Transparent Squid and Citrix ICA-XML



  • Hi !

    Squid as an application layer filter is a fine thing, as it also works with ttransparent proxying on port 80.

    We have a citrix-farm running behind out IPSec-tunnels and on the clientside I have my pfsense enabled with transparent proxying…

    As citrix also uses ICA-XMP-Service on port 80, ans squid recognises this not to be any html, it will be filtered out, resulting in a non -working citrix connection from behind a transparent proxy.
    i just wanted to ask if there are other users having the same issue and if there is some interest in getting this solved by sort of a modification for squid / pfsense.

    If yes, pelase contract me per IM for exchange of ideas.

    Martin



  • I have just run into this today as well.  Any new information?



  • From the Citrix knowledgebase…

    When a MetaFrame Presentation Server Client is behind a web proxy such as Squid, the client will
    attempt to reach MetaFrame Presentation Servers using the CONNECT method, also known as “SSL
    Tunneling.” By default, Squid allows the CONNECT method only to port 443 (HTTPS). Connections
    to Secure Gateway should work by default, but connections to a MetaFrame Presentation Server will
    fail by default.
    In order to allow ICA connections through Squid on ports 1494 or 2598, edit the etc/squid.conf file
    and locate the following line:
    acl SSL_Ports port 443 #https
    Add the numbers 1494 and 2598, separated by spaces after the number 443:
    acl SSL_Ports port 443 1494 2598 #https
    Save the squid.conf file and restart Squid in order for the change to take effect.



  • Tried modifying the squid.conf through the web interface, however on service restart my changes were gone.  Where must I make the change mentioned above to have it stick in the config?


Log in to reply