Citrix Gateway

Using Advance Policy to Create VPN Policies

Classic Policy Engine (PE) and Advance Policy Infrastructure (PI) are two different policy-configuration-and-evaluation frameworks that Citrix ADC currently supports.

Advance Policy Infrastructure consists of powerful expression language. The expression language can be used to define rules in policy, define various parts of Action, and other entities supported. The expression language can parse through any part of the request or response and also enables you to look deeply through the headers and payload. The same expression language expands and works through every logical module Citrix ADC supports.

Note: You are encouraged to use advanced policies for creating policies.

Why Migrate from Classic Policy to Advance Policy?

Advanced Policy has a rich expression set and offers much greater flexibility than Classic Policy. As Citrix ADC scales and caters to a vast variety of clients, it is imperative to support expressions which vastly exceed the Advanced Policies. For more information, see Policies and Expressions.

Following are the added capabilities for Advance Policy.

  • Ability to access the body of the messages.
  • Supports many other protocols.
  • Accesses many other features of the system.
  • Has more number of basic functions, operators, and data types.
  • Caters to the parsing of HTML, JSON, and XML files.
  • Facilitates fast parallel multi-string matching (patsets, and so forth).

Now the following VPN policies can be configured using Advance Policy.

  • Session Policy
  • Authorization Policy
  • Traffic Policy
  • Tunnel Policy
  • Audit Policy

Also, End Point Analysis (EPA) can be configured as an nFactor for authentication feature. EPA is used as a gatekeeper for endpoint devices trying to connect to the Gateway appliance. Before the Gateway logon page is displayed on an endpoint device, the device is checked for minimum hardware and software requirements, depending on the eligibility criteria configured by the Gateway administrator. The access to the Gateway is granted based on the outcome of the performed checks. Previously EPA was configured as part of session policy. Now it can be linked to nFactor providing more flexibility, as to when it can be performed. For more information on EPA, see How endpoint policies work topic. For more on nFactor, see nFactor authentication topic.

Use Cases:

Pre-authentication EPA using Advanced EPA

Pre-authentication EPA scan happens before a user provides the logon credentials. For information on configuring Citrix Gateway for nFactor authentication with pre-authentication EPA scan as one of the authentication factors, see CTX224268 topic.

Post authentication EPA using Advanced EPA

Post authentication EPA scan happens after user credentials are verified. Under the classic policy infrastructure, post authentication EPA was configured as part of the session policy or session action. Under the advanced policy infrastructure, the EPA scan is to be configured as an EPA factor in nFactor authentication. For information on configuring Citrix Gateway for nFactor authentication with post-authentication EPA scan as one of the authentication factors, see CTX224303 topic.

Pre-authentication and post-authentication EPA using Advanced policies

EPA can be performed before authentication and post authentication. For information on configuring Citrix Gateway for nFactor authentication with pre-authentication and post-authentication EPA scans, see CTX231362 topic.

Periodic EPA scan as a factor in nFactor authentication

Under classic policy infrastructure, periodic EPA scan was configured as part of session policy action. Under the advanced policy infrastructure, it can be configured as part of the EPA factor in nFactor authentication.

For more information on configuring Periodic EPA scan as a factor in nFactor authentication, click CTX231361 topic.

Troubleshooting:

The following points are to be kept in mind for troubleshooting.

  • Classic and Advance policies of the same type (for example, Session policy) cannot be bound to the same entity/bind point.
  • Priority is mandatory for all PI policies.
  • Advance Policy for the VPN can be bound to all bind points.
  • Advance Policy with the same priority can be bound to a single bind point.
  • If none of the configured authorization policies get selected, then the global authorization action configured in the VPN parameter is applied.
  • In authorization policy, the authorization action is not reversed if the authorization rule fails.

Commonly used Advanced Policy equivalent expressions for Classic Policy:

Classic Policy expressions Advance Policy expressions
ns_true true
ns_false false
REQ.HTTP HTTP.REQ
RES.HTTP HTTP.RES
HEADER “foo” HEADER(“foo”)
CONTAINS ”bar” .CONTAINS(“bar”) [Note use of “..”]
REQ.IP CLIENT.IP
RES.IP SERVER.IP
SOURCEIP SRC
DESTIP DST
REQ.TCP CLIENT.TCP
RES.TCP SERVER.TCP
SOURCEPORT SRCPORT
DESTPORT DSTPORT
STATUSCODE STATUS
REQ.SSL.CLIENT.CERT CLIENT.SSL.CLIENT_CERT
Using Advance Policy to Create VPN Policies