Citrix Virtual Desktop users get 403 Access Denied Topic is solved

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
Amongthegums
Joomla! Intern
Joomla! Intern
Posts: 74
Joined: Wed Mar 04, 2015 6:22 am

Citrix Virtual Desktop users get 403 Access Denied

Post by Amongthegums » Tue Oct 13, 2020 5:47 am

Hi
I hope this this the right place- I maintain a small J3 website (current version, always) on a shared host in AU.
Since about the end of last year we have a number of users who are greeted by "403 Access Denied" when they try to access the domain https://mbea.com.au


Working through the issues and some trial, error and elimination and consultation with the host and the Citrix environment admins we've established that the block originates in the Joomla CMS. As I understand it, when the user arrives at the site Joomla cannot "authenticate" the user (proxy?) and generates the 403. This is above my paygrade, so I cannot comment.

The Citrix admins whitelisted the domain, but that has had no effect. The 403s continue.

I then thought it was Akeeba's Admin Tools. We consulted Akeeba, which led to no solution. Consequently, and clutching at straws, Admin Tools was removed. Again, that wasn't the issue.

Since then I have done a clean Joomal install, and provided a plain HTML sub domain for testing.

The Citrix users can access the latter OK. However, the main domain running a clean, new copy of Joomla gives the Citrix mob a 403.

Users coming from a non Citrix environment are able to access the domain OK.

I'm beside myself here. Does anyone have a suggestion what else I might look at to find a solution?

Thanks

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 9698
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by sozzled » Tue Oct 13, 2020 6:16 am

G'day ...

... nice website design. I am not one of the visitors to your website who's greeted with a 403 Access Forbidden error. Maybe the error message appears for people after they've logged in? This would make some sense because you mentioned authentication (and authentication doesn't come into play until after login).

So the first question is simple: where do you users go when they login?

BTW, J! is agnostic about what device people use (or, for that matter, what browser(s) people use). When J! handles a GET request from the client (i.e the "user") it just sends back a HTML package assuming that the client is permitted access to the content sought in the GET. Get it? ;)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
abernyte
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3900
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by abernyte » Tue Oct 13, 2020 8:07 am

Is there a rewrite condition in your .htaccess blocking proxys? As @sozzled states, Joomla is agnostic about what connects unless a rule has been set on the server which loads before Joomla.
What we obtain too cheap, we esteem too lightly…Thomas Paine

Amongthegums
Joomla! Intern
Joomla! Intern
Posts: 74
Joined: Wed Mar 04, 2015 6:22 am

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by Amongthegums » Tue Oct 13, 2020 1:34 pm

abernyte wrote:
Tue Oct 13, 2020 8:07 am
Is there a rewrite condition in your .htaccess blocking proxys? As @sozzled states, Joomla is agnostic about what connects unless a rule has been set on the server which loads before Joomla.
We had an .htaccess generated by admin tools. That was removed and on the clean install we implemented the basic one that comes with Joomla.


That said, we have tested with no .htaccess and Citrix users are immediately greeted with 403s.

Amongthegums
Joomla! Intern
Joomla! Intern
Posts: 74
Joined: Wed Mar 04, 2015 6:22 am

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by Amongthegums » Tue Oct 13, 2020 1:38 pm

sozzled wrote:
Tue Oct 13, 2020 6:16 am
G'day ...

... nice website design. I am not one of the visitors to your website who's greeted with a 403 Access Forbidden error. Maybe the error message appears for people after they've logged in?
Thanks for the compliment.

Users get the 403 on the connection attempt. They don't even see the home page.

So I don't misunderstand, are you coming from a Citrix environment?

Thanks

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 9698
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by sozzled » Tue Oct 13, 2020 5:54 pm

No, I don't use Citrix.

When I searched for citrix on this forum I did not find much current information about those issues. There was also nothing at GitHub or at Joomla StackExchange.

You may need to engage a professional web developer to identify and resolve your issues. I'm sorry I don't have any real insight in that area; Citrix is not on my radar screen.

I don't have problems accessing your website without Citrix. Good luck in finding the answer. :)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

Amongthegums
Joomla! Intern
Joomla! Intern
Posts: 74
Joined: Wed Mar 04, 2015 6:22 am

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by Amongthegums » Wed Oct 14, 2020 1:29 am

Hi
A couple of the (Citrix) users who had previously reported the 403 issue, this morning (AU time) advised that they were getting the ERR_TUNNEL_CONNECTION_FAILED failure in Chrome. This is generally well known & documented in search engines.

Specifically, Chrome will report
This site can’t be reached

3. The webpage at https://testsite.mbea.com.au/ might be temporarily down or it may have moved permanently to a new web address.

4. ERR_TUNNEL_CONNECTION_FAILED


The fix has to be applied in Chrome as I understand it.

So far I've established that the majority of affected users are reporting Chrome, although one claims he is using Edge.

But my question is, might ERR_TUNNEL_CONNECTION_FAILED cause a 403 error to be generated?

Thanks

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 27200
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by Per Yngve Berg » Wed Oct 14, 2020 3:48 am

Have you looked in the Web Server Logs?

Amongthegums
Joomla! Intern
Joomla! Intern
Posts: 74
Joined: Wed Mar 04, 2015 6:22 am

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by Amongthegums » Thu Oct 15, 2020 10:36 pm

Per Yngve Berg wrote:
Wed Oct 14, 2020 3:48 am
Have you looked in the Web Server Logs?
Yes, we have. There's nothing. For example, we know the IP addresses of some of the affected users and were hoping to see them in the logs. Nothing.

On the progress side, we know the sub domain we created for testing works, so whatever the problem is it is in our main joomla installation. I'm inclined to take a backup and do a clean install in the main domain, then import the data.

I love technology. When it works....

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 27200
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by Per Yngve Berg » Fri Oct 16, 2020 3:33 am

Looks more like an error in a proxy.

User avatar
abernyte
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3900
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by abernyte » Fri Oct 16, 2020 7:22 am

So far I've established that the majority of affected users are reporting Chrome, although one claims he is using Edge.
They both use the Blink engine. Just for giggles ask an effected user to use a Gecko browser - Firefox or PaleMoon with Goanna.
I, like Per, do suspect the error is caused by a proxy and not in Joomla per se.
What we obtain too cheap, we esteem too lightly…Thomas Paine

Amongthegums
Joomla! Intern
Joomla! Intern
Posts: 74
Joined: Wed Mar 04, 2015 6:22 am

Re: Citrix Virtual Desktop users get 403 Access Denied

Post by Amongthegums » Sat Oct 24, 2020 2:12 am

UPDATE:
More out of frustration than anything else I backed up the site, did a clean install of Joomla, and restored the content and user data.
I also enabled the standard Joomla .htaccess file.

So far, so good.

I have not installed Admin Tools at this point because I feel it was the cause of the 403 errors. When my blood pressure goes down I may try to see what happens when I install it ;-)

Cheers & thanks for the feedback.


Post Reply

Return to “Security in Joomla! 3.x”