How to Implement Rate Limiting on NetScaler Appliance by Using the Responder Feature

Article ID: CTX134009

Description

This article describes how to implement Rate Limiting on a NetScaler appliance by using the Responder feature.

Background

Rate Limiting on a NetScaler appliance is a method to detect client connections and limit them by the number of connections available or bandwidth.

To implement the rate limiting feature on an appliance, complete the following steps:

  1. Create a Limit Selector that specifies the criteria to identify the network traffic on which the limit is applied.

  2. Create a Limit Identifier that specifies the restrictions on the network traffic.

  3. Bind the policy to a NetScaler feature such as Rewrite, Responder, DNS or Integrated Caching.
    In the example in this article, the Responder feature is used to redirect the end user to http://www.citrix.com/ if the user requests more than one page per second from the "Test-LB-Vserver" Load Balancing virtual server.


Instructions

NetScaler GUI

To implement Rate Limiting on a NetScaler appliance using the Responder feature, complete the following procedure:

  1. Create the Rate Limiting Selector.
    In this example, the rate limiting feature applies to an HTTP request with any URL that starts with /js:

  2. Create the Rate Limiting Identifier with the settings, as shown in the following screenshot:

  3. Create the Responder action with the URL redirect, as shown in the following screenshot:

  4. Create a Responder policy that binds the Responder action and Rate Limiting Identifier.

  5. Bind the Responder policy to a virtual server.

NetScaler CLI

To implement Rate Limiting by using the Responder feature from the command line interface of a NetScaler appliance, run the following commands:
add ns limitSelector Test_Limit_Selector "HTTP.REQ.URL.PATH.STARTSWITH(\"/js\")"
add ns limitIdentifier Test_Limit_Identifier -timeSlice 1000 -selectorName Test_Limit_Selector
add responder action Responder_Rate_Limiting_action redirect "\"http://www.citrix.com/\""
add responder policy Responder_Rate_Limiting_policy "HTTP.REQ.URL.STARTSWITH(\"/js\") && sys.CHECK_LIMIT(\"Test_Limit_Identifier\")" Responder_Rate_Limiting_action
bind lb vserver Test-LB-Vserver -policyName Responder_Rate_Limiting_policy -priority 100 -gotoPriorityExpression END
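
An added Python model (not Citrix code and not part of the original article) of how the selector in the commands above groups requests: the selector yields only a true/false value, so every client requesting /js shares one counter. The model simplifies BURSTY mode to fixed, aligned time slices; the traffic, the IP addresses and the per-client key (URL test plus client IP) are constructed assumptions for comparison.

```python
from collections import defaultdict

THRESHOLD = 1        # threshold reported by "show limitIdentifier"
TIMESLICE_MS = 1000  # -timeSlice 1000

# Constructed sample traffic: (arrival time in ms, client IP, URL path).
REQUESTS = [
    (0,    "10.0.0.1", "/js/app.js"),
    (100,  "10.0.0.1", "/js/app.js"),
    (200,  "10.0.0.2", "/js/app.js"),   # second client, its first request
    (300,  "10.0.0.2", "/index.html"),  # not under /js, policy does not apply
    (1200, "10.0.0.1", "/js/app.js"),   # next time slice
    (1300, "10.0.0.2", "/js/app.js"),
]

def page_selector(ip, path):
    """Key produced by HTTP.REQ.URL.PATH.STARTSWITH("/js"): one boolean."""
    return (path.startswith("/js"),)

def per_client_selector(ip, path):
    """Hypothetical alternative key: the URL test plus the client IP."""
    return (path.startswith("/js"), ip)

def simulate(selector, requests=REQUESTS):
    """Return one 'pass' or 'redirect' decision per request."""
    counts = defaultdict(int)  # (selector key, time-slice index) -> requests seen
    decisions = []
    for t_ms, ip, path in requests:
        if not path.startswith("/js"):     # URL test in the responder policy
            decisions.append("pass")
            continue
        bucket = (selector(ip, path), t_ms // TIMESLICE_MS)
        counts[bucket] += 1
        over = counts[bucket] > THRESHOLD  # modelled CHECK_LIMIT result
        decisions.append("redirect" if over else "pass")
    return decisions

if __name__ == "__main__":
    for name, sel in (("page selector", page_selector),
                      ("per-client selector", per_client_selector)):
        print(f"{name:20s}", simulate(sel))
```

With the shared key, the second client is redirected on its first /js request because the first client already used the quota for that time slice; with the per-client key, only the client that exceeded the limit is redirected.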

Testing the Configuration

To test this configuration, open a web browser and browse to http://192.168.100.4/js, which is the virtual server in this example.

The following is an excerpt from the network packet trace that was recorded:

GET /js/ HTTP/1.1
Host: 192.168.100.4
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:16.0) Gecko/16.0 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en-us;q=0.667,en;q=0.333
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

If you refresh the web browser multiple times in one second, which exceeds the Rate Limit Identifier threshold specified in the configuration, the virtual server redirects the browser to www.citrix.com:

GET /js/ HTTP/1.1
Host: 192.168.100.4
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:16.0) Gecko/16.0 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en-us;q=0.667,en;q=0.333
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily
Location: http://www.citrix.com/
Connection: close
Cache-Control: no-cache
Pragma: no-cache


Run the following command from the command line interface of the appliance to verify whether the user was redirected:
> show limitIdentifier Test_Limit_Identifier

Name: Test_Limit_Identifier
Threshold: 1 Timeslice: 1000
Traps : 0 Max Bandwidth: 0 kbps
Selector: Test_Limit_Selector Mode: REQUEST_RATE Type: BURSTY
Expressions:
1) HTTP.REQ.URL.PATH.STARTSWITH("/js")
Permit 1 Requests in 1000 ms
Hits: 13 Action Taken: 9
Done

