Citrix Secure Gateway through ISA
Citrix Secure Gateway through ISA - 4.Mar.2008 4:01:53 AM
ksnook
Posts: 6
Joined: 17.Oct.2007
Status: offline
Does anyone have a guide to publishing the CSG product from Citrix through ISA? We have this set up and we can get as far as the CSG box on the internal network. However, when we click any of the ICA published apps we see an SSL 40 error, which we can resolve by adding a hosts entry, but this doesn't seem a good solution. With that in place, we receive a "There is no Citrix SSL Server configured at the specified address" error. Does anyone have a clue to setting this up? I've trawled the web but there seems to be a massive amount of contradictory information.

KS
RE: Citrix Secure Gateway through ISA - 27.Mar.2008 3:36:50 AM
aavdberg
Posts: 32
Joined: 30.Jul.2004
From: The Netherlands
Status: offline
Did you get it running? We have it running with a machine in the DMZ zone. So maybe I can help you.
_____________________________
Greeting from André van den Berg.
RE: Citrix Secure Gateway through ISA - 27.Mar.2008 5:39:46 AM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Kev, How did you publish CSG? What default gateway is CSG using? What network relationship is ISA using between internal and external? Cheers JJ
< Message edited by Jason Jones -- 27.Mar.2008 9:59:24 AM >
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Citrix Secure Gateway through ISA - 4.Apr.2008 7:23:51 AM
frank_hoof
Posts: 6
Joined: 27.Mar.2008
Status: offline
I am new to ISA, but I am also almost CCEA. I am busy with Secure Gateway and saw it mentioned in the admin guide that I am studying. It is free to download from Citrix: http://support.citrix.com/article/CTX109586 This is the 4.5 standard edition, but similar guides of other versions are available as well. Maybe this helps with setting it all up.
RE: Citrix Secure Gateway through ISA - 29.Apr.2008 9:08:39 AM
ksnook
Posts: 6
Joined: 17.Oct.2007
Status: offline
Key here is to use a server publishing rule. This leads us to another problem in that we can't prevent users from discovering the Citrix Secure Gateway URL and accessing it directly. Without authorisation (which is done SSO in ISA), we will need to set up the CSG (WI) to do authorisation and this is far from desirable. Still working on it...
RE: Citrix Secure Gateway through ISA - 29.Apr.2008 9:22:07 AM
frank_hoof
Posts: 6
Joined: 27.Mar.2008
Status: offline
So you are guiding users through ISA, then CGW and finally the web interface of Citrix? On all the points the user can authenticate him or herself with user-id and/or smartcard. What is the problem with CGW authenticating the user and establishing a secure Citrix connection? It has passed the ISA server, so he or she is allowed to be there. If you want ISA to check credentials, then remove the CGW and configure the Citrix WI to receive the authentication from ISA. We have users connecting with smartcard who get redirected to the CWI directly, and we set an autolaunch for the desktop and have hidden all other applications on the CWI. Users can then only work with the published desktop and no other applications. CWI resides in the DMZ and is allowed to communicate with the farm's STA.
RE: Citrix Secure Gateway through ISA - 29.Apr.2008 12:41:16 PM
ksnook
Posts: 6
Joined: 17.Oct.2007
Status: offline
Yes, you're right but you haven't quite grasped the problem. What we want to do is:

1) Prevent users having to login twice when they come through ISA. If we turn on Passthrough that's what we'll get. There's a desire for SSO across our infrastructure.

2) If a user does come into the CSG directly (don't forget we have a server publishing rule because that's how we get it to work), we want them to be forced to login. I don't believe we can do that with a server publishing rule.

The two requirements so far seem to be mutually exclusive. We could, as you say, forget the CSG but that means (we were told by Citrix) boring lots of holes in our firewalls for our Citrix farm and feasibly lots of rules for access. What we need is a server rule (which satisfies the Citrix requirements) coupled with Authentication (which satisfies the login requirements). Clearly, you would usually set up a Web Publishing rule for this but that doesn't work with CSG (or at least we couldn't get it to work with SSL)