
Vserver setup as ANY using listen policy for tcp and udp ports


I have a vserver set up as ANY protocol with * for the ports allowed.

I have a listen policy written as:

CLIENT.IP.PROTOCOL.EQ(TCP) && CLIENT.TCP.DSTPORT.EQ(2369) || CLIENT.TCP.DSTPORT.BETWEEN(9011,9012) || CLIENT.TCP.DSTPORT.EQ(1857) || CLIENT.TCP.DSTPORT.EQ(135) || CLIENT.TCP.DSTPORT.BETWEEN(8020,8025) || CLIENT.IP.PROTOCOL.EQ(UDP) && CLIENT.UDP.DSTPORT.EQ(443)

This application does a 443 handshake via UDP, and it does not work with the above expression.

This will work if I create another vserver that is set up for protocol UDP allowing any port, but this particular application would require a total of 52 VIPs if I did it that way, so I'm hoping there is a way to write the expression to accept only these specific TCP and UDP ports. Thanks,


Hi Jonathan,

A vserver of type ANY with wildcard port and Listen policy will in fact listen only on those ports as specified in the policy. You can verify this with e.g. an nmap scan to the VIP. However, since you mention you're trying to support a TLS handshake over UDP/443, this would imply the use of DTLS, and as such the vserver needs the certificate to be able to offload the TLS traffic. To do this would require a different type of vserver, as the ANY type does not allow for binding a certificate. When using a Content Switch you would need to create one of type SSL with the DTLS option turned on. For a Load Balancing vserver you can create one of type DTLS.

I hope this helps.

Cheers,

G.


Thanks Gunther,

I was able to create another vserver of type UDP, with the listen policy specifying udp/443 only. I did not bind a cert to this vserver.

This worked OK. This leads me to think that a vserver of type ANY should work with the correct regex. I received this suggestion from Citrix support, but it didn't work. Thanks again for your reply,

(CLIENT.IP.PROTOCOL.EQ(TCP) && (CLIENT.TCP.DSTPORT.EQ(2369) || CLIENT.TCP.DSTPORT.BETWEEN(9011,9012) || CLIENT.TCP.DSTPORT.EQ(1857) || CLIENT.TCP.DSTPORT.EQ(135) || CLIENT.TCP.DSTPORT.BETWEEN(8020,8025))) || (CLIENT.IP.PROTOCOL.EQ(UDP) && (CLIENT.UDP.DSTPORT.EQ(443)))


I would try using pattern sets to keep the expression simpler:

add policy patset patSet_tcpPorts
bind policy patset patSet_tcpPorts "2369"
bind policy patset patSet_tcpPorts "9011"
bind policy patset patSet_tcpPorts "9012"

add policy patset patSet_udpPorts
bind policy patset patSet_udpPorts "443"

add lb vserver myServer ANY 1.2.3.4 * -Listenpolicy...
  or
set lb vserver myServer -Listenpolicy "( CLIENT.IP.PROTOCOL.EQ(TCP) && CLIENT.TCP.DSTPORT.TYPECAST_TEXT_T.EQUALS_ANY(\"patSet_tcpPorts\") ) || ( CLIENT.IP.PROTOCOL.EQ(UDP) && CLIENT.UDP.DSTPORT.TYPECAST_TEXT_T.EQUALS_ANY(\"patSet_udpPorts\") )" -Listenpriority 10



Hi Jonathan,

The updated expression just makes it so that the protocol check is applicable for all ports. In fact, I don't believe you need such a check in the expression, as the protocol is implicit when using CLIENT.TCP or CLIENT.UDP anyway.

Unfortunately I don't really have anything on hand that does udp/443 with a TLS handshake to test your configuration, but I can follow your reasoning that in theory it should work with an ANY type vserver. However, it will be tricky to troubleshoot. A network trace would be most interesting here, but maybe you could also do some checking with some clever policies using similar expressions (e.g. CLIENT.UDP.DSTPORT) and a logaction attached to them. You could then check in the logging whether the policy hits, and optionally you can also provide more custom info in your logaction.

Last but not least, while not really in the scope of your question, Martin's feedback regarding using a pattern set to 'simplify' the expression might be a good idea, especially if you need to add even more ports later on. You could even do it with one single stringmap instead of 2 pattern sets, but that's even more beyond the scope of your post, so I won't elaborate further here.
