3a. Citrix ADC - Responder Policies to block IP addresses

Overview

We saw how responder policies can tell a client to change the protocol to access a site or redirect a client to a different website.  Responder policies can also drop traffic based on other criteria.  This document will cover using responder policies to block/allow IP address from using a Virtual Server.  In this case, the example will be allowing a list of IP addresses to access our SMTP Virtual Server.

The Citrix ADC has several ways of doing this.  We can use a Access Control List (ACL) that's applied at the network level.  We can use embedded IP addresses in the responder policies themselves, but that can be daunting when we need to update that policy.  For this example, we will leverage a data set since that allows us to comment entries and is far enough removed from the actual configuration where mistakes can be tolerated.  Also, you can have up to 5000 entries in a data set, which should be adequate for most applications of controlling access using an IP address.  

This begs the question of why you would want to control what IP addresses can access a Virtual Server at the ADC level.  Well, if you think about what a content switched virtual server does, you can not apply rules on the firewall in front of the ADC since that would affect all traffic to the virtual server.  So, if you had a service that everyone could access, and a service that should have limited access bound to a content switched virtual server, you HAVE to apply the "firewall rules" to that particular cs-vs resource.

Procedure

Creating a Data Set

  • Login into the Citrix ADC:  Production or Test
  • Navigate to Configuration->AppExpert->Data Sets

  • To Create a Dataset, click on the Add button
  • Data Set names can only include letters and underscore, so this one will be named ds_SMTPAllow 
  • Since this is going to be an array of IPv4 addresses, the Type will be ipv4
  • Click on Insert to add your first IP address/IP address range

  • For the first dataset, we will create range.  For the context of this example, it will allow any IP address in this range to access the SMTP Virtual Server.  Add the first usable IP address in the range as the Value, and then add the last usable IP address in the range as the End Range.  Also, document the VLAN ID and a brief description of the IP Range.

  • Click on Insert
  • Now we will add a single host Entry.  Just add the IP of the device in the Value field and then a description or name of the device in the Comments and click on Insert

  • You can see how easy it is to add/remove IP address/Ranges in the Data Set - the key component to the Data Set is that you can comment each entry!  Compare that to the following content switching policy 

http.req.header("host").set_text_mode(ignorecase).contains("somehost.nic.edu") && (CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8) || CLIENT.IP.SRC==23.99.3.236 || CLIENT.IP.SRC==23.99.4.206 || CLIENT.IP.SRC==23.99.7.131 || CLIENT.IP.SRC==23.99.7.165 ||CLIENT.IP.SRC==23.99.91.55 || CLIENT.IP.SRC==104.209.34.227 || CLIENT.IP.SRC==138.91.242.26 || CLIENT.IP.SRC==191.236.119.221)

Creating the Responder Policy

  • Navigate to AppExpert->Responder->Policies and click Add

  • We will create a policy that will DROP any request destined for an IP address that is NOT in the SMTP Allow Dataset.  To do this
  1. Name the Policy accordingly
  2. Set the Action to RESET
    1. A RESET is a more graceful way where the ADC sends a RESET to the client so the client isn't waiting for a failure and will result in an immediate error/failure message.  
    2. A DROP will result in the client just waiting for a SYN and leave the client hanging.  This could negatively impact the client server depending on how many requests it sends out to the service we are load balancing.  
  3. Add the following Expression with the data set name in double quotes:  !CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("ds_SMTPAllow")

Since we want to ALLOW traffic from IP addresses in this Data Set, we have a ! at the beginning of the expression so if the IP is NOT in the ds_SMTPAllow list, perform the RESET action

  1. Don't forget to add a Comment that explains what this policy does
  2. Click Create

Binding the Responder Policy to the Virtual Server

  • Navigate to your Virtual Server:  Traffic Management->Load Balancing->Virtual Servers
  • Edit the Virtual Server you want to apply this Responder Policy to
  • If there are no existing Policies on the Virtual Server, look under Advanced Settings on the right and click on Policies.  Otherwise, scroll down to the Policies Section

  • Click on the + to add a new Policy

  • This is going to be a Responder Policy

  • With the type of Request

  • Click Continue
  • Since we have created the Responder Policy, click on the > to select your policy

  • Click on Bind so that this Responder Policy is bound to the Virtual Server
Was this helpful?
0 reviews
Print Article

Details

Article ID: 137432
Created
Wed 12/22/21 10:31 AM
Modified
Wed 12/22/21 3:00 PM