Getting Started

To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can contain a list of URLs up to one million (1,000,000) blacklisted entries. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download URLs of highly sensitive URL sets managed by internet enforcement agencies (with government websites) or independent internet organizations such as the Internet Watch Foundation (IWF).  Once the URL set is downloaded from a website and imported into the appliance, the appliance encrypts the URL sets in the appliance (as required by these agencies) and kept confidential so that the entries are not tampered.

The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you might want to use an expression that evaluates the URL on the basis of an exact string match. For other URLs, you might want to use an expression that evaluates the URL’s metadata, in addition to an expression that checks for an exact string match.

Use Case for Safe Internet Access Policies for ISPs/Telcos

A URL set enables an Internet Service Provider (ISP) or a Telco customer to enforce government mandated safe internet access policies such as:

  1. Block access to illegal internet sites (child abuse, drugs, and so on)
  2. Safe browsing for children

A NetScaler appliance enables you to periodically download URL sets managed by internet enforcement agencies or independent internet organizations such as IWF (Internet Watch Foundation). The appliance periodically downloads the list and updates it securely. The list is stored as confidential URL sets so that it is not tampered or human readable. The periodically downloaded URL set functions as a blacklisted set for URL evaluation purposes.

If you have a private URL set and the contents of the list are kept confidential and the network administrator does not know about the blacklisted URLs present in the list. To make sure if the policy is configured correctly and the correct list is referenced to evaluate an incoming URL, you configure an internal URL called Canary URL and add it to the URL set. Using the Canary URL, the administrator can request through the appliance use the private URL set to ensure it is looked up for every URL request.

Getting Started