How to force CitrixSSO VPN client for iOS to send CSHOST hostname to Citrix Gateway instead of CSIP header

Article ID: CTX270922

Description

There are situations in which an internal network proxy requires that website requests from CitrixSSO VPN clients include hostnames, so that it can categorize the traffic and apply access rules.

By default, the CitrixSSO VPN client for iOS sends the CSIP header, which contains only the IP address of the requested website. The proxy cannot determine an access rule from an IP address alone, so it applies the default drop rule.

With this solution, ADC sends the website hostnames to the internal proxy server instead of only the IP address carried in the CitrixSSO CSIP header.

An example of this behavior is as follows:

HTTP request from the CitrixSSO VPN client machine to ADC Gateway

======================

GET /cs HTTP/1.1

Host: gateway.domain.com

PORT: 443

CSIP: 17.248.131.206

SPORT: 52745

PRTCL: TCP

Cookie: NSC_AAAC=******

User-Agent: Macintosh/CitrixSSO-1.2.7 Intel Mac OS X 10_15_4 VpnCapable AuthV3Capable NAC/1.0 AGMacClient/542

TunnelType: nocmp

 

ADC forwards the request through the proxy

======================

CONNECT 17.248.131.206:443 HTTP/1.0

Content-length:0

Pragma: no-cache

Host:17.248.131.206

Proxy-Connection: Keep-Alive


Proxy server can't determine access rules based on IP and forbids access
====================

HTTP/1.1 403 Forbidden

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Proxy-Connection: Keep-Alive

Connection: Keep-Alive

Content-Length: 33132

 

Response from Proxy sent to CitrixSSO VPN client
============================

HTTP/1.1 403 Access Forbidden

Connection: close

Content-Length: 29

Content-Type: text/html

Cache-Control: no-cache,no-store

Pragma: no-cache

 

Error: Not a privileged User.


Instructions

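Create a proxy.pac file with this content:

function FindProxyForURL(url, host)
{
    // Send every request to the internal proxy; "DIRECT" is the
    // fallback used if the proxy cannot be reached.
    return "PROXY 155.180.110.35:8443; DIRECT";
}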

Set the VPN session policy action to push the automatic proxy configuration file (proxy.pac) to VPN devices:
> set vpn sessionaction [vpn_session_for_ios] -autoProxyUrl http://[server_hosting_proxy_pac_file_ip]/proxy.pac

Additional Information

The internal proxy server needs the hostname of the web server requested by the Citrix SSO client in order to determine an access rule based on categorization. CitrixSSO, however, sends the CSIP header, which carries only the IP address of the website and not its hostname. The internal proxy cannot categorize based on an IP address, so it forbids access.
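
One way to check on the proxy side whether clients still arrive with IP-only targets, as an added example that is not part of the Citrix article: it classifies the CONNECT target of a raw request head as an IP literal or a hostname. The function names, the hostname `www.example.com` and the assumption that the proxy sees `CONNECT host:port` once the PAC file is in use are illustrative; the sample requests are constructed from the trace above.

```javascript
// Added example: classify the CONNECT target an internal proxy receives.
// Sample requests are constructed; "www.example.com" is a placeholder.

// True when s is a dotted-quad IPv4 literal (each octet 0-255).
function isIPv4Literal(s) {
  const parts = s.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Split "host:port" or "[v6]:port" into host, port and kind.
function splitAuthority(authority) {
  const v6 = /^\[([0-9a-fA-F:.]+)\](?::(\d+))?$/.exec(authority);
  if (v6) return { host: v6[1], port: v6[2] || null, kind: "ip" };
  const idx = authority.lastIndexOf(":");
  const host = idx === -1 ? authority : authority.slice(0, idx);
  const port = idx === -1 ? null : authority.slice(idx + 1);
  return { host, port, kind: isIPv4Literal(host) ? "ip" : "hostname" };
}

// Parse the request line of a raw HTTP request head and report whether
// the proxy can categorize it by name. Returns null for non-CONNECT.
function classifyConnect(rawHead) {
  const requestLine = rawHead.split(/\r?\n/)[0].trim();
  const m = /^CONNECT\s+(\S+)\s+HTTP\/\d\.\d/i.exec(requestLine);
  if (!m) return null;
  const target = splitAuthority(m[1]);
  return { ...target, categorizable: target.kind === "hostname" };
}

// Count how many CONNECT requests in a batch still carry a bare IP.
function countUncategorizable(heads) {
  return heads.map(classifyConnect)
    .filter((r) => r && !r.categorizable).length;
}

// Constructed samples: the first mirrors the trace above (IP target),
// the second assumes a hostname target once the PAC file is in use.
const beforePac =
  "CONNECT 17.248.131.206:443 HTTP/1.0\r\nHost:17.248.131.206\r\n\r\n";
const afterPac =
  "CONNECT www.example.com:443 HTTP/1.0\r\nHost:www.example.com\r\n\r\n";

console.log(classifyConnect(beforePac));
console.log(classifyConnect(afterPac));
console.log(countUncategorizable([beforePac, afterPac]));
```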