STA Server and Citrix

Asked by Simon336697 (Australia):

Hi guys!

I'm trying to connect to my Secure Gateway externally.

I can connect through to https://<securegatewayURL> on port 443
This brings up my Web Interface, which is on the same box as the CSG.

When I connect and view my certificate, it says the following:

Issued to: <Public IP Address>
Issued by: <internal computer name> eg.testbox.domain.com

In the above, the public IP address is the IP assigned to the internal computer name, which is NATted on the firewall.
However, the FQDN is NOT a registered domain name, so externally I CANNOT type in the FQDN to get to the server, e.g. https://testbox.domain.com will not work. I have to type in the public IP address.

Further certificate details:

Subject:
CN = <x.x.x.x> (the public IP address)
OU = Simon
O = Simon
L = melbourne
S = vic
C = AU

Issuer:
<internal computer name> e.g. testbox.domain.com (not the public IP address)

I click Yes to accept and log in to my WI, which returns the application sets for me.

Now, whenever I click on an application to launch an ICA session, I get the following response:

"Cannot connect to the Citrix MetaFrame server.
There is no Citrix SSL server configured on the specified address."

I'm guessing that when I launch a Citrix application, it tries to contact the STA server. I don't understand why it can't connect, because the STA server is the SAME machine. Is it because of the certificate?

I'm also wondering: even though the issuer and the system being issued the certificate are the SAME machine, does the FQDN have to be a registered domain name?

On the CSG box is the following:

Web Interface - port 80
CSG
Certificate Services
IIS with a certificate installed for the default web site.

When I open Certificate Services, the server name is my INTERNAL NAME, e.g. testbox.domain.com. When I created the certificate to then be issued to IIS

When I set up the Secure Gateway and it asked for an STA server, I could not use <public IP address>; I had to use the internal computer name testbox.domain.com. This could be contacted when I ran diagnostics, but I'm presuming this has to be a registered domain name as well.

Also, when I launched an application from the Web Interface, I wanted to see the contents of the ICA file.

Here it is (notepad.ica):
=========================================================

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_hvx5fp53SRqz0XlEO
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
CSG Notepad=

[CSG Notepad]
Address=<INTERNAL IP ADDRESS>:1494    <-- Is this a problem, being the internal IP address?
AudioBandwidthLimit=2
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
ClearPassword=652D63E994D0FB
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\2ED5D310BB3B406A
HTTPBrowserAddress=!
InitialProgram=#CSG Notepad
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLCiphers=all
SSLEnable=On
SSLProxyHost=<INTERNAL FQDN which cannot be entered externally>:443    <-- Is this a problem? Should this be the PUBLIC IP ADDRESS?
SecureChannelProtocol=Detect
SessionsharingKey=blah blah
TWIMode=On
TransportDriver=TCP/IP
Username=testuser
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

==========================================================

So what I did was change the two settings flagged above to the public IP address and then launch the file, which gave the following message:

"Cannot connect to the Citrix MetaFrame server. SSL Error 61. You have not chosen to trust the issuer of the server's security certificate."

I click OK and the session closes.


I have tried installing the certificate on the client PC with no luck, and ensured that in Internet Options > Advanced all the security options for encryption are set correctly. I've set the altaddress on the CSG server.

The only thing I can think of is that there is a problem with the certificate, but I ran the diagnostic tool and it returned all successful.

When a Citrix application is launched, does the client have to connect to the CN name as defined in the certificate, and does this CN name HAVE to be an FQDN, not a public IP address, even though in my case they are the SAME machine?

I can't get the certificate trusted, and I'm assuming I have to register this CN name so I can resolve it externally.

Sorry for this huge question. You guys are fantastic, and I know I have posted a lot of questions. I'm close now and will reward you all.

Thank you.

Simon
mgcIT (United States) replied:

OK, your problem isn't your certificate. Although you should register a domain name and use that on your cert, it will be fine with just an IP address for the most part. Some features will not work though (the Java client, for one, I think).

Your problem is this:

Address=<INTERNAL IP ADDRESS>:1494    <-- Is this a problem, being the internal IP address?

You should NOT see an IP address at all! The STA server will mask the IP address, so it will show as something like:
Address=;40;STA8DD5D589DAF4;E6CE569C3B660AAE61422449ACAF09D9

You need to change some settings in your Web Interface. Open the Access Suite Console:
Click Manage Secure Client Access > Edit DMZ Settings.
Your default should be either Secure Gateway Direct or Secure Gateway Alternate, depending on your setup.

Click Manage Secure Client Access > Edit Secure Gateway Settings.
Make sure the FQDN here is the external IP.
Also, for the STA servers you shouldn't use your CSG server. Use the name (internal is fine) of your Citrix 4.0 server. So it will be something like this:
http://citrix.mydomain.hq/scripts/ctxsta.dll

You'll also need to rerun the CSG configuration and put this server in there as well. Note that if your XML port is not the default (80), you will need to specify that. In the above example it would be like this:
http://citrix.mydomain.hq:8080/scripts/ctxsta.dll

In the CSG setup there will be a box where you type in the port number. Again, it will default to 80.
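As an added example (not code from the thread or from Citrix), here is a small Python checker for the two ICA-file symptoms discussed above: the asker's `Address=` line carrying a direct internal IP instead of the STA ticket form mgcIT describes, and an `SSLProxyHost` that clients outside the firewall cannot resolve and that does not match what the gateway certificate is issued to. The two sample ICA files, the public IP 203.0.113.10, the private IP 10.0.0.5 and the regular expression for the ticket format are constructed from the examples on this page, not taken from a real deployment.

```python
"""Check a Web Interface / Secure Gateway ICA file for the problems in the thread.

Added example, not Citrix code. Sample ICA files are constructed to mirror
the one posted above, with placeholder addresses.
"""
import configparser
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: what the asker posted (internal IP in Address,
# internal-only FQDN in SSLProxyHost, a ClearPassword in the file).
BROKEN_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
CSG Notepad=

[CSG Notepad]
Address=10.0.0.5:1494
CGPAddress=*:2598
ClearPassword=652D63E994D0FB
SSLEnable=On
SSLProxyHost=testbox.domain.com:443
Username=testuser
"""

# Constructed sample: after the Web Interface fix, Address carries an STA
# ticket (format as in mgcIT's reply) and SSLProxyHost is the address that
# external clients resolve and that the certificate is issued to.
FIXED_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
CSG Notepad=

[CSG Notepad]
Address=;40;STA8DD5D589DAF4;E6CE569C3B660AAE61422449ACAF09D9
CGPAddress=*:2598
SSLEnable=On
SSLProxyHost=203.0.113.10:443
Username=testuser
"""

# STA-masked address shaped like mgcIT's example: ;<number>;<STA id>;<hex ticket>
# (assumed pattern, derived only from that one example)
STA_TICKET_RE = re.compile(r"^;\d+;STA[0-9A-Za-z]+;[0-9A-Fa-f]+$")


def parse_ica(text: str) -> configparser.ConfigParser:
    """ICA files are INI-style; keep key case so 'CSG Notepad' matches its section."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_host_port(value: str) -> Tuple[str, str]:
    """'host:port' -> (host, port); a bare host gives ('host', '')."""
    host, _, port = value.rpartition(":")
    return (host, port) if host else (value, "")


def check_ica(text: str, external_gateway: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for every application in the ICA file.

    external_gateway: the name or IP that Internet clients can resolve and that
    the CSG certificate is issued to (the public IP in the asker's case).
    """
    cp = parse_ica(text)
    findings: List[Tuple[str, str]] = []
    for app in cp["ApplicationServers"]:
        sec = cp[app]
        addr = sec.get("Address", "") or ""
        if not STA_TICKET_RE.match(addr):
            host, _ = split_host_port(addr)
            try:
                private = ipaddress.ip_address(host).is_private
            except ValueError:
                private = False
            note = " (internal IP leaked to the client)" if private else ""
            findings.append(("direct-address",
                             f"{app}: Address={addr!r} is not an STA ticket; "
                             f"the client will try to reach the server directly{note}"))
        if (sec.get("SSLEnable", "Off") or "").lower() == "on":
            proxy_host, _ = split_host_port(sec.get("SSLProxyHost", "") or "")
            if proxy_host.lower() != external_gateway.lower():
                findings.append(("sslproxyhost",
                                 f"{app}: SSLProxyHost={proxy_host!r} is not the external "
                                 f"gateway {external_gateway!r}; outside clients cannot "
                                 f"resolve it and the certificate name will not match"))
        if sec.get("ClearPassword"):
            findings.append(("credentials",
                             f"{app}: file carries a ClearPassword value; treat it as sensitive"))
    return findings


if __name__ == "__main__":
    for name, ica in (("broken", BROKEN_ICA), ("fixed", FIXED_ICA)):
        print(name, check_ica(ica, "203.0.113.10") or "no findings")
```

Run it against the ICA file the Web Interface hands out (save the launch file instead of opening it): a clean result means the client is only ever told the gateway's public address and a one-time STA ticket, which is the point of putting CSG in front of the farm. The credentials finding is informational only; the presence of a ClearPassword line is visible in the asker's own file above.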
Simon336697 (asker) replied:

Hi mgcIT!

Thank you for all your fantastic help. Thanks to you I'm getting further, but still no luck.

I made all the changes you suggested above, and you're spot on about the ICA file: now mine doesn't show the internal IP address.

Now the message I'm getting when I launch an app is the following:

"Cannot connect to the Citrix MetaFrame server. SSL Error 61. You have not chosen to trust the issuer of the server's security certificate."
The connection then terminates.

Slowly getting there. A huge thank you to you.
mgcIT posted the accepted solution (members-only content, not shown on this page).

Simon336697 (asker) replied:

mgcIT!

Guess what! IT WORKS! I did everything you said and it works.

You are a LEGEND. I can't thank you enough for the effort you've put in to help me. I can see that you help a lot of people on here, and I just wish I could shake your hand.
I've been stumped on this for days trying to get this to work, and thanks to yourself and the other guys on here, it's working.

THANK YOU SO MUCH!

Simon
mgcIT replied:

Great! Glad you got it working. Next time don't be stumped for days; just post a Q and we'll try to help you out. Now that you've got it all set up I'm sure you'll want to tinker around with it and customize it to your liking. If you run into trouble, just let me know.

Sam
Simon336697 (asker) replied:

mgcIT, mate, thank you again. Really appreciate it.

A later reply:

I am also facing this problem and I have checked all of this, but I still continue to get a Protocol Driver error. It starts working on its own after 10 or 15 retries.