Help converting classic policies to advanced.


I'm trying to convert the following policy:

ns_true && (REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS) && (REQ.SSL.CLIENT.CERT.SUBJECT CONTAINS 'OU=ABC Corp' || REQ.SSL.CLIENT.CERT.SUBJECT CONTAINS OU=Bob) && REQ.SSL.CLIENT.CERT.SUBJECT CONTAINS C=BobA

Using nspepi to convert the pieces of the policy statement I arrived at:

TRUE && (HTTP.REQ.HEADER("User-Agent").SET_TEXT_MODE(IGNORECASE).CONTAINS("CitrixReceiver").NOT && HTTP.REQ.HEADER("Referer").EXISTS) && (CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("OU=ABC Corp") || CLIENT.SSL.CLIENT_CERT.SUBJECT.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"OU=Bob") && CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("C=BobA"))

The expression evaluator gives the error "Invalid expression [SSL/SSLVPN expression %26 CLIENT.SSL.CLIENT_CERT]" on this statement. Doing some research, it seems that this error is given for the statement "... (CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("OU=ABC Corp")..." (as well as the other statements used to verify the certificate).

Is it no longer possible to check the presented certificate's Subject in a policy?


1 hour ago, Sam Snyder1709163558 said:

TRUE && (HTTP.REQ.HEADER("User-Agent").SET_TEXT_MODE(IGNORECASE).CONTAINS("CitrixReceiver").NOT && HTTP.REQ.HEADER("Referer").EXISTS) && (CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("OU=ABC Corp") || CLIENT.SSL.CLIENT_CERT.SUBJECT.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"OU=Bob") && CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("C=BobA"))

The expression evaluator gives the error "Invalid expression [SSL/SSLVPN expression %26 CLIENT.SSL.CLIENT_CERT]" on this statement. Doing some research, it seems that this error is given for the statement "... (CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("OU=ABC Corp")..." (as well as the other statements used to verify the certificate).

Is it no longer possible to check the presented certificate's Subject in a policy?

There's an extra \ in (\"OU=Bob") that is not necessary if you're configuring from the GUI.

As for the expression evaluator error, I think it doesn't support evaluating SSL expressions like the client cert.

And I'm wondering why you have the initial "TRUE" at the beginning of the expression; in theory it's not doing anything.

Hope it helps.
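Added example, not from either poster: the classic expression groups the certificate check as (OU match) && (C match), while the converted expression closes the parenthesis after CONTAINS("C=BobA"), giving OU-A || (OU-B && C). The model below assumes, as in NetScaler advanced policy syntax, that && binds tighter than ||, and follows the case handling nspepi emitted (quoted 'OU=ABC Corp' case-sensitive, unquoted operands case-insensitive); it uses a constructed request to show the two groupings disagree.

```python
# Models both groupings of the thread's policy; Request and the sample
# values are constructed for this example (hypothetical, not real traffic).
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    user_agent: str
    referer: Optional[str]
    cert_subject: str


def header_checks(r: Request) -> bool:
    # User-Agent NOTCONTAINS CitrixReceiver (unquoted -> IGNORECASE per nspepi)
    # && Referer EXISTS
    return "citrixreceiver" not in r.user_agent.lower() and r.referer is not None


def ou_abc(r: Request) -> bool:
    return "OU=ABC Corp" in r.cert_subject          # quoted -> case-sensitive


def ou_bob(r: Request) -> bool:
    return "ou=bob" in r.cert_subject.lower()        # unquoted -> IGNORECASE


def country(r: Request) -> bool:
    return "C=BobA" in r.cert_subject


def classic_policy(r: Request) -> bool:
    # Classic grouping: (ou_abc || ou_bob) && country
    return header_checks(r) and (ou_abc(r) or ou_bob(r)) and country(r)


def converted_policy(r: Request) -> bool:
    # Converted grouping: ou_abc || (ou_bob && country)
    return header_checks(r) and (ou_abc(r) or (ou_bob(r) and country(r)))


# Constructed sample: acceptable headers, right OU, but a different C.
SAMPLE = Request(
    user_agent="Mozilla/5.0",
    referer="https://gateway.example/",
    cert_subject="CN=user1,OU=ABC Corp,C=XX",
)


def drift(r: Request = SAMPLE) -> Tuple[bool, bool]:
    # (classic verdict, converted verdict); differ for SAMPLE
    return classic_policy(r), converted_policy(r)
```

Run drift() on a batch of real subjects before cutting over; any request where the two verdicts differ is one the converted policy would treat differently from the classic one.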
