Citrix DaaS – Geoblocking with NetScaler


Overview

This post describes how to restrict the use of Citrix DaaS (Cloud Workspace, customer.cloud.com) to a limited set of countries / geo-locations.

In this scenario I'm using NetScaler as the IdP for Citrix DaaS, so this applies to both Adaptive Authentication and "Citrix Gateway" (i.e. bring-your-own NetScaler).

Configuration

NetScaler in General

For the basic configuration of geo-blocking with a Responder policy, check out this post by CTA Johannes Norz for all the details; thanks for that!

In general, these are the commands to enable the built-in IP location database and allow access only from Germany, Switzerland and Austria. I've also created a whitelist pattern set in case specific static IPs or subnets need to be allowed as well. In addition, there's an audit NOTICE message action, so you can verify dropped requests in ns.log.

This is an example of a dropped-request message, which helps you identify wrongly classified or blocked geo-IP locations:

default RESPONDER Message 19247296 0 :  “Dropped request for 20.113.32.199 from North America.US.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html”

#enable the IPv4 GeoDB and create Responder policies for block and allow, including the whitelist pattern set
#enable and configure a logging action for checking blocked requests in ns.log

#let user-defined audit messages (the messageaction below) reach syslog and ns.log
set audit syslogParams -userDefinedAuditlog YES
set audit nslogParams -userDefinedAuditlog YES
#message written for every dropped request: source IP, its GeoDB location (continent.country.region.city.isp.org) and the requested host + URL
add audit messageaction log_locationInformation NOTICE "\"Dropped request for \" + CLIENT.IP.SRC + \" from \" + CLIENT.IP.SRC.LOCATION + \" who tried to access \" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY"

#load the built-in IPv4 location database; matchWildcardtoany lets "*.DE.*.*.*.*" match any German entry regardless of region/city/ISP
add locationFile "/var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4"
set locationParameter -matchWildcardtoany YES

#whitelist entries are compared as strings, so bind them as "<network address>/<prefix length>" (example values: "192.0.2.0/24" or "198.51.100.7/32");
#the expression below checks /32 down to /13 only, so shorter prefixes would never match
add policy patset PatSet_Allow_Whitelist
add policy expression PolExpr_Allow_Whitelist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(23) + \"/23\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(22) + \"/22\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(21) + \"/21\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(20) + \"/20\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(19) + \"/19\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(18) + \"/18\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(17) + \"/17\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(16) + \"/16\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(15) + \"/15\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(14) + \"/14\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(13) + \"/13\").EQUALS_ANY(\"PatSet_Allow_Whitelist\")"

#catch-all DROP (logged via the message action) and the allow policy for DE/AT/CH or whitelisted sources (NOOP = let the request pass)
add responder policy rs_pol_deny_all true DROP -logAction log_locationInformation
add responder policy rs_pol_allow-DACH "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.DE.*.*.*.*\")||CLIENT.IP.SRC.MATCHES_LOCATION(\"*.AT.*.*.*.*\")||CLIENT.IP.SRC.MATCHES_LOCATION(\"*.CH.*.*.*.*\")||PolExpr_Allow_Whitelist" NOOP

#the allow policy (priority 5) is evaluated before the deny policy (priority 1000); gotoPriorityExpression END stops evaluation after the first match,
#so an allowed request never reaches rs_pol_deny_all
bind authentication vserver auth_vs -policy rs_pol_allow-DACH -priority 5 -gotoPriorityExpression END -type AAA_REQUEST
bind authentication vserver auth_vs -policy rs_pol_deny_all -priority 1000 -gotoPriorityExpression END -type AAA_REQUEST

Basically, this works for any kind of content or service published through NetScaler.
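To actually verify the dropped requests mentioned above, here is an added Python script (not part of the original post and not NetScaler code) that parses the "Dropped request for ..." messages the log_locationInformation action writes to ns.log, counts drops per country and per source IP, and flags two cases worth a second look: drops whose GeoDB location is unresolved ("*.*.*.*.*.*"), and drops from DE/AT/CH, which should never occur if the policies are bound as shown. The log lines, the syslog prefix in front of each message and the source IPs (RFC 5737 documentation ranges) are constructed for the example; the message body follows the format of the audit message action, with straight quotes as the appliance writes them.

```python
import re
from collections import Counter

# Countries the allow policy (rs_pol_allow-DACH) admits; drops from these
# should never appear in ns.log if the configuration is correct.
ALLOWED_COUNTRIES = {"DE", "AT", "CH"}

# Matches the message body produced by the log_locationInformation action.
# The location is the GeoDB string continent.country.region.city.isp.org.
DROP_RE = re.compile(
    r'RESPONDER Message \d+ \d+ :\s+"Dropped request for (?P<ip>[\d.]+) '
    r'from (?P<location>.+?) who tried to access (?P<target>[^"]*)"'
)

# Constructed sample ns.log lines (not captured from a real appliance);
# the prefix before "default RESPONDER" is a placeholder for the syslog header.
SAMPLE_NS_LOG = """\
Jan 10 09:12:01 ns 0-PPE-0 : default RESPONDER Message 19247296 0 :  "Dropped request for 203.0.113.7 from North America.US.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html"
Jan 10 09:12:05 ns 0-PPE-0 : default RESPONDER Message 19247297 0 :  "Dropped request for 203.0.113.7 from North America.US.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html"
Jan 10 09:13:40 ns 0-PPE-0 : default RESPONDER Message 19247298 0 :  "Dropped request for 198.51.100.23 from Asia.CN.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html"
Jan 10 09:14:02 ns 0-PPE-0 : default RESPONDER Message 19247299 0 :  "Dropped request for 192.0.2.44 from *.*.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html"
Jan 10 09:15:00 ns 0-PPE-0 : default EVENT DEVICEUP 19247300 0 :  Device "server_1" - State UP
"""


def parse_drop(line):
    """Return ip, country, location and target for a drop message, or None for other lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    location = m.group("location")
    fields = location.split(".")
    # country is the second qualifier; "*" means the GeoDB could not resolve the address
    country = fields[1] if len(fields) >= 2 else "*"
    return {"ip": m.group("ip"), "country": country,
            "location": location, "target": m.group("target")}


def summarize_drops(log_text):
    """Aggregate drop messages per country and source IP and collect records to review."""
    by_country = Counter()
    by_ip = Counter()
    unresolved = []          # unknown to the GeoDB: check the database or private/NAT ranges
    allowed_but_dropped = []  # allowed country still dropped: policy order or binding is wrong
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec is None:
            continue
        by_country[rec["country"]] += 1
        by_ip[rec["ip"]] += 1
        if rec["country"] == "*":
            unresolved.append(rec)
        elif rec["country"] in ALLOWED_COUNTRIES:
            allowed_but_dropped.append(rec)
    return {"by_country": by_country, "by_ip": by_ip,
            "unresolved": unresolved, "allowed_but_dropped": allowed_but_dropped}


if __name__ == "__main__":
    report = summarize_drops(SAMPLE_NS_LOG)
    for country, n in report["by_country"].most_common():
        print(f"{country:>3}: {n} dropped request(s)")
    for rec in report["unresolved"]:
        print("unresolved location:", rec["ip"], "->", rec["target"])
    for rec in report["allowed_but_dropped"]:
        print("CHECK CONFIG, allowed country dropped:", rec["ip"], rec["location"])
```

Feed it the real file with `summarize_drops(open("/var/log/ns.log").read())`; a non-empty allowed_but_dropped list means the allow policy is not being hit before the deny policy, and unresolved entries are the candidates for a whitelist entry or a GeoDB update.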

Difference in Combination with DaaS

With Cloud Workspace, however, the authentication front-end service of DaaS, called Athena, also needs to reach the NetScaler AAA / Gateway URL. That's because of the authentication flow, which works with a redirect (more details here).

As we are using OAuth, Athena needs to fetch the openid-configuration document. Otherwise the redirect from customer.cloud.com to your NetScaler for authentication never happens, and Athena's logs show the following error message: Unable to obtain configuration from: ‘https://aaa.customer.com/oauth/idp/.well-known/openid-configuration’.

What to do now? We create another Responder policy that allows access to the following six OAuth URLs, but NOT to the logon page itself (as that would open the portal to the whole world again):

#Responder policy that allows the six OAuth endpoints Athena needs, but not the logon page itself
#Replace aaa.customer.com with your AAA FQDN
#CONTAINS is a case-insensitive substring match over the whole URL (query string included); HTTP.REQ.URL.PATH.STARTS_WITH(...) would be the stricter alternative

add responder policy rs_pol_allow-AthenaOAuth "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"aaa.customer.com\")&&(HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/.well-known/openid-configuration\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/login\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/token\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/certs\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/logout\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/userinfo\"))" NOOP

#priority 1 puts this policy ahead of rs_pol_allow-DACH (5) and rs_pol_deny_all (1000), so these endpoints are reachable from any location;
#everything else (including the logon page) still goes through the geo check and the catch-all DROP
bind authentication vserver auth_vs -policy rs_pol_allow-AthenaOAuth -priority 1 -gotoPriorityExpression END -type AAA_REQUEST
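To see how the three bindings from both sections interact (the whitelist expression and the DACH/deny pair from "NetScaler in General", plus the Athena OAuth exception above), here is an added Python model of the policy chain. It is not NetScaler code and not from the original post: it reproduces the string-based whitelist lookup of PolExpr_Allow_Whitelist (network address plus prefix length, /32 down to /13), the case-insensitive substring semantics of the OAuth rule, and first-match-wins evaluation in priority order with goto END. The Request fields, the sample requests, their country strings and the pattern set content ("192.0.2.0/24") are constructed for the example; IPs are from RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

AAA_FQDN = "aaa.customer.com"          # replace with your AAA FQDN, as in the policy
DACH = {"DE", "AT", "CH"}
# the six endpoints rs_pol_allow-AthenaOAuth admits from any location
ATHENA_OAUTH_PATHS = (
    "/oauth/idp/.well-known/openid-configuration",
    "/oauth/idp/login", "/oauth/idp/token", "/oauth/idp/certs",
    "/oauth/idp/logout", "/oauth/idp/userinfo",
)


@dataclass
class Request:
    ip: str
    country: str   # what CLIENT.IP.SRC.LOCATION would resolve to; "*" = unknown to the GeoDB
    host: str      # HTTP.REQ.HOSTNAME
    url: str       # HTTP.REQ.URL (path plus query string)


def whitelist_matches(ip, patset):
    """Mirror PolExpr_Allow_Whitelist: build "<network>/<len>" for /32 down to /13 and
    look each string up in the pattern set, exactly as the NetScaler expression does."""
    addr = ipaddress.ip_address(ip)
    for plen in range(32, 12, -1):                      # 32, 31, ..., 13
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if f"{net.network_address}/{plen}" in patset:   # entries must be the network address
            return True
    return False


def athena_oauth_rule(req):
    # SET_TEXT_MODE(IGNORECASE).EQ / .CONTAINS: case-insensitive, substring over the full URL
    url = req.url.lower()
    return req.host.lower() == AAA_FQDN and any(p in url for p in ATHENA_OAUTH_PATHS)


def dach_or_whitelist_rule(patset):
    def rule(req):
        return req.country in DACH or whitelist_matches(req.ip, patset)
    return rule


def build_policy_chain(patset):
    """(priority, name, rule, action); every binding uses gotoPriorityExpression END."""
    return [
        (1, "rs_pol_allow-AthenaOAuth", athena_oauth_rule, "NOOP"),
        (5, "rs_pol_allow-DACH", dach_or_whitelist_rule(patset), "NOOP"),
        (1000, "rs_pol_deny_all", lambda req: True, "DROP"),
    ]


def evaluate(req, chain):
    """First matching policy in priority order wins, because goto END stops evaluation."""
    for _prio, name, rule, action in sorted(chain, key=lambda p: p[0]):
        if rule(req):
            return name, action
    return None, "NOOP"   # unreachable while the catch-all deny policy is bound


# Constructed sample traffic: Athena's discovery call, the logon page from
# several locations, a whitelisted source and an address the GeoDB cannot resolve.
SAMPLE_REQUESTS = {
    "athena_discovery_from_us": Request("203.0.113.7", "US", AAA_FQDN, "/oauth/idp/.well-known/openid-configuration"),
    "logon_page_from_us": Request("203.0.113.7", "US", AAA_FQDN, "/logon/LogonPoint/tmindex.html"),
    "logon_page_from_de": Request("198.51.100.23", "DE", AAA_FQDN, "/logon/LogonPoint/tmindex.html"),
    "logon_page_whitelisted": Request("192.0.2.44", "US", AAA_FQDN, "/logon/LogonPoint/tmindex.html"),
    "logon_page_unknown_location": Request("198.51.100.200", "*", AAA_FQDN, "/logon/LogonPoint/tmindex.html"),
}


def simulate(patset=frozenset({"192.0.2.0/24"})):
    """Evaluate every sample request against the chain; returns label -> (policy, action)."""
    chain = build_policy_chain(patset)
    return {label: evaluate(req, chain) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, (policy, action) in simulate().items():
        print(f"{label:<30} {action:<5} ({policy})")
```

The run shows the intended split: the openid-configuration request from a US address passes via rs_pol_allow-AthenaOAuth, the logon page from the same address is dropped, and the whitelisted address passes via rs_pol_allow-DACH. The whitelist helper also makes two properties of the expression visible: an entry written with a host address ("192.0.2.44/24") never matches, and an entry shorter than /13 is never checked.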

Summary

I hope this information helps when you need to restrict access to Citrix DaaS Cloud Workspace to specific countries with NetScaler as the IdP.
