Astaro User Bulletin Board
#1
Old 06-09-2009, 07:40 AM
Member
 
Join Date: Jul 2008
Posts: 60
SSL VPN with Citrix SSLVPN solution

Hi,

in our branch office we're using a Citrix SSLVPN solution named Citrix Access Gateway. We're using this to administer the systems there. It's working fine when I connect to it through a direct internet connection like ISDN, DSL or GSM.
But if I want to connect through the Astaro web proxy, i.e. from our internal network through the proxy via HTTPS tunneling, it doesn't work. The first steps, like connecting to the authentication website, authenticating and so on, work, but the last step fails. It seems that a request or something else is blocked or runs into a timeout.
Is there a possibility to debug the network traffic more deeply on the Astaro? Because in the available logs I can't find a possible reason.

Cu
Thomas
__________________
--------------------------------
2xASG 220 HA Cluster mode, V7.x,
SMTP Proxy, Webproxy, Mail-Spam/virus/encryption enabled.
#2
Old 06-09-2009, 12:33 PM
BAlfson
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 4,953

Connecting to Citrix servers behind a site-to-site VPN is one of the few places we've used the transparent mode skiplist.

If that can't solve your problem, please show relevant lines from the 'Content Filter (HTTP)' log.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
#3
Old 06-10-2009, 07:29 AM
Member
 
Join Date: Jul 2008
Posts: 60
SSL-VPN with Citrix

Hi Bob,

below are the logs from the HTTP content filter log.

As it seems, there is no difference with or without the transparent mode skiplist entry.

https://ber******X/ is the host or DNS host entry in the skiplist; the interface was set to Any.



With transparent mode skiplist entry

09:06:10-07:43:32 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1419" time="629 ms" request="0xc7237b0" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:47:39 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="9064" time="65664 ms" request="0xc78f678" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:50:23 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1056" time="526 ms" request="0xc78f678" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:50:26 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="267" time="365 ms" request="0xc6b0448" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:51:31 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1656" time="65273 ms" request="0xc6b0448" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:51:49 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1099240" time="18316 ms" request="0x8097808" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:52:01 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="21483" time="95798 ms" request="0xc78f678" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:52:44 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1419" time="588 ms" request="0xc78f678" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:55:15 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="8243" time="65321 ms" request="0xc6b0448" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"


Without transparent mode skiplist entry:

2009:06:10-08:01:27 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1098455" time="16522 ms" request="0x8942290" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-08:01:28 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1752" time="63024 ms" request="0xa255ec8" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-08:01:48 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="22497" time="84100 ms" request="0xc64c0e0" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-08:02:31 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.xx.xx.***" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1419" time="1646 ms" request="0x80fc760" url="https://ber******X/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"

CU
Thomas
__________________
--------------------------------
2xASG 220 HA Cluster mode, V7.x,
SMTP Proxy, Webproxy, Mail-Spam/virus/encryption enabled.
#4
Old 06-10-2009, 04:26 PM
BAlfson
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 4,953

OK, I see the 'Transparent mode skiplist' doesn't apply because you have authentication, and therefore your users' browsers are all pointing at port 8080 directly.

It appears that there's a timeout since packets are taking a minute or longer. Try creating an Exception with all boxes selected for the Citrix servers. If that doesn't work, then maybe there's a port that needs to be allowed; is anything blocked in the packet filter log?

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
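As an added example (not from the thread or from Astaro), a small Python parser for the httpproxy "http access" log format quoted above. It flags CONNECT records whose time field is at or above a threshold, which is the pattern Bob reads as a timeout: the proxy only sees the CONNECT tunnel, so a run of passed, status 200 tunnels that each stayed open for 60 to 95 seconds points at an idle or connection timeout rather than at filtering. The sample lines are constructed; the host and source IP are placeholders, not the poster's values.

```python
import re

# Constructed sample lines in the Astaro httpproxy "http access" format quoted
# in this thread; the url host and srcip are placeholders, not the poster's values.
SAMPLE_LOG = """\
2009:06:10-07:43:32 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.10" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1419" time="629 ms" request="0xc7237b0" url="https://gateway.example/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:47:39 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.10" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="9064" time="65664 ms" request="0xc78f678" url="https://gateway.example/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:51:31 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.10" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="1656" time="65273 ms" request="0xc6b0448" url="https://gateway.example/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
2009:06:10-07:52:01 FW2-1 httpproxy[28284]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.10" user="username" statuscode="200" cached="0" profile="REF_DtQBrRCaKT" filteraction="REF_lsLZaVpoJV )" size="21483" time="95798 ms" request="0xc78f678" url="https://gateway.example/" exceptions="" error="" category="140,178" categoryname="Personal Pages,Internet Services"
"""

# Header: timestamp, hostname, process[pid], then key="value" pairs.
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # values may contain spaces, e.g. filteraction

def parse_line(line):
    """Return header fields plus every key="value" pair, or None if the line
    is not an httpproxy access record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop('kv')))
    return rec

def duration_ms(rec):
    # time is logged as '<n> ms'; a missing or malformed field counts as 0
    parts = rec.get('time', '').split()
    return int(parts[0]) if parts and parts[0].isdigit() else 0

def slow_connects(log_text, threshold_ms=60000):
    """CONNECT tunnels that stayed open at least threshold_ms, as
    (timestamp, request handle, url, milliseconds) tuples. Passed, status 200
    records that still run a minute or longer suggest a timeout, not a block."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get('method') == 'CONNECT' and duration_ms(rec) >= threshold_ms:
            hits.append((rec['ts'], rec['request'], rec['url'], duration_ms(rec)))
    return hits

if __name__ == '__main__':
    for ts, req, url, ms in slow_connects(SAMPLE_LOG):
        print(f"{ts} {req} {url} tunnel open {ms / 1000:.1f} s")
```

Pointing it at a real export of the 'Content Filter (HTTP)' log and lowering the threshold shows whether the slow tunnels cluster on one destination, which is the case the exception and packet filter checks in this thread are meant to narrow down.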
#5
Old 06-15-2009, 09:54 AM
Member
 
Join Date: Jul 2008
Posts: 60

Hi Bob,

Thanks for the suggestions. But after applying all exceptions and with the transparent mode skiplist there is no effect.
In the packet filter log there is no entry belonging to this traffic, and in the HTTP filter log there are the same entries as before, even though the list of exceptions is now longer, like exceptions="av,auth,content,url,certcheck,certdate,mime".

I think I'll have to contact Citrix for a possible reason.

CU
__________________
--------------------------------
2xASG 220 HA Cluster mode, V7.x,
SMTP Proxy, Webproxy, Mail-Spam/virus/encryption enabled.
These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality do not constitute a commitment of Astaro to integrate this functionality into future releases.