
Hi 

 

From what I can find with my googlefu, there will come a time in every netscaler... oh sorry, every Citrix ADC admin's future where they will have to finally break free from classic expressions in their ADC and implement advanced expressions instead. 

 

Any info on Citrix ADC (Netscaler) version 13.0 and the way to convert old basic authentication to the supported advanced configuration in Citrix ADC 13.0 more than use NSPEPI tool and hope it works in the end? :-) 

 

I have done some labs and some of the expressions work great to convert, others will require a little more thinking before executing. I would not recommend running the full conversion and saving without gaining insight into the specific configuration and needed changes. Basic auth expressions to next factor being one of the more obvious parts.

 

Any pitfalls you have fallen in, or other helpful tips to make the customers as happy as possible?

Any methodology to converting the configuration that you find works great for you?

Any other tips on what to look out for in 13.0?

 

https://support.citrix.com/article/CTX131024 

https://support.citrix.com/article/CTX234821

 

It would be greatly appreciated as many of my customers will find the way to do this, and the task itself daunting. 

 

 

Happy load balancing. 


Hi, 

 

There were major enhancements done to nspepi in the latest 12.1.51.19. You may want to give it a try. 

 

From release notes.

The NSPEPI conversion tool has been enhanced to perform the following:

1. Convert Classic policy expressions to Advanced policy expressions.

2. Convert certain Classic policies and their entity bindings to Advanced policies and bindings.

3. Convert a few additional deprecated features to their corresponding non-deprecated features.

4. Log information in an improved manner.

For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/appexpert/policies-and-expressions/ns-pi-intro-pol-exp-wrapper-con/ns-pi-pe-to-pi-conversion-tool-wrapper-con.html

[# NSPOLICY-507]

 

Val 


  • 2 weeks later...

One thing that the edocs highlight is that if your setup relies on "policy priority interleaving", then you'll need a rethink.

 

(If you are not aware: priorities for classic policies are GLOBAL.... thus a VPN policy bound to any bind point at Priority 50 always happens before a policy bound to any other at priority 100. This is NOT the case for default policies, which are strictly processed in the order glob o/ride, LBVS, CS, glob def..)

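The ordering difference described in the post above, as an added example that is not part of the original thread: a small Python model that lists the policy pairs whose relative evaluation order flips when bindings move from global classic priorities to per-bind-point advanced ordering. The bind-point labels, policy names and sample bindings are constructed for illustration, the bind-point order is the one given in the post, and only evaluation order is modelled (not goto expressions or policy actions).

```python
# Bind-point order for advanced (default) policies as stated in the post:
# global override, LB vserver, CS vserver, global default.
# The label strings themselves are hypothetical, not ns.conf keywords.
BIND_POINT_ORDER = ["global_override", "lb_vserver", "cs_vserver", "global_default"]

# Constructed sample bindings: (policy name, bind point, priority).
SAMPLE_BINDINGS = [
    ("pol_vs_50", "lb_vserver", 50),
    ("pol_glob_100", "global_override", 100),
    ("pol_cs_75", "cs_vserver", 75),
    ("pol_def_10", "global_default", 10),
]


def classic_order(bindings):
    """Classic model: priorities are global, the bind point is ignored."""
    return [name for name, _, _ in sorted(bindings, key=lambda b: b[2])]


def advanced_order(bindings):
    """Advanced model: bind point first, priority only within a bind point."""
    ranked = sorted(bindings, key=lambda b: (BIND_POINT_ORDER.index(b[1]), b[2]))
    return [name for name, _, _ in ranked]


def interleaving_conflicts(bindings):
    """Pairs (earlier, later) in classic order that swap places after conversion."""
    classic = classic_order(bindings)
    position = {name: i for i, name in enumerate(advanced_order(bindings))}
    return [
        (first, second)
        for i, first in enumerate(classic)
        for second in classic[i + 1:]
        if position[first] > position[second]
    ]


if __name__ == "__main__":
    print("classic :", classic_order(SAMPLE_BINDINGS))
    print("advanced:", advanced_order(SAMPLE_BINDINGS))
    for first, second in interleaving_conflicts(SAMPLE_BINDINGS):
        print(f"order flips: {first} ran before {second} under classic priorities")
```

An empty result from `interleaving_conflicts` means the priorities already follow the bind-point order, so the conversion does not change which policy is considered first.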

  • 4 weeks later...
On 4/5/2019 at 4:36 PM, Seth Lindholm said:

Any pitfalls you have fallen in, or other helpful tips to make the customers as happy as possible?

 

 

If you have loads of nFactor configurations and upgrade to 13.0, they will not show up in the new graphical window display and you can't use your AAA. You will have to redo your nFactor designs as it all works off Policy Labels now and a different naming convention. It now starts with a top Policy Label which is the "Root" label and that name is appended to the lower nFactors labels.

e.g.

You will only see the new naming conversion of the policies in the ns.conf, not in the GUI

ns.conf file

 

policylabel 1st_FA__root -loginSchema UP_LSCHEMA_AD_Username_Only

policylabel 2ndFA_auth__1st_FA -loginSchema LSCHEMA_INT

policylabel 3rd_level__1st_FA -loginSchema LSCHEMA_INT

 

policylabel 1st_FA__root -policyName Auth_Username_Only_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor 2ndPol_check__1st_FA

 

policylabel 2ndPol_check__1st_FA -policyName Auth_LDAP_noAuth_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor 2ndFA_auth__1st_FA

 

policylabel 2ndFA_auth__1st_FA -policyName Auth-LDAPS-pol -priority 100 -gotoPriorityExpression NEXT -nextFactor 3rd_level__1st_FA

 

policylabel 3rd_level__1st_FA -policyName Auth-LDAPS-pol -priority 100 -gotoPriorityExpression END

 

 

Citrix might bring out a tool to convert pre-13 nFactor configs to the new format..... who knows
