Вы находитесь на странице: 1из 297

CITRIX®

N
ot

Education
fo
rr
es
al

CNS-220-2I:
e

Citrix NetScaler 12.x Essentials and


or

Traffic Management (4-5 Day)


d is
t
rib
ut
io
n
Contents
Module 0 - Course Overview..........................................................................................................1
Module 1 - Classic Policies...........................................................................................................15
Policy Overview................................................................................................................17
Content Filtering...............................................................................................................40
Module 2 - AppExpert Default Policies.........................................................................................49
Default Policy Overview....................................................................................................51
Default Expression Syntax................................................................................................58
Policy Bindings.................................................................................................................67
AppExpert Additional Features.........................................................................................80
Module 3 - Rewrite, Responder and URL Transform.................................................................103
N

Rewrite............................................................................................................................105
ot

Responder......................................................................................................................122
fo

DNS Rewrite and Responder.........................................................................................137


rr

URL Transform...............................................................................................................144
Module 4 - Content Switching.....................................................................................................149
es

Content Switching...........................................................................................................151
al

Content-Switching Configuration....................................................................................160
e

Module 5 - Secure Web Gateway...............................................................................................175


Secure Web Gateway.....................................................................................................177
or

Module 6 - Global Server Load Balancing..................................................................................193


d

GSLB DNS Concepts.....................................................................................................196


is

GSLB Concepts and Architecture...................................................................................208


t rib

Content-Switching GSLB................................................................................................222
GSLB MEP and Monitoring.............................................................................................226
ut

Customizing GSLB.........................................................................................................236
io

Module 7 - NetScaler Clustering.................................................................................................263


n

NetScaler Clustering.......................................................................................................265
NetScaler Cluster Configuration.....................................................................................278

CITRIX

Citrix NetScaler Traffic


Management

Course Overview
N

CNS-219-2i
ot

Version: 1
Lab Guide: v1
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

1 © 2017 Citrix Authorized Content



CITRIX

• Identify the hardware and software components of a
NetScaler.
• Perform initial setup and configuration .
• Describe basic networking , IP address types , VLANs ,
static routes and ACLs.
Learning • Set up and configure a high-availability pair.
Objectives • Configure basic load balancing and SSL .
• Secure the NetScaler with RBA and Ad min Partitions .
• Understand management, mon itoring and
troubleshooting.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

2 © 2017 Citrix Authorized Content



CITRIX

Introduce yourself to the class .
Include the following information:
• Name and company
• Job title
Student
Introductions • Job responsibility
• Networking and virtualization experience
• Citrix hardware and software experience
• Class expectations
N
ot
fo
rr
es
al
e
or
d
is
t rib
ut
io
n

3 © 2017 Citrix Authorized Content



CITRIX

Review:
• Parking and transportation information
Facilities • Class policies
• Break and lunch schedules
• Emergency contact information
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

4 © 2017 Citrix Authorized Content



CITRIX

• Knowledge of TCP/IP, HTTP, and of the OSI model.
• Experience with network devices , networking
protocols, and aspects of application and site
architecture.
• Moderate exposure to UNIX or Linux.

Course • Exposure to basic systems administration concepts ,


including logging , software upgrade procedures , and
Prerequisites high-availability operations.
• Familiarity with web server software.
• Knowledge of network security threats and the site
protection concept.
• An understanding of basic concepts related to server
N

load balancing.
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

5 © 2017 Citrix Authorized Content



CITRIX

• Module 1: Classic Policies
Day One
Course Outline • Module 2: Default Policies

• Module 3: Rewrite, Responder, and URL Transform


N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

6 © 2017 Citrix Authorized Content



CITRIX

• Module 4: Content Switching
Day Two • Module 5: Optimization
Course Outline
• Module 6: GSLB

• Module 7: Clustering (Optional Self Study)


N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

7 © 2017 Citrix Authorized Content



CITRIX

local

110004

....... , r:::...·· ··· ···


=0omlin eor.ea....

Lab 1---+----,
: .: : :::::::::::::: I.OAP
................
:- :

•....• r• ••• ••• ••••• •,

Requirements SIUOentOeslelop
(LanOong VM)
: :::::::::::::: MyS<l.
:- :
.................
• Check connectivity to •............. ,
the environment and
HA Pat
~::-......... ,;
::::........... : WebS--
report any issues. .................
.............,
.. .. .. ... . . . .. , 4

:- :.

• All lab environment


details are also
provided in the lab ::::........ ... : Web~
guide. •• ••• ••• • • • •• , 4
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

8 © 2017 Citrix Authorized Content



CITRIX

Visit http://training.citrix.com/checklist to learn how to:
• Access your student materials
• Use eCourseware features
• Access your labs
Student
• Redeem an exam voucher
Resource
• Complete the course survey
Checklist
Have more questions?
Browse our FAQ at:
http://training.citrix.com/cms/ed ucation/faq
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

9 © 2017 Citrix Authorized Content



CITRIX

• You can download , save, and print electronic
courseware.
Printing • Follow these steps to print to a PDF file :
- Student Resources > Courseware > Student Manual > Launch
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

10 © 2017 Citrix Authorized Content



CITRIX

... (

cmpc - 0

Education

Classroom
Support
How do I open a
Classroom Support ticket?

---- --a..--
------....-
__ -----
.. ..
....,._____ __
...... . ....~-
~ ~ ==:.:::.--
-
o,, ___ c-.....
-~-- -.:.t0,0-...... --·-----
~ .,
0 Cl
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

11 © 2017 Citrix Authorized Content



CITRIX

Citrix Measures your Feedback with NPS
How is Net Promoter Score Calculated?

How likely is it you would recommend Citrix Courses to a friend? Not at all
Extremely
Likely Likely

Promoter Passive Detractor


N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

12 © 2017 Citrix Authorized Content



CITRIX

Connect with Citrix Education

Facebook Twitter Linkedln


Become a fan of Citrix Services Follow @citrixservices Join the Citrix Education group

Visit http://training.citrix.com to find more information on training, certifications, and exams .


N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

13 © 2017 Citrix Authorized Content



CITRIX

1,;l Help shape the next course.
Looking ahead -
End of
Course Survey . , . Tell us what you liked!
Your opinion matters!

Oo
0
What can we do better?
N
ot
fo
rr
es
al
e
or
d
is
t
rib
ut
io
n

14 © 2017 Citrix Authorized Content



CITRIX


CITRIX

NetScaler Traffic
Management
Classic Policies
N

CNS..219-2i
ot

Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

15 © 2017 Citrix Authorized Content



CITRIX

• Discuss the basics of the NetScaler classic policy
engine.
Learning
• Describe the NetScaler content-filtering feature and
Objectives how to configure it.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

16 © 2017 Citrix Authorized Content



CITRIX

Policy Overview
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

17 © 2017 Citrix Authorized Content



CITRIX

• Policies contro l how a feature evaluates data and then
determines what to do with it.
Policies • A policy uses a logical expression , also called a rule ,
to evaluate requests , responses , or other data , and
applies one or more actions determ ined by the
outcome of the evaluation .
N
ot
fo
rr

Key Notes:
es

Policies control how a feature evaluates data, which ultimately determines what the feature does with the 
al

data. A policy uses a logical expression, also called a rule, to evaluate requests, responses, or other data, 
e

and applies one or more actions determined by the outcome of the evaluation. Alternatively, a policy can 
or

apply a profile, which defines a complex action.
Some NetScaler features use default syntax policies, which provide greater capabilities than do the older, 
d is

classic policies. If you migrated to a newer release of the NetScaler software and have configured classic 
t

policies for features that now use default syntax policies, you might have to manually migrate policies to 
rib

the default syntax.
ut

Basic Components of a Classic or Default Syntax Policy:
io

• Name.
n

• Each policy has a unique name.
• Rule.
• The rule is a logical expression that enables the NetScaler feature to evaluate a piece of traffic or 
another object. For example, a rule can enable the NetScaler to determine whether an HTTP 
request originated from a particular IP address, or whether a Cache‐Control header in an HTTP 
request has the value “No‐Cache.”
• Default syntax policies can use all of the expressions that are available in a classic policy, with the 
exception of classic expressions for the SSL VPN client. In addition, default syntax policies enable 
you to configure more complex expressions.
• Bindings.
• To ensure that the NetScaler can invoke a policy when it is needed, you associate the policy, or 
bind it, to one or   more  bind points. You can bind a policy globally or to a virtual server. 

18 © 2017 Citrix Authorized Content



CITRIX

• An associated action.  
• An action is a separate entity from a policy. Policy evaluation ultimately results in 
the NetScaler performing an action. For example, a policy in the integrated cache can 
identify HTTP requests for .gif or .jpeg files. An action that you associate with this policy 
determines that the responses to these types of requests are served from the cache.

Additional Resources:
• How Different NetScaler Features Use Policies
http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐expressions/ns‐pi‐intro‐
pol‐exp‐wrapper‐con/ns‐pi‐adv‐class‐pol‐con.html
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

18 © 2017 Citrix Authorized Content •


CITRIX

The NetScaler supports two types of policy engines:
• Classic - evaluated on basic characteristics of traffic
and other data.
• Default (Advanced) - performs the same evaluations
as classic policies, and in addition can enable the
analysis of more data.
N
ot
fo
rr

Key Notes:
es

Both classic and default policies derive their ability to control the NetScaler’s behavior from the evaluation 
al

of a logical expression, or rule, in the policy. The NetScaler evaluates requests, responses, or other data 
e

based on the rule and takes one or more actions based on the outcome of the evaluation.
or

Policy expression engines include:
d

• Classic policy expression engine
is

• Policy Infrastructure engine
t rib

Expression languages include:
ut

• Classic policy 
io

• Advanced policy
n

19 © 2017 Citrix Authorized Content



CITRIX

• A policy consists of an expression to identify the traffic
Classic and an action associated with the expression.
Policies • Expression language can be used across any feature
that supports classic policy engine.
• Actions are feature specific .
N
ot
fo
rr

Key Notes:
es

Classic policies are evaluated according to bind points and priority level.
al

Classic policies evaluate basic characteristics of traffic and other data. For example, classic policies can 
e

identify whether an HTTP request or response contains a particular type of header or URL.
or

The Classic Expressions are being deprecated after NetScaler 12.0
d is
t rib
ut
io
n

20 © 2017 Citrix Authorized Content



CITRIX

Classic policies always begin by specifying the flow
type , which makes them easy to identify.
Classic
The flow type is REQ for incoming connections and
Policies RES for outgoing connections.
Cont. Below are protocols that classic policies support:
• HTTP
• TCP
• IP
• SSL
N
ot
fo
rr

Key Notes:
es

Flow is always in the first position of a classic policy expression. For example, REQ.HTTP or RES.IP 
al

For Classic policies, policy groups and policies within a group are evaluated in a particular order, depending 
e

on the following:
or

• 1. The bind point for the policy, for example at request time, the NetScaler evaluates all request‐
d

time classic policies before evaluating any virtual server‐specific policies.
is

• 2. The priority level for the policy, for each point in the evaluation process, a priority level 
t rib

assigned to a policy determines the order of evaluation relative to other policies that share the 
same bind point.
ut
io
n

21 © 2017 Citrix Authorized Content



CITRIX

• Expressions can be named or inline:
• Named expressions are reusable pieces of logic.
• lnline expressions are defined inline when the policy is created .
Expression • Expressions on a NetScaler system:
Structures • Can be simple or compound
• Consist of a name, qualifier, and operator

• Expressions on a NetScaler system can be viewed


and configured using the :
• Configuration Utility
. cu
N
ot
fo
rr

Key Notes:
es

Named expressions are saved reusable pieces of logic. If you think you will need the same piece of logic in 
al

multiple features, you can create a named expression and use it in policies across features.
e

Named Expressions are named logical statements.
or

Expressions are applied to content that enters the system. 
d

Named expressions are created once, and can then be referenced a number of times by different feature 
is

sets in the Citrix NetScaler. Decreasing administrative overhead for policy expressions. For example you 
t rib

write an expression to identify ASP pages, you then use this expression in both a compression policy (to 
compress the pages) and a content switching policy (to direct the connection to the correct servers). 
ut

Even if expressions are written inline, the same syntax to define the expression can be used across different 
io

feature sets, simplifying the use of the NetScaler appliance.
n

Additional Resources:
Configuring Classic Polices and Expressions: http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐
and‐expressions.html
You can also download a list of all the expressions supported on a legacy NetScaler appliance and the 
hierarchical order in which they can be invoked. The reference is in a zip file which you can download from:
• For NetScaler 10.5: http://support.citrix.com/article/CTX141344
• For NetScaler 10.1: http://support.citrix.com/article/CTX137705

22 © 2017 Citrix Authorized Content



CITRIX

Qualifiers, Operators, and Expression Values

Flow Type Protocol Qualifier Operator Value


1.

REQ.HTTP.HEADER Host CONTAINS Citrix

2. REQ.TCP.DESTPORT == 80

• Qualifiers specify what the policy examines.


• Operators determine how the qualifier will be examined.
N
ot

• A qualifier is compared with the expression value , which can be literal text, a
substring of text, or a numeric value .
fo
rr

Key Notes:
es

An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—
al

that manipulates one or more objects, or operands. The first section in this topic defines the operators you 
e

can use and provides a definition. The second section lists the operators you can use with specific 
or

qualifiers, such as method, URL and query.
Operators:
d is

• ==
t rib

• Boolean.
• Returns TRUE if the current expression equals the argument. For text operations, the items being 
ut

compared must exactly match one another. For numeric operations, the items must evaluate to the 
io

same number.
n

• !=
• Boolean.
• Returns TRUE if the current expression does not equal the argument. For text operations, the items 
being compared must not exactly match one another. For numeric operations, the items must not 
evaluate to the same number.
• CONTAINS
• Boolean.
• Returns TRUE if the current expression contains the string that is designated in the argument.
• NOTCONTAINS
• Boolean.
• Returns TRUE if the current expression does not contain the string that is designated in the argument.

23 © 2017 Citrix Authorized Content



CITRIX

• CONTENTS
• Text.
• Returns the contents of the current expression.
• EXISTS
• Boolean.
• Returns TRUE if the item designated by the current expression exists.
• NOTEXISTS
• Boolean.
• Returns TRUE if the item designated by the current expression does not exist.
• >
• Boolean.
N

• Returns TRUE if the current expression evaluates to a number that is greater than the 
ot

argument.
fo

• <
rr

• Boolean.
• Returns TRUE if the current expression evaluates to a number that is less than the 
es

argument.
al

• >=
e

• Boolean.
or

• Returns TRUE if the current expression evaluates to a number that is greater than or 
d

equal to the argument.
is

• <=
t rib

• Boolean.
• Returns TRUE if the current expression evaluates to a number that is less than or equal 
ut

to the argument.
io
n

23 © 2017 Citrix Authorized Content •


CITRIX

Classic Policy Protocols

• Classic policies can operate on the following protocols:

• Source Port
IP
II source IP

TCP • Destination Port - Destination IP

. MSS

. Method
- Client Cert
. URL
Client Cert- Subject, Issuer, SigAlgo
. URLTokens
SSL

Client Cert- Version, Validity . Version
N

Client Cipher - Type, Bits . Header


ot

Client SSL Version • URL- Length. Query, Query Length


;-
fo
rr
es
al
e
or
d is
t rib
ut
io
n

24 © 2017 Citrix Authorized Content



CITRIX

When might you use a named expression in your
environment, instead of writing your expression inline?
N
ot
fo
rr

Key Notes:
es

If you are not going to reuse the logic, then just write it inline, but if you know it is something you might 
al

reuse, then a named expression saves time and trouble.
e
or
d is
t rib
ut
io
n

25 © 2017 Citrix Authorized Content



CITRIX

• HTTP
• Request-Response based protocolApplication-level protocol for
distributed , collaborative, hypermedia information systems.

HTTP • Request/Response Based Data Transfer [MIME Like]


• Inherently Stateless protocol.

r.:-:1 • With HTTP 1.1 Cookies are used for storing session information .

~
• HTTPS implements encryption of HTTP traffic.
• Versions: HTTP 0.9,HTTP 0.1,HTTP 1.1,HTTP 2.0
N
ot
fo
rr

Key Notes:
es

Short for HyperTextTransferProtocol , HTTP is the underlying protocol for the World Wide Web. HTTP 
al

defines how messages are formatted and transmitted and what actions web servers and browsers should 
e

take in response to various commands. 
or
d

Additional Resources:
is

Http 1.0 :https://tools.ietf.org/html/rfc1945
t rib

HTTP 1.1 : https://tools.ietf.org/html/rfc7231
ut

HTTP2.0 : https://tools.ietf.org/html/rfc7540
io

NetScaler Support for 2.0: https://docs.citrix.com/en‐us/netscaler/11/system/http‐
n

configurations/configuring‐http2.html

26 © 2017 Citrix Authorized Content



CITRIX

HTTP Request Headers
Here is an example of an HTTP request initiated from a client browser:

GET http : //training . citrix . com/ HTTP/1 . 1

Host : training . citrix . com


Connection : keep - alive
User - Agent : Mozilla/5 . 0 (Windows NT 10 . 0 ; Win64 ; x64 )
AppleWebKit/537 . 36 (KHTML , like Gecko) Chrome/57 . 0 . 2987 . 133
Safari/537 . 36
Accept : text/html , application/xhtml+xml , application/xml ; q=0 . 9 , imag
e/webp , */* ; q=0 . 8
Accept - Encoding : gzip , deflate , sdch
Accept - Language : en - US , en ; q=0 . 8
! Cookie : insight session=ce854757-6707 - 4ec0 - 9191-9fa9c5fcbb4c ;
N
ot
fo
rr

Key Notes:
es

A request message from a client to a server includes, within the first line of that message, the method to be 
al

applied to the resource, the identifier of the resource, and the protocol version in use. The general format 
e

of Request is as following:
or

Request       = Request‐Line              
d

*(( general‐header        
is

| request‐header         
t rib

| entity‐header ) CRLF)  
ut

CRLF
io

[ message‐body ]          
n

Additional resources:
HTTP Request Format : https://www.w3.org/Protocols/rfc2616/rfc2616‐sec5.html

27 © 2017 Citrix Authorized Content



CITRIX

HTTP Response Headers
Here is an example of an HTTP response from a web server:

HTTP/1. 1 200 OK
Date : Wed , 19 Apr 2017 18 : 52 : 05 GMT
Server : Apache
Set - Cookie : MoodleSession=eolrrnmdtrv29nblqlu0ipleupl ; path=/
Expires : Cache - Control : private , pre - check=0 , post - check=0 , max -
age=0
Pragma : no - cache
Content - Language : en
Accept - Ranges : none
Keep - Alive : timeout=2 , max=l00
Connection : Keep - Alive
N

Content - Type : text/html ; charset=utf - 8


ot

Content - Encoding : gzip


fo
rr

Key Notes:
es

A response message from a server to a client includes, within the first line of that message, the protocol 
al

version followed by a numeric status code and its associated textual. The general format of Request is as 
e

following:
or

Response      = Status‐Line              
d

*(( general‐header     
is

| response‐header       
t
rib

| entity‐header ) CRLF) 
ut

CRLF
io

[ message‐body ] 
n

The Status‐Code is a 3‐digit integer result code of the attempt to understand and satisfy the request.
It can be classified as following:
• 1xx: Informational ‐ Request received, continuing process.
• 2xx: Success ‐ The action was successfully received, understood, and accepted.
• 3xx: Redirection ‐ Further action must be taken in order to complete the request.
• 4xx: Client Error ‐ The request contains bad syntax or cannot be fulfilled.
• 5xx: Server Error ‐ The server failed to fulfil an apparently valid request.

28 © 2017 Citrix Authorized Content



CITRIX

Additional resources:
HTTP Response Format : https://www.w3.org/Protocols/rfc2616/rfc2616‐sec6.html

N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

28 © 2017 Citrix Authorized Content •


CITRIX

Identifying
• The simple expression is the basic building block of
Simple policies.
Expressions • A simple expression consists of a single , logical
comparison.
N
ot
fo
rr

Key Notes:
es

Simple expressions check for a single condition. 
al

An example of a simple expression is:
e
or

Consider the url https://mail.google.com/mail/u/0/#inbox
Expression : REQ.HTTP.URL == /mail/u/0/#inbox
d
is
trib

Additional Resources:
ut

Link to Citrix Prod Docs on Policies and Expressions
io

https://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐expressions.html
n

29 © 2017 Citrix Authorized Content



CITRIX

Simple Expression Examples

• Traffic from a subnet:


add pol exp bad_boys " REQ . IP . SOURCEIP 65 . 219 . 20 . 0 - netmask 255 . 255 . 255 . 0 "

• Request for specific content:


add pol exp big_java " REQ . HTTP . URL contains big_job . jsp"

• Long request:
add pol exp big_url " REQ . HTTP . URLLEN > 256 "

• HTTP request header-based expressions:


add pol exp accepts_html "REQ . HTTP . HEADER accept contains text/html "
N

add pol exp has_cookie_header " REQ . HTTP . HEADER cookie exists "
ot
fo
rr

Key Notes:
es

Named expressions are created once, and can then be referenced a number of times by different feature 
al

sets in the Citrix NetScaler. Decreasing administrative overhead for policy expressions. For example you 
e

write an expression to identify ASP pages, you then use this expression in both a compression policy (to 
or

compress the pages) and a content switching policy (to direct the connection to the correct servers). 
To create a named expression:
d is

• In the configuration utility, on the Configuration tab, in the navigation pane, expand AppExpert and 


t

then click Expressions.
rib

• In the details pane, click Add.
ut

• In the Create Policy Expression dialog box, in Expression Name, type a name for the expression.


io

• To create an expression, click Add.
n

• Do one of the following:
• In Frequently Used Expression, select an expression from the list, click OK, click Create and then 
click Close.
• Under Construct Expression, select the parameters for the expression string, click OK, click Create 
and then click Close.

30 © 2017 Citrix Authorized Content



CITRIX

Identifying The following named compound expressions are built
Compound from named simple expressions:
Expressions add pol exp big_bad " (bad_boys &&
big_java) "
add pol exp big_bad_or_long " (big bad
11 big_url) "
N
ot
fo
rr

Key Notes:
es

A compound expression can contain any number of logical and arithmetic operators.
al

Booleans in Compound Expressions
e

• && :  This operator is a logical AND. For the expression to evaluate to TRUE, all components that are 
or

joined by the And must evaluate to TRUE.
d

• ||  :  This operator is a logical OR. If any component of the expression that is joined by the OR evaluates 
is

to TRUE, the entire expression is TRUE.
t rib

• !  :  Performs a logical NOT on the expression.
ut

Compound expressions check for multiple conditions. You create compound expressions by connecting to 
one or more expression names using the logical operators && and ||. You can use the symbols to group the 
io

expression in the order of evaluation.
n

Compound expressions can be categorized as:
Named expressions. As an independent entity, a named expression can be reused by other policies and are 
part of the policy. You configure named expressions at the system level in the configuration utility. You can 
use a predefined named expression in the policy or create one of your own.
Inline expressions. An inline expression is one that you build within the policy that is specific to the policy.
Configuring Policies with the AND (&&) Operator:
• The AND (&&) operator works by combining two client security strings so that the compound check 
passes only when both checks are true. The expression is evaluated from left to right and if the first 
check fails, the second check is not carried out.
• You can configure the AND (&&) operator using the keyword ‘AND’ or the symbols ‘&&’.

31 © 2017 Citrix Authorized Content



CITRIX

• Example:
• The following is a client security check that determines if the user device has Version 
7.0 of Sophos AntiVirus installed and running. It also checks if the netlogon service is 
running on the same computer.
• CLIENT.APPLICATION.AV(sophos).version==7.0 AND CLIENT.SVC(netlogon) EXISTS
• This string can also be configured as
• CLIENT.APPLICATION.AV(sophos).version==7.0 && CLIENT.SVC(netlogon) EXISTS
• Configuring Policies with the OR ( || ) Operator
• The OR (||) operator works by combining two security strings. The compound check 
passes when either check is true. The expression is evaluated from left to right and if 
the first check passes, the second check is not carried out. If the first check does not 
pass, the second check is carried out.
N

• You can configure the OR (||) operator using the keyword ‘OR’ or the symbols '||'.


ot

• Example:
fo

• The following is a client security check that determines if the user device has either the 
rr

file c:\file.txt on it or the putty.exe process running on it.
• client.file(c:\\\\file.txt) EXISTS) OR (client.proc(putty.exe) EXISTS
es

• This string can also be configured as
al

• client.file(c:\\\\file.txt) EXISTS) || (client.proc(putty.exe) EXISTS
e

• Configuring Policies Using the NOT ( ! ) Operator
or

• The NOT (!) or the negation operator negates the client security string.


d

• Example:
is

• The following client security check passes if the file c:\sophos_virus_defs.dat file is NOT 
t rib

more than two days old:
• !(client.file(c:\\\\sophos_virus_defs.dat).timestamp==2dy)
ut
io
n

31 © 2017 Citrix Authorized Content •


CITRIX

Features that support the classic policy engine include:
• Authentication
Features that • SSL
Support Classic • Content Switching
• Compression
Policies • Content Filtering
• SureConnect
• Priority Queuing
• HTML Injection
• AAA TM
• Application Firewall
• NetScaler Gateway
N
ot
fo
rr

Key Notes:
es

Policy Type and Bind Points for Policies in Features that Use Classic Policies Feature on NetScaler 12.0
al

System features, Authentication:
e

• Virtual Servers: None
or

• Supported Policies:  Authentication policies
d

• Policy Bind Points:  Global
is
t

• How you Use the Policy:  For the Authentication feature, policies contain authentication schemes for 
rib

different authentication methods. For example, you can configure LDAP and certificate‐based 
ut

authentication schemes.
io

SSL:
n

• Virtual Servers:  None
• Supported Policies: SSL policies
• Policy Bind Points: Global and Load Balancing virtual server
• How you Use the Policies: To determine when to apply an encryption function and add certificate 
information to clear text.  To provide end‐to‐end security. After a message is decrypted, the SSL 
feature re‐encrypts clear text and uses SSL to communicate with back‐end Web servers.
Content Switching:
• (Can use either classic or default syntax policies, but not both)
• Virtual Servers: Content Switching virtual server
• Supported Policies:  Content Switching policies
• Policy Bind Points: Content Switching virtual server and Cache Redirection virtual server

32 © 2017 Citrix Authorized Content



CITRIX

• How you Use the Policies: To determine what server or group of servers is responsible 
for serving responses, based on characteristics of an incoming request.  Request 
characteristics include device type, language, cookies, HTTP method, content type and 
associated cache server.
Compression:
• Virtual Servers: None
• Supported Policies: HTTP Compression policies
• Policy Bind Points: Global, Content Switching virtual server, Load Balancing virtual 
server, SSL Offload virtual server, and Service
• How you Use the Policies: To determine what type of HTTP traffic is compressed.
Protection features, Filter:
• Virtual Servers: None
N

• Supported Policies: Content Filtering policies
ot

• Policy Bind Points: Global, Content Switching virtual server, Load Balancing virtual 
fo

server, SSL Offload virtual server, and Service
rr

• How you Use the Policies: To configure the behavior of the filter function.
es

Protection features, SureConnect:
al

• Virtual Servers: None
e

• Supported Policies: SureConnect policies
or

• Policy Bind Points: Load Balancing virtual server, SSL Offload virtual server, and Service
• How you Use the Policies: To configure the behavior of the SureConnect function.
d is

Protection features, Priority Queuing:
t
rib

• Virtual Servers: None
• Supported Policies: Priority Queuing policies
ut

• Policy Bind Points: Load Balancing virtual server and SSL Offload virtual server
io

• How you Use the Policies: To configure the behavior of the Priority Queuing function.
n

HTML Injection:
• Virtual Server: None
• Supported Policies: HTML Injection Policies
• Policy Bind Points: Global, Load Balancing virtual server, Content Switching virtual 
server, and SSL Offload virtual server
• How you Use the Policies: To enable the NetScaler to insert text or scripts into an HTTP 
response that it serves to a client.
AAA ‐ Traffic Management:
• Virtual Servers: None

32 © 2017 Citrix Authorized Content •


CITRIX

• Supported Policies: Authentication, Authorization, Auditing, and Session policies
• Policy Bind Points: Authentication virtual server (authentication, session, and auditing 
policies), Load Balancing or Content Switching virtual server (authorization and auditing 
policies), Global (session and audit policies), and AAA group or user (session, auditing, 
and authorization policies)
• How you Use the Policies: To configure rules for user access to specific sessions and 
auditing of user access.
Cache Redirection:
• Virtual Servers: Cache Redirection virtual server
• Supported Policies: Cache Redirection policies and Map policies
• Policy Bind Points: Cache Redirection virtual server
• How you Use the Policy: To determine whether HTTP responses are served from a 
N

cache or an origin server.
ot

Application firewall:
fo

• Virtual Servers: None
rr

• Supported Policies: Application firewall policies
es

• Policy Bind Points: Global
al

• How you Use the Policies: To identify characteristics of traffic and data that should or 
e

should not be admitted through the firewall.
or

NetScaler Gateway:
• Virtual Servers: VPN server
d is

• Supported Policies: Pre‐Authentication policies
t

• Policy Bind Points: AAA Global and VPN vserver
rib

• How you Use the Policies: To determine how the NetScaler Gateway performs 
ut

authentication, authorization, auditing, and other functions, and to define rewrite 
io

rules for general Web access using the NetScaler Gateway.
n

• Supported Policies: Authentication policies
• Policy Bind Points: System Global, AAA Global, and VPN vserver
• How you Use the Policies: To determine how the NetScaler Gateway performs 
authentication, authorization, auditing, and other functions, and to define rewrite 
rules for general Web access using the NetScaler Gateway.
• Supported Policies: Auditing policies
• Policy Bind Points: User, User group, and VPN vserver
• How you Use the Policies: To determine how the NetScaler Gateway performs 
authentication, authorization, auditing, and other functions, and to define rewrite 
rules for general Web access using the NetScaler Gateway.
• Supported Policies: Session policies

32 © 2017 Citrix Authorized Content •


CITRIX

• Policy Bind Points: VPN Global, User, User Group, and VPN vserver
• How you Use the Policies: To determine how the NetScaler Gateway performs 
authentication, authorization, auditing, and other functions, and to define rewrite 
rules for general Web access using the NetScaler Gateway.
• Supported Policies: Authorization policies
• Policy Bind Points: User, User Group
• How you Use the Policies: To determine how the NetScaler Gateway performs 
authentication, authorization, auditing, and other functions, and to define rewrite 
rules for general Web access using the NetScaler Gateway.
• Supported Policies: Traffic policies
• Policy Bind Points: VPN Global, User, User Group, and VPN vserver
• How you Use the Policies: To determine how the NetScaler Gateway performs 
N

authentication, authorization, auditing, and other functions, and to define rewrite 
ot

rules for general Web access using the NetScaler Gateway.
fo

• Supported Policies: TCP Compression policies
rr

• Policy Bind Points: VPN Global
• How you Use the Policies: To determine how the NetScaler Gateway performs 
es

authentication, authorization, auditing, and other functions, and to define rewrite 
al

rules for general Web access using the NetScaler Gateway.
e
or

Additional Resources:
d

To see all features see:  http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐
is

expressions/ns‐pi‐config‐classic‐pols‐exprs‐wrapper‐con.html
trib
ut
io
n

32 © 2017 Citrix Authorized Content •


CITRIX

Content Filtering
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

33 © 2017 Citrix Authorized Content



CITRIX

• Content filtering offers protection from malicious
attacks at the HTTP content level.
Content
• The NetScaler system inspects each incoming
Filtering HTTP request or response with the configured
rules.
• Two commonly used content-filtering actions are
DROP and RESET.
N
ot
fo
rr

Key Notes:
es

Usually the same functions can be handled by Responder policies, however unlike Responder, which only 
al

operates on the REQ traffic, Content Filtering can operate on the REQ or RES.
e

Following are some examples of things you can do with content filtering policies: Prevent users from 
or

accessing certain parts of your Web sites unless they are connecting from authorized locations.
d

Prevent inappropriate HTTP headers from being sent to your Web server, possibly breaching security.
is

Redirect specified requests to a different server or service.
t
rib
ut
io
n

34 © 2017 Citrix Authorized Content



CITRIX

The content filtering actions below can be configured
on the NetScaler:
• Pre-configured -which allow you to drop or reset
traffic
Filter • RESET
Actions • DROP
• User-defined - which have to be ability to drop or
reset and provide custom functions
• Add
• Corrupt
• Forward
• ErrorCode
N
ot
fo
rr

Key Notes:
es

The Content Filter can be used for following functionality: 
al

• ADD ‐ Adds the specified HTTP header.
e

• RESET ‐ Terminates the connection, sending the appropriate termination notice to the user's browser.
or

• FORWARD ‐ Redirects the request to the designated service. You must specify either a service name or a 
d

page, but not both.
is

• DROP ‐ Silently deletes the request, without sending a response to the user's browser.
t
rib

• CORRUPT ‐ Modifies the designated HTTP header to prevent it from performing the function it was 
intended to perform, then sends the request/response to the server/browser.
ut

• ERRORCODE. Returns the designated HTTP error code to the user's browser (for example, 404, the 
io

standard HTTP code for a non‐existent Web page).
n

The Content Filter will be deprecated after NetScaler version 12.0. We can use other features to achieve the 
functionality of the content filtering
• The Rewrite Policy can be used to ADD,CORRUPT the HTTP headers.
• The rewrite/responder policy can be used to DROP/RESET or to respond with ERROR CODE.
• The Content Switching provides the functionality equivalent to FORWARD action of Content Filtering.

