cescentman asked:
VPN Across HTTPS - an Alternative to CAG Required
I have a need to offer VPN connection to my server farm to a number of remote customers using HTTPS in order to minimise the requirements of end users to amend proxy and firewall rules. I decided to use the Citrix Access Gateway (CAG). Much to my dismay I have found that there is a bug in the current implementation which means that in some circumstances the client still attempts to connect directly even where one specifies a proxy address in the advanced settings of the client.
To be fair to Citrix they are currently working on the issue and have acknowledged that it is their problem. However I am coming under extreme pressure to resolve this and Citrix are unable to give me a date.
So my problem is deciding on another solution to implement in the short term. Does anyone have any experience and recommendations of other solutions I might deploy? I need:-
VPN to be established using HTTPS as with the CAG.
to be able to pick up authentication details via Active Directory on the farm.
be able to manually set proxy details in the client
ASKER
Many thanks for the suggestion. I am assuming that the Citrix Support Specialist was aware of these and we have tried as far forward as v455-37.1. However I will run it past him; assumptions can sometimes be flawed!!!!!
In the meantime the blow lamp is being held close to the seat of my pants and I desperately need an alternative to try in case the fix takes too long. Do you have any suggestions?
ASKER
Just realised that I neglected to add the last criterion:-
I need to be able to restrict traffic on the VPN to port 3389
I mainly implement and use the CAGs. I'm not sure if there's anything that's better than that. Are you using only the CAG, or do you have the CAG + Access Gateway Advanced Edition? Sorry if I'm not much help to you.
Oh. Sorry -- you were probably typing as I was before. With the CAG, you can straddle the firewall (one port in the DMZ, the other port in the private LAN) OR you could open port 3389 from the DMZ to your private LAN -- to be originated from the IP of your CAG. Do you need users to be able to open MSTSC.exe to open an RDP (3389) connection to any server in your LAN? That will do the trick, if that's what you're looking for.
ASKER
Citrix has confirmed that the build I tested did include the DNS hot fix you posted. The problem isn't getting RDP to users; it all works fine except for one site. There it's the proxy issue and to date no fix. Needless to say, this customer is the one with the greatest clout.
This is why I am desperate to identify another product that would do the trick.
ASKER
If you are interested the problem is like this:-
My Customer uses balanced Border Manager proxy servers and on each PC the proxy settings point to the location of a Proxy Pac - a script. The script performs a number of functions and they are wedded to its versatility. The blurb about CAG does emphasise that it does not support Proxy Pac. All well and good. However even when we set the proxy address in the CAG Client settings manually while Proxy Pac is specified in the internet options it fails, as it bypasses the proxy and goes direct to the CAG. Citrix has acknowledged that this is not designed behaviour when the proxy address is manually set.
The problem is that we seem a long way off a solution and I'm tearing my hair out. I was convinced that CAG was the best solution and did the training, went through all the hoops to get it set up. I'm beginning to regret it!!!
Would the Access Gateway Enterprise edition be a better fit? From what I remember about proxy pac, there's a DNS entry defined and it's implemented via DHCP, no? Also, there's a file (either proxy.pac or wpad.dat) that's implemented that basically tells which proxy to use. http://nscsysop.hypermart.net/proxypac.html (just checked this out) <-- Is there a way to modify this file to say "if CAG client is used then repoint to proxy"? Something like that, to get it to work.
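As an added illustration of the proxy.pac / wpad.dat mechanism described in the reply above (example code, not part of the thread): a minimal PAC file that sends the gateway hostname through the customer's two proxies with no DIRECT fallback, plus a check for whether any rule would let a host bypass the proxy. Hostnames, ports and the internal domain are constructed placeholders, and the helper functions stand in for the ones a browser's PAC runtime normally supplies. A client that never evaluates the PAC, which is the behaviour the asker reports for the CAG client, is unaffected by any of this logic.

```javascript
// Constructed PAC file example; hostnames, ports and domains are placeholders.
// A browser's PAC runtime provides isPlainHostName() and dnsDomainIs();
// stand-ins are defined here so the file can be evaluated outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// Two load-balanced proxies, as in the customer's Border Manager setup (placeholders).
const PROXIES = "PROXY proxy1.example.internal:8080; PROXY proxy2.example.internal:8080";
// Public hostname of the Access Gateway (placeholder).
const GATEWAY_HOST = "cag.example.com";

// Entry point the PAC runtime calls for every request.
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain stay on the LAN: go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // The gateway is external, so it must traverse the proxies. Deliberately no
  // "; DIRECT" fallback: a failed proxy must not silently become a direct connection.
  if (host.toLowerCase() === GATEWAY_HOST) {
    return PROXIES;
  }
  // All other external traffic is proxied as well and subject to proxy policy.
  return PROXIES;
}

// Check over the PAC decision: does the fallback chain for this request
// permit a DIRECT connection at any point?
function allowsDirect(url, host) {
  return FindProxyForURL(url, host).split(";").some(s => s.trim() === "DIRECT");
}
```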
ASKER
No I don't think so, the CAG was the most appropriate solution when we assessed it. Your suggestion is interesting but surely, given that Proxy Pac is not supported, changing settings in it won't make any difference?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for this, I have decided to go with the Juniper SA2000, it's expensive but looks very full featured.
Microsoft's IAG isn't that bad actually.
And the CAG Enterprise Edition 8.x doesn't have the problem you describe
Hotfix AG2000_v455 - Access Gateway Standard Edition 4.5
http://support.citrix.com/article/CTX114028
Hotfix AAC450W001 - For Access Gateway Advanced Edition 4.5
http://support.citrix.com/article/CTX112803