Solved

Using Citrix Secure Gateway over SSL client cannot find server

Posted on 2006-06-09
Last Modified: 2008-02-07
I have a Citrix set up just installed, working perfectly over the WAN.

When using the web interface over port 443 the icons travel back and forth to the client, but the app launches, but fails to find the server.

I'm guessing router issue (don't laugh), I am using a linksys befx41 on my side.

500 quick points.
Question by:Quadeeb2003
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16874744
Both TCP and UDP are enabled.
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 16875184
please give more details on your setup:

Are you running WI and Secure Gateway on the same server?  Is this server in the DMZ or just natted behind the firewall?

Are you sure you are launching the apps from the Secure Gateway and not directly from the WI?
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16875219
ok, yes, the bad, we are running WI and SG on the same server.
The server is just behind the firewall no DMZ at the moment.

The launching of the apps is done from IE on HTTPS, by directly typing in the IP for the router.
The router is porting to the server over 443,

I know it is not the ideal situation, but we need to get things up and running at the moment.
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 16875461
WI and SG on the same server is actually ok... same with just having the server behind the firewall and not in the DMZ.  As long as you have your firewall configured correctly.

What is the error you are seeing when trying to connect externally?
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16875489
OK here is my step by step
1. I bring up https://*.*.58.166:443
2. the system immediately returns a Security Alert about the SSL that I created on my server asking if I want to proceed.
3. I click yes
4. Citrix Web interface pops up, I enter user name and PW
5. immediately returns my applications (wordpad tester)
6. I click on Wordpad to launch
7. connection in progress ..... about 80% of the way across and it hangs
..Wordpad ERROR
Cannot connect to the Citrix Metaframe server.
There is no Citrix MetaFrame server configured on the specified address.

..When I use the WI over the WAN, it works.  Same procedure, HTTPS://.... and it launches.
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16875693
I just upgraded the Firmware on the router, but so far no luck.
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 16875730
instead of launching wordpad, right-click on it and choose Save Target As...  Then open this file that you just saved (launch.ica) and open it with notepad.  There will be a line in that file that says:

Address=xxxx

does that line show your IP address, or is it a bunch of jumbled characters?
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 16875744
and one other question, when you launch from the WAN are you going to the same website?  same IP?
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16875766
Here is what it says, the only thing that sticks out to me is the port 1494, which is not going to that server.

[Encoding]
InputEncoding=UTF8

[WFClient]
ClientName=WI_ogmukN6HECU6H1AhT
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Wordpad=

[Wordpad]
Address=10.0.0.101:1494
AudioBandwidthLimit=2
AutologonAllowed=ON
CGPAddress=*:2598
ClearPassword=AA7F7AF906A4B0
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\1B562B928414AB57
InitialProgram=#Wordpad
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLEnable=Off
SessionsharingKey=2-basic-basic-amsnet-justin-DME
TWIMode=On
TransportDriver=TCP/IP
Username=justin
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16875771
yes, for the WAN same HTTPS:// ip address
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16875779
Hey, that 10.0.0.101:1494 is the server, should that be pointing to the router?
0
 
LVL 18

Accepted Solution

by:
mgcIT earned 500 total points
ID: 16877113
yea this is exactly your problem.  You actually aren't using Secure Gateway otherwise that IP Address would be masked by a bunch of jumbled characters.

Make sure you have SG configured correctly and that it is set to monitor port 443 (this would be done with the configuration wizard).  Also you'll want to make sure to change the SSL port in IIS to something other than 443 (444 for example).  You've probably already done this though otherwise you'd be getting error messages.

One last thing:

Open the Access Suite Console and go to your web interface site.  You need to make sure that the connection is set up for "Secure Gateway Direct".  Make this the default connection.  You probably have just Direct or Alternate selected now as the default.  This will be under Manage Secure Client Access > Edit DMZ Settings.
0
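The check described in the accepted answer (does `Address=` in launch.ica show a server IP, or is it masked), written out as an added example that is not part of the original thread. The first sample is trimmed from the file posted above; the second sample's ticket value and gateway host name are constructed placeholders, and its `SSLProxyHost` line is an assumption about what a gateway-relayed launch file carries.

```python
import configparser
import ipaddress

# Constructed sample: trimmed from the launch.ica posted in the thread.
DIRECT_ICA = """\
[ApplicationServers]
Wordpad=

[Wordpad]
Address=10.0.0.101:1494
SSLEnable=Off
TransportDriver=TCP/IP
"""

# Constructed sample: ticket string and gateway name are placeholders.
GATEWAY_ICA = """\
[ApplicationServers]
Wordpad=

[Wordpad]
Address=;40;STA0000000000;CONSTRUCTEDTICKET0000
SSLEnable=On
SSLProxyHost=gateway.example.test:443
"""

def check_ica(text):
    """Return {app: (verdict, detail)} for each app in [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the ICA file's key case
    cp.read_string(text)
    results = {}
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            continue
        sec = cp[app]
        addr = sec.get("Address", "")
        ssl_on = sec.get("SSLEnable", "Off").lower() == "on"
        try:  # a literal IP (with optional :port) means the client dials the server itself
            ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
        except ValueError:
            ip = None
        if ip is not None:
            scope = "private" if ip.is_private else "public"
            results[app] = ("direct", f"{scope} server address {addr} exposed")
        elif ssl_on and sec.get("SSLProxyHost"):
            results[app] = ("gateway", f"address masked, relayed via {sec['SSLProxyHost']}")
        else:
            results[app] = ("unknown", f"non-IP address {addr!r} without SSL relay settings")
    return results
```

A `direct` verdict with a private address is the situation in this thread: the external client is handed `10.0.0.101:1494`, which it cannot reach through the router.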
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877130
Great I'll give those a try, I'll be back in my office shortly. SoCal time like you.  
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877270
just one note, the 10.0.0.100 you are seeing is my wan, my external ip isn't showing.

..and whole citrix set up was done by a top rated (by citrix website) reseller.  I am totally new to this, so I'm not quite so fast.
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877364
I've opened Access Suite Console under suite components.configuration tools>web interface  I don't have any options for Manage Secure Client Access > Edit DMZ Settings
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877486
ok, the SG wizard on configure inbound client address is set to 10.0.0.101:8080 (secured) / monitor all IP Addresses is not checked (I only have one)
No outbound traffic restrictions
One STA (FQDN) format
Access options : indirect / installed on this computer / localhost / port 80
logging all events

I am still looking for the Access Suite Control settings for Manage Secure Client Access . Edit DMZ Settings

ahh. I don't have a DMZ is that a problem?

0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877515
Here is the diagnostic
Secure Gateway Global Settings
------------------------------
  Version = 3.0.1
  Product secured = MetaFrame Presentation Server only
  Logging level =  3 (All events including information)
  Client connection timeout =  100 seconds
  Maximum concurrent connections =  250
  Certificate FQDN = AMSCITRIX01

Interfaces
----------

  10.0.0.101 : 8080
  -----------------
    Protocol = SSL, TLS
    Cipher suites = ALL
    Secured = Yes
    HTTP = No
    ICA = Yes
    SOCKS = Yes
    Gateway Client = No
    LoadBalancerIPs = None defined

Web Interface
-------------
  FQDN = localhost
  Port = 80
  Secured = No
  Protocol = SSL, TLS
  Cipher suites = ALL
  Access mode = Indirect
  Tested OK

Authority Servers
-----------------

  ID = STA9487253D2546
  --------------------
    FQDN = amscitrix01.ams.net
    Port = 80
    Path = C:\Inetpub\Scripts/CtxSTA.dll
    Type = STA
    Secured = No
    Protocol = SSL, TLS
    Cipher suites = ALL
   

Certificate Check
-----------------
  FQDN = AMSCITRIX01
  This certificate is currently valid
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877538
Alright, you are on the BALL!!  I was trying to access the Secure Gateway Direct piece remotely, and I had to do it from the server to see what you were telling me to do.  

I just do not know what the mask is supposed to be

the blanks are
client ip: 10.0.0.101
mask ?
access method :secure access direct
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877558
Progress!!
I have a new error now.
Cannot connect to the Citrix Metaframe server.
The Citrix SSL relay name could not be resolved  (SSL error 40)
0
 
LVL 1

Author Comment

by:Quadeeb2003
ID: 16877675
Super help, I really appreciate it.
the default was incorrectly set.
Now I am getting another error, but I'll post it in a separate question.

Thanks so much.

Cannot connect to the Citrix server:
The Citrix SSL relay name could not be resolved (SSL error 40)
0
