Citrix ADC / NetScaler Client IP or Subnet Black and Whitelist

Published by Jeroen Tielen on

Because of all the commotion about the NetScaler vulnerability, I decided to share my Client IP black and white list. This script will create a patternset which you can fill with IPs or subnets.

This patternset is used in a policy expression which is used in a responder policy.

You can add direct IPs in the format or subnets in the format The expression only filters from subnet /32 to /24. If you want more, just change the expression.

You can bind the responder policies against any vserver or global 😉 But don’t shut yourself out 😛

Note 1: The defaults are just examples; you need to fill in the public IPs which you want to block/whitelist.
Note 2: Hackers use other IPs or use VPNs, so this is not a 100% safe solution, just an extra step.
Note 3: I’m not responsible for any damage 😉
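
Before binding a whitelist policy, it helps to check which patternset entries can actually match and whether your own admin addresses would still get through. The following is an added example, not the script from this post. It assumes the expression masks the client IP to each prefix length from /32 down to /24 and looks the result up in the patternset; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption (not from the original script): the expression masks the client
# IP to every prefix length from /32 down to /24 and looks each result up in
# the patternset, so only entries in that range can ever match.
MIN_PREFIX, MAX_PREFIX = 24, 32


def lint_patset(entries):
    """Split patternset strings into usable networks and (entry, reason) problems."""
    usable, problems = set(), []
    for raw in entries:
        try:
            net = ipaddress.IPv4Network(raw.strip(), strict=True)
        except ValueError as exc:  # bad syntax, IPv6, or host bits set
            problems.append((raw, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIX:
            problems.append((raw, f"/{net.prefixlen} is wider than /{MIN_PREFIX}; never matched"))
            continue
        usable.add(net)
    return usable, problems


def matches(client_ip, usable):
    """True if the client IP falls in a usable entry at any tested prefix length."""
    addr = ipaddress.IPv4Address(client_ip)
    for prefix in range(MAX_PREFIX, MIN_PREFIX - 1, -1):
        if ipaddress.IPv4Network((addr, prefix), strict=False) in usable:
            return True
    return False


def locked_out(admin_ips, whitelist_entries):
    """Admin source IPs that a whitelist built from these entries would not allow."""
    usable, _ = lint_patset(whitelist_entries)
    return [ip for ip in admin_ips if not matches(ip, usable)]


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_WHITELIST = ["192.0.2.10", "198.51.100.0/24", "203.0.113.64/26",
                    "203.0.113.7/24", "10.0.0.0/16"]
SAMPLE_ADMINS = ["192.0.2.10", "198.51.100.77", "203.0.113.100", "10.0.5.5"]

if __name__ == "__main__":
    for entry, reason in lint_patset(SAMPLE_WHITELIST)[1]:
        print(f"unusable entry {entry!r}: {reason}")
    print("would be locked out:", locked_out(SAMPLE_ADMINS, SAMPLE_WHITELIST))
```

In the sample list, `203.0.113.7/24` is rejected because it has host bits set and `10.0.0.0/16` because it is wider than /24, so an admin coming from `10.0.5.5` would be shut out by this whitelist.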





PSun · October 27, 2020 at 00:01

Jeroen – thank you for these great instructions for configuring a white/blacklist responder policy on the Netscaler. I recently moved my ADCs to AWS and had a hard time figuring out how to restrict access to an AG. Your instructions worked like a charm! Set up a whitelist and added all my allowed subnets. Voila! Thanks again for taking time to write this up and helping the community. Cheers!
