source or destination IP, source or destination
port, or any other information present in the TCP or UDP headers, and directs the client request to the right
server. For example, requests from source IPs that belong to customers can be directed to a custom web
portal on a faster server, or one with special content.

•
CITRIX
•
• An administrator should consider the points below
when creating virtual servers for content switching.
• A content-switching virtual server points to a virtual
Content server or expression (which would be used to
Switching: dynamically identify the target VServer) .
Virtual Server • The content distribution is controlled by a content-
Creation switching policy.
• The non-matched traffic is sent to the default load
balancing virtual server, if one is defined .
N
ot
fo
rr
Key Notes:
es
When a request reaches the content‐switching virtual server, the virtual server applies the associated
al
content‐switching policies to that request.
e
Content switching can point to load‐balancing Vserver, NG Vserver and GSLB, AAATM vserver
or
You can add, modify, and remove content switching virtual servers. The state of a virtual server is DOWN
d
when you create it, because the load balancing virtual server is not yet bound to it.
is
To create a virtual server by using the command line interface
t rib
• At the command prompt, type:
ut
• add cs vserver <name> <protocol> <IPAddress> <port>

io
n
For dynamically identifying target vserver : http://docs.citrix.com/en‐us/netscaler/12/content‐
switching/basic‐configuration.html

•
CITRIX
•
Content Switching: Virtual Server Configuration
Consider the following information before configuring Content-Switching VServers :

• You can configure the content-switching feature using classic or default policies but
not both on a single content-switching VServer.
• The content-switching virtual server does not directly address services.
• The process of distributing traffic among the associated load-balancing virtual servers
is determined by the bound content-switching policies.
• If the traffic does not match any bound content-switching policies, then the virtual
server sends the traffic to a default load-balancing virtual server.
N
ot
fo
rr
Key Notes:
es
The content‐switching feature supports either classic or default (advanced) policies. On the same content‐
al
switching vserver, you can bind all classic policies, and on another content‐switching vserver, you can bind
e
all default but you cannot mix and match on the same content‐switching vserver.
or
A content‐switching vserver has policies bound and the “action” of the policy is typically a load‐balancing
vserver or possibly another content‐switching vserver.
d is
A default load‐balancing vserver must be defined. If not, then any un‐matched traffic will result in a 503
t rib
error.
ut
io
n
Creating Content Switching Virtual Servers: http://docs.citrix.com/en‐us/netscaler/12/content‐
switching/basic‐configuration/create‐virtual‐servers.html

•
CITRIX
•
Content Switching: Parameters
• By default, the state of a content-

switching VServer is always UP unless .., Set Content Switching Parameters
an administrator changes the state to
DOWN . ~ State Update
• By changing the global content-

switching parameters , you can make the - Close
state of the content-switching VServer

dependent on the attached load-
balancing VServers .
N
ot
fo
rr
Key Notes:
es
Specifies whether the virtual server checks the attached load‐balancing server for state information.
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
How would you use content switching in your
environment?
N
ot
fo
rr
es
Use Case: Dynamic Content Switching: https://docs.citrix.com/en‐us/netscaler/12/appexpert/http‐
al
callout/use‐case‐dynamic‐content‐switching.html
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Content-Switching Configuration
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Some important points about creating content-switching
policies are:
• A content-switching policy defines a type of request that

Content is to be directed to a virtual server.
Switching: • Policies are evaluated in order of priority.
Policies • If using classic policies and no specific priorities are set,

the policies are evaluated by the order in which they
were bound.
N
ot
fo
rr
Key Notes:
es
The priority of the policy defines the order in which the policies bound to the content‐switching virtual
al
server are evaluated. If you are using default syntax policies, when you bind a policy to the content‐
e
switching virtual server, you must assign a priority to that policy. If you are using NetScaler classic policies,
or
you can assign a priority to your policies, but are not required to do so. If you assign priorities, the policies
are evaluated in the order that you set. If you do not, the NetScaler appliance evaluates your policies in the
d
order in which they were created.
is
t
In addition to configuring policy priorities, you can manipulate the order of policy evaluation by using Goto
rib
expressions and policy label invocations.
ut
After it evaluates the policies, the content‐switching virtual server routes the request to the appropriate
io
load‐balancing virtual server, which sends it to the appropriate service.
n
Content switching virtual servers can only send requests to other virtual servers. If you are using an external
load balancer, you must create a load balancing virtual server for it and bind its virtual server as a service to
the content switching virtual server.
CS is a blocker module, meaning if traffic is not matched then it is blocked and cannot go anywhere
(because it has no where to go)
You specify the target load balancing virtual server for a content switching policy when binding the policy to
the content switching virtual server. Consequently, you have to configure one policy for each load balancing
virtual server to which to direct traffic.
However, if your content switching policy uses a default syntax rule, you can configure an action for the
policy. In the action, you can specify the name of the target load balancing virtual server, or you can
configure a request‐based expression that, at run time, computes the name of the load balancing virtual
server to which to send the request. The action expression must be specified in the default syntax.

•
CITRIX
•
The expression option can drastically reduce the size of your content switching configuration,
because you need only one policy per content switching virtual server. Content switching
policies that use an action can also be bound to multiple content switching virtual servers,
because the target load balancing virtual server is no longer specified in the content
switching policy. The ability to bind a single policy to multiple content switching virtual
servers helps to further reduce the size of your content switching configuration.
After you create an action, you create a content switching policy and specify the action in the
policy, so that the action is performed when that policy matches a request.
Note: You can also, for a content switching policy that uses a default syntax rule, specify the
target load balancing virtual server when binding the policy to a content switching virtual
server, instead of using a separate action. For domain‐based policies, URL‐based policies, and
rule based policies that use classic expressions, an action is not available. So, for these types
of policies, you specify the name of the target load balancing virtual server when binding the
N
policy to a content switching virtual server.
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

CITRIX
•
Content Switching: Action Expression
• A target VServer can be specified for a content-switching policy when binding the
policy to the content-switching VServer.
• Consequently, only one policy can be configured for each VServer to direct traffic .
• When using default policies , configure an action for the policy instead of a target
VServer.
• When configuring the action:
• Specify the name of the target VServer.
• Configure a request-based expression that computes the name of the VServer to send the request.
• This option can drastically reduce the size of the content-switching configuration , because only one policy for
each content-switching VServer is needed .
N
• You can bind a single policy to multiple content-switching VServers .

ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• When naming the load-balancing virtual servers,
switch requests on the basis of the URL suffix (file
Content extension of the requested resource).
Switching: • Follow the convention of appending the URL suffix to
Action a predetermined string, such as mylb_
Expression Use • Create the action expression as follows :
Case • "'mylb_" + HTTP.REQ.URL.SUFFIX'
• If the URL suffix was .jpeg , the content-switching
vserver would send the connection to mylb_j peg
N
ot
fo
rr
Key Notes:
es
You specify the target load‐balancing virtual server for a content‐switching policy when binding the policy
al
to the content‐switching virtual server. Consequently, you have to configure one policy for each load‐
e
balancing virtual server to which to direct traffic.
or
However, if your content‐switching policy uses a default syntax rule, you can configure an action for the
policy. In the action, you can specify the name of the target load‐balancing virtual server, or you can
d is
configure a request‐based expression that, at run time, computes the name of the load‐balancing virtual
t
server to which to send the request. The action expression must be specified in the default syntax.
rib
The expression option can drastically reduce the size of your content‐switching configuration, because you
ut
need only one policy per content switching virtual server. Content‐switching policies that use an action can
io
also be bound to multiple content‐switching virtual servers, because the target load‐balancing virtual server
is no longer specified in the content‐switching policy. The ability to bind a single policy to multiple content‐
n
switching virtual servers helps to further reduce the size of your content‐switching configuration.

•
CITRIX
•
After creating content-switching virtual server and
policies , bind each policy to the content-switching
virtual server.
When binding the policy:
Content
• Specify the target load-balancing virtual server in the
Switching: action parameter to determine the destination for
Binding Policies forwarding the traffic .
• The content-swijching process will not work properly until
the policy to be matched is specified.
N
ot
fo
rr
Key Notes:
es
After you create your content switching virtual server and policies, you bind each policy to the content
al
switching virtual server. When binding the policy to the content switching virtual server, you specify the
e
target load balancing virtual server.
or
If your content switching policy uses a default syntax rule, you can configure a content switching action for
the policy. If you configure an action, you must specify the target load balancing virtual server when you are
d is
configuring the action, not when you are binding the policy to the content switching virtual server. For more
t
information about configuring a content switching action, see Configuring a Content Switching Action.
rib
A policy label is a user‐defined bind point to which policies are bound. When a policy label is invoked, all
ut
the policies bound to it are evaluated in the order of the priority that you assigned to them. A policy label
io
can include one or more policies, each of which can be assigned its own result. A match on one policy in
the policy label can result in proceeding to the next policy, invoking a different policy label or appropriate
n
resource, or an immediate end to policy evaluation and return of control to the policy that invoked the
policy label. You can create policy labels for default syntax policies only.
A content switching policy label consists of a name, a label type, and a list of policies bound to the policy
label. The policy label type specifies the protocol that was assigned to the policies bound to the label. It
must match the service type of the content switching virtual server to which the policy that invokes the
policy label is bound. For example, you can bind TCP Payload policies to a policy label of type TCP only.
Binding TCP Payload policies to a policy label of type HTTP is not supported.
Each policy in a content switching policy label is associated with either a target (which is equivalent to the
action that is associated with other types of policies, such as rewrite and responder policies) or a
gotoPriorityExpression option and/or an invoke option. That is, for a given policy in a content switching
policy label, you can specify a target, or you can set the gotoPriorityExpression option and/or the invoke
option. Additionally, if multiple policies evaluate to true, only the target of the last policy that evaluates to

•
CITRIX
•
true is considered.
You can use either the NetScaler command line or the configuration utility to configure
content switching policy labels. In the NetScaler command‐line interface (CLI), you first
create a policy label by using the add cs policylabel command. Then, you bind policies to the
policy label, one policy at a time, by using the bind cs policylabel command. In the NetScaler
configuration utility, you perform both tasks in a single dialog box.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

CITRIX
•
• If a default vserver is configured for the content-
switching virtual server, the request is forwarded to
that vserver.
Content • If the configured default vserver is DOWN , or no
Switching : defau lt vserver is configured , an HTTP 503 Not Found
Unmatched error message is sent to the client by the default
vserver.
Traffic Handling
• It is a best practice to always configure a default
vserver.
N
ot
fo
rr
Key Notes:
es
Depending on your desired result the default virtual server could be a separate internal resource or a trap
al
like a honey pot server to all further diagnosis. A default server is not required but remember any traffic
e
that does not match a Content Switching policy will be denied.
or
d is
trib
ut
io
n

•
CITRIX
•
• It is a best practice to always define a priority to
control the order of processing .
Content
• The priority parameter can be configured when the
Switching: rule is bound to the virtual server using a policy.
Policy Rule • If a priority is provided , the rules are processed from
Precedence lowest priority value to highest.
N
ot
fo
rr
Key Notes:
es
After a content switching setup is configured, it may require periodic changes. When operating systems or
al
software are updated, or hardware wears out and is replaced, you may need to take down your setup. Load
e
on your setup may increase, requiring additional resources. You may also modify the configuration to
or
improve performance.
These tasks may require unbinding policies from the content switching virtual server, or disabling or
d is
removing content switching virtual servers. After you have made changes to your setup, you may need to
t
re‐enable servers and rebind policies. You might also want to rename your virtual servers.
rib
ut
io
n

•
CITRIX
•
Discuss the following scenario:
• Policies are bound to a content-switching vserver, and
Policy A has a priority of 20 and Policy B has a priority
of 10.
• Which one has precedence and why?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Content switching may fail for several reasons ,
including when the content-switching VServer goes
DOWN or fails to handle excessive traffic.
Take the following measures to reduce the chances of
Content failure:
Switching:
• Configure a backup content-switching VServer.
Configuration
• Configure spillover to prevent overload on the primary
Protection content-switching VServer, by diverting excess traffic to
a backup content-switching VServer.
• Specify a redirect URL.
N
ot
fo
rr
Key Notes:
es
Content switching may fail when the content‐switching virtual server goes DOWN or fails to handle
al
excessive traffic, or for other reasons. To reduce the chances of failure, you can take the following measures
e
(see additional resources below) to protect the content‐switching setup against failure.
or
d
is
Probable Reasons for the Status of a Virtual Server Being Marked as DOWN on NetScaler:
trib
http://support.citrix.com/article/CTX108960
ut
Protecting the Content Switching Setup against Failure: https://docs.citrix.com/en‐
us/netscaler/12/content‐switching/protecting‐against‐failure.html
io
n
Flushing the Surge Queue: http://docs.citrix.com/en‐us/netscaler/12/load‐balancing/load‐balancing‐
protect‐configuration/flush‐surge‐queue.html

