In this blog post I would like to share how to configure NetScaler to proxy the traffic from MDX apps via a proxy server such as Squid or Bluecoat. Enterprises can proxy this traffic by configuring simple traffic rules on the NetScaler box. Configuration changes are required on both the NetScaler box and the AppController.

On AppController: 

Set NetworkAccess policy of each MDX app to below settings:

On NetScaler Gateway:

Proxy can be configured at three places on a NetScaler box:

  1. As a global policy.
  2. As a session policy at v-server level.
  3. As a traffic policy at v-server level.

The tricky part is writing the policy rules/expressions that select the traffic to be proxied. Below are a few scenarios I have considered, with an explanation of how to set the proxy in each.

Scenario #1:

An enterprise wants only the traffic of a specific MDX app to be proxied; for example, it wants to proxy only WorxWeb traffic. Below is one of the many ways to configure this.

My approach to this scenario is to write an AG traffic policy rule that matches only WorxWeb traffic, give it a specific priority, and bind it to a v-server.

Step #1: Create a traffic action where you define the proxy server, port and kind (HTTP/HTTPS) of traffic you want to proxy. For HTTP traffic, “qual” in the command below is HTTP; for HTTPS traffic, “qual” is TCP. At the ns root:

Actual command:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficAction <trafficAction name>  <qual> [-appTimeOut <mins>] [(-SSO ( ON | OFF ) [-formSSOAction <string>]) | -wanscaler ( ON | OFF )] [-fta ( ON| OFF )] [-kcdAccount <string>] [-samlSSOProfile <string>] [-proxy <string:port>]

———————————————————————————————————————————————————————————————————————————————————————————

Traffic action to proxy HTTP traffic:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficAction proxy-http http -SSO ON -proxy "10.105.39.250:3128"

———————————————————————————————————————————————————————————————————————————————————————————

The above command creates a new traffic action called “proxy-http”. We use this action to proxy HTTP traffic from WorxWeb.

Traffic action to proxy HTTPS traffic:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficAction proxy-https tcp -proxy "10.105.39.250:3128"

———————————————————————————————————————————————————————————————————————————————————————————

The above command creates a new traffic action called “proxy-https”. We use this action to proxy HTTPS traffic from WorxWeb.

Step #2: Create a traffic policy where you define a rule/expression to filter traffic for WorxWeb and bind a traffic action to that rule.

Actual command:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficPolicy <name> <rule> <trafficAction>  

———————————————————————————————————————————————————————————————————————————————————————————

We need to write a simple rule that matches traffic originating from WorxWeb. To identify this traffic we use the User-Agent string in the HTTP header: the WorxWeb User-Agent string contains “com.citrix.browser” or “Mozilla”, so we filter on those.

———————————————————————————————————————————————————————————————————————————————————————————

Rule: "(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser)"

———————————————————————————————————————————————————————————————————————————————————————————

Traffic Policy to filter HTTP traffic from WorxWeb:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficPolicy HTTP-TP "(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser) && REQ.TCP.DESTPORT == 80" proxy-http

———————————————————————————————————————————————————————————————————————————————————————————

Traffic Policy to filter HTTPS traffic from WorxWeb:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficPolicy HTTPS-TP "(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser) && REQ.TCP.DESTPORT == 443" proxy-https

———————————————————————————————————————————————————————————————————————————————————————————

The above two commands create two traffic policies named “HTTP-TP” and “HTTPS-TP”, which proxy HTTP and HTTPS traffic respectively via the proxy server (10.105.39.250:3128 in our example) defined in the bound traffic actions, proxy-http and proxy-https.

Step #3: Bind the traffic policy to a v-server with specific priorities.

Actual Command:

———————————————————————————————————————————————————————————————————————————————————————————

bind vpn vserver <name> -policy <pol_name> -priority <num>

———————————————————————————————————————————————————————————————————————————————————————————

In this example the vserver is named “testag”; the commands to bind the traffic policies created above are:

To bind HTTP traffic policy:

———————————————————————————————————————————————————————————————————————————————————————————

bind vpn vserver testag -policy  HTTP-TP -priority 100

———————————————————————————————————————————————————————————————————————————————————————————

To bind HTTPS traffic policy:

———————————————————————————————————————————————————————————————————————————————————————————

bind vpn vserver testag -policy  HTTPS-TP -priority 90

———————————————————————————————————————————————————————————————————————————————————————————

The above two commands bind both the HTTP and HTTPS traffic policies to v-server “testag”. I bound the HTTPS traffic policy with the higher priority (the lower number, 90) because I want that policy to be evaluated first.

That’s it; in three simple steps we are done, and all traffic originating from the WorxWeb app will now be proxied. The approach is not specific to WorxWeb: it applies to other MDX apps by changing only the traffic rule/expression. For example, if an enterprise wants to proxy ShareFile traffic, the traffic policy rule would be:

———————————————————————————————————————————————————————————————————————————————————————————

REQ.HTTP.HEADER User-Agent CONTAINS "ShareFile"

———————————————————————————————————————————————————————————————————————————————————————————

Scenario #2:  

An enterprise wants to proxy all traffic irrespective of where it originates, but does not want to proxy ActiveSync traffic or traffic to the AppController servers.

My approach in this case is to set a proxy server at the global level and write traffic rules for the exclusions, i.e. ActiveSync traffic and traffic to AppController.

Step #1: 

Set a proxy server globally.

Actual command:

———————————————————————————————————————————————————————————————————————————————————————————

set vpn parameter -proxy [NS/BROWSER] [-httpProxy IP:Port | -allProtocolProxy IP:Port | -sslProxy IP:Port]

———————————————————————————————————————————————————————————————————————————————————————————

To set the proxy server for HTTP traffic:

———————————————————————————————————————————————————————————————————————————————————————————

set vpn parameter -proxy NS -httpProxy "10.105.39.250:3128"

———————————————————————————————————————————————————————————————————————————————————————————

To set the proxy server for HTTPS traffic:

———————————————————————————————————————————————————————————————————————————————————————————

set vpn parameter -proxy NS -sslProxy "10.105.39.250:3128"

———————————————————————————————————————————————————————————————————————————————————————————

The above two commands set both the HTTP and HTTPS proxies at the global level. All traffic reaching NetScaler Gateway (aka Access Gateway) will be proxied, except for the exclusions.

Step #2: 

Write traffic policies and actions for the exclusions, i.e. ActiveSync traffic and traffic to AppController. A traffic policy bound to a traffic action in which no proxy is defined causes the matching traffic not to be proxied when the policy evaluates to true. One traffic action serves both exclusions.

Traffic Action:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficAction "traffic_will_not_be_proxed" -appTimeOut 1 -proxy NOPROXY

———————————————————————————————————————————————————————————————————————————————————————————

In the above traffic action the “-proxy” switch is set to NOPROXY, so no proxy server is defined for it.

Next, we need to write two traffic policies, one for excluding ActiveSync traffic and the other for AppController. Both policies use the same traffic action with no proxy server defined, i.e. the one we just created.

Rule to filter traffic to the ActiveSync server, assuming the Exchange server is hosted on IP 10.105.39.230:

———————————————————————————————————————————————————————————————————————————————————————————

"REQ.IP.DESTIP == 10.105.39.230"

———————————————————————————————————————————————————————————————————————————————————————————

Rule to filter traffic to AppController: we can use the User-Agent string for this, since traffic to AppController via AG comes specifically from WorxHome.

———————————————————————————————————————————————————————————————————————————————————————————

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise

———————————————————————————————————————————————————————————————————————————————————————————

Traffic policy for ActiveSync server exclusion:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficPolicy ActiveSync_Exclusion "REQ.IP.DESTIP == 10.105.39.230" traffic_will_not_be_proxed

———————————————————————————————————————————————————————————————————————————————————————————

Traffic policy for AppC exclusion:

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficPolicy AppC_Exclusion "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise" traffic_will_not_be_proxed

———————————————————————————————————————————————————————————————————————————————————————————

Step #3:

Bind the above policies to the vserver.

In this example the vserver is named “testag”; the commands to bind the traffic policies created above are:

To bind Active Sync Exclusion:

———————————————————————————————————————————————————————————————————————————————————————————

bind vpn vserver testag -policy ActiveSync_Exclusion -priority 100

———————————————————————————————————————————————————————————————————————————————————————————

To bind AppC Exclusion:

———————————————————————————————————————————————————————————————————————————————————————————

bind vpn vserver testag -policy AppC_Exclusion -priority 90

———————————————————————————————————————————————————————————————————————————————————————————

The above two commands bind both exclusion traffic policies to v-server “testag”. That’s it; in three simple steps we are done, and all traffic destined to AG will now be proxied except ActiveSync and AppC traffic. The traffic rule for AppC can also be written as

———————————————————————————————————————————————————————————————————————————————————————————

REQ.IP.DESTIP == "10.105.39.212"

———————————————————————————————————————————————————————————————————————————————————————————

where “10.105.39.212” is the AppController's IP address.

Like the above, one can create different rules and proxy traffic based on business need. As stated earlier, the proxy can be set at different places. In this blog post I haven’t shown the proxy setting at the session policy level; it is set in the same way as the others: you need to create a session rule that filters the traffic and a session action that defines the proxy server and port.

I will end this blog by summarizing the commands to add/create traffic actions, session actions, traffic policies and session policies, to bind/unbind policies, to set/unset the proxy, etc., and how policies are evaluated by NS.

Configuring traffic action

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficAction <name> <qual> [-SSO ( ON | OFF)]  [-proxy <IP:PORT>] 

or

add vpn trafficAction <name> <qual> [-SSO ( ON | OFF)] [-proxy NOPROXY]    // this sets no proxy on the action, i.e. don't proxy the traffic.

———————————————————————————————————————————————————————————————————————————————————————————

Configuring traffic policy

———————————————————————————————————————————————————————————————————————————————————————————

add vpn trafficPolicy <name> <rule> <action> 

———————————————————————————————————————————————————————————————————————————————————————————

Configuring session wide proxy

———————————————————————————————————————————————————————————————————————————————————————————

set vpn parameter -proxy NS [-httpProxy IP:PORT | -allProtocolProxy IP:PORT | -sslProxy IP:PORT]

set vpn sessionAction <name> -proxy NS [-httpProxy IP:PORT | -allProtocolProxy IP:PORT | -sslProxy IP:PORT] 

———————————————————————————————————————————————————————————————————————————————————————————

Binding the policy

———————————————————————————————————————————————————————————————————————————————————————————

bind vpn vserver <name> -policy <pol_name> -priority <num>

bind vpn global -policy <pol_name> -priority <num>

———————————————————————————————————————————————————————————————————————————————————————————

To unset proxy settings

———————————————————————————————————————————————————————————————————————————————————————————

unset vpn parameter -proxy [NS/BROWSER]

———————————————————————————————————————————————————————————————————————————————————————————

To unset HTTP proxy setting

———————————————————————————————————————————————————————————————————————————————————————————

unset vpn parameter -httpProxy

———————————————————————————————————————————————————————————————————————————————————————————

To unset SSL/HTTPS proxy setting

———————————————————————————————————————————————————————————————————————————————————————————

unset vpn parameter -sslProxy

———————————————————————————————————————————————————————————————————————————————————————————

Policy evaluation by NS:

  1. The policy with the highest priority (lowest number) is evaluated first, irrespective of whether it is bound at the User, Group, v-server or Global level.
  2. The NetScaler appliance implements the first policy that matches and ignores the rest (except for rewrite policies).
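To make the priority and first-match semantics above concrete, here is an added Python example (not from this post, and not Citrix code) that compiles the classic-syntax rules used in Scenario #1, Scenario #2 and the mail exclusion into predicates and evaluates the Scenario #2 bindings against constructed sample requests; the request dict keys and the (priority, name, rule, proxy) tuple shape are assumptions of this example.

```python
import re

def compile_rule(expr):
    """Compile the classic NetScaler expression subset used in this post (REQ.HTTP.HEADER
    and REQ.HTTP.URL CONTAINS, REQ.TCP.DESTPORT and REQ.IP.DESTIP ==, &&, ||, parentheses)
    into a predicate over a request dict with keys ip, port, url and headers."""
    toks = [t.strip('"\u201c\u201d') for t in re.findall(r'\(|\)|&&|\|\||[^\s()]+', expr)]
    def nxt(): return toks.pop(0)                 # consume the next token
    def peek(): return toks[0] if toks else None  # look ahead without consuming
    def atom():
        t = nxt()
        if t == "(":
            f = parse_or()
            nxt()                                 # the matching ')'
            return f
        a, b = nxt(), nxt()                       # '<op> <value>', or '<header> CONTAINS'
        if t == "REQ.HTTP.HEADER":                # REQ.HTTP.HEADER <name> CONTAINS <value>
            val = nxt()
            return lambda r: val in r["headers"].get(a, "")
        return {"REQ.HTTP.URL": lambda r: b in r["url"],
                "REQ.TCP.DESTPORT": lambda r: r["port"] == int(b),
                "REQ.IP.DESTIP": lambda r: r["ip"] == b}[t]
    def parse_and():                              # && binds tighter than ||
        f = atom()
        while peek() == "&&":
            nxt(); f = (lambda g, h: lambda r: g(r) and h(r))(f, atom())
        return f
    def parse_or():
        f = parse_and()
        while peek() == "||":
            nxt(); f = (lambda g, h: lambda r: g(r) or h(r))(f, parse_and())
        return f
    return parse_or()

def evaluate(bindings, req, global_proxy=None):
    """NS semantics from the post: lowest priority number is evaluated first and the
    first matching policy wins; with no match the global 'set vpn parameter' proxy applies."""
    for _prio, name, rule, proxy in sorted(bindings, key=lambda b: b[0]):
        if rule(req):
            return name, proxy
    return "global", global_proxy

# Scenario #2 bindings from the post as (priority, name, rule, proxy) tuples; this tuple
# shape is an assumption of this example, and requests fed to evaluate() are constructed.
GLOBAL_PROXY = "10.105.39.250:3128"
BINDINGS = [
    (100, "ActiveSync_Exclusion", compile_rule("REQ.IP.DESTIP == 10.105.39.230"), "NOPROXY"),
    (90, "AppC_Exclusion", compile_rule("REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || "
                                        "REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise"), "NOPROXY"),
]
```

Because the User-Agent header is supplied by the client, the REQ.IP.DESTIP form of the AppC rule shown earlier is the stricter of the two exclusions when the AppController address is fixed.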

Known limitations:

  • HTTPS traffic will not be proxied when VPN mode is Secure Browse.
  • The proxy string should always be in IP:PORT format; FQDN is not supported.

Other useful rules:

To exclude mail traffic, use the traffic rule below with NoProxyAction:

———————————————————————————————————————————————————————————————————————————————————————————

Rule: REQ.HTTP.URL CONTAINS /Microsoft-Server-ActiveSync && (REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.mail || REQ.HTTP.HEADER User-Agent CONTAINS WorxMail || REQ.HTTP.HEADER User-Agent CONTAINS MSFT-WP)

Traffic action:

add vpn trafficAction NoProxyAction http -proxy NOPROXY

Traffic policy:

add vpn trafficPolicy <name> "REQ.HTTP.URL CONTAINS /Microsoft-Server-ActiveSync && (REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.mail || REQ.HTTP.HEADER User-Agent CONTAINS WorxMail || REQ.HTTP.HEADER User-Agent CONTAINS MSFT-WP)" NoProxyAction

———————————————————————————————————————————————————————————————————————————————————————————