[THIN] Re: WI 5.1 and CSG 3.3.1 on Same Server

  • From: "Jay Moock" <jmoock@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 7 Jul 2009 17:03:07 -0400

For anyone who may be interested, to get this working, follow
http://support.citrix.com/article/CTX111080 using "X-FORWARDED-FOR"
instead of "HTTP_CLIENTIP" (I was trying to use "HTTP_X_FORWARDED_FOR",
which is apparently incorrect).

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jay Moock
Sent: Tuesday, July 07, 2009 2:51 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] WI 5.1 and CSG 3.3.1 on Same Server


Hello,
 
I am hoping someone can help me out with something.  I have a server
that has both the Web Interface 5.1 and Secure Gateway 3.1.1 installed,
and I am having issues with it not recognizing the correct client IP for
the access methods that I have set up.  In a nutshell, it sees all
connections as coming from itself.
 
What I want to achieve is to have everyone access the server on port 443
(which is what CSG listens on), and if they are coming from one of our
internal subnets, access the Citrix servers directly, otherwise access
through CSG.
 
Without editing any of the .java files, all connections go direct (as
one of the subnets defined for Direct access is the same subnet the CSG
server is on).
 
I have set this up successfully on WI 4.5 and CSG 3.0 by implementing
http://support.citrix.com/article/CTX108803, but of course none of those
mods apply any more.
 
I've tried to apply the changes mentioned in
http://support.citrix.com/article/CTX111080, using HTTP_X_FORWARDED_FOR
instead of HTTP_CLIENTIP in Include.java, and this does make a
difference in its behavior (all connections go through CSG regardless of
the access method defined for the given subnet), but this isn't what I
want either.  I think I am close, but I just lack the knowledge of what
else needs to be changed.
 
I realize I am breaking a rule by not having the CSG in a DMZ, but since
I was able to get this to work before, I am hoping I can continue my bad
practices on the current versions. :)
 
If I access the server on port 80, everything works as expected.  I
really don't want to allow this though, especially for people coming in
from the outside.
 
Any input would be appreciated.
 
Thanks,
Jay
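The access decision described in this thread hinges on which address Web Interface treats as the client: with no forwarded header every request appears to come from the gateway itself (which sits in a Direct subnet, so everything goes direct), and once the header is honoured the real client address drives the subnet check. The example below is added here to illustrate that logic; it is not Citrix code and does not reproduce Include.java. The gateway address, the Direct subnets, and the sample requests are all constructed. The security-relevant detail it adds is that X-Forwarded-For is only trusted when the request actually arrives from the gateway, since any client can send the header directly; with a single trusted hop the rightmost entry is the one the gateway appended, so that is the value used.

```python
import ipaddress

# Constructed values standing in for the CSG host and the subnets configured
# for Direct access in Web Interface (both are assumptions for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
DIRECT_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def _header(headers, name):
    """Case-insensitive header lookup (X-Forwarded-For vs x-forwarded-for)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def effective_client_ip(remote_addr, headers):
    """Return the address the access decision should be based on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy
    (the gateway).  From any other peer the header is ignored, because a
    client could otherwise forge an internal address and be granted a
    direct connection.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer

    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        # Gateway did not add the header: fall back to its own address,
        # which is exactly the "all connections look like the server" symptom.
        return peer

    # The trusted proxy appends the address it saw; with one trusted hop
    # that is the rightmost entry.  Anything to the left was supplied by
    # the client and is not trusted.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return ipaddress.ip_address(hops[-1])
    except (ValueError, IndexError):
        return peer


def access_method(remote_addr, headers):
    """Choose 'direct' or 'gateway' from the effective client address."""
    client = effective_client_ip(remote_addr, headers)
    if any(client in net for net in DIRECT_SUBNETS):
        return "direct"
    return "gateway"


if __name__ == "__main__":
    # Constructed requests: header missing, external user via gateway,
    # internal user via gateway, and a forged header from an untrusted peer.
    samples = [
        ("10.0.0.5", {}),
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
        ("10.0.0.5", {"X-Forwarded-For": "192.168.1.20"}),
        ("203.0.113.9", {"X-Forwarded-For": "192.168.1.20"}),
    ]
    for addr, hdrs in samples:
        print(addr, hdrs, "->", access_method(addr, hdrs))
```

The first sample reproduces the behaviour reported when the header is not used (the gateway's own address matches a Direct subnet); the last shows why the header must be tied to the trusted peer rather than read unconditionally.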