35 © 2017 Citrix Authorized Content



CITRIX

Configuring Content Filters
Crute Fil1or Policy

I ew_Fd ~r

To enable the content filtering feature on


NetScaler, create a Filter Policy which REQ,HTTP.HEADfR Host fXlSTsj

consists of:
R~tAct10t1 • R~~Act,on
• Expression
• Action [ RESET • + /

CloH
N
ot
fo
rr

Key Notes:
es

CLI for adding Content filters.
al

• add filter action <name> <qualifier> [<serviceName>] [<value>] [<respCode>] [<page>]
e

• add filter policy <name> ‐rule <expression> (‐reqAction <action> | ‐resAction <string>


or

To implement content filtering, you must configure at least one policy to tell your NetScaler appliance how 
d

to distinguish the connections you want to filter. You must first have configured at least one filtering action, 
is

because when you configure a policy, you associate it with an action.
t rib

Content filtering policies examine a combination of one or more of the following elements to select 
requests or responses for filtering:
ut

• URL : The URL in the HTTP request.
io

• URL query : Only the query portion of the URL, which is the portion after the query (?) symbol.
n

• URL token : Only the tokens in the URL, if any, which are the parts that begin with an ampersand (&) and 
consist of the token name, followed by an equals sign (=), followed by the token value.
• HTTP method : The HTTP method used in the request, which is usually GET or POST, but can be any of 
the eight defined HTTP methods.
• HTTP version : The HTTP version in the request, which is usually HTTP 1.1.
• Standard HTTP header : Any of the standard HTTP headers defined in the HTTP 1.1 specification.
• Standard HTTP header value : The value portion of the HTTP header, which is the portion after the colon 
and space (: ).
• Custom HTTP header : A non‐standard HTTP header issued by your Web site or that appears in a user 
request.
• Custom header value :The value portion of the custom HTTP header, which (as with the standard HTTP 

36 © 2017 Citrix Authorized Content



CITRIX

header) is the portion after the colon and space (: ).
• Client Source IP :The IP from which the client request was sent.
• Content filtering policies use the simpler of two NetScaler expressions languages, called 
classic expressions.

N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

36 © 2017 Citrix Authorized Content •


CITRIX

A filter:
Binding
Filters • Must be bound to be active.
• May be bound globally or to a specific virtual server.
• Must be unbound to be removed .
N
ot
fo
rr

Key Notes:
es

If traffic does not match any content filtering policy the virtual server will send it to a default load balancing 
al

server if one is defined. If no default server is defined on the content switching virtual server, the non 
e

matched traffic will be dropped.
or
d is
t rib
ut
io
n

37 © 2017 Citrix Authorized Content



CITRIX

• What are some of the use cases for Forwarding
requests?
• What types of issues could this solve in your
environment?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

38 © 2017 Citrix Authorized Content



CITRIX

• The two components of a classic policy are
expression and action .
• Simple expressions are a single logical comparison .
• Compound expressions are built using a simple
Key Takeaways expression joined by compound operators.
• Content filtering allows the administrator to easily
DROP or RESET unwanted traffic.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

39 © 2017 Citrix Authorized Content



CITRIX

• Exercise 1-1: Configuring Content Filtering with
Classic Policies
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

40 © 2017 Citrix Authorized Content



CITRIX


CITRIX

NetScaler Traffic
Management
AppExpert Default Policies
N

CNS..219-2i
ot

Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

41 © 2017 Citrix Authorized Content



CITRIX

• Describe Default Policy including basic components.
• Discuss the syntax of Default Policy expression .
Learning • Explain Actions in policy expression evaluation.

Objectives • Distinguish key attributes of policy binding and bind


types .
• Discuss constructing and managing Default Policies
with AppExpert.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

42 © 2017 Citrix Authorized Content



CITRIX

Default Policy Overview
N
ot
fo
rr

Key Notes:
es

Default syntax policies can perform the same type of evaluations as classic policies. In addition, default 
al

syntax policies enable you to analyze more data (for example, the body of a request into an HTTP header).
e

Default syntax policies use a powerful expression language that is built on a class‐object model, and they 
or

offer several options that enhance your ability to configure the behavior of various NetScaler features. With 
default syntax policies, you can do the following:  Perform fine‐grained analyzes of network traffic from 
d is

layers 2 through 7.
trib

Evaluate any part of the header or body of an HTTP or HTTPS request or response.
Bind policies to the multiple bind points that the default syntax policy infrastructure supports at the default, 
ut

override, and virtual server levels.
io

Use Goto expressions to transfer control to other policies and bind points, as determined by the result of 
n

expression evaluation.
Use special tools such as pattern sets, policy labels, rate limit identifiers, and HTTP callouts, which enable 
you to configure policies effectively for complex use cases.
Additionally, the configuration utility extends robust graphical user interface support for default syntax 
policies and expressions and enables users who have limited knowledge of networking protocols to 
configure policies quickly and easily. The configuration utility also includes a policy evaluation feature for 
default syntax policies. You can use this feature to evaluate a default syntax policy and test its behavior 
before you commit it, thus reducing the risk of configuration errors.
Evaluate the body of an HTTP request) and to configure more operations in the policy rule (for example, 
transforming data in the body of a request into an HTTP header).

43 © 2017 Citrix Authorized Content



CITRIX

The NetScaler system uses policies to evaluate
specified conditions and to define actions to be taken if
conditions are met.
• The order and flow of policy evaluation depends on
the feature set and policy-expression type .
Policies • Defined actions are always feature specific.
• Policy evaluation outcomes include:
• True
• False
• Undefined
N
ot
fo
rr

Key Notes:
es

For many NetScaler features, policies control how a feature evaluates data, which ultimately determines 
al

what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate 
e

requests, responses, or other data, and applies one or more actions determined by the outcome of the 
or

evaluation. Alternatively, a policy can apply a profile, which defines a complex action.
d is
t rib
ut
io
n

44 © 2017 Citrix Authorized Content



CITRIX

Classic Policies: vs. Default Policies:

• Original policy engine (PE) before • Newer policy engine (Pl)


default
• Can evaluate more traffic and perform
• Evaluate basic characteristics of more complex actions than classic
traffic and perform basic actions providing more control over the
evaluation .
• Classic Syntax:
REQ . HTTP . HEADER Host CONTAINS • Default Syntax:
Citrix HTTP . REQ . HEADER( " Host " ) . CONTAINS
( " Citrix " )
N
ot
fo
rr

Key Notes:
es

Citrix suggests using default policies instead of classic when possible. Exceptions are if the service does not 
al

support default policies, or, if a company is heavily invested in classic, it may not make sense to try and 
e

switch. When in doubt though, use default policies.
or

Please note that the Classic policies are being deprecated after version 12.0.
d

Example of classic vs default: Classic can evaluate the http header, whereas default policies can evaluate 
is

the http header and/or body.
trib
ut
io
n

45 © 2017 Citrix Authorized Content



CITRIX

Classic and Default Policy Application
Feature Policy Usage
System Classic Authentication and auditing
DNS Default Determines DNS resolution requests
SSL Both Determine when and what to encrypt
Compression Both What to compress
Integrated Caching Default Determine whether HTTP responses are cacheable
Responder Default Behavior of Responder
Protection Features Classic Behavior of the Filter, SureConnect, and Priority Queuing
Content Switching Both Determines which server should process request
AAA Both* AAA and SSO
Cache Redirection Classic Whether to respond with cache or from server
N

Rewrite Default Identify HTTP data to be modified


ot

AppFW Both Determine whether traffic is allowed


fo
rr

Key Notes:
es

AAA Exceptions 
al

• Traffic policies only support Default. 
e

• Authorization policies support Both.
or
d is
t rib
ut
io
n

46 © 2017 Citrix Authorized Content



CITRIX

Basic Components of Classic and Default Syntax
Policies

Name Each policy must have a unique name, bound by NetScaler naming rules .

Rule/Expression Logical expression that defines the evaluation parameters.

A separate entity from the policy that dictates what NetScaler should do in
Actions the case of a positive expression evaluation .
N
ot
fo
rr

Key Notes:
es

We recommend creating simple rules and compounding them, instead of creating complex rules. This 
al

makes for simpler management and provides modularity.
e

• Names should follow a logical convention.
or

• Default syntax policies can use all of the expressions that are available in a classic policy, with the 
d

exception of classic expressions for the SSL VPN client. 
is
trib
ut
io
n

47 © 2017 Citrix Authorized Content



CITRIX

Convert Classic Policies to Default Policies
• Only supported for features that support default policies.
• nspepi -e <classic expression> converts single policy.
• nspepi -f <ns config file> converts all expressions in file.
• Makes a new copy of the file and edits that; it does not touch the source file.
• v switch for verbose: it displays status and logs results .

root@NS# nspepi - f ns . conf


OUTPUT: New configuration file created : new ns.conf
OUTPUT: New warning file created : warn_ns . conf
WARNINGS: Total number of warnings due to bind commands: 18
WARNINGS: Line numbers which has bind command issues: 305, 306, 706, 707, 708, 709, 710, 711, 712,
N

714, 715, 767, 768, 774, 775 , 776 , 777


ot
fo
rr

Key Notes:
es

Only for features that support default policy along with classic policies– For example, you cannot convert 
al

SSL VPN policies.
e

nspepi –f prepends new_ to the file (e.g. nspepi –f ns.conf makes a converted file called new_ns.conf)


or

‐v logs results to warn_ns.conf file
d

It is critical to verify and test after conversion.
is
t rib

Additional Resources:
ut

Citrix edocs on NetScaler 12 expression conversion:  
io

http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐expressions/ns‐pi‐intro‐pol‐exp‐
n

wrapper‐con/ns‐pi‐pe‐to‐pi‐conversion‐tool‐wrapper‐con.html

48 © 2017 Citrix Authorized Content



CITRIX

Why should you be converting your Classic policies to
Default?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

49 © 2017 Citrix Authorized Content



CITRIX

Default Expression Syntax
N
ot
fo
rr

Key Notes:
es

You can create default syntax policies for various NetScaler features, including DNS, Rewrite, Responder, 
al

and Integrated Caching, and the clientless access function in the NetScaler Gateway. Policies control the 
e

behavior of these features.
or

When you create a policy, you assign it a name, a rule (an expression), feature‐specific attributes, and an 
action that is taken when data matches the policy. After creating the policy, you determine when it is 
d is

invoked by binding it globally or to either request‐time or response‐time processing for a virtual server.
t rib

Policies that share the same bind point are known as a policy bank. For example, all policies that are bound 
to a virtual server constitute the policy bank for the virtual server. When binding the policy, you assign it a 
ut

priority level to specify when it is invoked relative to other policies in the bank. In addition to assigning a 
io

priority level, you can configure an arbitrary evaluation order for policies in a bank by specifying Goto
expressions.
n

In addition to policy banks that are associated with a built‐in bind point or a virtual server, you can 
configure policy labels. A policy label is a policy bank that is identified by an arbitrary name. You invoke a 
policy label, and the policies in it, from a global or virtual‐server‐specific policy bank. A policy label or a 
virtual‐server policy bank can be invoked from multiple policy banks.

50 © 2017 Citrix Authorized Content



CITRIX

Default Policy Expressions

When working with default polices, first define the expression, which is the condition
under which the policy will apply.
• Expressions on a NetScaler system can be configured using:
• The Configuration Utility.
• The CLI .

• Expressions can be inline or named:


• In line is a simple or compound expression written inside a policy.
• Named expressions are saved logic and:
• Can be simple or compound .
• Consist of a name , qualifier and operator.
• Can be used many times in polices for any feature that supports the default engine .
N
ot
fo
rr

Key Notes:
es

The Policy Infrastructure engine uses the default policy expression language. Expression language is 
al

universal and can be reused across feature sets that support the default policy engine.
e

You can configure text expressions to be case sensitive or case insensitive and to use or ignore spaces. You 
or

can also configure complex text expressions by combining text expressions with Boolean operators.
d

Default Syntax Expressions can be used for  Parsing HTTP, TCP, and UDP Data.
is
t rib
ut
io
n

51 © 2017 Citrix Authorized Content



CITRIX

Default Policy Expressions: Syntax
Expression Editor
• "Dotted function" chains in NetScaler default policy expressions
read from left to right.
Select
• The element at furthest left designates which part of the connection Select
the expression is analyzing . Start With Variable
HTTP
Some possible top-level (furthest left) elements include:
CLIENT
• CLIENT SERVER
ANALYTICS
• HTTP SIP
Pr TEXT
•SERVER
MYSQL
• SYS MSSQL
DS
DIAMETER
Default policy expression examples include: RADIUS
• CLIENT.IP.SRC.IN_SUBNET ("10.60.1.0/24") ORACLE
N

CONNECTION
• HTTP.REQ .HOSTNAME.EQ("www.citrix.com") SMPP
ot

SUBSCRIBER
fo
rr
es
al
e
or
d is
t rib
ut
io
n

52 © 2017 Citrix Authorized Content



CITRIX

Default Syntax Expressions: Basic Components

Describes information to be evaluated - what the policy


Qualifier
examines.

Operator Describes how the qualifier will be examined.

OperandNalue Values to compare to qualifiers.


N
ot
fo
rr

Key Notes:
es

The elements of the rule can themselves return TRUE or FALSE, string, or numeric values. 
al

An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—
e

that manipulates one or more objects, or operands. 
or

An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—
d

that manipulates one or more objects, or operands. The first section in this topic defines the operators you 
is

can use and provides a definition. The second section lists the operators you can use with specific 
t rib

qualifiers, such as method, URL and query.
Operators:
ut

• ==
io

• Boolean.
n

• Returns TRUE if the current expression equals the argument. For text operations, the items being 
compared must exactly match one another. For numeric operations, the items must evaluate to the 
same number.
• !=
• Boolean.
• Returns TRUE if the current expression does not equal the argument. For text operations, the items 
being compared must not exactly match one another. For numeric operations, the items must not 
evaluate to the same number.
• CONTAINS
• Boolean.
• Returns TRUE if the current expression contains the string that is designated in the argument.

53 © 2017 Citrix Authorized Content



CITRIX

• NOTCONTAINS
• Boolean.
• Returns TRUE if the current expression does not contain the string that is designated in 
the argument.
• CONTENTS
• Text.
• Returns the contents of the current expression.
• EXISTS
• Boolean.
• Returns TRUE if the item designated by the current expression exists.
• NOTEXISTS
N

• Boolean.
ot

• Returns TRUE if the item designated by the current expression does not exist.
fo

• >
rr

• Boolean.
• Returns TRUE if the current expression evaluates to a number that is greater than the 
es

argument.
al

• <
e

• Boolean.
or

• Returns TRUE if the current expression evaluates to a number that is less than the 
d

argument.
is

• >=
trib

• Boolean.
• Returns TRUE if the current expression evaluates to a number that is greater than or 
ut

equal to the argument.
io

• <=
n

• Boolean.
• Returns TRUE if the current expression evaluates to a number that is less than or equal 
to the argument.

53 © 2017 Citrix Authorized Content •


CITRIX

After being evaluated , an expression can have one of
the follow ing results :
• Boolean values - HTTP.REQ .URL.CONTAINS("Citrix")
Expression
• Integer values - HTTP.REQ.URL.LENGTH
Result Types
• String values -
TEXT.AFTER_ STR("abc") .BEFORE_STR("ghi")
N
ot
fo
rr

Key Notes:
es

Boolean – will return a TRUE or FALSE value – the URL either contains “Citrix” or it does not


al

Integer  ‐ this syntax will return the length of the URL in integer format 
e
or

String – if we were looking at the alphabet we would be grabbing the string after “abc” but before “ghi” –
abcdefghi…
d is
trib
ut
io
n

54 © 2017 Citrix Authorized Content



CITRIX

Default Policy Expressions: Syntax Example
Policy Expression:
HTTP.REQ.HEADER("Referer").BEFORE_STR("//").EQ("https:")
Sample HTTP Request:

GET https://www.citrix.com/etc/core.min.1.128.0-20170602.153542-485.css HTTP/1.1


Host: www.citrix.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/css,*/*;q=0.1

I
N

Relerer: https ://www.citrix.com/


ot
fo
rr

Key Notes:
es

“HTTP.REQ.HEADER (“Referer”).BEFORE_STR (\”//”\)”.EQ(“https:”)
al

In our example, we are looking for whatever is before // and then seeing if it equals “https:”  ‐
e
or

Observe the example provided in the slide. We can see the expression evaluates to TRUE.
d is
t rib
ut
io
n

55 © 2017 Citrix Authorized Content



CITRIX

• An action:
• Is owned by individual NetScaler features .
• Is bound to or activated by policies.
Actions • Cannot depend on results of other actions.
• Is applied at the end of the policy evaluation process.

• A single HTTP header cannot be modified by multiple


actions.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

56 © 2017 Citrix Authorized Content



CITRIX

Using Advanced Expressions to Create Actions

Action Name Rewrite Action HTTP Header


Name
r1-i
add rewrite action ClientlP INSERT- HTTP- HEADE CIP LIENT.IP.SR

Value: Individual Client IP address


N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

57 © 2017 Citrix Authorized Content



CITRIX

Policy Bindings
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

58 © 2017 Citrix Authorized Content



CITRIX

• Policies remain inactive if they are NOT bound to an
entity.
• Policies are bound or activated either globally or to
specific bind points.
• Available specific bind points vary by feature set.
Policy • The default policy engine also allows you to bind
policies in this manner, but it offers more flexibility on
Bindings how policies are bound and evaluated.
• Priorities are required for advanced policy
expressions.
• If a priority is assigned, policies are evaluated in the
order of their assigned priority.
N
ot
fo
rr

Key Notes:
es

For a policy to be evaluated on the NetScaler, it must be bound.
al

In Classic Policy Engine ‐ we already have the concept of bind points – basically a name to which policies 


e

are bound. These names can implicit (like global) or names of other user configured entities like vServers, 
or

users or groups. 
d

For advanced syntax we can use Policy labels (banks). These  are a generalization of the classic bind point 
is

concept. A policy label is a name to which advanced policies can be bound 
trib
ut
io
n

59 © 2017 Citrix Authorized Content



CITRIX

• Global bind points:
• Policies bound to the default label are evaluated after virtual server-
specific evaluation .
• Policies bound to the override label are evaluated before virtual server-
specific evaluation .

• VServer bind points:


Bind • Policies can be bound to a vServer.

Point Types • User-defined bind points:


• Policies can be created and bound to policy label bind points.
• Policies bound are evaluated only on invoke.
• These are similar to named subroutines.
• Policies Labels can be invoked.
N
ot
fo
rr

Key Notes:
es

Bind points are a very powerful aspect of policies. A bind point is a collection of active policies and is 
al

invoked by other policies.
e

Bind points were carried over from classic policies, which used virtual server or global, even though it is not 
or

explicitly displayed with classic policies. The bind point and binding to request or response capability is an 
important consideration. Where a policy is bound affects when the action is taken.
d is

One major difference between bind points for classic and default is the process of evaluation. For example, 
t rib

if a classic policy is bound to a virtual server and is globally bound, then priorities determine the result. 
With default policies, it is policy bank‐specific. The level of bank‐specific policies are evaluated before the 
ut

global‐default banks. Global override happens before the virtual server bound items. Global default is last.  
io

When a bind point is invoked, the NetScaler system evaluates the policies that comprise the bind point in 
n

the order of the assigned priorities. The scope of the priority assigned to a policy is limited to the bind point 
to which the policy is bound. The priority of a policy is only relative to the priorities of the other policies 
bound to the same bind point.  This function allows grouping of policies and effective implementation.

60 © 2017 Citrix Authorized Content



CITRIX

A policy label is a user-defined point to which policies
can be bound.
• Using a policy label , an administrator can logically
Policy group policies and define the order in which they are
Labels evaluated .
• Policy labels are invoked from other policies .
N
ot
fo
rr

Key Notes:
es

When a policy label is invoked, all of the policies bound to it are evaluated in the order of the configured 
al

priority. When a policy is matched, the appropriate action is performed and control is returned to the policy 
e

that invoked the policy label.
or

Policy Labels are generally defined to be reusable.
d is
t rib
ut
io
n

61 © 2017 Citrix Authorized Content



CITRIX

Request and Response Bind Points:
• Default global
Policy • Virtual server
Bind Points • Override global
• Policy label
N
ot
fo
rr

Key Notes:
es

User‐Defined Policy Label ‐ For default syntax policies, you can configure custom groupings of policies 
al

(policy banks) by defining a policy label and collecting a set of related policies under the policy label.
e

Additional bind points depend on the type of policy ‐ for example, the NetScaler Gateway policies can be 
or

bound to users or groups.
If no policies match, then  the normal behavior of the bind point occurs.
d is

You can bind the policy to one of the following bind points:
t rib

A global policy bank. These are the request‐time default, request‐time override, response‐time default, and 
response‐time override policy banks.
ut

A virtual server. Policies that you bind to a virtual server are processed after the global override policies 
io

and before the global default policies.  Note that when binding a policy to a virtual server, you bind it to 
n

either request‐time or response‐time processing.
An ad‐hoc policy label. A policy label is a name assigned to a policy bank. In addition to the global labels, 
the integrated cache has two built‐in custom policy labels:_reqBuiltinDefaults. This policy label, by default, 
is invoked from the request‐time default policy bank.
_resBuiltinDefaults. This policy label, by default, is invoked from the response‐time default policy bank.
You can also define new policy labels. Policies bound to a user‐defined policy label must be invoked from 
within a policy bank for one of the built‐in bind points. Important: You should bind a policy with an INVAL 
action to a request‐time override or a response‐time override bind point. To delete a policy, you must first 
unbind it.
Order of Policy Evaluation
For an advanced policy to take effect, you must ensure that the policy is invoked at some point during the 

62 © 2017 Citrix Authorized Content



CITRIX

NetScaler appliance’s processing of traffic. To specify the invocation time, you associate the 
policy with a bind point. The following are the bind points, listed in order of evaluation:
Request‐time override. If a request matches a request‐time override policy, by default 
request‐time policy evaluation ends and the NetScaler appliance stores the action that is 
associated with the matching policy.
Request‐time load balancing virtual server. If policy evaluation cannot be completed after all 
the request‐time override policies are evaluated, the NetScaler appliance processes request‐
time policies that are bound to load balancing virtual servers. If the request matches one of 
these policies, evaluation ends and the NetScaler appliance stores the action that is 
associated with the matching policy.
Request‐time content switching virtual server. Policies that are bound to this bind point are 
evaluated after request‐time policies that are bound to load balancing virtual servers.
N

Request‐time default. If policy evaluation cannot be completed after all request‐time, virtual 
ot

server‐specific policies are evaluated, the NetScaler appliance processes request‐time default 
policies. If the request matches a request‐time default policy, by default request‐time policy 
fo

evaluation ends and the NetScaler appliance stores the action that is associated with the 
rr

matching policy.
es

Response‐time override. Similar to request‐time override policy evaluation.
al

Response‐time load balancing virtual server. Similar to request‐time virtual server policy 
evaluation.
e
or

Response‐time content switching virtual server. Similar to request‐time virtual server policy 
evaluation.
d

Response‐time default. Similar to request‐time default policy evaluation.
is
trib
ut
io
n

62 © 2017 Citrix Authorized Content •


CITRIX

gotoPriorityExpression
Determines how to continue processing when a policy has evaluated as TRUE and the
action has been determined .

gotoPriorityExpression Result
NEXT Evaluate policy with next priority.

END Stop evaluating policies.

<integer> Evaluate policy with priority of <integer>.

Go To NEXT or END depending on


N

INVOCATION LIST
INVOCATION LIST
ot
fo
rr

Key Notes:
es

Goto expression is used to control the flow of policy evaluation and it also acts as a logical tool to get to the 
al

appropriate policy without going through everything bound sequentially. When binding the policy, you 
e

assign it a priority level to specify when it is invoked relative to other policies in the bank. In addition to 
or

assigning a priority level, you can configure an arbitrary evaluation order for policies in a bank by specifying 
Goto expressions. A Goto expression indicates the next policy to be evaluated, typically within the same 
d

policy bank. Goto expressions can only proceed forward in a bank to avoid looping scenarios
is
t

Correct usage of Goto expression will always simplify the configuration and will result in correct behavior. It 
rib

also enhances system performance by ensuring that correct set of required policies are evaluated. If a 
policy evaluates to FALSE, the NetScaler continues the evaluation in the order of priority.
ut
io

If a policy evaluates to UNDEFINED (cannot be evaluated on the received traffic due to an error), the 
NetScaler performs the action assigned to the UNDEFINED condition (referred to as undefAction) and stops 
n

further evaluation of polices.
Ensure that the policies do not specify conflicting or overlapping actions on the same part of the HTTP 
header or body, or TCP payload. When such a conflict occurs, the NetScaler encounters an undefined 
situation and aborts the rewrite.

