cancel
Showing results for 
Search instead for 
Did you mean: 

Web resources with source IP does not work.

SOLVED
Ruud_
Contributor

Web resources with source IP does not work.

Hi,

I have configured a "Web resource" for Citrix and Outlook Web Access. The role that uses these resources have a Source IP address assigned.

On the firewall I pass everything from that source IP address to the OWA and Citrix server.

Nevertheless this setup is not working, I receive 'Page could not be displayed" error.

I really do not know what I could have done wrong...

Do I also need to configure SAM or something else?

Greets,

Ruud.

1 ACCEPTED SOLUTION

Accepted Solutions
muttbarker_
Valued Contributor

Re: Web resources with source IP does not work.

Ruud:

#1 - Source IP can be at both the realm and role level.

#2 - You would only see if deny in policy trace if you were to switch out the source IP role to explicitly "deny"

#3 - If the OWA does not work with source IP off it is not your issue

#4 - The SSL Box is a proxy server. You willl see all traffic as showing between the SSL box and the source PC. The traffic between to/from the OWA server is contained really running to/from the SSL box and it is then "rewritten" to pass to the end client.

#5 - Do you know if you setup the OWA correctly? IE does it work inside your firewall through the SSL box? Perhaps it is an issue with how you pass credentials, etc....

Message Edited by muttbarker on 10-23-2008 07:33 AM

View solution in original post

5 REPLIES 5
muttbarker_
Valued Contributor

Re: Web resources with source IP does not work.

Have you done any troubleshooting by doing a policy trace on that user login? Source IP at the realm or role level is something that is checked when a user logs in. You said that you use source IP at the role level. So as an example - if you had a "deny" and did a policy trace you would see the user restricted when the logged in.

Is there anything in the event or user log files. I am assuming that if you turn "off" source IP the user logs in and then can access the page just fine? That behavior is strange as source IP should not affect an individual bookmark access.

Ruud_
Contributor

Re: Web resources with source IP does not work.

Have you done any troubleshooting by doing a policy trace on that user login? Source IP at the realm or role level is something that is checked when a user logs in.

I have done a "User Access Log". I can login fine. But when I click on the link, I receive the message, "This page cannot be displayed". Nothing is shown in the log. Correct me if I am wrong, but Source IP address is at role level, it can't be define at realm level. I use several roles for one realm, each with the same Source IP address.

You said that you use source IP at the role level. So as an example - if you had a "deny" and did a policy trace you would see the user restricted when the logged in.

I don't see anything of a deny in the log file, that is the strange part.

Is there anything in the event or user log files. I am assuming that if you turn "off" source IP the user logs in and then can access the page just fine? That behavior is strange as source IP should not affect an individual bookmark access.

When I turn off the source IP, I still have the same problem.

What I found strange is that I don't see any logging in the firewall. I have a bookmark to outlook web access. To reach this bookmark, it needs to pass the firewall whith as source the Internal Source IP and as destination the server of Outlook Web Access. But I don't see any logging...

muttbarker_
Valued Contributor

Re: Web resources with source IP does not work.

Ruud:

#1 - Source IP can be at both the realm and role level.

#2 - You would only see if deny in policy trace if you were to switch out the source IP role to explicitly "deny"

#3 - If the OWA does not work with source IP off it is not your issue

#4 - The SSL Box is a proxy server. You willl see all traffic as showing between the SSL box and the source PC. The traffic between to/from the OWA server is contained really running to/from the SSL box and it is then "rewritten" to pass to the end client.

#5 - Do you know if you setup the OWA correctly? IE does it work inside your firewall through the SSL box? Perhaps it is an issue with how you pass credentials, etc....

Message Edited by muttbarker on 10-23-2008 07:33 AM

View solution in original post

kenlars_
Super Contributor

Re: Web resources with source IP does not work.

Ruud -

Kevin is recommending that you do a policy trace. This is found under Troubleshooting - User Sessions - Policy Tracing. Turn on checking for web access, for the user ID you will test with and the realm it logs into.

Run your test, and then come back to the Policy Tracing screen and view the log. You'll be able to see if the access passed your web policies.

Ken

Ruud_
Contributor

Re: Web resources with source IP does not work.

I found the solution thanks to your help.

I've done a "Policy Tracing". There I saw that "Selective Rewriting" was used. The strange thing is, that only one "Selective Rewriting" policy was defined and it was not assigned to the role for owa. But somehow the OWA role used it, even it was not assigned to it.

Nevertheless, I've made a new policy for "Selective Rewriting" and assigned it to the role. Afterwards it worked like it should!

Thanks for the tips and the help. I learned a lot troubleshooting this problem !

Ruud.

Message Edited by Ruud on 10-24-2008 05:34 AM