This article describes a change in the default behavior of Advanced Authorization policies for UDP/ICMP/DNS traffic sent through NetScaler Unified Gateway. It applies to release 12.0.56.x and later.
With advanced authorization policies, the policy is applied to all types of traffic (TCP/UDP/ICMP/DNS), whereas classic authorization policies are applied only to TCP traffic. This results in a change in default behavior when the default authorization action (from the session action or vpn parameter) is DENY: with the authorization action set to DENY and no additional policies, UDP/ICMP/DNS traffic is blocked.
Note: If the default authorization action is ALLOW, there is no change in behavior, as all types of traffic are allowed by default. In this scenario, advanced authorization policies give customers more granular control to categorically blacklist UDP/ICMP/DNS packets, which was not possible with classic policies.
The subsequent sections explain the behavior for each type of traffic.
For TCP traffic there is no change in behavior. With the default authorization action set to DENY, all TCP packets are blocked at the NetScaler by default. Policies need to be added and bound to the corresponding aaa users/aaa groups to categorically whitelist TCP packets.
With advanced authorization policies and the default authorization action set to DENY, all UDP packets are blocked at the NetScaler by default. A new policy needs to be added and bound to the corresponding aaa users/aaa groups with type UDP_REQUEST to categorically whitelist UDP packets.
For example, if a customer wants to allow only UDP traffic destined to port 2080, the corresponding configuration looks like this:
add authorization policy authpol CLIENT.UDP.DSTPORT.EQ(2080) ALLOW
bind aaa user user1 -policy authpol -priority 10 -type UDP_REQUEST
With advanced authorization policies and the default authorization action set to DENY, all ICMP packets are blocked at the NetScaler by default. A new policy needs to be added and bound to the corresponding aaa users/aaa groups with type ICMP_REQUEST to categorically whitelist ICMP packets.
For example, if a customer wants to allow ICMP traffic, the corresponding configuration looks like this:
add authorization policy authpol CLIENT.IP.PROTOCOL.EQ(ICMP) ALLOW
bind aaa user user1 -policy authpol -priority 10 -type ICMP_REQUEST
By default, DNS-based advanced authorization policies apply only to DNS records of types other than 'A'/'AAAA'. To apply them to all DNS record types, run the command "nsapimgr -ys enable_vpn_dnstruncate_fix=1" from the NetScaler shell. Note that an nsapimgr setting does not survive a reboot by default. To make it persistent across reboots, add the same command to the file rc.netscaler under /nsconfig. If rc.netscaler does not exist, create it and add the command.
With the default authorization action set to DENY, all the applicable DNS record types (as described in the previous paragraph) are blocked at the NetScaler by default. A new policy needs to be added and bound to the corresponding aaa users/aaa groups with type DNS_REQUEST to categorically whitelist DNS packets.
For example, if a customer wants to allow only DNS packets destined for domains containing the keyword "citrix", the corresponding configuration looks like this:
add authorization policy authpol CLIENT.UDP.DNS.DOMAIN.CONTAINS("citrix") ALLOW
bind aaa user user1 -policy authpol -priority 10 -type DNS_REQUEST
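The article says to persist the nsapimgr setting in /nsconfig/rc.netscaler, creating the file if needed, but does not show how. The following shell function is an added example (not part of the article or of NetScaler itself) that does this idempotently, so re-running it never duplicates the line; the function name and the optional path argument are this example's own, while the command and the /nsconfig/rc.netscaler path come from the article.

```shell
#!/bin/sh
# Added example: record the nsapimgr setting from the article in
# rc.netscaler so it is re-applied at every boot. The NetScaler shell
# is a FreeBSD sh, so only POSIX sh constructs are used.

# The exact command the article asks to persist.
NSAPIMGR_CMD='nsapimgr -ys enable_vpn_dnstruncate_fix=1'

# persist_nsapimgr_setting [file]
#   file defaults to /nsconfig/rc.netscaler (path from the article).
# Creates the file if it is missing, appends the command only when it
# is not already present, and prints how many times the exact line now
# occurs (expected: 1, however often the function is run).
persist_nsapimgr_setting() {
    rc_file="${1:-/nsconfig/rc.netscaler}"
    # "If rc.netscaler does not exist, then create one"
    [ -f "$rc_file" ] || : > "$rc_file" || return 1
    # -x matches whole lines, -F disables regex, so a commented-out or
    # differently-valued variant is not mistaken for the setting.
    if ! grep -qxF "$NSAPIMGR_CMD" "$rc_file"; then
        printf '%s\n' "$NSAPIMGR_CMD" >> "$rc_file" || return 1
    fi
    grep -cxF "$NSAPIMGR_CMD" "$rc_file"
}
```

On the appliance, call persist_nsapimgr_setting with no argument after running the nsapimgr command once by hand for the current boot, since the file is only read at startup.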
Note: If no authorization policies are bound, the authorization policy type is considered Advanced. If a customer's configuration has no authorization policies and the appliance is upgraded, all the behavior changes described here apply.