Citrix XenApp via Cisco SSL VPN


Asked by: macomsupport
Solved by: macomsupport

Dear Experts,


We have been struggling with a problem for a few days. We have a Citrix XenApp farm v 4.7 that contains two servers, plus a Citrix Web Interface server v 5.2.

We have successfully configured our Cisco SSL VPN with SSO to connect to our server farm; however, we are unable to access the published applications. The applications begin to launch but never complete (see attached).


Application Hanging


The Citrix apps work fine from within the network and via an IPsec VPN. I believe the problem could be caused by missing configuration within the Citrix Web Interface "secure access". I tried configuring gateway direct as an option, but then we need to configure STA, so on each XenApp server I have configured the SSL relay settings using the instructions found here:
http://support.citrix.com/article/CTX128257
However, the gateway direct requires to be pointed to http://fqdn/ctxsta.dll. Does this mean that we need to install IIS on the XenApp server, or can we configure another server to be the STA?
Or are we heading down the wrong path altogether?
Note that while connecting to Citrix via the SSL VPN with the monitor open on the ASA, the IP requesting data from the Citrix farm is the inside interface of the ASA; however, the traffic from the XenApp (applications never get returned), see attached screenshot of ASA monitor.


ASA Monitor

One other thing to note: we have secured the SSL VPN with a wildcard certificate. It has been suggested that this is our problem??
TIA
Steve

Topics: Citrix, Virtual Private Networking (VPN), Cisco PIX Firewall


Comments: 8

ID: 28011797

Comments
Expert Comment
by: rauenpc on 2013-01-28 at 18:57:02 ID: 38829651

When I've had problems with this in the past, it has usually been due to routing/NAT'ing, or the XenApp mode (?). Depending on how the XenApp server is set up, the temporary ICA file used to launch the app can contain a private IP or FQDN, or a public IP/FQDN if the server is set up to act as a gateway. Different setups would require either of those to be configured. The real-time log viewer would suggest that you are using private IPs, so I would look to make sure the server has a route to reach that particular VPN address pool, and also make sure you have a NAT exemption configured for that traffic. If you are using FQDNs, make sure the proper DNS server is being used by default with the VPN client. I've also seen where XenApp servers were configured with two interfaces. In this case routing needs to be configured so that the server knows where to send external and internal traffic, with the potentially oddball route being for VPN clients, as those are usually private IP addresses but routed towards the internet.

I don't know anything about XenApp configuration (hence the ? after using the term mode), but I do have experience with the network side of things. It may be helpful to open up the ICA file in an editor so that you know for sure what address is being handed out for the app, and from there you can check routing/firewall/NAT (or no NAT).
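
One way to do the check suggested in the comment above, as an added example that is not part of the original thread: a short Python script that reads a launch (.ica) file and reports, per published application, whether the address handed out is a private IP, a public IP, an FQDN or a ticket. The sample file, its host names, and the treatment of the `Address` and `SSLProxyHost` keys and of a leading `;` as an STA ticket are assumptions for illustration.

```python
import configparser
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample launch file (not from the thread); all values are placeholders.
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=
Calc=

[Notepad]
Address=10.20.30.41:1494
InitialProgram=#Notepad

[Calc]
Address=;40;STA0123456789;0A1B2C3D4E5F
SSLEnable=On
SSLProxyHost=gateway.example.com:443
"""

def classify_address(value):
    """Return (kind, host, port) for an ICA Address= value."""
    if not value:
        return ("missing", None, None)
    if value.startswith(";"):
        # Assumption: a leading ';' marks an STA ticket issued for gateway access.
        return ("sta-ticket", None, None)
    host, _, port = value.partition(":")
    port = int(port) if port else 1494  # 1494 is the default ICA port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return ("fqdn", host, port)  # not an IP literal, so DNS must resolve it
    kind = "private-ip" if any(ip in n for n in RFC1918) else "public-ip"
    return (kind, host, port)

def ica_targets(text):
    """List (app, kind, host, port, ssl_proxy) for every published app in the file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    rows = []
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            continue  # listed but no matching section in the file
        sec = cp[app]
        kind, host, port = classify_address(sec.get("Address", "").strip())
        rows.append((app, kind, host, port, sec.get("SSLProxyHost")))
    return rows

if __name__ == "__main__":
    for app, kind, host, port, proxy in ica_targets(SAMPLE_ICA):
        print(f"{app}: {kind} {host or '-'}:{port or '-'} via {proxy or 'direct'}")
```

A `private-ip` or `fqdn` result means whatever device originates the ICA session must have a route, name resolution and firewall/NAT rules for that host and port; a `sta-ticket` result means the session is expected to go through the listed proxy host instead.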



Author Comment
by: macomsupport on 2013-01-29 at 02:05:07 ID: 38830258

Thanks for your input; however, this is an SSL VPN, so there is no VPN client or VPN IP pool. The ASA inside interface is making the requests on behalf of the users. Looking inside the ICA file is a nice idea, but the file never gets received by the client when using the SSL VPN. This is also what the monitor above suggests.

Expert Comment
by: rauenpc on 2013-01-29 at 05:48:07 ID: 38830921

I didn't realize you were using clientless SSL VPN; I was thinking AnyConnect SSL VPN
which does have a client and VPN pool.
Having no experience with this setup, the best I can give you is the Cisco configuration guide
regarding this.
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_clientless_ssl.html#wp1293004
What I found interesting about the instructions is that you are required to not only download
the ICA plugin for the portal, but also to download a couple files from the Citrix website and
add them to the ZIP file that is used to install the ICA plugin on the ASA.

Author Comment
by: macomsupport on 2013-01-29 at 13:18:16 ID: 38832880

Thanks again, yes the Cisco guide was followed to the letter.....

Expert Comment
by: compdigit44 on 2013-02-22 at 10:53:05 ID: 38919171

It sounds like you need to create another site on your Web Interface for your external connections. I use a NetScaler in my environment and haven't used the Cisco VPN solution, but I can give you a basic idea of what I did.
1) Your default internal Citrix website should be set to "Authentication Point at Web Interface"; you should create another website that is set to "At Access Gateway".
2) Authentication Method is set to explicit: https://<ExternalCitrixURL>/CitrixAuthService/AuthService.asmx
3) STA servers should point to one of your internal Citrix servers. I usually point this to my data collector. You do not need to install IIS.
4) Make sure the firewall between your Citrix servers and Cisco VPN allows ports 443, 80, 1494 to all Citrix servers.
I will look for your reply and will see if I can gather more information for you.

Expert Comment
by: compdigit44 on 2013-02-22 at 10:54:45 ID: 38919176

Also see if this link helps: https://supportforums.cisco.com/thread/2090788


Good Luck!!!!

Accepted Solution

by: macomsupport on 2013-05-22 at 03:17:22 ID: 39187009

Hello
We never got this working, so we have installed Citrix Access Gateway Enterprise and this
got everything working the way we wanted.

Thanks for all your help.

Author Closing Comment


by: macomsupport on 2013-06-25 at 02:16:25 ID: 39274159

Hello
We never got this working, so we have installed Citrix Access Gateway Enterprise and this
got everything working the way we wanted.

Thanks for all your help.
