InvisibleTerror asked on
HTTPS traffic routed to another gateway statically does not connect but pings do
Adding a static route to a Zyxel USG 100 firewall that directs traffic bound for 172.18.0.0 via an internal gateway of 10.10.10.50 works perfectly if you run a ping or traceroute. When you try to connect with a Citrix Receiver, however, the server cannot be found. Adding a static route directly to the client PC and skipping the Zyxel fixes the issue, but it is a poor fix with lots of clients.
Setup
Zyxel USG 100 company internet firewall.
Internal IP 10.10.10.1
Cisco 1700 Series EMR Gateway
Internal IP 10.10.10.50
EMR final destination is 172.18.31.245
If I add a static route to the Zyxel firewall that routes 172.18.0.0 255.255.0.0 traffic to 10.10.10.50, it works when testing with pings and traceroutes. But when using the Citrix Receiver, which uses HTTPS as its protocol, it never connects.
I have looked and there are no firewall rules that should be interfering with the traffic flow. I don't have access to the EMR network to do any testing, but the only places that have this issue are those with Zyxel USG firewalls.
Are IP redirects enabled on the client and Zyxel box?
++ most likely a redirection occurs, which messes up the HTTPS traffic
if the first connection fails and a subsequent connection works, this is the case
you can also check using "netstat -rn" or route
a tracert would be welcome as well
it would probably be cleaner to prevent the zyxel from sending route redirections
ASKER
Troubleshot and found the problem.
Also, transparent proxy is possible with most firewalls.
Try to connect with port 1494 to the Citrix server ...
use "telnet yourserver.yourdomain 1494"
... you should see "ICAICA...", so the connection is possible and HTTP (proxy) is the problem.
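The two checks suggested in this thread (look at the client's routing table with "netstat -rn" / route for a redirect-installed host route, and probe TCP 1494 for the ICA greeting) as an added Python example; this is not code from the thread or from Zyxel/Citrix. It assumes Windows-style "netstat -rn" output and uses a constructed sample in which the Zyxel (10.10.10.1) has already redirected the client to 10.10.10.50 for the EMR host.

```python
import ipaddress
import socket

# Constructed sample of Windows "netstat -rn" / "route print" output on a client
# behind the Zyxel (default gateway 10.10.10.1). The /32 row for 172.18.31.245 is
# what an ICMP redirect from the firewall leaves behind in the client's table.
SAMPLE_ROUTES = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.10.10.1     10.10.10.23     25
       10.10.10.0    255.255.255.0          On-link     10.10.10.23    281
    172.18.31.245  255.255.255.255       10.10.10.50     10.10.10.23     26
===========================================================================
"""


def parse_routes(text):
    """Return (network, gateway) for each IPv4 row; headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # not a "destination netmask gateway ..." row
        routes.append((net, parts[2]))
    return routes


def redirect_host_routes(text, prefix, expected_gw):
    """Host (/32) routes inside `prefix` that point somewhere other than `expected_gw`.

    The static route on the Zyxel should send the whole 172.18.0.0/16 via the
    firewall; a more specific /32 to another gateway is the footprint of a redirect."""
    prefix = ipaddress.ip_network(prefix)
    return [(str(net.network_address), gw) for net, gw in parse_routes(text)
            if net.prefixlen == 32 and net.subnet_of(prefix) and gw != expected_gw]


def is_ica_banner(data):
    """The ICA listener on TCP 1494 greets with a repeated 'ICA' marker."""
    return data.startswith(b"ICA")


def probe_ica(host, port=1494, timeout=3.0):
    """Same check as 'telnet server 1494': True if the greeting looks like ICA."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return is_ica_banner(sock.recv(16))
```

Run `redirect_host_routes(open_output, "172.18.0.0/16", "10.10.10.1")` against the real netstat output on an affected client; a non-empty result means the client has accepted a redirect, which is the situation the comments above describe.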