Secure Citrix ADC Gateway and Web Services using Geo IP


Continuing down the ethical hacking journey, I was recently asked to provide a geographical security baseline for a Citrix ADC setup. The request was for something flexible enough to provide security quickly and easily, but also simple to manage.

I have known about using the Geo IP database on Citrix ADCs for a while, but when I was asked about this there were a couple of requirements:

  • Have the ability to globally lock out certain regions from ANY service that resides on the ADC
  • Have a more granular control of specific services that are running on the ADC
  • Have the ability to quickly lock out a region from accessing ALL or INDIVIDUAL services immediately

The rest of this post will address how to achieve this on a Citrix ADC and walk you through configuring it for use within your own environment.

NOTE: If licensed, I would put this in as a default setting even with ALL regions allowed. This means the framework is already in place for you to quickly and easily lock out regions should your security team request it.

First, let's cover the technologies we will be using to achieve this:

Geo IP Database

I will start with this, as it is fundamental to the remaining policies working correctly.

NOTE: Starting from Citrix ADC 11, the firmware you deploy comes with a built-in Geo IP database. This makes deployment far easier, as you no longer need to convert and import your own database.

Navigate to AppExpert -> Location -> Static Databases and click Add

Then navigate to /var/netscaler/inbuilt_db


Here you will see the built-in Geo IP databases included with Citrix ADC. Select the relevant one and click Open.


You will now see that your Geo IP Database is there and (almost) ready to use


If you are using a firmware version after 11.1 Build 53.11, you will need to enable wildcard search. Open a PuTTY session to your ADC and enter the following command:

set locationParameter -matchWildcardtoany YES

Now you are ready to test that your Geo IP database has been imported correctly and is working as expected.

From the PuTTY session, type the following:

show locationparameter

Here you can see the wildcard qualifier is set up and the Geo IP database is ready to go. Let's just test that it is returning the right data from the database.

Type the following, then enter any public IP (I am using the public IP my ISP has assigned me):

nsmap -d -t

Here you can see the ADC knows that I am in Europe (yes – we are still in the EU – for the moment), I am in Great Britain and in England.

Great, that's the Geo IP database installed and working. Let's move on to locking your ADC down.

Citrix Application Firewall

Now that the Geo IP database is up and running, let's get into locking down access based on location.

The first thing I want to do is lock down access globally to all but the two regions the business operates from. In this case they are:

  • United Kingdom
  • United States of America

Access from ALL other regions will need to be blocked; however, I want the ability to easily onboard another location should the need arise.

Before I get into this I want to point out an invaluable resource. It is called the ISO 3166 country code list and it has ALL the country codes the Geo IP database is built on. You can find it here:

So, looking at this, I can see that I want to allow access from the following two codes: US for United States and GB for United Kingdom.

Head over to Security -> Citrix Web App Firewall -> Policies -> Firewall and click Add.

Give your new policy a name and select the built-in APPFW_DROP profile. Then in the expression put the following:


What this does is block ALL traffic except GB and US public IPs. You may think there should be an OR here (so did I), but trial and error showed that you need an AND (&&) for both to work. The reason is that this is a drop rule built from negated tests: a request should be dropped only when it is not from GB and also not from US. With OR, every address fails at least one of the two tests, so everything, including GB and US traffic, gets dropped.

Click OK and create your new policy.


Then click the Policy Manager button at the top of the page.


Click Continue through Override Global.


Click Add Binding and select your new policy from the list provided.


Click Done and that's it. You have just blocked all traffic to your ADC except GB and US traffic. Go ahead and try reaching your Citrix Gateway; it should still work fine.


For the purpose of testing this, I am going to remove the GB expression and retest to ensure that my traffic is blocked.


There it is. Blocked.

So you now have the ability to easily block or allow FULL ADC access for any region: just update the App Firewall expression and you are good to go.

Let's put it back to GB and US and move on to the specific lockdown of the Citrix Gateway.

Citrix Gateway and Responder Policies

So now we have access ONLY from the US and GB regions, but we have been asked to lock down the Citrix Gateway so that it can be accessed ONLY from the GB region, as the US users use other virtual servers on the ADC and not the gateway.

We can achieve this via Responder policies. But first, let's think about the error page.

I know this sounds odd, but when we block via Responder we are going to display a nice page stating that access is denied rather than a "Page Cannot Be Displayed" error.

Head over to AppExpert -> Responder -> HTML Page Imports and click Add to create a new HTML page.

NOTE: You cannot put links to images in your page here. If you want an image in your HTML page, you will need to convert the image to a Base64 string first and reference that in the HTML. This can take a bit of time to get right, but stick with it until you do; your users will appreciate the effort you put in!


Here is my error page HTML, and below it what it looks like for real.


With your HTML error page done, head over to AppExpert -> Responder -> Actions and click New to create an action. Give the action a name, select Respond With HTML and select your new HTML page from the list.


Click OK, then head over to AppExpert -> Responder -> Policies and click Add to create a new policy. Give your policy a name, select your new action and put the following into the expression:


This states that you want to display your error page to ALL traffic except that from the GB region. Remember the App Firewall policy from earlier: in essence, ONLY US and GB traffic can get through the ADC at all, but ONLY GB traffic can access the gateway.
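To make the two-layer decision concrete, here is an added Python model of the policy logic described in this post (not Citrix code, and not the expressions from the screenshots): a global drop rule for everything that is neither GB nor US, the wrong OR form for comparison, and a Responder rule on the gateway that only lets GB through. The geo table and client addresses are constructed, and the RFC 1918 exemption reflects the caveat raised in the comments below: private source addresses never map to a country, so a pure "not GB and not US" rule would also drop internal redirections.

```python
import ipaddress

# Constructed stand-in for the ADC's Geo IP database: prefix -> ISO 3166 code.
# Documentation ranges only; not real geolocation data.
GEO_DB = {
    "203.0.113.0/24": "GB",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
}

# RFC 1918 ranges that never resolve to a country in the Geo IP database.
INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_internal(ip):
    """True when ip falls inside one of the exempted private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in INTERNAL_NETS)


def lookup_country(ip):
    """Return the ISO country code for ip, or None when the database has no
    entry (private and unlisted addresses both come back as None)."""
    addr = ipaddress.ip_address(ip)
    for prefix, code in GEO_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return code
    return None


def appfw_blocks(ip, allowed=("GB", "US")):
    """Global App Firewall rule bound to APPFW_DROP: drop when the source is
    NOT GB AND NOT US. Unknown countries fail closed; internal ranges are exempt."""
    if is_internal(ip):
        return False
    country = lookup_country(ip)
    return all(country != code for code in allowed)


def appfw_blocks_with_or(ip, allowed=("GB", "US")):
    """The tempting (wrong) form: NOT GB OR NOT US. Every address fails at
    least one of the two tests, so GB and US traffic is dropped as well."""
    country = lookup_country(ip)
    return any(country != code for code in allowed)


def gateway_responder_blocks(ip):
    """Responder policy bound to the Citrix Gateway: serve the denial page to
    anything that is not GB. It only ever sees what the App Firewall let through."""
    return not is_internal(ip) and lookup_country(ip) != "GB"


def decide(ip):
    """End-to-end verdict for one client address hitting the gateway."""
    if appfw_blocks(ip):
        return "dropped by App Firewall"
    if gateway_responder_blocks(ip):
        return "denied page from Responder"
    return "gateway allowed"
```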


Click OK, then bind this new policy to your Citrix Gateway as a REQUEST type.


Let's test. First, try the gateway from my machine here in the UK.


Works fine. Now to test from the US. Thanks here to my buddy Jarian Gibson for quickly jumping on and testing this whilst doing his Thanksgiving prep (or just drinking coffee on the sofa!).


There we go.

So we have locked down global access to our ADC using Citrix App Firewall and specific access to our gateways using Responder.

We can quickly lock out regions globally by removing them from the App Firewall policy, or grant new regions by adding them. Finally, we can adjust specific access to the Citrix Gateways by editing the Responder policies assigned to them.

Hope this gives you a quick insight into how you can use Geo IP and ADC to secure your remote access by region.

One thought on "Secure Citrix ADC Gateway and Web Services using Geo IP"

  1. Tim R

    Hey Dave,

    Smashing write-up! Very easy to follow and implement.

    Wanted to let you know about a couple of items I ran into when deploying across my environment. I had to modify your rules a bit for the global responder, as several ADCs have internal redirections to RFC 1918 (private subnets), and those were not showing as _any_ country. I ended up doing it based on subnet – one for my DMZ, and another for our internal network, using this syntax:


    Of course, you can modify the subnets to be _only_ those of your networks to lock it down even further. I was able to validate that this was the problem through ADM with syslogging. I added a Log action to the firewall rule with the following expression:

    "Blocked non-US source from IP " + CLIENT.IP.SRC + " using hostname " + http.REQ.HOSTNAME

    Modify as you see fit =). I have it set to Alert level, and Alerts are forwarded to the syslog server (Citrix ADM). I’m then able to filter based on Alert level, and see the external IP of the client(s) attempting to access my systems. This makes it much easier to determine whether I have a valid IP / geolocation I need to add to my rules.

    The other problem I ran into was on an 11.0 NS / ADC when enabling the Geo IP database. After banging around with it for a while, I had to create the /var/netscaler/locdb folder (mkdir /var/netscaler/locdb) and make sure it was fully accessible (chmod 777 /var/netscaler/locdb). Then, I had to follow this Citrix article ( to get the DB to provide valid responses using nsmap.
