Authorization Policy Does Not Work When Bound to AAA Group on NetScaler Gateway Virtual Server

book

Article ID: CTX204880

calendar_today

Updated On:

Description

After upgrading NetScaler to 10.5-56.22, users using SSL VPN with ICA proxy enabled start getting "Error: Not a privileged user" after authentication.

When user is not using SSL VPN+ ICA proxy options on the session policy then it works fine.

Destination IP based authorization policies do not work as expected in ICA Proxy Mode. Users see authorization failures despite having an authorization policy that allows traffic destined to Storefront server's IP address. As a workaround, Host header based authorization policy or user membership based policies can be used.

Resolution

Fix for this issue is available in 10.5-61+ and 11.0 65+ builds.

In ns.log we see below errors:
===

Dec 1 21:00:43 <local0.warn> 127.0.0.2 12/01/2015:15:30:43 GMT citrix-vpx 0-PPE-0 : default SSLVPN Message 50262 0 : "User citrix is not authorized to access /citrix/citrix-storeweb"
Dec 1 21:00:43 <local0.info> 127.0.0.2 12/01/2015:15:30:43 GMT citrix-vpx 0-PPE-0 : default SSLVPN Message 50263 0 : "AAA Client Handler: Found extended error code 589826, ReqType 16386 request /citrix/citrix-storeweb, cookie hdr NSC_AAAC=701ac63308082e03a07804ae896c027900960092745525d5f4f58455e445a4a42"

If we turn off the ICA Proxy mode then the same authorization rule passes:

set vpn sessionAction SF-Prof -winsIP 0.0.0.0 -sessTimeout 2 -splitTunnel ON -defaultAuthorizationAction ALLOW -wihome "http://ip-address/citrix/citrix-storeweb " -wihomeAddressType IPV4 -ntDomain rajat -iconWithReceiver ON" - Status "Success

Problem Cause

This is a code related issue on the 10.5 and 11.0 builds wherein the logic with respect to how the destination IP is evaluated has changed from 10.1 release.

In working scenario from 10.1 build, destination IP is evaluated to IP provided in Web Interface/StoreFront -wihome option, where as in 10.5 version the destination IP is always evaluated or matched against NetScaler Gateway vserver IP. So ideally in 10.1 code we are updating destination IP based on server side PCB(SNIP/MIP to WI/SF ip address), where as in 10.5 code destination IP information is updated using client side PCB (client to ag vserver ip ).

Issue/Introduction

After the upgrade to 10.5/11.0, users employing SSL VPN with ICA proxy enabled see authorization failures. The authorization failures are issued, even though; a policy is bound to the AAA group that checks for StoreFront's destination IP

Was this article helpful?

thumb_up Yes

thumb_down No

Welcome to "KB Articles"