nevgeo_cwr Posted August 28 Share Posted August 28 Hi Everyone, We've been working to enable WAF for Horizon's external traffic using Citrix Netscaler WAF, but so far, we've been unsuccessful. Despite ongoing collaboration with Citrix, we haven’t received a satisfactory resolution. The main issue is that Horizon client traffic is being blocked due to "transfer coding chunked." Management is considering trying Cloudflare WAF, but we've had issues in the past when DNS was proxied, causing Horizon to not function as expected. Has anyone successfully configured Cloudflare WAF for Horizon? Any tips or advice would be greatly appreciated as we look for a solution. Quote Link to comment Share on other sites More sharing options...
Employee Hussam Rabaya Posted August 28 Employee Share Posted August 28 it is recommended to run WAF in learning mode, test all functions and lock it down, WAF is vendor-specific technology, please consult the WAF vendor for configuration in all cases, Quote Link to comment Share on other sites More sharing options...
ArifR Posted August 29 Share Posted August 29 We currently do this and it does not work. Our I.T Security team wanted Cloudflare in front and it does not work. Plus, cloudflare only works on port 443 and not on other ports. Have you tried looking into AVI load balancer, we currently use it and works great!. Quote Link to comment Share on other sites More sharing options...
nevgeo_cwr Posted August 30 Author Share Posted August 30 @ArifR We are currently using AVI and moving to Netscaler due to management decision. So just evaluating Cloud flare at the moment for WAF. Quote Link to comment Share on other sites More sharing options...
StephenWagner7 Posted August 30 Share Posted August 30 I haven't attempted to do what you're trying to do yet, but do you have all your ports configured properly? If you're using a WAF, IMO you should only have phase 1 of the connection running through it, and then run BLAST on separate ports (default 8443, or change to something else). If you're running WAF on 443, and have your BLAST session tunneled in 443, I could see this causing problems with any WAFs you are using (also keep in mind this configuration increases CPU utilization on the UAG as well). Quote Stephen Wagner (President, Digitally Accurate Inc.) VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC Check out my Tech Blog: https://www.StephenWagner.com Link to comment Share on other sites More sharing options...
nevgeo_cwr Posted Wednesday at 10:11 PM Author Share Posted Wednesday at 10:11 PM @StephenWagner7 Thank you for the response. We did try it but there are still some limitation with Cloud flare and the recommendation was to use spectrum due to the costing we have deviated from this. Currently we have enabled SSL inspection in our firewall as an interim solution. Quote Link to comment Share on other sites More sharing options...
StephenWagner7 Posted Wednesday at 11:01 PM Share Posted Wednesday at 11:01 PM 50 minutes ago, nevgeo_cwr said: @StephenWagner7 Thank you for the response. We did try it but there are still some limitation with Cloud flare and the recommendation was to use spectrum due to the costing we have deviated from this. Currently we have enabled SSL inspection in our firewall as an interim solution. Hi @nevgeo_cwr, all your Horizon/VDI traffic should be exempt from any WAF/IPS traffic inspection as it can cause issues with BLAST, BEAT, and VDI sessions. Quote Stephen Wagner (President, Digitally Accurate Inc.) VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC Check out my Tech Blog: https://www.StephenWagner.com Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.