-
Getting Started with Citrix ADC
-
Deploy a Citrix ADC VPX instance
-
Optimize Citrix ADC VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply Citrix ADC VPX configurations at the first boot of the Citrix ADC appliance in cloud
-
Install a Citrix ADC VPX instance on Microsoft Hyper-V servers
-
Install a Citrix ADC VPX instance on Linux-KVM platform
-
Prerequisites for Installing Citrix ADC VPX Virtual Appliances on Linux-KVM Platform
-
Provisioning the Citrix ADC Virtual Appliance by using OpenStack
-
Provisioning the Citrix ADC Virtual Appliance by using the Virtual Machine Manager
-
Configuring Citrix ADC Virtual Appliances to Use SR-IOV Network Interface
-
Configuring Citrix ADC Virtual Appliances to use PCI Passthrough Network Interface
-
Provisioning the Citrix ADC Virtual Appliance by using the virsh Program
-
Provisioning the Citrix ADC Virtual Appliance with SR-IOV, on OpenStack
-
Configuring a Citrix ADC VPX Instance on KVM to Use OVS DPDK-Based Host Interfaces
-
-
Deploy a Citrix ADC VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Configure a Citrix ADC VPX instance to use SR-IOV network interface
-
Configure a Citrix ADC VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a Citrix ADC VPX instance on Microsoft Azure
-
Network architecture for Citrix ADC VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a Citrix ADC VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Configure a Citrix ADC VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the Citrix high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure address pools (IIP) for a Citrix Gateway appliance
-
Upgrade and downgrade a Citrix ADC appliance
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
On-premises Citrix Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the Citrix ADC appliance
-
-
-
-
Authentication and authorization for System Users
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Citrix ADC Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Content inspection callout
When a Citrix ADC appliance sends an ICAP request, the ICAP server uses a status code to specify the response status. The status code also specifies the action to be taken by the appliance. For example, if the status code in an ICAP response is 200 OK for a REQMOD ICAP request and if res-hdr is set, then the ICAP client can send the received response from the ICAP server to the user. But, if the res-hdr is not set, then the ICAP client (Citrix ADC appliance) can forward the original or adapted request to the origin back-end server.
But in certain scenarios, the ICAP server cannot take the final decision. Instead it only provides the requested information to the appliance and the appliance can decide based on policy evaluation. In this case, the ICAP client cannot depend only on the ICAP response status code, instead it looks at the received ICAP headers and evaluates the policy expression on the headers and applies the associated action.
Following are some use cases where the ICAP content Inspection callout is needed:
- On receiving the SSH handshake request, the ICAP client (Citrix ADC appliance) might classify the accessed domain and decide whether to continue the handshake or drop it.
- On receiving an HTTP request for a service, the appliance might check the access permission for an external server based on the tenant ID of the user. The appropriate action can be taken.
In both the scenarios, the ICAP server does not have any idea about the configured policy, instead it just sends back the requested information to the appliance. The appliance then applies the policy on the received response information and applies the associated action. The ICAP content inspection callout is added to the ICAP framework to return the request information from an external ICAP server. The functionality of this callout is very much similar to how an HTTP callout works. Any policy expression, for example, Responder or AppFirewall can trigger the ICAP request to the configured ICAP server. The requested information, configured through returnExpr, is then extracted from the ICAP response and passed to the requested module
The ICAP content inspection callout is added to the ICAP framework to return the request information from an external ICAP server. The functionality of this callout is very much similar to how an HTTP callout works. The ICAP module can use an existing Advanced policy expression can be used to trigger an ICAP callout to the configured ICAP server
Content inspection callout policy expression
The following content inspection policy expression is used as the return expression in the ICAP callout. The syntax of this content inspection callout expression is similar to an HTTP callout expression.
SYS.CI_CALLOUT(<ContentInspection callout name>).Operator
Where,
<ContentInspection callout name> is the ContentInspection callout of type ICAP that defines the properties of the ICAP server. And the ICAP Profile to be used to send and receive the request to/from the ICAP server.
