Several Citrix products have been nominated for the 2009 Information Security Magazine / SearchSecurity.com Readers Choice Awards:
- NetScaler, Application security: Web application firewall, application/code vulnerability assessment/QA, Web services security
- Access Gateway, Remote access: IPsec, SSL VPNs and other remote access products
- Branch Repeater, Other: Branch optimization/application acceleration solution
Thanks to your support, last year we won the Bronze Award under the 'remote access' category for Citrix Access Gateway and the Bronze Award under the 'application security' category for Citrix App Firewall.
While technically not a security product, Branch Repeater does play a role in building a secure IT infrastructure. Branch optimization allows businesses to centralize applications and data in secure datacenters without sacrificing end-user performance.
Surveys have already gone out to readers of Information Security and SearchSecurity.com via e-mail. If you received one of these surveys please take a few minutes and vote.
Everyone should know by now that the NetScaler standard is the best practice for XenApp delivery. So why do folks still see "Access Gateway" on the NetScaler's cool carbon fiber login page?
Do your prospects a favor and provide a consistent message that NetScaler is the solution they are testing!
One small way you can address this is by changing the "Access Gateway" graphic in the VPN login page to read "NetScaler". I bet you didn't even know Citrix already put the logo on the device, did you?



Procedure
- Log in to the command line interface using any of the available methods:
  - Web GUI: System > Diagnostics > Command Line Interface
  - Console port
  - SSH client
- Issue the following commands:
> shell
# cp -r /netscaler/ns_gui/vpn/* /var/vpn/vpn
# cd /var/vpn/vpn/images
# mv ctxHeader01.gif ctxHeader01ForAGEE.gif
# cp ctxHeader01ForTM.gif ctxHeader01.gif
Notes
Used NetScaler 9.0
A customer asked me to reduce the complexity of having both single and multi factor CAG login pages and create a more seamless access experience for users with and without RSA tokens.
Because the customer wants folks who have been issued a token to receive full VPN access and be directed to a custom Web Interface (WI) site tailored for elevated permissions, I had to use two CAG VIPs: one for single factor authentication (access.company.com) and the other for multi-factor authentication (rsa.access.company.com). Those who do not have a token, or do not have it readily available, can still log in and be attached to a different WI site with restricted application access.
To get the more seamless experience, I direct everyone to the single factor login page. Then I present a link to give RSA users an opportunity to plug in their RSA token values. The problem, though, is that all CAG vservers share the same HTML login page, so I had to insert the link programmatically by modifying the JavaScript so that it selectively inserts an HTML link based on which vserver the user is logged into.
While this may be sufficient for your use, please know you can further customize the HTML, JavaScript, and Style Sheet pages to conform to your vision of a seamless user experience.
Example Screen Shots
The Original CAG Login page: 
The New page with RSA Token link: 
If the user follows the link, the RSA token field is presented: 
Procedure
Edit file /netscaler/ns_gui/vpn/login.js as necessary:
function ns_showpwd()
{
    // pwcount is read with the page's own ns_getcookie(); it is 2 on the vserver that expects a second factor.
    var pwc = ns_getcookie("pwcount");
    document.write('<TR><TD align=right style="padding-right:10px;"><SPAN class=CTXMSAM_LogonFont>Password');
    document.write(':</SPAN></TD>');
    document.write('<TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="Enter password" name="passwd" size="30" maxlength="32" style="width:100%;"></TD></TR>');
    if ( pwc == 2 ) {
        // Multi-factor vserver: show the RSA token field.
        document.write('<TR><TD align=right style="padding-right:10px;"><SPAN class=CTXMSAM_LogonFont>RSA Token:</SPAN></TD><TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="Enter RSA Token" name="passwd1" size="30" maxlength="32" style="width:100%;"></TD></TR>');
    } else {
        // Single factor vserver: offer a link to the multi-factor vserver instead.
        document.write('<A href="https://rsa.access.company.com/">Click HERE if you have been issued an RSA token.</A>');
    }
    UnsetCookie("pwcount");
}
References
CTX115756 - How to Modify the Logon Form Field Labels
Notes
Used NetScaler 9.0
Both CAG vServers used the same wildcard SSL certificate.
Netscaler nCore
Already announced at iForum, but worthy of buzz, is the new multi-core, parallel processing architecture for the Citrix NetScaler released in version 9.1 - nCore Technology. Applications are becoming more dynamic and demanding as we have seen in recent community, social networking and Web 2.0 advancements. Browser request and server response is the old model. Rich interactive applications that provide real-time information require real-time connections between browser and server. Enterprise software vendors such as SAP, Microsoft, Oracle and others understand the need to push toward highly interactive applications that enrich the functionality and user experience.
The richness of experience manifests in several ways:
- Protocols: New protocols such as Ajax, Comet, Ruby, etc.
- Connections: Web 2.0 protocols generate more connections between client and server.
- Chattiness: Web 2.0 protocols initiate more requests between the client and server.
- Applications: Rich Internet applications such as Flash, Flex and Silverlight make applications engaging and interactive.
- Clients: Clients are always connected and content needs to be optimized for them (iPhone, Symbian, Blackberry, Palm, Windows Mobile, Internet Explorer, Firefox, Safari).
ADCs need to deliver greater performance and scalability by supporting higher levels of throughput, HTTP requests, concurrent connections and SSL Transactions. ADCs need to handle the increase in connections and requests to offload the demands placed on back-end web servers. The demands for caching, compression and application firewalls will increase as well.
In order to meet the increasing demand in application delivery environments, you need the Citrix NetScaler nCore technology.
Tap into the power of AppExpert!
Cloud Networking is secure and robust
You can create a complete end-to-end network from one cloud network, running on XenServer, through a VPN to another network in a different cloud. All servers and hosts communicate securely over SSL VPN. Amazon Machine Images are secured by the Amazon infrastructure using security groups.
The proof of concept speaks for itself. Between the Softlayer cloud and the Amazon EC2 cloud is running a site-to-site SSL VPN using Vyatta. All of the images in this architecture are running on XenServer. This proof of concept gives rise to many networking architectures for cloud computing.
The reason for using Vyatta site-to-site SSL VPN between the Softlayer and Amazon EC2 clouds is there needs to be a secure network between the two for the transfer of data. The Vyatta AMI (Amazon Machine Image) can also function as a complete router, firewall and DNS cache. The Vyatta SSL VPN router provides security with scalability. Suppose I wanted to separate the Vyatta SSL VPN from a Vyatta OSPF router, I would just launch another instance of the Vyatta AMI.
As you can see from the network diagram and video, complete routing from the Softlayer cloud to the Amazon cloud network is seamless, without having to buy any proprietary hardware. In fact, it is very low cost compared to traditional network solutions. Virtualized networking is here, it is fast, secure and cheap.
A CloudBurst happens when Citrix Workflow Studio determines that one of the devices in the Softlayer Cloud has reached a high watermark. WFS then instructs the NetScaler VPX to start sending traffic to the Cloud - CloudBurst.
Configurations used
Vyatta SSL VPN (V1) - Datacenter Configuration
Vyatta SSL VPN (V2) - Cloud Configuration
XenApp VPN Client - Cloud Configuration
Its powerful AppExpert!
Cloud Networking is fast
You can create a complete end-to-end network from the datacenter to the cloud. All cloud servers communicate securely over SSL VPN.
Between the datacenter and the Amazon EC2 cloud is a site-to-site SSL VPN built with Vyatta. On the XenApp server in the cloud runs the Citrix Accelerator which connects back to the Citrix Branch Repeater/WANScaler at the datacenter, to accelerate data connections. The Citrix Accelerator makes cloud computing fast, Vyatta makes it secure.
The reason for using Vyatta site-to-site SSL VPN between the datacenter and Amazon EC2 cloud is there needs to be a secure network between the two for the transfer of data. The Vyatta AMI (Amazon Machine Image) can also function as a complete router and firewall. The Vyatta SSL VPN router provides security with scalability.
As you can see from the network diagram and video, complete routing from the datacenter to the Amazon cloud network is seamless. Data resides at the datacenter and is accessed, over the SSL VPN, by the Application running in XenApp. The remote user connects to XenApp, runs the application, and the application delivers the data to the remote user, quickly and securely.
Configurations used
Vyatta SSL VPN (V1) - Datacenter Configuration
Vyatta SSL VPN (V2) - Cloud Configuration
Windows VPN Client - Cloud Configuration
Its powerful AppExpert!
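How do you all manage your Citrix product manuals?
Because I am a very sloppy person, I always go to http://support.citrix.com on the web and search there...
If you are good at keeping things organized, you probably keep your manuals in a particular folder so that you can refer to them right away.
Many customers also print every manual, keep the printouts in pipe-style binders, and mark the important parts with highlighters and Post-it notes so they are easy to find, which was a real eye-opener for me. For people like me who have been thinking they ought to follow that example, there is good news! Citrix eDocs has been released.
http://support.citrix.com/proddocs/index.jsp?lang=ja
You can refer to a variety of manuals from a single interface. As long as you bookmark the URL of the Citrix eDocs Home page, you can easily reach any manual from anywhere with a network connection, and you can also search all the manuals at once, so your work efficiency goes up considerably. Please give it a try!! We are also accepting feedback at any time, so please send us all kinds of feedback through the site below.
http://www.surveymonkey.com/s.aspx?sm=OdJNqlUYpLiT_2bYmeV6U7gQ_3d_3d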

NetScaler Virtual Machine
Today, Citrix announced a virtual appliance version of their NetScaler Application Delivery Controller - the NetScaler VPX, the first of its kind. All of the functions that traditionally were performed in the datacenter can now be performed in the domain of virtual machines. Load balancing, application acceleration, security and offload functionality are now available as a XenServer virtual appliance.
Industry's first Virtual Load Balancer
No other vendor offers this type of software as a Virtual Appliance. By making advanced web application delivery functionality available as a virtual appliance, NetScaler VPX drives convergence of virtualization and networking. In the continued movement toward simple and affordable convergence, NetScaler VPX makes sophisticated application delivery functionality available to any size organization. This breaks down deployment barriers for all types of organizations.
What used to run on a proprietary piece of hardware now runs on any hardware that supports virtualization. Because there is no physical appliance to ship, install or move VPX can be installed at a moment's notice, on any server running XenServer.
The challenge
- Check out The Great NetScaler VPX challenge and get $10,000.
- The Tech Preview will be downloadable from Citrix on May 18th.
- If you are running VMWare, you need to run Xen - and why wouldn't you, Xen is free.
NetScaler VPX
Ever since we acquired XenSource, we've been asked "will Citrix make NetScaler available as a virtual appliance?" Actually, folks familiar with NetScaler were asking for a "software version" of NetScaler long before that. But with the XenSource acquisition, the question volume definitely ratcheted up. Well, if you're reading this, then most likely you know the answer to that question is a most definite "yes."
Today, during the Synergy keynote, we announced NetScaler VPX. We will have a free tech preview available for download on May 18, and general commercial availability scheduled for the third quarter of this year.
NetScaler VPX makes all NetScaler load balancing, acceleration, application security and server offload functionality available as a virtual appliance. Yes, you read that correctly; all the same functionality. All the load balancing, all the advanced L7 traffic management, caching, compression, GSLB, the full Access Gateway-Enterprise SSL VPN, the full application firewall, Web 2.0 Push, connection offload, and everything else. NetScaler VPX is NetScaler; feature-complete.
Now, beyond the core feature set, there are some differences between NetScaler VPX and NetScaler appliances. NetScaler appliances will offer higher performance and throughput than NetScaler VPX. And since the L2 networking environment is virtualized, there are some configuration differences there. But from L3 on up it is NetScaler. If the GUI wasn't labeled NetScaler VPX, even a seasoned NetScaler admin would be hard pressed to tell they were looking at a virtual appliance.
Of course, there is the one big difference: NetScaler VPX is a virtual appliance, which means that you can run it on pretty much any modern (we do require Intel VTx or AMD-V "virtualization assist") industry standard server. Which means that it is now possible to install NetScaler pretty much anyplace within the datacenter. Or, maybe even everyplace in the datacenter.
Which brings us to the Great NetScaler VPX Challenge.
Almost universally, whenever we first mention NetScaler VPX, new uses for NetScaler come up. The flexibility to deploy on-demand immediately opens up the ability to do things that for one reason or another aren't currently practical.
It's now possible to make load balancing and advanced traffic management functionality pervasive across lab, test and even development environments. Not the sexiest use case, but one I think we all agree brings some pretty significant benefits.
Now that NetScaler has a virtual footprint option, it's also much easier to move NetScaler at the same time an application moves. This opens up some interesting options for disaster recovery (think GSLB and SSL VPN), especially for smaller companies. This also makes tapping cloud capacity easier, since NetScaler can run using the same general server capacity as the rest of the application.
And there are some really interesting two-tier deployment options where NetScaler MPX appliances front NetScaler VPX virtual appliances. This is a discussion in and of itself.
We've heard so many good ideas we've decided to provide a venue - the Great NetScaler VPX Challenge - where you can describe a problem and then talk about how you think NetScaler VPX can help solve that problem. Since anyone will be able to download the tech preview, there is plenty of opportunity to experiment. And, since documenting the idea takes a little bit of effort, we added a little kicker (the $10,000 first prize) to help get the creative juices flowing.
In terms of exactly what we're looking for, the Challenge website documents this fairly well.
First, describe a problem. It could be your problem, it could be your friend's problem, it could be a problem you faced in a prior life. In fact, it doesn't necessarily even have to be a problem. Opportunities are just as good, and maybe even better.
Second, describe how you think NetScaler VPX can solve the problem. The judges are just as interested in business issues as they are technical issues, so don't limit yourself to bits and bytes. If there is an organizational or political issue that NetScaler VPX helps you solve, that's likely to be a great entry.
Third, have fun. We're not specifying any specific media or format for the submissions. PowerPoint with voiceover is fine, as is a video of you and your friends talking in front of a whiteboard. Or, just write it up. And we're not looking for War and Peace. Within reason of course, the shorter the better. Three minutes should be plenty of time. Also, while the judges need to see and hear what you're saying, we don't expect Hollywood-level production quality.
We're really excited about NetScaler VPX. And, at least judging from the reactions we're getting at Citrix Synergy, so are you. So, when the tech preview is available, download it and take it for a spin, and then let us know what you think.
Secure Selected Pages
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
In situations where you want to make sure that for some selected pages only the secure server is used, the following can be used.
Apache rewrite:
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/?(page1|page2|page3|page4|page5)$ https://www.example.com/$1 [R,L]
AppExpert rewrite example 1:
Add responder action res_redirect redirect '"https://www.example.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
Add responder policy pol_redirect '!CLIENT.TCP.DSTPORT.EQ(443)&&HTTP.REQ.URL.REGEX_MATCH(re/page[1-5]/)' res_redirect
Bind responder global pol_redirect 100 END
AppExpert rewrite example 2:
add policy patset pat1
bind policy patset pat1 page1
bind policy patset pat1 page2
bind policy patset pat1 page3
bind policy patset pat1 page4
bind policy patset pat1 page5
Add responder action res_redirect redirect '"https://www.example.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
Add responder policy pol_redirect '!CLIENT.TCP.DSTPORT.EQ(443)&&HTTP.REQ.URL.CONTAINS_ANY("pat1")' res_redirect
Bind responder global pol_redirect 100 END
Tap into the power of AppExpert!
When we talk about the Citrix Delivery Center, we are talking about an end-to-end application delivery infrastructure solution. A solution which represents a family of Citrix product lines: Citrix XenServer, Citrix XenApp, Citrix NetScaler and Citrix XenDesktop. It also represents products that add integrated security, management and networking functions, products such as: Citrix Access Gateway, Citrix Branch Repeater and Citrix Desktop Receiver. Overall, the Citrix Delivery Center gives customers the power to adopt virtualization that meets their specific requirements. Customers can choose to optimize delivery of their Web Applications, Windows Applications, Desktop Delivery, Data Center Optimization - individually or in combination. How about all of them?

Now according to a recent Forrester study "49% of enterprises surveyed that are implementing or interested in virtualization solutions indicate that improving disaster recovery/business continuity continues to be a very important motivation for adoption". So what better way to pique their virtualization/business continuity interest than by demonstrating an end-to-end Citrix and Marathon combined solution onsite at the world's largest business software company SAP.
Recently the Citrix Worldwide Consulting Solutions and Business Development teams did just that. We built and demonstrated a Proof of Concept environment that delivered a highly available and virtualized SAP infrastructure using a complete Citrix Delivery Center solution. Within a two week period, the Citrix, Marathon, and SAP teams built and demonstrated a complete Proof of Concept environment. For a quick project overview please refer the data sheet here.
So how did we do it....First we virtualized every Citrix Delivery Center component and the backend SAP NetWeaver application servers using Citrix XenServer. Then we showcased what a remote SAP NetWeaver user would experience accessing the SAP NetWeaver Portal via Citrix Delivery Center while focusing on the high availability/fault tolerant solutions Citrix and Marathon provide. Finally, we simulated a complete failure in the primary site and used the combined NetScaler Global Server Load Balancing feature in conjunction with Marathon's everRun DR product to failover SAP to a secondary data center.
Let's go through the steps that describe the demonstrated user experience:
- Remote SAP NetWeaver Portal user securely connects to the SSL VPN provided by Citrix Access Gateway Enterprise Edition.
- All connections from the remote user client are accelerated using Citrix Branch Repeater Plug-in.
- Remote user is seamlessly presented with the Citrix Web Interface website with on-demand access to virtual desktops, applications, bookmarks and other corporate resources.
- From the Citrix Web Interface page, the remote user launches a virtual Windows XP desktop hosted by Citrix XenDesktop. This desktop is a private virtual image of Windows XP running within a secure data center and maintained from a centralized Windows XP image provisioned dynamically with Citrix Provisioning Server.
- From the secure virtual Windows XP desktop, the remote user launches a published SAP NetWeaver Portal delivered by Citrix XenApp. The published NetWeaver Portal application is separated from the virtual Windows XP Operating System allowing optimal user performance.
- As the remote user navigates the application, all SAP NetWeaver Portal connections pass through a Citrix NetScaler configured to optimize SAP NetWeaver Portal application delivery.
We also demonstrated the following high availability and recoverability solutions provided by Citrix XenServer and Marathon everRun software:
- Level 1: XenServer delivers out-of-the-box high availability, including cost-effective core failover, recovery and restart capabilities for SAP applications running in the virtual environment.
- Level 2: Marathon everRun VM delivers high availability of component-level fault tolerance, eliminating downtime caused by I/O component failures and guaranteeing recovery from system failures.
- Level 3: Marathon everRun VM's Lockstep Technology delivers continuous availability from system-level fault tolerance, eliminating data loss, downtime and transaction loss.
- Disaster Recovery: Marathon everRun DR provides a robust and flexible remote disaster recovery solution providing automated and reliable long-distance protection for critical data and applications, in this case, SAP.
Each piece of the demonstration was broken down into small video segments for this blog. The first video features the Citrix Delivery Center environment for SAP from top to bottom including the remote user login, virtual desktop access, and SAP NetWeaver Portal launch. Then a complete site failure is simulated and the secondary site recovery is shown using Marathon's everRun DR solution with Citrix NetScaler's Global Server Load Balancing feature.
Stay tuned for a detailed reference architecture and video blogs on different High Availability scenarios including everRun VM also demonstrated at SAP Co-Innovation Lab.
Here's the video:
Now that we have released Workflow Studio 1.1, I wanted to point out that we also have articles with details about what is available in each activity library. There are 8 different libraries listed in the installer - click on the item below to view the activities available with each one:
- Citrix NetScaler
- Citrix XenServer
- Active Directory
- Group Policy
- Networking
- Windows
- WMI
- Workflow Math Functions
Note: The Group Policy activity library requires the Microsoft Group Policy Management Console (GPMC) to be installed before it can be used. You can get GPMC here:
http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
Redirecting a URI to a new format
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
Let's say, for example, that you've got a set of working URLs that look like this: /index.php?id=nnnn. However, you'd really like to change them to /nnnn and make sure search engines update their indexes to the new URI format. First, you'd have to redirect the old URIs to the new ones so that search engines update their indexes, but you still have to rewrite the new URI back to the old one so that the index.php script would run.
Example: The trick here is to place into the query string a marker code that will not be seen by visitors. We redirect from the old link to the new format only if the "marker" is not present in the query string. Then we rewrite the new format link back to the old format, and add a marker to the query string.
Apache rewrite:
RewriteCond %{QUERY_STRING} !marker
RewriteCond %{QUERY_STRING} id=([-a-zA-Z0-9_+]+)
RewriteRule ^/?index\.php$ %1? [R,L]
RewriteRule ^/?([-a-zA-Z0-9_+]+)$ index.php?marker&id=$1 [L]
AppExpert rewrite:
Add responder action act_redirect redirect 'HTTP.REQ.URL.PATH.BEFORE_STR("index.php")+HTTP.REQ.URL.QUERY.VALUE("id")' -bypassSafetyCheck yes
Add responder policy pol_redirect '!HTTP.REQ.URL.QUERY.CONTAINS("marker")&& HTTP.REQ.URL.QUERY.VALUE("id").REGEX_MATCH(re/[-a-zA-Z0-9_+]+/) && HTTP.REQ.URL.PATH.CONTAINS("index.php")' act_redirect
Bind responder global pol_redirect 100 END
Add rewrite action act1 replace 'HTTP.REQ.URL.PATH.SUFFIX(\'/\',0)' '"index.php?marker&id="+HTTP.REQ.URL.PATH.SUFFIX(\'/\',0)' -bypassSafetyCheck yes
Add rewrite policy pol1 '!HTTP.REQ.URL.QUERY.CONTAINS("marker")' act1
Bind rewrite global pol1 100 END
Tap into the power of AppExpert!
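A model of the marker trick from this post, added here as an example and not taken from the original post or from Citrix: it runs the two rules repeatedly on a request to show that the marker stops the redirect/rewrite cycle. It assumes the front end re-evaluates its rules after an internal rewrite (as Apache does in per-directory context); the function names are made up for this sketch.

```python
import re
from urllib.parse import urlsplit

OLD_PATH = re.compile(r"^/?index\.php$")           # RewriteRule ^/?index\.php$
ID_PARAM = re.compile(r"id=([-a-zA-Z0-9_+]+)")     # RewriteCond %{QUERY_STRING} id=(...)
NEW_PATH = re.compile(r"^/?([-a-zA-Z0-9_+]+)$")    # RewriteRule ^/?(...)$


def apply_rules(path, query, use_marker=True):
    """Run the rule set once. Returns (action, path, query)."""
    m = ID_PARAM.search(query)
    # The page's test is a substring match on the whole query string,
    # so an id value that itself contains "marker" also counts as marked.
    marked = use_marker and "marker" in query
    if OLD_PATH.match(path) and m and not marked:
        # Old format without marker: external redirect to the new format.
        return ("redirect", "/" + m.group(1), "")
    m = NEW_PATH.match(path)
    if m:
        # New format: internal rewrite back to the script, adding the marker.
        marker = "marker&" if use_marker else ""
        return ("rewrite", "/index.php", marker + "id=" + m.group(1))
    return ("pass", path, query)


def trace(url, use_marker=True, max_steps=6):
    """Follow a request until the rules stop changing it.

    A redirect models the client re-requesting the Location; a rewrite models
    the front end re-evaluating its rules on the rewritten URL (assumption).
    """
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    steps = []
    for _ in range(max_steps):
        action, path, query = apply_rules(path, query, use_marker)
        steps.append((action, path + ("?" + query if query else "")))
        if action == "pass":
            return steps
    raise RuntimeError("rules never settle: " + " -> ".join(u for _, u in steps))


if __name__ == "__main__":
    # Constructed sample requests.
    for url in ("/index.php?id=1234", "/1234", "/index.php?id=supermarker"):
        print(url, trace(url))
    try:
        trace("/index.php?id=1234", use_marker=False)
    except RuntimeError as exc:
        print("without marker:", exc)
```

The marker is sent by anyone who types it, so it only prevents the loop and carries no trust; the `supermarker` request shows an old-format URL that is never redirected because its id contains the marker string.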
Creating Extensionless links
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
Sometimes you may want to support extensionless links, either to hide extensions from end users or to make URLs easy to remember.
Example 1: add .php extension to all requests
Apache rewrite:
RewriteRule ^/?([a-z]+)$ $1.php [L]
AppExpert rewrite:
Add rewrite action act1 insert_after 'HTTP.REQ.URL' '".php"'
Add rewrite policy pol1 'HTTP.REQ.URL.PATH.REGEX_MATCH(re#^/([a-z]+)$#)' act1
Bind rewrite global pol1 100
Example 2: if we have a mixture of both .html and .php files, the following can be used
Apache rewrite:
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^/?([a-zA-Z0-9]+)$ $1.php [L]
RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^/?([a-zA-Z0-9]+)$ $1.html [L]
AppExpert rewrite:
Here an HTTP callout is used: the script file_check.cgi, hosted on 10.102.59.101, checks whether the provided argument is a valid file name.
add policy httpCallout Call_html
add policy httpCallout Call_php
set policy httpCallout Call_html -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")' -urlStemExpr '"/cgi-bin/file_check.cgi"' -parameters query=http.req.url+".html"
set policy httpCallout Call_php -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")' -urlStemExpr '"/cgi-bin/file_check.cgi"' -parameters query=http.req.url+".php"
add policy patset pat1
bind policy patset pat1 .html
bind policy patset pat1 .php
bind policy patset pat1 .asp
bind policy patset pat1 .cgi
Add rewrite action act1 insert_after 'HTTP.REQ.URL.PATH' '".html"'
Add rewrite action act2 insert_after "HTTP.REQ.URL.PATH" '".php"'
Add rewrite policy pol1 '!HTTP.REQ.URL.CONTAINS_ANY("pat1") && SYS.HTTP_CALLOUT(Call_html)' act1
Add rewrite policy pol2 '!HTTP.REQ.URL.CONTAINS_ANY("pat1") && SYS.HTTP_CALLOUT(Call_php)' act2
Bind rewrite global pol1 100 END
Bind rewrite global pol2 101 END
Tap into the power of AppExpert!
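The post does not show file_check.cgi, and its `query` argument is built from the client's URL, so the check has to stay inside the document root. The sketch below is an added example, not the author's script: `file_check`, `demo` and the directory layout are assumptions, and it returns the "True"/"False" body that the callout's ResultExpr looks for.

```python
import os
import tempfile
from urllib.parse import unquote


def file_check(docroot, query):
    """Return "True" only when query names a regular file inside docroot."""
    # HTTP.REQ.URL carries the query string too; only the path part names a file.
    # Decode the path as the web server would when it serves the file (assumption).
    path = unquote(query.split("?", 1)[0])
    if "\x00" in path:
        return "False"
    root = os.path.realpath(docroot)
    # realpath resolves "..", duplicate slashes and symlinks before the comparison.
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return "False"  # resolved outside the document root
    return "True" if os.path.isfile(target) else "False"


def demo():
    """Build a constructed document root and run sample callout arguments through it."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        os.makedirs(os.path.join(docroot, "docs"))
        # secret.html sits next to the document root, not inside it.
        for name in ("htdocs/about.html", "htdocs/docs/guide.php", "secret.html"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("constructed sample\n")
        queries = [
            "/about.html",            # existing file
            "/docs/guide.php",        # existing file in a subdirectory
            "/missing.html",          # no such file
            "/docs",                  # a directory, not a file
            "/../secret.html",        # leaves the document root
            "/%2e%2e/secret.html",    # same path, percent-encoded
            "/about?x=1.html",        # extension appended after a query string
        ]
        return {q: file_check(docroot, q) for q in queries}


if __name__ == "__main__":
    for query, body in demo().items():
        print(f"{query:24} -> {body}")
```

The last sample shows a side effect of building the argument from `http.req.url`: when the request has a query string, the extension lands after it and the lookup fails.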
Blocking Inline Images
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
Assume you have under http://www.quux-corp.de/~quux/ some pages with inlined GIF graphics. These graphics are nice, so others directly incorporate them via hyperlinks to their pages. You don't like this practice because it adds useless traffic to your server.
Example : You can restrict the cases where the browser sends a HTTP Referer header.
Apache rewrite:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$
RewriteRule .*\.gif$ - [F]
AppExpert rewrite:
add policy patset pat1
bind policy patset pat1 .gif
bind policy patset pat1 .jpeg
add responder action act1 respondwith '"HTTP/1.1 403 Forbidden\r\n\r\n"'
add responder policy pol1 '!HTTP.REQ.HEADER("Referer").EQ("") && !HTTP.REQ.HEADER("Referer").STARTSWITH("http://www.quux-corp.de/~quux/")&&HTTP.REQ.URL.ENDSWITH_ANY("pat1")' act1
bind responder global pol1 100
Tap into the power of AppExpert!
Blocking Robots
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
You can block a really annoying robot from retrieving pages of a specific webarea. This way you can ease up the traffic at some directories.
Example: This could be done by using a rule set which forbids the URLs of the web area /~quux/foo/arc/. This could also be accomplished by matching the User-Agent HTTP header information. In this example, the IP addresses to be blocked are 123.45.67.8 and 123.45.67.9.
Apache rewrite:
RewriteCond %{HTTP_USER_AGENT} ^NameOfBadRobot.*
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
RewriteRule ^/~quux/foo/arc/.+ - [F]
AppExpert rewrite:
add responder action act1 respondwith '"HTTP/1.1 403 Forbidden\r\n\r\n"'
add responder policy pol1 'HTTP.REQ.HEADER("User-Agent").STARTSWITH("NameOfBadRobot")&&(CLIENT.IP.SRC.EQ(123.45.67.8)||CLIENT.IP.SRC.EQ(123.45.67.9)) && HTTP.REQ.URL.STARTSWITH("/~quux/foo/arc")' act1
bind responder global pol1 100
Tap into the power of AppExpert!
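A differential test for the two 403 rules (the robot rule in this post and the hotlink rule in "Blocking Inline Images"), added here as an example and not part of the original posts: each Apache rule set and its responder expression is modelled as a predicate and run over the same constructed requests, and every request on which the two sides disagree is reported. The request tuples, the sample addresses and the function names are assumptions of this sketch.

```python
import re
from collections import namedtuple

# Constructed requests; referer="" models a missing or empty Referer header.
Req = namedtuple("Req", "path src_ip user_agent referer")
UA, BOT = "Mozilla/4.0", "NameOfBadRobot/1.0"
SAMPLES = [
    Req("/~quux/logo.gif", "198.51.100.7", UA, ""),
    Req("/~quux/logo.gif", "198.51.100.7", UA, "http://www.quux-corp.de/~quux/index.html"),
    Req("/~quux/logo.gif", "198.51.100.7", UA, "http://other.example/page.html"),
    Req("/~quux/photo.jpeg", "198.51.100.7", UA, "http://other.example/page.html"),
    Req("/~quux/banner.gif", "198.51.100.7", UA, "http://wwwxquux-corp.de/~quux/x.html"),
    Req("/~quux/foo/arc/1.html", "123.45.67.8", BOT, ""),
    Req("/~quux/foo/arc/1.html", "123.45.67.9", BOT, ""),
    Req("/~quux/foo/arc/1.html", "123.45.67.10", BOT, ""),
    Req("/~quux/foo/arc/1.html", "123.45.67.8", UA, ""),
    Req("/~quux/foo/archive.html", "123.45.67.8", BOT, ""),
]


def matches(pattern, text):
    return re.search(pattern, text) is not None


# Apache side: the RewriteCond / RewriteRule patterns exactly as written.
def apache_hotlink(r):
    return (not matches(r"^$", r.referer)
            and not matches(r"^http://www.quux-corp.de/~quux/.*$", r.referer)
            and matches(r".*\.gif$", r.path))


def apache_robot(r):
    return (matches(r"^NameOfBadRobot.*", r.user_agent)
            and matches(r"^123\.45\.67\.[8-9]$", r.src_ip)
            and matches(r"^/~quux/foo/arc/.+", r.path))


# NetScaler side: the responder expressions as plain string operations.
def ns_hotlink(r):
    return (r.referer != ""
            and not r.referer.startswith("http://www.quux-corp.de/~quux/")
            and r.path.endswith((".gif", ".jpeg")))


def ns_robot(r, combine=any):
    # combine=any: either address matches; combine=all: both address tests ANDed.
    ip_hit = combine(r.src_ip == a for a in ("123.45.67.8", "123.45.67.9"))
    return (r.user_agent.startswith("NameOfBadRobot") and ip_hit
            and r.path.startswith("/~quux/foo/arc"))


def disagreements(apache_rule, ns_rule):
    """Requests that one side answers with 403 and the other lets through."""
    return [r for r in SAMPLES if apache_rule(r) != ns_rule(r)]


if __name__ == "__main__":
    for name, a, n in (("hotlink", apache_hotlink, ns_hotlink),
                       ("robot", apache_robot, ns_robot),
                       ("robot, IPs ANDed", apache_robot,
                        lambda r: ns_robot(r, combine=all))):
        for r in disagreements(a, n):
            print(f"{name}: apache={a(r)} netscaler={n(r)} {r}")
```

On these samples the hotlink expression is stricter than the Apache rules (it also covers .jpeg and compares the Referer prefix literally, while the Apache pattern's unescaped dots match any character), the robot expression also covers paths such as /~quux/foo/archive.html, and joining the two address tests with AND blocks nothing.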
Browser Dependent Content
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
At least for important top-level pages it is sometimes necessary to provide the optimum of browser dependent content, i.e. one has to provide a maximum version for the latest Netscape variants, a minimum version for the Lynx browsers and an average feature version for all others.
Example : We will act on the HTTP header "User-Agent". The following config does the following: If the HTTP header "User-Agent" begins with "Mozilla/3", the page foo.html is rewritten to foo.NS.html and the rewriting stops. If the browser is "Lynx" or "Mozilla" of version 1 or 2 the URL becomes foo.20.html. All other browsers receive page foo.32.html. This is done by the following rule set:
Apache rewrite:
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/3.*
RewriteRule ^foo\.html$ foo.NS.html [L]
RewriteCond %{HTTP_USER_AGENT} ^Lynx/.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/[12].*
RewriteRule ^foo\.html$ foo.20.html [L]
RewriteRule ^foo\.html$ foo.32.html [L]
AppExpert rewrite:
add policy patset pat1
bind policy patset pat1 Mozilla/1
bind policy patset pat1 Mozilla/2
bind policy patset pat1 Lynx
bind policy patset pat1 Mozilla/3
add rewrite action act1 insert_before 'HTTP.REQ.URL.SUFFIX' '"NS."'
add rewrite action act2 insert_before 'HTTP.REQ.URL.SUFFIX' '"20."'
add rewrite action act3 insert_before 'HTTP.REQ.URL.SUFFIX' '"32."'
add rewrite policy pol1 'HTTP.REQ.HEADER("User-Agent").STARTSWITH_INDEX("pat1").EQ(4)' act1
add rewrite policy pol2 'HTTP.REQ.HEADER("User-Agent").STARTSWITH_INDEX("pat1").BETWEEN(1,3)' act2
add rewrite policy pol3 '!HTTP.REQ.HEADER("User-Agent").STARTSWITH_ANY("pat1")' act3
bind rewrite global pol1 101 END
bind rewrite global pol2 102 END
bind rewrite global pol3 103 END
Tap into the power of AppExpert!
Old to New External URL Rewrite
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
Assume that you have recently renamed the page foo.html to bar.html and now want to provide the old URL for backward compatibility. But this time you want the users of the old URL to see the new one, i.e. their browser's Location field should change too.
Example: The following rules can force an HTTP redirect to the new URL, which leads to a change of the URL in the user's browser:
Apache rewrite:
RewriteEngine on
RewriteBase /~quux/
RewriteRule ^foo\.html$ bar.html [R]
AppExpert rewrite: (There are two ways to do this)
add responder action act1 redirect 'HTTP.REQ.URL.BEFORE_STR("foo.html")+"bar.html"' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.ENDSWITH("/~quux/foo.html")' act1
bind responder global pol1 100

add responder action act1 redirect 'HTTP.REQ.URL.PATH.BEFORE_STR("foo.html")+"bar.html"+HTTP.REQ.URL.AFTER_STR("foo.html")' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.PATH.CONTAINS("foo.html")' act1
bind responder global pol1 100
Tap into the power of AppExpert!
Old to New Internal URL Rewrite
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
Assume you have recently renamed the page foo.html to bar.html and now want to provide the old URL for backward compatibility. Actually you want users of the old URL to not recognize that the pages were renamed.
Example : Rewrite the old URL to the new one internally via the following rule, let the base directory be /~quux/.
Apache rewrite:
RewriteEngine on
RewriteBase /~quux/
RewriteRule ^foo\.html$ bar.html
AppExpert rewrite: (There are two ways to do this)
add rewrite action act1 replace 'HTTP.REQ.URL.AFTER_STR("/~quux").SUBSTR("foo.html")' '"bar.html"'
add rewrite policy pol1 'HTTP.REQ.URL.ENDSWITH("/~quux/foo.html")' act1
bind rewrite global pol1 100

Add rewrite action act1 replace 'HTTP.REQ.URL.PATH.SUFFIX(\'/\',0)' '"bar.html"'
Add rewrite policy pol1 'HTTP.REQ.URL.PATH.CONTAINS("foo.html")' act1
Bind rewrite global pol1 100
Tap into the power of AppExpert!
Time Dependent Rewriting
The Citrix NetScaler can be placed in front of a webserver farm that is running Apache. The same re-write rules that run on Apache, can be implemented on the Citrix NetScaler.
We can rewrite a URL based on time.
Example : Changing the request foo.html to foo.day.html or foo.night.html according to time.
Apache rewrite:
RewriteCond %{TIME_HOUR}%{TIME_MIN} >0700
RewriteCond %{TIME_HOUR}%{TIME_MIN} <1900
RewriteRule ^foo\.html$ foo.day.html [L]
RewriteRule ^foo\.html$ foo.night.html
AppExpert rewrite:
Add rewrite action act1 insert_before 'HTTP.REQ.URL.PATH.SUFFIX(\'.\',0)' '"day."'
Add rewrite action act2 insert_before 'HTTP.REQ.URL.PATH.SUFFIX(\'.\',0)' '"night."'
add rewrite policy pol1 'SYS.TIME.WITHIN(LOCAL 07h 00m,LOCAL 18h 59m)' act1
add rewrite policy pol2 'true' act2
bind rewrite global pol1 101
bind rewrite global pol2 102
Tap into the power of AppExpert!