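#NS12.0 Build 57.19
# Last modified by `save config`, Thu Nov 21 14:54:12 2019
#
# Saved NetScaler configuration for host CMNSGW, one CLI command per line.
# Every command must sit on its own line: a leading '#' comments out the rest of its line.
# It publishes two gateway vservers (192.168.201.6, 192.168.201.7) and three
# XenMobile load-balancing vservers (192.168.201.5:443/8443, 192.168.201.9:8443).
# Every value marked -encrypted or -passcrypt (nsroot hash, PFX passphrases, RADIUS key,
# LDAP bind password, rpcNode password, monitor password, encryptionParams key) is
# credential material. Store and share this file as a secret.
# NOTE(review): the header records firmware 12.0 build 57.19 as of Nov 2019. Check the
# vendor security bulletins for this build.

# --- System identity, features and modes ---
set ns config -IPAddress 192.168.201.3 -netmask 255.255.255.192
# NOTE(review): the feature list has no application-firewall entry, so the APPFW-* SNMP
# alarms below look like defaults only.
enable ns feature WL LB SSL SSLVPN REWRITE RESPONDER CH
enable ns mode FR L3 Edge USNIP PMTUD
set system parameter -doppler DISABLED
# nsroot is the only system user defined in this file. The value is a SHA512 password
# hash, which is enough for offline guessing by anyone who can read the file.
set system user nsroot 277855a38c14171c5fe774481c35149c2a3b36a1e119940c1719e880ed13200a0374b7fae6844e9161a93c55d1802094873fcdd5ab25b9a3a24972060180192d9dde24f7d -encrypted -hashmethod SHA512
set rsskeytype -rsstype ASYMMETRIC
set lacp -sysPriority 32768 -mac 00:50:56:a2:47:e0
set ns hostName CMNSGW
set interface 0/1 -autoneg DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype VMXNET3 -ifnum 0/1
set interface LO/1 -haMonitor OFF -haHeartbeat OFF -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype Loopback -ifnum LO/1

# --- Appliance IP addresses ---
# Management access is enabled on both NSIPs; the IPv4 NSIP restricts the GUI to HTTPS
# (-gui SECUREONLY). The second address, 192.168.201.4, has no management flags.
# NOTE(review): confirm that only the admin network can reach 192.168.201.3.
add ns ip6 fe80::250:56ff:fea2:47e0/64 -scope link-local -type NSIP -vlan 1 -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip 192.168.201.3 255.255.255.192 -type NSIP -vServer DISABLED -gui SECUREONLY -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip 192.168.201.4 255.255.255.192 -vServer DISABLED
set nd6RAvariables -vlan 1

# --- SNMP alarm thresholds ---
set snmp alarm APPFW-BUFFER-OVERFLOW -timeout 1
set snmp alarm APPFW-COOKIE -timeout 1
set snmp alarm APPFW-CSRF-TAG -timeout 1
set snmp alarm APPFW-DENY-URL -timeout 1
set snmp alarm APPFW-FIELD-CONSISTENCY -timeout 1
set snmp alarm APPFW-FIELD-FORMAT -timeout 1
set snmp alarm APPFW-POLICY-HIT -timeout 1
set snmp alarm APPFW-REFERER-HEADER -timeout 1
set snmp alarm APPFW-SAFE-COMMERCE -timeout 1
set snmp alarm APPFW-SAFE-OBJECT -timeout 1
set snmp alarm APPFW-SESSION-LIMIT -timeout 1
set snmp alarm APPFW-SQL -timeout 1
set snmp alarm APPFW-START-URL -timeout 1
set snmp alarm APPFW-VIOLATIONS-TYPE -timeout 1
set snmp alarm APPFW-XML-ATTACHMENT -timeout 1
set snmp alarm APPFW-XML-DOS -timeout 1
set snmp alarm APPFW-XML-SCHEMA-COMPILE -timeout 1
set snmp alarm APPFW-XML-SOAP-FAULT -timeout 1
set snmp alarm APPFW-XML-SQL -timeout 1
set snmp alarm APPFW-XML-VALIDATION -timeout 1
set snmp alarm APPFW-XML-WSI -timeout 1
set snmp alarm APPFW-XML-XSS -timeout 1
set snmp alarm APPFW-XSS -timeout 1
set snmp alarm CLUSTER-BACKPLANE-HB-MISSING -time 86400 -timeout 86400
set snmp alarm CLUSTER-NODE-HEALTH -time 86400 -timeout 86400
set snmp alarm CLUSTER-NODE-QUORUM -time 86400 -timeout 86400
set snmp alarm CLUSTER-VERSION-MISMATCH -time 86400 -timeout 86400
set snmp alarm COMPACT-FLASH-ERRORS -time 86400 -timeout 86400
set snmp alarm CONFIG-CHANGE -timeout 86400
set snmp alarm CONFIG-SAVE -timeout 86400
set snmp alarm HA-BAD-SECONDARY-STATE -time 86400 -timeout 86400
set snmp alarm HA-NO-HEARTBEATS -time 86400 -timeout 86400
set snmp alarm HA-SYNC-FAILURE -time 86400 -timeout 86400
set snmp alarm HA-VERSION-MISMATCH -time 86400 -timeout 86400
set snmp alarm HARD-DISK-DRIVE-ERRORS -time 86400 -timeout 86400
set snmp alarm HA-STATE-CHANGE -timeout 86400
set snmp alarm HA-STICKY-PRIMARY -timeout 86400
set snmp alarm PORT-ALLOC-FAILED -time 3600 -timeout 3600
set snmp alarm SYNFLOOD -timeout 1

# --- Pattern sets ---
# ST_WB_CKIES192_168_201_6 lists cookies consumed by the client in clientless mode.
# XDM_UrlSet lists the /zdm/ URL prefixes that responder policy XDM_Admin_Console_Drop
# matches.
add policy patset ST_WB_CKIES192_168_201_6
add policy patset XDM_UrlSet
bind policy patset ns_vpn_client_useragents AGEE -index 1 -charset ASCII
bind policy patset ns_vpn_client_useragents CitrixReceiver -index 2 -charset ASCII
bind policy patset ns_vpn_client_useragents AGMacClient -index 3 -charset ASCII
bind policy patset ns_vpn_client_useragents "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0" -index 4 -charset ASCII
bind policy patset ns_vpn_client_useragents "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0" -index 5 -charset ASCII
bind policy patset ns_aaa_activesync_useragents Apple-iPhone -index 1 -charset ASCII
bind policy patset ns_aaa_activesync_useragents Apple-iPad -index 2 -charset ASCII
bind policy patset ns_aaa_activesync_useragents SAMSUNG-GT -index 3 -charset ASCII
bind policy patset ns_aaa_activesync_useragents "SAMSUNG GT" -index 4 -charset ASCII
bind policy patset ns_aaa_activesync_useragents AirWatch -index 5 -charset ASCII
bind policy patset ns_aaa_activesync_useragents "TouchDown(MSRPC)" -index 6 -charset ASCII
bind policy patset ns_cvpn_default_inet_domains mdm.cmcm.lu:8443 -index 2
bind policy patset ns_videoopt_quic_abr_sni_whitelist googlevideo.com -index 1
bind policy patset ns_videoopt_quic_abr_sni_whitelist c.youtube.com -index 2
bind policy patset ns_videoopt_quic_abr_sni_blacklist manifest.googlevideo.com -index 1
bind policy patset ns_videoopt_quic_abr_sni_blacklist redirector.googlevideo.com -index 2
bind policy patset ST_WB_CKIES192_168_201_6 CsrfToken -index 1
bind policy patset ST_WB_CKIES192_168_201_6 ASP.NET_SessionId -index 2
bind policy patset ST_WB_CKIES192_168_201_6 CtxsPluginAssistantState -index 3
bind policy patset ST_WB_CKIES192_168_201_6 CtxsAuthId -index 4
bind policy patset XDM_UrlSet "/zdm/header.jsp" -index 4
bind policy patset XDM_UrlSet "/zdm/console" -index 1
bind policy patset XDM_UrlSet "/zdm/login.jsp" -index 2
bind policy patset XDM_UrlSet "/zdm/log.jsp" -index 3
bind policy patset XDM_UrlSet "/zdm/login_xdm_uc.jsp" -index 5
add ns httpProfile _XM_SSL_OFFLOAD_HTTP_PROFILE -conMultiplex DISABLED
set cmp parameter -policyType ADVANCED

# --- Backend servers, services and service groups ---
# Every backend here is cleartext: HTTP on port 80 for the XenMobile and StoreFront
# services and raw TCP for LDAP (members bound on 389 further down). TLS ends on this
# appliance.
# NOTE(review): confirm the backend segments are trusted, or move the backends to TLS.
add server cmsv30 192.168.10.30
add server cmsv31 192.168.10.31
add server cmsv50 192.168.10.50
add server 192.168.201.2 192.168.201.2
add server cmsv34 192.168.10.34
add server CMXENAPP2 192.168.10.134
add service 192.168.201.2_80 192.168.201.2 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CustomServerID 3215509762 -CKA NO -TCPB NO -CMP NO
add service 192.168.10.34_80 cmsv34 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup svgrp_ldap TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
# The StoreFront group passes the client address to the backend in X-Forwarded-For.
add serviceGroup svgrp_Storefront HTTP -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

# --- Certificates and keys ---
# The PFX passphrases are stored with -passcrypt. STAR.cmcm.lu is the key pair bound to
# all five SSL vservers further down. "*.cmcm.lu" is linked to its chain but bound to
# no vserver in this file, and its expiry monitor is disabled.
# NOTE(review): remove the unused wildcard key pair if it is no longer needed.
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey "*.cmcm.lu" -cert cmcm_lu.pfx -key cmcm_lu.pfx -inform PFX -passcrypt "wap0Ds+Ki5WWCXpKJDJbFg==" -expiryMonitor DISABLED
add ssl certKey AlphaSSL_CA -cert ca.crt
add ssl certKey AlphaSSL-Intermediate-SHA256-G2 -cert "AlphaSSL CA - SHA256 - G2 - Intermediate.crt"
add ssl certKey STAR.cmcm.lu -cert STAR_cmcm_lu.pfx -key STAR_cmcm_lu.pfx -inform PFX -passcrypt "MMcl7X9G4LO6I/aJD+5TTw=="
add ssl certKey COMODO_CA -cert STAR_cmcm_lu.ca-bundle
add ssl certKey COMODO_CA_ic1 -cert STAR_cmcm_lu.ca-bundle_ic1
link ssl certKey "*.cmcm.lu" AlphaSSL-Intermediate-SHA256-G2
link ssl certKey AlphaSSL-Intermediate-SHA256-G2 AlphaSSL_CA
link ssl certKey STAR.cmcm.lu COMODO_CA
link ssl certKey COMODO_CA COMODO_CA_ic1

# --- Authentication actions and policies ---
# RADIUS (action "Vasco") and LDAP. The LDAP action targets 192.168.201.8, which is the
# lb_ldap vserver on TCP 389. No -secType is set, so binds use the PLAINTEXT default and
# the service-account and user passwords cross the wire unencrypted.
# NOTE(review): consider LDAPS (-secType SSL on 636) from the appliance to the
# directory servers.
add authentication radiusAction Vasco -serverIP 192.168.201.11 -serverPort 1812 -radKey 6848b2e5ad4e2bef47f5a5c814621f79939db84a7c322912258e8bfe624c529a -encrypted -encryptmethod ENCMTHD_3
add authentication ldapAction 192.168.201.8_LDAP -serverIP 192.168.201.8 -ldapBase "ou=users,ou=cmcm,dc=cmcm,dc=loc" -ldapBindDn s-ldapXenMobile@cmcm.loc -ldapBindDnPassword f61e29a723a01c70191655e4fdce4467e7b337b0be306ebde42cc396f8204d05 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName userPrincipalName
add vpn portaltheme X1-CMCM -basetheme X1
# The mobile/nonmobile policies branch on the User-Agent header, which the client
# controls. As bound on _XD_192.168.201.7_443 both branches still require RADIUS and
# LDAP, so the header only changes which factor is primary.
add authentication radiusPolicy mobile_Vasco_pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Vasco
add authentication radiusPolicy nonmobile_Vasco_pol "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Vasco
add authentication ldapPolicy 192.168.201.8_LDAP_pol NS_TRUE 192.168.201.8_LDAP
add authentication ldapPolicy mobile_ldap_pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" 192.168.201.8_LDAP
add authentication ldapPolicy nonmobile_ldap_pol "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" 192.168.201.8_LDAP

# --- Load-balancing and gateway virtual servers ---
set lb parameter -sessionsThreshold 150000
add lb vserver _XM_MAM_LB_192.168.201.9_8443 SSL 192.168.201.9 8443 -persistenceType CUSTOMSERVERID -rule "HTTP.REQ.COOKIE.VALUE(\"ACNODEID\")" -cltTimeout 180
add lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 SSL 192.168.201.5 443 -persistenceType SOURCEIP -timeout 1440 -cltTimeout 180 -httpProfileName _XM_SSL_OFFLOAD_HTTP_PROFILE
add lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 SSL 192.168.201.5 8443 -persistenceType SOURCEIP -cltTimeout 180 -httpProfileName _XM_SSL_OFFLOAD_HTTP_PROFILE
add lb vserver lb_ldap TCP 192.168.201.8 389 -persistenceType NONE -cltTimeout 9000
add lb vserver lb_Storefront HTTP 192.168.201.10 80 -persistenceType SOURCEIP -timeout 60 -cltTimeout 180
set cache parameter -via "NS-CACHE-10.0: 3"
add vpn vserver _XM_XenMobileGateway SSL 192.168.201.6 443 -Listenpolicy NONE
add vpn vserver _XD_192.168.201.7_443 SSL 192.168.201.7 443 -Listenpolicy NONE -deploymentType ICA_STOREFRONT -vserverFqdn myapps.cmcm.lu
set aaa parameter -maxAAAUsers 505
set ns rpcNode 192.168.201.3 -password b987ee67e56905bc2763aaadc9d606a374e34cbfa872f71382c39b75c9a7d5694a861a8db4f3f5d78c02269221e224a1 -encrypted -encryptmethod ENCMTHD_3 -srcIP 192.168.201.3

# --- HSTS response header ---
# max-age=157680000 seconds is five years; there is no includeSubDomains directive.
# The policy is bound to the two gateway vservers only, not to the LB vservers.
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy enforce_STS true insert_STS_header
bind cmp global ns_adv_nocmp_xml_ie -priority 8700 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_nocmp_mozilla_47 -priority 8800 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_cmp_mscss -priority 8900 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_cmp_msapp -priority 9000 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_cmp_content_type -priority 10000 -gotoPriorityExpression END -type RES_DEFAULT

# --- Clientless access profiles and policies ---
add vpn clientlessAccessProfile ST_WB_RW_192.168.201.6
add vpn clientlessAccessProfile NO_RW_192.168.201.6
set vpn clientlessAccessProfile ST_WB_RW_192.168.201.6 -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies ST_WB_CKIES192_168_201_6
add vpn clientlessAccessPolicy CLT_LESS_RF_192.168.201.6 TRUE ST_WB_RW_192.168.201.6
add vpn clientlessAccessPolicy CLT_LESS_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" NO_RW_192.168.201.6
set appflow param -cqaReporting ENABLED

# --- Responder: drop requests for the XenMobile console paths ---
# Drops requests whose URL starts with an XDM_UrlSet entry. It is bound further down to
# the two _XM_LB_MDM_ vservers only.
# NOTE(review): _XM_MAM_LB_192.168.201.9_8443 uses the same backend service
# (192.168.201.2_80) without this policy. Confirm whether it needs the same binding.
# NOTE(review): the expression has no SET_TEXT_MODE(IGNORECASE), so the prefix match is
# case-sensitive. Confirm the backend does not serve these paths under another casing.
add responder policy XDM_Admin_Console_Drop "HTTP.REQ.URL.STARTSWITH_ANY(\"XDM_UrlSet\")" DROP

# --- Integrated-cache content groups, policies and labels ---
add cache contentGroup DEFAULT
set cache contentGroup NSFEO -maxResSize 1994752
add cache contentGroup BASEFILE -relExpiry 86000 -weakNegRelExpiry 600 -maxResSize 256 -memLimit 2
add cache contentGroup DELTAJS -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES
add cache contentGroup ctx_cg_poc -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -maxResSize 500 -memLimit 256 -pinned YES
add cache policy _nonGetReq -rule "!HTTP.REQ.METHOD.eq(GET)" -action NOCACHE
add cache policy _advancedConditionalReq -rule "HTTP.REQ.HEADER(\"If-Match\").EXISTS || HTTP.REQ.HEADER(\"If-Unmodified-Since\").EXISTS" -action NOCACHE
# Requests carrying a cookie or credentials are marked MAY_NOCACHE, and responses that
# set cookies are NOCACHE (_personalizedRes below).
add cache policy _personalizedReq -rule "HTTP.REQ.HEADER(\"Cookie\").EXISTS || HTTP.REQ.HEADER(\"Authorization\").EXISTS || HTTP.REQ.HEADER(\"Proxy-Authorization\").EXISTS || HTTP.REQ.IS_NTLM_OR_NEGOTIATE" -action MAY_NOCACHE
add cache policy _uncacheableStatusRes -rule "! ((HTTP.RES.STATUS.EQ(200)) || (HTTP.RES.STATUS.EQ(304)) || (HTTP.RES.STATUS.BETWEEN(400,499)) || (HTTP.RES.STATUS.BETWEEN(300, 302)) || (HTTP.RES.STATUS.EQ(307))|| (HTTP.RES.STATUS.EQ(203)))" -action NOCACHE
add cache policy _uncacheableCacheControlRes -rule "((HTTP.RES.CACHE_CONTROL.IS_PRIVATE) || (HTTP.RES.CACHE_CONTROL.IS_NO_CACHE) || (HTTP.RES.CACHE_CONTROL.IS_NO_STORE) || (HTTP.RES.CACHE_CONTROL.IS_INVALID))" -action NOCACHE
add cache policy _cacheableCacheControlRes -rule "((HTTP.RES.CACHE_CONTROL.IS_PUBLIC) || (HTTP.RES.CACHE_CONTROL.IS_MAX_AGE) || (HTTP.RES.CACHE_CONTROL.IS_MUST_REVALIDATE) || (HTTP.RES.CACHE_CONTROL.IS_PROXY_REVALIDATE) || (HTTP.RES.CACHE_CONTROL.IS_S_MAXAGE))" -action CACHE -storeInGroup DEFAULT
add cache policy _uncacheableVaryRes -rule "((HTTP.RES.HEADER(\"Vary\").EXISTS) && ((HTTP.RES.HEADER(\"Vary\").INSTANCE(1).LENGTH > 0) || (!HTTP.RES.HEADER(\"Vary\").STRIP_END_WS.SET_TEXT_MODE(IGNORECASE).eq(\"Accept-Encoding\"))))" -action NOCACHE
add cache policy _uncacheablePragmaRes -rule "HTTP.RES.HEADER(\"Pragma\").EXISTS" -action NOCACHE
add cache policy _cacheableExpiryRes -rule "HTTP.RES.HEADER(\"Expires\").EXISTS" -action CACHE -storeInGroup DEFAULT
add cache policy _imageRes -rule "HTTP.RES.HEADER(\"Content-Type\").SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"image/\")" -action CACHE -storeInGroup DEFAULT
add cache policy _personalizedRes -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS || HTTP.RES.HEADER(\"Set-Cookie2\").EXISTS" -action NOCACHE
add cache policy ctx_images -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS_INDEX(\"ctx_file_extensions\").BETWEEN(101,150)" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_web_css -rule "HTTP.REQ.URL.ENDSWITH(\".css\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_doc_pdf -rule "HTTP.REQ.URL.ENDSWITH(\".pdf\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_web_JavaScript -rule "HTTP.REQ.URL.ENDSWITH(\".js\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_web_JavaScript-Res -rule "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/x-javascript\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_NOCACHE_Cleanup -rule TRUE -action NOCACHE
add cache policylabel _reqBuiltinDefaults -evaluates REQ
add cache policylabel _resBuiltinDefaults -evaluates RES
bind cache policylabel _reqBuiltinDefaults -policyName _nonGetReq -priority 100 -gotoPriorityExpression END
bind cache policylabel _reqBuiltinDefaults -policyName _advancedConditionalReq -priority 200 -gotoPriorityExpression END
bind cache policylabel _reqBuiltinDefaults -policyName _personalizedReq -priority 300 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableStatusRes -priority 100 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableVaryRes -priority 200 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableCacheControlRes -priority 300 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _cacheableCacheControlRes -priority 400 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheablePragmaRes -priority 500 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _cacheableExpiryRes -priority 600 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _imageRes -priority 700 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _personalizedRes -priority 800 -gotoPriorityExpression END
bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel _reqBuiltinDefaults
bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel _resBuiltinDefaults

# --- Encryption parameters ---
# NOTE(review): whether the -encrypted values in this file can be recovered depends on
# key material kept with the appliance. Back up and transfer the two together only
# over protected channels.
set ns encryptionParams -method AES256 -keyValue b6901d7f0a37170a284b4e48a62d6f0db4b23fce17eac5d7cac8e3c0c81725a0943536d13d6e4d5c73a10306752321b199afa820fb1e4c8002eb7e4e9a2579bef63da35962b557c04780a90ae52e2737 -encrypted -encryptmethod ENCMTHD_3

# --- LB vserver service and policy bindings ---
bind lb vserver _XM_MAM_LB_192.168.201.9_8443 192.168.201.2_80
bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 192.168.201.2_80
bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 192.168.201.2_80
bind lb vserver lb_ldap svgrp_ldap
bind lb vserver lb_Storefront svgrp_Storefront
bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -policyName XDM_Admin_Console_Drop -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -policyName XDM_Admin_Console_Drop -priority 100 -gotoPriorityExpression END -type REQUEST

# --- DNS: resolvers, root hints and local records ---
add dns nameServer 192.168.10.30
add dns nameServer 192.168.10.31
set ns diameter -identity netscaler.com -realm com
set subscriber gxInterface -pcrfRealm pcrf.com -holdOnSubscriberAbsence YES -servicePathAVP 262099 -servicePathVendorid 3845
set ns tcpbufParam -memLimit 512
set dns parameter -dns64Timeout 1000
add dns nsRec . a.root-servers.net -TTL 3600000
add dns nsRec . b.root-servers.net -TTL 3600000
add dns nsRec . c.root-servers.net -TTL 3600000
add dns nsRec . d.root-servers.net -TTL 3600000
add dns nsRec . e.root-servers.net -TTL 3600000
add dns nsRec . f.root-servers.net -TTL 3600000
add dns nsRec . g.root-servers.net -TTL 3600000
add dns nsRec . h.root-servers.net -TTL 3600000
add dns nsRec . i.root-servers.net -TTL 3600000
add dns nsRec . j.root-servers.net -TTL 3600000
add dns nsRec . k.root-servers.net -TTL 3600000
add dns nsRec . l.root-servers.net -TTL 3600000
add dns nsRec . m.root-servers.net -TTL 3600000
add dns addRec l.root-servers.net 199.7.83.42 -TTL 3600000
add dns addRec b.root-servers.net 192.228.79.201 -TTL 3600000
add dns addRec d.root-servers.net 199.7.91.13 -TTL 3600000
add dns addRec j.root-servers.net 192.58.128.30 -TTL 3600000
add dns addRec h.root-servers.net 198.97.190.53 -TTL 3600000
add dns addRec f.root-servers.net 192.5.5.241 -TTL 3600000
# Local override: mdm.cmcm.lu resolves to the MAM LB vserver address on this appliance.
add dns addRec mdm.cmcm.lu 192.168.201.9
add dns addRec k.root-servers.net 193.0.14.129 -TTL 3600000
add dns addRec a.root-servers.net 198.41.0.4 -TTL 3600000
add dns addRec c.root-servers.net 192.33.4.12 -TTL 3600000
add dns addRec m.root-servers.net 202.12.27.33 -TTL 3600000
add dns addRec i.root-servers.net 192.36.148.17 -TTL 3600000
add dns addRec g.root-servers.net 192.112.36.4 -TTL 3600000
add dns addRec e.root-servers.net 192.203.230.10 -TTL 3600000
add dns suffix cmcm.loc

# --- Monitors and service-group members ---
set lb monitor ldns-dns LDNS-DNS -query . -queryType Address
set lb monitor stasecure CITRIX-STA-SERVICE -interval 2 MIN
set lb monitor sta CITRIX-STA-SERVICE -interval 2 MIN
# The LDAP monitor binds as a directory service account, and its password is stored
# here as well.
add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password ecf34ff2a023fde44c21d48ee6fb3d1b1ed0747c10fd6e969f8a07f4840b5fda -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -baseDN "DC=cmcm,DC=loc" -bindDN "CN=s-ldap XenMobile,CN=Users,DC=cmcm,DC=loc" -filter cn=builtin
add lb monitor mon_Storefront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -storename Mobility
bind serviceGroup svgrp_ldap cmsv30 389
bind serviceGroup svgrp_ldap cmsv31 389
bind serviceGroup svgrp_ldap -monitorName mon_ldap
bind serviceGroup svgrp_Storefront cmsv34 80
bind serviceGroup svgrp_Storefront CMXENAPP2 80
bind serviceGroup svgrp_Storefront -monitorName mon_Storefront
add route 0.0.0.0 0.0.0.0 192.168.201.1

# --- SSL/TLS parameters ---
# Client-initiated renegotiation is denied on the front end.
set ssl parameter -denySSLReneg FRONTEND_CLIENT
set ssl service vpndbssvc_-662974853 -sessReuse ENABLED -sessTimeout 120
set ssl service nsrnatsip-127.0.0.1-5061 -eRSA ENABLED -sessReuse DISABLED
set ssl service nskrpcs-127.0.0.1-3009 -eRSA ENABLED -sessReuse DISABLED
set ssl service nshttps-::1l-443 -eRSA ENABLED -sessReuse DISABLED
set ssl service nsrpcs-::1l-3008 -eRSA ENABLED -sessReuse DISABLED
set ssl service nshttps-127.0.0.1-443 -eRSA ENABLED -sessReuse DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -eRSA ENABLED -sessReuse DISABLED
# Protocol versions per vserver: the two gateway vservers disable SSLv3, TLS 1.0 and
# TLS 1.1. The two MDM vservers disable only SSLv3. _XM_MAM_LB_192.168.201.9_8443 has
# no "set ssl vserver" line and no cipher group bound, so it runs on appliance defaults.
# NOTE(review): tighten the MDM and MAM vservers to match the gateways once enrolled
# devices are confirmed to support TLS 1.2.
# MDM 443 requests a client certificate but does not require one (-clientCert Optional).
set ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -sessReuse ENABLED -sessTimeout 15 -clientAuth ENABLED -clientCert Optional -sslRedirect ENABLED -ssl3 DISABLED
set ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -ssl3 DISABLED
set ssl vserver _XM_XenMobileGateway -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
set ssl vserver _XD_192.168.201.7_443 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
# When a client certificate is presented, it is passed to the backend in the
# NSClientCert request header.
# NOTE(review): the backend must accept this header only from the appliance. Confirm
# that a client-supplied NSClientCert header cannot reach it.
add ssl action _XM_MDM_XenMobileMDM_ACTION -clientCert ENABLED -certHeader NSClientCert
add ssl policy _XM_MDM_XenMobileMDM_POLICY -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action _XM_MDM_XenMobileMDM_ACTION

# --- Gateway session actions and policies ---
# Every session action sets -defaultAuthorizationAction ALLOW, so an authenticated user
# may reach any resource the gateway can route to unless an authorization policy denies
# it. None is defined in this file.
# AC_OS_192.168.201.6_A_ keeps sessions for 10080 minutes (7 days) idle and 1440
# minutes forced.
# NOTE(review): the two *_192.168.201.7 actions use -SSO ON with http:// StoreFront
# URLs, so single sign-on credentials would travel to StoreFront without TLS.
# Confirm this and prefer https.
add vpn sessionAction AC_OS_192.168.201.6_A_ -splitDns BOTH -sessTimeout 10080 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://mdm.cmcm.lu:8443"
add vpn sessionAction AC_WB_192.168.201.6_A_ -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://mdm.cmcm.lu:8443/Citrix/StoreWeb" -icaProxy OFF -wihome "https://mdm.cmcm.lu:8443/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode ON -SecureBrowse ENABLED
add vpn sessionAction AC_AG_PLG_192.168.201.6_A_ -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://mdm.cmcm.lu:8443/Citrix/StoreWeb" -icaProxy OFF -ClientChoices OFF -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://mdm.cmcm.lu:8443"
add vpn sessionAction AC_OS_192.168.201.7 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential SECONDARY -icaProxy ON -wihome "http://lb_stfdmz.cmcm.loc/Citrix/MobilityWeb" -ClientChoices OFF -ntDomain CMCM -clientlessVpnMode OFF -storefronturl "http://lb_stfdmz.cmcm.loc" -sfGatewayAuthType domain
add vpn sessionAction AC_WB_192.168.201.7 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "http://lb_stfdmz.cmcm.loc/Citrix/MobilityWeb" -ClientChoices OFF -ntDomain CMCM -clientlessVpnMode OFF -sfGatewayAuthType domain
# Session profiles are chosen from request headers (User-Agent, X-Citrix-Gateway,
# Referer), all of which the client controls. Treat them as a client-type hint, not as
# an access control.
add vpn sessionPolicy PL_OS_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" AC_OS_192.168.201.6_A_
add vpn sessionPolicy PL_WB_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_192.168.201.6_A_
add vpn sessionPolicy PL_AG_PLG_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && HTTP.REQ.HEADER(\"Referer\").EXISTS.NOT" AC_AG_PLG_192.168.201.6_A_
add vpn sessionPolicy PL_OS_192.168.201.7 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_192.168.201.7
add vpn sessionPolicy PL_WB_192.168.201.7 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_192.168.201.7
set vpn parameter -forceCleanup none -clientConfiguration all -tag 10

# --- Global audit, tunnel and traffic-management bindings ---
# Only the built-in audit policies are bound. Neither "set audit syslogParams" nor
# "add audit syslogAction" appears in this file.
# NOTE(review): confirm that logs are forwarded to a remote collector.
bind audit syslogGlobal -policyName SETSYSLOGPARAMS_ADV_POL -priority 2000000000
bind audit nslogGlobal -policyName SETNSLOGPARAMS_ADV_POL -priority 2000000000
bind tunnel global ns_tunnel_msdocs -priority 4000
bind tunnel global ns_tunnel_mimetext -priority 6000
bind tm global -policyName SETTMSESSPARAMS_ADV_POL -priority 65534 -gotoPriorityExpression NEXT

# --- Gateway vserver bindings: STA servers, authentication, cache, session ---
# NOTE(review): three of the STA bindings use http://, so the exchange with those
# servers is not protected in transit.
bind vpn vserver _XM_XenMobileGateway -staServer "http://192.168.10.34"
bind vpn vserver _XM_XenMobileGateway -staServer "https://mdm.cmcm.lu:8443"
bind vpn vserver _XM_XenMobileGateway -staServer "http://192.168.10.134"
bind vpn vserver _XD_192.168.201.7_443 -staServer "http://192.168.10.34"
bind vpn vserver _XD_192.168.201.7_443 -staServer "http://192.168.10.134"
bind vpn vserver _XM_XenMobileGateway -appController "https://mdm.cmcm.lu:8443"
bind vpn vserver _XD_192.168.201.7_443 -portaltheme X1-CMCM
# LDAP is the only authentication policy bound to _XM_XenMobileGateway in this file, so
# that vserver is single-factor.
bind vpn vserver _XM_XenMobileGateway -policy 192.168.201.8_LDAP_pol
bind vpn vserver _XM_XenMobileGateway -policy CLT_LESS_192.168.201.6 -priority 80 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy CLT_LESS_RF_192.168.201.6 -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy enforce_STS -priority 100 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XM_XenMobileGateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XM_XenMobileGateway -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XM_XenMobileGateway -policy PL_OS_192.168.201.6 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy PL_WB_192.168.201.6 -priority 110 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XM_XenMobileGateway -policy PL_AG_PLG_192.168.201.6 -priority 120 -gotoPriorityExpression NEXT -type REQUEST
# Two-factor on _XD_192.168.201.7_443. Receiver clients get RADIUS as primary and LDAP
# as secondary; all other clients get LDAP as primary and RADIUS as secondary.
bind vpn vserver _XD_192.168.201.7_443 -policy mobile_Vasco_pol -priority 90
bind vpn vserver _XD_192.168.201.7_443 -policy nonmobile_ldap_pol -priority 100
bind vpn vserver _XD_192.168.201.7_443 -policy mobile_ldap_pol -priority 90 -secondary
bind vpn vserver _XD_192.168.201.7_443 -policy nonmobile_Vasco_pol -priority 100 -secondary
bind vpn vserver _XD_192.168.201.7_443 -policy enforce_STS -priority 100 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.201.7_443 -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.201.7_443 -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.201.7_443 -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.201.7_443 -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_192.168.201.7_443 -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.201.7_443 -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_192.168.201.7_443 -policy PL_OS_192.168.201.7 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_192.168.201.7_443 -policy PL_WB_192.168.201.7 -priority 110 -gotoPriorityExpression NEXT -type REQUEST

# --- Cipher groups ---
# Both groups list only TLS 1.2 ECDHE/DHE suites. custom-ssllabs-cipher is AEAD (GCM)
# only. custom-ssllabs-cipher-2019 adds one CBC suite at priority 5
# (TLS1.2-ECDHE-RSA-AES-256-SHA384).
# NOTE(review): drop the CBC suite unless a client still needs it.
add ssl cipher custom-ssllabs-cipher
add ssl cipher custom-ssllabs-cipher-2019
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 3
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 4
bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 3
bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 4
bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 5

# --- Certificate, cipher-group and curve bindings ---
bind ssl service nsrnatsip-127.0.0.1-5061 -certkeyName ns-server-certificate
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
bind ssl service nshttps-::1l-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
bind ssl service vpndbssvc_-662974853 -eccCurveName P_256
bind ssl service vpndbssvc_-662974853 -eccCurveName P_384
bind ssl service vpndbssvc_-662974853 -eccCurveName P_224
bind ssl service vpndbssvc_-662974853 -eccCurveName P_521
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -cipherName custom-ssllabs-cipher
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -cipherName custom-ssllabs-cipher
bind ssl vserver _XM_XenMobileGateway -cipherName custom-ssllabs-cipher-2019
bind ssl vserver _XD_192.168.201.7_443 -cipherName custom-ssllabs-cipher-2019
# One wildcard key pair serves all five SSL vservers, so replacing it affects every
# service at once.
bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -certkeyName STAR.cmcm.lu
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -certkeyName STAR.cmcm.lu
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -certkeyName STAR.cmcm.lu
bind ssl vserver _XM_XenMobileGateway -certkeyName STAR.cmcm.lu
bind ssl vserver _XD_192.168.201.7_443 -certkeyName STAR.cmcm.lu
# NOTE(review): P_224 is bound next to P_256, P_384 and P_521 on every vserver.
# Consider unbinding it if no client needs it.
bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_256
bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_384
bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_224
bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_521
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_256
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_384
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_224
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_521
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_256
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_384
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_224
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_521
bind ssl vserver _XM_XenMobileGateway -eccCurveName P_256
bind ssl vserver _XM_XenMobileGateway -eccCurveName P_384
bind ssl vserver _XM_XenMobileGateway -eccCurveName P_224
bind ssl vserver _XM_XenMobileGateway -eccCurveName P_521
bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_256
bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_384
bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_224
bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_521
bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -policyName _XM_MDM_XenMobileMDM_POLICY -priority 100

# --- Application-firewall content types and remaining system parameters ---
add appfw JSONContentType "^application/json$" -isRegex REGEX
add appfw XMLContentType ".*/xml" -isRegex REGEX
add appfw XMLContentType ".*/.*\\+xml" -isRegex REGEX
add appfw XMLContentType ".*/xml-.*" -isRegex REGEX
set ip6TunnelParam -srcIP ::
set ptp -state ENABLE
set ns param -timezone "GMT+01:00-CET-Europe/Luxembourg"
set ns vpxparam -cpuyield DEFAULT
set ns cqaparam -lr1probthresh 0.00e+00 -lr2probthresh 0.00e+00
set qos parameters -debuglevel 0 -dumpcore 4294967295 -dumpsession 0 -dumpqp 0
set urlfiltering parameter -HoursBetweenDBUpdates 24 -TimeOfDayToUpdateDB 03:00 -MaxNumberOfCloudThreads 4 -CloudKeepAliveTimeout 120000 -CloudServerConnectTimeout 1000 -CloudDBLookupTimeout 2000 -seedDBSizeLevel 1 -LocalDatabaseThreads 1
set videooptimization parameter -RandomSamplingPercentage 0.00e+00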