[THIN] Re: Help With Secure Access Manager

  • From: "Tastet, Arthur" <ARTHUR.TASTET@xxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 6 Nov 2003 08:35:49 -0500

Tony,
  In the SAM pilot we have the CSG and the logon agent server in the DMZ.
We have three other servers on the production side 1 as an agent server,
state server, and SQL.  The 2nd is a web server and agent server.  The last
is just a ticketing server.  We have ensured that FQN can be resolved.  Do
you think the Alias command could be messing things up?

Whats interesting is we are CSG 2.0 in production for our remotes sites with
the same ticketing server all is well.  Both point to the same farm.

Arthur

-----Original Message-----
From: Tony Lyne [mailto:Tony.Lyne@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 3:29 PM
To: Tastet, Arthur
Subject: RE: [THIN] Re: Help With Secure Access Manager


OK,

So where is your CSG server located. On the DMZ?

A couple of things youll need to check.

Make sure the CSG server can resolve the FQN of the Citrix servers
internally and the addresses are not NAT'ed (I had issues when NAT was used
between the Internal and DMZ interfaces) CSG didn't like it.
Ensure the FQN of the access center is also accessable via the same means.

PIX is a stateful inspection firewall so there should be less issues with
the NAT side of things as compared to a layer 7 FW like Borderware.

Let me know if this is of any help and if you need more info.

Tony Lyne
Senior Systems Engineer 
Computerland Central 
P O Box 1470 
PALMERSTON NORTH
Telephone (+64) 06 3537300
Facsimile (+64) 06 3566800
Mobile (+64) 0274 720696
E-mail Tony.Lyne@xxxxxxxxxxxxxxxxxx
Internet http://www.computerland.co.nz
CAUTION: This e-mail message and accompanying data may contain information
that is confidential and subject to privilege. If you are not the intended
recipient, you are notified that any use, dissemination, distribution or
copying of this message or data is prohibited. If you have received this
e-mail in error, please notify me immediately and delete all material
pertaining to this e-mail. Thank you.
 


-----Original Message-----
From: Tastet, Arthur [mailto:ARTHUR.TASTET@xxxxxxxxxxxxx] 
Sent: Thursday, 6 November 2003 9:17 a.m.
To: Tony Lyne
Subject: RE: [THIN] Re: Help With Secure Access Manager

Tony,
   We use a Cisco Pix 515 on our firewall.  We use alias command which
translate all DNS calls.

Arthur Tastet
Moses Cone Health System

-----Original Message-----
From: Tony Lyne [mailto:Tony.Lyne@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 2:59 PM
To: ARTHUR.TASTET@xxxxxxxxxxxxx
Subject: FW: [THIN] Re: Help With Secure Access Manager


Did you get this reply to your email? 

------------------------------------------------------------------


Arthur,

What is the firewall you are using, and what kind of certificates are you
using.

I had issues initially setting up the CSG/MSAM integration side of things as
well. As the clients firewall was a Layer 7 (Borderware firewall server,
very nice firewall I must add) so we had to do a few things on the firewall
to get it working reliably.

Tony Lyne
Senior Systems Engineer 
Computerland Central 
P O Box 1470 
PALMERSTON NORTH
Telephone (+64) 06 3537300
Facsimile (+64) 06 3566800
Mobile (+64) 0274 720696
E-mail Tony.Lyne@xxxxxxxxxxxxxxxxxx
Internet http://www.computerland.co.nz
CAUTION: This e-mail message and accompanying data may contain information
that is confidential and subject to privilege. If you are not the intended
recipient, you are notified that any use, dissemination, distribution or
copying of this message or data is prohibited. If you have received this
e-mail in error, please notify me immediately and delete all material
pertaining to this e-mail. Thank you.
 


-----Original Message-----
From: Tastet, Arthur [mailto:ARTHUR.TASTET@xxxxxxxxxxxxx] 
Sent: Wednesday, 5 November 2003 4:46 a.m.
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Help With Secure Access Manager

We are evaluating Secure Access Manager in a pilot for both internal and
external use.  We are having problems with the proxy function of mSAM and
wanted to know if anybody is using it for both internal and external use for
web and ica traffic?  If so, are you having any issues?  

In short, it works for a short amount of time externally and then stops
working.  ICA traffic stops being sent through the secure gateway and wants
to start going direct to the Citrix servers.  This seems odd since this is
the core functionality of the mSAM product (secure, remote access to
internal network resources).  

We are doing network address translation in our DMZ.   We are wondering if
it may be configuration issue, but we are unable to identify the problem.
Does anybody have any insight into what could be the problem?

Thanks,

Arthur Tastet
Moses Cone Health System
(336) 832-7722


Moses Cone Health System 
Greensboro, North Carolina 27401
********************************************************
This Weeks Sponsor Pearl Software
Internet Monitoring, Filtering, and Control Solutions
Enabling User & Group Level Oversight & Access Policies
Fully Functional in a Thick or Thin Client Environment
http://www.pearlsw.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
New! Online Thin Computing Magazine Site
http://www.OnDemandAccess.com

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
********************************************************
This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you
know, in most cases, CPU Utilization IS NOT the single biggest
constraint to scaling up?! Get this free white paper to understand the
real constraints & how to overcome them. SAVE MONEY by scaling-up rather
than buying more servers.
http://www.rtosoft.com/Enter.asp?ID=147
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
New! Online Thin Computing Magazine Site
http://www.OnDemandAccess.com

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

Moses Cone Health System 
Greensboro, North Carolina 27401

Moses Cone Health System 
Greensboro, North Carolina 27401
********************************************************
This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you
know, in most cases, CPU Utilization IS NOT the single biggest
constraint to scaling up?! Get this free white paper to understand the
real constraints & how to overcome them. SAVE MONEY by scaling-up rather
than buying more servers.
http://www.rtosoft.com/Enter.asp?ID=147
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
New! Online Thin Computing Magazine Site
http://www.OnDemandAccess.com

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

Other related posts: