Forum Discussion

David_G__33241's avatar
David_G__33241
Icon for Nimbostratus rankNimbostratus
Feb 22, 2016

Webtop with Citrix links and Portal links

I have built a Citrix portal using the iApp and it works exactly as expected. The individual Citrix applications are displayed directly on the webtop. All is good. I then added some regular portal links to the webtop however when I click on the portal link I get a web page not available. I am getting this in the packet log:

allow ACL: /PORTAL/allow-remaining_acl:0 packet: https://vpn.company.com/f5-w-687474703a2f2f7777772e696e742e636f6d70616e792e636f6d$$/ tcp 1.2.3.4:50236 -> 10.1.2.87:443
allow ACL: /PORTAL/allow-remaining_acl:0 packet: https://vpn.company.com/f5-w-687474703a2f2f7777772e696e742e636f6d70616e792e636f6d$$/ tcp 1.2.3.4:50238 -> 10.1.2.87:443
allow ACL: /PORTAL/allow-remaining_acl:0 packet: https://vpn.company.com/f5-w-687474703a2f2f7777772e696e742e636f6d70616e792e636f6d$$/ tcp 1.2.3.4:50239 -> 10.1.2.87:443

687474703a2f2f7777772e696e742e636f6d70616e792e636f6d is http://www.int.company.com which is the portal link I created 1.2.3.4 is the IP address of the remote user 10.1.2.87 is the IP address of the Big IP (NAT on external facing FW)

The portal link actually has packet logging enabled however it is not showing up in the log. Instead the last ACL which allows all is catching and logging the traffic.

Just to prove that everything works, I created from scratch a regular portal (ie non-Citrix) in another partition. This produces the normal log messages and works as expected:

allow ACL: rewrite_/TEST/www.int.company.com:0 packet: http://www.int.company.com/resources/Styles/assets/images/iconTravelBookings.png tcp 1.2.3.4:50158 -> 192.168.10.10:80
allow ACL: rewrite_/TEST/www.int.company.com:0 packet: http://www.int.company.com/resources/Styles/assets/images/iconPasswordReset.png tcp 1.2.3.4:50160 -> 192.168.10.10:80
allow ACL: rewrite_/TEST/www.int.company.com:0 packet: http://www.int.company.com/resources/Styles/assets/images/iconThankYouCards.png tcp 1.2.3.4:50161 -> 192.168.10.10:80

In this case the proper rewrite is happening and the traffic is being proxied to www.int.company.com which sits on IP 192.168.10.10:80

I can see some differences between the configuration built by the Citrix iApp and the manual configuration that I built, however I cannot figure out what is wrong. I thought I had copied all of the important parts from the working portal over to the Citrix build but I must be missing something. I would expect that after adding the rewrite profile to the Citrix config that the log entries would begin with rewrite but they don’t.

Any suggestions?

APM 11.5.3

2 Replies

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account
    One issue is the Citrix iApp has internal irules which will run every time and you might not want them to run for your portal access. What about instead of portal access links, use a weblink to another portal access vip on the box? If you use a multi-domain cookie, you can access it without having to log in, but you do need an extra ip / hostname. Otherwise I'd try disabling irule events whenever you get a portal request, make sure the serverssl profile is the same as your working case, and packet capture the backend to see if any packets are leaving and what's happening to them.
  • Greg_Crosby_319's avatar
    Greg_Crosby_319
    Historic F5 Account
    Where do you see traffic from the client going when selecting int.company.com portal? Is it going to apm ip address or 192.168.10.10:80?