This article explains how to use the Responder Policy with Access Gateway Enterprise Edition VIP.
Scenario 1
Access Gateway 5.x uses logon points; Access Gateway Enterprise Edition 10.x has no logon points and uses virtual servers (VIPs) instead. While transitioning from Access Gateway 5.x to Access Gateway Enterprise Edition 10.x, a user requested that the appliance be configured so that the following criteria are met:
A user who opens ag.example.com must be pointed to an Access Gateway Enterprise Edition VIP that requires only single-factor authentication.
A user who opens ag.example.com/lp/secure must be pointed to a second Access Gateway Enterprise Edition VIP, such as agsecure.example.com, that requires dual-factor authentication.
Scenario 2
A user has a Web Interface server with two Web Interface sites, Citrix/XenApp1 and Citrix/XenApp2, and uses an Access Gateway Enterprise Edition virtual server without authentication. Configure the appliance so that the following criteria are met:
A user who opens ag.example.com/Citrix/XenApp1 must be pointed to ag.example.com/Citrix/XenApp1.
A user who opens ag.example.com/Citrix/XenApp2 must be pointed to ag.example.com/Citrix/XenApp2.
To configure the preceding scenarios, you must use Responder Policies. However, a Responder Policy bound to an Access Gateway Enterprise Edition VIP cannot inspect the URL the user originally requested: the kernel redirects the request to /vpn/index.html first, and only then are the global policies evaluated. Therefore, a Responder Policy on an Access Gateway Enterprise Edition VIP can only match /vpn/index.html; it cannot see anything from before that redirect, because the kernel has already performed it by the time the policy runs.
The workaround requires an additional public-facing IP address and, unless you have a wildcard certificate, an additional certificate. Use a Load Balancing VIP that points to itself, with Responder Policies configured with the following settings.
In the following sample commands the Responder Policies are bound globally:
add responder action "Responder Action" redirect "\"https://agsecure.example.com\""
add responder policy "Responder Policy Test" "HTTP.REQ.HOSTNAME.EQ(\"ag.example.com\") && HTTP.REQ.URL.CONTAINS(\"/lp/secure\")" "Responder Action"
bind responder global "Responder Policy Test" 100 END -type REQ_DEFAULT
add responder action "Responder Action2" redirect "\"https://agnew.example.com\""
add responder policy "Responder Policy Test2" "HTTP.REQ.HOSTNAME.EQ(\"ag.example.com\")" "Responder Action2"
bind responder global "Responder Policy Test2" 110 END -type REQ_DEFAULT
Note the difference in priority in the preceding commands: the more specific policy (hostname plus /lp/secure) is bound at priority 100 and is therefore evaluated before the hostname-only policy at 110, and the gotoPriorityExpression END stops evaluation at the first match. If the priorities were reversed, the hostname-only policy would match every request for ag.example.com first and the /lp/secure policy would never be reached.
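The following is an added worked example, not part of the original article or of Citrix's configuration. It is a small Python model of how the appliance walks bound responder policies in ascending priority order and stops at the first match, built from the two policies above, so that the effect of the priorities (and of the /vpn/index.html redirect on an Access Gateway VIP) can be checked offline. The Request and ResponderPolicy types, the sample URLs and the helper names are assumptions made for the illustration; they are not NetScaler API.

```python
"""Constructed model of first-match responder evaluation by priority.

Not NetScaler code: it mimics only the ordering rule (lower priority
number is evaluated first, END stops at the first hit) for the two
policies in the article, so the reader can see why 100/110 must not be
reversed and why the same policies cannot work on the Access Gateway VIP.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    hostname: str  # what HTTP.REQ.HOSTNAME evaluates to (assumed model)
    url: str       # what HTTP.REQ.URL evaluates to: path plus query


@dataclass(frozen=True)
class ResponderPolicy:
    name: str
    priority: int
    rule: Callable[[Request], bool]       # stands in for the policy expression
    redirect: Callable[[Request], str]    # stands in for the redirect action


def request_from(url: str) -> Request:
    """Split a full URL into the hostname and URL parts a rule would see."""
    parts = urlsplit(url)
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    return Request(parts.hostname or "", path + query)


def evaluate(policies: List[ResponderPolicy], req: Request) -> Optional[str]:
    """Return the redirect target of the first matching policy, or None."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(req):
            return pol.redirect(req)
    return None


# The two policies from the article, with the same priorities (100 and 110).
SCENARIO_1: List[ResponderPolicy] = [
    ResponderPolicy(
        name="Responder Policy Test",
        priority=100,
        rule=lambda r: r.hostname == "ag.example.com" and "/lp/secure" in r.url,
        redirect=lambda r: "https://agsecure.example.com",
    ),
    ResponderPolicy(
        name="Responder Policy Test2",
        priority=110,
        rule=lambda r: r.hostname == "ag.example.com",
        redirect=lambda r: "https://agnew.example.com",
    ),
]


def redirect_on_lb_vip(url: str, policies=SCENARIO_1) -> Optional[str]:
    """Policies bound on the Load Balancing VIP see the original URL."""
    return evaluate(policies, request_from(url))


def redirect_on_ag_vip(url: str, policies=SCENARIO_1) -> Optional[str]:
    """Model of the Access Gateway VIP: by the time the policies run, the
    kernel has already redirected the request to /vpn/index.html, so the
    rules never see the path the user typed (assumed model of the text)."""
    req = request_from(url)
    return evaluate(policies, Request(req.hostname, "/vpn/index.html"))


def with_swapped_priorities(policies: List[ResponderPolicy]) -> List[ResponderPolicy]:
    """Return a copy of the policies with their priority order reversed,
    to show the shadowing failure the article warns about."""
    ordered = sorted(policies, key=lambda p: p.priority)
    reversed_prios = [p.priority for p in ordered][::-1]
    return [
        ResponderPolicy(p.name, prio, p.rule, p.redirect)
        for p, prio in zip(ordered, reversed_prios)
    ]


if __name__ == "__main__":
    for u in ("https://ag.example.com/lp/secure", "https://ag.example.com/"):
        print(u, "->", redirect_on_lb_vip(u))
    print("on AG VIP:", redirect_on_ag_vip("https://ag.example.com/lp/secure"))
    print("swapped:", redirect_on_lb_vip("https://ag.example.com/lp/secure",
                                         with_swapped_priorities(SCENARIO_1)))
```

With the article's priorities, /lp/secure on the Load Balancing VIP lands on agsecure.example.com and everything else on agnew.example.com. The same request evaluated on the Access Gateway VIP, where the URL has already become /vpn/index.html, can only ever hit the hostname-only policy, and swapping the priorities produces the same wrong answer for a different reason.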
If the Load Balancing feature is not licensed, as is the case with Access Gateway Enterprise Edition VPX licensing, you can instead have users reach the Web Interface externally for authentication and application enumeration, and use an Access Gateway Enterprise Edition virtual server only to launch the application.
Different Web Interface sites can be used for the required authentication settings, such as single-factor or dual-factor.
One option for this configuration is to run the Access Gateway Enterprise Edition virtual server on a non-standard port while reusing the same FQDN and the same certificate, as shown in the following screen shot:
Note: Use of non-standard ports is not recommended.
The other option is another IP address with a different FQDN or a different certificate, as shown in the following screen shot: