
Connection to server timed out

Hello,

I have a problem with Citrix web logon. We connect to a remote Citrix gateway via an IPsec site-to-site VPN. Today the Citrix web gateway stopped working and the log says this:


2017:03:27-15:11:58 mail-1 httpproxy[6563]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.188" dstip="172.20.242.97" user="mn-ps" group="Personnel" ad_domain="MY-COMPANY" statuscode="504" cached="0" profile="REF_HttProAccesPolic (Access policy)" filteraction="REF_HttCffOpen (Open)" size="2533" request="0xcea83e00" url="citrix.my.company.local/" referer="" error="Connection to server timed out" authtime="103" dnstime="517" cattime="90" avscantime="0" fullreqtime="60738043" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" exceptions="av,sandbox,fileextension" category="9998" reputation="unverified" categoryname="Uncategorized" country="N/A"

The remote site says that everything works on their side; we are just clients with Citrix Receiver. I am not sure where to start searching.

Ping to citrix.my.company.local works and returns IP 172.20.242.97.

I put this address into Web Protection/Filtering Options/Misc/Skip transparent mode destination Hosts/Nets, but this did not help. What can be wrong?

Thank you for any info.

  • I will assume that you are using Transparent Mode for web filtering.   If not, then the skiplists have no effect.

    To skip these sites, you need to put the destination in the skiplist AND check the box for "Allow HTTP/S traffic for listed hosts/nets".   If you don't do this, the site might be blocked by the UTM firewall logic.

    I have had difficulty getting Citrix to work with web filtering.  Stuff works fine for the login, but the process breaks down when it switches to ICA protocol.   Often, the switch to ICA also involves switching to a non-standard port.   I have gotten things working for one Citrix site by managing the login phase with web filtering, and manage the ICA phase with a firewall rule to enable the special port.

  • Hello Douglas,

    I added the DNS host to the destination skiplist and checked "Allow HTTP/S traffic for listed hosts/nets", but it is still not working. I attach a screenshot so you can see whether I set it up right.

  • There must be a problem in web filtering. If I open the same address from VPN on my home computer, it works like a charm.

  • 1) Suggest you look for a DNS problem.   This document is helpful

    https://community.sophos.com/products/unified-threat-management/w/utm-wiki/2/dns-best-practice

    2) Try configuring your skiplist entries by ip address (with hostname configured as an attribute) and see if that works different.

    3) Try disabling this setting:  Web Filter... Filter Options...  Misc... (scroll to bottom of page) Enable Pharming Protection

    (I run with it enabled, but it causes an extra DNS lookup, so it may help diagnose whether or not DNS is the problem.)

  • Filip, since the solution suggested by DouglasFoster did not solve your problem and the access via VPN shows no such problem, I conclude:

    1. Your Internal network is in 'Allowed Networks' for a Web Filtering Profile in Standard mode.
    2. Your VPN subnet is not handled by httpproxy, and all traffic passes via firewall rule(s).

    The solution is a GPO that makes client browsers skip the Proxy for Citrix access.  As DouglasFoster implied above, the 'Transparent Mode Skiplist' only applies in Transparent mode, not in Standard.

    You might want to review Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
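As an added illustration of the GPO-distributed proxy bypass Bob describes (example code, not from the thread or from Sophos), the following proxy auto-config (PAC) script sends the Citrix host DIRECT and everything else to the UTM httpproxy, so Citrix traffic is then governed by firewall rules as in Bob's point 2. The proxy address utm.my.company.local:8080 and the 172.20.242.0/24 network are assumptions; only citrix.my.company.local and 172.20.242.97 come from the thread, and the script uses only core JavaScript so it runs in PAC engines and Node alike.

```javascript
// PAC script, assumed to be pushed to browsers via GPO so that Citrix
// traffic bypasses the UTM httpproxy (Standard mode) and goes DIRECT.
// Assumption: the UTM proxy listens on utm.my.company.local:8080.
var UTM_PROXY = "PROXY utm.my.company.local:8080";

// Bypass list: hostname from the thread; the /24 is an assumed
// placeholder for the remote Citrix network behind the site-to-site VPN.
var BYPASS_HOSTS = ["citrix.my.company.local"];
var BYPASS_NETS = [["172.20.242.0", "255.255.255.0"]];

// Convert a dotted-quad IPv4 literal to a number; -1 if it is not one.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True if host is an IPv4 literal inside net/mask (no DNS lookup needed).
function inNet(host, net, mask) {
  var h = ipv4ToInt(host);
  if (h < 0) return false;
  var n = ipv4ToInt(net), k = ipv4ToInt(mask);
  // ">>> 0" keeps the masked values unsigned so both sides compare equal.
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// True if host is a bypass name, a subdomain of one, or in a bypass net.
function isBypassHost(host) {
  host = host.toLowerCase();
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    var b = BYPASS_HOSTS[i];
    if (host === b || host.slice(-(b.length + 1)) === "." + b) return true;
  }
  for (var j = 0; j < BYPASS_NETS.length; j++) {
    if (inNet(host, BYPASS_NETS[j][0], BYPASS_NETS[j][1])) return true;
  }
  return false;
}

// PAC entry point: the browser calls this for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  return isBypassHost(host) ? "DIRECT" : UTM_PROXY;
}
```

Note that once the browser goes DIRECT, the Citrix login and the later ICA session are no longer seen by the web filter, so the matching firewall rule (including any non-standard ICA port Douglas mentions) must allow that traffic.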