
One public vServer for all internal resources using Responder, Authentication, Content Switching, Rewriting & AppFW



I am trying to set up a single vServer for public access to all internal resources (web apps, CVAD & RDSGW). Naturally being public, SSL, AAA & AppFW will be factored in later.

 

The goal is for end-users to browse to "netscaler.public.com/APP-A" to access apps at "APP-A.internal.local".

And in a variation of this, some apps may use alternate TCP ports for this web traffic. In this case the user would browse to "netscaler.public.com/APP-B" to access an app running at "APP-B.internal.local:12345".

 

I expect that the solution comes from rewrite policies and actions bound to the load balancing vServer for each app.

 

Ideally if there was a policy/action that could accommodate a variable for the application name and a second variable for the TCP port number, this would save a separate policy/action for each app.

 

Currently I am stuck: after the user requests "contentswitch.public.com/APP-A" they are redirected to "contentswitch.public.com/index.htm" and the request fails with 404 - page not found. This is because the backend server is getting the request as "../APP-A/index.htm" when it should be getting the request as just "../index.htm".

 

Any advice on getting past this 404 would be appreciated.

 

 


I would be tempted to suggest doing this a slightly different way. Give each service its own FQDN:

  • APP-A.public.com
  • APP-B.public.com
  • APP-C.public.com
  • GW1.public.com
  • etc.

These would all resolve to the same IP with a Content Switching vServer directing the traffic to the appropriate service.

 

You could bind any rewrites or responders to either the CS or the LB for the service. As an example, say you wanted to append helpdesk.html to any connection for APP-A.public.com; you could create a responder with a redirect using the following expression:

 

HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("APP-A.public.com") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("helpdesk").NOT

 

Here's an example of the responder policies I had bound to a load balanced VIP for SecurEnvoy to send users to the correct directory for either the enrolment or helpdesk service.

 

[Image: screenshot of the responder policies]

 


"Ideally if there was a policy/action that could accommodate a variable for the application name and a second variable for the tcp-port number, this would save a separate policy/action for each app."

--> you can definitely work with PatternSets and incorporate them into your content switching or rewrite policy - if it's just a few expressions you might just want to regex them

 

Your 404 issue:

--> redirection is not rewriting !!!

--> do something like rewrite action>replace> target would be something like http.req.url.path 

--> connect the action to a policy being activated by something like http.req.url.startswith("/APP-A") or stated ^^ with a PatSet or http.req.url.path.regex_match(re~\/APP-A\/~)

--> replace with "index.html"
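
The prefix-stripping rewrite suggested in the last reply, combined with content switching on the first path segment, as an added NetScaler CLI example that is not from any poster in this thread. All object names (srv_*, svc_*, lb_*, cs_*, rw_*) and the 192.0.2.10 address are assumptions; the back-end host names and port 12345 come from the question.

```netscaler
# Constructed example. Object names and the VIP are hypothetical.

# Back ends. The alternate TCP port is a property of the service,
# so no rewrite has to carry a port number.
add server srv_app_a APP-A.internal.local
add server srv_app_b APP-B.internal.local
add service svc_app_a srv_app_a HTTP 80
add service svc_app_b srv_app_b HTTP 12345

# Non-addressable LB vServers: reachable only through the content switch.
add lb vserver lb_app_a HTTP 0.0.0.0 0
add lb vserver lb_app_b HTTP 0.0.0.0 0
bind lb vserver lb_app_a svc_app_a
bind lb vserver lb_app_b svc_app_b

# One public vServer. The trailing "/" in each rule keeps "/APP-AB/..."
# from matching the APP-A policy. No default target is bound, so a path
# that matches no policy is not forwarded to any back end.
add cs vserver cs_public HTTP 192.0.2.10 80
add cs policy cs_pol_app_a -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/APP-A/\")"
add cs policy cs_pol_app_b -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/APP-B/\")"
bind cs vserver cs_public -policyName cs_pol_app_a -targetLBVserver lb_app_a -priority 100
bind cs vserver cs_public -policyName cs_pol_app_b -targetLBVserver lb_app_b -priority 110

# Rewrite, not redirect: the client still sees /APP-A/index.htm,
# while the back end receives /index.htm.
add rewrite action rw_act_strip_app_a replace "HTTP.REQ.URL.PATH_AND_QUERY" "HTTP.REQ.URL.PATH_AND_QUERY.AFTER_STR(\"/APP-A\")"
add rewrite action rw_act_strip_app_b replace "HTTP.REQ.URL.PATH_AND_QUERY" "HTTP.REQ.URL.PATH_AND_QUERY.AFTER_STR(\"/APP-B\")"
add rewrite policy rw_pol_strip_app_a "HTTP.REQ.URL.PATH.STARTSWITH(\"/APP-A/\")" rw_act_strip_app_a
add rewrite policy rw_pol_strip_app_b "HTTP.REQ.URL.PATH.STARTSWITH(\"/APP-B/\")" rw_act_strip_app_b
bind lb vserver lb_app_a -policyName rw_pol_strip_app_a -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_app_b -policyName rw_pol_strip_app_b -priority 100 -gotoPriorityExpression END -type REQUEST
```

Because each prefix is tied to a fixed LB vServer, the back-end host and port are never derived from the request itself.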
