Solved

Citrix XenApp via Cisco SSL VPN

Posted on 2013-01-28
8
3,577 Views
Last Modified: 2013-06-25
Dear Experts,

we have been stuggling with a problem for a few days, we have a citrix XENAPP Farm v 4.7 that contains two servers, plus a citrx web interface server v 5.2.

we have successfully configured our Cisco SSL VPN with SSO to connect to our server farm, however we are unable to access the published applications, the applcations begin to launch but never complete (see attached).
Application Hangingthe citrix apps work fine from within the network and via a ipsec vpn. I believe the problem could be caused by missing configuration within the citrix web interface "secure access" I tried configuring gateway direct as an option but then we need to configure STA, so on each xenapp server I have configured the SSL relay settings using the instructions found here. http://support.citrix.com/article/CTX128257

however the gateway direct requires to be pointed to http://fqdn/ctxsta.dll does this mean that we need to install IIS on the XENApp server or can we configured another server to be the STA.

Or are we heading down the wrong path altogther?

note that while connecting to citrix via the SSL VPN with the monitor open on theASA the IP requesting data from the citrix Farm is the inside interface of the ASA, however the traffic from the XENAPP (applications never get returned) see attached screen shot of ASA monitor.
ASA Monitor
one other thing to note we have secured the SSL vpn with a wildcard certificate it has been suggected that this is our problem??

TIA
Steve
0
Comment
Question by:macomsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38829651
When I've had problems with this in the past, it has usually been due to routing/nat'ing, or the xenapp mode (?). Depending on how the xenapp server is setup, the temporary ica file used to launch the app can contain a private IP or fqdn, or a public IP/fqdn if the server is setup to act as a gateway. Different setups would require either of those to be configured. The real time log viewer would suggest that you are using private IP's, so I would look to make sure the server has a route to reach that particular vpn address pool, and to also make sure and have a nat exemption configured for that traffic. If you are using fqdn's, make sure the proper dns server is being used by default with the vpn client. I've also seen where xenapp servers were configured with two interfaces. In this case routing needs to be configured so that the server know where to send external and internal traffic with the potentially oddball route being for vpn client as those are usually private IP addresses but routed towards the internet.

I don't know anything about xenapp configuration (hence the ? after using the term mode), but I do have experience with the network side of things. It may be helpful to open up the ica file in an editor so that you know for sure what address is being handed out for the app, and from there you can check routing/firewall/nat (or no nat).
0
 

Author Comment

by:macomsupport
ID: 38830258
Thanks for your input however this is a SSL VPN so their is no VPN client or VPN IP Pool, the ASA inside interface is making the requests on behalf of the users. looking inside the ICA file is a nice idea but the File never gets received by the client when using the SSL VPN. this is also what the monitor above suggests.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38830921
I didn't realize you were using clientless SSL VPN; I was thinking AnyConnect SSL VPN which does have a client and VPN pool.

Having no experience with this setup, the best I can give you is the Cisco configuration guide regarding this.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_clientless_ssl.html#wp1293004

What I found interesting about the instructions is that you are required to not only download the ICA plugin for the portal, but also to download a couple files from the Citrix website and add them to the ZIP file that is used to install the ICA plugin on the ASA.
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:macomsupport
ID: 38832880
Thanks again, yes the cisco guide was followed to the letter.....
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 38919171
It sounds like you need to create another site on your web interface for your external connections. I use a Netscaler in my enviroment and haven't used the Cisco VPN solution but I can give you a basic idea of what i did.

1) You default internal Citrix website should be set to "Authentication Point at Web Interface" you shoud create another website that is set to "At Access  Gateway"

2) Authentication Method is set to explict:  https://<ExternalCitrixURL/CitrixAuthService/AuthService.asmx

3)STA servers should point to one of your internal Citrix servers. I usually point this to my data collector.. You do not need to install IIS

4) Make sure the firewall between you Citrix servers and Cisco VPN allows: ports: 443, 80, 1494 to all Citrix servers.

I will look for your reply and will see if I can gather more information for you.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 38919176
Also see if this link help's: https://supportforums.cisco.com/thread/2090788

Good Luck!!!!
0
 

Accepted Solution

by:
macomsupport earned 0 total points
ID: 39187009
Hello

We nether got this working, So we have installed Citrix Access gateway Enterprise and this got everything working the way we wanted.


Thanks for all your help.
0
 

Author Closing Comment

by:macomsupport
ID: 39274159
Hello

We nether got this working, So we have installed Citrix Access gateway Enterprise and this got everything working the way we wanted.


Thanks for all your help.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question