Capturing Citrix Connector Web Traffic with Fiddler

Recently I came across a situation where I needed to get more insight into the traffic going from Citrix Connector to the multiple providers.

First of all, we have a lot of providers installed on a Cloud Connector.

Of course, we can check the Resource Monitor and TCP connections, or maybe try Wireshark.

Even collecting ETW data may not be enough. It can be useful to intercept some of the providers' web requests.

We can use Fiddler for this.

Fiddler can be downloaded from the following location:

https://www.telerik.com/download/fiddler/fiddler4

After downloading, you need to install it on the Citrix Cloud Connector.

After running the self-extracting installer, start Fiddler.

Next, configure SSL decryption:

Tools –> Options –> HTTPS

  • Enable the “Capture HTTPS Connects” option
  • Enable the “Decrypt HTTPS Traffic” option

At this point you will get some warnings:

Fiddler will install a DO_NOT_TRUST_FiddlerRoot certificate to the machine’s Trusted Root Certificate Authorities certificate store.

This certificate will be used by Fiddler to generate a counterfeit wildcard server certificate for each SSL-enabled host endpoint accessed through the proxy.

This process is necessary to intercept and decode SSL traffic passing through the proxy.

These certificates are not safe to leave on the Connector machine and must be removed after the support session is complete.

Select the option “From Non-Browsers Only”

Important: Removal of the certificates

Fiddler can help with this: navigate to Tools -> Fiddler Options -> HTTPS, unselect Decrypt HTTPS Traffic, then click the Actions button and select Remove Interception Certificates.

Removal must be verified through the Certificate Management MMC snap-in for both the user and machine stores. Manually remove any remaining DO_NOT_TRUST certificates.
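The store check described above can also be scripted. The following PowerShell is an added example, not part of the original post: the function name Find-FiddlerCertificate is hypothetical, and it assumes every certificate Fiddler created carries the string DO_NOT_TRUST in its Subject or Issuer.

```powershell
# Added example: look for leftover Fiddler interception certificates in the
# user and machine certificate stores. Assumption: they all carry the
# marker "DO_NOT_TRUST" in their Subject or Issuer.
function Find-FiddlerCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Marker = 'DO_NOT_TRUST',
        [switch]$Remove   # delete what is found (prompts for each certificate)
    )
    foreach ($location in 'Cert:\CurrentUser', 'Cert:\LocalMachine') {
        # -Recurse walks every store (Root, My, CA, ...) under the location.
        $certs = Get-ChildItem -Path $location -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                ($_.Subject -like "*$Marker*" -or $_.Issuer -like "*$Marker*")
            }
        foreach ($cert in $certs) {
            $removed = $false
            if ($Remove -and $PSCmdlet.ShouldProcess($cert.PSPath, 'Remove certificate')) {
                try {
                    Remove-Item -LiteralPath $cert.PSPath -ErrorAction Stop
                    $removed = $true
                } catch {
                    # Typically access denied: machine stores need an elevated session.
                    Write-Warning "Could not remove $($cert.Thumbprint): $_"
                }
            }
            [pscustomobject]@{
                Store      = $cert.PSParentPath -replace '^.*::', ''
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Removed    = $removed
            }
        }
    }
}

# Audit only: report anything that survived Fiddler's own removal action.
$leftover = @(Find-FiddlerCertificate)
if ($leftover.Count -gt 0) {
    $leftover | Format-Table Store, Subject, Thumbprint -AutoSize
    Write-Warning "$($leftover.Count) interception certificate(s) still installed."
} else {
    Write-Output 'No DO_NOT_TRUST certificates found in the user or machine stores.'
}
```

Cert:\CurrentUser refers to the account running the script, so run it from an elevated session as the same user that ran Fiddler.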

The next step is to set up an HTTP Proxy.

Fiddler itself is a web proxy server. It captures traffic by acting as the system proxy server and recording the traffic that is proxied through it.

Therefore, for traffic to be captured, the Connector services must be configured to use Fiddler as their proxy server by making Fiddler the WinHTTP proxy.

To do this we check the current configuration:

netsh winhttp import proxy source=ie

This command can be used to copy the WinINET settings set by Fiddler to WinHTTP, where they can be read by the Connector services. Take note of the previous settings before running this command, as the original settings will need to be restored when you are done.

Now use the following:

netsh winhttp set proxy proxyserver="http=127.0.0.1:8888;https=127.0.0.1:8888"

Also make sure the loopback address is not configured in the bypass list.

The next step is to start capturing with Fiddler.

Go back to Fiddler and select File –> Capture.

Also make sure you select “Non-Browser” at the bottom of the screen.

At this point you will see traffic captured with Fiddler:

Similar to other capture tools such as Wireshark, traffic will be logged as a single line in the main view, and single-clicking the line will expand details about the selected HTTP(S) request.

I hope this will help and is useful for deeper troubleshooting.