New Member

CSC-SSM: HTTP scanning enabled and Citrix

Hi,

We have the following architecture:

Internet ---> Firewall Juniper ---> DMZ ---> Firewall ASA ---> LAN

In DMZ, Citrix Secure Gateway 3.01 and Citrix WebInterface 4.0 are installed on a Windows 2003 Server.

The Citrix Farm (XenApp 4.5) is in the LAN.

We have a problem when enabling an HTTP Scanning (default configuration) on CSC-SSM 20.

Without HTTP Scanning, the users can authenticate and access the virtualized applications.

With HTTP Scanning enabled, the users can authenticate on the Citrix Secure Gateway but can't access the virtualized applications on Citrix XenApp.

Have you already had such a problem?

Thanks

Herve

2 ACCEPTED SOLUTIONS

Cisco Employee

Re: CSC-SSM: HTTP scanning enabled and Citrix

It has happened before.

Depending on the traffic patterns CSC could drop packets. Check if you have any HTTP scanning logs on the CSC that give you more details.

What you can do is to put a deny for traffic that is destined to the Citrix server on the ACL that is used to match traffic that will be inspected by the CSC.

That way the CSC will not scan the traffic going to Citrix and it should work.

I hope it helps.

PK

Cisco Employee

Re: CSC-SSM: HTTP scanning enabled and Citrix

You can exclude the DMZ Citrix talking to internal websites from being scanned by the CSC; that will alleviate the problem.

You can do this by adding a deny line above the permits in the ACL that matches traffic to be scanned by the CSC module.

Example:

access-list csc-acl extended deny ip host 192.168.1.10 host 10.10.10.10
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp

Where 192.168.1.10 is the IP of the Citrix server and 10.10.10.10 is the IP address of the inside web server.

-KS

3 REPLIES

New Member

Re: CSC-SSM: HTTP scanning enabled and Citrix

Thanks a lot for all your answers.

Actually, this problem is documented in bug CSCsf05298.

Citrix not supported with CSC module

Symptom:
Citrix application is not fully compliant with the RFC because CSC inspection of the Citrix traffic is not supported.

There are no plans to fix the issue on the CSC module.

Workaround: Bypass Citrix traffic over CSC by ASA MPF

Herve
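The complete ASA Modular Policy Framework wiring for the bypass that KS's ACL and Herve's closing note describe, as an added example that is not taken from the thread: the ACL name csc-acl and the two host addresses are the thread's own placeholders, while the class-map name and the use of the default global_policy are assumptions.

```cisco
! Added example (not from the thread): bypass the Citrix flow around the CSC-SSM
! while HTTP, SMTP, POP3 and FTP keep being redirected to the module.
! 192.168.1.10 = DMZ Citrix server, 10.10.10.10 = inside web server (thread placeholders).
access-list csc-acl remark Citrix flow is not supported by CSC inspection (CSCsf05298)
access-list csc-acl extended deny ip host 192.168.1.10 host 10.10.10.10
! In an ACL referenced by a class-map, a deny entry means "do not classify", so this
! flow is never handed to the module. It has to sit above the permits because the
! ACL is evaluated top-down and the first matching line wins.
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp
!
! class-map name is assumed; it simply binds the ACL above.
class-map csc-class
 match access-list csc-acl
!
! global_policy is the ASA default policy map; csc fail-open lets matched traffic
! pass unscanned if the module is down, csc fail-close would drop it instead.
policy-map global_policy
 class csc-class
  csc fail-open
!
service-policy global_policy global
```

After applying this, `show access-list csc-acl` shows a per-line hitcnt, so a rising count on the deny entry confirms the Citrix flow is being excluded, and `show service-policy` reports the module status and the packet counters for the CSC class.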
