cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1127
Views
0
Helpful
7
Replies

CX Prompting for Authentication to Citrix, OWA

Nick Burns
Level 1
Level 1

Running 9.1.2.29

We believe this is relatively new.  CX module is prompting for credentials (Active Auth) for users at home, connecting to Outlook Web Acces, Citrix, etc. inside of the firewall.  Internal users using the same resources are not. 

I cannot even visualize where the CX module would be inspecting the traffic in, then out again for an internal server. 

What configuration / policies exists to control that behavior?

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

The CX will inspect traffic per its rules according to the service-policy on the ASA. If traffic isn't flowing through the firewall (e.g internal users) the service policy will never redirect the flow to the CX for inspection. You could reference an ACL in the service-policy exempting flows from the VPN pool addresses to your internal servers from inspection.

Actually, I am talking about pure port 80/443 traffic in bound to our OWA, Citrix.  If our users are at home, via VPN, the CX behaves correctly - using passive authentication via the AD agent.  If the user is not on VPN, goes to OWA or Citrix via their browser (80/443) they see the login screen load for OWA, Citrix but immediately receive a pop-up from the CX module requiring active authentication.

Hmmm OK. So the issue is with inbound non-VPN users. We wouldn't normally expect their traffic to hit the CX at all. Where is your service-policy applied? (sh run service-policy)

Mind boggling, hey?  Result of the sh run service-policy:  service-policy global_policy global.

Hopefully that sheds some light.

Thanks Marvin.

I don't see how your CX is activated in the ASA policy. Normally I would expect your CX policy to be called out. Something like:

Result of the command: "show run policy-map inside-policy"

!

policy-map inside-policy

class inside-class

  cxsc fail-open auth-proxy

!

Result of the command: "show run service-policy"

service-policy global_policy global

service-policy inside-policy interface inside

Marvin,

Thanks for the continued help and sorry for the delay.  The configuration you were looking for is in my global_policy:

!

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect icmp

class DR_GRE

  set connection timeout idle 0:00:15

class NFLOW

  flow-export event-type all destination 10.128.36.16

class Internet

  cxsc fail-open auth-proxy

!

Does this help?!

Yes.

Because you have the class map with cxsc redirection in your global policy it will apply to all interfaces. The ones I have setup applied the CX inspection to outbound user traffic (e.g. that coming into the Inside interface). That is, specify Inside at step 8 of the configuration guide here.

Review Cisco Networking for a $25 gift card