Citrix XenApp via Cisco SSL VPN

Dear Experts,

we have been stuggling with a problem for a few days, we have a citrix XENAPP Farm v 4.7 that contains two servers, plus a citrx web interface server v 5.2.

we have successfully configured our Cisco SSL VPN with SSO to connect to our server farm, however we are unable to access the published applications, the applcations begin to launch but never complete (see attached).
Application Hangingthe citrix apps work fine from within the network and via a ipsec vpn. I believe the problem could be caused by missing configuration within the citrix web interface "secure access" I tried configuring gateway direct as an option but then we need to configure STA, so on each xenapp server I have configured the SSL relay settings using the instructions found here. http://support.citrix.com/article/CTX128257

however the gateway direct requires to be pointed to http://fqdn/ctxsta.dll does this mean that we need to install IIS on the XENApp server or can we configured another server to be the STA.

Or are we heading down the wrong path altogther?

note that while connecting to citrix via the SSL VPN with the monitor open on theASA the IP requesting data from the citrix Farm is the inside interface of the ASA, however the traffic from the XENAPP (applications never get returned) see attached screen shot of ASA monitor.
ASA Monitor
one other thing to note we have secured the SSL vpn with a wildcard certificate it has been suggected that this is our problem??

TIA
Steve
macomsupportAsked:
Who is Participating?
 
macomsupportConnect With a Mentor Author Commented:
Hello

We nether got this working, So we have installed Citrix Access gateway Enterprise and this got everything working the way we wanted.


Thanks for all your help.
0
 
rauenpcCommented:
When I've had problems with this in the past, it has usually been due to routing/nat'ing, or the xenapp mode (?). Depending on how the xenapp server is setup, the temporary ica file used to launch the app can contain a private IP or fqdn, or a public IP/fqdn if the server is setup to act as a gateway. Different setups would require either of those to be configured. The real time log viewer would suggest that you are using private IP's, so I would look to make sure the server has a route to reach that particular vpn address pool, and to also make sure and have a nat exemption configured for that traffic. If you are using fqdn's, make sure the proper dns server is being used by default with the vpn client. I've also seen where xenapp servers were configured with two interfaces. In this case routing needs to be configured so that the server know where to send external and internal traffic with the potentially oddball route being for vpn client as those are usually private IP addresses but routed towards the internet.

I don't know anything about xenapp configuration (hence the ? after using the term mode), but I do have experience with the network side of things. It may be helpful to open up the ica file in an editor so that you know for sure what address is being handed out for the app, and from there you can check routing/firewall/nat (or no nat).
0
 
macomsupportAuthor Commented:
Thanks for your input however this is a SSL VPN so their is no VPN client or VPN IP Pool, the ASA inside interface is making the requests on behalf of the users. looking inside the ICA file is a nice idea but the File never gets received by the client when using the SSL VPN. this is also what the monitor above suggests.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
rauenpcCommented:
I didn't realize you were using clientless SSL VPN; I was thinking AnyConnect SSL VPN which does have a client and VPN pool.

Having no experience with this setup, the best I can give you is the Cisco configuration guide regarding this.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_clientless_ssl.html#wp1293004

What I found interesting about the instructions is that you are required to not only download the ICA plugin for the portal, but also to download a couple files from the Citrix website and add them to the ZIP file that is used to install the ICA plugin on the ASA.
0
 
macomsupportAuthor Commented:
Thanks again, yes the cisco guide was followed to the letter.....
0
 
compdigit44Commented:
It sounds like you need to create another site on your web interface for your external connections. I use a Netscaler in my enviroment and haven't used the Cisco VPN solution but I can give you a basic idea of what i did.

1) You default internal Citrix website should be set to "Authentication Point at Web Interface" you shoud create another website that is set to "At Access  Gateway"

2) Authentication Method is set to explict:  https://<ExternalCitrixURL/CitrixAuthService/AuthService.asmx

3)STA servers should point to one of your internal Citrix servers. I usually point this to my data collector.. You do not need to install IIS

4) Make sure the firewall between you Citrix servers and Cisco VPN allows: ports: 443, 80, 1494 to all Citrix servers.

I will look for your reply and will see if I can gather more information for you.
0
 
compdigit44Commented:
Also see if this link help's: https://supportforums.cisco.com/thread/2090788

Good Luck!!!!
0
 
macomsupportAuthor Commented:
Hello

We nether got this working, So we have installed Citrix Access gateway Enterprise and this got everything working the way we wanted.


Thanks for all your help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.