63 © 2017 Citrix Authorized Content



CITRIX

• If the policy evaluates as TRUE , the NetScaler adds
the action to the result set.
• If a policy evaluates as FALSE , the NetScaler
continues the evaluation in the order of priority.
Policy • If a policy evaluates as UNDEFINED (cannot be
Result evaluated on the received traffic due to an error), the
NetScaler performs the action assigned to the
UNDEFINED condition (referred to as undefAction)
and stops further evaluation of polices.
N
ot
fo
rr

Key Notes:
es

When prioritizing policies, it is a good practice to leave space between priorities to accommodate potential 
al

growth in future.
e

An UNDEFINED occurs when there is an expression match on the policy but the policy cannot be evaluated. 
or

For example, you write an expression to capture a piece of information, the information is captured as text, 
d

but you think it is a number and you attempt to perform a mathematical function on it. This would cause an 
is

UNDEFINED.
t rib

It is important to emphasize that when an UNDEFINED occurs, all other policy processing stops. 
ut
io
n

64 © 2017 Citrix Authorized Content



CITRIX

Simplified Policy Evaluation Flow
, - - - - - - - - - - - True - - - - - - - - - - - ,

Evaluation
Evaluate the policy ... Next Policy
Goes to the next policy
Action
Executes the action

r
expressoons lor a match on the policy 11st
assigned to the policy

Yes
I
Undefined
Check for Un defAction
Perfonn the rule- Log
Policies spec,roc or default Logs actions
Check ror untested undefActoon
policoes ,n the pobcy bst

0
l
N

DONE
ot

- Incoming Connection

L Outgoing Connection -
fo
rr
es
al
e
or
d is
t rib
ut
io
n

65 © 2017 Citrix Authorized Content



CITRIX

As traffic flows through the NetScaler, it is evaluated by
each enabled feature .

Packet • The NetScaler system will process all polices for a


feature and typically applies all matching actions after
Processing processing is complete within a feature .
• Integrated caching is one exception .
Flow
• Traffic flows through the NetScaler Modules in a
particular order which may effect how polices get
applied .
N
ot
fo
rr

Key Notes:
es

Evaluation Order
al

• Classic policies are evaluated according to bind points and priority level
e

• Advanced policies are evaluated in the following order for basic groupings:
or

• Request‐time global override
d

• Request‐time, virtual server‐specific
is

• Request‐time global default
t rib

• Response‐time global override
ut

• Response‐time virtual server‐specific
io

• Response‐time global default
n

66 © 2017 Citrix Authorized Content



CITRIX

Understanding Processing Order
C7 NetScaler sends processed response to
client
Client sends request to NetScaler

l

NotS<alef
.........
,_.,
"""'
a..,_
ftlQUHI 10
NetSaltf HTML PatHffConlenl
Yes
R-,ro

!
,,,, 1
I-

_
IH!Sc....

i....
--·
""1S<alef

--·!
NIIS<alef

..........
._.,
N
ot

Server sends response to NetScaler NetScaler sends processed request to


I- server
fo
rr

Key Notes:
es

This diagram shows only the policy‐relevant features.
al
e
or

Additional Resources:
Citrix edocs getting started link:   https://docs.citrix.com/en‐us/netscaler/12/getting‐started‐with‐
d

netscaler.html#par_richtext_8
is
t rib
ut
io
n

67 © 2017 Citrix Authorized Content



CITRIX

The Policy Manager dialog box provides an easy
interface for managing bind points and policy banks.
Using the The most commonly used bind-point levels are:
Policy • Global
Manager • Load-balancing virtual server
• Content-switching virtual server
N
ot
fo
rr

Key Notes:
es

The Policy Manager is available for the Rewrite, Integrated Caching, Responder, and Compression features.
al

To remove unused policies by using the Policy Manager
e

• In the navigation pane, click the feature for which you want to configure the policy bank. The choices are 
or

Responder, Integrated Caching, or Rewrite.


d

• In the details pane, click <Feature Name> policy manager.
is

• In the <Feature Name> Policy Manager dialog box, click Cleanup Configuration.


trib

• In the Cleanup Configuration dialog box, select the items that you want to delete, and then 


ut

click Remove.
• In the Remove dialog box, click Yes.
io
n

• Click Close. A message in the status bar indicates that the policy is removed successfully.

68 © 2017 Citrix Authorized Content



CITRIX

When should you bind the policy to the global bind
point?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

69 © 2017 Citrix Authorized Content



CITRIX

AppExpert Additional Features
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

70 © 2017 Citrix Authorized Content



CITRIX

I AppExpert

App Expert Apphcat1ons

HTTP Callouts

Panem sets

Data Sets

URL Sets
•AppExpert policy engine is a powerful set of s nng Maps
tools for easy control and management of XML Namespace.s
almost any type of traffic. Location

NSVanables

NS Assignments

Policy Extensions

Expressions

Rate L1m1tmg

Ac1:1on Analytic.s

AppQoE
N

Rewrite
ot

Responder

Spillover
fo
rr

Key Notes:
es

For many NetScaler features, policies control how a feature evaluates data, which ultimately determines 
al

what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate 
e

requests, responses, or other data, and applies one or more actions determined by the outcome of the 
or

evaluation. Alternatively, a policy can apply a profile, which defines a complex action.
d is

Additional Resources:
t rib

Citrix Product Documentation on a conceptual reference and configuration instructions for the AppExpert
and other features of the NetScaler appliance. http://docs.citrix.com/en‐us/netscaler/12/appexpert.html
ut

Citrix Product Documentation Introduction to Policies and Expressions:  http://docs.citrix.com/en‐
io

us/netscaler/12/appexpert/policies‐and‐expressions/ns‐pi‐intro‐pol‐exp‐wrapper‐con.html
n

71 © 2017 Citrix Authorized Content



CITRIX

Which AppExpert features do you think will be useful in
your environments , and why?
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

72 © 2017 Citrix Authorized Content



CITRIX

• A Pattern set or data set contains a set of patterns,
and each pattern is assigned a unique index.
• A pattern set is an array of indexed patterns used for
string matching during default syntax policy
evaluation.
Pattern Sets
• A data set is a specialized form of pattern set. It is an
and Data Sets array of patterns of types number (integer), 1Pv4
address, or 1Pv6 address.
• The only difference between pattern sets and data
sets is the type of patterns defined in the set.
N
ot
fo
rr

Key Notes:
es

A Pattern set or data set contains a set of patterns, and each pattern is assigned a unique index. When a 
al

policy is applied to a packet, an expression identifies a string to be evaluated, and the operator compares 
e

the string to the patterns defined in the pattern set or data set until a match is found or all patterns have 
or

been compared. Then, depending on its function, the operator returns either a boolean value that indicates 
whether or not a matching pattern was found or the index of the pattern that matches the string.
d is

Pattern sets and data sets work the same way. The only difference between pattern sets and data sets is 
t

the type of patterns defined in the set.
rib

To use pattern sets or data sets, first create the pattern set or data set and bind patterns to it. Then, when 
ut

you configure a policy for comparing a string in a packet, use an appropriate operator and pass the name of 
io

the pattern set or data set as an argument.
n

Additional Resources:
Citrix Product Documentation on Pattern Sets and Data Sets:   http://docs.citrix.com/en‐
us/netscaler/12/appexpert/pattern‐sets‐data‐seta.html

73 © 2017 Citrix Authorized Content



CITRIX

• Policy expressions for string matching on a large set
of string patterns are long and complex.
Pattern Sets
• Resources consumed are significant in terms of
and Data Sets processing cycles , memory, and configuration size.
Cont. • Use pattern matching to create simpler, less resource-
intensive expressions .
N
ot
fo
rr

Key Notes:
es

Depending on the type of patterns that you want to match, you can use one of the following features to 
al

implement pattern matching:
e

A pattern set is an array of indexed patterns used for string matching during default syntax policy 
or

evaluation. Example of a pattern set: imagetypes {svg, bmp, png, gif, tiff, jpg}.
d

A data set is a specialized form of pattern set. It is an array of patterns of types number (integer), IPv4 
is

address, or IPv6 address.
trib

A pattern set or data set contains a set of patterns, and each pattern is assigned a unique index. When a 
policy is applied to a packet, an expression identifies a string to be evaluated, and the operator compares 
ut

the string to the patterns defined in the pattern set or data set until a match is found or all patterns have 
io

been compared. Then, depending on its function, the operator returns either a boolean value that indicates 
n

whether or not a matching pattern was found or the index of the pattern that matches the string.

Pattern sets and Data sets work the same way. The only difference between pattern sets and data sets is 
the type of patterns defined in the set.

74 © 2017 Citrix Authorized Content



CITRIX

• During policy evaluation , the operator compares the
Pattern Set: string in the packet with the patterns defined in the
pattern set until a match is found .
String
• The operator returns either a Boolean value that
Matching indicates whether a matching pattern was found or the
index of the pattern that matches the string .
N
ot
fo
rr

Key Notes:
es

A pattern set defines a mapping of index values to strings. 
al

After you configure a pattern set, you can use it in an advanced expression that passes the pattern set as an 
e

argument to an appropriate operator.
or

When you use an operator, replace <text> with the default syntax expression that identifies the string with 
d

which you want to perform string matching, and replace <pattern_set_name> with the name of the pattern 
is

set.
t
rib
ut
io
n

75 © 2017 Citrix Authorized Content



CITRIX

• A string map is an entity that consists of key-value
pairs.
• A policy configuration that uses string maps performs
better than one using string matching through policy
expressions.
String • Fewer policies are needed to perform string matching
with a large number of key-value pairs.
Maps
• String maps are also intuitive, simple to configure ,
and result in a smaller configuration.
• Utilize maps to perform pattern matching in all
features that use the default policy syntax.
N
ot
fo
rr

Key Notes:
es

A string map defines a mapping of strings to strings.
al

Use Case – prior to strings maps, if you needed to do redirects based on URL, you needed a unique 
e

responder Policy to be bound to each redirect. Now, using string maps, you can just bind a single policy.
or
d is
t rib
ut
io
n

76 © 2017 Citrix Authorized Content



CITRIX

• An HTTP callout is an HTTP or HTTPS request that
the NetScaler appliance generates and sends to an
external server when certain criteria are met during
policy evaluation.
HTTP • An HTTP callout waits for a response from the
Callouts external server and performs the action depending on
the information received.
• The external server is the HTTP Callout Server.
N
ot
fo
rr

Key Notes:
es

The HTTP callout expression:
al

SYS.HTTP_CALLOUT(<name of HTTP Callout>)
e
or

To define the HTTP callout:
• set policy httpCallout <name> [‐IPAddress < ip_addr|ipv6_addr>] [‐port <port>] [‐vServer <string>] [‐
d

returnType <returnType>] [‐httpMethod ( GET | POST )] [‐hostExpr <string>] [‐urlStemExpr <string>] [‐


is

headers <name(value)> ...] [‐parameters <name(value)> ...] [‐fullReqExpr <string>] [‐resultExpr <string>]


trib
ut

Additional Resources:
io

Citrix Product Documentation on HTTP Callouts:  http://docs.citrix.com/en‐
n

us/netscaler/11/appexpert/http‐callout.html

77 © 2017 Citrix Authorized Content



CITRIX

HTTP HTTP service callouts invoke external functionality from
within NetScaler policies and are available for multiple
Callouts features .
Cont. During the HTTP service callout process:
• The user sends a request.
• The policy sends the HTTP request to an external

1
-e.2-~ .
- 6 ~
• 4
service.
• The policy uses the result like other policy expression
evaluation results.
N
ot
fo
rr

Key Notes:
es

For certain types of requests, or when certain criteria are met during policy evaluation, you might want to 
al

stall policy evaluation briefly, retrieve information from a server, and then perform a specific action that 
e

depends on the information that is retrieved. 
or

At other times, when you receive certain types of requests, you might want to update a database or the 
content hosted on a Web server. 
d is

HTTP callouts enable you to perform all these tasks.
trib
ut
io
n

78 © 2017 Citrix Authorized Content



CITRIX

I ~ I- - · L.....-1-____,
HTTP Server
HTTP Callout

Service
Callout •••
.,-.., - - -
"'Ti'~o
I
____. .__.
...
.... I - - -
1-
1-======

- 1-
Diagram Users
Citrix
NetScafer Destination
Servers

NetScafer Policy
N
ot
fo
rr

Key Notes:
es

When the NetScaler appliance receives a client request, the appliance evaluates the request against the 
al

policies bound to various bind points. During this evaluation, if the appliance encounters the HTTP callout 
e

expression, SYS.HTTP_CALLOUT(<name>), it stalls policy evaluation briefly and sends a request to the HTTP 
or

callout agent by using the parameters configured for the specified HTTP callout. Upon receiving the 
response, the appliance inspects the specified portion of the response, and then either performs an action 
d

or evaluates the next policy, depending on whether the evaluation of the response from the HTTP callout 
is

agent evaluates to TRUE or FALSE, respectively. For example, if the HTTP callout is included in a responder 
t rib

policy, if the evaluation of the response evaluates to TRUE, the appliance performs the action associated 
with the responder policy.
ut

If the HTTP callout configuration is incorrect or incomplete, or if the callout invokes itself recursively, the 
io

appliance raises an UNDEF condition, and updates the undefined hits counter.
n

79 © 2017 Citrix Authorized Content



CITRIX

Configuring HTTP Callouts
To configure an HTTP callout, an administrator must:

1. Create the HTTP callout.

2. Specify the server.

3. Define the request to send to the server.

4. Define the server response.

5. Configure the external server.


N
ot
fo
rr

Key Notes:
es

When configuring an HTTP callout, you specify the type of request (HTTP or HTTPS), destination and format 


al

of the request, the expected format of the response, and, finally, the portion of the response that you want 
e

to analyze.
or

For the destination, you either specify the IP address and port of the HTTP callout agent or engage a load 
balancing, content switching, or cache redirection virtual server to manage the HTTP callout requests. In 
d is

the first case, the HTTP callout requests will be sent directly to the HTTP callout agent. In the second case, 
t

the HTTP callout requests will be sent to the virtual IP address (VIP) of the specified virtual server. The 
rib

virtual server will then process the request in the same way as it processes a client request. For example, if 
you expect a large number of callouts to be generated, you can configure instances of the HTTP callout 
ut

agent on multiple servers, bind these instances (as services) to a load balancing virtual server, and then 
io

specify the load balancing virtual server in the HTTP callout configuration. The load balancing virtual server 
n

then balances the load on those configured instances as determined by the load balancing algorithm.
For the format of the HTTP callout request, you can specify the individual attributes of the HTTP callout 
request (an attribute‐based HTTP callout), or you can specify the entire HTTP callout request as a default 
syntax expression (an expression‐based HTTP callout).
In the expression , provide a condition that will prevent the HTTP Recursion.
http://docs.citrix.com/en‐us/netscaler/12/appexpert/http‐callout/avoiding‐http‐callout‐recursion.html
Invoking an HTTP Callout:
• After you configure an HTTP callout, you invoke the callout by including 
the SYS.HTTP_CALLOUT(<name>)expression in a default syntax policy rule. In this expression, <name> is 
the name of the HTTP callout that you want to invoke.
• You can use default syntax expression operators with the callout expression to process the response and 

80 © 2017 Citrix Authorized Content



CITRIX

then perform an appropriate action. The return type of the response from the HTTP 
callout agent determines the set of operators that you can use on the response. If the part 
of the response that you want to analyze is text, you can use a text operator to analyze 
the response.

N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

80 © 2017 Citrix Authorized Content •


CITRIX

Scenario 1: Filter Clients Based on an IP Address
Blacklist
To implement this configuration:

1. Enable the Responder feature.

2. Create an HTTP callout and configure it with details about


the external server and other required parameters .

3. Create a Responder policy to analyze the response.

4. Bind the Responder policy globally.


N
ot

5. Create a callout agent on the remote server.


fo
rr

Key Notes:
es

The NetScaler appliance does not check for the validity of the HTTP callout request. Therefore, before you 
al

configure HTTP callouts, you must know the format of an HTTP request. You must also know the format of 
e

an HTTP response, because configuring an HTTP callout involves configuring expressions that evaluate the 
or

response from the HTTP callout agent.
d is
t rib
ut
io
n

81 © 2017 Citrix Authorized Content



CITRIX

• Rate Limiting enables the administrators to monitor
the rate of traffic for the entity and take the real time
Rate Limiting based preventive action to protect the resources from
the flooding attacks.
• The Rate based policies can be applied to HTTP,
TCP, and DNS requests
N
ot
fo
rr

Key Notes:
es

To monitor the rate of traffic for a given scenario, we configure a rate limit identifier. 
al

A rate limit identifier specifies numeric thresholds such as the maximum number of requests or 
e

connections (of a particular type) that are permitted in a specified time period called a time slice.
or

Optionally, we can configure filters, known as stream selectors, and associate them with rate limit 


d

identifiers when we configure the identifiers. 
is

After we configure the optional stream selector and the limit identifier, we must invoke the limit identifier 


trib

from a default syntax policy. 


ut

We can invoke identifiers from any feature in which the identifier may be useful, including rewrite, 
responder, DNS, and integrated caching.
io
n

Additional Resources:
http://docs.citrix.com/en‐us/netscaler/12/appexpert/rate‐limiting.html

82 © 2017 Citrix Authorized Content



CITRIX

• The components for configuring the Rate Limiting on
NetScaler are :
• Limit identifier
• Stream selectors

• To implement the Rate Limiting , configure a policy


Configure Rate using NetScaler feature that uses default syntax
policies .
Limiting
• The policy expression must contain the following
expression prefix to enable the feature to analyze the
traffic rate:
• SYS.CHECK_LIMIT{<limit_identifier>)
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

83 © 2017 Citrix Authorized Content



CITRIX

Configuring Rate Limiting
To configure an HTTP callout, an administrator must:

1. Create a Limit Selector .

2. Create a Limit Identifier.

3. Create action using features using default policy.

4. Create policy with expression


SYS.CHECK_LIMIT(<limit_identifier>)
N

4. Bind the Policy to appropriate bind point


ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

84 © 2017 Citrix Authorized Content



CITRIX

Typecasting extracts data of one from requests and
responses and transforms it to data of another type:
• It extracts a string from an HTTP request body and
treats it like an HTTP header.
• It extracts a string from an HTTP header and treats it
Typecasting like an HTTP request body.
Functionality • It extracts a value from one type of request header
and inserts it in a response header of a different type .
After typecast, the NetScaler can apply any appropriate
policy action to the new data type .
N
ot
fo
rr

Key Notes:
es

You can extract almost anything.  For example, you can extract an attribute from system time and return 
al

integer (such as hour returns number 1‐24) then set policies based on integer.
e

You can extract data of one type (for example, text or an integer) from requests and responses and 
or

transform it to data of another type. For example, you can extract a string and transform the string to time 
format. You can also extract a string from an HTTP request body and treat it like an HTTP header or extract 
d is

a value from one type of request header and insert it in a response header of a different type.
t rib

After typecasting the data, you can apply any operation that is appropriate for the new data type. For 
example, if you typecast text to an HTTP header, you can apply any operation that is applicable to HTTP 
ut

headers to the returned value.
io
n

Additional Resources:
Many excellent examples of use cases:   http://docs.citrix.com/en‐us/netscaler/12/appexpert/policies‐and‐
expressions/ns‐typecasting‐data‐wrapper‐con.html

85 © 2017 Citrix Authorized Content



CITRIX

Typecasting Example: What=Zone
In this example, the policy engine will retrieve 399 as a string.
The typecast element tells the policy engine to evaluate 399 as a number of type
decimal.

IExpression :
• HTTP.REQ .URL.QUERY.AFTER_STR(\" what=zone :\" ).BEFORE_ STR(\" &block\" ).TYPECAST _NUM
_ T(DECIMAL) .GE(399 )

URL string :

• http ://ads .example.com /ads/adjs .php?n=829983570& what=zone399 &block=1 &blockcampaign=1 &


exclude= ,
N

.__ ---------------------------~
ot
fo
rr

Key Notes:
es

Some Typecasting Function:
al

• <text>.TYPECAST_LIST_T(<separator>)
e

• Treats the text in an HTTP request or response body as a list whose elements are delimited by 
or

the character in the <separator> argument. Index values in the list that is created start with zero 
d

(0).
is

• Text mode settings have no effect on the separator. For example, even if you set the text mode 
t rib

to IGNORECASE, and the separator is the letter “p,” an uppercase “P” is not treated as a 
separator.
ut

• <text>.TYPECAST_TIME_T
io

• Treats the designated text as a date string. The following formats are supported:
n

• RFC822: Sun, 06 Nov 1994 08:49:37 GMT
• RFC850: Sunday, 06‐Nov‐94 08:49:37 GMT
• ASCII TIME: Sun Nov 6 08:49:37 1994
• HTTP Set‐Cookie Expiry date: Sun, 06‐Nov‐1994 08:49:37 GMT
• <numeric string>.TYPECAST_IP_ ADDRESS_T
• Treats a numeric string as an IP address. 
• <numeric string>.TYPECAST_IPV6_ADDRESS_T
• Treats a string as an IPv6 address in the following format:
• 0000:0000:CD00:0000:0000:00AB:0000:CDEF
• <text>.TYPECAST_HTTP_ URL_T

86 © 2017 Citrix Authorized Content



CITRIX

• Treats the designated text as the URL in the first line of an HTTP request header. 
The supported format is [<protocol>://<hostname>]<path>?<query>, and the text 
mode is set to URLENCODED by default.
Example expression: 
HTTP.REQ.URL.QUERY.AFTER_STR(\”what=zone:\”).BEFORE_STR(\”&block\”).TYPECAST_NU
M_T(DECIMAL).GE(399)
This example expression takes the string after “what=zone:” converts it into an integer value 
and checks if it is greater than or equal to 399
Example string:
http://ads.sun.com/ads/adjs.php?n=829983570&what=zone:399&block=1&bl
ockcampaign=1&exclude=,
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

86 © 2017 Citrix Authorized Content •


CITRIX

Typecasting Example: URL String
In this example, the policy engine will retrieve 90 as a string.
The typecast element tells the policy engine to evaluate 90 as a number of type
decimal.
Expression:

• HTTP.REQ.URL.QUERY.VALUE(7).TYPECAST_NUM_T(DECIMAL)

URL String :

• http://www.example-an alytics. com/_ utm .gif? utmwv= 1&utmn=2096883363&utmcs=utf-


8&utmsr= 1600x1200&utmsc=32-bit&utmul=en-
us&utmje= 1&utmfl=90&utmdt=Surf%20Reports%2C%20Surf%20Forecasts%20and%20Surfing%20Photos
&utmhn=magicseaweed.com&utmr=-&utmp=/&utmac=UA-244865-
N

1&utmcc=_ utma%3D70478348.3261219735.1
162245583.1171842907.1173146399.9%3B%2B_ utmb%3D704 78348%3B%2B_ utmc%3D704 78348%3
ot

B%2B
fo
rr

Key Notes:
es

The index used to read into the Name‐Value Lists (nvlist_t) is zero‐based. This means the first element in 
al

the list is numbered as element 0.  To retrieve the eighth value, an administrator must specify element #7.
e

Since the QUERY object is already a name‐value list, using the query is the more efficient way to create the 
or

expression. However, for the sake of the example, we are able to show two typecasts by using the second 
expression. The net result is functionally identical.
d is
t rib
ut
io
n

87 © 2017 Citrix Authorized Content



CITRIX

Typecasting Example: Identifying the 8th Value
INDEX NAME VALUE
0 utmwv 1
1 utmn 2096883363
2 utmcs utf-8
3 utmsr 1600x1200
4 utmsc 32-bit
5 utmul en-us
6 utmje 1
7 utmfl 90 1
8 utmdt ::.urr%20Reports%2C%20Surf0/420Forecasts%20a
nd%20Surfing%20Photos
9 utmhn maoicseaweed.com
10 utmr -
11 utmp I
12 utmac UA- 244865-1
13 utmcc utma%3O70478348 .3261219735 .1162245583. 1
171842907 .1173146399.9%3B%2B utmb%3O70
4 78348%3B%2B u tmc%3O704 78348%3B%2B
N

• The eighth entry in the VALUE column is extracted (at index #7 - counting begins at
ot

0) and interpreted as a decimal number.


fo
rr

Key Notes:
es

The index used to read into the Name‐Value Lists (nvlist_t) is zero‐based. This means the first element in 
al

the list is numbered as element 0. To retrieve the eighth value, an administrator must specify element #7.
e

• 1. Text is parsed to create an object of type NVLIST_T, and the result can be represented as a table as 
or

shown above.
• 2. The string “90” is converted to a number (explicitly in DECIMAL format.  HEX is also supported).
d is
t rib
ut
io
n

88 © 2017 Citrix Authorized Content



CITRIX

Typecasting Example: Extending the Expression

Expression that returns the number 90:

HTTP .REQ.URL.AFT ER_ STR("?").TYPECAST _ NVLIST _ T .VALUE(7) .TYPECAST _ NUM_ T (DEC IMAL)

Extending expression :
HTTP.REQ.URL.AFTER_STR("?"). TYPECAST_NVLIST_ T .VALUE (?) .TYPECAST_NUM_ T (DECIMAL).GE(120)
N
ot
fo
rr

Key Notes:
es

The index used to read into the Name‐Value Lists (nvlist_t) is zero‐based. This means the first element in 
al

the list is numbered as element 0. To retrieve the eighth value, an administrator must specify element #7.
e
or
d is
t rib
ut
io
n

89 © 2017 Citrix Authorized Content



CITRIX

• AppExpert policy engine is a powerful set of tools for
easy control and management of almost any type of
traffic .
• With the powerful default policy engine , almost any
Key Takeaways policy and expression can be written .
• Policies determine when to do something, while
actions determine what to do when the policy is true .
• Default polices are more powerful than classic
policies.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

90 © 2017 Citrix Authorized Content



CITRIX


CITRIX

NetScaler Traffic
Management
Rewrite , Responder, and URL
Transform
N

C, .;r'L'
ot

Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

91 © 2017 Citrix Authorized Content



CITRIX

• Describe what the Rewrite feature of NetScaler does
and explain how it works.
Learning • Discuss the functionality of Responder policies and
how to configure them.
Objectives
• Explain the benefits of using URL Transformation .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

92 © 2017 Citrix Authorized Content



CITRIX

Rewrite
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

93 © 2017 Citrix Authorized Content



CITRIX

• The Rewrite feature on the NetScaler rewrites
information in the requests or responses of the
packet.

• The Rewrite support is available for HTTP, SIP,


DIAMETER,DNS ,TCP.
Rewrite
• Common use cases include:
• Provide users with custom error pages.
• Hosting of a new website using an old URL.
• Mod ifying an HTTP request.
• Adding , editing, or deleting headers and strings in
headers.
• Modify the DNS flags in response.
N
ot
fo
rr

Key Notes:
es

Rewrite refers to the rewriting of some information in the requests or responses handled by the NetScaler 
al

appliance. Rewriting can help in providing access to the requested content without exposing unnecessary 
e

details about the Web site's actual configuration. A few situations in which the rewrite feature is useful are 
or

described below:
• To improve security, the NetScaler can rewrite all the http:// links to https:// in the response body.
d is

• In the SSL offload deployment, the insecure links in the response have to be converted into secure 
t

links. Using the rewrite option, you can rewrite all the http:// links to https:// for making sure that the 


rib

outgoing responses from NetScaler to the client have the secured links.
ut

• If a Web site has to show an error page, you can show a custom error page instead of the default 404 
io

Error page. For example, if you show the home page or site map of the Web site instead of an error 
page, the visitor remains on the site instead of moving away from the Web site.
n

• If you want to launch a new Web site, but use the old URL, you can use the Rewrite option.


• When a topic in a site has a complicated URL, you can rewrite it with a simple, easy‐to‐remember URL 
(also referred to as 'cool URL').
• You can append the default page name to the URL of a Web site. For example, if the default page of a 
company's Web site is 'http://www.abc.com/index.php', when the user types 'abc.com' in the address 
bar of the browser, you can rewrite the URL to 'abc.com/index.php'.

