Integrating Cleafy with Citrix NetScaler

Transcription

1 Integrating Cleafy with Citrix NetScaler

2 Table of Contents Integrating Cleafy with Citrix NetScaler... 1 Scope... 3 Supported releases... 3 Prerequisites... 3 Introduction... 4 Reference Architecture... 5 Sizing Guidelines... 6 Installation script... 7 Configuration Parameters... 7 Integrating Cleafy DETECT... 8 Integration flow... 8 Install commands... 8 NS Variables... 8 NS Assignments... 9 HTTP Callouts... 9 Rewrite Policies and Actions Virtual Servers Context Switching Cleafy PROTECT Integration flow Install commands HTTP Callouts Rewrite Policies and Actions Virtual Servers Appendix A Install script for Cleafy DETECT Appendix B Install script for Cleafy DETECT and PROTECT

3 Scope This document describes how to integrate Cleafy with Citrix NetScaler solutions to leverage Cleafy advanced threat detection and protection capabilities in a NetScaler environment. Supported releases Cleafy 4.x versions support the following Citrix NetScaler families: NetScaler VPX NetScaler MPX NetScaler SDX NetScaler CDX The integration has been certified and validated as Citrix Ready with both version 10.5E and later, including 11.0 and Prerequisites The only prerequisite is represented by a working installation of a supported version of the Citrix NetScaler families. Of course, a working installation of Cleafy with valid license is also required. It is also assumed that both Citrix NetScaler and Cleafy need to be correctly sized for the expected amount of traffic generated for the managed applications once the respective application perimeters are defined. 3

4 Introduction The Cleafy integration with NetScaler is based on the possibility to switch requests between the original application to be managed and the Cleafy application and more importantly on the ability to modify request and response flows thanks to Rewrite Policies and HTTP Callouts. Please refer to Cleafy Installation guide for understanding the general integration mechanisms with Application Delivery Controllers (ADCs) and reading a detailed description of the expected sequence flows. Notice that the actual configuration of the integration between Cleafy and Citrix NetScaler may vary based on both the architecture of the specific application to be managed by Cleafy and on the original configuration of Citrix NetScaler. Therefore, in the rest of this document, a reference implementation is described which can be easily adapted to any other specific implementation. 4

5 Reference Architecture The integration architecture requires configuring several NetScaler components, including Context Switching and Load Balancing components, and defining several NetScaler constructs, including Rewrite Actions and HTTP Callouts. Please refer to Citrix on-line documentation (e.g. for version 12: to get started with NetScaler concepts. The following figure represent a NetScaler architecture with the required components and constructs required to have a single application (named ProBank in the following) managed by Cleafy. Fig. 1: Reference architecture of the Cleafy and Citrix NetScaler integration For simplicity reasons, this reference architecture only shows only one server defined both for the Virtual Server associated to the ProBank application and for the Cleafy applications. Of course, the number of servers configured for either of these applications is likely to be larger, in a specific installation based on different criteria (e.g. for scaling reasons). The configuration can be easily extended by adding more server to the appropriate Virtual Service, as no specific configuration is required to implement the Cleafy integration to to NetScaler. Also notice that since a single Cleafy implementation usually manages more than one application, some of these components and constructs defined in the following need to be replicated to manage multiple applications, as it will be clear once their role in the reference architecture will described in the following. 5

6 Sizing Guidelines NetScaler needs to be correctly sized for the expected amount of traffic generated once Cleafy is configured for the applications of interest and the required application perimeters. Because Cleafy generates additional traffic both inside the ADC and between the client and the Cleafy engine via the ADC, the integrated NetScaler may need to be resized accordingly (both in terms of resources and required licenses). The increase may vary depending on several factors, including the defined application perimeter (i.e. which pages are being monitored). An educated guess for Cleafy implementation where only a limited perimeter is monitored, typically ranges from 15% (DETECT only) to 30% upward (both DETECT and PROTECT). The additional bandwidth required by Cleafy DETECT is determined by two key factors: i) all events (both HTTP requests and responses, XHR/API calls) being logged; ii) the rendered DOM and other environmental info being (asynchronously) sent back for each response event. For a monitored page, the multiplying factor with respect to the already consumed bandwidth can be estimated as about 2.5 (i.e. a 150% increase in bandwidth) of the source code. For PROTECT these numbers may need to be doubled. Notice that this theoretical increase needs to be adjusted considering that: iii) only non-static resources are monitored; iv) at least initially only selected pages are monitored and v) protection is typically only applied selectively (e.g. on endpoint, sessions and users detected as infected). All these factors are difficult to evaluate the general case. For example, the contribute from iii) depends on whether caching mechanisms or CDN being in place. In a scenario where the first two parameters can be estimated respectively as 50% and 20%, the additional increase in bandwidth could be estimated starting from 15% for Cleafy DETECT, and 30% for (a full) Cleafy PROTECT. 6

