SSLVPN 9.2 Citrix Single Sign-on using External Portal
I was working on an ASA migration that was using the AnyConnect Clientless portal to single sign on with a seamless redirection to Citrix. They were running 9.1.2 and were using the homepage URL with Post to redirect and log in users to Citrix without sending them to the Cisco portal first. In later versions of ASDM the Post feature is missing for the Homepage URL, and in 9.2.2 this feature is not available in the CLI either, even though the commands may be in there if you restored using ASDM. HTTPS does not work, and even if it did, it displays the Username and Password in clear text in the URL.
I contacted TAC and was informed this option was removed and that there was no workaround.
While trying to get the portal reconfigured to use Bookmarks, I stumbled across a feature called External Portal. This feature does exactly what the homepage URL feature does, but it still has the option to use Post URLs. Oddly enough, the Post URL I had did not work, so I tried the PreDefined Application templates and was able to set it up using HTTPS for XenApp, but this time the Username and Password are not displayed in the URL. The below link gives some information on it on page 12, but the process is pretty straightforward.