July 9, 2008 08:13am pdt

1. croberds 147,900
2. BLipman 144,828
3. CarlWebster 52,710
4. mgcIT 34,359
5. tsmvp 29,061
6. JaredJ1 27,395
7. oBdA 25,730
8. LKaushal 22,250
9. mpfister 20,205
10. ScooterA... 17,175
11. ET0000 14,450
12. chrisnew... 10,870
13. dphantom 9,585
14. GregMoseley 9,518
15. nprignano 8,729

1. mgcIT 593,581
2. BLipman 360,680
3. chrisnew... 176,458
4. croberds 147,900
5. ITDharam 130,426
6. CarlWebster 129,003
7. ET0000 123,947
8. oBdA 99,983
9. gsgi 75,983
10. thegordo 74,934
11. tsmvp 59,786
12. mpfister 59,104
13. ScooterA... 57,511
14. AdamBNYC 54,399
15. nprignano 51,229

04.07.2008 at 12:50PM PDT, ID: 23302504

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.9

Launch.ica file contains wrong Adress and SSLProxyHost information

Zone: Citrix

Tags: Citrix, Presentation Server, 4.5, SSL Proxy Host

I have a new Citrix Presentation Server 4.5 with the secure gateway installed and configured. It has a valid cert and is accessible via the Internet with certs FQDN. However, when users log into the WI and launch an application, they get an error to the effect that the Citrix SSL server selected is not accepting connections.

When I look at the launch.ica file, I see that in the published application entry the Address= listed is the internal LAN address and the SSLProxyHost= setting reflects the internal host name. Neither, of course, are publicly accessible.

I have gone through the application and server configuration with a fine toothed comb, even comparing it setting by settings to another server thats working perfectly fine, but I can see nothing that would allow me to change these settings in the ica file the client gets.

Where do I go for this?

Many thanks.

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: SusanPK

Solution Provided By: mpfister

Participating Experts: 2

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

04.08.2008 at 02:36AM PDT, ID: 21303636

Rank: Master

mpfister:

I think its in the web interface configuration. Make sure you select the proper "secure client access". "Secure gateway direct" should be ok for your config (would need to know more about your network layout...).
Also, Adress= should not have a real LAN address, but the STA ticket number. Its either a side-effect of the misconfig of the WI or verify if your STA is working properly.

04.08.2008 at 05:43AM PDT, ID: 21304573

SusanPK:

I do have it set to Secure Gateway Direct. The server is behind a NAT firewall. And how do I check if the STA is working correctly?

04.08.2008 at 05:54AM PDT, ID: 21304661

Rank: Master

mpfister:

Please run the Secure Gateway Diagnostics. If you like you can post the report here, just remove security relevant info before. You can also telnet to the STA:

Telnet

Just to make sure, your config is:

Internet -> Firewall -> CSG/WI -> PS 4.5

Is the CSG/WI on the same subnet as the PS 4.5 server?

04.08.2008 at 05:55AM PDT, ID: 21304670

Rank: Master

mpfister:

I forgot:

Telnet

Press enter once.

Should come back with something like

HTTP/1.1 400 Bad request
Server: Citrix Web PN Server
Date: Tue, 08 Apr 2008 12:52:33 GMT
Connection: Close

04.08.2008 at 06:02AM PDT, ID: 21304733

SusanPK:

Here is the SG diagnostic report. How would I know what port the STA is listening on?

Version = 3.0.1

Computer NetBIOS Name: CITRIXSERVER
Configuration captured on: 4/8/2008 8:59:53 AM
----------------------------------------------

Secure Gateway Global Settings
------------------------------
Version = 3.0.1
Product secured = MetaFrame Presentation Server only
Logging level = 3 (All events including information)
Client connection timeout = 100 seconds
Maximum concurrent connections = 250
Certificate FQDN = citrix.companyname.com

Interfaces
----------

All interfaces (0.0.0.0 : 443)
------------------------------
Protocol = SSL, TLS
Cipher suites = ALL
Secured = Yes
HTTP = No
ICA = Yes
SOCKS = Yes
Gateway Client = No
LoadBalancerIPs = None defined

Web Interface
-------------
FQDN = localhost
Port = 80
Secured = No
Protocol = SSL, TLS
Cipher suites = ALL
Access mode = Indirect
Tested OK

Authority Servers
-----------------

ID = STA637414E16744
--------------------
FQDN = citrix.companyname.com
Port = 80
Path = /Scripts/CtxSTA.dll
Type = STA
Secured = No
Protocol = SSL, TLS
Cipher suites = ALL
Tested OK

Certificate Check
-----------------
FQDN = citrix.companyname.com
This certificate is currently valid.

