Citrix Gateway

Configuring Authorization Policies

When you configure an authorization policy, you can set it to allow or deny access to network resources in the internal network. For example, to allow users access to the 10.3.3.0 network, use the following expression:

CLIENT.IP.DST.IN_SUBNET(10.3.0.0/16)

Authorization policies are applied to users and groups. After a user is authenticated, Citrix Gateway performs a group authorization check by obtaining the user’s group information from either an RADIUS, LDAP, or TACACS+ server. If group information is available for the user, Citrix Gateway checks the network resources allowed for the group.

To control which resources users can access, you must create authorization policies. If you do not need to create authorization policies, you can configure default global authorization.

If you create an expression within the authorization policy that denies access to a file path, you can only use the subdirectory path and not the root directory. For example, use fs.path contains “\\dir1\\dir2” instead of fs.path contains “\\rootdir\\dir1\\dir2”. If you use the second version in this example, the policy fails.

After you configure the authorization policy, you then bind it to a user or group as shown in the tasks below.

By default, authorization policies are validated first against policies that you bind to the virtual server and then against policies bound globally. If you bind a policy globally and want the global policy to take precedence over a policy that you bind to a user, group, or virtual server, you can change the priority number of the policy. Priority numbers start at zero. A lower priority number gives the policy higher precedence.

For example, if the global policy has a priority number of one and the user has a priority of two, the global authentication policy is applied first.

Important:

  • Classic authorization policies are applied only on TCP traffic.
  • Advanced authorization policy can be applied on all types of traffic (TCP/UDP/ICMP/DNS).

    • To apply policy on UDP/ICMP/DNS traffic, policies must be bound at type UDP_REQUEST, ICMP_REQUEST, and DNS_REQUEST respectively.

    • While binding, if “type” is not explicitly mentioned or “type” is set to REQUEST, the behavior does not change from earlier builds, that is these policies are applied only to TCP traffic.
    • The policies bound at UDP_REQUEST do not apply for DNS traffic. For DNS, policies must be explicitly bound to DNS_REQUEST TCP_DNS is similar to other TCP requests.

For more details on advanced authorization policies, see article https://support.citrix.com/article/CTX232237.

To configure an authorization policy by using the GUI

  1. Navigate to Citrix Gateway > Policies > Authorization.
  2. In the details pane, click Add.
  3. In Name, type a name for the policy.
  4. In Action, select Allow or Deny.
  5. In Expression, click Expression Editor.
  6. To start to configure the expression, click Select and choose the necessary elements.
  7. Click Done when your expression is complete.
  8. Click Create.

To bind an authorization policy to a user by using the GUI

  1. Navigate to Citrix Gateway > User Administration.
  2. Click AAA Users.
  3. In the details pane, select a user and then click Edit.
  4. In Advanced Settings, click Authorization Policies.
  5. In Policy Binding page, select a policy or create a policy.
  6. In Priority, set the priority number.
  7. In Type, select the request type and then click OK.

To bind an authorization policy to a group by using the GUI

  1. Navigate to Citrix Gateway > User Administration.
  2. Click AAA Groups.
  3. In the details pane, select a group and then click Edit.
  4. In Advanced Settings, click Authorization Policies.
  5. In Policy Binding page, select a policy or create a policy.
  6. In Priority, set the priority number.
  7. In Type, select the request type and then click OK.
Configuring Authorization Policies