
Tuesday, October 12, 2010

Why is Clientless WebVPN Filtering with Citrix Traffic Not Working?

We are using an ASA 8.2.2 configured with clientless WebVPN. Since there are several different user groups and connection profiles configured, we want to make sure that only certain users have access to certain services. For that we configured webtype ACLs. This works fine for any HTTP- or HTTPS-related traffic to the internal server, but it does not work for Citrix traffic towards the Citrix Web Interface server. This is what part of my config looks like: ...

group-policy X attributes
vpn-tunnel-protocol webvpn
group-lock value X
webvpn
filter value X ....

access-list X webtype permit url http://x.y/* log default
...

group-policy Citrix attributes
vpn-tunnel-protocol webvpn
group-lock value Citrix
webvpn
filter value Citrix
...

access-list Citrix webtype permit url https://citrix.local/* log default
access-list Citrix webtype permit url citrix://* log default
access-list Citrix webtype permit url citrixs://* log default
access-list Citrix webtype permit url https://citrix/* log default
access-list Citrix webtype permit url http://10.1.2.3/* log default
access-list Citrix webtype permit url https://10.2.3.4/* log default
access-list Citrix webtype permit url http://* log default
access-list Citrix webtype permit url https://* log default
access-list Citrix webtype permit url any log default

When troubleshooting using the log, we only see permits and no denies! The same holds when we look at the hit count. But as soon as the Citrix channel from the client towards the Citrix server within HTTPS is started, it fails if the webtype ACL is active (even with the permit any URL at the end!). If we remove it, it works fine!

rastest# sh access-li Citrix

access-list Citrix-; 9 elements
access-list Citrix line 1 webtype permit url https://citrix.local/* log default (hitcnt=281)
access-list Citrix line 2 webtype permit url citrix://* log default (hitcnt=0)
access-list Citrix line 3 webtype permit url citrixs://* log default (hitcnt=0)
access-list Citrix line 4 webtype permit url https://citrix/* log default (hitcnt=0)
access-list Citrix line 5 webtype permit url http://10.1.2.3/* log default (hitcnt=0)
access-list Citrix line 6 webtype permit url https://10.2.3.4/* log default (hitcnt=0)
access-list Citrix line 7 webtype permit url http://* log default (hitcnt=0)
access-list Citrix line 8 webtype permit url https://* log default (hitcnt=14)
access-list Citrix line 9 webtype permit url any log default (hitcnt=0)

Any ideas or hints?

Tips:

Please try adding a line to the ACL as follows:

access-list Citrix webtype permit tcp any log default
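The following is an added illustration, not code from the thread: a small Python model of how a webtype ACL is walked, written under the assumption (taken from the symptom and the tip above, not from ASA source) that "url" entries only ever see URL requests, while the Citrix channel is a plain TCP flow that only a "tcp" entry can match. It parses the ACL syntax quoted above, evaluates requests against it, and keeps hit counts like "show access-list"; the host/port of the ICA channel are constructed sample values.

```python
import fnmatch
import re
from dataclasses import dataclass

# Model of webtype ACL evaluation (an assumption that reproduces the thread's behaviour,
# not ASA code): "url <glob|any>" entries see URL requests only, "tcp <host|any> [port]"
# entries see non-URL TCP channels (port-forward / smart-tunnel style) only.
ACE_RE = re.compile(r"access-list \S+ webtype (permit|deny) (url|tcp) (\S+)(?: (\d+))?")

@dataclass
class Ace:
    action: str
    kind: str        # "url" or "tcp"
    match: str       # URL glob or "any"; host or "any" for tcp
    port: int = None
    hits: int = 0    # the hitcnt column of "show access-list"

def parse_acl(text):
    """Parse 'access-list NAME webtype ...' lines; other lines are ignored."""
    acl = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            action, kind, match, port = m.groups()
            acl.append(Ace(action, kind, match, int(port) if port else None))
    return acl

def evaluate(acl, request):
    """request is ("url", url) or ("tcp", host, port); implicit deny at the end."""
    for line_no, ace in enumerate(acl, 1):
        if ace.kind != request[0]:
            continue  # a url entry never matches a raw TCP channel, and vice versa
        if ace.kind == "url":
            hit = ace.match == "any" or fnmatch.fnmatchcase(request[1], ace.match)
        else:
            hit = ace.match in ("any", request[1]) and ace.port in (None, request[2])
        if hit:
            ace.hits += 1
            return ace.action, line_no
    return "deny", None

# The relevant entries of the ACL quoted above; the tip's tcp entry is kept separate.
CITRIX_ACL = """access-list Citrix webtype permit url https://citrix.local/* log default
access-list Citrix webtype permit url https://* log default
access-list Citrix webtype permit url any log default
"""
TCP_ACE = "access-list Citrix webtype permit tcp any log default\n"

def demo():
    """Portal URLs pass; the ICA channel (constructed: 10.2.3.4:1494) is denied
    despite 'permit url any' until the tcp entry is appended."""
    acl = parse_acl(CITRIX_ACL)
    portal = evaluate(acl, ("url", "https://citrix.local/Citrix/XenApp/auth/login.aspx"))
    ica = evaluate(acl, ("tcp", "10.2.3.4", 1494))
    ica_fixed = evaluate(parse_acl(CITRIX_ACL + TCP_ACE), ("tcp", "10.2.3.4", 1494))
    return portal, ica, ica_fixed
```

Because the URL entries never see the channel, the log shows only permits for the portal pages and the denied channel leaves no trace on any line, which matches the "only permits, no denies" observation.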

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
