Citrix through Web VPN

 
 
Scotty
 
      06-25-2006
Hi All,
I have set up an 1841 router with WebVPN, behind an 837 internet router. I
have natted through port 443.

I have a Citrix server inside and am publishing it through the WebVpn.

I can connect to the Web Interface but cannot launch applications. If
I use the ActiveX component I get a generic error, cannot connect to
an application. If I use the Java client I get an error "Error opening
ICa file" "The address of an application server must be specified"

I have internally created certificates installed on the router and the
root certificate installed as trusted in IE and Java.

There is an error logging on the 1841 each time I try to launch an
application.

Jun 22 05:02:08.246: %TCP-2-INVALIDTCB: Invalid TCB pointer: 0x63A24534 -Process= "SSLVPN_PROCESS", ipl= 0, pid= 120 -Traceback= 0x60AD545C 0x61180F74 0x6117E9B8 0x61BBD2C4 0x61BBAB20 0x61BBB104 0x61BBEDD8 0x61BCDA0C


Here is the running config without the real names or IPs.

Thanks for any suggestions. I have spent ages on this so far.
-----------------------------
bob#s run
Building configuration...

Current configuration : 8679 bytes
!
! Last configuration change at 15:03:08 NZST Thu Jun 22 2006
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bob
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 last Sun Mar 2:00
ip cef
!
!
!
!
ip domain name mytestwebvpn4.co.nz
ip name-server 10.73.220.4
!
!
crypto pki trustpoint TP-self-signed-117527664
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-117527664
revocation-check none
rsakeypair TP-self-signed-117527664
!
crypto pki trustpoint mytestwebvpn4.org.nz
enrollment terminal
serial-number
fqdn bob.mytestwebvpn4.co.nz
ip-address FastEthernet0/0
password
subject-name OU=MY_OU, CN=bob.mytestwebvpn4.co.nz, C=NZ
revocation-check crl
rsakeypair SDM-RSAKey-1150934803000
!
!
crypto pki certificate chain TP-self-signed-117527664
certificate self-signed 01
D8AC05A8 6B2F9945 3E
quit
crypto pki certificate chain mytestwebvpn4.org.nz
certificate 61C2A6A000000000000F
8C4E7AB
quit
certificate ca 2F2FAD22B439B28F4BDB0CF2978A5E85
DDEBC0 99175B8C FCD38DF6 E586759C
6C5FA52A B3F7DF
quit

!
!
interface FastEthernet0/0
ip address 192.168.193.222 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.73.220.248 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.193.1
!
!
ip http server
ip http secure-server
!
access-list 101 remark Outside access list inbound traffic
access-list 101 permit tcp any host 192.168.193.222 eq 443
access-list 101 deny ip any any log
!
!
!
!
scheduler allocate 20000 1000
!
webvpn gateway sample_1
ip address 192.168.193.222 port 443
ssl trustpoint mytestwebvpn4.org.nz
inservice
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
webvpn context test_1
title "Test Web VPN"
title-color #669999
secondary-color white
text-color black
ssl authenticate verify all
!
url-list "Printer"
heading "HTTP Printer"
url-text "HP Printer" url-value "http://10.73.220.38"
!
url-list "SDMCitrixServerList2"
heading "My Citrix farm"
url-text "server2" url-value "http://10.73.220.71/Citrix/MetaFrame/auth/login.aspx"
!
login-message "You must be authorised to access this network."
!
policy group NUTS01_RDP
url-list "Printer"
url-list "SDMCitrixServerList2"
hide-url-bar
citrix enabled
default-group-policy NUTS01_RDP
aaa authentication list default
gateway sample_1
inservice
!
end

bob#
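
An added example, not part of the original thread or of anyone's post: a short Python check run over lines copied from the running config above, flagging settings a reviewer would question before exposing this router on port 443. The function name `audit` and the choice of checks are assumptions of this example; the posted config is an excerpt, so an ACL reported as unapplied may be applied in lines that were not posted.

```python
import re

# Lines copied from the running config posted above (excerpt only).
POSTED_CONFIG = """\
no service password-encryption
no logging buffered
interface FastEthernet0/0
ip address 192.168.193.222 255.255.255.0
ip http server
ip http secure-server
access-list 101 remark Outside access list inbound traffic
access-list 101 permit tcp any host 192.168.193.222 eq 443
access-list 101 deny ip any any log
webvpn gateway sample_1
ip address 192.168.193.222 port 443
"""

# Exact global config lines worth flagging, with the reason.
LINE_CHECKS = {
    "no service password-encryption": "plain 'password' values appear in clear text",
    "ip http server": "plain-HTTP management server is enabled next to HTTPS",
    "no logging buffered": "no local log buffer; messages survive only via syslog",
}
# Commands that attach a numbered ACL to an interface, line, NAT rule or map.
ACL_USE = re.compile(r"\b(?:access-group|access-class|match (?:ip )?address|list)\s+(\d+)\b")

def audit(config: str) -> list[tuple[str, str]]:
    """Return (item, reason) findings for an IOS running-config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip() not in ("", "!")]
    findings = [(ln, LINE_CHECKS[ln]) for ln in lines if ln in LINE_CHECKS]
    defined, used = set(), set()
    for ln in lines:
        m = re.match(r"access-list (\d+) ", ln)
        if m:
            defined.add(m.group(1))          # ACL definition
        else:
            used.update(ACL_USE.findall(ln))  # ACL reference
    for acl in sorted(defined - used, key=int):
        findings.append((f"access-list {acl}",
                         "defined but not applied in this text, so it filters and logs nothing"))
    return findings

if __name__ == "__main__":
    for item, reason in audit(POSTED_CONFIG):
        print(f"{item}: {reason}")
```

An ACL that is defined but never attached produces no deny log entries, so the absence of denies is only meaningful once the ACL is confirmed to be applied to the outside interface.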

 
Newbie72
 
      06-27-2006
Here are the lines in my ACL I had to add in order to get Citrix working
through our PIX. It may help you out, it may not. The hostname csg was our
Citrix gateway and the hostname citrix was our Citrix server on the
inside network.

access-list dmz2inside permit tcp host csg host Citrix eq www
access-list dmz2inside permit tcp host csg host Citrix eq 8081
access-list dmz2inside permit tcp host csg host Citrix eq https
access-list dmz2inside permit tcp host csg host Citrix eq citrix-ica
access-list dmz2inside permit tcp host csg host Citrix eq 3389

Steve



 
Scotty
 
      06-28-2006
Hi Steve,
Thanks for your input.

However it seems that you are using a Citrix Secure Gateway, whereas I
want to use the Router's WebVPN to connect to the Citrix farm.

As far as I am aware I only need to open up 443. I am seeing no access
denies on the outside interface so it does not appear to be using any
other ports.

Regards,
Scott

 
Don35
 
      09-16-2006

You need to go to the Citrix.com site and LOAD the web client or the PNA on your PC. That's all you are missing. If it still does not open the application, then CHECK your file type association.
 