When users from outside open the login on Citrix using the public NATted IP, the address in the ICA file is the internal one.
So obviously the external client cannot connect.
I need to catch this .ica file and update this IP to our public IP:1494 for internet users and to an internal VS-IP:1494 for internal users.
The initial request goes to VS:443 on the LTM.
I think I'll need to use another VS and an iRule for port 1494, which Citrix needs. I am only using LTM to do this; I'd appreciate guidance.
**UPDATE 12 OCT 2017**
Just to bump this up and give the current status.
I have this:
`PUBLIC-IP -> 10.9.5.58:443 and 10.9.5.58:1494 -> Storefront:443 -> then based on application I get a different ICA file -> then based on the app it will choose any of these -> 192.168.x.85:1494,2958 or 192.168.x.86:1494,2958`
So after hitting the VIP:443 and authenticating with Storefront:443 the ICA which is sent back to the client contains the FQDN which would look like:
Then this ICA file, when executed, uses TCP:1494 to again go through the FW NAT and hit the VIP:1494, which then should send it to the correct application server based on the application name in the ICA file.
The issue now is matching the APP NAME in the ICA file and sending the traffic to the correct APP server.
I cannot find a way to do this matching.
The appname in the ICA file is recorded as follows:
I have just obscured the appnames with ** but can I match them in the return TCP traffic?
Any ideas on how to go ahead would be great!
Got this working using APM and replaced the storefront with the LTM webtop.
This has been answered before I believe:
Hope that gets you on the right track.
Post back if you get any issues
Yeah, actually I saw that one, but didn't exactly understand how to modify it for my needs!
Ok, you could try something more simple to start with and use a Stream profile to replace the IP address:
Try it with just the profile to start with; it may not require an iRule, especially if you're just replacing one static item with another.
I also need to match on incoming client IP address and replace the ip in the ica file based on internal vs external user?
And this will surely need a new VS, right, for port 1494, as the current VS only listens on 443?
I managed to get the address changed, but there are other applications based on which the StoreFront will send me the ICA. How can I manage that?
The flow is as below:
PUBLIC-IP -> VIP:443 -> Storefront:443 -> then based on application I get a different ICA file -> then based on the app it will choose any of these -> 192.168.x.85:1494,2958 or 192.168.x.86:1494,2958
Appreciate some next steps!
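A sketch of the stream-profile approach suggested above, combined with the internal/external split asked about in the follow-up. This is an added example, not code from any poster in the thread. It assumes an HTTP profile and a stream profile are attached to the 443 virtual server and that the ICA file carries the server as `Address=<ip>:1494`; the internal subnet, the public address and the two server addresses are constructed placeholders.

```tcl
# Added example (not from the thread). Placeholders:
#   10.0.0.0/8          assumed internal client range
#   203.0.113.10:1494   placeholder public NAT address
#   192.0.2.85 / .86    placeholders for the two application servers
when HTTP_REQUEST {
    # Leave the stream filter off unless the response turns out to be an ICA file.
    STREAM::disable

    # Request an uncompressed body so the stream filter sees plain text.
    HTTP::header remove "Accept-Encoding"

    # Pick the address the client should connect back to on port 1494.
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        set ica_target "10.9.5.58:1494"       ;# internal VS from the thread
    } else {
        set ica_target "203.0.113.10:1494"    ;# public NAT address (placeholder)
    }
}

when HTTP_RESPONSE {
    # Rewrite only ICA launch files, never other StoreFront responses.
    if { [string tolower [HTTP::header value "Content-Type"]] starts_with "application/x-ica" } {
        STREAM::expression "@Address=192.0.2.85:1494@Address=$ica_target@ @Address=192.0.2.86:1494@Address=$ica_target@"
        STREAM::enable
    }
}
```

This only rewrites the address in the launch file. Because both server addresses collapse to one target, it does not by itself solve the per-application server selection on port 1494 raised earlier in the thread.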