@pbnj
Last active January 22, 2016 22:02
Citrix Netscaler Policies/Rules

CITRIX NETSCALER


Author: Peter Benjamin
Date: 01/15/2016
Revised: 01/20/2016
Purpose: Instructions for setting up and configuring Citrix NetScaler as it pertains to Echo-Cloud.


Echo/Eyecom Configurations:

bind policy patset <webservername> <clientid>
add aaa group <clientid>
add authorization policy <policy name> "<policy rule>" <policy action>
bind aaa group <clientid> -policy <policy name> -priority 100
save ns config

Example:

bind policy patset cloudweb53 echo12345
add aaa group echo12345
add authorization policy client_auth_policy_echo12345 "REQ.HTTP.URL == \'/echo12345/*\'" ALLOW
bind aaa group echo12345 -policy client_auth_policy_echo12345 -priority 100
save ns config

Single Sign-on Configuration:

add ssl certKey SAMLIDP_<clientID> -cert "/nsconfig/ssl/pf.<client_name>.com.crt"
add authentication samlAction SAM_Server_<clientID> -samlIdPCertName SAMLIDP_<clientID> -samlRedirectUrl "https://pf.<client_name>.com/idp/startSSO.ping?PartnerSpId=Echoaccess_CTX" -samlRejectUnsignedAssertion OFF -samlIssuerName pf.<client_name>.com -defaultAuthenticationGroup echo<clientID>
add authentication samlPolicy SAMLPolicy_<clientID> "REQ.HTTP.URL CONTAINS echo<clientID> || REQ.HTTP.URLQUERY CONTAINS echo<clientID>" SAM_Server_<clientID>
bind authentication vserver saml_auth -policy SAMLPolicy_<clientID> -priority 110

Portal Configurations:

  • For all portals:
bind policy patset <aspportal_auth_ldap|aspportal_open|aspportal_ip_restrict> <clientid/portal_name>
  • For closed/private portals, run:
set authorization policy client_auth_policy_<clientid> -rule "<expression || expression && expression>" -action <action>
  • For IP-restricted portals, run:
add responder policy <policy_name> "<expression || expression && expression>" <action>
bind lb vserver <vserver_name> -policyName <policy_name> -gotoPriorityExpression END -type REQUEST -priority <number>

Examples:

  • For open/public portals, run:
bind policy patset aspportal_open "/12345portal/verifportal/"
  • For closed/private portals:
bind policy patset aspportal_auth_ldap "/12345portal/pharmacy/"
set authorization policy client_auth_policy_echo12345 -rule "REQ.HTTP.URL == \'/echo12345/*\' || REQ.HTTP.URL == \'/12345portal/pharmacy/*\'" -action ALLOW
  • For IP-restricted portals:
bind policy patset aspportal_ip_restrict "/12345portal/privportal/"
set authorization policy client_auth_policy_echo12345 -rule "REQ.HTTP.URL == \'/echo12345/*\' || REQ.HTTP.URL == \'/12345echoapps/*\' || REQ.HTTP.URL == \'/12345portal/verifportal/*\' || REQ.HTTP.URL == \'/12345portal/privportal/*\' || REQ.HTTP.URL == \'/echo12345test/*\' || REQ.HTTP.URL == \'/12345testechoapps/*\'" -action ALLOW
add responder policy 12345privportal " (CLIENT.IP.SRC.EQ(67.207.214.82) || CLIENT.IP.SRC.IN_SUBNET(63.247.0.0/19) && HTTP.REQ.URL.STARTSWITH(\"/12345portal/privportal/\") " NOOP
bind lb vserver aspportal_auth_ip_lbv -policyName 12345privportal -gotoPriorityExpression END -type REQUEST -priority 1523
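The Echo/Eyecom onboarding sequence and the closed/private portal sequence above both inline a client id and URL prefixes into quoted policy expressions. The following Python helper (an added example, not part of the original gist) renders those command sequences from the templates and validates each inlined value first, so a client id or path containing quotes or spaces cannot change the meaning of the generated rule; the function names, the allow-list patterns and the list-of-prefixes generalisation of the `||` chain are assumptions of this example.

```python
"""Render the NetScaler CLI command sequences from the templates above
(added example, not the gist's own tooling). Client ids and URL prefixes
end up inside quoted policy rules, so they are checked against strict
allow-lists before being inlined."""
import re

# Assumed allow-lists: tokens for names/ids, and URL prefixes like /12345portal/pharmacy/
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_]+$")
_PATH_RE = re.compile(r"^/[A-Za-z0-9_/-]+/$")


def check_token(value: str) -> str:
    """Reject anything that could escape a name or a quoted expression."""
    if not _TOKEN_RE.fullmatch(value):
        raise ValueError(f"unsafe token for NetScaler command: {value!r}")
    return value


def check_path(path: str) -> str:
    """Require a leading and trailing slash and no quotes or wildcards."""
    if not _PATH_RE.fullmatch(path):
        raise ValueError(f"unsafe URL prefix for policy rule: {path!r}")
    return path


def url_rule(prefixes) -> str:
    """Classic-syntax rule in the gist's form, REQ.HTTP.URL == \\'/p/*\\' joined by ||."""
    return " || ".join(f"REQ.HTTP.URL == \\'{check_path(p)}*\\'" for p in prefixes)


def onboarding_commands(webserver: str, client_id: str):
    """Echo/Eyecom section: patset binding, AAA group, authorization policy, binding."""
    cid = check_token(client_id)
    policy = f"client_auth_policy_{cid}"
    rule = url_rule([f"/{cid}/"])
    return [
        f"bind policy patset {check_token(webserver)} {cid}",
        f"add aaa group {cid}",
        f'add authorization policy {policy} "{rule}" ALLOW',
        f"bind aaa group {cid} -policy {policy} -priority 100",
        "save ns config",
    ]


def private_portal_commands(client_id: str, portal_path: str, existing_prefixes):
    """Portal section, closed/private case: register the portal path in the
    LDAP-auth patset and extend the client's authorization rule with it."""
    cid = check_token(client_id)
    rule = url_rule(list(existing_prefixes) + [portal_path])
    return [
        f'bind policy patset aspportal_auth_ldap "{check_path(portal_path)}"',
        f'set authorization policy client_auth_policy_{cid} -rule "{rule}" -action ALLOW',
    ]
```

Running `onboarding_commands("cloudweb53", "echo12345")` reproduces the five lines of the Echo/Eyecom example above; review the rendered output before pasting it into the NetScaler CLI and finishing with `save ns config`.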

Resources
