
Web Gateway and Citrix

Created: 28 Feb 2012 | 20 comments

Does anyone know if the current version of the Web Gateway will work within Citrix?

I've read about the previous version which doesn't and you have to turn on virtual IP on Citrix but was wondering if this has been sorted on the new version.

Thanks


KevK76:

Hi Kenglam,

I don't really think there is anything that can be "sorted" from a Web Gateway perspective. The Web Gateway associates users to IPs and if all traffic from Citrix comes from the same IP then the Web Gateway won't be able to identify users properly. The way to work around this is to have Citrix associate Virtual IPs to the different user sessions. If you don't enable this work around in Citrix I don't really think you'll be able to get around this.

Cheers,

Kevin
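To make the point above concrete, here is an added example (not code from the thread or from Symantec) that models a proxy's IP-keyed user table fed by domain-controller logon events: with every Citrix session leaving the server as one shared address the table is overwritten by the last logon, while per-session virtual IPs keep each user distinct. All user names and addresses are constructed sample data.

```python
# Added example (not from the thread): how an IP-keyed user table behaves when
# Citrix sessions share one address versus when each session has a virtual IP.
# All names and addresses below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogonEvent:
    user: str       # account that logged on (as seen in the DC security log)
    source_ip: str  # address the logon request reached the DC from


def build_user_map(events: List[LogonEvent]) -> Dict[str, str]:
    """Latest logon wins per IP: this is what a table keyed on IP does."""
    table: Dict[str, str] = {}
    for ev in events:
        table[ev.source_ip] = ev.user
    return table


def identify(table: Dict[str, str], client_ip: str) -> Optional[str]:
    """Name the proxy attaches to traffic from client_ip, or None if unknown."""
    return table.get(client_ip)


def misidentified_users(events: List[LogonEvent]) -> List[str]:
    """Users whose web traffic would be attributed to a different account."""
    table = build_user_map(events)
    return sorted({ev.user for ev in events if table[ev.source_ip] != ev.user})


# Scenario 1: no virtual IP, every Citrix session leaves the server as 10.0.5.20
SHARED_EVENTS = [LogonEvent("alice", "10.0.5.20"), LogonEvent("bob", "10.0.5.20")]

# Scenario 2: virtual IP enabled, each session gets its own address
VIP_EVENTS = [LogonEvent("alice", "10.0.9.101"), LogonEvent("bob", "10.0.9.102")]

if __name__ == "__main__":
    shared = build_user_map(SHARED_EVENTS)
    print("shared IP: 10.0.5.20 resolves to", identify(shared, "10.0.5.20"),
          "; misattributed:", misidentified_users(SHARED_EVENTS))
    vip = build_user_map(VIP_EVENTS)
    print("virtual IP: 10.0.9.101 ->", identify(vip, "10.0.9.101"),
          ", 10.0.9.102 ->", identify(vip, "10.0.9.102"))
    # A session whose logon reached the DC from the server's real NIC but whose
    # browsing leaves via a virtual IP is simply unknown to the proxy:
    print("logon from NIC, browse from VIP ->", identify(vip, "10.0.9.103"))
```

The last lookup reproduces the symptom later in the thread: the proxy sees the virtual IP but has no logon event for it, so the request carries an address and no user.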

kenglam:

Fair enough. I'll look into enabling Virtual IP.

Thanks Kevin.

kenglam:

Hi Kevin,

I've enabled VIP in Citrix and I've tested it.

The IP Address is sent to the SWG but it doesn't include the username. Our policies work off usernames and groups.

Is there something I'm not doing correctly?

Thanks

BenDC:

Does the DC see the user at that IP login? You can check the Windows security event log.

kenglam:

I've checked the Security logs in the event viewer and the only thing that appears at the time when I browse is Success Audits, event ID 560 and 562 about the dcinterface. Doesn't give any details about the IP address or user.

Should I log this with support?

Thanks

TSE-JDavis:

You need to be able to tell the Web Gateway which users are associated with which IP in order for the policy to work. This can be done two ways; NTLM and DCInterface. If neither of these are an option, there is not much we can do.

kenglam:

I've got DCInterface on all of our DCs but we haven't enabled NTLM. Would I need to enable it for it to work in Citrix?

I've logged a call with support. I'll see what they say.

TSE-JDavis:

When your users log into their computers, are the login requests reaching the DC from the virtual IP the Citrix server gives them, or the actual IP address assigned to their computer's NIC?

BenDC:

Do not use both NTLM and DCinterface at the same time.

kenglam:

How do I check the login requests on the DC? I've checked the event logs on the DC and it doesn't say anything about logins.

Thanks

BenDC:

The Windows Security log is where DC interface pulls login events to send to SWG for user to IP correlation.

kenglam:

I've checked the event logs when I try and browse and it looks like it doesn't log any info on the DC.

I get Event IDs of 560 and 562.

ID 560:

Object Open:
     Object Server:    Security
     Object Type:    Key
     Object Name:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security
     Handle ID:    280
     Operation ID:    {0,2973367706}
     Process ID:    1428
     Image File Name:    C:\Symantec\dcinterface_4_5_4\DCInterface.exe
     Primary User Name:    SRV102$
     Primary Domain:    UK
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    -
     Client Domain:    -
     Client Logon ID:    -
     Accesses:    DELETE
            READ_CONTROL
            WRITE_DAC
            WRITE_OWNER
            Query key value
            Set key value
            Create sub-key
            Enumerate sub-keys
            Notify about changes to keys
            Create Link
           
     Privileges:    -
     Restricted Sid Count:    0
     Access Mask:    0xF003F


ID: 562

Handle Closed:
     Object Server:    Security
     Handle ID:    280
     Process ID:    1428
     Image File Name:    C:\Symantec\dcinterface_4_5_4\DCInterface.exe

The thing is, I get similar logs with normal working browsing.

I installed DCInterface as per the instructions. Should I try reinstalling?

BenDC:

DCinterface doesn't log what it sends in the windows event log. It checks the windows security event log for login events and sends those to the SWG. If the SWG is seeing other users and LDAP groups that are not on the citrix machine it is likely DCinterface is working.


To see what dcinterface is sending to the SWG you can enable debug for dcinterface.

To enable debug for dcinterface:
1. Stop the dcinterface service.
2. From the command prompt (cmd.exe) change to the directory where dcinterface is installed.
3. Run “dcinterface.exe -debug >> debug_log.log”.
4. Type Ctrl-C to stop after you have the user(s) log in to their machine(s).
5. The log will not be written until the service is stopped.
6. Start the dcinterface service normally.

Review the errorlog.txt and debug_log.log.

SMLatCST:

...your other non-Citrix based users?

If so, is it possible that you have not yet added the IP range used by Citrix for its Virtual IP addresses into your SWG (Administration -> Configuration -> Networks -> Internal Networks), and into the Authentication Policy?

kenglam:

User authentication works for non-Citrix users. Got it working on PCs and Laptops.

The VIP range I'm using is within the IP Address range/Subnet I have defined for the Internal Network.

Authentication policy is correct as it works on PCs/Laptops.

Thanks

SMLatCST:

Can you log into one of these Citrix sessions, bring up a command prompt and type 'set' and hit enter to grab the logon server, then connect to this logon server and check the DCInterface service is installed/running, and run Ben's log generation steps against it please?

Hopefully this will help confirm if the Citrix users are using the same DC as your normal users to give us an indication of where to direct the investigation.

KevK76:

So there should be no Authentication policy if only DC Interface is being used...

What I would probably check as well is log into a PC or laptop that is working, check out the events written to the security event log in the DC, then log into one of your Citrix clients. I probably would have expected that you would see similar events in the security event log showing the IP address and user who has logged in to the physical and Citrix client (these activities may happen on different DCs if you have multiple DCs). Also, even though user identification isn't working, in the Custom Reports on the SWG are you seeing activity from the Virtual IP of the Citrix client in the report?

Kevin

kenglam:

I've got DC Interface installed on all of my DCs and also an Authentication policy set up in Administration->Configuration->Authentication tab, where I've set up the LDAP Configuration.

Do I not need the LDAP Configuration setup?

I've run the debug on DC Interface on the DC that a laptop and the Citrix is connected to.

At the beginning of the log is an ignore list. The IP address (in hex) of both the laptop and IE in the Citrix session is in the ignore list. Then after the ignore list, it doesn't actually log any of the events from either the laptop or IE in the Citrix session to the web gateway. (There are other entries though.) I know something is happening as web browsing works on the laptop (i.e. it blocks sites which it should do and lets me on sites which I can go on) and everything gets blocked on IE in the Citrix session (which is right as the lowest web filter policy is to block everything).

Support sent me to:

http://www.symantec.com/docs/TECH148736

which isn't really helpful.

Any other suggestions?

Thanks

BenDC:

You do not need an authentication policy if you are using DCinterface as it forwards login events to the SWG where NTLM authentication is done at the SWG/Client.

Debug for dcinterface logs login events that it is passing to the DC. So for it to not show things I would wonder if we are looking at the right machine for it to see the laptop/citrix login events. Are we sure that the laptop/citrix is hitting the DC/DCinterface of the machine with the dcinterface debug enabled?


kenglam:

The way to get the SWG working in Citrix is to use NTLM rather than DC Interface.

I uninstalled DC Interface and enabled NTLM and the username is now pulling through with the Virtual IP Address.

Tested on a test Citrix Server and a live one and it works fine on both.

Thanks for all your help guys.