Additional Resources:
A few situations in which the rewrite feature is useful:  http://docs.citrix.com/en‐
us/netscaler/12/appexpert/rewrite.html

94 © 2017 Citrix Authorized Content



CITRIX

0 Browser Request 0 Check for Policies 0

-
Ev luabon

The cheot browser sends a The NetScaler system The NetScaler system
~
request to tile Wabserver checks tile request bme bullds 8 set of 8CtJonS 10
through tile NetScaler policy bank for appl,cebte apply after evaluabng tile hst
system pobcaes of pnon112ed pohc,as

l
Rewrite
0 Rewnbng

The NetScaler system


I-
r J:l-i
I-
::::! :::: !
0 Rewribng

The NetScaler system


rewntas the request and rewntes the request and

Process
fOtWardS ~ to the Wab
server L _ I-
I-
l_j
I
forwards at to the Wab
server

I- I
l l
0 EvaluaUon 0 Check for Poficles 0

-
Server Response
The NetScaler system The NetScaler system
~ The Wab server racer,es
builds a set of actJons to checks the request tJme
the request and sends a
apply after ovaluabng the hst policy bank for apphcabte
response
of pnonllZed policies polacaes
N
ot
fo
rr

Key Notes:
es

The NetScaler appliance checks for global policies and then checks for policies at individual bind points.
al

If multiple policies are bound to a bind point, the NetScaler evaluates the policies in the order of their 
e

priority. 
or

The policy with the highest priority is evaluated first. After evaluating each policy, if the policy is evaluated 
d

to TRUE (the traffic matches the rule), it adds the action associated with the policy to a list of actions to be 
is

performed. For any policy, in addition to the action, you can specify the policy that should be evaluated 
t
rib

after the current policy is evaluated. This policy is referred to as the 'Go to Expression'.
After all the policies are evaluated or when a policy has the Go to Expression set as END, the NetScaler 
ut

starts performing the actions according to the list of actions.
io
n

95 © 2017 Citrix Authorized Content



CITRIX

Rewrite Built-In Actions

Action Result

NOREWRITE NetScaler forwards request without rewriting

RESET Connection aborted at TCP level

DROP Message dropped


N
ot
fo
rr

Key Notes:
es

After enabling the rewrite feature, you need to configure one or more actions unless a built‐in rewrite 
al

action is sufficient. All of the built‐in actions have names beginning with the string ns_cvpn, followed by a 
e

string of letters and underscore characters. Built‐in actions perform useful and complex tasks such as 
or

decoding parts of a clientless VPN request or response or modifying JavaScript or XML data. The built‐in 
actions can be viewed, enabled, and disabled, but cannot be modified or deleted.
d is

Additional built‐in actions have names beginning with the string ns_cvpn, followed by a string of letters and 
t

underscore characters. Built‐in actions perform useful and complex tasks such as decoding parts of a 
rib

clientless VPN request or response or modifying JavaScript or XML data. The built‐in actions can be viewed, 
enabled, and disabled, but cannot be modified or deleted.
ut
io

To create a new rewrite action by using the command line interface:
n

• At the command prompt, type the following commands to create a new rewrite action and verify the 
configuration:
• add rewrite action <name> <type> <target> [<stringBuilderExpr>] [(‐pattern <expression> | ‐
patset <string>)] [‐bypassSafetyCheck (YES|NO)]
• show rewrite action <name>
To modify an existing rewrite action by using the command line interface:
• At the command prompt, type the following commands to modify an existing rewrite action and verify 
the configuration:
• set rewrite action <name> [‐target <string>] [‐stringBuilderExpr <string>] [(‐pattern <expression> 
| ‐patset <string>)] [‐bypassSafetyCheck (YES|NO)]
• show rewrite action <name>

96 © 2017 Citrix Authorized Content



CITRIX

To remove a rewrite action by using the command line interface:
• At the command prompt, type the following commands to remove a rewrite action :
• rm rewrite action <name>
To configure a rewrite action by using the configuration utility:
• Navigate to AppExpert > Rewrite > Actions.
• In the details pane, do one of the following:
• To create a new action, click Add.
• To modify an existing action, select the action, and then click Open.
• Click Create or OK. A message appears in the status bar, stating that the Action has been 
configured successfully.
• Repeat steps 2 through 4 to create or modify as many rewrite actions as you wish.
N

• Click Close.
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

96 © 2017 Citrix Authorized Content •


CITRIX

Rewrite Custom Actions
INSERT_BEFORE
INSERT_AFTER
REPLACE
DELETE
DELETE_HTTP_HEADER
• After enabling the Rewrite feature, CORRUPT_HTTP_HEADER
configure one or more actions-unless a REPLACE_HTTP_RES
built-in rewrite action is sufficient. REPLACE_ALL
DELETE_ALL
• Utilize custom actions to: INSERT_AFTER_ALL
INSERT_BEFORE_ALL
• Insert or delete a header or content in the body.
CLIENTLESS_VP _ENCODE
• Replace headers or content. CLINETLESS_VP _ENCODE_ALL
• Insert or delete information before or after CLIENTLESS_VP _DECODE
another string . CLIENTLESS_VP _DECODE_ALL
INSERT_SIP_HEADER
DELETE_SIP_HEADER
N

CORRUPT_SIP_HEADER
ot

REPLACE_SIP_RES
fo
rr

Key Notes:
es

You can use all types of existing string manipulation functions with these prefixes to identify the strings that 
al

you want to rewrite. To configure a rewrite action, you assign it a name, specify an action type, and add one 
e

or more arguments specifying additional data. The following table describes the action types and the 
or

arguments you use with them.
d is
trib
ut
io
n

97 © 2017 Citrix Authorized Content



CITRIX

Create Rewrite Action

Configuring a Rewrite Action Name


Rewrite_Act
To configure a Rewrite Action: Type
I SERT_HTTP_HEADER
• Assign it a name.
Use this action type to insert a header.
• Specify an action type. Header ame
Custom_Header
• Add one or more expressions specifying
additional data . ~essoon

Operators Saved Polley Expressions •

HTTPREQOATE
CLI Syntax:
add rewrite action <action_ name> <Type> < Expression>

In smng expressions. stnng constants and express1ons can


Comments
N

[ l
ot

f@i Close
fo
rr

Key Notes:
es

To create a new rewrite action by using the command line interface
al

• At the command prompt, type the following commands to create a new rewrite action and verify the 
e

configuration:
or

• add rewrite action <name> <type> <target> [<stringBuilderExpr>] [(‐pattern <expression> | ‐


d

patset <string>)] [‐bypassSafetyCheck (YES|NO)]


is
t
rib
ut
io
n

98 © 2017 Citrix Authorized Content



CITRIX

Configuring a Rewrite Policy .., Create Rewrite Policy
Name

WEB-UI ~ ite_Policy _ _ ___.

I\Ctlon
• Assign it a name. actl y + /
LogActlOn
• Select the Action. y +
• Add one or more expressions specifying condition Undefined-Result Actlon*
-Global-undefined-~ -action
for rewrite . y ]

Expres51on
• Add Undefined Result Action .(Optional)
• Add Log Action.(Optional) f-:-~
CLI Syntax: Comments
N

add rewrite policy <name> <expres ion> <action_ name>


ot

1§1 Close
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

99 © 2017 Citrix Authorized Content



CITRIX

When the Rewrite Policy Evaluation results in an error,
Rewrite the specified undefined action is carried out.

Undefined • NetScaler supports three types of undefined actions :

Actions • undefAction NOREWRITE


• undefAction RESET
• undefAction DROP

While the undefined action is defined globally at the feature


level , it can be overridden within a specific policy.
N
ot
fo
rr

Key Notes:
es

• undefAction NOREWRITE This means that the NetScaler continues to process requests and responses 
al

that do not match any rewrite policy, and eventually forwards them to the requested URL unless another 
e

feature intervenes and blocks or redirects the request. This action is appropriate for normal requests to 
or

your Web servers, and is the default setting.
undefAction RESETResets the client connection. This means that the NetScaler tells the client that it must 
d

re‐establish its session with the Web server. This action is appropriate for repeat requests for Web pages 
is

that do not exist, or for connections that might be attempts to hack or probe your protected Web site(s)
t rib

undefAction DROPSilently drops the request without responding to the client in any way. This means that 


ut

the NetScaler simply discards the connection without responding to the client. This action is appropriate for 
requests that appear to be part of a DDoS attack or another sustained attack on your servers.
io
n

Note: Undefined events can be triggered for both request and response flow specific policies.

100 © 2017 Citrix Authorized Content



CITRIX

Additional parameters that can be configured in
Rewrite Rewrite are:
Action • pattern or patset

Parameters • bypassSafetyCheck
• target
• stringBuilderExpr
• search
• refineSearch
N
ot
fo
rr

Key Notes:
es

Target:  
al

• Expression that specifies which part of the connection to rewrite.  Maximum Length: 1499
e
or

stringBuilderExpr:
• Default syntax expression that specifies the content to insert into the request or response at the 
d

specified location, or that replaces the specified string.  Maximum Length: 8191
is

When you create a rewrite action, the NetScaler verifies that the expression you used to create the action is 
t rib

safe – you can bypass this safety check if you know your rewrite is safe
ut

Pattern:
io

• Pattern that is used to match multiple strings in the request or response. The pattern may be a string 
n

literal (without quotes) or a PCRE‐format regular expression with a delimiter that consists of any 
printable ASCII non‐alphanumeric character except for the underscore (_) and space ( ) that is not 
otherwise used in the expression. Example: re~https?://|HTTPS?://~ The preceding regular expression 
can use the tilde (~) as the delimiter because that character does not appear in the regular expression 
itself. Used in the INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL action 
types.  Maximum Length: 271
Search:
• Search facility that is used to match multiple strings in the request or response.
RefineSearch:
• Specify additional criteria to refine the results of the search. Always starts with the "extend(m,n)" 
operation, where 'm’ specifies number of bytes to the left of selected data and 'n’
• Specifies number of bytes to the right of selected data. You can use refineSearch only on body 

101 © 2017 Citrix Authorized Content



CITRIX

expressions, and for the INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and 
DELETE_ALL action types.  Maximum Length: 1499

N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

101 © 2017 Citrix Authorized Content •


CITRIX

A Rewrite Policy consists of an expression and an
action:

Rewrite • The expression determines the traffic on which Rewrite is


Pol icies applied .
• The action determines the action to be taken by the
NetScaler.
• A bind point must be specified for each policy.
• A priority should be specified for multiple policies .
N
ot
fo
rr

Key Notes:
es

Adding Policy:
al

• add rewrite policy <name> <expression> <action> [<undefaction>]
e

• show rewrite policy <name>
or

To rewrite HTTP requests and responses, you can use protocol‐aware NetScaler policy expressions in the 
d

rewrite policies you configure. The virtual servers that manage the HTTP requests and responses must be of 
is

type HTTP or SSL. In HTTP traffic, you can take the following actions : 


t rib

Modify the URL of a request ,Add modify or delete headers .Add, replace, or delete any specific string 
within the body or headers.
ut
io

To rewrite TCP payloads, consider the payload as a raw stream of bytes. Each of the virtual servers that 
managing the TCP connections must be of type TCP or SSL_TCP. The term TCP rewrite is used to refer to the 
n

rewrite of TCP payloads that are not HTTP data. In TCP traffic, you can add, modify, or delete any part of the 
TCP payload.

102 © 2017 Citrix Authorized Content



CITRIX

Rewrite polices must be bound to an available bind
Binding point in order to be applied.
Rewrite You can bind policies in the Configuration Utility and in
the CLI.
Policies
Each policy needs a priority assigned to it:

• Value must be a positive integer.

• Lower numbers have higher priority.


N
ot
fo
rr

Key Notes:
es

The main difference between the rewrite feature and the responder feature is as follows:
al

Responder cannot be used for response or server‐based expressions. Responder can be used only for the 
e

following scenarios depending on client parameters: 
or

• Redirecting a http request to new Web sites or Web pages
d

• Responding with some custom response
is

• Dropping or resetting a connection at request level
t rib

In case of a responder policy, the NetScaler examines the request from the client, takes action according to 
ut

the applicable policies, sends the response to the client, and closes the connection with the client.
io

In case of a rewrite policy, the NetScaler examines the request from the client or response from the server, 
n

takes action according to the applicable policies, and forwards the traffic to the client or the server.
In general, it is recommended to use responder if you want the NetScaler to reset or drop a connection 
based on a client or request‐based parameter. Use responder to redirect traffic, or respond with custom 
messages. Use rewrite for manipulating data on HTTP requests and responses.

103 © 2017 Citrix Authorized Content



CITRIX

Using Rewrite
To configure the Rewrite feature, follow the steps below:

1. Enable the Rewrite feature.

2. Create Rewrite actions.

3. Create Rewrite policies.

4. Bind the policies to a bind point.


I
N
ot
fo
rr

Key Notes:
es

To enable the rewrite feature by using the command line interface
al

• At the command prompt, type the following commands to enable the rewrite feature and verify the 
e

configuration:
or

• enable ns feature REWRITE
d

• show ns feature
is

To enable the rewrite feature by using the configuration utility
t
rib

• In the navigation pane, click System, and then click Settings.


ut

• In the details pane, under Modes and Features, click Configure basic features.


io

• In the Configure Basic Features dialog box, select the Rewrite check box, and then click OK.


n

• In the Enable/Disable Feature(s) dialog box, click Yes. A message appears in the status bar, stating that 


the selected feature was enabled.

104 © 2017 Citrix Authorized Content



CITRIX

USE CASE : Modify HTTP Request
I I Original HTTP Request

GET/ HTTP/1.1
Host: training.citrix.lab
Connection : keep-alive
Ex: The following NetScaler policy Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
will modify the HTTP version is User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
every HTTP request before like Gecko) Chrome/58.0.3029.110 Safari/537.36
forwarding it. I HTTP Request after Rewrite I
GET/ HTTP/1.0
add rewrite action Act_ l replace Host: training.citrix.lab
http.r q. r ion " "HTTP 1.0\'"' Connection : keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
add rewrit policy Pol_ 1 true Act_ l User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
N

like Gecko) Chrome/58.0.3029.110 Safari/537.36


ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

105 © 2017 Citrix Authorized Content



CITRIX

What reasons would you have to create custom
Rewrite actions?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

106 © 2017 Citrix Authorized Content



CITRIX

• Exercise 3-1: Rewrite Policy: Modify a URL
• Exercise 3-2: Rewrite Policy: Delete HTTP Headers
• Exercise 3-3: Rewrite Policy: Insert HTTP Headers
• Exercise 3-4: Rewrite Policy: Convert URL Paths to
Lowercase
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

107 © 2017 Citrix Authorized Content



CITRIX

Responder
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

108 © 2017 Citrix Authorized Content



CITRIX

A Responder Policy:

• Examines the request from the client


• Takes action according to the policy
• Sends the response to the client
• Terminates the connection with the client
The Responder is simple to use, and responds based
on attributes such as sender identity, sender location ,
Responder and many others.

The following are some use cases for Responder


policies:

• Redirecting an HTTP request.


• Responding with a custom response.
N

• Dropping or Resetting connections at the request level.


ot
fo
rr

Key Notes:
es

Today’s complex Web configurations often require different responses to HTTP requests that appear, on the 
al

surface, to be similar. When users request a Web site’s home page, you may want to provide a different 
e

home page depending on where each user is located, which browser the user is using, or which language(s) 
or

the browser accepts and the order of preference. You might want to break the connection immediately if 
the request is coming from an IP range that has been generating DDoS attacks or initiating hacking 
d

attempts..
is
t

For handling sensitive data such as financial information, if you want to ensure that the client uses a secure 
rib

connection to browse a site, you can redirect the request to secure connection by using https:// instead of 
http://.
ut
io
n

Additional Resources:
Citrix Product Documentation Responder Feature:  http://docs.citrix.com/en‐
us/netscaler/12/appexpert/responder.html.

109 © 2017 Citrix Authorized Content



CITRIX

Responder Process
(D Browser Request ® Check for Policies @ Evaluation

The client browser The NetScaler system The NetScaler system


sends a request to the checks the request builds a set of actions to
web server through the time policy bank for apply after evaluating the
NetScaler system. applicable policies . list of prioritized policies.


© Response

The NetScaler system


responds to the client
request
N
ot
fo
rr

Key Notes:
es

Responder only operates on the REQ side of the
al

Responses can be based on who sends the request, where it is sent from, and other criteria with security 
e

and system management implications. The feature is simple and quick to use. By avoiding the invocation of 
or

more complex features, it reduces CPU cycles and time spent in handling requests that do not require 
complex processing.
d is
t rib
ut
io
n

110 © 2017 Citrix Authorized Content



CITRIX

Responder
You can assign any of the following actions to a
Built-In responder policy or undefined event:
Actions • NOOP - no operation occurs .
• RESET - rests the client connection .
• DROP - silently drops the request.
N
ot
fo
rr

Key Notes:
es

NOOP
al

• The NOOP action aborts responder processing but does not alter the packet flow. This means that the 
e

appliance continues to process requests that do not match any responder policy, and eventually 
or

forwards them to the requested URL unless another feature intervenes and blocks or redirects the 
request. This action is appropriate for normal requests to your Web servers and is the default setting.
d is

RESET
t rib

• If the undefined action is set to RESET, the appliance resets the client connection, informing the client 
that it must re‐establish its session with the Web server. This action is appropriate for repeat requests for 
ut

Web pages that do not exist, or for connections that might be attempts to hack or probe your protected 
io

Web site(s).
n

DROP
• If the undefined action is set to DROP, the appliance silently drops the request without responding to the 
client in any way. This action is appropriate for requests that appear to be part of a DDoS attack or other 
sustained attack on your servers.
Note: UNDEF events are triggered only for client requests. No UNDEF events are triggered for responses.
The NetScaler appliance generates an undefined event (UNDEF event) when a request does not match a 
responder policy, and then carries out the default action assigned to undefined events. By default, that 
action is to forward the request to the next feature without changing it. This default behavior is normally 
what you want; it ensures that requests that do not require special handling by a specific responder action 
are sent to your Web servers and clients receive access to the content that they requested.
If the Web site(s) your NetScaler appliance protects receive a significant number of invalid or malicious 
requests, however, you may want to change the default action to either reset the client connection or drop 

111 © 2017 Citrix Authorized Content



CITRIX

the request. In this type of configuration, you would write one or more responder policies 
that would match any legitimate requests, and simply redirect those requests to their 
original destinations. Your NetScaler appliance would then block any other requests as 
specified by the default action you configured.

N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

111 © 2017 Citrix Authorized Content •


CITRIX

Custom Responder Actions for HTTP

Respond Respond with HTML Redirect

Redirects the request to a


Responds with HTML. Sends HTML page as response . different URL, web page ,
or Web server.

HTML pages can be uploaded


NetScaler acts like Web server. to NetScaler and selected from The Web server may not exist.
pull down menu.
I I
N
ot
fo
rr

Key Notes:
es

After enabling the responder feature, you must configure one or more actions for handling requests. The 
al

responder supports the following types of actions:
e

Respond with
or

• Sends the response defined by the Target expression without forwarding the request to a web server. 
d

(The NetScaler appliance substitutes for and acts as a web server.) Use this type of action to manually 
is

define a simple HTML‐based response. Normally the text for a Respond with action consists of a web 
t

server error code and brief HTML page.
rib

Respond with SQL OK
ut

• Sends the designated SQL OK response defined by the Target expression. Use this type of action to send 
io

an SQL OK response to an SQL query.
n

Respond with SQL Error
• Sends the designated SQL Error response defined by the Target expression. Use this type of action to 
send an SQL Error response to an SQL query.
Respond with HTML page
• Sends the designated HTML page as the response. You can choose from a drop‐down list of HTML pages 
that were previously uploaded, or upload a new HTML page. Use this type of action to send an imported 
HTML page as the response.
Redirect
Redirects the request to a different web page or web server. A Redirect action can redirect requests 
originally sent to a "dummy" web site that exists in DNS, but for which there is no actual web server, to an 
actual web site. It can also redirect search requests to an appropriate URL. Normally, the redirection target 

112 © 2017 Citrix Authorized Content



CITRIX

for a Redirect action consists of a complete URL.

N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

112 © 2017 Citrix Authorized Content •


CITRIX

Custom Responder Actions for DataStream

Respond Respond with SQL Error

I I
Sends the designated SQL OK Sends the designated SQL Error
response to a SQL query response to a SQL query
N
ot
fo
rr

Key Notes:
es

Released in Version 10 of NetScaler
al

Respond with SQL OK
e

• Sends the designated SQL OK response defined by the Target expression. Use this type of action to send 
or

an SQL OK response to an SQL query.
d

Respond with SQL Error
is

• Sends the designated SQL Error response defined by the Target expression. Use this type of action to 
t rib

send an SQL Error response to an SQL query.
ut
io
n

113 © 2017 Citrix Authorized Content



CITRIX

Responder Action for Timeouts
When an HTTP request times out, a responder action can be invoked .

• To configure the responder actions, follow the steps below:

1. Create the Responder action that you want to invoke.

2. Configure the global HTTP timeout action


N
ot
fo
rr

Key Notes:
es

To configure a responder action by using the command line interface
al

• At the command prompt, type the following commands to configure a responder action and verify the 
e

configuration:
or

• add responder action <name> <type> <target> [‐bypassSafetyCheck (YES | NO) ]


d

• show responder action
is

To modify an existing responder action by using the command line interface
t rib

• At the command prompt, type the following command to modify an existing responder action and verify 
ut

the configuration:
• set responder action <name> ‐target <string> [‐bypassSafetyCheck ( YES | NO )]
io
n

• show responder action
To remove a responder action by using the command line interface
• At the command prompt, type the following command to remove a responder action and verify the 
configuration:
• rm responder action <name>
• show responder action

114 © 2017 Citrix Authorized Content



CITRIX

Responder po licies are configured in the Configuration
Utility and in the CLI.
Responder The following arguments are identified when adding a
Policies Responder policy:

• Expression
• Action
• UndefAction
N
ot
fo
rr

Key Notes:
es

To configure a responder policy by using the NetScaler command line:
al

• At the NetScaler command prompt, type the following command to add a new responder policy and 
e

verify the configuration:
or

• add responder policy <name> <expression> <action> [<undefaction>]‐appFlow action<actionName>


d is
t
rib
ut
io
n

115 © 2017 Citrix Authorized Content



CITRIX

Responder HTML Page Imports

• The Responder feature can respond to designated requests by sending the client an
HTML-based web page, it supports the import of custom HTML-pages to the
NetScaler. N
ot
fo
rr

Key Notes:
es

At times, when the services for a website are not available because of a planned outage or an unexpected 
al

event, you might want to display a maintenance or an apology page to the customer. You can use the 
e

Responder feature of the NetScaler appliance to create such a notification page during these events.
or

To configure a maintenance webpage by using the Responder feature of the NetScaler appliance, complete 
the following procedure:
d is

If not already done, run the following command to configure the required services:
t rib

add service server1 <IP_Address_of_Service> HTTP 80
You have to create a service that is always UP and bind it to this backup virtual server so that it will always 
ut

remain UP. Go to Load Balancing > Services, and click Add and then create a service called "always‐up" and 


io

use any dummy IP for the server and add a ping monitor, and click Create.
n

Alternately you can also make the monitor as type Reverse so that even if the service is down it will be 
always up for the dummy IP.
Run the following command to configure a Load Balancing virtual server:
add lb vserver vserver1 HTTP <IP_Address_of_VServer> 80
Run the following command to configure a backup Load Balancing virtual server:
add lb vserver backup HTTP 0.0.0.0 0
Run the following command to bind a service to the backup virtual server to ensure that the status of the 
backup virtual server is marked as UP:
bind lb vserver backup always‐up
Run the following command to configure the main virtual server with the backup virtual server:
set lb vserver vserver1 ‐backupVServer backup

116 © 2017 Citrix Authorized Content



CITRIX

Run the following command to create a Responder action with an appropriate target web 
page:
add responder action mtn_pg_act respondwith q{"HTTP/1.0 200 OK" +"\r\n\r\n" + 
"<html><body>Sorry, this page is currently not available. Please try after some 
time.</body></html>" + "\r\n"}
Note: To avoid caching of the maintenance web page, you can set the HTTP code to 503 
Service Unavailable instead of 200 OK.
Run the following command to create a Responder policy:
add responder policy sorryPol HTTP.REQ.IS_VALID mtn_pg_act
Run the following command to bind the policy to the backup virtual server:
bind lb vserver backup ‐policyName sorryPol ‐priority 4
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

116 © 2017 Citrix Authorized Content •


CITRIX

Binding Responder polices must be bound to an available bind
point in order to be applied .
Responder • You can bind policies in the Configuration Utility and
Policies in the CLI.
• Each policy needs a priority assigned to it:
• Value must be a positive integer.
• Lower numbers have higher priority.
N
ot
fo
rr

Key Notes:
es

To put a policy into effect, you must bind it either globally, so that it applies to all traffic that flows through 
al

the NetScaler, or to a specific virtual server, so that the policy applies only to requests whose destination IP 
e

address is the VIP of that virtual server.
or

When you bind a policy, you assign a priority to it. The priority determines the order in which the policies 
you define are evaluated. You can set the priority to any positive integer.
d is

In the NetScaler operating system, policy priorities work in reverse order—the higher the number, the 
t rib

lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy 
assigned a priority of 10 is performed first, then the policy assigned a priority of 100, and finally the policy 
ut

assigned an order of 1000. The responder feature implements only the first policy that a request matches, 
io

not any additional policies that it might also match, so policy priority is important for getting the results you 
intend.
n

You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the 
order you want, by setting priorities with intervals of 50 or 100 between each policy when you globally bind 
it. You can then add additional policies at any time without having to reassign the priority of an existing 
policy.
To globally bind a responder policy by using the command line interface
• At the command prompt, type the following command to globally bind a responder policy and verify the 
configuration:
• bind responder global <policyName> <priority> [<gotoPriorityExpression [‐type <type>] [‐
invoke (<labelType> <labelName>)]
• show responder global
There are some limitations to the gotoexpression in Responder, since multiple Responder policies can be 

117 © 2017 Citrix Authorized Content



CITRIX

applied to the same request. So you cannot have a gotoexpression of NEXT or an integer 
value referring to another policy’s priority.

N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

117 © 2017 Citrix Authorized Content •


CITRIX

Use case
The following responder policy will redirect the user trying to access root
location to the location /cs1
add re ponder action ct_ l redirect" "http: erverl .training.lab c I '\"" -re pon e tatu Code 302

add re ponder po licy Pol_ l "http .REQ . RL.P TH A D_ QU RY.EQ("/ 11


)" Act_ l

GET/ HTTP/1.1
Host: serverl.training.lab
Connection: keep-alive
Cache-Control : max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/58.0.3029.110 Safari/537.36

HTTP/1.1 302 Found : Moved Temporarily


Location : http://serverl.training.lab/csl
N

Connection : close
Cache-Control : no-cache
ot

Pragma: no-cache
fo
rr
es
al
e
or
d is
t rib
ut
io
n

118 © 2017 Citrix Authorized Content



CITRIX

DNS Rewrite and Responder
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

119 © 2017 Citrix Authorized Content



CITRIX

The Responder feature can be configured to respond to
DNS requests , as it does to HTTP and TCP requests .
DNS Rewrite Configure the Rewrite feature to modify DNS requests
and Responder and responses , similar to rewriting HTTP or TCP
requests and responses .
DNS Rewrite can be used to manage the flow of DNS
requests and make necessary modifications in the
header or in the answer section .
N
ot
fo
rr

Key Notes:
es

NetScaler supports Rewrite and Responder policies for various protocols.
al

• TCP and HTTP
e
or

Responder policies allows sending custom responses to client.
Rewrite policies allow modification of requests sent to back‐end as well as the server responses sent to 
d

client.
is
t

The support has now been extended to DNS.
rib

You can configure the responder feature to respond to DNS requests as it does to HTTP and TCP requests. 
ut

For example, you could configure it to send DNS responses over UDP and ensure that the DNS requests 
io

from the client are sent over TCP. A number of NetScaler expressions support examination of the DNS 
n

header in the request. These expressions examine specific header fields and send an appropriate response.

120 © 2017 Citrix Authorized Content



CITRIX

DNS Responder and Rewrite Framework
• Sends a DNS response with an empty answer section and header flags
(TC, AA, and RCODE set to the desired value).
• Drops a DNS query.
• Modifies the answer section before sending response to client.(Only A and
AAAA records are supported.)
• Modifies the header bits before sending a response to the client.
• Modifies the header bits before sending a request to the backend.

• For proxy mode, the policy is evaluated only in event of a cache miss.
• RA flag will always be set if Recursion Available is set to YES , irrespective
of rewrites done.
• CD flag will be honored if Recursion Available is set to YES irrespective of
N

rewrites done.
ot
fo
rr

Key Notes:
es

The various policy expressions are:
al

1. DNS.REQ.HEADER.FLAGS.IS_SET(),SET(),UNSET(): QR,AA,TC,RD,RA,AD,CD
e
or

2. DNS.REQ.HEADER.OPCODE.EQ,NE,SET:QUERY,IQUERY,STATUS
3. DNS.RES.HEADER.RCODE.SET
d is

4. DNS.NEW_RESPONSE()
t rib

5. DNS.NEW_RESPONSE(Boolean AA, Boolean TC, dns_rcode_e rcode): 
ut

6. DNS.NEW_RRSET_A()
io

7. DNS.NEW_RRSET_AAAA ()
n

121 © 2017 Citrix Authorized Content



CITRIX

• The DNS Responder can be used to:
• Send TC bit on receiving queries over UDP.
• Effectively allowing querying over TCP only.
DNS Rewrite and • The DNS Rewrite Framework is commonly used to:
Responder: • Set AA bit in responses sent to the client.
Use Cases • Allow NetScaler to act as authoritative DNS server for all queries it
responds to.
N
ot
fo
rr

Key Notes:
es

Configuring Responder Policies for DNS
al

• The following procedure uses the NetScaler command line to configure a responder action and policy 
e

and bind the policy to a responder‐specific global bind point.
or

• To configure Responder to respond to a DNS request
d

• At the command prompt, type the following commands:add responder action <actName> 


is

<actType>For <actname>, substitute a name for your new action. The name can be 1 to 127 
t rib

characters in length, and can contain letters, numbers, hyphen (‐), and underscore (_) symbols. For 
<actType>, substitute a responder action type, respondWith.
ut

• add responder policy <polName> <rule> <actName>For <polname>, substitute a name for your 
io

new policy. For <actname>, the name can be 1 to 127 characters in length, and can contain letters, 
n

numbers, hyphen (‐), and underscore (_) sym bols. For <actname>, substitute the name of the 
action that you just created.
• bind responder policy <polName> <priority> <nextExpr> ‐type <bindPoint>For <bindPoint>, specify 
one of the responder‐specific global bind points. For <polName>, substitute the name of the policy 
that you just created. For <priority>, specify the priority of the policy.

