[THIN] Re: Accessing WI 4.6 on IIS through reverse proxy

  • From: "Jeremy Saunders" <Jeremy.Saunders@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 15 May 2009 09:58:31 +1000

Hi Jim,
 
Possibly the wrong approach here...or at least something I would never do, as 
you would also need to open up ports 1494 and 2598 to all Citrix servers for 
the ICA traffic.
 
For this reason, Citrix have a free product called Citrix Secure Gateway, or 
CSG for short. It goes on a Windows server, typically in the DMZ, and proxies 
your Web Interface AND ICA connections. The only drawback in your case is 
getting another digital cert for, say, remote.company.com, unless you already 
have one, or a wildcard cert.
 
Cheers,
Jeremy.

________________________________

From: thin-bounce@xxxxxxxxxxxxx on behalf of Wittry, Jim
Sent: Fri 15/05/2009 9:20 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Accessing WI 4.6 on IIS through reverse proxy 



I've run into two issues trying to make an internal Web Interface IIS server 
farm accessible from the Internet via reverse proxy.

The first problem I have is the Web Interface (4.6 running on IIS) generates a 
401 permanent redirect to its internal hostname when users connect to the base 
URL of a configured WI site. This fails since the internal hostname is not 
accessible from the Internet.

The second problem I have is that I get into an infinite loop of redirects if I 
specify the URL for the full path to the default.htm of the WI site instead of 
just the base URL when going through the reverse proxy.

Essentially I have a reverse proxy URL 
https://externalname.company.com/citrix/wi pointed at an internal WI server 
https://internalname.company.com/wi-csg  
 
If an external user enters https://externalname.company.com/wi then they get a 
401 redirect to the internal name of the WI server which fails since the 
internal name is not directly accessible from the Internet.

If an external user enters https://externalname.company.com/wi/default.htm then 
they do succeed in getting to the internal WI but something with the auto 
client detect appears to be putting the user into an infinite loop of auto 
redirects between the login process and client detection process. You never 
actually get to the WI login page. For this I'm questioning if it is because 
I'm rewriting the path name from /citrix/wi externally to /wi-csg internally.

Has anyone experienced or resolved either of these situations?


Thanks,
Jim
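
Added example, not part of either message in this thread: the response-header translation a reverse proxy has to perform for the external/internal mapping described above, so that a backend redirect or cookie scoped to the internal name and path is re-expressed under the external ones (a cookie scoped to /wi-csg is not sent back by a browser that only ever requests /citrix/wi). The two URLs come from the post; treating them as a prefix map, and all function names, are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# URL pair from the post; using it as a prefix mapping is an assumption.
EXTERNAL = "https://externalname.company.com/citrix/wi"
INTERNAL = "https://internalname.company.com/wi-csg"


def _map_path(path, src_prefix, dst_prefix):
    """Swap src_prefix for dst_prefix on a segment boundary, else None."""
    if path == src_prefix or path.startswith(src_prefix + "/"):
        return dst_prefix + path[len(src_prefix):]
    return None


def rewrite_location(value, internal=INTERNAL, external=EXTERNAL):
    """Rewrite a backend Location header so it names the external URL."""
    loc, inn, ext = urlsplit(value), urlsplit(internal), urlsplit(external)
    # Absolute URL pointing at some other host: not ours to rewrite.
    if loc.netloc and loc.netloc.lower() != inn.netloc.lower():
        return value
    # Path-relative reference: the browser resolves it against the external URL.
    if not loc.netloc and not loc.path.startswith("/"):
        return value
    path = _map_path(loc.path, inn.path, ext.path)
    if path is None:
        return value  # outside the published site; leaks_internal_host flags it
    return urlunsplit((ext.scheme, ext.netloc, path, loc.query, loc.fragment))


def rewrite_cookie_path(set_cookie, internal=INTERNAL, external=EXTERNAL):
    """Rewrite the Path attribute of one Set-Cookie header value."""
    inn, ext = urlsplit(internal).path, urlsplit(external).path
    parts = [p.strip() for p in set_cookie.split(";")]
    for i, part in enumerate(parts):
        name, _, val = part.partition("=")
        if i > 0 and name.strip().lower() == "path":
            mapped = _map_path(val.strip(), inn, ext)
            if mapped is not None:
                parts[i] = "Path=" + mapped
    return "; ".join(parts)


def leaks_internal_host(headers, internal=INTERNAL):
    """True if any (name, value) response header still names the internal host."""
    host = urlsplit(internal).netloc.lower()
    return any(host in value.lower() for _, value in headers)
```

Running `leaks_internal_host` over the headers of every proxied response is a quick check that no internal name reaches external clients after rewriting.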

