Clientless SSL variables - macro substitution

Aug 26th, 2010

I'm using ASA5510/8.2

I am trying to allow users to only have to enter a single username/password at VPN login.

Then pass this through to a Citrix XenApp server. I have configured a bookmark and linked to the connection profile and this works, but then Citrix login still comes up no matter how I configure the POST parameters.

Has anyone got this working? I know that it is possible but I must be missing something.

I've included a screenshot of the POST parameter.

Many Thanks


Somerset2 Tue, 08/31/2010 - 01:01

Has anyone had any experience of trying to make SSO work using POST parameters?

We are using Citrix Xenapp Desktop.



tgrundbacher Wed, 09/01/2010 - 01:47

Hi Sam & Jonathan

I'm having the same troubles as you have (using ASA 8.2(2)). I first tried to use the Citrix plug-in, yet it didn't work.

Then I decided to use an http link pointing directly to the Citrix server and do SSO, that didn't work out either (I always landed on the Citrix login page and it didn't want to SSO me - it didn't even mention that I've entered the wrong credentials).

Now I've got it to work with the post plug-in which is downloadable from the Cisco website at the ASA section. YET IT ONLY WORKS WITH FIREFOX! IE currently doesn't work with the very same link. Here's the link that only works with Firefox:


Smart tunnel is disabled (greyed out) and the URL method is a default 'Get'.

If anybody has an idea what needs to be done to get it working with IE, I'd appreciate it very much.



Somerset2 Wed, 09/01/2010 - 03:15

I'm going to try that with Firefox now.

I have managed to get TAC involved today so I will let you know on the IE front.

Only thing with the POST that I downloaded from Cisco is that it always says post plugin not found when I access the SSL VPN.

I downloaded the Post and imported it using asdm. Is that all that I had to do?


tgrundbacher Wed, 09/01/2010 - 05:21

Hi Sam

Yes, that's basically all you have to do with the post plug-in: importing it. The rest is just referencing it with the bookmarks using ASDM. Other than that, has clientless VPN been working for you? Which ASA version are you using?


Somerset2 Wed, 09/01/2010 - 05:27

I tried the link as per yours below but that did not work.

It just goes straight to the login again of Citrix.

At least the POST does actually work in Firefox.

Did you put the Post:// all on one line in the bookmark with no breaks?

Yes it is working fine once you actually get logged in.

The logging in process does seem to loop and this causes slowness but I'm hoping Cisco can fix this.

I have a Tac call raised so I will let you know how I get on.


tgrundbacher Wed, 09/01/2010 - 05:51

Hi Jonathan

In ASDM, paste the link without actually writing post:// in front of it; just select post:// from the preceding drop-down list. It has to be all in that single line without spaces.

For me it works with SSO in Firefox w/out having to manually enter a username/password a second time. With IE, I still have to log in a second time.

And yes, please keep me updated with the results from TAC!



Somerset2 Thu, 09/02/2010 - 06:24


TAC has taken a look at the HTTP capture and said that we are not using HTTP POST forms on the Citrix environment.

Have you enabled this also? If so where is it?


tgrundbacher Thu, 09/02/2010 - 06:50

Uhmm...I don't know what I should answer you. I haven't saved my sniff (I used HTTP Debugger Pro trial) and don't have access to the customer infrastructure right now.

All I can say is, with my link provided, using the post plugin, it works when using Firefox. With the http link method documented here, it doesn't work. (Maybe the behaviour changed from "Metaframe", which used to be a previous Citrix version, to the current one, I don't know.) I'm not an application guy...



tgrundbacher Tue, 09/07/2010 - 00:34

Hi Jonathan

Have you already got a solution from TAC? Is there really no solution available from someone else? I can't believe that such an important application (Citrix) that has been on the market for so long doesn't work properly through ASA WebVPN...

Or have you tried with the ICA plug-in?



Somerset2 Tue, 09/07/2010 - 01:14

As we are unable to make changes to the live Citrix environment, we are going to make some Citrix changes next Tuesday and a TAC engineer is going to do some work at our end too.

I will let you know how we get on with all aspects.


