Citrix_APM_ Helper

Problem this snippet solves:

With the combination of BIG-IP Access Policy Manager (APM) and Citrix XenApp, organizations can deliver a complete remote access solution that allows for scalability, security, compliance and flexibility.

This iRule comprises the second part of two iRules that are part of the Citrix Secure Access deployment. The complete installation instructions for this setup will be located in the solutions section of F5.com shortly.

With this iRule, users can connect using BIG-IP APM's secure proxy mode, allowing for connections to XenApp from a variety of clients including Citrix Receiver, PN Agent and Dazzle.

Code :

when CLIENT_ACCEPTED {
    TCP::collect 7
}
when CLIENT_DATA {
    if { [TCP::payload 7] equals "CONNECT" } {
        SSL::disable
    }
    TCP::release
}
when HTTP_REQUEST {
    if { [HTTP::method] equals "CONNECT" } {
        set authstr [HTTP::header Proxy-Authorization]
        set authstr [lindex [ split $authstr " " ] 1 ]
        set remainder [ lindex [split [expr [string length $authstr] / 4.0 ] "." ] 1 ]
        if { $remainder != "0" } {
            if { [regsub -all {(A=)} $authstr = newstring] > 0 } {
                set authstr $newstring
            }
        }
        set authstr [b64decode $authstr]
        set tmm_apm_disp_sess_id [string range [lindex [split $authstr ":"] 0] 24 32]
        set authstr [ lindex [ split $authstr ":" ] 1 ]
        set ipport [split $authstr "-" ]
        set ip [ lindex $ipport 0 ]
        set port [ lindex $ipport 1 ]
        if { [matchclass CitrixAppServers equals "$ip-$port"] == 0 } {
            log -noname accesscontrol.local1.error "01490000
            reject
            return
        }
        node $ip $port
        TCP::respond "HTTP/1.0 200 Connection established\r\n\r\n"
        HTTP::disable discard
        SSL::enable
        SSL::collect
    }
}
when CLIENTSSL_DATA {
    binary scan [SSL::payload] c socksver
    if { $socksver != 5 } {
        SSL::release
        return
    }
    SSL::payload replace 0 [SSL::payload length] {}
    if { [info exists socks_connect] } {
        SSL::respond [binary format H2H2H2H2H2H2H2H2H2H2 05 00 00 01 00 00 00 00 00 00]
        SSL::release
    } else {
        set socks_connect {}
        SSL::respond [binary format H2H2 05 00]
        SSL::collect
    }
}
Published Mar 16, 2015
Version 1.0
application delivery
citrix
devops
iRules
No CommentsBe the first to comment