STA Server and Citrix

Hi guys!

I'm trying to connect to my Secure Gateway externally.

I can connect through to https://<securegatewayURL> on port 443
This brings up my web interface which is on the same box as the csg.

When I connect and view my certificate, it says the following:

Issued to: <Public IP Address>
Issued by: <internal computer name> eg.testbox.domain.com

The above information: the public IP address is the IP assigned to the internal computer name, which is NATed on the firewall.
However, the FQDN is NOT a registered domain name, so externally I CANNOT type in the FQDN to get to the server, e.g. https://testbox.domain.com will not work. I have to type in the public IP address.

Further certificate details:

Subject:
CN = <x.x.x.x> (the public IP address)
OU = Simon
O = Simon
L = melbourne
S = vic
C = AU

Issuer:
<internal computer name> e.g. testbox.domain.com (not the public IP address)

I click Yes to accept and I log in to my WI, which returns the application sets for me.

Now, whenever I click on an application to launch an ICA session, I get the following response:

"Cannot connect to the Citrix MetaFrame server.
There is no Citrix SSL server configured on the specified address."

I'm guessing that when I launch a Citrix application, it tries to contact the STA server. I don't understand why it can't connect, because the STA server is the SAME machine. Is it because of the certificate?

I'm also wondering: even though the issuer and the system being issued the certificate are the SAME machine, does the FQDN have to be a registered domain name?

On the CSG box is the following:

Web Interface - port 80
CSG
Certificate Services
IIS with a certificate installed for the default web site.

When I open Certificate Services, the server name is my INTERNAL NAME, e.g. testbox.domain.com. When I created the certificate to then be issued to IIS

When I set up the Secure Gateway and it asked for an STA server, I could not use <public IP address>; I had to use the internal computer name testbox.domain.com. This could be contacted when I ran diagnostics, but I'm presuming this has to be a registered domain name as well.

Also, when I launch an application from the Web Interface, I wanted to see the contents of the ICA file.

Here it is ================================================= notepad.ica

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_hvx5fp53SRqz0XlEO
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
CSG Notepad=

[CSG Notepad]
Address=<INTERNAL IP ADDRESS>:1494 -----------------------------------------------------> Is this a problem being the internal IP Address??
AudioBandwidthLimit=2
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
ClearPassword=652D63E994D0FB
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\2ED5D310BB3B406A
HTTPBrowserAddress=!
InitialProgram=#CSG Notepad
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLCiphers=all
SSLEnable=On
SSLProxyHost=<INTERNAL FQDN which cannot be entered externally:443> --------------------------> is this a problem? Should this be the PUBLIC IP ADDRESS??
SecureChannelProtocol=Detect
SessionsharingKey=blah blah
TWIMode=On
TransportDriver=TCP/IP
Username=testuser
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

==========================================================

So what I did was, in the above, I changed the 2 settings to the public IP address and then launched the file, which gave the following message:

"Cannot connect to the Citrix Metaframe Server. SSL Error 61. You have not chosen to trust the issuer of the server's security certificate."

I click OK and the session closes.


I have tried installing the certificate on the client PC with no luck, ensuring in Internet Options > Advanced that all security options for encryption are set correctly. I've set the altaddress on the CSG server.

The only thing I can think of is that there is a problem with the certificate, but I ran the diagnostic tool and it returned all successful.

When a Citrix application is launched, does the client have to connect to the CN name as defined in the certificate, and does this CN name HAVE to be a FQDN, not a public IP address, even though in my case they are the SAME machine?

I can't get the certificate trusted, and I'm assuming I have to register this CN name so I can resolve it externally.

Sorry for this huge question. You guys are fantastic, and I know I have posted a lot of questions. I'm close now and will reward you all.

Thank you.

Simon
Simon336697 (Author) Asked:
mgcIT Commented:
OK, good. Now you've got the CSG set up correctly, it sounds like.

Now your problem really is with the cert. Because this cert was created from an untrusted source (your server, basically), there are a couple of extra steps you need to take to install the cert.

1. On your certificate server, browse to the following page: https://servername/certsrv/certcarc.asp
2. Click "Download CA Certificate Chain" and save this file to your hard drive.
3. Now, on the computer you are trying to connect to Citrix with, get the file you downloaded above, right-click and choose "Install Certificate".
4. Click Next.
5. Choose "Place all certificates in the following store".
6. Click Browse.
7. Choose Trusted Root Certification Authorities; click Yes to any warning messages and finish.
8. Now try to log into the CSG from that computer.

0
 
mgcIT Commented:
OK, your problem isn't your certificate. Although you should register a domain name and use that on your cert, it will be fine with just an IP address for the most part. Some features will not work though (the Java client, for one, I think).

Your problem is this:

Address=<INTERNAL IP ADDRESS>:1494 -----------------------------------------------------> Is this a problem being the internal IP Address??

You should NOT see an IP address at all! The STA server will mask the IP address, so it will show as something like:
Address=;40;STA8DD5D589DAF4;E6CE569C3B660AAE61422449ACAF09D9

You need to change some settings in your Web Interface. Open the Access Suite Console:
click Manage Secure Client Access > Edit DMZ Settings
Your default should be either Secure Gateway Direct or Secure Gateway Alternate, depending on your setup.

click Manage Secure Client Access > Edit Secure Gateway Settings
Make sure the FQDN here is the external IP.
Also, for the STA servers you shouldn't use your CSG server. Use the name (internal is fine) of your Citrix 4.0 server. So it will be something like this:
http://citrix.mydomain.hq/scripts/ctxsta.dll

You'll need to rerun the CSG configuration as well and put this server in there too. Note that if your XML port is not the default (80) you will need to specify it. In the above example it would be like this:
http://citrix.mydomain.hq:8080/scripts/ctxsta.dll

In the CSG setup there will be a box where you type in the port number. Again, it will default to 80.
0
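A small check for the two points in this answer, as an added example that is not from the thread or from Citrix: it parses a launched ICA file and flags an Address that is a server address instead of an STA ticket, and an SSLProxyHost that does not match the gateway certificate's CN (the cause of the name-mismatch and trust errors discussed here). The sample ICA text and the 203.0.113.10 address are constructed; the ticket value is the one quoted above.

```python
import re

# Constructed sample modelled on the thread's ICA file; the STA ticket value is
# the one quoted by mgcIT, and 203.0.113.10 stands in for the gateway's public IP.
BAD_ICA = """\
[ApplicationServers]
CSG Notepad=

[CSG Notepad]
Address=10.0.0.5:1494
SSLEnable=On
SSLProxyHost=testbox.domain.com:443
"""
GOOD_ICA = (BAD_ICA
            .replace("10.0.0.5:1494", ";40;STA8DD5D589DAF4;E6CE569C3B660AAE61422449ACAF09D9")
            .replace("testbox.domain.com:443", "203.0.113.10:443"))

# A gateway-brokered Address is an STA ticket ";<ver>;STA<id>;<hex>", never host:port.
STA_TICKET = re.compile(r"^;\d+;STA[0-9A-Fa-f]+;[0-9A-Fa-f]+$")

def parse_ica(text):
    """Parse INI-style ICA text into {section: {key: value}}, keeping key case."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_app(ica, app, gateway_cn):
    """Findings for one published app: the client must get an STA ticket (not a
    server address) and an SSLProxyHost that matches the gateway certificate's CN."""
    s, findings = ica.get(app, {}), []
    addr = s.get("Address", "")
    if not STA_TICKET.match(addr):
        findings.append(f"Address={addr!r}: expected an STA ticket, not a server address")
    host = s.get("SSLProxyHost", "").rsplit(":", 1)[0]
    if host.lower() != gateway_cn.lower():
        findings.append(f"SSLProxyHost={host!r} does not match certificate CN {gateway_cn!r}")
    return findings

def audit_ica(text, gateway_cn):
    """Audit every app under [ApplicationServers]; all-empty lists means clean."""
    ica = parse_ica(text)
    return {app: check_app(ica, app, gateway_cn) for app in ica.get("ApplicationServers", {})}
```

Running audit_ica over a file saved from the Web Interface, with the CN from the gateway certificate, shows the two defects in the original file and an empty list once the settings above have been applied.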
 
Simon336697 (Author) Commented:
Hi mgcIT!

Thank you for all your fantastic help. Thanks to you I'm getting further, but still no luck.

I applied all your suggestions above, and you're spot on about the ICA file. Now mine doesn't show the internal IP address.

Now the message I'm getting when I launch an app is the following:

"Cannot connect to the Citrix MetaFrame server. SSL Error 61. You have not chosen to trust the issuer of the server's security certificate."
The connection then terminates.

Slowly getting there. A huge thank you to you.
0

 
Simon336697 (Author) Commented:
mgcIT!

Guess what! IT WORKS!!!!!! I did everything you said and it works.

You are a LEGEND. I can't thank you enough for the effort you've put in to help me. I can see that you help a lot of people on here, and I just wish I could shake your hand.
I've been stumped on this for days trying to get this to work, and thanks to yourself and the other guys on here, it's working.

THANK YOU SO MUCH!

Simon
0
 
mgcIT Commented:
Great! Glad you got it working. Next time don't be stumped for days... just post a Q and we'll try to help you out. Now that you've got it all set up, I'm sure you'll want to tinker around with it and customize it to your liking. If you run into trouble just let me know.

Sam
0
 
Simon336697 (Author) Commented:
mgcIT, mate, thank you again. Really appreciate it.
0
 
iamalpine Commented:
I am also facing this problem and I have checked all of this... still I continue to get a Protocol Driver error. It starts working after 10 or 15 retries on its own...
0