Citrix CAG LDAP Authentication problem

dmanisit asked:
Greetings,
I have configured my CAG for LDAP auth. The authentication works from my machine ONLY and can authenticate anyone on the domain who is in the USERS group, but if you try to log in from any other machine it does not work. Any ideas as to why?
dmanisit (Author) commented:
OK, I feel like a dummy. I figured it out. When trying to connect internally, you are already on the network; there is NO NEED to create a VPN from inside. It works on the external IP as it should. Thank you all for your help. Sorry I was a little slow in thinking about this. Thanks everyone.

dmanisit (Author) commented:
To further this comment: I have found that the users can access the external IP and log on successfully, but when they access the internal IP, they cannot authenticate.

bigbunk390 commented:
I just want to be a bit clearer:

External users (via the Internet) can connect to the CAG?
or
Internal users access the external address from within and connect?
dmanisit (Author) commented:
Internal users access the external IP from the LAN and can auth. Kinda crazy?

bigbunk390 commented:
I thought I posted this a bit earlier... oops.

Does your CAG have an internal DNS entry?

dmanisit (Author) commented:
Yes it does
[screenshot attached: DNS.JPG]

bigbunk390 commented:
Sorry, I should have been clearer. What I meant was: on your DNS servers, does your CAG have a DNS entry?
i.e. CAGfqdn.domain = x.x.x.x <-- internal network address

dmanisit (Author) commented:
Yes sir, they do. The user can get to the sign-in page no problem; it's just authenticating from the internal IP address on LDAP???

bigbunk390 commented:
Alright, so it works from one computer only, regardless of who logs in from that computer.

When you try to log in from another machine, does it return an error (initial CAG screen)?
This is a very kooky one, I'll give you that.

dmanisit (Author) commented:
It denies authentication from any other computer on the internal IP ONLY. No other errors at all. Here is a picture of my LDAP config, username blacked out to protect the innocent :-)
[screenshot attached: CAG-LDAP-Blacked.JPG]

bigbunk390 commented:
Yeah, you've got a funky one here.
In the CAG, under Network, ACLs, do you have anything there?

Also, on the CAG go to Access Gateway, Policies, Authentication; open the LDAP policy you have, and in the expression box do you have anything else besides "ns_true"?

It's pretty strange that one machine internally can auth to the internal CAG address and not others, but at the same time any internal machine can authenticate to the external address.

Sorry I have not been more help. I would think there would be an error popping up somewhere to let you know why.

dmanisit (Author) commented:
Sorry for the delay. No, I have nothing listed under ACL. And under Policies and Auth, in the LDAP policy there is nothing else listed except ns_true.

And I agree it is very strange. I am not really that familiar with the CAG setup or error logs, so I'm sure there may be a log somewhere. And no problem that you haven't been that much help; I just appreciate any help, and you are making me look at things again. So thank you.

bigbunk390 commented:
Can you tell me which Access Gateway you have (i.e. Enterprise) and which firmware you're up to?

bigbunk390 commented:
No Problem.
But we do use the CAG to service both external and internal connections.

dmanisit (Author) commented:
I have the CAG7000 Enterprise NS9.0: Build 71.3, Date: Oct 12 2009, 17:40:14

bigbunk390 commented:
Seems good. You may want to close the post if you're OK with the way you're working now.

dmanisit (Author) commented:
Well, if you have any ideas on the internal side I would be grateful.

bigbunk390 commented:
OK, let's give it a shot.
Is the CAG currently in a DMZ?

dmanisit (Author) commented:
yes sir

bigbunk390 commented:
Do you have something similar to this?
External IP is 113.1.1.1 and resolves to mydomain.com; it is NATted to 10.1.1.1 internally.

Domain DNS:
Internal IP is 10.1.1.1 and resolves to mydomain.com.
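The split-DNS and NAT layout sketched in the last comment is the kind of thing worth checking mechanically rather than by eye: a LAN client that resolves the gateway name to the public address goes out and hairpins back through the firewall NAT, while one that resolves it to the DMZ address goes direct, and the two paths must land on the same host. The following is an added example, not code from the thread or from Citrix, that encodes that check. The hostname, addresses and NAT rule are the hypothetical ones from the comment (mydomain.com, 113.1.1.1, 10.1.1.1); the resolver answers are constructed inline so it runs offline.

```python
"""Split-DNS / NAT consistency check for a gateway sitting in a DMZ.

Added example, not code from the thread or from Citrix. The hostname,
addresses and NAT mapping are the hypothetical ones from bigbunk390's
last comment (mydomain.com, 113.1.1.1, 10.1.1.1); the resolver answers
below are constructed so the check runs offline.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed resolver views: what each DNS server answers for the FQDN.
INTERNAL_VIEW: Dict[str, str] = {"mydomain.com": "10.1.1.1"}   # domain DNS, seen from the LAN
EXTERNAL_VIEW: Dict[str, str] = {"mydomain.com": "113.1.1.1"}  # public DNS, seen from the Internet
# Constructed firewall NAT table: public address -> DMZ address.
NAT: Dict[str, str] = {"113.1.1.1": "10.1.1.1"}


def is_internal(addr: str) -> bool:
    """True for RFC 1918, loopback, link-local and similar non-public addresses."""
    return ipaddress.ip_address(addr).is_private


def expected_path(client_addr: str, target_addr: str) -> str:
    """Name the path a client takes to reach the target address.

    A LAN client aimed at the public address must hairpin through the
    firewall NAT; aimed at the DMZ address it goes direct. An Internet
    client reaches the public address through inbound NAT and cannot
    reach a private address at all.
    """
    client_inside = is_internal(client_addr)
    target_inside = is_internal(target_addr)
    if client_inside:
        return "direct" if target_inside else "hairpin-nat"
    return "unroutable" if target_inside else "inbound-nat"


def check_split_dns(fqdn: str, internal_view: Dict[str, str],
                    external_view: Dict[str, str], nat: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the two views agree.

    Three things are asserted: the internal resolver hands LAN clients a
    private address, the external resolver hands Internet clients a public
    one, and the NAT rule for that public address lands on the same DMZ
    host the internal record names, so both paths terminate on one gateway.
    """
    findings: List[str] = []
    inside: Optional[str] = internal_view.get(fqdn)
    outside: Optional[str] = external_view.get(fqdn)

    if inside is None:
        findings.append(f"no internal DNS record for {fqdn}")
    elif not is_internal(inside):
        findings.append(f"internal DNS returns public address {inside}; "
                        "LAN clients will hairpin through the firewall")

    if outside is None:
        findings.append(f"no external DNS record for {fqdn}")
    elif is_internal(outside):
        findings.append(f"external DNS leaks private address {outside}")

    # Only compare against NAT when the public record is actually public.
    if inside is not None and outside is not None and not is_internal(outside):
        mapped = nat.get(outside)
        if mapped is None:
            findings.append(f"no NAT rule for public address {outside}")
        elif mapped != inside:
            findings.append(f"NAT maps {outside} -> {mapped} but internal DNS says {inside}; "
                            "the two paths reach different hosts")
    return findings


if __name__ == "__main__":
    for line in check_split_dns("mydomain.com", INTERNAL_VIEW, EXTERNAL_VIEW, NAT) or ["views consistent"]:
        print(line)
    print(expected_path("10.1.5.20", "113.1.1.1"))  # a LAN client using the public address
```

Feed it the real records from `nslookup` against the domain DNS and against a public resolver, plus the firewall's static NAT rule, and any finding it prints is a concrete reason the internal and external sign-in paths might not be reaching the same gateway with the same policy.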