Jump to content
Welcome to our new Citrix community!

Question regarding IP whitelisting.

Recommended Posts

Good day.


So our security is requesting one of our Citrix ADCs, that is accessed only by Corporate Clients, only allow connections from our Corporate Client's office IPs.  


I think I sorta put together a solution, but I'd like to know if there is a better, cleaner way of doing it.


Basically, I created a AAA Authentication Policy that uses a dataset (which contains all the IPs that are whitelisted) to allow access to only certain IPs.  The next factor, if you have a valid IP, is ldap authentication.


Here is my expression in the authentication policy:



The Authentication Virtual server only has that one policy.  So when a user that is not part of the whitelist tries to access the site, they get an error message ("No active policy during authentication") which makes sense, because since it failed the first policy, there is nowhere else to go.


Now, I think there is a better way of doing this with Responder Policies.  But I have no clue how, and my googlefu has left me wanting.  Am I right to believe Responder policies are the way to go?


If what I have currently is ok, then I am wondering if I can create a second authentication policy that will deny everyone if they hit it.  If I can do that, what settings should I use?


As always, thank you for your help.


Link to comment
Share on other sites

Responder policy will engage for that which is NOT on whitelist:


Basically do responder action (drop/reset/redirect) if NOT on whitelist...


However, AAA is evaluated before Responder, so the responder policy may not hit where you want it to.

So if you want to allow logins for members in whitelist

But to have authentication failure due to not in whitelist without getting the "no policy bound"


You might also need a second authentication policy that applies for expression:  !whitelist (based on above) or either just FALSE (which should fail authentication).  (TEST to confirm which method works). Make sure this policy is evaulated after your allowed criteria (such as priority 200 after your earlier priority 100)


If you're gateway is delivered with content switching, you might be able to send the non-whitelist IPs to a lb vserver, where responder can kick in and redirect traffic.  But AAA is still evaluated prior to responder on the CS vserver.  



Link to comment
Share on other sites

Oh. Good to know, Carl.  I hadn't seen that and it makes a ton of sense.   Info below for others (after a  little searching).


Not documented in obvious places in admin guide, but this section here

AAA_REQUEST is a newly introduced bindpoint for responder policies. The policies configured at this bind point are applied to all the incoming request at the specified virtual server. The policies are processed for the unauthenticated/control traffic first before any other processing.

is found under Rate LImiting (which is not where I would expect it to be explained):  https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/rate-limiting-with-gateway.html


Abeaudo799 - so yeah, if you need help with the responder policy before authentication, this should work.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...