Citrix ADC

Use Case: Filtering clients by using an IP blacklist

September 21, 2020

Contributed by:

HTTP callouts can be used to block requests from clients that are blacklisted by the administrator. The list of clients can be a publicly known blacklist, a blacklist that you maintain for you organization, or a combination of both.

The Citrix ADC appliance checks the IP address of the client against the pre-configured blacklist and blocks the transaction if the IP address has been blacklisted. If the IP address is not in the list, the appliance processes the transaction.

To implement this configuration, you must perform the following tasks:

Enable responder on the Citrix ADC appliance.
Create an HTTP callout on the Citrix ADC appliance and configure it with details about the external server and other required parameters.
Configure a responder policy to analyze the response to the HTTP callout, and then bind the policy globally.
Create an HTTP callout agent on the remote server.

Enabling responder

You must enable responder before you can use it.

To enable responder by using the GUI

Make sure that you have installed the responder license.
In the configuration utility, expand AppExpert, and right-click Responder, and then click Enable Responder feature.

Creating an HTTP callout on the Citrix ADC appliance

Create an HTTP callout, HTTP_Callout, with the parameter settings shown in the following table. For more information about creating an HTTP callout, see Configuring an HTTP Callout pdf.

Configuring a responder policy and binding it globally

After you configure the HTTP callout, verify the callout configuration, and then configure a responder policy to invoke the callout. While you can create a responder policy in the Policies sub-node and then bind it globally by using the Responder Policy Manager, this demonstration uses the Responder Policy Manager to create the responder policy and bind the policy globally.

To create a responder policy and bind it globally by usin

Navigate to AppExpert > Responder.
In the details pane, under Policy Manager, click Policy Manager.
In the Responder Policy Manager dialog box, click Override Global.
Click Insert Policy, and then, under Policy Name, click New Policy.
In the Create Responder Policy dialog box, do the following:
1. In Name, type PolicyResponder1.
2. In Action, select RESET.
3. In Undefined-Result Action, select Global undefined-result action.
4. In Expression, type the following default syntax expression:
```
"HTTP.REQ.HEADER("Request").EQ("Callout Request").NOT && SYS.HTTP_CALLOUT(HTTP_Callout).CONTAINS("IP Matched")"
```
5. Click Create, and then click Close.
Click Apply Changes, and then click Close.

Creating an HTTP callout agent on the remote server

You must now create an HTTP callout agent on the remote callout server that will receive callout requests from the Citrix ADC appliance and respond appropriately. The HTTP callout agent is a script that is different for each deployment and must be written with the server specifications in mind, such as the type of database and the scripting language supported.

Following is a sample callout agent that verifies whether the given IP address is part of an IP blacklist. The agent has been written in the Perl scripting language and uses a MYSQL database.

The following CGI script checks for a given IP address on the callout server.

#!/usr/bin/perl -w
print "Content-type: text/html\n\n";
        use DBI();
        use CGI qw(:standard);
#Take the Client IP address from the request query
        my $ip_to_check = param('cip');
# Where a MYSQL database is running
        my $dsn = 'DBI:mysql:BAD_CLIENT:localhost';
# Database username to connect with
        my $db_user_name = ‘dbuser’;
# Database password to connect with
        my $db_password = 'dbpassword';
        my ($id, $password);
# Connecting to the database
        my $dbh = DBI->connect($dsn, $db_user_name, $db_password);
        my $sth = $dbh->prepare(qq{ select * from bad_clnt });
        $sth->execute();
        while (my ($ip_in_database) = $sth->fetchrow_array()) {
        chomp($ip_in_database);
# Check for IP match
        if ($ip_in_database eq $ip_to_check) {
              print "\n IP Matched\n";
                                                     $sth->finish();
                                               exit;
                }
       }
       print "\n IP Failed\n";
       $sth->finish();
       exit;

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Use Case: Filtering clients by using an IP blacklist

September 21, 2020

Contributed by:

September 21, 2020

Contributed by:

Use Case: Filtering clients by using an IP blacklist

Enabling responder

To enable responder by using the GUI

Creating an HTTP callout on the Citrix ADC appliance

Configuring a responder policy and binding it globally

To create a responder policy and bind it globally by usin

Creating an HTTP callout agent on the remote server

In this article