Thursday, May 5, 2016

Using Citrix NetScaler Rewrite Action and Policy to prevent the Location HTTP header from exposing internal IP addresses

I was recently asked by a client to fix an issue with their Exchange 2013 Outlook Web Access webpage where an HTTP request to the site would expose the internal IP address of the Client Access Server in the Location HTTP header, as shown in the following test performed with Ncat from the Nmap suite (https://nmap.org/download.html):

ncat 76.8.35.111 80
GET / HTTP/1.0

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://10.10.10.93/owa/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 05 May 2016 00:08:13 GMT
Connection: close
Content-Length: 0

The client referenced the following Microsoft KB article, but it covers an older version of IIS:

https://support.microsoft.com/en-us/kb/218180

After researching the issue and not finding a way to correct it in IIS, I decided to use the Citrix NetScaler load balancer we were already using to publish OWA to rewrite the header so that it carries the FQDN instead of the internal IP address. The following are the steps required.

Begin by creating a new Rewrite Action with the following configuration:

Name: act_location_header
Type: REPLACE
Expression to choose target location: HTTP.RES.HEADER("Location")
Expression to Replace with: https://webmail.domain.com/owa/

Once the Rewrite Action is created, proceed with creating a Rewrite Policy with the following configuration:

Name: pol_location_header
Action: act_location_header
Undefined-Result Action: -Global-undefined-result-action-
Expression: true

With the Rewrite Policy created, proceed with assigning it to the HTTP (not HTTPS) OWA Load Balancing Virtual Server, the one that redirects user requests to HTTPS:

Choose Policy: Rewrite
Choose Type: Response

Select the pol_location_header Rewrite policy:

Leave the rest of the settings as default and click on the Bind button:

Redoing the test will now show the Location header replaced with the FQDN:

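As an added check that is not part of the original post, the following Python script reproduces the bare HTTP/1.0 probe from the ncat test and flags a Location header whose host is a non-public IP literal (RFC 1918, loopback, link-local); the two sample responses are constructed to match the before and after states described above, and the probe() function assumes you have a reachable host to point it at.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample responses, modelled on the ncat session in the post.
LEAKING_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Cache-Control: no-cache\r\n"
    "Location: https://10.10.10.93/owa/\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "Content-Length: 0\r\n\r\n"
)
FIXED_RESPONSE = LEAKING_RESPONSE.replace(
    "https://10.10.10.93/owa/", "https://webmail.domain.com/owa/")


def location_header(raw_response: str):
    """Return the value of the first Location header, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def leaks_internal_address(raw_response: str) -> bool:
    """True when Location points at a non-public IP literal."""
    target = location_header(raw_response)
    host = urlsplit(target).hostname if target else None
    if host is None:
        return False
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # an FQDN such as webmail.domain.com, not an IP literal


def probe(host: str, port: int = 80) -> str:
    """Send the same bare HTTP/1.0 request ncat did and return the raw response."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")  # no Host header, as in the post
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


if __name__ == "__main__":
    print("sample leaks:", leaks_internal_address(LEAKING_RESPONSE))
    print("fixed leaks:", leaks_internal_address(FIXED_RESPONSE))
```

Run probe() against the HTTP virtual server before and after binding the policy and feed its output to leaks_internal_address() to confirm the rewrite is in effect.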