How Do I Perform Authorization Using Advanced Policy Expressions in NetScaler?

Article ID: CTX224241

Description

This article describes how to perform authorization using advanced policy expressions in NetScaler.

Background

Advanced policy expressions give administrators a richer set of expressions than the older classic ones, such as body-based and DNS-based expressions.
Advanced will be the default expression editor for the Session, Traffic and Authorization policy editors. You have the option to switch to classic by clicking “Switch to Classic Syntax”.

Only one policy type (either advanced or classic) can be bound for a given kind of policy:

  • For example, all authorization policies bound at any level must be either advanced or classic.
  • Authorization policies of advanced type and traffic policies of classic type are allowed together.

Use case

The admin wants to block a set of users from accessing the download page of citrix.com. For this, the admin has created a user group called ‘BlackListUserGroup’; any user who is part of this group should not be allowed to access the download page.


Instructions

With advanced policy expressions, the administrator can create an authorization policy that evaluates the HTTP request and bind it to BlackListUserGroup.

Complete the following steps from NetScaler GUI:

  1. Log on to NetScaler GUI, navigate to Configuration > NetScaler Gateway > Policies > Authorization.

  2. Click on the Add button.

  3. Create an authorization policy. In our case, we have created the following:

    User-added image

  4. Click Expression Editor and use simple and intuitive drop-downs to create a policy expression. For us the expression is:

    http.req.hostname.contains("citrix.com") && http.req.url.contains("downloads")

    Use the operator ‘&&’ and create another expression as below:

    User-added image

    Finally, this is what the expression looks like:

    User-added image

  5. Bind this authorization policy to the AAA user group. Navigate to Configuration > NetScaler Gateway > User Administration > AAA Groups. In this case, we select BlackListUserGroup and bind this policy to it.

    Let us take a look at the Authorization Policy which is bound to this group:

    User-added image
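
The same policy and binding expressed in NetScaler CLI, as an added example that is not part of the original article. The expression and group name come from the steps above; the policy name authz_block_downloads, the DENY action (inferred from the stated goal) and the priority 100 are assumptions, since the screenshots with the actual values are not available.

```netscaler
# NetScaler CLI equivalent of steps 1-5 (added example, not from the article).
# Assumed values: policy name authz_block_downloads, action DENY, priority 100.

# Create the AAA group if it does not already exist.
add aaa group BlackListUserGroup

# Advanced-syntax authorization policy: rule from step 4, action DENY.
add authorization policy authz_block_downloads "http.req.hostname.contains(\"citrix.com\") && http.req.url.contains(\"downloads\")" DENY

# Bind the policy to the group (step 5).
bind aaa group BlackListUserGroup -policy authz_block_downloads -priority 100 -gotoPriorityExpression END

# Review the policy and confirm it is bound to the group.
show authorization policy authz_block_downloads
show aaa group BlackListUserGroup
```

Because contains() is a substring match, the rule applies to any request whose host name contains citrix.com and whose URL contains downloads.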

Testing the Configuration

  1. We have a user, Blacklistuser, who is part of BlackListUserGroup. This user should not be allowed to access the downloads page of citrix.com.

  2. The user launches Citrix.com from the bookmarks set as below:

    User-added image

    The website launches as shown below.

    User-added image

  3. The user clicks on the downloads tab on the website and is denied access with the below message.

    User-added image

    We have tested our configuration of the authorization policy, which denies blacklisted users access to the download page of citrix.com.
