Citrix Access Gateway problem...

[mdc1973]

Wonder if anyone can help...

A customer has a Citrix Access Gateway (managed by them) hanging off a DMZ on a pix (managed by me). The idea is to allow https from internet to the external interface if the VPN device, which triggers a new connection from the internal interface of the AG to an internal authentication server.

The internal interface of the AG connects to a 2nd DMZ on the pix. I am able to see the initial https from internet to the AG, but the AG is making the request to the internal server using the external interface, rather than the internal interface. According to the customer, the AG can only have one default gateway, which points to DMZ 1 on the Pix. I have asked him to put in a static route, to use the internal interface of the AG for any internal traffic, but this makes no difference.

Other than re-designing the whole set up, is there anything else that can be done on the AG?

 

[sniperob]

I am currently experiencing exactly the same problem. I have tried all sorts of configuration combinations to get the CAG to work.

Currently I have it setup to use the Gateway IP Address for DMZ 2 and I can access the CAG and Ping the CAG from the internal network. I have also setup a static route that links in with DMZ 1. This way I can see traffic going into the CAG from the internet and then over to the server on the internal network but it still doesn't appear to be working. It might be a good idea for you to try that to see if you have any luck.

I am currently in talks with our Citrix Consultancy people and they are talking directly to Citrix. They have told Citrix that the CAG needs a Gateway IP Addresses for each of the interfaces but Citrix said that it would confuse the CAG which doesn’t seem to make sense to me.

I will let you know what the outcome is today. If anyone is unable to find a resolution I will be moving the CAG into the internal network and I will configure one of the interfaces rather than two.