After upgrading NetScaler to 10.5-56.22, users using SSL VPN with ICA proxy enabled start getting "Error: Not a privileged user" after authentication.
When the session policy does not use the SSL VPN + ICA Proxy options, it works fine.
Destination IP based authorization policies do not work as expected in ICA Proxy mode. Users see authorization failures despite having an authorization policy that allows traffic destined to the StoreFront server's IP address. As a workaround, a Host header based authorization policy or user membership based policies can be used.
A fix for this issue is available in 10.5-61+ and 11.0-65+ builds.
In ns.log we see the errors below:
===
Dec 1 21:00:43 <local0.warn> 127.0.0.2 12/01/2015:15:30:43 GMT citrix-vpx 0-PPE-0 : default SSLVPN Message 50262 0 : "User citrix is not authorized to access /citrix/citrix-storeweb"
Dec 1 21:00:43 <local0.info> 127.0.0.2 12/01/2015:15:30:43 GMT citrix-vpx 0-PPE-0 : default SSLVPN Message 50263 0 : "AAA Client Handler: Found extended error code 589826, ReqType 16386 request /citrix/citrix-storeweb, cookie hdr NSC_AAAC=701ac63308082e03a07804ae896c027900960092745525d5f4f58455e445a4a42"
===
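To spot this condition in bulk after an upgrade rather than by reading ns.log by hand, the following added example (not Citrix's code and not part of this article) parses SSLVPN message 50262 (authorization denied) and 50263 (AAA extended error) lines, counts denials per user and path, and masks the NSC_AAAC session cookie before the line is kept anywhere. The sample input is constructed: its first two lines are the log entries quoted above, the third is an invented line for a second user so the per-user count has more than one key; the field layout of the regular expressions is derived only from those quoted lines.

```python
import re
from collections import Counter

# Constructed sample input: the first two lines are the ns.log entries quoted in the
# article; the third is an added, invented line for a second user.
SAMPLE_NS_LOG = """\
Dec 1 21:00:43 <local0.warn> 127.0.0.2 12/01/2015:15:30:43 GMT citrix-vpx 0-PPE-0 : default SSLVPN Message 50262 0 : "User citrix is not authorized to access /citrix/citrix-storeweb"
Dec 1 21:00:43 <local0.info> 127.0.0.2 12/01/2015:15:30:43 GMT citrix-vpx 0-PPE-0 : default SSLVPN Message 50263 0 : "AAA Client Handler: Found extended error code 589826, ReqType 16386 request /citrix/citrix-storeweb, cookie hdr NSC_AAAC=701ac63308082e03a07804ae896c027900960092745525d5f4f58455e445a4a42"
Dec 1 21:02:10 <local0.warn> 127.0.0.2 12/01/2015:15:32:10 GMT citrix-vpx 0-PPE-0 : default SSLVPN Message 50262 0 : "User alice is not authorized to access /citrix/citrix-storeweb"
"""

# Message IDs as they appear in the log lines on the page: 50262 is the authorization
# denial, 50263 the AAA client handler's extended error that accompanies it.
AUTHZ_DENIED = "50262"
AUTHZ_EXT_ERROR = "50263"

# Field layout inferred from the quoted lines (an assumption, not a documented format).
LINE_RE = re.compile(
    r'^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) <(?P<facility>[^>]+)> (?P<src>\S+) '
    r'(?P<ns_ts>\S+ GMT) (?P<host>\S+) (?P<ppe>\S+) : (?P<partition>\S+) '
    r'(?P<module>\S+) Message (?P<msgid>\d+) \d+ : "(?P<body>.*)"$'
)
DENIED_RE = re.compile(r'^User (?P<user>\S+) is not authorized to access (?P<path>\S+)$')
EXT_ERR_RE = re.compile(
    r'extended error code (?P<code>\d+), ReqType (?P<reqtype>\d+) '
    r'request (?P<path>\S+), cookie hdr NSC_AAAC=\S+$'
)
COOKIE_RE = re.compile(r'(NSC_AAAC=)\S+')


def redact_cookie(text):
    """Mask the NSC_AAAC session cookie value; it is a bearer credential for the session."""
    return COOKIE_RE.sub(r'\1<redacted>', text)


def parse_line(line):
    """Split one ns.log line into its fields, or return None for lines in another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def authorization_failures(log_text):
    """Return one dict per SSLVPN authorization failure (message 50262/50263) in the log."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["module"] != "SSLVPN":
            continue
        if rec["msgid"] == AUTHZ_DENIED:
            d = DENIED_RE.match(rec["body"])
            if d:
                events.append({"msgid": AUTHZ_DENIED, "ns_ts": rec["ns_ts"],
                               "user": d["user"], "path": d["path"]})
        elif rec["msgid"] == AUTHZ_EXT_ERROR:
            e = EXT_ERR_RE.search(rec["body"])
            if e:
                events.append({"msgid": AUTHZ_EXT_ERROR, "ns_ts": rec["ns_ts"],
                               "path": e["path"], "ext_code": int(e["code"]),
                               "req_type": int(e["reqtype"]),
                               "raw": redact_cookie(rec["body"])})
    return events


def denied_per_user_path(log_text):
    """Count 50262 denials per (user, path): a sudden rise for the StoreFront path after
    an upgrade is the signature of the behaviour described in this article."""
    return Counter((ev["user"], ev["path"]) for ev in authorization_failures(log_text)
                   if ev["msgid"] == AUTHZ_DENIED)


if __name__ == "__main__":
    for ev in authorization_failures(SAMPLE_NS_LOG):
        print(ev)
    print(denied_per_user_path(SAMPLE_NS_LOG))
```

Feed it a real ns.log and compare the per-user counts before and after the firmware change; denials concentrated on the StoreFront path for users whose destination-IP policy should have allowed them point at this issue rather than at a policy typo. The cookie is redacted because 50263 lines carry the full NSC_AAAC value, and a log pipeline that forwards that field in clear leaks a live session token.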
If ICA Proxy mode is turned off, the same authorization rule passes:
===
"set vpn sessionAction SF-Prof -winsIP 0.0.0.0 -sessTimeout 2 -splitTunnel ON -defaultAuthorizationAction ALLOW -wihome "http://ip-address/citrix/citrix-storeweb" -wihomeAddressType IPV4 -ntDomain rajat -iconWithReceiver ON" - Status "Success"
===
This is a code related issue in the 10.5 and 11.0 builds, wherein the logic for how the destination IP is evaluated has changed from the 10.1 release.
In the working scenario on the 10.1 build, the destination IP is evaluated against the IP provided in the Web Interface/StoreFront -wihome option, whereas in 10.5 the destination IP is always matched against the NetScaler Gateway vserver IP. So in the 10.1 code the destination IP is updated from the server-side PCB (SNIP/MIP to the WI/SF IP address), whereas in the 10.5 code the destination IP is updated from the client-side PCB (client to the Access Gateway vserver IP), which is why a policy written for the StoreFront address never matches in ICA Proxy mode.