Additional Resources:
Citrix Product Documentation on DNS Support for the Responder Feature:   
http://docs.citrix.com/en‐us/netscaler/12/appexpert/responder/dns‐support‐responder.html

122 © 2017 Citrix Authorized Content



CITRIX

Use the Rewrite Po icy to modify DNS Packets
add rewrite action . t aa r replace_dn _ head r_ field "dn .re .header.nag . et(aa)"
add rewrite policy ct re aa true et aa re

IThe original DNS response


Oornoln N•rne 5'/Stom (response)
!The DNS response after the rewrite
Oornoln Nomo 5'/Stern (response)
I
Transoctlon 10: Oxb516 Transoctlon ID: OxlodS
Rap: o.8180 5tandard quer, response. No error Rags: o.8500 Standord quer, response. No error
1... ........... ,., Response: Messa1e l.s a response 1... ............ • Response: ~ e Is a rHl)OnSe
.000 O..••..•••.. • ()pc,oM: Standord quer, (OJ .000 o_ -· .... • Clpc,oM: Stondord quo,y (OJ
_ ..L -- ··- =Authoritatiw: s.twr ii an authority for domain
··- .D•• ··- · - =Authoribtiw: - Is - on outhoritv for clomoin
.•..•.0.•••.•••• • Truncated: - - Is not truncated ......o. ·-· .... =Truncated: Me5Saie ls not truncoted
....... 1 .-. ·-· • Recunlon desired: Do quer, rocu"1vely •... ... 1 ......•. • R<aJn1on desired: Do quer, recu"1vely
.... .... 1... .... • Rea.trslon avai~: 5efvtr an do recursive queries •••••••• 0 .•• ··- • Recur>lon ovolloble: 5o<vor can't do r<OJnlw queries
•••••••.•0•••••. • Z: rosenied (OJ ......•..O•• ..•. • Z:rtiO<Wd(O)
··- ·-· ..0. -· • Answe< authentlcoted: Answe</outhority portion was not outhentlcoted by tho__. ........ ..0. .... = Answer authentiated: Answer/authority portion wu no1 authentJated by the sen,er
•••• •••••••0 ·-· • Non-outhentlated data: Una«epuble ........ - 0 .... • Non-outhenticoted dot>: Unoccepti1blo
.... ··- .... 0000 • ~ code: No error (OJ •••••••••••• 0000 • Reply code: No trror (OJ
Questions: 1 Quostlons: 1
Answe<RRs: 1 Answe<RRs: 1
Authority RRs: 0 Ai.nhority RRs: 0
Additional RRs: 0 Additional RRs: 0
Queries
_,
Queries

cltrix.com: type A. doss IN. odd, 162.221.156.156 dtrix.com: type A. doss IN. add, 162.221.156.156
N

Name: dtrht.com Name: citttx.com


Type: A (Host Add.-ess) (1) Type: A (Host Address) (1)
ot

Ooss: IN (0.0001) Ooss: IN (0.0001)


Time to llw: 622 T1rne to live: 1200
O.t> lencth: 4 O.ta ift,gth: 4
Address: 162.221.156.156 Address: 162.221.156.156
fo
rr
es
al
e
or
d is
t rib
ut
io
n

123 © 2017 Citrix Authorized Content



CITRIX

Use Case : Enforce all DNS request over TCP

Response by the NetScaler with the Responder Policy


Domain Name System (response)
L1 SYNTAX : Transaction ID: Oxlb3d
Flags: Ox8700 Standard query response, No error
1 ............... = Response: Message is a response
add re ponder action re p_act_ et_ tc_bit .000 0 ....... .... = Opoode: Standard query (0)
.... . 1.......... = Authoritative: Server is an authority for domain
re. pondwith D . E\: RE PO E(true, true, .... .. 1...... ... =Truncated: Messacc is truncated
OERROR) .......1 .... .... = Recursion desired: Do query recursively
........ 0 ....... = Recursion available: Server can't do recursive queries
.........0...... = Z: reserved (0)
add re ·ponder policy enforce tcp ..........0 ..... =Answer authenticated: Answer/authority portion was not authenticated by the server
dns.R · Q .TR PORT.EQ(udp) ...........0 .... = Non-authenticated data: Unacceptable
............ 0000 = Reply code: No error (0)
re p act et tc bit Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
citrix.com: type A, class IN
N

Name: citrix.com
ot

(Name length: 10]


(Label Count: 2]
Type: A (Host Address) (1)
fo

Oass: IN (OxOOOl)
rr
es
al
e
or
d is
t rib
ut
io
n

124 © 2017 Citrix Authorized Content



CITRIX

How do you currently use Rewrite and Responder in
your environments?
N
ot
fo
rr

Additional Resources:
es

Citrix Discussions on actual environment use case for a Responder Action.
al
e
or
d is
trib
ut
io
n

125 © 2017 Citrix Authorized Content



CITRIX

URL Transform
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

126 © 2017 Citrix Authorized Content



CITRIX

URL Transformation
URL Transformation provides a method for modifying all URLs in designated requests
from an external version seen by outside users, to an internal URL seen only by your
web servers and IT staff.
This feature is similar to Rewrite and requires that the Rewrite feature is enabled.

Q ---- 1-_=
. . . ......===1 - - - - I-_
..... .....
NetScaler Web Server
Client requests
transforms URL Web site URL seen as
browser URL www.citrix.com/customers/home
N

www .citrix.com/home
ot
fo
rr

Key Notes:
es

URL Transformation uses AppFW engine. Rewrite uses PE engine. For a large amount of transactions, URL 
al

Transformation is more efficient. For small amounts,  Rewrite is more efficient.
e

You can use it to modify a URL so that it can be different for internal or external access or a different URL 
or

for a different set of users, even the ability to append a folder path to an existing host so that users don’t 
need to know the entire path.
d is

The URL transformation feature provides a method for modifying all URLs in designated requests from an 
t
rib

external version seen by outside users to an internal URL seen only by your Web servers and IT staff. You 
can redirect user requests seamlessly, without exposing your network structure to users. You can also 
ut

modify complex internal URLs that users may find difficult to remember into simpler, more easily 
io

remembered external URLs.
n

Note: Before you can use the URL transformation feature, you must enable the Rewrite feature. To enable 
the Rewrite feature, see Enabling the Rewrite Feature.
To begin configuring URL transformation, you create profiles, each describing a specific transformation. 
Within each profile, you create one or more actions that describe the transformation in detail. Next, you 
create policies, each of which identifies a type of HTTP request to transform, and you associate each policy 
with an appropriate profile. Finally, you globally bind each policy to put it into effect.
A profile describes a specific URL transformation as a series of actions. The profile functions primarily as a 
container for the actions, determining the order in which the actions are performed. Most transformations 
transform an external hostname and optional path into a different, internal hostname and path. Most 
useful transformations are simple and require only a single action, but you can use multiple actions to 
perform complex transformations.
You cannot create actions and then add them to a profile. You must create the profile first, and then add 

127 © 2017 Citrix Authorized Content



CITRIX

actions to it. In the CLI, creating an action and configuring the action are separate steps. 
Creating a profile and configuring the profile are separate steps in both the CLI and the 
configuration utility.
After you create a URL transformation profile, you next create a URL transformation policy to 
select the requests and responses that the NetScaler should transform by using the profile. 
URL transformation considers each request and the response to it as a single unit, so URL 
transformation policies are evaluated only when a request is received. If a policy matches, 
the NetScaler transforms both the request and the response.
Note: The URL transformation and rewrite features cannot both operate on the same HTTP 
header during request processing. Because of this, if you want to apply a URL transformation 
to a request, you must make sure that none of the HTTP headers it will modify are 
manipulated by any rewrite action.
N
ot

Additional Resources:
Differences between URL Transformation and Rewrite: 
fo

http://support.citrix.com/article/CTX123094
rr

NetScaler Product Documentation URL Transformation:  https://docs.citrix.com/en‐
es

us/netscaler/12/appexpert/rewrite/url‐transformation.html
al
e
or
d is
trib
ut
io
n

127 © 2017 Citrix Authorized Content •


CITRIX

• Exercise 3-5 : Responder Policy: Redirect to SSL
• Exercise 3-6: Responder Policy: Redirect using String
Maps
• Exercise 3-7 : Responder Policy: Redirect to Imported
Maintenance Page
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

128 © 2017 Citrix Authorized Content



CITRIX

• The standard principles of policies , expressions,
actions , and bindings apply to the Rewrite and
Responder features.
• TCP, HTTP, DNS ,DIAMETER, RADIUS , SIP requests
and responses and bodies can be rewritten.
Key Takeaways
• With the powerful default policy engine, almost any
policy and expression can be written .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

129 © 2017 Citrix Authorized Content



CITRIX


CITRIX

NetScaler Traffic
Management
Content Switching
N

CNS..219-2i
ot

Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

130 © 2017 Citrix Authorized Content



CITRIX

• Explain Content Switching and how it works .
• Discuss the importance of a Content-Switching
VServer.
Learning • Distinguish what Content-Switching policies are and
how to use them.
Objectives
• Explain what rule precedence is and the way it affects
policies.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

131 © 2017 Citrix Authorized Content



CITRIX

Content Switching
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

132 © 2017 Citrix Authorized Content



CITRIX

Content • Content switching can enable you to distribute
incoming requests based on a parameter of the
Switching incoming request.
Overview • Content switching allows the system to:
• Distribute client requests across multiple servers on the basis of
specific content that you want to present to users.
• Manage the application and web hosting site separately.
• Switch static and dynamic content.
N
ot
fo
rr

Key Notes:
es

In today's complex Web sites, you may want to present different content to different users. For example, 
al

you may want to allow users from the IP address range of a customer or partner to have access to a special 
e

Web portal. You may want to present content relevant to a specific geographical area to users from that 
or

area. You may want to present content in different languages to the speakers of those languages. You may 
want to present content tailored to specific devices, such as smartphones, to those who use the devices.
d is

Content Switching enables the NetScaler appliance to direct requests sent to the same Web host to 
t

different servers with different content.
rib

When switching both static and dynamic requests, you must configure one load‐balancing virtual server for 
ut

static requests and a separate load‐balancing virtual server for dynamic requests.
io
n

Additional Resources:
Citrix Product Documentation on Content Switching:   http://docs.citrix.com/en‐us/netscaler/12/content‐
switching.html

133 © 2017 Citrix Authorized Content



CITRIX

Content Switching
1---------------------------------N-;ts~~,~;--------------------------------- !
'- - - - - - - - - - - - - - - - - - - - - - - - - -,
Dynamic content

Service 1 Server 1

Load-Balancing App1
Client
Virtual Server Dynamic content

Service 2 Server 2
App2
Content-
Switching
Virtual Server
Static content
Internet Service 3 Server 3
Load-Balancing lmage1
Virtual Server Static content
N

Service 4 Server 4
ot

lmage2

L-----------------------------------------------------------------------------
fo
rr

Key Notes:
es

A content‐switching configuration consists of a content‐switching virtual server, a load‐balancing setup 
al

consisting of load‐balancing virtual servers and services, and content‐switching policies.
e

To configure content switching, you must configure a content‐switching virtual server and associate it with 
or

policies and load‐balancing virtual servers. 
d

This process creates a content group — a group of all virtual servers and policies involved in a particular 
is

content‐switching configuration.
t rib
ut

Additional Resources:
io

Citrix Product Documentation on Basic Content Switching:  http://docs.citrix.com/en‐
n

us/netscaler/12/content‐switching/basic‐configuration.html

134 © 2017 Citrix Authorized Content



CITRIX

Content-Switching Support

Key characteristics include:

Source/Destination Source/Destination IP TCP/UDP HTTP


VLANID address Source/Destination
port

Source/Destination TCP max segment DNS


MAC Address size (MSS) value

Buffered TCP payload MSSQL


N
ot
fo
rr

Key Notes:
es

After you configure a basic content switching setup, you might need to customize it to meet your 
al

requirements. 
e

If your web servers are UNIX‐based and rely on case sensitive pathnames, you can configure case sensitivity 
or

for policy evaluation. 
d

You can also set precedence for evaluation of the content switching policies that you configured.
is

You can configure HTTP and SSL content switching virtual servers to listen on multiple ports instead of 
trib

creating separate virtual servers.
ut

If you want to configure content switching for a specific a virtual LAN, you can configure a content switching 
virtual server with a listen policy.
io
n

135 © 2017 Citrix Authorized Content



CITRIX

• Utilize content switching to redirect requests to
different servers with different content on the basis of
various client attributes.
Some of those client attributes are:
Content
Switching: • Device type
• Language
Based on Client • Cookie
Attributes • HTTP method
• Layer 3 or Layer 4 data
• Client SSL Parameters
N
ot
fo
rr

Key Notes:
es

Device Type ‐ The appliance examines the user agent or custom HTTP header in the client request for the 
al

type of device from which the request originated. Based on the device type, it directs the request to a 
e

specific Web server. For example, if the request came from a cell phone, the request is directed to a server 
or

that is capable of serving content that the user can view on his or her cell phone. A request from a 
computer is directed to a different server that is capable of serving content designed for a computer screen.
d is

Language ‐ The appliance examines the Accept‐Language HTTP header in the client request and determines 
t

the language used by the client's browser. The appliance then sends the request to a server that serves 
rib

content in that language. For example, using content switching based on language, the appliance can send 
someone whose browser is configured to request content in French to a server with the French version of a 
ut

newspaper. It can send someone else whose browser is configured to request content in English to a server 
io

with the English version.
n

Cookie ‐ The appliance examines the HTTP request headers for a cookie that the server set previously. If it 
finds the cookie, it directs requests to the appropriate server, which hosts custom content. For example, if a 
cookie is found that indicates that the client is a member of a customer loyalty program, the request is 
directed to a faster server or one with special content. If it does not find a cookie, or if the cookie indicates 
that the user is not a member, the request is directed to a server for the general public.
HTTP Method ‐ The appliance examines the HTTP header for the method used and sends the client request 
to the right server. For example, GET requests for images can be directed to an image server, while POST 
requests can be directed to a faster server that handles dynamic content.
Layer 3/4 Data. The appliance examines requests for the source or destination IP, source or destination 
port, or any other information present in the TCP or UDP headers, and directs the client request to the right 
server. For example, requests from source IPs that belong to customers can be directed to a custom web 
portal on a faster server, or one with special content.

136 © 2017 Citrix Authorized Content



CITRIX

• An administrator should consider the points below
when creating virtual servers for content switching.
• A content-switching virtual server points to a virtual
Content server or expression (which would be used to
Switching: dynamically identify the target VServer) .
Virtual Server • The content distribution is controlled by a content-
Creation switching policy.
• The non-matched traffic is sent to the default load
balancing virtual server, if one is defined .
N
ot
fo
rr

Key Notes:
es

When a request reaches the content‐switching virtual server, the virtual server applies the associated 
al

content‐switching policies to that request.
e

Content switching can point to load‐balancing Vserver, NG Vserver and GSLB, AAATM vserver
or

You can add, modify, and remove content switching virtual servers. The state of a virtual server is DOWN 
d

when you create it, because the load balancing virtual server is not yet bound to it.
is

To create a virtual server by using the command line interface
t rib

• At the command prompt, type:
ut

• add cs vserver <name> <protocol> <IPAddress> <port>


io
n

Additional Resources:
For dynamically identifying target vserver : http://docs.citrix.com/en‐us/netscaler/12/content‐
switching/basic‐configuration.html

137 © 2017 Citrix Authorized Content



CITRIX

Content Switching: Virtual Server Configuration

Consider the following information before configuring Content-Switching VServers :


• You can configure the content-switching feature using classic or default policies but
not both on a single content-switching VServer.
• The content-switching virtual server does not directly address services.
• The process of distributing traffic among the associated load-balancing virtual servers
is determined by the bound content-switching policies.
• If the traffic does not match any bound content-switching policies, then the virtual
server sends the traffic to a default load-balancing virtual server.
N
ot
fo
rr

Key Notes:
es

The content‐switching feature supports either classic or default (advanced) policies. On the same content‐
al

switching vserver, you can bind all classic policies, and on another content‐switching  vserver, you can bind 
e

all default but you cannot mix and match on the same content‐switching vserver.
or

A content‐switching vserver has policies bound and the “action” of the policy is typically a load‐balancing 
vserver or possibly another content‐switching vserver.
d is

A default load‐balancing vserver must be defined. If not, then any un‐matched traffic will result in a 503 
t rib

error.
ut

Additional Resources:
io
n

Creating Content Switching Virtual Servers:  http://docs.citrix.com/en‐us/netscaler/12/content‐
switching/basic‐configuration/create‐virtual‐servers.html

138 © 2017 Citrix Authorized Content



CITRIX

Content Switching: Parameters

• By default, the state of a content-


switching VServer is always UP unless .., Set Content Switching Parameters
an administrator changes the state to
DOWN . ~ State Update

• By changing the global content-


switching parameters , you can make the - Close

state of the content-switching VServer


dependent on the attached load-
balancing VServers .
N
ot
fo
rr

Key Notes:
es

Specifies whether the virtual server checks the attached load‐balancing server for state information.
al
e
or
d is
t rib
ut
io
n

139 © 2017 Citrix Authorized Content



CITRIX

How would you use content switching in your
environment?
N
ot
fo
rr

Additional Resources:
es

Use Case: Dynamic Content Switching:   https://docs.citrix.com/en‐us/netscaler/12/appexpert/http‐
al

callout/use‐case‐dynamic‐content‐switching.html
e
or
d is
t rib
ut
io
n

140 © 2017 Citrix Authorized Content



CITRIX

Content-Switching Configuration
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

141 © 2017 Citrix Authorized Content



CITRIX

Some important points about creating content-switching
policies are:

• A content-switching policy defines a type of request that


Content is to be directed to a virtual server.
Switching: • Policies are evaluated in order of priority.

Policies • If using classic policies and no specific priorities are set,


the policies are evaluated by the order in which they
were bound.
N
ot
fo
rr

Key Notes:
es

The priority of the policy defines the order in which the policies bound to the content‐switching virtual 
al

server are evaluated. If you are using default syntax policies, when you bind a policy to the content‐
e

switching virtual server, you must assign a priority to that policy. If you are using NetScaler classic policies, 
or

you can assign a priority to your policies, but are not required to do so. If you assign priorities, the policies 
are evaluated in the order that you set. If you do not, the NetScaler appliance evaluates your policies in the 
d

order in which they were created.
is
t

In addition to configuring policy priorities, you can manipulate the order of policy evaluation by using Goto
rib

expressions and policy label invocations.
ut

After it evaluates the policies, the content‐switching virtual server routes the request to the appropriate 
io

load‐balancing virtual server, which sends it to the appropriate service.
n

Content switching virtual servers can only send requests to other virtual servers. If you are using an external 
load balancer, you must create a load balancing virtual server for it and bind its virtual server as a service to 
the content switching virtual server.
CS is a blocker module, meaning if traffic is not matched then it is blocked and cannot go anywhere 
(because it has no where to go)
You specify the target load balancing virtual server for a content switching policy when binding the policy to 
the content switching virtual server. Consequently, you have to configure one policy for each load balancing 
virtual server to which to direct traffic.
However, if your content switching policy uses a default syntax rule, you can configure an action for the 
policy. In the action, you can specify the name of the target load balancing virtual server, or you can 
configure a request‐based expression that, at run time, computes the name of the load balancing virtual 
server to which to send the request. The action expression must be specified in the default syntax.

142 © 2017 Citrix Authorized Content



CITRIX

The expression option can drastically reduce the size of your content switching configuration, 
because you need only one policy per content switching virtual server. Content switching 
policies that use an action can also be bound to multiple content switching virtual servers, 
because the target load balancing virtual server is no longer specified in the content 
switching policy. The ability to bind a single policy to multiple content switching virtual 
servers helps to further reduce the size of your content switching configuration.
After you create an action, you create a content switching policy and specify the action in the 
policy, so that the action is performed when that policy matches a request.
Note: You can also, for a content switching policy that uses a default syntax rule, specify the 
target load balancing virtual server when binding the policy to a content switching virtual 
server, instead of using a separate action. For domain‐based policies, URL‐based policies, and 
rule based policies that use classic expressions, an action is not available. So, for these types 
of policies, you specify the name of the target load balancing virtual server when binding the 
N

policy to a content switching virtual server.
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

142 © 2017 Citrix Authorized Content •


CITRIX

Content Switching: Action Expression

• A target VServer can be specified for a content-switching policy when binding the
policy to the content-switching VServer.
• Consequently, only one policy can be configured for each VServer to direct traffic .
• When using default policies , configure an action for the policy instead of a target
VServer.
• When configuring the action:
• Specify the name of the target VServer.
• Configure a request-based expression that computes the name of the VServer to send the request.
• This option can drastically reduce the size of the content-switching configuration , because only one policy for
each content-switching VServer is needed .
N

• You can bind a single policy to multiple content-switching VServers .


ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

143 © 2017 Citrix Authorized Content



CITRIX

• When naming the load-balancing virtual servers,
switch requests on the basis of the URL suffix (file
Content extension of the requested resource).
Switching: • Follow the convention of appending the URL suffix to
Action a predetermined string, such as mylb_
Expression Use • Create the action expression as follows :
Case • "'mylb_" + HTTP.REQ.URL.SUFFIX'
• If the URL suffix was .jpeg , the content-switching
vserver would send the connection to mylb_j peg
N
ot
fo
rr

Key Notes:
es

You specify the target load‐balancing virtual server for a content‐switching policy when binding the policy 
al

to the content‐switching virtual server. Consequently, you have to configure one policy for each load‐
e

balancing virtual server to which to direct traffic.
or

However, if your content‐switching policy uses a default syntax rule, you can configure an action for the 
policy. In the action, you can specify the name of the target load‐balancing virtual server, or you can 
d is

configure a request‐based expression that, at run time, computes the name of the load‐balancing virtual 
t

server to which to send the request. The action expression must be specified in the default syntax.
rib

The expression option can drastically reduce the size of your content‐switching configuration, because you 
ut

need only one policy per content switching virtual server. Content‐switching policies that use an action can 
io

also be bound to multiple content‐switching virtual servers, because the target load‐balancing virtual server 
is no longer specified in the content‐switching policy. The ability to bind a single policy to multiple content‐
n

switching virtual servers helps to further reduce the size of your content‐switching configuration.

144 © 2017 Citrix Authorized Content



CITRIX

After creating content-switching virtual server and
policies , bind each policy to the content-switching
virtual server.
When binding the policy:
Content
• Specify the target load-balancing virtual server in the
Switching: action parameter to determine the destination for
Binding Policies forwarding the traffic .
• The content-swijching process will not work properly until
the policy to be matched is specified.
N
ot
fo
rr

Key Notes:
es

After you create your content switching virtual server and policies, you bind each policy to the content 
al

switching virtual server. When binding the policy to the content switching virtual server, you specify the 
e

target load balancing virtual server.
or

If your content switching policy uses a default syntax rule, you can configure a content switching action for 
the policy. If you configure an action, you must specify the target load balancing virtual server when you are 
d is

configuring the action, not when you are binding the policy to the content switching virtual server. For more 
t

information about configuring a content switching action, see Configuring a Content Switching Action.
rib

A policy label is a user‐defined bind point to which policies are bound. When a policy label is invoked, all 
ut

the policies bound to it are evaluated in the order of the priority that you assigned to them. A policy label 
io

can include one or more policies, each of which can be assigned its own result. A match on one policy in 
the policy label can result in proceeding to the next policy, invoking a different policy label or appropriate 
n

resource, or an immediate end to policy evaluation and return of control to the policy that invoked the 
policy label. You can create policy labels for default syntax policies only.
A content switching policy label consists of a name, a label type, and a list of policies bound to the policy 
label. The policy label type specifies the protocol that was assigned to the policies bound to the label. It 
must match the service type of the content switching virtual server to which the policy that invokes the 
policy label is bound. For example, you can bind TCP Payload policies to a policy label of type TCP only. 
Binding TCP Payload policies to a policy label of type HTTP is not supported.
Each policy in a content switching policy label is associated with either a target (which is equivalent to the 
action that is associated with other types of policies, such as rewrite and responder policies) or a 
gotoPriorityExpression option and/or an invoke option. That is, for a given policy in a content switching 
policy label, you can specify a target, or you can set the gotoPriorityExpression option and/or the invoke 
option. Additionally, if multiple policies evaluate to true, only the target of the last policy that evaluates to 

145 © 2017 Citrix Authorized Content



CITRIX

true is considered.
You can use either the NetScaler command line or the configuration utility to configure 
content switching policy labels. In the NetScaler command‐line interface (CLI), you first 
create a policy label by using the add cs policylabel command. Then, you bind policies to the 
policy label, one policy at a time, by using the bind cs policylabel command. In the NetScaler 
configuration utility, you perform both tasks in a single dialog box.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

145 © 2017 Citrix Authorized Content •


CITRIX

• If a default vserver is configured for the content-
switching virtual server, the request is forwarded to
that vserver.
Content • If the configured default vserver is DOWN , or no
Switching : defau lt vserver is configured , an HTTP 503 Not Found
Unmatched error message is sent to the client by the default
vserver.
Traffic Handling
• It is a best practice to always configure a default
vserver.
N
ot
fo
rr

Key Notes:
es

Depending on your desired result the default virtual server could be a separate internal resource or a trap 
al

like a honey pot server to all further diagnosis.  A default server is not required but remember any traffic 
e

that does not match a Content Switching policy will be denied.  
or
d is
trib
ut
io
n

146 © 2017 Citrix Authorized Content



CITRIX

• It is a best practice to always define a priority to
control the order of processing .
Content
• The priority parameter can be configured when the
Switching: rule is bound to the virtual server using a policy.
Policy Rule • If a priority is provided , the rules are processed from
Precedence lowest priority value to highest.
N
ot
fo
rr

Key Notes:
es

After a content switching setup is configured, it may require periodic changes. When operating systems or 
al

software are updated, or hardware wears out and is replaced, you may need to take down your setup. Load 
e

on your setup may increase, requiring additional resources. You may also modify the configuration to 
or

improve performance.
These tasks may require unbinding policies from the content switching virtual server, or disabling or 
d is

removing content switching virtual servers. After you have made changes to your setup, you may need to 
t

re‐enable servers and rebind policies. You might also want to rename your virtual servers.
rib
ut
io
n

147 © 2017 Citrix Authorized Content



CITRIX

Discuss the following scenario:
• Policies are bound to a content-switching vserver, and
Policy A has a priority of 20 and Policy B has a priority
of 10.
• Which one has precedence and why?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

148 © 2017 Citrix Authorized Content



CITRIX

Content switching may fail for several reasons ,
including when the content-switching VServer goes
DOWN or fails to handle excessive traffic.
Take the following measures to reduce the chances of
Content failure:
Switching:
• Configure a backup content-switching VServer.
Configuration
• Configure spillover to prevent overload on the primary
Protection content-switching VServer, by diverting excess traffic to
a backup content-switching VServer.
• Specify a redirect URL.
N
ot
fo
rr

Key Notes:
es

Content switching may fail when the content‐switching virtual server goes DOWN or fails to handle 
al

excessive traffic, or for other reasons. To reduce the chances of failure, you can take the following measures 
e

(see additional resources below) to protect the content‐switching setup against failure.
or
d

Additional Resources:
is

Probable Reasons for the Status of a Virtual Server Being Marked as DOWN on NetScaler:   
trib

http://support.citrix.com/article/CTX108960
ut

Protecting the Content Switching Setup against Failure:  https://docs.citrix.com/en‐
us/netscaler/12/content‐switching/protecting‐against‐failure.html
io
n

Flushing the Surge Queue: http://docs.citrix.com/en‐us/netscaler/12/load‐balancing/load‐balancing‐
protect‐configuration/flush‐surge‐queue.html

149 © 2017 Citrix Authorized Content



CITRIX

• If case sensitivity is on, those URLs are treated as
separate and can be switched to different targets .
• CLI Syntax:
ct c v crvcr <name> -ca en ·itivc (0 !OFF)
Configuring
Case Sensitivity WEBUI
Traffic Settings

for Policy Client di r,me-o• t

J
Evaluation Virtual Sf'"t"Ve't IP Port Insertion
OFF

Virtual Sf!Ner IP Port Insert.ton Value:•

PASS IVE

Ca :he ble
.,, Down State: f"lush
R d•r , t Port Rewnte
, .., Cae:e:nttv l
2 I J .Jii ce:rs
S§t

..
State Update
N

RULE
ot
fo
rr

Key Notes:
es

When case sensitivity is configured, the NetScaler appliance considers case when evaluating policies. 
al

For example, if case sensitivity is off, the URLs /a/1.htm and /A/1.HTM are treated as identical.
e
or
d is
t rib
ut
io
n

150 © 2017 Citrix Authorized Content



CITRIX

• Support for Multiple Ports
• NertScaler supports the Content switching Vserver with
wildcard port. (*).
• This saves the overhead of configuring multiple virtual servers
with the same IP address and different ports.
• CLI Syntax:
Wildcard add c v erver <name> < erviceType> < IPAddre Port *
Virtual Servers
• Configuring per-VLAN Wildcarded Virtual Servers
• The wildcard virtual server with a listen policy restricts it to
processing traffic only on the specified VLAN.
• CLI Syntax:
add c erver <nam < erviceTyp IPAddre *Port* -
Ii tenpolicy <e pre ion> [-Ii tenpriority <po itive_ integer>]
N
ot
fo
rr

Additional Resources:
es

Citrix eDocs Customizing Content Switching:  http://docs.citrix.com/en‐us/netscaler/12/content‐
al

switching/customizing‐configuration.html
e
or
d is
t rib
ut
io
n

151 © 2017 Citrix Authorized Content



CITRIX

• Exercise 4-1: Configure Content Switching by User-
Agent
• Exercise 4-2: Configure Content Switching by
Content-Type
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

152 © 2017 Citrix Authorized Content



CITRIX

• Content Switching involves making a decision about
where to direct a session based on characteristics of
the traffic flow.
• Content Switching policies can be used to evaluate
Key Takeaways and route traffic-they consist of an expression and
an action referring to a target.
• Configuring a policy priority is recommended .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

153 © 2017 Citrix Authorized Content



CITRIX


CITRIX

NetScaler Traffic
Management
Secure Web Gateway
CNS-219-21
N

Version 1 0
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

154 © 2017 Citrix Authorized Content



CITRIX

• Explain Secure Web Gateway technology.
• Discuss the importance of Secure Web Gateway.
• Explain SSL Interception .
Learning
• Explain URL Set.
Objectives • Discuss the use cases for Secure Web Gateway.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

155 © 2017 Citrix Authorized Content



CITRIX

Secure Web Gateway
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

156 © 2017 Citrix Authorized Content



CITRIX

Secure Web Gateway

Secure Web gateway (SWG) enhances the network security by enabling the
adm inistrator to do fo llowing :

• Gain visibility into the otherwise bypassed secure traffic .


