Prevent rewrite if member of AD group?

After the recent Exchange ECP vulnerabilities it has been requested to prevent access to /ecp unless a user is a member of a specific AD group.  The internal mitigation for the vulnerability that is currently in place is a rewrite of requests containing /ecp to be redirected to /owa.

Would a modified rewrite policy like "AAA.USER.IS_MEMBER_OF("ExampleGroup").NOT && HTTP.REQ.URL.EQ("/ecp")" be possible? I would like to avoid changing the traffic flow for standard users, and placing form-based auth in front of the admin console seems redundant as the admin would need to enter their credentials twice. (We are not using SSO.)


Thanks for any input!


I would use aaa authorization policies, example:


add authorization policy pol_auth_ecp "AAA.USER.IS_MEMBER_OF(\"SEC_CITRIX_ADC_ECP\").NOT" DENY


So if the user is not a member of the SEC_CITRIX_ADC_ECP group, after trying to access the /ecp directory they get "Access is denied".


Bind this authorization policy to your exchange ecp loadbalancer, example:


bind lb vserver LB_vServer-Exchange-ECP-2019-NA -policyName pol_auth_ecp -priority 100 -gotoPriorityExpression END -type REQUEST




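The following is an added Python model of how the authorization decision in the question and the answer above plays out against sample requests; it is not Citrix ADC code and does not come from either poster. It mimics the semantics the thread relies on (a policy expression evaluated per request, a DENY action, priority ordering with gotoPriorityExpression END, and the vserver's default authorization action) so the effect of an expression can be checked offline. The group name SEC_CITRIX_ADC_ECP is taken from the answer; the path-scoped variant using HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/ecp") is an assumed expression, not one from the thread, and the users, groups and paths are constructed sample data.

```python
"""Offline model of ADC-style authorization policy evaluation.

Constructed example, not NetScaler/Citrix ADC code. It reproduces the
semantics used in the thread: policies are evaluated in priority order,
the first policy whose expression is true decides the request (goto END),
and a request matching no policy falls through to the vserver's default
authorization action.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset   # AD groups of the authenticated user (AAA.USER)
    path: str           # HTTP.REQ.URL.PATH


@dataclass(frozen=True)
class AuthorizationPolicy:
    name: str
    expression: Callable[[Request], bool]
    action: str         # "ALLOW" or "DENY"
    priority: int       # lower number is evaluated first


def is_member_of(group: str) -> Callable[[Request], bool]:
    """Models AAA.USER.IS_MEMBER_OF("group")."""
    return lambda r: group in r.groups


def path_eq(value: str) -> Callable[[Request], bool]:
    """Models HTTP.REQ.URL.EQ(...) : exact match only."""
    return lambda r: r.path == value


def path_startswith(prefix: str, ignorecase: bool = True) -> Callable[[Request], bool]:
    """Models HTTP.REQ.URL.PATH[.SET_TEXT_MODE(IGNORECASE)].STARTSWITH(...)."""
    if ignorecase:
        return lambda r: r.path.lower().startswith(prefix.lower())
    return lambda r: r.path.startswith(prefix)


def authorize(req: Request, policies: List[AuthorizationPolicy],
              default_action: str = "ALLOW") -> str:
    """First matching policy in priority order wins; otherwise default_action."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.expression(req):
            return pol.action
    return default_action


ECP_ADMINS = "SEC_CITRIX_ADC_ECP"  # group name used in the answer

# Policy as posted: every non-member is denied. Correct on a vserver that
# serves only /ecp; on a vserver shared with /owa it would deny /owa too.
POSTED_POLICY = AuthorizationPolicy(
    "pol_auth_ecp", lambda r: not is_member_of(ECP_ADMINS)(r), "DENY", 100)

# Assumed path-scoped variant for a shared vserver (not from the thread):
# AAA.USER.IS_MEMBER_OF("SEC_CITRIX_ADC_ECP").NOT &&
# HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/ecp")
SCOPED_POLICY = AuthorizationPolicy(
    "pol_auth_ecp_scoped",
    lambda r: not is_member_of(ECP_ADMINS)(r) and path_startswith("/ecp")(r),
    "DENY", 100)


def decide_posted(req: Request) -> str:
    return authorize(req, [POSTED_POLICY])


def decide_scoped(req: Request) -> str:
    return authorize(req, [SCOPED_POLICY])


# Constructed sample requests.
ADMIN = Request("alice", frozenset({ECP_ADMINS, "Domain Users"}), "/ecp/default.aspx")
USER_ECP = Request("bob", frozenset({"Domain Users"}), "/ECP/")
USER_OWA = Request("bob", frozenset({"Domain Users"}), "/owa/")

if __name__ == "__main__":
    for r in (ADMIN, USER_ECP, USER_OWA):
        print(f"{r.user:6} {r.path:18} posted={decide_posted(r):5} scoped={decide_scoped(r)}")
    # The question's HTTP.REQ.URL.EQ("/ecp") only matches the bare path:
    print("EQ matches /ecp/default.aspx:", path_eq("/ecp")(ADMIN))
```

Two things the model makes visible: the posted policy is right for a vserver dedicated to ECP but must be scoped by path if ECP and OWA share one vserver, and an exact-match expression like HTTP.REQ.URL.EQ("/ecp") would not cover /ecp/default.aspx or /ECP/, so a case-insensitive prefix match is the safer test.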
