I am facing an authentication issue with a public site, sgplive.barcap.com (requires login). Once logged in, the user has to click on an internal link to initiate a connection to a Citrix server, which prompts for a login.
Even if I enter the credentials it doesn't get past!
When I bypass the proxy it works fine, but via MWG it prompts for a login. Herewith attaching the tcpdump for the same; appreciate your valuable suggestions.
I took a very quick look into the capture, but it seems that most of the interesting part is happening within the SSL tunnel. Maybe you want to file a service request with support, since they can have a deeper look into this specific issue.
To collect data about what is happening in the SSL tunnel you could try to enable connection traces as well, which log the traffic that MWG sees and will also contain the communication from within the tunnel (if SSL Scanner is enabled). One thing you may want to try is having a whitelist entry for the domain causing the issue and skipping filters and authentication. Maybe you could also skip SSL Scanner to prevent MWG from touching the traffic, and simply pass it along. If it works then we know that it is probably a filter, SSL Scanner, Authentication or something similar that causes the issues. If it still does not work, probably the server does not like a proxy in the loop.
Apologies for the delay,
Since I don't have the login credentials, I will have to wait for the user's availability to test the suggested scenarios.
Will test and let you guys know.
I tested it out by whitelisting and it didn't work. But when I bypass authentication it works fine. Also tried disabling SSL Scanner, still the same. Since there is no other rule between authentication and whitelisting, I strongly believe it's got something to do with the authentication for the site.
Herewith attaching the authentication-bypassed capture, the non-working one, and the one with SSL Scanner disabled.
Thank you for the traces. There is only one difference I can find, but I can't promise that this is the problem.
A lot of CONNECT requests are made, but all of them seem to be authenticated fine, e.g. the client sends a CONNECT request, MWG answers with a "407" to ask for authentication, and the client starts to authenticate. Once authentication is done all looks good. But there is one connection going to tocket.barcap.com which seems to behave differently. In the trace without authentication the client requests this URL and data goes back and forth as expected.
With authentication enabled the client asks for this URL, MWG sends a "407" to ask the client to authenticate, but no more data comes. The client does not come back and send credentials to MWG, so this part of the communication is never established. You could try to whitelist only this host from authentication; maybe this is already enough to allow the site to work. If that does not help you may want to file a support ticket, to have support look into the issue as well.
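The check described in the reply above (which CONNECT targets got a 407 challenge that the client never answered) can be automated once the proxy-side exchanges are available as text. The Python below is an added example, not part of the thread and not MWG's own tooling: it parses a constructed transcript of request heads and response codes (the hostnames follow the thread, the NTLM tokens are truncated placeholders, and the transcript is not the attached capture), tracks the last exchange per client connection, and reports hosts whose last exchange was an unanswered 407 separately from hosts whose credentials were rejected.

```python
"""
Classify CONNECT outcomes seen by an authenticating proxy.

Added example (not from the original thread). Input is a constructed
transcript: one (client connection id, raw request head, response status)
per proxy exchange. NTLM is connection based, so the state is kept per
client connection rather than per request.
"""
import re
from collections import defaultdict

# Constructed sample transcript; tokens are truncated placeholders.
SAMPLE_EXCHANGES = [
    ("c1", "CONNECT sgplive.barcap.com:443 HTTP/1.1\r\n"
           "Host: sgplive.barcap.com:443\r\n\r\n", 407),
    ("c1", "CONNECT sgplive.barcap.com:443 HTTP/1.1\r\n"
           "Host: sgplive.barcap.com:443\r\n"
           "Proxy-Authorization: NTLM TlRMTVNTUAABAAAA\r\n\r\n", 407),
    ("c1", "CONNECT sgplive.barcap.com:443 HTTP/1.1\r\n"
           "Host: sgplive.barcap.com:443\r\n"
           "Proxy-Authorization: NTLM TlRMTVNTUAADAAAA\r\n\r\n", 200),
    ("c2", "CONNECT tocket.barcap.com:443 HTTP/1.1\r\n"
           "Host: tocket.barcap.com:443\r\n\r\n", 407),
    # nothing more on c2: the client never answers the challenge
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def parse_request_head(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("target"), headers


def summarize_connects(exchanges):
    """Return {host: {outcome: count}} based on the last CONNECT exchange
    seen on each client connection."""
    last_by_conn = {}
    for conn, raw, status in exchanges:
        method, target, headers = parse_request_head(raw)
        if method != "CONNECT":
            continue
        host = target.rsplit(":", 1)[0]
        last_by_conn[conn] = (host, status, "proxy-authorization" in headers)

    summary = defaultdict(lambda: defaultdict(int))
    for host, status, sent_credentials in last_by_conn.values():
        if status == 200:
            outcome = "tunnel"                 # handshake completed
        elif status == 407 and not sent_credentials:
            outcome = "challenge_unanswered"   # client went silent after 407
        elif status == 407:
            outcome = "credentials_rejected"   # client answered, proxy refused
        else:
            outcome = "other_%d" % status
        summary[host][outcome] += 1
    return {host: dict(outcomes) for host, outcomes in summary.items()}


def stuck_hosts(summary):
    """Hosts that need an authentication exemption (or a support ticket)."""
    return sorted(h for h, o in summary.items() if o.get("challenge_unanswered"))


if __name__ == "__main__":
    result = summarize_connects(SAMPLE_EXCHANGES)
    for host, outcomes in sorted(result.items()):
        print(host, outcomes)
    print("unanswered 407 on:", stuck_hosts(result))
```

Distinguishing "challenge unanswered" from "credentials rejected" matters for the next step: the first points at a client that cannot do proxy authentication for that connection (an authentication whitelist for the host is the fix to try), while the second points at the credentials or the authentication backend.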
We solved a problem yesterday with a Citrix ICA Client at a customer. Are you using such a client?
We figured out the following behaviour with ICA: when anything is changed in the communication, the ICA Client tries to connect directly to the Citrix server.
Check this on the command line: netstat -na | find /i "syn"
If you get a result, you have the same trouble we resolved yesterday. :-)
The second problem was a coaching ruleset for uncategorized websites. ICA is not clicking the "Continue" button. *g*
Try the debugging ruleset. Perhaps you can figure out something.
Thorsten
That's interesting; actually there is an internal link which initiates a Citrix connection. Let me try the suggested command and get back.
As I expected, MWG blocks something in the ICA communication and ICA tries a direct connection. The same behaviour as in my installation. :-)
The client tries to connect directly to the Citrix server (SYN_SENT), but there is no answer.
Is the ICA client able to connect if you define a whitelist for the client based on IP?