• Status: Solved
  • Priority: Medium
  • Security: Public

Citrix Secure Gateway and Citrix Web Interface on a single computer

OK Experts - Time sensitive question here, I will try to be as detailed as possible.

I have 2 servers running Citrix
1 for PS 4.0
1 for WI and SG

Previously I had everything on one server.  Now I have WI and SG on a separate server, and that server is in the DMZ.

Before I put the SG server in the DMZ, I was able to connect through WI to the PS. Now that the SG server is in the DMZ, and out of the local IP loop, I cannot connect over WI.

The details.
The SG server is on IP address x.x.x.19, I can ping the DMZ x.x.x.18 and hit both.
The SG certificate is secure.billsmoonko.com, it is installed on the SG.
The web address for secure.billsmoonko.com is not currently being redirected to the server IP x.x.x.19, but I can make that happen.
I was hoping SG would function by its direct IP for now, and change it after it is running.

WI and SG both installed (thx mgcIT), but I'm sure I didn't default something correct

Under WI in the Access Suite Console I have 2 interfaces listed
https://amscitrix01.ams.net:444/citrix/metframe
https://secure.billsmoonko.com:444/citrix/metframe  default set to Secure Gateway

I added the second one because during the discovery for the first one, nothing came up under WI.

So presently I cannot connect to the SG via web browser
I tried the ip, the secure.billsmoonko.com

I really need to get this up and going, please let me know what else you need to help me get me up and running.

On the important scale I give it a literal 10 of 10.





Asked: Quadeeb2003
1 Solution

mgcIT Commented:
If the only thing you did was move the server into the DMZ then this is probably a DMZ/firewall issue.  What ports do you have open between your LAN & DMZ?

Quadeeb2003 (Author) Commented:
between the LAN and the DMZ
443
444
80
8080
1443

Quadeeb2003 (Author) Commented:
I wasn't able to get into Citrix via the certificate name previously either, the secure...

Quadeeb2003 (Author) Commented:
I had previously changed the name of the IIS server web site from default to the secure.billsmoonko.com, is that incorrect?


Quadeeb2003 (Author) Commented:
I am able to log into Citrix with the following
http://<servername.domain.org>/citrix/metaframe

Quadeeb2003 (Author) Commented:
but not through https, sorry about the continuous updates.

mgcIT Commented:
You are able to do this externally?

If so, check to see if you have port 443 opened on the external firewall to the DMZ for the proper IP address.

Quadeeb2003 (Author) Commented:
No, can't do it externally mgcIT.  Only on the local.
Currently trying to configure the router, there seems to be a problem with how they gave us the new IP addresses that does not work so well for our DMZ.
We cannot ping the router from a non LAN ip at the moment.

But, besides that, shouldn't I be able to hit https://certname:443?

I can't hit anything with the cert name, but server name and/or IP I can hit.


mgcIT Commented:
should yes... have you configured DNS so that certname = IP Address?

mgcIT Commented:
Also, I should mention that DNS changes on the internet can sometimes take a while to propagate (usually about a day).

Quadeeb2003 (Author) Commented:
No, I have not configured DNS so the certname = IP address,
how would I go about doing that?

mgcIT Commented:
well first you would have had to purchase the domain name billsmoonko.com... have you done that?

Depending on where you purchase from, they will have a web admin page where you can point that domain (and others such as secure.billsmoonko.com) to a certain IP Address

Quadeeb2003 (Author) Commented:
The web domain was purchased from GoDaddy, it is presently hosted by GoDaddy, and the IP is mapped to the IP of the server.

I was having difficulty running discovery in the access suite console, so much so that I re-installed the OS on the SG server.
The good news is it only took about 5 minutes to get the WI and SG back to the position they had been in previously.
It is taking a very long time to initialize the snap-ins and to run discovery on the SG server.  
I can't log into http://<servername.domain.org>/citrix/metaframe
I get an error: the RPC server cannot be contacted. Check that the server name is correct, that the server is on, that metaframe ps is in the server, and that the metaframe COM server is running.

I'm guessing this is all firewall related.  

Quadeeb2003 (Author) Commented:
OK, it was firewall related. All those issues are gone.
Now, I am back to getting the SG to work.
I had success in a local connection over HTTPS / IP address.
Non-local and non-VPN, I can get to the site over HTTPS and install the cert, but I still get "cannot find the server".
Next step is to look at the launch.ica file; I just have to find it.  I forget how.

Quadeeb2003 (Author) Commented:
Here is my ICA file
I'm back to my old SG issue, but, we now have the SG server in a DMZ (and working), and behind a firewall (configured correctly)

Can you help me from my ICA?

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_EQgJ0erWVDz3hfqeA
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Wordpad=

[Wordpad]
Address=10.0.0.101:1494
AudioBandwidthLimit=2
AutologonAllowed=ON
CGPAddress=*:2598
ClearPassword=90B05D912B0B95
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\2D18E6E6232BB1B9
InitialProgram=#Wordpad
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLEnable=Off
SessionsharingKey=2-basic-basic-AMSNET-Justin-DME
TWIMode=On
TransportDriver=TCP/IP
Username=Justin
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
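
An added example, not part of the original thread and not Citrix code: a Python check for a launch.ica file like the one posted above, reporting the fields that show whether the launch goes through Secure Gateway. It assumes a Secure Gateway launch carries `SSLEnable=On` and an `SSLProxyHost` entry; the sample text and the finding names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample modelled on the posted file; the credential value is a placeholder.
SAMPLE_ICA = """\
[ApplicationServers]
Wordpad=

[Wordpad]
Address=10.0.0.101:1494
CGPAddress=*:2598
ClearPassword=PLACEHOLDER
SSLEnable=Off
TransportDriver=TCP/IP
"""

def audit_ica(text):
    """Return (application, finding) pairs for every published app in an ICA file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys are mixed case; keep them as written
    cp.read_string(text)
    findings = []
    apps = cp["ApplicationServers"] if cp.has_section("ApplicationServers") else {}
    for app in apps:
        if not cp.has_section(app):
            continue
        sec = cp[app]
        host = sec.get("Address", "").rsplit(":", 1)[0]
        try:
            # A literal private address is only reachable from inside the LAN.
            if ipaddress.ip_address(host).is_private:
                findings.append((app, "private-address"))
        except ValueError:
            pass  # hostname or ticket string, not a literal IP
        if sec.get("SSLEnable", "Off").lower() != "on":
            findings.append((app, "ssl-disabled"))
        if not sec.get("SSLProxyHost"):
            findings.append((app, "no-gateway-host"))
        if sec.get("ClearPassword"):
            # Credential material travels inside the file itself.
            findings.append((app, "embedded-credential"))
    return findings

if __name__ == "__main__":
    for app, issue in audit_ica(SAMPLE_ICA):
        print(f"{app}: {issue}")
```
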

Quadeeb2003 (Author) Commented:
Alright, I have added a couple address translations, and now I am to the next error,
I feel like it is progress.

The Citrix SSL relay name could not be resolved (SSL error 40)
Citrix has this to say:
http://support.citrix.com/article/CTX103569&searchID=22922834

I am looking into the DNS, because mgcIT said something about it previously.

mgcIT Commented:
The SSL error 40 is because your certificate says secure.billsmoonko.com but you are connecting to the IP Address.  The URL and certificate must match in order for SSL to work.  Have you enabled the DNS yet?

Quadeeb2003 (Author) Commented:
No, mgcIT, not quite sure how to enable the DNS.
See open question.  This question really had to do with the router settings, which I gave you credit for, that was a step in the right direction.
Question has a verified solution.
