Jaime Campos

asked on

Unable to Launch Citrix Applications - SSL Error 4

Hello,

I just installed WI on new server due to viruses on old server. Here is my setup....

XenApp and WI both sit behind a TZ190. The WI sits in a DMZ Zone on the TZ190. Keep in mind all was working with the NAT and Access Rules before I installed WI on a new server.

Windows 2008
XenApp 5.0

Windows 2003
WI
CSG

Default Website properties
Default
(All Unassigned)
TCP port 81
SSL port 444

Secure Gateway Configuration
Certification found: Citrix.myrapadocs.com
Secure Socket Layer (SSLv3) and TLSv1
Cipher suite: All

Configure inbound client connections
checked - Monitor all IPv4
TCP port: 443
No Network Interface list

No outbound traffic restrictions

Servers running the STA
Identifier: STA362CE7A8D924       FQDN: WIN08CITRIX (Which is the XenApp Server)
Path: /Scripts/CtxSTA.dll
Protocols settings: Unchecked Secure traffic between the STA and Secure Gateway
TCP port: 8080
Use Default: Unchecked

No connection timeout
No Concurrent connection limits
No Logging exclusions

Access Options
Checked - Indirect & Installed on this computer
TCP port: 81

Logging: Warning, errors, and fatal events

--------------------------------------------------------------------

WI

Site name: XenApp
Site URL: https://Citrix.myrapadocs.com:444/Citrix/XenApp
Farm Name: RAPA Citrix
XML Service: WIN08CITRIX
XML port: 8080
XML transport: HTTP

Authentication: At Web Interface
Available methods: Explicit
Resource type: Online
Available clients: Native clients

Specify Access method: IP Address: Default - Access method: Gateway Direct
Specify Gateway Settings: Address (FQDN) citrix.rapadocs.com
Port: 443
Checked: Enable session reliability
Unchecked: Request tickets from two STA
Secure Ticket Authority URLs: http://WIN08CITRIX:8080/Scripts/CtxSTA.dll
Bypassed failed server for: 1 Hour

I am able to log on to Citrix and see my Apps, however when I click on an APP I get Error - Unable to launch your application: Cannot connect to the Citrix XenApp Server.
SSL Error 4: Attempted to connect using the TLS V1.0|SSL v3.0 protocols. The server rejected the connection.


I am also getting Warning under Event Viewer - ID 125 - Source: Citrix Secure Gateway
SSL handshake from client failed.

Late last night I got Event ID: 30107
Site path: c:\inetpub\wwwroot\Citrix\XenApp

The Citrix server reported that they are too busy to provide access to the selected resource. This message was reported from the XML Service at address http://WIN08CITRIX:8080
[com.citrix.xml.NFuseProtocol.RequestAddress].

I appreciate your help and support.

Thanks,

nimdatx
Jayanta Sarmah

check this out, if you still didn't:

http://support.citrix.com/article/CTX524634
ASKER

Did all troubleshooting steps, still no fix.
Dirk Kotte
hi,
what does the CSG-diagnostics say?
HELLO!!!! Thank god you're back....

CSG Diagnostics:
Version = 3.2.0

Computer NetBIOS Name: CITRIXWI
Configuration captured on: 2/15/2012 10:59:48 AM
------------------------------------------------

Secure Gateway Global Settings
------------------------------
  Version = 3.2.0
  Product secured = Citrix XenApp only
  Logging level =  2 (Warning, errors and fatal events)
  Client connection timeout =  100 seconds
  Maximum concurrent connections =  250
  Certificate FQDN = Citrix.myrapadocs.com

Interfaces
----------

  All interfaces (0.0.0.0 : 443)
  ------------------------------
    Protocol = SSL, TLS
    Cipher suites = ALL
    Secured = Yes
    HTTP = No
    ICA = Yes
    SOCKS = Yes
    Gateway Client = No
    LoadBalancerIPs = None defined

Web Interface
-------------
  FQDN = localhost
  Port = 81
  Secured = No
  Protocol = SSL, TLS
  Cipher suites = ALL
  Access mode = Indirect
  Tested OK

Authority Servers
-----------------

  ID = STA362CE7A8D924
  --------------------
    FQDN = WIN08CITRIX
    Port = 8080
    Path = /Scripts/CtxSTA.dll
    Type = STA
    Secured = No
    Protocol = SSL, TLS
    Cipher suites = ALL
    Tested OK

Certificate Check
-----------------
  FQDN = Citrix.myrapadocs.com
  This certificate is currently valid.

EOF
FYI - I also have no NAT going from WI (DMZ) to XenApp (LAN) and Access Rules are opened up.

Also....IIS SSL Port is 444
ASKER CERTIFIED SOLUTION
Dirk Kotte
That's how I had it on old server....
only an experiment but ...
try to configure the CSG-location within WI also with the big "C".
Ok....I changed Specify Gateway Settings - FQDN: Citrix.rapadocs.com (Big C) I left port on 443 and left checked Enable session reliability and left unchecked Request tickets from two STAs.

Still no luck.
Would it hurt if I changed Host name on WI to reflect old WI server's HOST name? I am currently able to resolve Host name to IP from new WI server all is good, but just a thought. When I initially setup my first WI server 2 yrs back, I remember I got same error message, but not sure how I fixed it. I think it has something to do with IIS.
like the support articles say .. be sure the IIS doesn't use port 443.
i think that's ok.
On my XenApp Server I am unable to access Access Management Console due to some weird permissions issues I have not figured out. Do you think that that has anything to do with it? If I go through XenApp advance configuration, I am able to connect to WIN08CITRIX and see my apps. I sent you the link to other ticket.

Not sure what I'm going to do at this point. My boss's boss asked me how long already....and I must figure this out soon.
check the proxy-settings within the web-interface-site
it should be set to "auto" mostly.

save the launch.ica file and post them.
has your WI/CSG server internet access to check the CRL?
HEY....I just freaking noticed that Gateway Settings - FQDN is Citrix.rapadocs.com and should be Citrix.myrapadocs.com.
no !
:-)
IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! THANK YOU!!!!!
nice to hear.
have a happy day.
dkotte, I really appreciate all your help. You have no idea how much you helped me. I had begun to take the WI out of DMZ and test when the light bulb came on. It was because you mentioned that SSL is sensitive and I had that on my mind when I suddenly looked down at a piece of paper I wrote down Gateway Settings and noticed it was incorrect.

You have a happy day as well my friend.

nimdatx
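
Added example (not part of the original thread, and not Citrix code): the fix above was a Gateway Settings FQDN in Web Interface that differed from the certificate FQDN reported by the Secure Gateway. This sketch cross-checks the Web Interface values from the question against a constructed excerpt of the CSG diagnostics report; the dictionary keys and function names are hypothetical. Host names are compared case-insensitively, so the "big C" change alone makes no difference.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the layout of the CSG diagnostics report posted above.
CSG_REPORT = """\
  Certificate FQDN = Citrix.myrapadocs.com
  All interfaces (0.0.0.0 : 443)
  ID = STA362CE7A8D924
    FQDN = WIN08CITRIX
    Port = 8080
    Path = /Scripts/CtxSTA.dll
"""

# Web Interface values as listed in the question; the key names are hypothetical.
WI_SETTINGS = {
    "gateway_fqdn": "citrix.rapadocs.com",
    "gateway_port": 443,
    "sta_urls": ["http://WIN08CITRIX:8080/Scripts/CtxSTA.dll"],
}

def same_host(a, b):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return a.rstrip(".").lower() == b.rstrip(".").lower()

def parse_csg(report):
    """Pull the certificate FQDN, listener port and STA entries from the report."""
    cert = re.search(r"Certificate FQDN\s*=\s*(\S+)", report)
    port = re.search(r"\(\S+\s*:\s*(\d+)\)", report)
    stas = re.findall(r"FQDN\s*=\s*(\S+)\s+Port\s*=\s*(\d+)\s+Path\s*=\s*(\S+)", report)
    if not (cert and port):
        raise ValueError("report lacks a certificate FQDN or listener line")
    return cert.group(1), int(port.group(1)), stas

def check(report, wi):
    """Return a list of mismatches between Web Interface and Secure Gateway."""
    cert_fqdn, listen_port, stas = parse_csg(report)
    findings = []
    if not same_host(wi["gateway_fqdn"], cert_fqdn):
        findings.append(f"gateway FQDN {wi['gateway_fqdn']} != certificate FQDN {cert_fqdn}")
    if wi["gateway_port"] != listen_port:
        findings.append(f"gateway port {wi['gateway_port']} != listener port {listen_port}")
    for url in wi["sta_urls"]:
        u = urlsplit(url)
        if not any(same_host(u.hostname or "", h) and u.port == int(p)
                   and u.path.lower() == path.lower() for h, p, path in stas):
            findings.append(f"STA URL {url} is not defined on the gateway")
    return findings

if __name__ == "__main__":
    for line in check(CSG_REPORT, WI_SETTINGS):
        print("MISMATCH:", line)
```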