Jump to content
Welcome to our new Citrix community!

NetScaler Gateway Full VPN: Using Authorization Policies to match NAT IP (Intranet IP)

Recommended Posts



is it somehow possible to setup authorization policies for NetScaler Gateway Full VPN that are matching for NAT IP (Intranet IP)?


I already know it is possible to set client source ip, but this is then the ISP IP of the user got, and not usable here.


The use case for which I need that is, I want to grant access towards some networks for 3389 (RDP), but it is not possible to define all the Destination IPs in the LAN.

When I only use Destination Port 3389 in the authorization policy and bind it via a group to the user, I noticed it is possible to connect to the user pc from any location as long as 

3389 as destination is used.

So Destination means here Destination in terms of connection, and not in terms of the user who has bound it


Kind regards




Link to comment
Share on other sites



my point is to restrict by source IP, rather than destination IP.


And the source IP should be the IP address the Client got from the VPN aka the Intranet IP it got.


I have not found a expression syntax which can describe the intranet IP of a vpn client. And that is what I am looking for here.

Link to comment
Share on other sites

I don't know if you can use the intranet ip in this filter... but a test should verify.

The problem is unless you assign intranet ips per aaa user, any ip in the range can be assigned to a session; meaning its not a static assignment.

If it can be used it would server.ip.src  as it would define the ip for vpn's server side of the transaction...


The question is, if you want to restrict the intranet ip to rdp destination, why not map authorization policies (or session policies controlling authorization) actions to aaa user or aaa group.  Then it will allow access to specific rdp destinations based on who the user is instead of the intranet ip.  It might be an easier policy design to implement.


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...