Because all the commotion about the NetScaler vulrenability I decided to share my Client IP black and white list. This script will create a pattern set which you can fill with ip’s or subnets.

This pattern set is used in a policy expression which is used in a responder policy.

You can add direct ip’s in the format or subnets in the format The expression is only filtering form subnet /32 to /24. If you want more, just change the expression.

You can bind the responder policies against any vserver or global 😉 But don’t shut yourself out 😛

Note 1: The defaults are just for example and you need to fill in the public ip’s which you want to block/whitelist.
Note 2: Hackers use other ip’s or use VPN’s. So this is no 100% safe solution but just an extra step.
Note 3: I’m not responsible for any damage 😉



Jeroen Tielen

Experienced Consultant/Architect with a demonstrated history of working in the information technology and services industry. Skilled in Citrix, Microsoft, VMware, Ivanti, etc.


PSun · October 27, 2020 at 00:01

Jeroen – thank you for these great instructions for configuring a white/blacklist responder policy on the Netscaler. I recently moved my ADCs to AWS and had a hard time figuring out how to restrict access to an AG. Your instructions worked like a charm! Set up a whitelist and added all my allowed subnets. Voila! Thanks again for taking time to write this up and helping the community. Cheers!

Rogier · January 26, 2021 at 14:51


i get stuck with the .NOT expression in the add responder policy, it keeps telling me expression systax error, how to get the “NOT” condition in the policy, i’ve tryed also the .! or ( xxx.!) but it does not seem te work

Rogier Winter · January 26, 2021 at 17:09

Hello Jeroen,

I’ve found out my problem : that when you use the gui, you’ve have to use the expression:
(via CLI it parses the string/format)


(CLIENT.IP.SRC + “/32”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(31) + “/31”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(30) + “/30”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(29) + “/29”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(28) + “/28”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(27) + “/27”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(26) + “/26”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(25) + “/25”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(24) + “/24”).EQUALS_ANY(“PATSET_IP_Whitelist”)

    Jeroen Tielen · January 31, 2021 at 19:43

    Ho Rogier sorry for the late reply. But yes use the CLI 😉

Steve · February 16, 2023 at 22:23

Great Post. Wondering if something similar can be done for the Gateway in Citrix DaaS? Specifically, I need an expression to blacklist all external access to a delivery group and allow from internal subnets. I know it’s a little off topic but could use a hand. Thanks in advance!

    Sibgat · March 22, 2023 at 07:21

    Yeah, you can bind same responder policy to Citrix gateway virtual server.

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: