Internet Related/Filtering/Firewall Thread, Smoothwall with Citrix/Terminal Server in Technical
  1. #1
    cookie_monster

    Smoothwall with Citrix/Terminal Server

    Is anyone here using Smoothwall with Citrix or terminal server clients?


    We have had our Smoothwall set up to use NTLM authentication as this was the only way to support TS users. We have also had some location groups set up so we could turn the internet on or off in rooms; this has been working for our thin clients and normal Windows clients. On Friday this stopped working in the rooms with thin clients, and when I called Smoothwall they told me that it's not possible to manage thin client internet this way.


    I'm a bit confused as we've had it working. Has anyone else got their Smoothwall set up to allow them to ban thin client devices? (Or am I just going mad)

    Thanks.

  2. #2


    tom_newton
    Would have to know a bit more about your situation.
    The "per room" stuff is identified by hostname or IP - so long as your thin devices are browsing from an identified IP (even if it is DHCP, as long as you have the hostname constant and with a reverse DNS lookup..) that's fine. Indeed if this is the case, all methods of authentication should work, not just those marked "terminal services" (which basically means it reauthenticates each session, rather than caching an IP/username pair for any amount of time).

    If you let me know your ticket number (or PM me your details) I will have it looked into further.

    Tom

  3. #3

    If you're using internet exploder in a TS environment, I wouldn't see this being possible as the client IP will be that of the TS and not the TC (so you'd identify the TS). I can't say I've ever had it working (though I would certainly like it to). If there is a way, it would be great if someone could pass the info on.

    Cheers

    Will

  4. #4
    cookie_monster
    Quote Originally Posted by Willott View Post
    If you're using internet exploder in a TS environment, I wouldn't see this being possible as the client IP will be that of the TS and not the TC (so you'd identify the TS). I can't say I've ever had it working (though I would certainly like it to). If there is a way, it would be great if someone could pass the info on.

    Cheers

    Will

    Yes, that's what I always thought. I'm aware that the Citrix box generates the traffic, but as I'm sure I've seen this working I was thinking that maybe NTLM was allowing Smoothwall to know what client a user was using, as Citrix shows the clientname.

  5. #5
    cookie_monster
    Hmm I wonder if Virtual IP might be what we're looking for.


  6. #6

    rob_f
    That looks like the one, or -> Virtual IP addressing in Citrix Presentation Server 4.0

    I'd suggest it's a good idea in general, but obviously doubles up your IP address space (i.e. 1 IP per thin client + 1 IP client session) - not really read into any other potential implications.

    Did you ask this on tek-tips too? (Citrix solutions - Unique IP address for each client) Set up a VPN for them!? That'll learn you to stray from the 'geek

  7. #7

    rob_f
    Now here's a question, if you're assigning your sessions unique IPs how do you know which session IP is in which room? Do you have a server-per-room?

    I'm intrigued as to how it worked before... didn't you say on another thread (or it might have been to nile) that it stopped working when you turned on HTTPS interception? Does it start working again if you turn that off?

    Thanks!


    Rob.

  8. #8
    cookie_monster
    Quote Originally Posted by rob_f
    That looks like the one, or -> Virtual IP addressing in Citrix Presentation Server 4.0

    I'd suggest it's a good idea in general, but obviously doubles up your IP address space (i.e. 1 IP per thin client + 1 IP client session) - not really read into any other potential implications.

    Did you ask this on tek-tips too? (Citrix solutions - Unique IP address for each client) Set up a VPN for them!? That'll learn you to stray from the 'geek

    Yes, I suppose as you say one issue will be using twice as many IPs.

    Yes, I thought I'd cast my net over Tek-Tips as well, caught cheating

    Quote Originally Posted by rob_f
    Now here's a question, if you're assigning your sessions unique IPs how do you know which session IP is in which room? Do you have a server-per-room?

    I'm intrigued as to how it worked before... didn't you say on another thread (or it might have been to nile) that it stopped working when you turned on HTTPS interception? Does it start working again if you turn that off?

    Thanks!

    I'm starting to doubt myself now, but myself and the IT Manager saw this working and the students were complaining as they couldn't get on the internet in lesson. We turned off the HTTPS interception but it didn't solve the issue.

  9. #9

    Shame I don't have Citrix... apparently Virtual IP is in 2008R2, but as it's 64 bit, I've got no chance of going to that any time soon due to older curric software. The IP allocation per session is also an interesting hurdle, it doesn't look like there's a way to specify IP range per clientname (unless you could do this by script?). I wonder whether we could create an addon for IE that would put in an X-Forwarded-For header with the clientname resolved to IP (or just clientname may do), and whether Smoothwall could use this for client machine identification?

  10. #10

    Fiddler Web Debugger - Script Samples

    Looks like there's a way to add headers to IE requests... it also looks like it may be able to use .NET system calls, so may be able to pick up clientname. Haven't really got time to look at it at present, but if no one else does, I'll look in the New Year.

    [edit]Looks like Fiddler's a proxy that would run on the local machine, so may not be suitable. I'll keep looking through![/edit]
    Last edited by Willott; 8th December 2009 at 10:08 AM. Reason: addition

  11. #11
    cookie_monster
    Quote Originally Posted by rob_f View Post
    Now here's a question, if you're assigning your sessions unique IPs how do you know which session IP is in which room? Do you have a server-per-room?

    I'm intrigued as to how it worked before... didn't you say on another thread (or it might have been to nile) that it stopped working when you turned on HTTPS interception? Does it start working again if you turn that off?

    Thanks!


    Rob.


    We've been having a think about it and all we can come up with is that we were somehow blocking a server IP so it gave the impression that it was working but it wouldn't have been working per location.


    I'll have a think about the virtual IP option but as stated above it might not be possible to map a particular IP to a virtual IP so you know which client is on which V IP. I've got a feeling it is though but it will take some reading.

  12. #12


    tom_newton
    Keep us posted on how you get along. If there's something you think would be a tweak we could make to help things - let me know.
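
Added example (not from the thread and not Smoothwall's code): a sketch of the per-room decision discussed in posts 2, 3 and 9, showing why a terminal-server session falls outside any room rule and how a forwarded client address could be honoured only from a known terminal server. All addresses, names and the filter logic are constructed assumptions.

```python
import ipaddress

# Constructed sample data: room subnets, the terminal server address and the
# blocked room are illustrative values, not taken from the thread.
ROOM_SUBNETS = {
    "room-a": ipaddress.ip_network("10.1.10.0/24"),
    "room-b": ipaddress.ip_network("10.1.20.0/24"),
}
TERMINAL_SERVERS = {ipaddress.ip_address("10.1.1.5")}
BLOCKED_ROOMS = {"room-a"}


def room_for(ip):
    """Return the room whose subnet contains ip, or None if it is in no room."""
    for room, net in ROOM_SUBNETS.items():
        if ip in net:
            return room
    return None


def effective_client(peer_ip, headers):
    """Pick the address a location rule should be evaluated against.

    X-Forwarded-For is honoured only when the TCP peer is a known terminal
    server; from any other peer it is untrusted, client-supplied input.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if peer in TERMINAL_SERVERS and xff:
        try:
            # Take the right-most entry: earlier entries may be client-supplied.
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer  # malformed header: fall back to the peer address
    return peer


def decide(peer_ip, headers=None):
    """Return (room, allowed) for one request seen by the filter."""
    room = room_for(effective_client(peer_ip, headers or {}))
    return room, room not in BLOCKED_ROOMS
```

A header inserted by an add-on inside the user's own session is only as trustworthy as the lockdown of that session, so a per-session virtual IP assigned by the server is the stronger identifier of the two.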
