ASyncOS 7.0 Citrix Connect

All,

Just wanted to post a heads up to everyone following the discovery and subsequent defect bug creation (ID# 72670) for Citrix connection issues following the upgrade to ASyncOS 7.0.  Below is the detailed description from our support engineer.

*******************************************************************************************************************************************

We examined the packet captures taken on the IronPort appliance when the Citrix portals work & when they fail and observed the following:

1) When the Citrix portals fail, the problem is that authentication between client & IronPort is failing. Looking at the capture, we see the below transaction resulting in failure:

------------------------------------------
CONNECT 216.220.93.69:443 HTTP/1.0
Host: 216.220.93.69:443
Accept:*/*
Connection: Keep-Alive
Proxy-Authorization: NTLM XXXXX

HTTP/1.0 407 Proxy Authentication Required
Mime-Version: 1.0
Date: Wed, 13 Oct 2010 14:10:02 EDT
Content-Type: text/html
Proxy-Authenticate: NTLM XXXXX
Connection: keep-alive
Content-Length: 0
------------------------------------------

2) Looking at a similar transaction (different domain) on the 6.3.3 version capture (working one), we see the below packets:

------------------------------------------
CONNECT sclin.myalegent.com:443 HTTP/1.0
Proxy-Connection: Keep-Alive
Content-Length: 0
Proxy-Authorization: NTLM XXXX
Pragma: no-cache
Host: sclin.myalegent.com

HTTP/1.0 407 Proxy Authentication Required
Mime-Version: 1.0
Date: Wed, 13 Oct 2010 14:19:23 EDT
Content-Type: text/html
Proxy-Authenticate: NTLM XXXXX
Proxy-Connection: keep-alive
Content-Length: 0
------------------------------------------

3) Comparing the capture information, we can see that the issue is being caused as the "Proxy-Connection: Keep-Alive" header is not being sent back by the IronPort appliance on the 7.0 version.

4) In the 7.0 build, the "Proxy-Connection" header was replaced by the "Connection" header per RFC requirement & interoperability problems seen with certain clients/applications (when "Proxy-Connection" header is used).

5) However, it looks like the Citrix client is unable to process the "Connection" header properly and requires the "Proxy-Connection" header instead.

We have filed a defect ID# 72670 for this issue and our development team is working on releasing a fix for the behavior. The defect is being planned to be addressed in a 'HOT Patch' release and we will inform affected customers once the fix is released.
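
The capture comparison described in points 1 to 3 above, as an added example that is not part of the original post or the support engineer's tooling: it parses the two quoted exchanges and reports which header names appear in only one of the 407 responses. The function and variable names are hypothetical, and the capture text is reconstructed from the exchanges quoted above with the NTLM blobs left redacted.

```python
import re
# Constructed from the two exchanges quoted in the post; NTLM blobs stay redacted.
CAPTURE_7_0 = """CONNECT 216.220.93.69:443 HTTP/1.0
Host: 216.220.93.69:443
Accept:*/*
Connection: Keep-Alive
Proxy-Authorization: NTLM XXXXX

HTTP/1.0 407 Proxy Authentication Required
Mime-Version: 1.0
Date: Wed, 13 Oct 2010 14:10:02 EDT
Content-Type: text/html
Proxy-Authenticate: NTLM XXXXX
Connection: keep-alive
Content-Length: 0"""
CAPTURE_6_3_3 = """CONNECT sclin.myalegent.com:443 HTTP/1.0
Proxy-Connection: Keep-Alive
Content-Length: 0
Proxy-Authorization: NTLM XXXX
Pragma: no-cache
Host: sclin.myalegent.com

HTTP/1.0 407 Proxy Authentication Required
Mime-Version: 1.0
Date: Wed, 13 Oct 2010 14:19:23 EDT
Content-Type: text/html
Proxy-Authenticate: NTLM XXXXX
Proxy-Connection: keep-alive
Content-Length: 0"""

# A request line ("CONNECT host:port HTTP/1.0") or a status line ("HTTP/1.0 407 ...").
START_LINE = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3} .*)$")

def parse_messages(capture):
    """Return one {'start': str, 'headers': {lowercased name: value}} per HTTP message."""
    messages = []
    for line in filter(None, map(str.strip, capture.splitlines())):
        if START_LINE.match(line):  # checked first: a request line also contains ':'
            messages.append({"start": line, "headers": {}})
        elif messages and ":" in line:
            name, _, value = line.partition(":")
            messages[-1]["headers"][name.strip().lower()] = value.strip()
    return messages

def response_header_diff(old_capture, new_capture):
    """Header names present in only one of the two proxy responses (message index 1)."""
    old = set(parse_messages(old_capture)[1]["headers"])
    new = set(parse_messages(new_capture)[1]["headers"])
    return {"only_old": sorted(old - new), "only_new": sorted(new - old)}
```

Calling `response_header_diff(CAPTURE_6_3_3, CAPTURE_7_0)` isolates the keep-alive header swap without reading the captures line by line.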