•
CITRIX
•
• If case sensitivity is on, those URLs are treated as
separate and can be switched to different targets .
• CLI Syntax:
ct c v crvcr <name> -ca en ·itivc (0 !OFF)
Configuring
Case Sensitivity WEBUI
Traffic Settings
for Policy Client di r,me-o• t
J
Evaluation Virtual Sf'"t"Ve't IP Port Insertion
OFF
Virtual Sf!Ner IP Port Insert.ton Value:•
PASS IVE
Ca :he ble
.,, Down State: f"lush
R d•r , t Port Rewnte
, .., Cae:e:nttv l
2 I J .Jii ce:rs
S§t
..
State Update
N
RULE
ot
fo
rr
Key Notes:
es
When case sensitivity is configured, the NetScaler appliance considers case when evaluating policies.
al
For example, if case sensitivity is off, the URLs /a/1.htm and /A/1.HTM are treated as identical.
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• Support for Multiple Ports
• NertScaler supports the Content switching Vserver with
wildcard port. (*).
• This saves the overhead of configuring multiple virtual servers
with the same IP address and different ports.
• CLI Syntax:
Wildcard add c v erver <name> < erviceType> < IPAddre Port *
Virtual Servers
• Configuring per-VLAN Wildcarded Virtual Servers
• The wildcard virtual server with a listen policy restricts it to
processing traffic only on the specified VLAN.
• CLI Syntax:
add c erver <nam < erviceTyp IPAddre *Port* -
Ii tenpolicy <e pre ion> [-Ii tenpriority <po itive_ integer>]
N
ot
fo
rr
es
Citrix eDocs Customizing Content Switching: http://docs.citrix.com/en‐us/netscaler/12/content‐
al
switching/customizing‐configuration.html
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• Exercise 4-1: Configure Content Switching by User-
Agent
• Exercise 4-2: Configure Content Switching by
Content-Type
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Content Switching involves making a decision about
where to direct a session based on characteristics of
the traffic flow.
• Content Switching policies can be used to evaluate
Key Takeaways and route traffic-they consist of an expression and
an action referring to a target.
• Configuring a policy priority is recommended .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
•
CITRIX
•
NetScaler Traffic
Management
Secure Web Gateway
CNS-219-21
N
Version 1 0
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Explain Secure Web Gateway technology.
• Discuss the importance of Secure Web Gateway.
• Explain SSL Interception .
Learning
• Explain URL Set.
Objectives • Discuss the use cases for Secure Web Gateway.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Secure Web Gateway
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Secure Web Gateway
Secure Web gateway (SWG) enhances the network security by enabling the
adm inistrator to do fo llowing :
• Gain visibility into the otherwise bypassed secure traffic .

• Block access to malicious sites and avoid infecting users with in the enterprise.
• Control access to some websites , such as personal mail , social networking , and job
search websites , from the enterprise network.
N
ot
fo
rr
Key Notes:
es
The new NetScaler Secure Web Gateway (SWG) solution provides visibility and control for encrypted traffic

al
with leading industry performance and smart URL filtering that provides real‐time protection against
e
malicious websites, which blocks access to malware, spam, and phishing sites along with Industry leading
or
website categorization. With the NetScaler SWG solution, customers can now offload URL and content
filtering for encrypted traffic and avoid expensive upgrades to their dedicated security deployments. In
d
addition, this solution helps customers meet compliance requirements like CIPA (Child Internet Protection
is
Act).
t rib
One of the biggest concerns for security professionals is insider data breaches. Employees can easily click
on malvertising ads, malicious links contained in phishing emails or visit websites that download malware
ut
or ransomware. Third‐party adverts can be blocked and end users can be prevented from visiting websites
io
known to contain malware. Websites can also be blocked by category to prevent end users from engaging
n
in a risky online behavior. NetScaler SWG is an excellent defense against malicious threats and ransomware.
New Advanced User Behavior Security Analytics
This solution in NetScaler MAS leverages multiple machine learning algorithms and provides context aware
security analytics, to identify compromised insider credentials and prevents data breaches to sensitive
corporate data.
New Ciphers and Hybrid SSL support
We continue to add newer ciphers to our SSL security suite across all NetScaler platforms. With our hybrid
SSL, now customers can achieve significant hardware and software SSL performance improvement. For
example, customers can achieve almost 800% ECDHE transactions per second (TPS) hardware improvement
on their 115xxx series. With Hybrid FIPS, customers can increase the SSL throughput and SSL TPS by
leveraging non‐FIPS cards along with the FIPS card.

•
CITRIX
•
Deployment Topology
'
[ _,•3 ,:.r •.-r ..,.,, .i;'',
1-0 I
....
•••
Internal
usen
I- • I
1- 11 I
I -"----••i=--••--
.••.. "
,,,C-•
__:::_,,)
NetScaler SWG
w-- ::
-•G •
•••
Network Firewall Usen
F •Sen.er Web
I- ~ I
C.tr Xr1Dnctcp
• SWG should be deployed at the edge of the network .

• It acts as forward proxy to all the outbound traffic.
N
• The SSL interception is implemented to look into encrypted

ot
data and take security actions.

fo
rr
Key Notes:
es
Secure Web Gateway utilizes a Content Switching virtual server where we will apply authentication and
al
rules to allow / disallow URLS or addresses. This is also where we will configure for instance SSL
e
interception as well. So how illustrate how to configure Secure Web Gateway on NetScaler 12. In its
or
simplest form we can configure a content switching virtual server like this.
Configure a SNIP which has internet access, or you can define an net profile to specify which SNIP should be
d is
used for outbound traffic to internet, also ensure that you have configured DNS properly so it can resolve
t
DNS. After this is done we can just define the IP address in the proxy configuration of the browser of the
rib
endpoint and they can now browse the internet.
ut
io
n

•
CITRIX
•
Proxy Modes
• In the SWG deployment, NetScaler resides as the Proxy device between the clients
and origin server.
• The appliance acts as a server to the client and acts as a client to the origin server.
• The Proxy can be configured in two modes:
1) Transparent forward proxy
• The SWG vServer is configured with wildcard (*) IP address.
• In this mode the clients are not aware that a proxy server is mediating their
requests.
2) Explicit Forward Proxy
• The SWG virtual server configured with an IP address and 80 as the port number.
• All client requests are sent to this IP address.
N
• This mode is used when it is possible to specify the proxy settings on the client
ot
browser.
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Configuring Transparent Proxy
Using WEBUI Using Secure Web Gateway Wizard Using CLI
O Proxy Virtua l Server

hslc Setting•
O Secure Web Gateway Configuration
Proxy settlngs
[sWG_VS
SWG_vs
IPAOclr
~ ent
Pon·
[·
.......
N
- Con<ol
ot
fo
rr
Key Notes:
es
• Transparent forward proxy
al
• The SWG vServer is configured with wildcard (*) IP address.
e
• In this mode the clients are not aware that a proxy server is mediating their requests.
or
d is
t
rib
ut
io
n

•
CITRIX
•
Configuring Explicit Proxy
I
Using WEBUI Using Secure Web Gateway Using CLI
Wizard
0 Proxy Virtual Server
Basic St!ttlngs O Secure Web Gateway Configuration
ProlC)' sett1n9s
lswG_vs
IP MclteSS Type·
IP Address
IP -'<ldren •
110 107 149 243
Pon"
[so
..
ieo
N
~ M ore
ot
Canct~I
fo
rr
Key Notes:
es
• Explicit Forward Proxy
al
• The SWG virtual server configured with an IP address and 80 as the port number.
e
• All client requests are sent to this IP address.
or
• This mode is used when it is possible to specify the proxy settings on the client browser.
d is
t
rib
ut
io
n

•
CITRIX
•
ABC corp. has implemented a BYOD (Bring Your Own
Device) policy in their organization. Also, the
employees are allowed to work from home, by
connecting through the VPN.
How should administrator deploy the Secure Web
Gateway (SWG) to protect the environment?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Authentication Modes
• Authentication provides the flexib ility to define specific policies for a user or a group
of users on the basis of their roles.
• After authentication , requests and responses from and to the user are tagged to
identify the user.
Modes supported for Explicit Proxy Modes supported for Transparent Proxy
• Local • Lightweight Directory Access Protocol

(LDAP)
• Lightweight Directory Access
Protocol(LDAP)
N
• RADIUS
ot
• TACACS+
fo
rr
Key Notes:
es
Currently only LDAP is supported for Transparent Proxy
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
SSL Interception
• The client and NetScaler appliance establish a
SSL/TLS handshake. [ 5ecure Web Gateway J
• The appliance establishes another SSL/TLS 'L' Client Hello
handshake with the seNer and receives the seNer
certificate.
1u . 1 Server Hello,
The appliance verifies the seNer certificate on '--' Certificate,
behalf of the clients using online certificate status I Server Hello Done,
protocol (OCSP).
• It regenerates the seNer certificate, signs it by using '7) Client Key Exchange
the key of the CA certificate installed on the ··1Change Cipher spec ~ Change Cipher spec
finished Finished
appliance, and presents it to the client.
• The proxy decrypts the traffic , accesses the clear "o
text HTTP requesUresponse .
• Inspect the data on the basis of the corporate policy
/URL reputation . 9~ Tran.:_j
• The proxy virtual seNer then re-encrypts the
response and forwards it to the client.
If the policy decision is to block the request to the
N
origin seNer, the proxy virtual seNer sends an error

ot
response
fo
rr
Key Notes:
es
The CA certificate that is used to sign the server certificate must be preinstalled on all the client devices, so
al
that the regenerated server certificate is trusted by the client
e
one certificate is used between the client and the NetScaler appliance, and another certificate between the
or
appliance and the back‐end server.
d is
t rib
ut
io
n

•
CITRIX
•
Configure SSL Interception
• Bind the CA certificate-key pair to the proxy virtual server.

• Enable the default SSL profile
• Create SSL Profile with SSL Interception enabled .
N
• Enable SSL Interception in the syslog parameters

ot
fo
rr
Key Notes:
es
SSL Intercept (or SSL forward proxy) provides a way to inspect encrypted traffic.
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
URL Set
• A URL set enables an Internet Service Provider (ISP) or a Telco customer to enforce
government mandated safe internet access policies such as:
• Block access to illegal internet sites (child abuse, drugs, and so on )
• Safe browsing for ch ildren
• Administrators can periodically download URL sets managed by internet enforcement

agencies or independent internet organizations.
• In case of the private URL set, the contents of the list are kept confidential and the
network administrator does not know about the blacklisted URLs present in the list.
An internal URL called a Canary URL as added to the URL set.
• Using the Canary URL , the administrator can request that the appliance to use the
private URL set for every URL request.
N
ot
fo
rr
Key Notes:
es
To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm.
al
The algorithm uses a URL set that can contain a list of URLs up to one million (1,000,000) blacklisted
e
entries. Each entry can include metadata that defines URL categories and category groups as indexed
or
patterns. The appliance can also periodically download URLs of highly sensitive URL sets managed by
internet enforcement agencies (with government websites) or independent internet organizations such as
d
the Internet Watch Foundation (IWF). Once the URL set is downloaded from a website and imported into
is
the appliance, the appliance encrypts the URL sets in the appliance (as required by these agencies) and
t rib
kept confidential so that the entries are not tampered.
The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked,
ut
allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against
io
blacklisted entries. An entry can include metadata. For entries that have no metadata, you might want to
n
use an expression that evaluates the URL on the basis of an exact string match. For other URLs, you might
want to use an expression that evaluates the URL’s metadata, in addition to an expression that checks for
an exact string match.
Configuring URL Set
You can perform the following tasks to configure a URL set and restrict URLs on a NetScaler platform:
1. Import a URL set (download and encrypt it). Importing a URL set in a NetScaler appliance allows you to
download the URL file, adding the file to the appliance, and then encrypting the file. Until you add the URL
set to the system, it will not be visible to the user.
You can download a set in the following ways:
1. Download a URL set once from a specific URL using HTTP and HTTPS supported for the file download.
2. Download a URL set using FTP.

