Introduction
In a recent Citrix NetScaler deployment, a customer requirement was to block access to web applications (which are load balanced through NetScaler) from specific geographic location (Country).
Though there are some articles from Citrix regarding this specific configuration but none of them are straight forward. This blog will help save us some time trying to make sense of the documentation. We can achieve this through NetScaler Application firewall or Responder feature.
Prerequisites
• Any Virtual Server (LB or CS or NetScaler gateway vServer)
• WAF or Responder Policy
• Responder Action (Optional if you want to present custom message instead of default error page)
Note: Netscaler gateway doesn’t support Appfirewall policy so we can use responder policy in such scenario.
Configuration
Download the free Country Public IP database in CSV format from https://www.dropbox.com/s/oks73cqxsi1hwn8/GeoIPCountryWhois.csv?dl=0
Note:MAxmind Website has discontinued netscaler supported format of public IP database CSV file ,workaround to make it work with netscaler is we have to convert the new format to netscaler supported format using the steps mentioned in the below link.
https://github.com/citrix/MaxMind-GeoIP-Database-Conversion-Citrix-ADC-Format/blob/master/README.md
For testing purpose open the csv file and insert internal lab IP address range (192.168.100.5-192.168.100.10) at the end and let’s assume this internal IP range belongs to China(CN)
Using WinSCP copy the csv file to directory /var/netscaler/inbuilt_db .
Login to Netscaler and browse to AppExpert-Location-Static Database and click Add .
Select File and choose the previously uploaded CSV file and select geoip-country under Location format and click create.
Open Putty session and run below command to make sure file is loaded properly
show locationparameter
On the Putty session enter into shell mode and run below commands to check the IP you want to block belongs to which Country so that you can get the country details to block (for testing we are using internal IP 192.168.100.5 and assuming it belongs to China) .
root@NS# nsmap -d –t
Once you received the output copy the highlighted content which is required to create the block Policy
App Firewall Method:
Many blogs are available online to configure NetScaler WAF so wont dive into this. Browse to Netscaler, Security, Citrix Web AppFirewall, Profiles and select the profile then click on Edit
Click on Security Checks
Make sure Block is enabled for Start URL
Browse to Netscaler, Security, Citrix Web AppFirewall, Policies, Firewall and Add new policy then Enter the Name and select the Profile which we created earlier. Under Expression enter the below expression with Country you want to block (Noted from Putty session output)
CLIENT.IP.SRC.MATCHES_LOCATION(“Asia.CN.*.*.*.*”)
Click On Create and save the configuration then Bind the WAF policy to LB vserver .
Responder Method:
Enable Responder feature on NetScaler (System – Settings – Configure Advanced Features).
Create Responder action (AppExpert – Responder – Action – ADD). Enter any message under Expression that you would like present instead of default error page
Create a Responder Policy (AppExpert – Responder – Policy – ADD). Enter below expression based on the country you want to block (Ex. China)
CLIENT.IP.SRC.MATCHES_LOCATION(“Asia.CN.*.*.*.*”)
Select previously created Responder Action and click on create
Assign Responder Policy to Virtual server (Content Switch or LB vserver or Access Gateway) ( Traffic Management-Load Balancing-Virtual Servers – Add Policy – Responder/Request – Select Policy & Bind – Save NS Config ).
Testing
When AppFirewall Policy is active on LB vServer :
When we access the website from IP address 192.168.100.5 (assumed to be belongs to China) the Appfirewall policy gets applied and blocks access.
Syslog shows the logs for the block
When we access it from 192.168.100.11 (which does not belong to China) Netscaler allows the connection .
When Responder Policy is active on LB vServer
When we try to access the website from IP address 192.168.100.10 (assuming it belongs to China) the Responder policy gets applied and drop the connection with a custom error as mentioned in the responder action.
Conclusion:
NetScaler ADC formerly known as NetScaler has a multitude of features that complement security requirements aside from basic Web Application Firewall. features such as Responer, Rewrite, and Content Switching can be used to protect hosted applications from various security attacks.