Citrix Systems 9.2 User Guide

Appendix D  Tutorial Examples of Classic Policies
To drop packets from specific IPs by using the NetScaler command line
1. To create a DNS policy named pol_ddos_drop that detects connections from hostile networks and drops those packets, type:
add dns policy pol_ddos_drop 'client.ip.src.in_subnet(192.168.253.128/25) || client.ip.src.in_subnet(192.168.254.32/27)' -drop YES
For the example networks in the 192.168.0.0/16 range, substitute the network address and prefix length, in ###.###.###.###/## format, of each network that you want to block. You can include as many networks as you want, joining each CLIENT.IP.SRC.IN_SUBNET(###.###.###.###/##) expression to the next with the OR operator (||). Check the prefix lengths carefully: in this example the /25 covers 192.168.253.128 through 192.168.253.255 and the /27 covers 192.168.254.32 through 192.168.254.63, so an address just outside either range, such as 192.168.253.127, is not dropped.
2. Globally bind your new policy to put it into effect.
SSL Policy to Require Valid Client Certificates
The following example shows an SSL policy that checks the user's client 
certificate validity before initiating an SSL connection with a client.
To block connections from users with expired client certificates
1. Log on to the NetScaler command line. If you are using the GUI, navigate to the SSL Policies page, then in the Data area, click the Actions tab.
2. Create an SSL action named act_current_client_cert that requires that users have a current client certificate to establish an SSL connection with the NetScaler.
add ssl action act_current_client_cert -clientAuth DOCLIENTAUTH -clientCert ENABLED -certHeader "clientCertificateHeader" -clientCertNotBefore ENABLED -certNotBeforeHeader "Mon, 01 Jan 2007 00:00:00 GMT"
3. Create an SSL policy named pol_current_client_cert that matches connections in which the client certificate's validity period begins on or after 1 January 2007, and associate it with the action created in step 2.
add ssl policy pol_current_client_cert 'REQ.SSL.CLIENT.CERT.VALIDFROM >= "Mon, 01 Jan 2007 00:00:00 GMT"' act_current_client_cert
Note that this rule tests only the start of the certificate's validity period (VALIDFROM): it separates certificates issued on or after the cut-off date from older ones, but a certificate issued after the cut-off and since expired still satisfies it. The certificate itself is verified during client authentication, which the action's -clientAuth DOCLIENTAUTH setting requires.
4. Bind your new policy globally.
Because this SSL policy should apply to any user's SSL connection unless a more specific SSL policy applies, assign it a low priority. Bound policies are evaluated in ascending order of priority number, with the lowest number evaluated first, so a priority of one thousand (1000) ensures that other SSL policies are evaluated before this one and that it applies only to connections that do not match more specific policy criteria.
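Both procedures above, the DNS drop policy and the SSL client-certificate policy, can be sanity-checked before they are bound. The following Python script is an added example, not code from this guide or from Citrix: it reimplements what CLIENT.IP.SRC.IN_SUBNET(...) and the REQ.SSL.CLIENT.CERT.VALIDFROM comparison evaluate to, models how a global binding selects the first matching policy in ascending priority order, and runs the rules against constructed sample connections that sit on the subnet boundaries and on either side of the certificate cut-off. The second SSL policy pol_ops_subnet, its action act_ops_subnet, the fixed clock NOW and every sample address and certificate date are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Values taken from the two examples above.
HOSTILE_NETS = ["192.168.253.128/25", "192.168.254.32/27"]
CERT_CUTOFF = "Mon, 01 Jan 2007 00:00:00 GMT"

# Fixed clock so the expiry check is reproducible (an assumption, not a real time source).
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)


def in_subnet(ip, cidr):
    """What CLIENT.IP.SRC.IN_SUBNET(cidr) evaluates to for one source address."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rfc1123(text):
    """Parse a date in the 'Mon, 01 Jan 2007 00:00:00 GMT' form used by the expressions."""
    return parsedate_to_datetime(text)


def pol_ddos_drop(conn):
    """Rule of the DNS example: drop when the source lies in either hostile network."""
    return any(in_subnet(conn["src"], net) for net in HOSTILE_NETS)


def pol_current_client_cert(conn):
    """Rule of the SSL example: REQ.SSL.CLIENT.CERT.VALIDFROM >= the cut-off date."""
    return rfc1123(conn["cert_not_before"]) >= rfc1123(CERT_CUTOFF)


def cert_expired(conn, now=NOW):
    """The condition the heading names (certificate past its notAfter date).
    Shown for contrast: the VALIDFROM rule above does not test it."""
    return rfc1123(conn["cert_not_after"]) < now


def pol_ops_subnet(conn):
    """Hypothetical, more specific SSL policy (not from the guide) for an internal
    operations network, bound at a lower priority number than the catch-all."""
    return in_subnet(conn["src"], "10.20.0.0/16")


def evaluate(bindings, conn):
    """Model of a global binding: policies are tried in ascending priority number and
    the first matching rule selects the action. Returns (policy, action) or None."""
    for _priority, name, rule, action in sorted(bindings, key=lambda b: b[0]):
        if rule(conn):
            return name, action
    return None


# Global SSL bindings: the catch-all at 1000 sits behind the specific policy at 100.
SSL_BINDINGS = [
    (1000, "pol_current_client_cert", pol_current_client_cert, "act_current_client_cert"),
    (100, "pol_ops_subnet", pol_ops_subnet, "act_ops_subnet"),  # hypothetical action name
]


def conn(src, not_before, not_after):
    """Constructed connection record: source IP plus the client cert's validity window."""
    return {"src": src, "cert_not_before": not_before, "cert_not_after": not_after}


# Constructed sample connections (not captured traffic). The certificate dates are
# chosen so that one cert predates the cut-off and one is recent but already expired.
RECENT_NB, RECENT_NA = "Sat, 02 Jan 2010 00:00:00 GMT", "Wed, 02 Jan 2013 00:00:00 GMT"
SAMPLES = {
    "first_in_253_range": conn("192.168.253.128", RECENT_NB, RECENT_NA),
    "just_below_253_range": conn("192.168.253.127", RECENT_NB, RECENT_NA),
    "last_in_254_range": conn("192.168.254.63", RECENT_NB, RECENT_NA),
    "just_above_254_range": conn("192.168.254.64", RECENT_NB, RECENT_NA),
    "old_cert": conn("203.0.113.10", "Fri, 03 Mar 2006 00:00:00 GMT", "Sat, 03 Mar 2007 00:00:00 GMT"),
    "recent_but_expired": conn("203.0.113.11", RECENT_NB, "Sun, 02 Jan 2011 00:00:00 GMT"),
    "ops_client": conn("10.20.5.7", RECENT_NB, RECENT_NA),
}


def classify(c):
    """Summarise how the DNS rule, the SSL bindings and a real expiry check treat one connection."""
    return {
        "dns_drop": pol_ddos_drop(c),
        "ssl": evaluate(SSL_BINDINGS, c),
        "cert_expired": cert_expired(c),
    }


if __name__ == "__main__":
    for label, c in SAMPLES.items():
        print(f"{label:22} {c['src']:16} {classify(c)}")
```

Running the script shows the two points a practitioner wants confirmed: the subnet rule matches 192.168.253.128 and 192.168.254.63 but not 192.168.253.127 or 192.168.254.64, so a prefix length that is off by one silently excludes or includes half a range; and the recent_but_expired connection satisfies the VALIDFROM rule and is handed to act_current_client_cert even though cert_expired reports it as expired, which is why the certificate's own validity must be enforced by client authentication rather than by this rule. The ops_client connection matches both SSL policies, and the binding at priority 100 wins over the catch-all at 1000.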