•
CITRIX
•
3. Downloading a URL set periodically, using a scheduler that periodically downloads or
imports URL sets for example, IWF URL set. The time interval is set in seconds for
example, http://10.29.102.200/urls.txt ‐interval 3600.
Once you have downloaded the file, it is pushed into the appliance and at this point of
interval, you can update, delete or display file properties. After the file is pushed into the
appliance, you can modify the entries by adding further rows as it remains static.
The imported set is then stored in an encrypted file format on the NetScaler directory. The
imported list contains millions of URL entries. Otherwise, the appliance returns an error
message saying that the value exceeds the limit. If the imported URL set has blacklisted
entries with metadata, the metadata it is detected by the appliance when it is imported.
Once you import a URL set and add it into the appliance, the URL set is available for
advanced policies to identify the correct URL set during incoming URL evaluation.
HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URLSET_MATCHES_ANY(<URL set name>)
N
ot
2. Updating a URL set on the NetScaler appliance. Once you have pushed the file into the
appliance, at this interval you can manually update a URL file by using command line
fo
interface.
rr
3. Exporting a URL set. If you prefer a backup of the URL set, you can export the list of URL
es
patterns and save a copy of it to a destination URL. Before you export, check whether the
URL set is marked as private. If is marked private, the URL set cannot be exported.
al
4. Removing a URL set. If you want to delete a URL set of blacklisted entries, you can use the
e
remove command to delete the URL set from the NetScaler appliance.
or
5. Displaying a URL set. You can display the properties of a URL set by using the show
d
command.
is
t rib
ut
Appexpert Version 12 Url Sets: http://docs.citrix.com/en‐us/netscaler/12/appexpert/url‐

io
sets.html
n

CITRIX
•
Advanced Policy Expressions for URL Evaluation
Expression Operation
EQUALS_ANY with URLSET_MATCHES_ANY Evaluates to TRUE if the URL exactly matches any entry in the URL
set.
HTTP.REQ. URL The GET_URLSET_METADATA() expression returns the associated
.GET_ URLSET_METADATA{<URLSET>) metadata if the URL exactly matches any pattern within the URL set. An
empty string is returned if there was no match .
HTTP.REQ .URL .EQUALS_ Evaluates to TRUE if the matched metadata is equal to <METADATA>.
WITH_METADATA{<URLSET>).EQ{<METADATA
)
HTTP.REQ .URL Evaluates to TRUE if the matched metadata is at the beginning of the
.EQUALS_WITH_METADATA( <URLSET>) category. This pattern can be used to encode separate fields with in
.TYPECAST_LIST_T(' , ').GET(O).EQ(<CATEGOR metadata, but match only the 1st field
Y>
HTTP.REQ .URL .APPEND(HTTP.REQ .URL Joins the host and URL parameters , which can then be used as a <URL
N
expression> for matching .

ot
(HTTP.REQ.URL).URLSET_MATCHES_ANY Evaluates to TRUE if the URL set name configured in the advanced
policies identifies the correct URL set during incoming URL evaluation
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Secure Web Gateway : Use cases
• Intercept and examine all the traffic , including SSL/TLS (encrypted traffic) , coming in
and going out of the enterprise network.
• Block access to URLs identified as serving harmful content.
• Identify end users (employees) in the enterprise who are accessing malicious
websites.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
N • Exercise 5-1: Configure Secure Web gateway
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Secure Web gateway (SWG) acts as forward proxy.
• The proxy modes available are transparent and
explicit
Key Takeaways • The SSL Interception is performed by installing a root
certificate key-par and enabling the SSL interception
in the SSL profile .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
•
CITRIX
•
NetScaler Traffic
Management
Global Server Load Balancing
N
CNS-219-21
ot
Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• Describe the Global Server Load Balancing (GSLB)
feature.
• Explain the concept of deploying the Domain Name
System (DNS) to support GSLB.
Learning • Explain the GSLB concepts and its Architecture .
Objectives • Discuss the advantages of Content Switching to
implement GSLB.
• Explain the GSLB Metric Exchange Protocol and
Monitoring.
• Explain customizing the GSLB Configuration .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
GSLB Overview
• Global Server Load Balancing (GSLB) is a DNS-based technology that provides

disaster recovery and ensures continuous availability of applications by protecting
against points of fa ilure in a wide area network (WAN).
• GSLB can balance the load across data centers by directing client requests to the
closest or best-performing data center, or to surviving data centers in case of an
outage .
• DNS is a key component in a GSLB environment.
N
ot
fo
rr
Key Notes:
es
Global server load balancing (GSLB) provides for disaster recovery and ensures continuous availability of
al
applications by protecting against points of failure in a wide area network (WAN).
e
GSLB can balance the load across data centers by directing client requests to the closest or best performing
or
data center, or to surviving data centers in case of an outage.
d
The GSLB entities that you must configure are the GSLB sites, the GSLB services, the GSLB virtual servers,
is
load‐balancing or content‐switching virtual servers, and authoritative DNS (ADNS) services. You also must
t rib
configure MEP. You also can configure DNS views to expose different parts of your network to clients
accessing the network from different locations.
ut
In a typical configuration, a local DNS server sends client requests to a GSLB virtual server, to which are
io
bound GSLB services. A GSLB service identifies a load‐balancing or content‐switching virtual server, which
n
can be at the local site or a remote site. If the GSLB virtual server selects a load‐balancing or content‐
switching virtual server at a remote site, it sends the virtual server’s IP address to the DNS server, which
sends it to the client. The client then resends the request to the new virtual server at the new IP address.

•
CITRIX
•
GSLB DNS Concepts
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Difference between GSLB over DNS
The GSLB Vserver consider following while processing the DNS request and providing
the DNS reply:
• Monitoring: GSLB servers perform monitoring of the entities and the IP address is
provided after confirming that the entity status is up .
• Proximity Based Load balancing : The IP address closest to the user can be
provided ,
• DNS View : In the case where in different resources share the same domain name, IP
address can be provided accordingly to the corresponding users.
(e.g. Internal User Vs. External Users)
N
ot
fo
rr
es
al
e
or
dis
trib
ut
io
n

•
CITRIX
•
DNS Zone
• A DNS zone entity indicates the ownership of a domain on the appliance.

• You must create a DNS zone on the appliance in the following scenarios:
• NetScaler is operating as the authoritative DNS server for the zone.
• NetScaler owns only a subset of the records in a zone. All the other resource records in the zone are hosted on
a set of back-end name servers for which the NetScaler is configured as a DNS proxy server
• You want to offload DNSSEC operations for a zone from the authoritative DNS servers to the appliance .
N
ot
fo
rr
Key Notes:
es
When you configure GSLB on NetScaler appliances and enable Metric Exchange Protocol (MEP), the
al
appliances use the DNS infrastructure to connect the client to the data center that best meets the criteria
e
that you set.
or
An ADNS service is a special kind of service that responds only to DNS requests for domains for which the
NetScaler appliance is authoritative – you would create a sub‐delegation from your DNS infrastructure.
d is
A DNS virtual IP is a virtual IP (VIP) address that represents a load‐balancing DNS virtual server on the
t rib
NetScaler appliance.
Name servers store information about one or more zones.
ut
DNS features.
io
• Record Types:
n
• AAAA, A, CNAME, NS, PTR, SRV, SOA
• Recursion
• Ability to look up addresses not owned by the NS
• Negative Caching
• Only happens in proxy mode
• Any Queries
• Respond to queries with type any
• Delegation with NS records
• DNS Views
• Internal and External clients

•
CITRIX
•
• Interface DNS expression
• Interface throughput
http://docs.citrix.com/en‐us/netscaler/12/dns/configure‐dns‐zone.html
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
Types of DNS implementation
• ADNS Server (ADNS Service)

• NetScaler can be configured to function as an authoritative domain name server (ADNS) for a domain.
• As an ADNS server for a domain, the NetScaler resolves DNS requests for all types of DNS records that
belong to the domain .
• To configure the NetScaler to function as an ADNS server for a domain, you must create an ADNS service and
configure NS and Address records for the domain on the NetScaler.
• DNS proxy (DNS Virtual Server)

• A virtual server that listens for DNS requests.
• A service that (externally) monitors and directs traffic to a DNS server on the backend.
• NetScaler can be s a proxy for either a single DNS server or a group of DNS servers .
N
ot
fo
rr
Key Notes:
es
For clients making DNS requests, two different scenarios exist:
al
• Scenario 1
e
• Create a type local DNS server on the NetScaler system
or
• This is a authoritative DNS server for the zone configured
d
• Listens on an IP address provided in the configuration
is
• Clients can configure their local TCP/IP stack to forward queries to this IP address
t rib
• Scenario 2
ut
• Create a load‐balancing virtual server type DNS, provide an IP address.
io
• Add services redirecting traffic to backend DNS servers
n
• Clients configure the load balancing virtual server IP address as their DNS server IP address
• http://docs.citrix.com/en‐us/netscaler/12/dns/configure‐netscaler‐proxy‐server.html
• http://docs.citrix.com/en‐us/netscaler/12/dns/configure‐netscaler‐adns‐server.html
177 © 2017 Citrix Authorized Content CITRIX

•
•
Authoritative DNS Service
• The NetScaler system can be configured with single or multiple instances of an authoritative
DNS server:
• Each instance listens on a different IP address.
• All instances are referencing the same name table.
• An ADNS service is a local service type listening to incoming DNS requests on port 53 UDP.
• The ADNS service:
• Is locally configured as service oriented architecture (SOA) for the GSLB domain.
N
• Can be configured for a maximum of 32 sites.

ot
• Does not support zone transfers or recursive query.

• Can be set to participate as authoritative.
fo
rr
es
al
e
or
dis
t rib
ut
io
n

•
CITRIX
•
Configure ADNS Service
• ADNS Service can be configured using CLI or .., Load Balancing Service
WebUI. Basic Settings
seMceName·
• CLI Syntax : l
ADNS_Serv,ce
add service <name> <IPAddress> ADNS

<port> IP Ad<lress •
r
10 107 149 240
AONS
Port·
• More
N
- Cancel
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Configuring DNS Virtual Servers
,----- §
• Create a load-balancing virtual server of type DNS and configure it with an IP

address.
• Add services redirecting traffic to back-end DNS servers.
• Configure the load-balancing virtual server IP address.
• When the NetScaler receives a DNS query, it calculates the best metric, based on the
load balancing algorithm used to distribute requests to the back-end DNS servers.
N
• Clients can configure the VIP as their DNS server IP address.

ot
fo
rr
Key Notes:
es
For clients making DNS requests two different scenarios exist:
al
• Scenario 1
e
• Create a type local DNS server on the NetScaler system
or
• This is a authoritative DNS server for the zone configured.
d
• Listens on an IP address provided in the configuration.
is
• Clients can configure their local TCP/IP stack to forward queries to this IP address.
t rib
• Scenario 2
ut
• Create a load‐balancing virtual server type DNS, provide an IP address.
io
• Add services redirecting traffic to backend DNS servers.
n
• Clients configure the load‐balancing virtual server IP address as their DNS server IP address.

•
CITRIX
•
Configure DNS Vserver
Add DNS VServer Add DNS Service Bind Service to the Vserver
• CLI CLI CLI

add lb vserver <name> add service <name> bind lb vserver <vserver
<IPAddress> DNS <port> <IPAddress> DNS <port> name> <service name>
• WEB-UI WEB-UI WEBUI
-.......
~ Load Balancing Virtual Server ... Load Balancing Service Serv,ct s,ncs.ng
Basic Set tJnos. Servi ce Binding
(oNS_Servlce I>J + /
Blnd,ng ~tails
·-· -·
N
'°
.....
0 • J
."..... Ill ,,_

ot
a --
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
GSLB DNS Response Options :Empty Down Response
• When a GSLB vServer is disabled or DOWN , configure it to send an Empty Down
Response (EDR) which sends a positive response. No records are returned if the
virtual IP address is DOWN.
EDR Enabled : EDR Disabled :
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
GSLB DNS Response Options : Multi-IP Address
Response
Multi-IP Address Response (MIR) lookup returns all active virtual IP addresses with the
optimal virtual IP address first in the response .
MIR Enabled MIR Disabled
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
What DNS Method is currently in use in your
environment? If you could start from scratch would you
change it?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
GSLB Concepts and Architecture
N
ot
fo
rr
Key Notes:
es
This module provides an introduction to the Global Server Load‐Balancing (GSLB) feature. The GSLB feature
al
ensures that client requests are directed to a best‐performing site available in a global enterprise and
e
distributed Internet environment. To access a URL, the user agent, such as a Web browser, needs to first
or
resolve the host name in the URL to an IP address. A DNS query is sent to a DNS server to resolve the host
name. The NetScaler system can be configured to act either as an authoritative DNS (ADNS) server or as a
d
DNS proxy.
is
t
GSLB enables the NetScaler system to make intelligent decisions. For example, if a site fails, the NetScaler
rib
system detects the failure and directs traffic to another available site. This feature prevents client requests
from being sent to a site that is down or overloaded.
ut
io
n

•
CITRIX
•
GSLB Use Cases
GSLB load balances services between geographically distributed locations and

operates under many of the same general principles as load balancing , but relies on
DNS for directing client requests.
Typical uses of GSLB include:
• Distribution of network traffic across multiple sites.

