For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

roger10dc_46053's avatar
roger10dc_46053
Icon for Nimbostratus rankNimbostratus
Sep 09, 2010

Source Network based Stream profile for Citrix Secure GW

Hello -

 

 

We have a single instance of Citrix Secure Gateway in our DMZ which users access using https://www.mycsg.com/Citrix/XenApp/

 

 

The goal is for internal users (10.0.0.0 / 8) to redirect to https://www.mycsg.com/Citrix/XenApp1/ which is setup to send the Citrix clients direct via ICA instead of HTTPS.

 

 

The BigIP virtual server must be SSL Pass Through. Any time lately that I apply an http profile the connection breaks.

 

 

I attempted the following:

 

 

when CLIENT_DATA {

 

Disable the stream filter by default

 

STREAM::disable

 

Check if client IP is in the datagroup

 

if {[matchclass [IP::client_addr] equals $::internal_net]}{

 

STREAM::enable

 

}

 

}

 

 

 

with a stream profile of:

 

 

https://www.mycsg.com/Citrix/XenApp/

 

https://www.mycsg.com/Citrix/XenApp1/

 

 

 

 

The connection works, but nada on the rewrite.

 

 

 

Thanks,

 

 

 

 

 

application delivery
dev
devops
iRules

1 Reply

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Sep 20, 2010
    Hi Jon,

     

     

    I'm guessing there is a more effective way to handle this on the Citrix servers. Could you tell them to use XenApp1 in their references to themselves for internal clients?

     

     

    If not, you'd need to tell LTM to collect the TCP payload using the TCP::collect command. However, isn't the content you want to rewrite in the server response data? If so, could you try SERVER_CONNECTED and SERVER_DATA instead?

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/server_data

     

     

    Aaron