{"id":241,"date":"2013-01-18T16:21:00","date_gmt":"2013-01-18T16:21:00","guid":{"rendered":"http:\/\/atumvirtwordpress.azurewebsites.net\/?p=241"},"modified":"2013-01-18T16:21:00","modified_gmt":"2013-01-18T16:21:00","slug":"certificates-certificates-certificates-aka-how-remote-access-to-citrix-stopped-working","status":"publish","type":"post","link":"https:\/\/avtempwp.azurewebsites.net\/2013\/01\/certificates-certificates-certificates-aka-how-remote-access-to-citrix-stopped-working\/","title":{"rendered":"Certificates, Certificates, Certificates (aka How Remote Access to Citrix Stopped Working)"},"content":{"rendered":"

Last night I had an opportunity to be reminded of how powerful and dangerous our BlueCoat ProxySG is to wield. Yesterday when I got home I tried to connect to my workstation via Citrix and was greeted with an error: “Your App is not available. Try again later.” Strange, it had been so solid for many months. I was technically off the clock (as I am hourly), and after I used VPN to connect in I saw other sessions were still active, so I chalked it up to “I’ll fix that tomorrow.” As the evening progressed it nagged me a bit, so I tried a few more connections before deciding it would be best if the users weren’t up in arms in the morning in case they had trouble connecting as well. So I got to work.

The first place I looked was Web Interface – both servers – to see if an error had been logged. To my surprise, there was nothing recent in Web Interface. The event logs on the XenApp servers themselves were equally clean, and the vserver on the NetScaler was up with both STAs functioning. What could be wrong? One thing I did not consider was my own client – it had operated without error for months. So at this point I began cycling various components of the infrastructure. The vserver, ZDC, and app servers all got restarts, but still nothing. At that point I tried connecting through AGEE internally, through the same site (bypassing the firewall). To my surprise, it worked! So what was different about it?

It was then that a co-worker messaged me and asked what was up with remote access. He mentioned that the remote website was presenting a certificate from our proxy (as is normal when SSL interception is happening). I verified that this was indeed the case. So what had happened?

Our ProxySG is set up to SSL intercept based on the category classification of the destination. Interception is used for a number of reasons – authentication, monitoring, and content filtering. I asked the tech if he had added any categories to our list of categories for interception late in the day after I had left work. The category “Education” matched our own organization, and the problem was clear. Our proxy sits in-line with our firewall transparently, so the traffic to and from AGEE was being intercepted and the certificate was replaced. Citrix Receiver aborted the connection because the session wasn’t valid. I added an access rule that bypasses interception for our domain, refreshed the page and verified the certificate was once again the public cert. Success! My workstation hadn’t presented me with a certificate error because the proxy’s certificate was issued from a root CA that my workstation trusted as a result of being on our domain.

This situation goes to show that if you’re having trouble connecting through Access Gateway, be certain to verify your certificate!","protected":false},"excerpt":{"rendered":"

Last night I had an opportunity to be reminded of how powerful and dangerous our BlueCoat ProxySG is to wield. Yesterday when I got home I tried to connect to my workstation via Citrix when I was greeted with an error: “Your App is not available. Try again later.” Strange, it had been so solid […]","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[55,75],"tags":[],"_links":{"self":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts\/241"}],"collection":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/comments?post=241"}],"version-history":[{"count":0,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts\/241\/revisions"}],"wp:attachment":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/media?parent=241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/categories?post=241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/tags?post=241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}