Clientless Webvpn Filtering with Citrix Traffic

mstraessle
Level 4

Hi

I am using a ASA 8.2.2 configured with clientless webvpn.

Since there are several different user groups and connection profiles configured, I want to make sure that only certain users have access to certain services. For that I configured webtype ACLs. This works fine for any HTTP- or HTTPS-related traffic to the internal server, but it does not work for Citrix traffic towards the Citrix Web Interface server.

This is what part of my config looks like:

...

group-policy X attributes
 vpn-tunnel-protocol webvpn
 group-lock value X
 webvpn
  filter value X

....

access-list X webtype permit url http://x.y/* log default
...

group-policy Citrix attributes
 vpn-tunnel-protocol webvpn
 group-lock value Citrix
 webvpn
  filter value Citrix

...

access-list Citrix webtype permit url https://citrix.local/* log default
access-list Citrix webtype permit url citrix://* log default
access-list Citrix webtype permit url citrixs://* log default
access-list Citrix webtype permit url https://citrix/* log default
access-list Citrix webtype permit url http://10.1.2.3/* log default
access-list Citrix webtype permit url https://10.2.3.4/* log default
access-list Citrix webtype permit url http://* log default
access-list Citrix webtype permit url https://* log default
access-list Citrix webtype permit url any log default

When I troubleshoot using the log, I only see permits and no denies, and the same goes for the hit counts. But as soon as the Citrix channel from the client towards the Citrix server within HTTPS is started, it fails if the webtype ACL is active (even with the permit url any at the end!). If I remove it, it works fine!

rastest# sh access-li Citrix

access-list Citrix-; 9 elements
access-list Citrix line 1 webtype permit url https://citrix.local/* log default (hitcnt=281)
access-list Citrix line 2 webtype permit url citrix://* log default (hitcnt=0)
access-list Citrix line 3 webtype permit url citrixs://* log default (hitcnt=0)
access-list Citrix line 4 webtype permit url https://citrix/* log default (hitcnt=0)
access-list Citrix line 5 webtype permit url http://10.1.2.3/* log default (hitcnt=0)
access-list Citrix line 6 webtype permit url https://10.2.3.4/* log default (hitcnt=0)
access-list Citrix line 7 webtype permit url http://* log default (hitcnt=0)
access-list Citrix line 8 webtype permit url https://* log default (hitcnt=14)
access-list Citrix line 9 webtype permit url any log default (hitcnt=0)

Any Idea, hints?

Thanks for your help!

Marco

Accepted Solution

Herbert Baerten
Cisco Employee

Hi,

do you still need help with this? If so, could you please try adding a line to the ACL as follows:

access-list Citrix webtype permit tcp any log default

and see if that makes any difference?

Herbert
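The thread shows that url entries in a webtype ACL, even permit url any, never match the Citrix ICA session the client opens after launching an application, while a permit tcp entry does. The fragment below is an added example, not configuration from the thread or from Cisco documentation: it puts the url-only ACL beside a corrected one that adds tcp entries but narrows them to the Citrix server subnet and the Citrix default ports (ICA 1494, CGP 2598) instead of tcp any, and finishes with explicit, logged denies so that a blocked session shows up in the log and hit counts. The subnet 10.1.2.0/24 and the hostname citrix.local are assumptions for the example.

```cisco
! Added example, not from the thread. Assumed values: Web Interface at
! https://citrix.local, Citrix servers in 10.1.2.0/24, ICA on tcp/1494,
! CGP (session reliability) on tcp/2598.

! Before: url entries only. The portal is reachable, but the ICA channel is a
! TCP session, not a URL, so no entry matches it and the ACL's implicit deny
! (which is not logged) drops it. The log shows only permits.
access-list Citrix-url-only webtype permit url https://citrix.local/* log default

! After: keep the portal entry and add tcp entries scoped to the Citrix servers
! and ports. Explicit denies with logging at the end make any further miss visible
! in "show access-list Citrix" hit counts and in the syslog.
access-list Citrix webtype permit url https://citrix.local/* log default
access-list Citrix webtype permit tcp 10.1.2.0 255.255.255.0 eq 1494 log default
access-list Citrix webtype permit tcp 10.1.2.0 255.255.255.0 eq 2598 log default
access-list Citrix webtype deny url any log default
access-list Citrix webtype deny tcp any log default

group-policy Citrix attributes
 vpn-tunnel-protocol webvpn
 group-lock value Citrix
 webvpn
  filter value Citrix
```

Using permit tcp any as in the accepted answer is the quickest way to confirm the diagnosis, but it lets members of that group-policy proxy any TCP connection through the portal. Once the tcp entry is confirmed to fix the Citrix launch, replace it with host- or subnet-scoped entries for the ports the Citrix farm actually uses, then check the hit counts on the deny lines to catch anything still missing.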


2 Replies

Hi Herbert

Thank you so much for your help. This was very useful.

Since there is nothing in the documentation about the fact that you can also filter based on TCP in a webtype filter, this would be useful input for the documentation team at Cisco.

Now it looks like it does work!

Cheers, Marco
