URL list
The URL List feature enables enterprise customers to control access to specific websites and website categories. The feature filters websites by applying a responder policy bound to a URL matching algorithm. The algorithm matches the incoming URL against a URL set consisting of up to one million (1,000,000) entries. If the incoming URL request matches an entry in the set, the appliance uses the responder policy to evaluate the request (HTTP/HTTPS) and control access to it.
URL set types
Each entry in a URL set can include a URL and, optionally, its metadata (URL category, category groups, or any other related data). For URLs with metadata, the appliance uses a policy expression that evaluates the metadata. For more information, see URL Set.
SSL forward proxy supports custom URL sets. You can also use pattern sets to filter URLs.
Custom URL set. You can create a customized URL set with up to 1,000,000 URL entries and import it as a text file into your appliance.
Pattern set. An ADC appliance can use pattern sets to filter URLs before granting access to websites. A pattern set is a string-matching algorithm that looks for an exact string match between an incoming URL and up to 5000 entries. For more information, see Pattern Set.
Each URL in an imported URL set can have a custom category in the form of URL metadata. Your organization can host the set and configure the ADC appliance to periodically update the set without requiring manual intervention.
After the set is updated, the Citrix ADC appliance automatically detects the metadata. The category is now available as a policy expression for evaluating the URL and applying an action such as allow, block, redirect, or notify the user.
Advanced policy expressions used with URL sets
The following table describes the basic expressions you can use to evaluate incoming traffic.
Expression | Description |
---|---|
<URL expression>.URLSET_MATCHES_ANY | Evaluates to TRUE if the URL exactly matches any entry in the URL set. |
<URL expression>.GET_URLSET_METADATA() | Returns the associated metadata if the URL exactly matches any pattern within the URL set. An empty string is returned if there is no match. |
<URL expression>.GET_URLSET_METADATA().EQ(<METADATA>) | Evaluates to TRUE if the matched metadata is equal to <METADATA>. |
<URL expression>.GET_URLSET_METADATA().TYPECAST_LIST_T(',').GET(0).EQ() | Evaluates to TRUE if the matched metadata is at the beginning of the category. This pattern can be used to encode separate fields within metadata but match only the first field. |
HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL) | Joins the host and URL parameters, which can then be used for matching. |
Responder action types
Note: In the table, HTTP.REQ.URL is generalized as <URL expression>.
The following table describes the actions that can be applied to incoming internet traffic.
Responder Action | Description |
---|---|
Allow | Allow the request to access the target URL. |
Redirect | Redirect the request to the URL specified as the target. |
Block | Deny the request. |
Prerequisites
Configure a DNS server if you import a URL Set from a host name URL. This configuration is not required if you use an IP address.
At the command prompt, type:
add dns nameServer ((<IP> [-local]) | <dnsVserverName>) [-state (ENABLED | DISABLED )] [-type <type>] [-dnsProfileName <string>]
Example:
add dns nameServer 10.140.50.5
Configure a URL list
To configure a URL list, you can use the Citrix SSL forward proxy wizard or the Citrix ADC command-line interface (CLI). On the Citrix ADC appliance, you must first configure the responder policy and then bind the policy to a URL set.
Citrix recommends that you use the Citrix SSL forward proxy wizard as the preferred option to configure a URL list. Use the wizard to bind a responder policy to a URL set. Alternatively, you can bind the policy to a pattern set.
Configure a URL list by using the SSL forward proxy wizard
To configure URL List for HTTPS traffic by using the GUI:
- Navigate to the Security > SSL Forward Proxy page.
- In the details pane, do one of the following:
  - Click SSL Forward Proxy Wizard.
  - Select an existing configuration and click Edit.
- In the URL Filtering section, click Edit.
- Select the URL List check box to enable the feature.
- Select a URL List policy and click Bind.
- Click Continue and then Done.
For more information, see How to Create a URL List Policy.
Configure a URL list by using the CLI
To configure a URL list, do the following.
1. Configure a proxy virtual server for HTTP and HTTPS traffic.
2. Configure SSL interception for intercepting HTTPS traffic.
3. Configure a URL list containing a URL set for HTTP traffic.
4. Configure a URL list containing a URL set for HTTPS traffic.
5. Configure a private URL set.
Note
If you have already configured an ADC appliance, you can skip steps 1 and 2 and start with step 3.
Configuring a proxy virtual server for Internet traffic
The Citrix ADC appliance supports transparent and explicit proxy virtual servers. To configure a proxy virtual server for internet traffic in explicit mode, do the following:
- Add a proxy SSL virtual server.
- Bind a responder policy to the proxy virtual server.
To add a proxy virtual server by using the CLI:
At the command prompt, type:
add cs vserver <name> <serviceType> <IPAddress> <port>
Example:
add cs vserver starcs PROXY 10.102.107.121 80 -cltTimeout 180
To bind a responder policy to a proxy virtual server by using the CLI:
bind ssl vserver <vServerName> -policyName <string> [-priority <positive_integer>]
Note
If you have already configured the SSL interceptor as part of the Citrix ADC configuration, you can skip the following procedure.
Configure SSL interception for HTTPS traffic
To configure SSL interception for HTTPS traffic, do the following:
- Bind a CA certificate-key pair to the proxy virtual server.
- Enable the default SSL profile.
- Create a front-end SSL profile with SSL interception enabled, and bind it to the proxy virtual server.
To bind a CA certificate-key pair to the proxy virtual server by using the CLI:
At the command prompt, type:
bind ssl vserver <vServerName> -certkeyName <certificate-KeyPairName>
To configure a front-end SSL profile by using the CLI:
At the command prompt, type:
set ssl parameter -defaultProfile ENABLED
add ssl profile <name> -sslInterception ENABLED -ssliMaxSessPerServer <positive_integer>
To bind a front-end SSL profile to a proxy virtual server by using the CLI:
At the command prompt, type:
set ssl vserver <vServer name> -sslProfile <name>
Configure a URL list by importing a URL set for HTTP traffic
For information about how to configure a URL Set for HTTP traffic, see URL Set.
Perform explicit subdomain match
You can now perform an explicit subdomain match for an imported URL set. A new parameter, “subdomainExactMatch”, is added to the import policy urlset command.
When you enable the parameter, the URL Filtering algorithm performs an explicit subdomain match. For example, if the incoming URL is news.example.com and the entry in the URL set is example.com, the algorithm does not match the URLs.
At the command prompt, type:
import policy urlset <name> [-overwrite] [-delimiter <character>] [-rowSeparator <character>] -url <URL> [-interval <secs>] [-privateSet] [-subdomainExactMatch] [-canaryUrl <URL>]
Example:
import policy urlset test -url http://10.78.79.80/top-1k.csv -privateSet -subdomainExactMatch -interval 900
Configure a URL set for HTTPS traffic
To configure a URL Set for HTTPS traffic by using the CLI:
At the command prompt, type:
add ssl policy <name> -rule <expression> -action <string> [-undefAction <string>] [-comment <string>]
Example:
add ssl policy pol1 -rule client.ssl.client_hello.SNI.URLSET_MATCHES_ANY("top1m") -action INTERCEPT
To configure a URL set for HTTPS traffic by using the SSL forward proxy wizard:
Citrix recommends that you use the SSL forward proxy wizard as the preferred option to configure a URL list. Use the wizard to import a custom URL set and bind to a responder policy.
- Navigate to Security > SSL Forward Proxy > URL Filtering > URL Lists.
- In the details pane, click Add.
- On the URL List Policy page, specify the policy name.
- Select an option to import a URL set.
- On the URL List Policy tab page, select the Import URL Set check box and specify the following URL Set parameters.
  - URL Set Name: Name of the custom URL set.
  - URL: Web address of the location at which to access the URL Set.
  - Overwrite: Overwrite a previously imported URL set.
  - Delimiter: Character sequence that delimits a CSV file record.
  - Row Separator: Row separator used in the CSV file.
  - Interval: Interval in seconds, rounded off to the nearest 15 minutes, at which the URL set is updated.
  - Private Set: Option to prevent exporting the URL set.
  - Canary URL: Internal URL for testing whether the content of the URL set is to be kept confidential. The maximum length of the URL is 2047 characters.
- Select a responder action from the drop-down list.
- Click Create and Close.
Configure a private URL set
If you configure a private URL set and keep its contents confidential, the network administrator might not know the blacklisted URLs in the set. For such cases, you can configure a Canary URL and add it to the URL set. Using the Canary URL, the administrator can request the private URL Set to be used for every lookup request. You can refer to the wizard section for descriptions of each parameter.
To import a URL set by using the CLI:
At the command prompt, type:
import policy urlset <name> [-overwrite] [-delimiter <character>] [-rowSeparator <character>] -url <URL> [-interval <secs>] [-privateSet] [-canaryUrl <URL>]
Example:
import policy urlset test1 -url http://10.78.79.80/alytra/top-1k.csv -privateSet -canaryUrl http://www.in.gr
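A URL set file can be checked offline against the limits stated on this page before it is hosted for periodic import. The following Python is an added example, not Citrix code: the function names are hypothetical, and it assumes each row is a URL followed by optional metadata after the first delimiter, that metadata fields are comma-separated (as the TYPECAST_LIST_T(',') expression implies), and that URLs are compared without scheme or trailing slash.

```python
from collections import Counter

MAX_ENTRIES = 1_000_000   # URL set size limit stated on this page
MAX_CANARY_LEN = 2047     # canary URL length limit stated on this page


def normalize(url):
    """Assumed comparison form: no scheme, lower case, no trailing slash."""
    url = url.strip().lower()
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.rstrip("/")


def check_urlset(text, delimiter=",", row_separator="\n",
                 private=False, canary_url=None):
    """Return (entries per first metadata field, list of problems)."""
    categories, problems, seen = Counter(), [], {}
    rows = [r.strip() for r in text.split(row_separator) if r.strip()]
    if len(rows) > MAX_ENTRIES:
        problems.append(f"{len(rows)} entries exceed the {MAX_ENTRIES} limit")
    for lineno, row in enumerate(rows, 1):
        # Everything after the first delimiter is metadata; its first
        # comma-separated field is what TYPECAST_LIST_T(',').GET(0) selects.
        url, _, metadata = row.partition(delimiter)
        url, metadata = normalize(url), metadata.strip()
        if not url:
            problems.append(f"row {lineno}: empty URL field")
            continue
        if url in seen:
            # The same URL under two categories makes the policy outcome unclear.
            if seen[url] != metadata:
                problems.append(f"row {lineno}: {url} repeats with different metadata")
            continue
        seen[url] = metadata
        categories[metadata.split(",")[0].strip() or "(none)"] += 1
    if canary_url is not None and len(canary_url) > MAX_CANARY_LEN:
        problems.append("canary URL is longer than 2047 characters")
    if private and (canary_url is None or normalize(canary_url) not in seen):
        problems.append("private set: canary URL missing from the set")
    return categories, problems


# Constructed sample file: URL, then metadata as "category,group".
SAMPLE = """example.com,news,media
shop.example.net/cart,shopping,retail
example.com,gambling,restricted
,orphan-metadata
www.in.gr,canary,internal
"""

if __name__ == "__main__":
    print(check_urlset(SAMPLE, private=True, canary_url="http://www.in.gr"))
```

The per-category counts show how many entries a policy that compares the first metadata field would select for each category value.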
Display imported URL set
You can now display imported URL sets in addition to added URL sets. A new parameter, “imported”, is added to the show policy urlset command. If you enable this option, the appliance displays all imported URL sets and distinguishes the imported URL sets from the added URL sets.
At the command prompt, type:
show policy urlset [<name>] [-imported]
Example:
show policy urlset -imported
Configure audit log messaging
Audit logging enables you to review a condition or a situation in any phase of a URL List process. When a Citrix ADC appliance receives an incoming URL, if the responder policy has a URL Set advanced policy expression, the audit log feature collects URL Set information in the URL. It stores the details as a log message for any target allowed by audit logging.
The log message contains the following information:
- Timestamp.
- Log message type.
- The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency).
- Log message information, such as URL set name, policy action, URL.
To configure audit logging for the URL List feature, you must complete the following tasks:
- Enable Audit Log.
- Create Audit Log message action.
- Set URL List responder policy with Audit Log message action.
For more information, see the Audit Logging topic.