Hello everybody,

We are trying to replace the old NFUSE reverse proxy with Squid 3.0. Most backend servers work fine (OWA, IIS, Cognos); only Citrix won't work. We can reach the WI interface and the applications are shown, but when you try to start any application in WI, we get a timeout.

These messages in my access.log show a Citrix connection on Squid:

access.log on Squid 3.0

1203953393.347 8 85.0.144.114 TCP_MISS/302 950 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launcher.aspx? - FIRST_UP_PARENT/30.209.130.25 text/html
1203953393.347 8 85.0.144.114 TCP_MISS/302 950 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launcher.aspx? - FIRST_UP_PARENT/30.209.130.25 text/html
1203953394.402 860 85.0.144.114 TCP_MISS/200 2767 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launch.ica? - FIRST_UP_PARENT/30.209.130.25 application/x-ica
1203953394.402 860 85.0.144.114 TCP_MISS/200 2767 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launch.ica? - FIRST_UP_PARENT/30.209.130.25 application/x-ica
1203953394.954 1 85.0.144.114 TCP_MISS/503 0 CONNECT 30.210.35.22:1494 - FIRST_UP_PARENT/30.210.35.22 -
1203953394.954 1 85.0.144.114 TCP_MISS/503 0 CONNECT 30.210.35.22:1494 - FIRST_UP_PARENT/30.210.35.22 -

I compiled Squid with SSL and disable-internal-dns

Squid3 conf
-----------------------------------------------------------------------------
# SSL
https_port 443 cert=/etc/squid/certs/bell.ch-cert.pem key=/etc/squid/certs/bell.ch-key.pem defaultsite=citrix1.bell.ch vhost
ssl_unclean_shutdown on

# Squid listens on...
#http_port 80 accel defaultsite=vm-iis01 vhost
# http_port 80 accel defaultsite=citrix1.bell.ch vhost
#http_port 1494 accel defaultsite=citrix1.bell.ch vhost

# Authentication
auth_param basic program /usr/local/libexec/squid_radius_auth -p 1645 -f /etc/squid/squid_radius_auth.conf
auth_param basic children 5
auth_param basic realm Squid Reverse Proxy
auth_param basic credentialsttl 5 minute
auth_param basic casesensitive off

# Auth ACL
acl radius-auth proxy_auth REQUIRED
http_access allow radius-auth
#http_access allow all

# Citrix ACL
acl citrix_1494 port 1494
http_access allow citrix_1494

# Define internal backend servers
# cache_peer over SSL
# Server 1 wi
cache_peer 30.209.130.25 parent 80 0 no-query originserver front-end-https=on login=PASS name=vhost1
acl vhost1_domains dstdomain wi1.bell.ch wi1.bell-gruppe.ch
cache_peer_access vhost1 allow vhost1_domains
http_access allow vhost1_domains

# Server 2 mycognos
cache_peer 30.203.134.26 parent 80 0 no-query originserver login=PASS name=vhost2
acl vhost2_domains dstdomain mycognos1.bell.ch
cache_peer_access vhost2 allow vhost2_domains
http_access allow vhost2_domains

# Server 3 myintranet
cache_peer 30.203.34.45 parent 80 0 no-query originserver login=PASS name=vhost3
acl vhost3_domains dstdomain myintranet1.bell.ch
cache_peer_access vhost3 allow vhost3_domains
http_access allow vhost3_domains

# Server 4 mymail
cache_peer 30.210.33.64 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on login=PASS name=vhost4
acl vhost4_domains dstdomain mymail1.bell.ch
cache_peer_access vhost4 allow vhost4_domains
http_access allow vhost4_domains

# Server 5 citrix
cache_peer 30.210.35.22 parent 443 0 no-query originserver login=PASS name=vhost5
acl vhost5_domains dstdomain citrix1.bell.ch
cache_peer_access vhost5 allow vhost5_domains
http_access allow vhost5_domains
#http_access allow citrix_1494

#Access Control List
# Server ACL's
acl webserver dst 30.209.130.14 30.210.33.64 30.238.33.12 30.203.5.22 30.210.33.89 30.203.134.26 30.209.130.25 30.210.35.22

#Connection ACL
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl local src 30.0.0.0/255.0.0.0
acl to_localhost dst 127.0.0.0/8

# Port ACL
acl Safe_ports port 80 443 1494 2598 # http
acl SSL_ports port 443 1494 2598 # https
acl purge method PURGE
acl CONNECT method CONNECT

# ACLs for access from outside
acl url_allow url_regex -i ^https://mymail1.bell.ch/exchange.*$
acl url_allow url_regex -i ^https://mymail1.bell.ch/rpc/rpcproxy.dll.*$
acl url_allow url_regex -i ^https://mymail1.bell.ch/exchweb.*$
acl url_allow url_regex -i ^https://mymail1.bell.ch/.*$

#Access Control List
# http access
http_access allow CONNECT SSL_ports
http_access allow CONNECT Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow webserver
miss_access allow all
miss_access allow webserver
http_access allow url_allow
http_access allow SSL_ports
http_access deny !Safe_ports
http_access deny !SSL_ports
http_access deny all
miss_access deny all
http_access deny manager
never_direct allow all

# no caching
no_cache deny all
#header_access X-Cache deny all
#header_access X-Cache-Lookup deny all
#header_access X-Squid-Error deny all
#header_access Via deny all
#header_access Server deny all
visible_hostname remotelogin.bell-gruppe.ch
deny_info TCP_RESET all

# Tuning, Debug, Logs
debug_options ALL,1 33,2
cache_dir ufs /var/spool/squid 1800 256 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_effective_user proxy
cache_effective_group proxy
cache_mgr *
access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid

# timeout and error handling
retry_on_error on
read_timeout 15 minutes
half_closed_clients off
memory_pools on
positive_dns_ttl 24 hours
negative_dns_ttl 30 seconds
request_timeout 60 seconds
connect_timeout 4 hours
pconn_timeout 4 hours
ie_refresh on
emulate_httpd_log off
log_ip_on_direct on
error_directory /etc/squid/errors/
-----------------------------------------------------------------------------

Squid is compiled with SSL enabled and disable-internal-dns.

What am I doing wrong or missing? Can someone help ...

Thx.

best regards
Patrick
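An added triage example, not part of the original post: a small parser for the native Squid access.log format that collapses the repeated entries in the excerpt above and isolates the tunnel request that fails after `launch.ica` is delivered. The function names and the `web_ports` parameter are assumptions made for this illustration; the sample lines are copied from the post.

```python
import re

# Squid native access.log fields:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Log lines as they appear in the post (each entry is present twice).
SAMPLE = """\
1203953393.347 8 85.0.144.114 TCP_MISS/302 950 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launcher.aspx? - FIRST_UP_PARENT/30.209.130.25 text/html
1203953393.347 8 85.0.144.114 TCP_MISS/302 950 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launcher.aspx? - FIRST_UP_PARENT/30.209.130.25 text/html
1203953394.402 860 85.0.144.114 TCP_MISS/200 2767 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launch.ica? - FIRST_UP_PARENT/30.209.130.25 application/x-ica
1203953394.402 860 85.0.144.114 TCP_MISS/200 2767 GET http://wi1.bell.ch/Citrix/AccessPlatform/site/launch.ica? - FIRST_UP_PARENT/30.209.130.25 application/x-ica
1203953394.954 1 85.0.144.114 TCP_MISS/503 0 CONNECT 30.210.35.22:1494 - FIRST_UP_PARENT/30.210.35.22 -
1203953394.954 1 85.0.144.114 TCP_MISS/503 0 CONNECT 30.210.35.22:1494 - FIRST_UP_PARENT/30.210.35.22 -
"""

def parse(text):
    """Return parsed entries in order; exact repeated lines are collapsed."""
    seen, entries = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or line in seen:
            continue
        seen.add(line)
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries

def failed_tunnels(entries, web_ports=(443,)):
    """CONNECT requests answered with a 5xx; the URL field is host:port."""
    hits = []
    for e in entries:
        if e["method"] == "CONNECT" and e["status"] >= 500:
            host, _, port = e["url"].rpartition(":")
            hits.append({"client": e["client"], "host": host, "port": int(port),
                         "status": e["status"], "peer": e["peer"],
                         "non_web_port": int(port) not in web_ports})
    return hits

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e["method"], e["url"], e["code"], e["status"], e["ctype"])
    print(failed_tunnels(parse(SAMPLE)))
```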