Configuring Application Access Controls

Application access controls, also known as management access controls, form a unified mechanism for managing user authentication and implementing rules that determine user access to applications and data. You can configure SNIPs to provide access for management applications. Management access for the NSIP is enabled by default and cannot be disabled. You can, however, control it by using ACLs.

For information about using ACLs, see Access Control Lists (ACLs).

The Citrix ADC appliance does not support management access to VIPs.

The following table provides a summary of the interaction between management access and specific service settings for Telnet.

Management Access Telnet (State Configured on the Citrix ADC) Telnet (Effective State at the IP Level)
Enable Enable Enable
Enable Disable Disable
Disable Enable Disable
Disable Disable Disable

The following table provides an overview of the IP addresses used as source IP addresses in outbound traffic.

Application/ IP NSIP SNIP VIP
ARP Yes Yes No
Server side traffic No Yes No
RNAT No Yes Yes
Dynamic routing Yes Yes Yes

The following table provides an overview of the applications available on these IP addresses.

Application/ IP NSIP SNIP VIP
SNMP Yes Yes Yes
System access Yes Yes No

You can access and manage the Citrix ADC by using applications such as Telnet, SSH, GUI, and FTP.

Note: Telnet and FTP are disabled on the Citrix ADC for security reasons. To enable them, contact the customer support. After the applications are enabled, you can apply the controls at the IP level.

To configure the Citrix ADC to respond to these applications, you need to enable the specific management applications. If you disable management access for an IP address, existing connections that use the IP address are not terminated, but no new connections can be initiated.

Also, the non-management applications running on the underlying FreeBSD operating system are open to protocol attacks, and these applications do not take advantage of the Citrix ADC appliance’s attack prevention capabilities.

You can block access to these non-management applications on a SNIP or NSIP. When access is blocked, a user connecting to a Citrix ADC by using the SNIP or NSIP is not be able to access the non-management applications running on the underlying operating system.

To configure management access for an IP address by using the CLI:

At the command prompt, type:

set ns ip <IPAddress> -mgmtAccess <value> -telnet <value> -ftp <value> -gui <value> -ssh <value> -snmp <value> -restrictAccess (ENABLED | DISABLED)


To enable management access and restrict access for a Citrix ADC owned IP address:

 > set ns ip -mgmtAccess enabled -restrictAccess ENABLED

To disable GUI access for a NSIP or SNIP address:

 > set ns ip -gui disabled


To enable management access for an IP address by using the GUI:

  1. Navigate to System > Network > IPs > IPV4s.
  2. Open an IP address entry, and select the Enable Management Access control to support the listed applications option.
Configuring Application Access Controls