Citrix SSL Forward proxy’s Default authorization is to ALLOW ANY instead of DENY ANY

As per current design the DEFAULT Authorization of Citrix SSL Forward proxy is ALLOW ANY instead of DENY ANY. Hence, filed an Enhancement request with Citrix Development team.

While Citrix Development team is working on an enhancement request to make the DEFAULT Authorization as DENY ANY, We have a workaround as shown in the below configuration snippet to achieve the same requirement (i.e Default DENY ANY)

Sample Configuration Snippet:

———————————————-

The below configuration will take care of all requests that come in with a port value in the URL or HOST Header and Deny the access if the destination ports are not with :443 or :80

NOTE: Like port :443 or :80 mentioned in the below patset, You can also add the “ : <port number>“ in patset which is required to be allowed via Citrix ADC Proxy.

> add patset allowed_ports

> bind policy patset allowed_ports “:443”

> bind policy patset allowed_ports “:80”

>add responder policy web only ‘(HTTP.REQ.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.HOSTNAME.PORT.EQUALS_ANY(“allowed_ports”).NOT) || (HTTP.REQ.URL.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.URL.HOSTNAME.PORT.EQUALS_ANY(“allowed_ports”).NOT)’ RESET

> bind cs vs SSL-FORWARDPROXY Vserver -policyname web_only -priority 10

Related:

  • No Related Posts

Leave a Reply