Citrix PowerPoint Master (Standard) April 2007

Creating Citrix NetScaler Policies with AppExpert
Agenda
NetScaler for Traffic Management
AppExpert Policy Framework
Demo: Policies 1-2-3
© 2007 Citrix Systems, Inc. — All rights reserved
Why NetScaler?
Web Application Delivery Challenges
• Web Protocols Extremely “Chatty”
• Apps Moved into Fewer Centralized Datacenters
• Remote Users Further Away from Apps
• Increased Security Requirements

Solutions Must Span Two Worlds
Application Traffic: XML, SOAP, HTTP, WSDL, JSON, REST, RSS, AJAX, end-user experience, Mashup, RelTag, SOA, Application Availability, Data theft, RIA, Wiki, Enterprise 2.0
Network Traffic: MAC address, Source IP, Destination IP, Source port, Destination port, Ping, OSPF, RIP, BGP, ACL, DNS, Subnet, 802.XX, ARP, ICMP, RTT, SYN, ACK, Keepalive, SNMP, SSH, SSL, MTBF, Latency
[Diagram: Users, Router, Switch, Firewall, Apps]

[Same diagram with the AppExpert Policy Framework added: Users, Router, Switch, Firewall, Apps]

Why AppExpert?
• Traffic Management on the NetScaler is handled by policies
• AppExpert Visual Policy Builder provides an easy, flexible interface to write and apply policies
• All NetScaler Feature Sets can be controlled via policies.
• And writing policies with AppExpert on the NetScaler is so easy that…

Code-Monkeys need NOT apply
AppExpert Policy Engine
1) Receive + terminate requests
2) Decrypt / authenticate / analyze requests
3) Apply policy + dispatch valid requests
4) Multiplex over persistent connections
[Diagram: Users, AppExpert Policy Engine, Application 1, Application 2]

What NetScaler Features use Policies?
Feature Sets
• Content switching (CS)
• Cache Redirection (CR)
• Compression (CMP)
• Priority Queuing (PQ)
• Content Filtering (CF)
• SureConnect (SC)
• Integrated Caching (IC)
• SSL VPN
• Responder
• URL Rewrite
• …and more

AppExpert Policy Framework is designed to help you…
• Define application-aware policy expressions (Policy Expressions)
• Logically combine multiple policy expressions (Compound Expressions)
• And increase power and flexibility by providing policy execution structure and flow control (Policy Banks)

Defining AppExpert Policy Engine Elements
• Actions
• Expressions
• Policies and Policy Banks
AppExpert NetScaler Policies
• NetScaler Traffic Management is controlled using policies
• For example, a compression policy defines the conditions for compressing content
• A policy consists of an expression and an action
[Diagram: POLICY containing EXPRESSION and ACTION]

What are Policy Actions?
Actions are owned by individual feature sets
• For example, an action that is configurable in the responder module is different from an action configurable in the rewrite module
• The individual feature set has to ensure that the respective actions are applied when there is a policy match

Understanding Actions
• Actions can be predefined or customizable (using expression syntax)
• Actions cannot depend on results of other actions
• All actions are applied at the end of the policy evaluation process
• For example: A single HTTP header cannot be modified by multiple actions – if you insert a new header “my-header” you cannot then change the name of the header to “my-newheader”.

What Are Expressions?
• An expression is the most fundamental component of a policy.
• Expressions are a common pool of conditions that can be applied to content entering the Citrix NetScaler system
• For example: source IP address or browser type
• Expressions can be "named" or "inline"

What Are Expressions?
• Policy expression syntax is universal and shared among NetScaler features
• Expressions are referenced as a rule by NetScaler feature sets
• Expressions can be unary or compound
• The expression (or condition that is evaluated) does not change the content, but the configured action can change the content

GUI - Policy Expressions
Writing Expressions using AppExpert Visual Expression Builder

Advanced vs. Classic Expression Syntax
Advanced Syntax
• Policy Expressions must be written inline
• Is not available for all feature sets
• Increases the processing power and flexibility of policies through the use of GOTO expressions and Policy Banks
• Easy to configure and use
Classic Syntax
• Policy Expressions can be named or inline
• Is not available for all feature sets
• Backwards compatible with previous versions of the NetScaler
• Easy to configure and use

Defining Top Level Objects for expressions
Advanced Syntax
Starter Object: Description
CLIENT: Provides operations on client side data
HTTP: Operates on HTTP protocol data
SERVER: Provides operations on server side data
SYSTEM: Provides operations on system wide data
Classic Syntax
Starter Object: Description
REQUEST: Operates on incoming client request traffic
RESPONSE: Operates on server response traffic

AppExpert Policy Expressions
STARTER OBJECT: CLIENT, SERVER, HTTP, SYS, REQ, RES
PROTOCOL: ETHER, INTERFACE, IP, TCP, VLAN
PROTOCOL METHOD: Varies by protocol
OPERATORS (STRUCTURED): List, Name-value list, Date and time, IP address, HTTP URL, HTTP Version, More…
OPERATORS (UNSTRUCTURED): After RegEx, Before RegEx, After string, Before string, Contains, Contains any, More…

Structure of Basic Expressions
• In the Policy Engine, a basic expression is a composition of object-level operations
• Basic expressions consist of a top level starter object followed by various operations or parameters
  HTTP.REQ.HEADER (advanced), or
  REQ.HTTP.HEADER (classic)

Understanding Expression Types
Expressions can return one of the following:
• A BOOLEAN TRUE or FALSE (used in all Policy types)
  Example: "HTTP.REQ.IS_VALID"
• A STRING (used in Rewrite Actions)
  Example:
  add rewrite action INSERT_CLIENT_IP insert_http_header "Client-ip" "CLIENT.IP.SRC"

AppExpert Visual Policy Builder
What are AppExpert Policy Banks?
• A policy bank is a bind point for a group of policies
• Each policy in a policy bank must have a priority defined
• Every policy is evaluated in priority order
• Two policies cannot have the same priority
• Predefined banks include:
  • Override
  • Default

AppExpert Policy Banks
• GotoExp statements
  • Policy match will trigger “jump” to another policy within the bank
  • Cannot GotoExp back (no possibility of endless loop)
• Provides structured execution and flow control
  • Performance optimization (coarse-grained policies first)
  • Deterministic execution
  • Subroutine call-like behavior
• Processing of policies within a policy bank ends when all valid policies have been processed or an END is encountered on a policy match
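
The evaluation rules from the Policy Banks and Understanding Actions slides, written out as a small Python model. This is an added example, not Citrix code or NetScaler's implementation; the Policy and PolicyBank names, the header-insert action, lower-number-first ordering, goto-by-priority and the one-action-per-header conflict handling are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Callable, Union

END = "END"  # on a match, stop processing the bank

@dataclass
class Policy:
    name: str
    priority: int                       # assumption: lower number is evaluated first
    rule: Callable[[dict], bool]        # expression: inspects the request, never edits it
    action: tuple                       # hypothetical action: (header, value) to insert
    goto: Union[int, str, None] = None  # None: next policy; int: jump to priority; END

class PolicyBank:
    def __init__(self):
        self._by_priority = {}

    def bind(self, p):
        if p.priority in self._by_priority:
            raise ValueError(f"priority {p.priority} is already in use")
        if isinstance(p.goto, int) and p.goto <= p.priority:
            raise ValueError("goto may only jump forward")  # rules out loops
        self._by_priority[p.priority] = p

    def evaluate(self, request):
        matched, pending, conflicts = [], {}, []
        resume_at = 0
        for prio in sorted(self._by_priority):
            p = self._by_priority[prio]
            if prio < resume_at or not p.rule(request):
                continue  # jumped over by a goto, or the expression was false
            matched.append(p.name)
            header, value = p.action
            if header in pending:
                conflicts.append(p.name)  # model choice: one action per header
            else:
                pending[header] = value
            if p.goto == END:
                break
            if isinstance(p.goto, int):
                resume_at = p.goto
        # Actions are only collected above; they are applied after evaluation ends.
        return matched, pending, conflicts

def demo(src_ip="10.1.2.3"):  # constructed sample request
    bank = PolicyBank()
    bank.bind(Policy("tag_internal", 10, lambda r: r["src_ip"].startswith("10."),
                     ("X-Zone", "internal"), goto=30))
    bank.bind(Policy("tag_default", 20, lambda r: True, ("X-Zone", "external")))
    bank.bind(Policy("add_trace", 30, lambda r: True, ("X-Trace", "on"), goto=END))
    bank.bind(Policy("unreached", 40, lambda r: True, ("X-Late", "1")))
    return bank.evaluate({"src_ip": src_ip, "url": "/index.html"})
```

For the internal address the jump from priority 10 to 30 skips the catch-all at 20, and END at 30 keeps priority 40 from ever being evaluated.
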
Using AppExpert to Configure Policies
Configuring Policies is as easy as 1-2-3
1. Create/Identify the Feature Specific Action
2. Create the Expression and Add the Expression and Action into the Policy
3. Bind/Activate the Policy

REWRITE DEMO
In this demonstration we will configure a policy for the Rewrite Feature that will mask the backend server's software type in the HTTP traffic

Create the Action
NetScaler Rewrite Action

Create the Expression and Policy
Create the Rewrite policy by creating an expression and adding your action

Bind
Bind your policy

CONTENT SWITCHING DEMO
In this demonstration we will configure policies for Content Switching that will route test traffic to a test Load Balancing VServer which performs Load Balancing for the “test-web” servers which exist within the same domain as the production web servers

Identify the Action
A Content Switching Action is the target Load Balancing Vserver, so first we need to create/identify which LB Vserver will be the target.

Create the Expression and Policy
Create the CS Policy which will identify internal testing team via IP address

Bind
Activate your policy on the Content Switching Server

RESPONDER DEMO
In this demonstration we will configure a policy for Responder which will respond to a request URL with /myIP. The NetScaler will provide an auto-generated page that gives the client their IP address (this page does not exist on the backend web servers).

Create the Action
NetScaler Responder Action

Create the Expression and Policy
Create the responder policy by creating an expression and adding your action

Bind
Bind your policy

INTEGRATED CACHING DEMO
In this demonstration we will configure an integrated caching request policy to cache any content that contains .html in the requested URL

Identify the Action
Identify the NetScaler Integrated Caching Action you will use

Create the Expression and Policy
Create the Integrated Caching policy by creating an expression and adding a pre-defined action

Bind
Activate your policy