ADC

NSPEPI tool unsupported features

This topic provides information about the features that are not supported by the NSPEPI tool.

Commands or features not handled by the nspepi conversion tool

The following are some commands that are not handled as part of the auto conversion process.

  • Client security expressions are not handled.
  • Authentication
  • Authorization
  • VPN
  • Syslog
  • Nslog
  • File based Classic expressions are not handled.

Note:

For some features like Patclass/filter, the command syntax is changed. If there are command policies, then command policies might need to be changed depending on customer requirement.

To convert classic policies to advanced policies for the following features, reach out to NetScaler customer support:

  • Sure Connect (SC)
  • Priority Queuing (PQ)
  • HTTP Denial of Service (HDOS)
  • HTML Injection

Binding Priorities

Advanced policies do not allow arbitrary interleaving by priority between global and non-global and between different binding types. If you rely on such interleaving of Classic policy priorities, you need to adjust the priorities to conform to the Advanced policy rules and to get the desired behavior. Priorities in Advanced policies are local to a bind point. A bind point is a unique combination of protocol, feature, direction, and entity (entities are specific virtual servers, users, groups, services, and either global override or global default). Policy priorities are not followed across bind points.

For a given protocol, feature, and direction, the following is the order of evaluation of Advanced policies:

  • Global override.
  • Authentication, authorization, and auditing user(Current).
  • Authentication, authorization, and auditing groups (that the user is a member of) in order of weight. The ordering is undefined if two or more groups have the same weight.
  • LB virtual server that either the request was received on or that was selected by CS.
  • Content switching virtual server, cache redirection virtual server that the request was received on.
  • Service selected by load balancing.
  • Global default.

For authorization policy evaluation, the order is:

  • Systems override.
  • Load balancing virtual server that either the request was received on or that was selected by CS.
  • Content switching virtual server that the request was received on.
  • System default.

Within each bind point, the policies are evaluated in order of priority from lowest numbered to highest numbered. Policies are only evaluated for the protocol used and the direction that the message was received from.

Warning

The following scenarios show the warnings in the nspepi tool:

  • If the rule expression of load balancing virtual server is a boolean expression, the equivalent advanced expression results in boolean value in string format. This results in functionality change when the rule is used for persistenceType or lbMethod. To avoid the functionality change, the command is modified by removing the keywords rule and persistenceType.
  • If the state field of the binding command is DISABLED. If the state is disabled, then command is not in use. The state parameter is not supported with the advanced configuration. So, if we convert this configuration then the functionality changes. If the command is required, take a backup because comments will not be saved in ns.conf after triggering save ns config.

Warning in CMP feature conversion:

  • If a global cmp parameter policy type is set to CLASSIC and advanced policies are bound to global. Without conversion, bounded advanced policies will not be evaluated because the global policy type is set to CLASSIC. After conversion, the policy type would be converted to ADVANCED. So, if we do not comment out the existing global advanced bindings, then these bindings are evaluated and can change the functionality.
  • If the global cmp parameter policy type is set to ADVANCED and classic policies are bound to global. Without conversion, these global classic bindings would not be evaluated because global policy type is ADVANCED. So, to preserve the functionality, we comment out the converted configuration, otherwise converted advanced policies are evaluated and can change the functionality.

Note:

All classic policy bindings with -state option disabled are commented out. The -state option is not available for Advanced policy bindings.

Limitations of NSPEPI tool

The following scenarios cause errors in the nspepi tool:

  • If there is an issue when converting an expression
  • If a named policy expression uses the -clientSecurityMessage parameter because this parameter is not supported in the Advanced policy expression
  • If load balancing virtual server rule expression is a complex expression and has multiple CONTENT based expressions
  • Errors in CMP feature conversion occur in the following scenarios:
    • Both classic and advanced policies are bound to global
    • Classic policies are bound at global and CMP parameter is advanced
    • Advanced policies are bound at global and CMP parameter is classic
    • Classic policies are bound to a virtual server and advanced policies are bound to a global server
    • Advanced policies are bound to a virtual server and classic policies are bound to a global server
    • Classic policies are bound to a virtual server and both classic and advanced policies are bound to a global server
    • Advanced policies are bound to a virtual server and both classic and advanced policies are bound to a global server
  • Errors in converting filter feature policy occur in the following scenarios:
    • If action is of type FORWARD
    • If action is part of HTMLInjection feature, mainly following commands: - add filter action <action name> ADD prebody - add filter action <action name> ADD postbody
    • If there are existing rewrite or responder policy bindings with gotoPriorityExpression END or USE_INNVOCATION, then fitler policy bindings cannot be converted.
  • When both classic and advanced SSL policies are bound, classic SSL bindings cannot be converted.
  • If the classic named expression has the same name as the callout entity name
  • If the classic expression name is invalid for the advanced expression
  • If the converted expression length is more than 1499 characters
  • If the classic expression has client security or file-based expressions

Classic policy bindings that require manual reprioritization

Here are some types of Classic policy bindings that require manual reprioritization to accomplish your needs. All these are for a given feature and the direction.

  • Classic priorities that increase in priority number opposite to the direction of the above entity type lists. For example, a content switching virtual server binding lower than a load balancing virtual server binding.
  • Classic priorities that interleave authentication, authorization, and auditing groups. One part of one group is before some other group and yet another part is after part of that other group.
  • Classic priorities that increase in number other than the order of weights of authentication, authorization, and auditing groups.
  • Classic global priorities that are less than some non-global priority and the same global priorities are greater than some other non-global priority (in other words, any segment of priorities that are a non-global, followed by one or more globals, followed by a non-global).
NSPEPI tool unsupported features