10-29-2012 12:59 PM
Hi there,
Can someone tell me if the IronPort can handle user based filtering on MS terminalserver / Citrix (multi-user server) with AD-integration?
Thanks a lot.
Greets,
Norbert
10-31-2012 09:26 AM
If you're using transparent redirection on the Citrix boxes you can:
- Use Cookie Surrogates
- Turn on the "Virtual IP" feature in Citrix (which really means Citrix is dealing with the problem, not the WSA)
The issue with cookie surrogates is that HTTPS traffic appears to be unauthenticated to the WSA and some applications can't deal with them. (Check the help file on the box under "Understanding How Authentication Affects HTTPS and FTP over HTTP Requests".)
How are you doing the redirection? If you're using explicit redirection, you can turn off surrogates for an identity and it does authentication that is session based...
The simplest would be Virtual IP on Citrix, since that looks the most like a regular workstation to a WSA...
11-01-2012 12:16 AM
Thanks for the reply.
I'm in the state of deployment, which product could cover our requirement.
So far, I will check the Virtual IP function on Citrix first.
11-08-2012 05:57 AM
We didn't want to designate a pool of addresses for each Citrix server, or have to extend DHCP scopes to accommodate user per IP in the Citrix space with real delayed IP pool re-use. It's really hokey, if you think about how users log into XenApp / farms and use an IP, that now gets cached for the surrogate timeout, which is common across WSA. Users change which farm server they log into frequently. We cache surrogate creds for 12 hours, to get through a business day.
For Citrix/TS we use persistent cookie auth. It's not great. If you have non-browser apps and want to have identity rules, you spend time writing an identity that is a non-auth bypass for certain browser user agents or destination IPs.
It works..