So you want to get that sweet, sweet forward proxy all up there for some kiosks? Well… Have I got a deal for you! If you happen to have the licensing (Premium license requirement), you too can be the proud owner of this actually wonderful product. I have been using this for years now and it works extremely well if you don’t have to constantly add sites to the allowed list. Now… First things first. This is for defining your OWN allow list that YOU have to maintain. Getting Gmail to work will take some effort as there are a LOT of sites you have to add for images. This is not using the URL Threat Intelligence which is a line item purchase. This was completed with the help of Kevin Lofy from Citrix. https://www.linkedin.com/in/jkevinlofy/. This also is the GUI way of configuring this. Hope that this is of help. It REALLY solved a couple issues and allowed a good bit of control with using AppLocker on the VDA hosting server that was publishing the Firefox browser that linked to the proxy address.
Logon to Citrix ADC.
You will need to select “System” > “Settings” > “Configure Basic Features.”
If “Integrated Caching” is not enabled, you will need to enable the feature. This WILL require a reboot.
Select “Settings” > “Configure Advanced Features.”
You will need to select “SSL Interception” and “Forward Proxy.”
Navigate to “Traffic Management” > “DNS” > “Name Servers” and select “Add.”
Select “IP Address.”
Enter “IP Address.”
Select “UDP” from “Protocol.”
Navigate to “Security” > “SSL Forward Proxy.”
Select “Certificate Bundles.”
Select “SSL Forward Proxy Wizard.”
Click “Get Started.”
Enter “Name” for Proxy.
Select “Explicit” from “Capture Mode.”
Select “SSL Sessions Interception.”
I used an Ubuntu machine and hosted the text file there and reference it as http://ip/something.txt
This will set it to go to next line.
HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URLSET_MATCHES_ANY(“urlsetname”) || HTTP.REQ.URLSET_MATCHES_ANY(“urlsetname”)
You will need to set a policy to set the IP and Port defined for the proxy (typically 8080) and apply to the machine that will be using the proxy. Using AppLocker with it will make it harder to pivot out of for machine security.
I’ll gather up a blog post of AppLocker and a way to use it with SSL Forward Proxy.
Leave a Reply