
cVPN rewrite fails on path and query


Kari Ruissalo


Hi,

I have a problem with a cVPN destination which we're unable to publish with any other methods due to other restrictions.

The initial web site opens nicely and everything shows as it should. This page is a logon page.

After we enter our credentials we run into problems and get a 503 response for our POST request.

Our logon URL is like:

https://ugw.company.com/cvpn/{hash}/application/login

... but when we're trying to log in I'm seeing that the request URL is missing the {hash} bit, so it looks like:

https://ugw.company.com/otherpath/api/v1/authentication/login

And this gives us a 503 response.

If I edit and resend the request (Firefox developer tools) like this:

https://ugw.company.com/cvpn/{hash}/otherpath/api/v1/authentication/login

I get a 200 response.

If I set the cVPN URL encoding to "Clear" in the session policy, I can see that I'm missing the internal server name which is hashed in the normal use case.

Is there a way to leverage Clientless Access Policies/Profiles to circle around this issue?

 


Difficult to provide specific inputs without actually looking at the HTML / JS received at the client.

From experience, that 503 response tells you the form submit URL was not rewritten properly, so you ended up submitting to /url instead of /cvpn/url.

From the HTML / JS on the page try to locate the form submit action for login and work from there.

See if these help.

https://support.citrix.com/article/CTX232291

https://support.citrix.com/article/CTX122984


3 months later...

Hi Kari or someone else,

We got a similar problem with this, maybe you can help me solve it. I tried a couple of things to make it work but till now I have no clue how to solve it.

With a CVPN bookmark we publish an internal URL to be accessible through the Unified Gateway.

We are redirected to the page we are looking for. But the page is not displaying correctly because the page is missing some files (JavaScript, CSS).

When I look into the code the path to these files is not correct. The path looks like this:

https://gw.test.nl/cvpn/monaco/MonacoEncryptie.js

It has to be:

https://gw.test.nl/cvpn/aHR0cHM6Ly9tb25hY28uc2Z2Zy5ubA/monaco/MonacoEncryptie.js

I tried a couple of things with a responder policy but it didn't work out.

I hope you can help me any further.

Regards,

Richard

[Attachment: link references on the home page of the internal website.png]

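Both posts above describe the same symptom: a page fetched through a cVPN bookmark contains references (a form action, a script or stylesheet path) that were not rewritten under /cvpn/<token>/, so the browser requests them outside the clientless VPN namespace and the gateway answers 503 or 404. The first reply suggests locating those references in the HTML by hand; the script below automates that check. It is an added example, not code from the thread or from Citrix. It assumes the token is unpadded base64 of the internal origin, which is what Richard's example token decodes to (aHR0cHM6Ly9tb25hY28uc2Z2Zy5ubA is https://monaco.sfvg.nl); with other cVPN URL-encoding settings the token looks different, so pass the token you actually observe in a working URL. The sample HTML and the function names are constructed for the demo.

```python
# Added example (not from the thread or from Citrix): audit the references in a page
# served through a cVPN bookmark and report which ones escaped the /cvpn/<token>/
# namespace, the situation behind the 503 in Kari's post and the missing JS/CSS in
# Richard's. Function names and the sample HTML below are constructed for the demo.
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit

CVPN_PREFIX = "/cvpn/"


def origin_token(origin: str) -> str:
    """Unpadded base64 of the internal origin.

    Reproduces the token shown in Richard's example for https://monaco.sfvg.nl.
    Assumption: only this encoding is handled; with other cVPN URL-encoding settings
    the token differs, so pass the token you actually observe to audit().
    """
    return base64.b64encode(origin.encode()).decode().rstrip("=")


def token_origin(token: str) -> str:
    """Inverse of origin_token: restore base64 padding and decode."""
    return base64.b64decode(token + "=" * (-len(token) % 4)).decode()


class RefCollector(HTMLParser):
    """Collect form actions and script/stylesheet/image/anchor targets from HTML."""

    WATCHED = {"form": "action", "script": "src", "link": "href", "img": "src", "a": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def classify(ref: str, gateway_host: str, token: str):
    """Return (status, corrected_ref) for one reference.

    ok          - already under /cvpn/<token>/ on the gateway
    relative    - resolved by the browser under the current /cvpn/<token>/... path
    foreign     - absolute URL to another host; not handled by this check
    unrewritten - absolute path that escaped the cVPN namespace (the 503 case)
    """
    parts = urlsplit(ref)
    expected = CVPN_PREFIX + token + "/"
    absolute = bool(parts.scheme or parts.netloc)
    if absolute and parts.netloc != gateway_host:
        return "foreign", ref
    if not absolute and not parts.path.startswith("/"):
        return "relative", ref
    if parts.path.startswith(expected):
        return "ok", ref
    # Either no /cvpn/ at all (/otherpath/...) or /cvpn/ with the token dropped
    # (/cvpn/monaco/...): re-insert the token, keeping the query string.
    if parts.path.startswith(CVPN_PREFIX):
        tail = parts.path[len(CVPN_PREFIX):]
    else:
        tail = parts.path.lstrip("/")
    fixed = expected + tail + ("?" + parts.query if parts.query else "")
    if absolute:
        fixed = f"{parts.scheme}://{parts.netloc}{fixed}"
    return "unrewritten", fixed


def audit(html: str, gateway_host: str, token: str):
    """Classify every collected reference; returns [(tag, ref, status, corrected)]."""
    collector = RefCollector()
    collector.feed(html)
    return [(tag, ref) + classify(ref, gateway_host, token) for tag, ref in collector.refs]


# Constructed sample page, mixing the patterns from both posts in the thread.
SAMPLE_HTML = """
<form action="/otherpath/api/v1/authentication/login" method="post"></form>
<script src="/cvpn/monaco/MonacoEncryptie.js"></script>
<link rel="stylesheet" href="/cvpn/aHR0cHM6Ly9tb25hY28uc2Z2Zy5ubA/monaco/style.css">
<script src="app.js"></script>
<a href="https://example.org/help">help</a>
"""

if __name__ == "__main__":
    token = origin_token("https://monaco.sfvg.nl")
    print("token", token, "->", token_origin(token))
    for tag, ref, status, fixed in audit(SAMPLE_HTML, "gw.test.nl", token):
        print(f"{status:12} <{tag}> {ref}" + (f"  => {fixed}" if fixed != ref else ""))
```

Run it against the HTML saved from the browser's developer tools (the response body, not the DOM after scripts have run) and the "unrewritten" lines are the references to chase in the rewrite or clientless access profile: a form action that still lacks the token is the POST that comes back with 503, and a script or stylesheet path with the token dropped is the half-rendered page from Richard's post. References that scripts build at runtime never appear in the static HTML, so an empty report does not prove the page is clean.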

2 weeks later...

On 5/16/2019 at 3:39 PM, Richard van Brandwijk1709158041 said:

We got a similar problem with this, maybe you can help me solve it. [...]

Hi richardvbrandwijk,

Is it an option to just reverse proxy it? So establish something like this?:

Internal address = mysecretserver.mydomain.local

External address = mynotsosecretserver.test.nl

... I've found in several cases that the cVPN rewrites tend to break, but the hostname is much easier to locate from the requests and rewrite. This should leave your path and query untouched. If you have at least Advanced level licensing, you can require the users to authenticate with AAA or GW vServer before allowing them to access the application.

The major difference is that the hostname doesn't get encrypted and you need to have the "mynotsosecretserver.test.nl" added to your DNS and have a matching cert if you're using HTTPS.


3 weeks later...

Hi Kari,

Thanks for your answer on my post.

We solved it with your solution; with CVPN it didn't work at all.

Externally we created a DNS record pointing to the content switching vserver.

The content switching vserver has a content switching policy so that every request sent to that URL (external DNS record) is forwarded to a non-addressable LB vserver.

Before forwarding to the non-addressable vserver, the content switching vserver has form-based authentication enabled with an AAA authentication profile.

The AAA authentication profile sends every request to the Unified Gateway where the authentication takes place.

After authentication it will send the user to the non-addressable LB vserver's backend server.
