07-11-2013 10:09 PM - edited 03-11-2019 07:11 PM
Running 9.1.2.29
We believe this is relatively new. CX module is prompting for credentials (Active Auth) for users at home, connecting to Outlook Web Access, Citrix, etc. inside of the firewall. Internal users using the same resources are not.
I cannot even visualize where the CX module would be inspecting the traffic in, then out again for an internal server.
What configuration / policies exists to control that behavior?
07-12-2013 05:50 AM
The CX will inspect traffic per its rules according to the service-policy on the ASA. If traffic isn't flowing through the firewall (e.g. internal users) the service policy will never redirect the flow to the CX for inspection. You could reference an ACL in the service-policy exempting flows from the VPN pool addresses to your internal servers from inspection.
07-12-2013 11:06 AM
Actually, I am talking about pure port 80/443 traffic inbound to our OWA, Citrix. If our users are at home, via VPN, the CX behaves correctly - using passive authentication via the AD agent. If the user is not on VPN, goes to OWA or Citrix via their browser (80/443) they see the login screen load for OWA, Citrix but immediately receive a pop-up from the CX module requiring active authentication.
07-12-2013 03:21 PM
Hmmm OK. So the issue is with inbound non-VPN users. We wouldn't normally expect their traffic to hit the CX at all. Where is your service-policy applied? (sh run service-policy)
07-12-2013 03:24 PM
Mind boggling, hey? Result of the sh run service-policy: service-policy global_policy global.
Hopefully that sheds some light.
Thanks Marvin.
07-13-2013 02:13 PM
I don't see how your CX is activated in the ASA policy. Normally I would expect your CX policy to be called out. Something like:
Result of the command: "show run policy-map inside-policy"
!
policy-map inside-policy
 class inside-class
  cxsc fail-open auth-proxy
!
Result of the command: "show run service-policy"
service-policy global_policy global
service-policy inside-policy interface inside
07-15-2013 08:15 PM
Marvin,
Thanks for the continued help and sorry for the delay. The configuration you were looking for is in my global_policy:
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect icmp
 class DR_GRE
  set connection timeout idle 0:00:15
 class NFLOW
  flow-export event-type all destination 10.128.36.16
 class Internet
  cxsc fail-open auth-proxy
!
Does this help?!
07-15-2013 09:20 PM
Yes.
Because you have the class map with cxsc redirection in your global policy it will apply to all interfaces. The ones I have set up applied the CX inspection to outbound user traffic (e.g. that coming into the Inside interface). That is, specify Inside at step 8 of the configuration guide here.
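The root cause in this thread is a cxsc action living in the global policy, so it redirects flows on every interface, including inbound non-VPN traffic to OWA and Citrix. The following is an added audit script, not code from the thread or from Cisco: it parses the plain-text output of "show run policy-map" and "show run service-policy" (in the format shown in the posts above), works out which interface scope each class carrying a cxsc action is bound to, and warns when that binding is global rather than per-interface. The sample configuration embedded below is constructed to mirror the two policies discussed in the thread; the function and variable names are this script's own.

```python
"""Audit where a Cisco ASA 'cxsc' (CX module) redirection is applied.

Reads 'show run policy-map' and 'show run service-policy' output and reports
whether each class with a cxsc action is bound globally (all interfaces) or to
a named interface. Constructed sample input, modelled on the thread above.
"""
import re

# Constructed sample: the poster's global policy plus the per-interface policy
# Marvin showed as the expected layout.
SAMPLE_POLICY_MAPS = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class Internet
  cxsc fail-open auth-proxy
policy-map inside-policy
 class inside-class
  cxsc fail-open auth-proxy
"""

SAMPLE_SERVICE_POLICY = """\
service-policy global_policy global
service-policy inside-policy interface inside
"""


def parse_policy_maps(text):
    """Return {policy_map_name: {class_name: [action lines]}}.

    'policy-map type ...' blocks (inspection parameter maps) carry no class
    actions of interest and are skipped.
    """
    maps = {}
    current_map = None
    current_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map type"):
            current_map = None
            current_class = None
            continue
        m = re.match(r"policy-map\s+(\S+)$", line)
        if m:
            current_map = m.group(1)
            maps[current_map] = {}
            current_class = None
            continue
        m = re.match(r"class\s+(\S+)$", line)
        if m and current_map is not None:
            current_class = m.group(1)
            maps[current_map][current_class] = []
            continue
        if current_map is not None and current_class is not None:
            maps[current_map][current_class].append(line)
    return maps


def parse_service_policy(text):
    """Return [(policy_map_name, scope)] where scope is 'global' or an interface name."""
    bindings = []
    for raw in text.splitlines():
        m = re.match(r"\s*service-policy\s+(\S+)\s+(global|interface\s+(\S+))", raw)
        if m:
            scope = "global" if m.group(2) == "global" else m.group(3)
            bindings.append((m.group(1), scope))
    return bindings


def cxsc_scopes(policy_text, service_text):
    """Map each (policy_map, class) carrying a cxsc action to its bound scopes."""
    maps = parse_policy_maps(policy_text)
    result = {}
    for pmap, scope in parse_service_policy(service_text):
        for cls, actions in maps.get(pmap, {}).items():
            if any(a.startswith("cxsc") for a in actions):
                result.setdefault((pmap, cls), []).append(scope)
    return result


def findings(policy_text, service_text):
    """Produce one WARN/OK line per cxsc-bearing class."""
    out = []
    for (pmap, cls), scopes in cxsc_scopes(policy_text, service_text).items():
        if "global" in scopes:
            out.append(
                f"WARN: cxsc in {pmap}/{cls} is bound globally; flows entering "
                f"every interface (including inbound Internet users) are redirected to the CX"
            )
        else:
            out.append(f"OK: cxsc in {pmap}/{cls} bound to interface(s) {', '.join(scopes)}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_POLICY_MAPS, SAMPLE_SERVICE_POLICY):
        print(line)
```

Run it against real output by replacing the two sample strings with pasted command output; a WARN on the global policy is the configuration the thread ends up diagnosing, and the fix Marvin describes (binding the cxsc class to the inside interface, or exempting inbound flows via an ACL in the class map) turns that line into an OK.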