• Distribution of server load across multiple sites.
• Disaster recovery.
• Protection against points of failure in a wide area network (YVAN).
N
ot
fo
rr
Key Notes:
es
GSLB is a DNS‐based solution that load balances services between geographically distributed locations.
al
The NetScaler system can be configured to act either as an authoritative DNS (ADNS) server or a DNS Proxy.
e
or
GSLB operates under many of the same general principles as load balancing but relies on DNS for directing
client requests.
d
Typical uses of GSLB include:
is
t
• Distribution of network traffic across multiple sites
rib
• Distribution of server load across multiple sites
ut
• Disaster recovery
io
A major benefit of GSLB includes reduction of application latency.
n

•
CITRIX
•
Which methods of disaster recovery are you currently
N using in your environment, and why?
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
An Active-Standby disaster recovery setup can include:
GSLB • An active data center
Configuration: • A standby data center (remote s~e)
Active-Standby When a failover occurs as a result of a disaster event,
Datacenter it causes the primary active data center to become
inactive, and the standby datacenter becomes
operational.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• An active-active disaster recovery setup includes two
GSLB active data center locations.
Configuration:
• An active-active GSLB deployment allows
Active-Active connections to be distributed to multiple sites.
Data center • Web or application content can be mirrored in
geographically separate locations.
N
ot
fo
rr
Key Notes:
es
An active‐active setup ensures that data is consistently available at each distributed data center. Make sure
al
a single site can handle the load if one goes down.
e
or
d is
trib
ut
io
n

•
CITRIX
•
GSLB Architecture
I-
••
Client
-I
I- -I
Root
Servers @---§ fil-EB
Switch
Client's
LONS
Switch (ISP NS)
GSLB Site A GSLB Site B
NetScaler NetScaler
1-
oNs·
[g] [g] 1:x:1 [g] -I
ONS*
Switch Switch Switch Switch
I I I
I- I- -I -I
I- I- -I -I
N
I- I- -I -I
ot
Servers Servers Servers Servers
'At least one ONS is required per GSLB site.

fo
rr
Key Notes:
es
Back‐end DNS server is necessary in Proxy DNS configurations only. This graphic shows DNS vserver for our
al
DNS implementation – this is how we will do it in the lab.
e
An administrator can use the above diagram to understand the general GSLB architecture.
or
The NetScaler system will answer the site DNS request in authoritative DNS configurations.
d
The following example demonstrates the process of a GSLB conversation.
is
t
• 1. The client enters www.gslbsite.com in to browser.
rib
• 2. The system of the client sends DNS lookup query for www.gslbsite.com to the name server that is
ut
configured.
io
• 3. The name server returns the IP address for a known name server who is authoritative for
n
www.gslbsite.com as delivered by the root server. The returned address will be one of those
registered for site www.sitexyz.com. The top‐level servers (rootservers) circle through the list round
robin and will return next IP address in line.
• 4. The client queries the NetScaler system in the GSLB configuration at the IP address returned in the
prior step. The NetScaler system, based on its configured load‐balancing method, returns the IP
address the client needs to query for the service it is looking for, such as HTTP and HTTPs.
• 5. If the GSLB configuration is a proxy DNS configuration, the responding NetScaler system will query
the back‐end DNS server for the address to serve to the lookup request.
The site the NetScaler system directs the client to may be:
A site the NetScaler system is hosting within the load balancing configuration
Another GSLB site within the membership of sites

•
CITRIX
•
• A GSLB configuration consists of a group of GSLB
entities on each appliance in the configuration.
• Below are the entities used when configuring GSLB:
GSLB Entities • GSLB Sites
• GSLB Services
• GSLB Virtual Servers
• Load-Balancing or Content-Switching Virtual Servers
• ADNS Services or DNS VIPs
N
ot
fo
rr
Key Notes:
es
A GSLB site is a representation of a data center in your network and is a logical grouping of GSLB virtual
al
servers, services, and other network entities.
e
type the following commands to create a GSLB site and verify the configuration:
or
• add gslb site <siteName> <siteIPAddress>

d
• show gslb site <siteName>

is
A GSLB service is a representation of a load balancing or content switching virtual server.
t rib
type the following commands to create a GSLB service and verify the configuration:
ut
• add gslb service <serviceName> <serverName | IP> <serviceType> <port>‐siteName <string>

io
• show gslb service <serviceName>

n
A GSLB virtual server is an entity that represents one or more GSLB services and balances traffic between
them.
type the following commands to add a GSLB virtual server and verify the configuration:
• add gslb vserver <name> <serviceType> ‐ipType (IPv4 | IPv6)
• show gslb vserver <name>
How GSLB Works: http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐balancing/how‐gslb‐
works.html
Configuring a GSLB Site: http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐

•
CITRIX
•
balancing/configure/configure‐basic‐gslb‐site.html
Configuring a GSLB Service: http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐
balancing/configure/configure‐gslb‐service.html
Configuring a GSLB Virtual Server: http://docs.citrix.com/en‐us/netscaler/12/global‐server‐
load‐balancing/configure/configure‐gslb‐virtual‐server.html
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

CITRIX
•
GSLB Entities
GSLB Site A
GSLB vserver ADNS vserver
LB vserver
A_LB
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
• A GSLB site is a representation of a data center in
your network and is a logical grouping of GSLB virtual
servers, services, and other network entities.
• At each site, you configure the local GSLB site and
GSLB Sites each remote GSLB site.
• Once you create GSLB sites, MEP starts up , then
sites come up.
• The GSLB site IP is used for MEP between other
sites .
N
ot
fo
rr
Key Notes:
es
A GSLB site is a representation of a data center in your network and is a logical grouping of GSLB virtual
al
servers, services, and other network entities. Typically, in a GSLB set up, many GSLB sites are equipped to
e
serve the same content to a client. These are usually geographically separated to ensure that the domain is
or
active even if one site goes down completely. All of the sites in the GSLB configuration must be configured
on every.
d is
NetScaler appliance hosting a GSLB site. In other words, at each site, you configure the local GSLB site and
t
each remote GSLB site.
rib
Once GSLB sites are created for a domain, the NetScaler appliance sends client requests to the appropriate
ut
GSLB site as determined by the GSLB algorithms configured.
io
add gslb site <siteName> <siteIPAddress>
n
show gslb site <siteName>
In a typical GSLB setup:
• Many GSLB sites are equipped to serve the same content to a client.
• Sites are usually geographically separated to make sure that the domain is active, even if one site goes
DOWN completely.
• At each site, the local GSLB site and remote GSLB site is configured.

•
CITRIX
•
• A GSLB service is a representation of a local load-
balancing VServer or content-switching VServer.
• A remote GSLB service represents a load-balancing
GSLB Services VServer or content-switching VServer configured at
one of the other sites in the GSLB setup .
• At each site in the GSLB setup:
• You can create one local GSLB service and any number of remote
GSLB services.
• Configure your public IP address on the service.
N
ot
fo
rr
Key Notes:
es
A GSLB service is a representation of a load balancing or content switching virtual server. A local GSLB
al
service represents a local load balancing or content switching virtual server. A remote GSLB service
e
represents a load balancing or content switching virtual server configured at one of the other sites in the
or
GSLB setup. At each site in the GSLB setup, you can create one local GSLB service and any number of
remote GSLB services
d is
add gslb service <serviceName> <serverName | IP> <serviceType> <port>‐siteName <string>

t rib
show gslb service <serviceName>
stat gslb service <serviceName>
ut
Services are enabled by default when you create them. You can disable or enable each service individually.
io
n

•
CITRIX
•
• A GSLB vServer has one or more GSLB services
bound to it and load balances traffic between those
services.
• It evaluates the configured GSLB methods
(algorithms) to select the appropriate service to send
the client request and responds with the associated A
GSLB Virtual record.
Server • GSLB services are bound to a GSLB vServer and
refer to local or remote vServers.
• The domain for which GSLB is configured must be
bound to the GSLB vServer.
• Unlike other vServers , a GSLB vServer does not have
its own VIP.
N
ot
fo
rr
Key Notes:
es
A GSLB virtual server has one or more GSLB services bound to it and load balances traffic among those
al
services. It evaluates the configured GSLB methods (algorithms) to select the appropriate service to which
e
to send a client request.
or
Because the GSLB services can represent either local or remote vServers, selecting the optimal GSLB service
for a request has the effect of selecting the data center that should serve the client request.
d is
The domain for which global server load balancing is configured must be bound to the GSLB virtual server,
trib
because one or more services bound to the virtual server will serve requests made for that domain.
Unlike other virtual servers configured on a NetScaler appliance, a GSLB virtual server does not have its
ut
own virtual IP address (VIP).
io
n

•
CITRIX
•
Binding of
Once the GSLB services and virtual server are
GSLB Services configured , relevant GSLB services must be bound to
to a GSLB the GSLB virtual server to activate the configuration.
Virtual Server Command-line syntax:
bind gsLb vseLver nam~~ -serviceName <string>
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Synchronizing a GSLB Configuration
Prior to performing a GSLB config synchronization , the following must be manually

configured on all participating NetScalers:
1. Enable required features.
2. Create the GSLB sites.
For the remaining configuration , it is recommended to Auto-sync the GSLB

configuration to other participating NetScalers:
• This aids in configuring GSLB in multiple locations.
• It requires configurations only on one unit.
• It overrides any GSLB configurations on the target units.
N
ot
fo
rr
Key Notes:
es
An administrator can use the following process to configure a GSLB implementation. Each step is repeated
al
on the NetScaler system of each site.
e
These configurations can be done on a single system and synchronized:
or
• 1. Enable required features.
d
• 2. Create the GSLB sites. MEP starts up and the sites come up.
is
• 3. Configure load‐balancing virtual servers and services and bind them. Load‐balancing virtual servers
t
rib
change to UP status.
• 4. Create GSLB virtual server and services, local and remotes for all the remote sites.
ut
• 5. Bind GSLB virtual servers to load‐balancing virtual servers and GSLB domain. GSLB virtual servers up
io
n
Note – This will not work until the FQDN is bound to the vServer.
Once all sites, virtual servers, services are reported as UP, an administrator can customize DNS, GSLB
methods, persistence, and site affinity as necessary.
This is an absolute configuration – so create the site information on the other NetScalers, then copy the
configuration over. This handles the unique IP addressing.
In a hierarchical configuration, this is between parents only.
We recommend first doing GSLB config –preview to see what will happen.

•
CITRIX
•
Content-Switching GSLB
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Content-Switching Virtual Server Support for
GSLB
• Using Content Switching for GSLB can overcome current GSLB limitations.
• Current GSLB Deployment Limitations include:
• Cannot restrict the selection of a GSLB service from a subset of GSLB services bound to a GSLB virtual server
for the given domain.
• Cannot apply different load-balancing methods on the different subsets of GSLB services in the deployment.
• Cannot apply spillover policies on a subset of GSLB services.
• Cannot have a backup for a subset of GSLB services.
• Limited support for selecting services on basis of traffic.
N
ot
fo
rr
Key Notes:
es
In a typical GSLB deployment, you can prioritize the selection of a set of GSLB services bound to a GSLB
al
virtual server, but you cannot do the following:
e
• Restrict the selection of a GSLB service from a subset of GSLB services bound to a GSLB virtual server for
or
the given domain.
• Apply different load‐balancing methods on the different subsets of GSLB services in the deployment.
d is
• Apply spillover policies on a subset of GSLB services, and you cannot have a backup for a subset of GSLB
t
rib
services.
• Configure a subset of GSLB services to serve different content. That is, you cannot content switch
ut
between servers in different GSLB sites. The GSLB configuration assumes that the servers contain the
io
same content.
n
• Define a subset GSLB services with different priorities and specify an order in which the services in the
subset are applied to a request.
• You can now configure a content‐switching (CS) policy to customize the GSLB deployment. First,
configure a set of GSLB services and bind it to a GSLB virtual server. Then, configure a CS virtual server of
target type GSLB, define a CS policy and action with the GSLB virtual server as target virtual server, and
bind the CS policy to CS virtual server.
Important:
• Only CS policies with DNS‐based expressions can be bound to a CS virtual server of target type GSLB.
• If a GLSB service is bound to a CS virtual server through a GSLB virtual server, you cannot bind another
GSLB virtual server bound with the same GSLB service to the CS virtual server.
Consider a GLSB deployment that includes two GSLB sites.