7 Installation script Installing the Cleafy integration with Citrix NetScaler requires executing a set of NetScaler commands. All these commands required by the integration can be issued either from the command line interface or from the NetScaler Console. In the following they are introduced in an order that helps explaining them, while the appendixes at the end of this document provides the full integration script where they are listed in the expected execution order. Notice that all IP addresses (and ports) in the following (and in the install script in the appendixes) need to be replaced with those referring to the specific environment which is being implemented. As described in the following section, there are other Cleafy-related configuration parameters that also need to be changed. Configuration Parameters When configuring the NetScaler environment to implement the Cleafy integration, that there some key configuration parameters (described in the following table) than need to be set to values aligned to the Cleafy configuration. To facilitate their identification in the different contexts, these parameters are highlighted in the sample commands listed below. Parameter Sample value Recommended value URL prefix for Cleafy incoming calls Access Token for Cleafy incoming calls FQDN of the managed application Context Switching, Virtual Server and server names and IP addresses cleafy (used in several contexts: NS Assignment, Rewrite Rule, Context Switching Policy) cleafycitrix (used in the HTTP Callout context) app.citrix.test (used in the HTTP Callout context) probank, probank_vs (managed application), ceafy_vs (Cleafy application) and all IP Addresses referenced The actual value should reflect the Cleafy configuration (INGESTION PATH PREFIX) and be application specific. Notice: it is suggested to use a keyword that resembles the name of the managed app (e.g. probank01 ) to avoid exposing any reference to Cleafy. The actual value should reflect the Cleafy configuration (INGESTION ACCESS TOKEN). This parameter is configured when adding a new application to the environment (please refer to the Cleafy manuals). The actual value should represent the FQDN of the managed application. These will differ from what indicated in the sample commands so there are also highlighted to facilitate their replacement 7

8 Integrating Cleafy DETECT This chapter describes the NetScaler configuration required for leveraging Cleafy DETECT capabilities, while the following chapter describes how to modify this integration to also get the Cleafy PROTECT capabilities implemented. Integration flow The following picture illustrates the integration flow for Cleafy DETECT. Fig. 2: Flow diagram for Cleafy DETECT Install commands Notice that is assumed that this integration is implemented on top of the Cleafy DETECT. All commands are documented in Appendix A at the end of the document. NS Variables The integration requires 7 NS Variables to be defined. These NS Variables are used by the corresponding NS Assignments to store values of the Session ID, Event ID, Browser ID, Request Header, Request Body, Timestamp and Cleafy-injected script. Their values are taken (or set) from an application request and used by Rewrite Policies to change the application response as required. The following commands can be used to define these NS Variables: add ns variable sid_var -type "text(512)" -scope transaction -comment "SID variable per transaction" add ns variable bid_var -type "text(512)" -scope transaction -comment "BID variable per transaction" 8

9 add ns variable eid_var -type "text(512)" -scope transaction -comment "Event ID variable per transaction" add ns variable req_header -type "text(50000)" -scope transaction -comment "Req Header full Dump" add ns variable req_body -type "text(50000)" -scope transaction -comment "Req Body full Dump" add ns variable time_var -type "text(20)" -scope transaction -comment "Request timedate" add ns variable script_var -type "text(1024)" -scope transaction -comment "Injected Cleafy Script" NS Assignments The integration requires 8 NS Assignments to be defined. These NS Assignments are used to retrieve and set the value of the Session ID and the Browser ID, and to set the values of the Event ID, Request Header, Timestamp and Cleafy-injected Script. The NS Assignments for Session ID and Browser ID are defined so that the values of their associated NS Variables are either taken from the associated request cookie or are generated by using a unique ID based on the request. The following commands defining these NS Assignments: add ns assignment Set_REQ_Header -variable "$req_header" -set "HTTP.REQ.FULL_HEADER.PREFIX(HTTP.REQ.FULL_HEADER.LENGTH - 4)" add ns assignment Set_REQ_Body -variable "$req_body" -set "HTTP.REQ.BODY(5000)" add ns assignment Get_BID_from_Cookie -variable "$bid_var" -set "HTTP.REQ.COOKIE.VALUE(\"bid\")" add ns assignment Set_BID_var -variable "$bid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Get_SID_from_Cookie -variable "$sid_var" -set "HTTP.REQ.COOKIE.VALUE(\"sid\")" add ns assignment Set_SID_var -variable "$sid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_EID_var -variable "$eid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_TIME_var -variable "$time_var" -set "SYS.TIME.YEAR + \"-\" + SYS.TIME.MONTH + \"-\" + SYS.TIME.DAY + \"T\" + SYS.TIME.HOURS + \":\" + SYS.TIME.MINUTES + \":\" + SYS.TIME.SECONDS + \"Z\"" add ns assignment Set_Script_var -variable "$script_var" -set "\"<noscript><img src=\'/cleafy/in/\" + $eid_var + \"/1/1\' style=\'display:none;\'/></noscript><script src=\'/cleafy/in/\" + $eid_var + \"/2/1\' type=\'text/javascript\'></script></body>\"" All definitions of NS Assignments do not require to be changed as they reflect the general logic of Cleafy integration with NetScaler. The only exception is represented by the value cleafy in the expression associated to Set_Script_var that need to be changed to the INGESTION PATH PREFIX configured in the Cleafy configuration for the managed application. HTTP Callouts The integration requires an HTTP Callout to be defined for the Virtual Server associated to the Cleafy application to ensure that all (asynchronous) calls to Cleafy services are correctly executed. As already mentioned, since a Cleafy implementation can manage multiple applications, an HTTP Callout definition for each managed application will need to be defined. 9

