
How to Override the Web Interface 4.5 Client Address Mode Discovery

Document ID: CTX115099   /   Created On: Dec 5, 2007   /   Updated On: May 30, 2008

Summary

When server load balancing (SLB) products are placed in front of Web Interface to provide redundancy for both internal and external users, the ICA client access mode, which Web Interface selects by client IP address, may not follow the client address table configured in the Access Management Console (AMC), because Web Interface sees the load balancer's address rather than the user's.


Requirements

    • Web Interface version 4.5

    • Server Load Balancer product such as Citrix NetScaler that can inject HTTP request headers for configured services

    • A network topology similar to that described below

Background

When a server load balancer is configured for TCP offloading, it usually also performs source network address translation: the source IP address of the inbound client request is replaced with an address owned by the device (on the NetScaler, a MIP or SNIP). That address is the one consumed by the Web Interface application when it determines the ICA client access mode (Direct, Gateway Direct, and so on), so every user appears to connect from the load balancer.

Below is a network diagram of a typical internal and external client access topology with SLB.

Procedure

1. Modify the NetScaler Configuration
To override the normal client address mode discovery, use the NetScaler Client IP feature to insert an HTTP header carrying the original source address, and reference that header in a condition statement at the point where Web Interface determines the client address for mode assignment. The feature is normally used to pass the true client IP to web server log filters so that web logs reflect the correct client address of the HTTP request, but it serves equally well here. The configuration changes can be made using the Administrative Console or the Command Line Interface.


Making the modifications using the Administrative Console:

Making the modifications using the Command Line Interface:
Use the Add Server and Add Service commands as shown below. The parameters -cip ENABLED CLIENT-IP on the service enable Client IP insertion with the header name CLIENT-IP, just as is done with the user interface above. Note that -usip YES in this example additionally enables Use Source IP mode, which is the alternative described under More Information; it is not required for header insertion.

    add server CPS451 192.168.70.25

    add service WI45 CPS451 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED CLIENT-IP -usip YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB YES -CMP YES


2. Modify the Web Interface 4.5 Configuration

The Web Interface configuration needs access method rules keyed on the client IP address or subnet, as supplied by the Citrix NetScaler or other load balancing device.

    1. Open the file Citrix/AccessPlatform/app_data/auth/serverscripts/include.aspxf
    2. Make a backup copy of this file prior to making any edits
    3. Find the getClientAddress method and change it as shown below: the original lookup of the HTTP_SRCADDR server variable is commented out, and a lookup of the CLIENT-IP header injected by the NetScaler is added ahead of the existing fallback to Request.UserHostAddress. IIS exposes custom request headers in Request.ServerVariables only under the name HTTP_<NAME> with dashes replaced by underscores (HTTP_CLIENT_IP), so the header is read through Request.Headers, which uses the header's wire name. Because any HTTP client can send its own CLIENT-IP header, the value is trustworthy only when the request really came through the load balancer: restrict the Web Interface server to accept HTTP from the NetScaler only, or confirm that the NetScaler replaces rather than passes through a client-supplied CLIENT-IP header. Otherwise a user who reaches Web Interface directly can choose their own ICA access mode by forging the header.

    /**
     * Returns the IP address of the client as reported by NetScaler.
     *
     * @return the client IP address as a string
     */
    public string getClientAddress() {
        // Original check, commented out by this procedure.
        // if (Request.ServerVariables["HTTP_SRCADDR"] != null) {
        //     return (string) Request.ServerVariables["HTTP_SRCADDR"];
        // }

        // Added: the CLIENT-IP header inserted by the NetScaler service
        // (-cip ENABLED CLIENT-IP). Request.Headers looks it up by wire name;
        // the same value is available as ServerVariables["HTTP_CLIENT_IP"].
        string clientIp = Request.Headers["CLIENT-IP"];
        if (clientIp != null) {
            return clientIp;
        } else {
            // Fallback: the TCP peer address, which behind a load balancer is
            // the device's own MIP or SNIP rather than the user's address.
            return Request.UserHostAddress;
        }
    }

    4. Open the Edit DMZ Settings dialog from the Manage secure client access link under Common Tasks in the Task Pane of the Citrix Access Management Console.

    5. Create a client address table entry that represents each internal subnet for which the desired ICA connection type is Direct, or the appropriate access method. With the header in place these rules now match the user's real address rather than the load balancer's.
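The following is an added example, not Citrix code, that models the decision Web Interface makes after this procedure: which address getClientAddress returns for a given TCP peer and set of request headers, and which access mode the client address table then yields. It assumes a NetScaler MIP/SNIP of 192.168.70.1 (hypothetical), the header name CLIENT-IP from the add service command above, and a constructed client address table with two internal subnets mapped to Direct and a default of Gateway Direct. Unlike the aspxf code, it honours the header only when the TCP peer is the NetScaler, which is the check you need if Web Interface can be reached without passing through the load balancer.

```python
"""Client address and access mode decision behind a NetScaler (added example).

Assumptions (not from the article):
  - the NetScaler's own address seen by Web Interface is 192.168.70.1
  - the injected header is named CLIENT-IP
  - the client address table below is a constructed sample
"""
import ipaddress

# Assumed NetScaler MIP/SNIP: the only peer whose CLIENT-IP header is trusted.
NETSCALER_ADDRESSES = {ipaddress.ip_address("192.168.70.1")}
CLIENT_IP_HEADER = "CLIENT-IP"

# Constructed client address table: (subnet, access mode), first match wins.
CLIENT_ADDRESS_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "Direct"),
    (ipaddress.ip_network("192.168.0.0/16"), "Direct"),
]
DEFAULT_ACCESS_MODE = "Gateway Direct"


def get_client_address(peer_address, headers):
    """Model of the modified getClientAddress().

    peer_address is what Request.UserHostAddress would return; headers is
    the request header collection. The injected header is used only when
    the TCP peer is the NetScaler; on a direct connection the header is
    attacker-controlled and is ignored.
    """
    peer = ipaddress.ip_address(peer_address)
    # Header names are case-insensitive on the wire.
    value = next((v for k, v in headers.items()
                  if k.upper() == CLIENT_IP_HEADER), None)
    if peer in NETSCALER_ADDRESSES and value:
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return str(peer)


def access_mode_for(client_address):
    """Look the address up in the client address table."""
    addr = ipaddress.ip_address(client_address)
    for network, mode in CLIENT_ADDRESS_TABLE:
        if addr in network:
            return mode
    return DEFAULT_ACCESS_MODE


def decide(peer_address, headers):
    """Return (address used for the decision, resulting access mode)."""
    client = get_client_address(peer_address, headers)
    return client, access_mode_for(client)


if __name__ == "__main__":
    # Internal user through the NetScaler: header trusted, Direct.
    print(decide("192.168.70.1", {"CLIENT-IP": "10.20.30.40"}))
    # External user through the NetScaler: header trusted, default mode.
    print(decide("192.168.70.1", {"CLIENT-IP": "203.0.113.7"}))
    # No header: every user looks like the NetScaler (the original problem).
    print(decide("192.168.70.1", {}))
    # Direct connection with a forged header: header ignored.
    print(decide("203.0.113.9", {"CLIENT-IP": "10.20.30.40"}))
```

The third case is the failure the article describes: without the header the peer address is the load balancer's own internal address, which matches the internal subnet rule and gives an external user Direct mode.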

More Information

This method also works for legacy versions of Web Interface, although the Secure Gateway settings and the client address mode table may be located elsewhere in the user interface.

Alternate Solutions:

    • Many server load balancing products can disable their TCP connection management so that the original source address is passed through to the server. On the Citrix NetScaler this is referred to as Use Source IP (USIP) mode. USIP also solves this issue, with the caveat that it essentially negates the benefits of TCP server offloading.

    • When a VPN connection such as Access Gateway Enterprise is used, the Secure Access Client can reach the protected LAN over a secured tunnel, and the client address mode can be set to Direct. In clientless mode, or with a Secure Gateway proxy, the source address is always a specific MIP or SNIP, so a client address table entry that references that address can be added.

    • It may also be possible to use the X-Forwarded-For (XFF) HTTP header, the de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy. Most proxy devices support XFF, but the header may not be preserved across every device traversal, and a client can also supply a value of its own, so the injection method described above is a more definitive solution.
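If XFF is used instead, the caveats above translate into one rule: never take the leftmost value, because that is whatever the client sent; walk the chain from the right, skipping addresses that belong to proxies you operate, and stop at the first that does not. The following added example (not from the article) implements that walk; it assumes two trusted proxies at 192.168.70.1 and 192.168.70.2 (hypothetical) and falls back to the TCP peer address, exactly as the modified getClientAddress does, whenever the header is missing or malformed.

```python
"""X-Forwarded-For resolution with trusted proxies (added example).

Each proxy on the path appends the address it saw, so a well-formed header
reads "client, proxy1, proxy2". Assumed trusted proxies (hypothetical):
192.168.70.1 and 192.168.70.2.
"""
import ipaddress

TRUSTED_PROXIES = {
    ipaddress.ip_address("192.168.70.1"),
    ipaddress.ip_address("192.168.70.2"),
}


def originating_address(peer_address, xff):
    """Return the originating client address for a request.

    peer_address is the TCP source the web server actually saw; xff is the
    X-Forwarded-For header value or None. The chain is walked from the
    right, starting with the peer, so a header that a device dropped or
    rewrote, or that the client forged, degrades to the peer address rather
    than to an attacker-chosen one.
    """
    chain = [peer_address]
    if xff:
        chain = [hop.strip() for hop in xff.split(",")] + chain
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_address  # malformed entry: the chain is not usable
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    # Every hop was one of our own proxies (for example a health check).
    return peer_address


if __name__ == "__main__":
    # One proxy: client address recovered.
    print(originating_address("192.168.70.1", "203.0.113.7"))
    # Two proxies in series, both trusted: still recovered.
    print(originating_address("192.168.70.1", "203.0.113.7, 192.168.70.2"))
    # Client forged an internal address at the left: ignored.
    print(originating_address("192.168.70.1", "10.1.1.1, 203.0.113.7"))
    # Header not preserved: only the proxy's own address is known.
    print(originating_address("192.168.70.1", None))
    # Direct connection with a forged header: peer wins.
    print(originating_address("203.0.113.9", "10.1.1.1"))
```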

