Product Documentation

Using Advance Policy to Create VPN Policies

Jan 02, 2018

Classic Policy Engine (PE) and Advance Policy Infrastructure (PI) are two different policy-configuration-and-evaluation frameworks that NetScaler currently supports.

Advance Policy Infrastructure is built on an extremely powerful expression language. The expression language is used to define the rules in a policy, the various parts of an action, and other supported entities. It can parse any part of the request or response and lets you look deeply into both headers and payload. The same expression language is shared by every logical module that NetScaler supports.

Note

You are encouraged to use advanced policies for creating policies.

Why Migrate from Classic Policy to Advance Policy?

Advanced Policy has a rich expression set and offers much greater flexibility than Classic Policy. As NetScaler scales and caters to a vast variety of clients, it is imperative to support expressions that go well beyond what Classic Policy offers. For more information, click here.

Following are the added capabilities for Advance Policy.

  • Ability to access the body of the messages.
  • Supports many additional protocols.
  • Accesses many additional features of the system.
  • Has more basic functions, operators, and data types.
  • Caters to the parsing of HTML, JSON, and XML files.
  • Facilitates fast parallel multi-string matching (patsets, etc.).

Now the following VPN policies can be configured using Advance Policy.

  • Session Policy
  • Authorization Policy
  • Traffic Policy
  • Tunnel Policy
  • Audit Policy

Also, End Point Analysis (EPA) can be configured as a factor in nFactor authentication. EPA acts as a gatekeeper for endpoint devices trying to connect to the Gateway appliance. Before the Gateway logon page is displayed on an endpoint device, the device is checked for minimum hardware and software requirements, according to the eligibility criteria configured by the Gateway administrator. Access to the Gateway is granted based on the outcome of these checks. Previously, EPA was configured as part of the session policy. Now it can be linked to nFactor, which gives more flexibility as to when the scan is performed. For more information on EPA, click here. For more on nFactor, click here.

Use Cases

Pre-authentication EPA using Advanced EPA

A pre-authentication EPA scan happens before the user provides the logon credentials. For information on configuring NetScaler Gateway for nFactor authentication with a pre-authentication EPA scan as one of the authentication factors, see https://support.citrix.com/article/CTX224268.

Post-auth EPA using Advanced EPA

A post-authentication EPA scan happens after the user's credentials are verified. Under the Classic policy infrastructure, post-authentication EPA was configured as part of the session policy or session action. Under the Advanced policy infrastructure, the EPA scan is configured as an EPA factor in nFactor authentication. For information on configuring NetScaler Gateway for nFactor authentication with a post-authentication EPA scan as one of the authentication factors, see https://support.citrix.com/article/CTX224303.

Pre-authentication and post-authentication EPA using Advanced policies

EPA can be performed both before and after authentication. For information on configuring NetScaler Gateway for nFactor authentication with pre-authentication and post-authentication EPA scans, see https://support.citrix.com/article/CTX231362.

Periodic EPA scan as a factor in nFactor authentication

Under the Classic policy infrastructure, the periodic EPA scan was configured as part of the session policy action. Under the Advanced policy infrastructure, it is configured as part of the EPA factor in nFactor authentication.

For more information on configuring Periodic EPA scan as a factor in nFactor authentication, click https://support.citrix.com/article/CTX231361.

Troubleshooting

The following points are to be kept in mind for troubleshooting.

  • Classic and Advance policies of the same type (for example, Session policy) cannot be bound to the same entity/bind point.
  • Priority is mandatory for all of the PI policies.
  • Advance Policy for VPN can be bound to all bind points.
  • Advance Policies with the same priority can be bound to a single bind point.
  • If none of the configured authorization policies matches, the global authorization action configured in the VPN parameter is applied.
  • In an authorization policy, the authorization action is not reversed if the authorization rule fails.

Commonly used Advanced Policy equivalent expressions for Classic Policy

Classic Policy expression          Advance Policy expression
ns_true                            true
ns_false                           false
REQ.HTTP                           HTTP.REQ
RES.HTTP                           HTTP.RES
HEADER "foo"                       HEADER("foo")
CONTAINS "bar"                     .CONTAINS("bar")   [Note the use of "."]
REQ.IP                             CLIENT.IP
RES.IP                             SERVER.IP
SOURCEIP                           SRC
DESTIP                             DST
REQ.TCP                            CLIENT.TCP
RES.TCP                            SERVER.TCP
SOURCEPORT                         SRCPORT
DESTPORT                           DSTPORT
STATUSCODE                         STATUS
REQ.SSL.CLIENT.CERT                CLIENT.SSL.CLIENT_CERT
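The table above is easy to apply by hand to one rule, but a migration touches many session, authorization and traffic policies, and the recurring mistake is the dotted method syntax (the "." before CONTAINS and the parentheses around the header name). The following converter, written for this page as an added example and not NetScaler code, applies the table's mappings mechanically to a classic rule string and emits the Advance Policy equivalent, so that the result can be reviewed before it is used in an add/set command. The prefix and qualifier mappings are exactly the rows of the table; two things go beyond it and are assumptions: the translation of the classic "==" operator to the advanced ".EQ()" method, and the handling of "&&"/"||" between sub-expressions.

```python
"""Classic -> Advance Policy expression converter (added example, not NetScaler code).

Mappings below are taken from the equivalence table on this page. The '==' -> '.EQ()'
rule and the '&&' / '||' handling are assumptions that go beyond that table.
"""
import re

# Dotted prefixes from the table, longest first so REQ.SSL.CLIENT.CERT wins over REQ.SSL.
PREFIX_MAP = {
    "REQ.SSL.CLIENT.CERT": "CLIENT.SSL.CLIENT_CERT",
    "REQ.HTTP": "HTTP.REQ",
    "RES.HTTP": "HTTP.RES",
    "REQ.IP": "CLIENT.IP",
    "RES.IP": "SERVER.IP",
    "REQ.TCP": "CLIENT.TCP",
    "RES.TCP": "SERVER.TCP",
}
# Trailing qualifiers that are renamed in the advanced syntax.
QUALIFIER_MAP = {
    "SOURCEIP": "SRC", "DESTIP": "DST",
    "SOURCEPORT": "SRCPORT", "DESTPORT": "DSTPORT",
    "STATUSCODE": "STATUS",
}
# Classic infix operator -> advanced method name. 'EQ' is an assumption (not in the table).
OPERATOR_MAP = {"CONTAINS": "CONTAINS", "==": "EQ"}

# Tokens are either a double-quoted string or a run of non-blank characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def _fmt_value(tok: str) -> str:
    """Quote string operands; leave numbers and dotted IPv4 literals bare."""
    if tok.startswith('"') and tok.endswith('"'):
        return tok
    if re.fullmatch(r"\d+(\.\d+){0,3}", tok):
        return tok
    return f'"{tok}"'


def _convert_qualifier(path: str, tokens: list, pos: int):
    """Translate one dotted classic qualifier such as REQ.HTTP.HEADER.
    Returns (advanced_text, index_of_next_unconsumed_token)."""
    for prefix in sorted(PREFIX_MAP, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "."):
            rest = path[len(prefix):].lstrip(".")
            parts = [PREFIX_MAP[prefix]]
            parts += [QUALIFIER_MAP.get(p, p) for p in rest.split(".") if p]
            break
    else:
        raise ValueError(f"unknown classic qualifier: {path}")
    # In classic syntax HEADER takes the header name as the following token;
    # the advanced form is HEADER("name").
    if parts[-1] == "HEADER" and pos < len(tokens) and tokens[pos] not in OPERATOR_MAP:
        parts[-1] = f'HEADER("{tokens[pos].strip(chr(34))}")'
        pos += 1
    return ".".join(parts), pos


def _convert_simple(tokens: list) -> str:
    """Convert one sub-expression with no && or || in it."""
    if not tokens:
        raise ValueError("empty sub-expression")
    if tokens == ["ns_true"]:
        return "true"
    if tokens == ["ns_false"]:
        return "false"
    text, pos = _convert_qualifier(tokens[0], tokens, 1)
    if pos < len(tokens):
        op = tokens[pos]
        if op not in OPERATOR_MAP or pos + 1 >= len(tokens):
            raise ValueError(f"unsupported operator or missing operand: {tokens[pos:]}")
        # Dotted method syntax: qualifier.OP(value) rather than 'qualifier OP value'.
        text += f".{OPERATOR_MAP[op]}({_fmt_value(tokens[pos + 1])})"
        pos += 2
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return text


def classic_to_advanced(expr: str) -> str:
    """Convert a classic policy rule to its Advance Policy equivalent."""
    out, segment = [], []
    for tok in TOKEN_RE.findall(expr):
        if tok in ("&&", "||"):          # boolean connectives are kept as-is (assumption)
            out.append(_convert_simple(segment))
            out.append(tok)
            segment = []
        else:
            segment.append(tok)
    out.append(_convert_simple(segment))
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample rules of the kind found in classic VPN policies.
    for rule in ('REQ.HTTP.HEADER User-Agent CONTAINS "Mozilla"',
                 "RES.HTTP.STATUSCODE == 200",
                 "REQ.TCP.DESTPORT == 443 && REQ.HTTP.HEADER Host CONTAINS example.com"):
        print(f"{rule}\n  -> {classic_to_advanced(rule)}")
```

The converter deliberately refuses anything it does not recognise instead of passing it through unchanged: a rule that silently keeps classic syntax would fail at configuration time at best, and at worst match differently from the original, which for a session or authorization policy is an access-control change.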