
allow only certain IP ranges to a specific Virtual server


Sunil Chacko


Can someone help me? I wanted to allow only certain IP ranges on a specific LB vserver. I tried to use a responder policy and I can't add a whole class, it seems. Let's say I have a whole bunch of IP ranges such as 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13 that I want to ONLY allow; how would I do it? I know I can do it with a specific range. Any help appreciated.

Thank you! 


You can restrict access to an lb vserver for only allowed IPs via ACLs (though for the number of allowed networks above, this may be messy to do well).

Or a listen policy on the lb vserver with a bunch of OR clauses: client.ip.src.in_subnet(13.107.6.152/31) || client.ip.src.in_subnet(13.107.18.10/31) || ....


If you want to use a responder policy to redirect/drop any IPs that are not in the allowed list, you can use a negation or an HTTP callout.

Allowed ranges (just 2 of the above): client.ip.src.in_subnet(13.107.6.152/31) || client.ip.src.in_subnet(13.107.18.10/31)

Therefore the responder policy would need to drop IPs NOT in range, which could be written in either of the following forms:

[a] !(client.ip.src.in_subnet(13.107.6.152/31) || client.ip.src.in_subnet(13.107.18.10/31))

[b] !client.ip.src.in_subnet(13.107.6.152/31) && !client.ip.src.in_subnet(13.107.18.10/31) && !<other allowed ips...>


So, your responder policy (bound to the lb vserver) would only do the action (DROP or REDIRECT) when the expression is TRUE (meaning, when the user connects with an IP not in the allowed list).


If the list of subnets is longer than what you sampled, then implementing it as an HTTP callout with either a whitelist of allowed IPs or a blacklist of denied IPs might be easier to manage. And you can find callout whitelist examples in the HTTP callout section of the admin guide. If it's just 4-8 subnet clauses, the responder policy is doable.

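To make the two negated forms concrete, here is an added Python example (not code from the poster above or from Citrix) that builds the listen-policy and responder expressions for all five ranges in the question and evaluates both negated forms locally against sample client IPs to show they agree. The in_subnet() helper is a stand-in for the NetScaler client.ip.src.in_subnet() operator, not the appliance's own evaluator.

```python
import ipaddress

# Allowed source ranges, copied from the question above.
ALLOWED = ["13.107.6.152/31", "13.107.18.10/31", "13.107.128.0/22",
           "23.103.160.0/20", "40.96.0.0/13"]


def allow_expression(subnets):
    """Listen-policy style rule: TRUE when the client IP is in an allowed range."""
    return " || ".join(f"client.ip.src.in_subnet({s})" for s in subnets)


def drop_expression_a(subnets):
    """Responder form [a]: negate the whole OR'd allow list."""
    return f"!({allow_expression(subnets)})"


def drop_expression_b(subnets):
    """Responder form [b]: AND together the individually negated clauses."""
    return " && ".join(f"!client.ip.src.in_subnet({s})" for s in subnets)


def in_subnet(client_ip, subnet):
    """Local stand-in for client.ip.src.in_subnet(<subnet>)."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(subnet, strict=False)


def drop_a(client_ip, subnets):
    """Evaluate form [a]: !(A || B || ...). TRUE means the DROP/REDIRECT action fires."""
    return not any(in_subnet(client_ip, s) for s in subnets)


def drop_b(client_ip, subnets):
    """Evaluate form [b]: !A && !B && ... (De Morgan equivalent of drop_a)."""
    return all(not in_subnet(client_ip, s) for s in subnets)


if __name__ == "__main__":
    print("listen policy :", allow_expression(ALLOWED))
    print("responder [a] :", drop_expression_a(ALLOWED))
    print("responder [b] :", drop_expression_b(ALLOWED))
    # Constructed sample client IPs: two inside the ranges, two just outside.
    for ip in ("13.107.6.153", "40.100.1.1", "40.104.0.1", "8.8.8.8"):
        verdict = "DROP" if drop_a(ip, ALLOWED) else "allowed"
        assert drop_a(ip, ALLOWED) == drop_b(ip, ALLOWED)
        print(f"{ip:>14} -> {verdict}")
```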
