Location Based Access to Web Apps and IP Reputation via NetScaler

This post shows how to configure location-based access and the IP Reputation feature for web apps delivered through NetScaler.

Key takeaways

Increase the security level of business applications by using location-based access and/or IP Reputation.

Security – limit exposure of business apps to a geographic location and block known anonymous VPN proxies, botnets, malware, etc.

Low cost – both a free GeoIP database and a subscription-based GeoIP database are available.

Flexibility – control access to resources based on country and/or city.

Note that the IP Reputation feature requires a Platinum license, whereas location-based access via GeoIP uses the AppExpert Responder engine, which is available in Standard edition.

Use Case

Typically, clients that operate from within one or more countries and/or cities and wish to reduce exposure of business applications by defining access based on location criteria.
This use case can be combined with the IP Reputation feature on NetScaler to block access from known “bad IPs” and prevent denial of service, scanners, malware attacks, etc.

A GeoIP database can be downloaded from e.g. MaxMind or several other public services at no cost.

A subscription-based license can be purchased from MaxMind for dynamic updates of changes to GeoIPs.

Configuration Guideline – Location Based Access via GeoIP

Note: in Part 2, an HTTP Callout will be used to dynamically update the GeoIP DB!

Prerequisite:
Download the GeoIP DB CSV and upload it to /var/geoip/ via SFTP:
https://dev.maxmind.com/geoip/legacy/geolite/#Downloads

Location-based access can be configured with the following NS CLI steps:

Add the downloaded GeoIP database

Add a MessageAction to log any blocks

Add a Responder policy and trigger the MessageAction

Configuration Guideline – IP Reputation

Low-hanging fruit for tightening security.

IP Reputation can be used from the Responder or Application Firewall engine. Responder has a lower CPU footprint.

Citrix integrates with the Webroot public cloud service as the source for IP reputation. To troubleshoot IP Reputation, analyze this log file:

cat /var/log/iprep.log

NS CLI
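As an added example (not the original post's commands), the following NS CLI sketch covers both the location-based access steps and the IP Reputation block described above. The CSV file name, the allowed country (DK), the internal range 10.0.0.0/8, the vserver name vs_webapp and all policy and action names are assumptions to adapt.

```netscaler
# --- Location-based access (GeoIP) ---
# Load the country CSV uploaded to /var/geoip/ (file name is an assumption)
add locationFile /var/geoip/GeoIPCountryWhois.csv -format GeoIP-Country

# Allow user-defined message actions to be written to the audit log
set audit syslogParams -userDefinedAuditlog YES
add audit messageaction log_geo_block WARNING '"GeoIP block, client: " + CLIENT.IP.SRC'

# Drop requests whose source is neither in the allowed country (DK assumed)
# nor in the internal range. Private addresses are not in the GeoIP database,
# so without the subnet exemption internal clients would be dropped as well.
add responder policy rsp_geo_block 'CLIENT.IP.SRC.MATCHES_LOCATION("*.DK.*.*.*.*").NOT && CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT' DROP -logAction log_geo_block

# --- IP Reputation (Platinum license) ---
enable feature reputation
add audit messageaction log_iprep_block WARNING '"IP Reputation block, client: " + CLIENT.IP.SRC'
add responder policy rsp_iprep_block 'CLIENT.IP.SRC.IPREP_IS_MALICIOUS' DROP -logAction log_iprep_block

# --- Bind to the web app vserver (name assumed) ---
# Reputation is evaluated first; NEXT lets clean addresses continue
# to the location policy.
bind lb vserver vs_webapp -policyName rsp_iprep_block -priority 90 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver vs_webapp -policyName rsp_geo_block -priority 100 -gotoPriorityExpression END -type REQUEST
```

After binding, `show responder policy rsp_geo_block` and `show responder policy rsp_iprep_block` display hit counters, which makes it possible to confirm that blocks are occurring before relying on the policies in production.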
