Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway

  • From: "Juan Sejuro Salazar" <jsejuro@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Jan 2005 10:26:31 -0500

Use Squid on Linux, it's free and better, and you can install it on anything from a Pentium II up.
----- Original Message -----
From: <tdoholis@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 13, 2005 9:59 AM
Subject: [isalist] PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway


> http://www.ISAserver.org
>
> I am trying to figure out how to fix an issue allowing connections to a
> Citrix Secure Gateway without timing out every 3 minutes.
>
> As I understand, this happens because although SSL traffic is not
> connection oriented, the encapsulated ICA traffic is and ISA is not
> allowing a persistent connection. I have pasted a message I read below for
> clarification of the problem. If I don't use the proxy the issue goes away
> so this is definitely the cause.
>
> Please Help!
>
> Document ID: CTX103192, Created on: Jan 14, 2004, Updated: Jan 14, 2004
>
> Products: Citrix Secure Gateway 1.0, Citrix Secure Gateway 1.1
>
> ICA/SSL is the protocol used to securely deliver ICA. This protocol
> encapsulates ICA in SOCKS, further wrapped in SSL. This protocol typically
> is delivered over TCP port 443.
>
> HTTPS is HTTP wrapped in SSL. This protocol typically is delivered over
> port 443. Port 443 is the official registered port for HTTPS; any traffic
> over port 443 is assumed to be HTTPS by firewalls and proxy servers.
>
> Because SSL is the encryption protocol, firewalls, routers, proxies, and
> so on between the client and the server cannot "see" what is inside the
> protocol. They will verify that the protocol is wrapped in SSL.
>
> Therefore, firewalls and proxies do not really differentiate between
> ICA/SSL and HTTPS, and typically try to treat ICA/SSL as HTTPS.
>
> ICA differs from HTTP in the following ways:
>
> ICA is a real-time interactive protocol.
>
> HTTP is a near-real-time protocol and does not require individual
> keystrokes and mouse clicks to be sent to the server. Latency tolerance of
> HTTP is at least four or five times higher than that of ICA.
>
> ICA is a connection-oriented protocol. ICA, like other real-time
> interactive protocols, does not tolerate interruptions in the TCP
> connection. Terminated TCP connections can cause loss of a session. This
> could lead to errors such as:
>
> Errors in connection - no route to the specified subnet.
>
> HTTP is not as sensitive to TCP connection interruptions. Transport TCP
> connections may go up and down several times during a typical Web/portal
> session.
>
> Typical Firewall Configurations
>
> Firewalls can be configured in Proxy or Forward mode.
>
> Proxy Mode
>
> In Proxy mode, the firewall terminates the transport TCP connection from the
> client and opens a new TCP connection to the server. The firewall analyses
> and copies data between the client and the server connections and tries to
> protect the server from various attacks such as malformed packets.
>
> Firewalls know that HTTPS connections can easily tolerate interrupted
> transport TCP connections, and may terminate idle or too long TCP
> connections assumed to be HTTPS connections.
>
> When a firewall is running in Proxy mode for HTTPS traffic, it uses the
> Nagle algorithm trying to aggregate small TCP packets. The Nagle algorithm
> is not as suitable for interactive protocols as it is for HTTPS. If the
> firewall uses the Nagle algorithm for ICA/SSL, problems may occur with
> interactivity.
>
> Forward Mode
>
> In Forward mode, the firewall does not terminate TCP connections. It
> inspects packets and forwards them to the right destination. Depending on
> the vendor and firewall type, the level of packet inspection varies.
>
> Choosing Forward mode on the firewall ensures that TCP connections are
> opened directly between the ICA Client and the Secure Gateway server.
>
> The Secure Gateway server handles ICA/SSL traffic correctly.
>
> Conclusion
>
> When you are using your firewall in Proxy mode and utilizing the Nagle
> algorithm, you may notice a slow response from your MetaFrame hosted
> applications.
>
> To ensure against random disconnects of your ICA session, consider your
> firewall time-outs.
>
> ICA sessions may be disconnected even when they are not idle if the
> firewall is using some other time-out/criteria for connection termination.
> For example, the firewall may have a limit on the total session time or
> the total amount of data sent.
>
> ICA/SSL is usually misinterpreted by firewalls as HTTPS. Therefore, do not
> impose any time-outs on the ICA/SSL session including idle, absolute, and
> data traffic time-outs.
>
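To make the proxy-mode failure described in the quoted Citrix note concrete, here is an added example that is not from the thread, from Citrix or from Microsoft: a small Python TCP relay stands in for a firewall in proxy mode (it terminates the client's TCP connection and opens its own to the server), an echo server stands in for the Secure Gateway, and a client sends keystroke-sized writes with a pause between them, as an interactive ICA user would. With no idle time-out every keystroke is echoed; with an idle time-out shorter than the user's pause the relay drops the session at the first pause. Hosts, ports and timings are constructed for the demonstration.

```python
import select
import socket
import threading
import time

def echo_server(listener):
    """Stand-in for the Secure Gateway: echo every byte the client sends."""
    conn, _ = listener.accept()
    with conn:
        while data := conn.recv(1024):
            conn.sendall(data)

def proxy_relay(listener, server_port, idle_timeout):
    """Proxy-mode firewall: terminate the client TCP connection, open a new one
    to the server, copy bytes both ways, drop both after idle_timeout idle s."""
    client, _ = listener.accept()
    server = socket.create_connection(("127.0.0.1", server_port))
    with client, server:
        peer = {client: server, server: client}
        while True:
            ready, _, _ = select.select([client, server], [], [], idle_timeout)
            if not ready:  # idle time-out fired: the "HTTPS" session is dropped
                return
            for s in ready:
                data = s.recv(1024)
                if not data:  # one side closed normally
                    return
                peer[s].sendall(data)

def run_session(idle_timeout, keystroke_interval, keystrokes=3):
    """Send keystroke-sized writes through the relay, pausing between them;
    return how many were echoed back before the session died."""
    srv_l, prx_l = socket.socket(), socket.socket()
    for l in (srv_l, prx_l):
        l.bind(("127.0.0.1", 0)); l.listen(1)  # constructed loopback endpoints
    threading.Thread(target=echo_server, args=(srv_l,), daemon=True).start()
    threading.Thread(target=proxy_relay, daemon=True,
                     args=(prx_l, srv_l.getsockname()[1], idle_timeout)).start()
    echoed = 0
    with socket.create_connection(prx_l.getsockname()) as c:
        c.settimeout(2)
        for _ in range(keystrokes):
            try:
                c.sendall(b"k")
                echoed += c.recv(1) == b"k"  # True counts as 1
            except OSError:  # reset / broken pipe: the proxy closed on us
                break
            time.sleep(keystroke_interval)  # user pauses before the next key
    return echoed
```

run_session(None, 0.5) echoes all three keystrokes, while run_session(0.2, 0.5) echoes only the first: the same interactive traffic survives or dies purely on the proxy's idle time-out, which is why the Citrix note says not to impose idle, absolute or data time-outs on ICA/SSL.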


