STA Server and Citrix

Hi guys!

I'm trying to connect to my Secure Gateway externally.

I can connect through to https://<securegatewayURL> on port 443.
This brings up my Web Interface, which is on the same box as the CSG.

When I connect and view my certificate, it says the following:

Issued to: <Public IP Address>
Issued by: <internal computer name>

On the above information: the public IP address is the IP assigned to the internal computer name, which is NATed on the firewall.
However, the FQDN is NOT a registered domain name, so externally I CANNOT type in the FQDN to get to the server, e.g. will not work... I have to type in the public IP address.

Further certificate details:

CN = <x.x.x.x> (the public IP address)
OU = Simon
O = Simon
L = melbourne
S = vic
C = AU

Issuer: <internal computer name> (not the public IP address)

I click Yes to accept and log in to my WI, which returns the application sets for me.

Now, whenever I click on an application to launch an ICA session, I get the following response:

"cannot connect to the citrix metaframe server
there is no citrix ssl server configured on the specified address."

I'm guessing that when I launch a Citrix application, it tries to contact the STA server. I don't understand why it can't connect, because the STA server is the SAME machine. Is it because of the certificate?

I'm guessing that even though the issuer and the system being issued the certificate are the SAME machine, does the FQDN have to be a registered domain name?

On the CSG box is the following:

Web Interface - port 80
Certificate Services
IIS with a certificate installed for the default web site.

When I open Certificate Services, the server name is my INTERNAL NAME (as it was when I created the certificate to then be issued to IIS).

When I set up the Secure Gateway and it asked for an STA server, I could not use <public IP address>; I had to use the internal computer name. This could be contacted when I ran diagnostics, but I'm presuming this has to be a registered domain name as well.

Also, when I launch an application from the Web Interface, I wanted to see the contents of the ICA file.

Here it is:

================================================= notepad.ica

CSG Notepad=

[CSG Notepad]
Address=<INTERNAL IP ADDRESS>:1494   <-- Is this a problem, being the internal IP address??
InitialProgram=#CSG Notepad
SSLProxyHost=<INTERNAL FQDN which cannot be entered externally>:443   <-- Is this a problem? Should this be the PUBLIC IP ADDRESS??
SessionsharingKey=blah blah
WinStationDriver=ICA 3.0

=================================================

So what I did was change the 2 settings marked above to the public IP address and then launch the file, which gave the following message:

"Cannot connect to the Citrix Metaframe Server. SSL Error 61. You have not chosen to trust the issuer of the server's security certificate."

I click OK and the session closes.

I have tried installing the certificate on the client PC with no luck, ensuring in Internet Options > Advanced that all security options for encryption are set correctly. I've set the altaddress on the CSG server.

The only thing I can think of is that there is a problem with the certificate, but I ran the diagnostic tool and it returned all successful.

When a Citrix application is launched, does the client have to connect to the CN name as defined in the certificate, and does this CN name HAVE to be an FQDN, not a public IP address, even though in my case they are the SAME machine?

I can't get the certificate trusted, and I'm assuming I have to register this CN name so I can resolve it externally.

Sorry for this huge post; you guys are fantastic, and I know I have posted a lot of questions... I'm close now and will reward you all.

Thank you.


OK, your problem isn't your certificate. Although you should register a domain name and use that on your cert, it will be fine with just an IP address for the most part. Some features will not work though (the Java client for one, I think).

Your problem is this:

Address=<INTERNAL IP ADDRESS>:1494   <-- Is this a problem, being the internal IP address??

You should NOT see an IP address at all! The STA server will mask the IP address, so it will show as something like:

You need to change some settings in your Web Interface. Open the Access Suite Console:
click Manage Secure Client Access > Edit DMZ Settings.
Your default should be either Secure Gateway Direct or Secure Gateway Alternate, depending on your setup.

Click Manage Secure Client Access > Edit Secure Gateway Settings.
Make sure the FQDN name here is the external IP.
Also, for the STA servers you shouldn't use your CSG server. Use the name (internal is fine) of your Citrix 4.0 server. So it will be something like this:

You'll need to rerun the CSG configuration also and put this server in there as well. Note that if your XML port is not the default (80) you will need to specify that. In the above example it would be like this:

In the CSG setup there will be a box where you type in the port number. Again, it will default to 80.
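As an added check (not code from this thread or from Citrix), here is a small Python script that parses an ICA file like the one posted above and flags the two things mgcIT calls out: a raw IP in Address where an STA ticket should be, and an SSLProxyHost that is not the address the client actually reaches the gateway on. The sample ICA, host names and the [ApplicationServers] header are constructed placeholders.

```python
import configparser
import ipaddress

# Constructed sample modelled on the notepad.ica in the question (placeholder hosts, not real ones).
# [ApplicationServers] is the standard ICA section listing published apps; the paste showed only its "CSG Notepad=" line.
SAMPLE_ICA = """\
[ApplicationServers]
CSG Notepad=

[CSG Notepad]
Address=10.0.0.5:1494
InitialProgram=#CSG Notepad
SSLProxyHost=csgbox.internal.local:443
SessionsharingKey=blah blah
WinStationDriver=ICA 3.0
"""

def _split_host_port(value: str):
    """Split 'host:port'; a value with no numeric port (e.g. an STA ticket) is returned whole."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None

def check_ica(text: str, gateway_address: str) -> list[str]:
    """Flag the two ICA misconfigurations discussed in the thread. gateway_address is the FQDN
    or public IP the client reaches the CSG on, which SSLProxyHost and the cert CN must carry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ICA key names exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if "Address" not in cp[section]:
            continue  # e.g. [ApplicationServers], which only lists app names
        host, _ = _split_host_port(cp[section]["Address"])
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # not an IP literal: with STA ticketing this is the expected case
        if ip is not None:
            kind = "private" if ip.is_private else "public"
            findings.append(f"{section}: Address exposes a raw {kind} IP {ip}; expected an STA ticket")
        proxy = cp[section].get("SSLProxyHost")
        if proxy is None:
            findings.append(f"{section}: no SSLProxyHost, so the client would bypass the gateway")
            continue
        phost, _ = _split_host_port(proxy)
        if phost.lower() != gateway_address.lower():
            findings.append(f"{section}: SSLProxyHost {phost} is not the gateway address {gateway_address}")
    return findings
```

Run it against an ICA file saved from the Web Interface launch, passing the public address you type into the browser; an empty list means both fields look the way mgcIT describes.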
Simon336697 (Author) commented:
Hi mgcIT!

Thank you for all your fantastic help. Thanks to you I'm getting further, but still no luck.

I made all your suggestions above, and you're spot on about the ICA: mine doesn't show the internal IP address.

Now the message I'm getting when I launch an app is the following:

"Cannot connect to the citrix metaframe server. SSL Error 61. You have not chosen to trust the issuer of the server's security certificate"
The connection then terminates.

Slowly getting there. A huge thank you to you.
OK good... now you've got the CSG set up correctly, it sounds like.

Now your problem really is with the cert. Because this cert was created from an untrusted source (your server, basically), there are a couple of extra steps you need to take to install the cert.

1. on your certificate server browse to the following page: https://servername/certsrv/certcarc.asp
2. click "Download CA Certificate Chain" - save this file to your hard drive
3. now on the computer you are trying to connect to citrix with, get the file you downloaded above, right-click and choose "Install Certificate"
4. Click Next
5. choose "Place all certificates in the following store"
6. click Browse
7. choose Trusted Root Certification Authorities - click yes to any warning messages and finish
8. Now try to log into the CSG from that computer


Experts Exchange Solution brought to you by


Simon336697 (Author) commented:

Guess what!... IT WORKS!!!!!! I did everything you said and it works.

You are a LEGEND... I can't thank you enough for the effort you've put in to help me. I can see that you help a lot of people on here, and I just wish I could shake your hand.
I've been stumped on this for days trying to get this to work, and thanks to yourself and the other guys on here, it's working.


Great! Glad you got it working. Next time don't be stumped for days... just post a Q and we'll try to help you out. Now that you've got it all set up, I'm sure you'll want to tinker around with it and customize it to your liking. If you run into trouble, just let me know.

Simon336697 (Author) commented:
mgcIT... mate, thank you again... really appreciate it.

I am also facing this problem and I have checked all of this... still I continue to get a Protocol Driver error... it starts working after 10-15 retries on its own...