000015036 - Access Manager incorrectly redirects HTTPS session to HTTP port on Citrix Web Interface Server

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000015036
Applies To: Citrix Secure Access Gateway
RSA Access Manager Agent 4.8 for IIS 6.0
Microsoft Internet Information Services (IIS) 6.0
Issue: Access Manager incorrectly redirects HTTPS session to HTTP port on Citrix Web Interface Server
After authentication the user is directed to HTTP instead of HTTPS on the Citrix Web Interface Server.  The Access Manager redirection cookie (URL retention cookie) ACTSESSION contains the wrong address and port.
Cause: This issue is not unique to Citrix and occurs whenever a third party SSL accelerator or proxy is installed in front of IIS and the customer is using a central logon page.  The issue occurs because the Central Logon page requires that you include the fully qualified URL in the ACTSESSION cookie instead of the normal relative URL.  The Access Manager Agent installed on the server behind the proxy sees the request as an http request, so when the redirection is done it will attempt to redirect to an http URL.
Resolution: If Central Logon is not required, the agent may be configured to use a relative URL in the ACTSESSION cookie by setting

cleartrust.agent.retain_url.use_full_url=False


There are many solutions to this issue.  Some method must be provided to redirect the http requests to the correct https port on the target web server.

  • Many third party SSL Accelerators and SSL proxy servers and load balancers can be configured to do the redirection automatically.  Install these components in front of the IIS server to do the redirection.
  • Modify the central logon page to inspect the ACTSESSION cookie and modify it if it contains a redirection URL to the secure gateway.  Some customers who want more control over the redirection do not even bother rewriting the ACTSESSION cookie and do the redirection themselves in the logon or home page.
  • Add a third party module to the IIS server for the Web Interface server to do the http redirect.  Search Google for http+https+redirect+IIS for more information.
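
The redirect check that a central logon or home page could apply before sending the user on, as an added example that is not RSA's code. It assumes the page has already extracted and decoded the retained URL from ACTSESSION (the cookie's encoding is not covered here); the host name, port map, fallback URL and function name are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values: public host name of the secure gateway mapped to
# the HTTPS port clients must use. Replace with the deployment's own values.
GATEWAY_HTTPS_PORTS = {"citrix.example.com": 443}
FALLBACK_URL = "https://citrix.example.com/"


def fix_retained_url(retained_url: str) -> str:
    """Return a safe post-logon redirect target for the retained URL.

    Absolute URLs are accepted only for known gateway hosts and are always
    rewritten to https on the configured port, which undoes the http:80
    address the agent recorded behind the SSL proxy. Anything else falls
    back to the gateway home page instead of being followed blindly.
    """
    url = retained_url.strip()
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return FALLBACK_URL

    # Relative URL (the agent's normal form): safe to reuse as-is, provided it
    # cannot be read as a scheme-relative URL pointing at another host.
    if not parts.scheme and not parts.netloc:
        if url.startswith("/") and not url.startswith("//") and "\\" not in url:
            return url
        return FALLBACK_URL

    if parts.scheme not in ("http", "https"):
        return FALLBACK_URL
    if parts.username is not None or parts.password is not None:
        return FALLBACK_URL  # user@host forms are a common redirect trick
    if host not in GATEWAY_HTTPS_PORTS:
        return FALLBACK_URL  # never redirect to a host we do not own

    port = GATEWAY_HTTPS_PORTS[host]
    netloc = host if port == 443 else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))
```

Restricting the rewrite to an allowlist of gateway hosts keeps the logon page from becoming an open redirector when the cookie value is tampered with.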

See also solution a47576: AxM 4.8 agent and the arbitrary redirect to port 80 when a loadbalancer is used to rewrite to a different port. ACTSESSION cookie retains port 80.
Legacy Article ID: a47746
