business, security

Bluecoat – Regular Expressions

January 15, 2013

3 Roles Bypass

NTLM

Dst – Do not Authenticate

Force Authentication

Regular expression: ( .*. (FE1 | FE2 | FE3 |…)$

Use splash screen

Citrix bypass

Proxy if going to

Citrix farm / ssl

The rules are in layers and can optionally be organized in one or more sections. This is a way of grouping rules together.

A section consists of a section header followed by a list of rules. Four section types are supported in a standard CPL file:

  1. [Rule]
  2. [url]
  3. [url.domain]
  4. [server_url.domain]

Boolean expressions are built from the specific values allowed with the trigger and the Boolean operators:

  • ! (not)
  • && (and)
  • || (or)
  • () for grouping

Long lines can be split using ‘\’ as a line continuation character.

The ‘\’ must be the last character on the line and be preceded by a space or a Tab. For example:

    url.domain=example.com time=0900..1700 \
    deny

More complex boolean expressions are allowed for the pattern_expression in the triggers.

For example, the second part of the condition in the simple rule shown above could be “the request is made between 9 a.m. and noon or between 1 p.m. and 5 p.m”, expressed as:

  • … time=(0900..1200 || 1300..1700) … 

Unavailable Triggers

Some (but not all) triggers can be unavailable in some transactions. If a trigger is unavailable, then any condition containing that trigger is false, regardless of the pattern expression. For example, if the current transaction is not authenticated (that is, the authenticate property was set to “no”), then the “user” trigger is unavailable. This means that user=kevin and user=!kevin are both false.

A condition can be false either because the pattern doesn’t match the trigger value, or because the trigger is unavailable. Policy rule-tracing distinguishes these two cases, using “miss” for the former and “N/A” for the latter.

Note that the special semantics of unavailable triggers are only encountered when you are coding directly in CPL. You will not see this behavior when you use the VPM.
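The Boolean pattern expressions above and the unavailable-trigger rule can both be seen in a small evaluator. This is an added example, not code from the original post or from Blue Coat: the expression grammar, the `match_pattern`, `evaluate_condition` and `evaluate_rule` names, the `match` / `miss` / `N/A` verdicts and the two sample transactions are all constructed for illustration, and trigger matching is plain equality or a numeric range rather than CPL's real matching rules.

```python
# Added example (not from the original post or Blue Coat's code): a small
# evaluator that mimics how CPL judges a rule's conditions, including the
# "unavailable trigger" semantics and the miss / N/A distinction seen in
# policy tracing. The grammar and names are assumptions for illustration.
import re
from typing import Dict, List, Optional, Tuple

# Tokens of a pattern_expression: parentheses, '!', '&&', '||', or an atom
# (a literal value or a low..high range).
_TOKEN_RE = re.compile(r"\(|\)|!|&&|\|\||[^\s()!&|]+")


class _PatternParser:
    """Recursive-descent evaluator.
    or_expr  := and_expr ('||' and_expr)*
    and_expr := not_expr ('&&' not_expr)*
    not_expr := '!' not_expr | '(' or_expr ')' | atom"""

    def __init__(self, pattern: str, value: str) -> None:
        self.tokens = _TOKEN_RE.findall(pattern)
        self.pos = 0
        self.value = value

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self) -> bool:
        result = self.and_expr()
        while self.peek() == "||":
            self.take()
            rhs = self.and_expr()   # always parse the right side so the position stays correct
            result = result or rhs
        return result

    def and_expr(self) -> bool:
        result = self.not_expr()
        while self.peek() == "&&":
            self.take()
            rhs = self.not_expr()
            result = result and rhs
        return result

    def not_expr(self) -> bool:
        tok = self.take()
        if tok == "!":
            return not self.not_expr()
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in pattern")
            return inner
        if tok is None or tok in (")", "&&", "||"):
            raise ValueError(f"unexpected token {tok!r} in pattern")
        return self._atom(tok)

    def _atom(self, atom: str) -> bool:
        # low..high range (e.g. time=0900..1700): numeric compare when all digits
        if ".." in atom:
            low, high = atom.split("..", 1)
            if low.isdigit() and high.isdigit() and self.value.isdigit():
                return int(low) <= int(self.value) <= int(high)
            return low <= self.value <= high
        return atom == self.value   # exact match; real triggers match more richly


def match_pattern(pattern: str, value: str) -> bool:
    """True if an *available* trigger value satisfies the pattern_expression."""
    parser = _PatternParser(pattern, value)
    result = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input in pattern {pattern!r}")
    return result


def evaluate_condition(condition: str, transaction: Dict[str, str]) -> str:
    """Tracing verdict for one 'trigger=pattern' condition:
    'match', 'miss' (pattern did not match) or 'N/A' (trigger unavailable)."""
    trigger, _, pattern = condition.partition("=")
    value = transaction.get(trigger)
    if value is None:
        # Unavailable trigger: false regardless of the pattern, so
        # user=kevin and user=!kevin both come out as N/A.
        return "N/A"
    return "match" if match_pattern(pattern, value) else "miss"


def evaluate_rule(conditions: List[str], transaction: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """A rule fires only if every condition is a 'match'; returns (fired, trace)."""
    trace = {cond: evaluate_condition(cond, transaction) for cond in conditions}
    return all(verdict == "match" for verdict in trace.values()), trace


# Constructed sample transactions. In the first, authenticate(no) applied,
# so the 'user' trigger is absent, i.e. unavailable.
UNAUTHENTICATED_TXN = {"url.domain": "example.com", "time": "1000"}
AUTHENTICATED_TXN = {"url.domain": "example.com", "time": "1230", "user": "kevin"}

if __name__ == "__main__":
    for cond in ("user=kevin", "user=!kevin", "time=(0900..1200 || 1300..1700)"):
        print(f"{cond:36} unauth={evaluate_condition(cond, UNAUTHENTICATED_TXN):5} "
              f"auth={evaluate_condition(cond, AUTHENTICATED_TXN)}")
    # A deny keyed on user=!kevin never fires for unauthenticated traffic.
    print(evaluate_rule(["url.domain=example.com", "user=!kevin"], UNAUTHENTICATED_TXN))
```

The point worth checking in a real policy is the last line: a rule such as `user=!kevin deny` does not deny an unauthenticated request, because the negated condition is N/A rather than true. When a layer mixes `authenticate(no)` exceptions with user-based denies, trace the policy for an unauthenticated transaction and confirm that the intended catch-all rule still fires.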

Quoting

Certain characters are considered special by CPL and have meaning as punctuation elements of the language. For example = (equal) separates a trigger name from its associated value, and blank space separates expressions in a rule.

To use a value that contains one of these characters, the value must be quoted with either single (') or double (") quotation marks, so that the special characters are not interpreted as punctuation. Text within single quotation marks can include any character other than a single quotation mark. Text within double quotation marks can include any character other than a double quotation mark. Here are some examples of where quoting is necessary:

  • user="John Doe" ; value contains a space
  • url="www.example.com/script.cgi?param=value" ; value contains '='
  • deny( "You don't have access to that page!" ) ; several special chars
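The quoting rules can be exercised with a small tokenizer that splits a rule line the way the text describes, plus a helper that picks a quote style for a value. This is an added example, not code from the original post or from Blue Coat: the `tokenize_rule`, `needs_quoting` and `quote_value` names are constructed, `;` is treated as starting a comment because the examples above use it that way, and the `SPECIAL_CHARS` set is an assumption (only `=` and blank space are named on the page).

```python
# Added example (not from the original post or Blue Coat's code): a tokenizer
# that applies the quoting rules to a CPL rule line, and a helper that chooses
# the right quote style. Names and the SPECIAL_CHARS set are assumptions.
from typing import List, Optional

# Characters that, unquoted, would be read as punctuation. '=' and blank space
# come from the page; the rest are assumed from the examples.
SPECIAL_CHARS = set(" \t=()'\";")


def tokenize_rule(line: str) -> List[str]:
    """Split a rule line on blank space, honouring single/double quotes and
    dropping a trailing ';' comment. The quote characters themselves are removed."""
    tokens: List[str] = []
    buf: List[str] = []
    quote: Optional[str] = None      # quote character we are currently inside, if any
    for ch in line:
        if quote:
            if ch == quote:
                quote = None         # closing quote; there is no escape inside quotes
            else:
                buf.append(ch)       # any other character is literal, even '=' or ';'
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            break                    # rest of the line is a comment
        elif ch.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if quote:
        raise ValueError("unterminated quoted value")
    if buf:
        tokens.append("".join(buf))
    return tokens


def needs_quoting(value: str) -> bool:
    """True if the value contains a character CPL would treat as punctuation."""
    return any(ch in SPECIAL_CHARS for ch in value)


def quote_value(value: str) -> str:
    """Wrap a value in quotes when needed. Double quotes are used unless the
    value contains one, then single quotes. A value containing both kinds
    cannot be expressed, since neither style allows its own quote inside."""
    if not needs_quoting(value):
        return value
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    raise ValueError("value contains both quote characters and cannot be quoted")


if __name__ == "__main__":
    for rule in (
        'user="John Doe" deny ; value contains a space',
        'url="www.example.com/script.cgi?param=value" deny ; value contains \'=\'',
        'deny( "You don\'t have access to that page!" )',
    ):
        print(tokenize_rule(rule))
    print(quote_value("John Doe"), quote_value("You don't have access"), quote_value('say "hi"'))
```

Note how the `=` inside the quoted URL survives as part of the `url=...` token rather than starting a second trigger, and how the apostrophe in the deny message is harmless because the value is wrapped in double quotes.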