SAM Office B.V.
Venrayseweg 16 5961 AG Horst
+31 77 398 22 88
www.samoffice.com
Whitepaper
NETSCALER ROCKS Core Logic
22-2-2016
Roel Schreibers, Jan Tytgat
Whitepaper-CoreLogic-NetScalerRocks
Page 2 | 24
INTRODUCTION
This document is intended as a whitepaper and a guide with in-depth information for all Citrix NetScaler enthusiasts out there. Whether you are a SAM Office customer who already has the Core-Logic installed, or a fellow Citrix NetScaler community member, we hope this whitepaper will provide you with some insights and ideas.
This document shows the Core-Logic as a black box:
• How to set up Core-Logic
• How to add a new Content Switching Virtual Server to the NetScaler
• How to add a new Application to a Content Switching Virtual Server
• How to manage the Control Plane
The SAM Office Challenge: Based on this document, we challenge you to figure out the policy expressions and the logic behind the Core-Logic. Let us know what you think, or give us your input on how we can make it even better! Rather start working with the SAM Office Core-Logic immediately? No problem, send an e-mail to info@samoffice.com and we will send you the files for free. SAM Office started with the Core-Logic, we believe in it, let’s make it even better together!
Need help? That’s what we at SAM Office do!
Kind regards,
Roel Schreibers, Jan Tytgat.
CONTENT
Build to maintain
  History
  Concept
Core-Logic
  Overview
  Expressions
  Control Plane
  Advantages
  Looking Forward
Implementation
  Requirements
  Basic design
Installation
  Step-By-Step
    Responder HTML pages
    Core-Logic Module
  Post-Installation
    String Maps
    Pattern Sets
    Policy Expressions
    Responder
    Load Balancing
    Content Switching
User Guide
  In-housing a Tenant
    Content Switching Virtual Servers
    Deployment Script
  Deploying applications for a tenant
    Web Application X
    Microsoft Exchange 2013
  Control Plane - Coding
    Keys
    Values
  Control Plane – Result
  Control Plane – Processing Flow
  Control Plane – CLI Management
Conclusions
BUILD TO MAINTAIN
HISTORY
It’s not clear when we started to think about a central steering mechanism for content switching, which eventually led to this whitepaper. Somewhere in 2014, we first published a blog on NetScalerRocks.com¹ introducing the idea of utilizing Citrix NetScaler’s strength of building dynamic expressions to steer requests to the correct Load Balancing Virtual Server. Until then, each request was steered using individual policies, causing configurations to become large and complex, and therefore hard to maintain.
The complexity and diversity of many configurations made it very time-consuming to figure out how things were actually processed, and what needed to be changed in order to make the requested change work without altering or disrupting the whole environment.
Version 11 of Citrix NetScaler also emphasized the possibility to use content switching in combination with the authentication possibilities of the platform. Using Unified Gateway as an AAA server, while being integrated into the Content Switching Virtual Server, enables us to be even more flexible in deploying applications. However, this flexibility also emphasizes the need for a unified method to configure and maintain the growing complexity of a configuration.
CONCEPT
The “Build to Maintain” concept is older, however. Finding a manageable and unified method to configure and maintain the NetScaler Configuration for a customer is an on-going quest:
• First of all, Visualization of the actual flow through different NetScaler components helped us communicate with the customer and support engineers, as it is imperative that both parties understand what is happening. At the same time, it helped define our intents to solve a given problem while making it easier to acquire a quick insight into what was happening at the customer. Even today, visualization is a major area of interest to us and we are still looking to improve on communicating about the mechanics of the grey area between Networking and Application, called Application Delivery.
• Second, besides the fact that Monitoring is already one of the primary services Citrix NetScaler offers, the complete Service Chain became an important part of the concept. Although the NetScaler appliance might be running flawlessly, we should also monitor the services and applications which are being load-balanced for their health, throughput, etc. Bridging the gap between Networking and Applications also requires monitoring to happen throughout the whole organization. As such, a specialized monitoring system like Command Center does not suffice, as it is accessible by NetScaler engineers only. It is imperative the customer’s IT department takes ownership of the (SNMP) monitoring as well, and Citrix NetScaler can be of great assistance in this area. As a result, monitoring Citrix NetScaler has become an integral part of the “Build to maintain” concept and has an impact on how an application is load-balanced on the platform.
• Third, standardized implementation methodology, starting with naming conventions, simple redirects to HTTPS, rewrites etc. Standardization is key to a maintainable environment.
¹ https://netscalerrocks.com/netscaler/contentswitching-quick-dirty/
The “build to maintain” concept, combined with our ideas around the Core-Logic, gave us new insights on how to build a manageable and unified Citrix NetScaler configuration for a customer, while starting a new quality cycle in improving our services for our customers.
CORE-LOGIC
Overview
Core-Logic does not specifically target the implementation of a single application on a Citrix NetScaler. However, it is considered as an integrated strategy to get consistency between different applications implemented on a NetScaler platform.
The focal point of the Core-Logic is to centralize all application steering across multiple HTTP/HTTPS Content Switching Virtual Servers by using a single String Map, which we call the Control Plane.
Much of this was inspired by https://www.citrix.com/blogs/2011/07/29/how-string-maps-help-simplify-and-reduce-configuration/ (thank you Neha).
In short, the Core-Logic is a collection of Advanced Policy Expressions and non-addressable Load Balancing Virtual Servers. The policy expressions are static and therefore versionable within a configuration’s lifecycle, so new features should/can be implemented in a controlled manner.
Expressions
Currently, the Core-Logic takes care of the following things on a HTTP and/or HTTPS Content Switch:
• Select the correct (non-addressable) Load Balancing Virtual Server, based on:
  o FQDN
  o FQDN + 1st path of the URL
  o FQDN domain (wildcard)
• Redirect the request:
  o From HTTP to HTTPS or vice versa
  o 301/302 Redirect based on:
    § FQDN
    § FQDN + 1st path of the URL
    § FQDN domain (wildcard)
• Drop or Reset the request, based on:
  o FQDN
  o FQDN + 1st path of the URL
  o FQDN domain (wildcard)
In most cases, reducing the number of content switching policies bound to a Content Switching Virtual Server also reduces the “time-to-decision” on how to process a request.
Control Plane
The Control Plane is a single String Map, which results in the following properties when used for the Core-Logic:
• Provide a centralized configuration for specific flows through the different Content Switching Virtual Servers.
• Minimize changes to the content switching policies by using the Core-Logic.
• Improve performance, especially for large configurations, as string maps are indexed on Citrix NetScaler.
Advantages
With the Core-Logic implemented, adding a new application should only require the creation of a non-addressable load balancing virtual server for the application and adding a corresponding entry to the Control Plane.
The advantages are clear:
• Changes have a lower impact on the current configuration.
• Changes are easier to automate.
• Changes take less time to be implemented.
• Lower time-to-decision
• Improved performance
Looking Forward
Currently, Core-Logic is at version 9. We could continue knocking ourselves out in adding new features or fancier possibilities to this single string map. However, this version delivers the necessary flexibility for most (current) implementations.
In the coming period, we intend to spend more time on automation of the entire process.
IMPLEMENTATION
REQUIREMENTS
A typical implementation of Citrix NetScaler is based on having a number of applications that need to be made accessible from the internet: Microsoft ADFS, Microsoft Exchange, Microsoft SharePoint, Citrix Storefront, etc. Needless to say, this can be any web application.
Possible extra requirements:
• Some applications require two-factor authentication.
• Some applications should be accessible anonymously.
• We really want to use only 1 IP address per “tenant”.
BASIC DESIGN
A deployment normally/regularly has the following basic ingredients:
• A logon point (AAA / Universal Gateway)
• A HTTP and a HTTPS version of a Content Switching Virtual Server
• A default Redirect to HTTPS
• Redirect capabilities (example: redirect an empty path to some sub-path)
• Content Switching Policies which define the steering.
With the exception of the logon point, the Core-Logic will take care of all basic ingredients. This leads to the following typical design:
[Figure: typical design. On the NetScaler, the Content Switching Virtual Servers CS_Services1_HTTP (VIP1, tcp 80; default: redirect to HTTPS) and CS_Services1_HTTPS (VIP1, tcp 443; default: block the request) use the Core Logic | Control Plane to steer requests to UG_AAA and to the Load Balancing Virtual Servers LB_ADFS (ADFS), LB_EX_OWA (Exchange), LB_SP (SharePoint) and LB_SF (Storefront).]
Other features like Rewrites, Application Firewall, Caching, etc. are application specific and must be configured on the individual Load Balancing Virtual Servers for an application.
INSTALLATION
The installation of the Core-Logic code is very easy, as outlined below.
STEP-BY-STEP
Responder HTML pages
resppage_no_service
Choose: AppExpert | Responder | HTML Page Imports, click Add.
Make sure the import page is named “resppage_no_service”; the core logic will refer to this name later on.
Click Continue.
This page will be shown if the Core-Logic detects a service has been configured, but the actual virtual server is currently not available.
Click Done.
<html>
<body>
<h1>OOPS!</h1>
<p>This page is shown because the requested service is currently unavailable.</p>
<p>Your IP Address: ${CLIENT.IP.SRC}</p>
<p>Requested: ${HTTP.REQ.URL}</p>
</body>
</html>
Note: You might want to adjust this basic HTML code to reflect standard messages within your organization.
resppage_blocked
Choose: AppExpert | Responder | HTML Page Imports, click Add.
Make sure the import page is named “resppage_blocked”; the core logic will refer to this name later on.
Click Continue.
This page will be shown if the Core-Logic detects a request for a service which is not configured.
Click Done.
<html>
<body>
<h1>BLOCKED</h1>
<p>This page is shown because the requested service is unknown.</p>
<p>Your IP Address: ${CLIENT.IP.SRC}</p>
<p>Requested: ${HTTP.REQ.URL}</p>
</body>
</html>
Note: You might want to adjust this basic HTML code to reflect standard messages within your organization.
Core-Logic Module
To install the Core-Logic, deploy the scripts through the command-line interface:
• Open an SSH shell to the NetScaler appliance.
• Copy/paste the code into the CLI
  o Note: Make sure you paste the different files in the correct order!
• Save the configuration!!
POST-INSTALLATION
The following items should be visible in the GUI after installing the core-logic files:
String Maps
(filled with sample data)
Pattern Sets
Policy Expressions
These expressions can be considered the “core-logic”
Responder
Responder Actions
Responder Policies
Load Balancing
Virtual Servers
Service Groups
Servers
Content Switching
Content Switching Actions
Content Switching Policies
USER GUIDE
The following section will provide you with detailed instructions on how to use the Core-Logic.
First of all, the actual name of the content switch is bound to the following limitations:
• The HTTP version of the content switch should end with _HTTP
• The HTTPS version of the content switch should end with _HTTPS (or _SSL)
• Both versions of the Content switch need to start off using the same name
Samples:
• A Content Switching Virtual Server for HTTP:
  o CS_Tenant1_HTTP
• A Content Switching Virtual Server for HTTPS:
  o CS_Tenant1_HTTPS
IN-HOUSING A TENANT
In-housing a new tenant equals the creation of two new Content Switching Virtual Servers and binding the Core-Logic policies with their correct priorities.
Content Switching Virtual Servers
CS_Tenant1_HTTP
Policy Bindings
Note: Make sure the Content Switching Policy bindings have the correct priority.
Default Load Balancing Virtual Server
The default Load Balancing Virtual Server for this Content Switching Virtual Server is VS_REDIR_302_SWITCH, as we wish to redirect all traffic from HTTP to HTTPS.
The VS_REDIR_302_SWITCH Load Balancing Virtual Server redirects the user in this situation to HTTPS.
CS_Tenant1_HTTPS
Policy Bindings
Note: This Content Switching Virtual Server has the same Content Switching Policy bindings, using the same priorities.
Default Load Balancing Virtual Server
The default Load Balancing Virtual Server for this Content Switching Virtual Server is VS_NO_SERVICE.
The VS_NO_SERVICE Load Balancing Virtual Server informs the user that:
• The requested application is currently unavailable (down)
• The requested application is unknown to the Control Plane
Extra Configuration
Additional resources will be bound to the Content Switching Virtual Server CS_Tenant1_HTTPS:
• One or more valid certificates (using Wildcard/SAN certificates, optionally using SNI)
• An AAA or Universal Gateway authentication virtual server.
Deployment Script
Content Switching Virtual Server for HTTP
add cs vserver CS_[TENANTNAME]_HTTP HTTP [VIP-Address] 80 -cltTimeout 180
bind cs vserver CS_[TENANTNAME]_HTTP -policyName CSP_FRST_PROTO -priority 101
bind cs vserver CS_[TENANTNAME]_HTTP -policyName CSP_FRST -priority 102
bind cs vserver CS_[TENANTNAME]_HTTP -policyName CSP_FQDN_PROTO -priority 111
bind cs vserver CS_[TENANTNAME]_HTTP -policyName CSP_FQDN -priority 112
bind cs vserver CS_[TENANTNAME]_HTTP -policyName CSP_WILD_PROTO -priority 121
bind cs vserver CS_[TENANTNAME]_HTTP -policyName CSP_WILD -priority 122
bind cs vserver CS_[TENANTNAME]_HTTP -lbvserver VS_REDIR_302_SWITCH
Content Switching Virtual Server for HTTPS
add cs vserver CS_[TENANTNAME]_HTTPS SSL [VIP-Address] 443 -cltTimeout 180
bind cs vserver CS_[TENANTNAME]_HTTPS -policyName CSP_FRST_PROTO -priority 101
bind cs vserver CS_[TENANTNAME]_HTTPS -policyName CSP_FRST -priority 102
bind cs vserver CS_[TENANTNAME]_HTTPS -policyName CSP_FQDN_PROTO -priority 111
bind cs vserver CS_[TENANTNAME]_HTTPS -policyName CSP_FQDN -priority 112
bind cs vserver CS_[TENANTNAME]_HTTPS -policyName CSP_WILD_PROTO -priority 121
bind cs vserver CS_[TENANTNAME]_HTTPS -policyName CSP_WILD -priority 122
bind cs vserver CS_[TENANTNAME]_HTTPS -lbvserver VS_NO_SERVICE
Note: Do not forget to bind Certificates to this Content Switching Virtual Server.
DEPLOYING APPLICATIONS FOR A TENANT
Web Application X
Web application X is configured as a non-addressable Load Balancing Virtual Server: VS_T1_Web
• The basic FQDN for the web application X is: www.tenant1.com
• All FQDNs using the tenant1.com domain should be redirected to “www.tenant1.com”
  o Redirect using a 301, moved permanently
• If the path is empty, we should redirect the user to /app1
• The application should always run on HTTPS
We add to the string map SM_CS_CONTROL:
Key                                  Value
cs_tenant1_https_www.tenant1.com     vs=VS_T1_Web;
cs_tenant1_tenant1.com               vs=VS_REDIR_301;dst=https://www.tenant1.com;
cs_tenant1_*.tenant1.com             vs=VS_REDIR_301;dst=//www.tenant1.com;
cs_tenant1_https_www.tenant1.com/    vs=VS_REDIR_302;dst=/app1;
Note: the redirect to HTTPS is performed by default due to the configuration of CS_Tenant1_HTTP.
Sub-path with different configuration:
If the tenant has /app2 added on their web server in a later stage, and it should run on HTTP only, we add the following entries to the string map SM_CS_CONTROL:
Key                                      Value
cs_tenant1_http_www.tenant1.com/app2     vs=VS_T1_Web;
cs_tenant1_https_www.tenant1.com/app2    vs=VS_REDIR_302_SWITCH;
Microsoft Exchange 2013
Using the deployment guide provided by Citrix, the following Load Balancing Virtual Servers are created:
Application Component    Load Balancing Virtual Servers
Outlook web access       Vs_t1_ex_owa
Ecp                      Vs_t1_ex_ecp
Ews                      Vs_t1_ex_ews
Eas                      Vs_t1_ex_eas
Oab                      Vs_t1_ex_oab
RPC                      Vs_t1_ex_rcp
Mapi                     Vs_t1_ex_mapi
Autodiscover             Vs_t1_ex_autod
Note: The deployment guide for Microsoft Exchange 2013 can be found at the following URL².
² Microsoft Exchange 2013 – Deployment Guide: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-citrix-netscaler-deployment-guide.pdf
After the creation of the Load Balancing Virtual Servers we only need to edit the Control Plane, by adding the necessary entries:
Key                                             Value
cs_tenant1_https_mail.tenant1.com/owa           vs=Vs_t1_ex_owa;
cs_tenant1_https_mail.tenant1.com/eas           vs=Vs_t1_ex_eas;
cs_tenant1_https_mail.tenant1.com/ews           vs=Vs_t1_ex_ews;
cs_tenant1_https_mail.tenant1.com/ecp           vs=Vs_t1_ex_ecp;
cs_tenant1_https_mail.tenant1.com/autodiscover  vs=Vs_t1_ex_autod;
cs_tenant1_autodiscover.tenant1.com             vs=VS_REDIR_302;dst=https://mail.tenant1.com/AutoDiscover/AutoDiscover.xml;
cs_tenant1_https_mail.tenant1.com/              vs=VS_REDIR_302;dst=/owa;
cs_tenant1_http_mail.tenant1.com                vs=VS_REDIR_SWITCH;info=³;
Note: there are multiple ways to implement “autodiscover” for Outlook, depending on the configuration of Exchange 2013.
³ This one is needed because we redirected the wildcard *.tenant1.com to www.tenant1.com earlier.
CONTROL PLANE - CODING
The SM_CS_CONTROL entries are designed to be human-readable, even without a deeper understanding of NetScaler or Core-Logic.
A string map consists of key-value pairs, which are being used by the Core-Logic. In order for the Control Plane to work, some rules must be kept in mind when editing the string map.
Keys
The key describes when the core logic should take action:
• The key is always in lowercase!
• A key cannot be used twice (it is the index for the String Map)
• The key consists of 2 parts separated by a single underscore (_):
  • The full name of the content switching virtual server (e.g. cs_tenant1_https) or the common part of the name for HTTP|HTTPS content switching virtual servers (e.g. cs_tenant1).
  • The URL we want to take action on:
    o FQDN (www.tenant1.com)
    o FQDN/1st path (www.tenant1.com/app2)
    o Wildcard Domain (*.tenant1.com)⁴
Values
The value describes what action should be taken:
• vs=[a load balancing virtual server name];
  o Mandatory!
  o Do not forget the semicolon “;” at the end!
  o Special VServers:
    § VS_REDIR_302_SWITCH (redirect http -> https or https -> http)
    § VS_REDIR_301 (redirect “301 moved permanently” to the dst value)
    § VS_REDIR_302 (redirect “302 found” to the dst value)
    § VS_DROP (drops the request)
    § VS_RESET (resets the request)
• dst=[a destination reference];
  o Mandatory for VS_REDIR_301 and VS_REDIR_302!
  o Do not forget the semicolon “;” at the end!
  o Both VS_REDIR_301 and VS_REDIR_302 perform relative redirects when using the dst entry.
• info=[some remark on the entry];
  o Optional
  o Do not forget the semicolon “;” at the end!
⁴ The entry tenant1.com refers to the FQDN, *.tenant1.com refers to all the subdomains!!
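The key and value rules above can be checked before entries are bound. The following Python linter is an added example, not part of the whitepaper or of the Core-Logic code; the function name lint_control_plane, the sample entries, the case-sensitive treatment of field names and the whitespace check are assumptions made for illustration.

```python
# Added example: checks the key and value rules listed above. Not Core-Logic code.

NEEDS_DST = {"VS_REDIR_301", "VS_REDIR_302"}   # dst= is mandatory for these
KNOWN_FIELDS = {"vs", "dst", "info"}           # assumption: names are case-sensitive


def lint_control_plane(entries):
    """entries: iterable of (key, value) pairs. Returns a list of (key, problem)."""
    problems, seen = [], set()
    for key, value in entries:
        if key != key.lower():
            problems.append((key, "key is not lowercase"))
        if key in seen:
            problems.append((key, "key is used twice"))
        seen.add(key)
        # Only the FQDN plus the 1st path is a valid URL part of a key.
        if key.count("/") > 1:
            problems.append((key, "key has more than one path segment"))
        if not value.endswith(";"):
            problems.append((key, "value does not end with ';'"))
        fields = {}
        for part in filter(None, value.split(";")):
            name, sep, val = part.partition("=")
            if not sep or name not in KNOWN_FIELDS:
                problems.append((key, f"unknown field {part!r}"))
                continue
            # Assumption: stray spaces around vs=/dst= values are unintended.
            if name != "info" and val != val.strip():
                problems.append((key, f"whitespace around {name}= value"))
            fields[name] = val.strip()
        if not fields.get("vs"):
            problems.append((key, "vs= is missing"))
        elif fields["vs"] in NEEDS_DST and not fields.get("dst"):
            problems.append((key, f"dst= is mandatory for {fields['vs']}"))
    return problems


# Constructed sample entries: the first is valid, the others each break a rule.
SAMPLE = [
    ("cs_tenant1_https_www.tenant1.com", "vs=VS_T1_Web;"),
    ("CS_Tenant1_https_shop.tenant1.com", "vs=VS_T1_Web;"),
    ("cs_tenant1_tenant1.com", "vs=VS_REDIR_301;info=apex redirect;"),
    ("cs_tenant1_https_www.tenant1.com", "vs=VS_T1_Web"),
    ("cs_tenant1_https_www.tenant1.com/app2/admin", "dst=/app2;"),
]

if __name__ == "__main__":
    for key, problem in lint_control_plane(SAMPLE):
        print(f"{key}: {problem}")
```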
CONTROL PLANE – RESULT
The Control Plane for our tenant1 would look like this:
bind stringmap SM_CS_CONTROL "cs_tenant1_https_www.tenant1.com" "vs=VS_T1_Web;"
bind stringmap SM_CS_CONTROL "cs_tenant1_tenant1.com" "vs=VS_REDIR_301;dst=https://www.tenant1.com;"
bind stringmap SM_CS_CONTROL "cs_tenant1_*.tenant1.com" "vs=VS_REDIR_301;dst=//www.tenant1.com;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_www.tenant1.com/" "vs=VS_REDIR_302;dst=/app1;"
bind stringmap SM_CS_CONTROL "cs_tenant1_http_www.tenant1.com/app2" "vs=VS_T1_Web;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_www.tenant1.com/app2" "vs=VS_REDIR_302_SWITCH;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_mail.tenant1.com/owa" "vs=Vs_t1_ex_owa;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_mail.tenant1.com/eas" "vs=Vs_t1_ex_eas;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_mail.tenant1.com/ews" "vs=Vs_t1_ex_ews;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_mail.tenant1.com/ecp" "vs=Vs_t1_ex_ecp;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_mail.tenant1.com/autodiscover" "vs=Vs_t1_ex_autod;"
bind stringmap SM_CS_CONTROL "cs_tenant1_autodiscover.tenant1.com" "vs=VS_REDIR_302;dst=https://mail.tenant1.com/AutoDiscover/AutoDiscover.xml;"
bind stringmap SM_CS_CONTROL "cs_tenant1_https_mail.tenant1.com/" "vs=VS_REDIR_302;dst=/owa;"
bind stringmap SM_CS_CONTROL "cs_tenant1_http_mail.tenant1.com" "vs=VS_REDIR_SWITCH;info=*.tenant1.com goes to www.tenant1.com;"
CONTROL PLANE – PROCESSING FLOW
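[Figure: Control Plane processing flow. The recoverable content of the diagram is listed below.]
An HTTP.REQ comes in on one of the Content switches. The flow uses these names:
• CS_FULLNAME: name of the Content switch used
• CS_NAME: CS_FULLNAME minus the ending _HTTP or _HTTPS
• FQDN_WILD: "*." + HTTP.REQ.HOSTNAME.DOMAIN
Select VSERVER to use: SM_CS_CONTROL is looked up with the following keys, from top to bottom:
• CS_FULLNAME + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH.GET(1)
• CS_NAME + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH.GET(1)
• CS_FULLNAME + HTTP.REQ.HOSTNAME
• CS_NAME + HTTP.REQ.HOSTNAME
• CS_FULLNAME + FQDN_WILD
• CS_NAME + FQDN_WILD
Outcomes:
• VS_xxxxx, VS_yyyyy, VS_zzzzz: the selected Load Balancing Virtual Server
• VS_REDIR_301, VS_REDIR_302: Select Redirect (from SM_CS_CONTROL)
• VS_REDIR_302_SWITCH: Redirect Switch http --> https and https --> http
• No entry found: (CS=HTTPS) VS_NO_SERVICE, (CS=HTTP) VS_REDIR_302_SWITCH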
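The lookup order of the processing flow can be modelled outside the appliance to predict which entry a request will hit. The following Python sketch is an added example, not the Core-Logic policy expressions; the function names, the lowercasing of host and path, and the reading of HTTP.REQ.HOSTNAME.DOMAIN as "host name without its first label" are assumptions, and the table is constructed from the tenant1 entries in this paper.

```python
# Added example: a model of the documented lookup order, not the Core-Logic code.

# Constructed Control Plane, using entries from the tenant1 tables in this paper.
SM_CS_CONTROL = {
    "cs_tenant1_https_www.tenant1.com": "vs=VS_T1_Web;",
    "cs_tenant1_tenant1.com": "vs=VS_REDIR_301;dst=https://www.tenant1.com;",
    "cs_tenant1_*.tenant1.com": "vs=VS_REDIR_301;dst=//www.tenant1.com;",
    "cs_tenant1_https_www.tenant1.com/": "vs=VS_REDIR_302;dst=/app1;",
    "cs_tenant1_http_www.tenant1.com/app2": "vs=VS_T1_Web;",
    "cs_tenant1_https_www.tenant1.com/app2": "vs=VS_REDIR_302_SWITCH;",
    "cs_tenant1_https_mail.tenant1.com/owa": "vs=Vs_t1_ex_owa;",
    "cs_tenant1_https_mail.tenant1.com/": "vs=VS_REDIR_302;dst=/owa;",
}

# Default vserver bound to each content switch when no key matches.
DEFAULT_VS = {"http": "VS_REDIR_302_SWITCH", "https": "VS_NO_SERVICE"}


def split_cs_name(cs_fullname):
    """Return (CS_FULLNAME, CS_NAME, protocol), all lowercase like the keys."""
    full = cs_fullname.lower()
    name, _, proto = full.rpartition("_")
    if not name or proto not in DEFAULT_VS:
        raise ValueError(f"{cs_fullname!r} must end with _HTTP or _HTTPS")
    return full, name, proto


def candidate_keys(cs_fullname, host, path):
    """Keys in the order of the processing flow: first path, FQDN, wildcard;
    the protocol-specific name is tried before the common name each time."""
    full, name, _ = split_cs_name(cs_fullname)
    host = host.lower().split(":")[0]                 # drop an optional port
    first = path.lower().lstrip("/").split("/")[0]    # models URL.PATH.GET(1)
    # Assumption: HOSTNAME.DOMAIN is the host name without its first label.
    wild = "*." + host.split(".", 1)[-1]
    return [f"{cs}_{url}" for url in (f"{host}/{first}", host, wild)
            for cs in (full, name)]


def resolve(cs_fullname, host, path, table=SM_CS_CONTROL):
    """Return (matched key or None, vserver, dst or None) for one request."""
    for key in candidate_keys(cs_fullname, host, path):
        if key in table:
            fields = dict(f.split("=", 1) for f in table[key].split(";") if f)
            return key, fields["vs"], fields.get("dst")
    return None, DEFAULT_VS[split_cs_name(cs_fullname)[2]], None


def wildcard_hits(requests, table=SM_CS_CONTROL):
    """Requests that are only caught by a wildcard-domain entry."""
    return [r for r in requests if "_*." in (resolve(*r, table=table)[0] or "")]


if __name__ == "__main__":
    for req in [("CS_Tenant1_HTTPS", "www.tenant1.com", "/"),
                ("CS_Tenant1_HTTPS", "mail.tenant1.com", "/owa/auth"),
                ("CS_Tenant1_HTTP", "mail.tenant1.com", "/owa"),
                ("CS_Tenant1_HTTPS", "shop.example.org", "/")]:
        print(req, "->", resolve(*req))
```

The third request shows the situation footnote 3 describes: without a dedicated cs_tenant1_http_mail.tenant1.com entry, an HTTP request for mail.tenant1.com is caught by the *.tenant1.com wildcard and redirected to www.tenant1.com.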
CONTROL PLANE – CLI MANAGEMENT
The string map SM_CS_CONTROL can be managed through the GUI. With a bit of practice, however, using the command line interface is generally easier and faster for larger configurations.
Adding Entries
The basic command to add an entry to the SM_CS_CONTROL string map:
bind stringmap SM_CS_CONTROL [key] [value]
Tip: always put the key and value between quotes: “[value]”
Deleting Entries
The basic command to remove an entry from the SM_CS_CONTROL string map:
unbind stringmap SM_CS_CONTROL [key]
Showing Entries
The command to get all entries for cs_tenant1 (http and https):
show run | grep SM_CS_CONTROL | grep cs_tenant1
CONCLUSIONS
The Core-Logic is an attempt at creating a unified way to integrate applications into one or more content switching virtual servers. The Core-Logic links the Content Switching Virtual Server(s) to the applications using the Control Plane.
It generalizes the most common Content Switching Policies and Responder Policies into a single set of code. In addition, the Core-Logic code itself is not specific for a Content Switching Virtual Server, a Load Balancing Virtual Server or a given redirect.
Creating a new Content Switching Virtual Server can easily be automated, since the policies bound to a Content Switching Virtual Server are static. A new tenant can be deployed by having 3 parameters:
• [Name]
• [VIP]
• [Certificate]
The steering is done through a single Control Plane, which can also easily be automated. Changes to this string map can be considered a lower-impact change to the configuration.
The Control Plane uses the “more restrictive” principle to determine the flow of the requests, resulting in the following list of keys from least restrictive to most restrictive:
• cs_tenant1_[wildcard domain]
• cs_tenant1_[protocol]_[wildcard domain]
• cs_tenant1_[fqdn]
• cs_tenant1_[protocol]_[fqdn]
• cs_tenant1_[fqdn + 1st path]
• cs_tenant1_[protocol]_[fqdn + 1st path]
For DTAP (development-test-acceptance-production) situations this unification of code is helpful.
For multi-tenant/hosting providers it can help them keep control of application delivery for their customers and ease the deployment of new tenants and/or applications.