• Block access to malicious sites and avoid infecting users with in the enterprise.
• Control access to some websites , such as personal mail , social networking , and job
search websites , from the enterprise network.
N
ot
fo
rr

Key Notes:
es

The new NetScaler Secure Web Gateway (SWG) solution provides visibility and control for encrypted traffic 


al

with leading industry performance and smart URL filtering that provides real‐time protection against 
e

malicious websites, which blocks access to malware, spam, and phishing sites along with Industry leading 
or

website categorization. With the NetScaler SWG solution, customers can now offload URL and content 
filtering for encrypted traffic and avoid expensive upgrades to their dedicated security deployments. In 
d

addition, this solution helps customers meet compliance requirements like CIPA (Child Internet Protection 
is

Act).
t rib

One of the biggest concerns for security professionals is insider data breaches. Employees can easily click 
on malvertising ads, malicious links contained in phishing emails or visit websites that download malware 
ut

or ransomware. Third‐party adverts can be blocked and end users can be prevented from visiting websites 
io

known to contain malware. Websites can also be blocked by category to prevent end users from engaging 
n

in a risky online behavior. NetScaler SWG is an excellent defense against malicious threats and ransomware.
New Advanced User Behavior Security Analytics
This solution in NetScaler MAS leverages multiple machine learning algorithms and provides context aware 
security analytics, to identify compromised insider credentials and prevents data breaches to sensitive 
corporate data.
New Ciphers and Hybrid SSL support
We continue to add newer ciphers to our SSL security suite across all NetScaler platforms. With our hybrid 
SSL, now customers can achieve significant hardware and software SSL performance improvement. For 
example, customers can achieve almost 800% ECDHE transactions per second (TPS) hardware improvement 
on their 115xxx series. With Hybrid FIPS, customers can increase the SSL throughput and SSL TPS by 
leveraging non‐FIPS cards along with the FIPS card.

157 © 2017 Citrix Authorized Content



CITRIX

Deployment Topology
'
[ _,•3 ,:.r •.-r ..,.,, .i;'',

1-0 I
....
•••
Internal
usen

I- • I

1- 11 I
I -"----••i=--••--
.••.. "
,,,C-•
__:::_,,)
NetScaler SWG
w-- ::
-•G •
•••
Network Firewall Usen
F •Sen.er Web

I- ~ I
C.tr Xr1Dnctcp

• SWG should be deployed at the edge of the network .


• It acts as forward proxy to all the outbound traffic.
N

• The SSL interception is implemented to look into encrypted


ot

data and take security actions.


fo
rr

Key Notes:
es

Secure Web Gateway utilizes a Content Switching virtual server where we will apply authentication and 
al

rules to allow / disallow URLS or addresses. This is also where we will configure for instance SSL 
e

interception as well. So how illustrate how to configure Secure Web Gateway on NetScaler 12. In its 
or

simplest form we can configure a content switching virtual server like this.
Configure a SNIP which has internet access, or you can define an net profile to specify which SNIP should be 
d is

used for outbound traffic to internet, also ensure that you have configured DNS properly so it can resolve 
t

DNS. After this is done we can just define the IP address in the proxy configuration of the browser of the 
rib

endpoint and they can now browse the internet.
ut
io
n

158 © 2017 Citrix Authorized Content



CITRIX

Proxy Modes
• In the SWG deployment, NetScaler resides as the Proxy device between the clients
and origin server.
• The appliance acts as a server to the client and acts as a client to the origin server.
• The Proxy can be configured in two modes:
1) Transparent forward proxy
• The SWG vServer is configured with wildcard (*) IP address.
• In this mode the clients are not aware that a proxy server is mediating their
requests.
2) Explicit Forward Proxy
• The SWG virtual server configured with an IP address and 80 as the port number.
• All client requests are sent to this IP address.
N

• This mode is used when it is possible to specify the proxy settings on the client
ot

browser.
fo
rr
es
al
e
or
d is
trib
ut
io
n

159 © 2017 Citrix Authorized Content



CITRIX

Configuring Transparent Proxy

Using WEBUI Using Secure Web Gateway Wizard Using CLI

O Proxy Virtua l Server


hslc Setting•
O Secure Web Gateway Configuration
Proxy settlngs
[sWG_VS

SWG_vs
IPAOclr

~ ent
Pon·

.......
N

- Con<ol
ot
fo
rr

Key Notes:
es

• Transparent forward proxy
al

• The SWG vServer is configured with wildcard (*)  IP address.
e

• In this mode the clients are not aware that a proxy server is mediating their requests. 
or
d is
t
rib
ut
io
n

160 © 2017 Citrix Authorized Content



CITRIX

Configuring Explicit Proxy
I
Using WEBUI Using Secure Web Gateway Using CLI
Wizard
0 Proxy Virtual Server
Basic St!ttlngs O Secure Web Gateway Configuration
ProlC)' sett1n9s

lswG_vs
IP MclteSS Type·
IP Address

IP -'<ldren •

110 107 149 243

Pon"

[so

..
ieo
N

~ M ore
ot

Canct~I
fo
rr

Key Notes:
es

• Explicit Forward Proxy
al

• The SWG virtual server configured with an IP address and 80 as the port number. 
e

• All client requests are sent to this IP address.
or

• This mode is used when it is possible to specify the proxy settings on the client browser.
d is
t
rib
ut
io
n

161 © 2017 Citrix Authorized Content



CITRIX

ABC corp. has implemented a BYOD (Bring Your Own
Device) policy in their organization. Also, the
employees are allowed to work from home, by
connecting through the VPN.
How should administrator deploy the Secure Web
Gateway (SWG) to protect the environment?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

162 © 2017 Citrix Authorized Content



CITRIX

Authentication Modes

• Authentication provides the flexib ility to define specific policies for a user or a group
of users on the basis of their roles.
• After authentication , requests and responses from and to the user are tagged to
identify the user.

Modes supported for Explicit Proxy Modes supported for Transparent Proxy

• Local • Lightweight Directory Access Protocol


(LDAP)
• Lightweight Directory Access
Protocol(LDAP)
N

• RADIUS
ot

• TACACS+
fo
rr

Key Notes:
es

Currently only LDAP is supported for Transparent Proxy
al
e
or
d is
t rib
ut
io
n

163 © 2017 Citrix Authorized Content



CITRIX

SSL Interception
• The client and NetScaler appliance establish a
SSL/TLS handshake. [ 5ecure Web Gateway J
• The appliance establishes another SSL/TLS 'L' Client Hello
handshake with the seNer and receives the seNer
certificate.
1u . 1 Server Hello,
The appliance verifies the seNer certificate on '--' Certificate,
behalf of the clients using online certificate status I Server Hello Done,

protocol (OCSP).
• It regenerates the seNer certificate, signs it by using '7) Client Key Exchange
the key of the CA certificate installed on the ··1Change Cipher spec ~ Change Cipher spec
finished Finished
appliance, and presents it to the client.
• The proxy decrypts the traffic , accesses the clear "o
text HTTP requesUresponse .
• Inspect the data on the basis of the corporate policy
/URL reputation . 9~ Tran.:_j
• The proxy virtual seNer then re-encrypts the
response and forwards it to the client.
If the policy decision is to block the request to the
N

origin seNer, the proxy virtual seNer sends an error


ot

response
fo
rr

Key Notes:
es

The CA certificate that is used to sign the server certificate must be preinstalled on all the client devices, so 
al

that the regenerated server certificate is trusted by the client
e

one certificate is used between the client and the NetScaler appliance, and another certificate between the 
or

appliance and the back‐end server. 
d is
t rib
ut
io
n

164 © 2017 Citrix Authorized Content



CITRIX

Configure SSL Interception

• Bind the CA certificate-key pair to the proxy virtual server.


• Enable the default SSL profile
• Create SSL Profile with SSL Interception enabled .
N

• Enable SSL Interception in the syslog parameters


ot
fo
rr

Key Notes:
es

SSL Intercept (or SSL forward proxy) provides a way to inspect encrypted traffic.
al
e
or
d is
trib
ut
io
n

165 © 2017 Citrix Authorized Content



CITRIX

URL Set
• A URL set enables an Internet Service Provider (ISP) or a Telco customer to enforce
government mandated safe internet access policies such as:
• Block access to illegal internet sites (child abuse, drugs, and so on )
• Safe browsing for ch ildren

• Administrators can periodically download URL sets managed by internet enforcement


agencies or independent internet organizations.
• In case of the private URL set, the contents of the list are kept confidential and the
network administrator does not know about the blacklisted URLs present in the list.
An internal URL called a Canary URL as added to the URL set.
• Using the Canary URL , the administrator can request that the appliance to use the
private URL set for every URL request.
N
ot
fo
rr

Key Notes:
es

To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. 
al

The algorithm uses a URL set that can contain a list of URLs up to one million (1,000,000) blacklisted 
e

entries. Each entry can include metadata that defines URL categories and category groups as indexed 
or

patterns. The appliance can also periodically download URLs of highly sensitive URL sets managed by 
internet enforcement agencies (with government websites) or independent internet organizations such as 
d

the Internet Watch Foundation (IWF). Once the URL set is downloaded from a website and imported into 
is

the appliance, the appliance encrypts the URL sets in the appliance (as required by these agencies) and 
t rib

kept confidential so that the entries are not tampered.
The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, 
ut

allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against 
io

blacklisted entries. An entry can include metadata. For entries that have no metadata, you might want to 
n

use an expression that evaluates the URL on the basis of an exact string match. For other URLs, you might 
want to use an expression that evaluates the URL’s metadata, in addition to an expression that checks for 
an exact string match.
Configuring URL Set
You can perform the following tasks to configure a URL set and restrict URLs on a NetScaler platform:
1. Import a URL set (download and encrypt it). Importing a URL set in a NetScaler appliance allows you to 
download the URL file, adding the file to the appliance, and then encrypting the file. Until you add the URL 
set to the system, it will not be visible to the user.
You can download a set in the following ways:
1. Download a URL set once from a specific URL using HTTP and HTTPS supported for the file download.
2. Download a URL set using FTP.

166 © 2017 Citrix Authorized Content



CITRIX

3. Downloading a URL set periodically, using a scheduler that periodically downloads or 
imports URL sets for example, IWF URL set. The time interval is set in seconds for 
example, http://10.29.102.200/urls.txt ‐interval 3600.
Once you have downloaded the file, it is pushed into the appliance and at this point of 
interval, you can update, delete or display file properties. After the file is pushed into the 
appliance, you can modify the entries by adding further rows as it remains static.
The imported set is then stored in an encrypted file format on the NetScaler directory. The 
imported list contains millions of URL entries. Otherwise, the appliance returns an error 
message saying that the value exceeds the limit. If the imported URL set has blacklisted 
entries with metadata, the metadata it is detected by the appliance when it is imported.
Once you import a URL set and add it into the appliance, the URL set is available for 
advanced policies to identify the correct URL set during incoming URL evaluation. 
HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URLSET_MATCHES_ANY(<URL set name>)
N
ot

2. Updating a URL set on the NetScaler appliance. Once you have pushed the file into the 
appliance, at this interval you can manually update a URL file by using command line 
fo

interface.
rr

3. Exporting a URL set. If you prefer a backup of the URL set, you can export the list of URL 
es

patterns and save a copy of it to a destination URL. Before you export, check whether the 
URL set is marked as private. If is marked private, the URL set cannot be exported.
al

4. Removing a URL set. If you want to delete a URL set of blacklisted entries, you can use the 
e

remove command to delete the URL set from the NetScaler appliance.
or

5. Displaying a URL set. You can display the properties of a URL set by using the show 
d

command.
is
t rib

Additional Resources:
ut

Appexpert Version 12 Url Sets:  http://docs.citrix.com/en‐us/netscaler/12/appexpert/url‐


io

sets.html
n

166 © 2017 Citrix Authorized Content •


CITRIX

Advanced Policy Expressions for URL Evaluation
Expression Operation
EQUALS_ANY with URLSET_MATCHES_ANY Evaluates to TRUE if the URL exactly matches any entry in the URL
set.
HTTP.REQ. URL The GET_URLSET_METADATA() expression returns the associated
.GET_ URLSET_METADATA{<URLSET>) metadata if the URL exactly matches any pattern within the URL set. An
empty string is returned if there was no match .

HTTP.REQ .URL .EQUALS_ Evaluates to TRUE if the matched metadata is equal to <METADATA>.
WITH_METADATA{<URLSET>).EQ{<METADATA
)
HTTP.REQ .URL Evaluates to TRUE if the matched metadata is at the beginning of the
.EQUALS_WITH_METADATA( <URLSET>) category. This pattern can be used to encode separate fields with in
.TYPECAST_LIST_T(' , ').GET(O).EQ(<CATEGOR metadata, but match only the 1st field
Y>
HTTP.REQ .URL .APPEND(HTTP.REQ .URL Joins the host and URL parameters , which can then be used as a <URL
N

expression> for matching .


ot

(HTTP.REQ.URL).URLSET_MATCHES_ANY Evaluates to TRUE if the URL set name configured in the advanced
policies identifies the correct URL set during incoming URL evaluation
fo
rr
es
al
e
or
d is
t rib
ut
io
n

167 © 2017 Citrix Authorized Content



CITRIX

Secure Web Gateway : Use cases

• Intercept and examine all the traffic , including SSL/TLS (encrypted traffic) , coming in
and going out of the enterprise network.
• Block access to URLs identified as serving harmful content.
• Identify end users (employees) in the enterprise who are accessing malicious
websites.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

168 © 2017 Citrix Authorized Content



CITRIX

N • Exercise 5-1: Configure Secure Web gateway
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

169 © 2017 Citrix Authorized Content



CITRIX

• Secure Web gateway (SWG) acts as forward proxy.
• The proxy modes available are transparent and
explicit
Key Takeaways • The SSL Interception is performed by installing a root
certificate key-par and enabling the SSL interception
in the SSL profile .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

170 © 2017 Citrix Authorized Content



CITRIX


CITRIX

NetScaler Traffic
Management
Global Server Load Balancing
N

CNS-219-21
ot

Version 1 O
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

171 © 2017 Citrix Authorized Content



CITRIX

• Describe the Global Server Load Balancing (GSLB)
feature.
• Explain the concept of deploying the Domain Name
System (DNS) to support GSLB.
Learning • Explain the GSLB concepts and its Architecture .
Objectives • Discuss the advantages of Content Switching to
implement GSLB.
• Explain the GSLB Metric Exchange Protocol and
Monitoring.
• Explain customizing the GSLB Configuration .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

172 © 2017 Citrix Authorized Content



CITRIX

GSLB Overview

• Global Server Load Balancing (GSLB) is a DNS-based technology that provides


disaster recovery and ensures continuous availability of applications by protecting
against points of fa ilure in a wide area network (WAN).
• GSLB can balance the load across data centers by directing client requests to the
closest or best-performing data center, or to surviving data centers in case of an
outage .
• DNS is a key component in a GSLB environment.
N
ot
fo
rr

Key Notes:
es

Global server load balancing (GSLB) provides for disaster recovery and ensures continuous availability of 
al

applications by protecting against points of failure in a wide area network (WAN). 
e

GSLB can balance the load across data centers by directing client requests to the closest or best performing 
or

data center, or to surviving data centers in case of an outage.
d

The GSLB entities that you must configure are the GSLB sites, the GSLB services, the GSLB virtual servers, 
is

load‐balancing or content‐switching virtual servers, and authoritative DNS (ADNS) services. You also must 
t rib

configure MEP. You also can configure DNS views to expose different parts of your network to clients 
accessing the network from different locations.
ut

In a typical configuration, a local DNS server sends client requests to a GSLB virtual server, to which are 
io

bound GSLB services. A GSLB service identifies a load‐balancing or content‐switching virtual server, which 
n

can be at the local site or a remote site. If the GSLB virtual server selects a load‐balancing or content‐
switching virtual server at a remote site, it sends the virtual server’s IP address to the DNS server, which 
sends it to the client. The client then resends the request to the new virtual server at the new IP address.

173 © 2017 Citrix Authorized Content



CITRIX

GSLB DNS Concepts
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

174 © 2017 Citrix Authorized Content



CITRIX

Difference between GSLB over DNS
The GSLB Vserver consider following while processing the DNS request and providing
the DNS reply:

• Monitoring: GSLB servers perform monitoring of the entities and the IP address is
provided after confirming that the entity status is up .
• Proximity Based Load balancing : The IP address closest to the user can be
provided ,
• DNS View : In the case where in different resources share the same domain name, IP
address can be provided accordingly to the corresponding users.
(e.g. Internal User Vs. External Users)
N
ot
fo
rr
es
al
e
or
dis
trib
ut
io
n

175 © 2017 Citrix Authorized Content



CITRIX

DNS Zone

• A DNS zone entity indicates the ownership of a domain on the appliance.


• You must create a DNS zone on the appliance in the following scenarios:
• NetScaler is operating as the authoritative DNS server for the zone.
• NetScaler owns only a subset of the records in a zone. All the other resource records in the zone are hosted on
a set of back-end name servers for which the NetScaler is configured as a DNS proxy server
• You want to offload DNSSEC operations for a zone from the authoritative DNS servers to the appliance .
N
ot
fo
rr

Key Notes:
es

When you configure GSLB on NetScaler appliances and enable Metric Exchange Protocol (MEP), the 
al

appliances use the DNS infrastructure to connect the client to the data center that best meets the criteria 
e

that you set. 
or

An ADNS service is a special kind of service that responds only to DNS requests for domains for which the 
NetScaler appliance is authoritative – you would create a sub‐delegation from your DNS infrastructure.
d is

A DNS virtual IP is a virtual IP (VIP) address that represents a load‐balancing DNS virtual server on the 
t rib

NetScaler appliance. 
Name servers store information about one or more zones.
ut

DNS features.
io

• Record Types:
n

• AAAA, A, CNAME, NS, PTR, SRV, SOA
• Recursion
• Ability to look up addresses not owned by the NS
• Negative Caching
• Only happens in proxy mode
• Any Queries
• Respond to queries with type any
• Delegation with NS records
• DNS Views
• Internal and External clients

176 © 2017 Citrix Authorized Content



CITRIX

• Interface DNS expression
• Interface throughput

Additional Resources:
http://docs.citrix.com/en‐us/netscaler/12/dns/configure‐dns‐zone.html
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

176 © 2017 Citrix Authorized Content •


CITRIX

Types of DNS implementation

• ADNS Server (ADNS Service)


• NetScaler can be configured to function as an authoritative domain name server (ADNS) for a domain.
• As an ADNS server for a domain, the NetScaler resolves DNS requests for all types of DNS records that
belong to the domain .
• To configure the NetScaler to function as an ADNS server for a domain, you must create an ADNS service and
configure NS and Address records for the domain on the NetScaler.

• DNS proxy (DNS Virtual Server)


• A virtual server that listens for DNS requests.
• A service that (externally) monitors and directs traffic to a DNS server on the backend.
• NetScaler can be s a proxy for either a single DNS server or a group of DNS servers .
N
ot
fo
rr

Key Notes:
es

For clients making DNS requests, two different scenarios exist:
al

• Scenario 1
e

• Create a  type local DNS server on the NetScaler system
or

• This is a authoritative DNS server for the zone configured
d

• Listens on an IP address provided in the configuration
is

• Clients can configure their local TCP/IP stack to forward queries to this IP address
t rib

• Scenario 2
ut

• Create a load‐balancing virtual server type DNS, provide an IP address.
io

• Add services redirecting traffic to backend DNS servers
n

• Clients configure the load balancing virtual server IP address as their DNS server IP address 

Additional Resources:
• http://docs.citrix.com/en‐us/netscaler/12/dns/configure‐netscaler‐proxy‐server.html
• http://docs.citrix.com/en‐us/netscaler/12/dns/configure‐netscaler‐adns‐server.html

177 © 2017 Citrix Authorized Content CITRIX




Authoritative DNS Service

• The NetScaler system can be configured with single or multiple instances of an authoritative
DNS server:
• Each instance listens on a different IP address.
• All instances are referencing the same name table.

• An ADNS service is a local service type listening to incoming DNS requests on port 53 UDP.
• The ADNS service:
• Is locally configured as service oriented architecture (SOA) for the GSLB domain.
N

• Can be configured for a maximum of 32 sites.


ot

• Does not support zone transfers or recursive query.


• Can be set to participate as authoritative.
fo
rr
es
al
e
or
dis
t rib
ut
io
n

178 © 2017 Citrix Authorized Content



CITRIX

Configure ADNS Service

• ADNS Service can be configured using CLI or .., Load Balancing Service
WebUI. Basic Settings

seMceName·
• CLI Syntax : l
ADNS_Serv,ce

add service <name> <IPAddress> ADNS


<port> IP Ad<lress •

r
10 107 149 240

AONS
Port·

• More
N

- Cancel
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

179 © 2017 Citrix Authorized Content



CITRIX

Configuring DNS Virtual Servers
,----- §

• Create a load-balancing virtual server of type DNS and configure it with an IP


address.
• Add services redirecting traffic to back-end DNS servers.
• Configure the load-balancing virtual server IP address.
• When the NetScaler receives a DNS query, it calculates the best metric, based on the
load balancing algorithm used to distribute requests to the back-end DNS servers.
N

• Clients can configure the VIP as their DNS server IP address.


ot
fo
rr

Key Notes:
es

For clients making DNS requests two different scenarios exist:
al

• Scenario 1
e

• Create a  type local DNS server on the NetScaler system
or

• This is a authoritative DNS server for the zone configured.
d

• Listens on an IP address provided in the configuration.
is

• Clients can configure their local TCP/IP stack to forward queries to this IP address.
t rib

• Scenario 2
ut

• Create a load‐balancing virtual server type DNS, provide an IP address.
io

• Add services redirecting traffic to backend DNS servers.
n

• Clients configure the load‐balancing virtual server IP address as their DNS server IP address.

180 © 2017 Citrix Authorized Content



CITRIX

Configure DNS Vserver
Add DNS VServer Add DNS Service Bind Service to the Vserver

• CLI CLI CLI


add lb vserver <name> add service <name> bind lb vserver <vserver
<IPAddress> DNS <port> <IPAddress> DNS <port> name> <service name>

• WEB-UI WEB-UI WEBUI

-.......
~ Load Balancing Virtual Server ... Load Balancing Service Serv,ct s,ncs.ng

Basic Set tJnos. Servi ce Binding

(oNS_Servlce I>J + /
Blnd,ng ~tails

·-· -·
N


.....
0 • J

."..... Ill ,,_


ot

a --
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

181 © 2017 Citrix Authorized Content



CITRIX

GSLB DNS Response Options :Empty Down Response
• When a GSLB vServer is disabled or DOWN , configure it to send an Empty Down
Response (EDR) which sends a positive response. No records are returned if the
virtual IP address is DOWN.
EDR Enabled : EDR Disabled :

N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

182 © 2017 Citrix Authorized Content



CITRIX

GSLB DNS Response Options : Multi-IP Address
Response

Multi-IP Address Response (MIR) lookup returns all active virtual IP addresses with the
optimal virtual IP address first in the response .
MIR Enabled MIR Disabled
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

183 © 2017 Citrix Authorized Content



CITRIX

What DNS Method is currently in use in your
environment? If you could start from scratch would you
change it?
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

184 © 2017 Citrix Authorized Content



CITRIX

GSLB Concepts and Architecture
N
ot
fo
rr

Key Notes:
es

This module provides an introduction to the Global Server Load‐Balancing (GSLB) feature. The GSLB feature 
al

ensures that client requests are directed to a best‐performing site available in a global enterprise and 
e

distributed Internet environment. To access a URL, the user agent, such as a Web browser, needs to first 
or

resolve the host name in the URL to an IP address. A DNS query is sent to a DNS server to resolve the host 
name. The NetScaler system can be configured to act either as an authoritative DNS (ADNS) server or as a 
d

DNS proxy.
is
t

GSLB enables the NetScaler system to make intelligent decisions.  For example, if a site fails, the NetScaler 
rib

system detects the failure and directs traffic to another available site. This feature prevents client requests 
from being sent to a site that is down or overloaded.
ut
io
n

185 © 2017 Citrix Authorized Content



CITRIX

GSLB Use Cases

GSLB load balances services between geographically distributed locations and


operates under many of the same general principles as load balancing , but relies on
DNS for directing client requests.
Typical uses of GSLB include:

• Distribution of network traffic across multiple sites.


• Distribution of server load across multiple sites.
• Disaster recovery.
• Protection against points of failure in a wide area network (YVAN).
N
ot
fo
rr

Key Notes:
es

GSLB is a DNS‐based solution that load balances services between geographically distributed locations.  
al

The NetScaler system can be configured to act either as an authoritative DNS (ADNS) server or a DNS Proxy.
e
or

GSLB operates under many of the same general principles as load balancing but relies on DNS for directing 
client requests.
d

Typical uses of GSLB include:
is
t

• Distribution of network traffic across multiple sites
rib

• Distribution of server load across multiple sites
ut

• Disaster recovery
io

A major benefit of GSLB includes reduction of application latency.
n

186 © 2017 Citrix Authorized Content



CITRIX

Which methods of disaster recovery are you currently
N using in your environment, and why?
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

187 © 2017 Citrix Authorized Content



CITRIX

An Active-Standby disaster recovery setup can include:
GSLB • An active data center
Configuration: • A standby data center (remote s~e)
Active-Standby When a failover occurs as a result of a disaster event,
Datacenter it causes the primary active data center to become
inactive, and the standby datacenter becomes
operational.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

188 © 2017 Citrix Authorized Content



CITRIX

• An active-active disaster recovery setup includes two
GSLB active data center locations.
Configuration:
• An active-active GSLB deployment allows
Active-Active connections to be distributed to multiple sites.
Data center • Web or application content can be mirrored in
geographically separate locations.
N
ot
fo
rr

Key Notes:
es

An active‐active setup ensures that data is consistently available at each distributed data center. Make sure 
al

a single site can handle the load if one goes down.
e
or
d is
trib
ut
io
n

189 © 2017 Citrix Authorized Content



CITRIX

GSLB Architecture

I-
••
Client
-I
I- -I
Root
Servers @---§ fil-EB
Switch
Client's
LONS
Switch (ISP NS)
GSLB Site A GSLB Site B

NetScaler NetScaler

1-
oNs·
[g] [g] 1:x:1 [g] -I
ONS*
Switch Switch Switch Switch
I I I
I- I- -I -I
I- I- -I -I
N

I- I- -I -I
ot

Servers Servers Servers Servers

'At least one ONS is required per GSLB site.


fo
rr

Key Notes:
es

Back‐end DNS server is necessary in Proxy DNS configurations only. This graphic shows DNS vserver for our 
al

DNS implementation – this is how we will do it in the lab.
e

An administrator can use the above diagram to understand the general GSLB architecture.
or

The NetScaler system will answer the site DNS request in authoritative DNS configurations.
d

The following example demonstrates the process of a GSLB conversation.
is
t

• 1. The client enters www.gslbsite.com in to browser.
rib

• 2. The system of the client sends DNS lookup query for www.gslbsite.com to the name server that is 
ut

configured.
io

• 3. The name server returns the IP address for a known name server who is authoritative for 
n

www.gslbsite.com as delivered by the root server. The returned address will be one of those 
registered for site www.sitexyz.com. The top‐level servers (rootservers) circle through the list round 
robin and will return next IP address in line.
• 4. The client queries the NetScaler system in the GSLB configuration at the IP address returned in the 
prior step. The NetScaler system, based on its configured load‐balancing method, returns the IP 
address the client needs to query for the service it is looking for, such as HTTP and HTTPs. 
• 5. If the GSLB configuration is a proxy DNS configuration, the responding NetScaler system will query 
the back‐end DNS server for the address to serve to the lookup request.
The site the NetScaler system directs the client to may be:
A site the NetScaler system is hosting within the load balancing configuration
Another GSLB site within the membership of sites

190 © 2017 Citrix Authorized Content



CITRIX

• A GSLB configuration consists of a group of GSLB
entities on each appliance in the configuration.
• Below are the entities used when configuring GSLB:
GSLB Entities • GSLB Sites
• GSLB Services
• GSLB Virtual Servers
• Load-Balancing or Content-Switching Virtual Servers
• ADNS Services or DNS VIPs
N
ot
fo
rr

Key Notes:
es

A GSLB site is a representation of a data center in your network and is a logical grouping of GSLB virtual 
al

servers, services, and other network entities.
e

type the following commands to create a GSLB site and verify the configuration:
or

• add gslb site <siteName> <siteIPAddress>


d

• show gslb site <siteName>


is

A GSLB service is a representation of a load balancing or content switching virtual server.
t rib

type the following commands to create a GSLB service and verify the configuration:
ut

• add gslb service <serviceName> <serverName | IP> <serviceType> <port>‐siteName <string>


io

• show gslb service <serviceName>


n

A GSLB virtual server is an entity that represents one or more GSLB services and balances traffic between 
them.
type the following commands to add a GSLB virtual server and verify the configuration:
• add gslb vserver <name> <serviceType> ‐ipType (IPv4 | IPv6)
• show gslb vserver <name>

Additional Resources:
How GSLB Works: http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐balancing/how‐gslb‐
works.html
Configuring a GSLB Site:  http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐

191 © 2017 Citrix Authorized Content



CITRIX

balancing/configure/configure‐basic‐gslb‐site.html
Configuring a GSLB Service: http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐
balancing/configure/configure‐gslb‐service.html
Configuring a GSLB Virtual Server:  http://docs.citrix.com/en‐us/netscaler/12/global‐server‐
load‐balancing/configure/configure‐gslb‐virtual‐server.html
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

191 © 2017 Citrix Authorized Content •


CITRIX

GSLB Entities
GSLB Site A

GSLB vserver ADNS vserver

LB vserver
A_LB
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

192 © 2017 Citrix Authorized Content



CITRIX

• A GSLB site is a representation of a data center in
your network and is a logical grouping of GSLB virtual
servers, services, and other network entities.
• At each site, you configure the local GSLB site and
GSLB Sites each remote GSLB site.
• Once you create GSLB sites, MEP starts up , then
sites come up.
• The GSLB site IP is used for MEP between other
sites .
N
ot
fo
rr

Key Notes:
es

A GSLB site is a representation of a data center in your network and is a logical grouping of GSLB virtual 
al

servers, services, and other network entities. Typically, in a GSLB set up, many GSLB sites are equipped to 
e

serve the same content to a client. These are usually geographically separated to ensure that the domain is 
or

active even if one site goes down completely. All of the sites in the GSLB configuration must be configured 
on every.
d is

NetScaler appliance hosting a GSLB site. In other words, at each site, you configure the local GSLB site and 
t

each remote GSLB site.
rib

Once GSLB sites are created for a domain, the NetScaler appliance sends client requests to the appropriate 
ut

GSLB site as determined by the GSLB algorithms configured.
io

add gslb site <siteName> <siteIPAddress>
n

show gslb site <siteName>
In a typical GSLB setup:
• Many GSLB sites are equipped to serve the same content to a client.
• Sites are usually geographically separated to make sure that the domain is active, even if one site goes 
DOWN completely.
• At each site, the local GSLB site and remote GSLB site is configured.

