Cannot access CITRIX published apps via clientless SSL Web VPN

paultribe · ‎06-06-2011

I have configured a web VPN portal for a cutomer and they wish to use it to access their CITRX Web service, which I have bookmarked (Its an HTTPS page). The problem is as follows:

- I connect to the Cisco WebVPN portal OK.

- I connect to the CITRIX server OK.

- I am then presented with the published Citrix Apps, when I click on one of these I get the following error:

"Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. SSL error 61: "you have not chosen to trust "10.1.1.14", the issuer of the servers security certificate"

I can confirm I did have the Citrix XenApp client running on my PC and that the Citrix server was operating in direct mode. The address reffered to in the message (Which for security pupoises is made up), is the outside interface on the ASA that I had connected to in order to access the SSL VPN main portal.

Do I have to do anything else on the ASA or could this be a Citrix issue,

Paul

Herbert Baerten · ‎06-07-2011

Paul,

the client is saying that it does not trust the ASA's certificate (which it uses to authenticate itself during the SSL handshake). Since the issuer is the ip address of the ASA, I conclude that it is using a self-signed certificate.

So the solution is to either

- get a trusted certificate on the ASA (i.e. a certificate issued by a trusted third-party CA like Verisign etc., for which the client has the issuer certificate in its trusted root store)

OR

- import the ASA certificate in the trusted root store on the client.

hth

Herbert

paultribe · ‎06-07-2011

Herbert

Thank you for your response, I thought no one was ever going to answer. Just a couple of questions if you don't mind:

1) Is the process as follows:

a) Purchase an SSL certificate for the ASA (say from Thawte).

b) Install the SSL certificate and the relevant root CAs on the ASA.

c) Associate it with the outside interface of the ASA.

d) Ensure the Citrix server(s) have the same CAs that trust/signed the SSL certifcate installed on the ASA.

-OR-

a) Create a self signed certificate on the ASA. (I had not actually done this yet).

b) Import this certificate in the trusted root store on every client.

2) If the portal is accessed from both the external and internal network I presume I would need two certificates as the IP addresses would be different - whether it be on the same or different ASA interfaces.

3) I could not find a guide to configuring this on the ASA in relation to CITRIX, do you know of one?

Many thanks

Paul

Herbert Baerten · ‎06-07-2011

Paul,

for #1 : step d should not even be needed.

As for the self-signed cert: if you don't create one explicitly, the ASA will create one for you, but it will create a new one every time the ASA reboots - so better create one manually.

for #2: the cert will typically contain the hostname (FQDN), not the IP address (although that is also possible). The name or ip address in the cert must match what the user connects to though.

So if you can have your DNS point the same name to different ip addresses depending on the location (i.e. inside users resolve vpn.mycompany.com to the internal ip of the ASA, outside users resolve the same name to the outside ip of the ASA) then you can use the same cert on both interfaces.

Alternatively you can purchase a "wildcard" cert, i.e. a cert with something like " *.mycompany.com" and use that on both interfaces, and users can connect to "vpn.mycompany.com" from the outside, and "vpn-inside,mycompany.com" on the inside.

Alternatively, you can indeed just use 2 different certificates.

for #3, sorry I don't know of any detailed configuration guides for citrix over webvpn.

hth

Herbert