Jump to content
Welcome to our new Citrix community!

ICA session not terminated after VPN log off

Grega Zoubek

Recommended Posts

Hello gurus, 


I am facing a small challenge configuring full VPN with ICA proxy. Setting up VPN and provide user access to CVAD apps is not a problem but we cannot achive that ICA session is terminated upon GW plugin log off (manual or due to EPA post-auth). 


I have tried using following combinations:


ICA proxy OFF

Published app/WI address


Clientless OFF


VPN establishes, SSO works - we see SF apps, Store in storefront is set to Full VPN access. ICA session is not terminated after VPN is disconnected.



Home page set to SF over http

Store on Storefront is configured with no remote access (internal only)


VPN establishes, SSO DOES NOT work - user is asked for credentials again. But here ICA session is disconnected after VPN disconnection (logical...)

Is there a way to achieve SSO to SF + get ICA session disconnected when VPN tunnel is terminated?


Thank you for any thoughts in advance!


Link to comment
Share on other sites

Are StoreFront Base URL and Gateway URL the same? If so, after VPN is up, when you ping the StoreFront URL, do you get the internal IP?


Can VPN users access the Internal Beacon? Workspace app should be connecting directly to VDAs across the VPN tunnel instead of using ICA Proxy.


For Browser users, you'd have to get users to go to StoreFront instead of Gateway.

Link to comment
Share on other sites

Storefront and GW URLs are not the same.


VPN users cannot reach internal beacon (only after login).


Browser users go to SF (config in GW - Home Page), but there is no SSO. We would like to achieve SSO - once VPN is established, user is presented with SF page automatically. AFAIK this is the only option to control ICA session inside VPN tunnel

Link to comment
Share on other sites

If StoreFront is set in the Published Apps > Web Interface field, then it should SSO and show apps in the RfWebUI page. If StoreFront is set in the Client Experience > Home Page, or is a bookmark, then Citrix Gateway SSO to StoreFront only happens through VPN if the StoreFront URL is HTTP, not HTTPS, since it would be encrypted on the client-side and there's no way for Gateway to inject credentials. Otherwise, you can do a traditional StoreFront bookmark that uses Integrated Windows Auth (Kerberos/NTLM) to perform SSO to IIS.

  • Like 1
Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...