Citrix ADC / NetScaler Client IP or Subnet Black and Whitelist

Published by Jeroen Tielen on

Because all the commotion about the NetScaler vulrenability I decided to share my Client IP black and white list. This script will create a patternset which you can fill with ip’s or subnets.

This patternset is used in a policy expression which is used in a responder policy.

You can add direct ip’s in the format 192.168.2.57/32 or subnets in the format 192.168.2.57/28. The expression is only filtering form subnet /32 to /24. If you want more, just change the expression.

You can bind the responder policies against any vserver or global 😉 But don’t shut yourself out 😛

Note 1: The defaults are just for example and you need to fill in the public ip’s which you want to block/whitelist.
Note 2: Hackers use other ip’s or use VPN’s. So this is no 100% safe solution but just an extra step.
Note 3: I’m not responsible for any damage 😉

 

 


Jeroen Tielen

Experienced Consultant/Architect with a demonstrated history of working in the information technology and services industry. Skilled in Citrix, Microsoft, VMware, Ivanti, etc.

5 Comments

PSun · October 27, 2020 at 00:01

Jeroen – thank you for these great instructions for configuring a white/blacklist responder policy on the Netscaler. I recently moved my ADCs to AWS and had a hard time figuring out how to restrict access to an AG. Your instructions worked like a charm! Set up a whitelist and added all my allowed subnets. Voila! Thanks again for taking time to write this up and helping the community. Cheers!

Rogier · January 26, 2021 at 14:51

Jeroen,

i get stuck with the .NOT expression in the add responder policy, it keeps telling me expression systax error, how to get the “NOT” condition in the policy, i’ve tryed also the .! or ( xxx.!) but it does not seem te work
NS12.1.60.17
thanks

Rogier Winter · January 26, 2021 at 17:09

Hello Jeroen,

I’ve found out my problem : that when you use the gui, you’ve have to use the expression:
(via CLI it parses the string/format)

Thanks

(CLIENT.IP.SRC + “/32”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(31) + “/31”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(30) + “/30”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(29) + “/29”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(28) + “/28”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(27) + “/27”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(26) + “/26”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(25) + “/25”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(24) + “/24”).EQUALS_ANY(“PATSET_IP_Whitelist”)

    Jeroen Tielen · January 31, 2021 at 19:43

    Ho Rogier sorry for the late reply. But yes use the CLI 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: