Thank you for reply, Martin. Below see a short part of WI page source code. This is a code of one link: to launch Internet Explorer via WI. I see that there is no direct html links there, but there are asp-code instead. The process looks as follows: 1) User click on icon of application on Web interface 2)ASP file (launcher.asp) runs on server and generates ica-file. 3)Client downloads ICA-file. 4)ICA-file has a SSLProxyHost=secgateway.domain1.com. 5) Client goes directly to secgateway.domain1.com instead of Apache proxy and Intenet Explorer runs on xencitrixfarm...
<divclass="iconView"> <a id="idCitrix.MPS.App.xencitrixfarm.Microsoft_0020Intenet_0020Explorer_00208_0020RUS" href="launcher.aspx?CTX_Application=Citrix.MPS.App.xencitrixfarm.Microsoft%20Intenet%20Explorer%208%20RUS&CTX_Token=73F8B0382B965A5665D91ECB73BF458C" onClick="resetSessionTimeout();clearFeedback();addCurrentTimeToHref(this,'launcher.aspx?CTX_Application=Citrix.MPS.App.xencitrixfarm.Microsoft%20Intenet%20Explorer%208%20RUS&CTX_Token=73F8B0382B965A5665D91ECB73BF458C','LaunchId');launch(this);return false;" onMouseDown=" addCurrentTimeToHref(this,'launcher.aspx?CTX_Application=Citrix.MPS.App.xencitrixfarm.Microsoft%20Intenet%20Explorer%208%20RUS&CTX_Token=73F8B0382B965A5665D91ECB73BF458C','LaunchId');" class="iconLink" title="Microsoft Intenet Explorer 8 RUS" ><img src="icons.aspx?size=normal&id=idEPHKJMIIFKJCDKMDDOABGHEALFGCLOLM" alt="Microsoft Intenet Explorer 8 RUS" title="Microsoft Intenet Explorer 8 RUS" ><br><span>Microsoft Intenet Explorer 8 RUS</span><img id="spinner_idCitrix.MPS.App.xencitrixfarm.Microsoft_0020Intenet_0020Explorer_00208_0020RUS" class="spinner" width="11" height="11" src="../media/Transparent16.gif" alt="" ></a> </div> 08.10.2012, 03:01, "Martin Hasicek" <martin.hasi...@gmail.com>: > Well .. apache do proxy for ICA/SSL. On another side, Apache is not > responsible for content generated from WI. HTTP protocol has two parts. One > is Header second is Contect. > > Apache do proxy on Header: > > Client -> GET request -> Apache proxy -> GET request (rewrited - only Header) > -> WI > (And back) > > Content part of Page from WI is unchanged. If it consist URL like > https://secgateway.domain1.com/... it is not rewritten by apache. So client > click on Link/Button/Icon/Whatever with such link and browser/ICA Client make > request to secgateway instead of your apache proxy. > > To summary, browser of your client (or ICA Client) should receive correct URL > where to connect ... > > In older posts of this forum I found this example (your configuration should > work also, but maybe help): > > <Virtualhost> > Servername citrix.example.com > ProxyRequests Off > AllowCONNECT 443 > ProxyPass / backendserver > ProxyPassReverse / backendserver > </Virtualhost> > > mh > > On Sun, Oct 7, 2012 at 7:43 PM, Yuriy Medvedev <y...@yandex.ru> wrote: >> There is no any HTTP links to Citrix gateway in ICA file. I will try to >> explain how Citrix works. >> >> Without Apache: >> >> 1. User connects to webinterface (WI) site by meanse of Internet Explorer >> (in our case via HTTPS) and address >> (https://secgateway.domain1.com/citrix/xenap). >> 2. User sees WI site and clicks on icon that represents application. >> 3. Citrix client (installed on User's PC) loads ICA file from WI >> corresponding to application. This ICA file generted automatically by WI. >> 4. There is a parameter in ICA file SSLProxyHost that in my case is >> SSLProxyHost=secgateway.domain1.com. >> 5. Clients trys to connect secgateway.domain1.com via ICA\SSL protocol. >> 6. Then ssecgateway.domain1.com redirects to WI, and WI redirects to Citrix >> Farm to launch the selected app. >> >> With Apache: >> >> 1.User connects to Apache reverse proxy via HTTPS and address >> https://proxyserver.domain2.com/citrix/. >> 2. Apache represents Citrix WI to user. The WI is the same as >> https://secgateway.domain1.com/citrix/xenap >> 3.User sees WI site and clicks on icon that represents application. >> >> then we go 4,5,6 exatcly as if we do not have any Apache reverse proxy! >> >> Client goes directly to Citrix gateway using ICA\SSL protocol. This is the >> main problem: Why Apache does not proxy ICA\SSL? >> 07.10.2012, 20:43, "Martin Hasicek" <martin.hasi...