• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 477
  • Last Modified:

SSL revocation issues for devices without internet access

Hi all,

We are using a Citrix NetScaler to provide users with access to a Citrix Web Interface.  We have setup a publicly verifiable SSL from GoDaddy to encrypt traffic on the NetScaler.  From an internet location, this works great.

We also have users that access this same NetScaler location on our LAN.  We do not provide direct internet access to the LAN.  Many of our devices our WYSE terminals (mostly model T50).  These device will not load our Citrix web page as they cannot complete the SSL revocation process.

I am wondering what the best way to resovle this problem would be?  I have considered setting up a different Citrix site, but I was wondering if there was a way to resolve this issue.

Any thoughts?
0
Tat4Tat
Asked:
Tat4Tat
1 Solution
 
Dirk KotteSECommented:
CRL's are an essential component when using certificates.
if the client can't reach a CRL distribution point, so he should not use this certificate.

i think there are some options:
allow internet-access to the CRL or create a second virtual server at the netscaler and use an internal CA.

(possible you can disable the CRL-checking at the thin-client)
0
 
shalomcCommented:
You can setup a web server on a VM or internal server, download the CRL to it, and spoof the specific CRL FQDN with your internal DNS. Most if not all CRL are http only so it is easy to get away with it.
0
Tackle projects and never again get stuck behind a technical roadblock.
Join Now