Rick Davis

Rick Davis's Achievements

  1. I do not see any problems in your PS code. The details in the error message suggest a listing problem in the payload. For example, I can get the same 1600 error when using properly formatted, but an incorrect, json payload list. In this case, sets can be fetched in list [] form but cannot be submitted in list form. For example, this worked:

     ```
     POST /mgmt/api/nextgen/v1/filters/value_sets/val_set

     {
       "value_set": {
         "name": "val_set",
         "type": "ipv4",
         "values": [
           "192.168.11.11",
           "192.168.11.12",
           "192.168.11.13",
           "192.168.11.14"
         ]
       }
     }
     ```

     But submitting this payload did not work, resulting in the Error:

     ```json
     {
       "errorcode": 1600,
       "errormessage": "Internal Server Error",
       "details": []
     }
     ```

     Please know, this is the example returned when fetching value sets.

     ```json
     {
       "value_set": [
         {
           "name": "val_set",
           "type": "ipv4",
           "values": [
             "192.168.11.11",
             "192.168.11.12",
             "192.168.11.13",
             "192.168.11.14"
           ]
         }
       ]
     }
     ```

     I also get the same error when using "value_sets" in the payload rather than the required "value_set". The more I test, the more I'm coming to the conclusion the 1600 is being returned due to a payload problem. Not a formatting problem, but incorrect labels or values.
  2. Can you post your code or the API call you are sending and the code version you are using? You can find a description for all error codes under the API Specification here: https://developer-docs.netscaler.com/en-us/nextgen-api/apis/#/Authentication/Login
  3. It did not work for me when specifying the CT and Accept headers only in the json body.

     "We only support requests in JSON format"
     Error code 1500 = missing Content-Type: application/json

     "We only support sending responses in JSON format"
     Error code 1300 = missing Accept: application/json
  4. Will this working example get you on track?

     Client: 192.168.200.1
     Server: 192.168.200.2:8080 (ws: /Path2)
     cs_VIP: 192.168.200.231:80

     In this content switching example, requests for /Path1/.. are sent to a designated non-addressable vserver called ws_vserver.

     The client connects to the Content Switching VIP on port 80.
     URL Translation removes /Path1 from the URI and NetScaler forwards the request to the server on port 8080.
     The Server sees the established websocket connection and test echo messages are working.

     ```
     # Add the URL-Transform
     add transform profile ws_URL-T
     add transform action ws_url_transform ws_URL-T 1
     set transform action ws_url_transform -priority 1 -reqUrlFrom "/Path1/(.*)" -reqUrlInto "/$1"
     add transform policy ws_url-t TRUE ws_URL-T

     # HTTP profile with WebSocket enabled (must exist before the vservers below reference it)
     add ns httpProfile nshttp_ws_profile -webSocket ENABLED

     # Setup the non-addressable vserver (and transform the URL)
     add service ws_service 192.168.200.2 HTTP 8080
     add lb vserver ws_vserver HTTP 0.0.0.0 0 -persistenceType NONE -httpProfileName nshttp_ws_profile
     bind lb vserver ws_vserver ws_service
     bind lb vserver ws_vserver -policyName ws_url-t -priority 100 -gotoPriorityExpression END -type REQUEST

     # Setup the Content Switch (and look for /Path1/..)
     add cs vserver ws_cs HTTP 192.168.200.231 80 -httpProfileName nshttp_ws_profile -persistenceType NONE
     add cs action ws_path1 -targetLBVserver ws_vserver
     add cs policy ws_path1_path2 -rule q{HTTP.REQ.URL.PATH.GET(1).SET_TEXT_MODE(IGNORECASE).EQ("Path1")} -action ws_path1
     bind cs vserver ws_cs -policyName ws_path1_path2 -priority 100
     ```

     URL-T is meant to handle several transform actions. The one I used here is the minimum for the websocket connection. Adding the one I listed previously might be needed to address any links the server is issuing. It also might need to be tweaked further for your specific needs.
  5. Add the Content-Type and Accept headers:

     ```
     POST http://NetScaler/mgmt/api/nextgen/v1/login
     Content-Type: application/json
     Accept: application/json

     {
       "login": {
         "username": "user1",
         "password": "verysecret"
       }
     }
     ```

     Next-Gen API https://developer-docs.netscaler.com/en-us/nextgen-api/getting-started-guide.html
  6. The forward proxy feature is specifically for the filtering of encrypted traffic which is not destined for an endpoint on the NetScaler. The correct way to allow servers to communicate without SSL decrypted filtering is to use R-NAT.
  7. Signature objects do not update unless enabled for Signature Auto Update. https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/signatures/signature-auto-update.html
  8. CTX235401 states content switching supports websockets. Your wss failing may be related to SSL certificate warnings. Please verify that HTTP and HTTPS are both working correctly, first. You can also try ws:// for a clear text websocket test to rule out PKI related problems. After that, try secure (wss) websocket connection. Bind your HTTP profile (with websockets enabled) to the nonaddressable vserver too.
  9. ```
     -reqUrlFrom "http(s?)://any.url.host/Path1/(.*)"
     -reqUrlInto "http$1://192.168.123.5/$2"
     -resUrlFrom "http(s?)://192.168.123.5/(.*)"
     -resUrlInto "http$1://any.url.host/Path1/($2)"
     ```

     You will also need a responder to redirect from any.url.host/ to any.url.host/Path1/ since the application doesn't know about /Path1/
  10. Correct, the device is able to fragment when needed. In addition to the dropFrag parameter, the dropFragCpuThreshold is another global parameter defined in iptunnelparam to check. It temporarily disables fragmentation during configurable high CPU utilization levels. By default it is disabled, but if enabled it could certainly account for your situation. Please verify you are running the latest supportable code versions.
  11. You can use the AppExpert expression LOCATION.GET(1) to compare just the Country Code against a list of countries. Since country codes are only two characters, Regex would be a decent way to get your list of 30 into a single expression:

      ```
      CLIENT.IP.SRC.LOCATION.GET(1).SET_TEXT_MODE(ignorecase).REGEX_MATCH(re/US|CA|GB/).NOT
      ```

      Ref

      A Pattern Set makes large groups of conditions more organized, easier to read, and easier to update. This is the optimal solution, particularly when using longer Geo names or frequently making adds/moves/changes to the list, and particularly useful for delegating management of the list.

      ```
      add policy patset countrylist
      bind policy patset countrylist US
      bind policy patset countrylist CA
      bind policy patset countrylist GB
      # Inner quotes are escaped so the CLI keeps the whole expression as one quoted argument
      add responder policy DROP_non_Test_CUSTOMER "CLIENT.IP.SRC.LOCATION.GET(1).SET_TEXT_MODE(ignorecase).EQUALS_ANY(\"countrylist\").NOT" DROP
      ```

      Ref
  12. Instead of Regex, use inbuilt AppExpert expressions for this use case. In your example, we can use the space character (' ') as the separator for a list of words. Then we can choose the first or last word from the list. Here is your AppExpert expression:

      ```
      AAA.USER.ATTRIBUTE(7).TYPECAST_LIST_T(' ').GET_REVERSE(0)
      ```

      I used the NetScaler Expression Evaluator to make sure it returns the desired result:
  13. I was able to configure a Responder policy with an OPTIONS based AppExpert policy bound to a AAA vserver. Sample code below.

      Note: The AAA_REQUEST bind point is for responder policies which apply to all the incoming requests and are processed for the unauthenticated traffic first before any other AAA processing. ref: CTX477121

      ```
      > sho ver
      NetScaler NS14.1: Build 4.42.nc, Date: Jul 27 2023, 17:27:33 (64-bit)
      Done
      >
      > sho run | grep cors
      add responder action cors_test respondwith q{"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"}
      add responder policy cors_test "HTTP.REQ.METHOD.EQ(\"OPTIONS\")" cors_test
      bind authentication vserver rd_test_aaa -policy cors_test -priority 100 -gotoPriorityExpression END -type AAA_REQUEST
      >
      ```

      Here's a better example CORS responder action:

      ```
      add responder action cors_test respondwith q{"HTTP/1.1 204 No Content\r\nContent-Type: text/html\r\nDate: "+SYS.TIME.TYPECAST_TIME_AT+"\r\nAccess-Control-Allow-Methods: POST, GET, OPTIONS\r\n\r\n" }
      ```

      ```
      HTTP/1.1 204 No Content
      Content-Type: text/html
      Date: Fri, 26 Apr 2024 23:44:51 GMT
      Access-Control-Allow-Methods: POST, GET, OPTIONS
      ```
  14. You can use two policies on the same traffic using Goto Expressions. Your first policy can conduct the logging (using a goto expression of NEXT) and the second policy will perform the Drop. In this case, the order matters because a Drop action requires an END Goto expression. Be sure to remove your .NOT from the first policy since you want to log traffic which you intend to allow. example: Reference: Evaluation order within a policy bank
  15. Good stuff Nicola. Well documented. Please know your expression needs to use AND (&&) rather than OR (||) logic to function correctly. Manoj can test this and other AppExpert expressions with the Expression Evaluator found in the GUI > AppExpert > Expression Evaluator.

      ```
      HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT
      ```

      should be:

      ```
      HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT
      ```
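
Added example, not code from the posts or from NetScaler: a Python pre-flight check for the Next-Gen API pitfalls reported in posts 1, 3 and 5 above (list-form or mislabelled `value_set` bodies returning 1600, missing `Content-Type`/`Accept` headers returning 1500/1300). The function names and the rule set are assumptions built only from the behaviour those posts describe, not from the API specification.

```python
import json

# Rules taken from the behaviour reported in the posts, not from the API spec.
REQUIRED_HEADERS = {
    "content-type": 1500,  # missing -> "We only support requests in JSON format"
    "accept": 1300,        # missing -> "We only support sending responses in JSON format"
}


def check_headers(headers):
    """Return the error codes the posts associate with each missing header."""
    present = {name.lower() for name in headers}
    return [code for name, code in REQUIRED_HEADERS.items() if name not in present]


def check_value_set_body(body):
    """Return the payload problems the posts report as producing error 1600."""
    problems = []
    if "value_sets" in body:
        problems.append('top-level key must be "value_set", not "value_sets"')
    value_set = body.get("value_set")
    if isinstance(value_set, list):
        problems.append('"value_set" is a list (fetch form); submit a single object')
    elif not isinstance(value_set, dict):
        problems.append('"value_set" object is missing')
    return problems


def fetched_to_submittable(fetched):
    """Split a fetched {"value_set": [...]} response into one submit body per set."""
    return [{"value_set": item} for item in fetched.get("value_set", [])]


# Constructed sample in the list form the post shows as a fetch response.
FETCHED = json.loads("""
{"value_set": [{"name": "val_set", "type": "ipv4",
                "values": ["192.168.11.11", "192.168.11.12"]}]}
""")

if __name__ == "__main__":
    print(check_headers({"Accept": "application/json"}))  # Content-Type missing
    print(check_value_set_body(FETCHED))                   # fetch form is flagged
    for body in fetched_to_submittable(FETCHED):
        print(check_value_set_body(body), json.dumps(body))
```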