
Connection to server timed out

Hello,

I have a problem with Citrix web logon. We connect to a remote Citrix gateway via an IPsec site-to-site VPN. Today the Citrix web gateway stopped working and the log says this:


2017:03:27-15:11:58 mail-1 httpproxy[6563]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.188" dstip="172.20.242.97" user="mn-ps" group="Personnel" ad_domain="MY-COMPANY" statuscode="504" cached="0" profile="REF_HttProAccesPolic (Access policy)" filteraction="REF_HttCffOpen (Open)" size="2533" request="0xcea83e00" url="citrix.my.company.local/" referer="" error="Connection to server timed out" authtime="103" dnstime="517" cattime="90" avscantime="0" fullreqtime="60738043" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" exceptions="av,sandbox,fileextension" category="9998" reputation="unverified" categoryname="Uncategorized" country="N/A"

The remote site says that everything works on their side; we are just clients with Citrix Receiver. I am not sure where to start searching.

Ping to citrix.my.company.local works and returns IP 172.20.242.97.

I put this address into Web Protection/Filtering Options/Misc/Skip transparent mode destination Hosts/Nets, but this did not help. What can be wrong?

Thank you for any info.

  • I will assume that you are using Transparent Mode for web filtering. If not, then the skiplists have no effect.

    To skip these sites, you need to put the destination in the skiplist AND check the box for "Allow HTTP/S traffic for listed hosts/nets". If you don't do this, the site might be blocked by the UTM firewall logic.

    I have had difficulty getting Citrix to work with web filtering. Stuff works fine for the login, but the process breaks down when it switches to ICA protocol. Often, the switch to ICA also involves switching to a non-standard port. I have gotten things working for one Citrix site by managing the login phase with web filtering, and managing the ICA phase with a firewall rule to enable the special port.

  • Hello Douglas,

    I added the DNS host to the destination skiplist and checked "Allow HTTP/S traffic for listed hosts/nets", but it is still not working. I attach a screenshot so you can see if I set it up right.

  • There must be a problem in web filtering. If I open the same address from VPN on my home computer, it works like a charm.

  • 1) Suggest you look for a DNS problem. This document is helpful:

    https://community.sophos.com/products/unified-threat-management/w/utm-wiki/2/dns-best-practice

    2) Try configuring your skiplist entries by IP address (with hostname configured as an attribute) and see if that works differently.

    3) Try disabling this setting: Web Filter... Filter Options... Misc... (scroll to bottom of page) Enable Pharming Protection

    (I run with it enabled, but it causes an extra DNS lookup, so it may help diagnose whether or not DNS is the problem.)

  • Filip, since the solution suggested by DouglasFoster did not solve your problem and the access via VPN shows no such problem, I conclude:

    1. Your Internal network is in 'Allowed Networks' for a Web Filtering Profile in Standard mode.
    2. Your VPN subnet is not handled by httpproxy, and all traffic passes via firewall rule(s).

    The solution is a GPO that makes client browsers skip the Proxy for Citrix access.  As DouglasFoster implied above, the 'Transparent Mode Skiplist' only applies in Transparent mode, not in Standard.

    You might want to review Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • When you open the URL from your home computer with VPN active, one of two things is happening:

    1) Your VPN tunnel is running in split-tunnel mode, so the traffic leaves from your house, not from work. OR

    2) Your UTM is not really on the path between all devices and the internet, so you are not using transparent mode, as the previous post suspects.


    You may benefit from reading my posts over here, because they talk about how to use web logs to see which Filter Action and Profile is being used.

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/89746/setting-up-policy-from-block-all-to-allow-specific-sites-but-filter-them/326458#326458

    I will restate some basic information from that link.

    Processing Logic:

    • Source IP, Authentication Method, and Proxy method are used to determine the FILTER PROFILE.
    • The FILTER PROFILE determines whether HTTPS inspection will be used.
    • The FILTER PROFILE also determines the list of Policies that will be considered, and their order of evaluation. The first successful profile match is selected.
    • The PROFILE determines the FILTER ACTION.
    • The FILTER ACTION determines most of the Block/Allow logic, and some of the exceptions. Other exceptions are defined in the Web Site Exceptions list.

    You have to have the UTM on the path to the Internet, and you have to have a Filter Profile that enables transparent mode, matches the user IP, and matches the user authentication method. The logs will show if your intended Filter Action and Profile were actually activated.
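
    To make the log check described above concrete, here is an added Python example (not from this thread and not Sophos code) that parses httpproxy lines like the ones posted here into their key="value" fields and reports which Filter Profile and Filter Action handled a request, whether it was blocked with an upstream error, and whether the proxy resolved the host to the IP the admin expects. It assumes the timing fields are microseconds (the posted fullreqtime of 60738043 matches a roughly 60 s timeout) and uses sample lines constructed from the thread's first log entry.

```python
import re
from typing import Dict, List

# Sophos UTM httpproxy lines look like: <date> <host> httpproxy[<pid>]: key="value" key="value" ...
HEADER_RE = re.compile(r'^(\S+) (\S+) httpproxy\[(\d+)\]: (.*)$')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Expected name -> IP for the VPN-side host, as reported by the ping in the thread.
EXPECTED_IP = {"citrix.my.company.local": "172.20.242.97"}
# Constructed samples: the first is trimmed from the thread's timeout line, the second is a
# made-up "pass" line whose dstip (a documentation-range address) does not match EXPECTED_IP.
SAMPLE_TIMEOUT = ('2017:03:27-15:11:58 mail-1 httpproxy[6563]: id="0002" severity="info" sys="SecureWeb" '
                  'sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.188" '
                  'dstip="172.20.242.97" user="mn-ps" statuscode="504" profile="REF_HttProAccesPolic (Access policy)" '
                  'filteraction="REF_HttCffOpen (Open)" url="citrix.my.company.local/" '
                  'error="Connection to server timed out" dnstime="517" fullreqtime="60738043"')
SAMPLE_MISMATCH = ('2017:03:30-11:42:03 mail-1 httpproxy[6563]: id="0001" severity="info" sys="SecureWeb" '
                   'sub="http" name="http access" action="pass" method="GET" srcip="192.168.100.144" '
                   'dstip="203.0.113.10" user="mn-ps" statuscode="200" profile="REF_HttProAccesPolic (Access policy)" '
                   'filteraction="REF_HttCffRestrict (Restricted)" url="citrix.my.company.local/" '
                   'error="" dnstime="34869" fullreqtime="148598"')


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Split one httpproxy log line into a dict of its key="value" fields plus the header parts."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an httpproxy log line")
    fields = dict(KV_RE.findall(m.group(4)))
    fields["timestamp"], fields["loghost"], fields["pid"] = m.group(1), m.group(2), m.group(3)
    return fields


def diagnose(fields: Dict[str, str], expected_ip: Dict[str, str],
             dns_warn_us: int = 1_000_000) -> List[str]:
    """Return human-readable findings: matched profile/action, blocks, slow or unexpected DNS."""
    findings = [f"handled by profile={fields.get('profile')} filteraction={fields.get('filteraction')}"]
    if fields.get("action") == "block" or fields.get("error"):
        findings.append(f"blocked: status={fields.get('statuscode')} error={fields.get('error') or 'n/a'}")
    dnstime = int(fields.get("dnstime", "0"))          # assumed microseconds (see lead-in)
    if dnstime > dns_warn_us:
        findings.append(f"slow DNS: {dnstime / 1000:.0f} ms")
    host = fields.get("url", "").split("/", 1)[0].split(":", 1)[0]   # url field carries no scheme
    want = expected_ip.get(host)
    if want and fields.get("dstip") != want:
        findings.append(f"dns mismatch: {host} resolved to {fields.get('dstip')}, expected {want}")
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_TIMEOUT, SAMPLE_MISMATCH):
        print("\n".join(diagnose(parse_httpproxy_line(line), EXPECTED_IP)))
```

    Feed it the real lines from the UTM log (Logging & Reporting > View Log Files > Web Filtering) to see which profile and filter action actually matched; a "dns mismatch" finding means the proxy's resolver is not returning the VPN-side address.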

  • Hello,

    Thank you for the advice. I am using the normal Sophos OpenVPN SSL VPN. This VPN has an automatic firewall rule and can access the remote site. I am using web filtering in standard mode with AD and also have specific GPO groups for users who access the internet. I think there is some problem with DNS.

  • Filip, you may also have a problem with DNS - I don't see a reason here to conclude that you have a DNS problem.

    My post above gives the correct solution for your problem as you are not in Transparent mode.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I found this in the log:

    2017:03:30-11:42:03 mail-1 httpproxy[6563]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.100.144" dstip="13.107.5.80" user="mn-lba" group="Office" ad_domain="MY-COMPANY" statuscode="200" cached="0" profile="REF_HttProAccesPolic (Access policy)" filteraction="REF_HttCffRestrict (Restricted)" size="187" request="0xc429000" url="api.bing.com/qsml.aspx referer="" error="" authtime="99" dnstime="34869" cattime="214" avscantime="0" fullreqtime="148598" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" exceptions="av,sandbox,fileextension" category="145" reputation="neutral" categoryname="Search Engines" country="United States" content-type="text/html" application="bing" app-id="59"

    2017:03:30-11:42:03 mail-1 httpproxy[6563]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.100.144" dstip="13.107.5.80" user="mn-lba" group="Office" ad_domain="MY-COMPANY" statuscode="200" cached="0" profile="REF_HttProAccesPolic (Access policy)" filteraction="REF_HttCffRestrict (Restricted)" size="187" request="0xaa8c2000" url="api.bing.com/qsml.aspx referer="" error="" authtime="39" dnstime="32846" cattime="193" avscantime="0" fullreqtime="203843" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" exceptions="av,sandbox,fileextension" category="145" reputation="neutral" categoryname="Search Engines" country="United States" content-type="text/html" application="bing" app-id="59"

    The local client should connect to the local remote server, but it is using Bing, and then I understand why my request timed out. It has to use address 172.20.242.97, not 13.109.5.80.

    This would be the problem.