Solved

Citrix over a proxy.

Posted on 2007-11-18
Last Modified: 2012-05-05
Currently I have a Citrix Presentation Server 4.5 being published to the web through an ISA 2004 Server.  So when users go to http://external.domain.com, they are able to click on the application and it opens a tunnel over ports 1494 and 2598 to the server and everything works great.  

I am having a problem with one client who is using a Squid Proxy Server for all their clients to get internet access.  There is no routable gateway specified on any of the workstations, only the proxy server.

I have searched all over the internet, but nothing seems to be pointing me in the right direction.  Any help would be great.

Tyler
Question by:tyty4u2
12 Comments
 
LVL 18

Assisted Solution

by:mgcIT
mgcIT earned 200 total points
ID: 20310331
Hi Tyler,

In the configuration of your web interface you can add a client-side proxy.  In the 4.0 version of Web Interface there is simply a link that says "Edit client-side proxy".  I'm not sure if this has changed in the newer version of WI/Access Suite Console (I'm not able to look at it right now) but you should have something similar.

Basically, you just need to specify the type of proxy, IP address of the client, IP address of the proxy server and port.
0
 

Author Comment

by:tyty4u2
ID: 20310389
I did see that setting and it is set to use the "User's Browser Setting".  I will manually try to set it and see what happens.

And when it asks for the proxy address, I am assuming it is the WAN side of the proxy server???
I really hope it is this easy!
0
 

Author Comment

by:tyty4u2
ID: 20310431
One more note.  It appears I can't enter the proxy server or port unless I specify HTTPS or SOCKS, and whenever I google Citrix and proxy it always refers to HTTPS also. There are some other settings, but they only allow you to specify the client address range, which I assume is the NATed network of whoever is trying to connect externally.  That setting seems more for people internally and not externally.  Do I need to set up HTTPS on my end for this to work?  What steps do I need to take to enable this on my Citrix setup?  

Thanks for all the help.
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 20310446
No, you don't need to set up HTTPS.  Your google search is probably giving you results for setting up security on the web interface, but that is unrelated to this problem.

Yes, the subnet is the NATed network of whoever is trying to connect.

I'm not sure what type of proxy is used for "Squid Proxy" but you should look that up to see if it's SOCKS, etc...  After you make the config changes to your WI, restart IIS to be sure those settings take effect.
0
 
LVL 21

Accepted Solution

by:robocat
robocat earned 300 total points
ID: 20311131
Do you publish the Presentation server using the Citrix Secure Gateway?

If not, this is the way to go because the SG will tunnel the ICA traffic over HTTPS/SSL, allowing your client to access the Citrix using the Squid proxy.

Using Secure Gateway will also enhance your overall security, and is strongly recommended for use on the internet.
0
 

Author Comment

by:tyty4u2
ID: 20312352
I will try the proxy settings.  How would the server know to use those proxy settings if the client subnet is NATed behind a proxy and it doesn't have any settings in the "Edit Proxy" for their external information?  Wouldn't the client subnet be hidden and all information appear to be from their proxy?  Hopefully that is all it is, but I am curious as to how it works that way.

I realize now that Secure Gateway would be ideal, but I only purchased Citrix Presentation Server Enterprise 4.5 :(
0
 
LVL 21

Expert Comment

by:robocat
ID: 20312800
> I realize now that Secure Gateway would be ideal, but I only purchased Citrix Presentation Server Enterprise 4.5

SG is a free part of Presentation server, not to be confused with the paying Access gateway that Citrix is aggressively trying to push.




0
 

Author Comment

by:tyty4u2
ID: 20312944
What would I do without professionals like you guys?  It seems like Citrix intentionally tries to make things difficult or confusing at times.

I looked into the setup for HTTPS but just wanted to get it up and working first.  Sometimes dealing with untrusted certificates through ISA Server and now Citrix can sometimes be difficult.

Is there some good documentation out there to get me pointed in the right direction to get that set up?
Would that tunnel ports 1494 and 2598 over HTTPS 443 as well?

Thanks
0
 
LVL 21

Expert Comment

by:robocat
ID: 20313036

http://support.citrix.com/servlet/KbServlet/download/12613-102-17148/Windows_Secure_Gateway_Guide.pdf

>Would that tunnel ports 1494 and 2598 over HTTPS 443 as well?

Yes, that is exactly what CSG does.

0
 
LVL 18

Expert Comment

by:mgcIT
ID: 20313533
Yeah, I agree... CSG is very beneficial.   The first time setting it up can be confusing, but after you understand the process it can be done in a matter of minutes.  I recommend reading the admin guide linked above to understand as much as you can before starting the install.

Just an FYI though... you can still have issues with client-side proxies when using CSG.  I honestly don't know why some work and others don't but usually you have to get creative in order for some to work.  Citrix provides the "Edit client-side proxy" as a way around this problem but it won't solve 100% of the issues.
0
 

Author Comment

by:tyty4u2
ID: 20315042
So what exactly does the Access Gateway do that CSG does not?  SSL VPN?  Thanks for your help the both of you.  If I need any further help I will open a new thread.

Well I think you both helped me in my solution.
mgcIT with the "edit Proxy" settings.
robocat with the CSG suggestion to make life easier with the proxy support.

I am new to the Expert-Exchange experience.  How should I award points to you guys and what do you think is fair?

Thanks again for your help!
0
 
LVL 21

Expert Comment

by:robocat
ID: 20329754

>So what exactly does the Access Gateway do that CSG does not?  SSL VPN?

Access gateway is a more general purpose SSL VPN gateway, but you don't need that for this. It's almost funny to see how Citrix tries to hush up the existence of SG since they launched AG :-)

>I am new to the Expert-Exchange experience.  How should I award points to you guys and what do you think is fair?

Well, it's up to you to determine which comment helped you most.

That being said, I think you should leave the "client side proxy settings" set to "user's browser settings" because it's doubtful this is the problem. SG should do the trick because proxy servers are designed to pass https traffic.



0
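Added example, not part of the original thread: a small Python check that asks an HTTP proxy for a CONNECT tunnel to port 443 (where Secure Gateway carries ICA inside SSL) and to the direct ICA ports 1494 and 2598, and reports the status code for each. The function names and the `StubProxy` class are hypothetical, and the stub's rule of tunnelling only port 443 is an assumption about the client's proxy policy, constructed so the check runs offline.

```python
import socket
import socketserver
import threading

ICA_PORTS = (1494, 2598)   # direct ICA ports named in the thread
SG_PORT = 443              # Secure Gateway carries ICA inside SSL on this port

def probe_connect(proxy, target_host, target_port, timeout=5.0):
    """Ask an HTTP proxy to open a tunnel; return the HTTP status code it answers with."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(request)
        reply = b""
        while b"\r\n" not in reply:          # read until the status line is complete
            chunk = sock.recv(1024)
            if not chunk:
                break
            reply += chunk
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"unexpected proxy reply: {status_line!r}")
    return int(parts[1])

class StubProxy(socketserver.StreamRequestHandler):
    """Constructed stand-in for the client's proxy (assumed policy: tunnel only port 443)."""
    def handle(self):
        line = self.rfile.readline().decode("ascii", "replace").split()
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass  # discard the remaining request headers
        port = line[1].rpartition(":")[2] if len(line) >= 2 else ""
        allowed = line[:1] == ["CONNECT"] and port == str(SG_PORT)
        status = b"200 Connection established" if allowed else b"403 Forbidden"
        self.wfile.write(b"HTTP/1.1 " + status + b"\r\n\r\n")

def start_stub_proxy():
    """Start the stub on a free loopback port; return (server, (host, port))."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address

def survey(proxy, target_host):
    """Map each port of interest to the status the proxy returns for CONNECT."""
    return {p: probe_connect(proxy, target_host, p) for p in (SG_PORT, *ICA_PORTS)}
```

Against a real proxy, pass its `(host, port)` to `survey` in place of the stub's address; a 200 only for port 443 means ICA will get through once it is wrapped by Secure Gateway.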
