in NetScaler

How to get a Forward Proxy virtualserver to respond back with a “blocked site” + upstream logging to syslog server.

SSL / TLS inspection should be implemented every where. for a long time we have been used to only allowing specific users access specific things in the DMZ. the “allow any any” rule should removed. But users accessing the internet can access everything – why? because it hasnt been much of a focus, but it should be.

Citrix ADC has that capability build into the Premium edition, which runs on your cloud/hypervisor/hardware of choice, depending on your requirements.

This does require a little workaround since you cant directly use a responder policy in a forward proxy virtual server.
To get the right UX for the user, you have to create a rewrite that points to a dummy lb (or a 3rd party server) and responds with a meaningful message.
In my example I have added logging to a 3rd party syslog server for every request thats blocked.

I am blocking the website vejr.tv2.dk and redirecting that to http://badsite.local with some parameteres i use for logging.

pre reqs:
Create a ssl profile with the CA cert + key used for the inspection.

forward proxy conf:

Dummy lb (bind it to a service thats up):

The binding of the syslog policy is there, according to nitro.log:
May 2 08:19:25 vpx httpd: [75335] Netscaler_ip 172.16.1.200 – User #TOKENUSER# – Remote_ip 192.168.10.20 – Method POST – Command { “params”: { “warning”: “YES” } }{ “lbvserver_auditsyslogpolicy_binding”: { “name”: “lbvs_badsite”, “policyname”: “syslog_blocked”, “priority”: “100” } } – Status “Success”
but nothing in sh run. a support case has been created. since it dissapears after a reboot

What do you think?

Comment