Traffic policies
Traffic policies allow you to configure the following settings for user connections:
- Enforcing shorter time-outs for sensitive applications that are accessed from untrusted networks.
- Switching network traffic to use TCP for some applications. Single sign-on applies only to HTTP traffic profiles; if you select TCP, single sign-on cannot be configured for that profile.
- Identifying situations where you want to use other HTTP features for Citrix Secure Access client traffic.
- Defining the file name extensions that are used with file type association.
Create a traffic policy
To configure a traffic policy, you create a profile and configure the following parameters:
- Protocol (HTTP or TCP)
- Application time-out
- Single sign-on to web applications
- Form single sign-on
- File type association
- Repeater plug-in
- Kerberos Constrained Delegation (KCD) accounts
After you create the traffic policy, you can bind the policy to virtual servers, users, groups, or globally.
For example, suppose the web application PeopleSoft Human Resources is installed on a server in the internal network. You can create a traffic policy for this application whose expression matches the server's destination IP address and destination port, and whose profile limits how long a user can stay logged on to the application, such as 15 minutes.
A traffic policy is also the place to apply other HTTP features, such as HTTP compression, to an application. When you create the profile, select HTTP as the protocol, and in the policy expression match the destination address of the server running the application.
Sample traffic policy expressions
The following are example traffic policies as entered on the command line. Each rule is a default-syntax expression wrapped in double quotes, with the quotes of embedded string literals escaped as \" (trafAct1, trafAct2 and trafAct3 are traffic profiles created beforehand):

```
add vpn trafficPolicy trafPol1 "HTTP.REQ.URL.CONTAINS(\"/Citrix/\") || HTTP.REQ.URL.CONTAINS(\"10.102.\")" trafAct1
add vpn trafficPolicy trafPol2 "HTTP.REQ.HOSTNAME.CONTAINS(\"portal-srv\") || HTTP.REQ.URL.CONTAINS(\"homePage\")" trafAct2
add vpn trafficPolicy trafPol3 true trafAct3
```

The third policy's rule, true, matches every request and is the usual way to apply one profile to all traffic that reaches the binding point.
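The following is an added example script, not code from the Citrix page, that renders the same kind of commands for the PeopleSoft scenario described earlier and, before quoting a rule for the CLI, checks it for the two mistakes most likely when expressions are pasted: unbalanced parentheses and an unterminated string literal. The CLI option names (-appTimeout, -SSO, -policyName, -priority), the positional http/tcp qualifier of add vpn trafficAction, and the CLIENT.IP.DST / CLIENT.TCP.DSTPORT expression prefixes are assumptions to verify against your release's command reference; the names hr_act and hr_pol, the address 10.102.1.25 and port 8000 are constructed.

```python
"""Render and sanity-check NetScaler Gateway traffic-policy CLI lines.

Added example, not code from the Citrix page.  Assumptions (verify against
your release's command reference): the trafficAction syntax
'add vpn trafficAction <name> <http|tcp> -appTimeout <min> -SSO ON|OFF', the
global bind 'bind vpn global -policyName <pol> -priority <n>', and the
CLIENT.IP.DST / CLIENT.TCP.DSTPORT expression prefixes.  Object names,
addresses and ports are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


def check_expression(expr: str) -> List[str]:
    """Report the two paste errors that most often make 'add vpn trafficPolicy'
    fail: unbalanced parentheses and an unterminated string literal.  Quotes
    here are the plain quotes of the expression, before any CLI escaping.
    The expression grammar itself is not parsed; the appliance checks that."""
    problems: List[str] = []
    depth = 0
    in_string = False
    for offset, ch in enumerate(expr):
        if in_string:
            if ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                problems.append(f"unexpected ')' at offset {offset}")
            else:
                depth -= 1
    if in_string:
        problems.append("unterminated string literal")
    if depth:
        problems.append(f"{depth} unclosed '('")
    return problems


def ns_quote(expr: str) -> str:
    """Quote an expression as one CLI argument: wrap it in double quotes and
    backslash-escape the quotes of embedded string literals, the form used by
    the sample 'add vpn trafficPolicy' lines above.  Refuses broken input."""
    problems = check_expression(expr)
    if problems:
        raise ValueError("; ".join(problems))
    return '"' + expr.replace('"', '\\"') + '"'


@dataclass
class TrafficProfile:
    """The profile fields the GUI procedure sets ('vpn trafficAction' on the CLI)."""
    name: str
    protocol: str = "http"              # http or tcp
    app_timeout_min: Optional[int] = None
    sso: bool = False

    def cli(self) -> str:
        if self.protocol not in ("http", "tcp"):
            raise ValueError("protocol must be 'http' or 'tcp'")
        if self.protocol == "tcp" and self.sso:
            # Same rule the GUI enforces: single sign-on is disabled for TCP profiles.
            raise ValueError("single sign-on is not available for TCP profiles")
        line = f"add vpn trafficAction {self.name} {self.protocol}"   # assumed syntax
        if self.app_timeout_min is not None:
            line += f" -appTimeout {self.app_timeout_min}"
        if self.protocol == "http":
            line += f" -SSO {'ON' if self.sso else 'OFF'}"
        return line


def policy_cli(name: str, expr: str, action: str) -> str:
    """'add vpn trafficPolicy <name> <rule> <action>', with the rule quoted."""
    return f"add vpn trafficPolicy {name} {ns_quote(expr)} {action}"


def global_bind_cli(policy: str, priority: int) -> str:
    """Bind the policy at NetScaler Gateway Global (assumed syntax)."""
    return f"bind vpn global -policyName {policy} -priority {priority}"


def peoplesoft_example() -> List[str]:
    """The page's PeopleSoft scenario: match the HR server by destination
    address and port (constructed values), allow SSO, and cap the session at
    15 minutes.  Returns the three CLI lines in the order they must run."""
    profile = TrafficProfile("hr_act", "http", app_timeout_min=15, sso=True)
    rule = "CLIENT.IP.DST.EQ(10.102.1.25) && CLIENT.TCP.DSTPORT.EQ(8000)"
    return [profile.cli(),
            policy_cli("hr_pol", rule, profile.name),
            global_bind_cli("hr_pol", 100)]


if __name__ == "__main__":
    print("\n".join(peoplesoft_example()))
    # An expression with one ')' too many: the checker reports the offset.
    print(check_expression('HTTP.REQ.HOSTNAME.CONTAINS("portal-srv") '
                           '|| HTTP.REQ.URL.CONTAINS("homePage"))'))
```

Running the script prints the profile, the policy and the global binding in the order they must be entered; the TCP check in TrafficProfile.cli mirrors the GUI rule that single sign-on cannot be configured on a TCP profile, and ns_quote refuses to emit a rule the appliance would reject.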
Configure a traffic policy by using the GUI
- Expand NetScaler Gateway > Policies and then click Traffic.
- In the details pane, on the Policies tab, click Add.
- In the Create Traffic Policy dialog box, in Name, type a name for the policy.
- Next to Request Profile, click New.
- In Name, type a name for the profile.
- In Protocol, select either HTTP or TCP.
  Note: If you select TCP as the protocol, you cannot configure single sign-on; the setting is disabled in the profile dialog box.
- In AppTimeout (minutes), type the number of minutes. This setting limits how long users can stay logged on to the web application; use a shorter value for sensitive applications that are reached from untrusted networks.
- To enable single sign-on to the web application, in Single Sign-On, select ON.
  Note: If you want to use form-based single sign-on, you can configure the settings within the traffic profile. For more information, see Configuring Form-Based Single Sign-On.
- To specify a file type association, in File Type Association, select ON.
- To use the repeater plug-in to optimize network traffic, in Citrix SD-WAN, select ON, click Create, and then click Close.
- If you configured KCD on the appliance, in KCD Account, select the account.
  For more information about configuring KCD on the appliance, see Configuring Kerberos Constrained Delegation on a NetScaler Appliance.
- In the Create Traffic Policy dialog box, create or add an expression, click Create, and then click Close.
Configure form-based single sign-on
Form-based single sign-on allows users to log on one time to all protected applications in your network. When you configure form-based single sign-on in NetScaler Gateway, users can access web applications that require an HTML form-based logon without having to type their password again. Without single sign-on, users are required to log on separately to access each application.
After creating the form single sign-on profile, you then create a traffic profile and policy that includes the form single sign-on profile. For more information, see Creating a Traffic Policy.
Configure form-based single sign-on by using the GUI
- Expand NetScaler Gateway > Policies, and then click Traffic.
- In the details pane, click the Form SSO Profiles tab and then click Add.
- In Name, type a name for the profile.
- In Action URL, type the URL to which the completed logon form is submitted.
  Note: The URL is root-relative: it begins with a slash and does not include the scheme or host.
- In User Name, type the name attribute of the form's user name field.
- In Password, type the name attribute of the form's password field.
- In SSO Success Rule, create an expression that determines whether the single sign-on succeeded; it is evaluated against the application's response to the submitted form. You can also build the expression with the Prefix, Add, and Operator buttons under this field.
- In Name Value Pair, type the user name field value, followed by an ampersand (&), and then the password field value. Pairs are separated by an ampersand (&), such as name1=value1&name2=value2.
- In Response Size, type the number of bytes of the response to parse when extracting the form.
- In Extraction, select whether the name/value pair is static or dynamic. The default setting is Dynamic.
- In Submit Method, select the HTTP method that the single sign-on form uses to send the logon credentials to the logon server. The default is GET.
- Click Create, and then click Close.
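The following is an added example, not code from the Citrix page, that renders the whole chain the two procedures above describe as CLI lines: the form SSO profile, an HTTP traffic profile that references it, a traffic policy that selects the application by host name, and the binding on a gateway virtual server. The add tm formSSOAction parameter names (-actionURL, -userField, -passwdField, -ssoSuccessRule, -nameValuePair, -responsesize, -nvtype, -submitMethod), the trafficAction option -formSSOAction, and the bind form bind vpn vserver <vs> -policy <pol> -priority <n> are assumptions to verify against your release's command reference; the virtual server gw_vs, the host hr.example.internal, the logon URL, the form fields userid and pwd, the SESSION cookie and the extra timezoneOffset pair are constructed.

```python
"""Form-based single sign-on wired into a traffic policy, as NetScaler CLI lines.

Added example, not code from the Citrix page.  Assumed and to be verified
against your release's command reference: the 'add tm formSSOAction'
parameter names (-actionURL, -userField, -passwdField, -ssoSuccessRule,
-nameValuePair, -responsesize, -nvtype, -submitMethod), the trafficAction
option -formSSOAction, and the bind form 'bind vpn vserver <vs> -policy <pol>
-priority <n>'.  Every object name, URL, form field and cookie name below
is constructed.
"""
from typing import List


def ns_quote(value: str) -> str:
    """Wrap a value in double quotes and escape embedded quotes for the CLI."""
    return '"' + value.replace('"', '\\"') + '"'


def form_sso_action_cli(name: str, action_url: str, user_field: str,
                        passwd_field: str, success_rule: str,
                        name_value_pair: str = "", response_size: int = 8096,
                        dynamic: bool = True, submit_method: str = "POST") -> str:
    """Render the form SSO profile with the fields of the GUI procedure above."""
    if not action_url.startswith("/"):
        # The procedure's note: the Action URL is root-relative.
        raise ValueError("action_url must be root-relative, e.g. /psp/login")
    if submit_method not in ("GET", "POST"):
        raise ValueError("submit_method must be GET or POST")
    if response_size <= 0:
        raise ValueError("response_size must be a positive byte count")
    line = (f"add tm formSSOAction {name} -actionURL {ns_quote(action_url)}"
            f" -userField {user_field} -passwdField {passwd_field}"
            f" -ssoSuccessRule {ns_quote(success_rule)}"
            f" -responsesize {response_size}"
            f" -nvtype {'DYNAMIC' if dynamic else 'STATIC'}"
            f" -submitMethod {submit_method}")
    if name_value_pair:
        line += f" -nameValuePair {ns_quote(name_value_pair)}"
    return line


def traffic_chain_cli(vserver: str, app_host: str, form_sso: str,
                      timeout_min: int, priority: int = 100) -> List[str]:
    """HTTP traffic profile that references the form SSO profile, a policy
    that selects the application by host name, and the binding on the
    gateway virtual server, in the order the commands must run."""
    short = app_host.split(".")[0]
    act, pol = f"{short}_act", f"{short}_pol"
    rule = f'HTTP.REQ.HOSTNAME.EQ("{app_host}")'
    return [
        f"add vpn trafficAction {act} http -appTimeout {timeout_min}"
        f" -SSO ON -formSSOAction {form_sso}",
        f"add vpn trafficPolicy {pol} {ns_quote(rule)} {act}",
        f"bind vpn vserver {vserver} -policy {pol} -priority {priority}",
    ]


def hr_form_sso_example() -> List[str]:
    """Constructed scenario: an HR application whose logon form posts
    'userid' and 'pwd' to /psp/ps/?cmd=login and answers a successful logon
    with a redirect that sets a SESSION cookie."""
    sso = form_sso_action_cli(
        "hr_form_sso", "/psp/ps/?cmd=login", "userid", "pwd",
        'HTTP.RES.STATUS.EQ(302) && HTTP.RES.HEADER("Set-Cookie").CONTAINS("SESSION")',
        name_value_pair="timezoneOffset=0")
    return [sso] + traffic_chain_cli("gw_vs", "hr.example.internal", "hr_form_sso", 15)


if __name__ == "__main__":
    print("\n".join(hr_form_sso_example()))
```

The success rule is the check worth getting right: it is evaluated on the application's reply to the credentials the gateway submits, so tie it to something only a successful logon produces (here a redirect plus a session cookie), not merely to a 200 status, which most logon forms also return on failure.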
Configure SAML single sign-on
You can create a SAML 1.1 or SAML 2.0 profile for single sign-on (SSO). Users can connect to web applications that support the SAML protocol for single sign-on. NetScaler Gateway supports the identity provider (IdP) single sign-on for SAML web applications.
Configure SAML single sign-on by using the GUI
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Traffic.
- In the details pane, click the SAML SSO Profile tab.
- In the details pane, click Add.
- In Name, type a name for the profile.
- In Signing Certificate Name, enter the name of the X.509 certificate that NetScaler Gateway uses to sign the assertion. The service provider must trust this certificate to verify the signature.
- In ACS URL, enter the assertion consumer service URL of the service provider (the web application) to which the signed assertion is posted. The AssertionConsumerServiceURL (ACS URL) is the endpoint that completes single sign-on for users.
- In Relay State Rule, build the expression for the policy from Saved Policy Expressions and Frequently Used Expressions. Select from the Operator list to define how the expression is evaluated. To test the expression, click Evaluate.
- In Send Password, select ON to include the user's password in the assertion or OFF to omit it. Leave it OFF unless the application requires the password, because ON places the credential in the assertion.
- In Issuer Name, enter the identifier by which the application recognizes this identity provider.
- Click Create and then click Close.
Bind a traffic policy
You can bind traffic policies to virtual servers, groups, users, and to NetScaler Gateway Global. You can use the configuration utility to bind a traffic policy.
Bind a traffic policy globally by using the GUI
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Traffic.
- In the details pane, select a policy and then in Action, click Global Bindings.
- In the Bind / Unbind Traffic Policies dialog box, under Details, click Insert Policy.
- Under Policy Name, select the policy and then click OK.
Remove traffic policies
You can use the configuration utility to remove traffic policies from NetScaler Gateway. If the policy is bound to a user, group, or virtual server, or globally, you must first unbind the policy. Then, you can remove the policy.
Unbind a traffic policy by using the GUI
- Depending on where the policy is bound, do one of the following:
  - Expand NetScaler Gateway, and then click Virtual Servers.
  - Expand NetScaler Gateway > User Administration and then click AAA Groups.
  - Expand NetScaler Gateway > User Administration and then click AAA Users.
- In the details pane, select the virtual server, group, or user and then click Open.
- In the Configure NetScaler Gateway Virtual Server, Configure AAA Group, or Configure AAA User dialog box, click the Policies tab.
- Click Traffic, select the policy, and then click Unbind Policy.
- Click OK, and then click Close.
After the traffic policy is unbound, you can remove the policy.
Remove a traffic policy by using the GUI
- Expand NetScaler Gateway > Policies, and then click Traffic.
- In the details pane, on the Policies tab, select the traffic policy, and then click Remove.