The Citrix ADC (NetScaler) is often called a Swiss Army knife because of its full feature set, but all those options can be very confusing (my own experience). So, after a few questions about limiting access to applications, I thought it was time to explain some traffic manipulation options on the Citrix ADC. To start, I want to highlight the Responder policy versus the Rewrite policy.
As Citrix states: a rewrite policy consists of a rule and an action. The rule determines the traffic on which the rewrite is applied and the action determines the manipulation applied to that traffic. Good to know: rewrite policies can apply to traffic going client to server (request) and server to client (response).
Rule: the expression the policy evaluates. Example: CLIENT.IP.DST.EQ(10.0.0.15)
Action: insert, delete or replace content; NOREWRITE; RESET or DROP the traffic.
Adding a rewrite policy (insert) comes in handy: it needs no modifications to your ADC template and stays consistent when you apply future updates to your ADC.
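As an added example (not from the original post), the rewrite flow in NetScaler CLI: one policy inserts a header into the response only when the backend did not set it, and one inserts a header into the request on its way to the backend. The vserver name lb_vs_web and the header values are assumptions for this example.

```nscli
# Response side: add HSTS if the backend did not already send it.
# The header value is a PI expression, so the string literal carries its own quotes.
add rewrite action rw_act_insert_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000; includeSubDomains\""
add rewrite policy rw_pol_insert_hsts "HTTP.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" rw_act_insert_hsts
bind lb vserver lb_vs_web -policyName rw_pol_insert_hsts -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

# Request side: tell the backend the client arrived over TLS.
# HTTP.REQ.IS_VALID matches every well-formed request.
add rewrite action rw_act_insert_xfp insert_http_header X-Forwarded-Proto "\"https\""
add rewrite policy rw_pol_insert_xfp "HTTP.REQ.IS_VALID" rw_act_insert_xfp
bind lb vserver lb_vs_web -policyName rw_pol_insert_xfp -priority 100 -gotoPriorityExpression NEXT -type REQUEST

# Verify: the Hits counter should increase once traffic flows through the vserver.
show rewrite policy rw_pol_insert_hsts
show rewrite policy rw_pol_insert_xfp
```

Both bindings use NEXT so that further rewrite policies on the same vserver are still evaluated; the -type flag is what decides whether the policy sees the request or the response.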
Responder policies look a lot like Rewrite policies: rules and actions.
But one of the most important differences: Responder policies cannot be used for response or server-based expressions. The ADC examines the request from the client, takes action (if the rules are met), sends a response back to the client and closes the connection.
Rules: the expression(s) the policy evaluates (a rule can consist of one or more expressions).
Action: redirect, respond, drop or reset.
A responder policy is a good example of how you could protect your Citrix One-Time-Password management website (users configure their MFA token on this portal): reset the connection if the request does not originate from your internal (and secure) LAN. Attackers outside the LAN cannot add a token, which prevents them from logging in.
Where can you bind Responder and Rewrite policies (in order of processing)?
- Global Policies
- Load balancing, Content Switching or other vservers.
If you bind multiple policies to a vserver and want to control the order of processing, set the right priority when binding each policy to that vserver. You can steer the flow through the bound policies with the GoTo expression: NEXT, END, or the priority of a specific policy.
Bound policy, priorities and GoTo expression.
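As an added example (not from the original post) covering both the OTP portal scenario above and the priority/GoTo binding: two responder policies are bound to the vserver that fronts the OTP management site. The vserver name lb_vs_otp, the portal path /manageotp and the LAN range 10.0.0.0/8 are assumptions for this example.

```nscli
# Policy 1: reset any request for the OTP management path that does not come
# from the internal LAN. RESET is a built-in action, so no "add responder action" is needed.
add responder policy rs_pol_otp_internal_only "HTTP.REQ.URL.PATH.STARTSWITH(\"/manageotp\") && CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT" RESET

# Policy 2: drop requests that carry no Host header at all (basic request hygiene).
add responder policy rs_pol_drop_no_host "HTTP.REQ.HEADER(\"Host\").EXISTS.NOT" DROP

# Bind both: the lower priority number is evaluated first. END makes the intent
# explicit that nothing after a matching policy should run.
bind lb vserver lb_vs_otp -policyName rs_pol_otp_internal_only -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vs_otp -policyName rs_pol_drop_no_host -priority 110 -gotoPriorityExpression END -type REQUEST

# Verify the binding order and watch the Hits counter while testing from
# an internal and an external client.
show lb vserver lb_vs_otp
show responder policy rs_pol_otp_internal_only
```

To move the Host check ahead of the OTP check you only change the priorities in the bind commands; the policies themselves stay untouched.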
Conclusion? Generally speaking: use rewrite if you want to manipulate the traffic. Use responder if you want to reset, redirect or drop connections.
And what about ACLs? You could use ACLs to filter access towards your Citrix ADC / Gateway. Non-vserver traffic, such as your NSIP (management IP), is a perfect example of where ACLs secure access to your management portal. Do mind that ACLs are processed globally, whereas responder policies can be more fine-grained and bound to a vserver.
TIP: If you want to try out a full Web App Firewall, see the helpful post by Mads B. Petersen.
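As an added example (not from the original post), an extended ACL pair that restricts management access to the NSIP to the internal LAN. The NSIP 10.0.0.15, the LAN range 10.0.0.0-10.255.255.255 and the ACL names are constructed values for this example.

```nscli
# Allow HTTPS and SSH to the NSIP from the internal LAN (evaluated first: priority 10/11).
add ns acl acl_mgmt_allow_https ALLOW -srcIP = 10.0.0.0-10.255.255.255 -destIP = 10.0.0.15 -protocol TCP -destPort = 443 -priority 10
add ns acl acl_mgmt_allow_ssh ALLOW -srcIP = 10.0.0.0-10.255.255.255 -destIP = 10.0.0.15 -protocol TCP -destPort = 22 -priority 11

# Deny the same ports from everywhere else, and log the hits so blocked
# attempts show up in the audit log.
add ns acl acl_mgmt_deny_https DENY -destIP = 10.0.0.15 -protocol TCP -destPort = 443 -priority 20 -logstate ENABLED
add ns acl acl_mgmt_deny_ssh DENY -destIP = 10.0.0.15 -protocol TCP -destPort = 22 -priority 21 -logstate ENABLED

# ACLs are inactive until applied. Review the set first: make sure the address
# you are administering from falls inside an ALLOW rule before you apply.
show ns acl
apply ns acls

# Hit counters per ACL, useful to confirm the deny rules are catching traffic.
stat ns acl
```

Because ACLs are evaluated globally before any vserver processing, the deny rules above also protect the management interface from traffic that never reaches a responder policy.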
Next up in this series will be Content Switching.