Solved

Citrix SSL relay name could not be resolved

Posted on 2006-06-28
16,102 Views
Last Modified: 2012-06-27
OK, using SG I am getting the error above; from Citrix I get this solution:

Symptom

Users receive the following error message when trying to launch applications through Secure Gateway:

“Cannot connect to the Citrix server:
The Citrix SSL relay name could not be resolved (SSL error 40)”

Cause

The fully qualified domain name (FQDN) of the Secure Gateway server is not recognized by the client.

Reason

A DNS record was not made to resolve the FQDN name of the gateway

— or —

The FQDN of the Secure Gateway server entered in Web Interface/NFuseAdmin/server-side firewall/Secure Gateway for MetaFrame does not match the name on the certificate of the Secure Gateway server.

Resolution

Create a DNS record that resolves the FQDN of the Secure Gateway server or create an entry in the host file on the client devices.

Verify that the FQDN referenced in Web Interface/NFuseAdmin/server-side firewall/Secure Gateway for MetaFrame matches the name on the certificate of the Secure Gateway server.

****************
1. OK, I would create the DNS record to resolve the FQDN, but I can't figure that one out. The DNS server is 10.0.x.x,
the SG server 192.168.x.x (DMZ) FQDN CITRIX01.AMS.NET,
the Citrix PS server 10.0.x.x FQDN SECUREGATE01.AMS.NET
or
2. Verify that the FQDN referenced in the web interface... matches the name of the certificate

cert name secure.billsmoonko.com
ext IP 70.169.x.x


Question by:Quadeeb2003
7 Comments
LVL 18

Accepted Solution

by:
mgcIT earned 500 total points
You said previously (I think) that you registered the billsmoonko.com domain name through GoDaddy and it is being hosted by them.

If this is true they will have a utility that allows you to do this. I don't have an account there so I can't see exactly what it looks like, but based on their help/support section it looks pretty easy.

Basically you will want to do this:

1. create a subdomain for secure.billsmoonko.com (you probably just reserved billsmoonko.com as your domain so you can create any subdomains such as xyx.billsmoonko.com)
2. create an "A Record" so that secure.billsmoonko.com = 70.169.x.x (assuming this is your external ip address and this address is NAT'd on your firewall to the internal IP Address of your SG server - you'll want to set up the NAT for port 443 only)

Here is the main Help section for GoDaddy that you will want to look at: http://help.godaddy.com/article_list.php?topic_id=163&&

and specific pages for:

"What is an A Record" - http://help.godaddy.com/article.php?article_id=678&topic_id=163&&
"What is Total DNS Control? " - http://help.godaddy.com/article.php?article_id=681&topic_id=163&&
"How do I manage my DNS if I host my site on my own servers?" - http://help.godaddy.com/article.php?article_id=682&topic_id=163&&

Those ones you should definitely look at.
LVL 1

Author Comment

by:Quadeeb2003
That was stellar! Helped out a ton.
I'm not functional yet, but I have a new error.

From the internet, I am still getting the same error, SSL 40, but from local to https://secure.billsmoonko.com, I received SSL error 59: The server sent a security certificate identifying "secure.billsmoonko.com", the SSL connection was to "SECUREGATE01.AMS.NET"

So, let me tell you where I think I may have screwed up.
My domain is AMS.NET, where my DC is.
All of my servers are on the ams.net domain.
The SG server domain does not equal the "secure.billsmoonko.com".

Is this ok to do?  Do I need to put the SG server on its own domain or can it be resolved with FQDN?

In part 2 of your answer, you are correct, the external ip address is NAT'd on the firewall to the internal IP address of my SG server.
Looking at the SG setup options I think it is SG alternate or SG translated, and am trying them both.


I have the following settings currently under Manage Secure Client Access and am changing them around to see if anything works.

DMZ settings
client ip        mask       access method
default                     direct
70.169.x.x       x.x.x.x    secure gateway alternate
192.168.x.x      x.x.x.x    secure gateway translated

Secure gateway address FQDN SECUREGATE01.AMS.NET
port 443
secure ticket authority http://CITRIX01.AMS.NET/scripts/ctxsta.dll
address translations
access type   int address   int port   ext address   ext port
all           192.168.x.x   80         70.169.x.x    80

web interface
https://secure.billsmoonko.com:444/citrix/metaframe
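An added diagnostic, not from the thread, from Citrix or from GoDaddy, that reproduces the two client-side checks behind the errors above: does the gateway FQDN the client was given resolve at all (error 40, what the A record in the accepted answer fixes), and does that FQDN match a name on the gateway's certificate (error 59, the SECUREGATE01.AMS.NET vs secure.billsmoonko.com mismatch). The certificate dict, the two DNS tables and the masked addresses are constructed stand-ins mirroring the thread; only fetch_peer_cert() touches the network.

```python
import socket
import ssl
# Outcomes mirroring the two client-side errors discussed in the thread.
UNRESOLVED = "SSL error 40: gateway FQDN does not resolve"
MISMATCH = "SSL error 59: certificate name does not match gateway FQDN"
OK = "FQDN resolves and matches the certificate"
def cert_dns_names(cert):
    """SAN dNSName entries plus subject CN, from the dict shape ssl's getpeercert() returns."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names + [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(fqdn, names):
    """Case-insensitive comparison; a wildcard may stand in for the leftmost label only."""
    host = fqdn.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".billsmoonko.com"
            if host.endswith(suffix) and host.count(".") == suffix.count("."):
                return True
        elif name == host:
            return True
    return False

def diagnose(configured_fqdn, cert, resolve=socket.gethostbyname):
    """Run the checks in the order the ICA client hits them: resolve first, then compare names."""
    try:
        resolve(configured_fqdn)
    except OSError:
        return UNRESOLVED
    return OK if name_matches(configured_fqdn, cert_dns_names(cert)) else MISMATCH

def fetch_peer_cert(host, port=443):
    """Pull the gateway's leaf certificate over TLS for use with diagnose() (needs network)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed stand-ins, not real lookups: the thread's certificate and DNS before/after
# the public A record for secure.billsmoonko.com exists (addresses masked as in the thread).
SG_CERT = {"subject": ((("commonName", "secure.billsmoonko.com"),),),
           "subjectAltName": (("DNS", "secure.billsmoonko.com"),)}
DNS_BEFORE = {"securegate01.ams.net": "192.168.x.x"}
DNS_AFTER = {**DNS_BEFORE, "secure.billsmoonko.com": "70.169.x.x"}
def lookup_in(table):
    """Offline resolver over a dict; fails with socket.gaierror (an OSError) like gethostbyname."""
    def resolve(name):
        if name.lower() not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return table[name.lower()]
    return resolve
```

Against a live gateway, `diagnose("secure.billsmoonko.com", fetch_peer_cert("secure.billsmoonko.com"))` runs the same two checks with the real resolver and the real certificate.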
LVL 1

Author Comment

by:Quadeeb2003
Added a host file with the name secure.billsmoonko.com to the SG server.
I can now ping the cert by name.
Still having the same problem.
LVL 1

Author Comment

by:Quadeeb2003
I have spent so much time on this and read so many articles and chased so many possible solutions.

I have managed to get SSL error 59 if I change the name of the FQDN in CAS to "cert name".
I look in the error log for CSG and get error
"THE SSL SERVER YOU ARE TRYING TO CONNECT IS NOT ACCEPTING CONNECTIONS"

This post on citrix was the best help i could find
http://support.citrix.com/forums/thread.jspa?forumID=75&threadID=73602&messageID=448064&

But still that has not worked.
In all of the situations I have run across, the same scenario.
WI/SG on same server
PS and STA on same server

I have a host file on SG naming the SG server the cert name

I can ping by name and IP the cert name on and off of the network and it resolves the IP of the CS server.

From everything I've read, and every site I've gone to, I believe I'm looking at a possible STA problem.

If anyone has an idea I'd appreciate it.

local direct connection - no problem, only CG.
LVL 1

Expert Comment

by:oneyp
I've also seen personal firewalls cause the same problem.  Try to disable any Norton or McAfee personal firewalls that you have and try it again.  If it works, then you will need to make an exception on your firewall utility for the ica client.
LVL 1

Author Comment

by:Quadeeb2003
I have ICAany already allowed at the moment.
I was logging every denied socket from the SG in DMZ to the trust (PS server and DC) and IMC525 was one, and as such I let it go on through.
There are no denials from the DMZ to the Trust, except port 135 and 123 going to the DC.
I have allowed any to any connections from DMZ to Trust for tests, but no luck.

Thank you for the reply.
Currently, I uninstalled my DigiCert and am trying to make my own. The FQDN of my SG server and the Common Name for the server certificate are different. I have a host file that I was hoping would resolve that, but maybe it doesn't. My domain, ams.net, is actually a public domain, so I can't get a CA to issue me a cert. Maybe I should just change my whole domain name. Until then, I am trying to be my own CA and issue a cert for my SG FQDN.
LVL 1

Author Comment

by:Quadeeb2003
I will post the complete solution to my Citrix installation as I finalize and test.
Thanks for pointing me in the right direction.
The real trick with a WI and CSG installation on the same computer comes in assigning two separate IP addresses to the server, and giving one to the CSG and one to the WI. That is why I was getting the errors.

Thanks for everyone's help.