Different URL same gateway different StoreFront


tohadlock

OK, so I have been asked to do something that I haven't done before so maybe someone can provide me a bit of direction.

 

Production site:

production.mydomain.com/Citrix/Production

 

Test site:

test.mydomain.com/Citrix/Test

 

We would be using the same gateway and the same StoreFront servers but with a different Store.

I know I can set up an AAA group to match an AD group to redirect them to a different NS policy, but that requires changing the user's group membership.

They want to be able to hit either site using the same account.

 

Any ideas where to start?


You can create 2 external DNS entries:

production.mydomain.com

test.mydomain.com

 

They can both resolve to the same vpn gateway.

Create one session profile going to the prod store, and another going to the test store.

Create 2 session policies, each checking the URL entered by the user.

Link the appropriate policy to the corresponding profile.

Bind both session policies to the gateway.


I would assume the policy should look something like this?

HTTP.REQ.URL.CONTAINS("https://testing.medhost.com")

 

I'm getting the following error when I try to attach the policy to the gateway.

"Advanced VPN Session Policy cannot be bound if Classic VPN Session Policy is already bound to any entity (i.e. aaa user, aaa group, vpn vserver, vpn global)"

 

I tried the nspepi tool but something isn't quite right.

 

PL_OS:
CL - REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
AD - HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")

 

PL_WB:
CL - REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
AD - HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && HTTP.REQ.HEADER(\"Referer\").EXISTS

 

 


The error "Advanced VPN Session Policy cannot be bound.." suggests you have a policy bound using an expression in the old/classic format somewhere else on the ADC. Unfortunately you'd need to replace them all before it will let you bind a policy that uses the Advanced expression format.

 

Alternatively you could use the classic expression format, so for the session policy to test the incoming host you would use:

Advanced Expression -  HTTP.REQ.HEADER("Host").CONTAINS("testing.medhost.com")

Classic Expression - REQ.HTTP.HEADER Host CONTAINS testing.medhost.com

 

Combine with your existing session policies:

PL_WB:

REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS && REQ.HTTP.HEADER Host CONTAINS testing.medhost.com

PL_OS:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER Host CONTAINS testing.medhost.com

 

Do the same for the production domain.
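As an added illustration (not code from this thread or from Citrix), the following Python script models the scheme laid out in the two replies above: one session profile per store, selected by session policies that test the Host header alongside the poster's existing User-Agent and Referer checks, all bound to the single gateway vserver. The host names are the thread's own placeholders; the AC_* profile names, the priority numbers and the evaluation model (policies tried in priority order, first match wins) are assumptions and simplifications. It also shows why the first attempt in the thread, HTTP.REQ.URL.CONTAINS("https://..."), cannot match: HTTP.REQ.URL evaluates the request-line target (path and query), which carries no scheme or host.

```python
# Added example for this thread, not code from the thread or from Citrix.
# It models the classic session-policy expressions above in Python so the
# selection of a store can be checked offline against constructed requests.

def header(req, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in req["headers"].items():
        if key.lower() == name.lower():
            return value
    return None

def ua_contains_receiver(req):
    # REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
    return "CitrixReceiver" in (header(req, "User-Agent") or "")

def referer_exists(req):
    # REQ.HTTP.HEADER Referer EXISTS
    return header(req, "Referer") is not None

def host_contains(req, site):
    # REQ.HTTP.HEADER Host CONTAINS <site>  (substring match, not exact)
    return site in (header(req, "Host") or "")

def url_contains(req, text):
    # HTTP.REQ.URL.CONTAINS("<text>"): HTTP.REQ.URL is the request-line
    # target (path and query) only; it never carries the scheme or host.
    return text in req["url"]

def pl_os(site):
    """PL_OS for one site: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
    && REQ.HTTP.HEADER Host CONTAINS <site>"""
    return lambda req: ua_contains_receiver(req) and host_contains(req, site)

def pl_wb(site):
    """PL_WB for one site: REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
    && REQ.HTTP.HEADER Referer EXISTS && REQ.HTTP.HEADER Host CONTAINS <site>"""
    return lambda req: (not ua_contains_receiver(req)
                        and referer_exists(req)
                        and host_contains(req, site))

# Policies bound to the one gateway vserver: (priority, name, rule, session
# profile). Priorities and the AC_* profile names are assumptions.
POLICIES = [
    (100, "PL_OS_TEST", pl_os("test.mydomain.com"), "AC_TEST_STORE"),
    (110, "PL_WB_TEST", pl_wb("test.mydomain.com"), "AC_TEST_STORE"),
    (200, "PL_OS_PROD", pl_os("production.mydomain.com"), "AC_PROD_STORE"),
    (210, "PL_WB_PROD", pl_wb("production.mydomain.com"), "AC_PROD_STORE"),
]

def select_profile(req):
    """Simplified evaluation: lowest priority number first, first match wins.
    Returns (policy name, profile) or None when no policy matches."""
    for _prio, name, rule, profile in sorted(POLICIES, key=lambda p: p[0]):
        if rule(req):
            return name, profile
    return None

# Constructed sample requests, not captured traffic.
RECEIVER_TEST = {
    "url": "/Citrix/Test/discovery",
    "headers": {"Host": "test.mydomain.com",
                "User-Agent": "CitrixReceiver/21.1 (constructed)"},
}
BROWSER_PROD = {
    "url": "/Citrix/Production/",
    "headers": {"Host": "production.mydomain.com",
                "User-Agent": "Mozilla/5.0 (constructed)",
                "Referer": "https://production.mydomain.com/vpn/index.html"},
}
BROWSER_TEST_NO_REFERER = {
    "url": "/Citrix/Test/",
    "headers": {"Host": "test.mydomain.com",
                "User-Agent": "Mozilla/5.0 (constructed)"},
}

if __name__ == "__main__":
    for label, req in (("Receiver -> test", RECEIVER_TEST),
                       ("browser -> prod", BROWSER_PROD),
                       ("browser, no Referer", BROWSER_TEST_NO_REFERER)):
        print(f"{label}: {select_profile(req)}")
    # The thread's first attempt cannot match: the URL has no scheme or host.
    print("URL contains scheme+host:",
          url_contains(RECEIVER_TEST, "https://test.mydomain.com"))
```

Two caveats worth keeping in mind when building this on a real ADC. CONTAINS is a substring test, so a host such as contest.mydomain.com would also satisfy the test-site rule; the advanced form HTTP.REQ.HEADER("Host").EQ("test.mydomain.com") gives an exact comparison. And the Host header is supplied by the client, so these policies choose which StoreFront store a session is pointed at; they are not an access-control boundary, which still rests on authentication and the AAA/StoreFront authorization behind the gateway.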


Thank you gentlemen for your assistance.

 

So I added the "REQ.HTTP.HEADER Host CONTAINS testing.medhost.com" classic expression and it seems to be working.

At some point I guess we'll need to convert the existing "classic" expressions to "advanced" but we seem to be good for now.

 

Your assistance is much appreciated!

 

 


9 minutes ago, Paul Cross said:

Support for classic expressions is being removed from firmware 13.1 onwards. Fingers crossed you don't have 100s of policies that will need converting prior to your next update :)

Agreed, we have a limited amount of policies but they are classic.

Sounds like I should get started with the conversion though.

 

Hey, so I have 2 StoreFront sites (prod & test)

www.mydomain/Citrix/Prod (prod.mydomain.com)

www.mydomain/Citrix/Test (test.mydomain.com - Using new policy you guys already helped with)

 

When I ping prod from the NS shell I get a 127.0.0.1

When I ping test from the NS shell I get what is put in DNS which is a different address that is a VIP on the NS.

Both addresses are entered into our DNS pointing to the VIP.

 

Prod has a callback which seems to be working as it did.

If I put the new callback in for test I get the "Cannot complete your request" fun stuff.

If I remove the callback the error changes to "Cannot start your desktop..."

 

Any ideas?

 

 


Generate the "Cannot complete your request" error again, then on the StoreFront server, in the event logs, go to Application and Services Logs > Citrix Delivery Services. I suspect you'll see something like "None of the AG callback services responded".

 

Worth noting: as both prod and test are using the same Citrix Gateway vserver on the ADC, you can use the same callback server address on both in the StoreFront config. So if prod is working, copy the callback address.

 

Are you using the callback address for a particular reason? If you are simply doing ICA proxy you don't need it.


4 minutes ago, Paul Cross said:

Generate the "Cannot complete your request" error again, then on the StoreFront server, in the event logs, go to Application and Services Logs > Citrix Delivery Services. I suspect you'll see something like "None of the AG callback services responded".

 

Worth noting: as both prod and test are using the same Citrix Gateway vserver on the ADC, you can use the same callback server address on both in the StoreFront config. So if prod is working, copy the callback address.

 

Are you using the callback address for a particular reason? If you are simply doing ICA proxy you don't need it.

 

What I found is whoever set this server up is not using SSL between the STFs and the DDCs.

I have it fixed for now as far as that issue, but will work on the security another day.

I am getting the SSL Error 59 since I am using a different URL than the certificate is deployed for; apparently I have to apply another cert.

I "think" I've got this I hope.

 

Thanks


Gents,

So for whatever reason the NS doesn't seem to like the following Advanced expression.

HTTP.REQ.HEADER("Host").CONTAINS("testing.medhost.com")

 

I tried to convert the expression in nspepi but it didn't seem to work either.

I tried to translate "REQ.HTTP.HEADER Host CONTAINS testing.medhost.com" and this is what it gave me: "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"testing.medhost.com\")"

I tried it without the backslashes but it still didn't work.

I also tried it without the quotes around the expression.

 

What am I doing wrong?


On 5/14/2021 at 7:58 AM, tohadlock said:

So for whatever reason the NS doesn't seem to like the following Advanced expression.

HTTP.REQ.HEADER("Host").CONTAINS("testing.medhost.com")

 

I tried to convert the expression in nspepi but it didn't seem to work either.

I tried to translate "REQ.HTTP.HEADER Host CONTAINS testing.medhost.com" and this is what it gave me: "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"testing.medhost.com\")"

I tried it without the backslashes but it still didn't work.

I also tried it without the quotes around the expression.

 

What am I doing wrong?

 

For best results, if the below doesn't fix it for you, show your input and your error for more help.

It may just be simple syntax stuff (or my guess is you are editing the existing policy from classic to advanced; instead you need to create a new policy2 with advanced to replace the original policy1 with classic).

 

1) If you are working in the GUI and you have an EXISTING policy using the CLASSIC syntax, and you try to select ADVANCED (DEFAULT) and paste in the advanced expression to move the current policy from classic to advanced, it will fail.

Create a NEW policy session_pol_demo2 and make it advanced from the start. Once a policy is created you can't change that instance from classic to advanced or vice versa, but you can create a NEW policy with the new expression type.

 

2) If you are working in the GUI and advanced is selected, then you should be able to paste in the expression without the extraneous quotes, like so:

HTTP.REQ.HEADER("Host").CONTAINS("testing.medhost.com")

 

If you are working in the CLI to create the NEW policy and not editing an existing one (so be sure new policy name is specified), then the expression will need to be surrounded in quotes and internal quotes escaped like so:

"HTTP.REQ.HEADER(\"Host\").CONTAINS(\"testing.medhost.com\")"

OR

you can use single quotes on the outside and non-escaped double quotes inside like so:

'HTTP.REQ.HEADER("Host").CONTAINS("testing.medhost.com")'

 

If you had a compound expression it would look like this (just for reference):

"HTTP.REQ.HEADER(\"Host\").CONTAINS(\"testing.medhost.com\") || http.req.url.path.eq(\"/\")"

OR

'HTTP.REQ.HEADER("Host").CONTAINS("testing.medhost.com") || http.req.url.path.eq("/")'

 

3) The NetScaler syntax (GUI and CLI) only accepts straight quotes like ' and " and will reject smart quotes (the curly ones) you get in editors like Word. What you see here is correct, but other editors might change things. Also use en-dashes (-) and not em-dashes (--), which are converted by Word into a single long "-" which I can't do easily in this editor.
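As an added example (not code from this thread or from Citrix), a small Python helper that produces the two CLI quoting forms from point 2 above and checks for the smart punctuation from point 3 before an expression is pasted into the NetScaler CLI. The command form add vpn sessionPolicy <name> <rule> <action> is the standard CLI syntax for creating a policy; the action name used in the usage lines is an assumption.

```python
# Added example, not code from the thread or from Citrix: turns an advanced
# expression into the two quoted CLI forms described above and rejects the
# smart punctuation that word processors substitute for straight quotes.

SMART_PUNCT = {
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u2013": "-", "\u2014": "-",   # en dash, em dash
}

def find_smart_punct(expr):
    """List (position, character) for every smart quote or dash in expr."""
    return [(i, ch) for i, ch in enumerate(expr) if ch in SMART_PUNCT]

def normalize_punct(expr):
    """Replace smart quotes and dashes with their straight ASCII equivalents."""
    return "".join(SMART_PUNCT.get(ch, ch) for ch in expr)

def cli_double_quoted(expr):
    """Outer double quotes with every inner double quote backslash-escaped."""
    return '"' + expr.replace('"', '\\"') + '"'

def cli_single_quoted(expr):
    """Outer single quotes, inner double quotes left as they are. Only valid
    when the expression itself contains no single quote."""
    if "'" in expr:
        raise ValueError("expression contains a single quote; use cli_double_quoted")
    return "'" + expr + "'"

def add_session_policy_cmd(name, expr, action):
    """Build 'add vpn sessionPolicy <name> <rule> <action>' for a NEW advanced
    policy, refusing expressions that still carry smart punctuation."""
    bad = find_smart_punct(expr)
    if bad:
        raise ValueError(f"smart punctuation at {bad}; paste straight quotes only")
    return f"add vpn sessionPolicy {name} {cli_double_quoted(expr)} {action}"

if __name__ == "__main__":
    expr = 'HTTP.REQ.HEADER("Host").CONTAINS("testing.medhost.com")'
    print(cli_double_quoted(expr))
    print(cli_single_quoted(expr))
    # The action name session_act_demo2 is an assumption for this example.
    print(add_session_policy_cmd("session_pol_demo2", expr, "session_act_demo2"))
    # Constructed paste from a word processor: curly quotes instead of straight.
    pasted = 'HTTP.REQ.HEADER(\u201cHost\u201d).CONTAINS(\u201ctesting.medhost.com\u201d)'
    print("smart punctuation found at:", find_smart_punct(pasted))
    print(add_session_policy_cmd("session_pol_demo2", normalize_punct(pasted),
                                 "session_act_demo2"))
```

The helper only covers the quoting of the rule argument; the policy must still be a new one, as point 1 explains, and binding it to the gateway is a separate bind vpn vserver command that is not shown here.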

 
