CSC-SSM: HTTP scanning enabled and Citrix

herve.leon
Level 1

Hi,

We have the following architecture:

Internet ---> Firewall Juniper ---> DMZ ---> Firewall ASA ---> LAN

In DMZ, Citrix Secure Gateway 3.01 and Citrix WebInterface 4.0 are installed on a Windows 2003 Server.


The Citrix Farm (XenApp 4.5) is in the LAN.

We have a problem when enabling an HTTP Scanning (default configuration) on CSC-SSM 20.

Without HTTP Scanning, the users can authenticate and access the virtualized applications

With HTTP Scanning enabled, the users can authenticate on the Citrix Secure Gateway but can't access the virtualized applications on Citrix XenApp.

Have you already had such a problem?

Thanks

Herve

3 Replies

Panos Kampanakis
Cisco Employee

It has happened before.

Depending on the traffic patterns CSC could drop packets. Check if you have any HTTP scanning logs on the CSC that give you more details.

What you can do is to put a deny for traffic that is destined to the Citrix server on the ACL that is used to match traffic that will be inspected by the CSC.

That way the CSC will not scan the traffic going to Citrix and it should work.

I hope it helps.

PK

Kureli Sankar
Cisco Employee

You can exclude the DMZ Citrix talking to internal websites from being scanned by the CSC; that will alleviate the problem.

You can do this by adding a deny line above the permits in the acl that matches traffic to be scanned by the CSC module.

Example:

access-list csc-acl extended deny ip host 192.168.1.10 host 10.10.10.10
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp

Where 192.168.1.10 is the ip of the citrix server and 10.10.10.10 is the ip address of the inside webserver.

-KS

Thanks a lot for all your answers.

Actually, this problem is documented in bug CSCsf05298

Citrix not supported with CSC module

Symptom:
Citrix application is not fully compliant with the RFC because CSC inspection of the Citrix traffic is not supported.

There are no plans to fix the issue on the CSC module.

Workaround: Bypass Citrix traffic over CSC by ASA MPF

Herve
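The "bypass by ASA MPF" workaround from the bug note, tied to the deny-before-permit ACL KS posted, as an added ASA configuration example (not from the original posts, the bug text, or Cisco documentation). The addresses 192.168.1.10 and 10.10.10.10 are the placeholders from KS's reply; the class-map and policy-map names, and the assumption that the DMZ Web Interface/CSG host reaches the inside XenApp XML broker on TCP 80, are mine.

```cisco
! Added example: bind the CSC scan ACL to the CSC module with MPF.
! Addresses are the placeholders from KS's reply; class-map/policy-map
! names and the XML broker port (TCP 80) are assumptions.
!
! ACLs are evaluated first match wins, so the deny must sit above the
! permits. Keep it as narrow as the problem allows (host to host, one
! port) so everything else on port 80 is still scanned.
access-list csc-acl remark Bypass DMZ Citrix WI/CSG host -> inside XenApp XML broker
access-list csc-acl extended deny tcp host 192.168.1.10 host 10.10.10.10 eq www
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp
!
! The class matches only what the ACL permits; denied flows never reach
! the CSC module and are forwarded by the ASA as normal.
class-map csc-class
 match access-list csc-acl
!
! Hand matched flows to the CSC module. fail-open keeps passing traffic
! if the module is down or reloading; fail-close drops it instead.
policy-map global_policy
 class csc-class
  csc fail-open
!
service-policy global_policy global
```

To confirm the bypass is taking effect, watch the hit count on the deny line with `show access-list csc-acl` while a user launches a published application, and check `show service-policy csc` for the class and action in use. The choice between `fail-open` and `fail-close` is a security decision: `fail-open` prioritises availability when the module is unavailable, `fail-close` prioritises scanning coverage; pick the one that matches what the CSC is there to protect.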
