[squid-users] Reverse Proxy Citrix ICA over SSL Without CSG

From: Jonathan Chretien <jonathan_chretien_at_hotmail.com>
Date: Thu, 17 Jan 2013 10:38:07 -0500

Hi All.
I'm currently working on a Squid reverse proxy to share some websites located in my internal network. One of them is Citrix XenApp 6.5.
I'm able to access my Web Interface of Citrix, but not able to launch applications. I know that I can use Citrix Secure Gateway, but I'm trying to figure out if I can avoid using CSG and only use Squid as a reverse proxy for that website.
I know that Citrix is ICA over SSL. I tried different configurations and was not able to launch any application.
I just want to know if it's possible to use Squid to replace CSG and handle ICA over SSL in Squid?
My Setup
Client -> Firewall -> Squid -> Firewall -> XenApp Srv
XenApp Srv setup:
Altaddr = 172.16.x.x
Secure Access = Gateway Alternate (mycitrix.mydomain.com:443, http://10.0.x.x:81/Scripts/CtxSTA.dll)
Firewall setup:
Client to Squid = Redirect only 443 to 172.16.x.x
Squid to XenApp = Redirect only 81, 80, 443, 1494 and 2598 to 10.0.x.x
Squid setup:
...
acl SSL_ports port 443 1494 2598
acl Safe_ports port 80 # http
....
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
...
cache_peer 10.0.x.x parent 443 0 no-query no-digest originserver name=citrix ssl sslcert=/data/certificates/mycitrix.pem sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
acl site_citrix dstdomain mycitrix.mydomain.com
cache_peer_access citrix allow site_citrix
cache_peer_access citrix deny all
never_direct allow site_citrix
http_access allow site_citrix
miss_access allow site_citrix
miss_access deny all
http_access deny all
https_port 172.16.x.x:443 accel vhost cert=/data/certificates/mycitrix.pem
...
The client connects to the Web Interface. The client is able to authenticate and get the list of applications. When the user clicks on an application, the Citrix Receiver is trying to connect (message indicated in the detail section), but nothing happens. In my firewall log, nothing is blocked for any of my public, DMZ and internal IP addresses. In the Squid access and cache logs, I also have nothing.
I also tried ProxyUseFQDN=on and nothing happened either.
Am I missing a configuration in Squid or the Web Interface? In the Web Interface, there are a lot of configs that we can set.
Thanks
Jonathan
Received on Thu Jan 17 2013 - 15:38:14 MST
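As an added example (not part of the original post or of Squid itself), the following Python script models Squid's first-match evaluation of the http_access rules quoted above, so that any request can be traced to the exact rule that allows or denies it. The ACL predicates are simplified models of the real Squid ACL types. The post elides part of the Safe_ports list ("...."), but since the Web Interface is reachable through the https_port on 443, the script assumes Safe_ports also contains 443; the client IP and the sample requests are constructed. One thing the model makes visible is that `deny !Safe_ports` is evaluated before `deny CONNECT !SSL_ports`, so listing 1494 and 2598 in SSL_ports alone does not let a CONNECT to those ports through unless Safe_ports permits them as well.

```python
# Added example (not from the post): first-match model of the posted http_access
# ruleset. ACL names and rule order follow the squid.conf excerpt above.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    method: str          # HTTP method, e.g. "GET" or "CONNECT"
    host: str            # destination host name
    port: int            # destination port
    path: str = "/"      # request path (meaningless for CONNECT)
    client_ip: str = "203.0.113.10"   # constructed client address, not from the post


def dstdomain_match(host: str, pattern: str) -> bool:
    """Squid dstdomain: a leading dot matches the domain and its subdomains;
    otherwise the name must match exactly (case-insensitive)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


# Simplified predicates for the ACL names used in the posted rules.
# Safe_ports: the post shows only 80; 443 is an assumption inferred from the
# Web Interface being reachable through the accel https_port.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "localhost": lambda r: r.client_ip in ("127.0.0.1", "::1"),
    "to_localhost": lambda r: r.host in ("localhost", "127.0.0.1", "::1"),
    "manager": lambda r: r.path.startswith("/squid-internal-mgr/"),
    "SSL_ports": lambda r: r.port in {443, 1494, 2598},
    "Safe_ports": lambda r: r.port in {80, 443},
    "CONNECT": lambda r: r.method == "CONNECT",
    "site_citrix": lambda r: dstdomain_match(r.host, "mycitrix.mydomain.com"),
    "all": lambda r: True,
}

# http_access lines from the post, in order; "!" negates an ACL as in squid.conf.
HTTP_ACCESS: List[Tuple[str, List[str]]] = [
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["to_localhost"]),
    ("allow", ["site_citrix"]),
    ("deny", ["all"]),
]


def term_matches(term: str, req: Request) -> bool:
    """Evaluate one ACL term, honouring the leading "!" negation."""
    negate = term.startswith("!")
    name = term[1:] if negate else term
    result = ACLS[name](req)
    return not result if negate else result


def evaluate(rules: List[Tuple[str, List[str]]], req: Request) -> Tuple[str, str]:
    """Return (verdict, rule_text) for the first rule whose terms all match.
    When no rule matches, Squid applies the opposite of the last rule's action."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action, f"{action} {' '.join(terms)}"
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "default (opposite of last rule)"


if __name__ == "__main__":
    # Constructed sample requests covering the interesting paths through the ruleset.
    samples = [
        Request("GET", "mycitrix.mydomain.com", 443, "/Citrix/XenApp/"),
        Request("CONNECT", "mycitrix.mydomain.com", 443),
        Request("CONNECT", "mycitrix.mydomain.com", 1494),
        Request("GET", "other.example", 80),
        Request("GET", "mycitrix.mydomain.com", 80, "/squid-internal-mgr/info", "127.0.0.1"),
        Request("GET", "mycitrix.mydomain.com", 80, "/squid-internal-mgr/info"),
    ]
    for req in samples:
        verdict, rule = evaluate(HTTP_ACCESS, req)
        print(f"{req.method} {req.host}:{req.port}{req.path} from {req.client_ip} -> {verdict} by '{rule}'")
```

Run it directly to see the verdict and deciding rule for each sample request; to check a different ruleset, edit HTTP_ACCESS (and the ACLS table if new ACL names are introduced) and rerun.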
