Citrix App Temp Share Point Dep Guide NS90 B 66
AppExpert Template
Deployment Guide
Microsoft Sharepoint
Deployment Guide
Notice:
THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.
Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.
Table of Contents
Introduction
Solution Requirements
Prerequisites
Network Diagram
AppExpert Templates
  Introduction
Sharepoint Template
  Sharepoint AppExpert Template Configuration
  Characterization of the Sharepoint Application
  Sharepoint Application Units
  Ordering of Application Units
  Sharepoint Public Endpoint Configuration - HTTP
  Sharepoint Load Balancing Configuration - HTTP
  Recommended Sharepoint Deployment
  Sharepoint Public Endpoint Configuration - HTTPS
  Sharepoint HTTP-to-HTTPS Redirect
  Application Visualizer
Exporting AppExpert Templates
Importing AppExpert Templates
Appendix A - NetScaler Configuration
Appendix B - Content Types
Introduction
Citrix® NetScaler® optimizes the delivery of web applications — increasing security and improving
performance and Web server capacity. This approach ensures the best total cost of ownership (TCO),
security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive
network system that combines high-speed load balancing and content switching with state-of-the-art
application acceleration, layer 4-7 traffic management, data compression, dynamic content caching,
SSL acceleration, network optimization, and robust application security into a single, tightly integrated
solution. Deployed in front of application servers, the system significantly reduces processing overhead
on application and database servers, reducing hardware and bandwidth costs.
Additionally, AppExpert Templates allow you to drill down and see which individual NetScaler policies are
active, and what policies are inactive but available, by application component and NetScaler module.
From this same view, individual policies can be created, activated and deactivated.
AppExpert Templates can be downloaded, imported, modified and exported. Administrators can
download AppExpert Templates built by Citrix, Citrix Partners and members of the NetScaler community
from the Citrix Community Website. These templates are easily imported into any NetScaler running
NetScaler 9.0 or higher, jump starting the configuration and deployment process. Templates developed
in-house can be easily exported and shared within your organization, or posted back to the Citrix
Community Website for others to view and improve.
Solution Requirements
• Application Switch NetScaler
• Microsoft Sharepoint
Prerequisites
• Citrix NetScaler L4/7 Application Switch, running version 9.0 build 66 (Quantity x 2 for HA)
• Windows Sharepoint Services (WSS)
• Microsoft Office Sharepoint Server (MOSS)
• Client laptop/workstation running Internet Explorer 6.0+, Ethernet port
• 9-pin serial cable -or- USB-to-serial cable
Network Diagram
The following is the network that was used to develop this deployment guide.
[Network diagram: Microsoft SharePoint Server Farm behind a Citrix NetScaler. Sharepoint load balanced IP 'virtualsharepoint' 10.60.x.y. VLAN 11 on interface 1/7, untagged; SNIP 192.168.x.y / 24.]
AppExpert Templates
Introduction
AppExpert Templates are a new and simple approach to configuration management for complex enterprise
applications. Applications are listed in the left-most column of the NetScaler GUI under AppExpert. In
one simple view, you can see what is most important to you in terms of application delivery. You simply
configure what constitutes interesting traffic for each application delivery unit, and turn on the rules for
compression, caching, rewrite, filtering, responder and application firewall. This differs from
having to go into each feature and define complex rules and expressions individually, and it reduces the time
to deploy, eases management and improves the bottom line.
The process for entering AppExpert Templates into the NetScaler Application Switch is simple. From
the GUI, navigate to NetScaler > AppExpert > Applications. Select 'Add' to add the Application by
name. Select 'Add' again to enter an Application Unit, which refers to the workflow, for example "Report
Management". Enter the Expression to identify the reports, for example URL == '/*.pdf'. From this
basis, the important operations can be configured for all reports that pertain to this application, such
as compression, caching, rewrite, filtering, responder and application firewall.
One final step involves adding the front-end Virtual IP Address (VIP) and back-end servers. Then, by
virtue of this configuration, load balancing is in effect for this application. Load Balancing algorithms and
persistence can be modified from the default values.
Sharepoint Template
Sharepoint AppExpert Template Configuration
Sharepoint is an enterprise information portal from Microsoft that can be configured to run Intranet,
Extranet and Internet sites. There are two underlying software technologies, Microsoft Windows
Sharepoint Services (WSS) and Microsoft Office Sharepoint Server (MOSS). Sharepoint services (WSS)
is typically used by small teams, projects and companies, while Sharepoint Server (MOSS) is designed
for individuals, teams and projects within a medium to large enterprise. MOSS is a collaborative portal
that is built on top of WSS. MOSS requires a license.
The Sharepoint application server is characterized by shared folders and files, collaboration, document
workspace, meetings, discussion boards, integrated workflows, RSS Feeds, blogs, wikis, FrontPage
integration and ASP web pages. The goal of Sharepoint is to provide a simple, familiar and consistent
user experience tightly integrated with applications that run through a web browser.
What this means to an Application Expert is that a myriad of content will pass through the
Citrix NetScaler Application Switch.
After installation, the first page that comes up on the Sharepoint server is /localhost/default.aspx. If you
view some examples of Sharepoint sites for collaboration, you can see that just about every document
type and content type will be uploaded to and downloaded from the site. If you view some examples of
Sharepoint Internet Web sites, you will see them full of images, scripts and .aspx pages.
What is important to the Application Expert is how the application is characterized by its content. In
other words, what is the content that comprises the back-end application, and what are you most
concerned with regarding its delivery? It is this content that we are most interested in, as we will build
AppExpert Templates around this content.
Characterization of the Sharepoint Application
We know from experience that Sharepoint workflows are characterized by collaboration, portals, enterprise content management, and
business intelligence, to name a few. We can peel back the layers of these workflows to identify the actual data that is transferred between
Client and Server when this Application is in use. Under the hood, the workflows are characterized according to the following table.
SOAP Services
  Content: SOAP responses
  Identified by: Method is a POST, and the Header contains soapaction
Portal Management
  Content: Dynamic content - .jsp, .jspx, .asp, .aspx; Static content - .html, .mht, .mhtml, .xhtml, .xml
  Identified by: .asp, .aspx, .htm, .html, .mht, .mhtml, .xhtml, .xml, .jsp, .jspx
Document Management
  Content: Document Sharing & Storage, MS Office Documents, Reports, Spreadsheets, Forms
  Identified by: .doc, .docx, .ppt, .pptx, .dot, .dotx, .docm, .dotm, .rtf, .txt, .wps, .ppt, .pptx, .pot, .potx, .pptm, .potm, .thmx, .ppsx, .ppsm, .pps, .ppam, .pdf, .csv, .txt, .prn, .xsn, .xls, .xlsx, .xlt, .xltx, .xlsb, .xlsm, .xltm, .dif, .slk, .xlam, .xla
Image Management
  Content: Responses containing images
  Identified by: .gif, .jpg, .jpeg, .tif, .tiff, .bmp, .wmf, .emf, .png, .wbmp, .ico
Styles and Scripts
  Content: Stylesheets, Scripts
  Identified by: .css, .js, .htc, .axd, .wmls
Web Services Definitions
  Content: WSDLs and WSILs
  Identified by: ?wsdl, .wsdl, ?wsil, .wsil, .xml
If we examine the workflows in Sharepoint, we know that some of this content is compressible, while some is not. Some of this content
is cacheable, while some is not. And so we form the basis of our AppExpert Template. In summary, we want to configure the AppExpert
Template for the following features. A check indicates we want to enable the feature. The Default appears last and is a catch-all for traffic
that has not been characterized by our Application Units. We have added an HTTPS Redirect, because we want to redirect all HTTP traffic to
HTTPS. The Application Units, in order, are:
• FrontPage Services
• SOAP Services
• Portal Management
• Document Management
• Image Management
• Styles and Scripts
• Web Services Definitions
• Web Services Schemas
• Default
From the Workflow table, we build the following expression table, one entry for each Application Unit. This is the interesting traffic to which we will
apply policy.
FrontPage Services
  HTTP.REQ.HEADER("X-Vermeer-Content-Type").EXISTS
SOAP Services
  HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HEADER("soapaction").EXISTS
Portal Management
  URL == '/*.jsp' || URL == '/*.jspx' || URL == '/*.asp' || URL == '/*.aspx' || URL == '/*.htm' || URL == '/*.html' || URL == '/*.mht' || URL == '/*.mhtml' || URL == '/*.xhtml' || URL == '/*.xml'
Document Management
  URL == '/*.pdf' || URL == '/*.csv' || URL == '/*.prn' || URL == '/*.xsn' || URL == '/*.xls' || URL == '/*.xlsx' || URL == '/*.xlt' || URL == '/*.xltx' || URL == '/*.xlsb' || URL == '/*.xlsm' || URL == '/*.xltm' || URL == '/*.dif' || URL == '/*.slk' || URL == '/*.xlam' || URL == '/*.xla' || URL == '/*.doc' || URL == '/*.docx' || URL == '/*.ppt' || URL == '/*.pptx' || URL == '/*.dot' || URL == '/*.dotx' || URL == '/*.docm' || URL == '/*.dotm' || URL == '/*.rtf' || URL == '/*.txt' || URL == '/*.wps' || URL == '/*.pot' || URL == '/*.potx' || URL == '/*.pptm' || URL == '/*.potm' || URL == '/*.thmx' || URL == '/*.ppsx' || URL == '/*.ppsm' || URL == '/*.pps' || URL == '/*.ppam'
Image Management
  HTTP.REQ.METHOD.EQ(GET) && HTTP.REQ.URL.PATH.STARTSWITH("/_layouts/images") && (HTTP.REQ.URL.PATH.ENDSWITH(".gif") || HTTP.REQ.URL.PATH.ENDSWITH(".jpg") || HTTP.REQ.URL.PATH.ENDSWITH(".jpeg") || HTTP.REQ.URL.PATH.ENDSWITH(".tiff") || HTTP.REQ.URL.PATH.ENDSWITH(".tif") || HTTP.REQ.URL.PATH.ENDSWITH(".png") || HTTP.REQ.URL.PATH.ENDSWITH(".bmp") || HTTP.REQ.URL.PATH.ENDSWITH(".emf") || HTTP.REQ.URL.PATH.ENDSWITH(".wmf") || HTTP.REQ.URL.PATH.ENDSWITH(".wbmp") || HTTP.REQ.URL.PATH.ENDSWITH(".ico"))
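The application-unit expressions above, evaluated in the guide's order with Default as the catch-all, as an added Python model rather than NetScaler code. Assumptions: the classic URL == '/*.ext' wildcard is treated as a suffix match on the request path with the query string removed, matching is case-insensitive, and the Styles and Scripts unit uses the extensions from the content table because the guide gives no expression for it.

```python
"""Model of the SharePoint AppExpert application-unit expressions from this
guide, evaluated in the guide's order with 'Default' as the catch-all.
Added example, not NetScaler code. Assumptions: the classic URL == '/*.ext'
wildcard is a suffix match on the request path (query string excluded),
matching is case-insensitive, and Styles and Scripts uses the extensions
from the content table because the guide gives no expression for it."""
from urllib.parse import urlsplit

# Extension sets copied from the guide's expression and content tables.
PORTAL_EXT = (".jsp", ".jspx", ".asp", ".aspx", ".htm", ".html", ".mht",
              ".mhtml", ".xhtml", ".xml")
DOCUMENT_EXT = (".pdf", ".csv", ".prn", ".xsn", ".xls", ".xlsx", ".xlt",
                ".xltx", ".xlsb", ".xlsm", ".xltm", ".dif", ".slk", ".xlam",
                ".xla", ".doc", ".docx", ".ppt", ".pptx", ".dot", ".dotx",
                ".docm", ".dotm", ".rtf", ".txt", ".wps", ".pot", ".potx",
                ".pptm", ".potm", ".thmx", ".ppsx", ".ppsm", ".pps", ".ppam")
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".tiff", ".tif", ".png", ".bmp",
             ".emf", ".wmf", ".wbmp", ".ico")
SCRIPT_EXT = (".css", ".js", ".htc", ".axd", ".wmls")
WS_DEF_MARKERS = ("?wsdl", ".wsdl", "?wsil", ".wsil")   # app_cs6 in Appendix A


def classify(method, url, headers):
    """Return the application-unit name for one request.

    method  -- HTTP method, e.g. 'GET'
    url     -- request-target as sent by the client, e.g. '/a.aspx?x=1'
    headers -- dict of request headers (any letter case)
    Units are tested in the guide's order and the first match wins, which is
    why an .xml under /_layouts/images lands in Portal Management and an image
    outside /_layouts/images falls through to Default.
    """
    hdr = {name.lower() for name in headers}
    path = urlsplit(url).path.lower()
    if "x-vermeer-content-type" in hdr:
        return "FrontPage Services"
    if method == "POST" and "soapaction" in hdr:
        return "SOAP Services"
    if path.endswith(PORTAL_EXT):
        return "Portal Management"
    if path.endswith(DOCUMENT_EXT):
        return "Document Management"
    if (method == "GET" and path.startswith("/_layouts/images")
            and path.endswith(IMAGE_EXT)):
        return "Image Management"
    if path.endswith(SCRIPT_EXT):
        return "Styles and Scripts"
    if any(marker in url.lower() for marker in WS_DEF_MARKERS):
        return "Web Services Definitions"
    # Web Services Schemas has no expression in the guide, so it is not modelled.
    return "Default"


# Constructed sample requests (not captured traffic): (method, url, headers).
SAMPLE_REQUESTS = [
    ("GET", "/default.aspx", {}),
    ("POST", "/_vti_bin/Lists.asmx", {"SOAPAction": "urn:example:GetListItems"}),
    ("POST", "/_vti_bin/_vti_aut/author.dll",
     {"X-Vermeer-Content-Type": "application/x-www-form-urlencoded"}),
    ("GET", "/_layouts/images/titlegraphic.gif?rev=1", {}),
    ("GET", "/sites/team/SiteAssets/logo.gif", {}),   # image, but not under /_layouts/images
    ("GET", "/Shared Documents/budget.xlsx", {}),
    ("GET", "/_layouts/1033/core.js", {}),
    ("GET", "/_vti_bin/Lists.asmx?WSDL", {}),
    ("GET", "/_layouts/images/manifest.xml", {}),      # .xml wins before the image unit
    ("POST", "/_layouts/upload.aspx", {}),
]


def classify_all(requests=SAMPLE_REQUESTS):
    """Classify every request and return a list of (url, unit) pairs."""
    return [(url, classify(m, url, h)) for m, url, h in requests]


def unit_counts(requests=SAMPLE_REQUESTS):
    """Count how much of the sample lands in each unit; a large Default share
    means the units do not yet characterise the traffic well."""
    counts = {}
    for _, unit in classify_all(requests):
        counts[unit] = counts.get(unit, 0) + 1
    return counts


if __name__ == "__main__":
    for url, unit in classify_all():
        print(f"{unit:26s} {url}")
    print(unit_counts())
```

Running the file prints the unit chosen for each constructed request; the share that lands in Default is the quickest sign that the units do not yet characterise the traffic.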
Sharepoint Application Units
Configuration of the Sharepoint AppExpert Template involves defining Application Units for Sharepoint
traffic. An Application Unit defines a subset of traffic to which you want to apply template policies,
for example images, reports, or specific portions of content. Application Unit definitions are
request-based, in that their expressions are built upon request-based rules.
Select Add.
Add the remaining Application Unit categories.
After all of the Application Units have been added, configure the policies, starting with Compression. Click on the icon under Compression.
Select 'Create'.
Click 'Ok'.
Enable Caching.
Enable Rewrite.
Note: replace 'yourspwebserver' with the hostname or IP address of your SharePoint web server. Replace 'yournsvip' with your NetScaler vserver IP address or hostname.
To enable compression for other Application Units, re-use the policy created in the previous step.
Compression:
• select sharepoint_compress
Caching:
• Insert Policy.
• Policy Name: NOPOLICY-CACHE
• Invoke: sharepoint_cache_label
The Default Application Unit is a "Catch-All" for content that was not previously expressed in an Application Unit.
Sharepoint Public Endpoint Configuration - HTTP
The Front-End configuration, or public endpoints configuration, is the public facing IP Address(es) that
users will use to access the Application.
Select Ok.
Select Add.
Sharepoint Load Balancing Configuration - HTTP
Configuring backend services is where we add the backend servers to which traffic is sent. When
the AppExpert Template was created, a Load Balancing virtual server (vserver) was created internally
within the NetScaler. It is during the configuration of the backend services that we can change the
default load balancing settings.
Select Add.
Select ‘Ok’.
Select the Monitors tab to set the health check monitor to be used.
Select 'Ok'.
Select 'Ok'.
Sharepoint Public Endpoint Configuration - HTTPS
The NetScaler Application Switch can be used as a secure SSL or HTTPS gateway to the Sharepoint
Applications. A NetScaler server certificate can be created using the SSL Certificate Wizard by navigating
in the GUI to NetScaler > SSL > Certificate Wizard.
To enable SSL or HTTPS for the Sharepoint Public Endpoints, select Add. Add the IP Address and Port that the public users will access the SharePoint Application with.
• Name: <endpoint name>
• Public IP Address: x.x.x.x
• Protocol: SSL
• Port: 443
Select Ok.
Sharepoint HTTP-to-HTTPS Redirect
To turn the Sharepoint HTTP Portal into a secure HTTPS portal, a simple redirect needs to be added to
the AppExpert Template, which can be enabled and disabled at any time.
Select Create.
Enable Responder.
Create Responder Policy Label: 'http-to-https-responder'.
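The responder action behind this redirect (Appendix A: redirect "\"https://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL"), modelled in Python as an added example rather than NetScaler code. It builds the same Location value and adds the one check the raw expression does not make: the hostname is taken from the client's Host header, so it is compared with the names the HTTPS endpoint is published under before being echoed into the redirect (assumptions: you supply that list of names; IPv6 host literals are not handled).

```python
"""Model of the guide's HTTP-to-HTTPS responder action:
    redirect "\"https://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL"
Added example, not NetScaler code. The hostname in the redirect comes from the
client's Host header, so it is checked against the names the HTTPS public
endpoint serves (assumption: caller supplies them) before it is echoed back.
IPv6 host literals such as [::1]:80 are not handled (assumption)."""


def build_https_redirect(host_header, request_url, allowed_hosts):
    """Return (status, headers) for one plain-HTTP request.

    host_header   -- client's Host header value, or None if absent
    request_url   -- request-target as sent, e.g. '/default.aspx?x=1'
    allowed_hosts -- hostnames the HTTPS public endpoint is published under
    Gives 302 with Location https://<host><url> when the host is recognised,
    and 400 when Host is missing, unknown, or the target is not an origin-form
    path (an absolute URI or junk would otherwise be glued onto the scheme).
    """
    if not host_header:
        return 400, {}
    # Drop an explicit port such as ':80'; the HTTPS endpoint listens on 443.
    hostname = host_header.split(":", 1)[0].strip().lower()
    if hostname not in {h.lower() for h in allowed_hosts}:
        return 400, {}
    if not request_url.startswith("/"):
        return 400, {}
    # Same concatenation as the responder action: scheme + host + full URL
    # (path and query string preserved).
    return 302, {"Location": "https://" + hostname + request_url,
                 "Connection": "close"}


def render_response(status, headers):
    """Serialise the decision as a minimal HTTP/1.1 response head."""
    reason = {302: "Found", 400: "Bad Request"}[status]
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed requests (not captured traffic) against one published name.
    published = ["sharepoint.example.com"]
    for host, url in [("sharepoint.example.com", "/default.aspx?x=1"),
                      ("SharePoint.Example.com:80", "/"),
                      ("attacker.example.net", "/"),
                      (None, "/"),
                      ("sharepoint.example.com", "http://other.example/")]:
        print(render_response(*build_https_redirect(host, url, published)))
```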
Application Visualizer
When an AppExpert Template is complete, all of the policies that are configured can be viewed in the
Application Visualizer. The Visualizer provides an end-to-end view of the Application Flow from the Client
to the Server.
Exporting AppExpert Templates
AppExpert Templates can be exported so that they can be shared, uploaded to the Citrix Community
Website, modified by others, and imported into other NetScaler switches to simplify and ease
deployment.
Importing AppExpert Templates
AppExpert Templates can be imported into the Citrix NetScaler Application Switch. Templates can be
downloaded from the Citrix Community Website or from local or network storage.
Appendix A - NetScaler Configuration
Primary NetScaler
set ns config -IPAddress 10.60.108.100 -netmask 255.255.0.0
add policy expression ns_html "RES.HTTP.HEADER Content-Type CONTAINS text/html" -description "Http response has html content type"
add policy expression ns_all_image_types "(URL == \'/*.gif\' || URL == \'/*.jpg\' || URL == \'/*.jpeg\' || URL == \'/*.tiff\' || URL == \'/*.tif\' || URL == \'/*.png\' || URL == \'/*.bmp\' || URL == \'/*.emf\' || URL == \'/*.wmf\' || URL == \'/*.wbmp\' || URL == \'/*.ico\')"
set locationParameter -context geographic -q1label Continent -q2label Country -q3label Region -q4label City -q5label ISP -q6label Organization
add server 10.60.2.110 10.60.2.110
add cs policy app_cs2 -rule "SYS.EVAL_CLASSIC_EXPR(\"URL == \'/*.jsp\' || URL == \'/*.jspx\' || URL == \'/*.asp\' || URL == \'/*.aspx\'\")"
add cs policy app_cs3 -rule "SYS.EVAL_CLASSIC_EXPR(\"URL == \'/*.pdf\' || URL == \'/*.csv\' || URL == \'/*.prn\' || URL == \'/*.xsn\' || URL == \'/*.xls\' || URL == \'/*.xlsx\' || URL == \'/*.xlt\' || URL == \'/*.xltx\' || URL == \'/*.xlsb\' || URL == \'/*.xlsm\' || URL == \'/*.xltm\' || URL == \'/*.dif\' || URL == \'/*.slk\' || URL == \'/*.xlam\' || URL == \'/*.xla\' || URL == \'/*.doc\' || URL == \'/*.docx\' || URL == \'/*.ppt\' || URL == \'/*.pptx\' || URL == \'/*.dot\' || URL == \'/*.dotx\' || URL == \'/*.docm\' || URL == \'/*.dotm\' || URL == \'/*.rtf\' || URL == \'/*.txt\' || URL == \'/*.wps\' || URL == \'/*.pot\' || URL == \'/*.potx\' || URL == \'/*.pptm\' || URL == \'/*.potm\' || URL == \'/*.thmx\' || URL == \'/*.ppsx\' || URL == \'/*.ppsm\' || URL == \'/*.pps\' || URL == \'/*.ppam\'\")"
add cs policy app_cs6 -rule "SYS.EVAL_CLASSIC_EXPR(\"URL CONTAINS ?wsdl || URL CONTAINS .wsdl || URL CONTAINS ?wsil || URL CONTAINS .wsil || URL == \'/*.xml\'\")"
add service MercurySP1 10.60.2.41 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service MercurySPx 10.60.2.25 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service my_citrite 10.9.154.149 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add vpn intranetApplication route_migrate_1 ANY 192.168.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
add filter policy html_prebody -rule "REQ.HTTP.METHOD == GET || REQ.HTTP.HEADER Content-Type == text/html" -reqAction act_prebody
add filter policy html_postbody -rule "REQ.HTTP.METHOD == GET || REQ.HTTP.HEADER Content-Type == text/html" -reqAction act_postbody
add lb vserver app_0_ApplicationsSharePoint HTTP 0.0.0.0 0 -persistenceType COOKIEINSERT -persistenceBackup SOURCEIP -lbMethod ROUNDROBIN -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointFrontPage_Services HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointSOAP_Services HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointPortal_Management HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointDocument_Management HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointImage_Management HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointStyles_and_Scripts HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointWeb_Service_Definitions HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_u_SharePointWeb_Service_Schemas HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180 -downStateFlush DISABLED
add lb vserver app_o_SharePointdefault HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -downStateFlush DISABLED
add responder action http_to_https_action12 redirect "\"https://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL" -bypassSafetyCheck YES
add responder action http_to_https_action121 redirect "\"https://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL" -bypassSafetyCheck YES
add responder action http_to_https_action1211 redirect "\"https://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL" -bypassSafetyCheck YES
set cache parameter -memLimit 512 -via "NS-CACHE-8.0: 1" -verifyUsing HOSTNAME_AND_IP -maxPostLen 1024 -enableBypass YES -undefAction NOCACHE
add cache contentGroup BASEFILE -relExpiry 86000 -weakNegRelExpiry 600 -quickAbortSize 4194303 -maxResSize 256 -memLimit 2 -minHits 0
add cache contentGroup DELTAJS -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -quickAbortSize 4194303 -maxResSize 256 -memLimit 1 -minHits 0 -pinned YES
add cache contentGroup SHAREPOINT_IMAGES -quickAbortSize 4194303 -maxResSize 4000 -minHits 0
add cache policy _cacheableExpiryRes -rule "HTTP.RES.HEADER(\"Expires\").EXISTS" -action CACHE -storeInGroup DEFAULT
add cache policy cache_everything_sharepoint -rule true -action CACHE -storeInGroup SHAREPOINT_DEFAULT
add cache policy cache_sharepoint_scripts -rule true -action CACHE -storeInGroup SHAREPOINT_SCRIPTS
add cache policy cache_sharepoint_images -rule true -action CACHE -storeInGroup SHAREPOINT_IMAGES
bind cache policylabel _reqBuiltinDefaults -policyName cache_sharepoint_images -priority 100 -gotoPriorityExpression END
bind cache policylabel cache_all_sharepoint -policyName cache_everything_sharepoint -priority 100 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableStatusRes -priority 100 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableVaryRes -priority 200 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableCacheControlRes -priority 300 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _cacheableCacheControlRes -priority 400 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheablePragmaRes -priority 500 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _cacheableExpiryRes -priority 600 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _imageRes -priority 700 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _personalizedRes -priority 800 -gotoPriorityExpression END
bind cache global NOPOLICY -priority 100 -gotoPriorityExpression END -type REQ_DEFAULT -invoke policylabel _reqBuiltinDefaults
bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression NEXT -type REQ_DEFAULT -invoke policylabel _reqBuiltinDefaults
bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression NEXT -type RES_DEFAULT -invoke policylabel _resBuiltinDefaults
set appfw profile sp_web2_firewall_profile -startURLAction block learn log stats -startURLClosure ON -cookieConsistencyAction block learn log stats -fieldConsistencyAction block learn log stats -crossSiteScriptingAction block learn log stats -SQLInjectionAction block learn log stats -fieldFormatAction block learn log stats -XMLSQLInjectionAction none -XMLXSSAction none -type HTML XML
set appfw profile sp_xml_firewall_profile -startURLAction block learn log stats -startURLClosure ON -cookieConsistencyAction block learn log stats -fieldConsistencyAction block learn log stats -crossSiteScriptingAction block learn log stats -SQLInjectionAction block learn log stats -fieldFormatAction block learn log stats -XMLSQLInjectionAction none -XMLXSSAction none -type XML
bind appfw profile sp_web2_firewall_profile -XMLWSIURL ".*" -XMLWSIChecks "BP1201, R1000, R1001, R1003, R1004, R1005, R1006, R1007, R1011, R1013, R1014, R1015, R1031, R1032, R1033, R1109, R1111, R1126, R1132, R1140, R1141, R2113, R2211, R2714, R2729, R2735, R2738, R2740, R2744, R4003"
bind appfw profile sp_web2_firewall_profile -denyURL "/core(/.*)?$" -comment "Unix core file attacks" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "[\\/]etc[\\/](passwd|group|hosts)" -comment "Unix file attacks" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL q{([ /=]|\t|\n)(ls|rm|cat)([ ;'\"&].*)?$} -comment "Command injection attack" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*[+][.]htr" -comment "HTR source disclosure" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/[?][SM]=[AD]" -comment "Apache possible directory index disclosure vulnerability" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/[?]wp-" -comment "Netscape enterprise server directory indexing vulnerability" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/NULL[.]printer" -comment "Printer buffer overflow" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/default[.]ida[?]N+" -comment CodeRed -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/publisher" -comment "Netscape enterprise server web publishing vulnerability" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*Admin[.]dll" -comment "Nimbda-3" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/winnt/" -comment "Nimbda-4" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*[+]dir" -comment "IIS executable file parsing vulnerability-1" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/georgi[.]asp" -comment "IIS executable file parsing vulnerability-2" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*[.](bat|ini|exe)(|[?].*)$" -comment "IIS executable file parsing vulnerability-3" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|]" -comment "Script exploit" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*[.]asp\\.*" -comment "Microsoft IIS UNC mapped virtual host vulnerability" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*[.]htx" -comment "Microsoft IIS UNC path disclosure vulnerability" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*[.]id[aq]" -comment "Index server buffer overflow" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$" -comment "Access attacks" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$" -comment "Password file attacks" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*dvwssr[.]dll" -comment "Front Page server extensions buffer overflow-1" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*fp30reg[.]dll" -comment "Front Page server extensions buffer overflow-2" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*null[.]htw" -comment "Webhits source disclosure" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "debug[.][^/?]*(|[?].*)$" -comment "Debug attacks" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL q/system( |\t|\n)*[(]/ -comment "System command attacks" -state DISABLED
bind appfw profile sp_web2_firewall_profile -denyURL "^[^?]*/_vti_bin/shtml[.]" -comment "Front Page server extensions path disclosure vulnerability" -state DISABLED
bind appfw profile sp_xml_firewall_profile -XMLWSIURL ".*" -XMLWSIChecks "BP1201, R1000, R1001, R1003, R1004, R1005, R1006, R1007, R1011, R1013, R1014, R1015, R1031, R1032, R1033, R1109, R1111, R1126, R1132, R1140, R1141, R2113, R2211, R2714, R2729, R2735, R2738, R2740, R2744, R4003"
bind appfw profile sp_xml_firewall_profile -XMLValidationURL ".*" -XMLValidateSOAPEnvelope ON
bind appfw profile sp_xml_firewall_profile -denyURL "/core(/.*)?$" -comment "Unix core file attacks" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "[\\/]etc[\\/](passwd|group|hosts)" -comment "Unix file attacks" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL q{([ /=]|\t|\n)(ls|rm|cat)([ ;'\"&].*)?$} -comment "Command injection attack" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*[+][.]htr" -comment "HTR source disclosure" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/[?][SM]=[AD]" -comment "Apache possible directory index disclosure vulnerability" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/[?]wp-" -comment "Netscape enterprise server directory indexing vulnerability" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/NULL[.]printer" -comment "Printer buffer overflow" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/default[.]ida[?]N+" -comment CodeRed -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/publisher" -comment "Netscape enterprise server web publishing vulnerability" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*Admin[.]dll" -comment "Nimbda-3" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/winnt/" -comment "Nimbda-4" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*[+]dir" -comment "IIS executable file parsing vulnerability-1" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/georgi[.]asp" -comment "IIS executable file parsing vulnerability-2" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*[.](bat|ini|exe)(|[?].*)$" -comment "IIS executable file parsing vulnerability-3" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|]" -comment "Script exploit" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*[.]asp\\.*" -comment "Microsoft IIS UNC mapped virtual host vulnerability" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*[.]htx" -comment "Microsoft IIS UNC path disclosure vulnerability" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*[.]id[aq]" -comment "Index server buffer overflow" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$" -comment "Access attacks" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$" -comment "Password file attacks" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*dvwssr[.]dll" -comment "Front Page server extensions buffer overflow-1" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*fp30reg[.]dll" -comment "Front Page server extensions buffer overflow-2" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*null[.]htw" -comment "Webhits source disclosure" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "debug[.][^/?]*(|[?].*)$" -comment "Debug attacks" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL q/system( |\t|\n)*[(]/ -comment "System command attacks" -state DISABLED
bind appfw profile sp_xml_firewall_profile -denyURL "^[^?]*/_vti_bin/shtml[.]" -comment "Front Page server extensions path disclosure vulnerability" -state DISABLED
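Every denyURL binding above is bound with -state DISABLED, so the template ships them inert; an administrator who enables them is then relying on the regular expressions alone, and several of them (the .exe, passwd and _vti_bin/shtml patterns in particular) can also match legitimate SharePoint traffic. The script below is an added example, not part of the Citrix guide or the AppExpert template: it copies the patterns from the bindings above and runs constructed request paths through them, so that the rules can be reviewed against a site's real URL inventory before any are enabled. It assumes that plain Python re.search (case-sensitive, unanchored unless the pattern carries ^) is a close enough stand-in for the appliance's PCRE matching, and it writes the q/.../ quoted pattern as an ordinary string; the sample URLs are constructed for the example.

```python
"""Dry-run the SharePoint AppFw denyURL patterns against sample request paths.

Added example (not Citrix code). The pattern list is transcribed from the
"bind appfw profile sp_xml_firewall_profile -denyURL ..." lines; matching
semantics are assumed to be re.search, which is an approximation of the
appliance's PCRE engine, not a statement of its exact behaviour.
"""
import re

# (pattern, comment) pairs, in the order they appear in the template.
DENY_URLS = [
    (r"^[^?]*/[?][SM]=[AD]", "Apache possible directory index disclosure vulnerability"),
    (r"^[^?]*/[?]wp-", "Netscape enterprise server directory indexing vulnerability"),
    (r"^[^?]*/NULL[.]printer", "Printer buffer overflow"),
    (r"^[^?]*/default[.]ida[?]N+", "CodeRed"),
    (r"^[^?]*/publisher", "Netscape enterprise server web publishing vulnerability"),
    (r"^[^?]*Admin[.]dll", "Nimbda-3"),
    (r"^[^?]*/winnt/", "Nimbda-4"),
    (r"^[^?]*[+]dir", "IIS executable file parsing vulnerability-1"),
    (r"^[^?]*/georgi[.]asp", "IIS executable file parsing vulnerability-2"),
    (r"^[^?]*[.](bat|ini|exe)(|[?].*)$", "IIS executable file parsing vulnerability-3"),
    (r"^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|]", "Script exploit"),
    (r"^[^?]*[.]asp\\.*", "Microsoft IIS UNC mapped virtual host vulnerability"),
    (r"^[^?]*[.]htx", "Microsoft IIS UNC path disclosure vulnerability"),
    (r"^[^?]*[.]id[aq]", "Index server buffer overflow"),
    (r"^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$", "Access attacks"),
    (r"^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$", "Password file attacks"),
    (r"^[^?]*dvwssr[.]dll", "Front Page server extensions buffer overflow-1"),
    (r"^[^?]*fp30reg[.]dll", "Front Page server extensions buffer overflow-2"),
    (r"^[^?]*null[.]htw", "Webhits source disclosure"),
    (r"debug[.][^/?]*(|[?].*)$", "Debug attacks"),
    # Written on the appliance as q/system( |\t|\n)*[(]/ (alternate quoting).
    (r"system( |\t|\n)*[(]", "System command attacks"),
    (r"^[^?]*/_vti_bin/shtml[.]", "Front Page server extensions path disclosure vulnerability"),
]

COMPILED = [(re.compile(pat), comment) for pat, comment in DENY_URLS]

# Constructed sample paths: a mix of ordinary SharePoint URLs and the
# historical probe the CodeRed rule was written for.
SAMPLE_REQUESTS = [
    "/sites/hr/default.aspx",
    "/sites/hr/_layouts/viewlsts.aspx?BaseType=1",
    "/sites/hr/Shared%20Documents/setup.exe",     # document-library download
    "/sites/it/passwords.aspx",                   # ordinary page with an unlucky name
    "/_vti_bin/shtml.dll/_vti_rpc",               # FrontPage RPC used by Office clients
    "/default.ida?NNNN",                          # the CodeRed probe shape
]


def match_deny_urls(url):
    """Return the comment of every denyURL rule that would match this URL.

    An empty list means the request would pass all of the listed rules.
    """
    return [comment for pat, comment in COMPILED if pat.search(url)]


def review_samples(urls=SAMPLE_REQUESTS):
    """Map each URL to the rules it triggers; feed this your real URL inventory."""
    return {url: match_deny_urls(url) for url in urls}


if __name__ == "__main__":
    for url, reasons in review_samples().items():
        verdict = "DENY " if reasons else "pass "
        print(f"{verdict} {url}  {', '.join(reasons)}")
```

Two of the constructed paths that a SharePoint farm serves routinely (an .exe in a document library and a page whose name contains "passwords") would be denied once the corresponding rules are enabled, and the CodeRed probe trips two overlapping rules at once. Replacing SAMPLE_REQUESTS with paths pulled from the IIS logs of the real farm turns this into a false-positive check that can be run before any of the bindings are switched from DISABLED.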
bind lb vserver app_u_SharePointPortal_Management MercurySP1
bind lb vserver app_u_SharePointStyles_and_Scripts -policyName "NOPOLICY-CACHE" -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel cache_sharepoint_scripts
bind lb vserver app_u_SharePointWeb_Service_Schemas -policyName "NOPOLICY-CACHE" -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel cache_all_sharepoint
bind lb vserver app_o_SharePointdefault -policyName "NOPOLICY-CACHE" -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel cache_all_sharepoint
bind lb vserver app_u_SharePointImage_Management -policyName "NOPOLICY-RESPONDER" -priority 100 -gotoPriorityExpression END -invoke policylabel label_redirect_forSharepointAp3
bind lb vserver app_o_SharePointdefault -policyName "NOPOLICY-RESPONDER" -priority 100 -gotoPriorityExpression END -invoke policylabel label_redirect_forSharepointAp3
add lb monitor sp_http HTTP -respCode 200 401 -httpRequest "HEAD /" -LRTM ENABLED -interval 20
set ssl service "nskrpcs-127.0.0.1-3009" -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service "nshttps-127.0.0.1-443" -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service "nsrpcs-127.0.0.1-3008" -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set vpn parameter -splitDns BOTH -killConnections OFF -defaultAuthorizationAction ALLOW -proxyLocalBypass DISABLED -forceCleanup none -clientOptions all -clientConfiguration all -SSO OFF -clientDebug OFF -icaProxy OFF
set audit syslogParams -serverIP 127.0.0.1
set ns hostName ns
set uiinternal EXPRESSION app_u_SharePointWeb_Service_Definitions -uiinfo "ET%PE^PR%500^P%app_0_ApplicationsSharePoint^CS%mercurylb^" -rule "URL CONTAINS ?wsdl || URL CONTAINS .wsdl || URL CONTAINS ?wsil || URL CONTAINS .wsil || URL == \'/*.xml\'"
Appendix B - Content Types
Content Type Extension mimeType Compress
octet-stream application/octet-stream No
Citrix Worldwide
Worldwide headquarters
Regional headquarters
Americas
Citrix Silicon Valley
4988 Great America Parkway
Santa Clara, CA 95054
USA
T +1 408 790 8000
Europe
Citrix Systems International GmbH
Rheinweg 9
8200 Schaffhausen
Switzerland
T +41 52 635 7700
Asia Pacific
Citrix Systems Hong Kong Ltd.
Suite 3201, 32nd Floor
One International Finance Centre
1 Harbour View Street
Central
Hong Kong
T +852 2100 5000
www.citrix.com
About Citrix
Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than
200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest
security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well
as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more
than 100 countries. Annual revenue in 2006 was $1.1 billion.
Citrix®, NetScaler®, GoToMyPC®, GoToMeeting®, GoToAssist®, Citrix Presentation Server™, Citrix Password Manager™, Citrix Access Gateway™, Citrix Access
Essentials™, Citrix Access Suite™, Citrix SmoothRoaming™ and Citrix Subscription Advantage™ are trademarks of Citrix Systems, Inc. and/or one or more of its
subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX® is a registered trademark of The Open Group in the U.S. and
other countries. Microsoft®, Windows® and Windows Server® are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks
and registered trademarks are property of their respective owners.