Extract Citrix Secure Ticket Authority (STA)

Problem this snippet solves:

Optimal Gateway Routing (OGR) for Citrix StoreFront is a design in which a Citrix web client is directed to the ICA Proxy Gateway (ICA-GW), anywhere in the world, that is closest to the app/desktop hosting environment (XenApp and XenDesktop servers). That ICA-GW may not be on the same Citrix ADC (NetScaler) StoreFront Gateway (SF-GW) that authenticated the user. This is in contrast to directing the client to a single ADC Gateway device that hosts both the SF-GW and the ICA-GW. In a Citrix ADC deployment, the ICA-GW (not the SF-GW) is responsible for validating/resolving the STA ticket issued by a Secure Ticket Authority (STA) server. Because the ICA-GW performs this validation, OGR can send ICA traffic to a different ICA-GW than the one used to download the ICA file from StoreFront.

This iRule extracts the STA ticket information from the client's ICA proxy request. The iRule then makes a sideband call to a local virtual server that is responsible for validating the STA ticket with the STA server.

How to use this snippet:

See the DevCentral article "Solution for Citrix Optimal Gateway Routing" for implementation details.

Code:

##
## Extractor iRule
## To enable detailed iRule debugging, set the static::debug_sta_extr variable in the RULE_INIT event to 1
## Updated July 14, 2021 by b.otlin@f5.com
##

when RULE_INIT {
    set static::debug_sta_extr 0

    # Session Reliability (CGP) pre-amble: hex 1A followed by ASCII "CGP/01".
    # Written with \u001A rather than \x1A because Tcl's \x escape keeps consuming
    # hex digits, so "\x1ACGP/01" would be parsed as \xAC followed by "GP/01".
    set static::cgp_preamble "\u001ACGP/01"

    # Non-Session Reliability ICA pre-amble: hex 05 01 00 03
    set static::ica_preamble "\x05\x01\x00\x03"
}

# collect TLS data for evaluation
when CLIENTSSL_HANDSHAKE {
    SSL::collect
}

when CLIENTSSL_DATA {
    set data [SSL::payload]
    # initialise so a payload with no ticket cannot leave $ticket undefined
    set ticket ""

    # ICA ticket info follows either pre-amble
    if { $data starts_with $static::cgp_preamble || $data starts_with $static::ica_preamble } {

        # capture the first ';' and the run of word characters/semicolons after it;
        # $ticket stays empty when there is no match
        regexp -line {;([\d\w;]*)} $data -> ticket

        # strip the leading ';' so the ticket can be used as the query string
        set ticket [string trimleft $ticket ";"]

        if { $static::debug_sta_extr && $data starts_with $static::cgp_preamble } { log local0. "CGP with SR ticket is $ticket" }
        if { $static::debug_sta_extr && $data starts_with $static::ica_preamble } { log local0. "ICA without SR ticket is $ticket" }

        if { [string length $ticket] > 0 } {
            # make sideband call to resolver VS
            # resolver VS gets a synthetic ICA download and then performs STA validation
            # wrapped in catch so a resolver outage is logged instead of aborting the client's ICA connection
            if { [catch {
                set conn [connect "sta-resolver-vs"]
                send $conn "GET /f5apm/ctx-sta?$ticket HTTP/1.0\r\nHost: APM\r\n\r\n"
                recv -eol $conn
                close $conn
            } err] } {
                log local0. "STA resolver sideband call failed: $err"
            }
        }
    }

    SSL::release
    SSL::collect
}
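The following Python model is an added example, not part of the original snippet or of any F5 code. It reproduces the extractor's decision logic (the two pre-amble checks, the `;([\d\w;]*)` capture and the leading-semicolon trim) and the sideband request the iRule builds, so the behaviour can be exercised offline on constructed payloads. The framing bytes between the pre-amble and the ticket, and the `;<len>;<STA id>;<ticket>` shape of the ticket, are assumptions made for the sample data; the pre-amble byte values are the ones stated in the iRule's comments.

```python
import re
from typing import Optional

# Pre-ambles the iRule keys on (byte values taken from the iRule's comments)
CGP_PREAMBLE = b"\x1aCGP/01"        # Session Reliability (CGP) wrapper
ICA_PREAMBLE = b"\x05\x01\x00\x03"  # plain ICA, no Session Reliability

# Same capture as the iRule's regexp: first ';' then a run of [A-Za-z0-9_;].
# The narrow class matters: it keeps CR, LF and space out of the captured
# value, which is what makes it safe to splice into the sideband request line.
TICKET_RE = re.compile(rb";([\w;]*)")

# Constructed sample payloads (assumed framing; made-up ticket values):
# pre-amble, a few framing bytes, an STA ticket, then trailing bytes.
SAMPLE_TICKET = b";40;STA1234ABCD;0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_CGP = CGP_PREAMBLE + b"\x00\x12\x00\x01" + SAMPLE_TICKET + b"\x00\x00"
SAMPLE_ICA = ICA_PREAMBLE + b"\x7f" + SAMPLE_TICKET + b"\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\x05hello"        # not an ICA/CGP payload
SAMPLE_CGP_NO_TICKET = CGP_PREAMBLE + b"\x00\x00\x00"


def classify(payload: bytes) -> Optional[str]:
    """Return 'cgp', 'ica' or None, mirroring the iRule's two starts_with checks."""
    if payload.startswith(CGP_PREAMBLE):
        return "cgp"
    if payload.startswith(ICA_PREAMBLE):
        return "ica"
    return None


def extract_ticket(payload: bytes) -> Optional[str]:
    """Return the STA ticket with its leading ';' removed, or None.

    None covers the cases the extractor must not act on: a payload that is
    not ICA/CGP, one with the right pre-amble but no ';...' run, and one
    where the run is only semicolons (empty after the trim).
    """
    if classify(payload) is None:
        return None
    match = TICKET_RE.search(payload)
    if match is None:
        return None
    ticket = match.group(1).lstrip(b";").decode("ascii")
    return ticket or None


def build_resolver_request(ticket: str, host: str = "APM") -> bytes:
    """Build the sideband GET the iRule sends to the resolver virtual server."""
    # TICKET_RE guarantees `ticket` holds only [A-Za-z0-9_;], so the request
    # line cannot be broken by injected whitespace or line terminators.
    return f"GET /f5apm/ctx-sta?{ticket} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


if __name__ == "__main__":
    samples = [("CGP", SAMPLE_CGP), ("ICA", SAMPLE_ICA),
               ("TLS", SAMPLE_TLS), ("CGP-no-ticket", SAMPLE_CGP_NO_TICKET)]
    for name, payload in samples:
        print(f"{name:14s} kind={classify(payload)} ticket={extract_ticket(payload)}")
```

The two `None` paths are the ones worth noting when reviewing the iRule itself: a connection that matches a pre-amble but carries no ticket must not trigger a sideband call, and the character class in the capture is the only thing standing between the client-supplied payload and the HTTP request line sent to the resolver, so it should not be widened without re-checking that request.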

Tested this on version:

15.1
Published Jul 15, 2021
Version 1.0
