from the client it's a SSL VPN to the NS through the FW, the NS sits entirely in the DMZ, external FW allows 443 through and is doing NAT. From the DMZ to the inside (where the WI and citirix farm is) we allow 1494, 3010, 443, 80, 22, 53 & 2598. The client PC can use PN to get to the farm and launch apps with smart card auth, so it's just the WI that's not cooperating. We're trying to use the WI has the default web page that the NS presents to the user. On Thu, Jan 8, 2009 at 3:26 PM, Steve Greenberg <steveg@xxxxxxxxxxxxxx>wrote: > How is it configured exactly? Is it a pure VPN connection and not an ICA > proxy? I.e. does the client have a tunnel to the WI box directly? If so, > have you opened the ports need for the smart card software?? ( I have no > idea what they would be) > > > > > > *Steve Greenberg* > > Thin Client Computing > > 34522 N. Scottsdale Rd D8453 > > Scottsdale, AZ 85266 > > *(602) 432-8649* > > www.thinclient.net > > *steveg@xxxxxxxxxxxxxx* > > > ------------------------------ > > *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Steve Snyder > *Sent:* Wednesday, January 07, 2009 5:40 PM > *To:* thin@xxxxxxxxxxxxx > *Subject:* [THIN] netscalers and smartcards (CAC) - who's using them? > > > > and what did you have to do to get the WI to come up properly? > > We're trialing a NS 8.1 in our DMZ - the VPN tunnel connects and it starts > to load the WI site but the smartcard (CAC) authentication just doesn't fly. > Citrix is scratching their heads. >