Responder policies

Responder policies allow a Citrix ADC/NetScaler to respond to a client request without querying the physical server.

The responder actions

Responder policies may use the following types of actions:

  • NOOP: Don’t do anything (let the request pass through).
  • DROP: Drop the request silently (don’t send a TCP ACK, the browser will see a time-out).
  • RESET: Reset the connection (send a TCP reset).
  • Respond with some text.
  • Respond with HTML page responds with a pre-configured HTML page.
  • Redirect to somewhere.
  • Reply with a SQL OK to a database query.
  • Reply with a SQL Error to a database query.

While NOOP, RESET and DROP are non-configurable built in ones, all the rest has to be configured. We will focus on “respond with”, “respond with HTML” and “redirect”.

Respond with

Go to AppExpert → Responder → Actions. Click Add.

A NetScaler responder action: respond with text

A respond with action may be as simple as some text, or a complete HTML-page. The Citrix ADC/NetScaler policy engine allows adding variables into the response. In my example, I added the IP address of the client, together with the URL the user wanted to connect too.

"Leave me alone! A client with " + CLIENT.IP.SRC + " must not access " + HTTP.REQ.HOSTNAME + HTTP.REQ.URL

The policy:

Go to AppExpert → Responder → Policies. Click Add.

I will create a simple policy to test this action:

A sample Citrix ADC/NetScaler responder policy, denying access for a subnet

Every policy needs to get a name. You have to select the action and type in the expression. My expression is CLIENT.IP.SRC.IN_SUBNET(192.168.229.0/24), so all IPs from 192.168.229.1 to 192.168.229.254.

Binding the policy

NetScaler: Binding a responder Policy

NetScaler: Binding a policy using policy manager

Click Policy Manager, then select Load Balancing Virtual Server, select HTTP as a protocol (as our server is using HTTP) and lb_vs_colors as the vServer, created during our load-balancing lab. Click Continue.

NetScaler: Binding a Policy

Testing the policy

Click the little arrow, select the policy created before, leave the priority to 100, the GoTo Expression to END and press Bind and Done.

Let’s surf to our load-balancing vServer. It should show the following error message:

A modification: Block just /red.htm

Our policy now blocks all the website for our local network. Let’s change it, so we may surf through all the page, but deny red.

I have to change the policy expression and add && HTTP.REQ.URL.EQ("/red.htm)

  • && is a logical AND
  • || is a logical OR
  • ! is a NOT

The result is as expected: All URLs work fine, just /red.htm gets blocked.


Respond with and HTML code

We could, of course, modify our policy expression, so it returns a real HTML page. To do so, we have to set HTML status-code and headers correctly.

The policy expression would look like that:

"HTTP/1.1 403 Forbidden\r\n\r\n<html><head><title>Forbidden</title></head><body><h1>Forbidden!</h1><p>Leave me alone! A client with " + CLIENT.IP.SRC + " must not access " + HTTP.REQ.HOSTNAME + HTTP.REQ.URL + "</p></body></html>"

The first part (HTTP/1.1 403 Forbidden) is the HTTP status. 402 is Payment Required, 403 forbidden, 404 not found, 418 I’m a teapot (see RFC 2324). You may find all standard HTML status codes, including links to corresponding RFCs, at Wikipedia.

The second part is the HTML code itself. I still left my NetScaler variables in it.

You can see it easily: It’s a “real” 403, an “original” HTML response, any web-server would have done the same.


Respond with HTML

The method presented before is not a perfect one, as it is quite limited in the size of an HTML response. In addition, it is not very handy. Respond with HTML is more powerful.

First, we have to create an HTML page. This page may get downloaded from a web-server, uploaded from a file or get edited in a text file.

The HTML page

Go to AppExpert → Responder → HTML Page Imports. Click Add.

NetScaler reply with 404 page

the name of the page should be pg_404, the URL any URL that does not exist on the server, so the server will reply with a 404 page.

NetScaler: The original 404 page of Wonderkitchen.tk

You see the web-page downloaded, click OK.

The action

Go to AppExpert → Responder → Actions. Click Add.

NetScaler responder action: Reply with 404

Select the right HTML page and a proper status code. A reason phrase is not needed, so leave it blanc.

Let’s update the policy we created before, so it’s using this action.

NetScaler responding with a 404

This page would probably need some tweaking (let’s remove /error), but it looks exactly like the original 404 page from the server.


Don’t forget to unbind responder policies prior to continuing!





Leave a Comment

Your email address will not be published.