
Rick Davis
Internal Members
  • Posts: 31
  • Days Won: 7

Everything posted by Rick Davis

  1. anytext is a literal. To allow any string in the first folder, you can use regex:

        http(s?)://servername.domain.com/.+?/(.*)

     This will work for the request (reqUrlFrom) processing but it will not work in the response (resUrlInto) processing. The resUrlFrom looks at server-supplied redirects and hardcoded links in the page in order to change them back into something the client will use (resUrlInto). This, and the ability to have more than one transform action, are what make URL-T powerful.
  2. To change https://servername.domain.com/anytext/anytext2 to https://servername.domain.com/anytext2 you will use the URL Transformation feature, which is bound as a Transform.

        add transform profile demo_urlt_profile
        add transform action demo_urlt_profile demo_urlt_profile 100
        set transform action demo_urlt_profile -priority 100 -reqUrlFrom "http(s?)://servername.domain.com/anytext/(.*)" -reqUrlInto "http$1://servername.domain.com/$2" -resUrlFrom "http(s?)://servername.domain.com/(.*)" -resUrlInto "http$1://servername.domain.com/anytext/$2"
        add transform policy demo_urlt_profile true demo_urlt_profile
        bind lb vserver <vserver> -policyName demo_urlt_profile
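     As an added illustration of posts 1 and 2 (example code, not from the original posts and not NetScaler code): a Python model of how the reqUrlFrom/reqUrlInto and resUrlFrom/resUrlInto pairs rewrite a URL with regex capture groups, and why a wildcard first folder works on the request side but leaves the response side with nothing to put back. The $n-to-\n conversion and the helper names are assumptions about a plain regex substitution, not a claim about NetScaler internals.

```python
import re

# Added example, not NetScaler code: models a URL Transform action as plain
# regex substitution. NetScaler writes back-references as $1, $2; Python's
# re.sub uses \1, \2, so the "into" pattern is converted first.

def ns_pattern_to_python(into):
    """Convert a NetScaler '$n' replacement string to Python's '\\n' form."""
    return re.sub(r"\$(\d+)", r"\\\1", into)

def transform(url, url_from, url_into):
    """Apply one From/Into pair; a URL that does not match is left unchanged."""
    return re.sub(url_from, ns_pattern_to_python(url_into), url, count=1)

# The literal action from post 2: /anytext/ is stripped on the way to the
# server and re-inserted in server-supplied redirects and hardcoded links.
LITERAL = {
    "req_from": r"http(s?)://servername.domain.com/anytext/(.*)",
    "req_into": "http$1://servername.domain.com/$2",
    "res_from": r"http(s?)://servername.domain.com/(.*)",
    "res_into": "http$1://servername.domain.com/anytext/$2",
}

# The wildcard first folder from post 1. It works for requests, but there is
# no capture group for the folder, so no resUrlInto can restore it later.
WILDCARD_REQ_FROM = r"http(s?)://servername.domain.com/.+?/(.*)"

def round_trip(client_url, action):
    """Return (URL the server sees, a server link rewritten back for the client)."""
    server_url = transform(client_url, action["req_from"], action["req_into"])
    client_link = transform(server_url, action["res_from"], action["res_into"])
    return server_url, client_link

if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    print(round_trip("https://servername.domain.com/anytext/app/index.html", LITERAL))
    # Wildcard: any first folder is removed on the request side ...
    print(transform("https://servername.domain.com/other/app/x",
                    WILDCARD_REQ_FROM, LITERAL["req_into"]))
    # ... but the response side can only ever re-insert a literal folder.
```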
  3. I do not see any problems in your PS code. The details in the error message suggest a listing problem in the payload. For example, I can get the same 1600 error when using a properly formatted, but incorrect, json payload list. In this case, sets can be fetched in list [] form but cannot be submitted in list form. For example, this worked:

        POST /mgmt/api/nextgen/v1/filters/value_sets/val_set
        {
          "value_set": {
            "name": "val_set",
            "type": "ipv4",
            "values": [ "192.168.11.11", "192.168.11.12", "192.168.11.13", "192.168.11.14" ]
          }
        }

     But submitting this payload did not work, resulting in the Error:

        { "errorcode": 1600, "errormessage": "Internal Server Error", "details": [] }

     Please know, this is the example returned when fetching value sets.

        {
          "value_set": [
            {
              "name": "val_set",
              "type": "ipv4",
              "values": [ "192.168.11.11", "192.168.11.12", "192.168.11.13", "192.168.11.14" ]
            }
          ]
        }

     I also get the same error when using "value_sets" in the payload rather than the required "value_set". The more I test, the more I'm coming to the conclusion the 1600 is being returned due to a payload problem. Not a formatting problem, but incorrect labels or values.
  4. Can you post your code or the API call you are sending and the code version you are using? You can find a description for all error codes under the API Specification here: https://developer-docs.netscaler.com/en-us/nextgen-api/apis/#/Authentication/Login
  5. It did not work for me when specifying the CT and Accept headers only in the json body.

        "We only support requests in JSON format"            Error code 1500 = missing Content-Type: application/json
        "We only support sending responses in JSON format"   Error code 1300 = missing Accept: application/json
  6. Will this working example get you on track?

        Client:  192.168.200.1
        Server:  192.168.200.2:8080 (ws: /Path2)
        cs_VIP:  192.168.200.231:80

     In this content switching example, requests for /Path1/.. are sent to a designated non-addressable vserver called ws_vserver.
       • The client connects to the Content Switching VIP on port 80
       • URL Translation removes /Path1 from the URI and NetScaler forwards the request to the server on port 8080
       • The server sees the established websocket connection and test echo messages are working.

        # Add the URL-Transform
        add transform profile ws_URL-T
        add transform action ws_url_transform ws_URL-T 1
        set transform action ws_url_transform -priority 1 -reqUrlFrom "/Path1/(.*)" -reqUrlInto "/$1"
        add transform policy ws_url-t TRUE ws_URL-T

        # HTTP profile with websockets enabled (must exist before the vservers below reference it)
        add ns httpProfile nshttp_ws_profile -webSocket ENABLED

        # Setup the non-addressable vserver (and transform the URL)
        add service ws_service 192.168.200.2 HTTP 8080
        add lb vserver ws_vserver HTTP 0.0.0.0 0 -persistenceType NONE -httpProfileName nshttp_ws_profile
        bind lb vserver ws_vserver ws_service
        bind lb vserver ws_vserver -policyName ws_url-t -priority 100 -gotoPriorityExpression END -type REQUEST

        # Setup the Content Switch (and look for /Path1/..)
        add cs vserver ws_cs HTTP 192.168.200.231 80 -httpProfileName nshttp_ws_profile -persistenceType NONE
        add cs action ws_path1 -targetLBVserver ws_vserver
        add cs policy ws_path1_path2 -rule q{HTTP.REQ.URL.PATH.GET(1).SET_TEXT_MODE(IGNORECASE).EQ("Path1")} -action ws_path1
        bind cs vserver ws_cs -policyName ws_path1_path2 -priority 100

     URL-T is meant to handle several transform actions. The one I used here is the minimum for the websocket connection. Adding the one I listed previously might be needed to address any links the server is issuing. It also might need to be tweaked further for your specific needs.
  7. Add the Content-Type and Accept headers:

        POST http://NetScaler/mgmt/api/nextgen/v1/login
        Content-Type: application/json
        Accept: application/json

        {
          "login": {
            "username": "user1",
            "password": "verysecret"
          }
        }

     Next-Gen API: https://developer-docs.netscaler.com/en-us/nextgen-api/getting-started-guide.html
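     As an added example for posts 3, 5 and 7 (written for this page, not code from the original posts or from NetScaler): a pre-flight check that runs over a Next-Gen API request before it is sent and reports the causes of the error codes those posts describe. The 1300 and 1500 header mappings are the ones quoted in post 5; treating a list-form or mis-keyed value_set as a 1600 cause follows the poster's own test findings in post 3 and is an assumption here, as are the function names.

```python
import json

# Added example, not NetScaler code. Header rules come from post 5; the 1600
# payload rules are the poster's findings in post 3 (assumption, not documented).
REQUIRED_HEADERS = {
    "Accept": ("application/json", 1300),        # "We only support sending responses in JSON format"
    "Content-Type": ("application/json", 1500),  # "We only support requests in JSON format"
}

def check_headers(headers):
    """Return [(code, message)] for each required header that is missing or wrong."""
    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    problems = []
    for name, (expected, code) in REQUIRED_HEADERS.items():
        media_type = lowered.get(name.lower(), "").split(";")[0].strip().lower()  # drop ";charset=..."
        if media_type != expected:
            problems.append((code, f"missing or wrong header {name}: {expected}"))
    return problems

def check_value_set_payload(payload):
    """Flag payload shapes the poster found return 1600 on POST .../filters/value_sets/<name>."""
    if "value_set" not in payload:
        return [(1600, f"top-level key must be 'value_set', got {sorted(payload)}")]
    body = payload["value_set"]
    if isinstance(body, list):
        # A GET returns value_set as a list, but a POST takes a single object.
        return [(1600, "value_set is a list; submit one object, not the fetched list form")]
    problems = [(1600, f"value_set missing '{key}'") for key in ("name", "type", "values") if key not in body]
    if not isinstance(body.get("values", []), list):
        problems.append((1600, "values must be a list"))
    return problems

def preflight(headers, raw_body):
    """Combine both checks; raw_body is the JSON text about to be sent. Empty list means OK."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [(0, f"body is not valid JSON: {exc.msg}")]  # code 0: not one reported in the posts
    return check_headers(headers) + check_value_set_payload(payload)

# Constructed sample: the working payload and headers from posts 3 and 7.
GOOD_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}
GOOD_BODY = json.dumps({"value_set": {"name": "val_set", "type": "ipv4",
                                      "values": ["192.168.11.11", "192.168.11.12"]}})

if __name__ == "__main__":
    print(preflight(GOOD_HEADERS, GOOD_BODY))                       # []
    print(preflight({"Content-Type": "application/json"}, GOOD_BODY))  # Accept missing -> 1300
```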
  8. The forward proxy feature is specifically for the filtering of encrypted traffic which is not destined for an endpoint on the NetScaler. The correct way to allow servers to communicate without SSL decrypted filtering is to use R-NAT.
  9. Signature objects do not update unless enabled for Signature Auto Update. https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/signatures/signature-auto-update.html
  10. CTX235401 states content switching supports websockets. Your wss failing may be related to SSL certificate warnings. Please verify that HTTP and HTTPS are both working correctly, first. You can also try ws:// for a clear text websocket test to rule out PKI related problems. After that, try a secure (wss) websocket connection. Bind your HTTP profile (with websockets enabled) to the nonaddressable vserver too.
  11.   -reqUrlFrom "http(s?)://any.url.host/Path1/(.*)" -reqUrlInto "http$1://192.168.123.5/$2" -resUrlFrom "http(s?)://192.168.123.5/(.*)" -resUrlInto "http$1://any.url.host/Path1/$2"

      You will also need a responder to redirect from any.url.host/ to any.url.host/Path1/ since the application doesn't know about /Path1/.
  12. Correct, the device is able to fragment when needed. In addition to the dropFrag parameter, the dropFragCpuThreshold is another global parameter defined in iptunnelparam to check. It temporarily disables fragmentation during configurable high CPU utilization levels. By default it is disabled, but if enabled it could certainly account for your situation. Please verify you are running the latest supportable code versions.
  13. You can use the AppExpert expression LOCATION.GET(1) to compare just the Country Code against a list of countries. Since country codes are only two characters, Regex would be a decent way to get your list of 30 into a single expression:

        CLIENT.IP.SRC.LOCATION.GET(1).SET_TEXT_MODE(ignorecase).REGEX_MATCH(re/US|CA|GB/).NOT

      A Pattern Set makes large groups of conditions more organized, easier to read, and easier to update. This is the optimal solution, particularly when using longer Geo names or frequently making adds/moves/changes to the list, and particularly useful for delegating management of the list.

        add policy patset countrylist
        bind policy patset countrylist US
        bind policy patset countrylist CA
        bind policy patset countrylist GB
        add responder policy DROP_non_Test_CUSTOMER "CLIENT.IP.SRC.LOCATION.GET(1).SET_TEXT_MODE(ignorecase).EQUALS_ANY(\"countrylist\").NOT" DROP
  14. Instead of Regex, use inbuilt AppExpert expressions for this use case. In your example, we can use the space character (' ') as the separator for a list of words. Then we can choose the first or last word from the list. Here is your AppExpert expression:

        AAA.USER.ATTRIBUTE(7).TYPECAST_LIST_T(' ').GET_REVERSE(0)

      I used the NetScaler Expression Evaluator to make sure it returns the desired result:
  15. I was able to configure a Responder policy with an OPTIONS-based AppExpert policy bound to an AAA vserver. Sample code below.

      Note: The AAA_REQUEST bind point is for responder policies which apply to all the incoming requests and are processed for the unauthenticated traffic first, before any other AAA processing. ref: CTX477121

        > sho ver
        NetScaler NS14.1: Build 4.42.nc, Date: Jul 27 2023, 17:27:33 (64-bit)
         Done
        >
        > sho run | grep cors
        add responder action cors_test respondwith q{"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"}
        add responder policy cors_test "HTTP.REQ.METHOD.EQ(\"OPTIONS\")" cors_test
        bind authentication vserver rd_test_aaa -policy cors_test -priority 100 -gotoPriorityExpression END -type AAA_REQUEST
        >

      Here's a better example CORS responder action:

        add responder action cors_test respondwith q{"HTTP/1.1 204 No Content\r\nContent-Type: text/html\r\nDate: "+SYS.TIME.TYPECAST_TIME_AT+"\r\nAccess-Control-Allow-Methods: POST, GET, OPTIONS\r\n\r\n"}

        HTTP/1.1 204 No Content
        Content-Type: text/html
        Date: Fri, 26 Apr 2024 23:44:51 GMT
        Access-Control-Allow-Methods: POST, GET, OPTIONS
  16. You can use two policies on the same traffic using Goto Expressions. Your first policy can conduct the logging (using a goto expression of NEXT) and the second policy will perform the Drop. In this case, the order matters because a Drop action requires an END Goto expression. Be sure to remove your .NOT from the first policy since you want to log traffic which you intend to allow. example:

      Reference: Evaluation order within a policy bank
  17. Good stuff Nicola. Well documented. Please know your expression needs to use AND (&&) rather than OR (||) logic to function correctly. Manoj can test this and other AppExpert expressions with the Expression Evaluator found in the GUI > AppExpert > Expression Evaluator.

        HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT || HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT

      should be:

        HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app1").NOT && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/app2").NOT
  18. Most likely, the application is providing content with hard-coded links embedded in its content: links which include the http(s)://server_name/ rather than relative links which just provide the directory locations, like /folder/application/. Have the app owner change this behavior or use the NetScaler URL Transform feature to modify requests from an external version seen by outside users to an internal URL seen only by your Web servers, and vice versa. Here is a code example where users see abc.happy.com but the server sees xyz.happy.com.

        add transform profile demo_app_80_abc.happy.com_profile
        add transform action abc.happy.com demo_app_80_abc.happy.com_profile 100
        set transform action abc.happy.com -priority 100 -reqUrlFrom "https://abc.happy.com/(.*)" -reqUrlInto "https://xyz.happy.com/abcdefg/$1" -resUrlFrom "https://xyz.happy.com/abcdefg/(.*)" -resUrlInto "https://abc.happy.com/$1"
        add transform policy demo_app_80_abc.happy.com_policy "HTTP.REQ.HOSTNAME.EQ(\"abc.happy.com\")" demo_app_80_abc.happy.com_profile -comment "ADM Stylebook managed"
        bind lb vserver demo_app_80 -policyName demo_app_80_abc.happy.com_policy -priority 8000 -gotoPriorityExpression END -type REQUEST
  19. You are correct that the Content Switching vserver will use its defined Default vserver when none of the Policy bindings can be honored. If you want to prevent requests from reaching the default because the designated targets are not reachable, you can simply define your default destination at the end of the policy table rather than the "Default Virtual Server" setting. You can accomplish this by using a Rule/Expression of TRUE as the last binding. The result is a 503 Service Unavailable as you expected. Here is an example:

        > show csvs test_csvs
        ...
        Default:        Content Precedence: RULE
        ...
        1)      Content-Switching Policy: about     Target LB: logic_1
                Rule: HTTP.REQ.URL.CONTAINS("about")        Priority: 100
        2)      Content-Switching Policy: default   Target LB: logic_2
                Rule: TRUE                                  Priority: 110
  20. You can set up a list of URLs using the patset AppExpert module.

        add policy patset block_uri
        bind policy patset block_uri "/"
        bind policy patset block_uri "/manager/html"
        bind policy patset block_uri "/host-manager/html"
        bind policy patset block_uri "/manager/status"

      In this example I limited it to just the URIs and will specify the common hostname as part of the AppExpert policy. For security purposes, you may want to drop the session, then use the App Firewall module as follows with the APPFW_DROP. Using a similar configuration with the Responder module will work but precludes Drop and Reset actions.

        add appfw policy block_list "HTTP.REQ.HEADER(\"HOST\").CONTAINS(\"tomcat.abc.com\") && HTTP.REQ.URL.PATH.EQUALS_ANY(\"block_uri\")" APPFW_DROP
  21. Take a look at our n-factor feature. Also check out Rich's article where he "uses LDAP only to validate Active Directory credentials if the user’s endpoint is on a private subnet". This is a good example of the conditional nature of n-factor. Sounds like you would be substituting Rich's LDAP authentication for SAML authentication. I encourage you to reach out to a value added reseller or account representative for additional configuration assistance.
  22. Let's start with our proprietary JARH and Nile innovations. I had a client tell me they saw 30% faster transfers with Nile versus BIC. But like Morten mentioned, you really need to understand what is important to the customer. https://docs.netscaler.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-customizing-algorithms/hashing-methods.html https://docs.netscaler.com/en-us/citrix-adc/current-release/citrix-adc-support-for-telecom-service-providers/NS_TCP_optimization/tcp_congestion_control_and_optimization.html
  23.   • Single code base across premise, cloud, and Kubernetes
        • Single management platform across premise, cloud, and Kubernetes
        • Holistic visibility and analytics across premise, cloud, and Kubernetes
        • License portability across premise, cloud, and Kubernetes
        • Consistent application and API security features across premise, cloud, and Kubernetes

      See how NetScaler is different: https://stg-www.citrix.com/products/citrix-adc/compare.html

      Better Performance: see the Tolly report, NetScaler VPX vs F5 Big-IP VE: https://stg-www.citrix.com/products/citrix-adc/form/tolly-group-validates-citrix-adc-over-f5-report.html
  24.   add transform profile demo_abc.happy.com_profile
        add transform action abc.happy.com demo_abc.happy.com_profile 100
        set transform action abc.happy.com -priority 100 -reqUrlFrom "https://abc.happy.com/(.*)" -reqUrlInto "https://xyz.happy.com/abcdefg/$1" -resUrlFrom "https://xyz.happy.com/abcdefg/(.*)" -resUrlInto "https://abc.happy.com/$1"
  25. The NetScaler is a secure reverse proxy and as such, it has encrypted sessions with both the clients and the servers. During this process it forwards the GET requests and can throttle the rate of these requests to the backend server. See our Rate Limiting documentation.