Setting up an IP whitelist with Responder breaks netscaler sign ins.


Matt Cameron

I have a dataset with a list of public IPs ns_whitelist which is associated to responder policy with expression 

!CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("ns_whitelist")

I have the action associated to display static HTML content to guide users to contact us if they think the access denial was in error. It is bound to Override Global / HTTP in the Policy Manager.

With that in place, designated users are able to see the main netscaler authentication page; however, the sign-in process fails with "Try again or contact your helpdesk". When I unbind it, the sign-in process works.

 

I tried to monitor 

cat /tmp/aaaa.debug

but nothing was showing when I attempted to authenticate.

How can I configure my responder policy correctly so that it allows authentication? Or why is authentication failing with my responder policy enabled?


If you bound it to Override Global, then it applies to all traffic coming in.

I think it would be better to create a VIP and enable GUI and management on it. And bind the policy only to this VIP.

You could also try to create a SNIP address and have GUI and management enabled, but I don't know if you can bind a responder policy to that.


6 hours ago, Mihai Cziraki1709160741 said:

If you bound it to Override Global, then it applies to all traffic coming in.

That's partially how I understood it. External traffic to the gateway IP of 10.10.1.102 is to be policed. Are you saying the traffic outbound, via my SNIP, to my internal servers is also bound to that limit? This was all set up via the "Integrate with Citrix Products > Xenapp and XenDesktop" wizard to connect to my StoreFront farm. Perhaps I could change what I am binding to?


6 hours ago, Mihai Cziraki1709160741 said:

I think it would be better to create a VIP and enable GUI and management on it. And bind the policy only to this VIP.

You could also try to create a SNIP address and have GUI and management enabled, but I don't know if you can bind a responder policy to that.

To be honest, I am not sure exactly what you are suggesting since this setup was very wizard driven.


I don't know why it matters but I bound the same policy to NetScaler Gateway > Virtual Servers > "machine(s) created from the XenApp and XenDesktop wizard" then it just works as intended. Took a bit since I didn't realize that is something I could do. 

 

Thanks for the help.
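
The change described in the last post, sketched as NetScaler CLI commands (an added example, not part of the original thread): the responder policy is taken off the global Override bind point and bound to the Gateway virtual server's request bind point instead. The policy name `pol_ip_whitelist`, the priority `100` and the `<gateway_vserver_name>` placeholder are assumptions; the dataset name and rule are the ones from the first post.

```netscaler
# Assumed starting point: a responder policy named pol_ip_whitelist (hypothetical
# name) already exists with the rule from the first post,
#   !CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("ns_whitelist")
# and is currently bound at Override Global.

# 1. Confirm where the policy is bound today.
show responder global

# 2. Remove the global binding, so the policy no longer evaluates
#    against every HTTP request the appliance handles.
unbind responder global pol_ip_whitelist -type REQ_OVERRIDE

# 3. List the Gateway virtual servers to find the one the
#    XenApp and XenDesktop wizard created.
show vpn vserver

# 4. Bind the same policy to that virtual server only.
#    <gateway_vserver_name> is a placeholder; priority 100 is an assumption.
bind vpn vserver <gateway_vserver_name> -policy pol_ip_whitelist -priority 100 -gotoPriorityExpression END -type REQUEST

# 5. Verify the binding and watch the policy hit counter while testing.
show vpn vserver <gateway_vserver_name>
show responder policy pol_ip_whitelist

# 6. Persist the change.
save ns config
```

After the rebind, test a full sign-in from an address in `ns_whitelist` and a page load from one that is not; the hit counter on the policy should only increase for the second case.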