193 © 2017 Citrix Authorized Content



CITRIX

• A GSLB service is a representation of a local load-
balancing VServer or content-switching VServer.
• A remote GSLB service represents a load-balancing
GSLB Services VServer or content-switching VServer configured at
one of the other sites in the GSLB setup .
• At each site in the GSLB setup:
• You can create one local GSLB service and any number of remote
GSLB services.
• Configure your public IP address on the service.
N
ot
fo
rr

Key Notes:
es

A GSLB service is a representation of a load balancing or content switching virtual server. A local GSLB 
al

service represents a local load balancing or content switching virtual server. A remote GSLB service 
e

represents a load balancing or content switching virtual server configured at one of the other sites in the 
or

GSLB setup. At each site in the GSLB setup, you can create one local GSLB service and any number of 
remote GSLB services
d is

add gslb service <serviceName> <serverName | IP> <serviceType> <port>‐siteName <string>


t rib

show gslb service <serviceName>
stat gslb service <serviceName>
ut

Services are enabled by default when you create them. You can disable or enable each service individually.
io
n

194 © 2017 Citrix Authorized Content



CITRIX

• A GSLB vServer has one or more GSLB services
bound to it and load balances traffic between those
services.
• It evaluates the configured GSLB methods
(algorithms) to select the appropriate service to send
the client request and responds with the associated A
GSLB Virtual record.
Server • GSLB services are bound to a GSLB vServer and
refer to local or remote vServers.
• The domain for which GSLB is configured must be
bound to the GSLB vServer.
• Unlike other vServers , a GSLB vServer does not have
its own VIP.
N
ot
fo
rr

Key Notes:
es

A GSLB virtual server has one or more GSLB services bound to it and load balances traffic among those 
al

services. It evaluates the configured GSLB methods (algorithms) to select the appropriate service to which 
e

to send a client request.
or

Because the GSLB services can represent either local or remote vServers, selecting the optimal GSLB service 
for a request has the effect of selecting the data center that should serve the client request.
d is

The domain for which global server load balancing is configured must be bound to the GSLB virtual server, 
trib

because one or more services bound to the virtual server will serve requests made for that domain.
Unlike other virtual servers configured on a NetScaler appliance, a GSLB virtual server does not have its 
ut

own virtual IP address (VIP).
io
n

195 © 2017 Citrix Authorized Content



CITRIX

Binding of
Once the GSLB services and virtual server are
GSLB Services configured , relevant GSLB services must be bound to
to a GSLB the GSLB virtual server to activate the configuration.
Virtual Server Command-line syntax:
bind gsLb vseLver nam~~ -serviceName <string>
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

196 © 2017 Citrix Authorized Content



CITRIX

Synchronizing a GSLB Configuration

Prior to performing a GSLB config synchronization , the following must be manually


configured on all participating NetScalers:
1. Enable required features.
2. Create the GSLB sites.

For the remaining configuration , it is recommended to Auto-sync the GSLB


configuration to other participating NetScalers:
• This aids in configuring GSLB in multiple locations.
• It requires configurations only on one unit.
• It overrides any GSLB configurations on the target units.
N
ot
fo
rr

Key Notes:
es

An administrator can use the following process to configure a GSLB implementation. Each step is repeated 
al

on the NetScaler system of each site. 
e

These configurations can be done on a single system and synchronized:
or

• 1. Enable required features.
d

• 2. Create the GSLB sites. MEP starts up and the sites come up.
is

• 3. Configure load‐balancing virtual servers and services and bind them. Load‐balancing virtual servers 
t
rib

change to UP status.
• 4. Create GSLB virtual server and services, local and remotes for all the remote sites.
ut

• 5. Bind GSLB virtual servers to load‐balancing virtual servers and GSLB domain. GSLB virtual servers up
io
n

Note – This will not work until the FQDN is bound to the vServer.
Once all sites, virtual servers, services are reported as UP, an administrator can customize DNS, GSLB 
methods, persistence, and site affinity as necessary.
This is an absolute configuration – so create the site information on the other NetScalers, then copy the 
configuration over. This handles the unique IP addressing.
In a hierarchical configuration, this is between parents only.
We recommend first doing GSLB config –preview to see what will happen.

197 © 2017 Citrix Authorized Content



CITRIX

Content-Switching GSLB
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

198 © 2017 Citrix Authorized Content



CITRIX

Content-Switching Virtual Server Support for
GSLB
• Using Content Switching for GSLB can overcome current GSLB limitations.
• Current GSLB Deployment Limitations include:
• Cannot restrict the selection of a GSLB service from a subset of GSLB services bound to a GSLB virtual server
for the given domain.
• Cannot apply different load-balancing methods on the different subsets of GSLB services in the deployment.
• Cannot apply spillover policies on a subset of GSLB services.
• Cannot have a backup for a subset of GSLB services.
• Limited support for selecting services on basis of traffic.
N
ot
fo
rr

Key Notes:
es

In a typical GSLB deployment, you can prioritize the selection of a set of GSLB services bound to a GSLB 
al

virtual server, but you cannot do the following:
e

• Restrict the selection of a GSLB service from a subset of GSLB services bound to a GSLB virtual server for 
or

the given domain.
• Apply different load‐balancing methods on the different subsets of GSLB services in the deployment.
d is

• Apply spillover policies on a subset of GSLB services, and you cannot have a backup for a subset of GSLB 
t
rib

services.
• Configure a subset of GSLB services to serve different content. That is, you cannot content switch 
ut

between servers in different GSLB sites. The GSLB configuration assumes that the servers contain the 
io

same content.
n

• Define a subset GSLB services with different priorities and specify an order in which the services in the 
subset are applied to a request.
• You can now configure a content‐switching (CS) policy to customize the GSLB deployment. First, 
configure a set of GSLB services and bind it to a GSLB virtual server. Then, configure a CS virtual server of 
target type GSLB, define a CS policy and action with the GSLB virtual server as target virtual server, and 
bind the CS policy to CS virtual server.
Important:
• Only CS policies with DNS‐based expressions can be bound to a CS virtual server of target type GSLB.
• If a GLSB service is bound to a CS virtual server through a GSLB virtual server, you cannot bind another 
GSLB virtual server bound with the same GSLB service to the CS virtual server.
Consider a GLSB deployment that includes two GSLB sites.

199 © 2017 Citrix Authorized Content



CITRIX

At each site, four GSLB services (S‐1, S‐2, S‐3, and S‐4) are bound to GSLB virtual server VS‐1. 
You can configure a content switching (CS) virtual server of target type GSLB and define a CS 
policy and action with VS‐1 as the target virtual server, so that requests for content in English 
are served only by S‐1 and S‐2, and requests for content in Spanish are served only by S‐3 
and S‐4.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

199 © 2017 Citrix Authorized Content •


CITRIX

Content Switching for GSLB

Perform the following steps to configure GSLB Service Selection using Content
Switching:
1. Configure GSLB.
2. Configure a Content-Switching virtual server of target type GSLB.
3. Configure CS policies.
4. Configure CS actions that designate a GSLB virtual server as the target virtual
server.
5. Bind the CS policies to the CS virtual server.
N

6. Bind the domain to the CS virtual server instead of the GSLB virtual server.
ot

*Only CS policies with DNS based expressions can be bound to a CS virtual server of target type GSLB.
fo
rr
es
al
e
or
d is
t rib
ut
io
n

200 © 2017 Citrix Authorized Content



CITRIX

GSLB MEP and Monitoring
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

201 © 2017 Citrix Authorized Content



CITRIX

Metric Exchange Protocol

The data centers in a GSLB setup exchange metrics with each other through the Metric
Exchange Protocol (MEP).
• The exchange of the metric information begins once you create a GSLB site.
• It enabled by default.
• It uses port 3011 or port 3009 for secure communications.
• These metrics are comprised of load , network, and persistence information.
• This data exchange is not encrypted by default.
• DNS query responses are based on information gathered through MEP.
N
ot
fo
rr

Key Notes:
es

MEP is required for health checking of data centers to ensure their availability. A connection for exchanging 
al

network metrics can be initiated by either of the data centers involved in the exchange, but a connection 
e

for exchanging site metrics is always initiated by the data center with the lower IP address. By default, the 
or

data center uses a subnet IP address (SNIP) or a mapped IP address (MIP) to establish a connection to the 
IP address of a different data center. However, you can configure a specific SNIP, MIP, the NetScaler IP 
d

address (NSIP), or a virtual IP address (VIP) as the source IP address for metrics exchange. The 
is

communication process between GSLB sites uses TCP port 3011 or 3009, so this port must be open on 
trib

firewalls that are between the NetScaler appliances.
You can also bind monitors to check the health of remote services. When monitors are bound, metric 
ut

exchange does not control the state of the remote service. 
io

To allow controlled access, user authentication is performed before metric information is exchanged. All of 
n

the sites taking part in metric exchange should have the same nsroot user ID and password. A system can 
handle a maximum of 32 sites.
Note: This limit can be extended by configuring aggregator sites.
If the system is deployed behind the firewall, the administrator needs to allow connections from one site to 
the other.
The GSLB site metric exchange interval is 1 second.
Site metric information
• Information about load‐balancing virtual server such as the current number of connections and current 
packet rate.
Network metric information

202 © 2017 Citrix Authorized Content



CITRIX

• When dynamic proximity based GSLB is enabled the GSLB sites exchange RTT information 
about the clients LDNS (learned DNS).  Exchange five seconds.
Persistence information
• GSLB site information exchanged every five seconds.
Note: All of the sites participating in MEP should have the same nsroot ID and password.
Key information regarding Metric Exchange Protocol (MEP) includes:
• Site‐to‐site monitoring
• Distributes site metrics, network metrics, persistence information 
Enabled by default
The communication process is accomplished between each GSLB site on TCP port 3011 and 
therefore must be open on firewalls that are between the NetScaler systems.
N

The public IP address of the site needs to be allowed on any blocking firewall.
ot

MEP can be disabled, but limits GSLB methods to RR, static proximity, source IP hash. All 
fo

other methods revert to round robin when MEP is off/inactive
rr

• set gslb site siteA –metricExchange DISABLED


es
al
e
or
d is
trib
ut
io
n

202 © 2017 Citrix Authorized Content •


CITRIX

RPC Node

• After the password for the RPC node of the local site is changed , it is possible to
manually propagate the change to the RPC node at each remote site and encrypt
MEP.
• Unsecured RPC nodes use TCP port 3011
• Secured RPC nodes use TCP port 3009

• NetScaler uses a GSLB site IP address (which can be shared with a SNIP or MIP)
as the source IP address for an RPC node for GSLB communication.

• If the GSLB site IP address is unavailable, there will be no GSLB communication


between sites.
N
ot
fo
rr

Key Notes:
es

If a SNIP address is  not available, you must configure either the NSIP or a VIP as the source IP address.
al
e
or
d is
t rib
ut
io
n

203 © 2017 Citrix Authorized Content



CITRIX

.., Create GSLB Site
Metric Exchange Configuration

(s1tet

LOCAL
Site metrics exchanged between the GSLB sites
include: L
• Status of each virtual server PuDhc: IP Addttn
r
• Current number of connections
• htent s.· 8.lc up P-Ment s, H
• Current packet rate
• Current bandwidth usage information
Tngga Moniton•
- - - -

• Command-line syntax for editing a GSLB site: ALWAYS

Ch.r.t 1JP

set gslb site <GSLBSiteName> - metricExchange L


Publie Ctuste:r IP
{ENABLED I DISABLED} r

NAPTR Repfxemen St./

• Command-line syntax for viewing a GSLB site


N

.,, e nc Ex-tnange
show gslb site <GS~BSiteNamL> .,, twork M tnc hchange,
ot

.,, Pt. tstence, SHs.on Entty E•CJ\~

Im OOle
fo
rr

Key Notes:
es

If you disable metrics exchange, you can use only static load‐balancing methods (such as round robin, static 
al

proximity, or the hash‐based methods), and if you disable metrics exchange when a dynamic load‐balancing 
e

method (such as least connection) is in operation, the appliance falls back to round robin.
or
d is
trib
ut
io
n

204 © 2017 Citrix Authorized Content



CITRIX

Configuring Network Metric Information Exchange

• Enable or disable the exchange of RTT information about the client's local DNS when
the GSLB dynamic method RTT is enabled with :
set gs~b site <GSLBS~teName> -nwmetriclxchange {ENABLED I DISABLED}

• You can enable or disable the exchange of persistence information:

set gslb site <GSLBSiteName> -sessionExchange {ENABLED I DISABLED}


N
ot
fo
rr

Key Notes:
es

The data centers in a GSLB setup exchange metrics with each other through the metrics exchange protocol 
al

(MEP), which is a proprietary protocol for the Citrix NetScaler. The exchange of the metric information 
e

begins when you create a GSLB site. These metrics comprise load, network, and persistence information.
or

MEP is required for health checking of data centers to ensure their availability. A connection for exchanging 
network metrics can be initiated by either of the data centers involved in the exchange, but a connection 
d is

for exchanging site metrics is always initiated by the data center with the lower IP address. By default, the 
t

data center uses a subnet IP address (SNIP) or a mapped IP address (MIP) to establish a connection to the 
rib

IP address of a different data center. However, you can configure a specific SNIP, MIP, the NetScaler IP 
address (NSIP), or a virtual IP address (VIP) as the source IP address for metrics exchange. The 
ut

communication process between GSLB sites uses TCP port 3011 or 3009, so this port must be open on 
io

firewalls that are between the NetScaler appliances.
n

Note: You cannot configure a GSLB site IP address as the source IP address for site metrics exchange.
If the source and target sites for a MEP connection (the site that initiates a MEP connection and the site 
that receives the connection request, respectively) have both private and public IP addresses configured, 
the sites exchange MEP information by using the public IP addresses.
You can also bind monitors to check the health of remote services. When monitors are bound, metric 
exchange does not control the state of the remote service. If a monitor is bound to a remote service and 
metrics exchange is enabled, the monitor controls the health status. Binding the monitors to the remote 
service allows the NetScaler to interact with a non‐NetScaler load balancing device. The NetScaler can 
monitor non‐NetScaler devices but cannot perform load balancing on them. The NetScaler can monitor 
non‐NetScaler devices, and can perform load balancing on them if monitors are bound to all GSLB services 
and only static load balancing methods (such as the round robin, static proximity, or hash‐based methods) 
are used.

205 © 2017 Citrix Authorized Content



CITRIX

RTT information is exchanged every five seconds.
You can enable or disable the exchange of round trip time (RTT) information about the 
client's local DNS when the GSLB dynamic method (RTT) is enabled. This information is 
exchanged every 5 seconds.
You can enable or disable the exchange of persistence information at each site. This 
information is exchanged every 5 seconds between NetScaler appliances participating in 
GSLB.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

205 © 2017 Citrix Authorized Content •


CITRIX

GSLB Monitoring Configuration

Monitoring MEP-Enabled (Default) MEP-Disabled

Explicit Monitors Monitor determines health Monitor determines health


status status

No Explicit Monitors (Default) MEP determines health All services marked DOWN .
status (default)
N
ot
fo
rr

Key Notes:
es

MEP determines status of GSLB services by default. If a monitor is bound to a gslb service, then the monitor 
al

determines status (not MEP).
e

NetScaler monitors can be used instead or in addition to MEP.
or

• By default Precludes MEP health monitoring when used with MEP.
d

• MEP is used to exchange all stats, including service health state, related to a gslb service. If explicit 
is

monitor is bound, the system ignores gslb service state collected through MEP and instead GSLB uses 


t rib

state reported by the monitor.  An administrator can use the table in this slide to understand the 
interaction between MEP and monitors.
ut

You can also bind monitors to check the health of remote services. When monitors are bound, metric 
io

exchange does not control the state of the remote service. 
n

You can configure NetScaler to use monitors to evaluate services in the following situations:
• Always use monitors (default)
• Use monitors when MEP shows as DOWN
• Use monitors when remote services and MEP shows as DOWN

206 © 2017 Citrix Authorized Content



CITRIX

Adding and Binding Monitors

• To add a monitor, you specify the type and the port.


• Command-line interface syntax:
add lb monitor <name> -~ype <monitor type> -destPort <portNumber>

• You can set both the weight and the monitoring threshold at the same time that you
bind the monitor.
N
ot
fo
rr

Key Notes:
es

Once you create monitors, you must bind them to GSLB services. When binding monitors to the services, 
al

you can specify a weight for the monitor. After binding one or more weighted monitors, you can configure a 
e

monitor threshold for the service. This threshold takes the service down if the sum of the bound monitor 
or

weights falls below the threshold value.
When you bind a remote service to a GSLB virtual server, the GSLB sites exchange metric information, 
d is

including network metric Information, which is the round‐trip‐time and persistence Information.
t rib

If a metric exchange connection is momentarily lost between any of the participating sites, the remote site 
is marked as DOWN and load balancing is performed on the remaining sites that are UP. When metric 
ut

exchange for a site is DOWN, the remote services belonging to the site are marked DOWN as well.
io

The NetScaler appliance periodically evaluates the state of the remote GSLB services by using either MEP or 
n

monitors that are explicitly bound to the remote services. Binding explicit monitors to local services is not 
required, because the state of the local GSLB service is updated by default using the MEP. However, you can 
bind explicit monitors to a remote service. When monitors are explicitly bound, the state of the remote 
service is not controlled by the metric exchange.
By default, when you bind a monitor to a remote GSLB service, the NetScaler appliance uses the state of 
the service reported by the monitor. However, you can configure the NetScaler appliance to use monitors to 
evaluate services in the following situations: Always use monitors (default setting).
Use monitors when MEP is DOWN.
Use monitors when remote services and MEP are DOWN.
The second and third of the above settings enable the NetScaler to stop monitoring when MEP is UP. For 
example, in a hierarchical GSLB setup, a GSLB site provides the MEP information about its child sites to its 
parent site. Such an intermediate site may evaluate the state of the child site as DOWN because of network 

207 © 2017 Citrix Authorized Content



CITRIX

issues, though the actual state of the site is UP. In this case, you can bind monitors to the 
services of the parent site and disable MEP to determine the actual state of the remote 
service. This option enables you to control the manner in which the states of the remote 
services are determined.

N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

207 © 2017 Citrix Authorized Content •


CITRIX

Customizing GSLB
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

208 © 2017 Citrix Authorized Content



CITRIX

Customizing the GSLB Configuration

Once the basic GSLB configuration is operational , it can be customized by:

• Configuring persistent connections.


• Configuring static proximity.
• Configuring dynamic RTT.
• Changing the GSLB load-balancing method.
• Setting up GSLB for disaster recovery.
• Sample configurations.
• Configuring dynamic weights for services.
• Modifying the bandwidth of a GSLB service.
N

• Configuring CNAME-based GSLB services.


ot
fo
rr

Key Notes:
es

Once your basic GSLB configuration is operational, you can customize it by modifying the bandwidth of a 
al

GSLB service, configuring CNAME based GSLB services, static proximity, dynamic RTT, persistent 
e

connections, or dynamic weights for services, or changing the GSLB Method.
or

You can also configure monitoring for GSLB services to determine their states.
d

These settings depend on your network deployment and the types of clients you expect to connect to your 
is

servers.
t rib

Creating CNAME‐Based GSLB Services
ut

To configure a GSLB service, you can use the IP address of the server or a canonical name of the server. If 
you want to run multiple services (like an FTP and a Web server, each running on different ports) from a 
io

single IP address or run multiple HTTP services on the same port, with different names, on the same 
n

physical host, you can use canonical names (CNAMES) for the services.
For example, you can have two entries in DNS as ftp.example.com and www.example.com for FTP services 
and HTTP services on the same domain, example.com. CNAME‐based GSLB services are useful in a 
multilevel domain resolver configuration or in multilevel domain load balancing. Configuring a CNAME‐
based GSLB service can also help if the IP address of the physical server is likely to change.
If you configure CNAME‐based GSLB services for a GSLB domain, when a query is sent for the GSLB domain, 
the NetScaler appliance provides a CNAME instead of an IP address. If the A record for this CNAME record is 
not configured, the client must query the CNAME domain for the IP address. If the A record for this CNAME 
record is configured, the NetScaler provides the CNAME with the corresponding A record (IP address). The 
NetScaler appliance handles the final resolution of the DNS query, as determined by the GSLB method. The 
CNAME records can be maintained on a different NetScaler appliance or on a third‐party system.
In an IP‐address‐based GSLB service, the state of a service is determined by the state of the server that it 

209 © 2017 Citrix Authorized Content



CITRIX

represents. However, a CNAME‐based GSLB service has its state set to UP by default; the 
virtual server IP (VIP) address or metric exchange protocol (MEP) are not used for 
determining its state. If a desktop‐based monitor is bound to a CNAME‐based GSLB service, 
the state of the service is determined according to the result of the monitor probes.
You can bind a CNAME‐based GSLB service only to a GSLB virtual server that has the DNS 
Record Type as CNAME. Also, a NetScaler appliance can contain at most one GSLB service 
with a given CNAME entry.
The following are some of the features supported for a CNAME‐based GSLB service : GSLB‐
policy based site affinity is supported, with the CNAME as the preferred location.
Source IP persistence is supported. The persistency entry contains the CNAME information 
instead of the IP address and port of the selected service.
The following are the limitations of CNAME‐based GSLB services: Site persistence is not 
N

supported, because the service referenced by a CNAME can be present at any third‐party 
ot

location.
Multiple‐IP‐address response is not supported because one domain cannot have multiple 
fo

CNAME entries.
rr

Source IP Hash and Round Robin are the only load balancing methods supported. The Static 
es

Proximity method is not supported because a CNAME is not associated with an IP address 
al

and static proximity can be maintained only according to the IP addresses.
e
or
d is
trib
ut
io
n

209 © 2017 Citrix Authorized Content •


CITRIX

With GSLB persistence:
GSLB • Site persistence ensures that LONS requests are sent
to the same site and are not load balanced .
Persistence
• Cookie-based persistence allows setting HTTP level
persistence.
N
ot
fo
rr

Key Notes:
es

An administrator should be familiar with the following information when configuring GSLB persistence.
al

Site Persistence:
e

• Ensure LDNS requests are sent the same site and not load balanced.
or

• Source IP persistence set with:
d

• set gslb vserver gslbvip ‐persistenceType SOURCEIP –persistenceID <positive_integer>


is
t

Cookie‐based persistence and connection proxy
rib

• Allows setting of HTTP level persistence 
ut

• Configured on local gslb services with options: 
io

• ‐SitePersistence ConnectionProxy
n

• ‐cookieTimeout <integer>
• ‐CIP ENABLED <cipheader>
You can configure GSLB so that the clients coming from the branch office or any other internal network are 
directed to a particular GSLB site that is geographically close to the client network. For all other requests, 
you can use dynamic RTT.

210 © 2017 Citrix Authorized Content



CITRIX

• If persistence is configured for a particular domain , it
Persistence takes precedence over the configured GSLB method.

Connections • Persistence is useful for e-commerce deployments,


where the server needs to maintain the state of the
connection to track the transaction .
N
ot
fo
rr

Key Notes:
es

Persistence ensures that a series of client requests for a particular domain name is sent to the same data 
al

center instead of being load balanced. 
e

Unless you configure persistence, a load balancing stateless protocol, such as HTTP, disrupts the 
or

maintenance of state information about client connections. Different transmissions from the same client 
might be directed to different servers even though all of the transmissions are part of the same session. You 
d is

must configure persistence on a load balancing virtual server that handles certain types of Web 
t

applications, such as shopping cart applications.
rib

Before you can configure persistence, you need to understand the different types of persistence, how they 
ut

are used, and what the implications of each type is. You then need to configure the NetScaler appliance to 
io

provide persistent connections for those Web sites and Web applications that require them.
n

You can also configure backup persistence, which takes effect in the event that the primary type of 
persistence configured for a load balancing virtual server fails. You can configure persistence groups, so that 
a client transmission to any virtual server in a group can be directed to a server that has received previous 
transmissions from the same client.

