18 February, 2021 #Citrix

Converting Citrix ADC policies with NSPEPI

If you are planning on upgrading your Citrix ADC from any version below Citrix ADC 12.0 build 56.20, you might need to update your ‘Classic policies’ as these will be deprecated from that version forward.

NSPEPI, a tool by Citrix and available from the Citrix ADC CLI can help us upgrade any classic policies. NSPEPI is capable of upgrading just one policy, or the whole nsconfig file alike.

Please note that NSPEPI is only available from the ‘Shell’.
To enter shell mode connect to your Citrix ADC with SSH and after logging in enter ‘Shell’.

I will show you two examples in this guide:
1. The conversion of a classic policy
2. The conversion of the whole nsconfig file

Syntax Input:
nspepi (-e "classic expression" | -f "ns config file") (-v)

*Max expression length = 1449

Syntax Output:

<Converted advanced expression> | <Convertered ns config>

Converting a Classic Policy

It’s rather simple really. Take the classic policy that you want to convert and copy it to a notepad (or make sure it’s available under your clipboard).

My classic policy will be the all time favorite ‘NS_True’
The same Advanced Expression for that is just ‘TRUE’.

The syntax for converting a classic policy is:

nspepi -e "policy"

So for my policy it would be:

nspepi -e "ns_true"

Comes out as expected!

Converting the NSConfig File

NSPEPI can also conver the whole NSConfig (ns.conf) file for you.
Not to worry that it’s not the actual file that is being upgraded, a second file is generated with the converted policies for you to review. Still, I would recommend to keep an offline backup of the file during the change period.NSPEPI also creates a warning file /nsconfig/warn_ns.conf. Be sure to read it when the conversion is done.

The syntax for the conversion is as follows:

nspepi -f /nsconfig/ns.conf

After entering I got no real confirmation that the conversion was succeeded. I believe that does happen on some versions though. However, the files are created!

Upon opening the warning file, no errors/warnings were mentioned.
The new_ns.conf file however was as expected a ns.conf file.

After reviewing the new file, you can rename the ns.conf file to ns.conf.old and rename the new_ns.conf to ns.conf.

You can do this with the following syntax:

mv <current file name> <new file name>

Now proceed with a warm reboot

Exit   (to exit the shell)
reboot -warm

You should be good to go now! :).

4 Comments on Converting Citrix ADC policies with NSPEPI

  • Alex Gabra Reply

    Hello thanks for this information. I have a couple questions…Do you convert the policies after or before the upgrade to latest version of 13? Also when you run a conversion of the polies on the whole ns.conf file, are there steps different than what you mentioned when having an HA pair?


    • Mick Hilhorst Reply

      Hi Alex,

      You can do it both before and after; I would choose before so your bindings do not stop working.
      Be mindful that if you upgrade to the latest version of 13 your ”Citrix Gateway Virtual Server” policies will probably not auto-convert with this.
      I believe this is due to the fact that all gateway policies need to be ‘unbinded’ first if any classic policy is present. Otherwise advanced policies can’t be bound.

      As for HA, the configuration get’s synced (unless you disabled this). Only need to do this on the primary ADC, the secondary will copy the configuration automatically in a couple of minutes. So no different steps, just no real need to do it on the secondary ADC.

      Kind Regards,

      Mick Hilhorst

  • Robert Arnett Reply

    I just tried this on a test ADC and the new_nsconfig does not have the Virtual servers in the new file?

    • Mick Hilhorst Reply

      Hi Robert,

      Sorry to hear that, most likely something went wrong.
      Are there any logs in the warn_ns.conf?

      If you like you can upload the nsconfig file of your test environment (as long no sensitive data is in there) and the new_nsconf and your warn file.
      Would be happy to take a look at it for you.

      Kind Regards,

      Mick Hilhorst

Leave a Comment

Your email address will not be published. Required fields are marked *

You Might Be Interested In