The following depicts the configuration required to seamlessly integrate the Citrix NetScaler with Squid/ClamAV.  Squid is a Linux based proxy server and ClamAV is an open source antivirus solution.  Squid and ClamAV both reside on the same server and communicate with each other through the ICAP protocol.

The use case that this solution was developed for is to be able to scan files by an antivirus system before they can be allowed to be uploaded into the protected network through the Citrix NetScaler.  As a general overview, the following Citrix NetScaler features are included to enable this capability:  load balancing & content switching virtual servers, content switching policy, responder policy & action, and http callout.

Below itemizes the logic of the http requests:

  • End-users connect to the virtual IP address of the content switching virtual server.
  • A content switching policy is bound and set to true to allow all connections through the content switching virtual server.
  • A responder policy is bound and is configured to look for a content type of “multi-part/formdata” of all http requests and is also configured to invoke an http callout.
  • An http callout is configured to send requests to the Squid proxy server.
  • The http callout is configured to look for a response with the status of 301.  This value is used to validate that a virus has been found in a scanned file.  Other headers can be used as well.
  • If the previous step returns true, the responder policy is configured with a “respond with” action that lets the end user know the file was not uploaded due to a virus.
    • If the http callout returns false, the file is allowed to be uploaded to the back end server.

The following will delve into the specific configurations required.

  1. Create a load balancing service on the Citrix NetScaler that points to the back end upload server.

In the above screenshot, the upload service is highlighted with an IP address of on port 88.

2.  Create a load balancing virtual server that is not directly addressable.  In other words, does not contain an IP address.

3.   Create a content switching virtual server and configure it with a target load balancing server which consists of the load balancing virtual server created in Step. 2.

4.   Bind a content switching policy to the above content switching virtual server and enter true for the policy expression.

5.   Create the HTTP callout.

Below is the text for the full expression as depicted in the above screenshot:

“POST HTTP/1.1\r\nAccept:”+HTTP.REQ.HEADER(“Accept”)+”\r\nReferer:” +HTTP.REQ.HEADER(“Referer”)+”\r\nAccept-Language:”+HTTP.REQ.HEADER(“Accept-Language”)+”\r\nUser-Agent:”+HTTP.REQ.HEADER(“User-Agent”)+”\r\nContent-Type:”+HTTP.REQ.HEADER(“Content-Type”)+”\r\nAccept-Encoding:”+HTTP.REQ.HEADER(“Accept-Encoding”)+”\r\nHost:\r\nContent-Length:”+HTTP.REQ.HEADER(“Content-Length”)+”\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\n\r\n”+HTTP.REQ.BODY(9000)

Below is the same http callout depicting the server response section:

The above screen shot depicts the http callout configured to look for the status code.  If 301 exists, it designates a virus has been found in opposed to a status code of 200 for a non-virus infected file.

6.   Create and bind a responder policy to the content switching virtual server.

Note that the http callout needs to be created first before you can create and configure the responder policy to use it.  If not, you’ll receive an error message.

7.   Create and bind the responder action to the responder policy.

This completes the required configuration.  Below are screenshots of network traces that were useful in crafting the required configuration.

Proxy server configured in a web browser:

As you can see, a virus is detected.

Below represents the http callout created on the NetScaler and its communication with the Squid proxy server:

As you can see, the request and response is exactly the same.

Below is a trace of a normal file uploaded and scanned:

This concludes the configuration for the Citrix NetScaler and Squid/ClamAV integration.