SSL VPN Intranet IP Range & Windows Firewall Location Awareness not working
Hi All,

I'm setting up an SSL VPN for a customer for their domain-joined Windows laptops. Because they have inbound and outbound Windows Firewall policies in place, we need the firewall policy to flip from 'Public Network' to 'Domain Profile' when a VPN is successfully established.

If I configure the VPN to use the SNIP (i.e. no address pool) then the Windows Firewall immediately switches between profiles. However, with an Intranet IP pool in place it does not and remains on 'Public Network'. Unfortunately we need this working...

I've verified routing is all in place; the machine is using the same DNS settings and can resolve the domain controller FQDN and telnet to it on LDAP 389. Doing an nltest is successful, etc.

I've recreated this in a lab, so it seems to be consistent. I've tried v12 and v11 firmware, with both set up in in-line mode.

I've noticed that Windows doesn't see the VPN as a dedicated adapter, so not sure if this is somehow related to the issue?

Any ideas anyone, as I'm a bit stumped...
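The checks described in the post (DNS resolution of the DC, LDAP/389 reachability, nltest) plus the piece that actually decides the firewall profile, the per-adapter NLA category, can be collected in one script on the affected laptop. This is an added example, not code from the original post or from Citrix; the domain name is a placeholder and the script assumes the built-in NetTCPIP, DnsClient and NetSecurity modules that ship with Windows 8/Server 2012 and later.

```powershell
# Added example (not from the post): gather the facts NLA needs to assign the
# Domain profile over a VPN adapter, in one place, for comparison between the
# SNIP-only and Intranet-IP-pool configurations described in the thread.
# Assumption: the AD DNS domain is 'corp.example' (placeholder, replace it).
$Domain = 'corp.example'

Write-Host "== NLA category per connected adapter =="
# NetworkCategory is the NLA verdict: Public, Private or DomainAuthenticated.
# The VPN adapter should show DomainAuthenticated once the tunnel is up.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, IPv4Connectivity, NetworkCategory |
    Format-Table -AutoSize

Write-Host "== Adapters and whether Windows treats them as virtual =="
# The post notes Windows does not see the tunnel as a dedicated adapter;
# the Virtual flag shows how the adapter is registered.
Get-NetAdapter |
    Select-Object Name, InterfaceDescription, Virtual, Status |
    Format-Table -AutoSize

Write-Host "== Firewall profile state =="
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

Write-Host "== DNS: locate a DC through the _ldap SRV record =="
# NLA locates a DC via DNS before it can authenticate the domain profile,
# so the DC SRV record must resolve over the tunnel's DNS settings.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dc  = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -First 1 -ExpandProperty NameTarget
Write-Host "First DC from SRV: $dc"

Write-Host "== TCP 389 (LDAP) reachability to that DC =="
$t = Test-NetConnection -ComputerName $dc -Port 389
if (-not $t.TcpTestSucceeded) {
    Write-Warning "LDAP/389 to $dc failed over $($t.InterfaceAlias); NLA cannot confirm the domain"
} else {
    Write-Host "LDAP/389 reachable via interface '$($t.InterfaceAlias)' from $($t.SourceAddress.IPAddress)"
}

Write-Host "== DC locator and secure channel =="
nltest /dsgetdc:$Domain
nltest /sc_query:$Domain
```

Run it once with the SNIP-only configuration and once with the Intranet IP pool; if DNS, LDAP/389 and nltest all succeed in both runs but NetworkCategory differs, the problem is in how NLA evaluates the adapter rather than in routing or name resolution, which matches the root cause reported later in the thread.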

  • 3 weeks later...

Root cause - It turns out (according to support) that Microsoft changed the behavior of NLA in Windows 7 but reverted it back in subsequent editions of Windows.

I think it was also in combination with the way Citrix coded the driver, however, as it is seen by Windows as a virtual adapter and not a dedicated network adapter that can have Windows FW policies applied. Pulse VPN client behaves this way, as an example.

A custom fix by Citrix developers is required to modify the client behavior, but this is only for big corporate customers due to the legacy nature of Win7 now...


  • 4 months later...
On 10/2/2017 at 3:48 PM, Andrew Moss1709151939 said:

Hi All,

I'm setting up an SSL VPN for a customer for their domain-joined Windows laptops. Because they have inbound and outbound Windows Firewall policies in place, we need the firewall policy to flip from 'Public Network' to 'Domain Profile' when a VPN is successfully established.

If I configure the VPN to use the SNIP (i.e. no address pool) then the Windows Firewall immediately switches between profiles. However, with an Intranet IP pool in place it does not and remains on 'Public Network'. Unfortunately we need this working...

I've verified routing is all in place; the machine is using the same DNS settings and can resolve the domain controller FQDN and telnet to it on LDAP 389. Doing an nltest is successful, etc.

I've recreated this in a lab, so it seems to be consistent. I've tried v12 and v11 firmware, with both set up in in-line mode.

I've noticed that Windows doesn't see the VPN as a dedicated adapter, so not sure if this is somehow related to the issue?

Any ideas anyone, as I'm a bit stumped...

 

@Andymoss

May I know which version of v12 you have tested this with?

Can you give it a try with the latest 12.0 version, i.e. 12.0 56.20, with the Intranet IP pool in use?

/Puneet

  • 4 years later...
On 10/20/2017 at 11:14 AM, Andrew Moss1709151939 said:

Root cause - It turns out (according to support) that Microsoft changed the behavior of NLA in Windows 7 but reverted it back in subsequent editions of Windows.

I think it was also in combination with the way Citrix coded the driver, however, as it is seen by Windows as a virtual adapter and not a dedicated network adapter that can have Windows FW policies applied. Pulse VPN client behaves this way, as an example.

A custom fix by Citrix developers is required to modify the client behavior, but this is only for big corporate customers due to the legacy nature of Win7 now...

This is still the case with Windows 10, NS 13.0 88.14, Secure Access Client 22.3.1.5.

Microsoft Support informed us that it takes around 30 UDP packets to get a response from NetScaler; 29 packets can't even be seen in 'nstrace'. The first response is after around 1m.

@Andrew Moss, have you ever got this resolved? Did Citrix support provide a different Secure Access Client software?
