Creating Citrix NetScaler Policies with AppExpert

thoughtlessskytop / Networks and Communications

29 Oct 2013 (3 years and 9 months ago)

© 2007 Citrix Systems, Inc. All rights reserved

Agenda

NetScaler for Traffic Management

Demo: Policies 1-2-3

AppExpert Policy Framework


Why NetScaler? Web Application Delivery Challenges

Remote Users Further Away from Apps

Apps Moved into Fewer Centralized Datacenters

Web Protocols Extremely “Chatty”

Increased Security Requirements


Solutions Must Span Two Worlds

Application Traffic

XML...SOAP...HTTP...WSDL...JSON...REST...RSS...AJAX...end-user experience...

Mashup...RelTag...SOA...Application Availability...Data theft...RIA...Wiki...Enterprise 2.0

Network Traffic

MAC address...Source IP...Destination IP...Source port...Destination port...Ping...

OSPF...RIP...BGP...ACL...DNS...Subnet...802.XX...ARP...ICMP...RTT...SYN...ACK...

Keepalive...SNMP...SSH...SSL...MTBF...Latency...

Users, Apps, Router, Switch, Firewall


AppExpert Policy Framework


Why AppExpert?

Traffic management on the NetScaler is handled by policies

AppExpert Visual Policy Builder provides an easy, flexible interface to write and apply policies

All NetScaler feature sets can be controlled via policies

And writing policies with AppExpert on the NetScaler is so easy that…



Code-Monkeys need NOT apply


AppExpert Policy Engine

1) Receive + terminate requests

2) Decrypt / authenticate / analyze requests

3) Apply policy + dispatch valid requests

4) Multiplex over persistent connections

Users

Application 1

Application 2


What NetScaler Features use Policies?

Feature Sets

Content switching (CS)

Compression (CMP)

Content Filtering (CF)

Integrated Caching (IC)

Responder

URL Rewrite

Cache Redirection (CR)

Priority Queuing (PQ)

SureConnect (SC)

SSL VPN

…and more


AppExpert Policy Framework is designed to help you…

Define application-aware policy expressions (Policy Expressions)

Logically combine multiple policy expressions (Compound Expressions)

And increase power and flexibility by providing policy execution structure and flow control (Policy Banks)


Defining AppExpert Policy Engine Elements


Actions


Expressions


Policies and Policy Banks


AppExpert NetScaler Policies

NetScaler Traffic Management is controlled using policies

For example, a compression policy defines conditions for compressing content

A policy consists of an expression and an action

POLICY: EXPRESSION + ACTION


What are Policy Actions?

Actions are owned by individual feature sets

For example, an action that is configurable in the responder module is different from an action configurable in the rewrite module

The individual feature set has to ensure that the respective actions are applied when there is a policy match


Understanding Actions

Actions can be predefined or customizable (using expression syntax)

Actions cannot depend on results of other actions

All actions are applied at the end of the policy evaluation process

For example: a single HTTP header cannot be modified by multiple actions. If you insert a new header “my-header”, you cannot then change the name of the header to “my-new-header”.



What Are Expressions?

An expression is the most fundamental component of a policy.

Expressions are a common pool of conditions that can be applied to content entering the Citrix NetScaler system

For example: source IP address or browser type

Expressions can be "named" or "inline"



What Are Expressions?

Policy expression syntax is universal and shared among NetScaler features

Expressions are referenced as a rule by NetScaler feature sets

Expressions can be unary or compound

The expression (or condition that is evaluated) does not change the content, but the configured action can change the content




GUI - Policy Expressions


Writing Expressions using AppExpert Visual Expression Builder


Advanced vs. Classic Expression Syntax

Classic Syntax

Policy Expressions can be named or inline

Is not available for all feature sets

Backwards compatible with previous versions of the NetScaler

Easy to configure and use

Advanced Syntax

Policy Expressions must be written inline

Is not available for all feature sets

Increases the processing power and flexibility of policies through the use of GOTO expressions and Policy Banks

Easy to configure and use


Defining Top Level Objects for expressions

Advanced Syntax Starter Object    Description
CLIENT                            Provides operations on client side data
HTTP                              Operates on HTTP protocol data
SERVER                            Provides operations on server side data
SYSTEM                            Provides operations on system wide data

Classic Syntax Starter Object     Description
REQUEST                           Operates on incoming client request traffic
RESPONSE                          Operates on server response traffic


AppExpert Policy Expressions

STARTER OBJECT: CLIENT, SERVER, HTTP, SYS

PROTOCOL: ETHER, INTERFACE, IP, TCP, VLAN, REQ, RES

PROTOCOL METHOD: Varies by protocol

OPERATORS, STRUCTURED: List, Name-value list, Date and time, IP address, HTTP URL, HTTP Version, More…

OPERATORS, UNSTRUCTURED: After RegEx, Before RegEx, After string, Before string, Contains, Contains any, More…


Structure of Basic Expressions

In the Policy Engine, a basic expression is a composition of object-level operations

Basic expressions consist of a top level starter object followed by various operations or parameters

HTTP.REQ.HEADER (advanced), or REQ.HTTP.HEADER (classic)




Understanding Expression Types

Expressions can return one of the following:

A BOOLEAN TRUE or FALSE (used in all Policy types)

Example: "HTTP.REQ.IS_VALID"

A STRING (used in Rewrite Actions)

Example:

add rewrite action INSERT_CLIENT_IP insert_http_header "Client-ip" "CLIENT.IP.SRC"




AppExpert Visual Policy Builder


What are AppExpert Policy Banks?

A policy bank is a bind point for a group of policies

Each policy in a policy bank must have a priority defined

Every policy is evaluated in priority order

Two policies cannot have the same priority

Predefined banks include: Override, Default


AppExpert Policy Banks

GotoExp statements

Policy match will trigger a “jump” to another policy within the bank

Cannot GotoExp back (no possibility of endless loop)

Provides structured execution and flow control

Performance optimization (coarse-grained policies first)

Deterministic execution

Subroutine call-like behavior

Processing of policies within a policy bank ends when all valid policies have been processed or an END is encountered on a policy match




Using AppExpert to Configure Policies

Configuring policies is as easy as 1-2-3

1. Create/Identify the Feature Specific Action

2. Create the Expression and Add the Expression and Action into the Policy

3. Bind/Activate the Policy



REWRITE DEMO

In this demonstration we will configure a policy for the Rewrite Feature that will mask the backend server's software type in the HTTP traffic




Create the Action

NetScaler Rewrite Action


Create the Expression and Policy

Create the Rewrite policy by creating an expression and adding your action


Bind

Bind your policy
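
The three Rewrite demo steps written as NetScaler CLI commands, as an added example that is not taken from the original slides (the deck shows these steps only in the GUI). The action and policy names, the replacement value and the second X-Powered-By policy are assumptions; the second policy goes beyond the demo to show two priorities and NEXT/END inside one policy bank.

```netscaler
# Added example; act_*/pol_* names and "Web Server 1.0" are assumed values.
enable ns feature REWRITE

# 1. Create the actions (owned by the Rewrite feature).
#    replace: overwrite the value of the response Server header.
add rewrite action act_mask_server replace "HTTP.RES.HEADER(\"Server\")" "\"Web Server 1.0\""
#    delete_http_header: remove another header that names backend software.
add rewrite action act_del_powered_by delete_http_header X-Powered-By

# 2. Create the policies: a BOOLEAN expression plus the action applied on a match.
#    Each action touches a different header, so no header is modified twice.
add rewrite policy pol_mask_server "HTTP.RES.HEADER(\"Server\").EXISTS" act_mask_server
add rewrite policy pol_del_powered_by "HTTP.RES.HEADER(\"X-Powered-By\").EXISTS" act_del_powered_by

# 3. Bind both policies to the response-side Default bank.
#    Priorities must be unique; the lower number is evaluated first.
#    NEXT continues with the next policy after a match, END stops evaluation.
bind rewrite global pol_mask_server 100 NEXT -type RES_DEFAULT
bind rewrite global pol_del_powered_by 200 END -type RES_DEFAULT

# Check the bindings and the per-policy hit counter after sending test traffic.
show rewrite global
show rewrite policy pol_mask_server
```

A response fetched through the virtual server should then carry the masked Server value and no X-Powered-By header.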


And…

CONTENT SWITCHING DEMO

In this demonstration we will configure policies for Content Switching that will route test traffic to a test Load Balancing VServer which performs Load Balancing for the “test-web” servers which exist within the same domain as the production web servers




Identify the Action

A Content Switching Action is the target Load Balancing Vserver, so first we need to create/identify which LB Vserver will be the target.


Create the Expression and Policy

Create the CS Policy which will identify the internal testing team via IP address


Bind

Activate your policy on the Content Switching Server


And…

RESPONDER DEMO

In this demonstration we will configure a policy for Responder which will respond to a request URL with /myIP. The NetScaler will provide an auto-generated page that gives the client their IP address (this page does not exist on the backend web servers).




Create the Action

NetScaler Responder Action


Create the Expression and Policy

Create the responder policy by creating an expression and adding your action


Bind

Bind your policy
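
The Responder demo steps written as NetScaler CLI commands, as an added example that is not taken from the original slides. The names act_myip and pol_myip, the exact-path match and the response headers are assumptions.

```netscaler
# Added example; act_myip and pol_myip are assumed names.
enable ns feature RESPONDER

# 1. Create the action. respondwith takes a STRING expression whose value the
#    NetScaler sends as the complete HTTP response, so no backend is contacted.
#    text/plain keeps the body from being rendered as markup; no-store keeps an
#    intermediate cache from serving one client's address to another client.
add responder action act_myip respondwith "\"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nCache-Control: no-store\r\n\r\nYour IP address is \" + CLIENT.IP.SRC + \"\n\""

# 2. Create the policy: a BOOLEAN expression that matches only the path /myIP.
add responder policy pol_myip "HTTP.REQ.URL.PATH.EQ(\"/myIP\")" act_myip

# 3. Bind to the Override bank; END stops responder evaluation on a match.
bind responder global pol_myip 100 END -type OVERRIDE

# Check the hit counter after requesting /myIP through a virtual server.
show responder policy pol_myip
```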


And…

INTEGRATED CACHING DEMO

In this demonstration we will configure an integrated caching request policy to cache any content that contains .html in the requested URL




Identify the Action

Identify the NetScaler Integrated Caching Action you will use


Create the Expression and Policy

Create the Integrated Caching policy by creating an expression and adding a pre-defined action


Bind

Activate your policy


And…