Jump to content

Configuring allowed working hours on ADC


Recommended Posts



We would like to configure working hours on Citrix ADC, in order to allow connections between 6:00AM and 9:00PM.


I have tried to follow this article : https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/time-specific-authentication.html


But the expression isn't clear to me. Can anyone help me with the formatting of the value?


Thank you

Working hours.png

Working hours2.png

Link to comment
Share on other sites

Reminder: It always helps to know what build you are on, so we know what options are available.  


Depending, if this is for the Gateway, you do this via time-based authorization or session policy allow/deny behaviors OR possibly as a true/false to allow or deny authentication (which is what I think you are trying to do above).  There are a few ways to do this.


The problem is you really don't want to do this in the classic engine if you can help it because you will just have to fix it again when you try to migrate to 13.1.

The other trick though is if this is for the Gateway authentication policies without an authentication vserver, you are kind of stuck using classic engine for authentication policies bound directly to the vpn vserver. If you integrate Gateway with an authentication vserver you could switch to advanced engine.


Final note the time-based authentication policy, will generate a basic response of "No active policy is found in Primary authentication cascade
Please contact your administrator." There may be some advanced ways to handle this; but leads to even more policy discussions.


ADVANCED Engine examples:

This forum post has several examples of the advanced engine with time based expressions to trigger allow/deny policies and how to deal with crossing midnight (was used with another gateway authorization example):


Additional advanced time example here:  

If your authentication policy is in the advanced engine, it may also work for authe policy instead of the authorization decision.

quick example (but see that first forum post I referenced because it covers the adjustments in more detail)

Time comparisons are in GMT by Default: So an expression to ALLOW authentication only between 6 am - 9 pm GMT when converted to 24H would be 6- 21

Which could be written as sys.time.hours.between(6,21)

If however you mean 6 am - 9 pm EDT which is GMT-4, then the "HOURS" would actually be 10 am GMT - 1:00 am GMT and since it cross the midnight boundary the timing expression is more difficult (so see the examples in that article).  (There are multiple ways to write this type of expression and see if the post I referenced helps.)



For the CLASSIC policy engine, which is your example above:

Using the expression builder might be buggy on 13.0 and even 12.1, and so finding the classic engine documentation is tricky for the exact syntax.  I would recommend the advanced engine if at all possible. 

So the problem is 1) the classic engine builder IS NOT rendering the right "field" example for the between operator so you can tell what syntax it takes.  2) The legacy docs with detailed examples just aren't available, so I just had to go play with it to see what would work.  


Examples below:


Classic Expression for TIME is based on the basic syntax of:


YYYY: 4-DIGIT Year, MM: 2 digit month, DD: 2 digit day.

HH: Hour in 24 hour format 00 - 23

MM: Minutes

SS: Seconds

Timezone as GMT; whatever your ADC clock is will be converted and compared to GMT time.


Note: You can specify the full DATE:  TIME==2022-08-22:13:10  for 11:10 pm on Aug 22, 2022.

You can also just specify the HOURS you want for  any day by maintaining the partial format without YYY-MM-DD as just HH:MM:SSGMT.

Whether you can do other combos I haven't tested.

BETWEEN takes the syntax:

TIME BETWEEN '<starttime>-<endtime>'

So an absolute interval would:  TIME BETWEEN '2022-08-22:02:00:00GMT-2022-08-22:03:00:00GMT'

A daily hourly interval would be:  TIME BETWEEN '02:00:00GMT-03:00:00GMT'   << For 2-3 am on any day/everyday.


So, allowing 8 am - 9 pm GMT in classic engine would be:

TIME BETWEEN '08:00:00GMT-21:00:00GMT'


EDIT: I missed you said 6 am - 9 pm above (but still a valid example.)

Converting to 8 am - 9pm EDT (GMT-4) though is trickier for the same as above because crossing the midnight boundary:  

This is 12 pm - 1:00 GMT, which would be something like:

TIME BETWEEN '12:00:00GMT-23:59:59GMT' || TIME BETWEEN '00:00:00GMT-01:00:00GMT'


Bottom lines:

  • do advanced engine if at all possible.
  • Decided whether authentication or authorization policies are easier for you to use.
  • And then TEST the crossing midnight boundary extensively to make sure it works as intended and you will likely need to confirm near daylight saving/summer time on/off periods to make sure it continues working as expected at these periods depending on offsets in use.


ADC Time Policy Example

classic time

advanced time





Edited by Rhonda Rowland
fixed typo; added note.
Link to comment
Share on other sites

Hello Rhonda,


Thanks for all the details. My client is currently running ADC v12.1. 


It works fine using the classic expression editor, and the expression : TIME BETWEEN '04:00:00GMT-19:00:00GMT' (corresponding to 6-21 Luxembourg time)


However, you are right, I get a popup saying that "Classic authentication policies are deprecated. Please use advanced authentication policies"


But the licensed has expired and I don't have access to advanced expressions ? (screenshot)


I will notify the client that the feature won't be available if we upgrade his ADC.



Working hours3.png

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...