


From what I can find with my googlefu, there will come a time in every netscaler... oh sorry, every Citrix ADC admin's future where they will have to finally break free from classic expressions in their ADC and implement advanced expressions instead.


Any info on Citrix ADC (Netscaler) version 13.0 and the way to convert old basic authentication to the supported advanced configuration in Citrix ADC 13.0, other than using the NSPEPI tool and hoping it works in the end? :-)


I have done some labs and some of the expressions work great to convert; others will require a little more thinking before executing. I would not recommend running the full conversion and saving without gaining insight into the specific configuration and needed changes. Basic auth expressions to next factor being one of the more obvious parts.


Any pitfalls you have fallen in, or other helpful tips to make the customers as happy as possible?

Any methodology to converting the configuration that you find works great for you?

Any other tips on what to look out for in 13.0?





It would be greatly appreciated as many of my customers will find the way to do this, and the task itself daunting. 



Happy load balancing. 




There were major enhancements done to nspepi in the latest You may want to give it a try.


From release notes.

The NSPEPI conversion tool has been enhanced to perform the following:

1. Convert Classic policy expressions to Advanced policy expressions.

2. Convert certain Classic policies and their entity bindings to Advanced policies and bindings.

3. Convert a few additional deprecated features to their corresponding non-deprecated features.

4. Log information in an improved manner.

For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/appexpert/policies-and-expressions/ns-pi-intro-pol-exp-wrapper-con/ns-pi-pe-to-pi-conversion-tool-wrapper-con.html

[# NSPOLICY-507]




  • 2 weeks later...

One thing that the edocs highlight is that if your setup relies on "policy priority interleaving", then you'll need a rethink.


(If you are not aware: priorities for classic policies are GLOBAL... thus a VPN policy bound to any bind point at Priority 50 always happens before a policy bound to any other at priority 100. This is NOT the case for default policies, which are strictly processed in the order glob o/ride, LBVS, CS, glob def.)

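The interleaving pitfall from the post above, as an added example that is not part of the original thread or of any Citrix tool: it lists the policy pairs whose relative evaluation order flips when bindings move from one global priority space to bind-point-first ordering. The bind point names, policy names and priorities are constructed for illustration; the bind point order is the one stated in the post.

```python
from itertools import combinations

# Bind point order for advanced (default) policies as stated in the post:
# global override, LB vserver, CS vserver, global default.
# The identifiers below are hypothetical labels for those four bind points.
ADVANCED_BIND_ORDER = ["global_override", "lb_vserver", "cs_vserver", "global_default"]


def classic_order(bindings):
    """Classic policies: one global priority space, bind point is ignored."""
    return [b["policy"] for b in sorted(bindings, key=lambda b: b["priority"])]


def advanced_order(bindings):
    """Advanced policies: bind point first, priority only within a bind point."""
    rank = {name: i for i, name in enumerate(ADVANCED_BIND_ORDER)}
    ordered = sorted(bindings, key=lambda b: (rank[b["bind_point"]], b["priority"]))
    return [b["policy"] for b in ordered]


def interleaving_conflicts(bindings):
    """Return (earlier, later) pairs from classic order that swap after conversion."""
    classic = classic_order(bindings)
    pos = {policy: i for i, policy in enumerate(advanced_order(bindings))}
    return [(a, b) for a, b in combinations(classic, 2) if pos[a] > pos[b]]


# Constructed sample bindings (assumes unique policy names and priorities).
SAMPLE_BINDINGS = [
    {"policy": "pol_block_legacy", "bind_point": "global_default", "priority": 50},
    {"policy": "pol_allow_app", "bind_point": "lb_vserver", "priority": 100},
    {"policy": "pol_audit", "bind_point": "cs_vserver", "priority": 80},
    {"policy": "pol_override", "bind_point": "global_override", "priority": 10},
]

if __name__ == "__main__":
    print("classic :", classic_order(SAMPLE_BINDINGS))
    print("advanced:", advanced_order(SAMPLE_BINDINGS))
    for earlier, later in interleaving_conflicts(SAMPLE_BINDINGS):
        print(f"order flips: {earlier} ran before {later} under classic priorities")
```

An empty result means the bindings do not depend on interleaving; any reported pair is a place where a restrictive policy may now be evaluated after a permissive one and needs to be reviewed by hand.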

  • 4 weeks later...
On 4/5/2019 at 4:36 PM, Seth Lindholm said:

Any pitfalls you have fallen in, or other helpful tips to make the customers as happy as possible?



If you have loads of nFactor configurations and upgrade to 13.0, they will not show up in the new graphical window display and you can't use your AAA. You will have to redo your nFactor designs as it all works off Policy Labels now and a different naming convention. It now starts with a top Policy Label which is the "Root" label and that name is appended to the lower nFactors labels.


You will only see the new naming conversion of the policies in the ns.conf, not in the GUI

ns.conf file


policylabel 1st_FA__root -loginSchema UP_LSCHEMA_AD_Username_Only

policylabel 2ndFA_auth__1st_FA -loginSchema LSCHEMA_INT

policylabel 3rd_level__1st_FA -loginSchema LSCHEMA_INT


policylabel 1st_FA__root -policyName Auth_Username_Only_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor 2ndPol_check__1st_FA


policylabel 2ndPol_check__1st_FA -policyName Auth_LDAP_noAuth_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor 2ndFA_auth__1st_FA


policylabel 2ndFA_auth__1st_FA -policyName Auth-LDAPS-pol -priority 100 -gotoPriorityExpression NEXT -nextFactor 3rd_level__1st_FA


policylabel 3rd_level__1st_FA -policyName Auth-LDAPS-pol -priority 100 -gotoPriorityExpression END



Citrix might bring out a tool to convert pre-13 nFactor configs to the new format..... who knows
