Hi Jim,

Possibly the wrong approach here... or at least something I would never do, as you would also need to open up ports 1494 and 2598 to all Citrix servers for the ICA traffic.

For this reason, Citrix have a free product called Citrix Secure Gateway, or CSG for short. It goes on a Windows server, typically in the DMZ, and proxies your Web Interface AND ICA connections.

The only drawback in your case is getting another digital cert for, say, remote.company.com, unless you already have one, or a wildcard cert.

Cheers,
Jeremy.

________________________________

From: thin-bounce@xxxxxxxxxxxxx on behalf of Wittry, Jim
Sent: Fri 15/05/2009 9:20 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Accessing WI 4.6 on IIS through reverse proxy

I've run into two issues trying to make an internal Web Interface IIS server farm accessible from the Internet via reverse proxy.

The first problem I have is the Web Interface (4.6 running on IIS) generates a 401 permanent redirect to its internal hostname when users connect to the base URL of a configured WI site. This fails since the internal hostname is not accessible from the Internet.

The second problem I have is that I get into an infinite loop of redirects if I specify the URL for the full path to the default.htm of the WI site instead of just the base URL when going through the reverse proxy.

Essentially I have a reverse proxy URL https://externalname.company.com/citrix/wi pointed at an internal WI server https://internalname.company.com/wi-csg.

If an external user enters https://externalname.company.com/wi then they get a 401 redirect to the internal name of the WI server, which fails since the internal name is not directly accessible from the Internet.

If an external user enters https://externalname.company.com/wi/default.htm then they do succeed in getting to the internal WI, but something with the auto client detect appears to be putting the user into an infinite loop of auto redirects between the login process and client detection process. You never actually get to the WI login page.

- For this I'm questioning if it is because I'm rewriting the path name from /citrix/wi externally to /wi-csg internally.

Has anyone experienced or resolved either of these situations?

Thanks,
Jim
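
Added example, not part of the original thread and not Citrix or proxy vendor code: a sketch of the `Location` header translation a reverse proxy has to perform for the redirect-to-internal-hostname problem in Jim's message, using the external and internal URLs he gives. The function names and the sample redirect targets are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Prefix mapping taken from the post: external URL -> internal WI site.
EXTERNAL = "https://externalname.company.com/citrix/wi"
INTERNAL = "https://internalname.company.com/wi-csg"


def _under(path, prefix):
    """True if path equals prefix or sits below it on a path-segment boundary."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def rewrite_location(location, internal=INTERNAL, external=EXTERNAL):
    """Map a backend Location header onto the external prefix.

    Headers that do not point at the mapped internal site come back unchanged.
    """
    ext, inte, loc = urlsplit(external), urlsplit(internal), urlsplit(location)
    if loc.netloc:
        if loc.netloc.lower() != inte.netloc.lower():
            return location          # redirect to some other host
    elif not loc.path.startswith("/"):
        return location              # document-relative; browser resolves it
    if not _under(loc.path, inte.path):
        return location              # outside the published site
    new_path = ext.path + loc.path[len(inte.path):]
    return urlunsplit((ext.scheme, ext.netloc, new_path, loc.query, loc.fragment))


def names_internal_host(location, internal=INTERNAL):
    """True if a header sent to the client would still expose the internal host."""
    return urlsplit(location).netloc.lower() == urlsplit(internal).netloc.lower()


if __name__ == "__main__":
    # Constructed sample redirect targets, as a backend might emit them.
    samples = [
        "https://internalname.company.com/wi-csg/",
        "/wi-csg/auth/login.aspx?x=1",
        "default.htm",
        "https://internalname.company.com/other/",
    ]
    for raw in samples:
        out = rewrite_location(raw)
        flag = "  <-- internal hostname still exposed" if names_internal_host(out) else ""
        print(f"{raw!r} -> {out!r}{flag}")
```

The last sample shows the case worth alerting on: a redirect that names the internal host but falls outside the published path, so the mapping cannot translate it.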