EOF

04.08.2008 at 06:15AM PDT, ID: 21304828

SusanPK:

Here is the configuration of the WI:

#
# WebInterface.conf
# Ensure that this file is saved with UTF-8 encoding
#

AccountSelfServiceUrl=
# AdditionalExplicitAuthentication=None
AddressResolutionType=ipv4-port
AGEPromptPassword=Off
AGEWebServiceUrl=
AllowBandwidthSelection=Off
AllowCustomizeAppColumns=On
AllowCustomizeApplicationAccessMethod=Off
AllowCustomizeAudio=Off
AllowCustomizeClientPrinterMapping=Off
AllowCustomizeClients=Off
AllowCustomizeJavaClientPackages=Off
AllowCustomizeLayout=Off
AllowCustomizeLogoff=On
AllowCustomizeReconnectAtLogin=On
AllowCustomizeReconnectButton=On
AllowCustomizeSettings=On
AllowCustomizeTransparentKeyPassthrough=Off
AllowCustomizeVirtualCOMPortEmulation=Off
AllowCustomizeWinColor=Off
AllowCustomizeWinSize=On
AllowUserAccountUnlock=Off
AllowUserPasswordChange=Never
AllowUserPasswordReset=Off
AlternateAddress=Mapped
AppColumns=3
ApplicationAccessMethods=Remote
AuthenticationMethods=Explicit
AutoDeployWebClient=On
# AutoDeployWebClientPackage=ica32pkg.msi
AutoFallbackToJavaClient=Off

BrandingColor=#666699
BypassFailedRadiusServerDuration=60
BypassFailedSTADuration=60

ClientAddressMap=10.0.0.0/255.0.0.0,Normal,192.168.0.0/255.255.0.0,Normal,*,SG
ClientProxy=*,Auto,-
# CompanyHomePage=[URL of your company home page]
CompanyLogo=../media/citrix.gif
CredentialFormat=All
CSG_EnableSessionReliability=On
CSG_Server=citrix.companyname.com
CSG_ServerPort=443
CSG_STA_URL1=http://citrix.companyname.com/scripts/ctxsta.dll

DefaultApplicationAccessMethod=Remote
DefaultClient=On
# DefaultCustomTextLocale=[language code]
DisplayFooter=On
DisplayHeader=On
DisplayMainBoxTitleBarBgImage=On
DisplaySiteLogo=On
# DomainSelection=[Domain1,Domain2,...]
DuplicateLogInterval=60
DuplicateLogLimit=10

# EnableFileTypeAssociation=On
EnableKerberosToMPS=Off
EnableLegacyICAClientSupport=Off
EnableLogoffApplications=On
EnablePassthroughURLs=Off
EnableRadiusServerLoadBalancing=On
EnableSTALoadBalancing=On
EnableVirtualCOMPortEmulation=Off
EnableWorkspaceControl=On
# ErrorCallbackURL=[URL for processing fatal error messages which replaces the logged out page]

Farm1=citrixserver,Name:CITRIXFARM,XMLPort:80,Transport:HTTP,SSLRelayPort:443,BypassDuration:60,LoadBalance:On,AuthenticationTickets:On,TicketTimeToLive:200,RADETicketTimeToLive:200
# FooterText_<lang-code>=[Customized footer text in the specified language]

# HeadingImage=[URL of your heading image]
HideDomainField=Off
HpUxUnixClient=Default

IbmAixClient=Default
IcaWebClient=icaweb.cab
IcaWebClientClassID=238f6f83-b8b4-11cf-8771-00a024541ee3
IcaWebClientVersion=9,0,32891,0
IgnoreClientProvidedClientAddress=On
# InternalServerAddressMap=[normalAddress,translatedAddress,normalAddress,translatedAddress,...]

JavaClientPackages=ConfigUI,PrinterMapping,SecureICA
# JavaClientRootCertificate=[File name of a private root certificate for Java Client]

KioskMode=Off

LaunchClients=ICA-Java,ICA-Embedded,ICA-Local
LaunchMethod=ICA-Local
LinuxClient=Default
# LoginDomains=[domain1,domain2,...]
# LoginType=Default
LogoffFederationService=On

MacClient=Default
MainBoxTitleBarBgColor=#C8C8C8
MainBoxTitleBarBgImage=../media/greygrad.gif
MainBoxTitleFontColor=#000000
MessageHeadingBgColor=#DFDFDF
MessageHeadingFontColor=#000000
MultiFarmAuthenticationMode=All

NDSContextLookupLoadbalancing=On
# NDSContextLookupServers=[List of NDS servers, each starting with ldap:// or ldaps://]
# NDSTreeName=[NDS Tree name for NDS logins]

OtherClient=Default
OverlayAutologonCredsWithTicket=On
# OverrideClientInstallCaption=[Customized client install caption]
OverrideIcaClientname=On

PasswordExpiryWarningPeriod=14
PooledSockets=On

RADEClientClassID=4384F3C5-4A9E-4E81-9AAE-4251C2813861
# RADEHeartbeatURL=auto
RadiusRequestTimeout=30
# RadiusServers=[server:port,server:port,...]
RdpWebClient=msrdp.cab
RdpWebClientClassID=7584c670-2274-4efb-b00b-d6aaba6d3850
RdpWebClientVersion=5,2,3790,0
ReconnectAtLogin=DisconnectedAndActive
ReconnectButton=DisconnectedAndActive
RequestICAClientSecureChannel=Detect-AnyCiphers
RequireLaunchReference=Off
RestrictDomains=Off
RetryCount=5

ScoUnixClient=Default
# SearchContextList=[NDS context1,NDS context2,...]
ServerAddressMap=10.10.10.251:80,[PUBLIC IP ADDRESS]:80,10.10.10.251:1494,[PUBLIC IP ADDRESS]:1494,10.10.10.251:2598,[PUBLIC IP ADDRESS]:2598,10.10.10.251:443,[PUBLIC IP ADDRESS]:443
SgiUnixClient=Default
ShowClientInstallCaption=Auto
ShowPasswordExpiryWarning=Never
SolarisUnixClient=Default

Timeout=60
TransparentKeyPassthrough=FullScreenOnly
Tru64Client=Default

# UPNSuffixes=[UPN suffix1,UPN suffix2,...]
UserInterfaceLayout=Auto

Version=4.5.1.8215

WebSessionTimeout=20
# WelcomeMessage_<lang-code>=[Customized welcome message in the specified language]
Win16Client=Default
Win32Client=Default
TwoFactorPasswordIntegration=Off
TwoFactorUseFullyQualifiedUserNames=Off
RADESessionURL=auto

04.08.2008 at 06:32AM PDT, ID: 21304990

Rank: Master

mpfister:

Authority Servers
-----------------

ID = STA637414E16744
--------------------
FQDN = citrix.companyname.com
Port = 80
Path = /Scripts/CtxSTA.dll
Type = STA
Secured = No
Protocol = SSL, TLS
Cipher suites = ALL
Tested OK

Thats ok, you STA is working and its listening to port 80. I personally don't like to have STA and WI listening on the same port, esp. because there is no need to reach the STA from the Internet, only the CSG and WI need to talk to it.

I just wonder why you have FQDN = citrix.companyname.com for the STA. I assume this resolves to the external address of the server, so better configure the internal IP of your server here.

I get the impression everything (GSG/WI and PS 4.5) is running on a single machine, is this correct?

04.08.2008 at 06:46AM PDT, ID: 21305169

Rank: Master

mpfister:

ServerAddressMap=10.10.10.251:80,[PUBLIC IP ADDRESS]:80,10.10.10.251:1494,[PUBLIC IP ADDRESS]:1494,10.10.10.251:2598,[PUBLIC IP ADDRESS]:2598,10.10.10.251:443,[PUBLIC IP ADDRESS]:443

I think this is your problem. Did you add firewall translations in your Web Interface config? Try removing them.
Again, since I'm not 100% sure if I understand your network/firewall topology, this might be wrong.

04.08.2008 at 07:18AM PDT, ID: 21305490

SusanPK:

Correct. Everything is running on a single machine. The only port open on the firewall to the server is 443. I will try removing those translations and see what happens.

04.08.2008 at 07:30AM PDT, ID: 21305601

SusanPK:

Nope. Still no go. Here is what the launch.ica file looks like. Note how there is nomention of the external FQDN.