•
CITRIX
•
At each site, four GSLB services (S‐1, S‐2, S‐3, and S‐4) are bound to GSLB virtual server VS‐1.
You can configure a content switching (CS) virtual server of target type GSLB and define a CS
policy and action with VS‐1 as the target virtual server, so that requests for content in English
are served only by S‐1 and S‐2, and requests for content in Spanish are served only by S‐3
and S‐4.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

CITRIX
•
Content Switching for GSLB
Perform the following steps to configure GSLB Service Selection using Content
Switching:
1. Configure GSLB.
2. Configure a Content-Switching virtual server of target type GSLB.
3. Configure CS policies.
4. Configure CS actions that designate a GSLB virtual server as the target virtual
server.
5. Bind the CS policies to the CS virtual server.
N
6. Bind the domain to the CS virtual server instead of the GSLB virtual server.
ot
*Only CS policies with DNS based expressions can be bound to a CS virtual server of target type GSLB.
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
GSLB MEP and Monitoring
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Metric Exchange Protocol
The data centers in a GSLB setup exchange metrics with each other through the Metric
Exchange Protocol (MEP).
• The exchange of the metric information begins once you create a GSLB site.
• It enabled by default.
• It uses port 3011 or port 3009 for secure communications.
• These metrics are comprised of load , network, and persistence information.
• This data exchange is not encrypted by default.
• DNS query responses are based on information gathered through MEP.
N
ot
fo
rr
Key Notes:
es
MEP is required for health checking of data centers to ensure their availability. A connection for exchanging
al
network metrics can be initiated by either of the data centers involved in the exchange, but a connection
e
for exchanging site metrics is always initiated by the data center with the lower IP address. By default, the
or
data center uses a subnet IP address (SNIP) or a mapped IP address (MIP) to establish a connection to the
IP address of a different data center. However, you can configure a specific SNIP, MIP, the NetScaler IP
d
address (NSIP), or a virtual IP address (VIP) as the source IP address for metrics exchange. The
is
communication process between GSLB sites uses TCP port 3011 or 3009, so this port must be open on
trib
firewalls that are between the NetScaler appliances.
You can also bind monitors to check the health of remote services. When monitors are bound, metric
ut
exchange does not control the state of the remote service.
io
To allow controlled access, user authentication is performed before metric information is exchanged. All of
n
the sites taking part in metric exchange should have the same nsroot user ID and password. A system can
handle a maximum of 32 sites.
Note: This limit can be extended by configuring aggregator sites.
If the system is deployed behind the firewall, the administrator needs to allow connections from one site to
the other.
The GSLB site metric exchange interval is 1 second.
Site metric information
• Information about load‐balancing virtual server such as the current number of connections and current
packet rate.
Network metric information

•
CITRIX
•
• When dynamic proximity based GSLB is enabled the GSLB sites exchange RTT information
about the clients LDNS (learned DNS). Exchange five seconds.
Persistence information
• GSLB site information exchanged every five seconds.
Note: All of the sites participating in MEP should have the same nsroot ID and password.
Key information regarding Metric Exchange Protocol (MEP) includes:
• Site‐to‐site monitoring
• Distributes site metrics, network metrics, persistence information
Enabled by default
The communication process is accomplished between each GSLB site on TCP port 3011 and
therefore must be open on firewalls that are between the NetScaler systems.
N
The public IP address of the site needs to be allowed on any blocking firewall.
ot
MEP can be disabled, but limits GSLB methods to RR, static proximity, source IP hash. All
fo
other methods revert to round robin when MEP is off/inactive
rr
• set gslb site siteA –metricExchange DISABLED

es
al
e
or
d is
trib
ut
io
n

CITRIX
•
RPC Node
• After the password for the RPC node of the local site is changed , it is possible to
manually propagate the change to the RPC node at each remote site and encrypt
MEP.
• Unsecured RPC nodes use TCP port 3011
• Secured RPC nodes use TCP port 3009
• NetScaler uses a GSLB site IP address (which can be shared with a SNIP or MIP)
as the source IP address for an RPC node for GSLB communication.
• If the GSLB site IP address is unavailable, there will be no GSLB communication

between sites.
N
ot
fo
rr
Key Notes:
es
If a SNIP address is not available, you must configure either the NSIP or a VIP as the source IP address.
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
.., Create GSLB Site
Metric Exchange Configuration
-·
(s1tet
LOCAL
Site metrics exchanged between the GSLB sites
include: L
• Status of each virtual server PuDhc: IP Addttn
r
• Current number of connections
• htent s.· 8.lc up P-Ment s, H
• Current packet rate
• Current bandwidth usage information
Tngga Moniton•
- - - -
• Command-line syntax for editing a GSLB site: ALWAYS
Ch.r.t 1JP
set gslb site <GSLBSiteName> - metricExchange L

Publie Ctuste:r IP
{ENABLED I DISABLED} r
NAPTR Repfxemen St./
• Command-line syntax for viewing a GSLB site

N
.,, e nc Ex-tnange
show gslb site <GS~BSiteNamL> .,, twork M tnc hchange,
ot
.,, Pt. tstence, SHs.on Entty E•CJ\~
Im OOle
fo
rr
Key Notes:
es
If you disable metrics exchange, you can use only static load‐balancing methods (such as round robin, static
al
proximity, or the hash‐based methods), and if you disable metrics exchange when a dynamic load‐balancing
e
method (such as least connection) is in operation, the appliance falls back to round robin.
or
d is
trib
ut
io
n

•
CITRIX
•
Configuring Network Metric Information Exchange
• Enable or disable the exchange of RTT information about the client's local DNS when
the GSLB dynamic method RTT is enabled with :
set gs~b site <GSLBS~teName> -nwmetriclxchange {ENABLED I DISABLED}
• You can enable or disable the exchange of persistence information:
set gslb site <GSLBSiteName> -sessionExchange {ENABLED I DISABLED}

N
ot
fo
rr
Key Notes:
es
The data centers in a GSLB setup exchange metrics with each other through the metrics exchange protocol
al
(MEP), which is a proprietary protocol for the Citrix NetScaler. The exchange of the metric information
e
begins when you create a GSLB site. These metrics comprise load, network, and persistence information.
or
MEP is required for health checking of data centers to ensure their availability. A connection for exchanging
network metrics can be initiated by either of the data centers involved in the exchange, but a connection
d is
for exchanging site metrics is always initiated by the data center with the lower IP address. By default, the
t
data center uses a subnet IP address (SNIP) or a mapped IP address (MIP) to establish a connection to the
rib
IP address of a different data center. However, you can configure a specific SNIP, MIP, the NetScaler IP
address (NSIP), or a virtual IP address (VIP) as the source IP address for metrics exchange. The
ut
communication process between GSLB sites uses TCP port 3011 or 3009, so this port must be open on
io
firewalls that are between the NetScaler appliances.
n
Note: You cannot configure a GSLB site IP address as the source IP address for site metrics exchange.
If the source and target sites for a MEP connection (the site that initiates a MEP connection and the site
that receives the connection request, respectively) have both private and public IP addresses configured,
the sites exchange MEP information by using the public IP addresses.
exchange does not control the state of the remote service. If a monitor is bound to a remote service and
metrics exchange is enabled, the monitor controls the health status. Binding the monitors to the remote
service allows the NetScaler to interact with a non‐NetScaler load balancing device. The NetScaler can
monitor non‐NetScaler devices but cannot perform load balancing on them. The NetScaler can monitor
non‐NetScaler devices, and can perform load balancing on them if monitors are bound to all GSLB services
and only static load balancing methods (such as the round robin, static proximity, or hash‐based methods)
are used.

•
CITRIX
•
RTT information is exchanged every five seconds.
You can enable or disable the exchange of round trip time (RTT) information about the
client's local DNS when the GSLB dynamic method (RTT) is enabled. This information is
exchanged every 5 seconds.
You can enable or disable the exchange of persistence information at each site. This
information is exchanged every 5 seconds between NetScaler appliances participating in
GSLB.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
GSLB Monitoring Configuration
Monitoring MEP-Enabled (Default) MEP-Disabled
Explicit Monitors Monitor determines health Monitor determines health

status status
No Explicit Monitors (Default) MEP determines health All services marked DOWN .
status (default)
N
ot
fo
rr
Key Notes:
es
MEP determines status of GSLB services by default. If a monitor is bound to a gslb service, then the monitor
al
determines status (not MEP).
e
NetScaler monitors can be used instead or in addition to MEP.
or
• By default Precludes MEP health monitoring when used with MEP.
d
• MEP is used to exchange all stats, including service health state, related to a gslb service. If explicit
is
monitor is bound, the system ignores gslb service state collected through MEP and instead GSLB uses

t rib
state reported by the monitor. An administrator can use the table in this slide to understand the
interaction between MEP and monitors.
ut
io
exchange does not control the state of the remote service.
n
You can configure NetScaler to use monitors to evaluate services in the following situations:
• Always use monitors (default)
• Use monitors when MEP shows as DOWN
• Use monitors when remote services and MEP shows as DOWN

•
CITRIX
•
Adding and Binding Monitors
• To add a monitor, you specify the type and the port.

• Command-line interface syntax:
add lb monitor <name> -~ype <monitor type> -destPort <portNumber>
• You can set both the weight and the monitoring threshold at the same time that you
bind the monitor.
N
ot
fo
rr
Key Notes:
es
Once you create monitors, you must bind them to GSLB services. When binding monitors to the services,
al
you can specify a weight for the monitor. After binding one or more weighted monitors, you can configure a
e
monitor threshold for the service. This threshold takes the service down if the sum of the bound monitor
or
weights falls below the threshold value.
When you bind a remote service to a GSLB virtual server, the GSLB sites exchange metric information,
d is
including network metric Information, which is the round‐trip‐time and persistence Information.
t rib
If a metric exchange connection is momentarily lost between any of the participating sites, the remote site
is marked as DOWN and load balancing is performed on the remaining sites that are UP. When metric
ut
exchange for a site is DOWN, the remote services belonging to the site are marked DOWN as well.
io
The NetScaler appliance periodically evaluates the state of the remote GSLB services by using either MEP or
n
monitors that are explicitly bound to the remote services. Binding explicit monitors to local services is not
required, because the state of the local GSLB service is updated by default using the MEP. However, you can
bind explicit monitors to a remote service. When monitors are explicitly bound, the state of the remote
service is not controlled by the metric exchange.
By default, when you bind a monitor to a remote GSLB service, the NetScaler appliance uses the state of
the service reported by the monitor. However, you can configure the NetScaler appliance to use monitors to
evaluate services in the following situations: Always use monitors (default setting).
Use monitors when MEP is DOWN.
Use monitors when remote services and MEP are DOWN.
The second and third of the above settings enable the NetScaler to stop monitoring when MEP is UP. For
example, in a hierarchical GSLB setup, a GSLB site provides the MEP information about its child sites to its
parent site. Such an intermediate site may evaluate the state of the child site as DOWN because of network

•
CITRIX
•
issues, though the actual state of the site is UP. In this case, you can bind monitors to the
services of the parent site and disable MEP to determine the actual state of the remote
service. This option enables you to control the manner in which the states of the remote
services are determined.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
Customizing GSLB
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Customizing the GSLB Configuration
Once the basic GSLB configuration is operational , it can be customized by:
• Configuring persistent connections.

