Quadeeb2003

asked on

Citrix Secure Gateway and Citrix Web Interface on a single computer

OK Experts - Time-sensitive question here, I will try to be as detailed as possible.

I have 2 servers running Citrix
1 for PS 4.0
1 for WI and SG

Previously I had everything on one server.  Now I have WI and SG on a separate server, and that server is in the DMZ.

Before I put the SG server in the DMZ, I was able to connect through WI to the PS. Now that the SG server is in the DMZ, and out of the local IP loop, I cannot connect over WI.

The details.
The SG server is on IP address x.x.x.19, I can ping the DMZ x.x.x.18 and hit both.
The SG certificate is secure.billsmoonko.com, it is installed on the SG.
The web address for secure.billsmoonko.com is not currently being redirected to the server IP x.x.x.19, but I can make that happen.
I was hoping SG would function by its direct IP for now, and change it after it is running.

WI and SG both installed (thx mgcIT), but I'm sure I didn't default something correctly

Under WI in the Access Suite Console I have 2 interfaces listed
https://amscitrix01.ams.net:444/citrix/metframe
https://secure.billsmoonko.com:444/citrix/metframe  default set to Secure Gateway

I added the second one because during the discovery for the first one, nothing came up under WI.

So presently I cannot connect to the SG via web browser
I tried the ip, the secure.billsmoonko.com

I really need to get this up and going, please let me know what else you need to help me get me up and running.

On the important scale I give it a literal 10 of 10.





ASKER CERTIFIED SOLUTION
mgcIT
Quadeeb2003

ASKER

between the LAN and the DMZ
443
444
80
8080
1443
I wasn't able to get into Citrix via the certificate name previously either, the secure...
I had previously changed the name of the IIS server web site from default to the secure.billsmoonko.com, is that incorrect?

I am able to log into Citrix with the following
http://<servername.domain.org>/citrix/metaframe
but not through https, sorry about the continuous updates.
you are able to do this externally?

if so check to see if you have port 443 opened on the external firewall to the DMZ for the proper IP address.
No, can't do it externally mgcIT.  Only on the local.
Currently trying to configure the router, there seems to be a problem with how they gave us the new IP addresses that does not work so well for our DMZ.
We cannot ping the router from a non LAN ip at the moment.

But, besides that.  Shouldn't  I be able to hit    https://certname:443.

I can't hit anything with the cert name, but server name and or ip I can hit.

should yes... have you configured DNS so that certname = IP Address?
Also I should mention that DNS changes on the internet can sometimes take a while to propagate (usually about a day).
No, I have not configured DNS so the certname = IP address,
how would I go about doing that?
well first you would have had to purchase the domain name billsmoonko.com... have you done that?

Depending on where you purchase from, they will have a web admin page where you can point that domain (and others such as secure.billsmoonko.com) to a certain IP Address
The web domain was purchased from godaddy, it is presently hosted by godaddy, and the ip is mapped to the ip of the server.

I was having difficulty running discovery in the access suite console, so much so that I re-installed the OS on the SG server.
The good news is it only took about 5 minutes to get the WI and SG back to the position they had been in previously.
It is taking a very long time to initialize the snap-ins and to run discovery on the SG server.  
I can't log into http://<servername.domain.org>/citrix/metaframe
I get an error: the RPC server cannot be contacted. Check that the server name is correct, that the server is on, that metaframe ps is in the server, and that the metaframe COM server is running.

I'm guessing this is all firewall related.  
OK, it was firewall related. All those issues are gone.
Now, I am back to getting the SG to work.
I had success in a local connection over https / ip address
Non local and non VPN I can get to the site over HTTPS, install the cert, but I still get cannot find the server.
Next step is to look at the launch.ica file, I just have to find it.  I forget how.
Here is my ICA file
I'm back to my old SG issue, but, we now have the SG server in a DMZ (and working), and behind a firewall (configured correctly)

Can you help me from my ICA

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_EQgJ0erWVDz3hfqeA
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Wordpad=

[Wordpad]
Address=10.0.0.101:1494
AudioBandwidthLimit=2
AutologonAllowed=ON
CGPAddress=*:2598
ClearPassword=90B05D912B0B95
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\2D18E6E6232BB1B9
InitialProgram=#Wordpad
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLEnable=Off
SessionsharingKey=2-basic-basic-AMSNET-Justin-DME
TWIMode=On
TransportDriver=TCP/IP
Username=Justin
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
Alright, I have added a couple address translations, and now I am to the next error,
I feel like it is progress.

The Citrix SSL relay name could not be resolved (SSL error 40)
Citrix has this to say
http://support.citrix.com/article/CTX103569&searchID=22922834

I am looking into the DNS, because mgcIT said something about it previously.
The SSL error 40 is because your certificate says secure.billsmoonko.com but you are connecting to the IP Address.  The URL and certificate must match in order for SSL to work.  Have you enabled the DNS yet?
No, mgcIT, not quite sure how to enable the DNS.
See open question.  This question really had to do with the router settings, which I gave you credit for, that was a step in the right direction.
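
Added example (not part of the original thread): a small Python check that reads a launch.ica like the one posted above and reports why a launch from outside the LAN would fail. It assumes that an ICA file routed through Secure Gateway carries SSLEnable=On and an SSLProxyHost entry naming the gateway, and that the gateway name must equal the certificate name, as the reply about SSL error 40 states; the function name check_ica and the sample text are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample: the relevant keys from the launch.ica posted in the thread.
SAMPLE_ICA = """\
[ApplicationServers]
Wordpad=

[Wordpad]
Address=10.0.0.101:1494
SSLEnable=Off
TransportDriver=TCP/IP
"""

def check_ica(text, gateway_fqdn):
    """Return findings that explain why an external client cannot launch the app."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys are mixed case; keep them as written
    cp.read_string(text)
    findings = []
    for app in cp["ApplicationServers"]:
        if app not in cp:
            continue  # application listed without its own section
        sec = cp[app]
        host = sec.get("Address", "").rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_private:
                findings.append(f"{app}: Address {host} is a private IP, unreachable from outside the LAN")
        except ValueError:
            pass  # a hostname or a gateway ticket, not a literal IP
        if sec.get("SSLEnable", "Off").lower() != "on":
            findings.append(f"{app}: SSLEnable is not On, so the session is not wrapped in SSL")
        proxy = sec.get("SSLProxyHost", "")
        if not proxy:
            findings.append(f"{app}: no SSLProxyHost, client connects straight to Address")
        elif proxy.rsplit(":", 1)[0].lower() != gateway_fqdn.lower():
            # Name mismatch with the certificate is the SSL error 40 case in the thread.
            findings.append(f"{app}: SSLProxyHost {proxy} does not match certificate name {gateway_fqdn}")
    return findings

if __name__ == "__main__":
    for line in check_ica(SAMPLE_ICA, "secure.billsmoonko.com"):
        print(line)
```

Run against the posted file, it reports all three conditions, which matches the symptom: the Web Interface site was still handing out direct-connection ICA files while the client was outside the LAN.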