Cannot connect to the citrix XenApp server. Could not find specified Citrix XenApp server.

Can you determine the IP that is being returned in the .ica file?

NO IP, only the servername...
++++++++++++++++++++++++++++++++++++++

[Encoding]
InputEncoding=UTF8
[WFClient]
CPMAllowed=On
ClientName=WI_f9dT3cgVZhYc6gz5w
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=FullScreenOnly
TransportReconnectEnabled=On
VSLAllowed=On
Version=2
VirtualCOMPortEmulation=Off
[ApplicationServers]
Admins - CTX1 Desktop=
[Admins - CTX1 Desktop]
Address=servername.company.com (FQDN):1494
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
ClearPassword=F3F12AE8438615
ClientAudio=Off
ConnectionBar=1
DesiredColor=8
DoNotUseDefaultCSL=On
Domain=\56373383B3A80A7E
EncryptionLevelSession=EncRC5-128
FontSmoothingType=0
InitialProgram=#Admins - CTX1 Desktop
LPWD=0
Launcher=WI
LocHttpBrowserAddress=!
LogonTicket=F3F12AE843861556373383B3A80A7E
LogonTicketType=CTXS1
LongCommandLine=
NRWD=0
ProxyTimeout=30000
ProxyType=Auto
SFRAllowed=Off
SSLEnable=Off
ScreenPercent=90
SessionsharingKey=-OrDZXz1k3CeQyIerTqyDqB
StartIFDCD=1251384908862
StartSCD=1251384908862
TRWD=0
TWIMode=Off
TransportDriver=TCP/IP
UILocale=en
WinStationDriver=ICA 3.0
[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll
[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll
[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll
[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNmeWin32=pdc40n.dll
[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

WI app eventlog

Ok, you are not going through the CSG based on this:
Address=servername.company.com (FQDN):1494
1494 is not used for CSG, everything goes through 443.  The screen shot tells us the issue at hand though.  Edit your STA entries to reflect port 8080:

http://servername2.company.com:8080/scripts/ctxsta.dll

Your entry will use port 80 (http's default port, get it?)

Same error inside or outside. Thx.

You fix this in the AMC, go to Edit Gateway Settings, edit your STA URL to reflect 8080 as I stated above.  That will clear up the one error.  Sometimes we need to peel the errors back in layers one by one.  Let me know where we stand after doing this.

Yes, one error clears up. It works internally, I will have users test from outside tomorrow.
We are making some progress here. Thx. I will let you know.

Excellent!  Let me know if you run into errors from the outside!

OK, outside users get this error:

"Cannot connect to the XenApp server.  SSL Error 61: You have not chosen to trust "DOD CA-21", the issuer of the server's security certificate..

Do I have to push out this DoD CA-21 cert to users? Any simple way to do so?

Was the cert issued by a private CA?  If so, consider using a source such as Verisign or RapidSSL for your SSL cert.

Issued by DoD.

I don't see them listed as a default trusted root CA in XP or Windows 7 (not sure about Vista), so you'll likely need to distribute that root CA to your customers or use a different root CA.

I am testing with different OS versions, will keep you posted. Thx.

First, make sure that your test machine has its Root Certificates updated.  I see tons of people run Express on their Windows Updates and never get their roots updated.  Now open your mmc, add the certificates snapin and look around the trusted certification authorities for a cert that matches yours.  I use GoDaddy for example (they are cheap and local); here and there I find users who don't have the Intermediate cert we go through but, for the most part, it works without intervention.  That is the whole point of buying certificates.  

Now I did a search for DoD certificates and I immediately found a site telling you how to install the certificates on client machines.  Sounds like they are not preloaded on common operating systems or pushed via Root Certificate updates.  
https://acc.dau.mil/ifc/dod_cert_dwnld.aspx

BLIpman,
I think we are almost there... :)
I have one user manually installed the latest DoD certs and have him test with IE7 and IE8 settings.
I have about 5 ctx server desktops published for the user, right now he say that the connections to the server desktops vary. Sometimes he can connect and sometimes he gets "The Citrix SSL server you have selected is not accepting connections." Again, it is random...
He will update me on Monday with his testing results.
Thanks,

Ok, do you have 5 separate desktops published and each goes to one different server but the problem is random or do you have one desktop published to 5 servers, it load balances, and the problem appears to be random? For testing individual servers I like to publish something like notepad and will label them Notepad on Server 1, Notepad on Server 2, etc.  This is handy for checking servers individually and for testing printing while you are at it.  

I have published apps the same way as you mentioned, ex) desktop_svr1, desktop_svr2 and so on...so that I can identifiy easier. Thx,

Yep, then let me know which ones you are having issues with and we can work them out from there.  Connection issues will often present themselves in the event viewer of the application server and or the web interface/secure gateway server so post anything you see that might be interesting.  Also, compare working launch.ica files to those from servers that are not working.