• Configuring static proximity.
• Configuring dynamic RTT.
• Changing the GSLB load-balancing method.
• Setting up GSLB for disaster recovery.
• Sample configurations.
• Configuring dynamic weights for services.
• Modifying the bandwidth of a GSLB service.
N
• Configuring CNAME-based GSLB services.

ot
fo
rr
Key Notes:
es
Once your basic GSLB configuration is operational, you can customize it by modifying the bandwidth of a
al
GSLB service, configuring CNAME based GSLB services, static proximity, dynamic RTT, persistent
e
connections, or dynamic weights for services, or changing the GSLB Method.
or
You can also configure monitoring for GSLB services to determine their states.
d
These settings depend on your network deployment and the types of clients you expect to connect to your
is
servers.
t rib
Creating CNAME‐Based GSLB Services
ut
To configure a GSLB service, you can use the IP address of the server or a canonical name of the server. If
you want to run multiple services (like an FTP and a Web server, each running on different ports) from a
io
single IP address or run multiple HTTP services on the same port, with different names, on the same
n
physical host, you can use canonical names (CNAMES) for the services.
For example, you can have two entries in DNS as ftp.example.com and www.example.com for FTP services
and HTTP services on the same domain, example.com. CNAME‐based GSLB services are useful in a
multilevel domain resolver configuration or in multilevel domain load balancing. Configuring a CNAME‐
based GSLB service can also help if the IP address of the physical server is likely to change.
If you configure CNAME‐based GSLB services for a GSLB domain, when a query is sent for the GSLB domain,
the NetScaler appliance provides a CNAME instead of an IP address. If the A record for this CNAME record is
not configured, the client must query the CNAME domain for the IP address. If the A record for this CNAME
record is configured, the NetScaler provides the CNAME with the corresponding A record (IP address). The
NetScaler appliance handles the final resolution of the DNS query, as determined by the GSLB method. The
CNAME records can be maintained on a different NetScaler appliance or on a third‐party system.
In an IP‐address‐based GSLB service, the state of a service is determined by the state of the server that it

•
CITRIX
•
represents. However, a CNAME‐based GSLB service has its state set to UP by default; the
virtual server IP (VIP) address or metric exchange protocol (MEP) are not used for
determining its state. If a desktop‐based monitor is bound to a CNAME‐based GSLB service,
the state of the service is determined according to the result of the monitor probes.
You can bind a CNAME‐based GSLB service only to a GSLB virtual server that has the DNS
Record Type as CNAME. Also, a NetScaler appliance can contain at most one GSLB service
with a given CNAME entry.
The following are some of the features supported for a CNAME‐based GSLB service : GSLB‐
policy based site affinity is supported, with the CNAME as the preferred location.
Source IP persistence is supported. The persistency entry contains the CNAME information
instead of the IP address and port of the selected service.
The following are the limitations of CNAME‐based GSLB services: Site persistence is not
N
supported, because the service referenced by a CNAME can be present at any third‐party
ot
location.
Multiple‐IP‐address response is not supported because one domain cannot have multiple
fo
CNAME entries.
rr
Source IP Hash and Round Robin are the only load balancing methods supported. The Static
es
Proximity method is not supported because a CNAME is not associated with an IP address
al
and static proximity can be maintained only according to the IP addresses.
e
or
d is
trib
ut
io
n

CITRIX
•
With GSLB persistence:
GSLB • Site persistence ensures that LONS requests are sent
to the same site and are not load balanced .
Persistence
• Cookie-based persistence allows setting HTTP level
persistence.
N
ot
fo
rr
Key Notes:
es
An administrator should be familiar with the following information when configuring GSLB persistence.
al
Site Persistence:
e
• Ensure LDNS requests are sent the same site and not load balanced.
or
• Source IP persistence set with:
d
• set gslb vserver gslbvip ‐persistenceType SOURCEIP –persistenceID <positive_integer>

is
t
Cookie‐based persistence and connection proxy
rib
• Allows setting of HTTP level persistence
ut
• Configured on local gslb services with options:
io
• ‐SitePersistence ConnectionProxy
n
• ‐cookieTimeout <integer>
• ‐CIP ENABLED <cipheader>
You can configure GSLB so that the clients coming from the branch office or any other internal network are
directed to a particular GSLB site that is geographically close to the client network. For all other requests,
you can use dynamic RTT.

•
CITRIX
•
• If persistence is configured for a particular domain , it
Persistence takes precedence over the configured GSLB method.
Connections • Persistence is useful for e-commerce deployments,

where the server needs to maintain the state of the
connection to track the transaction .
N
ot
fo
rr
Key Notes:
es
Persistence ensures that a series of client requests for a particular domain name is sent to the same data
al
center instead of being load balanced.
e
Unless you configure persistence, a load balancing stateless protocol, such as HTTP, disrupts the
or
maintenance of state information about client connections. Different transmissions from the same client
might be directed to different servers even though all of the transmissions are part of the same session. You
d is
must configure persistence on a load balancing virtual server that handles certain types of Web
t
applications, such as shopping cart applications.
rib
Before you can configure persistence, you need to understand the different types of persistence, how they
ut
are used, and what the implications of each type is. You then need to configure the NetScaler appliance to
io
provide persistent connections for those Web sites and Web applications that require them.
n
You can also configure backup persistence, which takes effect in the event that the primary type of
persistence configured for a load balancing virtual server fails. You can configure persistence groups, so that
a client transmission to any virtual server in a group can be directed to a server that has received previous
transmissions from the same client.

•
CITRIX
•
• When a DNS request is received at a data center in
which source-IP-address-persistence is configured ,
the NetScaler system attempts to locate an entry in
Persistence the persistence table.
Based on • If an entry for the LONS server exists and the server
Source IP mentioned in the entry is configured , the IP address
of that server is sent as the DNS response.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
The NetScaler system provides persistence at the
HTTP-request level by using HTTP cookie persistence:
Persistence • The client is reconnected to the same server through
Based on an HTTP cookie .
HTTP Cookies • The NetScaler system inserts the site cookie in the
first HTTP response.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Load Balancing GSLB sites
• Load-balancing methods typically used on the NetScaler system include:

Least Connections Least Bandwidth Custom Load
(default)
Round Robin and Least Packets Round Trip Time (RTT}

Weighted Round Robin
Least Response Time Source IP Hash Static Proximity

N
ot
fo
rr
Key Notes:
es
When the DNS request from the resolver of the client is received by the NetScaler system, the load‐
al
balancing and site fault tolerance decision will be made based on the health status and load of the
e
participating sites. When the host name of the URL is resolved, all traffic from the client is sent directly to
or
the resolved site.
When the DNS request from resolver of the client is received by the NetScaler system, the site load
d is
information is exchanged between the GSLB sites. When the host name of the URL is resolved, all traffic
t
from the client is sent directly to the resolved site. For the GSLB methods to work as defined either the
rib
MEP should be enabled or explicit monitors should be bound to the remote services. When creating a load‐
balancing virtual server, GSLB methods can be configured using the add gslb vServer command in the CLI.
ut
io
Least Connections:
n
• As the name implies, in this method, the request is routed to the site with the least number of
connections. Connection statistics for the configured service are exchanged between the sites through
MEP. The DNS response, generated by the NetScaler system, contains the address of the IP address of
the site with the least number of connections. MEP must be enabled for this method to work.
• Due to external factors such as during network congestion or when a firewall drop packets, if the MEP
fails for any of the participating sites, then the default method round robin is used instead of least
connections. In this case, if the remote service belonging to the site for which MEP has failed has an
explicit monitor bound to it, and its state is UP, then it will be included in the round robin rotation;
otherwise, it will not.
Weighted Round Robin:
• Round robin is one of the simplest load‐balancing methods. In this method, the request is routed to the
sites based on the rotation, regardless of the load on the sites. MEP is not required for the round‐robin

•
CITRIX
•
method to work, if explicit monitoring is configured.
Least Response Time:
• When this method is enabled, the NetScaler system directs the request to the site with
the least response time. MEP must be enabled for this method to work as defined.
Average response time statistics for the configured services are exchanged through MEP.
The DNS response contains the IP address of the GSLB site with the least current response
time. Due to external factors such as during network congestion or when a firewall drops
packets, if the MEP fails for any of the participating sites, then the default method round
robin is used instead of least response time method. In this case, if the remote service
belonging to the site for which MEP has failed has an explicit monitor bound to it and its
state is UP, then it will be included in the round robin rotation. Otherwise, it will not.
Least Bandwidth:
N
the least bandwidth. MEP must be enabled for this method to work as defined. MEP is
ot
used to exchange statistics corresponding to the total and current bytes transferred
fo
between the configured services. The DNS response of the NetScaler system contains the
rr
IP address of the GSLB site with least current bandwidth, which is the site that is currently
serving least traffic in Mbps.
es
• Due to external factors such as during network congestion or when a firewall drops
al
e
robin is used instead of least bandwidth. In this case, if the remote service belonging to
the site for which MEP has failed has an explicit monitor bound to it and its state is UP,
or
then it will be included in the round‐robin rotation. Otherwise, it will not.
d
Least Packets:
is
t rib
the least packets. MEP must be enabled for this method to work as defined. Statistics
corresponding to the total and current number of packets transferred for the configured
ut
service are exchanged between sites through MEP. The DNS response of the NetScaler
io
system contains the IP address of the site with the least current packets.
n
• Due to external factors such as during network congestion or when a firewall drops
robin is used instead of least packets. In this case, if the remote service belonging to the
site for which MEP has failed has an explicit monitor bound to it and its state is UP, then it
will be included in the round‐robin rotation. Otherwise, it will not.
SourceIP Hash:
• The NetScaler system responds with the IP address of each site selected based on the
hash of the IP address of the DNS resolver. MEP is not required for this method to work if
an explicit monitor is bound.
Proximity‐Based Global Server Load Balancing:
• When enabled, the proximity‐based GSLB method allows the NetScaler system to make

CITRIX
•
load‐balancing decisions based on the proximity of the client’s local DNS server (LDNS) in
relation to different sites. Proximity can be measured both dynamically and statically. The
dynamic determination of proximity is based on the current network status, while the
static determination of proximity is based on the geographic location of the client’s LDNS
and the sites the client is accessing. The main benefit of the proximity‐based GSLB
method is faster response time resulting from the selection of the closest available site.
• Note: To use the proximity based GSLB method, the proximity based GSLB license is
necessary.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
• When you configure GSLB to use the weighted round-
GSLB with robin method:
Weighted • Weights are added to the GSLB services
• The configured percentage of incoming traffic is sent to each GSLB
Round Robin site
N
ot
fo
rr
Key Notes:
es
For example, you can configure your GSLB setup to forward 80 percent of the traffic to one site and 20
al
percent of the traffic to another. After you do this, the NetScaler system will send four requests to the first
e
site for each request that it sends to the second.
or
Weighted Round Robin:
d
• Round robin is one of the simplest load‐balancing methods. In this method, the request is routed to the
is
sites based on the rotation, regardless of the load on the sites. MEP is not required for the round‐robin
t
method to work, if explicit monitoring is configured.
rib
ut
io
n

•
CITRIX
•
• A site can be assigned to take over when all primary
GSLB Failover sites are down.
for Disaster • The GSLB domain will resolve to the IP address of the
backup site when all the services behind the virtual
Recovery server go down .
N
ot
fo
rr
Key Notes:
es
All sites that are bound as services to the GSLB virtual IP address are considered primary sites. If the site IP
al
address is configured as the backup, then the site is considered as the backup site. If the GSLB virtual IP
e
address is UP, the GSLB virtual server will send the DNS response with one of the primary site IP addresses
or
as selected by the configured load‐balancing policy. If all of the configured primary sites in the GSLB virtual
IP address are DOWN, the authoritative domain name server (ADNS) or DNS load‐balancing virtual server
d
will send the DNS response with the backup IP address as configured in the above command. Persistence
is
will not be honored when the backup IP address is configured.
trib
ut
io
n

•
CITRIX
•
GSLB Failover to Backup Site (CLI)
On all NetScalers that are part of the GSLB configuration , perform the steps shown:
1. Enable the GSLB feature:
enable ns feature gslb
2. Configure DNS :
adJ dns nameserver <IP> - local
3. Create GSLB Sites:
add gslb site SITEOl <Site IP>

N
add gslb site SITE02 <Site IP>

ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
These commands can be configured on a single NetScaler and synchronized
4. Create GSLB Services (Single Site only):
add gslb service SITE0l_HTTP_App <VIP> HTTP 80 -sitename SITE0l
add gslb service SITE02_HTTP_App <VIP> HTTP 80 -sitename SITE02
5. Create GSLB VServers :
add gslb vserver Global Primary_App HTTP
add gslb vserver Global_Backup_App HTTP
6. Bind GSLB VServer to GSLB Services:
bind gslb vserver Globa~ Primary_App -servicename SITE0l_HTTP_App
N
bind gslb vserver Global_Backup_App -servicename SITE02_HTTP_App

ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
These commands can be configured on a single NetScaler and synchronized
7. Bind GSLB VServer to the FQDN to Resolve:
bind gslb vserver Global_Primary_App - domainname <FQDN>
8. Set up Failover to Backup site:
set gslb vserver Global_ Primary_App - BackupVS Global_ Backup_ App
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
CNAME-based GSLB services are useful:
Creating • In a multi-level domain resolver configuration or in

multi-level domain load balancing.
CNAME-Based • If you want to have a single name associated with
GSLB Services multiple DNS sub-delegations.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Proximity load balancing allows for a faster response
resulting from the selection of the closest available
GSLB Site site:
Proximity • Dynamic Network Proximity {RTT)

• Static Proximity
N
ot
fo
rr
Key Notes:
es
A GSLB policy can be used to implement site‐affinity by directing traffic from an IP address or network of a
al
LDNS resolver to a predefined target site. GSLB policies operate on a static and custom IP address‐based
e
location database. Incoming request attributes are evaluated in an expression and the target site is
or
designated as part of the action.
The following considerations apply when using site affinity:
d is
• Can use the wildcard * to define more than one location
trib
• Applies globally in GSLB
• Has a limit of 64 policies
ut
io
n

•
CITRIX
•
• To measure dynamic RTT, the NetScaler system
probes the client's LONS server and gathers RTT
Dynamic RTT metric information .
Configuration • GSLB monitors the real-time status of the network
and dynamically directs the client request to the data
center with the lowest RTT value.
N
ot
fo
rr
Key Notes:
es
Methods to measure RTT:
al
• PING: ICMP Echo Request or Reply.
e
• If there is a reply to the ping request, then the appliance calculates the RTT.
or
• If the ICMP reply mechanism is turned off at any of the intermediate routers or at the LDNS, then on
d
timeout try to send a DNS query.
is
• For RTT calculation ICMP request is initiated from GSLB SNIP.
trib
• DNS: Query or Response.
ut
• If there is a response to the DNS query, then the appliance calculates the RTT.
io
• If the DNS response is for a specific set of client IP addresses or DNS queries are not answered, then
n
on timeout try to send a TCP request.
• TCP: Synchronize to a higher order port.
• If there is a SYN+ACK, or RST, or a FIN response, then the appliance calculates the RTT.
• If there is no response, then send a ping request again.

