ACE, SSL offload and Citrix Secure Gateway

Unanswered Question
Mar 25th, 2009

I need to config my ACE to do both SSL offload and load balancing for a pair of Citrix Secure Gateways.


The issue I'm running into is that I'm able to get the CSG website to load properly with SSL offload; however, when the client starts a Citrix session, the certificate transfer fails, and I'm unable to launch the Citrix session.

Gilles Dufour Thu, 03/26/2009 - 01:18
User Badges: Cisco Employee

I do not know the application.

Are you doing client authentication on the CSS?

Does it fail because the CSS rejects the client certificate?


Is the certificate to be sent to the Citrix server?


I would suggest capturing traces with and without the CSS so we can compare.


Gilles

ross.bagurdes Thu, 03/26/2009 - 07:53

I'm not using the CSS.


I'm using the Cisco Application Control Engine (ACE), version 3.0(0)A1(6.3b).


CSG = Citrix Secure Gateway.


After a user logs into the website (the ACE isn't dealing with client auth; this is the job of the CSG server) and attempts to launch a Citrix session, the Citrix client errors out, giving a cert error or a Citrix server unavailable error.


I believe the CSG is passing a new certificate to the Citrix client (new meaning a different cert than is used to load the website), but the ACE is confusing the Citrix client somehow.


The captures I've done show a 'TCP Checksum Incorrect' right after the "Change Cipher Spec" and "Encrypted Handshake Message".

tbundtzen Mon, 07/20/2009 - 12:39

Did you find a resolution on this? I am having the same issue with CSG servers.

ross.bagurdes Wed, 07/22/2009 - 13:22

No.


The solution is to leave the cert on the CSGs and not do SSL offload, as far as I can see.
