Overview
This is a guide on how to configure Citrix NetScaler GeoIP restrictions. This specific example will allow only traffic originating from Great Britain (GB), with one specific IP address exempted from the restriction.
This is achieved by loading a GeoIP country database in CSV format as a NetScaler location file, then creating a Responder policy that DROPs any traffic that does not originate from GB (according to the CSV data) and does not come from the specific exempt IP defined in the policy. Finally, the policy is bound to the relevant virtual server.
Instructions
Download the free country database from MaxMind and unzip it.
Upload the extracted file GeoIPCountryWhois.csv to the /var/geoip directory on each NetScaler. Create the directory if it does not exist. You can use WinSCP to connect to the NetScaler and transfer the file.
Connect to the NetScaler over SSH (PuTTY is used for this purpose) and execute the following commands:
add locationfile /var/geoip/GeoIPCountryWhois.csv -format GeoIP-Country
The following command verifies that the location file was loaded:
show locationparameter
The following command creates the Responder policy. It DROPs any request whose source IP does not match a GB location and is not the specific exempt IP (192.168.1.1 in this example):
add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.GB.*.*.*.*\").NOT && CLIENT.IP.SRC.EQ(192.168.1.1).NOT" DROP
Next, bind the Responder policy to the virtual server that the policy should apply to. In this example, we assume that the virtual server is named AG_REMOTE.
bind lb vserver AG_REMOTE -policyName Drop_non_US -priority 100
Finally, test the configuration and save it.
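Before binding the policy to a production virtual server, it is worth checking offline which source addresses the expression would actually drop. The following is an added example and is not NetScaler code or anything from the referenced Citrix or MaxMind articles: a small Python script that parses rows in the legacy GeoLite Country CSV layout (assumed here to be start_ip, end_ip, start_int, end_int, country_code, country_name, with no header row; the sample rows are constructed, not real GeoIP data) and mirrors the logic of the Responder expression above: DROP when the source is not in a GB range and is not the exempt address, otherwise ALLOW. The function names (load_location_file, lookup_country, responder_decision) are my own.

```python
import bisect
import csv
import io
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed sample rows in the legacy GeoLite Country CSV layout:
# start_ip, end_ip, start_int, end_int, country_code, country_name.
# The ranges and their country assignments are made up for this example.
SAMPLE_CSV = '''"2.24.0.0","2.31.255.255","35127296","35651583","GB","United Kingdom"
"5.0.0.0","5.0.255.255","83886080","83951615","DE","Germany"
"8.8.8.0","8.8.8.255","134744064","134744319","US","United States"
'''

# Values taken from the policy expression on the page.
ALLOWED_COUNTRY = "GB"
EXEMPT_IPS: Set[str] = {"192.168.1.1"}

Range = Tuple[int, int, str]  # (start_int, end_int, country_code)


class LocationDb:
    """Sorted, non-overlapping IPv4 ranges with a country code each."""

    def __init__(self, ranges: List[Range]) -> None:
        self.ranges = sorted(ranges)
        self.starts = [r[0] for r in self.ranges]


def load_location_file(text: str) -> LocationDb:
    """Parse CSV text into a LocationDb, rejecting rows whose range is inverted.

    A sanity check like this is useful before uploading the file to
    /var/geoip and running 'add locationfile', since a bad row silently
    changes which clients match the policy.
    """
    ranges: List[Range] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue  # skip blank or malformed lines
        start = int(ipaddress.IPv4Address(row[0].strip()))
        end = int(ipaddress.IPv4Address(row[1].strip()))
        if start > end:
            raise ValueError(f"range start after end: {row[0]}-{row[1]}")
        ranges.append((start, end, row[4].strip().upper()))
    return LocationDb(ranges)


def lookup_country(db: LocationDb, ip: str) -> Optional[str]:
    """Return the country code covering ip, or None if no range covers it."""
    n = int(ipaddress.IPv4Address(ip))
    idx = bisect.bisect_right(db.starts, n) - 1
    if idx >= 0:
        start, end, code = db.ranges[idx]
        if start <= n <= end:
            return code
    return None


def responder_decision(db: LocationDb, client_ip: str,
                       allowed_country: str = ALLOWED_COUNTRY,
                       exempt_ips: Set[str] = EXEMPT_IPS) -> str:
    """Mirror the page's expression:
    MATCHES_LOCATION("*.GB.*.*.*.*").NOT && CLIENT.IP.SRC.EQ(192.168.1.1).NOT -> DROP
    Both conditions must hold for a DROP; anything else is allowed through.
    """
    not_allowed_country = lookup_country(db, client_ip) != allowed_country
    not_exempt = client_ip not in exempt_ips
    return "DROP" if (not_allowed_country and not_exempt) else "ALLOW"


DB = load_location_file(SAMPLE_CSV)

if __name__ == "__main__":
    for ip in ("2.24.10.10", "5.0.1.1", "8.8.8.8", "192.168.1.1", "192.168.1.2"):
        print(f"{ip:15} country={lookup_country(DB, ip)!s:5} -> {responder_decision(DB, ip)}")
```

One caveat the script makes visible: an address that appears in no range at all (including RFC 1918 addresses such as 192.168.1.2) does not match GB, so the policy drops it. That is why an exemption like the 192.168.1.1 entry matters when testing from an internal address, and why a gap in the CSV causes drops rather than allows.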
References
How to Block Access to a Website Using a Location Database Based on User’s Country
GeoLite Legacy Downloadable Databases