-
AppExpert Applications and Templates
-
Configure application authentication, authorization, and auditing
-
-
Use Case: ESI Support for Fetching and Updating Content Dynamically
-
Use Case: Access Control and Authentication
-
-
Advanced Policy Expressions: Working with Dates, Times, and Numbers
-
Advanced Policy Expressions: Parsing HTTP, TCP, and UDP Data
-
Advanced Policy Expressions: IP and MAC Addresses, Throughput, VLAN IDs
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Use Case: Access control and authentication
In high security zones, it is mandatory to externally authenticate the user before a resource is accessed by clients. On the Citrix ADC appliance, you can use HTTP callouts to externally authenticate the user by evaluating the credentials supplied. In this example, the assumption is that the client is sending the user name and password through HTTP headers in the request. However, the same information could be fetched from the URL or the HTTP body.
To implement this configuration, you must perform the following tasks:
- Enable the responder feature on the Citrix ADC appliance.
- Create an HTTP callout on the appliance and configure it with details about the external server and other required parameters.
- Configure a responder policy to analyze the response, and then bind the policy globally.
- Create a callout agent on the remote server.
Enabling Responder
The responder feature must be enabled before it is used on the Citrix ADC appliance.
To enable responder by using the configuration utility
- Make sure that the responder license is installed.
- In the configuration utility, expand AppExpert, and right-click Responder, and then click Enable Responder feature.
Creating an HTTP callout on the Citrix ADC appliance
Create an HTTP callout, HTTP-Callout-3, with the parameter settings shown in the following table. For more information about creating an HTTP callout, see Configuring an HTTP Callout.
Table 1. Parameters and Values for HTTP-Callout-3
Parameter
Value
Name
HTTP-Callout-3
Server to receive callout request:
IP Address
10.103.9.95
Port
80
Request to send to the server:
Method
GET
Host Expression
10.102.3.95
URL Stem Expression
“/cgi-bin/authenticate.pl”
Headers:
Name
Request
Value-expression
Callout Request
Parameters:
Name
Username
Value-expression
HTTP.REQ.HEADER(“Username”).VALUE(0)
Name
Password
Value-expression
HTTP.REQ.HEADER(“Password”).VALUE(0)
Server Response:
Return Type
TEXT
Expression to extract data from the response
HTTP.RES.BODY(100)
Creating a Responder Policy to Analyze the Response
Create a responder policy, Policy-Responder-3, that will check the response from the callout server and RESET the connection if the source IP address has been blacklisted. Create the policy with the parameters settings shown in the following table. While you can create a responder policy in the Policies subnode and then bind it globally by using the Responder Policy Manager, this demonstration uses the Responder Policy Manager to create the responder policy and bind the policy globally.
Parameter | Value |
---|---|
Name | Policy-Responder-3 |
Action | RESET |
Undefined-Result-Action | -Global undefined-result action- |
Expression | “HTTP.REQ.HEADER(\“Request\”).EQ(\“Callout Request\”).NOT && SYS.HTTP_CALLOUT(HTTP-Callout-3).CONTAINS(\“Authentication Failed\”)” |
Table 2. Parameters and Values for Policy-Responder-3
To create a responder policy and bind it globally by using the configuration utility
- Navigate to AppExpert > Responder.
- In the details pane, under Policy Manager, click Responder Policy Manager.
- In the Responder Policy Manger dialog box, click Override Global.
- Click Insert Policy, and then, in the Policy Name column, click New Policy.
- In the Create Responder Policy dialog box, do the following:
-
In Name, type Policy-Responder-3.
-
In Action, select RESET.
-
In Undefined-Result Action , select Global undefined-result action.
-
In the Expression text box, type:
"HTTP.REQ.HEADER(\"Request\").EQ(\"Callout Request\").NOT && SYS.HTTP_CALLOUT(HTTP-Callout-3).CONTAINS(\"Authentication Failed\")" <!--NeedCopy-->
- Click Create, and then click Close.
-
- Click Apply Changes, and then click Close.
Creating an HTTP Callout Agent on the Remote Server
You now need to create an HTTP callout agent on the remote callout server. The HTTP callout agent receives callout requests from the Citrix ADC appliance and responds appropriately. The callout agent is a script that is different for each deployment and must be written with server specifications in mind, such as the type of database and the scripting language supported.
Following is sample callout agent pseudo-code that verifies whether the supplied user name and password are valid. The agent can be implemented in any programming language of your choice. The pseudo-code is to be used only as a guideline for developing the callout agent. You can build additional functionality into the program.
To verify the supplied user name and password by using pseudo-code
- Accept the user name and password supplied in the request and format them appropriately.
- Connect to the database that contains all the valid user names and passwords.
- Check the supplied credentials against your database.
- Format the response as required by the HTTP callout.
- Send the response to the Citrix ADC appliance.
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.