Odd APM logon deny messages

Question

Hi,
Recently I build a portal for my customers so they can access their Citrix published desktop from a remote location. The BIG-IP is only proxy and does not provide the webinterface portal itself. It all works fine apart from some strange behaviour.
Let me first explain what I did build.
We have one public url. Let's call it portal.website.foo. Each customer has it's own uri. So customer 1 browses to https://portal.website.foo/customer1. When they do that they hit an iRule which checks the URI and redirects them to the appropriate Citrix Webinterface portal. For customer1 this is https://portal.website.foo/Citrix/Remote-Customer1/auth/login.aspx.
Then they access the APM policy which checks for this URI. Depending on the URI the right branche is choosen which handles the authentication en SSO.
So, as mentioned before, this works fine. But when I check the APM accesspolicy reports I see a lot "logon deny" messages, even thought the user is authenticated and has access to his CItrix desktop. The logon deny message mentions a false URI. This is logged via de fallback branche in the APM policy. The URI is diferent each time, but always something like session.server.landinguri is /Citrix/Remote-Customer1/media/ButtonHoverLeft.png. 
It looks like the user does visit the correct citrix wi interface portal, but that some items within that page are seen as different sessions. I don't have a clue where the fault might be. The default switch in the iRule is not hit. I added a "event disable" to see if it might help. It doesn't.
The iRule which is added to the virtual server is this:
when HTTP_REQUEST {

set reload_page {
        No valid page. Please choose the correct one.
    }

switch [string tolower [HTTP::uri]] {
        "/customer1" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer1/auth/login.aspx"
        }
        "/customer2" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer2/auth/login.aspx"
        }
        "/customer3" {
            event disable
            HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer3/auth/login.aspx"
        }
        "/" {
            log local0. "iRule : No URI choosen."
            HTTP::respond 200 content $reload_page
        }
        Default {
            log local0. "iRule : None of the above ;-)"
        }
    }
}

Any help is welcome. Thank you.

thomas_gobet · Answer

Hi,  
Your problem in on your switch condition.
If your client comes with a URI /customer1/test, his request will match your default condition.  
You should use -glob option and a wildcard at the end of your URIs : 
when HTTP_REQUEST {

set reload_page {

No valid page. Please choose the correct one.

}

switch -glob [string tolower [HTTP::uri]] {
    "/customer1*" {
        event disable
        HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer1/auth/login.aspx"
    }
    "/customer2*" {
        event disable
        HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer2/auth/login.aspx"
    }
    "/customer3*" {
        event disable
        HTTP::redirect "https://portal.website.foo/Citrix/Remote-Customer3/auth/login.aspx"
    }
    "/" {
        log local0. "iRule : No URI choosen."
        HTTP::respond 200 content $reload_page
    }
    Default {
        log local0. "iRule : None of the above ;-)"
    }
}
}

richard_ · Answer

Hi Thomas,&nbsp;
Thanks you for your answer.
I understand what you mean. However, i don't think this will help. The URI's that are listed in the "login deny" messages all start with /Citrix. So the URI /customer1 only hits the first time. After that the user gets redirected to the /Citrix URI.
I think that the order of events is the following:&nbsp;
User browses to /customer1 URI.iRule redirects user to /Citrix/Remote-Customer1/auth/login.aspxAPM policy is being accessed and processeduser is athenticated with SSO in the Citrix Webinterfaceuser exists APM policyuser is redirected by the Citrix Webinterface server to another URIAPM policy goes into work for some URI's, not all (but only sometimes, not allways)
Mayby this helps narrowing it down.

&nbsp;

Forum Discussion

Odd APM logon deny messages

2 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

FIX Message Response

Customizing logon error messages

Modern APM Message Box

suppressed messages in ltm log

ARX: Troubleshooting "CIFS Access Is Denied” Messages