10 The sample command defining this HTTP Callout is: add policy httpcallout send_hitlog -vserver cleafy_vs -returntype BOOL -httpmethod POST - hostexpr "\" \"" -urlstemexpr "\"/in/\" + $eid_var +\"/ /cleafycitrix/hitlog\"" -bodyexpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.b64encode + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \" \" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.b64encode + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultexpr TRUE set policy httpcallout send_hitlog -vserver cleafy_vs -returntype BOOL -httpmethod POST - hostexpr "\" \"" -urlstemexpr "\"/in/\" + $eid_var +\"/ /cleafycitrix/hitlog\"" -bodyexpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.b64encode + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \" \" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.b64encode + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultexpr TRUE In these commands, the value in URL Stem Expression needs to be replaced by the FQDN or IP Address of the managed application while the value cleafycitrix needs to be replaced by the access token configured in the Cleafy implementation for the managed application. It is also suggested to replace the value the Host Expression by the FQDN of the managed application, even if the specific value for this field is irrelevant for the Cleafy integration. Rewrite Policies and Actions The integration requires several Rewrite Policies/Actions (both for HTTP requests and for HTTP responses) to be defined for the Virtual Server defined associated to the managed application and a single Rewrite Policy/Action (for HTTP requests, while none is required for HTTP responses) defined for the Virtual Server associated to the Cleafy application. The following commands can be used for defining the Rewrite Actions and Policies for the Virtual Server associated to the Cleafy application: add rewrite action req_act_removecleafypath replace HTTP.REQ.URL "\"/\" + HTTP.REQ.URL.PATH_AND_QUERY.STRIP_START_CHARS(\"/cleafy/\")" add rewrite policy req_pol_removecleafypath "HTTP.REQ.URL.STARTSWITH(\"/cleafy\")" req_act_removecleafypath The URL fragment cleafy in both this Rewrite Action and Rewrite Policy should be changed to reflect the Cleafy configuration (i.e. the INGESTION PATH PREFIX), as they take care of removing of the Cleafy ingestion path prefix from the URLs, thus making calls received by Cleafy the same in every Cleafy implementation. The following commands can be used for defining the Rewrite Actions for the Virtual Server associated to the managed application: add rewrite action req_act_replacehttpver replace HTTP.REQ.VERSION "\"HTTP/1.0\"" add rewrite action req_act_insertconnkalive insert_http_header Connection "\"Keep- Alive\"" add rewrite action req_act_removeacceptencoding delete_http_header Accept-Encoding add rewrite action Set-BID-Cookie insert_http_header Set-Cookie "\"bid=\" + $bid_var + \";expires=\" + SYS.TIME.ADD(86400).TYPECAST_TIME_AT + \";path=/;\"" 10

11 add rewrite action Set-SID-Cookie insert_http_header Set-Cookie "\"sid=\" + $sid_var + \";expires=\" + SYS.TIME.ADD(1200).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Inject_Script insert_before_all "HTTP.RES.BODY( ).SET_TEXT_MODE(ignorecase)" "$script_var" -search "regex(re~<\\/body>~)" add rewrite action Insert-EID-Header insert_http_header uniqueid "$eid_var" Most of the Rewrite Actions are used to set all the different IDs. A specific Rewrite Action Inject_Script is used to inject the Cleafy script by rewriting the fragment </body> with the NS Variable containing the Cleafy script at the end of the response, which also takes care of restoring </body> (see definition of the corresponding NS Assignment). The following commands can be used to define the corresponding Rewrite Policies for the Virtual Server associated to the managed application: add rewrite policy req_pol_insertconnheader TRUE req_act_insertconnkalive add rewrite policy req_pol_removeacceptencoding TRUE req_act_removeacceptencoding add rewrite policy req_pol_replacehttpver TRUE req_act_replacehttpver add rewrite policy Policy-Rewrite-Set-TIME-var TRUE Set_TIME_var add rewrite policy Policy-Rewrite-Set_EID_var TRUE Set_EID_var add rewrite policy Policy-Rewrite-Set_SID_var TRUE Set_SID_var add rewrite policy Policy-Rewrite-Set_BID_var TRUE Set_BID_var add rewrite policy Policy-Rewrite-Get_BID_Cookie "HTTP.REQ.COOKIE.VALUE(\"bid\").LENGTH >4" Get_BID_from_Cookie add rewrite policy Policy-Rewrite-Get_SID_Cookie "HTTP.REQ.COOKIE.VALUE(\"sid\").LENGTH >4" Get_SID_from_Cookie add rewrite policy Policy-Rewrite-Set-REQ-Header TRUE Set_REQ_Header add rewrite policy Policy-Rewrite-Set-REQ-Body TRUE Set_REQ_Body add rewrite policy Policy-Rewrite-Set-Script-var TRUE Set_Script_var add rewrite policy Policy-Rewrite-Insert-EID-Header TRUE Insert-EID-Header add rewrite policy Policy-Rewrite-Set_BID_Cookie "$bid_var.eq(\"\").not" Set-BID-Cookie add rewrite policy Policy-Rewrite-Set_SID_Cookie "$sid_var.eq(\"\").not" Set-SID-Cookie add rewrite policy Policy-Rewrite-Inject-Script "HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\")" Inject_Script add rewrite policy Policy-Rewrite-Send-LOG "(HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\") HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"application/json\") HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/xml\")) && SYS.NON_BLOCKING_HTTP_CALLOUT(send_hitlog)" NOREWRITE NOREWRITE All definitions of Rewrite Actions and Rewrite Policies should not be changed as they reflect the general logic of Cleafy integration with an ADC. Virtual Servers As indicated in the reference architecture, two Virtual Servers need be defined: one for the ProBank application to be managed and another for the Cleafy application. For simplicity sake only one server is associate to each Virtual Servers. The following commands can be used to define the defined servers are: add service probank_server HTTP gslb NONE -maxclient 0 -maxreq 0 - cip DISABLED -usip NO -useproxyport YES -sp OFF -clttimeout 180 -svrtimeout 360 -CKA NO - TCPB NO -CMP NO add service cleafy_server HTTP gslb NONE -maxclient 0 -maxreq 0 - cip DISABLED -usip NO -useproxyport YES -sp OFF -clttimeout 180 -svrtimeout 360 -CKA NO - TCPB NO -CMP NO 11

