Re: [squid-users] special configuration of squid for connections with citrix clients?

2014-07-08 Thread Stephen Borrill
On 08/07/2014 16:13, andreas.resc...@mahle.com wrote:
 Hello there,
 
 is there a special configuration of squid to allow connections from a 
 Citrix ICA client to go through the proxy? We're not able to connect the 
 Citrix ICA client (Web) through our squid proxy to a Citrix server outside 
 on the internet. With the Microsoft ISA Proxy it does.
[snip]

What are you connecting to at the other end? Access Gateway, NetScaler,
Secure Gateway or just Web Interface?

The first three will tend to just tunnel all ICA and CGP traffic over port
443. The last could use any ports, as defined within its secure access
section.

-- 
Stephen


Re: [squid-users] special configuration of squid for connections with citrix clients?

2014-07-08 Thread Eliezer Croitoru

Hey Andreas,

What do you see in the access.log when you try to access the website?
Also try to change the behavior of:
http://www.squid-cache.org/Doc/config/forwarded_for/

Eliezer

On 07/08/2014 06:13 PM, andreas.resc...@mahle.com wrote:

Hello there,

is there a special configuration of squid to allow connections from a
Citrix ICA client to go through the proxy? We're not able to connect the
Citrix ICA client (Web) through our squid proxy to a Citrix server outside
on the internet. With the Microsoft ISA Proxy it does.

Our squid.conf:
bgstproxyls01:~ # cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

acl snmppublic snmp_community squid
snmp_port 3401
snmp_incoming_address 10.143.153.27
snmp_outgoing_address 10.143.153.27
snmp_access allow all
client_db off
half_closed_clients off
via off
cache_mem 4096 MB
ipcache_size 2028
fqdncache_size 2048

hosts_file /etc/hosts

memory_pools off
maximum_object_size 50 MB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
buffered_logs on

dns_nameservers 10.20.94.32
# acl manager proto cache_object
# acl localhost src 127.0.0.1 # ::1
# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range

acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# new
acl SSL method CONNECT
acl CONNECT method CONNECT


# permitted sites that need no internet authorization
acl open-sites dstdomain /etc/squid/open-sites.txt
# permitted sites that need no internet authorization

# forbidden sites
acl denied-sites url_regex /etc/squid/denied-sites.txt
acl selling-sites url_regex /etc/squid/selling-sites.txt

acl social-sites url_regex /etc/squid/social-sites.txt
# forbidden sites
acl allowedurls dstdomain /etc/squid/bypass.txt

external_acl_type LDAPLookup children-startup=10 children-idle=30 children-max=80 ttl=600 negative_ttl=30 %LOGIN /usr/sbin/ext_ldap_group_acl -d -b dc=behrgroup,dc=net -D "CN=BGST-S-SQUID,OU=Service Accounts,OU=bgst,OU=de,DC=behrgroup,DC=net" -W /etc/squid/ppp -f "(&(objectclass=user)(sAMAccountName=%v)(memberof:1.2.840.113556.1.4.1941:=CN=%a,OU=groups,OU=Proxy,OU=Global Groups,DC=behrgroup,dc=net))" -h 10.20.94.32


## DEBUGGING

#debug_options 28,9
#debug_options ALL,5 33,2 28,9 44,3

# local & manager
http_access allow manager localhost
http_access deny manager

# only safe & SSL ports from here on
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


deny_info http://bgstproxyls01/denied.html denied-sites


# Squid normally listens to port 3128
http_port 3128


# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BEHRGROUP.NET
auth_param ntlm children 128
auth_param ntlm keep_alive off


# time-of-day control for India
acl indien proxy_auth external LDAPLookup GGPY-LO-Web-Time-Limited
acl DAY time 05:30-13:30
# time-of-day control for India
acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
acl auth proxy_auth REQUIRED
# allow specific IP addresses
acl permitt_ips src 10.143.10.247/32
acl FTP proto FTP
acl PUT method PUT

# whitelist
http_access allow open-sites all
http_access allow localhost
http_access allow permitt_ips !denied-sites !social-sites
http_access allow indien DAY
http_access deny indien
http_access deny !chkglwebhttp
http_access allow selling-sites sellingUser
http_access allow social-sites socialUser

# Reject denied sites unless the user is also in allforbUser
http_access allow denied-sites allforbUser

Re: [squid-users] special configuration of squid for connections with citrix clients?

2014-07-08 Thread Amos Jeffries

On 2014-07-09 03:13, andreas.resc...@mahle.com wrote:

Hello there,

is there a special configuration of squid to allow connections from a
Citrix ICA client to go through the proxy? We're not able to connect the
Citrix ICA client (Web) through our squid proxy to a Citrix server outside
on the internet. With the Microsoft ISA Proxy it does.


The key things to know are whether the client software supports an HTTP 
proxy, whether it transfers over HTTP requests (i.e. some form of REST 
protocol) or via CONNECT tunnels, and what ports are involved. Once you 
know those you can tune the Squid ACLs to check for just about anything 
in the client traffic and permit/deny as you please.


Amos
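A worked example added to this thread (not code from any of the posters or from the Squid project): a small Python script that does the access.log check Eliezer asks for and the port inventory Amos describes. It parses Squid's native access.log format, picks out the CONNECT requests, and reports, per destination host:port, how many were tunnelled and how many hit TCP_DENIED, flagging ports that fall outside the SSL_ports ACL of the posted config (443 only), which its "http_access deny CONNECT !SSL_ports" rule rejects. The log lines, host name, client address and user name embedded below are constructed sample data, not taken from the original posts; the ICA (1494) and CGP (2598) ports are the well-known Citrix defaults, used here only as sample values.

```python
#!/usr/bin/env python3
"""Summarise CONNECT attempts in a Squid native-format access.log.

Added illustration for the squid-users thread above, not code from the
posters or the Squid project.  The log lines, host name, client address
and user name below are constructed sample data.
"""
import re
import sys
from collections import defaultdict

# Squid native log: time elapsed client action/status size method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: tunnel attempts to the ICA (1494) and CGP (2598) ports
# are refused, while the tunnel to 443 passes the posted SSL_ports rule.
SAMPLE_LOG = """\
1404835200.123     45 10.143.10.50 TCP_DENIED/403 3945 CONNECT citrix-gw.example.net:1494 jdoe HIER_NONE/- text/html
1404835201.456    230 10.143.10.50 TCP_MISS/200 1234 GET http://www.example.net/ jdoe HIER_DIRECT/203.0.113.10 text/html
1404835202.789   1200 10.143.10.50 TCP_TUNNEL/200 65536 CONNECT citrix-gw.example.net:443 jdoe HIER_DIRECT/203.0.113.10 -
1404835203.001     12 10.143.10.50 TCP_DENIED/403 3945 CONNECT citrix-gw.example.net:2598 jdoe HIER_NONE/- text/html
1404835203.002     12 10.143.10.50 TCP_DENIED/403 3945 CONNECT citrix-gw.example.net:1494 jdoe HIER_NONE/- text/html
"""


def parse_line(line):
    """Return the fields of one native-format log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["action"].startswith("TCP_DENIED")
    return rec


def connect_target(url):
    """Split the 'host:port' of a CONNECT request; the port defaults to 443 when absent."""
    host, sep, port = url.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return url, 443


def summarize_connects(lines, ssl_ports=frozenset({443})):
    """Per (host, port): allowed/denied CONNECT counts and whether the port
    lies outside the SSL_ports ACL, which 'deny CONNECT !SSL_ports' rejects."""
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0, "outside_ssl_ports": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = connect_target(rec["url"])
        entry = stats[(host, port)]
        entry["denied" if rec["denied"] else "allowed"] += 1
        entry["outside_ssl_ports"] = port not in ssl_ports
    return dict(stats)


def report(stats):
    """Human-readable lines, most-denied targets first."""
    out = []
    for (host, port), e in sorted(stats.items(), key=lambda kv: -kv[1]["denied"]):
        note = "  <- not in SSL_ports" if e["outside_ssl_ports"] else ""
        out.append(f"{host}:{port}  allowed={e['allowed']} denied={e['denied']}{note}")
    return out


def main(argv):
    # With a path argument the real access.log is read; otherwise the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print("\n".join(report(summarize_connects(lines))))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 connect_summary.py /var/log/squid/access.log` (or with no argument to see the sample). A target that shows up with denied counts and the "not in SSL_ports" flag is exactly the case both replies point at: the client is tunnelling on a port the config never allowed for CONNECT, so the fix belongs in the SSL_ports/Safe_ports ACLs rather than anywhere else. If the Citrix traffic is all on 443 and still fails, the tunnel is not the problem and the remaining http_access rules (authentication, the LDAP group checks) are the next thing to look at.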