Thursday, May 14, 2009

[THIN] Re: Accessing WI 4.6 on IIS through reverse proxy

Hi Jim,

Possibly the wrong approach here...or at least something I would never do, as you would also need to open up ports 1494 and 2598 to all Citrix servers for the ICA traffic.

For this reason, Citrix have a free product called Citrix Secure Gateway, or CSG for short. It goes on a Windows server, typically in the DMZ, and proxies your Web Interface AND ICA connections. The only drawback in your case is getting another digital cert for, say, remote.company.com, unless you already have one, or a wildcard cert.

Cheers,
Jeremy.

________________________________

From: thin-bounce@freelists.org on behalf of Wittry, Jim
Sent: Fri 15/05/2009 9:20 AM
To: thin@freelists.org
Subject: [THIN] Accessing WI 4.6 on IIS through reverse proxy

I've run into two issues trying to make an internal Web Interface IIS server farm accessible from the Internet via reverse proxy.

The first problem I have is the Web interface (4.6 running on IIS) generates a 401 permanent redirect to its internal hostname when users connect to the base URL of a configured WI site. This fails since the internal hostname is not accessible from the Internet.

The second problem I have is that I get into an infinite loop of redirects if I specify the URL for the full path to the default.htm of the WI site instead of just the base URL when going through the reverse proxy.

Essentially I have a reverse proxy URL https://externalname.company.com/citrix/wi pointed at an internal WI server https://internalname.company.com/wi-csg

If an external user enters https://externalname.company.com/wi then they get a 401 redirect to the internal name of the WI server which fails since the internal name is not directly accessible from the Internet.

If an external user enters https://externalname.company.com/wi/default.htm then they do succeed in getting to the internal WI, but something with the auto client detect appears to be putting the user into an infinite loop of auto redirects between the login process and the client detection process. You never actually get to the WI login page. For this, I'm questioning whether it is because I'm rewriting the path name from /citrix/wi externally to /wi-csg internally.

Has anyone experienced or resolved either of these situations?


Thanks,
Jim



************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
Follow ThinList on Twitter
http://twitter.com/thinlist
Thin List discussion is now available in blog format at:
http://thinmaillist.blogspot.com
Thinlist MOBILE Feed
http://thinlist.net/mobile
************************************************

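The two failures Jim describes (a redirect to the backend's internal hostname, and a redirect loop once the path prefix differs between the outside and the inside) both come down to what the reverse proxy does with the backend's Location header. The following Python model is an added example, not code from the thread, from Citrix or from ISA; it uses the hostnames and prefixes given in the post, and everything else (the page names other than default.htm, the backend's redirect rules, the catch-all behaviour) is constructed for illustration. It walks a client that can only reach the external name through three proxy behaviours: no Location rewriting, hostname-only rewriting, and hostname-plus-prefix rewriting (what Apache's ProxyPassReverse or nginx's proxy_redirect do).

```python
"""Model how a reverse proxy's handling of the backend's Location header
decides whether an external client ends up on an unreachable internal
hostname, in a redirect loop, or on the login page.

Hostnames and prefixes are taken from the thread; backend page names other
than default.htm and the backend's redirect rules are constructed for this
example and are not documented Web Interface behaviour.
"""
from urllib.parse import urlsplit, urlunsplit

EXTERNAL_HOST = "externalname.company.com"   # published name (from the thread)
EXTERNAL_PREFIX = "/citrix/wi"               # published path (from the thread)
INTERNAL_HOST = "internalname.company.com"   # backend name (from the thread)
INTERNAL_PREFIX = "/wi-csg"                  # backend site path (from the thread)


def backend(path):
    """Constructed stand-in for the internal WI site: returns (status, location).

    base path -> 301 to default.htm; default.htm -> 302 to the client-detection
    page; detection page -> 302 to the login page; login page -> 200.
    Any other path is treated like the base path (constructed catch-all).
    """
    def internal(page):
        return f"https://{INTERNAL_HOST}{INTERNAL_PREFIX}/{page}"

    routes = {
        INTERNAL_PREFIX: (301, internal("default.htm")),
        INTERNAL_PREFIX + "/": (301, internal("default.htm")),
        INTERNAL_PREFIX + "/default.htm": (302, internal("detect.htm")),
        INTERNAL_PREFIX + "/detect.htm": (302, internal("login.htm")),
        INTERNAL_PREFIX + "/login.htm": (200, None),
    }
    return routes.get(path, (302, internal("default.htm")))


def to_backend_path(external_path):
    """Inbound mapping: /citrix/wi/x -> /wi-csg/x.

    A path outside the published prefix is still forwarded under the backend
    prefix (constructed simplification of a catch-all publishing rule)."""
    if external_path == EXTERNAL_PREFIX or external_path.startswith(EXTERNAL_PREFIX + "/"):
        return INTERNAL_PREFIX + external_path[len(EXTERNAL_PREFIX):]
    return INTERNAL_PREFIX + external_path


def rewrite_location(location, mode):
    """Outbound handling of a backend Location header.

    mode 'none'        : pass the header through untouched
    mode 'host'        : swap the internal hostname for the external one only
    mode 'host+prefix' : swap the hostname and translate the path prefix
    """
    parts = urlsplit(location)
    if mode == "none" or parts.hostname != INTERNAL_HOST:
        return location
    path = parts.path
    if mode == "host+prefix" and (path == INTERNAL_PREFIX or path.startswith(INTERNAL_PREFIX + "/")):
        path = EXTERNAL_PREFIX + path[len(INTERNAL_PREFIX):]
    return urlunsplit((parts.scheme, EXTERNAL_HOST, path, parts.query, parts.fragment))


def follow(start_url, mode, max_hops=20):
    """Act as an Internet client that can only reach EXTERNAL_HOST.

    Returns (outcome, final_url) with outcome one of 'ok',
    'unreachable-internal-host', 'redirect-loop' or 'too-many-redirects'."""
    seen = set()
    url = start_url
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.hostname != EXTERNAL_HOST:
            return "unreachable-internal-host", url   # first problem in the thread
        if url in seen:
            return "redirect-loop", url               # second problem in the thread
        seen.add(url)
        status, location = backend(to_backend_path(parts.path))
        if status == 200:
            return "ok", url
        url = rewrite_location(location, mode)
    return "too-many-redirects", url


if __name__ == "__main__":
    for mode in ("none", "host", "host+prefix"):
        print(f"{mode:12s} ->", follow(f"https://{EXTERNAL_HOST}{EXTERNAL_PREFIX}", mode))
```

Running it shows the three outcomes in order: with no rewriting the client is sent to internalname.company.com and stops; with hostname-only rewriting the client asks the proxy for /wi-csg/default.htm, which is outside the published prefix, so the request lands on a path the backend does not know and it redirects back to the same place; only when both hostname and prefix are translated does the chain reach the login page. The practical check on a real deployment is the same one `follow()` performs: fetch the published URL with a client that does not follow redirects and inspect each Location header for the internal hostname or the internal path prefix before the next hop.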

1 comment:

Jim said...

Thanks for the response.

We are in fact already using CSG for farm access. We just don't choose to use CSG as the proxy for the Web Interface.

We are presently using an older version of the Web Interface hosted in an IBM WebSphere environment which is working just fine through a reverse proxy. We're now migrating the Web Interface to IIS and having to fight through some issues getting it to work as desired through an ISA reverse proxy. I believe, however, that although this is likely not as common as using CSG to proxy WI access, it is also a fairly common setup.

Thanks,
Jim