Re-write SSLProxyHost in ICA file

proactive99
Level 1

Dears,

In a scenario of "SSL VPN+Citrix", we are facing a problem that the ASA5540 re-writes the SSLProxyHost in the ICA file to the IP address of the Outside of the 5540. Is there any way to re-write the SSLProxyHost to an FQDN on the ASA5540, like "vpn.test.com:443"? I didn't find it in the user guide.

Thanks,

-Alejin


mulatif
Cisco Employee

Hi Alejin,

Are you using a Self-Signed Certificate for the External ASA interface? And is the CN field of the certificate set to the IP Address of the ASA?

If you are, then please re-create another Self-Signed certificate (or External if you are using an External CA) where the CN field is equal to the FQDN of the ASA. The re-write function takes the CN field of the external SSL Certificate when writing the SSLProxyHost.

Thanks,

Naman

Hi Naman,

Thanks for the information.

Unfortunately, we're using the local user database with passwords to authenticate SSL clients.

So in this scenario, is there any workaround to re-write the entry of SSLProxyHost? I checked the ASA user guide, but failed to find anything related to that. What I want to do is to replace the IP address with an FQDN in SSLProxyHost.

It seems I can create a self-signed certificate assigned to the outside interface where the SSL VPN terminates. Does that make sense? I don't have a lab to test it.

Thanks,

-Alejin

Hi Alejin,

It doesn't matter that you are using Local Authentication.

You are right, you just need to create a Self-Signed certificate and assign it to the Outside ASA interface. Just make sure that when creating the self-signed certificate you are using the FQDN as the CN.

E.g. subject-name=myasa.domain.com

Thanks,

Naman
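
Added example (not part of the thread, and not Cisco or Citrix code): a small Python check that parses an ICA file and flags any SSLProxyHost entry that is still an IP literal or does not match the CN of the certificate assigned to the ASA's outside interface. The sample ICA contents, the addresses 10.0.0.5 and 203.0.113.10, and the function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample ICA contents (not from the thread): one rewritten with an
# interface IP, one with the FQDN the poster asked for.
ICA_WITH_IP = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.5:1494
SSLEnable=On
SSLProxyHost=203.0.113.10:443
"""
ICA_WITH_FQDN = ICA_WITH_IP.replace("203.0.113.10:443", "vpn.test.com:443")


def split_host_port(value):
    """Split 'host:port' as used by SSLProxyHost; port is None when absent.
    An IPv6 literal must be bracketed, e.g. [2001:db8::1]:443."""
    host, sep, port = value.strip().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value.strip(), None


def check_ssl_proxy_host(ica_text, expected_cn):
    """Return (section, value, problem) for each SSLProxyHost entry that is an
    IP literal or differs from the certificate CN (hypothetical helper)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ica_text)  # option names are matched case-insensitively
    findings = []
    for section in parser.sections():
        value = parser[section].get("SSLProxyHost")
        if value is None:
            continue
        host, _port = split_host_port(value)
        try:
            ipaddress.ip_address(host.strip("[]"))
            findings.append((section, value, "IP literal, not an FQDN"))
            continue
        except ValueError:
            pass  # not an IP address, so compare it with the expected CN
        if host.lower() != expected_cn.lower():
            findings.append((section, value, "does not match certificate CN"))
    return findings
```

Running `check_ssl_proxy_host` on an ICA file downloaded through the portal after the new certificate is assigned confirms whether the rewrite now emits the FQDN.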