Citrix SSL relay name could not be resolved

Posted on 2006-06-28
Medium Priority
Last Modified: 2012-06-27
OK, using SG I am getting the error above; from Citrix I get this solution:


Users receive the following error message when trying to launch applications through Secure Gateway:

“Cannot connect to the Citrix server:
The Citrix SSL relay name could not be resolved (SSL error 40)”


The fully qualified domain name (FQDN) of the Secure Gateway server is not recognized by the client.


A DNS record was not made to resolve the FQDN name of the gateway

— or —

The FQDN of the Secure Gateway server entered in Web Interface/NFuseAdmin/server-side firewall/Secure Gateway for MetaFrame does not match the name on the certificate of the Secure Gateway server.


Create a DNS record that resolves the FQDN of the Secure Gateway server or create an entry in the host file on the client devices.

Verify that the FQDN referenced in Web Interface/NFuseAdmin/server-side firewall/Secure Gateway for MetaFrame matches the name on the certificate of the Secure Gateway server.

1 Ok, I would create the DNS record to resolve the FQDN, but I can't figure that one out.  The DNS server is
the SG server 192.168.x.x (DMZ) FQDN CITRIX01.AMS.NET
the citrix PS server 10.0.x.x FQDN SECUREGATE01.AMS.NET
2 verify that the FQDN referenced in the web interface... matches the name of the certificate

cert name secure.billsmoonko.com
ext ip 70.169.x.x

Question by:Quadeeb2003

Accepted Solution

mgcIT earned 2000 total points
ID: 17006994
You said previously (I think) that you registered the billsmoonko.com domain name through GoDaddy and it is being hosted by them.

If this is true they will have a utility that allows you to do this.  I don't have an account there so I can't see exactly what it looks like but based on their help/support section it looks pretty easy.

Basically you will want to do this:

1. create a subdomain for secure.billsmoonko.com (you probably just reserved billsmoonko.com as your domain so you can create any subdomains such as xyx.billsmoonko.com)
2. create an "A Record" so that secure.billsmoonko.com = 70.169.x.x (assuming this is your external ip address and this address is NAT'd on your firewall to the internal IP Address of your SG server - you'll want to set up the NAT for port 443 only)

Here is the main Help section for GoDaddy that you will want to look at: http://help.godaddy.com/article_list.php?topic_id=163&&

and specific pages for:

"What is an A Record" - http://help.godaddy.com/article.php?article_id=678&topic_id=163&&
"What is Total DNS Control? " - http://help.godaddy.com/article.php?article_id=681&topic_id=163&&
"How do I manage my DNS if I host my site on my own servers?" - http://help.godaddy.com/article.php?article_id=682&topic_id=163&&

Those ones you should definitely look at.

Author Comment

ID: 17011672
That was stellar! Helped out a ton.
I'm not functional yet, but I have a new error.

From the internet, I am still getting the same error, SSL 40, but from local to the https://secure.billsmoonko.com, I received SSL error 59: The server sent a security certificate identifying "secure.billsmoonko.com", the SSL connection was to "SECUREGATE01.AMS.NET"

So, let me tell you where I think I may have screwed up.
My domain is AMS.NET, where my DC is.
All of my servers are on the ams.net domain.
The SG server domain does not equal the "secure.billsmoonko.com".

Is this ok to do?  Do I need to put the SG server on its own domain or can it be resolved with FQDN?

In part 2 of your answer, you are correct, the external ip address is NAT'd on the firewall to the internal IP address of my SG server.
Looking at the SG setup options I think it is SG alternate or SG translated, and am trying them both.

I have the following setting currently under manage secure client access and am changing them around to see if anything works.

dmz settings
client ip              mask             access method
default                                    direct
70.169.x.x         x.x.x.x             secure gateway alternate
192.168.x.x        x.x.x.x             secure gateway translated

Secure gateway address FQDN SECUREGATE01.AMS.NET  
port 443
secure ticket authority http://CITRIX01.AMS.NET/scripts/ctxsta.dll
address translations
access type              int address           int port         ext address          ext port
all                            192.168.x.x             80                70.169.x.x            80

web interface
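
An added example (not part of the thread or of Citrix's article) of the two checks the Citrix solution lists, evaluated from one client's point of view: does the Secure Gateway FQDN configured in Web Interface resolve, and does it match a name on the gateway certificate. The host names come from the thread; the resolver tables and addresses are constructed placeholders, and the function names are hypothetical.

```python
import socket

def system_resolver(name):
    """Addresses the local resolver (DNS or hosts file) returns; [] if none."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 443)})
    except socket.gaierror:
        return []

def table_resolver(table):
    """Offline stand-in for one client's view of DNS (constructed data)."""
    return lambda name: table.get(name.lower().rstrip("."), [])

def name_matches(cert_name, fqdn):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    f = fqdn.lower().rstrip(".").split(".")
    if len(c) != len(f):
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == f[1:]
    return c == f

def diagnose(configured_fqdn, cert_names, resolver=system_resolver):
    """Return the findings for one client; an empty list means both checks pass."""
    findings = []
    if not resolver(configured_fqdn):
        findings.append("unresolvable")    # KB cause 1: no DNS record or hosts entry
    if not any(name_matches(n, configured_fqdn) for n in cert_names):
        findings.append("name-mismatch")   # KB cause 2: configured FQDN != certificate name
    return findings

# Constructed sample data: names are from the thread, addresses are placeholders.
CERT = ["secure.billsmoonko.com"]
EXTERNAL = table_resolver({"secure.billsmoonko.com": ["203.0.113.10"]})
INTERNAL = table_resolver({"secure.billsmoonko.com": ["192.0.2.20"],
                           "securegate01.ams.net": ["192.0.2.20"]})

if __name__ == "__main__":
    for fqdn in ("SECUREGATE01.AMS.NET", "secure.billsmoonko.com"):
        for label, view in (("external", EXTERNAL), ("internal", INTERNAL)):
            print(f"{fqdn:26} {label:9} {diagnose(fqdn, CERT, view) or 'ok'}")
```

Calling `diagnose` without a resolver argument uses the machine's own DNS and hosts file, so the same check can be run on a real client with the certificate's names typed in.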

Author Comment

ID: 17014269
added a host file with the name secure.billsmoonko.com to the SG server
I can now ping the cert by name
still having the same problem

Author Comment

ID: 17017739
I have spent so much time on this and read so many articles and chased so many possible solutions.

I have managed to get SSL error 59 if I change the name of the FQDN in CAS to "cert name".
I look in the error log for CSG and get error

This post on Citrix was the best help I could find

But still that has not worked.
In all of the situations I have run across, the same scenario.
WI/SG on same server
PS and STA on same server

I have a host file on SG naming the SG server the cert name

I can ping by name and IP the cert name on and off of the network and it resolves the IP of the CS server.

From everything I've read, and every site I've gone to, I believe I'm looking at a possible STA problem.

If anyone has an idea I'd appreciate it.

local direct connection - no problem, only CG.

Expert Comment

ID: 17020336
I've also seen personal firewalls cause the same problem.  Try to disable any Norton or McAfee personal firewalls that you have and try it again.  If it works, then you will need to make an exception on your firewall utility for the ica client.

Author Comment

ID: 17020540
I have ICAany already allowed at the moment.
I was logging every denied socket from the SG in DMZ to the trust (PS server and DC) and IMC525 was one, and as such I let it go on through.
There are no denials from the DMZ to the Trust, except port 135 and 123 going to the DC.
I have allowed any to any connections from DMZ to Trust for tests, but no luck.

Thank you for the reply.
Currently, I uninstalled my digicert and am trying to make my own. The FQDN of my SG server and the Common Name for the server certificate are different.  I have a host file that I was hoping would resolve that, but maybe it doesn't.  My domain, ams.net, is actually a public domain, so I can't get a CA to issue me a cert.  Maybe I should just change my whole domain name. Until then, I am trying to be my own CA and issue a cert for my SG FQDN

Author Comment

ID: 17043807
I will post the complete solution to my Citrix installation as I finalize and test.
Thanks for pointing me in the right direction.
The real trick with a WI and CSG installation on the same computer comes in assigning two separate IP addresses to the server, and giving one to the CSG and one to the WI.  That is why I was getting the errors.

Thanks for everyone's help.
