Using NetScaler Responder policies to log source ip-address

Sometimes you need to decomission services, and move them to new servers. Sometimes this requires the change of the IP address. This is no big deal as long as accessing clients use DNS, or until you can change the IP address to connect to the services using a central mechanism. DNS and LDAP are two of these services. They come often as part of Microsoft Active Directory Domain Controllers. Sometimes customers use the IP address of a DC and put this IP address hard coded into other IT systems or config files. This makes it nearly impossible to track what clients and sub systems access these services.

I often use NetScaler ADC (former Citrix NetSCaler or Citrix ADC) to preserve the IP address of a demoted Domain Controller and to get a log file of accessing clients. To accomplish this, I setup e.g. DNS or LDAP load balancing with the new Domain Controllers as backend services. Then I use Responder policies to log the IP address of accessing clients.

First of all: We need a syslog server, e.g. TFTP64 can act as a syslog server, and we need to setup syslog loggion on the NetScaler ADC. It is important to enable -userDefinedAuditlog, because we will also need a user defined syslog message and message action. Make sure to globally bind the audit policy.

add audit syslogAction syslog_10.99.1.110 10.99.1.110 -logLevel INFORMATIONAL -dateFormat YYYYMMDD -userDefinedAuditlog YES
add audit syslogPolicy aud_pol_syslog true syslog_10.99.1.110
bind audit syslogGlobal -policyName aud_pol_syslog -priority 100

Then we need to add a message action that logs the client ip address and the name of the target load-balancing virtual server.

add audit messageaction sys_msg_act_logclientip INFORMATIONAL "CLIENT.IP.SRC+\" accessed \"+CLIENT.TCP.LB_VSERVER.NAME"

The responder policies does nothing except the logAction. The expression for the policy must be true and make sure that you use the default action NOOP.

add responder policy res_pol_log_clientip true NOOP -logAction sys_msg_act_logclientip

Last thing is to bind the responder policy to the load-balancing virtual server.

bind lb vserver lb_vsrv_ad_ldap_dc1 -policyName res_pol_log_clientip -priority 100 -gotoPriorityExpression END -type REQUEST

After binding the responder policy you should see the syslog server receiving a log entry each time a client accesses the load-balancing virtual server. This allows you to identify the accessing clients and change their configuration.