
Responder Policy and redirect to HTTP external site


Kiran Oddiraju 2


Hi guys,

 

I am using Responder policies to redirect an HTTPS site to an external website which is HTTP only. The user types in https://mydomain.com and gets redirected to http://ext-site.com. When the website is redirected it remains on the HTTP site. Is there a way you can keep the connection secure (HTTPS) end-to-end without making any changes at the external site?

 

Thanks,

Kiran


Remember: Redirect: the user goes to "x" and you send them a redirect to "y"; the user is now making a new connection to the new location "y".

If the place you are sending them is not HTTPS itself, even if you proxy the traffic client to lb vserver (SSL), you still have the ADC to external site HTTP. And if this destination is NOT behind your ADC, then you are still unencrypted on the wire (it just looks encrypted to the user, on the first part of the transaction); there is no security on the backend to the destination in this config.

There is no way to make this traffic SSL end-to-end, since you are not in control of the external web destination.

 

So, while you can "proxy" this traffic between your users and the external destination, it is worth determining what problem you are really solving.

 

In addition, if you create a service normally to an IP address "behind" your ADC, then you have a SNIP to reach this destination.

If you are using your ADC to frontend someone else's site (that you don't host), you still need a SNIP to reach this destination (or alternate IP assigned by net profile) and you may require a SNIP in your "public" network to reach the destination IP.

Basic example:

add service svc_extweb1 <extIP> HTTP 80

add lb vserver lb_vsrv_extweb SSL <VIP> 443

bind lb vserver lb_vsrv_extweb svc_extweb1

Ensure you have a SNIP in the public network (or other alternate IP via net profile) that can be used for ADC to server traffic.

 

 

As for why your specific config didn't work, can you share what you tried? You shouldn't be caching at all until you are sure load balancing works.

 

I still feel the responder policy is the best way to get the user to something that is not your application destination. And if their site isn't doing HTTPS, I'm not sure you can completely "fix" this from the ADC.

 

 

 

 

 

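The difference between the redirect setup and the proxy setup discussed above can be checked from the client side. The following is an added example, not part of the original posts and not Citrix code: a Python check that walks a recorded redirect chain and flags each hop that drops from HTTPS to HTTP. The function name and the response maps are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit_redirect_chain(start_url, responses, max_hops=10):
    """Follow recorded redirects and report every HTTPS -> HTTP hop.

    `responses` maps URL -> (status, Location or None). It is a constructed
    stand-in for real HTTP responses so the check runs offline.
    """
    hops, downgrades, seen = [], [], set()
    url = start_url
    while url not in seen and len(hops) < max_hops:  # stop on loops
        seen.add(url)
        status, location = responses.get(url, (None, None))
        hops.append((url, status))
        if status not in REDIRECT_CODES or not location:
            break
        target = urljoin(url, location)  # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((url, target))
        url = target
    final_url = hops[-1][0] if hops else start_url
    return {
        "hops": hops,
        "downgrades": downgrades,
        "final_url": final_url,
        "final_is_https": urlsplit(final_url).scheme == "https",
    }


# Constructed responses modelling the thread's scenario (not captured traffic).
REDIRECT_SETUP = {
    "https://mydomain.com/": (302, "http://ext-site.com/"),
    "http://ext-site.com/": (200, None),
}
# Proxy setup from the reply: the SSL vserver answers directly, so the client
# never leaves HTTPS. The ADC-to-server HTTP leg is not visible from here.
PROXY_SETUP = {"https://mydomain.com/": (200, None)}

if __name__ == "__main__":
    for name, data in (("redirect", REDIRECT_SETUP), ("proxy", PROXY_SETUP)):
        result = audit_redirect_chain("https://mydomain.com/", data)
        print(name, result["final_url"], result["downgrades"])
```

A clean result for the proxy case only describes the client-to-vserver leg; as the reply points out, the ADC-to-server connection is still HTTP.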
