Secure Gateway 3 and Web Interface 4.2 Multiple Site

I am having some issues configuring a second Web Interface site.  We currently have one Citrix Farm supporting one company.  We have a second small company of a couple dozen users who will also be accessing some apps in the farm.  The partners want this second company to have their own branded WI site.  I get as far as creating a second site in IIS 6 and changing the port to 444 and then the second site stops running in IIS.  It says the port is already in use.  444?  I'm specifying IP addresses in IIS for the WI site 1 and this second one.

My current config is a single IIS 6 box (W2k3 SP1) in my DMZ with WI 4.2 and CSG 3.0 installed on it.  PS4 servers are behind the firewall.  I have a cert for secure gateway.  I have a cert for my primary WI site.  I have a cert for my 2nd WI site.  CSG, WI site 1, and WI site 2 each have separate public IP's so no NAT or translation going on.  This should be a very direct config but IIS is killing me off the bat.

I also foresee a problem with my current setup once this hurdle is cleared.  Since everything is on the same box I am using the Indirect Access option in my CSG configuration.  I have unchecked the "Installed on this computer" option so I can specify the FQDN for my WI site 1 in the field.  This is the only way I could get it to work when I specified the specific IP address in IIS for my WI site 1.  If I leave "Installed on this computer" checked off the only way to get access to the WI site 1 through CSG was to not specify an IP address in IIS and leave "All Unassigned".

My concern here, since CSG is specifying WI Site 1 in the config is how will it interact with Site 2 once I get it running in IIS?  My guess is I have something fundamentally misconfigured here but I've tried every iteration I can think of to get just the one site working with specified IP addresses in IIS and this is the only way I could get the pages to come up correctly.

So, I have two tasks here:
1. Get the second site running on 444 in IIS6.
2. Get my CSG setup correctly to work with multiple WI sites.
CetusMOD Commented:
PAQed with points refunded (250)

Community Support Moderator
Can you bind a second IP to your NIC and have site #2 use the alternate IP?  
broussardgroup (Author) Commented:
I already have 3 IP's bound to my one NIC.
IP1 for Secure Gateway.
IP2 for WI Site #1.
IP3 for WI Site #2.

I'm still digging and I found this thread on Citrix's Support Forum:

I'm giving it a shot.
broussardgroup (Author) Commented:
I got it.  For anyone who slams into this in the future here is what I did -- most of this I'm paraphrasing from the thread above which was very helpful.

1. You need a cert for the Secure Gateway and every WI site you want to create.
2. Secure Gateway and each WI site needs a unique IP address.  I didn't try this with headers...
3. Setup SG so that it only listens to its IP address on 443.
4. Setup SG so it uses "Direct" access to the Web Interface Site aka Parallel configuration.

SG is now ready.  Now you have to make IIS play nice.

5. Download the httpcfg utility off the W2K3 CD "Support Tools".  This tool is used when dealing with IIS6.  If IIS5 or earlier you have to manipulate some sockets.  Search EE for how to do this.
6. Now you have to tell IIS to listen to ONLY the IP's for the websites you will be creating in IIS.  In my case I did the following:

SG is
WI Site 1 is
WI Site 2 is

httpcfg set iplisten -i

httpcfg set iplisten -i


When you start fooling with httpcfg it makes IIS only listen to those IP's so if you have other sites, etc., you need to include those.  The point is DO NOT include the SG IP or IIS will listen there too and SG won't be able to access 443 on its IP.
7. NOW, create your sites in IIS.  If the sites were created before doing this -- as mine were -- you still have issues when trying to get that 2nd, 3rd, 4th... site up.  After hours of futility I last ditch deleted the 2nd site and recreated it and it worked.  So, create sites last appears to be the proper order.
8. Now go into the Access Suite Console and create your site there.

You will now have multiple unique WI 4.2 sites running on the same box as SG 3.0 running through the same SG each with their own certificate.
Question has a verified solution.
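
As an added example that is not part of the original thread: a small Python model of why step 6 leaves the Secure Gateway IP out of the HTTP.sys IP listen list. It assumes a simplified binding rule (HTTP.sys opens every site port on each listed IP, or on all addresses when the list is empty); the 192.0.2.x addresses and all function names are constructed for illustration.

```python
# Simplified model (assumption) of IIS 6 / HTTP.sys socket binding on a box
# that also runs Secure Gateway. All addresses are constructed samples.
GATEWAY = ("192.0.2.10", 443)               # SG listener (hypothetical IP)
SITES = {                                   # IIS site -> (IP, SSL port)
    "WI Site 1": ("192.0.2.11", 443),
    "WI Site 2": ("192.0.2.12", 443),
}


def httpsys_sockets(iplisten, sites):
    """Return the (ip, port) pairs HTTP.sys opens for the given listen list.

    An empty listen list means HTTP.sys binds every site port on all
    addresses (0.0.0.0), whatever IP the site is assigned in IIS Manager.
    """
    ips = set(iplisten) or {"0.0.0.0"}
    ports = {port for _, port in sites.values()}
    return {(ip, port) for ip in ips for port in ports}


def check_plan(gateway, iplisten, sites):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    gw_ip, gw_port = gateway
    for ip, port in sorted(httpsys_sockets(iplisten, sites)):
        if port == gw_port and ip in ("0.0.0.0", gw_ip):
            problems.append(f"HTTP.sys on {ip}:{port} collides with SG on {gw_ip}:{gw_port}")
    for name, (ip, port) in sites.items():
        if iplisten and ip not in iplisten:
            problems.append(f"{name} ({ip}:{port}) is not in the IP listen list")
    return problems


if __name__ == "__main__":
    plans = {
        "no iplisten entries": [],
        "SG IP included": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
        "WI site IPs only": ["192.0.2.11", "192.0.2.12"],
    }
    for label, iplisten in plans.items():
        print(label, "->", check_plan(GATEWAY, iplisten, SITES) or "OK")
```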
