Solved

VPN Across HTTPS - an Alternative to CAG Required

Posted on 2007-07-24
888 Views
Last Modified: 2009-01-07
I have a need to offer VPN connection to my server farm to a number of remote customers using HTTPS in order to minimise the requirements of end users to amend proxy and firewall rules. I decided to use the Citrix Access Gateway (CAG). Much to my dismay I have found that there is a bug in the current implementation which means that in some circumstances the client still attempts to connect directly even where one specifies a proxy address in the advanced settings of the client.

To be fair to Citrix, they are currently working on the issue and have acknowledged that it is their problem. However, I am coming under extreme pressure to resolve this and Citrix are unable to give me a date.

So my problem is deciding on another solution to implement in the short term. Does anyone have any experience and recommendations of other solutions I might deploy? I need:
- VPN to be established using HTTPS, as with the CAG.
- To be able to pick up authentication details via Active Directory on the farm.
- To be able to manually set proxy details in the client.
Question by:cescentman
12 Comments
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 19555904
Is this an issue with the CAG even after the hotfix for CAG 4.5 AND Access Gateway Advanced Edition (formerly AAC) from late last week?  I remember seeing something about proxy settings, that's why I responded to your question.  ("The Secure Access Client sends connection requests to the local DNS server and not to a configured proxy server to resolve the public name of the Access Gateway").  There are a few more proxy-related issues resolved with the Access Gateway Advanced edition.

Hotfix AG2000_v455 - Access Gateway Standard Edition 4.5
http://support.citrix.com/article/CTX114028

Hotfix AAC450W001 - For Access Gateway Advanced Edition 4.5
http://support.citrix.com/article/CTX112803
0
 
LVL 1

Author Comment

by:cescentman
ID: 19556031
Many thanks for the suggestion. I am assuming that the Citrix Support Specialist was aware of these and we have tried as far forward as v455-37.1. However, I will run it past him; assumptions can sometimes be flawed!!!!!

In the meantime the blow lamp is being held close to the seat of my pants and I desperately need an alternative to try in case the fix takes too long. Do you have any suggestions?
0
 
LVL 1

Author Comment

by:cescentman
ID: 19556254
Just realised that I neglected to add the last criterion:

I need to be able to restrict traffic on the VPN to port 3389.
0
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 19556255
I mainly implement and use the CAGs.  I'm not sure if there's anything that's better than that.  Are you using only the CAG, or do you have the CAG + Access Gateway Advanced Edition?  Sorry if I'm not much help to you.  
0
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 19556280
Oh.  Sorry -- you were probably typing as I was before.   With the CAG, you can straddle the firewall (one port in the DMZ, the other port in the private LAN) OR you could open port 3389 from the DMZ to your private LAN -- to be originated from the IP of your CAG.  Do you need users to be able to open MSTSC.exe to open an RDP (3389) connection to any server in your LAN?  That will do the trick, if that's what you're looking for.
0
 
LVL 1

Author Comment

by:cescentman
ID: 19556459
Citrix has confirmed that the build I tested did include the DNS hotfix you posted. The problem isn't getting RDP to users; it all works fine except for one site. There it's the proxy issue and to date there is no fix; needless to say, this customer is the one with the greatest clout.

This is why I am desperate to identify another product that would do the trick.
0
 
LVL 1

Author Comment

by:cescentman
ID: 19556631
If you are interested, the problem is like this:

My customer uses balanced Border Manager proxy servers and on each PC the proxy settings point to the location of a Proxy PAC - a script. The script performs a number of functions and they are wedded to its versatility. The blurb about CAG does emphasise that it does not support Proxy PAC. All well and good. However, even when we set the proxy address in the CAG Client settings manually while Proxy PAC is specified in the Internet options it fails, as it bypasses the proxy and goes direct to the CAG. Citrix has acknowledged that this is not designed behaviour when the proxy address is manually.

The problem is that we seem a long way off a solution and I'm tearing my hair out. I was convinced that CAG was the best solution and did the training, went through all the hoops to get it set up. I'm beginning to regret it!!!
0
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 19556839
Would the Access Gateway Enterprise edition be a better fit?  From what I remember about proxy PAC, there's a DNS entry defined and it's implemented via DHCP, no?  Also, there's a file (either proxy.pac or wpad.dat) that's implemented that basically tells which proxy to use.  http://nscsysop.hypermart.net/proxypac.html (just checked this out) <-- Is there a way to modify this file to say "if CAG client is used then repoint to proxy"? Something like that, to get it to work.
0
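The PAC mechanism discussed in the comment above, as an added illustration that is not code from this thread, from Citrix, or from the proxy vendor: a proxy auto-config file is a small JavaScript script exposing `FindProxyForURL(url, host)`, which a PAC-aware client calls for every request and which answers with a route string such as `PROXY host:port` or `DIRECT`. The gateway name, proxy address and internal domain below are constructed placeholders; `shExpMatch` and `isPlainHostName` are normally supplied by the client and are defined here only so the script runs stand-alone under Node.

```javascript
// Added illustration of a proxy auto-config (PAC) script; not code from this thread.
// Every host name and address below is a constructed placeholder.
const GATEWAY_HOST = "cag.example.com";                 // assumed public name of the SSL VPN gateway
const CORPORATE_PROXY = "PROXY proxy.example.com:8080";  // assumed address of the corporate proxy
const INTERNAL_DOMAIN = "*.corp.example.local";          // assumed internal DNS suffix

// Helpers that a PAC-aware client normally provides; defined here so the
// script can be executed stand-alone under Node for testing.
function shExpMatch(str, pattern) {
  // Convert a shell-style glob (* and ?) into an anchored, case-insensitive regex.
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Standard PAC entry point, called once per request with the full URL and its host.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();

  // Unqualified names and the internal domain are reachable directly on the LAN.
  if (isPlainHostName(h) || shExpMatch(h, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // The gateway's public name is given no DIRECT fallback: if the proxy is
  // unreachable the request fails rather than attempting a direct connection
  // that the outbound firewall is meant to block.
  if (h === GATEWAY_HOST) {
    return CORPORATE_PROXY;
  }

  // General Internet traffic goes through the proxy, with a direct fallback
  // if the proxy is down (a common, if permissive, PAC convention).
  return CORPORATE_PROXY + "; DIRECT";
}

// Convenience wrapper: derive the host from the URL the way a client would.
function routeForUrl(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
```

The decision is keyed on the destination host only, so a PAC can steer requests for the gateway's public name through the proxy, but it cannot tell which application is making the request, and a client that does not consult the PAC at all (the behaviour described earlier in the thread) is unaffected by anything written here.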
 
LVL 1

Author Comment

by:cescentman
ID: 19557695
No, I don't think so; the CAG was the most appropriate solution when we assessed it. Your suggestion is interesting but surely, given that Proxy PAC is not supported, changing settings in it won't make any difference?
0
 
LVL 10

Accepted Solution

by: chrisnewman01 (earned 2000 total points)
ID: 19558326
Check out Neoteris as well (part of Juniper Networks).  They are Java-based and can run entirely over port 443, from what I remember...  http://www.juniper.net/products_and_services/ssl_vpn_secure_access/
0
 
LVL 1

Author Comment

by:cescentman
ID: 19675950
Thanks for this, I have decided to go with the Juniper SA2000, it's expensive but looks very full featured.
0
 

Expert Comment

by:reza81
ID: 23314565
Microsoft's IAG isn't that bad actually.

And the CAG Enterprise Edition 8.x doesn't have the problem you describe.
0

Question has a verified solution.
