We have the following architecture:
Internet ---> Firewall Juniper ---> DMZ ---> Firewall ASA ---> LAN
In DMZ, Citrix Secure Gateway 3.01 and Citrix WebInterface 4.0 are installed on a Windows 2003 Server.
The Citrix Farm (XenApp 4.5) is in the LAN.
We have a problem when enabling an HTTP Scanning (default configuration) on CSC-SSM 20.
Without HTTP Scanning, the users can authenticate and access the virtualized applications.
With HTTP Scanning enabled, the users can authenticate on the Citrix Secure Gateway but can't access the virtualized applications on Citrix XenApp.
Have you already had such a problem?
You can exclude the DMZ Citrix server talking to internal websites from being scanned by the CSC; that will alleviate the problem.
You can do this by adding a deny line above the permits in the ACL that matches traffic to be scanned by the CSC module.
access-list csc-acl extended deny ip host 192.168.1.10 host 10.10.10.10
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp
Where 192.168.1.10 is the IP address of the Citrix server and 10.10.10.10 is the IP address of the inside web server.
It has happened before.
Depending on the traffic patterns CSC could drop packets. Check if you have any HTTP scanning logs on the CSC that give you more details.
What you can do is to put a deny for traffic that is destined to the Citrix server on the ACL that is used to match traffic that will be inspected by the CSC.
That way the CSC will not scan the traffic going to Citrix and it should work.
I hope it helps.
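Both replies above rely on the same property of the ASA ACL that selects traffic for the CSC-SSM: it is evaluated top-down, the first matching entry wins, and anything that matches no entry is not diverted to the module. The script below is an added example, not code from the thread or from Cisco: it parses `access-list ... extended` lines in the syntax the first reply uses, evaluates a flow against them with first-match semantics, and flags deny entries that sit below an overlapping permit (the mistake that makes the exemption silently ineffective). The Citrix server 192.168.1.10 and inside web server 10.10.10.10 come from the thread; the Internet client 203.0.113.5, the XenApp host 10.10.10.20 and the ICA port 1494 are constructed illustrative values. It models only ACL matching, not the CSC module's own behaviour.

```python
"""First-match evaluator for ASA-style extended ACL lines (added example, not
from the thread). Addresses other than 192.168.1.10 / 10.10.10.10 are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21}


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port
    line: str                       # original text, for reporting


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses real masks, not wildcards)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    # access-list <name> extended <permit|deny> <proto> <src> <dst> [eq <port>]
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport, line.strip())


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def matches(ace: Ace, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ace.src or ipaddress.ip_address(dst_ip) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def first_match(acl: List[Ace], src_ip: str, dst_ip: str, proto: str, dport: int) -> Optional[Ace]:
    """Top-down, first match wins; None models the implicit deny at the end."""
    for ace in acl:
        if matches(ace, src_ip, dst_ip, proto, dport):
            return ace
    return None


def is_scanned(acl: List[Ace], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """A flow is diverted to the CSC only if its first matching entry is a permit."""
    ace = first_match(acl, src_ip, dst_ip, proto, dport)
    return ace is not None and ace.action == "permit"


def shadowed_denies(acl: List[Ace]) -> List[Ace]:
    """Deny entries placed below a permit that overlaps them: flows in the overlap
    hit the permit first, so the exemption never takes effect for them."""
    out = []
    for i, ace in enumerate(acl):
        if ace.action != "deny":
            continue
        for earlier in acl[:i]:
            proto_ok = "ip" in (earlier.proto, ace.proto) or earlier.proto == ace.proto
            port_ok = earlier.dport is None or ace.dport is None or earlier.dport == ace.dport
            if (earlier.action == "permit" and proto_ok and port_ok
                    and earlier.src.overlaps(ace.src) and earlier.dst.overlaps(ace.dst)):
                out.append(ace)
                break
    return out


# The ACL from the first reply: deny above the permits (correct ordering).
CORRECT_ACL = """
access-list csc-acl extended deny ip host 192.168.1.10 host 10.10.10.10
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp
"""

# Same entries with the deny appended last, as happens when it is added afterwards.
WRONG_ACL = "\n".join(CORRECT_ACL.strip().splitlines()[1:] + [CORRECT_ACL.strip().splitlines()[0]])

if __name__ == "__main__":
    for name, text in (("correct", CORRECT_ACL), ("wrong", WRONG_ACL)):
        acl = parse_acl(text)
        print(name, "Citrix->inside web :80 scanned:", is_scanned(acl, "192.168.1.10", "10.10.10.10", "tcp", 80))
        print(name, "Citrix->XenApp :1494 scanned:", is_scanned(acl, "192.168.1.10", "10.10.10.20", "tcp", 1494))
        for ace in shadowed_denies(acl):
            print(name, "shadowed:", ace.line)
```

Run it after editing the ACL to confirm the flow you meant to exempt now falls through to the deny; on the box itself the equivalent check is `packet-tracer` against the CSC match ACL, and the `show access-list csc-acl` hit counters will show whether the deny line is ever reached.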