I have a presentation server farm sitting behind a Cisco ASA. The ASA acts as the Citrix Access Gateway in this design and provides a WebVPN connection with Secure Desktop to the remote client via SSL. The Cisco ASA is configured with a certificate from a Verisign Subordinate/Intermediary certificate server. After connecting to the Cisco ASA and downloading the Secure Desktop, I'm provided with a link to the server farm. After selecting the server farm, I get an SSL/TLS error. I believe this is because the SSL cert by Verisign installed on the Cisco ASA is not part of the JAVA keystore on the remote client. If I import the Verisign cert into the JAVA keystore, or if I get Verisign to sign the certificate with a root server, which is by default part of the keystore, the connection works great. However, Verisign is no longer signing certs with their root servers (forcing everyone to use the intermediary servers). Also, having end-users import a certificate into the JAVA keystore from every location they connect from (kiosks, home machines, ...) is not acceptable.
I'm running 7.2(2) on the ASA and when I have the Verisign cert on its public interface signed by the Verisign subordinate cert server, I also have the full chain, including the root server's and subordinate server's identity certs, installed on the ASA. Unless the ASA can respond to the client with the root cert's identity, I don't see how the ASA can support Citrix connectivity via WebVPN. Any thoughts, ideas, viable workarounds?
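An added example, not from the original post or from Cisco, that reproduces the failure mode being described with a throwaway PKI built by OpenSSL: a root CA (the kind of certificate a Java cacerts keystore ships with), an intermediate signed by it, and a server certificate signed by the intermediate. All names (Example Root CA, gateway.example.test, and so on) are constructed. The three cases at the end mirror the post: the client trusts only the root and the server sends only its own certificate (chain cannot be built), the server also sends the intermediate (chain builds with no change on the client), and the intermediate has been imported into the client's store (the workaround the post wants to avoid). Against a real gateway, `openssl s_client -connect <gateway>:443 -showcerts </dev/null` lists every certificate the server actually sends in the handshake, so a listing that contains only the leaf is the symptom to look for.

```shell
#!/bin/sh
# Constructed demonstration of an incomplete certificate chain.
# Requires the openssl command-line tool; nothing here touches the network.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extensions for CA certificates (root and intermediate).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# Extensions for the server (leaf) certificate.
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# Root CA, self-signed: stands in for a root shipped in the Java keystore.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
    -extfile ca.ext >/dev/null 2>&1

# Intermediate CA, signed by the root: NOT in the client's keystore.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile ca.ext >/dev/null 2>&1

# Server certificate, signed by the intermediate, as the gateway's would be.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=gateway.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# A client store with the intermediate imported (the manual workaround).
cat root.pem inter.pem > store_with_inter.pem

# verify_chain STORE LEAF [SENT]
# Emulates a client that trusts only the certificates in STORE, receives LEAF
# from the server and, optionally, the extra certificates in SENT that the
# server included in its handshake. Returns 0 when a chain to STORE builds.
verify_chain() {
    store=$1; leaf=$2; sent=${3:-}
    if [ -n "$sent" ]; then
        openssl verify -CAfile "$store" -untrusted "$sent" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$store" "$leaf" >/dev/null 2>&1
    fi
}

# describe FILE: print subject and issuer on one line to see where a chain breaks.
describe() {
    printf '%s: ' "$1"
    openssl x509 -noout -subject -in "$1" | tr -d '\n'
    printf ' <- '
    openssl x509 -noout -issuer -in "$1"
}

describe leaf.pem
describe inter.pem
describe root.pem

# Case 1: root-only store, server sends only the leaf -> chain incomplete.
if verify_chain root.pem leaf.pem; then
    echo "case 1: unexpected success"
else
    echo "case 1: chain incomplete, client cannot reach a trusted root (expected)"
fi

# Case 2: root-only store, server sends leaf + intermediate -> OK, no client change.
if verify_chain root.pem leaf.pem inter.pem; then
    echo "case 2: OK, server supplied the intermediate"
fi

# Case 3: intermediate imported into the client store, leaf only -> OK.
if verify_chain store_with_inter.pem leaf.pem; then
    echo "case 3: OK, intermediate present in client store"
fi
```

Case 2 is the state to aim for: a client that holds only the public root succeeds as soon as the server sends the intermediate alongside its own certificate, which is why verifying with `-showcerts` what the gateway actually sends is the first check before touching any keystore.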