QUOTE

Problem Definition

Access Gateway Advanced Edition Endpoint Analysis Client and Access Gateway Standard Edition Secure Access Client do not launch when an appliance, such as a reverse proxy server like Fortress, is in front of Access Gateway.

Environment

This issue is seen in the following products:

Access Gateway Standard Edition 4.5.2

Access Gateway Advanced Edition 4.5 (no service pack)

External access to Access Gateway in Advanced Access Control mode is through the Fortress reverse proxy appliance.

Troubleshooting Methodology

Advanced Access Control has EPA scans that are set to the LogonPoint visibility setting.

The workstation meets the EPA requirements; however, it still fails and the LogonPoint is not displayed.

Using the Fiddler tool, a trace was obtained that shows a request done to an IP over 443 and a 502 Bad GatewayÓ result is returned. That IP address reference below is the external Access Gateway interface.

Note: Fiddler provides capturing all HTTP(s) traffic from the userÕs machine. It does this by using its own proxy that is automatically set in Internet Explorer when Fiddler is running. Read more about Fiddler at this location: http://www.fiddlertool.com/fiddler/

A trace was performed at Access GatewayÕs internal interface. Filtering on HTTP shows that a request to the logonagentservice.asmx is performed.

Looking closer to this request a BeginLogonSequence is being sent to the LogonAgent Web Service.

Looking closer to the Soap data, externalAddressableAddressOfAg is contained within.

In the data contained within the welcome.aspx file, the object tag where the EPA client gets activated shows params and EnquiryUrl is one of them.

Our internal pages, Welcome.ascx.cs and ASPUtil.cs, have a section that shows how the Enquiry.aspx URL is built, utilizing the externallyAddressableAddressOfAg sent in the Soap data. Because this data contains the IP of the external interface of Access Gateway, the user never sees the EPA launch.

For the Secure Access Client, the issue is similar when requesting and launching the net6helper.cab from Access Gateway.

DeployVPNClient.ascx contains the specifics for creating the Access Gateway URL to download the client and launch it.

The server side code that gets called here utlimately calls the same ASPUtil.cs function that derives the external Access Gateway interface IP. Since that interface is not reachable externally, this fails as well.

Resolution

Endpoint Analysis Client

We are using the externalAddressableAddressOfAg value in the Soap request to the logonagentservice to build the Enquiry.aspx URL. This address is derived from the external FQDN set on the Access Gateway Standard Edition console which did not point to the external address of the Fortress appliance.

However, apart from this finding another issue came to light. Access to internal resources through Access Gateway Standard Edition requires that Fortress receives all Access Gateway Standard Edition / Access Gateway Advanced Edition requests through an additional path ex. /lni/citrix. This is the additional issue found that breaks the EPA scan as the URL to the enquiry.aspx does not contain that path.

Secure Access Client

The same process is used to download Secure Access Client, but since the additional /lni/citrix is not in the path, the download fails.

The issue was identified to be unsupported due to the path requirement that Fortress imposes. Essentially http://fqdn +/go/here was not a tested scenario. However, Citrix Engineering is committed to reviewing this issue and evaluating the implications of the changes required to resolve it.

This document applies to:

Access Gateway 4.5 Advanced Edition

Access Gateway 4.5 Standard Edition

UNQUOTE