cancel
Showing results for 
Search instead for 
Did you mean: 

NC/PAC file <-> Citrix problem

Highlighted
Occasional Contributor

NC/PAC file <-> Citrix problem

Hi guys.

Just wondering if somebody had similar issue...

I have users connecting from Internet via NC to company IVE cluster. PAC file is in place so they can access public webpages through Bluecoat proxies. However they cannot open ICA connections to regular public Citrix servers when connected through NC. Problem is that these ICAs are working when they access it directly from company intranet - they use the same PAC file as NC is using...

Colleague did some captures and found out that ICA traffic is routed from cluster directly to Citrix server instead of sending it to proxy... So it seems that Citrix client is not able to get PAC file correctly from IE - but only when connected through netconnect.

I can bypass this easily by allowing traffic on firewall or enabling split tunneling but this would be considered as security policy violation as all user Internet traffic should pass proxy... So trying to find some other solution...

Cheers

4 REPLIES 4
Highlighted
Respected Contributor

Re: NC/PAC file <-> Citrix problem

As a test, is enabling split tunneling possible to see if a change in behavior is seen?

Does instantproxy.pac show the same rules as the PAC file without Network Connect?

Highlighted
Occasional Contributor

Re: NC/PAC file <-> Citrix problem

Well, I've tested with split tunneling and it works perfectly.

PAC file used by IVE is containing one regular function FindProxyForURL(url, host) followed by conditions for DIRECT & PROXY access. This function should return direct or proxy_ip: port

instantproxy is smoothly different...

It begins with function FindClientProxy(url, host) - not sure if this one has any purpose :

function FindClientProxy(url, host) {
return "DIRECT";

Next is function FindServerProxy which contains all the expresions from the original PAC :

function FindServerProxy(url, host)

And last is :

function FindProxyForURL(url, host) {
if (shExpMatch(host, "IVE_URL")) {
return "DIRECT";
}
else {
return FindServerProxy(url, host);
}

I assume that it is done this way to distinguish traffic destined to IVE and the rest of connections.

Highlighted
Respected Contributor

Re: NC/PAC file <-> Citrix problem

Glad to hear that is working through split tunneling enabled (I know it is not what is needed, but at least something is working). Is the snippet you showed below from the option with split tunneling enabled or disabled?

You reference the need for proxySmiley Tongueort---do you mean that your proxy uses a different port for the connections?

Highlighted
Occasional Contributor

Re: NC/PAC file <-> Citrix problem

Yes, this was with split tunneling enabled ( instantproxy file I've checked was in Juniper networks folder somewhere in Documents - not sure if there is more of those .pac stored during session)

Regarding to function return values - for proxy it is always proxyname:8080 . We use 8080 for all our proxies - 8080 should be default value for many proxy vendors...