Getting Around the Logon/Legal Banner Issues when using APM PCoIP Proxy and Horizon

If you're using APM's PCoIP Proxy and require a logon banner, you've probably figured out that the PCoIP Proxy integration stops working when you turn on the integrated logon banner from within the Horizon Administrator. Adding to the pain, internal users can't get any logon banner since you had to turn it off in order for your external access to work!

Well, the wait is over! With the use of a nifty iRule that you can attach to your internal Horizon Connection Servers virtual server, you can now present a banner to BOTH internal users and external users who access Horizon resources using APM PCoIP Proxy.

Here's how it works:

  1. Disable the logon banner through Horizon Administrator - the BIG-IP will handle presenting the banners for internal users (through the iRule) and external users (through the View iApp) instead of Horizon.
  2. Modify the text in the iRule with the text you want to show in the logon banner.
  3. Apply the iRule to your LTM Virtual Server that services internal Horizon users (either manually to the LTM virtual server or through the View iApp).
  4. You're done!

A couple of things to think about when you implement this:

  • If you need to present a legal disclaimer to your external users using the PCoIP Proxy, you can still do that through the Horizon View iApp.
  • Do not apply this to any virtual server running the APM PCoIP Proxy - it's only for providing the logon banner to internal Horizon users. The banner for PCoIP Proxy can be easily enabled through the iApp.
  • It's important to ensure the PCoIP Proxy's Connection Server settings are pointing to the individual connection server(s) and NOT the LTM virtual server that has the Logon Banner iRule applied.

The iRule source is below.

# Attach iRule to iApp created virtual server named "<iapp_name>_internal_https"
# Replace the section “This is a XXX computer system that is FOR OFFICIAL USE ONLY. This
# system is subject to monitoring. Therefore, no expectation of privacy is to be assumed.
# Individuals found performing unauthorized activities are subject to disciplinary action
# including criminal prosecution.” with your desired text.

when RULE_INIT {
    # Debug Level 0=off, 1=on, 2=verbose
    set static::internal_disclaimer_debug 0
}
when CLIENT_ACCEPTED {
    set log_prefix_cs "[IP::remote_addr]:[TCP::remote_port clientside] <-> [IP::local_addr]:[TCP::local_port clientside]"
    if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: CLIENT_ACCEPTED" }
}
when HTTP_REQUEST {
    set bypass 0
    if { [HTTP::uri] starts_with "/portal/info.jsp" } {
        # Portal info requests pass through untouched
        if { $static::internal_disclaimer_debug > 0 } { log local0. "<$log_prefix_cs>: Portal Info request, bypassing further processing" }
        set bypass 1
    } else {
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            # If the header is missing, use a sufficiently large number
            set content_length 5000
        }
        if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Set content-length to $content_length" }
        # Collect the request body so HTTP_REQUEST_DATA can inspect it
        HTTP::collect $content_length
        if { [HTTP::path] == "/broker/xml" && [HTTP::header Expect] == "100-continue" } {
            SSL::respond "HTTP/1.0 100 Continue\r\n\r\n"
            if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Application requested: client requires 100 continue response, sending 100-continue" }
        }
    }
}
when HTTP_REQUEST_DATA {
    # Answer the client's set-locale request with the disclaimer screen
    if { [HTTP::payload] contains "set-locale" and ( not ($bypass)) } {
        HTTP::respond 200 content {<?xml version="1.0"?><broker version="9.0"><configuration><result>ok</result><broker-guid>aaaaaaaa-bbbb-cccc-ddddddddddddddddd</broker-guid><authentication><screen><name>disclaimer</name><params><param><name>text</name><values><value>This is a XXX computer system that is FOR OFFICIAL USE ONLY. This system is subject to monitoring. Therefore, no expectation of privacy is to be assumed. Individuals found performing unauthorized activities are subject to disciplinary action including criminal prosecution.</value></values></param></params></screen></authentication></configuration><set-locale><result>ok</result></set-locale></broker>} noserver "Connection" "close" "Content-Type" "text/xml;charset=UTF-8"
        if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Sending Disclaimer Message" }
    }
    if { [HTTP::payload] contains "disclaimer" } {
        if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Disclaimer Message Accepted - waiting for credentials." }
    }
}

This solution has been tested using Horizon 6.0 (and later) as well as the Horizon 3.0 (and later) Client. Earlier versions of the client and/or Horizon Connection Server could produce unexpected results.
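
When you replace the banner text (step 2), remember that it sits inside an XML <value> element, which in turn sits inside a brace-quoted Tcl string, so an unescaped & or < makes the response XML not well-formed and a stray brace breaks the iRule itself. The Python helper below is an added example, not part of the original iRule: it builds the one-line XML for the HTTP::respond body and parses it back to confirm the text survives. The function names render_banner_xml and extract_banner are hypothetical, and rejecting braces and backslashes outright is a conservative assumption of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Same broker XML as the iRule's HTTP::respond body; the GUID is the iRule's
# own filler value and {text} marks where the banner goes.
TEMPLATE = (
    '<?xml version="1.0"?><broker version="9.0"><configuration>'
    '<result>ok</result>'
    '<broker-guid>aaaaaaaa-bbbb-cccc-ddddddddddddddddd</broker-guid>'
    '<authentication><screen><name>disclaimer</name><params><param>'
    '<name>text</name><values><value>{text}</value></values></param>'
    '</params></screen></authentication></configuration>'
    '<set-locale><result>ok</result></set-locale></broker>'
)

def render_banner_xml(banner: str) -> str:
    """Return one-line broker XML to paste inside HTTP::respond content {...}."""
    text = " ".join(banner.split())  # keep the response on a single line
    if not text:
        raise ValueError("banner text is empty")
    # Assumption: reject Tcl-significant characters outright, since the XML
    # sits inside a brace-quoted Tcl string in the iRule.
    bad = sorted(set(text) & set("{}\\"))
    if bad:
        raise ValueError(f"characters not safe in the Tcl literal: {bad}")
    xml_text = TEMPLATE.format(text=escape(text))
    ET.fromstring(xml_text)  # raises ParseError if not well-formed
    return xml_text

def extract_banner(xml_text: str) -> str:
    """Return the disclaimer text carried by a broker response."""
    root = ET.fromstring(xml_text)
    for screen in root.iter("screen"):
        if screen.findtext("name") == "disclaimer":
            for param in screen.iter("param"):
                if param.findtext("name") == "text":
                    return param.findtext("values/value") or ""
    raise ValueError("response has no disclaimer screen")

if __name__ == "__main__":
    # Constructed sample banner, not an official text.
    sample = "Authorized use only.\nActivity on R&D systems is monitored."
    xml_out = render_banner_xml(sample)
    assert extract_banner(xml_out) == " ".join(sample.split())
    print(xml_out)
```

Paste the printed XML between the braces of the content {...} argument in the iRule.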

Big shout-out to Greg Crosby for his work on the iRule!

Published Sep 29, 2015
Version 1.0