Clientless SSL variables - macro substitution

Unanswered Question
Aug 26th, 2010
User Badges:

I'm using ASA5510/8.2


I am trying to allow users to only have to enter a single username/password at VPN login.

Then pass this through to a Citrix xenapp server. I have configured a bookmark and linked to the connection profile and this works but

then Citrix login still comes up no matter how I configure the POST parameters.


Has anyone got this working? I know that it is possible but I must be missing something.

I've included a screenshot of the POST parameter.


Many Thanks

Sam

Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Somerset2 Tue, 08/31/2010 - 01:01
User Badges:

Has anyone had any experience of trying to make SSO work using POST parameters?

We are using Citrix Xenapp Desktop.


Thanks

Sam

tgrundbacher Wed, 09/01/2010 - 01:47
User Badges:

Hi Sam & Jonathan


I'm having the same troubles as you have (using ASA 8.2(2)). I first tried to use the Citrix plug-in, yet it didn't work.


Then I decided to use an http link pointing directly to the Citrix server and do SSO, that didn't work out either (I always landed on the Citrix login page and it didn't want to SSO me - it didn't even mention that I've entered the wrong credentials).


Now I've got it to work with the post plug-in which is downloadable from the Cisco website at the ASA section. YET IT ONLY WORKS WITH FIREFOX! IE currently doesn't work with the very same link. Here's the link that only works with Firefox:


post:///Citrix/AccessPlatform/auth/login.aspx?LoginType=Explicit&user=CSCO_WEBVPN_USERNAME&password=CSCO_WEBVPN_PASSWORD&csco_preload=http:///Citrix/AccessPlatform/auth/login.aspx&csco_ispopup=yes&csco_frame=yes


Smart tunnel is disabled (greyed out) and the URL method is a default 'Get'.


If anybody has an idea what needs to be done to get it working with IE, I'd appreciate it very much.


Regards

Toni

Somerset2 Wed, 09/01/2010 - 03:15
User Badges:

I'm going to try that with Firefox now.

I have managed to get TAC involved today so I will let you know on the IE front.


Only thing with the POST that  I downloaded from Cisco is that it always says post plugin not found when I access

the ssl vpn.

I downloaded the Post and imported it using asdm. Is that all that I had to do?


Sam

tgrundbacher Wed, 09/01/2010 - 05:21
User Badges:

Hi Sam


Yes, that's basically all you have to do with the post plug-in: importing it. The rest is just referencing it with the bookmarks using ASDM. Other than that, has clientless VPN been working for you? Which ASA version are you using?


Toni

Somerset2 Wed, 09/01/2010 - 05:27
User Badges:

I tried the link as per yours below but that did not work.

I just goes straight to the log in again of citrix.

At least the POST does actually work in Firefox


Did you put the Post:// all on one line in the bookmark with no breaks?

Yes it is working fine once you actually get logged in.

The logging in process does seem to loop and this causes slowness but I'm hoping

Cisco can fix this.


I have a Tac call raised so I will let you know how I get on.


Sam

tgrundbacher Wed, 09/01/2010 - 05:51
User Badges:

Hi Jonathan


In ASDM, paste the link without actually writing post:// in front of it; just select post:// from the preceding drop-down list. It has to be all in that single line without spaces.


For me it works with SSO in Firefox w/out having to manually enter a username/password a second time. With IE, I still have to log in a second time.


And yes, please keep me updated with the results from TAC!


Thanks

Toni

Somerset2 Thu, 09/02/2010 - 06:24
User Badges:

Toni,

TAC has taken a look at the HTTP capture and said that we are not using http POST forms on the citrix environement.

Have you enabled this also? If so where is it?


Sam

tgrundbacher Thu, 09/02/2010 - 06:50
User Badges:

Uhmm...I don't know what I should answer you. I haven't saved my sniff (I used HTTP Debugger Pro trial) and don't have access to the customer infrastructure right now.


All I can say is, with my link provided, using the post plugin, it works when using Firefox. With the http link method documented here https://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1164893, it doesn't work. (Maybe the behaviour changed from "Metaframe", which used to be a previous Citrix version, to the current one, I don't know.) I'm not an application guy...


Regards

Toni

tgrundbacher Tue, 09/07/2010 - 00:34
User Badges:

Hi Jonathan


Have you already got a solution from TAC? Is there really no solution available from someone else? I can't believe that such an important application (Citrix) that has been on the market for so long doesn't work properly through ASA WebVPN...


Or have you tried with the ICA plug-in?


Regards

Toni

Somerset2 Tue, 09/07/2010 - 01:14
User Badges:

As we are unable to make changes to the live Citrix environment we are going to make some Citrix changes next Tuesday

and a tac engineer is going to do some work at our end too.


I will let you know how we get on with all aspects.


Sam

Actions

This Discussion