7021981: Connecting through a Firewall with Reflection FTP Client

Passive Mode FTP

Passive mode FTP transfers use only outward connections for both control and data connections. Reflection FTP uses passive mode by default. If you suspect your firewall is blocking inbound connections, follow the steps below to confirm that Reflection FTP Client is configured for passive mode connections.

  1. Start Reflection FTP Client.
  2. On the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Properties.
  3. In the Site Properties dialog box, click the Connection tab and confirm that the "Use passive mode" check box is selected.
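To make the passive/active distinction concrete, here is an added Python example (not part of the Reflection article or the Reflection FTP product) that decodes a server's 227 PASV reply and a client's PORT command and reports which direction the firewall must allow for the data channel. The sample reply and command, the addresses in them, and the choose_data_host fallback for replies that advertise a private address behind NAT are constructed for illustration.

```python
import ipaddress
import re

# Constructed control-channel lines for illustration; not captured from a real session.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,149)."
PORT_COMMAND = "PORT 198,51,100,7,195,149"

_SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PASV replies and PORT commands."""
    m = _SIX_NUMBERS.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv(reply):
    """Passive mode: the 227 reply names the server address/port the client connects OUT to."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    return _decode_hostport(reply)


def parse_port(command):
    """Active mode: the PORT command names the client address/port the server connects IN to."""
    if not command.upper().startswith("PORT "):
        raise ValueError("expected a PORT command, got %r" % command)
    return _decode_hostport(command)


def build_port(client_ip, client_port):
    """Build the PORT command an active-mode client would send (needs an inbound connection)."""
    octets = client_ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return "PORT %s,%d,%d" % (",".join(octets), client_port // 256, client_port % 256)


def choose_data_host(control_peer_ip, advertised_ip):
    """Servers behind NAT sometimes advertise an RFC 1918 address in the 227 reply.
    Fall back to the address the control connection already reached in that case
    (a common client behaviour assumed for this example, not a Reflection-specific rule)."""
    addr = ipaddress.ip_address(advertised_ip)
    if any(addr in net for net in _RFC1918):
        return control_peer_ip
    return advertised_ip


def firewall_requirement(mode, line):
    """Summarise the data-channel flow a firewall must permit:
    ('outbound', server_ip, server_port) for passive, ('inbound', client_ip, client_port) for active."""
    if mode == "passive":
        host, port = parse_pasv(line)
        return ("outbound", host, port)
    if mode == "active":
        host, port = parse_port(line)
        return ("inbound", host, port)
    raise ValueError("mode must be 'passive' or 'active'")


if __name__ == "__main__":
    print(firewall_requirement("passive", PASV_REPLY))
    print(firewall_requirement("active", PORT_COMMAND))
```

In passive mode the only flow the firewall has to permit is an outbound connection from the client to the high port the server names in its reply; in active mode the server must be able to reach back into the client network, which is what an inbound-blocking firewall prevents.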

SOCKS Proxy Server Firewalls

SOCKS proxy servers use the SOCKS protocol between the FTP client and the proxy server. Reflection FTP Client includes support for SOCKS servers.

To configure Reflection FTP Client to support a SOCKS proxy server, follow the steps below that correspond to your version of Reflection.

  1. Start Reflection FTP Client.
  2. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. Select the Proxy tab > Use proxy server > SOCKS. Click Configure.
  4. Enter the IP address of your SOCKS proxy server.
  5. Click OK to close the open dialog boxes, and then retry your connection.

See the product help for more information about configuring Reflection for multiple SOCKS proxy servers.

Common FTP Passthrough Server Firewalls

Passthrough servers differ from other proxy servers in that they use the FTP protocol to communicate between the FTP client and the firewall. To configure Reflection FTP Client to support common FTP Passthrough servers, follow the steps below.

  1. Start Reflection FTP Client.
  2. On the Connection menu, click Connect. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. On the Firewall tab, select the Use Firewall check box.
  4. In the Style drop-down list select the authentication style used by your server. For information about the available options, search on “Firewall Authentication Styles” in the product help.
  5. The Server name and User name fields on this tab become enabled or disabled depending on the authentication style you selected. Enter these values as required by your authentication type.
  6. If you want to avoid entering a required password for future connections, select “Save password” and then enter the password.
  7. If you are using the “username@servername” style and your passthrough server requires a login before the USER command, select the Passthrough authentication check box.
  8. Click OK to close all of the dialog boxes, and then retry your connection.

Uncommon FTP Passthrough Server Firewalls

There is no industry-standardized format for connecting through an FTP passthrough server. Because of the wide variation in authentication methods, you may need to experiment with the information you enter in the passthrough server and general site properties fields in Reflection.

For example, you may need to enter your firewall user name instead of your FTP server user name on the General tab of the Site Properties. Consult your firewall documentation for the required syntax.

HTTP Proxy Server Firewalls

Some firewalls support HTTP proxy connections. To configure the FTP Client to use an HTTP proxy:

  1. Start Reflection FTP Client.
  2. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. Select the Proxy tab > Use proxy server > HTTP. Click Configure.
  4. Enter connection information for your HTTP proxy server.
  5. Click OK to close the open dialog boxes, and then retry your connection.


[Just Sharing] Can Proxy SG intercept POP3/POP3S traffic

I need a solution

Hi all

I just want to ask a little.
Can the proxy intercept pop3 or pop3s traffic?

Now I'm deploying and need to intercept pop3 / pop3s traffic. I have added a pop3 / pop3s port to intercept but still have not succeeded.

Sometimes the user cannot retrieve e-mail from the mail server; coincidentally the email we use is Office 365. For Outlook that uses Exchange, there is no problem. There will be a problem if the user uses the pop3 setting for the email.

And according to your experience, does email traffic have to go through a proxy so that email becomes more secure?
Is there any benefit if email traffic is forced through the proxy?

For deployment we use a transparent proxy. All traffic from user segments is directed to the proxy using F5.

Best Regards.

Indra Pramono.


How to Configure and Troubleshoot Browser Content Redirection

Policies

The following policies are available for the Browser Content Redirection feature in Citrix Studio:

[Screenshot of the Studio policy list not reproduced]
Note: After editing registry keys you must close and reopen the browser on the VDA for the change to take effect.

2.0 Browser Content Redirection policy

By default, Citrix Receiver tries client fetch and client render. If client fetch and client render fail, server-side rendering is tried. If you also enable the Browser Content Redirection proxy configuration policy, Citrix Receiver tries only server fetch and client render.

By default, the Browser Content Redirection policy is set to Allowed.

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\HdxMediastream
or
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\HdxMediastream

Name: WebBrowserRedirection
Type: DWORD
1 = Browser content redirection is Allowed.
0 = Browser content redirection is Prohibited.

2.1 Browser Content Redirection ACL Configuration policy

Use this policy to configure an Access Control List (ACL) of URLs that can use browser content redirection or are denied access to browser content redirection.

Authorized URLs are the whitelisted URLs whose content is redirected to the client. The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL:

  • Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*
  • Not allowed: http://*.xyz.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only the index.html page is redirected.

By default, this setting is set to https://www.youtube.com/*

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

Close and re-open the Browser for these regkeys to be honored after a change.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\HdxMediastream
or
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\HdxMediastream

Name: WebBrowserRedirectionACL
Type: REG_MULTI_SZ

2.2 Browser Content Redirection Blacklist Configuration policy (7.17 and higher)

This setting works along with the Browser Content Redirection ACL Configuration policy. If URLs are present in the Browser Content Redirection ACL Configuration policy and the Browser Content Redirection Blacklist Configuration policy, the blacklist configuration takes precedence and the browser content of the URL isn’t redirected.

Policy Settings:

  • Unauthorized URLs: Specifies the blacklisted URLs whose browser content isn’t redirected to the client, but rendered on the server. The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL.
  • Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*
  • Not allowed: http://*.xyz.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only index.html is blacklisted.

By default, this list is empty.

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediastream
or
HKLM\SOFTWARE\Citrix\HdxMediastream

Name: WebBrowserRedirectionBlacklist
Type: REG_MULTI_SZ

2.3 Browser Content Redirection Proxy Configuration policy

This policy provides configuration options for proxy settings on the VDA for the Browser Content Redirection feature.

If enabled with a valid proxy address and port number, only Server Fetch Client Rendering is attempted.

Server Fetch Client Render is only attempted when this policy is enabled.

If disabled or left unconfigured with default value, Client Fetch Client Rendering is attempted.

Allowed pattern: http://<hostname/ip address>:<port>

For example, http://proxy.example.citrix.com:80

By default, this setting is prohibited in Studio.

At the moment, PAC files and the Exceptions list in the IE11 LAN Settings are not supported; instead, exceptions must be configured on the proxy server itself (e.g. BlueCoat or NetScaler Secure Web Gateway).

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

(Registry path varies depending on VDA architecture):

HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediastream
or
HKLM\SOFTWARE\Citrix\HdxMediastream

Name: WebBrowserRedirectionProxyAddress
Type: REG_SZ

2.4 Browser Content Redirection Authentication Sites policy (7.18 and higher)

This setting allows you to configure a list of URLs that sites redirected via Browser Content Redirection can use to authenticate a user.

In other words, it specifies the URLs for which Browser Content Redirection will remain active (redirected) when navigating away from a whitelisted URL.

A classic scenario is a website that relies on an Identity Provider (IdP) for authentication.

For example, website www.xyz.com needs to be redirected to the endpoint, but the authentication portion is handled by a third party IdP, like Okta (www.xyz.okta.com).

The Admin would need to use the Browser Content Redirection ACL Configuration policy to whitelist www.xyz.com, and use Browser Content Redirection Authentication Sites to whitelist www.xyz.okta.com.


Registry override options on the VDA for policy settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\HdxMediastream
or
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\HdxMediastream

Name: WebBrowserRedirectionAuthenticationSites
Type: REG_MULTI_SZ
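The three list policies (ACL Configuration in 2.1, Blacklist Configuration in 2.2 and Authentication Sites in 2.4) combine into one decision per URL. The Python below is an added illustration of those rules as the article states them, not Citrix's implementation: wildcards are rejected in the protocol and domain parts, the blacklist wins over the ACL, and an authentication site keeps a page redirected only when the previous page was already redirected. The BcrPolicy class, the constructed xyz.com and Okta entries, case-insensitive matching, and applying the blacklist to authentication sites as well are this example's assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def validate_pattern(pattern):
    """Reject entries that put * in the protocol or domain part (only the path may use it)."""
    parts = urlsplit(pattern)
    if not parts.scheme or not parts.netloc:
        raise ValueError("pattern must start with protocol://host: %r" % pattern)
    if "*" in parts.scheme or "*" in parts.netloc:
        raise ValueError("wildcard not permitted in protocol or domain: %r" % pattern)
    return pattern


def compile_pattern(pattern):
    """Turn an ACL entry into an anchored regex in which '*' matches any run of characters."""
    validate_pattern(pattern)
    regex = re.escape(pattern).replace(r"\*", ".*")
    # Case-insensitive matching is an assumption of this example, not a documented BCR rule.
    return re.compile("^" + regex + "$", re.IGNORECASE)


def _normalize(url):
    """Give bare 'https://host' URLs a '/' path so that 'https://host/*' entries match them."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, parts.fragment))


class BcrPolicy:
    def __init__(self, acl, blacklist=(), auth_sites=()):
        self.acl = [compile_pattern(p) for p in acl]
        self.blacklist = [compile_pattern(p) for p in blacklist]
        self.auth_sites = [compile_pattern(p) for p in auth_sites]

    def decide(self, url, previous_page_redirected=False):
        """Explain the outcome for a URL: 'blacklisted' beats 'acl', which beats 'auth-site'
        (honoured only while already redirected); anything else is 'not-listed'.
        Checking the blacklist before authentication sites is this example's assumption."""
        url = _normalize(url)
        if any(p.match(url) for p in self.blacklist):
            return "blacklisted"
        if any(p.match(url) for p in self.acl):
            return "acl"
        if previous_page_redirected and any(p.match(url) for p in self.auth_sites):
            return "auth-site"
        return "not-listed"

    def is_redirected(self, url, previous_page_redirected=False):
        return self.decide(url, previous_page_redirected) in ("acl", "auth-site")


# Constructed policy mirroring the article's examples (xyz.com and its Okta tenant).
POLICY = BcrPolicy(
    acl=["https://www.youtube.com/*", "https://www.xyz.com/*", "http://www.xyz.com/*videos*"],
    blacklist=["https://www.xyz.com/internal/*"],
    auth_sites=["https://www.xyz.okta.com/*"],
)

if __name__ == "__main__":
    for u in ("https://www.youtube.com", "https://www.xyz.com/internal/report.html",
              "https://www.xyz.okta.com/login"):
        print(u, POLICY.decide(u), POLICY.decide(u, previous_page_redirected=True))
```

Running the module prints the decision for each sample URL both as a first navigation and as a navigation away from an already-redirected page; the Okta login URL is redirected only in the second case.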

2.5 Client Side Optimization

There is currently a known issue when upgrading to Receivers 4.10 or higher from any version: CTX235183

Fresh installs of those Receivers do not have any known issues.

The following registry key can be set on the Client (Receiver for Windows 4.10 only; in 4.11 it is already included by default) in order to enable HdxBrowser.exe (the overlay browser on the endpoint responsible for client-side rendering) to use the GPU resources on the Client, hence reducing CPU utilization.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING (and likewise under HKEY_CURRENT_USER; create the key if not present)

Name: HdxBrowser.exe
Type: DWORD
Value: 00000001

3.0 Browser Content Redirection Troubleshooting

3.1 General troubleshooting steps

Each step below, and the components in which it may clear the problem:

  • Close Internet Explorer, re-open it, and navigate to a whitelisted site. May clear problems in: Browser Add-On and the HdxVideo.js file.
  • Disconnect and reconnect the session. May clear problems in: Receiver, HdxBrowser.exe, WebsocketAgent, and services.
  • Log off and log on to a new session. May clear problems in: Receiver, HdxBrowser.exe, WebsocketAgent, and services.
  • Stop the services (1. Browser redirection service, 2. HTML5 redirection service, 3. Port forwarding service), restart them in the reverse of the order listed, then log off and log on to the session. May clear problems in: all components.


3.2 Data to collect for troubleshooting

CDF modules to trace:

VDA side:

  • HDX_Multimedia_BrowserService
  • HDX_Multimedia_HdxjsInjector
  • HDX_Multimedia_PortForwardLibrary
  • HDX_Multimedia_PortForwardService
  • HDX_Multimedia_WebSocketAgent
  • HDX_Multimedia_WebSocketPipe
  • HDX_Multimedia_WebSocketService
  • PE_Service_CtxEchoSvc
  • PE_Library_GvchBase

Receiver side:

  • IcaClient_DriversVd_BrowserRedir
  • IcaClient_DriverVd_PortForward
  • Ica_Multimedia_HdxBrowser

Ensure HdxBrowser.exe is running on Receiver while you are on a whitelisted site.


4.0 Browser JavaScript log live debugging:

  1. Open %programfiles%\Citrix\HTML5 Video Redirection\HdxVideo.js

    (Depending on your VDA version, the JavaScript file may instead be located in a folder called %programfiles%\Citrix\ICASERVICE.)

    You might need to run Notepad as an administrator and open the .js file from its Open menu.

  2. Change the line var DEBUG_ONLY = false; to var DEBUG_ONLY = true;

    Save the file and close your Editor.

  3. Close Internet Explorer and reopen it, press F12, and go to the Console tab. Browse to a whitelisted site, e.g. https://www.youtube.com

  4. You should see traces from [HdxVideo.js] (example below). Collect the entire log.

    Key messages to look for are annotated with comments inside brackets [ ]:

    [HdxVideo.js] OnUnload (window): [object Window]

    [HdxVideo.js] DocumentBodySuppressor.start()

    [HdxVideo.js Events] interceptEventListeners()

    [HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer

    [HdxVideo.js] OnLoad (window): [object HTMLDocument]

    [HdxVideo.js] Unredirected video count: 0

    [HdxVideo.js] HDX_DO_PAGE_REDIRECTION: true [if false, redirection is not even attempted. Problem with policies or browser Extension?]

    [HdxVideo.js] infallback: undefined

    [HdxVideo.js] Installing event listeners.

    [HdxVideo.js] msexitFullscreen – Found!

    [HdxVideo.js] onWSOpen: [Websocket opening to WebsocketAgent.exe 127.0.0.1:9001 succeeded. If failed, check your IE Security Settings]

    [HdxVideo.js] >>> {"v":"pageurl","url":"https://www.google.de/"}

    [HdxVideo.js] onVisibilityChange:

    [HdxVideo.js] >>> {"v":"vis","vis":true}

    [HdxVideo.js] onResize:

    [HdxVideo.js] >>> {"v":"pageredir"}

    [HdxVideo.js] sendClientSize: w: 1316 h: 755

    [HdxVideo.js] >>> {"v":"clisz","w":1316,"h":755}

    CSI/tbsd_: 15.599,072ms

    CSI/_tbnd: 15.658,128ms

    [HdxVideo.js] <<< {"v":"winid","title":"CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}"}

    [HdxVideo.js] onWSMessage: winid: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}

    [HdxVideo.js] setWindowTitle: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}

    [HdxVideo.js] documentTitleMutator.start()

    [HdxVideo.js] >>> {"v":"winid"}

    [HdxVideo.js] <<< {"v":"pageredir"} [VDA is instructing Receiver to start the redirection process]

    [HdxVideo.js] onWSMessage: pageredir

    [HdxVideo.js] Redirecting page — 화이팅! https://www.google.de/ [Korean characters mean the redirection was successful]

A common error is:

[HdxVideo.js] OnUnload (window): [object Window]

Navigation Event Separator HTML1300: Navigation occurred.
www.youtube.com

[HdxVideo.js] DocumentBodySuppressor.start()

[HdxVideo.js Events] interceptEventListeners()

[HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer

[HdxVideo.js] OnLoad (window): [object HTMLDocument]

[HdxVideo.js] Installing event listeners.

[HdxVideo.js] msexitFullscreen – Found!


[HdxVideo.js] doRedirection(): exception connecting to WebSocket: SecurityError

[HdxVideo.js] onWSError:

[HdxVideo.js] Showing content — suspendRedirection.

In the Developer Tools console this can be seen as:

[Screenshot of the Developer Tools console not reproduced]

This is caused by some security configurations in IE11’s Security Zones.

Please add the following entries to the Trusted Zone in IE11 (Internet Options -> Security):


Another possible error is that some websites use a technology called CSP (Content Security Policy), which prevents any outside resource (such as the JavaScript used in BCR) from being executed in the trusted webpage context. Therefore, browsers prevent the injection of HdxVideo.js and BCR fails.
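As an added example (not from the Citrix article), the following Python reads a saved HdxVideo.js console log, extracts the JSON frames the page exchanges with WebsocketAgent, and reports the first milestone that is missing, so the success trace and the SecurityError trace shown above can be classified without reading them by hand. The two log excerpts are constructed from the lines shown above; the status codes and function names are this example's own.

```python
import json
import re

# Constructed excerpts modelled on the two console logs shown above.
SUCCESS_LOG = """\
[HdxVideo.js] OnLoad (window): [object HTMLDocument]
[HdxVideo.js] HDX_DO_PAGE_REDIRECTION: true
[HdxVideo.js] onWSOpen:
[HdxVideo.js] >>> {"v":"pageurl","url":"https://www.google.de/"}
[HdxVideo.js] >>> {"v":"clisz","w":1316,"h":755}
[HdxVideo.js] <<< {"v":"winid","title":"CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}"}
[HdxVideo.js] <<< {"v":"pageredir"}
[HdxVideo.js] Redirecting page — 화이팅! https://www.google.de/
""".splitlines()

SECURITY_ERROR_LOG = """\
[HdxVideo.js] OnLoad (window): [object HTMLDocument]
[HdxVideo.js] Installing event listeners.
[HdxVideo.js] doRedirection(): exception connecting to WebSocket: SecurityError
[HdxVideo.js] onWSError:
[HdxVideo.js] Showing content — suspendRedirection.
""".splitlines()

_FRAME = re.compile(r"\[HdxVideo\.js\] (>>>|<<<) (\{.*\})\s*$")


def parse_ws_frames(lines):
    """Extract the JSON frames exchanged with WebsocketAgent: '>>>' sent by the page, '<<<' received."""
    frames = []
    for line in lines:
        m = _FRAME.search(line)
        if m:
            direction = "sent" if m.group(1) == ">>>" else "received"
            frames.append((direction, json.loads(m.group(2))))
    return frames


def diagnose(lines):
    """Return a short code for the first milestone that is missing, in the order the flow happens."""
    text = "\n".join(lines)
    if "HDX_DO_PAGE_REDIRECTION: false" in text:
        return "policy-off"            # redirection never attempted: check Studio policy / add-on
    if "exception connecting to WebSocket: SecurityError" in text:
        return "ws-security-error"     # IE11 zone settings blocked the socket to 127.0.0.1:9001
    if "onWSOpen" not in text:
        return "ws-not-open"
    received = [f for d, f in parse_ws_frames(lines) if d == "received"]
    if not any(f.get("v") == "pageredir" for f in received):
        return "no-pageredir"          # the VDA never told Receiver to start redirecting
    if "Redirecting page" not in text:
        return "incomplete"
    return "ok"


def summarize(lines):
    """Pull out the page URL and window id so the VDA and Receiver traces can be correlated."""
    info = {"status": diagnose(lines), "pageurl": None, "winid": None}
    for direction, frame in parse_ws_frames(lines):
        if direction == "sent" and frame.get("v") == "pageurl":
            info["pageurl"] = frame.get("url")
        if direction == "received" and frame.get("v") == "winid":
            info["winid"] = frame.get("title")
    return info


if __name__ == "__main__":
    print(summarize(SUCCESS_LOG))
    print(summarize(SECURITY_ERROR_LOG))
```

The window id recovered by summarize is the CitrixVideo title that the tab briefly shows (see section 5.0), which makes it a convenient key for matching a browser log against the HdxBrowser.exe side.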



5.0 How to verify the webpage is redirected

Method #1: Drag the IE11 window quickly. You will notice a ‘delay’ or ‘out of frame’ between the viewport and the User Interface.

You will also notice a quick change in the title on the tab (CitrixVideoId) before the original title is placed back.


Method #2: When the right mouse button is clicked on window area, a customized context menu is displayed. Back/Forward menu items are currently disabled for the initial releases. The remaining menu items perform the following tasks:

  • Refresh: refreshes current client side web page.
  • Open: if the mouse pointer is on a hyperlink, the link will be opened; otherwise, nothing will happen.
  • Open in New Tab: if the mouse pointer is on a hyperlink, the link will be opened in a new tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-ups are enabled in the VDA-side IE instance.)
  • Open in New Window: if the mouse pointer is on a hyperlink, the link will be opened in a new tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-ups are enabled in the VDA-side IE instance, and the link is opened in a new tab rather than in a new window.)
  • About HDX Browser Redirection: browse to the Citrix support site in a new tab.


Known issue: After starting a YouTube video using the YouTube HTML5 video player, full-screen mode might not work. You click the icon in the lower-right corner of the video, and the video doesn’t resize leaving the black background in the full area of the page. As a workaround, click the full screen button, and then select theater mode.


FAQ: NetScaler Secure Web Gateway 12.0

Citrix Secure Web Gateway, formerly NetScaler Secure Web Gateway

Question: What is NetScaler Secure Web Gateway?

Answer:
The NetScaler Secure Web Gateway (SWG) solution offers tools that enterprises can use to protect against internet threats.

Question: How is the NetScaler Secure Web Gateway appliance deployed?

Answer: [Deployment diagram not reproduced]

Question: NetScaler SWG is supported on what NetScaler models?

Answer: The NetScaler Secure Web Gateway is supported on the following hardware and VPX models.

NetScaler platforms and models:

  • 14xxx series: MPX 14020, 14030, 14040
  • 14xxx series 40-gig: MPX 14020-40G, 14040-40G
  • 14xxx S-series: MPX 14040-40S, 14060-40S, 14080-40S, 14100-40S
  • VPX: 200, 1000, 3000, 5000, 8000, 10G, 15G, 25G

Question: What features are included in this release of NetScaler Secure Web Gateway?

Answer: Forward Proxy (SSL Visibility), NetScaler URL Filtering Solution, User Behavior Analytics in MAS.

Question: What are the two capture modes that I can set when creating a Secure Web Gateway virtual server?

Answer: The SWG solution supports explicit and transparent forward proxy. In explicit proxy mode, clients must specify a proxy IP address in their browsers, unless the organization pushes the setting to their devices via policy. That address is the IP address of a proxy virtual server configured on the NetScaler Secure Web Gateway appliance, and all client requests are sent to it. Transparent proxy, as the name implies, is transparent to the client: clients are not aware that a proxy server is mediating their requests.

Question: Is the NetScaler URL Filtering feature available as an add-on license?

Answer: Yes, this feature is available only as an add-on license.

Question: Does NetScaler Secure Web Gateway have a configuration wizard?

Answer: Yes. The wizard is located on the Secure Web Gateway node in the configuration utility.


Question: What NetScaler features are used when configuring NetScaler Secure Web Gateway?

Answer: Responder, AAA TM vserver, Content Switching Virtual Server, and SSL.

Question: What authentication methods are supported with NetScaler Secure Web Gateway when setup in explicit proxy mode?

Answer: LDAP, RADIUS, TACACS, and NEGOTIATE

Question: What authentication method is supported with NetScaler Secure Web Gateway in Transparent mode?

Answer: LDAP only.

Question: Is it necessary to install the CA Certificate on the client PC?

Answer: Yes. The CA Certificate that is used to sign the server certificate must be pre-installed on all client devices, so that the regenerated server certificate is trusted by the client.

Question: Can I use a NetScaler Platform license on NetScaler Secure Web Gateway device?

Answer: No. The NetScaler Secure Web Gateway requires its own Platform license.

Question: Is HA supported for a NetScaler Secure Web Gateway deployment?

Answer: Yes

Question: What file contains the log entries for NetScaler Secure Web Gateway?

Answer: The ns.log file records NetScaler Secure Web Gateway information. Note: Logging must be enabled using the set syslogparams -ssli Enabled command.

Question: What nsconmsg commands can I use to troubleshoot NetScaler Secure Web Gateway-related issues?

Answer: nsconmsg -d current -g ssli and nsconmsg -d current -g err

Question: Is NetScaler MAS able to capture data from NetScaler Secure Web Gateway?

Answer: Yes. This requires NetScaler MAS 12.0 MR1.


How to Accelerate ICA Proxy Mode in NetScaler Gateway with CloudBridge

  1. Collecting Required Certificates

  2. Enabling SSL Traffic Acceleration

  3. Setting up the Peer Communication

  4. Configuring SSL Profiles on the Server-Side CloudBridge

  5. Configuring Service Class

  6. Configuring an External Firewall

  7. Confirming the ICA Acceleration

Collecting Required Certificates

Required Peer Communication Certificates:

  1. It is recommended to use certificates issued by a trusted certificate authority.

    Note: This is not the certificate used in the NetScaler Gateway ICA Proxy virtual server.

  2. For testing purposes, you can generate and use a self-signed X509 certificate based on a private key (which is also generated by you). This certificate/key pair can be used instead for Peer Communication. For more information refer to Citrix Documentation.

  3. Set aside when ready to configure Peer Communication.

Required SSL Profile Certificates:

  1. From NetScaler Gateway, verify the Certificate (Server Certificate) referenced by the ICA Proxy virtual server. Navigate to NetScaler Gateway > Virtual Servers > Your ICA Proxy Virtual Server > Edit > Server Certificate. Make note of the certificate name.

  2. Go to Traffic Management > SSL > Certificates to find the actual certificate/key pair referenced by Server Certificate.

  3. Download the referenced certificate/key pair by navigating to Traffic Management > SSL > Manage Certificate / Keys / CSRs.

  4. You will also need the company's root and intermediate certificates (if any). If there are intermediate certificates, they must be concatenated with the root certificate into a single certificate file.

  5. At this point, you are expected to have the following certificates:

    • Root + intermediate(s), all must be concatenated into a single file.

    • One certificate/key pair (taken from NetScaler Gateway virtual server).

  6. Set aside the certificates when ready to configure SSL Profile.

Enabling SSL Traffic Acceleration

To enable SSL traffic acceleration on a CloudBridge, complete the following procedure on both the client-side and the server-side CloudBridge:

  1. Install the CloudBridge Crypto License.

  2. On the CloudBridge Graphical User Interface (GUI), select SSL Encryption from the Configuration > SSL settings section.

  3. For the Key Store parameter, click Create Password.

  4. Set the password as required.

  5. For the User Data Store parameter, click Enable Encryption.

  6. For the SSL Optimization parameter, click Enable.

Setting up the Peer Communication

To set up the peer communication on a CloudBridge, complete the following procedure:

Note: The following steps must be completed on both client and server-side CloudBridge, unless specified.

  1. On the CloudBridge GUI, select Secure Partners from the Configuration > SSL Settings section.

  2. Select the Enabled option for the Partner State parameter.

  3. Configure the following Partner Security settings:

  • From the Certificate/Key name list, select ADD NEW ENTRY if you need to install a certificate. If you have already installed the required certificate, select the appropriate certificate/key from the list.

  • From the CA Certificate Store name list, select ADD NEW ENTRY if you need to install a certificate. If you have already installed the required certificate, select the appropriate CA certificate from the list.

    Note: For self-signed certificates, the CA certificate is the certificate from the certificate/key pair itself.

  • Select the Signature/Expiration option for the Certificate Verification parameter.

    Note: This is required to maintain security between the CloudBridge appliances.

  4. Ensure that the Enable Auto-Discovery option is selected.

  5. For the server-side CloudBridge, populate the Listen On parameter with its IP address that is reachable from the client-side CloudBridge, as shown in the following screen shot:

    [Screenshot not reproduced]

  6. For the client-side CloudBridge, populate the Connect To parameter with the same IP address as that in the preceding step.

    Note: On the server-side CloudBridge, do not specify anything for this parameter.

    [Screenshot not reproduced]

  7. Click Save.

Configuring SSL Profiles on the Server-Side CloudBridge

To configure SSL profiles on a CloudBridge, complete the following procedure:

Note: This section should be completed only on the server-side CloudBridge.

  1. On the CloudBridge GUI, select SSL Acceleration from the Configuration > SSL Settings section.

  2. Click Add.

  3. In the Profile Name field, specify an SSL profile name.

  4. Select the Profile Enabled option.

  5. For the Proxy Type parameter, ensure that the Split option is selected.

  6. From the Certificate/Private Key list, select ADD NEW ENTRY if you need to install a certificate. Install the gathered NetScaler Gateway virtual server and root (possibly including concatenated intermediate) certificates. If you have already installed the required certificates, select the appropriate certificate from the list.

  7. Ensure Build Certificate Chain is checked.

  8. Select Use all configured CA stores for Certificate Chain Store.

  9. Select the Signature/Expiration option for the Certificate Verification parameter.

    Note: This is required to maintain security between the CloudBridge appliance/VPX.

  10. Select Use all configured CA stores for Verification Store.

  11. Retain the default settings for the other fields, as shown in the following screen shot:

    [Screenshot not reproduced]

  12. Click Add.

    For more information refer to Citrix Documentation.

Configuring Service Class

To configure Service Class on both client and server-side CloudBridge, complete the following procedure:

  1. On the CloudBridge GUI, select Service Classes from the Configuration > Optimization Rules section.

  2. Move the ICA service class to the top of the list.

  3. For ICA service class, click Edit under Action.

  4. Ensure that the Enabled option is selected and Disk is selected from the Acceleration Policy.

  5. Add a new line under Filter Rules with the following field entries:

    Application: HTTPS

    Src IP: Any

    Dst IP: NetScaler Gateway VIP IP address

    VLAN: Any

    DiffServ DSCP Bits: Any

    SSL Profile: ICA Proxy profile that was created in the previous steps.


    Note: This only applies to server-side CloudBridge. For client-side CloudBridge, it must be set to Any.

Server-Side CloudBridge

[Screenshot not reproduced]

Client-Side CloudBridge

[Screenshot not reproduced]

Configuring an External Firewall

Configure the external firewall in the data center to allow the following inbound ports for the CloudBridge:

  • Signaling Address and Port (default 2312) for the CloudBridge peer communication.

  • NetScaler Gateway traffic port (default 443).

Confirming the ICA Acceleration

To confirm the ICA acceleration on a CloudBridge, complete the following procedure:

  1. On the CloudBridge GUI, select Secure Partners from the Monitoring > Partners & Plug-ins section.

  2. Ensure that a secure connection is established between the target client and server-side CloudBridge, as shown in the following screen shot:

Server-Side CloudBridge

[Screenshot not reproduced]

Client-Side CloudBridge

[Screenshot not reproduced]

Note: Depending on which CloudBridge you are viewing, Peer Name denotes the hostname of the partner CloudBridge on the other end.

  3. On the CloudBridge GUI, select Citrix (ICA/CGP) from the Monitoring > Optimization section.

  4. Ensure that the accelerated ICA connections in Green are listed in the ICA Status page, as shown in the following screen shot:

    [Screenshot not reproduced]

    Note: If the accelerated ICA connections are not listed, then review the CloudBridge configuration.


Troubleshooting SSL Error 4 on Secure Gateway

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

The “SSL Error 4” on Secure Gateway usually indicates a connection issue between one or more components that make up Secure Gateway.

Enable Logging

  1. Set logging levels to maximum on the Citrix Secure Gateway server and the Secure Ticket Authority (STA) server. For more information refer to Citrix Documentation – Generating the Secure Gateway Diagnostics Report.

  2. Examine the logs for indication of the cause after SSL Error 4 occurs on the client machine.

Secure Gateway Server

  1. Ensure that the client is connecting to Secure Gateway:

    1. If client connectivity is observed in Secure Gateway logs, then verify the STA logs.
    2. If there is no client connectivity, then verify that the Secure Gateway is running and the IP address that it is bound to is the one that the client is resolving from the FQDN.
  2. Examine the Secure Gateway event viewer’s application, system, and Secure Gateway logs.

Secure Ticket Authority Server

  1. Verify if Request Data is successful for each successful Request Ticket.

    1. If Requested Data is successful then Secure Gateway can connect to the STA.
    2. If the Request Data is not successful, then the Secure Gateway did not validate the ticket.
  2. Examine the Web Interface configuration and the Secure Gateway configuration to verify that they are pointing to the same STA server.

  3. Verify connectivity between the Secure Gateway server and the STA server using the transport protocol designated in the configuration (http/https).

IIS Server

If the Citrix Secure Gateway server is also running IIS, then the IIS service could be blocking the Citrix Secure Gateway service from starting.

To resolve this issue, disable the IIS Admin service and all its dependent services on the Secure Gateway server, or change the IIS SSL port to something other than 443.

Connectivity

  • Verify that ports 8080, 1494, 80, 2598, 443 or any other manually assigned ports are open from the Secure Gateway to each XenApp server. To verify, run a telnet from the Secure Gateway to each XenApp server on the ports in question.

Certificate

  1. Ensure that there are no certificate trust issues.

  2. Ensure that the certificate chain is complete.

  3. Ensure that the server certificate is not corrupt.

Third-party Load Balancer

If you are using a third-party load balancer to load balance multiple Secure Gateway servers and no issue is identified using the preceding troubleshooting steps, then engage the support team of the load balancer vendor. If the load balancer being used is F5, be aware that F5 can decrypt/encrypt packets before they get to the Secure Gateway.

Additional Troubleshooting Tips

  • Does the Gateway have a sufficient route to the client?
  • Does adjusting the STA and Gateway Timeout help?
  • What happens when SSL is not used?
  • Ensure the ICA file contains SSLEnable=ON and that the key is not misspelled with a trailing “d” (SSLEnabled).

workaround to block psiphon ??

I need a solution

A proxy application called “psiphon” can pass and avoid the filtering. It’s not categorized in the proxy avoidance category and not recognized as an application by Bluecoat.

We tried to block it using the following regex “//\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b” that used to work for me, but it didn’t work this time.

Any ideas?
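As an added example that is not part of the post or of any Bluecoat policy, the match the post describes (a dotted-quad host immediately after "//") written out in Python with its escapes intact and each octet validated; the function names and sample URLs are constructed for illustration.

```python
import ipaddress
import re

# Constructed pattern (added example): an IPv4 literal in the host position of a
# URL, i.e. right after "//" and an optional user:password@ prefix, bounded so
# that "10.0.0.1.example" or "1.2.3.4.5" is not mistaken for an IP literal.
IP_LITERAL_HOST = re.compile(
    r"//(?:[^/@\s]+@)?"                             # optional userinfo
    r"(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"   # dotted quad (escaped dots)
    r"(?=[:/?#]|$)"                                  # then port, path, query, or end
)

def ip_literal_host(url: str):
    """Return the IPv4 host if the URL addresses a bare IP literal, else None.

    The regex only checks the shape; ipaddress rejects octets above 255 so
    that "999.1.1.1" does not count as an address."""
    match = IP_LITERAL_HOST.search(url)
    if match is None:
        return None
    try:
        return str(ipaddress.IPv4Address(match.group("ip")))
    except ipaddress.AddressValueError:
        return None

def ip_literal_requests(urls):
    """Filter requested URLs down to those using an IP-literal host, the kind a
    proxy policy rule would flag for review or blocking."""
    return [u for u in urls if ip_literal_host(u) is not None]
```

Pasting the escaped pattern into a policy editor that strips backslashes turns every `\.` into a wildcard and every `\d` into a literal "d", which is the kind of silent change worth checking when a rule that used to match stops matching.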

XenMobile New Port Requirement for ADS Connectivity

Overview

Citrix is making security enhancements to XenMobile in the form of certificate pinning. This feature includes a new Citrix Auto Discovery Service (ADS) access requirement that must be enabled in every customer environment whether you choose to use the certificate pinning feature or not.

What is ADS?

Citrix Auto Discovery Service (ADS) is a cloud service owned and maintained completely by Citrix. This service plays a crucial part in every XenMobile environment and serves two main purposes:

  1. As the name suggests, ADS helps with autodiscovery of XenMobile servers. When an email or UPN is used to initiate enrollment through Secure Hub, Secure Hub calls out to ADS to discover the appropriate XenMobile server for the environment.

  2. ADS is also used to pass on environment-specific security settings to Secure Hub. Certificate pinning builds on this security.

We are making security enhancements to the XenMobile ADS that provide an extra layer of security through certificate pinning. Because of these changes, initial enrollment communication must flow through the ADS server.

What is certificate pinning?

Certificate pinning is a trust-on-first-use security mechanism applied during the enrollment process. It protects servers from impersonation through fraudulent certificates issued by compromised certificate authorities and is commonly used to prevent “man in the middle” attacks.

What are the prerequisites for certificate pinning?

  1. Customers should open outbound port 443, if not already open, to enable mobile device access for the Citrix ADS service. This port configuration ensures that devices can access ADS when within the corporate network. The ability to access ADS is important when downloading any security updates made available through ADS. These ports must be opened whether you use the certificate pinning feature or not. All customers must complete step 1.

    To enable mobile device connectivity to Citrix ADS, open outbound port 443 from the client (mobile device) to ADS systems in the cloud for the following destination FQDN and IP addresses.

    FQDN                         IP Address       Port   IP and Port Usage
    discovery.mdm.zenprise.com   52.5.138.94      443    Secure Hub – ADS Communication
                                 52.1.30.122      443
    ads.xm.cloud.com*            34.194.83.188    443    Secure Hub – ADS Communication
                                 34.193.202.23    443

    * SecureHub version 10.6.15 and later uses ads.xm.cloud.com

    Note: The IP Address and Ports in the chart are required for the communication of devices on the network. The chart is not describing the communication for the internal components within XenMobile. The ADS connection may not work with your proxy server. In this scenario, you should allow the ADS connection to be bypassed at the proxy.

    If interested in enabling the certificate pinning feature continue with steps 2 and 3.

  2. Collect XenMobile server (or Device Manager server for versions earlier than XenMobile 10) and NetScaler Server certificates. These certificates need to be in PEM format. You must acquire the public certificate and not the private key.

    Note: The exported public certificate must not include the certificate chain (i.e. the intermediate and root certificates).

  3. Contact Citrix Support and place a request to enable certificate pinning. During this process, you will be asked for your certificates. A link to Citrix support can be found on the bottom of the page.
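As an added example (not Citrix code or tooling), the following Python checks an exported file against the requirements of step 2: the export must be PEM, must contain a public certificate rather than a private key, must decode to DER, and must not carry the intermediate and root certificates. The function names are assumptions; the DER bytes used when trying it are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# One PEM block: "-----BEGIN X-----", a base64 body, "-----END X-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def decode_der(body: str):
    """Base64-decode one PEM body; None unless it is an ASN.1 SEQUENCE (tag 0x30),
    which is the outer type of every X.509 certificate."""
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return None
    return der if len(der) >= 2 and der[0] == 0x30 else None

def export_problems(pem_text: str) -> list:
    """Reasons an export is unusable for the pinning request (empty list = fine)."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return ["no PEM blocks found: export as Base64-encoded X.509, not DER or PFX"]
    problems = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append("contains a private key: export the public certificate only")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected PEM block {label!r}")
        elif decode_der(body) is None:
            problems.append("certificate body is not valid DER (corrupt export?)")
    return problems

def leaf_certificate_pem(pem_text: str):
    """Return (leaf_pem, dropped): the first certificate re-encoded on its own and
    the number of chain certificates (intermediates/root) stripped from it."""
    problems = export_problems(pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    ders = [decode_der(body) for _, body in PEM_BLOCK.findall(pem_text)]
    return to_pem(ders[0]), len(ders) - 1   # exports list the leaf certificate first
```

Run `leaf_certificate_pem` over the exported XenMobile and NetScaler files and submit only the returned leaf block; a non-zero `dropped` count means the export included the chain.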

I am not interested in certificate pinning. Do I have to do anything?

Yes. ADS access is required from your network, so the required port must be opened. This port must be opened whether you use the certificate pinning feature or not.

Why does certificate pinning require a new port?

The new certificate pinning improvements mandate that any newly enrolling device connect to ADS before the device enrolls. This step ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. If ADS is not reachable, Secure Hub does not allow enrollment of the device. Therefore, opening up ADS access within the corporate network is critical to enable devices to enroll.

When are these changes occurring and when do I need to act?

These changes take effect with the next release of Secure Hub 10.2 for Android, currently scheduled for early October. Certificate pinning will initially be supported on Secure Hub for Android with XenMobile 10.2 and on a future release of Secure Hub for iOS.

Customers must open firewall ports to the ADS service to ensure new enrollment continuity.

What information do I need to provide to Citrix Support?

Refer to the Certificate Pinning information available at Citrix Documentation for Secure Hub.

How should we engage Citrix for support on this feature?

Use the following link – XenMobile Technical Support – to open a support ticket for assistance with ADS configuration. From this link you can locate the support phone number specific to your location.

Questions? Contact your Citrix account manager or authorized Citrix Partner.
