How to Configure Citrix NetScaler GeoIP Restrictions

This is a guide on how to configure Citrix NetScaler GeoIP restrictions.

Overview

This specific example allows only traffic originating from Great Britain (GB), with an exemption for one specific IP address.

This is achieved by loading a GeoIP country database in CSV format onto the NetScaler and creating a Responder policy that DROPs any traffic that originates neither from GB (according to the CSV data) nor from the specific IP defined in the policy.  The policy is then bound to the relevant Virtual Server.

Instructions

Download the free country database from MaxMind and unzip it.

Download MaxMind Country GeoIP database

The above database is free, and the accuracy of its information is debatable.  For production environments, you should explore other options; for example, a restriction based on this database could most likely be bypassed easily with a low-cost VPN or proxy.

Upload the extracted file GeoIPCountryWhois.csv to the /var/geoip directory on each NetScaler, creating the directory if it does not exist.  You can use WinSCP to connect to the NetScaler and transfer the file.

(Screenshot: Transfer file to NetScaler using WinSCP)

Connect to the NetScaler over SSH (PuTTY is used for this purpose) and execute the following command:

add locationfile /var/geoip/GeoIPCountryWhois.csv -format GeoIP-Country

The following command verifies that the location file has been loaded:

show locationparameter

(Screenshot: NetScaler add locationfile)

The following command creates the responder policy, which DROPs any traffic that comes neither from Great Britain (GB) nor from the specific exempt IP.

add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.GB.*.*.*.*\").NOT && CLIENT.IP.SRC.EQ(192.168.1.1).NOT" DROP

As of this writing, the command referenced in the official Citrix article CTX130701 fails because its opening quote is a curly quote (“) rather than a straight quote (").

Next, bind the responder policy to the virtual server to which you want the policy to apply.  In this example, we assume that the virtual server name is AG_REMOTE.

bind lb vserver AG_REMOTE -policyName Drop_non_US -priority 100

Finally, test the policy and save the configuration.
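To sanity-check the policy logic against the CSV before binding it to a production virtual server, here is an added Python example (not from the original page, Citrix or MaxMind). It parses rows in the legacy GeoIPCountryWhois.csv layout and applies the same rule as the Responder expression: allow GB or the exempt IP, drop everything else. The sample rows and the exempt address 192.168.1.1 are constructed for illustration and are not real MaxMind data.

```python
import csv
import io
import ipaddress
from bisect import bisect_right

# Constructed rows in the legacy MaxMind GeoIPCountryWhois.csv layout:
# "start_ip","end_ip","start_int","end_int","country_code","country_name".
# Illustrative ranges only, not real MaxMind data.
SAMPLE_CSV = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"2.16.0.0","2.16.255.255","34603008","34668543","GB","United Kingdom"
"5.0.0.0","5.0.255.255","83886080","83951615","DE","Germany"
'''

def load_location_file(text):
    """Parse the CSV into (sorted start ints, (start, end, country) rows)."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue  # skip blank or malformed lines
        rows.append((int(row[2]), int(row[3]), row[4]))
    rows.sort()
    starts = [r[0] for r in rows]
    return starts, rows

TABLE = load_location_file(SAMPLE_CSV)

def lookup_country(table, ip):
    """Return the country code covering ip, or None if no range matches."""
    starts, rows = table
    n = int(ipaddress.ip_address(ip))
    i = bisect_right(starts, n) - 1
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None

def responder_action(client_ip, table=TABLE, country="GB", exempt_ip="192.168.1.1"):
    """Mirror the policy: DROP unless the source is in GB or is the exempt IP.

    Note that an address absent from the database (private ranges, new
    allocations) has no location match, so it is dropped unless exempted.
    """
    if client_ip == exempt_ip:
        return "ALLOW"
    if lookup_country(table, client_ip) == country:
        return "ALLOW"
    return "DROP"
```

Running the real GeoIPCountryWhois.csv through load_location_file lets you confirm which internal monitoring or admin hosts would need an exemption like the one in the policy.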

References

How to Block Access to a Website Using a Location Database Based on User’s Country

GeoLite Legacy Downloadable Databases