Unable to tunnel application via http

Discussion in 'Parallels Remote Application Server' started by benitom25, Aug 13, 2006.

  1. benitom25

    benitom25 Guest

    Hi,

    I have installed Application Server 3.7 on a Windows 2003 R2 server (ip 10.0.0.10). I have setup IIS to listen on port 81 on this machine (set up the MIME settings in IIS too) and enabled the proxy functionality of the 2X Application Server (enabled on port 80). I set up the Application Startup Mode to "Via 2X Proxy Gateway" and defined my public DNS entry (say: app.mydomain.com).
    My network is protected by an ISA 2004 server. In ISA I have set up a web publishing rule for app.my.domain.com to forward http requests to 10.0.0.10 (port 80).
    The webpage publishing the applications is hosted by www.mydomain.com for which I have also setup an ISA web publishing rule. Requests for www.mydomain.com are forwarded to 10.0.0.11.
    When I open a web browser on a public machine (on the internet) and connect to www.mydomain.com I get connected to the webpage providing the applications, so this works as expected. But whenever I click on a link to an application, the application server client starts up and immediately I get an "Internal error <3334>" message.
    When I save the shortcut and open it in notepad, I see the following content:

    <App><Connection><Port>80</Port><PrimaryServer>app.mydomain.com</PrimaryServer><Proxy>1</Proxy></Connection><Logon><AutoLogon>false</AutoLogon><Domain>MYDOMAIN</Domain></Logon><Startup><OverrideParams></OverrideParams><PublishedApp>Excel</PublishedApp><StartMode>1</StartMode></Startup></App>

    This file (app0001.2xa) seems to be right, but I am not able to start the application tunneling on port 80.

    When I try it from within my LAN, it doesn't work either, but when I start the 2X application client on an internal workstation I can start the application without any issue.
    So the application server is working fine, but the tunneling via port 80 doesn't seem to work.
    I can't figure out what I'm doing wrong, so I hope anyone can point me in the right direction.

    Note: I have installed the application server client on all workstations I mentioned above, so also on the external client (connected to the internet).

    TIA,

    Benito
     
  2. Lee

    Lee Guest

    <App><Connection><Port>80</Port><PrimaryServer>app.mydomain.com</PrimaryServer><Proxy>1</Proxy></Connection><Logon><AutoLogon>false</AutoLogon><Domain>MYDOMAIN</Domain></Logon><Startup><OverrideParams></OverrideParams><PublishedApp>Excel</PublishedApp><StartMode>1</StartMode></Startup></App>

    would usually indicate that the mime header is either not setup or setup incorrectly.
     
  3. benitom25

    benitom25 Guest

    OK, I will look into that, but I don't think that's the issue, because I did configure the MIME settings in IIS 6 as described on your website.

    Benito
     
  4. benitom25

    benitom25 Guest

    Could you post an example of how this file would look with correct MIME settings?

    TIA,

    Benito
     
  5. Lee

    Lee Guest

    With the correct MIME settings it will bring up the client dialog to enter username and password,

    and then connect to the seamless application.
     
  6. benitom25

    benitom25 Guest

    Sorry, I forgot to mention that I do get a box to enter my credentials.
    When I enter my credentials (actually I do not have to enter anything, because it is all filled in) and press Connect, I almost immediately get Internal Error <3334>.
    In order to troubleshoot this issue, I did not left-click the shortcut, but right-clicked it and saved it to my desktop. After that I opened the downloaded file with Notepad to see what's in it.
    So I assume that the MIME settings are correct.

    Benito
     
  7. benitom25

    benitom25 Guest

    OK, well it seems to go wrong at ISA 2004.
    When I try to connect from an internal client and click on the link to the application, I get a Logon-box where I can enter my credentials (as mentioned earlier, all things are already filled in). This looks like this:

    Server: app.mydomain.com
    Username: user1
    Pass: *********
    Domain: MyDomain

    When I press "Connect" I almost immediately get the "Internal Error <3334>" message, but when I replace app.mydomain.com with the internal IP address of the 2xSRV (the server on which the 2X Application Server is installed) and click on "Connect", I get the application I expect. This shows me that the proxy is working fine (as said before, I right-clicked the shortcut and saved the .2xa file. I opened it in Notepad and see the <Port>80</Port> and <Proxy>1</Proxy> entries).

    When I try to connect from an external client, almost immediately after clicking on "Connect", I get "Internal Error <3334>".
    On this external client I leave the server name as app.mydomain.com, which is indeed an already registered external DNS A-record. I am able to resolve this name to an IP address on this external client.

    All external traffic is going through a router which forwards all traffic arriving at port 80 and 443 to my ISA 2004 server.

    When I check the ISA logging, I can see the following occur:

    Original Client IP Server Name Transport Source Port Processing Time Bytes Sent Bytes Received Result Code Cache Information Error Information Log Record Type Log Time Client IP Destination IP Destination Port Protocol Action Source Network Destination Network HTTP Method URL
    xxx.xxx.xxx.xxx 2xSRV TCP 1190 0 0 0 0x0 0x0 0x0 Firewall 15-8-2006 20:40 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy 80 HTTP Initiated Connection External Local Host - -
    xxx.xxx.xxx.xxx 2xSRV TCP 1190 0 307 4510 0x80074e20 0x0 0x0 Firewall 15-8-2006 20:40 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy 80 HTTP Closed Connection External Local Host - -
    NOTE: xxx.xxx.xxx.xxx is the IP address of the external client
    yyy.yyy.yyy.yyy is the IP address of the ISA firewall

    In ISA 2004 I have set up 2 Web Publishing Rules:

    www.mydomain.com, which redirects requests on port 80 for this domain to my webserver (port 81 on the 2xSRV server). This works fine, because I get the page which gives me the shortcuts to the published applications.

    app.mydomain.com, which redirects requests on port 80 for this domain to the 2X Proxy (port 80 on the 2xSRV server).

    It looks like this is the bottleneck, because requests are not passed to server 2xSRV on port 80 (when I click on Connect in the Logon box). They seem to get stuck on the ISA 2004 server.
    Is it possible to redirect (bridge) HTTP requests from the 2X Application Client with a Web Publishing Rule in ISA 2004? Other web-based applications are working fine this way (even if they are listening on ports other than the default HTTP(S) ports; this is accomplished by bridging requests based on the host header in ISA).
    If this isn't the right way, can someone tell me how I can accomplish it? I only have 1 public IP address and am serving other web applications/pages on port 80 and 443.

    Benito.
     
  8. benitom25

    benitom25 Guest

    As mentioned earlier, the problem lies within ISA. ISA 2004 can't handle the HTTP packet sent from the 2x App client.

    Is it possible to use HTTPS instead of HTTP when using the 2X App proxy? Because this way I can set up ISA to use HTTPS tunneling, so ISA won't inspect the packet but directly pass it on to the 2X Proxy. Citrix Secure Gateway works this way.

    Benito.
     
  9. ITF1

    ITF1 Guest

    Hi,
    maybe you can disable some of the HTTP filter criteria for the 2X publishing rule.

    Regards
    Anthony
     
  10. Masud

    Masud Guest

    Hi,

    the main problem isn't ISA. The main problem lies obviously in the architecture of the 2X Application Server and its protocol. :(
    In order to distinguish between an HTTP packet (which the Application Server sends to IIS) and a tunneled RDP packet (which goes to the TS) they have apparently changed a byte of the HTTP header. If your 2X Appserv is behind an application layer FW (or a stateful inspection FW with application-level filtering ability like ISA) you have a problem with your 2X Client. In this case the sent request will be identified as a non-HTTP packet and will be dropped, as it isn't a "pure" HTTP packet. It is a potential attack.
    If you use some application layer FW you will see some log entries like:
    illegal protocol detected, ... , An illegal character (0x02) was found at position 1 in the request. This character doesn't accomplish RFC2068, RFC1738, and RFC1808.
    So, if you want to use 2X Appserv behind an ISA FW the best way is to define a new incoming protocol on port 80. Then define a rule with that protocol. A web publishing rule in ISA doesn't work with 2X Appserv, as 2X hasn't got pure HTTP, so the packet gets dropped. Neither can you get a connection from a 2X Client to the 2X Appserver if your client has to be behind a proxy. It still hasn't got the ability to use a proxy. It needs a direct connection. I guess the reason is the same.
    If somebody from 2X reads this forum, I will be thankful to know if proxy support is planned.

    Regards

    Masud
     
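To make Masud's explanation concrete, here is a small added example (not code from the thread, from 2X or from ISA) that mimics what an application-layer HTTP filter does with the first line of an inbound frame: a request line must start with a method token, so a frame whose first byte is 0x02 is rejected at position 1 exactly as the quoted log entry says. The sample frames are constructed; the real 2X wire format is not documented in this thread.

```python
"""Added example: a minimal request-line check in the spirit of an
application-layer HTTP filter, showing why a web publishing rule passes
browser traffic but drops the 2X client's tunnel frames.
Sample frames are constructed, not captured from a real 2X client."""
import re

# RFC 2068 tspecials; a token is any CHAR except CTLs and these.
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')

# Request-Line = Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/\d\.\d\r\n")


def first_illegal_char(request_line: bytes):
    """Return (position, byte) of the first character that cannot appear
    in an HTTP method token, or None if the token is clean. Positions are
    1-based, matching the style of the ISA log line quoted above."""
    for pos, b in enumerate(request_line, start=1):
        if b == 0x20:                      # SP terminates the method token
            return None
        if b < 0x20 or b > 0x7E or chr(b) in TSPECIALS:
            return pos, b
    return None


def classify(frame: bytes) -> str:
    """Give the filter's verdict on the first line of an inbound frame."""
    line = frame.split(b"\r\n", 1)[0] + b"\r\n"
    if REQUEST_LINE.match(line):
        return "http: pass"
    bad = first_illegal_char(line)
    if bad is None:
        return "http: malformed request line"
    pos, b = bad
    return f"illegal character (0x{b:02x}) at position {pos}: dropped"


# Constructed samples: a browser request for the portal page, and a
# tunnel frame whose first byte is 0x02, as the quoted log entry reports.
BROWSER = b"GET /index.html HTTP/1.1\r\nHost: www.mydomain.com\r\n\r\n"
TUNNEL = b"\x02GET / HTTP/1.1\r\nHost: app.mydomain.com\r\n\r\n"

if __name__ == "__main__":
    for name, frame in (("browser", BROWSER), ("tunnel", TUNNEL)):
        print(f"{name}: {classify(frame)}")
```

A plain TCP (server publishing) rule, as Masud suggests, never runs this check, which is why it passes the frame that the HTTP filter drops.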
  11. benitom25

    benitom25 Guest

    Hi Masud,

    Thanks for your reply. Another question though. When I define another incoming protocol on port 80, is it still possible to use the web publishing rules for my websites? The reason I tried to use a web publishing rule is that I only have 1 IP address, and using web publishing rules you can filter incoming packets based on host header. This way I can route packets to the right machine hosting that specific website.
    If so, should I set up a rule using this new protocol after the web publishing rules?

    TIA,

    Benito
     
  12. Masud

    Masud Guest

    Dear Benito,

    you cannot publish two apps on the same port of the firewall. The solution is simply to set the 2X Appserver on another port, define this port on ISA and make an allow rule for that port.

    If I can be of any further help, please feel free to write again or write directly to me.

    Regards
     
  13. benitom25

    benitom25 Guest

    My goal was to reach each application from anywhere on the internet, so I thought the easiest way to accomplish this is to connect using port 80 or 443, because this way a remote firewall wouldn't be the first problem I'd run into. An example of this way of working is Outlook Web Access, which uses HTTPS to connect to an Exchange server, or Outlook RPC over HTTP(S), which also uses the HTTPS protocol. Another is a web-based application like Remotely Anywhere (which gives you the opportunity to manage a remote server via a webpage using the HTTP(S) protocol). This way I can simply use a web publishing rule, so it doesn't matter that I only have 1 IP address, because ISA is able to filter the traffic based on the host header. This works excellently. I wondered if this was also possible with 2X AppServer using the proxy capabilities, but after your replies I doubt that this is possible in my current set-up, using only the ports 80 and 443.
    In case I am wrong, please let me know how to accomplish this.

    Benito
     