Forum Discussion

Carl_Brothers's avatar
Carl_Brothers
Icon for Employee rankEmployee
Nov 16, 2010

Citrix XenApp APM deployment Guide

Looking into using APM to replace CITRIX CAG/CSG for a new project, but I have a small stumbling block.

 

 

My employer is BIG and has quite a few citrix servers, so the static data group suggested in pages 10 and 11 of the deployment guide PDF is a nonstarter for us. Additionally it does not allow for a dynamic Citrix infrastructure... A plan we have is to deploy the XenApp servers within dedicated vlans/subnets.

 

 

 

How can I effectively modify the Irule and Datagroup to accomodate subnets?

 

 

 

This is the statement from the HTTPConnectProxy_help Irule that consumes the Datagroup CitrixXenAppServers.

 

 

 

if { [matchclass CitrixAppServers equals "$ip-$port"] ne 0 } {

 

 

 

The data in the Datagroup has a string/array like 192.168.3.140-1494 :=1

 

 

 

 

 

I found an Irule example using subnets, and wondered how the datagroup and Irule matchclass could be altered to support such a comparison.

 

 

 

if { [IP::addr [IP::client_addr] eq 192.168.3.0/24] } {

 

 

 

Thanks,

 

 

 

 

CarlB

 

 

 

APM
app sec
security

3 Replies

Sort By
  • Carl_Brothers's avatar
    Carl_Brothers
    Icon for Employee rankEmployee
    Nov 16, 2010
    More background info -

     

     

    I would have three ingress points from major geographical regions into our networks. This would then feed to an existing XenApp/Presentation server environment that spans over 100 servers across the globe from approximately 15 subnets.
  • Carl_Brothers's avatar
    Carl_Brothers
    Icon for Employee rankEmployee
    Nov 17, 2010
    As I was evaluating the options possible, I was thinking of the possible paths to make this check easier:

    - Use the Subnet mask/CIDR notations in the datagroup

     

    - Dynamically update the datagroup at run time as Xenapp servers are learned from the ICA files passed from the Web interface.

     

    - Create a process that would leverage Icontrol to query the XenApp infrastructure for valid hosts and to then update the datagroup.

     

     

     

    What I did not consider was to simply remove this additional validation that the target server is actually valid for this virtual server. As the ICA files are coming from the XML Broker via the Web interface, it is logical to trust that communication, unless you really fear a man in the middle type attack that would generate ica files.

     

     

     

    So I have my solution for now.

     

     

     

    I would like to know if there is a routine in iRules to match an IP to a subnet in CIDR notation.

     

     

     

    Thanks,

     

     

     

    CarlB

     

  • Nojan_Moshiri_4's avatar
    Nojan_Moshiri_4
    Historic F5 Account
    Dec 01, 2010
    Hi Carl, this is a valid point and a great suggestion for scaling out this solution for environments that are so large. I think the iRule can be modified to support a subnet and I'll experiment with this and get back to you.

     

     

    I think there is a valid concern of redirection attempts more than just man-in-the-middle attacks, so a valid list is probably something you want to get back to sooner rather than later.