Policy Engine (PE) Deployment Guide: A Technical Reference
Notice: The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. ("CITRIX") SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE. This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix. The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Copyright 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.
Table of Contents

  Introduction
  Prerequisites
  Policy Expressions (PE)
    Components of Policy Expression
    Qualifiers
    Operators
    Operands
  Policy Limitations
  Performance Considerations
  Important Policy Behavior - Policy Engine (PE)
  Sample Expressions using the CLI
  Sample Expressions using the GUI
  Compound Expressions
    Sample Compound Expressions using the CLI
    Sample Compound Expressions using the GUI
Introduction

Citrix NetScaler optimizes the delivery of web applications, increasing security and improving performance and web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability, and performance for web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and application security in a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.

Policies are used to configure various Application Switch features. For example, the parameters for compressing content are defined in a compression policy. The features that use policies are:

  Content Switching
  Content Filtering
  AppCompress
  Cache Redirection
  SSL VPN
  Priority Queuing
  DoS Protection
  Sure Connect

Policy expressions are applied to content that enters the system. Expressions are shared among features, but actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system, and then create a compression policy that uses this expression to compress those files.

The Policy Engine (PE) refers to the policy architecture of the Citrix NetScaler Application Switch for versions up to 8.x. This guide presents that architecture and the manner in which it operates.
Prerequisites

  Citrix NetScaler Application Switch running version 8.x (quantity 1 for a single deployment, quantity 2 for an HA deployment)
  Client laptop/workstation running Internet Explorer 6.0 or later, with an Ethernet port
  9-pin serial cable, or a USB-to-serial cable

NOTE: The policies in this guide are based on the Policy Engine (PE) architecture in NetScaler version 8.0. Policies for NetScaler version 9.0 and later use the Policy Infrastructure (PI) architecture, which differs in syntax and methodology. Policy Infrastructure (PI) is not discussed in this guide.
Policy Expressions (PE)

Components of Policy Expression

The Policy Expressions (PE) language is a basic expression language used to define policy conditions on the NetScaler Application Switch. Because it is the original expression language on the NetScaler, expressions written in it are often called classic expressions.

A policy consists of an expression and an action. Expressions are shared among features on the switch; actions are feature-specific. For example, you can create an expression to identify .pdf files being sent through the system, and then create a compression policy that uses this expression to compress (take action on) those files. Policy expressions work like an If-Then-Else language: the expression is the If, the action is the Then.

An expression consists of the following components:

  Name: the expression name
  Qualifier: the information to be tested
  Operator: the operation to perform
  Operand: the value to compare against the qualifier

Expression syntax:

  add policy expression <name> <qualifier> <operator> <operand>

Example:

  add policy expression mpost REQ.HTTP.METHOD == POST

Qualifiers

Qualifiers are directional, or flow based: they refer either to requests coming from clients or to responses being sent from backend servers. Most often they are based on components of HTTP flows. In the Policy Expression language, flow-based qualifiers start with REQ for request-based expressions and RES for response-based expressions. The qualifier format is:

  [<flow.type>.<protocol>.]<qualifier>

For example:

  REQ.HTTP.METHOD
  REQ.HTTP.URL
  REQ.HTTP.HEADER
Operators

The operator identifies the operation to perform on the operands. The following table defines the operators.

  Operator                Description
  ==, !=, EQ, NEQ         Test for exact matches. These are case sensitive.
  GT                      Numerical comparison; used on the length of URLs and query strings.
  CONTAINS, NOTCONTAINS   Determine whether the specified string is contained in the qualifier. These are not case sensitive.
  EXISTS, NOTEXISTS       Check for the existence of a particular qualifier, for example whether a specific HTTP header or a URL query exists.
  CONTENTS                Checks for the existence of the qualifier and returns its contents.

Operands

An operand defines the value being compared to the corresponding qualifier. Wildcard characters can sometimes be used in operands, for example /*.gif.
Policy Limitations

The Cache Redirection feature has a maximum of 128 expressions and Content Switching a maximum of 512 expressions; these limits are hard-coded and cannot be changed. For the remaining features, the NetScaler Application Switch has a built-in maximum of 1024 expressions, which can be changed from the command line interface:

  nsapimgr -ys maxexpr=<new limit>

Performance Considerations

Some operators behave differently, so take note of the behavior and its potential impact on performance.

The operator == is:
  Case sensitive
  Accepts the wildcard *
  Not CPU intensive

The operator CONTAINS is:
  Not case sensitive
  Does not accept the wildcard *
  CPU intensive

Where an exact or wildcard match expresses the condition, prefer == over CONTAINS: it is cheaper, and because CONTAINS is a substring test it also matches any longer value that embeds the string.
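The operator semantics above (case-sensitive == with a * wildcard, case-insensitive CONTAINS without wildcards, EXISTS/NOTEXISTS, GT on lengths), as an added Python example that is not part of this guide and not NetScaler code. It models a classic expression evaluator over a small request dictionary; the request layout, the two sample requests and the set of qualifiers it understands (REQ.HTTP.METHOD, REQ.HTTP.URL, REQ.HTTP.URLLEN, REQ.HTTP.URLQUERY, REQ.HTTP.HEADER <name>, REQ.IP.SOURCEIP, REQ.IP.DESTIP) are assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample requests (not captures). Header names are stored
# lower-cased so lookups are case-insensitive, as HTTP header names are.
GET_INDEX = {
    "method": "GET",
    "url": "/docs/index.html",
    "headers": {"host": "www.MyHost.com", "user-agent": "curl/7.19"},
    "src_ip": "192.168.10.1",
    "dst_ip": "192.168.12.2",
}
POST_NO_HOST = {
    "method": "POST",
    "url": "/upload?token=abc",
    "headers": {"user-agent": "curl/7.19"},
    "src_ip": "10.0.0.5",
    "dst_ip": "192.168.12.2",
}

OPERATORS = {"==", "!=", "EQ", "NEQ", "GT", "CONTAINS", "NOTCONTAINS",
             "EXISTS", "NOTEXISTS"}


def _wildcard(operand: str) -> "re.Pattern":
    """Compile an operand such as /*.html into a case-sensitive pattern.
    Only '*' is a wildcard (any run of characters); all else is literal."""
    return re.compile("^" + re.escape(operand).replace(r"\*", ".*") + "$")


def _qualifier_value(req: Dict, tokens: List[str]):
    """Resolve a qualifier to its value in req, or None when absent.
    Only the qualifiers used in this guide are modelled (assumption)."""
    name = tokens[0].upper()
    if name == "REQ.HTTP.METHOD":
        return req["method"]
    if name == "REQ.HTTP.URL":
        return req["url"]
    if name == "REQ.HTTP.URLLEN":
        return len(req["url"])
    if name == "REQ.HTTP.URLQUERY":
        return req["url"].partition("?")[2] or None
    if name == "REQ.HTTP.HEADER":          # REQ.HTTP.HEADER <header-name>
        return req["headers"].get(tokens[1].lower())
    if name == "REQ.IP.SOURCEIP":
        return req["src_ip"]
    if name == "REQ.IP.DESTIP":
        return req["dst_ip"]
    raise ValueError(f"unsupported qualifier: {tokens[0]}")


def evaluate(expression: str, req: Dict) -> bool:
    """Evaluate one '<qualifier> <operator> [<operand>]' rule against req."""
    tokens = expression.split()
    idx = next((i for i, t in enumerate(tokens) if t.upper() in OPERATORS), None)
    if idx is None:
        raise ValueError(f"no operator in {expression!r}")
    op = tokens[idx].upper()
    operand = " ".join(tokens[idx + 1:])
    value = _qualifier_value(req, tokens[:idx])

    if op in ("EXISTS", "NOTEXISTS"):      # existence test, takes no operand
        return (value is not None) == (op == "EXISTS")
    if value is None:                      # an absent qualifier never matches
        return False
    if op == "GT":                         # numeric comparison, e.g. URLLEN
        return int(value) > int(operand)
    value = str(value)
    if op in ("==", "EQ"):                 # case-sensitive, '*' is a wildcard
        return _wildcard(operand).match(value) is not None
    if op in ("!=", "NEQ"):
        return _wildcard(operand).match(value) is None
    if op == "CONTAINS":                   # case-insensitive substring, no wildcard
        return operand.lower() in value.lower()
    return operand.lower() not in value.lower()   # NOTCONTAINS
```

Note the two asymmetries the table describes: "REQ.HTTP.METHOD == get" does not match a GET request, while "REQ.HTTP.HEADER Host CONTAINS myhost.com" matches the mixed-case host above; and "/*.html" matches only through ==, a * inside a CONTAINS operand is a literal asterisk.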
[Figure: NetScaler request and response processing pipeline. Stages shown: Requests, SSL Decryption, AAA, App Fw, Responder, Caching, TCP Buffering, TCP Compression, SSL Encryption, Responses.]

Important Policy Behavior - Policy Engine (PE)

Policies are evaluated in the order given by their priority numbers, lowest first. Policies operate on a first-match principle: within a feature's policy set, the action associated with the first policy that matches is applied. Once a match is found, evaluation exits the logic tree and no further policies are evaluated. If a policy does not match, its GOTO expression is evaluated, which can be END (stop evaluating), NEXT (continue with the next priority number), or a specific priority number.

Because evaluation stops at the first match, a broad policy bound with a low priority number shadows every more specific policy bound after it. Bind the most specific (and most restrictive) policies with the lowest numbers.

Each feature has its own set of priority numbers for its own set of policies; priority numbers do not overlap between features. A rewrite policy with priority 20 does not interfere with a caching policy with priority 10, 20 or 30. Request-flow policy priorities come before (lower numbers) response-flow policy priorities (higher numbers). Priority numbers increment in units of 10.

[Figure: features with policy bindings, by flow. Shown: Content Switching, Caching, Load Balancing, HTTP Compression, Content Filtering, App Fw, HTTP DoS, Response Rewrite, Sure Connect, Priority Queueing, SSL Decryption, Request Rewrite, SSL Encryption.]
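The first-match walk described above, with per-feature priority spaces and the GOTO behaviour as this guide states it, as an added Python model that is not part of this guide and not NetScaler code. Feature names, policy names, rules, actions and the requests are all constructed for the illustration; it also shows the shadowing case, where a broad policy at priority 10 prevents a more specific policy at priority 20 from ever being evaluated.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union


@dataclass
class Policy:
    priority: int                     # lower number = evaluated earlier
    name: str
    rule: Callable[[Dict], bool]      # the bound expression
    action: str                       # feature-specific action (illustrative)
    goto: Union[str, int] = "NEXT"    # NEXT, END, or a priority number


def evaluate_feature(policies: List[Policy], req: Dict) -> Tuple[Optional[str], List[str]]:
    """Walk one feature's policy list in ascending priority order.
    Returns (action, trace): action is None when no policy matched;
    trace lists the policies that were actually evaluated."""
    ordered = sorted(policies, key=lambda p: p.priority)
    trace: List[str] = []
    i = 0
    while i < len(ordered):
        pol = ordered[i]
        trace.append(pol.name)
        if pol.rule(req):
            return pol.action, trace          # first match wins; stop here
        # No match: follow the GOTO (as described in this guide) to continue.
        if pol.goto == "NEXT":
            i += 1
        elif pol.goto == "END":
            break
        else:                                 # jump forward to a priority number
            i = next((k for k, p in enumerate(ordered)
                      if p.priority == pol.goto and k > i), len(ordered))
    return None, trace


def evaluate_all(features: Dict[str, List[Policy]], req: Dict) -> Dict[str, Optional[str]]:
    """Each feature has its own priority space: a priority-20 policy in one
    feature never interferes with a priority-20 policy in another."""
    return {name: evaluate_feature(pols, req)[0] for name, pols in features.items()}


# Constructed bindings for two features (assumed names and actions).
FEATURES = {
    "compression": [
        Policy(10, "cmp_skip_images", lambda r: r["url"].endswith((".gif", ".jpg")), "NOCOMPRESS"),
        Policy(20, "cmp_html", lambda r: r["url"].endswith(".html"), "COMPRESS_GZIP"),
    ],
    "content_filter": [
        Policy(10, "drop_trace", lambda r: r["method"] == "TRACE", "DROP"),
        Policy(20, "block_admin", lambda r: r["url"].startswith("/admin"), "RESET"),
    ],
}

# A broad policy bound with the lowest number shadows the specific one after it.
SHADOWED = [
    Policy(10, "cmp_everything", lambda r: True, "COMPRESS_GZIP"),
    Policy(20, "cmp_skip_images", lambda r: r["url"].endswith(".gif"), "NOCOMPRESS"),
]

# A GOTO to a priority number skips the bindings in between.
JUMPING = [
    Policy(10, "probe", lambda r: False, "UNUSED", goto=30),
    Policy(20, "skipped", lambda r: True, "NEVER"),
    Policy(30, "fallback", lambda r: True, "DEFAULT"),
]

if __name__ == "__main__":
    sample = {"method": "GET", "url": "/admin/index.html"}
    print(evaluate_all(FEATURES, sample))
    print(evaluate_feature(SHADOWED, {"method": "GET", "url": "/logo.gif"}))
```

The SHADOWED list is the ordering mistake to look for in a review of bindings: the image exclusion is present, but because the catch-all sits at the lower number it never runs, and the trace shows only one policy evaluated.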
Sample Expressions using the CLI

  add policy expression mget REQ.HTTP.METHOD == GET
  add policy expression uhtml REQ.HTTP.URL == /*.html
  add policy expression hhdr REQ.HTTP.HEADER Host CONTAINS myhost.com
  add policy expression srcip REQ.IP.SOURCEIP == 192.168.10.1
  add policy expression dstip REQ.IP.DESTIP == 192.168.12.2

Sample Expressions using the GUI

To add an expression in the NetScaler GUI, navigate to NetScaler > System > Expressions > Add. Add each expression and click Create.

[GUI screenshots not reproduced]
Compound Expressions

Compound expressions check for multiple conditions. A compound expression is formed from two or more named expressions connected with the logical operators && (and) and || (or), grouped for order of evaluation with the symbols ( and ). Compound expressions are processed from left to right with lazy evaluation: once the final result is known, evaluation stops. Because of this, place the cheapest and most selective sub-expression first; an expensive CONTAINS test placed last is skipped whenever an earlier term already decides the result.

Sample Compound Expressions using the CLI

Sample using the && (and) operator:

  add policy expression not_get REQ.HTTP.METHOD != GET
  add policy expression not_post REQ.HTTP.METHOD != POST
  add policy expression not_head REQ.HTTP.METHOD != HEAD
  add policy expression not_normal_method not_get && not_post && not_head

Sample using the || (or) operator:

  add policy expression no_hdr_host REQ.HTTP.HEADER Host NOTEXISTS
  add policy expression no_hdr_user_agent REQ.HTTP.HEADER User-Agent NOTEXISTS
  add policy expression not_normal_hdrs no_hdr_host || no_hdr_user_agent
  add policy expression bad_request not_normal_method || not_normal_hdrs

Sample Compound Expressions using the GUI

Sample using the && (and) operator:

[GUI screenshot not reproduced]
Sample using the || (or) operator:

[GUI screenshot not reproduced]
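The compound expressions from the CLI samples (not_normal_method, not_normal_hdrs, bad_request), evaluated left to right with lazy evaluation, as an added Python example that is not part of this guide and not NetScaler code. It parses the && / || / ( ) syntax into a small tree and records which simple expressions were actually evaluated, so the short-circuit behaviour is visible. The simple expressions are modelled as Python callables over a constructed request dictionary with lower-cased header names; that layout and the names are assumptions.

```python
import re
from typing import Callable, Dict, List, Union

_TOKEN = re.compile(r"\s*(&&|\|\||\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def tokenize(text: str) -> List[str]:
    """Split '(a && b) || c' into names, &&, ||, ( and )."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens: List[str]):
    """Recursive-descent parser: && binds tighter than ||, ( ) groups.
    Produces ('name', n), ('and', [...]) or ('or', [...]) nodes."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def atom():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "&&", "||"):
            raise ValueError(f"expected an expression name, got {tok!r}")
        return ("name", tok)

    def and_expr():
        parts = [atom()]
        while peek() == "&&":
            take()
            parts.append(atom())
        return ("and", parts) if len(parts) > 1 else parts[0]

    def or_expr():
        parts = [and_expr()]
        while peek() == "||":
            take()
            parts.append(and_expr())
        return ("or", parts) if len(parts) > 1 else parts[0]

    node = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing input after expression")
    return node


Expr = Union[str, Callable[[Dict], bool]]   # a callable (simple) or a compound string


def evaluate(name: str, table: Dict[str, Expr], req: Dict, trace: List[str]) -> bool:
    """Evaluate a named expression; trace records each simple expression
    actually evaluated, which shows where lazy evaluation stopped."""
    entry = table[name]
    if callable(entry):
        trace.append(name)
        return entry(req)
    return _eval_node(parse(tokenize(entry)), table, req, trace)


def _eval_node(node, table, req, trace) -> bool:
    kind, body = node
    if kind == "name":
        return evaluate(body, table, req, trace)
    if kind == "and":    # all() stops at the first False, left to right
        return all(_eval_node(p, table, req, trace) for p in body)
    return any(_eval_node(p, table, req, trace) for p in body)   # 'or': first True


# The named expressions from the CLI samples, modelled on the assumed request dict.
EXPRESSIONS: Dict[str, Expr] = {
    "not_get": lambda r: r["method"] != "GET",
    "not_post": lambda r: r["method"] != "POST",
    "not_head": lambda r: r["method"] != "HEAD",
    "no_hdr_host": lambda r: "host" not in r["headers"],
    "no_hdr_user_agent": lambda r: "user-agent" not in r["headers"],
    "not_normal_method": "not_get && not_post && not_head",
    "not_normal_hdrs": "no_hdr_host || no_hdr_user_agent",
    "bad_request": "not_normal_method || not_normal_hdrs",
}


def check(name: str, req: Dict):
    """Return (result, trace) for one named expression against req."""
    trace: List[str] = []
    return evaluate(name, EXPRESSIONS, req, trace), trace
```

For a TRACE request with no headers, bad_request is decided after not_get, not_post and not_head alone: not_normal_method is already true, so not_normal_hdrs is never evaluated. For an ordinary GET with both headers, not_normal_method stops at not_get (false), and both header checks then run.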