Solved

Problems with CSG / Session Information

Posted on 2006-11-15
17
1,445 Views
Last Modified: 2008-02-26
I have a few questions about CSG running with WI 4, and PS4... I'm not using Secure Access Manager.

I'm using Microsofts Certificate Authority at the moment, but I plan on making the customer buy a public certificate once I get this working.  Currently I am able to connected from the outside pointing to the HTTPS site, and when I save the ica file, it is showing the inside address.  That proves to me that CSG is working, but when I go into the management console for CSG, there is no session information.

Also, their internal domain is setup in a domain.local format.  So, all my settings in WI for CSG are pointing to the FQDN with that format, ie the STAs are setup like:

http://citrix01.domain.local/scripts/ctxsta.dll
http://citrix02.domain.local/scripts/ctxsta.dll

the CSG server is set to SQL01.domain.local which is how the certificate was setup also.

Will this cause problems when connecting from the outside?
0
Comment
Question by:tduplantis
  • 8
  • 5
  • 4
17 Comments
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 17949994
The only thing you need to worry about from the outside is:  a)  Does the user have an updated ICA client (web client, or full Program Neighborhood), and b)  You only need to open ports 80 and 443 (don't open the other unnecessary ports such as 1494, 2598, otherwise the CSG is not going to be doing what is supposed to).  

I don't know how you want to set this up, but you probably only want to set CSG for all connections that aren't local to the environment (10.x.x.x, 172.16.x.x, 192.168.x.x will go through CSG, but they will have access to Web Interface).  In the Web Interface console, have you configured the option to use Secure Gateway Direct?  (Metaframe Presentation Server Administration > Suite Components > Configuration Tools > Web Interface > <the site> Manage Secure client access (menu) > Edit DMZ Settings.  If Default/direct is the only thing listed, then you want to add one for 172.0.0.0 255.0.0.0 Direct (if 172.16.0.0 is your inhouse IP range and 255.255.0.0 is your mask) and change the Default setting to Secure Gateway Direct.  With that set like that, internal users will go directly to the Web Interface and not use CSG, while all other users will use CSG.

The rest of the settings look perfect.

Hope this helps,
Chris
0
 
LVL 4

Author Comment

by:tduplantis
ID: 17955726
That is all setup properly already, my question is why sessions don't show up in the CSG management console, and if the domain.local domain will cause issues with the external certificate.
0
 
LVL 18

Assisted Solution

by:mgcIT
mgcIT earned 100 total points
ID: 17958422
>> and when I save the ica file, it is showing the inside address.  That proves to me that CSG is working

This actually proves that CSG is NOT WORKING.  You should not see an IP address at all in the launch.ica file.  And this is also the reason why you are not seeing sessions in the mgmt. console.

To give you an example this is what I see inside my ica file for CSG (it should be a bunch of random characters and not an IP Address:

Address=;40;STA0CD5290A5CDD;E030C56D37F9FCC96A2CE33F65BC307E
0
 
LVL 10

Accepted Solution

by:
chrisnewman01 earned 150 total points
ID: 17958646
If CSG is configured properly (using CSG Direct), you should see session information in the secure gateway management console.  If users are bypassing it (just a direct connection), there will be no sessions in the console.  As long as the CSG server can resolve the names, there shouldn't be any issues.  

Are you using 2 NICs (one for CSG and the other for Web Interface), or are you using one NIC with 443 for CSG and 444 for Web Interface, or is Web Interface not encrypted?  Are you using port 80 for the STAs, or another port?  If another port, append the port like this:  http://<fqdn of sta>:<port #>/scripts/ctxsta.dll.
0
 
LVL 4

Author Comment

by:tduplantis
ID: 17958808
mgcT - that would certainly explain it, but why can I connect to that private IP address when I am on the outside of the network?  Would CGS be half working?

Chris - I am using CSG Direct.  I only have one nic in the server.  The Web Interface is not encrypted... SSL is not being used on the web server.  I am using port 80 on the STAs.

At least yesterday I was able to connect using the HTTPS addy, now I'm getting a page cannot be found!  
0
 
LVL 4

Author Comment

by:tduplantis
ID: 17958837
Here is a copy of the CSG config if it can be used to help:

# Citrix Secure Gateway Configuration file
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 15
Timeout 300

ServerName localhost
UseCanonicalName Off

ServerTokens prod
ServerSignature On

# Socks Protocol settings (5 Minutes / 5 Seconds)
SocksTcpKeepAliveTime            300
SocksTcpKeepAliveInterval       5

# Log rotation

# Global Logging Parameters
# Sock Logs
LogFormat "%t %a %{SocksVersion}n %{SocksResponse}n %{SocksDestinationHost}n %{SocksDestinationPort}n" socks_log
CustomLog "|bin/rotatelogs.exe logs/SocksAccess_%Y_%m_%d.log 3600 -240 30D" socks_log env=LOG_SOCKS

