Aug 10, 2020

I recently tried to figure out how to block non-USA countries from accessing the NetScaler Gateway page on my ADC. I tried to follow some old documentation. This Citrix article, this one, this one, etc., all contain old, outdated information, so I put together this quick post on how I got it done.

First, I had to sign up for a MaxMind account. I used this link to sign up for GeoLite2.

Then, I downloaded the database file in CSV format.

Next, I downloaded the conversion script from GitHub here. I have added this file to my website just in case that GitHub repo disappears on us. Download it here if the previous link doesn't work.

SSH into your ADC and drop to the shell, then create a directory for the database files:

# mkdir /var/geoip

Unzip the files. I then used WinSCP to copy all of them up to the ADC into /var/geoip.

Go back to the SSH shell and make the script executable (substitute the filename of the script you downloaded for the placeholder):
# chmod +x /var/geoip/<conversion-script>.pl

Then convert the files. I'm from the USA, so I used the -en locations file. The same placeholder stands for the script name here:

# perl /var/geoip/<conversion-script>.pl -b GeoLite2-Country-Blocks-IPv4.csv -i GeoLite2-Country-Blocks-IPv6.csv -l GeoLite2-Country-Locations-en.csv

This spits out two .gz files. Unzip them to .csv files:
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv4.csv.gz
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv6.csv.gz

Exit the shell and go back to the NetScaler CLI. Notice I'm not using -format GeoIP-Country, because the script has already converted the file to the ADC's native location-file format:

> add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv

Then check it and make sure there are no errors:

> show locationparameter

Lines: 307344 Warnings: 0 Errors: 0

Next, create a responder policy that drops any request whose source IP does not map to the US, and allow wildcard location fields to match any value. In my example I'm just matching .US.

> add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP
> set locationParameter -matchWildcardtoany YES

Lastly, bind it to your vServer. My example is for a Citrix Gateway vServer:

> bind vpn vserver LAB_AG -policy Drop_non_US -priority 100 -gotoPriorityExpression END -type REQUEST
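To make the country decision the responder policy is doing concrete, here is an added Python example (not the page's conversion script and not Citrix's code) that reads the two GeoLite2-Country CSV files the post downloads, resolves a client IP to a country code, and applies the same "drop unless US" rule. The CSV rows are constructed samples using RFC 5737 documentation networks, not real MaxMind data; the fallback from an empty geoname_id to registered_country_geoname_id and the unknown_allowed flag are assumptions made here to show the two edge cases a practitioner should think about: a block whose row only carries a registered country, and a client address that no block covers at all (with the post's -matchWildcardtoany YES, wildcard location fields match the expression, so such traffic is not dropped; unknown_allowed=True is the analogue of that fail-open behaviour).

```python
import csv
import io
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample rows in the GeoLite2-Country CSV layout (not real MaxMind data;
# the networks are RFC 5737 documentation ranges).
BLOCKS_IPV4_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
198.51.100.0/24,6252001,6252001,,0,0
203.0.113.0/24,1861060,1861060,,0,0
192.0.2.0/25,2635167,2635167,,0,0
192.0.2.128/25,,6252001,,0,0
"""

LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,North America,US,United States,0
1861060,en,AS,Asia,JP,Japan,0
2635167,en,EU,Europe,GB,United Kingdom,0
"""

# Constructed client addresses as they might appear in Gateway access logs.
SAMPLE_CLIENTS = ["198.51.100.7", "203.0.113.9", "192.0.2.1", "192.0.2.200", "10.0.0.5"]


def load_locations(text: str) -> Dict[str, Tuple[str, str]]:
    """Map geoname_id -> (continent_code, country_iso_code) from the locations CSV."""
    return {
        row["geoname_id"]: (row["continent_code"], row["country_iso_code"])
        for row in csv.DictReader(io.StringIO(text))
    }


def load_blocks(text: str) -> list:
    """Parse the blocks CSV into (network, geoname_id) pairs.

    Assumption: a block with an empty geoname_id falls back to its
    registered_country_geoname_id; rows with neither are skipped.
    """
    nets = []
    for row in csv.DictReader(io.StringIO(text)):
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        if gid:
            nets.append((ipaddress.ip_network(row["network"]), gid))
    # Most specific prefix first, so the longest match wins if ranges ever overlap.
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def lookup_country(ip: str, nets: list, locs: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Return the ISO country code for ip, or None when no block covers it."""
    addr = ipaddress.ip_address(ip)
    for net, gid in nets:
        if addr in net:
            return locs.get(gid, (None, None))[1]
    return None


def decide(ip: str, nets: list, locs: dict, allowed_country: str = "US",
           unknown_allowed: bool = True) -> str:
    """Mirror the page's responder policy: DROP unless the client's country is allowed.

    unknown_allowed models the fail-open / fail-closed choice for addresses that are
    absent from the database; True corresponds to the lenient wildcard matching the
    post enables with -matchWildcardtoany YES.
    """
    country = lookup_country(ip, nets, locs)
    if country is None:
        return "ALLOW" if unknown_allowed else "DROP"
    return "ALLOW" if country == allowed_country else "DROP"


def classify(clients, nets=None, locs=None, **policy) -> Dict[str, str]:
    """Evaluate the policy for each client IP; defaults to the constructed sample data."""
    nets = nets if nets is not None else load_blocks(BLOCKS_IPV4_CSV)
    locs = locs if locs is not None else load_locations(LOCATIONS_CSV)
    return {ip: decide(ip, nets, locs, **policy) for ip in clients}


if __name__ == "__main__":
    for client, verdict in classify(SAMPLE_CLIENTS).items():
        print(f"{client:15} {verdict}")
```

Running the block with the sample data allows the two US-mapped addresses, drops the Japanese and British ones, and allows 10.0.0.5 because nothing covers it; call classify(..., unknown_allowed=False) to see the fail-closed alternative, which is the behaviour to expect if you leave wildcard matching off on the ADC.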