Forum Discussion
frank_combopia1
Nimbostratus
Oct 25, 2006
Rewriting URLs for Citrix Secure Gateway
One of our App teams wishes to deploy a Citrix-based environment using the Secure Gateway in a DMZ, behind two ltm1500s. The Secure Gateway servers will then contact Citrix Presentation Servers behind a firewall in the secure part of our network. Their additional requirements/constraints are:
1. Single certificate for the two SG servers
2. end-to-end SSL
3. no SSL termination at the LTM
4. Multiple entry points: Internet and Intranet (using private network paths)
The last item (4) is what I'm concerned about. To accommodate the "typical" Internet user, the certificate will require an external name, as in, "www.new-app.com". However, policies and standards prevent me from claiming authority for "new-app.com" within our company's internal name/address space, so an intranet request should look more like "www.new-app.site.company.com".
Access to the private network is through a local (site by site) DMZ via a firewall and NAT.
So, can I rewrite "https://www.new-app.site.company.com/*" as "https://www.new-app.com/*" before passing it to the Secure Gateway pool, and reverse that on the way back to the client? I can't return a redirect to the internal client because that would take them to the external gateways, ignoring the private paths set up for this application.
Also, are there other elements of a Citrix session that I need to manipulate (if I can) such as tokens, or cookies?
Is this a viable way to overcome the cert's FQDN, or is there a better alternative?
Thanks!
/frank
- dennypayne
Employee
The only way I could see to do this is if you *are* doing SSL termination, because that is the only way to be able to manipulate headers within an iRule on an SSL connection. You do have the ability, however, to re-encrypt before sending it to your pool using ServerSSL profiles. It would be up to you to determine whether that meets the requirement of "no SSL termination" though.

    when HTTP_REQUEST {
        if { [HTTP::host] contains "company.com" } {
            # Present the gateway with the name that is on its certificate
            HTTP::header replace Host "www.new-app.com"
        }
    }
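Worked example, added here and not part of dennypayne's reply or of any Citrix or F5 documentation: a fuller iRule along the lines he describes, for a virtual server that has a clientssl profile (SSL terminated on the LTM, so the HTTP headers are visible) and a serverssl profile (re-encrypted to the Secure Gateway pool). It rewrites Host and Referer on the way in and maps Location headers and cookie domains back to the intranet name on the way out, which is the reverse step frank asked about. The two hostnames are the ones from the thread; the variable names and the per-connection `rewrite` flag are this example's own assumptions.

```tcl
# Added example, not code from the thread. Assumes the virtual server has a
# clientssl profile (so HTTP is visible) and a serverssl profile (re-encrypt
# to the Secure Gateway pool). Hostnames are the ones used in the thread;
# variable names are this example's own.

when HTTP_REQUEST {
    set intranet_host "www.new-app.site.company.com"
    set external_host "www.new-app.com"

    # Only intranet requests need rewriting; Internet users already send
    # the external name that the gateway certificate carries.
    if { [string tolower [HTTP::host]] equals $intranet_host } {
        set rewrite 1
        HTTP::header replace Host $external_host
        # The gateway may compare Referer against its own name as well.
        if { [HTTP::header exists Referer] } {
            HTTP::header replace Referer [string map \
                [list $intranet_host $external_host] \
                [HTTP::header value Referer]]
        }
    } else {
        set rewrite 0
    }
}

when HTTP_RESPONSE {
    if { [info exists rewrite] && $rewrite } {
        # A redirect to www.new-app.com would send the intranet client out
        # to the Internet entry point, bypassing the private paths; point
        # it back at the intranet name instead.
        if { [HTTP::is_redirect] && [HTTP::header exists Location] } {
            HTTP::header replace Location [string map \
                [list $external_host $intranet_host] \
                [HTTP::header value Location]]
        }
        # A Set-Cookie scoped to the external domain is rejected by a
        # browser that is talking to www.new-app.site.company.com;
        # rescope it to the intranet name.
        foreach name [HTTP::cookie names] {
            if { [string tolower [HTTP::cookie domain $name]] contains "new-app.com" } {
                HTTP::cookie domain $name $intranet_host
            }
        }
    }
}
```

Two caveats a practitioner would check before relying on this. First, it only touches HTTP headers: the ICA file that the Citrix Web Interface hands to the client names the gateway in its body (the `SSLProxyHost` entry), so the client's ICA connection would still go to www.new-app.com unless the response body is rewritten as well, for example with a stream profile and `STREAM::expression`, and only if the body is not compressed. Second, the clientssl profile on the intranet virtual server presents its own certificate to intranet clients, which is what sidesteps the FQDN on the gateway certificate but sits uneasily with the "single certificate" requirement in the original post.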
- frank_combopia1
Nimbostratus
Thanks for the quick reply Denny; I may be able to use your suggestion for another application. Unfortunately, I have to defer to the Citrix experts, so if they say "no SSL termination", I have to comply. I guess I'll start looking at DNS hacks.