12 Notice that here the HTTP port associated to Cleafy is expected to be the standard value 9091 associated to Cleafy ingestion APIs, so it has not been highlighted as a potential value to be changed. The following commands can be used to define these Virtual Servers: add lb vserver probank_vs HTTP persistencetype NONE -cookiename testingsid -clttimeout 180 add lb vserver cleafy_vs HTTP persistencetype NONE -clttimeout 180 The following commands can be used to define the binding between the defined servers (only two in the simplified reference architecture) and Virtual Servers: bind lb vserver probank_vs probank_server1 bind lb vserver cleafy_vs cleafy_server1 The following commands can be used to define the binding between Rewrite Policies (both for HTTP Requests and HTTP Responses) and the Virtual Server associated to the managed application: bind lb vserver probank_vs -policyname Policy-Rewrite-Set-TIME-var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_EID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_SID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_BID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Get_SID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Get_BID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-REQ-Header -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-REQ-Body -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-Script-var -priority gotopriorityexpression END -type REQUEST bind lb vserver probank_vs -policyname Policy-Rewrite-Set_SID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_BID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Insert-EID-Header -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Inject-Script -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Send-LOG -priority gotopriorityexpression END -type RESPONSE The following command can be used to define the binding between Rewrite Policies (only 1) and the Virtual Server associated to the Cleafy application: bind lb vserver cleafy_vs -policyname req_pol_removecleafypath -priority gotopriorityexpression END -type REQUEST 12

13 Context Switching As indicated in the reference architecture (Figure 1), a Context Switching component should be configured to manage the traffic directed to the application to be managed by Cleafy from the traffic directed to the Cleafy application (its associated virtual server). Since a Cleafy implementation can manage multiple applications, the Context Switching commands need to be replicated for each managed application. The sample command defining the Context Switching is: add cs vserver probank HTTP clttimeout 180 The sample commands defining the required Context Switching Policy and Action are: add cs action To_Cleafy -targetlbvserver cleafy_vs add cs policy Traffic_to_cleafy -rule "HTTP.REQ.URL.STARTSWITH(\"/cleafy/\")" -action To_Cleafy As already noted, in the string cleafy the Context Switching Policy needs to changed to reflect the Cleafy configuration (i.e. the configured INGESTION PATH PREFIX). The sample commands defining the binding between Context Switching and defined Context Switching Policy and Action are: bind cs vserver probank -policyname Traffic_to_cleafy -priority 100 bind cs vserver probank -lbvserver probank_vs 13

14 Cleafy PROTECT This chapter describes the NetScaler configuration required for leveraging Cleafy PROTECT capabilities. Integration flow The following picture illustrates the integration flow required by Cleafy PROTECT. This picture also clarifies the high-level idea of Cleafy PROTECT of first delivering a secured container, before delivering the content originally requested so that it can be safely executed in this container (which is unwraps it in its place). For more details about Cleafy PROTECT please refer to the Cleafy documentation. Fig. 3: Flow diagram for Cleafy PROTECT when integrated with Install commands Notice that is assumed that this integration is implemented on top of the Cleafy DETECT. The full set of commands required by Cleafy DETECT and PROTECT are documented in Appendix B at the end of the document. HTTP Callouts The integration requires two HTTP Callouts to be defined for the Virtual Server associated to the Cleafy application to request a Cleafy container and. As already mentioned, since a Cleafy implementation can manage multiple applications, an HTTP Callout definition for each managed application will need to be defined. The sample commands defining these HTTP Callouts are: 14

15 add policy httpcallout get_box_container -vserver cleafy_vs -returntype TEXT -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/container/\"" -scheme http -resultexpr "HTTP.RES.BODY(999999)" set policy httpcallout get_box_container -vserver cleafy_vs -returntype TEXT -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/container/\"" -scheme http -resultexpr "HTTP.RES.BODY(999999)" add policy httpcallout save_page_to_protect -vserver cleafy_vs -returntype BOOL - httpmethod POST -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/\"" -bodyexpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultexpr TRUE set policy httpcallout save_page_to_protect -vserver cleafy_vs -returntype BOOL - httpmethod POST -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/\"" -bodyexpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultexpr TRUE Rewrite Policies and Actions The integration requires some Rewrite Policies/Actions (for HTTP responses) to be defined for the Virtual Server defined associated to the managed application. The following commands can be used for defining the Rewrite Actions for the Virtual Server associated to the managed application: add rewrite action Replace_with_Container replace "HTTP.RES.BODY(999999)" "SYS.HTTP_CALLOUT(get_box_container)" The following commands can be used to define the corresponding Rewrite Policies for the Virtual Server associated to the managed application: add rewrite policy Policy_Replace_with_Container "HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\")" Replace_with_Container add rewrite policy Policy_Save_Page "HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\") && SYS.HTTP_CALLOUT(save_page_to_protect)" NOREWRITE NOREWRITE Virtual Servers The following commands can be used for defining the Rewrite Actions for the Virtual Server associated to the managed application: bind lb vserver probank_vs -policyname Policy_Save_Page -priority bind lb vserver probank_vs -policyname Policy_Replace_with_Container -priority gotopriorityexpression END -type RESPONSE Notice that in case the NetScaler configuration has been already implemented to support Cleafy DETECT, the following binding needs to be re-created with NEXT as go-to expression (in place of END): bind lb vserver probank_vs -policyname Policy-Rewrite-Send-LOG -priority

