
Rate Limiting for Citrix Gateway

The rate limiting feature for Citrix Gateway enables you to define the maximum load for a given network entity or virtual entity on the Citrix Gateway appliance. Because the Citrix Gateway appliance consumes all the unauthenticated traffic, it is often exposed to requests arriving at a high rate. The rate limiting feature enables you to configure the appliance to monitor the rate of traffic associated with an entity and take preventive action, in real time, based on that traffic. For more information about how rate limiting works in a Citrix ADC appliance, see Rate limiting.

Citrix ADC has a rate limiting feature that protects back-end servers against an unforeseen request rate. Because that feature does not cover the unauthenticated traffic that Citrix Gateway handles, Citrix Gateway needs its own rate limiting functionality to check the unforeseen rate of requests from the various sources the appliance is exposed to, for example unauthenticated, login and control requests, and certain APIs exposed for end user or device validation.

Common use-cases for Rate limiting

  • Limit the number of requests per second from a URL.

  • Drop a connection based on cookies received in requests from a particular host if the requests exceed the rate limit.

  • Limit the number of HTTP requests that arrive from the same host (with a particular subnet mask) and that have the same destination IP address.

Configure rate limiting for Citrix Gateway

Prerequisites

A configured authentication virtual server.

Points to note

  • In the configuration steps, a sample limit identifier is configured. The same can be configured with all the supported parameters, such as stream selector and mode. For an exhaustive description of the rate limiting capabilities, see Rate limiting.

  • The policy can also be bound to a VPN virtual server. You need a configured VPN virtual server to bind the policy using the following command:

    bind vpn vserver <vpn vserver name> -policy denylogin -pri 1 -type aaa_request
  • AAA_REQUEST is a newly introduced bind point for responder policies. The policies configured at this bind point are applied to all the incoming requests at the specified virtual server. The policies are processed for the unauthenticated/control traffic first, before any other processing.

  • Binding the policy to the Citrix Gateway virtual server enables rate limiting at the AAA_REQUEST bindpoint for all the traffic consumed by Citrix Gateway including unauthenticated requests.

  • Binding the policy to an authentication virtual server rate limits the unauthenticated/control requests hitting the authentication virtual server.

To configure rate limiting by using the command line interface, at the command prompt, type the following commands:

add limitIdentifier <name> -threshold <positive_integer> -timeslice <positive_integer> -mode <REQUEST_RATE | CONNECTION>

Example:

add limitIdentifier limit_one_login -threshold 10 -timeslice 4294967290 -mode REQUEST_RATE
add responder action denylogin respondwith '"HTTP/1.1 200 OK\r\n\r\n" + "Request is denied due to unusual rate"'
add responder policy denylogin 'sys.check_limit("limit_one_login")' denylogin
bind authentication vserver <authentication vserver name> -policy denylogin -pri 1 -type aaa_request

For example, to bind the policy to an authentication virtual server named authvserver:

bind authentication vserver authvserver -policy denylogin -pri 1 -type aaa_request

The sample responder action answers with status 200 OK and a text body, so a client or a monitoring tool that keys on the status code does not see the denial. For production use, consider a status such as 429 Too Many Requests in the respondwith expression.

Parameter description

  • limitIdentifier - Name for a rate limit identifier. Must begin with an ASCII letter or underscore (_) character, and must consist only of ASCII alphanumeric or underscore characters. Reserved words must not be used. This is a mandatory argument. Maximum length: 31.

  • threshold - The maximum number of requests that are allowed in the given timeslice when requests are tracked per timeslice (mode is set to REQUEST_RATE). When connections are tracked (mode is set to CONNECTION), it is the total number of active connections that are let through. Default value: 1. Minimum value: 1. Maximum value: 4294967295.

  • timeSlice - Time interval, in milliseconds, specified in multiples of 10, during which requests are tracked to check whether they cross the threshold. This argument is needed only when the mode is set to REQUEST_RATE. Default value: 1000. Minimum value: 10. Maximum value: 4294967295.

  • mode - Defines the type of traffic to be tracked.

    • REQUEST_RATE - Tracks requests per timeslice.
    • CONNECTION - Tracks active transactions.
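The counting semantics behind threshold, timeSlice and the stream selector are easier to see in a small model. The following Python is an added example written for this page; it is not Citrix code and does not reproduce the appliance's implementation. It models the documented behaviour: in REQUEST_RATE mode with limitType BURST, requests are counted per stream key within a fixed timeslice window and check_limit() returns true once the count passes the threshold; with limitType SMOOTH the threshold is spread evenly across the timeslice. The selector field names, the login_per_ip identifier and the IP addresses are assumptions made for the illustration.

```python
"""Model of a NetScaler limit identifier in REQUEST_RATE mode.

Added example for this page; not Citrix code. It assumes the documented
counting rules: BURST counts requests per stream key in a fixed timeslice
window, SMOOTH spreads `threshold` requests evenly over the timeslice.
"""


class LimitIdentifier:
    """Counting model of `add ns limitIdentifier <name> -threshold <n> -timeslice <ms>
    -mode REQUEST_RATE [-limitType BURST|SMOOTH] [-selectorName <sel>]`.

    `selector` lists the request fields that form the stream key, like the
    expressions of `add stream selector`; an empty selector is one global stream.
    """

    def __init__(self, name, threshold=1, timeslice=1000, limit_type="BURST", selector=()):
        if threshold < 1 or timeslice < 10 or timeslice % 10:
            raise ValueError("threshold >= 1 and timeslice >= 10 ms in multiples of 10")
        if limit_type not in ("BURST", "SMOOTH"):
            raise ValueError("limit_type must be BURST or SMOOTH")
        self.name = name
        self.threshold = threshold
        self.timeslice = timeslice
        self.limit_type = limit_type
        self.selector = tuple(selector)
        self._window = {}   # stream key -> (window_start_ms, count), for BURST
        self._last_ok = {}  # stream key -> time_ms of last admitted request, for SMOOTH

    def _key(self, request):
        return tuple(request.get(field) for field in self.selector)

    def check_limit(self, request, now_ms):
        """Mirror of the policy expression sys.check_limit("<name>"): True when this
        request pushes its stream over the limit, i.e. the responder action fires."""
        key = self._key(request)
        if self.limit_type == "BURST":
            start, count = self._window.get(key, (now_ms, 0))
            if now_ms - start >= self.timeslice:   # timeslice elapsed: restart the count
                start, count = now_ms, 0
            count += 1
            self._window[key] = (start, count)
            return count > self.threshold
        # SMOOTH: at most one request per timeslice/threshold milliseconds per stream
        min_gap_ms = self.timeslice / self.threshold
        last = self._last_ok.get(key)
        if last is not None and now_ms - last < min_gap_ms:
            return True
        self._last_ok[key] = now_ms
        return False


def run_policy(identifier, traffic):
    """Evaluate check_limit() for (time_ms, request) pairs in arrival order and
    return one verdict per request: 'deny' when the limit is exceeded, else 'allow'."""
    return ["deny" if identifier.check_limit(req, t) else "allow" for t, req in traffic]


def login_burst(client_ip, start_ms, count, gap_ms):
    """Constructed sample traffic (not captured data): `count` login requests from
    one client, `gap_ms` apart, as the dicts the selector reads."""
    return [(start_ms + i * gap_ms, {"client_ip": client_ip, "url": "/cgi/login"})
            for i in range(count)]


def compare_global_and_per_ip():
    """Run the page's sample identifier and a per-client variant over the same traffic.

    limit_one_login is the page's example (no selector, timeslice of about 49.7 days);
    login_per_ip is a hypothetical identifier keyed on client.ip.src.
    """
    traffic = (login_burst("203.0.113.10", 0, 6, 100)        # six logins in 0.5 s
               + login_burst("198.51.100.7", 1000, 6, 100))  # six more from another IP
    page_example = LimitIdentifier("limit_one_login", threshold=10, timeslice=4294967290)
    per_ip = LimitIdentifier("login_per_ip", threshold=4, timeslice=1000,
                             selector=("client_ip",))
    return {
        "limit_one_login": run_policy(page_example, traffic),
        "login_per_ip": run_policy(per_ip, traffic),
    }


if __name__ == "__main__":
    for name, verdicts in compare_global_and_per_ip().items():
        print(f"{name}: {' '.join(verdicts)}")
```

Running it against the page's own sample identifier shows a point worth noting: limit_one_login has no stream selector, so all sources share one counter, and with a timeslice of 4294967290 ms (about 49.7 days) the eleventh login request from any client is denied for the rest of that window. For an authentication virtual server you normally want a stream selector on client.ip.src (the login_per_ip variant in the example) and a timeslice measured in seconds.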

To configure Rate Limiting using the Citrix ADC GUI:

  1. Navigate to AppExpert > Rate Limiting > Limit Identifiers, click Add, and specify the relevant details as described in the CLI section.

    Create limit identifier.

  2. Navigate to AppExpert > Responder > Policies. On the Responder Policies page, click Add.

  3. On the Create Responder Policy page, create a responder policy with a responder action that uses the limit identifier.

  4. To create the responder action, click Add next to Action and enter a name for the responder action.

  5. Select the type Respond with from the drop-down menu, specify the following expression, "HTTP/1.1 200 OK\r\n\r\n" + "Request is denied due to unusual rate", and click Create.

    Create responder action

  6. To create the responder policy, on the Create Responder Policy page, enter a name for the responder policy, specify the following expression, sys.check_limit("limit_one_login"), and click Create.

    Create responder policy

  7. Bind the responder policy to the authentication virtual server.

    • Go to Security > AAA-Application Traffic > Virtual Servers.
    • Select the virtual server.
    • Add a policy.
    • Choose the responder policy that you want to bind to the server and set the priority.
    • Choose the type AAA-REQUEST and click Continue.

    Bind the policy

Note: You can also enable rate limiting at the AAA_REQUEST bind point for the VPN virtual server.

Configuration for the common use cases for applying rate limiting to Citrix Gateway

The following are examples of commands to configure the common use cases. The stream selector defines the key on which requests are counted; without a selector, the limit identifier counts all requests that reach the policy in a single stream.

  • Limit the number of requests per second from a URL.

    add stream selector ipStreamSelector http.req.url "client.ip.src"
    add ns limitIdentifier ipLimitIdentifier -threshold 4 -timeslice 1000 -mode request_rate -limitType smooth -selectorName ipStreamSelector
    add responder policy ipLimitResponderPolicy "http.req.url.contains(\"myasp.asp\") && sys.check_limit(\"ipLimitIdentifier\")" myWebSiteRedirectAction
    bind authentication vserver authvserver -policy ipLimitResponderPolicy -pri 1 -type aaa_request

    The responder action myWebSiteRedirectAction must already exist. The policy is bound at the AAA_REQUEST bind point so that it is evaluated before authentication.

  • Drop a connection based on cookies received in requests from www.yourcompany.com if the requests exceed the rate limit.

    add stream selector reqCookieStreamSelector "http.req.cookie.value(\"mycookie\")" "client.ip.src.subnet(24)"
    add ns limitIdentifier myLimitIdentifier -threshold 2 -timeSlice 3000 -selectorName reqCookieStreamSelector
    add responder action sendRedirectURL redirect '"http://www.mycompany.com" + http.req.url' -bypassSafetyCheck Yes
    add responder policy rateLimitCookiePolicy "http.req.url.contains(\"www.yourcompany.com\") && sys.check_limit(\"myLimitIdentifier\")" sendRedirectURL

    Bind rateLimitCookiePolicy to the virtual server at the AAA_REQUEST bind point, as in the previous use case.

  • Limit the number of HTTP requests that arrive from the same host (with a subnet mask of 32) and that have the same destination IP address.

    add stream selector ipv6_sel "CLIENT.IPv6.src.subnet(32)" CLIENT.IPv6.dst
    add ns limitIdentifier ipv6_id -timeSlice 20000 -selectorName ipv6_sel
    add lb vserver ipv6_vip HTTP 3ffe::209 80 -persistenceType NONE -cltTimeout 180
    add responder action redirect_page redirect "\"http://redirectpage.com/\""
    add responder policy ipv6_resp_pol "SYS.CHECK_LIMIT(\"ipv6_id\")" redirect_page
    bind responder global ipv6_resp_pol 5 END -type DEFAULT

    Because ipv6_id sets no threshold, the default of 1 applies: one request per 20 seconds for each source/32 and destination address pair.