
Request to be able to configure a locationDetection via IP address range and not only via suffixList


Hello Citrix Team,

At the moment, with the working-from-home situation, we didn't notice, but now that more people are going to the office, we are having connection problems with Citrix Always On VPN and would like to deactivate the AOV if people are in the office (we would like to use “locationDetection”).


We have one internal domain/DNS suffix for/in all our branches, such as Ireland, Netherlands, United Kingdom, Belgium, Germany, … If we activate the locationDetection/dynamic setup of the tunnel (automatic deactivation of the Always On VPN in the branch office), this means that the Citrix Gateway will look into our internal DNS server, for example “company.com”, and if it is reachable will deactivate the VPN.

So far so good; however, if a person travels to another branch, for example Ireland, they do not have the same resources reachable there as in Germany, and this is a big problem. This means that they need to establish a VPN connection from all other branches outside of Germany to connect to resources in the German data centre.


Our request is to be able to configure locationDetection/deactivation of the VPN per specific IP address/VLAN/IP address range, and not only via suffixList, to avoid conflicts with the same DNS suffix that is active for all branches.

Or do you have another idea or solution for this need/request?


Thank you in advance


1) For users in branch locations, do you want vpn on/but not always on vpn OR do you want a responder policy to redirect them to a non-gateway access point?


Create a custom static database with your ip ranges. Assign location identifiers and then you can add policies based on these.



Some examples of working with locations in policy expressions.


And here's just straight ip or subnet expressions without the location database:  https://discussions.citrix.com/topic/409145-netscaler-policy-assistance/page/2/


You can also use patternsets or datasets of ips or subnets of interest and trigger session policies to not use always on vpn or a redirect policy to not do gateway at all.  If the second article doesn't give you examples, I can update after work.  


  • 4 weeks later...

Hello Rhonda,

We would like there to be NO Always On VPN when users are in the office, i.e. no VPN (if people are working from home, then Always On VPN needs to be active).

Users in Germany use Always On VPN, and when these users go to another location and work in the office (France), they have the same DNS suffix (company.com). That means that Always On VPN would not be active, but they cannot access the German resources.


We got a confirmation from Citrix support that locationDetection through IP address is not possible and this needs to be configured in the future. 


You might want to repost to get more info from others.


If you can't toggle on or off through application of different session policies, then you might need separate vpn vservers for the "in office" vs the everywhere else connection for this scenario.


So, does this response from Citrix mean:

On 9/13/2021 at 6:48 AM, Christian Dominguez1709162918 said:

We got a confirmation from Citrix support that locationDetection through IP address is not possible and this needs to be configured in the future. 

That you can't use any type of ip based expression to toggle the session policy you need?

If not, then separate VPN vservers would be the only way I know to do this.