WI/CSG LOGs

Secure Gateway Logs:
1.Connection was broken by either client or server.                              2:05:39  ID:169  CORE
2.Client IP 10.101.7.172 sent bad ticket, connection dropped.                2:05:43  ID:100  Ticketing
3.Socks Session [3] failed ticket check. Client IP [10.101.7.172].            2:05:43  ID:190  SOCKS
4.Client IP 10.101.7.172 sent bad ticket, connection dropped.                2:07:25   ID:100 Ticketing
5.Socks Session [7] failed ticket check. Client IP [10.101.7.172].            2:07:25  ID:190  SOCKS
Connection was broken by either client or server.                              2:09:47  ID:169  CORE

App Logs:
1. Site path: c:\inetpub\wwwroot\Citrix\XenApp.
A socket has been forcibly destroyed by the transaction layer. [Log ID: bbb31685]     2:05:01 PM
2. Site path: c:\inetpub\wwwroot\Citrix\XenApp.
The Citrix servers sent HTTP headers indicating that an error occurred: 400 Bad Request. This message was reported from the XML Service at address http://CTX5:8080/scripts/wpnbr.dll [com.citrix.xml.NFuseProtocol.RequestCapabilities]. This XML Service could not be contacted and will be temporarily removed from the list of active services. [Log ID: 5425364c]                       2:05:01 PM
3. Site path: c:\inetpub\wwwroot\Citrix\XenApp.
An error occurred while attempting to connect to the server CTX3 on port 8080. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with IIS, verify that IIS is running. This message was reported from the XML Service at address http://CTX3:8080/scripts/wpnbr.dll. This XML Service could not be contacted and will be temporarily removed from the list of active services. [Log ID: ca6b75c6]                                          2:05:03 PM
4. svchost (856) The database engine stopped.                                                              2:05:27 PM
5. Site path: c:\inetpub\wwwroot\Citrix\XenApp.
The Citrix servers reported that they are too busy to provide access to the selected published resource. This message was reported from the XML Service at address http://CTX4:8080 [com.citrix.xml.NFuseProtocol.RequestAddress].  [Log ID: 632c8eb8]                             2:05:39 PM

This might be useful for the first error but let's try to clear the others up first, I am not convinced you have a corrupted application:
http://support.citrix.com/article/CTX114769

Verify that all servers running your published applications are using 8080 for XML (you can check the properties of each in the AMC to verify this).  Then, assuming you are on the right port and didn't accidentally set 80/share with IIS on one of them, reset the XML service, make sure it comes up without generating new events, try that server again.  

Verified that all CTX servers are using 8080 for XML port. Still waiting on external user's test outputs.
Meanwhile, I have published notepad from each server such as notepad_CTX1, notepad_CTX2, and so on, and I still get "Cannot connect to the Citrix XenApp server. The Citrix SSL server you have selected is not accepting connections." randomly. However, if I try a few more times I finally get connected. User load should be less than 3. Any ideas? Thanks.

Do you have a load balancer in front of the farm perhaps?  

Gees, forgot to mention that, so sorry...
Yes, we do. Is that a known issue? Way to work around? Thx,

Don't leave me hanging  :(

I am sorry, got tied up with some issues at work.  I am glad you are using a load balancer because it makes the issue much easier to solve.  You need to enable sticky sessions (or whatever your load balancer calls "persistence").  If you start a session with one server and then the load balancer takes you to another the session ID won't be recognized and the new server will drop the connection.  Then, finally, the LB takes you back and the original server can work.  It explains your issue pretty neatly.  

Let me get one thing cleared up first, do you have more than one Web Interface or CSG server?  If not, then is the load balancer in the back end trying to balance connections to the Citrix farm?  

Citrix does it's own load balancing to farm servers and will do a better job than any hardware LB you will put in place; it has all sorts of server metrics it can use to better distribute load.  To load balance Web Interface or CSG servers you must guarantee that a "flow" (a user's session or a combination of a unique IP/port combination) always goes to the same server it started on.  

Load balancers can usually sticky on things like:
-source IP
-SSL session ID
-URL cookie
-file based cookie

etc...

Thanks for coming back :)  :)
Here is little change took place in the past 48 hrs.
Due to the DoD Cert mismatch I had to move the WI/SG in the trusted network. (10.x.x.x) from DMZ, and it is operational.
I only have one WI/SG for now. Eventually will have one more.
LB sits in the DMZ and it is just forwarding ips from external to internal (sort of NATing, it is not LBing) and not balancing connections to the CTX farm. Hope this answers your question.
My question is if I still experience this behavior below what would you suggest?
["Cannot connect to the Citrix XenApp server. The Citrix SSL server you have selected is not accepting connections." randomly. However, if I try a few more times I finally get connected.]
Thank you,

...although...if it works from the LAN just fine it shouldn't be an STA thing causing these failures...

OMG!!!  Found out that one of STAs corrupted or bad, no clue what/how happened...
Took out the bad STA and works like a charm!!!
Last Question: Should I check the Enable Session Reliability option?

Session Reliability always seemed like a smoke and mirrors trick in my mind...and it uses more ports.  I tend to disable it but you may find value in using it.  Do you have users coming in over really bad Internet connections?  

Nah, I figure I keep it off then.
Thank you very very very much for your big help!

Any time, I am glad you are up and running!