Resolve Citrix Secure Ticket Authority (STA)

Problem this snippet solves:

Optimal Gateway Routing (OGR) for Citrix Storefront is a design whereby a Citrix web client is directed to an ICA Proxy Gateway (ICA-GW) anywhere in the world that is closest to the app/desktop hosting environment (XenApp and XenDesktop servers) which may not be on the same Citrix StoreFront ADC (NetScaler) Gateway (SF-GW) which has authenticated the user. This is in contrast to being directed to a single ADC Gateway device that hosts SF-GW and ICA-GW. In a Citrix ADC deployment, the ICA-GW (not the SF-GW) is responsible for validating/resolving the STA ticket provided by a Secure Ticket Authority (STA) server. Since the ICA-GW is responsible for this validation, it allows OGR to function and send ICA traffic to a different ICA-GW than what was used to download the ICA file from StoreFront.

This iRule will be used to resolve/validate the STA ticket which has already been extracted from the client's ICA proxy request.

How to use this snippet:

See DC Article "Solution for Citrix Optimal Gateway Routing" for implementation.

Code :

##
## Resolver iRule
## To enable detailed iRule debugging, set the static::debug_sta_rslv variable in the RULE_INIT event to 1
## Updated July 14, 2021 by b.otlin@f5.com
##

when RULE_INIT {
    set static::debug_sta_rslv 0
}

when HTTP_REQUEST {
    if { [HTTP::has_responded] } {
        if { $static::debug_sta_rslv } { log local0. "HTTP::has_responded" }
        return
        } else {
           if { $static::debug_sta_rslv } { log local0. "HTTP::has NOT responded" }
        }

    set sta_request [expr {[HTTP::path] == "/f5apm/ctx-sta"}]
    if { $static::debug_sta_rslv } { log local0. "req is [HTTP::uri]" }
    if { $static::debug_sta_rslv } { log local0. "sta req is $sta_request" }

    if {!$sta_request} {
        # exit event if the request was not a STA request
       if { $static::debug_sta_rslv } { log local0. "sta_request does NOT exist, exit event" }
        return
        } else {
        if { $static::debug_sta_rslv } { log local0. "sta_request does exist, continue" }
        }

    sharedvar internal_ica_file_request
    if { [info exists internal_ica_file_request] } {
        if { $static::debug_sta_rslv } { log local0. "internal_ica_file_request exists...return 200 ok to SF APM with mod ICA info" }
        HTTP::respond 200 content \
            "\[ApplicationServers\]\nApp=\n\[App\]\nAddress=;[HTTP::query]" \
            "Content-Type" "application/x-ica"
        if { $static::debug_sta_rslv } { log local0. "unset internal_ica_file_request and exit event" }
        unset internal_ica_file_request
        return
    }
    else {
        if { $static::debug_sta_rslv } { log local0. "internal_ica_file_request does NOT exist, continue" }
    }

    if { [info exists sta_request_sid] } {
        if { $static::debug_sta_rslv } { log local0. "sta_request_sid is $sta_request_sid" }
        if { $static::debug_sta_rslv } { log local0. "insert MRHSession cookie = $sta_request_sid and X-F5-Client header" }
        HTTP::header insert \
            "Cookie" "MRHSession=$sta_request_sid" \
            "X-F5-Client" "citrix-launch"
        VDI::enable
        if { $static::debug_sta_rslv } { log local0. "enable VDI" }

        set internal_ica_file_request 1
        if { $static::debug_sta_rslv } { log local0. "internal_ica_file_request set to 1" }
        SSL::disable serverside
        if { $static::debug_sta_rslv } { log local0. "disable SSL serverside" }
        virtual [virtual name]
        if { $static::debug_sta_rslv } { log local0. "go back to same VS" }

    } else {
        if { $static::debug_sta_rslv } { log local0. "sta_request_sid does NOT exist" }
        HTTP::header insert "clientless-mode" "1"
        if { $static::debug_sta_rslv } { log local0. "insert clientless-mode header" }
    }
}

when HTTP_RESPONSE {
    if { [HTTP::payload] contains "Address=;" } {
        if { $static::debug_sta_rslv } { log local0. "Response payload contains Address=; which denotes an ICA File" }

        set sta_address [HTTP::payload]
        regexp -line {^(?:[^;]*;){2}([^;]*)} $sta_address -> sta1
        regexp -line {^(?:[^;]*;){4}([^;]*)} $sta_address -> sta2
        set STA1 [class match -value -- $sta1 equals sta_dg]
        if { [info exists sta2] } {
            set STA2 [class match -value -- $sta2 equals sta_dg]
            ACCESS::session data set session.citrix.sta_servers "$STA1;$STA2"
             if { $static::debug_sta_rslv } { log local0. "STA from SF is $sta1 and $sta2 resolved to FQDN: $STA1 and $STA2 and adding to access session table" }
            }
        else {
            if { $static::debug_sta_rslv } { log local0. "STA from SF is $sta1 resolved to FQDN: $STA1 and adding to access session table" }
            ACCESS::session data set session.citrix.sta_servers "$STA1"
        }
    } else {
        if { $static::debug_sta_rslv } { log local0. "not an ICA" }
    }
}

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::has_responded] } {
        if { $static::debug_sta_rslv } { log local0. "HTTP has_responded...exit event" }
        return
    }

    if {!$sta_request} {
        if { $static::debug_sta_rslv } { log local0. "sta_request does NOT exist...exit event" }
        return
        }

    if { [HTTP::status] == 200 } {
        if { $static::debug_sta_rslv } { log local0. "HTTP status is 200, remove Set-Cookie header" }
        # There is no need to expose this SID
        HTTP::header remove Set-Cookie
    } else {
        if { $static::debug_sta_rslv } { log local0. " HTTP status is NOT 200, remove access session" }
        # Remove session on failed STA resolution
        ACCESS::session remove
    }
}

when ACCESS_SESSION_STARTED {
    if { !$sta_request } {
        if { $static::debug_sta_rslv } { log local0. "sta_request does NOT exist...exit event" }
        return
        } else {
            if { $static::debug_sta_rslv } { log local0. "sta_request exists...continue" }
        }

    if { $static::debug_sta_rslv } { log local0. "sta_request exists so set 'session.external_sta_ticket' to 1" }
    ACCESS::session data set "session.external_sta_ticket" "1"
}

when ACCESS_POLICY_COMPLETED {
    if { !$sta_request } {
        if { $static::debug_sta_rslv } { log local0. "sta_request does NOT exist...exit event" }
        return
    } else {
            if { $static::debug_sta_rslv } { log local0. "sta_request exists...continue" }
        }

    set sta_request_sid [ACCESS::session sid]
    if { $static::debug_sta_rslv } { log local0. "sta_request_sid is $sta_request_sid" }
}

Tested this on version:

15.1
Published Jul 15, 2021
Version 1.0
No CommentsBe the first to comment