# CGP Logs
LogFormat "%t %a %{CgpResponse}n %{CgpDestinationHost}n %{CgpDestinationPort}n %{cgpProtocol}n" cgp_log
CustomLog "|bin/rotatelogs.exe logs/CgpAccess_%Y_%m_%d.log 3600 -240 30D" cgp_log env=LOG_CGP

# Access & Error Logs
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "|bin/rotatelogs.exe logs/Access_%Y_%m_%d.log 3600 -240 30D" Combined env=LOG_HTTP
ErrorLog "|bin/rotatelogs.exe logs/Error_%Y_%m_%d.log 3600 -240 30D"

# Do not log GIF's & requests from localhost
SetEnvIf Request_URI \.gif$ nolog=gif
SetEnvIf Request_URI \.jpg$ nolog=jpg
SetEnvIf Request_URI \.png$ nolog=png
SetEnvIf Request_URI \.js$ nolog=js
#SetEnvIf Remote_Addr ^127.0.0.1$ nolog=127.0.0.1

# **************************************************************************************
# Citrix Secure Gateway configuration section
# DO NOT MANUALLY EDIT CONFIGURATION SETTINGS IN THIS SECTION. ALL MANUAL EDITS WILL
# BE OVER WRITTEN BY THE CONFIGURATION TOOL.
# ANY MANUAL EDITS SHOULD BE OUTSIDE THIS SECTION.
#
#!<CSG>
ServerRoot "C:/Program Files/Citrix/Secure Gateway/"
PidFile logs\httpd.pid

# The default value for VHOST Throttle comes from the registry variable HTTPBoost in the global section
# The default value is set to 250

<IfModule mpm_winnt.c>
ThreadsPerChild 500
MaxRequestsPerChild 0
</IfModule>

#Event Log
EventLogServiceName "Secure Gateway"

#Scoreboard file

ScoreBoardFile logs/perf.map

LoadModule access_module modules/mod_access.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule mime_module modules/mod_mime.so
LoadModule socks_module modules/mod_socks.so
LoadModule winevent_log_module modules/mod_winevent_log.so
LoadModule async_engine_module modules/mod_async_engine.so
LoadModule ticket_module modules/mod_ticket.so
LoadModule perfmon_module modules/mod_perfmon.so
LoadModule vhost_throttle_module modules/mod_vhost_throttle.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule include_module modules/mod_include.so
LoadModule multiplexer_module modules/mod_multiplexer.so
LoadModule schannel_module modules/mod_schannel.so

#CSG Modules ...
LoadModule session_module modules/mod_session.so
LoadModule auth_sta_module modules/mod_auth_sta.so
LoadModule cgp_module modules/mod_cgp.so

# Max Connections
MaxConnections CONCURRENT_CONN_LIMIT 250

# Scoreboard Max Connections
ScoreboardMaxConnections 1700

# mod_multiplexer directives
ProtocolSignature SOCKSV5 \005
ProtocolSignature CGP \032CGP/
MultiplexerHandshakeTimeout 100000
ProtocolMultiplexer 192.168.1.20:443

#Listen directives
Listen 192.168.1.20:443

#NameVirtualHost directives
NameVirtualHost 192.168.1.20:443

#STA servers
STAHOST STAB1ED9C8F0492 http://citrix01.prohealth.local:80/Scripts/CtxSTA.dll

STAHOST STAFA50C971C972 http://citrix02.prohealth.local:80/Scripts/CtxSTA.dll

#Async Engine directives
AsyncWorkerThreadCount 0

#SSL settings
SSLProtocol +SSLv3 +TLSv1
SSLCipherSuite ALL


#Log level
LogLevel warn

#WI Config
<VirtualHost 192.168.1.20:443>

      ServerName www.ourdomain.com:443

      # SSL Params
      SSLEngine On
      SSLCertificateHash cfa35b6f5bd49bf855f42bad34772ddf926dbfc7

      # Document Root and Directory directives
      DocumentRoot "C:/Program Files/Citrix/Secure Gateway"

      <Directory "C:/Program Files/Citrix/Secure Gateway/error">
            AllowOverride None
            Options IncludesNoExec
            AddOutputFilter Includes html
            AddHandler type-map var
            LanguagePriority en ja cs de es fr it nl sv pt-br ro
            ForceLanguagePriority Prefer Fallback
      </Directory>

      ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
      ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
      ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
      ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
      ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
      ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
      ErrorDocument 410 /error/HTTP_GONE.html.var
      ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
      ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
      ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
      ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
      ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
      ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
      ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
      ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
      ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
      ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

      # This proxy pass rule should be prior to the ProxyPass rule you already define
      # This rule states that Secure Gateway won't proxy anything that starts with /error
      ProxyPass /error !


