how do i perform authorization using advanced policy … · 2020-03-02 · how do i perform...
How do I perform Authorization using advanced policy expressions in NetScaler?
Background
Advanced policy expressions give administrators a richer set of expressions, such as body-based and DNS-based expressions, than the older classic ones. Advanced will be the default expression editor for the Session, Traffic and Authorization policy editors. You can switch to classic by clicking on “Switch to Classic Syntax”.
• Only one policy type (either advanced or classic) is allowed to be bound for a type of policy
  o E.g.: All authorization policies bound at any level must be either advanced or classic
  o Authorization policies of Advanced-type and Traffic policies of Classic type are allowed
Use case
The admin wants to block a set of users from accessing the download page of citrix.com. For this, the admin has created a user group called ‘BlacklistUserGroup’; any user that is a part of this group should not be allowed to access the download page.
Steps to achieve this
With advanced policy expressions, the administrator can create an authorization policy on the HTTP request and link it to the BlackListUserGroup. The steps from the NetScaler GUI are below:
1. Log in to the GUI, navigate to this path: Configuration -> NetScaler Gateway -> Policies -> Authorization
2. Click on the add button
3. Create an authorization policy. In our case, we have created the following -
4. Click on expression editor and use simple and intuitive dropdowns to create a policy expression. For us the expression is - http.req.hostname.contains("citrix.com") && http.req.url.contains("downloads")
Using the operator ‘&&’ and then creating another expression as below:
Finally, this is what the expression looks like:
5. Bind this authorization policy to the AAA-User group. Navigate to: Configuration -> NetScaler Gateway -> User Administration -> AAA Groups. In this case, we select BlackListUserGroup and Bind this policy to it.
Let us take a look at the Authorization Policy which is bound to this group:
Now, let us test this out:
1. We have a user – Blacklistuser which is a part of the BlackListUserGroup. This user should not be allowed to access the downloads page of citrix.com
2. The user launches Citrix.com from the bookmarks set as below:
The website launches as shown below.
3. The user clicks on the downloads tab on the website and is denied access with the below message.
Therefore, we have tested our configuration of the authorization policy to deny blacklisted users access to the download page of citrix.com
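The GUI steps above, expressed as NetScaler CLI commands so the configuration can be reviewed and reproduced as text. This is an added example, not part of the original article; the policy name authz_deny_downloads and the priority 100 are assumed values, while the expression and the group name come from the steps above.

```netscaler
# Added example: policy name and priority are assumptions, not values from the article.
# Steps 3-4: create the authorization policy with the advanced expression and a DENY action.
add authorization policy authz_deny_downloads "http.req.hostname.contains(\"citrix.com\") && http.req.url.contains(\"downloads\")" DENY

# Step 5: bind the policy to the AAA group used in the article.
bind aaa group BlackListUserGroup -policy authz_deny_downloads -priority 100

# Review what is bound to the group, then the policy definition itself.
show aaa group BlackListUserGroup
show authorization policy authz_deny_downloads
```

As the Background section notes, any authorization policies already bound at other levels must also be of the advanced type.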