Enthusiast

IronPort, user based filtering with MS terminal / Citrix?

Hi there,

Can someone tell me if the IronPort can handle user based filtering on MS terminalserver / Citrix (multi-user server) with AD-integration?

Thanks a lot.

Greets,

Norbert

Collaborator

If you're using transparent redirection on the Citrix boxes you can:

     Use Cookie Surrogates

     Turn on the "Virtual IP" feature in Citrix (which really means Citrix is dealing with the problem, not the WSA)

The issue with cookie surrogates is that HTTPS traffic appears to be unauthenticated to the WSA, and some applications can't deal with them (check the help file on the box under "Understanding How Authentication Affects HTTPS and FTP over HTTP Requests").

How are you doing the redirection?  If you're using explicit redirection, you can turn off surrogates for an identity and it does authentication that is session based...

The simplest would be Virtual IP on Citrix, since that looks the most like a regular workstation to a WSA...

Enthusiast

Thanks for the reply.

I'm in a state of deployment, which product could cover our requirement.

So far, I will check the Virtual IP function on Citrix first.

Beginner

We didn't want to designate a pool of addresses for each Citrix server, or have to extend DHCP scopes to accommodate user per IP in the Citrix space with real delayed IP pool re-use. It's really hokey, if you think about how users log into XenApp / farms and use an IP, that now gets cached for the surrogate timeout, which is common across WSA. Users change which farm server they log into frequently. We cache surrogate creds for 12 hours, to get through a business day.

For Citrix/TS we use persistent cookie auth. It's not great. If you have non-browser apps and want to have identity rules, you spend time writing an identity that is a non-auth bypass for certain browser user agents or destination IPs.

It works.
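
Added example, not part of the original thread and not Cisco code: a toy Python model of the surrogate behaviour the replies describe, showing which requests get the wrong identity when users share an IP, when a Virtual IP is re-used inside the surrogate timeout, and when HTTPS meets cookie surrogates. Class and field names, IPs and users are constructed, and the model assumes every authentication challenge succeeds.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    t: int            # seconds since start of the day
    client_ip: str    # source IP as seen by the proxy
    browser: str      # per-session cookie jar (hypothetical id)
    user: str         # who is really at the keyboard
    https: bool = False

class SurrogateModel:
    """Toy proxy that caches an authenticated identity per surrogate key."""
    def __init__(self, surrogate, ttl):
        self.surrogate, self.ttl = surrogate, ttl   # surrogate: "ip" or "cookie"
        self.cache = {}                             # key -> (user, expiry time)

    def attribute(self, req):
        """Return the user that policy is applied to, or None if unauthenticated."""
        if self.surrogate == "cookie" and req.https:
            return None  # per the thread: HTTPS looks unauthenticated with cookie surrogates
        key = req.client_ip if self.surrogate == "ip" else req.browser
        hit = self.cache.get(key)
        if hit and req.t < hit[1]:
            return hit[0]                           # surrogate still valid, no new auth
        self.cache[key] = (req.user, req.t + self.ttl)  # assumed: challenge succeeds
        return req.user

def misattributed(model, requests):
    """Requests whose applied identity differs from the real user (None included)."""
    return [(r.t, r.user, got) for r in requests
            if (got := model.attribute(r)) != r.user]

TTL = 12 * 3600  # the 12-hour surrogate timeout mentioned in the thread

# Constructed traffic: two users on one Citrix server sharing 10.0.0.5
SHARED = [Request(0, "10.0.0.5", "jar-a", "alice"),
          Request(60, "10.0.0.5", "jar-b", "bob"),
          Request(120, "10.0.0.5", "jar-b", "bob", https=True)]
# Constructed traffic: Virtual IP per session, but 10.0.1.7 is re-used after one hour
VIRTUAL = [Request(0, "10.0.1.7", "jar-a", "alice"),
           Request(3600, "10.0.1.7", "jar-b", "bob")]

if __name__ == "__main__":
    for name, mode, reqs in [("shared IP, IP surrogate", "ip", SHARED),
                             ("shared IP, cookie surrogate", "cookie", SHARED),
                             ("virtual IP re-used, IP surrogate", "ip", VIRTUAL)]:
        print(name, "->", misattributed(SurrogateModel(mode, TTL), reqs))
```
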