Odd APM logon deny messages

Hi,

Recently I built a portal for my customers so they can access their Citrix published desktop from a remote location. The BIG-IP is only a proxy and does not provide the webinterface portal itself. It all works fine apart from some strange behaviour. Let me first explain what I built.

We have one public URL. Let's call it portal.website.foo. Each customer has its own URI. So customer 1 browses to https://portal.website.foo/customer1. When they do that they hit an iRule which checks the URI and redirects them to the appropriate Citrix Webinterface portal. For customer1 this is https://portal.website.foo/Citrix/Remote-Customer1/auth/login.aspx. Then they access the APM policy which checks for this URI. Depending on the URI the right branch is chosen which handles the authentication and SSO.

So, as mentioned before, this works fine. But when I check the APM access policy reports I see a lot of "logon deny" messages, even though the user is authenticated and has access to his Citrix desktop. The logon deny message mentions a false URI. This is logged via the fallback branch in the APM policy. The URI is different each time, but always something like session.server.landinguri is /Citrix/Remote-Customer1/media/ButtonHoverLeft.png. It looks like the user does visit the correct Citrix WI interface portal, but that some items within that page are seen as different sessions. I don't have a clue where the fault might be. The default switch in the iRule is not hit. I added an "event disable" to see if it might help. It doesn't.

The iRule which is added to the virtual server is this:

when HTTP_REQUEST {

    set reload_page {
        No valid page. Please choose the correct one.
    }

    switch [string tolower [HTTP::uri]] {
        "/customer1" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer1/auth/login.aspx"
        }
        "/customer2" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer2/auth/login.aspx"
        }
        "/customer3" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer3/auth/login.aspx"
        }
        "/" {
            log local0. "iRule : No URI choosen."
            HTTP::respond 200 content $reload_page
        }
        default {
            # Tcl treats only the lowercase spelling as the catch-all arm
            log local0. "iRule : None of the above ;-)"
        }
    }
}

Any help is welcome. Thank you.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Your problem is in your switch condition.
If your client comes with a URI /customer1/test, his request will match your default condition.

You should use the -glob option and a wildcard at the end of your URIs:

when HTTP_REQUEST {

    set reload_page {
        No valid page. Please choose the correct one.
    }

    switch -glob [string tolower [HTTP::uri]] {
        "/customer1*" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer1/auth/login.aspx"
        }
        "/customer2*" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer2/auth/login.aspx"
        }
        "/customer3*" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer3/auth/login.aspx"
        }
        "/" {
            log local0. "iRule : No URI choosen."
            HTTP::respond 200 content $reload_page
        }
        default {
            # Tcl treats only the lowercase spelling as the catch-all arm
            log local0. "iRule : None of the above ;-)"
        }
    }
}
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Thomas,

Thank you for your answer. I understand what you mean. However, I don't think this will help. The URIs that are listed in the "login deny" messages all start with /Citrix. So the URI /customer1 only hits the first time. After that the user gets redirected to the /Citrix URI. I think that the order of events is the following:

  • User browses to /customer1 URI.
  • iRule redirects user to /Citrix/Remote-Customer1/auth/login.aspx
  • APM policy is being accessed and processed
  • user is authenticated with SSO in the Citrix Webinterface
  • user exits APM policy
  • user is redirected by the Citrix Webinterface server to another URI
  • APM policy goes into work for some URIs, not all (but only sometimes, not always)

Maybe this helps narrow it down.

0
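
The matching behaviour discussed in this thread can be checked offline. The following is an added example, not code from any poster: a plain Tcl script that compares the question's exact-match arms, the answer's -glob arms, and a tighter pattern pair on a few URIs. The proc names, the returned arm labels, the sample URIs other than the .png path from the question, and the route_strict variant are assumptions made for illustration.

```tcl
# Added example (not from the thread); runs in plain tclsh without BIG-IP commands.
# Each proc returns the name of the switch arm that a request URI selects.

# Exact matching, as in the question's iRule.
proc route_exact {uri} {
    switch -- [string tolower $uri] {
        "/customer1" { return "customer1" }
        "/customer2" { return "customer2" }
        "/"          { return "reload" }
        default      { return "default" }
    }
}

# -glob with a trailing wildcard, as in the answer's iRule.
proc route_glob {uri} {
    switch -glob -- [string tolower $uri] {
        "/customer1*" { return "customer1" }
        "/customer2*" { return "customer2" }
        "/"           { return "reload" }
        default       { return "default" }
    }
}

# Assumed tighter variant: the bare path, or anything below it.
proc route_strict {uri} {
    switch -glob -- [string tolower $uri] {
        "/customer1" -
        "/customer1/*" { return "customer1" }
        "/customer2" -
        "/customer2/*" { return "customer2" }
        "/"            { return "reload" }
        default        { return "default" }
    }
}

# Constructed sample URIs; the .png path is the one quoted in the question.
set samples {
    /customer1
    /customer1/test
    /customer10
    /Citrix/Remote-Customer1/media/ButtonHoverLeft.png
    /
}

puts [format "%-52s %-10s %-10s %-10s" URI exact glob strict]
foreach uri $samples {
    puts [format "%-52s %-10s %-10s %-10s" $uri \
        [route_exact $uri] [route_glob $uri] [route_strict $uri]]
}
```

The table shows that "/customer1*" also selects the customer1 arm for /customer10, while the /Citrix/... request reaches the default arm in all three variants.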