I recently tried to figure out how to block clients outside the USA from reaching the NetScaler Gateway logon page on my ADC. I tried to follow some old documentation. This Citrix article, this one, this one, etc. all have outdated information, so I put together this quick post on how I got it working.
First, I had to sign up for a MaxMind account. I used this link to sign up for GeoLite2.
Then, I downloaded the GeoLite2 Country database in CSV format.
Next, I downloaded the Convert_GeoIPDB_To_Netscaler_Format.pl script from GitHub here. I have added a copy to my website in case that GitHub repo disappears on us: download here if the previous link doesn't work.
SSH into your ADC, drop to the shell and create a working directory:
# mkdir /var/geoip
Unzip the downloaded files. I then used WinSCP to copy all of them up to the ADC into /var/geoip.
Back in the SSH shell, make the script executable:
# chmod +x Convert_GeoIPDB_To_Netscaler_Format_WithContinent.pl
Then convert the files. I used the English (-en) locations file:
# perl Convert_GeoIPDB_To_Netscaler_Format_WithContinent.pl -b GeoLite2-Country-Blocks-IPv4.csv -i GeoLite2-Country-Blocks-IPv6.csv -l GeoLite2-Country-Locations-en.csv
This produces two .gz files. Unzip them to .csv files:
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv4.csv.gz
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv6.csv.gz
Exit the shell and go back to the NetScaler CLI. Notice that I'm not using the -format GeoIP-Country option from the older articles: the script has already written the data in the ADC's native location file format, so the file is added as-is. Only the IPv4 file is loaded here; if your Gateway vServer also has an IPv6 VIP, load the IPv6 file with add locationfile6 as well, otherwise IPv6 clients have no location to match.
> add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv
Then check that the file loaded cleanly and that there are no errors (Lines should be roughly the number of lines in the CSV):
> show locationparameter
Lines: 307344 Warnings: 0 Errors: 0
Next, create a responder policy. In my example the only allowed country is US: the location pattern has six qualifiers (continent.country.region.city.isp.organization), the expression matches clients whose country qualifier is US, and .NOT inverts it so everyone else is dropped. The country file only populates the continent and country qualifiers and leaves the rest as *, so wildcards must be allowed to match any value.
> add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP
> set locationParameter -matchWildcardtoany YES
Lastly, bind it to your vServer. My example is for a Citrix Gateway vServer:
> bind vpn vserver LAB_AG -policy Drop_non_US -priority 100 -gotoPriorityExpression END -type REQUEST
Before relying on it, test from an external address in a country you expect to be dropped and from one you expect to be allowed (a VPN exit works for this), and test from an address that has no entry in the file so you know whether such clients end up allowed or dropped. Keep in mind that geo-blocking is a coarse filter: the database is only as current as your last download, so refresh it on a schedule, and anyone with a US VPN exit walks straight past it. It reduces noise on the logon page; it is not an authentication control.
I tried add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv but it did not work. I tried add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv.gz and that worked.
Do we have to unzip first? Because show locationparameter shows only one line.
We have to extract the gz file, and also the line add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP forgets the " at the end. After that all works. Thank you, sir.
Good catch, thank you. I have updated the post to make sure you unzip the files. I also added the ” on the end.
The " should be placed after .NOT"
And I can confirm that it works. I did a test from a VPN that I have in Europe and the IP was blocked. But also in Canada, where I live, so I have to fine-tune the geoip file. But it works, thanks.
My mistake: add Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.CA.*.*.*.*\").NOT" DROP
I failed... LOL. Fixed. Thanks!