NetScaler Developer Network

How NetScaler Policies are Evaluated

This article describes the policy evaluation process for the Citrix NetScaler Access Gateway, Application Firewall, and Application Switch.

Summary

To write policies that do what you intend, you need to understand how policies are evaluated.

When the Application Switch receives traffic to or from any server it manages, it consults the appropriate list of globally-bound policies to determine how it should handle that traffic. Each policy on the list contains one or more expressions that together define the criteria that a connection must meet to match the policy. Policies are evaluated in order of priority, starting with the lowest number and proceeding through to the highest, until evaluation stops on one of the outcomes described below or all policies have been evaluated.

As the figures below indicate, evaluation of a policy can produce, not two, but three possible outcomes. The policy can evaluate as TRUE, which means that the connection matches that policy. In this case, the Application Switch performs the associated action. It can evaluate as FALSE, which means that the connection did not match the policy. In this case, the Application Switch proceeds to evaluate the next policy, or if there is no next policy, performs the default action.

Finally, it can evaluate as UNDEFINED, which means that there is an error in the policy expression itself. In this case, the Application Switch stops evaluating policies, and performs the UNDEFACTION, the action it is configured to perform when a policy expression is found to contain errors.

For all types of policy except Rewrite policies, when a connection matches a policy, the Application Switch ceases to evaluate any further policies, and performs the action associated with that policy.

[Figure: chart of the general policy evaluation process flow]

For Rewrite policies, the action associated with the policy is added to the list of actions to be performed, then policy evaluation continues until terminated or all policies have been evaluated.

[Figure: chart of the rewrite policy evaluation process flow]
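
The two evaluation flows described above, as a simplified Python model. This is an added example, not Citrix code: the policy priorities, expressions, action labels and connection fields are hypothetical, and an expression that raises stands in for one that evaluates as UNDEFINED. It shows why an erroneous expression at a low priority number keeps a later, stricter policy from ever being evaluated.

```python
from dataclasses import dataclass
from typing import Callable

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

@dataclass
class Policy:
    priority: int                        # lower number is evaluated first
    expression: Callable[[dict], bool]   # raising models an erroneous expression
    action: str                          # hypothetical action label

def outcome(policy, conn):
    """Map one expression evaluation onto the article's three outcomes."""
    try:
        return TRUE if policy.expression(conn) else FALSE
    except Exception:
        return UNDEFINED

def evaluate(policies, conn, default_action, undef_action, rewrite=False):
    """Return (actions, trace); rewrite=True collects every matching action."""
    actions, trace = [], []
    for p in sorted(policies, key=lambda p: p.priority):
        result = outcome(p, conn)
        trace.append((p.priority, result))
        if result == UNDEFINED:
            # Evaluation stops. Assumption of this model: the UNDEFACTION
            # replaces any rewrite actions collected so far.
            return [undef_action], trace
        if result == TRUE:
            actions.append(p.action)
            if not rewrite:
                return actions, trace    # first match ends evaluation
    return (actions or [default_action]), trace

# Constructed sample data: priorities, fields and actions are hypothetical.
POLICIES = [
    Policy(200, lambda c: c["path"].startswith("/admin"), "act_block_admin"),
    Policy(100, lambda c: "curl" in c["headers"]["User-Agent"], "act_log_curl"),
    Policy(300, lambda c: c["method"] == "POST", "act_reset_post"),
]
CONN = {"method": "POST", "path": "/admin/login",
        "headers": {"User-Agent": "Mozilla"}}
NO_UA = {"method": "POST", "path": "/admin/login", "headers": {}}  # KeyError at 100

if __name__ == "__main__":
    for label, conn, rw in [("first-match", CONN, False),
                            ("rewrite", CONN, True),
                            ("undefined", NO_UA, False)]:
        print(label, evaluate(POLICIES, conn, "DEFAULT", "UNDEFACTION", rw))
```

In the third case the trace ends at priority 100, so the policy at priority 200 is never reached and the outcome depends entirely on what the UNDEFACTION is configured to do.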
