Overview
This post describes how to restrict the use of Citrix DaaS (Cloud Workspace, customer.cloud.com) to a limited set of countries / geo-locations.
In this scenario NetScaler is the IdP for Citrix DaaS, so the setup applies to both Adaptive Authentication and "Citrix Gateway" (= BYO NetScaler).
Configuration
NetScaler in General
For the basic configuration of geo-blocking with a simple Responder policy, check out this post by CTA Johannes Norz for all the details. Thanks for that!
In general, these are the commands needed to load the built-in IP location database and allow access only from Germany, Switzerland and Austria. I have also created a whitelist pattern set in case static IPs or subnets need to be allowed regardless of their location. Finally, there is an audit NOTICE message action, so dropped requests can be verified in ns.log. The allow policies get low priority numbers and end policy evaluation on a hit; everything that does not match them falls through to the DROP policy at priority 1000. Note that only the IPv4 location database is loaded here; if your AAA vserver is also reachable over IPv6, load the IPv6 database as well and extend the policies to cover IPv6 clients.
This is an example of a drop message; it helps to identify wrongly mapped or unexpectedly blocked geo-IP locations:
default RESPONDER Message 19247296 0 : "Dropped request for 20.113.32.199 from North America.US.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html"
# Enable the IPv4 GeoDB and create Responder policies for block and allow, including the whitelist pattern set
# Enable and configure a logging action so blocked requests can be checked in ns.log
set audit syslogParams -userDefinedAuditlog YES
set audit nslogParams -userDefinedAuditlog YES
add audit messageaction log_locationInformation NOTICE "\"Dropped request for \" + CLIENT.IP.SRC + \" from \" + CLIENT.IP.SRC.LOCATION + \" who tried to access \" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY"
add locationFile "/var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4"
set locationParameter -matchWildcardtoany YES
# Pattern set for static IPs/subnets that are allowed regardless of country. Entries must be written as network address plus prefix length (e.g. 203.0.113.0/24), because the expression below compares the string CLIENT.IP.SRC.SUBNET(n) + "/n" exactly against the set
add policy patset PatSet_Allow_Whitelist
add policy expression PolExpr_Allow_Whitelist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(23) + \"/23\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(22) + \"/22\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(21) + \"/21\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(20) + \"/20\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(19) + \"/19\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(18) + \"/18\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(17) + \"/17\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(16) + \"/16\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(15) + \"/15\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(14) + \"/14\").EQUALS_ANY(\"PatSet_Allow_Whitelist\") || (CLIENT.IP.SRC.SUBNET(13) + \"/13\").EQUALS_ANY(\"PatSet_Allow_Whitelist\")"
# Default: drop everything and log it. The allow policy is bound with a lower priority number and ends evaluation on a hit, so only non-matching requests reach the DROP
add responder policy rs_pol_deny_all true DROP -logAction log_locationInformation
add responder policy rs_pol_allow-DACH "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.DE.*.*.*.*\")||CLIENT.IP.SRC.MATCHES_LOCATION(\"*.AT.*.*.*.*\")||CLIENT.IP.SRC.MATCHES_LOCATION(\"*.CH.*.*.*.*\")||PolExpr_Allow_Whitelist" NOOP
bind authentication vserver auth_vs -policy rs_pol_allow-DACH -priority 5 -gotoPriorityExpression END -type AAA_REQUEST
bind authentication vserver auth_vs -policy rs_pol_deny_all -priority 1000 -gotoPriorityExpression END -type AAA_REQUEST
Basically, this works for all kinds of content and services published on NetScaler.
Difference in Combination with DaaS
With Cloud Workspace, however, the authentication front-end service of DaaS, called Athena, also has to reach the NetScaler AAA / Gateway URL. This is because of the authentication flow, which works with a redirect (more details here):
Since we are using OAuth, Athena needs to fetch the openid-configuration document. These requests come from Citrix Cloud, not from the user's country, so the geo-block drops them; the redirect from customer.cloud.com to your NetScaler for authentication then never happens and Athena's logs show the following error: Unable to obtain configuration from: 'https://aaa.customer.com/oauth/idp/.well-known/openid-configuration'.
What to do now? We create another Responder policy that allows access to the following six OAuth URLs, but NOT to the logon page itself (as that would open the portal to the whole world again). It is bound with priority 1 so that it is evaluated before the DACH allow policy (5) and the deny-all policy (1000). Note that the policy uses CONTAINS on the full request URL (path and query string), so any request whose URL contains one of these strings anywhere passes it; if you want a stricter match, anchor it to the start of the URL path.
# Responder policy that allows access to the six OAuth IdP URLs (but not the logon page) from anywhere, so Citrix Cloud (Athena) can reach them
# Replace aaa.customer.com with your AAA FQDN
add responder policy rs_pol_allow-AthenaOAuth "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"aaa.customer.com\")&&(HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/.well-known/openid-configuration\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/login\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/token\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/certs\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/logout\")||HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oauth/idp/userinfo\"))" NOOP
# Priority 1 puts this policy ahead of rs_pol_allow-DACH (5) and rs_pol_deny_all (1000)
bind authentication vserver auth_vs -policy rs_pol_allow-AthenaOAuth -priority 1 -gotoPriorityExpression END -type AAA_REQUEST
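To verify the whole setup from ns.log, the following Python is an added example (not part of this post and not a Citrix tool) that parses the "Dropped request for ..." NOTICE messages written by the log_locationInformation action above, counts drops per country and flags any drop of the six OAuth endpoints on the AAA FQDN. Such a drop means rs_pol_allow-AthenaOAuth is missing or bound behind the DROP policy, which is exactly the condition that produces the "Unable to obtain configuration" error in Athena. The log lines are constructed to follow the format of the drop message shown earlier; aaa.customer.com is the post's placeholder FQDN.

```python
# Added example: triage of the "Dropped request for ..." NOTICE messages that the
# log_locationInformation audit message action writes to ns.log.  Illustrative
# Python, not part of the post or of NetScaler.  Sample lines are constructed to
# follow the format of the post's own log example.
import re
from collections import Counter

# Assumed from the post: the AAA FQDN placeholder and the six OAuth IdP endpoints that
# Citrix Cloud (Athena) must be able to reach from outside the allowed countries.
AAA_HOST = "aaa.customer.com"
ATHENA_OAUTH_PATHS = (
    "/oauth/idp/.well-known/openid-configuration",
    "/oauth/idp/login",
    "/oauth/idp/token",
    "/oauth/idp/certs",
    "/oauth/idp/logout",
    "/oauth/idp/userinfo",
)

# Constructed sample ns.log excerpt (message IDs and IPs are made up; the IPs are
# documentation ranges).  Line 3 is the failure mode: Athena's discovery request dropped.
SAMPLE_NS_LOG = [
    'default RESPONDER Message 19247296 0 : "Dropped request for 20.113.32.199 from North America.US.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html"',
    'default RESPONDER Message 19247301 0 : "Dropped request for 198.51.100.23 from Europe.FR.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html"',
    'default RESPONDER Message 19247305 0 : "Dropped request for 203.0.113.9 from North America.US.*.*.*.* who tried to access aaa.customer.com/oauth/idp/.well-known/openid-configuration"',
    'default RESPONDER Message 19247310 0 : "Dropped request for 192.0.2.77 from Asia.IN.*.*.*.* who tried to access aaa.customer.com/logon/LogonPoint/tmindex.html?foo=bar"',
    'default RESPONDER Message 19247311 0 : "some other user-defined message that is ignored"',
]

# Matches the message body regardless of any syslog timestamp/facility prefix in front
# of it.  The location field may contain spaces ("North America"), hence the lazy match.
DROP_RE = re.compile(
    r'Dropped request for (?P<ip>\S+) from (?P<location>.+?) who tried to access (?P<target>\S+)'
)


def parse_drop(line):
    """Return {ip, location, country, host, path} for one drop message, or None."""
    m = DROP_RE.search(line)
    if not m:
        return None
    location = m.group("location").rstrip('"')
    target = m.group("target").rstrip('"')
    # CLIENT.IP.SRC.LOCATION format: continent.country.region.city.isp.organization
    parts = location.split(".")
    country = parts[1] if len(parts) > 1 else "?"
    # Target is HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY, no scheme.
    host, sep, path = target.partition("/")
    return {"ip": m.group("ip"), "location": location, "country": country,
            "host": host, "path": sep + path}


def triage(lines, aaa_host=AAA_HOST, athena_paths=ATHENA_OAUTH_PATHS):
    """Summarise drops per country and collect drops of the OAuth endpoints on the AAA
    host, which indicate the Athena allow policy is missing or ordered after the DROP."""
    by_country = Counter()
    athena_drops = []
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        by_country[rec["country"]] += 1
        path = rec["path"].lower()
        if rec["host"].lower() == aaa_host and any(path.startswith(p) for p in athena_paths):
            athena_drops.append(rec)
    return by_country, athena_drops


if __name__ == "__main__":
    by_country, athena_drops = triage(SAMPLE_NS_LOG)
    for country, count in by_country.most_common():
        print(f"{country}: {count} dropped request(s)")
    for rec in athena_drops:
        print(f"WARNING: OAuth endpoint {rec['path']} dropped for {rec['ip']} ({rec['location']}); "
              "check that rs_pol_allow-AthenaOAuth is bound with a lower priority number than rs_pol_deny_all")
```

Feed it the relevant lines from ns.log (for example the output of grepping for "Dropped request for"). Drops of the logon page from outside DACH are expected and confirm the block works; any drop of an /oauth/idp/ path is a misconfiguration to fix, and a burst of drops from a country you do expect points at a wrong mapping in the location database.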
Summary
I hope this information helps when you need to restrict access to Citrix DaaS Cloud Workspace to specific countries with NetScaler as the IdP.