SSL/VPN (Cisco) and pass trough WebInterface, in the Citrix Web Interface forum on BrianMadden.com

Hey guys,

I have the following issue. In the company they already have a Cisco ASA and they use it also for SSL/VPN access to the network. Now they want to enable the Citrix-Farm access on the ASA-portal-site with a Citrix Web Interface.
How can I setup the WI, so they don't have to logon again but it will use the logon-vredetials the users already have given to logon the SSL/VPN connection???

any suggestion?

I know, for a SSL/VPN solution I preffer also the CAG, but that is not the question........

Läslo Pruis

I'm going through the same thing with my company. Rather than spend any money for a CAG, they want to use the ASA WebVPN. In versions 7.x and 8.x of ASA, there is a single sign on option that allows you to specify a particular url/ip address or entire range of addresses to use your WebVPN credentials on. It works great with other apps, such as OWA, but doesn't work very well with WI using passthru authentication. It brings up the application set just fine but presents you with a server authentication when launching an app. I was told by a Cisco engineer to set up the WI as a bookmark and use the POST option to post the WebVPN credentials to the WI. Unfortunately I haven't been able to find any information about the parameters the WI is looking for. Just using user=CSCO_WEBVPN_USERNAME and password=CSCO_WEBVPN_PASSWORD does NOT work, so it must be looking for other parameters than just username and password. If anyone has any suggestions or knows these WI parameters, I'm all ears...

Well after all, I was able to convince the team here that the best option was to get a GAC.
With some help from Citrix I could make a Proof of Concept. It only took me 2 hours to configure the CAG instead of searching for option more than 60 hours to get it working with a Cisco ASA. (if you don;t need the Cisco ASA anymore, Citrix is willing to pay for destruction)

Now we use the Cisco ASA for Firewall (and other functions) but for SSL/VPN access the GAC is working perfectly. Easier to manage and configure (even better in my point of view).

I would love to know if anyone has been able to get this to work. I have the Cisco ASA WebVPN automatically redirecting to the inet page but our users have to login a 2nd time. Is there anyway to pass through the login credentials or maybe even make them propogate into the login box.

would be nice, but still haven't found anyone that will make it work with a Cisco ASA and SSO.
i would advise a CAG. Use the ASA as a firewall.. it was made for it ;)

Has anyone tried using the Microsoft Single Sign-on service?

http://msdn.microsoft.com/en-us/library/ms984587.aspx

Also, I'm not so worried about the single sign on but just getting Web Interface to work through the webvpn. Can anyone that has it working list their setup?

Did you ever get this to work i discovered in the ascx citrix uses the variables ID_USER, and ID_PASSWORD. However when i use http://server/citrix/accessplatform/auth/login.aspx?ID_USER=CSCO_WEBVPN_PASSWORD , the value of the textbox is just user. I would love to get this working asap since it is a high priority project for us.

Thanks

I ended up getting it to work if anyone is interested

Toby Manuel:

I ended up getting it to work if anyone is interested

Hi Toby, Yes, I am interested....

Thanks in advance.

 

1) Create a bookmark for the citrix web interface.  For example:

http://citrix-web-interface-host/Citrix/AccessPlatform/auth/login.aspx
 
Advanced Options:
URL = POST
Favorite = <doesn't matter>
Smart Tunnel = No
 
Post Parameters:
LoginType=Explicit
user=CSCO_WEBVPN_USERNAME
password=CSCO_WEBVPN_INTERNAL_PASSWORD
domain=<YourActiveDirectoryDomain>
submitMode=submit
slLanguage=en
ReconnectAtLoginOption=DisconnectedAndActive
 
This will work at this point, but you will have to click on the login page twice because the ASA does not seem to properly handle the cookie in its own cache, so the following fixes that.
 
2) Create new or Edit your DfltGrpPolicy

+More Options
Session Settings:
User Storage Location - Set this up.  We used ftp with url style "user:pass@host/storage-directory"
Storage Key - left blank
Storage Objects: cookies,credentials
 
Now you should be able to login with username/Rsa-token and provide an optional internal password which it will use when you click on a link in the ASA WebVPN Portal page to the Citrix Web Interface.  Make sure your Citrix Web Interface is configured to only require user/pass/domain.

This worked on a Citrix Xen Web Interface server (4.5).  You will see small ~2k files in the ftp site named <username>.cps that will survive from session to session.

Hopefully, Cisco will fix the username/password cookie issue pretty soon.

is this just to pass user credentials?  i am not so much interested in that as just getting this to work period.

 

via cisco ssl/webvpn, i can get to the presentation server page but when i launch the app i get the error a Citrix Presentation Server cannot be found at this address" after wfica32.exe clocks for a while.

 

I setup a smart tunnel and specified wfica32.exe to use it.  Doesnt seem to work.  Any other ideas?

 

thanks,

scott

Hi,

We're trying to establish our WI connection using your description.

Thanks for your work.

Any news yet on the 'username/password cookie issue' ?

 

 

We have configured our ASA exactly as you did.  All works well.  One issue we are having though.  Our WI is version 5.0.  What we have noticed is that once we athenticate to the ASA with username, pswd, and RSA tokencode and we are at the ASA portal listing the citrix WI bookmark and if for some reason the users network connection (either wireless or wired) is interrupted for a few seconds we get the following issue. 

In rare cases it will continue to work.  But if the user has to re-authenticate to get back to the ASA portal and clicks on the citrix wi book mark it give an error connecting to the page.  In some cases clearing the entire cache (IE7 or 8) will get us back in.  Other times we do an IIS-reset on the WI.  Has anyone else experianced this and if so, have you found a resolution?

We have tried using cache cleaner and secure desktop (vault) to address but they are not successful.  We also feel this is a cookie issue but are not sure where to turn.  Cisco, Citrix and Microsoft are all scrating thier heads at this point.

I am trying to setup Pass through authentication using POST parameters.

We are using Xendesktop through a provisioning server.

I have tried all the different Post parameters and have tried many different methods of the single sign on.

None work.

When we log into the clientless vpn we are then authenticating off to AD using Cisco ACS in between.

I'm not sure if this is why the usual CSCO_WEBVPN_USERNAME + CSCO_WEBVPN_PASSWORD are not working.

I would think that it should but maybe i have not configured this correctly.

I have and http inspector and can see all the parameters but I wasn't sure which to check.

I've inlcluded a screenshot of my Bookmark from the ASA.

I'm hoping someone can help as I have spent so long looking at this I'm not sure where to go now.

 

Many Thanks

Sam