16 Appendix A Install script for Cleafy DETECT For convenience sake, the following lists all commands for the integration of Cleafy DETECT in the reference architecture. Since they are listed so as to take into account dependencies among the defined constructs, so the following can be directly used as install script (once the appropriate values are set for the specific environment of interest). Cleafy integration to Citrix NetScaler Architecture disclaimer Content Switch: Cleafy Virtual Server: App Virtual Server: Cleafy Server: App Server: Cleafy Ingestion Access Token: cleafycitrix Cleafy Application FQDN: Cleafy Ingestion Post URI: cleafy Server Pools add service probank_server HTTP gslb NONE -maxclient 0 -maxreq 0 - cip DISABLED -usip NO -useproxyport YES -sp OFF -clttimeout 180 -svrtimeout 360 -CKA NO - TCPB NO -CMP NO add service cleafy_server HTTP gslb NONE -maxclient 0 -maxreq 0 - cip DISABLED -usip NO -useproxyport YES -sp OFF -clttimeout 180 -svrtimeout 360 -CKA NO - TCPB NO -CMP NO Virtual Servers add lb vserver probank_vs HTTP persistencetype NONE -clttimeout 180 add lb vserver cleafy_vs HTTP persistencetype NONE -clttimeout 180 Bind Server Pools to Virtual Servers bind lb vserver probank_vs probank_server1 bind lb vserver cleafy_vs cleafy_server1 Context Switching add cs vserver probank HTTP clttimeout 180 Switching Actions add cs action To_Cleafy -targetlbvserver cleafy_vs Switching Policies 16

17 add cs policy Traffic_to_cleafy -rule "HTTP.REQ.URL.STARTSWITH(\"/cleafy/\")" -action To_Cleafy bind cs vserver probank -policyname Traffic_to_cleafy -priority 100 bind cs vserver probank -lbvserver probank_vs Rewrite Action and Policy add rewrite action req_act_removecleafypath replace HTTP.REQ.URL "\"/\" + HTTP.REQ.URL.PATH_AND_QUERY.STRIP_START_CHARS(\"/cleafy/\")" add rewrite policy req_pol_removecleafypath "HTTP.REQ.URL.STARTSWITH(\"/cleafy\")" req_act_removecleafypath bind lb vserver cleafy_vs -policyname req_pol_removecleafypath -priority gotopriorityexpression END -type REQUEST add rewrite action req_act_replacehttpver replace HTTP.REQ.VERSION "\"HTTP/1.0\"" add rewrite action req_act_insertconnkalive insert_http_header Connection "\"Keep- Alive\"" add rewrite action req_act_removeacceptencoding delete_http_header Accept-Encoding add rewrite policy req_pol_insertconnheader TRUE req_act_insertconnkalive add rewrite policy req_pol_removeacceptencoding TRUE req_act_removeacceptencoding add rewrite policy req_pol_replacehttpver TRUE req_act_replacehttpver bind lb vserver probank_vs -policyname req_pol_insertconnheader -priority bind lb vserver probank_vs -policyname req_pol_replacehttpver -priority bind lb vserver probank_vs -policyname req_pol_removeacceptencoding -priority NS Variables add ns variable sid_var -type "text(512)" -scope transaction -comment "SID variable per transaction" add ns variable bid_var -type "text(512)" -scope transaction -comment "BID variable per transaction" add ns variable eid_var -type "text(512)" -scope transaction -comment "Event ID variable per transaction" add ns variable req_header -type "text(50000)" -scope transaction -comment "Req Header full Dump" add ns variable req_body -type "text(50000)" -scope transaction -comment "Req Body full Dump" add ns variable time_var -type "text(20)" -scope transaction -comment "Request timedate" add ns variable script_var -type "text(1024)" -scope transaction -comment "Injected Cleafy Script" NS Assignements add ns assignment Set_REQ_Header -variable "$req_header" -set "HTTP.REQ.FULL_HEADER.PREFIX(HTTP.REQ.FULL_HEADER.LENGTH - 4)" add ns assignment Set_REQ_Body -variable "$req_body" -set "HTTP.REQ.BODY(5000)" add ns assignment Get_BID_from_Cookie -variable "$bid_var" -set "HTTP.REQ.COOKIE.VALUE(\"bid\")" 17

