topic Re: CSC-SSM: HTTP scanning enabled and Citrix in Network Security

CSC-SSM: HTTP scanning enabled and Citrix

herve.leon — Mon, 11 Mar 2019 16:51:33 GMT

Hi,

We have the following architecture:

Internet ---> Firewall Juniper ---> DMZ ---> Firewall ASA ---> LAN

In DMZ, Citrix Secure Gateway 3.01 and Citrix WebInterface 4.0 are installed on a Windows 2003 Server.

The Citrix Farm (XenApp 4.5) is in the LAN.

We have a problem when enabling an HTTP Scanning (default configuration) on CSC-SSM 20.

Without HTTP Scanning, the users can authenticate and access the virtualized applications

With HTTP Scanning enabled, the users can authenticate on the Citrix Secure Gateway but can't access the virtualized applications on Citrix XenApp.

Have you already had such a problem ??

Thanks

Herve

Re: CSC-SSM: HTTP scanning enabled and Citrix

Panos Kampanakis — Wed, 23 Dec 2009 15:41:32 GMT

It has happened before.

Depending on the traffic patterns CSC could drop packets. Check if you have any HTTP scanning logs on the CSC that give you more details.

What you can do is to put a deny for traffic that is destined to the Citrix server on the ACL that is used to match traffic that will be inspected by the CSC.

That way the CSC will not scann the traffic going to Citrix and it should work.

I hope it helps.

Re: CSC-SSM: HTTP scanning enabled and Citrix

Kureli Sankar — Wed, 23 Dec 2009 16:18:19 GMT

You can exclude the DMZ citrix talking to internal Websites from being scanned by the CSC that will allieviate the problem.

You can do this by adding a deny line above the permits in the acl that matches traffic to be scanned by the CSC module.

Example:

access-list csc-acl extended deny ip host 192.168.1.10 host 10.10.10.10
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp

Where 192.168.1.10 is the ip of the citrix server and 10.10.10.10 is the ip address of the inside webserver.

-KS

Re: CSC-SSM: HTTP scanning enabled and Citrix

herve.leon — Tue, 29 Dec 2009 08:12:32 GMT

Thanks a lot for all your answers.

Actually, this problem is documented in bug CSCsf05298

Citrix not supported with CSC module

Symptom:
Citrix application is not fully compliant with the RFC because CSC inspection of the Citrix traffic is not supported.

There are no plans to fix the issue on the CSC module.

Workaround: Bypass Citrix traffic over CSC by ASA MPF

Herve