By this do you mean that a VPN tunnel is established and then you present the actual WI server page as a redirect/forward to the user automatically? Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85266 (602) 432-8649 www.thinclient.net steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Snyder Sent: Thursday, January 08, 2009 1:07 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: netscalers and smartcards (CAC) - who's using them? from the client it's a SSL VPN to the NS through the FW, the NS sits entirely in the DMZ, external FW allows 443 through and is doing NAT. From the DMZ to the inside (where the WI and citirix farm is) we allow 1494, 3010, 443, 80, 22, 53 & 2598. The client PC can use PN to get to the farm and launch apps with smart card auth, so it's just the WI that's not cooperating. We're trying to use the WI has the default web page that the NS presents to the user. On Thu, Jan 8, 2009 at 3:26 PM, Steve Greenberg <steveg@xxxxxxxxxxxxxx> wrote: How is it configured exactly? Is it a pure VPN connection and not an ICA proxy? I.e. does the client have a tunnel to the WI box directly? If so, have you opened the ports need for the smart card software?? ( I have no idea what they would be) Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85266 (602) 432-8649 <http://www.thinclient.net> www.thinclient.net steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Snyder Sent: Wednesday, January 07, 2009 5:40 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] netscalers and smartcards (CAC) - who's using them? and what did you have to do to get the WI to come up properly? We're trialing a NS 8.1 in our DMZ - the VPN tunnel connects and it starts to load the WI site but the smartcard (CAC) authentication just doesn't fly. Citrix is scratching their heads.