Everything posted by DavidKirby

  1. Have not posted on discussions in a long, long time, but it appears there has been some cleanup, as all past history is gone and I am a newbie again.
  2. I have an issue where a rewrite policy bound to a gateway virtual server is not triggering. I have seen past articles which suggest it is due to HTTP compression of the response and to remove the Accept-Encoding header. I have added a policy to remove the header, which is triggering.

     This is the scenario: Unified Gateway with Clientless access enabled, providing RDP Proxy with published RDP URLs. I want to trigger rewrite upon a request for an RDP Proxy URL. I have tried the following expressions:

         "http.req.url.set_text_mode(ignorecase).contains(\"rdpproxy\")"

     or checking for the existence of 'NSC_NONCE=' in the URL:

         "http.req.url.set_text_mode(ignorecase).contains(\"NSC_NONCE\")"

     The request headers are, for example:

         GET /rdpproxy/srvtest01..somedomain.com?pol_name=srvtest01&NSC_NONCE=5NsxdQp6SMr256eQ HTTP/1.1
         Host: gateway.som.nats.co.uk
         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
         Accept-Language: en-GB,en;q=0.5
         Accept-Encoding: gzip, deflate, br
         Connection: keep-alive
         Cookie: NSC_AAAC=0eec9dfa847021c050c0d17bbe1d971a0af151d9c45525d5f4f58455e445a4a42
         Upgrade-Insecure-Requests: 1
         Sec-Fetch-Dest: document
         Sec-Fetch-Mode: navigate
         Sec-Fetch-Site: none
         Sec-Fetch-User: ?1
         Pragma: no-cache
         Cache-Control: no-cache

     And the response is:

         HTTP/1.1 200 OK
         Strict-Transport-Security: max-age=157680000; includeSubDomains
         X-Content-Type-Options: nosniff
         X-XSS-Protection: 1; mode=block
         Content-Length: 605
         Cache-control: no-cache, no-store, must-revalidate
         Pragma: no-cache
         Content-Type: application/x-rdp; charset=utf-8
         Content-Disposition: attachment; filename=srvtest01_1709721406.rdp

     I have also tried evaluating on the response header:

         "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/x-rdp\")"

     Policies are bound to the correct bind point, and there are no other higher priorities with a go to expression of end.

     Should it be configured in a Clientless Access Policy, as clientless access is enabled? A rewrite policy in a different environment which encrypts the ICA file does not evaluate when clientless access is enabled in the session profile. Therefore I tried the above in a clientless access policy but still couldn't get it to trigger, but the difference is that with RDPProxy the request is not rewritten to /CVPN.

     The requirement for this is because RDP files generated by the NetScaler are not signed, therefore when downloaded by the browser a trust warning is displayed. All that is required is to change the HTTP Response Body and sign it with a certificate. Something along the lines of:

         add rewrite action insert_rdp_sig insert_after "HTTP.RES.BODY(2048)" "(\"signature:s:\").APPEND(HTTP.RES.BODY(2048).PKEY_SIGN_CERTKEY(\"certkeyname\"))"

     Not sure if I can just do an append or I need to do a replace:

         add rewrite action insert_rdp_sig2 replace "HTTP.RES.BODY(2048)" "HTTP.RES.BODY(2048).APPEND(\"signature:s:\").APPEND(HTTP.RES.BODY(2048).PKEY_SIGN_CERTKEY(\"certkeyname\"))"

     Have also logged a call with Citrix.