18 add ns assignment Set_BID_var -variable "$bid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Get_SID_from_Cookie -variable "$sid_var" -set "HTTP.REQ.COOKIE.VALUE(\"sid\")" add ns assignment Set_SID_var -variable "$sid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_EID_var -variable "$eid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_TIME_var -variable "$time_var" -set "SYS.TIME.YEAR + \"-\" + SYS.TIME.MONTH + \"-\" + SYS.TIME.DAY + \"T\" + SYS.TIME.HOURS + \":\" + SYS.TIME.MINUTES + \":\" + SYS.TIME.SECONDS + \"Z\"" add ns assignment Set_Script_var -variable "$script_var" -set "\"<noscript><img src=\'/cleafy/in/\" + $eid_var + \"/1/1\' style=\'display:none;\'/></noscript><script src=\'/cleafy/in/\" + $eid_var + \"/2/1\' type=\'text/javascript\'></script></body>\"" HTTP Callout add policy httpcallout send_hitlog -vserver cleafy_vs -returntype BOOL -httpmethod POST - hostexpr "\" \"" -urlstemexpr "\"/in/\" + $eid_var +\"/ /cleafycitrix/hitlog\"" -bodyexpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.b64encode + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \" \" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.b64encode + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultexpr TRUE set policy httpcallout send_hitlog -vserver cleafy_vs -returntype BOOL -httpmethod POST - hostexpr "\" \"" -urlstemexpr "\"/in/\" + $eid_var +\"/ /cleafycitrix/hitlog\"" -bodyexpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.b64encode + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \" \" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.b64encode + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultexpr TRUE Rewrite Actions add rewrite action Set-BID-Cookie insert_http_header Set-Cookie "\"bid=\" + $bid_var + \";expires=\" + SYS.TIME.ADD(86400).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Set-SID-Cookie insert_http_header Set-Cookie "\"sid=\" + $sid_var + \";expires=\" + SYS.TIME.ADD(1200).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Inject_Script insert_before_all "HTTP.RES.BODY( ).SET_TEXT_MODE(ignorecase)" "$script_var" -search "regex(re~<\\/body>~)" add rewrite action Insert-EID-Header insert_http_header uniqueid "$eid_var" Rewrite Policies add rewrite policy Policy-Rewrite-Set-TIME-var TRUE Set_TIME_var add rewrite policy Policy-Rewrite-Set_EID_var TRUE Set_EID_var add rewrite policy Policy-Rewrite-Set_SID_var TRUE Set_SID_var add rewrite policy Policy-Rewrite-Set_BID_var TRUE Set_BID_var add rewrite policy Policy-Rewrite-Get_BID_Cookie "HTTP.REQ.COOKIE.VALUE(\"bid\").LENGTH >4" Get_BID_from_Cookie 18

19 add rewrite policy Policy-Rewrite-Get_SID_Cookie "HTTP.REQ.COOKIE.VALUE(\"sid\").LENGTH >4" Get_SID_from_Cookie add rewrite policy Policy-Rewrite-Set-REQ-Header TRUE Set_REQ_Header add rewrite policy Policy-Rewrite-Set-REQ-Body TRUE Set_REQ_Body add rewrite policy Policy-Rewrite-Set-Script-var TRUE Set_Script_var add rewrite policy Policy-Rewrite-Insert-EID-Header TRUE Insert-EID-Header add rewrite policy Policy-Rewrite-Set_BID_Cookie "$bid_var.eq(\"\").not" Set-BID-Cookie add rewrite policy Policy-Rewrite-Set_SID_Cookie "$sid_var.eq(\"\").not" Set-SID-Cookie add rewrite policy Policy-Rewrite-Inject-Script "HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\")" Inject_Script add rewrite policy Policy-Rewrite-Send-LOG "(HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\") HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"application/json\") HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/xml\")) && SYS.NON_BLOCKING_HTTP_CALLOUT(send_hitlog)" NOREWRITE NOREWRITE Bind Rewirte Policies to Virtual Servers bind lb vserver probank_vs -policyname Policy-Rewrite-Set-TIME-var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_EID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_SID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_BID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Get_SID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Get_BID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-REQ-Header -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-REQ-Body -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-Script-var -priority gotopriorityexpression END -type REQUEST bind lb vserver probank_vs -policyname Policy-Rewrite-Set_SID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_BID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Insert-EID-Header -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Inject-Script -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Send-LOG -priority gotopriorityexpression END -type RESPONSE END Please remember to delete first any pre-existing definition of these constructs before issuing these commands to get their configuration updated. Alternatively, a direct editing from the NetScaler Console is also an option. 19

20 Appendix B Install script for Cleafy DETECT and PROTECT For convenience sake, the following lists all commands for the integration of Cleafy DETECT and PROTECT in the reference architecture. Since they are listed so as to take into account dependencies among the defined constructs, so the following can be directly used as install script (once the appropriate values are set for the specific environment of interest). Cleafy integration to Citrix NetScaler Architecture disclaimer Content Switch: Cleafy Virtual Server: App Virtual Server: Cleafy Server: App Server: Cleafy Ingestion Access Token: cleafycitrix Cleafy Application FQDN: Cleafy Ingestion Post URI: cleafy Server Pools add service probank_server HTTP gslb NONE -maxclient 0 -maxreq 0 - cip DISABLED -usip NO -useproxyport YES -sp OFF -clttimeout 180 -svrtimeout 360 -CKA NO - TCPB NO -CMP NO add service cleafy_server HTTP gslb NONE -maxclient 0 -maxreq 0 - cip DISABLED -usip NO -useproxyport YES -sp OFF -clttimeout 180 -svrtimeout 360 -CKA NO - TCPB NO -CMP NO Virtual Servers add lb vserver probank_vs HTTP persistencetype NONE -clttimeout 180 add lb vserver cleafy_vs HTTP persistencetype NONE -clttimeout 180 Bind Server Pools to Virtual Servers bind lb vserver probank_vs probank_server1 bind lb vserver cleafy_vs cleafy_server1 Context Switching add cs vserver probank HTTP clttimeout 180 Switching Actions add cs action To_Cleafy -targetlbvserver cleafy_vs Switching Policies 20

