IronPort, user based filtering with MS terminal / Citrix?

alig.norbert · ‎10-29-2012

Hi there,

Can someone tell me if the IronPort can handle user based filtering on MS terminalserver / Citrix (multi-user server) with AD-integration?

Thanks a lot.

Greets,

Norbert

Ken Stieers · ‎10-31-2012

If you're using transparent redirection on the Citrix boxes you can use

Use Cookie Surrogates

Turn on the "Virtual IP" feature in Citrix. (which really means Citrix is dealing with the problem, not the WSA)

The issue with cookie surrogates is that https traffic appears to be unauthenticated to the WSA and some applications can't deal with them. (check the help file on the box under "Understanding How Authentication Affects HTTPS and FTP over HTTP Requests")

How are you doing the redirection? If you're using explicit redirection, you can turn off surrogates for an identity and it does authentication that is session based...

The simplest would be Virtual IP on Citrix, since that looks the most like a regular workstation to a WSA...

alig.norbert · ‎11-01-2012

Thanks for the reply.

Im in state of deployment, which product could cover our requirement.

So far, I will check the Virtual IP function on Citrix first.

galinmlg1 · ‎11-08-2012

We didn't want to designate a pool of addresses for each citrix server.. Or have to extend dhcp scopes to accomidate user per IP in the Citrix space with real delayed IP pool re-use. It's really hokey, if you think about how users log into Xenapp / farms and use an IP, that now gets cached for the surrogate timeout, which is common across WSA. Users change which farm server they log into frequently. We cache surrogate creds for 12 hours, to get through a business day.

for citrix/ts we use persistent cookie auth.. It's not great.. If you have non-browser apps and want to have identity rules, you spend time, writing an identity that is a non-auth bypass for certain browser user agents or destination IP's..

It works..