RE: RES: RE: RES: Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway

  • From: "Ted Doholis" <tdoholis@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Jan 2005 12:00:29 -0500

The clients are web proxy clients going through ISA 2004 to the Citrix secure 
gateway on port 443. 

With a pretty standard config, after 3 minutes they get a Citrix error "there 
is no route to the specified subnet". This only happens after 3 minutes of idle 
time. If they continue working the connection stays up. 

I followed instructions on this site to configure for direct access and now 
they don't get that error, but it still drops after 3 minutes of idle time with 
the error "the Citrix server is not available".

Again, if I remove the proxy from the equation it works perfectly. 

I am trying the Firewall client now.

Thanks for your help.
TD

Ted Doholis
SaltSpring Software Inc.

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Thursday, January 13, 2005 11:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: RES: Re: PLEASE HELP....ISA 2004 and outbound 443 
traffic to Citrix secure gateway

http://www.ISAserver.org

Are your clients web proxy clients, firewall clients or securenat clients? 
Which ISA version are you running?

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br

This message, including its attachments, is confidential and its content is 
restricted to the addressee. If you have received this message in error, 
please return it to the addressee and delete it from your files. Any 
unauthorised use, replication or dissemination of this message or any part of 
it is expressly prohibited. SoftSell is not responsible for the content or the 
accuracy of this information.

-----Original Message-----
From: Ted Doholis [mailto:tdoholis@xxxxxxxxxxxxx] 
Sent: Thursday, January 13, 2005 14:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Re: PLEASE HELP....ISA 2004 and outbound 443 
traffic to Citrix secure gateway

http://www.ISAserver.org

If I remove ISA from the equation, the client connects perfectly. This is an 
issue with ISA. 

I will start an issue with Citrix if I could see that it was not an ISA problem.

Ted Doholis
SaltSpring Software Inc.

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Thursday, January 13, 2005 11:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to 
Citrix secure gateway

http://www.ISAserver.org

Why are you on the ISA list then? Helpful tip, Juan.

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br


-----Original Message-----
From: Juan Sejuro Salazar [mailto:jsejuro@xxxxxxxxxx] 
Sent: Thursday, January 13, 2005 13:27
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to 
Citrix secure gateway

http://www.ISAserver.org

Use Squid on Linux, it's free and better, and you can install it even on a
Pentium II.
----- Original Message -----
From: <tdoholis@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 13, 2005 9:59 AM
Subject: [isalist] PLEASE HELP....ISA 2004 and outbound 443 traffic to
Citrix secure gateway


> http://www.ISAserver.org
>
> I am trying to figure out how to fix an issue allowing connections to a
> Citrix Secure Gateway without timing out every 3 minutes.
>
> As I understand, this happens because although SSL traffic is not
> connection oriented, the encapsulated ICA traffic is and ISA is not
> allowing a persistent connection. I have pasted a message I read below for
> clarification of the problem. If I don't use the proxy the issue goes away
> so this is definitely the cause.
>
> Please Help!
>
> Document ID: CTX103192, Created on: Jan 14, 2004, Updated: Jan 14, 2004
>
> Products: Citrix Secure Gateway 1.0, Citrix Secure Gateway 1.1
>
> ICA/SSL is the protocol used to securely deliver ICA. This protocol
> encapsulates ICA in SOCKS, further wrapped in SSL. This protocol typically
> is delivered over TCP port 443.
>
> HTTPS is HTTP wrapped in SSL. This protocol typically is delivered over
> port 443. Port 443 is the official registered port for HTTPS; any traffic
> over port 443 is assumed to be HTTPS by firewalls and proxy servers.
>
> Because SSL is the encryption protocol, firewalls, routers, proxies, and
> so on between the client and the server cannot "see" what is inside the
> protocol. They will verify that the protocol is wrapped in SSL.
>
> Therefore, firewalls and proxies do not really differentiate between
> ICA/SSL and HTTPS, and typically try to treat ICA/SSL as HTTPS.
>
> ICA differs from HTTP in the following ways:
>
> ICA is a real-time interactive protocol.
>
> HTTP is a near-real-time protocol and does not require individual
> keystrokes and mouse clicks to be sent to the server. Latency tolerance of
> HTTP is at least four or five times higher than that of ICA.
>
> ICA is a connection-oriented protocol. ICA, like other real-time
> interactive protocols, does not tolerate interruptions in the TCP
> connection. Terminated TCP connections can cause loss of a session. This
> could lead to errors such as:
>
> Errors in connection - no route to the specified subnet.
>
> HTTP is not as sensitive to TCP connection interruptions. Transport TCP
> connections may go up and down several times during a typical Web/portal
> session.
>
> Typical Firewall Configurations
>
> Firewalls can be configured in Proxy or Forward mode.
>
> Proxy Mode
>
> In Proxy mode, the firewall terminates the transport TCP connection from the
> client and opens a new TCP connection to the server. The firewall analyses
> and copies data between the client and the server connections and tries to
> protect the server from various attacks such as malformed packets.
>
> Firewalls know that HTTPS connections can easily tolerate interrupted
> transport TCP connections, and may terminate idle or too long TCP
> connections assumed to be HTTPS connections.
>
> When a firewall is running in Proxy mode for HTTPS traffic, it uses the
> Nagle algorithm trying to aggregate small TCP packets. The Nagle algorithm
> is not as suitable for interactive protocols as it is for HTTPS. If the
> firewall uses the Nagle algorithm for ICA/SSL, problems may occur with
> interactivity.
>
> Forward Mode
>
> In Forward mode, the firewall does not terminate TCP connections. It
> inspects packets and forwards them to the right destination. Depending on
> the vendor and firewall type, the level of packet inspection varies.
>
> Choosing Forward mode on the firewall ensures that TCP connections are
> opened directly between the ICA Client and the Secure Gateway server.
>
> The Secure Gateway server handles ICA/SSL traffic correctly.
>
> Conclusion
>
> When you are using your firewall in Proxy mode and utilizing the Nagle
> algorithm, you may notice a slow response from your MetaFrame hosted
> applications.
>
> To ensure against random disconnects of your ICA session, consider your
> firewall time-outs.
>
> ICA sessions may be disconnected even when they are not idle if the
> firewall is using some other time-out/criteria for connection termination.
> For example, the firewall may have a limit on the total session time or
> the total amount of data sent.
>
> ICA/SSL is usually misinterpreted by firewalls as HTTPS. Therefore, do not
> impose any time-outs on the ICA/SSL session including idle, absolute, and
> data traffic time-outs.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jsejuro@xxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>










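The proxy-mode behaviour the quoted Citrix note describes, as an added example that is not from the thread, from Citrix or from Microsoft: a loopback relay that, like an HTTPS proxy, terminates the client's TCP connection, opens its own to the server and drops both after a short idle period, plus a client modelling an ICA session that either sits idle (and loses its session) or keeps typing (and survives, which is what Ted observes). The idle limit, timings, ports and message bytes are constructed.

```python
import select
import socket
import threading
import time

def _serve(handler):
    # Ephemeral loopback listener; each connection gets a thread running handler(sock).
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def _echo(conn):
    # Stand-in for the Secure Gateway: echo whatever the "ICA" client sends.
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)

def proxy_handler(backend_port, idle):
    # Proxy mode, as the Citrix note describes it: terminate the client's TCP
    # connection, open a new one to the server, drop BOTH after `idle` quiet seconds.
    def handle(client):
        upstream = socket.create_connection(("127.0.0.1", backend_port))
        legs = {client: upstream, upstream: client}
        with client, upstream:
            while ready := select.select(list(legs), [], [], idle)[0]:  # [] = idle limit hit
                for s in ready:
                    if not (chunk := s.recv(4096)):
                        return  # one leg closed normally: tear down both
                    legs[s].sendall(chunk)
    return handle

def run_session(proxy_port, gap, activity=None):
    # Hold the session for `gap` seconds, typing a keystroke every `activity`
    # seconds (None = user idle), then type once more. True = session survived.
    try:
        with socket.create_connection(("127.0.0.1", proxy_port), timeout=2) as sock:
            for _ in range(round(gap / (activity or gap))):
                time.sleep(activity or gap)
                if activity:  # traffic inside the idle window resets the proxy's timer
                    sock.sendall(b"keystroke")
                    sock.recv(64)
            sock.sendall(b"keystroke")
            return sock.recv(64) == b"keystroke"
    except OSError:  # reset or EOF: the proxy tore the connection down
        return False

def demo():
    proxy = _serve(proxy_handler(_serve(_echo), idle=0.5))  # 0.5 s stands for ISA's 3 minutes
    return run_session(proxy, gap=1.5), run_session(proxy, gap=1.5, activity=0.1)
```

demo() returns (False, True): the idle session is dropped by the relay's timer even though the client never closed anything, while the session that keeps generating traffic inside the idle window stays up, which is why the Citrix note asks for no idle, absolute or data time-outs on the ICA/SSL flow.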