CSG publishing DNAT

Hi,

We have this strange issue which I don't get.

We are replacing our custom-made firewalls with Astaros. We have 2 Citrix Gateway clusters (CSG for short): one without token authentication and another with token authentication integrated.

I've published both of them on their own additional unique external IP address using DNAT (externaladdress1:443 → CSG_with_token:443 and externaladdress2:443 → CSG_without_token:443).
The DNAT with token has an automatic firewall rule to allow any; the DNAT without token is only accessible to a group of known IP addresses.
During testing everything was OK, but when we switched our production over to the Astaro there was a strange issue.

Some people couldn't connect to the CSG with tokens, while other people could. In the firewall log we could see blocked traffic CSG_with_token:443 → external client ip:random port.

After adding a NAT rule (source: CSG_with_token, interface: External, use address: corresponding external additional address), there were fewer blocked connections, but they were still there.
After adding an additional firewall rule to allow HTTPS server traffic (CSG_with_token:443 → any:any_port), no traffic got blocked anymore.
During this time of partial blocking I could see TIME_WAIT connections to the blocked IP address on the web server using netstat.

The part that I don't get is why we need this extra NAT rule, and why it seems to work for some people but not everyone. The other CSG without the tokens didn't seem to have these problems, but I added the rules for this service just to be sure there wouldn't be any problems if it did occur. The only thing that I can think of is that the CSG with token authentication somehow initiates the communication. That would cause the traffic to go over the default external IP address. But why for some connections and not all?

The second part I don't get is why I need to add the extra firewall rule, the automatic
Anybody any ideas?

Eric
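One mechanism consistent with the log lines Eric describes, shown as an added toy model that is not from the post and not Sophos/Astaro code: a segment the CSG sends after the firewall's tracked state for that session is gone (for example while the server socket is still in TIME_WAIT) no longer matches a reply, so it is evaluated as a new outbound flow from CSG_with_token:443, which needs an allow rule to pass at all and an SNAT rule to leave from the published address rather than the primary one. The addresses, the expiry step and the conntrack behaviour are assumptions of the model.

```python
# Toy model of stateful DNAT handling (added illustration, not Astaro/Sophos code).
# Addresses below are constructed examples, not the poster's real ones.
EXT_PRIMARY = "203.0.113.10"   # primary address of the external interface
EXT_TOKEN = "203.0.113.11"     # additional external address published for the token CSG
CSG_TOKEN = "10.0.0.21"        # internal CSG with token authentication
CLIENT = "198.51.100.7"        # an external client


class Firewall:
    def __init__(self, snat=None, outbound_allow=()):
        self.dnat = {(EXT_TOKEN, 443): (CSG_TOKEN, 443)}  # published service
        self.snat = snat or {}                     # internal ip -> external ip for new outbound flows
        self.outbound_allow = set(outbound_allow)  # (src ip, src port) allowed to open outbound flows
        self.conntrack = {}                        # (int ip, int port, client, client port) -> public ip

    def inbound(self, src, sport, dst, dport):
        """Client -> published address: apply DNAT and record the flow."""
        target = self.dnat.get((dst, dport))
        if target is None:
            return "DROP"
        self.conntrack[(target[0], target[1], src, sport)] = dst
        return f"DNAT {target[0]}:{target[1]}"

    def outbound(self, src, sport, dst, dport):
        """Internal host -> external: either the reply of a tracked flow or a brand-new flow."""
        public = self.conntrack.get((src, sport, dst, dport))
        if public is not None:
            return f"ACCEPT reply from {public}:{sport}"            # un-DNAT, no rule lookup needed
        if (src, sport) not in self.outbound_allow:
            return f"DROP new flow {src}:{sport} -> {dst}:{dport}"  # the entry seen in the firewall log
        public = self.snat.get(src, EXT_PRIMARY)                   # without an SNAT rule the primary address is used
        return f"ACCEPT new flow from {public}:{sport}"

    def expire(self, src, sport, dst, dport):
        """Tracked state timed out or was flushed; the server socket may still be in TIME_WAIT."""
        self.conntrack.pop((src, sport, dst, dport), None)


def late_segment(snat=None, outbound_allow=()):
    """A client session is set up, the tracked state disappears, then the CSG sends one more segment."""
    fw = Firewall(snat, outbound_allow)
    fw.inbound(CLIENT, 51000, EXT_TOKEN, 443)
    fw.expire(CSG_TOKEN, 443, CLIENT, 51000)
    return fw.outbound(CSG_TOKEN, 443, CLIENT, 51000)
```

Only the combination of the allow rule and the SNAT rule lets the late segment reach the client from the address it connected to; the allow rule alone sends it out from the primary address, which the client never talked to.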
