
Citrix ICA and Squid ...


After reading through the squid archive and the various Citrix support
documents, I have found a combination of settings which will allow my
users to access Citrix through the squid proxy. I am seeking a better
understanding of the ramifications of what I had to do and would
appreciate your collective thoughts on my changes ...

In squid.conf:

before my changes:

acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
acl manager proto cache_object
acl PURGE method PURGE
acl localhost src 127.0.0.1/255.255.255.255
acl grandsquid src 99.99.99.99/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 81          # Autorpm.org
acl Safe_ports port 89          # Oracle Technical Forums
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access allow manager localhost
http_access allow manager grandsquid
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access allow PURGE localhost
http_access allow localhost
http_access deny all



after the change I made:


acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
acl manager proto cache_object
acl PURGE method PURGE
acl localhost src 127.0.0.1/255.255.255.255
acl grandsquid src 99.99.99.99/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 80 443 563 1494 2598
acl Safe_ports port 80          # http
acl Safe_ports port 81          # Autorpm.org
acl Safe_ports port 89          # Oracle Technical Forums
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow manager grandsquid
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access allow PURGE localhost
http_access allow localhost
http_access deny all


The change is found on the line:

acl SSL_ports port 80 443 563 1494 2598

Now the part I don't understand. I found 1494 and 2598 and understand
why they are needed but it wasn't until I added port 80 to SSL ports
that I was successful in making a connection. What are the security
concerns or issues this brings? Is there another way to accomplish
this? Is it important?
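
Added example, not part of the original post: a simplified Python model of the posted http_access rules that lists which destination ports change verdict for CONNECT requests between the two configurations. It models only the port and method ACLs and assumes an ordinary authenticated client that is not localhost; the function names are illustrative.

```python
# Simplified model of Squid's first-match http_access evaluation (added example).
# Only the ACL types needed for the question are modelled: port and method.

def parse_ports(spec):
    """Expand 'port' ACL values such as '443 563' or '1025-65535' into ranges."""
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def in_ports(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

# Safe_ports is identical in both configs from the post.
SAFE_PORTS = parse_ports("80 81 89 21 443 563 70 210 1025-65535 280 488 591 777")
SSL_BEFORE = parse_ports("443 563")
SSL_AFTER = parse_ports("80 443 563 1494 2598")

def decide(method, port, ssl_ports, authenticated=True):
    """Walk the posted http_access rules in order; the first matching rule wins.
    The manager, PURGE and localhost rules are skipped because the modelled
    request is an ordinary remote client request (assumption)."""
    if not in_ports(port, SAFE_PORTS):      # http_access deny !Safe_ports
        return "deny"
    if method == "CONNECT" and not in_ports(port, ssl_ports):
        return "deny"                       # http_access deny CONNECT !SSL_ports
    if authenticated:                       # http_access allow all AuthorizedUsers
        return "allow"
    # Real Squid answers an unauthenticated client with a 407 challenge;
    # the model treats that as a deny.
    return "deny"                           # http_access deny all

def connect_diff(ports):
    """Ports whose CONNECT verdict differs between the two configs."""
    diff = {}
    for p in ports:
        before = decide("CONNECT", p, SSL_BEFORE)
        after = decide("CONNECT", p, SSL_AFTER)
        if before != after:
            diff[p] = (before, after)
    return diff

if __name__ == "__main__":
    for port, (before, after) in connect_diff([25, 80, 443, 1494, 2598, 8080]).items():
        print(f"CONNECT to port {port}: {before} -> {after}")
```

The only verdicts that change are CONNECT tunnels to ports 80, 1494 and 2598, which the modified SSL_ports line now permits to any destination host for authenticated users.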
