Cisco Support Community

New Member

ACE, SSL offload and Citrix Secure Gateway

I need to configure my ACE to do both SSL offload and load balancing for a pair of Citrix Secure Gateways.

The issue I'm running into is that I'm able to get the CSG website to load properly with SSL offload; however, when the client starts a Citrix session, the certificate transfer fails, and I'm unable to launch the Citrix session.

5 REPLIES
Cisco Employee

Re: ACE, SSL offload and Citrix Secure Gateway

I do not know the application.

Are you doing client authentication on the CSS?

Does it fail because the CSS rejects the client certificate?

Is the certificate to be sent to the Citrix server?

I would suggest capturing traces with and without the CSS so we can compare.

Gilles

New Member

Re: ACE, SSL offload and Citrix Secure Gateway

I'm not using the CSS.

I'm using the Cisco Application Control Engine (ACE), version 3.0(0)A1(6.3b).

CSG = Citrix Secure Gateway.

After a user logs into the website (the ACE isn't dealing with client auth; this is the job of the CSG server) and attempts to launch a Citrix session, the Citrix client errors out, giving a cert error or a "Citrix server unavailable" error.

I believe the CSG is passing a new certificate to the Citrix client (new meaning a different cert than is used to load the website), but the ACE is confusing the Citrix client somehow.

The captures I've done show a "TCP Checksum Incorrect" right after the "Change Cipher Spec" and "Encrypted Handshake Message".

New Member

Re: ACE, SSL offload and Citrix Secure Gateway

Did you find a resolution on this? I am having the same issue with CSG servers.

Silver

Re: ACE, SSL offload and Citrix Secure Gateway

Hi,

Not sure if this is relevant - it is about SSL offload to a Netscaler rather than an ACE, but the principles should be the same.

http://www.jaytomlin.com/blog/2006/07/can_netscaler_perform_ssl_offl_1.html

Effectively you need to tell the CSG not to expect SSL on its three virtual servers.

HTH

Cathy

New Member

Re: ACE, SSL offload and Citrix Secure Gateway

No.

The solution is to leave the cert on the CSGs and not do SSL offload, as far as I can see.