•
CITRIX
•
• Evaluate attributes of incoming client LONS requests
and conditionally directs clients to a specific GSLB
site.
Implementing • Load balance requests between the sites that match
Proximity- when the LONS characteristics match for more than
one site.
Based GSLB
• Select the best site based on the load-balancing
method if the entry is not found in either custom or
static databases .
N
ot
fo
rr
Key Notes:
es
When enabled, the proximity‐based GSLB method allows the NetScaler system to make load‐balancing
al
decisions based on the proximity of the client’s local DNS server (LDNS) in relation to different sites.
e
Proximity can be measured both statically and dynamically. The dynamic determination of proximity is
or
based on the current network status, while the static determination of proximity is based on the geographic
location of the client’s LDNS and the sites the client is accessing.
d is
The main benefit of the proximity‐based GSLB method is faster response time resulting from the selection
t
of the closest available site.
rib
The two methods of proximity load‐balancing methods include:
ut
• Dynamic Network Proximity/Round Trip Time (RTT)
io
• Determine site to send client to based on client’s local DNS (LDNS) proximity to various sites
n
• Gauged by RTT to the LDNS host
• Determine site to direct client to based on proximity to geographic locations in a static location
database.
• Use location commands in configuring and populating the location database.

•
CITRIX
•
Implementing Proximity-Based GSLB
Static Proximity
• Determine the site to direct client to based on proximity to geographic locations in a static
location database.
• Use location commands in configuring and populating the location database.
• The default location of the database file on the appliance is /var/netscaler/locdb.
To add a static location file by using the Configuration Utility:
• Navigate to AppExpert > Location , click the Static Database tab.
• Click Add to add a static location file.
N
ot
fo
rr
Key Notes:
es
When enabled, the proximity‐based GSLB method allows the NetScaler system to make load‐balancing
al
decisions based on the proximity of the client’s local DNS server (LDNS) in relation to different sites.
e
Proximity can be measured both statically and dynamically. The dynamic determination of proximity is
or
based on the current network status, while the static determination of proximity is based on the geographic
location of the client’s LDNS and the sites the client is accessing.
d is
The main benefit of the proximity‐based GSLB method is faster response time resulting from the selection
t
of the closest available site.
rib
ut
• Determine site to direct client to based on proximity to geographic locations in a static location
io
database
n
• Use location commands in configuring and populating the location database
Run the following command from the command‐line interface of the appliance to add a static location
file: add locationfile <locationfile Name> ‐format LocationFormat Note: Refer to ICG for supported
formats.
Run the following command to ensure that the location database is loaded: show locationparameter This
command displays the parameters such as, number of static entries and error messages if the database is
not loaded correctly. A maximum of 3M‐1 (3 million minus one) entries can be loaded.
Run the following command to view the location of the GSLB site: show gslb service Notes:
If the database is loaded correctly, the location of the GSLB sites are automatically populated in the
database.
At any point in time, only one location file can be specified in the configuration on the appliance.
224 © 2017 Citrix Authorized Content CITRIX

•
•
If the appliances are in a high availability setup, then one appliance needs to copy the
database from the other appliance.
If no match is found for an incoming IP address, the request is processed using the Round
Robin method.
Run the following command in the command‐line interface of the appliance to configure the
GSLB feature on the appliance:
•  set gslb vserver GSLBVserverName ‐lbMethod MethodType
• googleoff: all
Citrix Product Documentation on How to Configure Static
N
Proximity:http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐
ot
balancing/configuring‐static‐proximity.html
fo
rr
es
al
e
or
d is
trib
ut
io
n

CITRIX
•
Dynamic weights can be based on either:
• The total number of services bound to the virtual
Using Dynamic server.
Weights for OR
Services • The sum of the weights of the individual services

bound to the virtual server.
• Traffic distribution is then based on the weights configured for the
services.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Backup IP
Address
Configuration for • You can configure a backup site for your GSLB
configuration.
a GSLB Domain
• With this configuration in place , if all of the primary
sites go DOWN , the IP address of the backup site is
provided in the DNS response.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Single Backup for Multiple GSLB VServer
• Current NetScaler behavior:

• In previous versions, a given GSLB VServer could not act as backup for more than one GSLB VServer.
• Enhancement:
• A single, backup VServer can now act as a backup VServer for multiple GSLB VServers.
• A backup VServer will take traffic for all the primary VServers which go down or spill over.
• Deployment use case :

• A single backup VServer can be utilized for multiple GSLB VServers.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• Exercise 6-1: Configuring Active/Active GSLB
• Exercise 6-2: Testing GSLB with DNS Proxy
Configuration
• Exercise 6-3: Configuring GSLB for Active/Passive
Scenario
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• DNS is a critical component in a GSLB environment.
• For GSLB , the NetScaler can serve as a DNS proxy
Key Takeaways or ADNS service .
• GSLB can be customized in many ways including
load-balancing methods, persistence, and proximity.
N
ot
fo
rr
es
GSLB load Balancing: https://www.citrix.com/blogs/2015/08/25/global‐server‐load‐balancing‐part‐1‐2/
al
https://support.citrix.com/article/CTX123792
e
or
d is
trib
ut
io
n

•
CITRIX
•
Fi I out the
End of Course you
Survey
Your opinion matters!
we
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
•
CITRIX
•
NetScaler Traffic
Management
NetScaler Clustering
N
CNS-219-21
ot
Version 1 O
fo
rr
Key Notes:
es
This is an additional module included for Self Study.
al
e
or
dis
t
rib
ut
io
n

•
CITRIX
•
• Explain the NetScaler Clustering feature.
Learning • Identify methods for managing and configuring a
NetScaler Cluster.
Objectives • Discuss options for troubleshooting the NetScaler
Cluster.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
NetScaler Clustering
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Clustering
A NetScaler Cluster is formed by grouping NetScaler systems into an active-active

configuration.
• The NetScaler systems must satisfy specific hardware and software requirements to
be part of a cluster.
• One of the cluster nodes is designated as a configuration coordinator (CCO) and
coordinates all cluster configurations.
• Auto-detect NetScaler appliances in same subnet as NSIP of Configuration
Coordinator.
• Access to nodes using NSIP is read-only.
N
ot
fo
rr
Key Notes:
es
A NetScaler cluster can include as few as two or as many as 32 NetScaler hardware or virtual appliances.
al
Benefits of Clustering.
e
or
When implementing a clustering, you can:
• Increase the efficiency by using idle resources. This immediately addresses any scalability requirements.
d
• Add capacity as needed to satisfy any throughput requirements by scaling out to 32 units acting as a
is
single logical appliance
trib
• Simplify administration
ut
• Eliminate downtime by providing a highly fault tolerant solution alternative to an HA pair
io
• Ensure there is no network downtime
n

•
CITRIX
•
Cluster Configuration
Configuration
• CLIP: Cluster IP used for management.

• CCO (Cluster Coordinator) responsible to replicate the configuration to all
N
other nodes.
ot
fo
rr
Key Notes:
es
When a new cluster is defined, a new IP address is used for managing the cluster. This IP address is owned
al
by the CCO (cluster coordinator node), who is responsible for replicating the configuration on all the cluster
e
nodes.
or
If, at any point, any node in the cluster becomes out‐of‐sync with the latest cluster configuration, there is a
configuration synchronization module running on each node that will ensure the configuration is the same
d is
on all nodes.
t rib
Additionally, a file synchronization module running on each node, replicates certificates, CRLs, and so on …
to all cluster nodes.
ut
Election criteria for CCO has many decision points and the algorithm keeps running in the background to
io
figure out best node… thus, even without a node, complete failure there can be changes in CCO. It looks at
n
interface stats, ssl card stats and many similar points to make the decision.

•
CITRIX
•
The NetScaler configurations and the files that are
Clustering available on the CCO are synchronized on all the other
cluster nodes when:
Synchronization
• A node joins the cluster.
• A node rejoins the cluster.
• A sync command is executed on the CCO.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Cluster Connections
0/ 1/2 1/ 1/ 1 2/1 /4
1/2 1/ 1 1/4
NSO NS1 NS2
NetScaler Cluster
Cluster network interfaces are represented in 3-tuple (n/c/u) notation (node/controller/unit) .

N
ot
fo
rr
Key Notes:
es
To identify the node to which an interface belongs, the standard NetScaler interface‐naming convention is
al
prefixed with a node ID. That is, the interface identifier c/u, where c is the controller number and u is the
e
unit number, becomes n/c/u, where n is the node ID.
or
d is
t
rib
ut
io
n

•
CITRIX
•
Clustering Backplane
Cluster Backplane
-•Admin
Cluster IP
Address
N
I
I
~---------------------------------..1
ot
NetScaler Cluster
fo
rr
Key Notes:
es
One important concept is the cluster backplane where the nodes communicate with each other. This
al
should have a dedicated interface on each node and a dedicated switch.
e
or
d is
t rib
ut
io
n

•
CITRIX
•
Cluster Logical Topology
Control Plane
..
C
.
a:
:.
0
c
~-, -~~
.!1
u
• =::- -c:J:11a11
Back Plane
• There are four logical traffic flows in a cluster system.

