SSL/VPN (Cisco) and pass through WebInterface, in the Citrix Web Interface forum on BrianMadden.com


Top 500 Contributor
Points 661
Läslo Pruis Posted: 04-15-2008 7:10 AM
Hey guys,

I have the following issue. In the company they already have a Cisco ASA and they use it also for SSL/VPN access to the network. Now they want to enable the Citrix-Farm access on the ASA-portal-site with a Citrix Web Interface.
How can I set up the WI so they don't have to log on again, but it will use the logon credentials the users have already given to log on to the SSL/VPN connection?

any suggestion?

I know, for an SSL/VPN solution I also prefer the CAG, but that is not the question...

Läslo Pruis

"one day not online is a day fully lifed!"

Not Ranked
Points 20
I'm going through the same thing with my company. Rather than spend any money for a CAG, they want to use the ASA WebVPN. In versions 7.x and 8.x of ASA, there is a single sign on option that allows you to specify a particular url/ip address or entire range of addresses to use your WebVPN credentials on. It works great with other apps, such as OWA, but doesn't work very well with WI using passthru authentication. It brings up the application set just fine but presents you with a server authentication when launching an app. I was told by a Cisco engineer to set up the WI as a bookmark and use the POST option to post the WebVPN credentials to the WI. Unfortunately I haven't been able to find any information about the parameters the WI is looking for. Just using user=CSCO_WEBVPN_USERNAME and password=CSCO_WEBVPN_PASSWORD does NOT work, so it must be looking for other parameters than just username and password. If anyone has any suggestions or knows these WI parameters, I'm all ears...
  • | Post Points: 20
Top 500 Contributor
Points 661
Well, after all, I was able to convince the team here that the best option was to get a CAG.
With some help from Citrix I could make a Proof of Concept. It only took me 2 hours to configure the CAG, instead of searching for options for more than 60 hours to get it working with a Cisco ASA. (If you don't need the Cisco ASA anymore, Citrix is willing to pay for destruction.)

Now we use the Cisco ASA for firewall (and other functions), but for SSL/VPN access the CAG is working perfectly. Easier to manage and configure (even better, in my point of view).


"one day not online is a day fully lifed!"

  • | Post Points: 5
Not Ranked
Points 41
Brandon Schaffer replied on 06-04-2008 11:25 AM
I would love to know if anyone has been able to get this to work. I have the Cisco ASA WebVPN automatically redirecting to the inet page, but our users have to log in a 2nd time. Is there any way to pass through the login credentials, or maybe even make them propagate into the login box?
  • | Post Points: 26
Top 500 Contributor
Points 661
Läslo Pruis replied on 07-01-2008 3:04 AM
Would be nice, but I still haven't found anyone who can make it work with a Cisco ASA and SSO.
I would advise a CAG. Use the ASA as a firewall... it was made for it ;)

"one day not online is a day fully lifed!"

  • | Post Points: 20
Not Ranked
Points 70
Has anyone tried using the Microsoft Single Sign-on service?

http://msdn.microsoft.com/en-us/library/ms984587.aspx

Also, I'm not so worried about the single sign on but just getting Web Interface to work through the webvpn. Can anyone that has it working list their setup?
  • | Post Points: 5
Not Ranked
Points 20
Did you ever get this to work? I discovered in the ascx that Citrix uses the variables ID_USER and ID_PASSWORD. However, when I use http://server/citrix/accessplatform/auth/login.aspx?ID_USER=CSCO_WEBVPN_PASSWORD , the value of the textbox is just user. I would love to get this working ASAP since it is a high-priority project for us.

Thanks
  • | Post Points: 20
Not Ranked
Points 70

I ended up getting it to work if anyone is interested

  • | Post Points: 20
Not Ranked
Points 20

Toby Manuel:

I ended up getting it to work if anyone is interested

Hi Toby, Yes, I am interested....

Thanks in advance.

  • | Post Points: 20
Not Ranked
Points 70

 

1) Create a bookmark for the citrix web interface.  For example:

http://citrix-web-interface-host/Citrix/AccessPlatform/auth/login.aspx
 
Advanced Options:
URL = POST
Favorite = <doesn't matter>
Smart Tunnel = No
 
Post Parameters:
LoginType=Explicit
user=CSCO_WEBVPN_USERNAME
password=CSCO_WEBVPN_INTERNAL_PASSWORD
domain=<YourActiveDirectoryDomain>
submitMode=submit
slLanguage=en
ReconnectAtLoginOption=DisconnectedAndActive
 
This will work at this point, but you will have to click on the login page twice because the ASA does not seem to properly handle the cookie in its own cache, so the following fixes that.
 
2) Create new or Edit your DfltGrpPolicy

+More Options
Session Settings:
User Storage Location - Set this up.  We used ftp with url style "user:pass@host/storage-directory"
Storage Key - left blank
Storage Objects: cookies,credentials
 
Now you should be able to login with username/Rsa-token and provide an optional internal password which it will use when you click on a link in the ASA WebVPN Portal page to the Citrix Web Interface.  Make sure your Citrix Web Interface is configured to only require user/pass/domain.

This worked on a Citrix Xen Web Interface server (4.5).  You will see small ~2k files in the ftp site named <username>.cps that will survive from session to session.

Hopefully, Cisco will fix the username/password cookie issue pretty soon.

  • | Post Points: 5
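As an added example (not part of the post above and not Cisco or Citrix code), this Python example renders the form body that the bookmark in step 1 makes the ASA send to the Web Interface, and lists where the posted setup moves or stores credentials without protection. The dict layout, function names, sample session values, the `EXAMPLE` domain and the `ftp://` prefix on the storage URL are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Macros named in the thread; the ASA substitutes them per session.
CRED_MACROS = {"CSCO_WEBVPN_USERNAME", "CSCO_WEBVPN_PASSWORD",
               "CSCO_WEBVPN_INTERNAL_PASSWORD"}

# POST parameters as listed in the post ("EXAMPLE" is a placeholder domain).
POST_PARAMS = {
    "LoginType": "Explicit",
    "user": "CSCO_WEBVPN_USERNAME",
    "password": "CSCO_WEBVPN_INTERNAL_PASSWORD",
    "domain": "EXAMPLE",
    "submitMode": "submit",
    "slLanguage": "en",
    "ReconnectAtLoginOption": "DisconnectedAndActive",
}

def render_post_body(params, session):
    """Form body the Web Interface receives once macros are substituted."""
    return urlencode({k: session.get(v, v) for k, v in params.items()})

def audit(bookmark_url, params, storage_url, storage_key, storage_objects):
    """Return findings where credentials are sent or stored unprotected."""
    findings = []
    scheme = urlsplit(bookmark_url).scheme
    sends_creds = sorted(k for k, v in params.items() if v in CRED_MACROS)
    if sends_creds and scheme != "https":
        findings.append("bookmark posts %s over %s"
                        % (",".join(sends_creds), scheme))
    store = urlsplit(storage_url)
    if store.scheme == "ftp":
        findings.append("user storage uses ftp (cleartext transport)")
    if store.password:
        findings.append("storage URL embeds a password")
    if "credentials" in storage_objects and not storage_key:
        findings.append("credentials stored with blank storage key")
    return findings

if __name__ == "__main__":
    # Constructed session values and the settings described in the post.
    session = {"CSCO_WEBVPN_USERNAME": "jdoe",
               "CSCO_WEBVPN_INTERNAL_PASSWORD": "p@ss w0rd"}
    print(render_post_body(POST_PARAMS, session))
    for f in audit("http://citrix-web-interface-host/Citrix/AccessPlatform/auth/login.aspx",
                   POST_PARAMS, "ftp://user:pass@host/storage-directory",
                   "", ["cookies", "credentials"]):
        print("FINDING:", f)
```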