Restricting Citrix NetScaler Gateway Access by IP Address

A Step-by-Step Guide to Enhancing Security and Preventing Unauthorized Access

Overview

In a bid to enhance security and prevent unauthorized access, many organizations require that their Citrix NetScaler Gateway URL be accessible only from specific, trusted IP addresses. This is particularly important for businesses that handle sensitive data or have strict compliance requirements. By limiting access to the NetScaler Gateway URL to a predefined set of IP addresses, administrators can significantly reduce the risk of malicious activity and data breaches. In this article, we will explore the steps and best practices for configuring Citrix NetScaler to restrict access to the Gateway URL based on IP address.

A quick way to test is to create a responder policy directly with an expression such as CLIENT.IP.SRC.EQ(<Client_IPAddress>). To allow several addresses this way you must chain them with || (a logical OR in the expression language), for example: CLIENT.IP.SRC.EQ(<Client_IPAddress1>) || CLIENT.IP.SRC.EQ(<Client_IPAddress2>) || CLIENT.IP.SRC.EQ(<Client_IPAddress3>). The process described below is easier to maintain when you have many IP addresses to allow.

Steps to Allow Only Approved IP Addresses

Creating a Data Set

To restrict access to the Virtual Server by IP address, we need to create a data set that contains the allowed IP addresses. To do this:

  • Log in to the Citrix ADC and navigate to Configuration > AppExpert > Data Sets.
  • Click the Add button to create a new data set.
  • Name the data set (e.g., “Allowed_IPs”) using only letters and underscores.
  • Set the Type to ipv4, as we will be adding IPv4 addresses to this data set.
  • Next, add a single IP address or an IP address range. Click Insert and follow the steps below to add a single IP address or a range to the data set.

Adding IP Addresses to the Data Set

  • To add a range of IP addresses, enter the first usable IP address in the range in the Value column and the last usable IP address in the range in the End Range column. Also, document the VLAN ID and a brief description of the IP range.
  • To add a single host entry, enter the IP address of the device in the Value field and a description or name of the device in the Comments field.
  • Click Insert to add the IP address or range to the data set.

Creating a Responder Policy

  • Navigate to AppExpert > Responder > Policies and click Add.
  • Create a policy that RESETs any request whose client (source) IP address is NOT in the allowed data set.
    • RESET: Sends a TCP RESET packet to the client, immediately terminating the connection and providing an immediate error message.
    • DROP: Discards the client’s request without sending a response, potentially causing the client to wait and retransmit, leading to delays and additional traffic.
  • Name the policy accordingly and set the Action to RESET.
  • Add the following expression with the data set name in double quotes: !CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("Allowed_IPs").
  • Add a comment that explains what this policy does.
  • Click Create.

Binding the Responder Policy to the Virtual Server

  • Navigate to Citrix Gateway > Virtual Servers and edit the Virtual Server you want to apply this Responder Policy to.
  • If there are no responder policies on the Virtual Server, click on Advanced Settings on the right and then click on Policies. Otherwise, scroll down to the Policies section.
  • Click the + to add a new policy and choose the binding type that matches your authentication policy:
    • If you use LDAP authentication: under Choose Policy select Responder, and under Choose Type select Request.
    • If you use a SAML authentication policy: under Choose Policy select Responder, and under Choose Type select AAA_Request. The AAA_Request type is needed only when a SAML policy is in place; with LDAP, bind the policy as type Request and continue.
  • Click Continue and select the Responder Policy we created earlier.
  • Click Bind to bind the Responder Policy to the Virtual Server.

By following these steps, you can restrict access to the Virtual Server by IP address using a data set and a Responder Policy.
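Before binding the policy, it is worth checking the data set and a few client addresses offline. The following Python script is an added example written for this article (not the author's code and not a Citrix tool): it models the ipv4 data set rows (Value, optional End Range, Comment) and the RESET rule `!CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("Allowed_IPs")`, flags reversed or overlapping ranges and invalid addresses, reports which sample clients would be RESET, and builds the `CLIENT.IP.SRC.EQ(...) || ...` chain from the testing paragraph above for short lists. The data set entries and access-log lines in it are constructed sample values.

```python
"""Dry-run of the IP allow-list described in this article.

Added example, not code from the article or from Citrix. It models the ipv4
data set (single hosts and Value / End Range entries) and the responder rule
!CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("Allowed_IPs") so that the entries
can be checked for mistakes and sample client addresses can be evaluated
before the policy is bound to the Gateway virtual server. The data set
entries and the log lines below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import AddressValueError, IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataSetEntry:
    """One row of the data set: Value, optional End Range, and a Comment."""
    value: str
    end_range: Optional[str] = None
    comment: str = ""

    def bounds(self) -> Tuple[IPv4Address, IPv4Address]:
        """First and last address covered by this row (equal for a single host)."""
        start = IPv4Address(self.value)
        end = IPv4Address(self.end_range) if self.end_range else start
        return start, end


# Constructed sample data set (RFC 5737 documentation addresses).
ALLOWED_IPS = [
    DataSetEntry("203.0.113.10", comment="branch office firewall"),
    DataSetEntry("198.51.100.1", "198.51.100.62", comment="HQ user VLAN 20"),
]

# Constructed sample access-log lines: "<client ip> <request path>".
SAMPLE_LOG = [
    "203.0.113.10 /vpn/index.html",
    "198.51.100.30 /vpn/index.html",
    "198.51.100.63 /vpn/index.html",
    "192.0.2.77 /cgi/login",
]


def validate_entries(entries: List[DataSetEntry]) -> List[str]:
    """Return a list of problems found in the data set; an empty list means it is sane."""
    problems: List[str] = []
    accepted: List[Tuple[IPv4Address, IPv4Address, DataSetEntry]] = []
    for entry in entries:
        try:
            start, end = entry.bounds()
        except AddressValueError as exc:
            problems.append(f"{entry.value}: not a valid IPv4 address ({exc})")
            continue
        if end < start:
            # A reversed range never matches anything, so the clients it was
            # meant to allow would all be RESET.
            problems.append(f"{entry.value}-{entry.end_range}: End Range precedes Value")
            continue
        for other_start, other_end, other in accepted:
            if start <= other_end and other_start <= end:
                problems.append(f"{entry.value} overlaps {other.value}")
        accepted.append((start, end, entry))
    return problems


def client_allowed(client_ip: str, entries: List[DataSetEntry]) -> bool:
    """True when the client address falls inside any data set entry."""
    ip = IPv4Address(client_ip)
    return any(start <= ip <= end for start, end in (e.bounds() for e in entries))


def responder_verdict(client_ip: str, entries: List[DataSetEntry]) -> str:
    """What the RESET policy would do: it fires on clients absent from the set."""
    return "PASS" if client_allowed(client_ip, entries) else "RESET"


def eq_expression(ips: List[str]) -> str:
    """The CLIENT.IP.SRC.EQ(...) || ... chain the article shows for short lists."""
    return " || ".join(f"CLIENT.IP.SRC.EQ({ip})" for ip in ips)


def dry_run(log_lines: List[str], entries: List[DataSetEntry]) -> List[Tuple[str, str]]:
    """Evaluate the client address of each log line against the data set."""
    results = []
    for line in log_lines:
        client_ip = line.split()[0]
        results.append((client_ip, responder_verdict(client_ip, entries)))
    return results


if __name__ == "__main__":
    for problem in validate_entries(ALLOWED_IPS):
        print("data set problem:", problem)
    for client_ip, verdict in dry_run(SAMPLE_LOG, ALLOWED_IPS):
        print(f"{client_ip:<16} {verdict}")
    print(eq_expression([e.value for e in ALLOWED_IPS if e.end_range is None]))
```

Run `validate_entries` before trusting the dry run: a reversed range matches nothing, so every client it was meant to admit is reported as RESET rather than as an error. Note also that CLIENT.IP.SRC is the address of the TCP peer that reaches the Gateway; if a load balancer or another proxy sits in front of it, every request arrives with that device's address and the allow list has to be built with that in mind.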
