Monday, May 12, 2014

NetScaler - Gateway vServer- Dropping packets from a specific Source


While talking with a citrixirc colleague, the question was brought up... "Is there a way to block 1 client from a vserver at the NetScaler level?"

The answer is "Yes". I am sure there are multiple ways to do this. I personally would use a "Responder Policy".

If you want to learn more about Citrix Responder Policies you can check out

Setting up a Responder Policy to drop a client

  • Open up the GUI and go to "NetScaler Gateway > Virtual Servers"
  • Open the vServer you would like to add the Responder Policy to.
  • Click on the "Policies" tab
  • Then click on the Responder button
  • Click on Insert Policy at the bottom
  • Then click on "New Policy..."

  • Create the following Responder Policy
    • Name: rpol-%youpickaname%
      • You can use whichever naming convention you would like. I use "rpol" for my Responder Policies.
    • Action: DROP
    • Expression: CLIENT.IP.SRC.EQ(<IP>)
      • Replace <IP> with the IP you want to block.
    • Click on "Create" and you should now see your Responder Policy under the Responder section.

If you want to verify from the NetScaler that it is being blocked, you could do something like:
  • Enable logging
  • SSH to your NetScaler and from shell do a " dst" to see what is happening with the packets.
  • From the CLI do
    • Show Connectiontable "DESTIP eq"

If you wanted to do this all from the CLI, you could just do...

add responder policy rpol-block-ip "CLIENT.IP.SRC.EQ(<IP>)" DROP
bind vpn vserver My-vServer -policy rpol-block-ip -priority 100 -gotoPriorityExpression END -type REQUEST

Note: This only blocks new connections. Any existing connections will remain connected until they are forced to reconnect. 
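As an added example (not from the original post), here is a small POSIX shell helper that validates each client IP before emitting the same two CLI lines, and that joins several addresses with || into one expression so a single policy covers them all. The policy name, vServer name, priority and IPs it is called with are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: build the NetScaler CLI lines that drop Gateway requests
# from one or more client IPs. Each address is validated first, so a typo
# does not silently create a policy whose expression never matches.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/empty octet
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                             # split into octets (function-local $@)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_block_policy POLICY VSERVER PRIORITY IP... -> prints the two CLI lines
# Assumption: one policy for all listed IPs, joined with || in the expression.
gen_block_policy() {
    pol=$1; vs=$2; prio=$3; shift 3
    [ $# -ge 1 ] || { echo "no IP given" >&2; return 1; }
    rule=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
        rule="${rule:+$rule || }CLIENT.IP.SRC.EQ($ip)"
    done
    printf 'add responder policy %s "%s" DROP\n' "$pol" "$rule"
    printf 'bind vpn vserver %s -policy %s -priority %s -gotoPriorityExpression END -type REQUEST\n' \
        "$vs" "$pol" "$prio"
}

# Sample call with constructed (documentation-range) addresses:
gen_block_policy rpol-block-ip My-vServer 100 203.0.113.7 198.51.100.9
```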
