SSL not working while running CSG and Presentation 4.0 on the same server

I installed CSG and Presentation manager on the same server.
IIS is set to listen on port 3443 and CSG on 443
I am able to login and see my published web apps via an ssl link but cannot launch the applications over ssl.
If I am on the same subnet with the server my applications launched via the web browser talk over port 2598.
If I put a firewall between myself and the server to test the ssl I get a reply back when launching the apps that say:
Cannot connect to the Citrix server:
There is no Citrix Server configured on the specified address

DLBroussardAsked:

mgcITCommented:
First I should mention that installing CSG on the same server as PS 4.0 is not recommended.  You won't be getting the same security that you would if they were separate and the CSG was in the DMZ.

For your problem you probably just haven't configured the Web Interface correctly for use with CSG.  Please give more details on your web interface setup.  Specifically under "Manage Secure Client Access"

And one other piece of info that is key.  Log into the web interface from the outside but rather than trying to launch an application, right-click on the application icon and choose "Save Target As..."  Save this file (launch.ica) to your desktop and then open it with Notepad.  Post that file here.
0
DLBroussardAuthor Commented:
I agree with you on the security, but this is a test site.  Production will have separate servers.
The Client access for the secure gateway settings are:
FQDN = the external host fqdn
STA URL = http://internal host name/scripts/ctxsta.dll
No translations are in place

ICA File settings

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_gx7NzjVyuLDzH5P3e
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Notepad=

[Notepad]
Address=10.1.0.12:1494
AutologonAllowed=ON
CGPAddress=*:2598
ClearPassword=1E83251A9E8A41
ClientAudio=Off
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\12AC84499658F584
InitialProgram=#Notepad
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLEnable=Off
SessionsharingKey=2-basic-none-rdtst-administrator-Test Farm
TWIMode=On
TransportDriver=TCP/IP
Username=administrator
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

0
mgcITCommented:
ok see this is not correct: Address=10.1.0.12:1494

When using CSG you should not see an address here because outside your firewall you can't communicate with a server with the address 10.1.0.12 directly.  The address should be masked so something is not working right with your CSG.  When accessing your web interface site are you typing https:// rather than http://?
0

DLBroussardAuthor Commented:
I am using https:
Is there a good document for configuring everything on the same server?
0
mgcITCommented:
and what settings do you have under Manage Secure Client Access > Edit DMZ Settings
0
mgcITCommented:
Unfortunately there isn't a document for that simply because it isn't a recommended setup.  The CSG admin guide from http://support.citrix.com (site seems down at the moment - they have changed the design since yesterday so apparently are having problems with that) gives details about installing Web Interface and CSG on the same server but no PS 4.0 also.
0
mgcITCommented:
ok the site seems fine now.  Here are the links for those specific admin guides:

CSG 3.0: http://support.citrix.com/article/CTX106300

WI for PS 4.0: http://support.citrix.com/article/CTX106472
0
DLBroussardAuthor Commented:
Edit DMZ settings - Default, Direct
0
mgcITCommented:
>> Edit DMZ settings - Default, Direct

ok change this to Secure Gateway Direct
0
DLBroussardAuthor Commented:
Done,
but now I get ERROR: An error has occurred while connecting to the requested resource.
when trying to launch the app
0
mgcITCommented:
ok save the launch.ica file again and post here again.
0
DLBroussardAuthor Commented:
When I go to save the ica file it tries to save it as a serverError.htm which contains the same error.
0
DLBroussardAuthor Commented:
OK, I got the defective end user out of the way (myself)
[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_gx7NzjVyuLDzH5P3e
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Notepad=

[Notepad]
Address=10.1.0.12:1494
AutologonAllowed=ON
CGPAddress=*:2598
ClearPassword=6EB12A50FE133D
ClientAudio=Off
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\03C71226F85E9AEB
InitialProgram=#Notepad
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLEnable=Off
SessionsharingKey=2-basic-none-rdtst-administrator-Test Farm
TWIMode=On
TransportDriver=TCP/IP
Username=administrator
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

0
mgcITCommented:
ok still not quite right, but I think I see your problem.  Again the Address should not show.  When the CSG is working correctly it will look something like this:
Address=;40;STAEE63F55267DC;90AB360D6374AFD37016F49B923420A7

one of your problems is here:
CGPAddress=*:2598

port 2598 is used for Session Reliability.  Normally this will be 443 as you said in your original post the CSG is using SSL over port 443.  In your web interface settings or CSG settings anywhere are you specifying port 2598?
0
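A check for the symptom described in the comment above, as an added example that is not part of the original thread: it parses a launch.ica and flags any application whose Address is a plain host:port instead of a Secure Gateway ticket, or whose SSLEnable is not On. Both samples are constructed from values quoted in the thread; SSLEnable=On in the second sample, the function names and the finding codes are assumptions.

```python
import configparser
import ipaddress

# Constructed sample: keys and values as posted in the thread (trimmed).
DIRECT_ICA = """[ApplicationServers]
Notepad=

[Notepad]
Address=10.1.0.12:1494
CGPAddress=*:2598
SSLEnable=Off
"""

# Constructed sample: ticket-style Address quoted in the thread; SSLEnable=On is assumed.
GATEWAY_ICA = """[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STAEE63F55267DC;90AB360D6374AFD37016F49B923420A7
SSLEnable=On
"""

def is_sta_ticket(address):
    # Ticket form shown in the thread: ;<n>;STA<id>;<ticket>
    parts = address.split(";")
    return len(parts) == 4 and parts[0] == "" and parts[2].startswith("STA") and parts[3] != ""

def audit_ica(text):
    """Return {application: [finding codes]} for every app in [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys are mixed case; keep them as written
    cp.read_string(text)
    report = {}
    for app in cp["ApplicationServers"]:
        section = cp[app] if cp.has_section(app) else {}
        findings = []
        address = section.get("Address", "").strip()
        if not is_sta_ticket(address):
            findings.append("direct-address")  # client would bypass the gateway
            host = address.rsplit(":", 1)[0]
            try:
                if ipaddress.ip_address(host).is_private:
                    findings.append("private-address")  # internal IP handed to the client
            except ValueError:
                pass  # hostname or empty value, not an IP literal
        if section.get("SSLEnable", "Off").strip().lower() != "on":
            findings.append("ssl-off")
        report[app] = findings
    return report

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT_ICA), ("gateway", GATEWAY_ICA)):
        print(name, audit_ica(sample))
```
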
DLBroussardAuthor Commented:
OK,

I removed the existing web site, re-ran discovery, created a new web site, configured it as you said for the dmz, set up the fqdn and the sta address and now I get that the certificate is not from a trusted source when I launch the app.
The good news is the ica file looks correct now.
The certificate error is true because I generated a self signed certificate using a Microsoft IIS utility.
I think it will work once I get a real certificate or I set up my pc to trust the source.
0
mgcITCommented:
yes it will work once you get an actual cert.  Or if you want to use the free one do this:

1. on your certificate server (the IIS server you used) browse to the following page: https://servername/certsrv/certcarc.asp
2. click "Download CA Certificate Chain" - save this file to your hard drive
3. now on the computer you are trying to connect to citrix with, get the file you downloaded above, right-click and choose "Install Certificate"
4. Click Next
5. choose "Place all certificates in the following store"
6. click Browse
7. choose Trusted Root Certification Authorities - click yes to any warning messages and finish
8. Now try to log into the CSG from that computer
0
mgcITCommented:
is that a question? or a bug with the site?

If you want to accept one of my comments as the answer to your question then just click the "Accept" button next to the comment (if you didn't do that already)... If you did try it again because something went glitchy when you did.
0

mgcITCommented:
My recommendation: This question was answered correctly.  In fact I believe the asker tried to accept (or thought he/she was doing it correctly based on their last post).  Either way the solution to several different problems here was given.
0