Comments on: Citrix ADC / NetScaler Client IP or Subnet Black and Whitelist

By: Werner Maes

Werner Maes — Thu, 28 Nov 2024 14:12:08 +0000

Hello Jeroen

Thanks for your reply.
Your suggestion works, so I’ll stick to that.

By: Jeroen

Jeroen — Thu, 28 Nov 2024 14:02:25 +0000

In reply to Werner Maes. I cant remember it anymore. But I also tried that in the beginning. As, for me, that makes more sense ;) But I cant remember why it wasnt working.

By: Werner Maes

Werner Maes — Tue, 26 Nov 2024 09:40:08 +0000

Hello Jeroen
Thanks for your post.
Would it be possible to use CLIENT.IP.SRC.IN_SUBNET in combination with a pattern set? Instead of listing all the subnet from 32 to 24 E.g. below
I’ve tried something like this but apparently I cannot seem to use CLIENT.IP.SRC.IN_SUBNET in combination with a pattern set.

Any thoughts?

# Subnet Blacklist
add policy patset PATSET_IP_Blacklist
bind policy patset PATSET_IP_Blacklist “192.168.2.0/24” -index 1
bind policy patset PATSET_IP_Blacklist “192.168.2.0/25” -index 2
add policy expression POLEXP_IP_Blacklist “(CLIENT.IP.SRC.IN_SUBNET(\”PATSET_IP_Blacklist\”)
add responder action RESPACT_Blocked respondwith “This IP address (“+ CLIENT.IP.SRC +”) is blocked to connect to this service.\””
add responder policy RESPOL_IP_Blacklist POLEXP_IP_Blacklist RESPACT_Blocked

By: NetScaler – Securing Microsoft Exchange Hybrid Deployments

NetScaler – Securing Microsoft Exchange Hybrid Deployments — Sun, 04 Feb 2024 09:38:42 +0000

[…] thanks to Jeroen Tielen as his blog post about IP Black and Whitelisting with Citrix ADC was the missing impulse for creating this […]

By: Sibgat

Sibgat — Wed, 22 Mar 2023 06:21:54 +0000

In reply to Steve. Yeah, you can bind same responder policy to Citrix gateway virtual server.

By: Steve

Steve — Thu, 16 Feb 2023 21:23:40 +0000

Great Post. Wondering if something similar can be done for the Gateway in Citrix DaaS? Specifically, I need an expression to blacklist all external access to a delivery group and allow from internal subnets. I know it’s a little off topic but could use a hand. Thanks in advance!

By: Jeroen Tielen

Jeroen Tielen — Sun, 31 Jan 2021 18:43:21 +0000

In reply to Rogier Winter. Ho Rogier sorry for the late reply. But yes use the CLI ;)

By: Rogier Winter

Rogier Winter — Tue, 26 Jan 2021 16:09:44 +0000

Hello Jeroen, I've found out my problem : that when you use the gui, you've have to use the expression: (via CLI it parses the string/format) Thanks (CLIENT.IP.SRC + "/32").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(31) + "/31").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(30) + "/30").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(29) + "/29").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(28) + "/28").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(27) + "/27").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(26) + "/26").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(25) + "/25").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(24) + "/24").EQUALS_ANY("PATSET_IP_Whitelist")

By: Rogier

Rogier — Tue, 26 Jan 2021 13:51:50 +0000

Jeroen,

i get stuck with the .NOT expression in the add responder policy, it keeps telling me expression systax error, how to get the “NOT” condition in the policy, i’ve tryed also the .! or ( xxx.!) but it does not seem te work
NS12.1.60.17
thanks

By: Jeroen Tielen

Jeroen Tielen — Thu, 12 Nov 2020 15:16:54 +0000

In reply to PSun. Your welcome Penny Sun.

By: PSun

PSun — Mon, 26 Oct 2020 23:01:49 +0000

Jeroen – thank you for these great instructions for configuring a white/blacklist responder policy on the Netscaler. I recently moved my ADCs to AWS and had a hard time figuring out how to restrict access to an AG. Your instructions worked like a charm! Set up a whitelist and added all my allowed subnets. Voila! Thanks again for taking time to write this up and helping the community. Cheers!