
ADC 13.1 - Redirect 403 Access Forbidden



Hey all,

 

Background: I have a project where users in a specific AD group can only access our external Citrix Gateway from a specific subnet. I accomplished this with an AAA Group and Authorization Policy:

  • AAA Group: <same name of AD group>
  • Authorization Policy: Action = DENY, Expression = CLIENT.IP.SRC.BETWEEN(<starting IP>,<ending IP>).NOT

 

Issue: The AAA Group is working as expected; the issue is that the higher-ups don't like the "Error: Not a privileged User" page when access is blocked:

I used Fiddler to get the header information, and I'm thinking the best approach would be to perform a Rewrite on the 403 Response.

 

I found this article that seems to be what I need: https://support.citrix.com/article/CTX237393, but I'm not getting any hits.

 

I currently have 3 Rewrite Policies on my Citrix Gateway and none of them are getting hits:

  • HTTP.RES.IS_SERVER_ERROR
  • HTTP.RES.STATUS.EQ(403)
  • HTTP.RES.STATUS_MSG.CONTAINS("Access Forbidden")

 

Any help would be appreciated!

 

Thanks 


15 hours ago, Julian Jakob said:

Hello Brian,

 

There you go: an example doing the same thing for an OWA LB with an HTML page via Responder. You should be able to bind this to your GW vServer, too.
 

See https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/#Group_Filtering 

 

Regards

Julian

 

Thank you! This does exactly what I need.

 

Just to make sure my understanding is correct though: doesn't the resp_pol_owa_deny Responder Policy make the Authorization Policy redundant? I.e., if you removed pol_auth_owa, they would still not be able to get in. Granted, I see the point of having extra security; I just want to make sure I'm not missing something.

 

Thanks again! I'll probably be referencing your article for a few other things I have going on.
