FortiGate
Article Id 189479
Description
Citrix Secure Gateway Secure Ticket Authority (STA) stops working after antivirus scanning is enabled on the FortiGate unit.
Components
  • All FortiGate units.
Steps or Commands

Citrix Secure Gateway provides secure access to resources and applications hosted on a server farm. The Secure Gateway transparently encrypts ICA connections to protect against data tampering and theft. The Secure Ticket Authority (STA) is an XML Web service that exchanges MetaFrame server information for randomly generated tickets. It is used to control access for a Citrix Secure Gateway server.

This is a special application that runs between the Citrix STA, the XML service and the Secure Gateway. It was developed by Citrix to provide access control, authentication and application enumeration for MetaFrame. The processes involved are the STA and the XML service, both of which use TCP port 80 by default.

The authentication between the Secure Gateway and the STA/XML service does not operate properly when the FortiGate unit has antivirus enabled in the protection profile applied to inbound traffic from the Secure Gateway (for example on the DMZ port) to one or more Citrix servers running the Web Interface (for example on the Internal port).

Solution

The purpose of the workaround is to let the Citrix servers and the Secure Gateway communicate on a port other than the default port 80, without having to reconfigure a potentially large number of end clients.

Ideally the Citrix servers should continue to listen on port 80 as well, so that they can still serve end users who do not connect through the Secure Gateway.

  • On every Citrix server running the Web Interface, modify the Default Web Site in IIS so that it listens on port 80 AND on an additional port, for example port 81.
  • Modify the Secure Gateway to communicate with the STA on all Citrix servers over the new port (81 in this example).
  • Modify the Secure Gateway to communicate with the Citrix servers hosting the Web Interface over the same new port (81 in this example).
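The following PowerShell script is an added example of the first step on the Citrix server side; it is not part of the original article and was not written by Fortinet or Citrix. It assumes IIS 7 or later with the WebAdministration module (the article's MetaFrame-era IIS would be configured through IIS Manager instead), a site named "Default Web Site", port 81 as the additional port, and that the Windows Firewall is active on the server. It adds the second binding while keeping port 80, opens the port in the Windows Firewall, and checks that both ports accept connections.

```powershell
# Added example (not from the article): give the IIS site that hosts the Citrix
# Web Interface / STA a second HTTP binding on port 81, keep port 80, and verify.
# Assumed values: site name "Default Web Site", additional port 81.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$NewPort  = 81

# Add the extra binding only if it is not already present, so the script is safe to re-run.
$existing = Get-WebBinding -Name $SiteName -Protocol http |
    Where-Object { $_.bindingInformation -like "*:$($NewPort):*" }
if (-not $existing) {
    New-WebBinding -Name $SiteName -Protocol http -Port $NewPort -IPAddress '*'
}

# Assumption: the Windows Firewall is enabled; without this rule the new port is reachable only locally.
$ruleName = "Citrix Web Interface / STA on TCP $NewPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow | Out-Null
}

# Show the resulting bindings: both *:80: and *:81: should be listed.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation

# Confirm the site is actually listening on both ports (TCP connect test).
foreach ($port in 80, $NewPort) {
    $ok = (Test-NetConnection -ComputerName 'localhost' -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Output ("port {0}: {1}" -f $port, $(if ($ok) { 'listening' } else { 'NOT listening' }))
}
```

Run it in an elevated PowerShell session on each Citrix server. The FortiGate side still has to permit the new traffic: the firewall policy from the Secure Gateway's interface (the DMZ port in the article's example) to the Citrix servers' interface must allow TCP/81, and the workaround only helps if the protection profile applied to that policy does not treat port 81 as HTTP traffic to be scanned.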