Solved

Citrix XenApp via Cisco SSL VPN

Posted on 2013-01-28
3,407 Views
Last Modified: 2013-06-25
Dear Experts,

We have been struggling with a problem for a few days. We have a Citrix XenApp farm v4.7 that contains two servers, plus a Citrix Web Interface server v5.2.

We have successfully configured our Cisco SSL VPN with SSO to connect to our server farm; however, we are unable to access the published applications. The applications begin to launch but never complete (see attached).

Application Hanging

The Citrix apps work fine from within the network and via an IPsec VPN. I believe the problem could be caused by missing configuration within the Citrix Web Interface "secure access". I tried configuring gateway direct as an option, but then we need to configure STA, so on each XenApp server I have configured the SSL relay settings using the instructions found here: http://support.citrix.com/article/CTX128257

However, the gateway direct option requires to be pointed to http://fqdn/ctxsta.dll. Does this mean that we need to install IIS on the XenApp server, or can we configure another server to be the STA?

Or are we heading down the wrong path altogether?

Note that while connecting to Citrix via the SSL VPN with the monitor open on the ASA, the IP requesting data from the Citrix farm is the inside interface of the ASA; however, the traffic from the XenApp (applications) never gets returned. See attached screenshot of the ASA monitor.

ASA Monitor

One other thing to note: we have secured the SSL VPN with a wildcard certificate. It has been suggested that this is our problem??

TIA
Steve
Question by:macomsupport
8 Comments
LVL 20

Expert Comment

by:rauenpc
When I've had problems with this in the past, it has usually been due to routing/NATing, or the XenApp mode (?). Depending on how the XenApp server is set up, the temporary ICA file used to launch the app can contain a private IP or FQDN, or a public IP/FQDN if the server is set up to act as a gateway. Different setups would require either of those to be configured. The real-time log viewer would suggest that you are using private IPs, so I would look to make sure the server has a route to reach that particular VPN address pool, and also make sure to have a NAT exemption configured for that traffic. If you are using FQDNs, make sure the proper DNS server is being used by default with the VPN client. I've also seen where XenApp servers were configured with two interfaces. In this case routing needs to be configured so that the server knows where to send external and internal traffic, with the potentially oddball route being for VPN clients, as those are usually private IP addresses but routed towards the internet.

I don't know anything about XenApp configuration (hence the ? after using the term mode), but I do have experience with the network side of things. It may be helpful to open up the ICA file in an editor so that you know for sure what address is being handed out for the app, and from there you can check routing/firewall/NAT (or no NAT).

Author Comment

by:macomsupport
Thanks for your input; however, this is an SSL VPN, so there is no VPN client or VPN IP pool. The ASA inside interface is making the requests on behalf of the users. Looking inside the ICA file is a nice idea, but the file never gets received by the client when using the SSL VPN. This is also what the monitor above suggests.
LVL 20

Expert Comment

by:rauenpc
I didn't realize you were using clientless SSL VPN; I was thinking AnyConnect SSL VPN which does have a client and VPN pool.

Having no experience with this setup, the best I can give you is the Cisco configuration guide regarding this.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_clientless_ssl.html#wp1293004

What I found interesting about the instructions is that you are required to not only download the ICA plugin for the portal, but also to download a couple files from the Citrix website and add them to the ZIP file that is used to install the ICA plugin on the ASA.

Author Comment

by:macomsupport
Thanks again. Yes, the Cisco guide was followed to the letter.....
LVL 19

Expert Comment

by:compdigit44
It sounds like you need to create another site on your Web Interface for your external connections. I use a NetScaler in my environment and haven't used the Cisco VPN solution, but I can give you a basic idea of what I did.

1) Your default internal Citrix website should be set to "Authentication Point at Web Interface"; you should create another website that is set to "At Access Gateway".

2) Authentication Method is set to explicit: https://<ExternalCitrixURL>/CitrixAuthService/AuthService.asmx

3) STA servers should point to one of your internal Citrix servers. I usually point this to my data collector. You do not need to install IIS.

4) Make sure the firewall between your Citrix servers and the Cisco VPN allows ports 443, 80 and 1494 to all Citrix servers.

I will look for your reply and will see if I can gather more information for you.
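rauenpc suggests opening the launch ICA file to see exactly which address the client is told to connect to, and compdigit44's steps describe the two shapes that address can take (a direct server address, or an STA ticket plus gateway when the site is "At Access Gateway") and the ports the firewall must pass. The script below is an added example, not code from either commenter or from Citrix: it parses an ICA file with Python's configparser, classifies the launch as direct or gateway, and states which host/port the client (or gateway) must be able to reach. Address, SSLEnable and SSLProxyHost are standard ICA keys; the two sample files, the 10.10.10.x addresses, the STA id, ticket and gateway hostname are constructed placeholders.

```python
from __future__ import annotations

import configparser
import ipaddress
from dataclasses import dataclass

# Constructed sample: what a Web Interface site in direct access mode hands out.
# The client must itself route to the private server address on 1494/tcp.
DIRECT_ICA = """\
[Encoding]
InputEncoding=ISO8859_1

[WFClient]
Version=2
HttpBrowserAddress=10.10.10.5:80

[ApplicationServers]
Notepad=

[Notepad]
Address=10.10.10.21:1494
InitialProgram=#Notepad
SSLEnable=Off
"""

# Constructed sample of the gateway form: Address carries an STA ticket, not an
# IP, and SSLProxyHost tells the client to open its session to the gateway.
GATEWAY_ICA = """\
[Encoding]
InputEncoding=ISO8859_1

[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0123ABCD;C0FFEE0123456789
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=gateway.example.com:443
"""


@dataclass
class LaunchTarget:
    app: str
    address: str        # raw Address= value from the ICA file
    mode: str           # "direct" or "gateway"
    connect_host: str   # host the client actually opens its TCP session to
    connect_port: int
    private: bool       # True when connect_host is an RFC 1918 / loopback IP
    sta_id: str = ""    # STA identifier embedded in a gateway-form Address


def _split_host_port(value: str, default_port: int) -> tuple[str, int]:
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def _is_private(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False    # a hostname: which IP it resolves to is a DNS question


def parse_ica(text: str) -> list[LaunchTarget]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; ICA keys are mixed-case
    cp.read_string(text)
    targets: list[LaunchTarget] = []
    for app in cp["ApplicationServers"]:
        sec = cp[app]
        address = sec.get("Address", "")
        ssl_on = sec.get("SSLEnable", "Off").lower() == "on"
        if address.startswith(";") and ssl_on and sec.get("SSLProxyHost"):
            # Gateway form ";40;<STA id>;<ticket>": the client talks SSL to the
            # gateway, which validates the ticket against the STA over HTTP.
            parts = address.split(";")
            host, port = _split_host_port(sec["SSLProxyHost"], 443)
            sta = parts[2] if len(parts) > 2 else ""
            targets.append(LaunchTarget(app, address, "gateway", host, port,
                                        _is_private(host), sta_id=sta))
        else:
            host, port = _split_host_port(address, 1494)
            targets.append(LaunchTarget(app, address, "direct", host, port,
                                        _is_private(host)))
    return targets


def required_reachability(t: LaunchTarget) -> str:
    """What must be routable and allowed by the firewall for this launch."""
    if t.mode == "direct":
        return (f"client -> {t.connect_host}:{t.connect_port}/tcp (ICA) must be "
                f"routed{' (private address: check NAT exemption)' if t.private else ''}")
    return (f"client -> {t.connect_host}:{t.connect_port}/tcp (SSL); "
            f"gateway -> STA over 80/tcp to validate ticket for {t.sta_id}")


if __name__ == "__main__":
    for sample in (DIRECT_ICA, GATEWAY_ICA):
        for target in parse_ica(sample):
            print(f"{target.app}: {target.mode} -> {required_reachability(target)}")
```

Run it against a real launch.ica (replace the sample text with the file contents) to see whether the client is being handed a private server address, which must be routable from wherever the session actually originates, or a gateway/STA form, in which case only 443/tcp to the gateway and the gateway-to-STA path matter.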
LVL 19

Expert Comment

by:compdigit44
Also see if this link helps: https://supportforums.cisco.com/thread/2090788

Good Luck!!!!

Accepted Solution

by:macomsupport
Hello

We never got this working, so we have installed Citrix Access Gateway Enterprise, and this got everything working the way we wanted.


Thanks for all your help.