
"Forbidden, You don't have permission to access this resource" when trying to connect to Citrix GW via nginx reverse proxy



I get "Forbidden, You don't have permission to access this resource" when I try to connect to Citrix GW via an nginx reverse proxy.
If I connect directly to Citrix GW (without the nginx reverse proxy), I connect successfully.
From httpaccess-vpn.log I get:
127.0.0.2 - - [13/Nov/2021:03:35:11 +0300] [9494] "GET /logon/LogonPoint/index.html HTTP/1.0" 403 199 "-" "Mozilla/5.0 ...
From httperror.log I get:
[Sat Nov 13 04:00:00.786772 2021] [authz_core:error] [pid 9494] [client 127.0.0.1:33914] AH01630: client denied by server configuration: /netscaler/ns_gui/var
What could be the reason?
Thanks!


1) Do you have any authorization policies OR session policies with filters based on source IP or subnet? If it works without the proxy but fails with it, then maybe the "source IP" when the proxy is in use is outside the allowed source networks.

2) Check syslog for additional info about why the gateway might be denied.

Are you in full VPN mode or just ICA Proxy mode? If VPN, check the session profile for split tunnel/split DNS and associated intranet apps. It's possible the networks are not accounting for the nginx.

Without more info about where the nginx fits in the flow and what type of VPN connection you are doing... you could also do a network trace.


On 11/13/2021 at 4:32 AM, Rhonda Rowland1709152125 said:

1) Do you have any authorization policies OR session policies with filters based on source IP or subnet? If it works without the proxy but fails with it, then maybe the "source IP" when the proxy is in use is outside the allowed source networks.

2) Check syslog for additional info about why the gateway might be denied.

Are you in full VPN mode or just ICA Proxy mode? If VPN, check the session profile for split tunnel/split DNS and associated intranet apps. It's possible the networks are not accounting for the nginx.

Without more info about where the nginx fits in the flow and what type of VPN connection you are doing... you could also do a network trace.

Thanks for the ideas.
I do not have any authorization or session policies with filters based on source IP.
GW is set up in ICA Proxy mode.
Some additional info:
I configured earlier two different URLs for the same GW\StoreFront. One URL is configured directly (without nginx) and it works fine. Another one is configured via nginx (reverse proxy) and it now works fine too. Now I want to add another new URL via the same nginx reverse proxy for the same GW\StoreFront. I made all the settings the same. But now I get "Forbidden, You don't have permission to access this resource". And if I check this new URL directly without the proxy, it works. I don't understand why adding a new URL on the same proxy with a working configuration and a working configuration on the GW leads to an error.


Without understanding how you are adding the nginx URL to the flow, it's hard to say.

Is the gateway brokering access to the new URL? Then this may again be related to allowed destination networks or a routing issue.

Or is the gateway being accessed via the new nginx URL? This may then be an issue on the StoreFront side or the gateway side regarding the "source" of user traffic. Again, not enough details to begin to troubleshoot more.

I'm sorry for the confusion.
I found an error in my nginx config. In fact, the nginx + Citrix GW bundle did not work at all. User requests go to the GW by direct IP and all is good. Do you have successful experience setting up nginx (reverse proxy) + Citrix GW together? What other working ways are there to change (hide) the real IP address of the Citrix GW?
Thank you so much!


Successfully created a working configuration nginx + Citrix GW. To do this, I added SSL / TLS passthrough parameters to nginx config, i.e. disabled traffic termination to pass the encrypted data to GW. After that, the error "Forbidden, You don't have permission to access this resource" disappeared and everything worked as it should.

  • Like 1

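One way to set up the TLS passthrough described in the post above, shown as an added example; it is not the poster's configuration, which was never shared in the thread. It uses nginx's stream module so the TLS handshake terminates on the Citrix Gateway; the hostname `gateway.example.com`, the address `192.0.2.10` and the local port 8443 are placeholders.

```nginx
# Added example, not the poster's config. Hostname, addresses and ports are placeholders.
# The stream block sits at the top level of nginx.conf, beside (not inside) http {}.
# Requires nginx built with the stream and stream_ssl_preread modules.

stream {
    # Record which SNI name was routed to which upstream, for troubleshooting.
    log_format sni '$remote_addr [$time_local] sni=$ssl_preread_server_name '
                   'upstream=$upstream_addr status=$status';
    access_log /var/log/nginx/stream-sni.log sni;

    # Choose the upstream from the SNI name in the ClientHello, without decrypting.
    map $ssl_preread_server_name $gw_upstream {
        gateway.example.com   192.0.2.10:443;    # Citrix Gateway virtual server (placeholder)
        default               127.0.0.1:8443;    # everything else: nginx's own TLS sites
    }

    server {
        listen 443;
        ssl_preread on;              # read the SNI only; TLS stays end to end with the gateway
        proxy_pass $gw_upstream;     # IP literals in the map, so no resolver is needed
        proxy_connect_timeout 5s;
    }
}

# Sites that nginx still terminates itself must move off port 443 on this address,
# because the stream listener above now owns it:
#
# http {
#     server {
#         listen 127.0.0.1:8443 ssl;
#         server_name www.example.com;          # placeholder
#         ssl_certificate     /etc/nginx/tls/www.crt;
#         ssl_certificate_key /etc/nginx/tls/www.key;
#     }
# }
```

In this mode the certificate presented to users is the one bound on the gateway, and nginx cannot add headers such as X-Forwarded-For. The gateway therefore sees the proxy's address as the client source IP, which matters for any source-IP-based policy or log review on the gateway.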
  • 3 months later...
On 11/15/2021 at 9:21 AM, Konstantin Voronov1709159048 said:

Thanks for the ideas.
I do not have any authorization or session policies with filters based on source IP.
GW is set up in ICA Proxy mode.
Some additional info:
I configured earlier two different URLs for the same GW\StoreFront. One URL is configured directly (without nginx) and it works fine. Another one is configured via nginx (reverse proxy) and it now works fine too. Now I want to add another new URL via the same nginx reverse proxy for the same GW\StoreFront. I made all the settings the same. But now I get "Forbidden, You don't have permission to access this resource". And if I check this new URL directly without the proxy, it works. I don't understand why adding a new URL on the same proxy with a working configuration and a working configuration on the GW leads to an error.

Hi,

I have been trying to get nginx to work as my reverse proxy instead of ADC. How did you even get it to work with nginx?

I am very interested in any replies advising how to deliver a web app to external users using nginx.

Regards


On 11/19/2021 at 12:21 PM, Konstantin Voronov1709159048 said:

Successfully created a working configuration nginx + Citrix GW. To do this, I added SSL / TLS passthrough parameters to nginx config, i.e. disabled traffic termination to pass the encrypted data to GW. After that, the error "Forbidden, You don't have permission to access this resource" disappeared and everything worked as it should.

Please provide your config, as I believe I am also at this forbidden stage...
