This procedure describes how to create a profile that uses PI expressions (a PI profile) using the Citrix NetScaler Configuration Utility (the GUI) and put it into effect.
Summary
This article contains a procedure that explains in detail how to create a profile in the Citrix NetScaler Configuration Utility, the GUI-based interface for configuring the Citrix NetScaler Application Switch. It describes each step you must take to access the GUI, navigate to the appropriate places in it, and create a new policy there. Because PI expressions are complex, many users who are not already familiar with them will find the GUI-based tools for policy creation much easier to use than the alternative command line interface (the CLI).
To create a policy with PI expressions using the configuration utility:
- Log on to the configuration utility, using either the Java client or the Web Start client.
For more information on how to do this, see the Citrix NetScaler Getting Started Guide.
- In the Menu tree, open the appropriate Policies screen for the type of policy you want to create.
- To create a DNS policy, expand the DNS menu and click Policies, as shown below.

- To create a Rewrite policy, expand the Rewrite menu and click Policies, as shown below.

The page may be blank if you have not yet created the first policy of this type, or may contain a list of one or more policies.
- In the lower left-hand corner of the data area, click the Add... button.
The Create Policy dialog box for your type of policy is displayed. The screenshot below shows the Create Rewrite Policy dialog box. The Create DNS Policy dialog box is similar.

- In the Name* text box, type a name for your new policy.
The name can begin with a letter or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen, period, pound (#), space, and underscore symbols. You should choose a name that will make it easy for others to tell what type of content this policy was created to detect.
- Click the down arrow to the right of the Action list box, and click the name of an action to associate with this policy.
A list of all existing actions for the type of policy you are creating is included in the Action list box. If you have not yet defined any actions for this policy type, the list box contains only the default actions. If you have not yet created the appropriate action, you can click the New... button and create a new action.
- Construct an expression that describes the type of web connections you want this policy to match.
- Click the Add... button to display the Add Expression dialog box, shown below.

- If the expression type you want does not begin with HTTP, click the down arrow beside that list box and choose the expression element you do want.
Your choices are:
- HTTP. Operate on HTTP connection data.
- SYS. Operate on system-related functions.
- CLIENT. Operate on client data.
- SERVER. Operate on server data.
- URL. Operate on the URL portion of an HTTP request.
- TEXT. Operate on any text string.
- TARGET. Operate on the target of an HTTP request.
- VPN. Operate on VPN data.
For a complete explanation of each choice, see the NetScaler Expressions Reference.
After you choose the first expression element for your expression, the Add Expression dialog box refreshes, and immediately to the right of the first list box displays another list box or text box appropriate to the choice you just made. For example, if you choose SYS as your first expression element, the Add Expression dialog box appears as shown below.

- Move to the next list box to the right, click the down arrow, and choose your next expression element.
Your choices depend upon your previous choice. If, for example, you chose SYS as your previous expression element, your choices are TIME and EVAL_CLASSIC_EXPR(). For the choices available for other initial expression elements, see the NetScaler Expressions Reference.
After you choose your second expression element, the dialog box refreshes again and provides the appropriate list box or text box to prompt you to enter the next expression element. The Help section also displays context-sensitive help for that particular expression element that explains its function and the type of response the expression will produce. The Preview section shows a preview of the expression as it currently is configured. For example, if you choose TIME as your second expression element, the Add Expression dialog box appears as shown below.

- Repeat the previous step to add the other expression elements you need to create your PI expression.
A simple expression might contain only a few elements. For example, if you want a policy that determines whether the current system time hour is between midnight and one AM, your next choices will be HOURS, then BETWEEN(time, time). If you choose that value, the Add Expression dialog box will appear as shown below.
NOTE: The SYS.TIME.HOURS portion of the expression appears off-screen to the left to allow room for the Lower and Upper text boxes. A scrollbar appears at the bottom of the expression construction area to allow you to scroll to any part of the expression. This will happen at any point that the expression you have created is too large for the expression construction area.
You will then need to enter the appropriate values for the earliest (lower) and later (upper) hour in the range in the text boxes. For example, if you want to determine whether the current hour is between midnight and one AM, you would enter the number 0 in the Lower text box, and 1 in the Upper text box.
For complete information on the classes, constructors, methods, and operators available for use in PI expressions, see the NetScaler Expressions Reference.
- When you are finished constructing your PI expression, click the OK button to add the expression to the Expression list in the Create Policy dialog box.
- Repeat steps B through E to add additional expressions to the Expressions list.
- When you have finished adding expressions, click the Close button to close the Add Expression dialog box and return to the Create Policy dialog box.
- Click the Create button to create your new policy.
Your new policy is created and appears in the Policies page list.
- Repeat steps 4 through 7 to create any additional policies you want.
- Click the Close button to close the Create Policy dialog box and return to the Policies screen.
- Click the Global Bindings... button to display the Bind/Unbind Firewall Policy(s) to Global dialog box.
The Bind/Unbind Firewall Policy(s) to Global dialog box is shown below. Other Bind/Unbind Policy(s) to Global dialog boxes are similar.
The Bind/Unbind Policy(s) to Global dialog boxes display all policies of their type that have been created on your Application Switch. Policies that have not been globally bound appear in the Available column to the left. Policies that have been globally bound appear in the Configured column to the right.
- In the Available list, click the entry for the first policy you just created.
- Click the Add > button to transfer that policy from the Available list to the Configured list.
This globally binds the policy and puts it into effect.
- Double-click the Priority column to edit the priority, and replace the default setting of zero (0) with an integer that represents the priority of this policy.
In the NetScaler OS, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is performed first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. All features except the Rewrite feature on the Application Switch implement only the first policy that a connection matches, not any additional policies that it might also match. The Rewrite feature can implement multiple policies, but implements them in order of priority. Policy priority is therefore important to get the results you intended.
You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the order you want, by setting priorities with intervals of 50 (or, better, 100) between each policy when you globally bind your policies. If you do this, you can add additional policies at any time without having to reassign the priority of an existing policy. You simply look at the priorities assigned to the preceding and following policies, and assign the new policy a priority between those two numbers.
- If you want to globally bind your policy, but temporarily keep it inactive, uncheck the checkbox in the State column.
When you globally bind a policy, by default it is enabled and goes immediately into effect. In some cases, you might want to have a policy reviewed before you put it into effect, but want to be able to enable it quickly. Setting its State to unchecked, or DISABLED, allows you to do this.
- Repeat steps 11 through 14 for each policy you created to globally bind all of them.
- Click the OK button to save your changes.
The Bind/Unbind Firewall Policy(s) to Global dialog box closes, and you return to the Policies page. In the Policies list in the data area, the Globally Bound? column now reads "Yes" for each policy you globally bound. Your policies have been put into effect.
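The priority and State rules described in the binding steps can be checked offline before you bind anything. The following Python sketch is an added example, not Citrix code: it models global bindings as the text describes them (lowest priority number first, first match wins for every feature except Rewrite, unchecked State means skipped) and reports which matching policies would never run. The `Binding` class, the function names, the policy names, and the inclusive reading of `BETWEEN(0, 1)` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Binding:
    name: str
    priority: int                      # lower number is evaluated earlier
    matches: Callable[[Dict], bool]    # stand-in for the policy's PI expression
    enabled: bool = True               # the State checkbox in the bind dialog

def _ordered(bindings: List[Binding]) -> List[Binding]:
    return sorted(bindings, key=lambda b: b.priority)

def evaluate(bindings, ctx, feature):
    """Names of the policies that take effect for ctx, in evaluation order."""
    applied = []
    for b in _ordered(bindings):
        if b.enabled and b.matches(ctx):
            applied.append(b.name)
            if feature != "rewrite":   # every other feature stops at the first match
                break
    return applied

def shadowed(bindings, ctx, feature):
    """Enabled policies that match ctx but never run because of ordering."""
    applied = set(evaluate(bindings, ctx, feature))
    return [b.name for b in _ordered(bindings)
            if b.enabled and b.matches(ctx) and b.name not in applied]

def priority_between(bindings, before, after):
    """A priority that slots a new policy between two bound ones, or None if no gap."""
    prio = {b.name: b.priority for b in bindings}
    lo, hi = prio[before], prio[after]
    return (lo + hi) // 2 if hi - lo > 1 else None

# Constructed sample bindings using the page's example priorities 10, 100 and 1000.
SAMPLE = [
    Binding("catch_all", 100, lambda c: True),
    # Models SYS.TIME.HOURS.BETWEEN(0, 1); inclusive bounds are an assumption.
    Binding("night_only", 10, lambda c: 0 <= c["hour"] <= 1),
    Binding("under_review", 50, lambda c: True, enabled=False),  # bound but disabled
    Binding("late_rule", 1000, lambda c: True),
]

if __name__ == "__main__":
    for hour in (0, 12):
        ctx = {"hour": hour}
        print(hour, "dns:", evaluate(SAMPLE, ctx, "dns"),
              "shadowed:", shadowed(SAMPLE, ctx, "dns"),
              "rewrite:", evaluate(SAMPLE, ctx, "rewrite"))
```

A non-empty `shadowed` result for a first-match feature means a policy you bound for that traffic is being pre-empted by an earlier one and needs a lower priority number to take effect.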