ASA with WebVPN and Secure Desktop accesing Citrix Presentation server
I have a presentation server farm sitting behind a Cisco ASA. The ASA acts as the Citrix Access Gateway in this design and provides a WebVPN connection with Secure Desktop to the remote client via SSL. The Cisco ASA is configured with a certficate from a Verisign Subordinate/Intermediary certificate server. After connecting to the Cisco ASA and downloading the Secure Desktop, I'm provided with a link to the Server farm. After selecting the server farm, I get a SSL/TLS error. I believe this is because the SSL cert by Verisign installed on the Cisco ASA is not part of the JAVA keystore on the remote client. If I import the Verisign cert into the JAVA keystore or if I get Verisign to sign the certificate with a root server, which is by default part of the keystore, the connection works great. However, Verisign is no longer signing certs with their root servers (forcing everyone to use the intermediary servers). Also, having end-users import a certificate into the JAVA keystore from every location they connect from (kiosks, home machines,...) is not acceptable.
I'm running 7.2(2) on the ASA and when I have the Verisign cert on its public interface signed by the Verisign subordinate cert server, I also have the full chaing including the root server and subordinate server's identity cert installed on the ASA. Unless the ASA can respond to the client with the root certs identity, I don't see how the ASA can support citrix connectivity via WebVPN. Any thoughts, ideas, viable work arounds?
Re: ASA with WebVPN and Secure Desktop accesing Citrix Presentat
A present this feature is not supportd in the ASA. Citrix pass-through authentication requires a domain field when the published application is launched. The SSO only passes the Citrix web interface login. But when the published application sends a auth challenge with the domain, there is no domain support with SSO.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...