ADC

Use Case: Filtering clients by using an IP blacklist

HTTP callouts can be used to block requests from clients that are blacklisted by the administrator. The list of clients can be a publicly known blacklist, a blacklist that you maintain for you organization, or a combination of both.

The Citrix ADC appliance checks the IP address of the client against the pre-configured blacklist and blocks the transaction if the IP address has been blacklisted. If the IP address is not in the list, the appliance processes the transaction.

To implement this configuration, you must perform the following tasks:

  1. Enable responder on the Citrix ADC appliance.
  2. Create an HTTP callout on the Citrix ADC appliance and configure it with details about the external server and other required parameters.
  3. Configure a responder policy to analyze the response to the HTTP callout, and then bind the policy globally.
  4. Create an HTTP callout agent on the remote server.

Enabling responder

You must enable responder before you can use it.

To enable responder by using the GUI

  1. Make sure that you have installed the responder license.
  2. In the configuration utility, expand AppExpert, and right-click Responder, and then click Enable Responder feature.

Creating an HTTP callout on the Citrix ADC appliance

Create an HTTP callout, HTTP_Callout, with the parameter settings shown in the following table. For more information about creating an HTTP callout, see Configuring an HTTP Callout pdf.

Configuring a responder policy and binding it globally

After you configure the HTTP callout, verify the callout configuration, and then configure a responder policy to invoke the callout. While you can create a responder policy in the Policies sub-node and then bind it globally by using the Responder Policy Manager, this demonstration uses the Responder Policy Manager to create the responder policy and bind the policy globally.

To create a responder policy and bind it globally by usin

  1. Navigate to AppExpert > Responder.
  2. In the details pane, under Policy Manager, click Policy Manager.
  3. In the Responder Policy Manager dialog box, click Override Global.
  4. Click Insert Policy, and then, under Policy Name, click New Policy.
  5. In the Create Responder Policy dialog box, do the following:

    1. In Name, type PolicyResponder1.
    2. In Action, select RESET.
    3. In Undefined-Result Action, select Global undefined-result action.
    4. In Expression, type the following default syntax expression:

      "HTTP.REQ.HEADER("Request").EQ("Callout Request").NOT && SYS.HTTP_CALLOUT(HTTP_Callout).CONTAINS("IP Matched")"
    5. Click Create, and then click Close.
  6. Click Apply Changes, and then click Close.

Creating an HTTP callout agent on the remote server

You must now create an HTTP callout agent on the remote callout server that will receive callout requests from the Citrix ADC appliance and respond appropriately. The HTTP callout agent is a script that is different for each deployment and must be written with the server specifications in mind, such as the type of database and the scripting language supported.

Following is a sample callout agent that verifies whether the given IP address is part of an IP blacklist. The agent has been written in the Perl scripting language and uses a MYSQL database.

The following CGI script checks for a given IP address on the callout server.

#!/usr/bin/perl -w print "Content-type: text/html\n\n"; use DBI(); use CGI qw(:standard); #Take the Client IP address from the request query my $ip_to_check = param('cip'); # Where a MYSQL database is running my $dsn = 'DBI:mysql:BAD_CLIENT:localhost'; # Database username to connect with my $db_user_name = ‘dbuser’; # Database password to connect with my $db_password = 'dbpassword'; my ($id, $password); # Connecting to the database my $dbh = DBI->connect($dsn, $db_user_name, $db_password); my $sth = $dbh->prepare(qq{ select * from bad_clnt }); $sth->execute(); while (my ($ip_in_database) = $sth->fetchrow_array()) { chomp($ip_in_database); # Check for IP match if ($ip_in_database eq $ip_to_check) { print "\n IP Matched\n"; $sth->finish(); exit; } } print "\n IP Failed\n"; $sth->finish(); exit;
Use Case: Filtering clients by using an IP blacklist