Authorization policies
When you configure an authorization policy, you can set it to allow or deny access to network resources in the internal network. For example, to allow users access to the 10.3.3.0 network, use the following expression. Note that the /16 prefix admits every destination from 10.3.0.0 to 10.3.255.255, which includes 10.3.3.0; to limit the policy to that single network, use 10.3.3.0/24 instead:
CLIENT.IP.DST.IN_SUBNET(10.3.0.0/16)
Authorization policies are applied to users and groups. After a user is authenticated, NetScaler Gateway performs a group authorization check by obtaining the user’s group information from a RADIUS, LDAP, or TACACS+ server. If group information is available for the user, NetScaler Gateway checks the network resources allowed for the group.
To control which resources users can access, you must create authorization policies. If you do not need to create authorization policies, you can configure default global authorization.
If you create an expression within the authorization policy that denies access to a file path, you can only use the subdirectory path and not the root directory. For example, use fs.path contains “\\dir1\\dir2” instead of fs.path contains “\\rootdir\\dir1\\dir2”. If you use the second version in this example, the policy fails.
After you configure the authorization policy, you then bind it to a user or group.
By default, authorization policies are validated first against policies that you bind to the virtual server and then against policies bound globally. If you bind a policy globally and want the global policy to take precedence over a policy that you bind to a user, group, or virtual server, you can change the priority number of the policy. Priority numbers start at zero. A lower priority number gives the policy higher precedence.
For example, if the global policy has a priority number of one and the policy bound to the user has a priority number of two, the global authorization policy is applied first.
Important:
- Classic authorization policies are applied only on TCP traffic.
Advanced authorization policy can be applied on all types of traffic (TCP/UDP/ICMP/DNS).
To apply policy on UDP/ICMP/DNS traffic, policies must be bound at type UDP_REQUEST, ICMP_REQUEST, and DNS_REQUEST respectively.
- While binding, if “type” is not explicitly mentioned or “type” is set to REQUEST, the behavior does not change from earlier builds, that is these policies are applied only to TCP traffic.
- The policies bound at UDP_REQUEST do not apply to DNS traffic. For DNS, policies must be explicitly bound at DNS_REQUEST. DNS over TCP (TCP_DNS) is treated like any other TCP request.
For more details on advanced authorization policies, see article https://support.citrix.com/article/CTX232237.
Configure and bind an authorization policy
Configure an authorization policy by using the GUI
- Navigate to NetScaler Gateway > Policies > Authorization.
- In the details pane, click Add.
- In Name, type a name for the policy.
- In Action, select Allow or Deny.
- In Expression, click Expression Editor.
- To configure the expressions, click Select and choose the necessary elements.
Following are a few expression examples:
- HTTP.REQ.USER.IS_MEMBER_OF("AllowedGroup")
  Allows or denies access if the user is a member of the user group “AllowedGroup”.
- CLIENT.IP.DST.BETWEEN(10.102.75.10,10.102.75.20)
  Allows or denies access if the destination IP address of the client request is within the range 10.102.75.10 to 10.102.75.20.
- HTTP.REQ.HOSTNAME.CONTAINS("portal-srv") || CLIENT.IP.DST.IN_SUBNET(10.102.75.0/25)
  Allows or denies access if the hostname of the HTTP request contains the text “portal-srv” or if the destination IP address of the client request is in the subnet 10.102.75.0/25.
- Click Done when your expression is complete.
- Click Create.
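Before binding an expression it is worth checking exactly which destinations and users it covers, because a wider prefix than intended (such as 10.3.0.0/16 when only the 10.3.3.0 network should be reachable) silently allows the rest of the /16. The following is an added example, not Citrix code and not the NetScaler policy engine: it models the meaning of the four expression primitives used on this page in Python and evaluates the page’s own expressions against constructed requests. The `Request` class, its fields and the probe addresses are constructed for the example; `BETWEEN` is modelled as inclusive at both ends, and only a flat `||`/`&&` combination of primitive calls is supported.

```python
"""Toy evaluator for the NetScaler advanced-expression primitives used on this page.

Added example, not Citrix code. It models the meaning of
CLIENT.IP.DST.IN_SUBNET, CLIENT.IP.DST.BETWEEN, HTTP.REQ.USER.IS_MEMBER_OF and
HTTP.REQ.HOSTNAME.CONTAINS so an expression's coverage can be checked before it
is bound to an authorization policy.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Constructed request attributes inspected by the primitives above."""
    dst_ip: str                      # what CLIENT.IP.DST refers to
    hostname: str = ""               # what HTTP.REQ.HOSTNAME refers to
    groups: frozenset = frozenset()  # groups returned by LDAP/RADIUS/TACACS+ for the user


# A primitive call looks like NAME.WITH.DOTS(arg[, arg]); nested calls are not supported.
_CALL = re.compile(r"^(?P<name>[A-Z_.]+)\((?P<args>.*)\)$")


def _unquote(s):
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return s[1:-1]
    raise ValueError(f"expected a quoted string, got {s!r}")


def eval_primitive(term, req):
    """Evaluate one primitive call against a request."""
    m = _CALL.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    name, args = m["name"], [a.strip() for a in m["args"].split(",")]
    dst = ipaddress.ip_address(req.dst_ip)
    if name == "CLIENT.IP.DST.IN_SUBNET":
        return dst in ipaddress.ip_network(args[0], strict=False)
    if name == "CLIENT.IP.DST.BETWEEN":
        low, high = (ipaddress.ip_address(a) for a in args)
        return low <= dst <= high  # modelled as inclusive at both ends (assumption)
    if name == "HTTP.REQ.USER.IS_MEMBER_OF":
        return _unquote(args[0]) in req.groups
    if name == "HTTP.REQ.HOSTNAME.CONTAINS":
        return _unquote(args[0]) in req.hostname
    raise ValueError(f"unsupported primitive: {name}")


def evaluate(expr, req):
    """Evaluate a flat '||' / '&&' combination of primitives; && binds tighter than ||."""
    return any(all(eval_primitive(t, req) for t in clause.split("&&"))
               for clause in expr.split("||"))


def allowed_hosts(expr, dst_ips):
    """Return the probe destinations that the expression matches, in input order."""
    return [ip for ip in dst_ips if evaluate(expr, Request(dst_ip=ip))]


if __name__ == "__main__":
    # Constructed probes: one host on 10.3.3.0/24, one elsewhere in 10.3.0.0/16, one outside.
    probes = ["10.3.3.7", "10.3.200.1", "10.4.3.7"]
    print("/16:", allowed_hosts("CLIENT.IP.DST.IN_SUBNET(10.3.0.0/16)", probes))
    print("/24:", allowed_hosts("CLIENT.IP.DST.IN_SUBNET(10.3.3.0/24)", probes))
    combined = ('HTTP.REQ.HOSTNAME.CONTAINS("portal-srv") || '
                'CLIENT.IP.DST.IN_SUBNET(10.102.75.0/25)')
    print("portal by name:", evaluate(combined, Request("192.0.2.9", hostname="portal-srv.example.test")))
    print("upper half of /24:", evaluate(combined, Request("10.102.75.200")))
```

Running the script shows that the /16 expression also admits 10.3.200.1, and that 10.102.75.0/25 stops at 10.102.75.127, so a destination at 10.102.75.200 is only reached through the hostname clause.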
Bind an authorization policy to a user by using the GUI
- Navigate to NetScaler Gateway > User Administration.
- Click AAA Users.
- In the details pane, select a user and then click Edit.
- In Advanced Settings, click Authorization Policies.
- In Policy Binding page, select a policy or create a policy.
- In Priority, set the priority number.
- In Type, select the request type and then click OK.
Bind an authorization policy to a group by using the GUI
- Navigate to NetScaler Gateway > User Administration.
- Click AAA Groups.
- In the details pane, select a group and then click Edit.
- In Advanced Settings, click Authorization Policies.
- In Policy Binding page, select a policy or create a policy.
- In Priority, set the priority number.
- In Type, select the request type and then click OK.
Authorization specifies the network resources to which users have access when they log on to NetScaler Gateway. The default setting for authorization is to deny access to all network resources. Citrix recommends using the default global setting and then creating authorization policies to define the network resources users can access.
You configure authorization on NetScaler Gateway by using an authorization policy and expressions. After you create an authorization policy, you can bind it to the users or groups that you configured on the appliance.
Default global authorization
To define the resources to which users have access on the internal network, you can configure default global authorization. You configure global authorization by allowing or denying access to network resources globally on the internal network.
Any global authorization action you create is applied to all users who do not already have an authorization policy associated with them, either directly or through a group. A user or group authorization policy always overrides the global authorization action. If the default authorization action is set to Deny, you must apply authorization policies for all users or groups to make network resources accessible to those users or groups. This requirement helps to improve security.
To set default global authorization:
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
- In the details pane, under Settings, click Change global settings.
- On the Security tab, next to Default Authorization Action, select Allow or Deny, and then click OK.
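The binding rules spread across this page (lower priority number wins, a policy bound with type REQUEST or no type is consulted only for TCP, UDP_REQUEST bindings do not see DNS, and the default global authorization action applies only when no bound policy matches) interact in ways that are easy to get wrong, the classic symptom being UDP or DNS traffic that is denied even though the allow rule plainly matches the destination. The following is an added example built from the rules stated on this page; it is not Citrix code and does not claim to reproduce the appliance’s internal evaluation order. Assumptions: policy expressions are plain Python predicates rather than NetScaler expressions, and bindings with equal priority numbers are ordered user, group, virtual server, global. The `Flow` and `Binding` classes, the policy names and the networks are constructed for the example.

```python
"""Model of how bound authorization policies resolve to an ALLOW or DENY decision.

Added example derived from the rules on this page; not Citrix code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Traffic a binding of each type is consulted for, per the page: REQUEST (or no
# type) only sees TCP, UDP_REQUEST does not see DNS, DNS over TCP is ordinary TCP.
APPLIES_TO = {
    "REQUEST": {"TCP", "TCP_DNS"},
    "UDP_REQUEST": {"UDP"},
    "ICMP_REQUEST": {"ICMP"},
    "DNS_REQUEST": {"DNS"},
}
# Tie-break between equal priority numbers (assumption, not stated on the page).
SCOPE_RANK = {"user": 0, "group": 1, "vserver": 2, "global": 3}


@dataclass(frozen=True)
class Flow:
    proto: str        # TCP, UDP, ICMP, DNS (over UDP) or TCP_DNS
    dst_ip: str


@dataclass(frozen=True)
class Binding:
    policy: str
    action: str                      # ALLOW or DENY
    rule: Callable[[Flow], bool]     # stands in for the policy expression
    priority: int                    # lower number = higher precedence
    scope: str                       # user, group, vserver or global
    bind_type: str = "REQUEST"       # the Type field in the GUI; REQUEST when omitted


def dst_in(cidr):
    """Predicate equivalent to CLIENT.IP.DST.IN_SUBNET(cidr)."""
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f.dst_ip) in net


def authorize(flow: Flow, bindings: List[Binding],
              default_action: str = "DENY") -> Tuple[str, Optional[str]]:
    """Return (action, matching policy name or None) for one flow.

    Only bindings whose type covers the flow's traffic are consulted; the first
    matching rule in priority order decides. If nothing matches, the default
    global authorization action applies (DENY unless changed in Global Settings).
    """
    eligible = [b for b in bindings if flow.proto in APPLIES_TO[b.bind_type]]
    for b in sorted(eligible, key=lambda b: (b.priority, SCOPE_RANK[b.scope])):
        if b.rule(flow):
            return b.action, b.policy
    return default_action, None


# Constructed bindings: a global DENY with a higher-precedence (lower) priority
# number than the group ALLOW, both bound with the default type, i.e. TCP only.
TCP_ONLY = [
    Binding("deny_finance_net", "DENY", dst_in("10.3.9.0/24"), priority=1, scope="global"),
    Binding("allow_corp_net", "ALLOW", dst_in("10.3.0.0/16"), priority=10, scope="group"),
]
# The same policies additionally bound at UDP_REQUEST and DNS_REQUEST, as the page requires.
ALL_TRAFFIC = TCP_ONLY + [
    Binding(b.policy, b.action, b.rule, b.priority, b.scope, t)
    for b in TCP_ONLY for t in ("UDP_REQUEST", "DNS_REQUEST")
]


if __name__ == "__main__":
    for label, bindings in (("TCP-only bindings", TCP_ONLY), ("all traffic types", ALL_TRAFFIC)):
        print(label)
        for flow in (Flow("TCP", "10.3.3.7"), Flow("TCP", "10.3.9.5"),
                     Flow("UDP", "10.3.3.7"), Flow("DNS", "10.3.3.7"), Flow("TCP", "10.200.1.1")):
            print(f"  {flow.proto:7} {flow.dst_ip:12} -> {authorize(flow, bindings)}")
```

With only the TCP-type bindings in place, the UDP flow to 10.3.3.7 is denied with no policy matched, because the REQUEST binding is never consulted for UDP and the default action takes over; the same flow is allowed once the policy is also bound at UDP_REQUEST. The global DENY with priority 1 wins over the group ALLOW with priority 10 for 10.3.9.5, which is the precedence behaviour described above. On the appliance, to my understanding, the Type field corresponds to the `-type` argument of `bind aaa user` and `bind aaa group`, and the default action to `set aaa parameter -defaultAuthorizationAction`; confirm against the `show` output of your build before relying on it.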