Citrix ADC Web Chaining to replace MS ISA

We are moving to a Citrix ADC to support the Reverse Proxy functions currently provided by a legacy MS ISA server. Further to this we need to support Web Chaining, currently implemented by the ISA, to forward to specific internal servers. To send the proxy protocol to the back-end server I am following this: https://support.citrix.com/article/CTX224265

 

One challenge is that the end servers are running multiple HTTPS services on 2/3 different non-standard ports, not 443. We also only have a Standard license, as only reverse proxy and Web Chaining are required; no other Forward Proxy functions or SSL inspection is needed.

 

I'm thinking I'll need to use a CS V-Server with && policies, or using String sets rather than Pattern sets, to identify requests to the different servers and service ports. These can then be directed to individual LB V-Servers and on to Services configured for each of these non-standard ports.

 

Will this work when defining the CS V-Server as service type HTTP? Or will this always require the service type to be defined as PROXY, requiring the addition of a Premium Edition license?

You can configure HTTPS servers and services on any port and then configure a single decision-making content switch with properly configured policies to proxy connections to the requested backend vserver (backend LB vservers do not even need an IP).

 

For HTTPS backend services you will need an HTTPS CS (with a SAN or wildcard cert, or configure SNI); HTTPS services cannot be bound to HTTP vservers.

 

BR, 

G
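The design G describes above (one SSL content-switching vserver with SNI in front of non-addressable LB vservers, one per backend port) looks like the following in NetScaler/Citrix ADC CLI syntax. This is an added example, not configuration posted in the thread or by Citrix; every name, IP address, port, hostname and certificate file is a constructed placeholder. It covers only the reverse-proxy, Host-based routing case; it does not make the vserver accept HTTP CONNECT.

```text
# Added example, not from the thread. All names, IPs, ports and cert files are placeholders.

# Backend HTTPS services on non-standard ports: one SSL service per server+port
add server srv-app1 10.0.0.11
add server srv-app2 10.0.0.12
add service svc-app1-8443 srv-app1 SSL 8443
add service svc-app1-9443 srv-app1 SSL 9443
add service svc-app2-8444 srv-app2 SSL 8444

# Non-addressable LB vservers (IP 0.0.0.0, port 0) reachable only through the CS vserver
add lb vserver lb-app1-8443 SSL 0.0.0.0 0
add lb vserver lb-app1-9443 SSL 0.0.0.0 0
add lb vserver lb-app2-8444 SSL 0.0.0.0 0
bind lb vserver lb-app1-8443 svc-app1-8443
bind lb vserver lb-app1-9443 svc-app1-9443
bind lb vserver lb-app2-8444 svc-app2-8444

# Front-end SSL content-switching vserver with SNI so each hostname presents its own cert
add cs vserver cs-proxy SSL 192.0.2.10 443
set ssl vserver cs-proxy -SNIEnable ENABLED
add ssl certKey cert-app1 -cert app1.example.com.pem -key app1.example.com.key
add ssl certKey cert-app2 -cert app2.example.com.pem -key app2.example.com.key
bind ssl vserver cs-proxy -certkeyName cert-app1 -SNICert
bind ssl vserver cs-proxy -certkeyName cert-app2 -SNICert

# CS actions point at the LB vservers; policies key on Host header (plus path for app1's second port)
add cs action act-app1-8443 -targetLBVserver lb-app1-8443
add cs action act-app1-9443 -targetLBVserver lb-app1-9443
add cs action act-app2-8444 -targetLBVserver lb-app2-8444
add cs policy pol-app1-9443 -rule 'HTTP.REQ.HOSTNAME.SERVER.EQ("app1.example.com") && HTTP.REQ.URL.PATH.STARTSWITH("/service2")' -action act-app1-9443
add cs policy pol-app1-8443 -rule 'HTTP.REQ.HOSTNAME.SERVER.EQ("app1.example.com")' -action act-app1-8443
add cs policy pol-app2-8444 -rule 'HTTP.REQ.HOSTNAME.SERVER.EQ("app2.example.com")' -action act-app2-8444

# Lower priority number wins; the more specific path rule must be evaluated first
bind cs vserver cs-proxy -policyName pol-app1-9443 -priority 10
bind cs vserver cs-proxy -policyName pol-app1-8443 -priority 20
bind cs vserver cs-proxy -policyName pol-app2-8444 -priority 30
```

Because the backend services are type SSL, the ADC re-encrypts to the non-standard ports on the Apache hosts, and the CS vserver terminates TLS with the SNI-matched certificate. Requests whose Host header matches no policy fall through to the CS vserver's default (none here), so they are dropped rather than forwarded to an arbitrary backend.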

3 weeks later...

The main purpose of the configuration is to support a legacy process between heavily locked-down servers running Apache. Again, these are currently supported by Web Chaining defined on an MS ISA server. The method of using Proxy Protocol referenced in my link above looks not to be supported by Apache servers, certainly not when they're such legacy servers.

 

Further to this, it also appears that a CS or LB V-Server of type HTTP, SSL or SSL_BRIDGE will not support an HTTP CONNECT from the client to its defined proxy; in this case the ADC V-Server address running HTTP on 8080.

 

Running a packet trace, the client HTTP CONNECT sees the ADC return an HTTP 403 Forbidden. Is this what we'd expect to see when a V-Server type of PROXY is required, and hence an upgrade to a Premium Edition license is necessary?
