Welcome to ISAserver.org


Can't launch applications using Citrix Web Interface over SSL!!

Can't launch applications using Citrix Web Interface ov... - 21.Oct.2007 12:22:02 PM   
matt.jones
I have an ISA 2006 box located on the corporate LAN running Enterprise Edition. I have an Enterprise rule set up to allow HTTP, HTTPS and FTP. Users are able to hit http://.... and https://.... websites with no problems. However, we host a Citrix platform that is located at another site, that requires that users on the LAN hit https://citrixsite.com to access the Citrix Web Interface. This is fine and you can reach the Web Interface and be presented with applications. When a user clicks on an application, they receive "There is no Citrix SSL Server at the specified address".

I have performed log monitoring whilst hitting the website and then launching apps. What you see is the website request being sent to the Web Proxy as an 'SSL-Tunnel' on port 443, but when users launch apps the request is sent to the Firewall service as HTTPS. When the user launches an app they're sent an ICA launch file from the Web Interface with details of the Citrix Secure Gateway server that they need to connect to, in this case it's the address that's being denied.

I found that when I installed the FW client on the users' machines the apps launched fine.

Can somebody explain what's going on under the hood and whether there's another way around permitting HTTPS to that site, without having to install the FW client on all machines?

Thanks in advance

_____________________________

Matthew Jones
MCSA/MCSE:M+S/VCP/CCA/CCNA
Post #: 1
RE: Can't launch applications using Citrix Web Interfac... - 22.Oct.2007 5:13:03 AM   
Jason Jones
Hi Matt,

When using WI and CSG behind ISA, you need two publishing rules. You can use web publishing for WI, but need to use Server Publishing for CSG. This is because CSG is essentially an application proxy in itself and needs to be able to see the original traffic in direct HTTPS format.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to matt.jones)
Post #: 2
RE: Can't launch applications using Citrix Web Interfac... - 22.Oct.2007 7:26:10 AM   
matt.jones
Hi Jason,

It's the other way around. I basically have two separate locations, with each location hosting a Citrix PS Farm. Location one has Citrix behind ISA Server 2006 - WI and CSG in the DMZ and the Citrix PS Farm on the internal network - and the rules have been configured exactly like you say and have been working fine for some time now. Location two has Citrix behind a PIX 515e, again WI and CSG in the DMZ and the Citrix Farm on the internal network.

All works fine from the outside and users can launch apps with no problems. The problem exists at location one, where our corporate LAN includes the ISA Server. If we try to launch apps from the Citrix Farm/WI/CSG servers at location two, we get the SSL errors. ISA Server is denying users in location one access to apps in location two, showing that HTTPS is being denied by the Ent Default rule. When users hit the WI it shows as SSL-Tunnel traffic being allowed as forward web proxy requests. When a user hits an app, it shows as HTTPS by the firewall service. As I said, as soon as I install the FW client on the users' machines in location one, HTTPS is permitted and apps launch.

Thanks

(in reply to Jason Jones)
Post #: 3
RE: Can't launch applications using Citrix Web Interfac... - 22.Oct.2007 6:33:01 PM   
Jason Jones
Ah right, I understand now!

This sounds similar to accessing an Internet based Citrix service whereby a service provider is hosting applications using Citrix. A good example of this in the UK is used by a company called Housing Corp Online.

From working with clients who have ISA Server as outbound proxies who need to access the above service, the only way to allow access was to use the Firewall client. I know this isn't exactly like your scenario, but the concept is very similar.

I think the key is that Citrix is using HTTPS in a non-RFC way and hence it cannot be proxied by the Web Proxy service and has to be handled by the Firewall service. Hence the need for the firewall client. I think this is exactly why it is necessary to server publish CSG when using ISA inbound and why you cannot web publish it.

Is there any specific problem with using the firewall client?

Have you considered using a specific access rule from location1 to location2 and defining a custom protocol for this rule? This may be a possible solution if your clients are SecureNAT clients...

Thanks

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to matt.jones)
Post #: 4
RE: Can't launch applications using Citrix Web Interfac... - 23.Oct.2007 7:06:43 AM   
apatel4000
Hi guys.
 
Glad I stumbled across your post. I am having a very similar problem with accessing a Citrix published app at the client site through our ISA 2004 server. However my problem seems to be that even if the FW client is installed on the client machine, I am still unable to access the app. If I bypass the ISA server I can launch the app without any problems.

My client hosts a website which requires login credentials, following which users are then permitted to launch the Citrix app - hence the site is using HTTPS/SSL on 443. I've tried creating a test rule to allow all 'Internal' traffic out to 'External' on all protocols, however this does not seem to have resolved the problem.

I'm kind of stuck on this now, however I have another ISA server which allows traffic through and works without any problems. I am running ISA 2004 server standard which hosts two NICs - 1 x DMZ and 1 x LAN. The DMZ sits on a Cisco 515E. If I point the client machine directly to the Cisco PIX (hence bypassing the ISA) I can launch the application without any problems.

Any help would be appreciated.

(in reply to Jason Jones)
Post #: 5
RE: Can't launch applications using Citrix Web Interfac... - 23.Oct.2007 3:55:04 PM   
matt.jones
First off.....Jason, thanks for getting back to me. That's exactly what I meant, so I think you're spot on and that's exactly what we're doing, hosting applications via Citrix.

Using the FW client isn't a problem and in fact I'm looking at deploying it to all desktops on the corporate LAN as I've found users exhibiting problems not only with the ICA client but with FTP uploads and various other things. I came to the assumption that the ICA client software is making the connection and therefore cannot authenticate directly to the web proxy, so when combined with the FW client, the ICA client being a winsock application, the app and the user can be authenticated and connect.

Secondly, for connections to a Citrix site via the Web Interface, what port is the ICA Client attempting to connect to in order to launch apps? We have different configurations and use Citrix Secure Gateway, is that what you're using? For example, we have configured some of our WI servers to send the launch.ica file to the remote Citrix client with the address of the CSG server as csg.company1.com:443. This informs the ICA client to connect to the Secure Gateway on port 443. On the other hand we have another setup that sends a different port in the launch.ica file as csg.company2.com:444, thus telling the ICA client to connect on port 444.

I've found that proxies don't recognise 444 as regular HTTPS or SSL-Tunnel traffic as it's an SSL Tunnel range that isn't configured out of the box. What I have done is installed the ISA Tunnel Port Editor from http://www.isatools.org and created another tunnel port range as 444 and named it Citrix Ports. Outbound connections to port 444 from the ICA Clients behind the proxy are now recognised as SSL Tunnel traffic and apps launch.

If you're unsure of the port that the ICA client is attempting to connect to, ensure that the web browser is set to Do not save encrypted pages to disk, launch an app and when the launch.ica file appears save it and then open it with notepad. Scroll down the page until you find SSLProxyHost=, and the address of the CSG server along with the port should be shown.

Let me know how you get on.

Matt

(in reply to apatel4000)
Post #: 6
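As an added example, not taken from the thread or from any Citrix or ISA tooling, the following Python script does the check Matt describes by hand: it parses a launch.ica, pulls the SSLProxyHost of every SSL-enabled application and reports whether the gateway port lies inside the proxy's SSL tunnel port ranges. The sample file is constructed, and the out-of-the-box ranges are assumed to be the ISA defaults of 443 and 563.

```python
# Constructed sample launch.ica using the fields shown in this thread; the real
# file also carries session credentials, which are left out here.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;10;STA01;0123456789ABCDEF
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=csg.company2.com:444
"""

# ISA Server's out-of-the-box SSL tunnel port ranges (assumed default: 443 and 563).
DEFAULT_TUNNEL_RANGES = [(443, 443), (563, 563)]

def parse_ica(text):
    """INI-style parse into {section: {key: value}}; values may contain ';'
    (the Address field does), so no inline-comment stripping is applied."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def gateway_targets(ica):
    """[(app, host, port)] for each SSL-enabled app; a missing port means 443."""
    targets = []
    for app in ica.get("ApplicationServers", {}):
        section = ica.get(app, {})
        if section.get("SSLEnable", "Off").lower() != "on":
            continue
        host, _, port = section.get("SSLProxyHost", "").partition(":")
        targets.append((app, host, int(port) if port else 443))
    return targets

def in_tunnel_ranges(port, ranges=DEFAULT_TUNNEL_RANGES):
    """True if the web proxy treats a CONNECT to this port as SSL-Tunnel."""
    return any(lo <= port <= hi for lo, hi in ranges)

def check(text, ranges=DEFAULT_TUNNEL_RANGES):
    """Map each app to whether its CSG port is a permitted tunnel port."""
    return {app: in_tunnel_ranges(port, ranges)
            for app, _host, port in gateway_targets(parse_ica(text))}
```

Passing the extended range list (`DEFAULT_TUNNEL_RANGES + [(444, 444)]`) models the extra "Citrix Ports" range added with the Tunnel Port Editor.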
RE: Can't launch applications using Citrix Web Interfac... - 24.Oct.2007 9:15:26 AM   
apatel4000
Hi matt.
 
Many thanks for getting back to me. When connecting via the proxy to the remote Citrix server (with or without the FW client) the ICA connection will launch and then halt on "connection in progress", to then finally report "There is no Citrix SSL server configured at the specified address".
 
ISA monitor logs report:
 
The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (Error Code: 12209)
 
The above rule has been relaxed to allow all protocols and is placed at the top of the priority list. 
 
Through a number of other suggestions, I have already disabled the "Do not save encrypted files" option in IE. I do however still get prompted to save the file (IE7). I opened the contents of the ICA file to find the following. The port connection seems to be the standard 443. This is the contents of the ICA file:-
 
[WFClient]
Version=2
ClientName=etelmar-UK_AH002
TransportReconnectEnabled=Off
RemoveICAFile=no

[ApplicationServers]
PRD_TNTPlus07=

[PRD_TNTPlus07]
Address=;10;STA01;6C671FD7D7076CF8662833109DC2E6F0
InitialProgram=#PRD_TNTPlus07
LongCommandLine=
DesiredColor=4
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
AutoLogonAllowed=On
Username=UK_AH002
Domain=\841570D6408DF5A4
ClearPassword=2971775AC6AA80
ScreenPercent=95
EnableIPCSessionControl=TRUE
SSLEnable=On
SSLProxyHost=et210.etelmar.net:443
BrowserProtocol=HTTPonTCP
HTTPBrowserAddress=!
SSLCiphers=all
SecureChannelProtocol=Detect

[EncRC5-0]
DriverNameWin32=pdc0n.dll

[EncRC5-40]
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin32=pdc56n.dll

[EncRC5-128]
DriverNameWin32=pdc128n.dll

There doesn't appear to be anything out of the ordinary with this file. There is something with respect to the SSL/HTTPS but I can't place my finger on it.

(in reply to matt.jones)
Post #: 7
RE: Can't launch applications using Citrix Web Interfac... - 24.Oct.2007 12:38:29 PM   
matt.jones
Is the ISA Server a member of the domain or is it a standalone box?

(in reply to apatel4000)
Post #: 8
RE: Can't launch applications using Citrix Web Interfac... - 25.Oct.2007 10:38:38 AM   
apatel4000
Hi matt.
 
Yes, the server is within a domain. The machine has two NICs - one external, and one internal.

(in reply to matt.jones)
Post #: 9
RE: Can't launch applications using Citrix Web Interfac... - 25.Oct.2007 4:03:39 PM   
matt.jones
Mmmm...seems strange to ask to authenticate if your clients behind the firewall are using the FW client.....I take it they're members of the domain? What are the browser settings? Are the clients configured as web proxy clients too? The other thing to ask about is the rules that you have configured...any chance of listing the rules that you've configured to allow access to external Citrix apps?

As for the IE7/launch.ica save file issue, you can tweak the internet settings for computers with IE7 in Group Policy.

Also, have you tried using a machine with IE6 and not IE7?

(in reply to apatel4000)
Post #: 10
RE: Can't launch applications using Citrix Web Interfac... - 26.Oct.2007 4:06:31 AM   
apatel4000
Strange thing is though, I don't think it's the authentication issue that's causing the problem, i.e. I receive this same message on another proxy server (within the ISA logs) and it still lets me bypass and connect to the remote ICA session:-

The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (Error Code: 12209)

Even when using the FW client, I wouldn't expect there to be any interaction with the WP service...? I placed an exception rule for myself with the highest priority within ISA server allowing myself access to all protocols both inbound and outbound. Again no go!

With regards to IE, all my TS users are tied to GPO, therefore adjusting the encrypted file setting shouldn't be an issue, and all machines accessing this particular proxy will be domain members. In terms of testing I have used the PAC file for browser settings - setting auto config via the FW client as well as pointing the browser to the proxy and specifying the port manually.

I have tried on another XP machine accessing the Citrix app via IE6 and Firefox, however through the same proxy, I get the same problem.

If my ISA server rules are completely relaxed (for me!), I would have presumed that this would still work, considering that if I point my machine directly to the firewall that sits externally to the proxy, there are no problems with connecting. I am stuck at a dead end now and will probably have to resort to MS for support.
 
My Rules are as follows in order of priority:-
 
Rule: / Action / Protocols / From / To
 
1) Untrusted Sites: Adult Content   (this rule was also disabled to test)
 
2) Block BBC Streaming Content: BBC News (this rule was also disabled to test)
 
3) SSH Out: / Allow / SSH / External

4) Allow DMZ -> LAN:  Numerous protocols - CIFS, TCP, UDP, Netbios, Ping
 
5) Allows ISA - DMZ:  All outbound 
 
6) Local host unrestricted out.
 
7) Unrestricted Internet access for Internal users - Applies to a specific AD group.
 
8) Restricted Web access only - Barred users - Applies to a specific AD group
 
9) VPN clients to Internal Network - VPN client network set.

(in reply to matt.jones)
Post #: 11
RE: Can't launch applications using Citrix Web Interfac... - 27.Oct.2007 12:45:22 PM   
matt.jones
Tricky one this! Have you tried removing the AD groups, adding the all users group and then configuring a machine as a Secure NAT client? Probably not what you want to do in the long run, but at least you can nail down if it's definitely the Web Proxy/Authentication causing the problem.

Another suggestion is to remove the tick from the Web Proxy filter box within the HTTP/HTTPS protocol section of the rule.

Can you also tell me exactly what the SSL error message is that the clients are getting, including error numbers etc.?

Cheers

(in reply to apatel4000)
Post #: 12
RE: Can't launch applications using Citrix Web Interfac... - 29.Oct.2007 7:34:50 AM   
apatel4000
It is. I've now logged a call with Microsoft to see how they can help. I've tried setting up a client as Secure NAT, but it also seems strange how with the firewall client I'm still not able to get out. The issue that I have also is that I may have to install the FW client on the Terminal servers and all users will need access to this.

I will await feedback from MS and update you as soon as I have some findings. Thanks for all the help and suggestions so far.

(in reply to matt.jones)
Post #: 13
RE: Can't launch applications using Citrix Web Interfac... - 9.Nov.2007 1:01:47 PM   
apatel4000
Hi Matt
 
Just to keep you posted, I escalated the issue to Microsoft and they have not managed to resolve my issue and have not tried anything that I haven't already.

However, through my own means, I downgraded the Firewall client from 2004 to 2000 and it works! The problem being, though, that I can get the 2004 FW client to work with other proxy servers, therefore it's an issue with the firewall client settings on the proxy...(???).

I have run further net mon traces and sent them to Microsoft. A bit bizarre.

(in reply to matt.jones)
Post #: 14
