Forum Discussion

Tony_Kroukamp_1
Oct 02, 2013

Need to modify Citrix ICA file

I have Citrix deployed through F5 using an iApp, and all is working fine. I have one app that is published through Citrix that interrogates the connecting PC for that machine's computer name; this computer name has to be white listed in this app to allow access. When accessing this app through F5 the computer name comes back as something like "F5-3995e0d6". The hex number is based off of the session ID in F5 and changes at each connect. This causes the app to fail since I can't white list all the possible computer names. When I look at the ICA file generated for this app, I see an entry saying "ClientName=F5-3995e0d6". I would like to somehow change this entry and potentially hard code this client name entry to something that I can then white list.

 

Can anyone give me some advice as to how I might accomplish this?

 

Thanks in advance.

 

7 Replies

  • We are currently using an iRule with a stream replacement to modify our Citrix ICA files. Our scenario differs in that we know the exact string. You'll have to do the regex to get yours to replace it. If I read this correctly, it's the ICA in the response file that has the ClientName in it. So the examples in this should help you.

     

    https://devcentral.f5.com/wiki/irules.STREAM__expression.ashx

     

    But the stream has worked extremely well for us in our implementation. Being that it is only on the ICA file transmission and login the iRule doesn't get called often.

     

    One last thing, when doing our Citrix implementation we didn't use the iApp, but we also did not run into the problem you're seeing. Is it possible that sending the X-forwarded-for might alleviate this problem for you?

     

    Jason

     

    • Tony_Kroukamp_1
      Hey Jason Thanks for this answer. I am trying this approach, but I'm not having any luck getting it to work. Is there any chance you can share your code so I can modify it for my needs? Thanks Tony
    • Jason_40733
      Sorry, went on vacation. Here is our code. Please note that we had to search for two occurrences and also be aware that case can change in the variable names. This bit us several times until we put in a larger rule that replaced all of the variants of case we saw in the hostname.

          when HTTP_REQUEST {
              # Disable the stream filter for all requests
              STREAM::disable
              set find "stuff.mycompany.net"
              set findagain "STUFF.mycompany.net:1494"
              set replace "192.168.1.2"
              set replaceagain "192.168.1.2:1494"
          }
          when HTTP_RESPONSE {
              # Replace IP addresses in response content with the string
              STREAM::expression "@$find@$replace@ @$findagain@$replaceagain@"
              # Enable the stream filter for this response only
              STREAM::enable
          }

      Not a lot of magic in it, fairly straightforward rule. If anyone has improvements, I'd love to add something to my repertoire.
  • Tony,

     

    Can you please advise on which version of APM you are running, as well as your deployment scenario - are you leveraging BIG-IP as the presentation layer (replacing Web Interface/StoreFront) or integration with WI/StoreFront? And last, but not least, are your clients launching applications through a web browser, or are they connecting directly from Citrix Receiver?

     

  • Hi Michael

     

    I'm running ver 11.3. Yes, BigIP is replacing the Web Interface. They are launching apps through the browser.

     

    Thanks Tony

     

  • Tony,

     

    Thanks for the clarification. A couple of things. First, as far as we know, it is impossible to get the "true" client name when the ICA session is launched through the browser - this is why Citrix prefers to track user sessions by original source IP addresses. I am not aware of a way to have true client name be populated/present when launching ICA sessions through either F5 or Web Interface.

     

    It is possible, however, to do that when the connection originates from Receiver directly. So, if you want to point your Receiver directly to the APM virtual server, it will work and preserve the true client name. You will have to upgrade your BIG-IP to 11.4.0 HF3 or 11.4.1 in order to take advantage of this feature, as it was officially introduced. If you must stay on 11.3.0 for some other reasons, you can open a case with support and request a hotfix for BZ422326.

     

  • Thanks Michael

     

    I understand that getting the true client name is not possible, and it makes complete sense to me as to why F5 made it work this way. I'm not looking to set the true client name, I just would like to change it to something consistent, maybe like 'F5' so I can white list it in the back end application. Any idea how to make that happen?

     

    Connecting directly from the receiver is not an option.

     

    Thanks Tony
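
Added example, not posted by anyone in this thread: a regex variant of the stream-replacement iRule above that rewrites the per-session "ClientName=F5-<hex>" entry to one fixed value. It assumes a stream profile is attached to the virtual server and that the ICA file passes through HTTP_RESPONSE on it (not confirmed in this thread for APM replacing Web Interface); the replacement name "F5-CITRIX" is a placeholder.

```tcl
when HTTP_REQUEST {
    # Keep the stream filter off unless the response turns out to be an ICA file
    STREAM::disable
    # Ask for an uncompressed response so the filter can see the ICA text
    HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
    # Only touch ICA launch files, not every response on the virtual server
    if { [string tolower [HTTP::header value "Content-Type"]] starts_with "application/x-ica" } {
        # Match the key in any case variant, followed by F5-<hex session id>,
        # and replace it with one fixed name ("F5-CITRIX" is a placeholder)
        STREAM::expression {@[Cc][Ll][Ii][Ee][Nn][Tt][Nn][Aa][Mm][Ee]=F5-[0-9A-Fa-f]+@ClientName=F5-CITRIX@}
        # Enable the stream filter for this response only
        STREAM::enable
    }
}
when STREAM_MATCHED {
    # Log each rewrite so it can be confirmed in /var/log/ltm during testing
    log local0. "ICA ClientName rewritten, matched: [STREAM::match]"
}
```

A fixed client name means the back-end whitelist no longer distinguishes one connecting machine from another; every session arriving through this virtual server presents the same name.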