      # Reverse Proxy Web Interface
      <Location />
            ProxyPass http://localhost/
            ProxyPassReverse http://localhost/
      </Location>

      # Used by HTTP custom Log Setting
      SetEnvIf nolog ^$ LOG_HTTP=1

</VirtualHost>

#Gwy Settings - CGP
<VirtualHost 192.168.1.20:443>

      ServerName www.ourdomain.com:443

      CgpProtocol On

      RequireTicket On
      CGPHandshakeTimeout 100000
      RegisterProtocol CGP
      UseConnCounter CONCURRENT_CONN_LIMIT

      # SSL Params
      SSLEngine On
      SSLCertificateHash cfa35b6f5bd49bf855f42bad34772ddf926dbfc7
      SSLProxyEngine On

      # Outbound ACL's
      <Location /destination/cgp>
            Order Deny,Allow
            Deny to All
            Allow to All
      </Location>

      # Used by CGP custom Log Setting
      SetEnvIf nolog ^$ LOG_CGP=1

</VirtualHost>


#Gwy Settings - SOCKS
<VirtualHost 192.168.1.20:443>

      ServerName www.ourdomain.com:443

      SocksProtocol On
      SocksHandshakeTimeout 100000
      RegisterProtocol SOCKSV5
      RequireTicket On
      UseConnCounter CONCURRENT_CONN_LIMIT

      # SSL Params
      SSLEngine On
      SSLCertificateHash cfa35b6f5bd49bf855f42bad34772ddf926dbfc7

      # Used by SOCKS custom Log Setting
      SetEnvIf nolog ^$ LOG_SOCKS=1

</VirtualHost>

#!</CSG>
#
# END Citrix Secure Gateway configuration section
# *************************************************************************************
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 17958857
>> but why can I connect to that private IP address when I am on the outside of the network

You would be able to log into the web interface site, but not actually launch sessions.  If you were able to do this, then your settings probably hadn't been applied yet (you should run IISRESET to stop/restart the IIS service after making changes to your WI/CSG servers to be sure), and this probably explains why you can't even get to the site now.

CSG wouldn't be half working, but you can have it enabled and still have normal WI connections enabled as well.
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 17958910
did you change the SSL port in IIS to something other than 443? for example just change it to 444
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 10

Expert Comment

by:chrisnewman01
ID: 17959251
Thanks for the info, sorry for all the questions.  In the CSG config, is the "secure traffic between the STA and the Secure Gateway" checkbox checked?  Also, are you using indirect mode, or direct mode for the Web Interface?  What hotfixes for CSG are you running, too?

Chris
0
 
LVL 4

Author Comment

by:tduplantis
ID: 17961798
using direct mode, and the traffic between the STA and CSG  isn't secured.

mgcIT - I can log in and run an application from the outside, and when I save that the ica file to my desktop it is showing an internal address in the file.
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 17961841
when you say "from the outside" do you mean that you are using the external https:// address or that you are literally outside of your network?  i.e. aside from citrix are you able to directly communicate with your servers using the internal IP address (ping for example)?
0
 
LVL 4

Author Comment

by:tduplantis
ID: 17961956
>> did you change the SSL port in IIS to something other than 443? for example just change it to 444

I do not have SSL running on the IIS server.  If I did, wouldn't I need two certificates, one for CSG, and one for the IIS server?
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 17962240
even though SSL is not configured on the IIS server you still need to change the port it uses for SSL.  In the properties of your site just change it to 444.
0
 
LVL 4

Author Comment

by:tduplantis
ID: 17962344
mgcit > that is exactly what I mean!  I'm not connected via vpn, and I'm on a totally different network.   Ok, I'll set the IIS SSL port to 444, I had problems starting IIS at all when CSG was running, so I just removed the port all together from the IIS config.  
0
 
LVL 4

Author Comment

by:tduplantis
ID: 17962360
chris, i misunderstood your question.  I am using indirect mode in the csg config.  I thought you were referring to the WI config, wether i was using CSG direct, translated, etc.  CSG and WI are installed on the same computer.
0
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 17965492
You probably created the ssl cert using iis, then assigned it to the server (this would still work if you kept the same cert on there, but set it to 444 in IIS).  The server defaulted it to 443 just because that's the default for ssl, and that's why you had a problem with CSG starting, but you took care of that already.  

With everything on the same server, try this configuration:

Users navigate to http://website, then get shifted right to CSG (which sits on https://website) by way of a redirect script (i called the file below webinterface.htm and set it as the default for the IIS site) <-- as you see, it's right from Citrix, but I believe it's for WI3 and not WI4.  You'll have to modify it to point it to the right default WI4 page:

<!--
---- WebInterface.htm
---- Copyright (c) 2000 - 2004 Citrix Systems, Inc. All Rights Reserved.
---- Web Interface (Build 37544)
-->
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
<!--
window.location="https://server.yourcompany.com/Citrix/MetaFrame/default.htm";
// -->
</SCRIPT>
____________________
CSG Configuration:

Indirect:  check the "installed on this computer" checkbox
Details:  FQDN = localhost (greyed-out)
TCP port: 80

Chris

0
 
LVL 4

Author Comment

by:tduplantis
ID: 17969568
I'll try that out Monday... thanks chris, and mgcit for the responses.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
CITRIX XENAPP 6.5 FARM CUSTOM POLICY - CHANGE MANAGEMENT WINDOW REBOOT SCHEDULE
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now