Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Citrix XenApp via Cisco SSL VPN

Posted on 2013-01-28
8
Medium Priority
?
3,666 Views
Last Modified: 2013-06-25
Dear Experts,

we have been stuggling with a problem for a few days, we have a citrix XENAPP Farm v 4.7 that contains two servers, plus a citrx web interface server v 5.2.

we have successfully configured our Cisco SSL VPN with SSO to connect to our server farm, however we are unable to access the published applications, the applcations begin to launch but never complete (see attached).
Application Hangingthe citrix apps work fine from within the network and via a ipsec vpn. I believe the problem could be caused by missing configuration within the citrix web interface "secure access" I tried configuring gateway direct as an option but then we need to configure STA, so on each xenapp server I have configured the SSL relay settings using the instructions found here. http://support.citrix.com/article/CTX128257

however the gateway direct requires to be pointed to http://fqdn/ctxsta.dll does this mean that we need to install IIS on the XENApp server or can we configured another server to be the STA.

Or are we heading down the wrong path altogther?

note that while connecting to citrix via the SSL VPN with the monitor open on theASA the IP requesting data from the citrix Farm is the inside interface of the ASA, however the traffic from the XENAPP (applications never get returned) see attached screen shot of ASA monitor.
ASA Monitor
one other thing to note we have secured the SSL vpn with a wildcard certificate it has been suggected that this is our problem??

TIA
Steve
0
Comment
Question by:macomsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38829651
When I've had problems with this in the past, it has usually been due to routing/nat'ing, or the xenapp mode (?). Depending on how the xenapp server is setup, the temporary ica file used to launch the app can contain a private IP or fqdn, or a public IP/fqdn if the server is setup to act as a gateway. Different setups would require either of those to be configured. The real time log viewer would suggest that you are using private IP's, so I would look to make sure the server has a route to reach that particular vpn address pool, and to also make sure and have a nat exemption configured for that traffic. If you are using fqdn's, make sure the proper dns server is being used by default with the vpn client. I've also seen where xenapp servers were configured with two interfaces. In this case routing needs to be configured so that the server know where to send external and internal traffic with the potentially oddball route being for vpn client as those are usually private IP addresses but routed towards the internet.

I don't know anything about xenapp configuration (hence the ? after using the term mode), but I do have experience with the network side of things. It may be helpful to open up the ica file in an editor so that you know for sure what address is being handed out for the app, and from there you can check routing/firewall/nat (or no nat).
0
 

Author Comment

by:macomsupport
ID: 38830258
Thanks for your input however this is a SSL VPN so their is no VPN client or VPN IP Pool, the ASA inside interface is making the requests on behalf of the users. looking inside the ICA file is a nice idea but the File never gets received by the client when using the SSL VPN. this is also what the monitor above suggests.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38830921
I didn't realize you were using clientless SSL VPN; I was thinking AnyConnect SSL VPN which does have a client and VPN pool.

Having no experience with this setup, the best I can give you is the Cisco configuration guide regarding this.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_clientless_ssl.html#wp1293004

What I found interesting about the instructions is that you are required to not only download the ICA plugin for the portal, but also to download a couple files from the Citrix website and add them to the ZIP file that is used to install the ICA plugin on the ASA.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:macomsupport
ID: 38832880
Thanks again, yes the cisco guide was followed to the letter.....
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 38919171
It sounds like you need to create another site on your web interface for your external connections. I use a Netscaler in my enviroment and haven't used the Cisco VPN solution but I can give you a basic idea of what i did.

1) You default internal Citrix website should be set to "Authentication Point at Web Interface" you shoud create another website that is set to "At Access  Gateway"

2) Authentication Method is set to explict:  https://<ExternalCitrixURL/CitrixAuthService/AuthService.asmx

3)STA servers should point to one of your internal Citrix servers. I usually point this to my data collector.. You do not need to install IIS

4) Make sure the firewall between you Citrix servers and Cisco VPN allows: ports: 443, 80, 1494 to all Citrix servers.

I will look for your reply and will see if I can gather more information for you.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 38919176
Also see if this link help's: https://supportforums.cisco.com/thread/2090788

Good Luck!!!!
0
 

Accepted Solution

by:
macomsupport earned 0 total points
ID: 39187009
Hello

We nether got this working, So we have installed Citrix Access gateway Enterprise and this got everything working the way we wanted.


Thanks for all your help.
0
 

Author Closing Comment

by:macomsupport
ID: 39274159
Hello

We nether got this working, So we have installed Citrix Access gateway Enterprise and this got everything working the way we wanted.


Thanks for all your help.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question