Almost everything in Citrix ADC/NetScaler is based on policies. That’s true for authentication, user rights assignment (we already have covered these), but also for responding (the Citrix ADC/NetScaler responds to user’s requests), rewriting (requests or responses get changed by the Citrix ADC/NetScaler) and many more.
Condition and expression
Policies always consist of a condition and an expression, or an if and a then. If a user requests the URL /red.htm than drop the connection.
Policies have to get bound to an object (a vServer, a user, a group, globally, …). A policy won’t work as long as it is not bound somewhere.
Binding Policies
The priority of binding defines the order of policy processing if more than just one policy is bound to a certain resource. The lower the binding priority number the higher the priority of a policy.
Example: binding Priority:
Following two policies are bound to a load-balancing vServer:
100: if client ip in subnet 192.168.229.0/24 than allow access. Than end.
110: if requested URL equals /red.htm deny access. Than end.
In this case,
- a user from class C subnet 192.168.229.0 would be able to access everything, due to the first policy. That’s also including /red.htm. Policy processing will stop here, so the second policy won’t get evaluated.
- all other users will not be able to access /red.htm due to the second policy.
More about binding policies:
Some policies, like rewriting policies or command policies, allow having more than a single policy to be active at the same time. There are following goto expressions:
- End (that’s the default setting)
- Next (process the next policy)
- Goto priority # (jump to the policy with priority number #)
[wpedon id=”798″ align=”center”]