I have an issue where a rewrite policy bound to a gateway virtual server is not triggering. I have seen past articles which suggest it is due to HTTTP compression of the response and to remove the Accept-Encoding header. I have added a policy to remove the header which is triggering.
This is the scenario, Unified Gateway with Clientless access enabled providing RDP Proxy with published RDP URLS's. I want to trigger rewrite upon a request for a RDP Proxy URL. I have tried the following expressions.
"http.req.url.set_text_mode(ignorecase).contains(\"rdpproxy\")
or checking for the existence of 'NSC_NONCE='in the URL
"http.req.url.set_text_mode(ignorecase).contains(\"NSC_NONCE\")
The request headers are for example
GET /rdpproxy/srvtest01..somedomain.com?pol_name=srvtest01&NSC_NONCE=5NsxdQp6SMr256eQ HTTP/1.1
Host: gateway.som.nats.co.uk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: NSC_AAAC=0eec9dfa847021c050c0d17bbe1d971a0af151d9c45525d5f4f58455e445a4a42
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
And the response is
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=157680000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 605
Cache-control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/x-rdp; charset=utf-8
Content-Disposition: attachment; filename=srvtest01_1709721406.rdp
I have also tried evaluating on the response header.
HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/x-rdp\")"
Policies are bound to the correct bind point, and there are no other higher priorities with a go to expression of end.
Should it be configured in a Clientless Access Policy as clientless access is enabled.
A rewrite policy in a different environment which encrypts the ICA file does not evaluate when clientless access is enabled in the session profile. Therefore I tried the above in a clientless access policy but still couldn't get it to trigger but the difference is with RDPProxy the request is not re-written to /CVPN.
The requirement for this is because RDP files generated by the NetScaler are not signed therefore when downloaded by the browser a trust warning is displayed. All is required is to change the HTTP Response Body and sign it with a certificate. Something along the lines of
add rewrite action insert_rdp_sig insert_after "HTTP.RES.BODY(2048)" "(\"signature:s:\").APPEND(HTTP.RES.BODY(2048).PKEY_SIGN_CERTKEY(\"certkeyname\"))"
Not sure if I can just do an append or I need to do a replace
add rewrite action insert_rdp_sig2 replace "HTTP.RES.BODY(2048)" "HTTP.RES.BODY(2048).APPEND(\"signature:s:\").APPEND(HTTP.RES.BODY(2048).PKEY_SIGN_CERTKEY(\"certkeyname\"))"
Have also logged a call with Citrix