The return type of the response from the ICAP callout agent determines the set of operators that you can use on the response. If the part of the response that you want to analyze is text, you can use a text operator to analyze the response. For example, you can use the CONTAINS(<string>) operator to check whether the specified portion of the response contains a particular string.
Example:
SYS.CI_CALLOUT(CI-callout). Contains(“value to be checked”)
Configuring ICAP content inspection callout
Complete the following steps to configure the ICAP content inspection callout on your appliance.
- Add ICAP profile
- Add content inspection callout
- set content inspection callout expression
- Invoke content inspection callout
Add ICAP profile
Add content inspection callout
The ContentInspectioncCallout command specifies the ICAP server information and the return expression and its type.
At the command prompt, type:
add contentInspection callout <name> -type ICAP [-profileName <string>] (-serverName <string> | (-serverip <ip_addr|ipv6_addr> [-serverport <positive_integer>])) [-returnType <returnType>] [-resultExpr <string>] [-comment <string>]
Where:
<profileName> - Name of the ICAP Profile
<returnType> - ( **BOOL | NUM | TEXT**)
<resultExpr> - The expression to be evaluated on receiving the ICAP response, must start with ICAP.RES.
Example:
Extract the value of the X-URL-Category ICAP response header, the resultExpr can be specified as per the following.
add contentInspection callout cic –type ICAP –profileName profile1 –resultExpr “ICAP.RES.HEADER("X-URL-Category")”
The preceding expression returns the value of X-URL-Category checks the return value and apply the associated action.
Feature policy using content inspection callout and feature action
When a Citrix ADC feature needs to interact with an external service using ICAP, the feature can use the content inspection callout, CI_CALLOUT. In this mode, the feature uses the CI_CALLOUT in the feature policy expression to trigger the ICAP request to the external ICAP server. On receiving the response, the feature can specify the resultExpression in the ContentInspection action to extract the required information from the ICAP response. The result can be Boolean, numeric, or text. The feature then can take the associated action based on the extracted result. Let’s see a use case of how the feature policies using CI Callout to take the feature action.
Use case 1: To extract SNI using the Video Optimization detection policy and drop the handshake if the domain is “Social Media”
Complete the following steps to configure the use case:
-
Add ICAP profile
add icapProfile ICAPProfileName –mode REQMOD -insertHTTPRequest q{ "GET / HTTP/1.1\r\nHost: " + CLIENT.SSL.DETECTED_DOMAIN + "\r\n\r\n"} -
Add the content inspection callout representing the ICAP server and the result expression to extract category information from the ICAP response.
add contentInspection callout cic -type ICAP -serverName icap-server-name -icapProfile ICAPProfileName -resultExpr "ICAP.res.header("X-URL-Category")" –resultType [same as callout resultType] -
Add a video detection policy and expression to fetch the URL category information for the received domain and drop the request if the category is “Social Media”.
add videooptimization detectionpolicy policy_urlcat -rule " SYS.CI_CALLOUT(cic).EQ(\"Social Media\")" -action DROP
Use case 2: To retrieve the URL category from the ICAP server and block it using a pattern set
Complete the following steps to configure the use case:
-
Add an ICAP Profile that defines the mode and the HTTP Request.
add icapProfile ICAPProfileName –mode REQMOD -insertHTTPRequest q{ "GET / HTTP/1.1\r\nHost: " + CLIENT.SSL.DETECTED_DOMAIN + "\r\n\r\n"} -
Add a Content Inspection callout to fetch the Category information.
add contentInspection callout cic -type ICAP -serverName icap-server-name -icapProfile ICAPProfileName -resultExpr "ICAP.res.header("X-URL-Category")" -
Add a pattern set and bind the blocked category pattern to it.
add policy patset blocked-categorybind policy patset blocked-category “gambling” –index 1bind policy patset blocked-category “social media” –index 2bind policy patset blocked-category “games” –index 3 -
Add a video optimization detection policy to invoke the ICAP callout action.
add videooptimization detectionpolicy policy_urlcat –rule SYS.CI_CALLOUT(cic).CONTAINS_ANY("blocked-category")" -action DROP
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.