InvisibleTerror

asked on

HTTPS traffic routed to another gateway statically does not connect but pings do

Adding a static route to a Zyxel USG 100 firewall that directs traffic bound for 172.18.0.0 via an internal gateway of 10.10.10.50 works perfectly if you run a ping or trace route. When you try to connect with a Citrix Receiver, however, the server cannot be found. Adding a static route directly to the client PC and skipping the Zyxel fixes the issue but is a poor fix with lots of clients.

Setup
Zyxel USG 100 company internet firewall.
Internal IP 10.10.10.1

Cisco 1700 Series EMR Gateway
Internal IP 10.10.10.50

EMR final destination is 172.18.31.245

If I add a static route to route 172.18.0.0 255.255.0.0 traffic to 10.10.10.50 to the Zyxel firewall, it works when testing with pings and trace routes. But when using the Citrix Receiver, which uses HTTPS as its protocol, it never connects.

I have looked and there are no firewall rules that should be interfering in the traffic flow. I don't have access to the EMR network to do any testing, but the only places that have this issue are those with Zyxel USG firewalls.
Dirk Kotte

I think there is a kind of proxy intercepting the traffic. Take a look at the proxy settings on the client.
Also, a transparent proxy is possible with most firewalls.
Try to connect on port 1494 to the Citrix server ...
Use "telnet yourserver.yourdomain 1494"
... you should see "ICAICA...", so the connection is possible and HTTP (proxy) is the problem.
Are IP redirects enabled on the client and Zyxel box?
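
The port 1494 check suggested in the reply above, written as a script that can be run from a client behind the Zyxel and from one with the local static route. This is an added example, not part of the original thread; the function name `probe_ica` and the result labels are assumptions made for illustration.

```python
import socket
import sys

# Hypothetical result labels (not from the thread), with the reading each one
# suggests for the symptom discussed here: ping works, Citrix does not.
MEANING = {
    "ica-banner": "TCP to the ICA port works; look at the HTTP(S)/proxy layer",
    "open-no-banner": "something answered, but it is not speaking ICA",
    "refused": "host reachable, nothing listening on that port",
    "timeout": "TCP handshake never completed although ICMP does; check the route path",
    "unreachable": "no route or name resolution failure on this client",
}

def probe_ica(host, port=1494, timeout=5.0):
    """Connect like `telnet host 1494` and look for the "ICA" banner."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            # The server repeats the banner, so a short read is enough.
            while len(data) < 64 and b"ICA" not in data:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # read timeout or reset: judge on what arrived
    return "ica-banner" if b"ICA" in data else "open-no-banner"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "yourserver.yourdomain"
    result = probe_ica(target)
    print(f"{target}:1494 -> {result}: {MEANING[result]}")
```

A different result from the two clients points at the path through the firewall rather than at the Citrix server.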
skullnobrains

++ Most likely a redirection occurs, which messes up the HTTPS traffic.

If the first connection fails and a subsequent connection works, this is the case.

You can also check using "netstat -rn" or route.

A tracert would be welcome as well.
ASKER CERTIFIED SOLUTION
InvisibleTerror

It would probably be cleaner to prevent the Zyxel from sending route redirections.

ASKER

Troubleshot and found the problem.