
Need iRule to modify Citrix ICA enrollment IP address And Match AppNames in ICA File

Hi,

When users from outside log in to Citrix using the public NATted IP, the address in the ICA file is the internal one.

<pre>`[Enrollment Informat]
Address=192.168.4.86:1494
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
`</pre>

So obviously the external client cannot connect. 

I need to catch this .ica file and update this IP to our public IP:1494 for internet users and to an internal VS-IP:1494 for internal users.

The initial request goes to VS:443 on the LTM.

I think I'll need to use another VS and an iRule for the port 1494 which citrix needs. I am only using LTM to do this, appreciate guidance.

**UPDATE 12 OCT 2017**

Just to bump this up and give the current status.

I have this:

`PUBLIC-IP -> 10.9.5.58:443 and 10.9.5.58:1494 -> Storefront:443 -> then based on application I get a different ICA file -> then based on the app it will choose any of these -> 192.168.x.85:1494,2958 or 192.168.x.86:1494,2958`

So after hitting the VIP:443 and authenticating with Storefront:443 the ICA which is sent back to the client contains the FQDN which would look like:

<pre>`[Enrollment Informat]
Address=FQDN
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
`</pre>

Then this ICA, when executed, uses TCP:1494 to again go through the FW NAT and hit the VIP:1494, which then should send it to the correct application server based on the application name in the ICA file.

The issue is now matching the APP NAME in the ICA file and sending the traffic to the correct APP server.

I cannot find a way to do this matching.

The appname in the ICA file is recorded as follows:

<pre>`[ApplicationServers]
AppDesign-8***_1=

[ApplicationServers]
PS*ISDE***-**_1=
`</pre>

I have just obscured the appnames with ** but can I match them in the return TCP traffic?

Any ideas on how to go ahead would be great!

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Got this working using APM and replaced the storefront with the LTM webtop.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This has been answered before I believe:

https://devcentral.f5.com/questions/irule-required-to-change-citrix-ica-ip-address

Hope that gets you on the right track. Post back if you get any issues

MP

0
Comments on this Answer
Comment made 10-Oct-2017 by David Fish 143

Yeah, actually I saw that one, but didn't exactly understand how to modify it for my needs!

0
Comment made 10-Oct-2017 by Lee Sutcliffe 2650

Ok, you could try something more simple to start with and use a Stream profile to replace the IP address:

https://support.f5.com/csp/article/K8115

Try it with just the profile to start with, it may not require an iRule, especially if you're just replacing one static item with another

0
Comment made 10-Oct-2017 by David Fish 143

I also need to match on incoming client IP address and replace the ip in the ica file based on internal vs external user?

And this will surely need a new VS, right, for the port 1494, as the current VS only listens on 443?

0
Comment made 11-Oct-2017 by David Fish 143

I managed to get the address changed, but the thing is there are other applications based on which the StoreFront will send me the ICA. How can I manage that?

The flow is as below:

PUBLIC-IP -> VIP:443 -> Storefront:443 -> then based on application I get a different ICA file -> then based on the app it will choose any of these -> 192.168.x.85:1494,2958 or 192.168.x.86:1494,2958

Appreciate some next steps!

0
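The address rewrite discussed in this thread (a Stream profile plus a check on the client address), sketched as an iRule. This is an added example, not code from any of the posters or from F5. It assumes the 443 virtual server terminates TLS and has HTTP and Stream profiles attached, that StoreFront serves the ICA file as `application/x-ica`, that internal clients come from RFC 1918 ranges, and that `203.0.113.10` stands in for the real public IP.

```tcl
# Added example for the VS:443 virtual server (HTTP + blank Stream profile attached).
# ASSUMED values: 203.0.113.10 is a placeholder for the public NAT address;
# 10.9.5.58 is the VIP named in the question; RFC 1918 ranges are treated as "internal".

when HTTP_REQUEST {
    # Never rewrite request bodies.
    STREAM::disable

    # Ask StoreFront for an uncompressed response so the stream filter sees plain text.
    HTTP::header remove "Accept-Encoding"

    # Classify the client once per request, before any SNAT on the server side.
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] ||
         [IP::addr [IP::client_addr] equals 172.16.0.0/12] ||
         [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
        set ica_addr "10.9.5.58:1494"
    } else {
        set ica_addr "203.0.113.10:1494"
    }
}

when HTTP_RESPONSE {
    # Default to no rewriting; only ICA launch files are touched.
    STREAM::disable

    set ctype [string tolower [HTTP::header value "Content-Type"]]
    if { $ctype starts_with "application/x-ica" } {
        # Replace the internal address from the question with the address chosen
        # for this client. The dots are regex wildcards here, which still matches
        # the literal address.
        STREAM::expression "@Address=192.168.4.86:1494@Address=$ica_addr@"
        STREAM::enable
        log local0.info "ICA rewrite for [IP::client_addr] -> $ica_addr"
    }
}
```

The internal/external split only works if the firewall NAT preserves the original source address; if it source-NATs external users to an internal range, every client will be classified as internal.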