Citrix ADC policy infrastructure controls data traffic into the appliance. Each policy uses a logical expression to evaluate a request or a response and, based on the outcome of the evaluation, applies one or more actions to it.

With Citrix ADC, you can use both Classic and Advanced policy infrastructures. The Advanced policy infrastructure uses expressions that are similar to Classic policies but is capable of analyzing complex data and can configure more operations in its expressions. For example, it can transform data in the request body into an HTTP request.

Advanced policies are more powerful than Classic policies and are required to evaluate the complex data generated by our newest Citrix ADC features. And Citrix has deprecated Classic policy usage in its configurations, so if your appliance configuration is still using Classic, it’s time to switch to Advanced.

Before you do, though, let’s take a look at the benefits of using Advanced policies and why you should make the shift.

Why Move to Advanced Policies?

Most Citrix ADC features generate complex data that have to be evaluated, which makes Advanced policies preferable. What can you do with an Advanced policy infrastructure? Here are some capabilities:

  • Perform fine-grained analyses of network traffic from layers 2 through 7
  • Evaluate any part of the header or body of an HTTP or HTTPS request or response
  • Bind policies to the multiple bind points that an Advanced policy infrastructure supports at the default, override, and virtual server levels
  • Use “goto” expressions to transfer control to other policies and bind points, as determined by the result of expression evaluation
  • Use special tools such as pattern sets, policy labels, rate limit identifiers, and HTTP callouts, which enable you to configure policies effectively for complex data evaluation

The Citrix ADC GUI supports built-in Advanced policies and expressions, which means you can easily configure the policies and their expressions. The GUI also includes a policy evaluation feature that you can use to evaluate an Advanced policy and test its behavior before you commit it, avoiding configuration errors.

Let’s consider an ICAP feature that performs content inspection in a Citrix ADC appliance. This feature receives an HTTP request, intercepts the traffic, and uses a Content Inspection policy to evaluate whether the HTTP request needs ICAP processing. If it does, the appliance decrypts the message and sends it as plain text to the ICAP servers. The ICAP servers execute the content transformation service on the request message and send back a response to the appliance. The appliance must use Advanced policies, not Classic policies, to perform complex operations such as load balancing, content transformation, and integrated caching.

Example: add ContentInspection policy ci_pol_HTTP -rule "HTTP.REQ.URL.CONTAINS(\"html\")" -action ci_act_svc

With some dynamic capabilities, you can use Advanced policy expressions instead of Classic policies. To do this, you must upgrade your appliance to 12.0 build 56.20 or later and switch to an Advanced policy infrastructure.

So how do I migrate my existing Classic policies? And what if I have hundreds of them in my appliance?

How Do I Move to Advanced Policies?

You can migrate your Classic policies and their functionalities either manually or by using the nspepi tool, which can auto-convert Classic policies and their expressions (in the Citrix ADC commands, expressions, and configurations) to the Advanced policy infrastructure.

For more information about the nspepi tool and its conversion process, see the conversion using nspepi tool topic on the Product Documentation site. For information about Classic policies that are deprecated and alternative non-deprecated features, check out the deprecated features and functionalities page.

Here’s an example of a manually converted Advanced policy expression:

Classic:

add filter policy f_pol1 -rule "REQ.HTTP.URL == /test" -reqAction RESET

Advanced:

add responder policy f_pol1 "HTTP.REQ.URL.EQ(\"/test\")" RESET

With manual conversion, you have to change a Classic policy to an Advanced policy in the appliance configuration file, which can be tiring when you have hundreds of policies. Instead you can use the nspepi tool for the conversion. In the automated process, you provide the expression or path to the configuration file as follows.

nspepi [-h] (-e <classic policy expression> | -f <path to ns config file>) [-d] [-v] [-V]
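Before converting, it helps to know which policies in a configuration are still Classic. The following is an added example, not part of the original post or of Citrix tooling: it scans configuration text for policy definitions whose expressions look Classic and prints the matching nspepi -e invocation for each. The sample lines, policy names, and the REQ./RES. prefix heuristic are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample lines in ns.conf style (not from a real appliance).
SAMPLE_CONFIG = r'''
add filter policy f_pol1 -rule "REQ.HTTP.URL == /test" -reqAction RESET
add responder policy r_pol1 "HTTP.REQ.URL.EQ(\"/test\")" RESET
add contentInspection policy ci_pol_HTTP -rule "HTTP.REQ.URL.CONTAINS(\"html\")" -action ci_act_svc
add cs policy cs_pol1 -rule "REQ.HTTP.URL == /images"
set ns hostname adc01
'''

# Assumption: a Classic expression starts a term with REQ. or RES.
# (as in REQ.HTTP.URL), while Advanced puts the protocol first (HTTP.REQ.URL).
CLASSIC_TERM = re.compile(r'(?<![.\w])(?:REQ|RES)\.', re.IGNORECASE)


def find_classic_policies(config_text):
    """Return one finding per 'add <feature> policy' line that looks Classic."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if len(tokens) < 4 or tokens[0] != 'add' or tokens[2].lower() != 'policy':
            continue
        feature, name = tokens[1], tokens[3]
        # Check every argument after the policy name: the rule may follow
        # -rule or be positional, as in the responder example above.
        classic = [t for t in tokens[4:] if CLASSIC_TERM.search(t)]
        if classic:
            findings.append({
                'line': line_no,
                'feature': feature,
                'name': name,
                'expression': classic[0],
                # Command form taken from the nspepi usage line above.
                'nspepi': shlex.join(['nspepi', '-e', classic[0]]),
            })
    return findings


if __name__ == '__main__':
    for f in find_classic_policies(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['feature']} policy {f['name']}: {f['nspepi']}")
```

The prefix check is a triage heuristic only; nspepi remains the authority on what is Classic and how it converts.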

What’s Next?

As we build Citrix ADC’s policy infrastructure with quick configurable policies and rules, we want our core policy and expression layer to remain simple, yet dynamic. Some of our new features require the Citrix ADC appliance to maintain states and remember tokens for intelligent decision-making during the session lifecycle. Advanced policy expressions help achieve this and provide operational capabilities.

To learn more about Advanced policy infrastructure and shifting from Classic policies in your configuration, check out the product documentation.