21 add cs policy Traffic_to_cleafy -rule "HTTP.REQ.URL.STARTSWITH(\"/cleafy/\")" -action To_Cleafy bind cs vserver probank -policyname Traffic_to_cleafy -priority 100 bind cs vserver probank -lbvserver probank_vs Rewrite Action and Policy add rewrite action req_act_removecleafypath replace HTTP.REQ.URL "\"/\" + HTTP.REQ.URL.PATH_AND_QUERY.STRIP_START_CHARS(\"/cleafy/\")" add rewrite policy req_pol_removecleafypath "HTTP.REQ.URL.STARTSWITH(\"/cleafy\")" req_act_removecleafypath bind lb vserver cleafy_vs -policyname req_pol_removecleafypath -priority gotopriorityexpression END -type REQUEST add rewrite action req_act_replacehttpver replace HTTP.REQ.VERSION "\"HTTP/1.0\"" add rewrite action req_act_insertconnkalive insert_http_header Connection "\"Keep- Alive\"" add rewrite action req_act_removeacceptencoding delete_http_header Accept-Encoding add rewrite policy req_pol_insertconnheader TRUE req_act_insertconnkalive add rewrite policy req_pol_removeacceptencoding TRUE req_act_removeacceptencoding add rewrite policy req_pol_replacehttpver TRUE req_act_replacehttpver bind lb vserver probank_vs -policyname req_pol_insertconnheader -priority bind lb vserver probank_vs -policyname req_pol_replacehttpver -priority bind lb vserver probank_vs -policyname req_pol_removeacceptencoding -priority NS Variables add ns variable sid_var -type "text(512)" -scope transaction -comment "SID variable per transaction" add ns variable bid_var -type "text(512)" -scope transaction -comment "BID variable per transaction" add ns variable eid_var -type "text(512)" -scope transaction -comment "Event ID variable per transaction" add ns variable req_header -type "text(50000)" -scope transaction -comment "Req Header full Dump" add ns variable req_body -type "text(50000)" -scope transaction -comment "Req Body full Dump" add ns variable time_var -type "text(20)" -scope transaction -comment "Request timedate" add ns variable script_var -type "text(1024)" -scope transaction -comment "Injected Cleafy Script" NS Assignements add ns assignment Set_REQ_Header -variable "$req_header" -set "HTTP.REQ.FULL_HEADER.PREFIX(HTTP.REQ.FULL_HEADER.LENGTH - 4)" add ns assignment Set_REQ_Body -variable "$req_body" -set "HTTP.REQ.BODY(5000)" add ns assignment Get_BID_from_Cookie -variable "$bid_var" -set "HTTP.REQ.COOKIE.VALUE(\"bid\")" 21

22 add ns assignment Set_BID_var -variable "$bid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Get_SID_from_Cookie -variable "$sid_var" -set "HTTP.REQ.COOKIE.VALUE(\"sid\")" add ns assignment Set_SID_var -variable "$sid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_EID_var -variable "$eid_var" -set "CLIENT.TCP.SRCPORT.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\") + SYS.RANDOM.TYPECAST_TEXT_T.DIGEST(MD5).BLOB_TO_HEX.STRIP_CHARS(\":\")" add ns assignment Set_TIME_var -variable "$time_var" -set "SYS.TIME.YEAR + \"-\" + SYS.TIME.MONTH + \"-\" + SYS.TIME.DAY + \"T\" + SYS.TIME.HOURS + \":\" + SYS.TIME.MINUTES + \":\" + SYS.TIME.SECONDS + \"Z\"" add ns assignment Set_Script_var -variable "$script_var" -set "\"<noscript><img src=\'/cleafy/in/\" + $eid_var + \"/1/1\' style=\'display:none;\'/></noscript><script src=\'/cleafy/in/\" + $eid_var + \"/2/1\' type=\'text/javascript\'></script></body>\"" HTTP Callout add policy httpcallout send_hitlog -vserver cleafy_vs -returntype BOOL -httpmethod POST - hostexpr "\" \"" -urlstemexpr "\"/in/\" + $eid_var +\"/ /cleafycitrix/hitlog\"" -bodyexpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.b64encode + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \" \" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.b64encode + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultexpr TRUE set policy httpcallout send_hitlog -vserver cleafy_vs -returntype BOOL -httpmethod POST - hostexpr "\" \"" -urlstemexpr "\"/in/\" + $eid_var +\"/ /cleafycitrix/hitlog\"" -bodyexpr "\"v.2.0.0;;;1;;;2;;;\" + $time_var + \";;;\" + $script_var.b64encode + \";;;;;;\" + $bid_var + \";;;\" + $sid_var + \";;;\" + $eid_var + \";;;\" + CLIENT.IP.SRC + \":\" + CLIENT.TCP.SRCPORT + \" \" + CLIENT.IP.DST + \":\" + CLIENT.TCP.DSTPORT + \";;;;;;\" + $req_header + \";;;\" + $req_body.b64encode + \";;;HTTP/\" + HTTP.RES.VERSION.MAJOR + \".\" + HTTP.RES.VERSION.MINOR.SUB(1) + \" \" + HTTP.RES.STATUS + \";;;\" + HTTP.RES.FULL_HEADER.PREFIX(HTTP.RES.FULL_HEADER.LENGTH - 10) + \";;;\"+ HTTP.RES.BODY(999999).B64ENCODE" -scheme http -resultexpr TRUE add policy httpcallout get_box_container -vserver cleafy_vs -returntype TEXT -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/container/\"" -scheme http -resultexpr "HTTP.RES.BODY(999999)" set policy httpcallout get_box_container -vserver cleafy_vs -returntype TEXT -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/container/\"" -scheme http -resultexpr "HTTP.RES.BODY(999999)" set policy httpcallout save_page_to_protect -vserver cleafy_vs -returntype BOOL - httpmethod POST -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/\"" -bodyexpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultexpr TRUE add policy httpcallout save_page_to_protect -vserver cleafy_vs -returntype BOOL - httpmethod POST -hostexpr "\" \"" -urlstemexpr "\"/b/\" + $eid_var +\"/ /cleafycitrix/\"" -bodyexpr "$script_var + \";;;\" + HTTP.RES.BODY(999999)" -scheme http -resultexpr TRUE Rewrite Actions add rewrite action Set-BID-Cookie insert_http_header Set-Cookie "\"bid=\" + $bid_var + \";expires=\" + SYS.TIME.ADD(86400).TYPECAST_TIME_AT + \";path=/;\"" 22

