Almost everything in Citrix ADC/NetScaler is based on policies. That’s true for authentication and user rights assignment (which we have already covered), but also for responder policies (the Citrix ADC/NetScaler answers the user’s request itself), rewrite policies (requests or responses are changed by the Citrix ADC/NetScaler) and many more.
Condition and expression
Policies always consist of a condition and an expression, in other words an if and a then: if a user requests the URL /red.htm, then drop the connection.
Policies have to be bound to an object (a vServer, a user, a group, globally, …). A policy won’t do anything as long as it is not bound somewhere.
The binding priority defines the order in which policies are processed when more than one policy is bound to the same resource. The lower the priority number, the higher the priority of the policy, so it is evaluated earlier.
Example: binding priority
The following two policies are bound to a load-balancing vServer:
100: if the client IP is in subnet 192.168.229.0/24, then allow access. Then end.
110: if the requested URL equals /red.htm, then deny access. Then end.
In this case,
- a user from the class C subnet 192.168.229.0/24 can access everything, including /red.htm, because of the first policy. Policy processing stops there, so the second policy is never evaluated.
- all other users cannot access /red.htm, because of the second policy.
More about binding policies:
Some policies, like rewrite policies or command policies, allow more than one policy to be active at the same time. What happens after a policy matches is controlled by its goto expression, which can be one of the following:
- End (the default): stop policy processing
- Next: process the next policy
- Goto priority # (jump to the policy bound with priority number #)
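To make the evaluation order concrete, the following is a small simulation of policy binding, added here as an example; it is not NetScaler code and the names (Policy, Request, evaluate_bindings, in_subnet, url_equals, url_prefix, page_example_policies) are this example's own. It walks the bindings in ascending priority order, applies the action of every policy whose condition matches, and then obeys the goto expression: END stops, NEXT continues with the following binding, and a number jumps forward to the binding with that priority. The two policies from the example above are modelled first with their default goto END, then with NEXT and with a numeric goto, to show how the same request ends up with a different decision.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed mini-model of policy binding and evaluation. This is illustrative
# code written for this article, not the NetScaler policy engine itself.


@dataclass
class Request:
    client_ip: str
    url: str


@dataclass
class Policy:
    name: str
    priority: int                          # binding priority: lower number is evaluated first
    condition: Callable[[Request], bool]   # the "if" part
    action: str                            # the "then" part, here ALLOW or DENY
    goto: str = "END"                      # "END", "NEXT", or a priority number such as "120"


def in_subnet(cidr: str) -> Callable[[Request], bool]:
    return lambda r: ip_address(r.client_ip) in ip_network(cidr)


def url_equals(path: str) -> Callable[[Request], bool]:
    return lambda r: r.url == path


def url_prefix(prefix: str) -> Callable[[Request], bool]:
    return lambda r: r.url.startswith(prefix)


def evaluate_bindings(policies: List[Policy], req: Request,
                      default: str = "ALLOW") -> Tuple[str, List[str]]:
    """Evaluate bound policies in ascending priority order.

    Returns (decision, trace). A policy whose condition does not match is
    skipped and evaluation continues with the next binding. When a policy
    matches, its action becomes the current decision and its goto expression
    decides what happens next. If nothing matches, the default applies.
    """
    ordered = sorted(policies, key=lambda p: p.priority)
    trace: List[str] = []
    decision: Optional[str] = None
    i = 0
    while i < len(ordered):
        pol = ordered[i]
        if not pol.condition(req):
            trace.append(f"{pol.priority} {pol.name}: no match")
            i += 1
            continue
        trace.append(f"{pol.priority} {pol.name}: match -> {pol.action}, goto {pol.goto}")
        decision = pol.action
        if pol.goto == "END":
            break
        if pol.goto == "NEXT":
            i += 1
            continue
        # Numeric goto: this model only allows jumping forward to a higher
        # priority number; every binding in between is skipped.
        target = int(pol.goto)
        if target <= pol.priority:
            raise ValueError(f"goto {target} must be higher than priority {pol.priority}")
        i = next((k for k, p in enumerate(ordered) if p.priority >= target), len(ordered))
    return (decision if decision is not None else default), trace


def page_example_policies(goto_first: str = "END") -> List[Policy]:
    """The two policies from the article, bound at priority 100 and 110."""
    return [
        Policy("allow-subnet", 100, in_subnet("192.168.229.0/24"), "ALLOW", goto_first),
        Policy("deny-red", 110, url_equals("/red.htm"), "DENY", "END"),
    ]


if __name__ == "__main__":
    insider = Request("192.168.229.10", "/red.htm")   # constructed sample requests
    outsider = Request("10.0.0.5", "/red.htm")
    for label, pols in [("goto END", page_example_policies()),
                        ("goto NEXT", page_example_policies("NEXT"))]:
        for req in (insider, outsider):
            decision, trace = evaluate_bindings(pols, req)
            print(f"[{label}] {req.client_ip} {req.url}: {decision}")
            for line in trace:
                print("   ", line)
```

With the default goto END the insider is allowed onto /red.htm after a single evaluation, exactly as the article describes. Changing the first policy's goto to NEXT makes the deny policy run as well, so the same insider is now denied; a goto of 120 skips the deny policy at 110 entirely and lands on whatever is bound at 120.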