211 © 2017 Citrix Authorized Content



CITRIX

• When a DNS request is received at a data center in
which source-IP-address-persistence is configured ,
the NetScaler system attempts to locate an entry in
Persistence the persistence table.
Based on • If an entry for the LONS server exists and the server
Source IP mentioned in the entry is configured , the IP address
of that server is sent as the DNS response.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

212 © 2017 Citrix Authorized Content



CITRIX

The NetScaler system provides persistence at the
HTTP-request level by using HTTP cookie persistence:
Persistence • The client is reconnected to the same server through
Based on an HTTP cookie .
HTTP Cookies • The NetScaler system inserts the site cookie in the
first HTTP response.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

213 © 2017 Citrix Authorized Content



CITRIX

Load Balancing GSLB sites

• Load-balancing methods typically used on the NetScaler system include:


Least Connections Least Bandwidth Custom Load
(default)

Round Robin and Least Packets Round Trip Time (RTT}


Weighted Round Robin

Least Response Time Source IP Hash Static Proximity


N
ot
fo
rr

Key Notes:
es

When the DNS request from the resolver of the client is received by the NetScaler system, the load‐
al

balancing and site fault tolerance decision will be made based on the health status and load of the 
e

participating sites. When the host name of the URL is resolved, all traffic from the client is sent directly to 
or

the resolved site.
When the DNS request from resolver of the client is received by the NetScaler system, the site load 
d is

information is exchanged between the GSLB sites. When the host name of the URL is resolved, all traffic 
t

from the client is sent directly to the resolved site. For the GSLB methods to work as defined either the 
rib

MEP should be enabled or explicit monitors should be bound to the remote services. When creating a load‐
balancing virtual server, GSLB methods can be configured using the add gslb vServer command in the CLI.
ut
io

Least Connections:
n

• As the name implies, in this method, the request is routed to the site with the least number of 
connections. Connection statistics for the configured service are exchanged between the sites through 
MEP. The DNS response, generated by the NetScaler system, contains the address of the IP address of 
the site with the least number of connections. MEP must be enabled for this method to work.
• Due to external factors such as during network congestion or when a firewall drop packets, if the MEP 
fails for any of the participating sites, then the default method round robin is used instead of least 
connections. In this case, if the remote service belonging to the site for which MEP has failed has an 
explicit monitor bound to it, and its state is UP, then it will be included in the round robin rotation; 
otherwise, it will not.
Weighted Round Robin:
• Round robin is one of the simplest load‐balancing methods. In this method, the request is routed to the 
sites based on the rotation, regardless of the load on the sites. MEP is not required for the round‐robin 

214 © 2017 Citrix Authorized Content



CITRIX

method to work, if explicit monitoring is configured.
Least Response Time:
• When this method is enabled, the NetScaler system directs the request to the site with 
the least response time. MEP must be enabled for this method to work as defined. 
Average response time statistics for the configured services are exchanged through MEP. 
The DNS response contains the IP address of the GSLB site with the least current response 
time. Due to external factors such as during network congestion or when a firewall drops 
packets, if the MEP fails for any of the participating sites, then the default method round 
robin is used instead of least response time method. In this case, if the remote service 
belonging to the site for which MEP has failed has an explicit monitor bound to it and its 
state is UP, then it will be included in the round robin rotation. Otherwise, it will not.
Least Bandwidth:
• When this method is enabled, the NetScaler system directs the request to the site with 
N

the least bandwidth. MEP must be enabled for this method to work as defined. MEP is 
ot

used to exchange statistics corresponding to the total and current bytes transferred 
fo

between the configured services. The DNS response of the NetScaler system contains the 
rr

IP address of the GSLB site with least current bandwidth, which is the site that is currently 
serving least traffic in Mbps.
es

• Due to external factors such as during network congestion or when a firewall drops 
al

packets, if the MEP fails for any of the participating sites, then the default method round 
e

robin is used instead of least bandwidth. In this case, if the remote service belonging to 
the site for which MEP has failed has an explicit monitor bound to it and its state is UP, 
or

then it will be included in the round‐robin rotation. Otherwise, it will not.
d

Least Packets:
is

• When this method is enabled, the NetScaler system directs the request to the site with 
t rib

the least packets. MEP must be enabled for this method to work as defined. Statistics 
corresponding to the total and current number of packets transferred for the configured 
ut

service are exchanged between sites through MEP.  The DNS response of the NetScaler 
io

system contains the IP address of the site with the least current packets.
n

• Due to external factors such as during network congestion or when a firewall drops 
packets, if the MEP fails for any of the participating sites, then the default method round 
robin is used instead of least packets. In this case, if the remote service belonging to the 
site for which MEP has failed has an explicit monitor bound to it and its state is UP, then it 
will be included in the round‐robin rotation. Otherwise, it will not.
SourceIP Hash:
• The NetScaler system responds with the IP address of each site selected based on the 
hash of the IP address of the DNS resolver. MEP is not required for this method to work if 
an explicit monitor is bound.
Proximity‐Based Global Server Load Balancing:
• When enabled, the proximity‐based GSLB method allows the NetScaler system to make 

214 © 2017 Citrix Authorized Content •


CITRIX

load‐balancing decisions based on the proximity of the client’s local DNS server (LDNS) in 
relation to different sites.  Proximity can be measured both dynamically and statically.  The 
dynamic determination of proximity is based on the current network status, while the 
static determination of proximity is based on the geographic location of the client’s LDNS 
and the sites the client is accessing.  The main benefit of the proximity‐based GSLB 
method is faster response time resulting from the selection of the closest available site.
• Note: To use the proximity based GSLB method, the proximity based GSLB license is 
necessary. 
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

214 © 2017 Citrix Authorized Content •


CITRIX

• When you configure GSLB to use the weighted round-
GSLB with robin method:
Weighted • Weights are added to the GSLB services
• The configured percentage of incoming traffic is sent to each GSLB
Round Robin site
N
ot
fo
rr

Key Notes:
es

For example, you can configure your GSLB setup to forward 80 percent of the traffic to one site and 20 
al

percent of the traffic to another. After you do this, the NetScaler system will send four requests to the first 
e

site for each request that it sends to the second.
or

Weighted Round Robin:
d

• Round robin is one of the simplest load‐balancing methods. In this method, the request is routed to the 
is

sites based on the rotation, regardless of the load on the sites. MEP is not required for the round‐robin 
t

method to work, if explicit monitoring is configured.
rib
ut
io
n

215 © 2017 Citrix Authorized Content



CITRIX

• A site can be assigned to take over when all primary
GSLB Failover sites are down.
for Disaster • The GSLB domain will resolve to the IP address of the
backup site when all the services behind the virtual
Recovery server go down .
N
ot
fo
rr

Key Notes:
es

All sites that are bound as services to the GSLB virtual IP address are considered primary sites. If the site IP 
al

address is configured as the backup, then the site is considered as the backup site. If the GSLB virtual IP 
e

address is UP, the GSLB virtual server will send the DNS response with one of the primary site IP addresses 
or

as selected by the configured load‐balancing policy. If all of the configured primary sites in the GSLB virtual 
IP address are DOWN, the authoritative domain name server (ADNS) or DNS load‐balancing virtual server 
d

will send the DNS response with the backup IP address as configured in the above command.  Persistence 
is

will not be honored when the backup IP address is configured.
trib
ut
io
n

216 © 2017 Citrix Authorized Content



CITRIX

GSLB Failover to Backup Site (CLI)

On all NetScalers that are part of the GSLB configuration , perform the steps shown:
1. Enable the GSLB feature:

enable ns feature gslb

2. Configure DNS :
adJ dns nameserver <IP> - local

3. Create GSLB Sites:

add gslb site SITEOl <Site IP>


N

add gslb site SITE02 <Site IP>


ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

217 © 2017 Citrix Authorized Content



CITRIX

GSLB Failover to Backup Site (CLI)
These commands can be configured on a single NetScaler and synchronized
4. Create GSLB Services (Single Site only):
add gslb service SITE0l_HTTP_App <VIP> HTTP 80 -sitename SITE0l
add gslb service SITE02_HTTP_App <VIP> HTTP 80 -sitename SITE02
5. Create GSLB VServers :
add gslb vserver Global Primary_App HTTP
add gslb vserver Global_Backup_App HTTP
6. Bind GSLB VServer to GSLB Services:
bind gslb vserver Globa~ Primary_App -servicename SITE0l_HTTP_App
N

bind gslb vserver Global_Backup_App -servicename SITE02_HTTP_App


ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

218 © 2017 Citrix Authorized Content



CITRIX

GSLB Failover to Backup Site (CLI)
These commands can be configured on a single NetScaler and synchronized
7. Bind GSLB VServer to the FQDN to Resolve:
bind gslb vserver Global_Primary_App - domainname <FQDN>
8. Set up Failover to Backup site:
set gslb vserver Global_ Primary_App - BackupVS Global_ Backup_ App
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

219 © 2017 Citrix Authorized Content



CITRIX

CNAME-based GSLB services are useful:

Creating • In a multi-level domain resolver configuration or in


multi-level domain load balancing.
CNAME-Based • If you want to have a single name associated with
GSLB Services multiple DNS sub-delegations.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

220 © 2017 Citrix Authorized Content



CITRIX

Proximity load balancing allows for a faster response
resulting from the selection of the closest available
GSLB Site site:

Proximity • Dynamic Network Proximity {RTT)


• Static Proximity
N
ot
fo
rr

Key Notes:
es

A GSLB policy can be used to implement site‐affinity by directing traffic from an IP address or network of a 
al

LDNS resolver to a predefined target site. GSLB policies operate on a static and custom IP address‐based 
e

location database. Incoming request attributes are evaluated in an expression and the target site is 
or

designated as part of the action.
The following considerations apply when using site affinity:
d is

• Can use the wildcard * to define more than one location
trib

• Applies globally in GSLB
• Has a limit of 64 policies
ut
io
n

221 © 2017 Citrix Authorized Content



CITRIX

• To measure dynamic RTT, the NetScaler system
probes the client's LONS server and gathers RTT
Dynamic RTT metric information .
Configuration • GSLB monitors the real-time status of the network
and dynamically directs the client request to the data
center with the lowest RTT value.
N
ot
fo
rr

Key Notes:
es

Methods to measure RTT:
al

• PING: ICMP Echo Request or Reply.
e

• If there is a reply to the ping request, then the appliance calculates the RTT.
or

• If the ICMP reply mechanism is turned off at any of the intermediate routers or at the LDNS, then on 
d

timeout try to send a DNS query.
is

• For RTT calculation ICMP request is initiated from GSLB SNIP.
trib

• DNS: Query or Response.
ut

• If there is a response to the DNS query, then the appliance calculates the RTT.
io

• If the DNS response is for a specific set of client IP addresses or DNS queries are not answered, then 
n

on timeout try to send a TCP request.
• TCP: Synchronize to a higher order port.
• If there is a SYN+ACK, or RST, or a FIN response, then the appliance calculates the RTT.
• If there is no response, then send a ping request again.

222 © 2017 Citrix Authorized Content



CITRIX

• Evaluate attributes of incoming client LONS requests
and conditionally directs clients to a specific GSLB
site.
Implementing • Load balance requests between the sites that match
Proximity- when the LONS characteristics match for more than
one site.
Based GSLB
• Select the best site based on the load-balancing
method if the entry is not found in either custom or
static databases .
N
ot
fo
rr

Key Notes:
es

When enabled, the proximity‐based GSLB method allows the NetScaler system to make load‐balancing 
al

decisions based on the proximity of the client’s local DNS server (LDNS) in relation to different sites. 
e

Proximity can be measured both statically and dynamically. The dynamic determination of proximity is 
or

based on the current network status, while the static determination of proximity is based on the geographic 
location of the client’s LDNS and the sites the client is accessing.
d is

The main benefit of the proximity‐based GSLB method is faster response time resulting from the selection 
t

of the closest available site.
rib

The two methods of proximity load‐balancing methods include:
ut

• Dynamic Network Proximity/Round Trip Time (RTT)
io

• Determine site to send client to based on client’s local DNS (LDNS) proximity to various sites
n

• Gauged by RTT to the LDNS host
• Static Proximity
• Determine site to direct client to based on proximity to geographic locations in a static location 
database.
• Use location commands in configuring and populating the location database.

223 © 2017 Citrix Authorized Content



CITRIX

Implementing Proximity-Based GSLB

Static Proximity
• Determine the site to direct client to based on proximity to geographic locations in a static
location database.
• Use location commands in configuring and populating the location database.
• The default location of the database file on the appliance is /var/netscaler/locdb.
To add a static location file by using the Configuration Utility:
• Navigate to AppExpert > Location , click the Static Database tab.
• Click Add to add a static location file.
N
ot
fo
rr

Key Notes:
es

When enabled, the proximity‐based GSLB method allows the NetScaler system to make load‐balancing 
al

decisions based on the proximity of the client’s local DNS server (LDNS) in relation to different sites. 
e

Proximity can be measured both statically and dynamically. The dynamic determination of proximity is 
or

based on the current network status, while the static determination of proximity is based on the geographic 
location of the client’s LDNS and the sites the client is accessing.
d is

The main benefit of the proximity‐based GSLB method is faster response time resulting from the selection 
t

of the closest available site.
rib

• Static Proximity
ut

• Determine site to direct client to based on proximity to geographic locations in a static location 
io

database
n

• Use location commands in configuring and populating the location database
Run the following command from the command‐line interface of the appliance to add a static location 
file:
add locationfile <locationfile Name> ‐format LocationFormat
Note: Refer to ICG for supported 
formats.
Run the following command to ensure that the location database is loaded:
show locationparameter
This 
command displays the parameters such as, number of static entries and error messages if the database is 
not loaded correctly. A maximum of 3M‐1 (3 million minus one) entries can be loaded.
Run the following command to view the location of the GSLB site:
show gslb service
Notes:
If the database is loaded correctly, the location of the GSLB sites are automatically populated in the 
database.
At any point in time, only one location file can be specified in the configuration on the appliance.

224 © 2017 Citrix Authorized Content CITRIX




If the appliances are in a high availability setup, then one appliance needs to copy the 
database from the other appliance.
If no match is found for an incoming IP address, the request is processed using the Round 
Robin method.
Run the following command in the command‐line interface of the appliance to configure the 
GSLB feature on the appliance:
• 
set gslb vserver GSLBVserverName ‐lbMethod MethodType
• googleoff: all 

Additional Resources:
Citrix Product Documentation on How to Configure Static 
N

Proximity:http://docs.citrix.com/en‐us/netscaler/12/global‐server‐load‐
ot

balancing/configuring‐static‐proximity.html
fo
rr
es
al
e
or
d is
trib
ut
io
n

224 © 2017 Citrix Authorized Content •


CITRIX

Dynamic weights can be based on either:
• The total number of services bound to the virtual
Using Dynamic server.

Weights for OR

Services • The sum of the weights of the individual services


bound to the virtual server.
• Traffic distribution is then based on the weights configured for the
services.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

225 © 2017 Citrix Authorized Content



CITRIX

Backup IP
Address
Configuration for • You can configure a backup site for your GSLB
configuration.
a GSLB Domain
• With this configuration in place , if all of the primary
sites go DOWN , the IP address of the backup site is
provided in the DNS response.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

226 © 2017 Citrix Authorized Content



CITRIX

Single Backup for Multiple GSLB VServer

• Current NetScaler behavior:


• In previous versions, a given GSLB VServer could not act as backup for more than one GSLB VServer.

• Enhancement:
• A single, backup VServer can now act as a backup VServer for multiple GSLB VServers.
• A backup VServer will take traffic for all the primary VServers which go down or spill over.

• Deployment use case :


• A single backup VServer can be utilized for multiple GSLB VServers.
N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

227 © 2017 Citrix Authorized Content



CITRIX

• Exercise 6-1: Configuring Active/Active GSLB
• Exercise 6-2: Testing GSLB with DNS Proxy
Configuration
• Exercise 6-3: Configuring GSLB for Active/Passive
Scenario
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

228 © 2017 Citrix Authorized Content



CITRIX

• DNS is a critical component in a GSLB environment.
• For GSLB , the NetScaler can serve as a DNS proxy
Key Takeaways or ADNS service .
• GSLB can be customized in many ways including
load-balancing methods, persistence, and proximity.
N
ot
fo
rr

Additional Resources:
es

GSLB load Balancing:  https://www.citrix.com/blogs/2015/08/25/global‐server‐load‐balancing‐part‐1‐2/
al

https://support.citrix.com/article/CTX123792
e
or

https://support.citrix.com/article/CTX128999
https://support.citrix.com/article/CTX130163
d is
trib
ut
io
n

229 © 2017 Citrix Authorized Content



CITRIX

Fi I out the
End of Course you
Survey
Your opinion matters!
we
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

230 © 2017 Citrix Authorized Content



CITRIX


CITRIX

NetScaler Traffic
Management
NetScaler Clustering
N

CNS-219-21
ot

Version 1 O
fo
rr

Key Notes:
es

This is an additional module included for Self Study.
al
e
or
dis
t
rib
ut
io
n

231 © 2017 Citrix Authorized Content



CITRIX

• Explain the NetScaler Clustering feature.
Learning • Identify methods for managing and configuring a
NetScaler Cluster.
Objectives • Discuss options for troubleshooting the NetScaler
Cluster.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

232 © 2017 Citrix Authorized Content



CITRIX

NetScaler Clustering
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

233 © 2017 Citrix Authorized Content



CITRIX

Clustering

A NetScaler Cluster is formed by grouping NetScaler systems into an active-active


configuration.
• The NetScaler systems must satisfy specific hardware and software requirements to
be part of a cluster.
• One of the cluster nodes is designated as a configuration coordinator (CCO) and
coordinates all cluster configurations.
• Auto-detect NetScaler appliances in same subnet as NSIP of Configuration
Coordinator.
• Access to nodes using NSIP is read-only.
N
ot
fo
rr

Key Notes:
es

A NetScaler cluster can include as few as two or as many as 32 NetScaler hardware or virtual appliances.
al

Benefits of Clustering.
e
or

When implementing a clustering, you can: 
• Increase the efficiency by using idle resources. This immediately addresses any scalability requirements. 
d

• Add capacity as needed to satisfy any throughput requirements by scaling out to 32 units acting as a 
is

single logical appliance 
trib

• Simplify administration 
ut

• Eliminate downtime by providing a highly fault tolerant solution alternative to an HA pair 
io

• Ensure there is no network downtime
n

234 © 2017 Citrix Authorized Content



CITRIX

Cluster Configuration

Configuration

• CLIP: Cluster IP used for management.


• CCO (Cluster Coordinator) responsible to replicate the configuration to all
N

other nodes.
ot
fo
rr

Key Notes:
es

When a new cluster is defined, a new IP address is used for managing the cluster. This IP address is owned 
al

by the CCO (cluster coordinator node), who is responsible for replicating the configuration on all the cluster 
e

nodes. 
or

If, at any point, any node in the cluster becomes out‐of‐sync with the latest cluster configuration, there is a 
configuration synchronization module running on each node that will ensure the configuration is the same 
d is

on all nodes. 
t rib

Additionally, a file synchronization module running on each node, replicates certificates, CRLs, and so on … 
to all cluster nodes. 
ut

Election criteria for CCO has many decision points and the algorithm keeps running in the background to 
io

figure out best node… thus, even without a node, complete failure there can be changes in CCO. It looks at 
n

interface stats, ssl card stats and many similar points to make the decision.

235 © 2017 Citrix Authorized Content



CITRIX

The NetScaler configurations and the files that are
Clustering available on the CCO are synchronized on all the other
cluster nodes when:
Synchronization
• A node joins the cluster.
• A node rejoins the cluster.
• A sync command is executed on the CCO.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

236 © 2017 Citrix Authorized Content



CITRIX

Cluster Connections
0/ 1/2 1/ 1/ 1 2/1 /4

1/2 1/ 1 1/4

NSO NS1 NS2

NetScaler Cluster

Cluster network interfaces are represented in 3-tuple (n/c/u) notation (node/controller/unit) .


N
ot
fo
rr

Key Notes:
es

To identify the node to which an interface belongs, the standard NetScaler interface‐naming convention is 
al

prefixed with a node ID. That is, the interface identifier c/u, where c is the controller number and u is the 
e

unit number, becomes n/c/u, where n is the node ID.
or
d is
t
rib
ut
io
n

237 © 2017 Citrix Authorized Content



CITRIX

Clustering Backplane
Cluster Backplane

-•Admin
Cluster IP
Address
N

I
I

~---------------------------------..1
ot

NetScaler Cluster
fo
rr

Key Notes:
es

One important concept is the cluster backplane where the nodes communicate with each other. This 
al

should have a dedicated interface on each node and a dedicated switch.
e
or
d is
t rib
ut
io
n

238 © 2017 Citrix Authorized Content



CITRIX

Cluster Logical Topology
Control Plane

..
C

.
a:
:.
0
c

~-, -~~
.!1
u
• =::- -c:J:11a11

Back Plane

• There are four logical traffic flows in a cluster system.


N

• These identify the relevant information that is passed between client, servers, and
nodes in the cluster.
ot
fo
rr

Key Notes:
es

There are four logical traffic flows in a cluster system that identify the relevant information that is passed 
al

between client, servers, and nodes in the cluster:
e

The control plane, client data plane and server can be shared
or

Client Data Plane ‐ Carries traffic to/from the clients to the cluster.
d

Server Data Plane ‐ Carries traffic to/from real servers to the cluster.
is
t

Cluster Back Plane ‐ Carries inter‐node message passing and inter‐node forwarding traffic. Should be on a 
rib

dedicated switch and interfaces
ut

Control Plane ‐ Carries configuration and control traffic from the admin/user to the cluster.
io
n

239 © 2017 Citrix Authorized Content



CITRIX

Entities on a NetScaler can be available
on multiple nodes in the Cluster:

• Spotted config
• Active on a single node
Entities Within • Striped config
a Cluster • Active on multiple nodes
• Fully striped (all nodes)
• Partially striped (subset of nodes which
belong to a node group)
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

240 © 2017 Citrix Authorized Content



CITRIX

Striped and Spotted IP Addresses

In a clustered deployment, VIP, MIP, and SNIP addresses can be striped or spotted

NetScaler-Owned
Striped IP Address Spotted IP Address
IP Address
NSIP No Yes (Read-Only)

Cluster IP Address No (floats) No (floats)

VIP Yes No
N

MIP/SNIP Yes Yes (recommended)


ot
fo
rr

Key Notes:
es

In a clustered deployment, VIP, MIP, and SNIP addresses can be striped or spotted.
al

Striped IP addresses are active on all nodes of the cluster.
e
or

Spotted IP addresses are active on and owned exclusively by one node.
d is
t
rib
ut
io
n

241 © 2017 Citrix Authorized Content



CITRIX

• Connection Sourcing - Port selected
in such a way that return traffic
Port Allocation comes back to the same node .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

242 © 2017 Citrix Authorized Content



CITRIX

Creating IP Addresses in a Cluster
NetScaler cluster

SNIP: 10.102.29.100

SNIP: 10.102.29.99 SNIP: 10.1 02.29.99 S IP: 10.102.29.99

VIP: 10.1 02.29 .66 VIP: 10.1 02.29 .66 VIP: 10.102.29.66

NSO NS1 NS2

• add lb vserver LBVS 1 HTTP 10.102.29.66 80


• add ns ip 10.102.29.99 255.255.255.0 -type SNIP
N

• add ns ip 10.102.29.100 255.255.255.0 - type SNIP - ownerNode 2


ot
fo
rr

Key Notes:
es

By default, all newly created entities in a cluster are stripped when they are defined on a CLIP.
al

If you would like an entity to be “partially stripped” then bind it to a node group – you bind to a node group 
e

by binding to a single node that is a member of that group.
or

Using the “‐ownerNode” switch designates entity as spotted.
d

Note: You cannot change the ownership of a spotted SNIP address at run time. To change the ownership, 
is

you must first delete the SNIP address and add it again by specifying the new owner.
t rib
ut
io
n

243 © 2017 Citrix Authorized Content



CITRIX

Distributed Flow Distributor controls how traffic flow
happens in a Cluster system.

Client requests are sent to a VIP address on the


NetScaler, in a Cluster, are processed through these
Traffic components:
Distribution • Client-data plane
• Flow receiver
• Flow processor
N
ot
fo
rr

Key Notes:
es

ted Flow Distributor controls how traffic flow happens in a cluster system. Whenever the operational view 
al

of the system changes (node online/offline), all the connections that are served by the cluster entity are 
e

affected. In order to guarantee even traffic distribution among, the distributed flow distributor module will 
or

uniformly control how traffic flows to each module. 
Interface Manager (external traffic distribution)
d is

Interface Manager deals with how traffic is distributed by the external router/switch to cluster. Three 
trib

approaches
ECMP
ut

Link Aggregation 
io
n

Link Sets

Flow Distributor (internal traffic distribution)
The node which receives the traffic finds out the flow processor for the traffic and internally steers the 
traffic to the flow processor. 

The flow processor is determined as follows: 
• Compute hash h on 4‐tuple for TCP/UDP, 2‐tuple for other IP
• Flow Processor = prl_first(V, h)
• Steer packet to the flow processor

244 © 2017 Citrix Authorized Content



CITRIX

• Route the packet to the flow processor
• Tunnel the packet to the flow processor 

Flow Distributor / Flow Receiver (FR)
• Determines FP and steers packet to the FP. 
• Flow processor (FP)
• Spotted entity: processing set is single node. FP = node in processing set. 
• Striped entity: processing set = multiple nodes. Hash computed on the packet 
parameters and an ACTIVE node from processing set is selected as FP based on the 
hash. Global RSS Key synchronized across all the nodes to compute consistent hash. 
• ACLs are applied at FP.
N

Flow processor (FP)
ot

• Spotted entity: processing set is single node. FP = node in processing set. 
fo

• Striped entity: processing set = multiple nodes. Hash computed on the packet parameters 
and an ACTIVE node from processing set is selected as FP based on the hash. Global RSS 
rr

Key synchronized across all the nodes to compute consistent hash. 
es

• ACLs are applied at FP.
al
e

Flow Processor
or

• The node which finally processes the traffic is called flow processor. 
d is
t rib
ut
io
n

244 © 2017 Citrix Authorized Content •


CITRIX

NetScaler Cluster Configuration
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

245 © 2017 Citrix Authorized Content



CITRIX

Follow these steps to set up a NetScaler Cluster:
1. Set up the Cluster backplane network.
2. Create the Cluster by adding the first node, which
NetScaler becomes the initial configuration coordinator (CCO).

Cluster Setup 3. Assign a Cluster IP address to that node.


4 . Once the Cluster IP address is defined on the CCO ,
you can add more nodes to the Cluster.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

246 © 2017 Citrix Authorized Content



CITRIX

To set up the Cluster backplane, perform the following
steps for every node:
To Set Up a 1. Identify the network interface that you want to use
Cluster for the backplane .

Backplane 2. Connect an Ethernet or optical cable from the


selected network interface to the cluster backplane
switch.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

247 © 2017 Citrix Authorized Content



CITRIX

Follow these steps to set up the Initial Configuration
Coordinator:
1. Add a Cluster instance: an entity that
identifies the Cluster.
Initial
2. Add the NetScaler system to the Cluster.
Configuration 3. Add the Cluster IP address to this node.
Coordinator 4. Enable the Cluster instance to create the cluster.
5. Save the configuration .
6. Warm restart the system.
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

248 © 2017 Citrix Authorized Content



CITRIX

To seamlessly scale the size of a cluster to
include a maximum of 32 nodes:

• Ensure the system is added to the Cluster.


• Verify the licenses on that system are checked
against the licenses available on the CCO .
Cluster Node
Addition If the licenses match:

• The system is added to the Cluster.


• The existing configurations of the node are cleared.
• The cluster configurations are synchronized with the
node .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

249 © 2017 Citrix Authorized Content



CITRIX

The Cluster Interface Manager is responsible
for distributing incoming traffic flows .
• Equal Cost Multiple Path (ECMP) - All nodes must
NetScaler be connected. It can be used in combination with
LinkSets .
Cluster Traffic
• Linksets - Does not require all nodes to be connected .
Distribution
• Cluster Link Aggregation Group (CLAG) - All nodes
must be connected. It can be used in combination
with Linksets.
N
ot
fo
rr

Key Notes:
es

The Cluster Interface Manager is responsible to distribute incoming traffic flows. This can be achieved using 
al

different mechanisms: 
e

ECMP: Equal Cost Multipath Routing – requires upstream router configuration
or

CLAG: Cluster Link Aggregation Channels – requires upstream switch configuration
d

Link Set
is
t rib
ut
io
n

250 © 2017 Citrix Authorized Content



CITRIX

NetScaler
Cluster
Management
Common cluster-
management tasks
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

251 © 2017 Citrix Authorized Content



CITRIX

1. Remove the reference to the Cluster instance from
the node .
• This command internally executes the clear ns
config extended command on that node.
Remove a • The MIP and SNIP addresses and all VLAN
Cluster Node configurations (except default VLAN and
NSVLAN) are cleared from the node.
2 . Remove the node from the Cluster.
N
ot
fo
rr

Key Notes:
es

When a node is removed from the cluster, the cluster configurations are cleared from the node (by 
al

internally executing the clear ns config ‐extended command). The SNIP addresses and all VLAN 


e

configurations (except the default VLAN and NSVLAN) are also cleared from the appliance.
or

If the deleted node was the cluster configuration coordinator, another node is automatically selected as the 
cluster configuration coordinator, and the cluster IP address is assigned to that node. All the current cluster 
d is

IP address sessions will be invalid and you will have to start a new session.
t rib

To delete the whole cluster, you must remove each node individually. When you remove the last node, the 
cluster IP addresses are deleted.
ut

When an active node is removed, the traffic serving capability of the cluster is reduced by one node. 
io

Existing connections on this node are terminated.
n

252 © 2017 Citrix Authorized Content



CITRIX

• You can temporarily remove a node from a Cluster by
disabling the cluster instance on that node.
Disable a • A disabled node is not synchronized with the cluster
configuration and is unable to serve traffic .
Cluster Node
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

253 © 2017 Citrix Authorized Content



CITRIX

• To synchronize cluster configurations
by using the NetScaler command-line
interface , type the following
command:
Cluster Configuration
Synchronization - force cluster sync
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

254 © 2017 Citrix Authorized Content



CITRIX

All Cluster nodes must be running the
same software version:
Cluster Node Software
• To upgrade or downgrade the
Upgrades and software of a cluster, you must
Downgrades upgrade or downgrade the software
on each node, one node at a time .
N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

255 © 2017 Citrix Authorized Content



CITRIX

An existing high availability (HA) setup
can be migrated to a cluster setup by
first removing the appliances from the
HA setup and then creating the
HA to c 1ustering Migration NetScaler cluster.
• Consider an HA setup with appliances
NS0 (10.102.97.131) and NS1
(10.102 .97 .132)
• NS0 is the primary and NS1 is the
secondary appliance of the HA setup .
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

256 © 2017 Citrix Authorized Content



CITRIX

If a failure occurs in a NetScaler
cluster, the first step in troubleshooting
is to get cluster instance and node by
Troubleshooting running these commands:
NetScaler Cluster - show cluster instance <clid>
- show cluster node <nodeid>
N
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

257 © 2017 Citrix Authorized Content



CITRIX

• Independent:
• Each node maintains its own set of logs and counters.
• These reside on each node local storage as it is done today.
Logs and
• On-Demand :
Reporting • Aggregation is done on-demand. Counters are summarized, and logs
are merged in order.

• Tech Support File:


• Support file can be generated for the node or the entire cluster.
NSlO_nodel> ~how techsupport scop (Cluster or
NODE)
N
ot
fo
rr

Key Notes:
es

All nodes will have their own independent set of counters and logs and they will reside on each node. 
al

Aggregation is only done on‐demand, for instance when issuing a stat command. 
e
or
d is
t rib
ut
io
n

258 © 2017 Citrix Authorized Content



CITRIX

• Which methods of disaster recovery are you currently
N using in your environment, and why?
ot
fo
rr
es
al
e
or
d is
trib
ut
io
n

259 © 2017 Citrix Authorized Content



CITRIX

• Clustering is a configuration of multiple NetScalers
acting as active-active.
• A striped entity exists on multiple nodes in the cluster
Key Takeaways while a spotted entity exists on a single node .
• Cluster backplane should have a dedicated interface
and switch.
N
ot
fo
rr

Additional Resources:
es

Clustering Guide:  https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler‐
al

adc/citrix_netscaler_clustering_guide_v2.pdf
e

Using Clustering:  https://docs.citrix.com/en‐us/netscaler‐gateway/12/clustering.html
or

Creating a NetScaler Cluster:  http://docs.citrix.com/en‐us/netscaler/12/clustering/cluster‐setup/cluster‐
d

create.html
is

Prerequisites for Cluster Nodes:  http://docs.citrix.com/en‐us/netscaler/12/clustering/cluster‐
t rib

prerequisites.html
ut
io
n

260 © 2017 Citrix Authorized Content



CITRIX

Connect with Citrix Education

Facebook Twitter Linkedln


Become a fan of Citrix Services Follow @citrixservices Join the Citrix Education group

Visit http://training.citrix.com to find more information on training, certifications, and exams .


N
ot
fo
rr
es
al
e
or
d is
t rib
ut
io
n

261 © 2017 Citrix Authorized Content



CITRIX


CITRIX•

N
ot
fo
rr
es
al
e
or
d is
t
rib
ut
io
n

262 © 2017 Citrix Authorized Content



CITRIX