SSL WebVPN Citrix ICA rewrite

Aug 20th, 2010

Any folks out there using Citrix with WebVPN? I'm having a problem with what seems to be an ICA file rewrite. If an ICA file is sent to the client from the presentation server, all works just fine. If one of the apps we have writes the ICA file (which is dynamic), I cannot connect to the application and have to smart tunnel the Citrix client to get this to work. Anyone seen this type of behavior? I cannot seem to find any documentation about ASA and Citrix working together.



Rahul Govindan Fri, 08/20/2010 - 07:44

Hi Max,

What is the SSL error that you are getting when trying to launch the application without smart tunnel? The ASA just re-writes to the address (sslproxyhost), sslenable and ssl parameters in the ICA file. Also, the version of ASA would be helpful.

max.pierson Fri, 08/20/2010 - 07:50

Sorry, I should have included the basics....

ASA 5520 8.3.(2)

We had the same results on 8.2.(2). I'm not really getting an error, but the ICA client just says it can't on :1494

Rahul Govindan Fri, 08/20/2010 - 07:57

Could you just check that particular ICA file and check the address entry, and compare it with the ones which do work? If the end client is connecting to the SSL page and then to the Citrix server, they shouldn't be directly connecting to port 1494 but rather to port 443 of the ASA's outside FQDN.

max.pierson Fri, 08/20/2010 - 08:25

I think I see the issue. As stated before, if coming from the presentation server of a published app, the ICA has the address as a long hash and below that it has


On the ICA file that does not come from the presentation server, it has :1494 in the address field and does not have the SSL Proxy and SSL Enable in the file.

Thanks again,
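
The comparison worked through in this thread (working versus failing ICA file) can be scripted. The following is an added example, not part of the original posts and not Cisco or Citrix code; the application name, host names and address values are constructed, and only the Address, SSLEnable and SSLProxyHost keys discussed above are checked.

```python
import configparser

# Constructed samples: app name, host names and address values are made up.
REWRITTEN_ICA = """\
[ApplicationServers]
Payroll=

[Payroll]
Address=3F9A1C0E7B2D4A6F8E1B5C7D9A0B2C4E
SSLEnable=On
SSLProxyHost=vpn.example.com:443
"""

DIRECT_ICA = """\
[ApplicationServers]
Payroll=

[Payroll]
Address=10.0.0.25:1494
"""

def audit_ica(text):
    """Map each published app in an ICA file to a list of findings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep app names as written; section names are case-sensitive
    cp.read_string(text)
    report = {}
    apps = cp["ApplicationServers"] if cp.has_section("ApplicationServers") else {}
    for app in apps:
        if not cp.has_section(app):
            report[app] = ["no [%s] section" % app]
            continue
        # ICA key names are matched case-insensitively here
        fields = {k.lower(): v.strip() for k, v in cp[app].items()}
        findings = []
        address = fields.get("address", "")
        if ":" in address and address.rsplit(":", 1)[1] == "1494":
            findings.append("Address targets ICA port 1494 directly: " + address)
        if fields.get("sslenable", "").lower() != "on":
            findings.append("SSLEnable is not On")
        if not fields.get("sslproxyhost"):
            findings.append("SSLProxyHost is missing")
        report[app] = findings
    return report

if __name__ == "__main__":
    for name, text in (("rewritten", REWRITTEN_ICA), ("direct", DIRECT_ICA)):
        print(name, audit_ica(text))
```

An empty findings list means the file carries the SSL proxy settings a clientless WebVPN session relies on; any finding points at a file the generating application wrote without them.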


