Forum Discussion

ardmallor
Jan 22, 2021

Citrix SSL GW VIP

Have a question here that may seem remedial; however, we are having challenges creating a custom VIP on an F5 where SSL is decrypted, sent in the clear to some security reverse proxy devices (if the traffic was HTTP) and, for the non-HTTP traffic (ICA), we need to send it directly to the SSL GW backend (different pool).

We have this successfully working with a Netscaler (just as an LB) by attaching a content switch policy to the VIP that does: if HTTP request then > security devices, else default pool is the SSL GW.

Our challenge on F5 is that if we create an HTTP VIP we can implement an iRule, but the non-HTTP traffic seems to be getting dropped. If we change it to a TCP VIP then we cannot attach an iRule with HTTP functions.

 

SNIP:

when CLIENT_ACCEPTED {
    # Sets the default pool
    pool pool-ctx-direct
}

when HTTP_REQUEST {
    # Changes the pool if an HTTP request is received.
    pool pool-rp
}

Thx in advance for the help.
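As an added example (not code from this thread, from the poster, or from F5), the following iRule keeps a single 443 VIP and still splits HTTP from non-HTTP after decryption. The HTTP_REQUEST event only fires when an HTTP profile is attached, and an HTTP profile drops streams that are not HTTP, which is why the snippet above loses the ICA traffic. This rule instead looks at the first bytes of the decrypted payload. It assumes a Standard virtual server with a clientssl profile (so TCP::payload is the decrypted stream) and no HTTP profile; the pool names are the ones from the question, while the 8-byte threshold and the method list are assumptions. If the Gateway pool expects TLS on the server side, a serverssl profile on the virtual server re-encrypts that leg.

```tcl
# Added example iRule: route decrypted HTTP to the inspection proxies,
# everything else straight to the Citrix Gateway pool.
# Requires: Standard virtual server, clientssl profile, NO HTTP profile.
# Assumed: pool names from the thread; 8-byte peek and method list are assumptions.

when CLIENT_ACCEPTED {
    # Default pool for anything we cannot classify as HTTP (ICA etc.).
    pool pool-ctx-direct
    # Buffer the client's first 8 decrypted bytes before opening the
    # server-side connection; CLIENT_DATA fires once they have arrived.
    TCP::collect 8
}

when CLIENT_DATA {
    # First 8 bytes of the decrypted payload, upper-cased for matching.
    set head [string toupper [string range [TCP::payload] 0 7]]

    # Heuristic: a decrypted HTTP request starts with a method token and a
    # space. Anything else is treated as non-HTTP and keeps the default pool.
    switch -glob -- $head {
        "GET *"     -
        "POST *"    -
        "HEAD *"    -
        "PUT *"     -
        "DELETE *"  -
        "OPTIONS *" -
        "PATCH *"   -
        "CONNECT *" {
            # Plain-text HTTP goes to the security reverse proxies.
            pool pool-rp
        }
        default {
            # Non-HTTP (ICA) goes directly to the SSL Gateway backend.
            pool pool-ctx-direct
        }
    }

    # Release the buffered bytes; the server-side connection is opened
    # to the pool selected above and the stream is proxied unchanged.
    TCP::release
}
```

Because there is no HTTP profile on this virtual server, HTTP::* commands are not available in the rule; the security proxies receive the plain HTTP stream exactly as the client sent it, and the Gateway pool receives the ICA stream untouched.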

  • Hi,

    You can create two virtual servers. One with port 443, SSL offloading and pool pool-rp, another with port any (with the same destination IP) and pool pool-ctx-direct.

    All 443 traffic will go to the 443 virtual server, all other traffic to the any virtual server.

    Cheers,

    Kees

    • ardmallor

      Yes, we considered this with a 444 port; however, this would allow all traffic (HTTP and non-HTTP) to be attacked directly towards that Citrix GW direct and remove our ability to inspect/block traffic (number of Citrix HTTP VPN attacks).

  • Ok, but then you should create an HTTPS virtual server and an ICA virtual server. Or are there more ports that need to be opened?