23 add rewrite action Set-SID-Cookie insert_http_header Set-Cookie "\"sid=\" + $sid_var + \";expires=\" + SYS.TIME.ADD(1200).TYPECAST_TIME_AT + \";path=/;\"" add rewrite action Inject_Script insert_before_all "HTTP.RES.BODY( ).SET_TEXT_MODE(ignorecase)" "$script_var" -search "regex(re~<\\/body>~)" add rewrite action Insert-EID-Header insert_http_header uniqueid "$eid_var" add rewrite action Replace_with_Container replace "HTTP.RES.BODY(999999)" "SYS.HTTP_CALLOUT(get_box_container)" Rewrite Policies add rewrite policy Policy-Rewrite-Set-TIME-var TRUE Set_TIME_var add rewrite policy Policy-Rewrite-Set_EID_var TRUE Set_EID_var add rewrite policy Policy-Rewrite-Set_SID_var TRUE Set_SID_var add rewrite policy Policy-Rewrite-Set_BID_var TRUE Set_BID_var add rewrite policy Policy-Rewrite-Get_BID_Cookie "HTTP.REQ.COOKIE.VALUE(\"bid\").LENGTH >4" Get_BID_from_Cookie add rewrite policy Policy-Rewrite-Get_SID_Cookie "HTTP.REQ.COOKIE.VALUE(\"sid\").LENGTH >4" Get_SID_from_Cookie add rewrite policy Policy-Rewrite-Set-REQ-Header TRUE Set_REQ_Header add rewrite policy Policy-Rewrite-Set-REQ-Body TRUE Set_REQ_Body add rewrite policy Policy-Rewrite-Set-Script-var TRUE Set_Script_var add rewrite policy Policy-Rewrite-Insert-EID-Header TRUE Insert-EID-Header add rewrite policy Policy-Rewrite-Set_BID_Cookie "$bid_var.eq(\"\").not" Set-BID-Cookie add rewrite policy Policy-Rewrite-Set_SID_Cookie "$sid_var.eq(\"\").not" Set-SID-Cookie add rewrite policy Policy-Rewrite-Inject-Script "HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\")" Inject_Script add rewrite policy Policy-Rewrite-Send-LOG "(HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\") HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"application/json\") HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/xml\")) && SYS.NON_BLOCKING_HTTP_CALLOUT(send_hitlog)" NOREWRITE NOREWRITE add rewrite policy Policy_Replace_with_Container "HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\")" Replace_with_Container add rewrite policy Policy_Save_Page "HTTP.RES.HEADER(\"Content- Type\").CONTAINS(\"text/html\") && SYS.HTTP_CALLOUT(save_page_to_protect)" NOREWRITE NOREWRITE Bind Rewirte Policies to Virtual Servers bind lb vserver probank_vs -policyname Policy-Rewrite-Set-TIME-var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_EID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_SID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_BID_var -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Get_SID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Get_BID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-REQ-Header -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set-REQ-Body -priority

24 bind lb vserver probank_vs -policyname Policy-Rewrite-Set-Script-var -priority gotopriorityexpression END -type REQUEST bind lb vserver probank_vs -policyname Policy-Rewrite-Set_SID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Set_BID_Cookie -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Insert-EID-Header -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Inject-Script -priority bind lb vserver probank_vs -policyname Policy-Rewrite-Send-LOG -priority bind lb vserver probank_vs -policyname Policy_Save_Page -priority bind lb vserver probank_vs -policyname Policy_Replace_with_Container -priority gotopriorityexpression END -type RESPONSE END Please remember to delete first any pre-existing definition of these constructs before issuing these commands to get their configuration updated. Alternatively, a direct editing from the NetScaler Console is also an option. 24