Jump to content
Welcome to our new Citrix community!

ADC 13.1 - Redirect 403 Access Forbidden

Recommended Posts

Hey all,


Background: I have a project where users in a specific AD group can only access our external Citrix Gateway from a specific subnet. I accomplished this with an AAA Group and Authorizations Policy:

  • AAA Group: <same name of AD group>
  • Authorization Policy: Action = DENY, Expression = CLIENT.IP.SRC.BETWEEN(<starting IP>,<ending IP>).NOT


Issue: The AAA Group is working like expected, the issue is that the higher ups don't like the "Error: Not a privileged User" page when access is blocked:

I used Fiddler to get the header information, and I'm thinking the best approach would be to perform a Rewrite on the 403 Response.


I found this article that seems to be what I need: https://support.citrix.com/article/CTX237393, but not getting any Hits


I currently have 3 Rewrite Polices on my Citrix Gateway and none of them are getting hits:

  • HTTP.RES.STATUS_MSG.CONTAINS("Access Forbidden")


Any help would be apricated!



Link to comment
Share on other sites

15 hours ago, Julian Jakob said:

Hello Brian,


there you go, an example doing the same thing for an OWA LB with a html Page via responder, you should be able to bind this to your gw vServer, too. 

See https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/#Group_Filtering 





Thank you! This does exactly what I need.


Just to make sure my understanding is correct though. Doesn't the resp_pol_owa_deny Responder Policy, make the Authorization Policy redundant? I.e. if you removed pol_auth_owa, they would still not be able to get in. Granted I see the point of having extra security, I just want to make sure I'm not missing something.


Thanks again! and I'll probably be referencing your article for a few other things I have going on.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...