N
• These identify the relevant information that is passed between client, servers, and
nodes in the cluster.
ot
fo
rr
Key Notes:
es
There are four logical traffic flows in a cluster system that identify the relevant information that is passed
al
between client, servers, and nodes in the cluster:
e
The control plane, client data plane and server can be shared
or
Client Data Plane ‐ Carries traffic to/from the clients to the cluster.
d
Server Data Plane ‐ Carries traffic to/from real servers to the cluster.
is
t
Cluster Back Plane ‐ Carries inter‐node message passing and inter‐node forwarding traffic. Should be on a
rib
dedicated switch and interfaces
ut
Control Plane ‐ Carries configuration and control traffic from the admin/user to the cluster.
io
n

•
CITRIX
•
Entities on a NetScaler can be available
on multiple nodes in the Cluster:
• Spotted config
• Active on a single node
Entities Within • Striped config
a Cluster • Active on multiple nodes
• Fully striped (all nodes)
• Partially striped (subset of nodes which
belong to a node group)
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Striped and Spotted IP Addresses
In a clustered deployment, VIP, MIP, and SNIP addresses can be striped or spotted
NetScaler-Owned
Striped IP Address Spotted IP Address
IP Address
NSIP No Yes (Read-Only)
Cluster IP Address No (floats) No (floats)
VIP Yes No
N
MIP/SNIP Yes Yes (recommended)

ot
fo
rr
Key Notes:
es
In a clustered deployment, VIP, MIP, and SNIP addresses can be striped or spotted.
al
Striped IP addresses are active on all nodes of the cluster.
e
or
Spotted IP addresses are active on and owned exclusively by one node.
d is
t
rib
ut
io
n

•
CITRIX
•
• Connection Sourcing - Port selected
in such a way that return traffic
Port Allocation comes back to the same node .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Creating IP Addresses in a Cluster
NetScaler cluster
SNIP: 10.102.29.100
SNIP: 10.102.29.99 SNIP: 10.1 02.29.99 S IP: 10.102.29.99
VIP: 10.1 02.29 .66 VIP: 10.1 02.29 .66 VIP: 10.102.29.66
NSO NS1 NS2
• add lb vserver LBVS 1 HTTP 10.102.29.66 80

• add ns ip 10.102.29.99 255.255.255.0 -type SNIP
N
• add ns ip 10.102.29.100 255.255.255.0 - type SNIP - ownerNode 2

ot
fo
rr
Key Notes:
es
By default, all newly created entities in a cluster are stripped when they are defined on a CLIP.
al
If you would like an entity to be “partially stripped” then bind it to a node group – you bind to a node group
e
by binding to a single node that is a member of that group.
or
Using the “‐ownerNode” switch designates entity as spotted.
d
Note: You cannot change the ownership of a spotted SNIP address at run time. To change the ownership,
is
you must first delete the SNIP address and add it again by specifying the new owner.
t rib
ut
io
n

•
CITRIX
•
Distributed Flow Distributor controls how traffic flow
happens in a Cluster system.
Client requests are sent to a VIP address on the

NetScaler, in a Cluster, are processed through these
Traffic components:
Distribution • Client-data plane
• Flow receiver
• Flow processor
N
ot
fo
rr
Key Notes:
es
ted Flow Distributor controls how traffic flow happens in a cluster system. Whenever the operational view
al
of the system changes (node online/offline), all the connections that are served by the cluster entity are
e
affected. In order to guarantee even traffic distribution among, the distributed flow distributor module will
or
uniformly control how traffic flows to each module.
Interface Manager (external traffic distribution)
d is
Interface Manager deals with how traffic is distributed by the external router/switch to cluster. Three
trib
approaches
ECMP
ut
Link Aggregation
io
n
Link Sets
Flow Distributor (internal traffic distribution)
The node which receives the traffic finds out the flow processor for the traffic and internally steers the
traffic to the flow processor.
The flow processor is determined as follows:
• Compute hash h on 4‐tuple for TCP/UDP, 2‐tuple for other IP
• Flow Processor = prl_first(V, h)
• Steer packet to the flow processor

•
CITRIX
•
• Route the packet to the flow processor
• Tunnel the packet to the flow processor
Flow Distributor / Flow Receiver (FR)
• Determines FP and steers packet to the FP.
• Flow processor (FP)
• Spotted entity: processing set is single node. FP = node in processing set.
• Striped entity: processing set = multiple nodes. Hash computed on the packet
parameters and an ACTIVE node from processing set is selected as FP based on the
hash. Global RSS Key synchronized across all the nodes to compute consistent hash.
• ACLs are applied at FP.
N
Flow processor (FP)
ot
• Spotted entity: processing set is single node. FP = node in processing set.
fo
• Striped entity: processing set = multiple nodes. Hash computed on the packet parameters
and an ACTIVE node from processing set is selected as FP based on the hash. Global RSS
rr
Key synchronized across all the nodes to compute consistent hash.
es
• ACLs are applied at FP.
al
e
Flow Processor
or
• The node which finally processes the traffic is called flow processor.
d is
t rib
ut
io
n

CITRIX
•
NetScaler Cluster Configuration
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
Follow these steps to set up a NetScaler Cluster:
1. Set up the Cluster backplane network.
2. Create the Cluster by adding the first node, which
NetScaler becomes the initial configuration coordinator (CCO).
Cluster Setup 3. Assign a Cluster IP address to that node.

4 . Once the Cluster IP address is defined on the CCO ,
you can add more nodes to the Cluster.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
To set up the Cluster backplane, perform the following
steps for every node:
To Set Up a 1. Identify the network interface that you want to use
Cluster for the backplane .
Backplane 2. Connect an Ethernet or optical cable from the

selected network interface to the cluster backplane
switch.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
Follow these steps to set up the Initial Configuration
Coordinator:
1. Add a Cluster instance: an entity that
identifies the Cluster.
Initial
2. Add the NetScaler system to the Cluster.
Configuration 3. Add the Cluster IP address to this node.
Coordinator 4. Enable the Cluster instance to create the cluster.
5. Save the configuration .
6. Warm restart the system.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
To seamlessly scale the size of a cluster to
include a maximum of 32 nodes:
• Ensure the system is added to the Cluster.

• Verify the licenses on that system are checked
against the licenses available on the CCO .
Cluster Node
Addition If the licenses match:
• The system is added to the Cluster.

• The existing configurations of the node are cleared.
• The cluster configurations are synchronized with the
node .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
The Cluster Interface Manager is responsible
for distributing incoming traffic flows .
• Equal Cost Multiple Path (ECMP) - All nodes must
NetScaler be connected. It can be used in combination with
LinkSets .
Cluster Traffic
• Linksets - Does not require all nodes to be connected .
Distribution
• Cluster Link Aggregation Group (CLAG) - All nodes
must be connected. It can be used in combination
with Linksets.
N
ot
fo
rr
Key Notes:
es
The Cluster Interface Manager is responsible to distribute incoming traffic flows. This can be achieved using
al
different mechanisms:
e
ECMP: Equal Cost Multipath Routing – requires upstream router configuration
or
CLAG: Cluster Link Aggregation Channels – requires upstream switch configuration
d
Link Set
is
t rib
ut
io
n

•
CITRIX
•
NetScaler
Cluster
Management
Common cluster-
management tasks
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
1. Remove the reference to the Cluster instance from
the node .
• This command internally executes the clear ns
config extended command on that node.
Remove a • The MIP and SNIP addresses and all VLAN
Cluster Node configurations (except default VLAN and
NSVLAN) are cleared from the node.
2 . Remove the node from the Cluster.
N
ot
fo
rr
Key Notes:
es
When a node is removed from the cluster, the cluster configurations are cleared from the node (by
al
internally executing the clear ns config ‐extended command). The SNIP addresses and all VLAN

e
configurations (except the default VLAN and NSVLAN) are also cleared from the appliance.
or
If the deleted node was the cluster configuration coordinator, another node is automatically selected as the
cluster configuration coordinator, and the cluster IP address is assigned to that node. All the current cluster
d is
IP address sessions will be invalid and you will have to start a new session.
t rib
To delete the whole cluster, you must remove each node individually. When you remove the last node, the
cluster IP addresses are deleted.
ut
When an active node is removed, the traffic serving capability of the cluster is reduced by one node.
io
Existing connections on this node are terminated.
n

•
CITRIX
•
• You can temporarily remove a node from a Cluster by
disabling the cluster instance on that node.
Disable a • A disabled node is not synchronized with the cluster
configuration and is unable to serve traffic .
Cluster Node
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• To synchronize cluster configurations
by using the NetScaler command-line
interface , type the following
command:
Cluster Configuration
Synchronization - force cluster sync
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
All Cluster nodes must be running the
same software version:
Cluster Node Software
• To upgrade or downgrade the
Upgrades and software of a cluster, you must
Downgrades upgrade or downgrade the software
on each node, one node at a time .
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•
An existing high availability (HA) setup
can be migrated to a cluster setup by
first removing the appliances from the
HA setup and then creating the
HA to c 1ustering Migration NetScaler cluster.
• Consider an HA setup with appliances
NS0 (10.102.97.131) and NS1
(10.102 .97 .132)
• NS0 is the primary and NS1 is the
secondary appliance of the HA setup .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
If a failure occurs in a NetScaler
cluster, the first step in troubleshooting
is to get cluster instance and node by
Troubleshooting running these commands:
NetScaler Cluster - show cluster instance <clid>
- show cluster node <nodeid>
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Independent:
• Each node maintains its own set of logs and counters.
• These reside on each node local storage as it is done today.
Logs and
• On-Demand :
Reporting • Aggregation is done on-demand. Counters are summarized, and logs
are merged in order.
• Tech Support File:

• Support file can be generated for the node or the entire cluster.
NSlO_nodel> ~how techsupport scop (Cluster or
NODE)
N
ot
fo
rr
Key Notes:
es
All nodes will have their own independent set of counters and logs and they will reside on each node.
al
Aggregation is only done on‐demand, for instance when issuing a stat command.
e
or
d is
t rib
ut
io
n

•
CITRIX
•
• Which methods of disaster recovery are you currently
N using in your environment, and why?
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

•
CITRIX
•
• Clustering is a configuration of multiple NetScalers
acting as active-active.
• A striped entity exists on multiple nodes in the cluster
Key Takeaways while a spotted entity exists on a single node .
• Cluster backplane should have a dedicated interface
and switch.
N
ot
fo
rr
es
Clustering Guide: https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler‐
al
adc/citrix_netscaler_clustering_guide_v2.pdf
e
Using Clustering: https://docs.citrix.com/en‐us/netscaler‐gateway/12/clustering.html
or
Creating a NetScaler Cluster: http://docs.citrix.com/en‐us/netscaler/12/clustering/cluster‐setup/cluster‐
d
create.html
is
Prerequisites for Cluster Nodes: http://docs.citrix.com/en‐us/netscaler/12/clustering/cluster‐
t rib
prerequisites.html
ut
io
n

•
CITRIX
•
Connect with Citrix Education
Facebook Twitter Linkedln

Become a fan of Citrix Services Follow @citrixservices Join the Citrix Education group
Visit http://training.citrix.com to find more information on training, certifications, and exams .

N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

•
CITRIX
•
•
CITRIX•
•
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

•
CITRIX
•

CNS 220 2I en StudentManual 4 5 Days v01

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CNS 220 2I en StudentManual 4 5 Days v01

Uploaded by

Copyright:

Available Formats

•

Citrix NetScaler 12.x Essentials and

Traffic Management (4-5 Day)

DNS Rewrite and Responder.........................................................................................137

Module 5 - Secure Web Gateway...............................................................................................175

Module 6 - Global Server Load Balancing..................................................................................193

GSLB DNS Concepts.....................................................................................................196

GSLB Concepts and Architecture...................................................................................208

Module 7 - NetScaler Clustering.................................................................................................263

Citrix NetScaler Traffic

1 © 2017 Citrix Authorized Content

2 © 2017 Citrix Authorized Content

3 © 2017 Citrix Authorized Content

4 © 2017 Citrix Authorized Content

Course • Exposure to basic systems administration concepts ,

5 © 2017 Citrix Authorized Content

• Module 3: Rewrite, Responder, and URL Transform

6 © 2017 Citrix Authorized Content

• Module 7: Clustering (Optional Self Study)

7 © 2017 Citrix Authorized Content

....... , r:::...·· ··· ···

•....• r• ••• ••• ••••• •,

• All lab environment

8 © 2017 Citrix Authorized Content

9 © 2017 Citrix Authorized Content

10 © 2017 Citrix Authorized Content

11 © 2017 Citrix Authorized Content

Promoter Passive Detractor

12 © 2017 Citrix Authorized Content

Facebook Twitter Linkedln

Visit http://training.citrix.com to find more information on training, certifications, and exams .

13 © 2017 Citrix Authorized Content

14 © 2017 Citrix Authorized Content

15 © 2017 Citrix Authorized Content

16 © 2017 Citrix Authorized Content

17 © 2017 Citrix Authorized Content

18 © 2017 Citrix Authorized Content

18 © 2017 Citrix Authorized Content •

19 © 2017 Citrix Authorized Content

20 © 2017 Citrix Authorized Content

21 © 2017 Citrix Authorized Content

• Expressions on a NetScaler system can be viewed

22 © 2017 Citrix Authorized Content

Flow Type Protocol Qualifier Operator Value

REQ.HTTP.HEADER Host CONTAINS Citrix

• Qualifiers specify what the policy examines.

23 © 2017 Citrix Authorized Content

23 © 2017 Citrix Authorized Content •

• Classic policies can operate on the following protocols:

TCP • Destination Port - Destination IP

Client Cipher - Type, Bits . Header

Client SSL Version • URL- Length. Query, Query Length

24 © 2017 Citrix Authorized Content

25 © 2017 Citrix Authorized Content

HTTP • Request/Response Based Data Transfer [MIME Like]

26 © 2017 Citrix Authorized Content

GET http : //training . citrix . com/ HTTP/1 . 1

Host : training . citrix . com

27 © 2017 Citrix Authorized Content

Content - Type : text/html ; charset=utf - 8

Content - Encoding : gzip

28 © 2017 Citrix Authorized Content

28 © 2017 Citrix Authorized Content •

29 © 2017 Citrix Authorized Content