ardmallor
Jan 22, 2021

Citrix SSL GW VIp

I have a question here that may seem remedial; however, we are having challenges creating a custom VIP on an F5 where SSL is decrypted and sent in the clear to some security reverse proxy devices (if the traffic is HTTP), while the non-HTTP traffic (ICA) needs to be sent directly to the SSL GW backend (a different pool).

We have this working successfully with a NetScaler (just as an LB) by attaching a content-switch policy to the VIP that does: if HTTP request, then > security devices; else the default pool is the SSL GW.

Our challenge on F5 is that if we create an HTTP VIP we can implement an iRule, but the non-HTTP traffic seems to be getting dropped. If we change it to a TCP VIP, then we cannot attach an iRule with HTTP functions.

SNIP:

when CLIENT_ACCEPTED {
    # Sets the default pool for every new connection.
    pool pool-ctx-direct
}

when HTTP_REQUEST {
    # Changes the pool if an HTTP request is received.
    pool pool-rp
}

Thx in advance for the help.
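One way to reproduce the NetScaler content switch on a single BIG-IP virtual server is to look at the first decrypted bytes of each connection before the HTTP profile parses them, and to switch the HTTP filter off for connections that are not HTTP. The iRule below is an added example, not code from the original poster, from the replies or from F5. It assumes a virtual server on 443 that carries a client SSL profile, a TCP profile and an HTTP profile; that TCP::collect in CLIENT_ACCEPTED returns the decrypted payload when a client SSL profile is attached (an assumption to verify on your version); that the pool names pool-rp and pool-ctx-direct from the post exist; and that "starts with an HTTP method token and a space" is an adequate HTTP detector for this traffic.

```tcl
# Added example: content switching between HTTP (inspected) and non-HTTP
# (direct) traffic on one BIG-IP virtual server that has a client SSL profile,
# a TCP profile and an HTTP profile attached.
#
# Assumptions (not confirmed by the thread):
#   - TCP::payload holds the decrypted client bytes because the client SSL
#     profile sits below the iRule TCP commands.
#   - pool-rp is the pool of inspecting reverse proxies, pool-ctx-direct is the
#     Citrix gateway pool (both names are taken from the original post).
#   - HTTP::disable, issued before TCP::release, stops the HTTP filter from
#     parsing (and resetting) a non-HTTP stream on this connection.

when CLIENT_ACCEPTED {
    # Default until we have seen payload: the Citrix gateway pool.
    pool pool-ctx-direct
    # Buffer the first client bytes; CLIENT_DATA fires when data arrives.
    TCP::collect
}

when CLIENT_DATA {
    # Only the request line matters: method, space, request-target, version.
    set first_line [getfield [TCP::payload] "\n" 1]

    if { [regexp {^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE)\s} $first_line] } {
        # HTTP: keep the HTTP filter on so HTTP_REQUEST still fires, and send
        # the clear-text request through the inspecting proxies.
        HTTP::enable
        pool pool-rp
        log local0. "[IP::client_addr]:[TCP::client_port] HTTP -> pool-rp"
    } else {
        # Non-HTTP (ICA in this thread): turn off HTTP parsing for this
        # connection and hand it straight to the gateway pool.
        HTTP::disable
        pool pool-ctx-direct
        log local0. "[IP::client_addr]:[TCP::client_port] non-HTTP -> pool-ctx-direct"
    }

    # Release the buffered bytes to the pool chosen above.
    TCP::release
}
```

Once HTTP::disable has been called for a connection, HTTP_REQUEST never fires on it, so the `when HTTP_REQUEST { pool pool-rp }` block from the question becomes redundant for the non-HTTP path and harmless for the HTTP path. The check that matters operationally is the fail-closed direction: any connection the regexp does not recognise as HTTP goes to the gateway without inspection, so test the rule with a plain HTTP request, a request whose method is not in the list, and a real ICA session before relying on it.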

3 Replies

  • Ok, but then you should create an HTTPS virtual server and an ICA virtual server. Or are there more ports that need to be opened?

  • Hi,

    You can create two virtual servers. One with port 443, SSL offloading and pool pool-rp, another with port any (with the same destination IP) and pool pool-ctx-direct.

    All 443 traffic will go to the 443 virtual server, all other traffic to the any virtual server.

    Cheers,

    Kees

    • ardmallor

      Yes, we considered this with a port 444; however, this would allow all traffic (HTTP and non-HTTP) to be directed straight at that Citrix GW and remove our ability to inspect/block traffic (given the number of Citrix HTTP VPN attacks).