[Encoding]
InputEncoding=UTF8

[WFClient]
CPMAllowed=On
ClientName=WI_S8tcLTIl-aeGUvkmu
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=FullScreenOnly
TransportReconnectEnabled=On
VSLAllowed=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Desktop Access=

[Desktop Access]
Address=10.10.10.251:1494
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
ClearPassword=56383A193E05B1
ClientAudio=Off
DesiredColor=8
DesiredHRES=1024
DesiredVRES=768
DoNotUseDefaultCSL=On
Domain=\2C3EBB08A1744678
EncryptionLevelSession=EncRC5-0
HTTPBrowserAddress=!
InitialProgram=#Desktop Access
LPWD=16
Launcher=WI
LocHttpBrowserAddress=!
LogonTicket=56383A193E05B12C3EBB08A1744678
LogonTicketType=CTXS1
LongCommandLine=
NRWD=16
ProxyTimeout=30000
ProxyType=Auto
SSLCiphers=all
SSLEnable=On
SSLProxyHost=CITRIXSERVER.LOCALDOMAIN.local:443
SecureChannelProtocol=Detect
SessionsharingKey=8-rc5-login-none-localdomain.local-testadmin-CITRIXFARM
StartIFDCD=1207664747675
StartSCD=1207664747675
TRWD=0
TWIMode=Off
TransportDriver=TCP/IP
UILocale=en
Username=testadmin
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

04.08.2008 at 07:57AM PDT, ID: 21305884

Rank: Master

mpfister:

Can you remove the

ClientAddressMap=10.0.0.0/255.0.0.0,Normal,192.168.0.0/255.255.0.0,Normal,*,SG

from your config? Should read afterwards

ClientAddressMap=*,SG

This is configured under Manage Secure Client Access -> Edit DMZ settings
Remove all settings, except the Default -> Secure Gateway Direct

Would love to have a direct look at the beast ...

Accepted Solution

04.08.2008 at 08:29AM PDT, ID: 21306231

Rank: Master

mpfister:

You probably know that one here:
http://support.citrix.com/servlet/KbServlet/download/6778-102-13635/SG3%20for%20PS4%20Troubleshooters%20Guide%20-%20External.pdf

04.08.2008 at 08:32AM PDT, ID: 21306266

Rank: Master

mpfister:

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html

04.08.2008 at 10:52AM PDT, ID: 21307770

SusanPK:

mpfister,

That solved the web access problem! Thanks! Now I'm working on getting the internal connections working with the Citrix ICA client. These work to a point. The user logs ina nd sees the published desktop, then clicks on it. It tries to make the connection and then errors out with: "Cannot connect to the Citrix Presentation Server. The Citrix SSL Relay name could not be resolved (SSL error 40)"

I thought that's what the DMZ translations were there to take care of, but I'm a novice. Any thoughts? We're close....

04.08.2008 at 10:31PM PDT, ID: 21311975

Rank: Wizard

BLipman:

SSL Relay is part of your issue I would say. I suggest just using http or https and not SSL Relay. This is the communication between your web interface/SG and the farm and occurs across a VLan or even on the same network. SSL is provided between the client and Secure Gateway, that is the part you need to secure the most. If you want to use SSL Relay, I suggest getting everything working with http and then change it when you know everything else is in place.
When you did the Secure Gateway Configuration (right after the install of CSG) did you tell it to allow direct or indirect access (only through the CSG)? I say this because you might want people using the WI alone with no CSG (LAN users perhaps). When you go to your site and you are at the login page, does it change you from http to https? Are you putting https in initially?

04.09.2008 at 02:26AM PDT, ID: 21313053

Rank: Master

mpfister:

I expected that the internal access will no longer work after the change, sorry should have warned you...

Whats the internal address of the firewall? Is it a different IP address range than the internal clients?

The problem (I believe) was that the CSG was unable to distinguish between users via Internet and internal users.
If the IP addresses are in the same range (like 10.0.0.0) you may need to create a different rule under Manage Secure Client Access -> Edit DMZ settings, like:

IP address of firewall -> Secure Gateway Direct
All other internal IP addresses -> Direct

It should go through the roules top down.

Hope it helps,

Michael

04.09.2008 at 05:40AM PDT, ID: 21314215

SusanPK:

I made the changes you suggested. But I still get this message when trying to connect using the Windows Citrix client: "Cannot connect to the Citrix Presentation Server. The Citrix SSL Relay name could not be resolved (SSL error 40)"

I don't have SSL relay configured. Nor did I think the Windows client would use SSL.

04.09.2008 at 05:44AM PDT, ID: 21314243

Rank: Master

mpfister:

Can you post the launch.ica for an internal client?

04.09.2008 at 05:46AM PDT, ID: 21314261

SusanPK:

Can you tell me where to find this?

04.09.2008 at 05:51AM PDT, ID: 21314296

Rank: Master

mpfister:

>> Can you tell me where to find this?
Hm, does that mean the internal clients are not using the web interface but instead connect with the full client?

04.09.2008 at 05:53AM PDT, ID: 21314306

SusanPK:

That's the plan, yes. That's why I'm not sure why I'm getting SSL errors on the full client.

04.09.2008 at 05:53AM PDT, ID: 21314311