I recently tried to figure out how to block non-USA countries from accessing my NetScaler Gateway page on my ADC. I tried to follow some old documentation. This Citrix article, this, this, etc., all have old, outdated information. I will put together this quick post on how I got this accomplished.
First, I had to sign up for a Maxmind account. I used this link to sign up for Geolite2.
Then, I downloaded the database file in CSV format.
Next, I downloaded the Convert_GeoIPDB_To_Netscaler_Format.pl script from GitHub here. I have added this file to my website just in case that GitHub repo disappears on us. Download here if previous link doesn’t work.
SSH into your ADC and go to shell:
# mkdir /var/geoip
Unzip the files. I then used WinSCP to copy all of them up to the ADC into /var/geoip.
Go back to the SSH shell:
# chmod +x Convert_GeoIPDB_To_Netscaler_Format_WithContinent.pl
Then convert the files. I'm from the USA, so I used the English (-en) locations file.
# perl Convert_GeoIPDB_To_Netscaler_Format_WithContinent.pl -b GeoLite2-Country-Blocks-IPv4.csv -i GeoLite2-Country-Blocks-IPv6.csv -l GeoLite2-Country-Locations-en.csv
This spits out two .gz files. Unzip them to .csv files:
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv4.csv.gz
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv6.csv.gz
Exit the shell and go back to the NSShell (notice I'm not using -format GeoIP-Country):
> add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv
Then check it and make sure there are no errors:
> show locationparameter
Lines: 307344 Warnings: 0 Errors: 0
Next, create a responder policy. In my example I'm just matching on the .US country qualifier:
> add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP
> set locationParameter -matchWildcardtoany YES
Lastly, bind it to your vServer. My example is for a Citrix Gateway vServer:
> bind vpn vserver LAB_AG -policy Drop_non_US -priority 100 -gotoPriorityExpression END -type REQUEST
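To sanity-check the conversion and the policy expression before binding a DROP policy, here is an added Python example (not the Perl script from the post, and not Citrix code) that turns a few constructed GeoLite2-Country CSV rows into location-file lines and emulates the MATCHES_LOCATION("*.US.*.*.*.*") test with -matchWildcardtoany YES. The eight-column location-file layout and the wildcard semantics are assumptions based on the Citrix static-database format; verify them against your own converted file.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the GeoLite2-Country CSV layouts (not real MaxMind data).
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,North America,US,United States,0
2635167,en,EU,Europe,GB,United Kingdom,0
"""
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
203.0.113.0/24,6252001,6252001,,0,0
198.51.100.0/25,2635167,2635167,,0,0
192.0.2.0/24,,6252001,,0,0
"""

def load_locations(text):
    """Map geoname_id -> (continent_code, country_iso_code) from the -en locations file."""
    return {r["geoname_id"]: (r["continent_code"], r["country_iso_code"])
            for r in csv.DictReader(io.StringIO(text))}

def convert(blocks_text, locations):
    """Return NetScaler location lines: start,end,continent,country,region,city,isp,org.
    The column layout is assumed here; the Country database carries no region or
    finer data, so those qualifiers are written as '*'."""
    out = []
    for r in csv.DictReader(io.StringIO(blocks_text)):
        # Blank geoname_id happens in real exports; fall back to the registered country.
        gid = r["geoname_id"] or r["registered_country_geoname_id"]
        if gid not in locations:
            continue
        net = ipaddress.ip_network(r["network"])
        cont, ctry = locations[gid]
        out.append(f"{net[0]},{net[-1]},{cont},{ctry},*,*,*,*")
    return out

def matches_location(ip, pattern, rows):
    """Emulate CLIENT.IP.SRC.MATCHES_LOCATION("cont.country.region.city.isp.org")
    with -matchWildcardtoany YES: a '*' on either side matches. An address with
    no record returns False here; check how the ADC evaluates such addresses."""
    addr = ipaddress.ip_address(ip)
    for line in rows:
        start, end, *quals = line.split(",")
        if ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end):
            return all(p == "*" or q == "*" or p == q
                       for p, q in zip(pattern.split("."), quals))
    return False

if __name__ == "__main__":
    rows = convert(BLOCKS_CSV, load_locations(LOCATIONS_CSV))
    print("\n".join(rows), matches_location("203.0.113.7", "*.US.*.*.*.*", rows))
```

The policy in the post DROPs whenever this check is False, so run your own public address through it (or the real converted file) before binding the policy to a production vServer.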