There is no any HTTP links to Citrix gateway in ICA file. I will try to explain how Citrix works. Without Apache: 1. User connects to webinterface (WI) site by meanse of Internet Explorer (in our case via HTTPS) and address (https://secgateway.domain1.com/citrix/xenap). 2. User sees WI site and clicks on icon that represents application. 3. Citrix client (installed on User's PC) loads ICA file from WI corresponding to application. This ICA file generted automatically by WI. 4. There is a parameter in ICA file SSLProxyHost that in my case is SSLProxyHost=secgateway.domain1.com. 5. Clients trys to connect secgateway.domain1.com via ICA\SSL protocol. 6. Then ssecgateway.domain1.com redirects to WI, and WI redirects to Citrix Farm to launch the selected app. With Apache: 1.User connects to Apache reverse proxy via HTTPS and address https://proxyserver.domain2.com/citrix/. 2. Apache represents Citrix WI to user. The WI is the same as https://secgateway.domain1.com/citrix/xenap 3.User sees WI site and clicks on icon that represents application. then we go 4,5,6 exatcly as if we do not have any Apache reverse proxy! Client goes directly to Citrix gateway using ICA\SSL protocol. This is the main problem: Why Apache does not proxy ICA\SSL? 07.10.2012, 20:43, "Martin Hasicek" <martin.hasi...@gmail.com>: > Hi after first look, configuration of apache looks fine. Please try to view > source code of https://proxyserver.domain2.com/citrix/xenapp. Somewhere > should be link, which is relative (like href="./citrix/...") or absolute > (like href="https://proxyserver.domain2.com/citrix/...";). I expect, it is > absolute and this cause your problem (because instead of proxyserver you have > in url your secutiryGW). > > Apache proxy has nothing with content which is served by Citrix. It means, > problem is on your side. I'm not so familiar with citrix to point you on > right place, but short google search should solve your problem. > > mh > > On Sun, Oct 7, 2012 at 6:31 PM, Yuriy Medvedev <y...@yandex.ru> wrote: >> Hello, >> >> I am a Citrix Admin and unfamiliar with Apache. >> Our Apache admins said me that I need to reconfigure my Citrix setup. >> But I think that Apache admins must reconfigure their Apache server. 8) >> I need an impartial judge! >> >> We have the next setup: >> >> external clients-------> Apache HTTP Server (reverse proxy >> configured)--------->Firewall----->Citrix Secure Gateway (Citrix Web >> Interface on the same server)--------Citrix Farm(Servers with Applications). >> >> Apache Server resides in external network, but Citrix Secure Gateway and >> Farm reside in internal network. >> Apache server exposes internal address of Citrix Secure Interface >> (https://secgateway.domain1.com/citrix/xenap) as >> https://proxyserver.domain2.com/citrix/xenapp >> External clients launch programs from Citrix farm using Web interface >> https://proxyserver.domain2.com/citrix/xenapp address. >> Clients use HTTPS to connect to Citrix Secure Gateway. >> >> PROBLEM: When client connects to Citrix Secure Gateway (Web Interface) it >> connects via Apache HTTP server (I see it by meanse of netstat -a command). >> But when client launches any application clicking on Web Interface icon, the >> citrix client is trying to connect to Cirtrix Secure Gateway directly >> omitting the Apache HTTP Server! >> But Cirtrix Secure Gateway IP is behind the firewall and application did not >> launch with error. >> When user launches app via proxy server, the ica-file redirects user to >> secgateway.domain1.com rather then to proxyserver.domain2.com. We must open >> ports on firewall to Secure Gateway too. >> This is a security problem for us. Is it possible to launch apps only via >> one Apache proxy server? >> We need all traffic (ICA and HTTPS) go through Apache! We need a possibility >> to launch apps from XenApp farm by means of connecting Apache HTTP server >> (IBM HTTP Server 7.0) rather then Secure Gateway. >> >> Below IBM HTTP Server 7.0 httpd.conf from our Apache admins: >> >> Listen 0.0.0.0:443 >> <VirtualHost *:443> >> SSLEnable >> #SSLProtocolDisable SSLv2 >> SSLClientAuth none >> SSLProxyEngine on >> SSLCipherSpec 34 >> SSLCipherSpec 35 >> SSLCipherSpec 3A >> SSLCipherSpec 33 >> SSLCipherSpec 36 >> SSLCipherSpec 39 >> SSLCipherSpec 32 >> SSLCipherSpec 31 >> SSLCipherSpec 30 >> #Citrix >> <Location /Citrix> >> order deny,allow >> allow from all >> </Location> >> ProxyPass /Citrix https://secgateway.domain1.com/citrix/xenapp >> ProxyPassReverse /Citrix https://secgateway.domain1.com/citrix/xenapp >> </VirtualHost> >> >> Thank you for any help! >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
