
ACE, SSL offload and Citrix Secure Gateway

ross.bagurdes
Level 1

I need to configure my ACE to do both SSL offload and load balancing for a pair of Citrix Secure Gateways.

The issue I'm running into is that I'm able to get the CSG website to load properly with SSL offload; however, when the client starts a Citrix session, the certificate transfer fails, and I'm unable to launch the Citrix session.


Gilles Dufour
Cisco Employee

I do not know the application.

Are you doing client authentication on the CSS?

Does it fail because the CSS rejects the client certificate?

Is the certificate to be sent to the Citrix server?

I would suggest capturing traces with and without the CSS so we can compare.

Gilles

I'm not using the CSS.

I'm using the Cisco Application Control Engine (ACE), version 3.0(0)A1(6.3b).

CSG = Citrix Secure Gateway.

After a user logs into the website (the ACE isn't dealing with client auth; this is the job of the CSG server) and attempts to launch a Citrix session, the Citrix client errors out, giving a cert error or a "Citrix server unavailable" error.

I believe the CSG is passing a new certificate to the Citrix client (new meaning a different cert than is used to load the website), but the ACE is confusing the Citrix client somehow.

The captures I've done show a 'TCP Checksum Incorrect' right after the "Change Cipher Spec" and "Encrypted Handshake Message".

Did you find a resolution on this? I am having the same issue with CSG servers.

Hi,

Not sure if this is relevant. It is about SSL offload to a Netscaler rather than an ACE, but the principles should be the same.

http://www.jaytomlin.com/blog/2006/07/can_netscaler_perform_ssl_offl_1.html

Effectively you need to tell the CSG not to expect SSL on its three virtual servers.

HTH

Cathy

No.

The solution is to leave the cert on the CSGs and not do SSL offload, as far as I can see.
