The clients are web proxy clients going through ISA 2004 to the Citrix Secure Gateway on port 443. With a pretty standard config, after 3 minutes they get a Citrix error "there is no route to the specified subnet". This only happens after 3 minutes of idle time. If they continue working the connection stays up.

I followed instructions on this site to configure for direct access and now they don't get that error, but it still drops after 3 minutes of idle time with the error "the Citrix server is not available". Again, if I remove the proxy from the equation it works perfectly. I am trying the Firewall client now.

Thanks for your help.

TD
Ted Doholis
SaltSpring Software Inc.

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Thursday, January 13, 2005 11:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: RES: Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway

http://www.ISAserver.org

Are your clients web proxy clients, firewall clients or SecureNAT clients? Which ISA version are you running?

Tiago de Aviz
SoftSell - Curitiba
(41) 340-2363
www.softsell.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received this message in error, please return it to the sender and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited. SoftSell is not responsible for the content or the accuracy of this information.

-----Original Message-----
From: Ted Doholis [mailto:tdoholis@xxxxxxxxxxxxx]
Sent: Thursday, January 13, 2005 14:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway

http://www.ISAserver.org

If I remove ISA from the equation, the client connects perfectly. This is an issue with ISA. I would start an issue with Citrix if I could see that it was not an ISA problem.

Ted Doholis
SaltSpring Software Inc.

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Thursday, January 13, 2005 11:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway

http://www.ISAserver.org

Why are you on the ISA list then? Helpful tip, Juan.

Tiago de Aviz
SoftSell - Curitiba
(41) 340-2363
www.softsell.com.br

-----Original Message-----
From: Juan Sejuro Salazar [mailto:jsejuro@xxxxxxxxxx]
Sent: Thursday, January 13, 2005 13:27
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway

http://www.ISAserver.org

Use Squid on Linux; it's free and better, and you can install it on anything from a Pentium II up.

----- Original Message -----
From: <tdoholis@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 13, 2005 9:59 AM
Subject: [isalist] PLEASE HELP....ISA 2004 and outbound 443 traffic to Citrix secure gateway

> http://www.ISAserver.org
>
> I am trying to figure out how to fix an issue allowing connections to a Citrix Secure Gateway without timing out every 3 minutes.
>
> As I understand, this happens because although SSL traffic is not connection oriented, the encapsulated ICA traffic is, and ISA is not allowing a persistent connection. I have pasted a message I read below for clarification of the problem. If I don't use the proxy the issue goes away, so this is definitely the cause.
>
> Please Help!
>
> Document ID: CTX103192, Created on: Jan 14, 2004, Updated: Jan 14, 2004
>
> Products: Citrix Secure Gateway 1.0, Citrix Secure Gateway 1.1
>
> ICA/SSL is the protocol used to securely deliver ICA. This protocol encapsulates ICA in SOCKS, further wrapped in SSL. This protocol typically is delivered over TCP port 443.
>
> HTTPS is HTTP wrapped in SSL. This protocol typically is delivered over port 443. Port 443 is the official registered port for HTTPS; any traffic over port 443 is assumed to be HTTPS by firewalls and proxy servers.
>
> Because SSL is the encryption protocol, firewalls, routers, proxies, and so on between the client and the server cannot "see" what is inside the protocol. They will verify that the protocol is wrapped in SSL.
>
> Therefore, firewalls and proxies do not really differentiate between ICA/SSL and HTTPS, and typically try to treat ICA/SSL as HTTPS.
>
> ICA differs from HTTP in the following ways:
>
> ICA is a real-time interactive protocol.
>
> HTTP is a near-real-time protocol and does not require individual keystrokes and mouse clicks to be sent to the server. Latency tolerance of HTTP is at least four or five times higher than that of ICA.
>
> ICA is a connection-oriented protocol. ICA, like other real-time interactive protocols, does not tolerate interruptions in the TCP connection. Terminated TCP connections can cause loss of a session. This could lead to errors such as:
>
> Errors in connection - no route to the specified subnet.
>
> HTTP is not as sensitive to TCP connection interruptions. Transport TCP connections may go up and down several times during a typical Web/portal session.
>
> Typical Firewall Configurations
>
> Firewalls can be configured in Proxy or Forward mode.
>
> Proxy Mode
>
> In Proxy mode, the firewall terminates the transport TCP connection from the client and opens a new TCP connection to the server. The firewall analyses and copies data between the client and the server connections and tries to protect the server from various attacks such as malformed packets.
>
> Firewalls know that HTTPS connections can easily tolerate interrupted transport TCP connections, and may terminate idle or too-long TCP connections assumed to be HTTPS connections.
>
> When a firewall is running in Proxy mode for HTTPS traffic, it uses the Nagle algorithm, trying to aggregate small TCP packets. The Nagle algorithm is not as suitable for interactive protocols as it is for HTTPS. If the firewall uses the Nagle algorithm for ICA/SSL, problems may occur with interactivity.
>
> Forward Mode
>
> In Forward mode, the firewall does not terminate TCP connections. It inspects packets and forwards them to the right destination. Depending on the vendor and firewall type, the level of packet inspection varies.
>
> Choosing Forward mode on the firewall ensures that TCP connections are opened directly between the ICA Client and the Secure Gateway server.
>
> The Secure Gateway server handles ICA/SSL traffic correctly.
>
> Conclusion
>
> When you are using your firewall in Proxy mode and utilizing the Nagle algorithm, you may notice a slow response from your MetaFrame hosted applications.
>
> To ensure against random disconnects of your ICA session, consider your firewall time-outs.
>
> ICA sessions may be disconnected even when they are not idle if the firewall is using some other time-out/criteria for connection termination. For example, the firewall may have a limit on the total session time or the total amount of data sent.
>
> ICA/SSL is usually misinterpreted by firewalls as HTTPS. Therefore, do not impose any time-outs on the ICA/SSL session, including idle, absolute, and data traffic time-outs.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: jsejuro@xxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
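As an added example (not code from this thread, from Citrix, or from Microsoft), a small Python probe that reproduces the mechanism the quoted Citrix article describes: a constructed loopback stand-in for a proxy that drops any connection idle longer than its timeout, and a client check that tells whether a session survives a given silent period, with and without the small periodic traffic a working user generates (the "if they continue working the connection stays up" observation). Ports, timeouts and payload bytes are all constructed for loopback testing; the three-minute ISA idle behaviour is represented by a timeout of fractions of a second.

```python
import socket
import threading
import time

def start_idle_closing_listener(idle_timeout):
    """Constructed loopback stand-in for a proxy that tears down any
    connection that stays silent longer than idle_timeout seconds.
    While traffic keeps flowing it simply echoes what it receives.
    Returns the port it listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn:
            conn.settimeout(idle_timeout)  # idle timer restarts on every packet
            try:
                while (data := conn.recv(64)):
                    conn.sendall(data)
            except socket.timeout:
                pass                        # idle limit hit: session dropped

    threading.Thread(target=serve, daemon=True).start()
    return port

def _echo_ok(sock, payload):
    """Send payload and confirm the far side still answers."""
    try:
        sock.sendall(payload)
        return sock.recv(64) == payload
    except OSError:                         # reset or closed by the middlebox
        return False

def connection_survives(port, wait, keepalive_interval=None):
    """Open one session, stay silent for `wait` seconds (or send a small
    keepalive every keepalive_interval seconds, like a user who keeps
    working), then report whether the session is still usable."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.settimeout(2.0)
        deadline = time.monotonic() + wait
        while (remaining := deadline - time.monotonic()) > 0:
            nap = remaining if keepalive_interval is None else min(remaining, keepalive_interval)
            time.sleep(nap)
            if keepalive_interval is not None and not _echo_ok(sock, b"k"):
                return False
        return _echo_ok(sock, b"p")
```

Pointing the client at a real proxy path with a multi-minute `wait` gives the same yes/no answer for a production timeout; the fix the article recommends is to exempt the ICA/SSL destination from the proxy's idle, absolute and data time-outs rather than to rely on keepalives.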