Using Advance Policy to Create VPN Policies
Classic Policy Engine (PE) and Advance Policy Infrastructure (PI) are two different policy configuration and evaluation frameworks that NetScaler currently supports.
Advance Policy Infrastructure is built around a powerful expression language. The expression language can be used to define rules in policies, to define various parts of actions, and in other supported entities. It can parse any part of the request or response and lets you look deeply into the headers and payload. The same expression language works across every logical module that NetScaler supports.
Note: You are encouraged to use advanced policies for creating policies.
Why Migrate from Classic Policy to Advance Policy?
Advanced Policy has a rich expression set and offers much greater flexibility than Classic Policy. As NetScaler scales and caters to a vast variety of clients, it is imperative to support expressions which vastly exceed the Advanced Policies. For more information, see Policies and Expressions.
Following are the added capabilities for Advance Policy.
- Ability to access the body of the messages.
- Supports many other protocols.
- Accesses many other features of the system.
- Has a larger set of basic functions, operators, and data types.
- Caters to the parsing of HTML, JSON, and XML files.
- Facilitates fast parallel multi-string matching (patsets, and so forth).
Now the following VPN policies can be configured using Advance Policy.
- Session Policy
- Authorization Policy
- Traffic Policy
- Tunnel Policy
- Audit Policy
Also, End Point Analysis (EPA) can be configured as a factor in nFactor authentication. EPA acts as a gatekeeper for endpoint devices trying to connect to the Gateway appliance. Before the Gateway logon page is displayed on an endpoint device, the device is checked for minimum hardware and software requirements, depending on the eligibility criteria configured by the Gateway administrator. Access to the Gateway is granted based on the outcome of these checks. Previously, EPA was configured as part of the session policy. Now it can be linked to nFactor, which provides more flexibility as to when it is performed. For more information on EPA, see the How endpoint policies work topic. For more on nFactor, see the nFactor authentication topic.
Use Cases:
Pre-authentication EPA using Advanced EPA
The pre-authentication EPA scan happens before a user provides the logon credentials. For information on configuring NetScaler Gateway for nFactor authentication with a pre-authentication EPA scan as one of the authentication factors, see the CTX224268 topic.
Post authentication EPA using Advanced EPA
The post-authentication EPA scan happens after user credentials are verified. Under the classic policy infrastructure, post-authentication EPA was configured as part of the session policy or session action. Under the advanced policy infrastructure, the EPA scan is to be configured as an EPA factor in nFactor authentication. For information on configuring NetScaler Gateway for nFactor authentication with a post-authentication EPA scan as one of the authentication factors, see the CTX224303 topic.
Pre-authentication and post-authentication EPA using Advanced policies
EPA can be performed both before and after authentication. For information on configuring NetScaler Gateway for nFactor authentication with pre-authentication and post-authentication EPA scans, see the CTX231362 topic.
Periodic EPA scan as a factor in nFactor authentication
Under classic policy infrastructure, periodic EPA scan was configured as part of session policy action. Under the advanced policy infrastructure, it can be configured as part of the EPA factor in nFactor authentication.
For more information on configuring a periodic EPA scan as a factor in nFactor authentication, see the CTX231361 topic.
Troubleshooting:
Keep the following points in mind when troubleshooting.
- Classic and Advance policies of the same type (for example, Session policy) cannot be bound to the same entity/bind point.
- Priority is mandatory for all PI policies.
- Advance Policy for the VPN can be bound to all bind points.
- Advance Policy with the same priority can be bound to a single bind point.
- If none of the configured authorization policies is selected, the global authorization action configured in the VPN parameter is applied.
- In an authorization policy, the authorization action is not reversed if the authorization rule fails.
Commonly used Advanced Policy equivalent expressions for Classic Policy:
Classic Policy expressions | Advance Policy expressions |
---|---|
ns_true | true |
ns_false | false |
REQ.HTTP | HTTP.REQ |
RES.HTTP | HTTP.RES |
HEADER "foo" | HEADER("foo") |
CONTAINS "bar" | .CONTAINS("bar") [Note use of "."] |
REQ.IP | CLIENT.IP |
RES.IP | SERVER.IP |
SOURCEIP | SRC |
DESTIP | DST |
REQ.TCP | CLIENT.TCP |
RES.TCP | SERVER.TCP |
SOURCEPORT | SRCPORT |
DESTPORT | DSTPORT |
STATUSCODE | STATUS |
REQ.SSL.CLIENT.CERT | CLIENT.SSL.CLIENT_CERT |
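
The first two troubleshooting points can be checked against a draft command file before it is applied. The Python sketch below is an added example, not Citrix code: it assumes the `add vpn sessionPolicy <name> <rule> <action>` and `bind vpn vserver <name> -policy <policy> -priority <n>` command forms, treats a rule as classic when it starts with a token from the left column of the table above (a heuristic), and runs on a constructed sample with hypothetical policy and vserver names.

```python
import shlex
from collections import defaultdict

# Classic-only leading tokens, taken from the left column of the table above.
CLASSIC_PREFIXES = ("ns_true", "ns_false", "REQ.", "RES.")
POLICY_TYPES = ("sessionPolicy", "trafficPolicy")  # subset covered by this sketch

def is_classic(rule):
    """Heuristic (assumption): a rule starting with a classic-only token is classic."""
    return rule.strip().startswith(CLASSIC_PREFIXES)

def audit(config_text):
    """Return sorted findings for VPN policy bindings in a draft command file."""
    lines = [shlex.split(l) for l in config_text.splitlines() if l.strip()]
    policies = {}  # policy name -> (type, "classic" | "advanced")
    for t in lines:
        if t[:2] == ["add", "vpn"] and len(t) >= 5 and t[2] in POLICY_TYPES:
            policies[t[3]] = (t[2], "classic" if is_classic(t[4]) else "advanced")
    flavors = defaultdict(set)  # (vserver, policy type) -> flavors bound there
    findings = []
    for t in lines:
        # Only bind lines that carry "-policy <name>" after the vserver name.
        if t[:3] != ["bind", "vpn", "vserver"] or "-policy" not in t[4:-1]:
            continue
        vserver, name = t[3], t[t.index("-policy") + 1]
        if name not in policies:
            continue
        ptype, flavor = policies[name]
        flavors[(vserver, ptype)].add(flavor)
        # "Priority is mandatory for all PI policies."
        if flavor == "advanced" and "-priority" not in t:
            findings.append(f"{vserver}: advanced {ptype} {name} bound without -priority")
    # Classic and advanced policies of one type must not share a bind point.
    for (vserver, ptype), seen in flavors.items():
        if len(seen) > 1:
            findings.append(f"{vserver}: classic and advanced {ptype} bound to the same vserver")
    return sorted(findings)

# Constructed sample; all names are hypothetical.
SAMPLE = r'''
add vpn sessionPolicy sp_classic ns_true act_a
add vpn sessionPolicy sp_adv "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" act_b
add vpn trafficPolicy tp_adv true act_c
bind vpn vserver gw1 -policy sp_classic -priority 100
bind vpn vserver gw1 -policy sp_adv -priority 110
bind vpn vserver gw2 -policy tp_adv
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
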