Responder policy not honored when binding to NetScaler Gateway with AAA_REQUEST type


Article ID: CTX477121

Description

Certain responder policies intended to filter whitelisted users on Citrix Gateway do not operate as expected.

Environment

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

Resolution

To address this issue, ensure that the responder policy is bound to the NetScaler Gateway Vserver with the "REQUEST" type.

Problem Cause

The responder policy is not honored because of incompatible policy expression checking at the AAA_REQUEST bind point.
These responder policies do not work because they are bound to the "AAA_REQUEST" bind point of the NetScaler Gateway Vserver. AAA_REQUEST is a newly introduced bind point for responder policies. Policies configured at this bind point are applied to all incoming requests at the specified virtual server, and they are processed for unauthenticated/control traffic first, before any other processing.

Example of an incorrect NetScaler CLI configuration:
add responder policy ResponderPolicyName "HTTP.REQ.USER.NAME.EQ(\"UserName\")&&CLIENT.IP.SRC.EQ(<Client_IPAddress>).NOT" DROP

bind vpn vserver VserverName -policy ResponderPolicyName -priority 350 -gotoPriorityExpression END -type AAA_REQUEST
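
The following check is an added example, not part of the Citrix article: it scans saved NetScaler configuration text for responder policies bound to a Gateway Vserver with "-type AAA_REQUEST" and emits the same bind line with "-type REQUEST", as the Resolution advises. The sample configuration, the GeoBlock policy, the IP addresses and the function names are constructed for illustration, and treating HTTP.REQ.USER as the marker of a user-based rule is an assumption taken from the article's sample.

```python
import re
import shlex

# Constructed sample modelled on the article's CLI lines; names and IPs are placeholders.
SAMPLE_CONF = r'''
add responder policy ResponderPolicyName "HTTP.REQ.USER.NAME.EQ(\"UserName\")&&CLIENT.IP.SRC.EQ(192.0.2.10).NOT" DROP
add responder policy GeoBlock "CLIENT.IP.SRC.IN_SUBNET(198.51.100.0/24)" DROP
bind vpn vserver VserverName -policy ResponderPolicyName -priority 350 -gotoPriorityExpression END -type AAA_REQUEST
bind vpn vserver VserverName -policy GeoBlock -priority 360 -gotoPriorityExpression END -type REQUEST
'''

def parse(conf):
    """Collect responder policies and vpn vserver bindings from config text."""
    policies, bindings = {}, []
    for raw in conf.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:          # unbalanced quotes: skip the line
            continue
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "responder", "policy"] and len(tok) >= 6:
            policies[tok[3]] = tok[4]                 # name -> rule expression
        elif head == ["bind", "vpn", "vserver"] and len(tok) >= 4:
            opts = {"vserver": tok[3], "raw": raw.strip()}
            for i, t in enumerate(tok[4:-1], start=4):
                if t.startswith("-") and not tok[i + 1].startswith("-"):
                    opts[t.lower()] = tok[i + 1]
            bindings.append(opts)
    return policies, bindings

def audit(conf):
    """One finding per responder policy bound with -type AAA_REQUEST.
    'rebind' is the original bind line with only the bind point changed to REQUEST."""
    policies, bindings = parse(conf)
    findings = []
    for b in bindings:
        name = b.get("-policy")
        if b.get("-type", "").upper() != "AAA_REQUEST" or name not in policies:
            continue
        findings.append({
            "policy": name,
            # Assumption: HTTP.REQ.USER marks a user-based rule, as in the article's sample.
            "user_based": "HTTP.REQ.USER" in policies[name].upper(),
            "rebind": re.sub(r"(?i)(-type\s+)AAA_REQUEST\b", r"\1REQUEST", b["raw"]),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f["policy"], "->", f["rebind"])
```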