Guest Blog from Julian Jakob (@jakob_davidson)
Quick post about an OAuth-Issue with Citrix ADC’s SSL VPN. There is a missing hint in CTX225084 as this article is only refering to SharePoint deployments. OAuth can make use of the bearer authorization token. If users are trying to access WebApps via Citrix Gateway Plugin (SSL VPN), the ADC is removing the OAuth authorization header and this can cause SSO failing and access to specific resources of your WebApps stop working.
Create below traffic policy and bind it to the Citrix Gateway virtual server with a lower priority than possible other bound policies.
add vpn trafficAction traf_act_SSLVPN_AuthHeader_Bearer http -SSO OFF
add vpn trafficPolicy traf_pol_SSLVPN_AuthHeader_Bearer "HTTP.REQ.HEADER(\"Authorization\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Bearer\")" traf_act_SSLVPN_AuthHeader_Bearer
bind vpn vserver vpn.customer.com_NSGW_VPN -policy traf_pol_SSLVPN_AuthHeader_Bearer -priority 90 -gotoPriorityExpression END -type REQUEST
I hope this is helping others, struggling with customer-built OAuth WebApps with Citrix ADC’s SSL VPN.