While the Citrix development team works on an enhancement request to make the default authorization DENY ANY, the configuration snippet below is a workaround that achieves the same requirement (i.e., default DENY ANY).
Sample Configuration Snippet:
The configuration below handles all requests that arrive with a port value in the URL or Host header, and denies access if the destination port is not :443 or :80.
NOTE: Like the :443 and :80 entries in the patset below, you can add ":<port number>" to the patset for any other port that must be allowed through the Citrix ADC proxy.
> add patset allowed_ports
> bind policy patset allowed_ports ":443"
> bind policy patset allowed_ports ":80"
> add responder policy web_only '(HTTP.REQ.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT) || (HTTP.REQ.URL.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.URL.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT)' RESET
> bind cs vs SSL-FORWARDPROXY Vserver -policyname web_only -priority 10
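The decision logic of the responder policy above, modelled in Python as an added example (not Citrix code). It assumes the port is compared as text including the leading colon, as the patset entries imply; the helper names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_PORTS = {":443", ":80"}  # mirrors the allowed_ports patset on the page

def port_text(authority: str) -> str:
    """Return the ':<port>' suffix of a host[:port] string, or '' if absent.
    Assumption: the policy sees the port as text that includes the colon."""
    m = re.search(r"(:\d*)$", authority.strip())
    return m.group(1) if m else ""

def url_authority(target: str) -> str:
    """Authority of an absolute-form request target; '' for origin-form."""
    return urlsplit(target).netloc if "://" in target else ""

def blocked(port: str) -> bool:
    # LENGTH.GT(1) && EQUALS_ANY("allowed_ports").NOT
    return len(port) > 1 and port not in ALLOWED_PORTS

def policy_action(host_header: str, target: str) -> str:
    """'RESET' when the Host header or the URL carries a non-allowed port.
    'NO_MATCH' means this policy did not fire, not that access was granted."""
    host_port = port_text(host_header)
    url_port = port_text(url_authority(target))
    return "RESET" if blocked(host_port) or blocked(url_port) else "NO_MATCH"

# Constructed sample requests: (Host header, request target)
SAMPLES = [
    ("example.com", "/index.html"),                    # no explicit port
    ("example.com:443", "https://example.com:443/"),   # allowed port in both
    ("example.com:8443", "/"),                         # Host header port not allowed
    ("example.com", "http://example.com:8080/admin"),  # URL port not allowed
    ("example.com:4430", "/"),                         # exact match only: :4430 != :443
    ("[2001:db8::1]:22", "/"),                         # IPv6 literal with port
]

if __name__ == "__main__":
    for host, target in SAMPLES:
        print(f"{policy_action(host, target):8}  Host: {host:20} target: {target}")
```

Requests that carry no explicit port in either place are not matched by this policy, so they are handled by whatever policy or default applies next.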
In accordance with the license server certificate renewal, a new build of Citrix ADC* VPX (CSP) has been released.
This build, 12.1-55.237, is based on the existing 12.1-55.18. Only the license communication part is updated; other features are unchanged.
*) Formerly NetScaler
Citrix ADC VPX 10 – Standard Edition for Service Providers
Citrix ADC VPX 50 – Standard Edition for Service Providers
Citrix ADC VPX 200 – Standard Edition for Service Providers
Citrix ADC VPX 1000 – Standard Edition for Service Providers
Citrix ADC VPX 3000 – Standard Edition for Service Providers
To resolve this issue, apply either or both of the following resolutions, as required:
Allocate or reallocate the correct license with the correct Host ID/HostName to the NetScaler appliance. For assistance in allocating the proper license, see CTX122426 – Citrix NetScaler VPX and CloudBridge VPX Licensing Guide and CTX121062 – How to License NetScaler Appliances Using Manage Licenses Tool.
Note: Perform a complete reboot instead of just a warm reboot of the appliance.
Verify whether the installed license is compatible with the NetScaler version. If not, install the correct license on the appliance.
After applying the required resolution, the additional ciphers are available and you can add a certificate that has a key size greater than 512 bits. The NetScaler appliance supports certificates with key size 512, 1024, 2048, and 4096 bits.