Allow access to web apps based on a specific time schedule with Citrix ADC (NetScaler)

Recently I was involved in a project, where one of the objectives was to restrict access to application resources handled by our Citrix ADC, based on a specific time range.

So from Monday to Friday between 8-16 access should be allowed in this case, where access to the web applications or Citrix Gateway resources should be dropped if initiated outside of our allowed time frame.

This is pretty straight forward to accomplish, we can leverage our SYS.TIME policy expression on our Citrix ADC. The SYS.TIME expression prefix extracts the NetScaler / ADC system time.

Furthermore we can advance it a bit and combine a PatternSet to group allowed source IPs, and a custom audit log action to provide syslog statistics if access is initiated outside our time frame.

Create a Responder Policy to drop traffic if not within our time range

In this example we create our AppExpert Responder policy, which will be bound to the applicable Content Switch, Load Balancing or Gateway Virtual Server in scope. As an alternative to a DROP action we could choose to create a Responder action and Respond with a HTML Page instead. But in this example we simply DROP the traffic if outside of our time range.

Create the Allowed Source Client IP net in a PatternSet

Following will be used to group specific IP Subnets in a PatternSet, so we can manage the subnets in a better way, as opposed to edit our Policy expression we edit our logical pattern set if changes is required.

We start by creating our Pattern Set.

Then we bind our desired IP Subnet to our Pattern Set.

For this to work correctly we have to create our advanced policy expression. Which we will reference later on in our Responder policy. Here we define our Subnet Mask ID.

 

Create our Audit Message to log information if policy is triggered

We create an Audit Log Action to tell if our policy was hit outside our time range. This makes is possible to catch any drops and provide statistics in Syslog messages.

First we make sure User Defined Logging is enabled.

We customize our desired audit message.

Final NS CLI to meet our objective

In this combined example we create our policy and allow access based on a specific time schedule.

Relevant Citrix Docs articles

Following Citrix Docs explains the SYS.TIME syntax in more details.

Expressions of NetScaler System Time:

https://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions/ns-pi-adv-exp-work-date-time-num-wrapper-con/ns-pi-exp-ns-sys-time-con.html

Format of Dates and Times in an Expressions:

https://docs.citrix.com/en-us/netscaler/12/appexpert/policies-and-expressions/ns-pi-adv-exp-work-date-time-num-wrapper-con/ns-pi-format-date-time-exp-con.html

Leave a Reply