Posted to users@httpd.apache.org by Yuriy Medvedev <ym...@yandex.ru> on 2012/10/07 18:31:35 UTC

[users@httpd] Citrix behind Apache HTTP reverse proxy server problem

Hello,


I am a Citrix Admin and unfamiliar with Apache. 
Our Apache admins told me that I need to reconfigure my Citrix setup.
But I think that Apache admins must reconfigure their Apache server. 8)
I need an impartial judge!


We have the following setup:


external clients-------> Apache HTTP Server (reverse proxy configured)--------->Firewall----->Citrix Secure Gateway (Citrix Web Interface on the same server)--------Citrix Farm(Servers with Applications).


The Apache server resides in the external network, but the Citrix Secure Gateway and farm reside in the internal network.
The Apache server exposes the internal address of the Citrix Secure Interface (https://secgateway.domain1.com/citrix/xenap) as https://proxyserver.domain2.com/citrix/xenapp
External clients launch programs from the Citrix farm using the Web Interface address https://proxyserver.domain2.com/citrix/xenapp.
Clients use HTTPS to connect to the Citrix Secure Gateway.

PROBLEM: When a client connects to the Citrix Secure Gateway (Web Interface), it connects via the Apache HTTP server (I see it by means of the netstat -a command).
But when the client launches any application by clicking on a Web Interface icon, the Citrix client tries to connect to the Citrix Secure Gateway directly, omitting the Apache HTTP Server!
But the Citrix Secure Gateway IP is behind the firewall, and the application did not launch, with an error.
When a user launches an app via the proxy server, the ICA file redirects the user to secgateway.domain1.com rather than to proxyserver.domain2.com. We must open ports on the firewall to the Secure Gateway too.
This is a security problem for us. Is it possible to launch apps only via one Apache proxy server?
We need all traffic (ICA and HTTPS) to go through Apache! We need a possibility to launch apps from the XenApp farm by connecting to the Apache HTTP server (IBM HTTP Server 7.0) rather than the Secure Gateway.


Below is the IBM HTTP Server 7.0 httpd.conf from our Apache admins:


Listen 0.0.0.0:443
<VirtualHost *:443>
SSLEnable
#SSLProtocolDisable SSLv2
SSLClientAuth none
SSLProxyEngine on
SSLCipherSpec 34
SSLCipherSpec 35
SSLCipherSpec 3A
SSLCipherSpec 33
SSLCipherSpec 36
SSLCipherSpec 39
SSLCipherSpec 32
SSLCipherSpec 31
SSLCipherSpec 30
#Citrix
<Location /Citrix>
order deny,allow
allow from all
</Location>
ProxyPass /Citrix https://secgateway.domain1.com/citrix/xenapp
ProxyPassReverse /Citrix https://secgateway.domain1.com/citrix/xenapp
</VirtualHost>

Thank you for any help!


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Citrix behind Apache HTTP reverse proxy server problem

Posted by Nick Kew <ni...@webthing.com>.
On 7 Oct 2012, at 17:31, Yuriy Medvedev wrote:

> [chop]

Your backend is probably generating links referencing itself
by full name.  This is one of the issues discussed at
http://www.apachetutor.org/admin/reverseproxies

Your best solution is to fix the Citrix backend to generate
only relative URLs in HTML (and associated content such
as JavaScript).  But you can also use Apache to rewrite those
links with mod_proxy_html & friends.

-- 
Nick Kew



Re: [users@httpd] Citrix behind Apache HTTP reverse proxy server problem

Posted by Yuriy Medvedev <ym...@yandex.ru>.
Thank you for the reply, Martin.
Below is a short part of the WI page source code. This is the code of one link: to launch Internet Explorer via WI.
I see that there are no direct HTML links there, but there is ASP code instead.
The process looks as follows:
1) The user clicks on the icon of an application in the Web Interface.
2) An ASP file (launcher.asp) runs on the server and generates the ICA file.
3) The client downloads the ICA file.
4) The ICA file has SSLProxyHost=secgateway.domain1.com.
5) The client goes directly to secgateway.domain1.com instead of the Apache proxy, and Internet Explorer runs on xencitrixfarm...


<div class="iconView">
            <a  id="idCitrix.MPS.App.xencitrixfarm.Microsoft_0020Intenet_0020Explorer_00208_0020RUS"
                        href="launcher.aspx?CTX_Application=Citrix.MPS.App.xencitrixfarm.Microsoft%20Intenet%20Explorer%208%20RUS&amp;CTX_Token=73F8B0382B965A5665D91ECB73BF458C" onClick="resetSessionTimeout();clearFeedback();addCurrentTimeToHref(this,'launcher.aspx?CTX_Application=Citrix.MPS.App.xencitrixfarm.Microsoft%20Intenet%20Explorer%208%20RUS&amp;CTX_Token=73F8B0382B965A5665D91ECB73BF458C','LaunchId');launch(this);return false;" onMouseDown=" addCurrentTimeToHref(this,'launcher.aspx?CTX_Application=Citrix.MPS.App.xencitrixfarm.Microsoft%20Intenet%20Explorer%208%20RUS&amp;CTX_Token=73F8B0382B965A5665D91ECB73BF458C','LaunchId');"
                        class="iconLink"
                        title="Microsoft Intenet Explorer 8 RUS"
             ><img  src="icons.aspx?size=normal&amp;id=idEPHKJMIIFKJCDKMDDOABGHEALFGCLOLM" alt="Microsoft Intenet Explorer 8 RUS" title="Microsoft Intenet Explorer 8 RUS" ><br><span>Microsoft Intenet Explorer 8 RUS</span><img
id="spinner_idCitrix.MPS.App.xencitrixfarm.Microsoft_0020Intenet_0020Explorer_00208_0020RUS"
class="spinner"
width="11"
height="11"
src="../media/Transparent16.gif" alt=""
                ></a>
        </div>


08.10.2012, 03:01, "Martin Hasicek" <ma...@gmail.com>:
> Well... Apache does proxy for ICA/SSL. On the other hand, Apache is not responsible for content generated from WI. The HTTP protocol has two parts. One is the Header, the second is the Content.
>
> Apache does proxy on the Header:
>
> Client -> GET request -> Apache proxy -> GET request (rewritten - only Header) -> WI
> (And back)
>
> The Content part of the page from WI is unchanged. If it contains a URL like https://secgateway.domain1.com/... it is not rewritten by Apache.  So the client clicks on a Link/Button/Icon/Whatever with such a link and the browser/ICA Client makes a request to secgateway instead of your Apache proxy.
>
> To summarize, the browser of your client (or ICA Client) should receive the correct URL where to connect ...
>
> In older posts of this forum I found this example (your configuration should work also, but maybe it helps):
>
> <Virtualhost>
>    Servername citrix.example.com
>    ProxyRequests Off
>    AllowCONNECT 443
>    ProxyPass / backendserver
>    ProxyPassReverse / backendserver
> </Virtualhost>
>
> mh

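Added example (not part of the original thread, and not Citrix or Apache project code): a Python check that parses a generated ICA launch file and reports every SSLProxyHost that is not the externally published proxy name, which is the condition described in steps 4 and 5 of the message above. The sample file is constructed; the code assumes the ICA file is INI-style text and that SSLProxyHost may carry a :port suffix, and the internal_suffixes parameter is a hypothetical extension that flags any other key naming an internal host.

```python
import configparser

# Constructed sample, reduced to the fields this check reads. It mirrors the
# thread: the Web Interface page was fetched through proxyserver.domain2.com,
# but the generated launch file still names the internal gateway.
SAMPLE_ICA = """\
[ApplicationServers]
Microsoft Intenet Explorer 8 RUS=

[Microsoft Intenet Explorer 8 RUS]
SSLEnable=On
SSLProxyHost=secgateway.domain1.com:443
"""

EXTERNAL_PROXY = "proxyserver.domain2.com"


def split_host_port(value):
    """Split 'host:port' into (host, port); port is None when absent."""
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return value.lower(), None


def audit_ica(ica_text, allowed_hosts, internal_suffixes=()):
    """Return (section, key, host_or_value, port) for every entry that would
    send the ICA client somewhere other than the allowed external hosts."""
    # Only '=' separates key and value; the default ':' delimiter would split
    # keys that contain a colon.
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(ica_text)

    allowed = {h.lower() for h in allowed_hosts}
    suffixes = [s.lower() for s in internal_suffixes]
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower() == "sslproxyhost" and value:
                host, port = split_host_port(value)
                if host not in allowed:
                    findings.append((section, key, host, port))
            elif any(s in value.lower() for s in suffixes):
                # Any other key that mentions an internal name is reported
                # with its raw value.
                findings.append((section, key, value.strip(), None))
    return findings


if __name__ == "__main__":
    for section, key, host, port in audit_ica(SAMPLE_ICA, {EXTERNAL_PROXY}):
        print(f"[{section}] {key} -> {host}:{port} bypasses {EXTERNAL_PROXY}")
```

Running it against a launch file saved from the proxied Web Interface shows whether the gateway name in the file matches the name clients are expected to reach.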


Re: [users@httpd] Citrix behind Apache HTTP reverse proxy server problem

Posted by Martin Hasicek <ma...@gmail.com>.
Well... Apache does proxy for ICA/SSL. On the other hand, Apache is not
responsible for content generated from WI. The HTTP protocol has two parts.
One is the Header, the second is the Content.

Apache does proxy on the Header:

Client -> GET request -> Apache proxy -> GET request (rewritten - only
Header) -> WI
(And back)

The Content part of the page from WI is unchanged. If it contains a URL like
https://secgateway.domain1.com/... it is not rewritten by Apache.  So the
client clicks on a Link/Button/Icon/Whatever with such a link and the
browser/ICA Client makes a request to secgateway instead of your Apache proxy.

To summarize, the browser of your client (or ICA Client) should receive the
correct URL where to connect ...

In older posts of this forum I found this example (your configuration
should work also, but maybe it helps):

<Virtualhost>
   Servername citrix.example.com
   ProxyRequests Off
   AllowCONNECT 443
   ProxyPass / backendserver
   ProxyPassReverse / backendserver
</Virtualhost>

mh

On Sun, Oct 7, 2012 at 7:43 PM, Yuriy Medvedev <ym...@yandex.ru> wrote:

> There are no HTTP links to the Citrix gateway in the ICA file. I will try to
> explain how Citrix works.
>
> Without Apache:
>
> 1. The user connects to the Web Interface (WI) site by means of Internet
> Explorer (in our case via HTTPS) and the address (
> https://secgateway.domain1.com/citrix/xenap).
> 2. The user sees the WI site and clicks on the icon that represents an
> application.
> 3. The Citrix client (installed on the user's PC) loads the ICA file
> corresponding to the application from WI. This ICA file is generated
> automatically by WI.
> 4. There is a parameter SSLProxyHost in the ICA file, which in my case is
> SSLProxyHost=secgateway.domain1.com.
> 5. The client tries to connect to secgateway.domain1.com via the ICA\SSL
> protocol.
> 6. Then secgateway.domain1.com redirects to WI, and WI redirects to the
> Citrix farm to launch the selected app.
>
> With Apache:
>
> 1. The user connects to the Apache reverse proxy via HTTPS and the address
> https://proxyserver.domain2.com/citrix/.
> 2. Apache presents the Citrix WI to the user. The WI is the same as
> https://secgateway.domain1.com/citrix/xenap
> 3. The user sees the WI site and clicks on the icon that represents an
> application.
>
> Then we go through 4, 5, 6 exactly as if we did not have any Apache reverse
> proxy!
>
> The client goes directly to the Citrix gateway using the ICA\SSL protocol.
> This is the main problem: why does Apache not proxy ICA\SSL?

Re: [users@httpd] Citrix behind Apache HTTP reverse proxy server problem

Posted by Yuriy Medvedev <ym...@yandex.ru>.
There are no HTTP links to the Citrix gateway in the ICA file. I will try to explain how Citrix works.

Without Apache:

1. The user connects to the Web Interface (WI) site by means of Internet Explorer (in our case via HTTPS) and the address (https://secgateway.domain1.com/citrix/xenap).
2. The user sees the WI site and clicks on the icon that represents an application.
3. The Citrix client (installed on the user's PC) loads the ICA file corresponding to the application from WI. This ICA file is generated automatically by WI.
4. There is a parameter SSLProxyHost in the ICA file, which in my case is SSLProxyHost=secgateway.domain1.com.
5. The client tries to connect to secgateway.domain1.com via the ICA\SSL protocol.
6. Then secgateway.domain1.com redirects to WI, and WI redirects to the Citrix farm to launch the selected app.

With Apache:

1. The user connects to the Apache reverse proxy via HTTPS and the address https://proxyserver.domain2.com/citrix/.
2. Apache presents the Citrix WI to the user. The WI is the same as https://secgateway.domain1.com/citrix/xenap
3. The user sees the WI site and clicks on the icon that represents an application.

Then we go through 4, 5, 6 exactly as if we did not have any Apache reverse proxy!

The client goes directly to the Citrix gateway using the ICA\SSL protocol. This is the main problem: why does Apache not proxy ICA\SSL?
07.10.2012, 20:43, "Martin Hasicek" <ma...@gmail.com>:
> Hi, after a first look, the Apache configuration looks fine. Please try to view the source code of https://proxyserver.domain2.com/citrix/xenapp. Somewhere there should be a link, which is relative (like href="./citrix/...") or absolute (like href="https://proxyserver.domain2.com/citrix/..."). I expect it is absolute and this causes your problem (because instead of proxyserver you have your securityGW in the URL).
>
> The Apache proxy has nothing to do with content which is served by Citrix. It means the problem is on your side. I'm not so familiar with Citrix as to point you to the right place, but a short Google search should solve your problem.
>
> mh


Re: [users@httpd] Citrix behind Apache HTTP reverse proxy server problem

Posted by Martin Hasicek <ma...@gmail.com>.
Hi, after a first look, the Apache configuration looks fine. Please try to
view the source code of https://proxyserver.domain2.com/citrix/xenapp.
Somewhere there should be a link, which is relative (like
href="./citrix/...") or absolute (like
href="https://proxyserver.domain2.com/citrix/..."). I expect it is
absolute and this causes your problem (because instead of proxyserver you
have your securityGW in the URL).

The Apache proxy has nothing to do with content which is served by Citrix.
It means the problem is on your side. I'm not so familiar with Citrix as to
point you to the right place, but a short Google search should solve your
problem.

mh
