Forum Discussion
Ethereal_96320
Nimbostratus
Nimbostratusdistinguish between Citrix client and any browser
Hello folks
Supposing that I am not an iRules guru, I will ask for help here.
Basically the goal of my mission would be blocking the access to the Citrix portal from the browser (using https://myentrypoint.org) but allow the Citrix client (using the same URL).
I suppose that I should use the user agent or else, but sniffing the packets in both attempts I couldn’t figure it out a discriminating element or else.
Did someone has an idea or already handled this situation?
Regards
Vicentiu
2 Replies
Michael_YatesHi Ethereal,
You should be able to trigger an event based on the User-Agent contained within the HTTP::header, but I would suggest creating an iRule that would just monitor the incoming User-Agents at first (so that you can catch all of the User-Agents that you do not want to block and use the results to make an exclusion list).
Example: CitrixReciever
You could start with something like this:when HTTP_REQUEST { switch -glob [HTTP::header User-Agent] { "*MSIE 7.0*" - "*MSIE 6.0*" - "*MSIE 5.*" - "*MSIE 4.*" - "*Safari*" - "*Firefox*" - "*MSRPC*" { log local0. "Known Browsers to eventuall block." } "*CitrixReciever*" { log local0. "Known Citrix Client" } default { log local0. "Unkown User-Agent: [HTTP::header User-Agent]" } } }
After you have logged enough you can change the logging behavior to redirect, blocking, reject, drop or whatever action you like.
I would also suggest these as additional reading. They discuss using the User-Agent as well:
Split out clients using the Citrix Receiver w/ iRule
Redirect based on user browser (mobile)
Hope this helps.
Ethereal_96320Hi Michael
You're right. I have sniffed on the client side where due to HTTPS encryption I wasn't able to see anything.
I will try to "tcpdump" on the F5 and figure it out as a first step what is the exact string for the Citrix Client, then logging for a while is a good idea.
Thank you very much for tips.
Vicentiu