@gmail.com>: >>> Hi after first look, configuration of apache looks fine. Please try to view >>> source code of https://proxyserver.domain2.com/citrix/xenapp. Somewhere >>> should be link, which is relative (like href="./citrix/...") or absolute >>> (like href="https://proxyserver.domain2.com/citrix/...";). I expect, it is >>> absolute and this cause your problem (because instead of proxyserver you >>> have in url your secutiryGW). >>> >>> Apache proxy has nothing with content which is served by Citrix. It means, >>> problem is on your side. I'm not so familiar with citrix to point you on >>> right place, but short google search should solve your problem. >>> >>> mh >>> >>> On Sun, Oct 7, 2012 at 6:31 PM, Yuriy Medvedev <y...@yandex.ru> wrote: >>>> Hello, >>>> >>>> I am a Citrix Admin and unfamiliar with Apache. >>>> Our Apache admins said me that I need to reconfigure my Citrix setup. >>>> But I think that Apache admins must reconfigure their Apache server. 8) >>>> I need an impartial judge! >>>> >>>> We have the next setup: >>>> >>>> external clients-------> Apache HTTP Server (reverse proxy >>>> configured)--------->Firewall----->Citrix Secure Gateway (Citrix Web >>>> Interface on the same server)--------Citrix Farm(Servers with >>>> Applications). >>>> >>>> Apache Server resides in external network, but Citrix Secure Gateway and >>>> Farm reside in internal network. >>>> Apache server exposes internal address of Citrix Secure Interface >>>> (https://secgateway.domain1.com/citrix/xenap) as >>>> https://proxyserver.domain2.com/citrix/xenapp >>>> External clients launch programs from Citrix farm using Web interface >>>> https://proxyserver.domain2.com/citrix/xenapp address. >>>> Clients use HTTPS to connect to Citrix Secure Gateway. >>>> >>>> PROBLEM: When client connects to Citrix Secure Gateway (Web Interface) it >>>> connects via Apache HTTP server (I see it by meanse of netstat -a command). >>>> But when client launches any application clicking on Web Interface icon, >>>> the citrix client is trying to connect to Cirtrix Secure Gateway directly >>>> omitting the Apache HTTP Server! >>>> But Cirtrix Secure Gateway IP is behind the firewall and application did >>>> not launch with error. >>>> When user launches app via proxy server, the ica-file redirects user to >>>> secgateway.domain1.com rather then to proxyserver.domain2.com. We must >>>> open ports on firewall to Secure Gateway too. >>>> This is a security problem for us. Is it possible to launch apps only via >>>> one Apache proxy server? >>>> We need all traffic (ICA and HTTPS) go through Apache! We need a >>>> possibility to launch apps from XenApp farm by means of connecting Apache >>>> HTTP server (IBM HTTP Server 7.0) rather then Secure Gateway. >>>> >>>> Below IBM HTTP Server 7.0 httpd.conf from our Apache admins: >>>> >>>> Listen 0.0.0.0:443 >>>> <VirtualHost *:443> >>>> SSLEnable >>>> #SSLProtocolDisable SSLv2 >>>> SSLClientAuth none >>>> SSLProxyEngine on >>>> SSLCipherSpec 34 >>>> SSLCipherSpec 35 >>>> SSLCipherSpec 3A >>>> SSLCipherSpec 33 >>>> SSLCipherSpec 36 >>>> SSLCipherSpec 39 >>>> SSLCipherSpec 32 >>>> SSLCipherSpec 31 >>>> SSLCipherSpec 30 >>>> #Citrix >>>> <Location /Citrix> >>>> order deny,allow >>>> allow from all >>>> </Location> >>>> ProxyPass /Citrix https://secgateway.domain1.com/citrix/xenapp >>>> ProxyPassReverse /Citrix https://secgateway.domain1.com/citrix/xenapp >>>> </VirtualHost> >>>> >>>> Thank you for any help! >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >>>> For additional commands, e-mail: users-h...@httpd.apache.org >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
