frank_combopia1
Oct 25, 2006
Nimbostratus
Rewriting URLs for Citrix Secure Gateway
One of our App teams wishes to deploy a Citrix-based environment using the Secure Gateway in a DMZ, behind two ltm1500s. The Secure Gateway servers will then contact Citrix Presentation Servers behind a firewall in the secure part of our network. Their additional requirements/constraints are:
1. Single certificate for the two SG servers
2. End-to-end SSL
3. No SSL termination at the LTM
4. Multiple entry points: Internet and Intranet (using private network paths)
The last item (4) is what I'm concerned about. To accommodate the "typical" Internet user, the certificate will require an external name, as in, "www.new-app.com". However, policies and standards prevent me from claiming authority for "new-app.com" within our company's internal name/address space, so an intranet request should look more like "www.new-app.site.company.com".
Access to the private network is through a local (site by site) DMZ via a firewall and NAT.
So, can I rewrite "https://www.new-app.site.company.com/*" as "https://www.new-app.com/*" before passing it to the Secure Gateway pool, and reverse that on the way back to the client? I can't return a redirect to the internal client because that would take them to the external gateways, ignoring the private paths set up for this application.
Also, are there other elements of a Citrix session that I need to manipulate (if I can), such as tokens or cookies?
Is this a viable way to overcome the cert's FQDN, or is there a better alternative?
Thanks!
/frank