Critical System Protection

  • 1.  SCSP & Citrix

    Posted Jun 28, 2011 10:17 AM

     

    Hi all,
     
    I'm having trouble with SCSP & Citrix.
     
    When I apply an IPS policy (prevention enabled) to a Citrix desktop server, login to the Citrix servers takes 5-7 minutes.
     
    When I disable prevention all is well.
     
    Has anybody encountered a similar problem?
     
    SCSP Ver. 5.2 RU7 MP3
     
    Citrix Server: w2k8 32Bit/64Bit (Happens on both, doesn't happen on w2k3 with same Citrix setup).
     
    THX


  • 2.  RE: SCSP & Citrix

    Broadcom Employee
    Posted Jul 05, 2011 05:07 AM

    Open a case with Symantec. The drivers could be the culprit in the case.



  • 3.  RE: SCSP & Citrix

    Posted Jul 06, 2011 08:11 PM

    As Pete mentioned, this very well may be a driver issue due to the one noted difference in the OS (one working, 2k8 not).

    How much tuning have you performed with the policy in log only mode? What types of resource blocking are you seeing? Are you starting with Core or full strict? This may just be a tuning issue. Remember, all blue events will be blocked if prevention is enabled. From my experience there is a lot of tuning that needs to occur with using CSP and Citrix because Citrix makes unique system calls that often fall outside the bounds of normal behavior from applications.

    Also, the larger tuning item in w2k8 is that UAC can sometimes get in the way of things; ensure the UAC is not enacting for a priv command on log in.

    I would start with Core on the W2K8 box in log only mode, log in and review the events in blue. Blue events will be blocked, therefore you can use CSP's wizards to go ahead and tune the policy to Citrix's needs (each environment may be different). We can assist a bit on here if you post the blue events.

    If you see an "all is quiet" on log in with Core in log only, then enable the driver and receive the same performance issues, then it's def. a driver issue.