
Citrix SSL relay name could not be resolved

OK, using SG I am getting the error above. From Citrix I get this solution:


Users receive the following error message when trying to launch applications through Secure Gateway:

“Cannot connect to the Citrix server:
The Citrix SSL relay name could not be resolved (SSL error 40)”


The fully qualified domain name (FQDN) of the Secure Gateway server is not recognized by the client.


A DNS record was not made to resolve the FQDN name of the gateway

— or —

The FQDN of the Secure Gateway server entered in Web Interface/NFuseAdmin/server-side firewall/Secure Gateway for MetaFrame does not match the name on the certificate of the Secure Gateway server.


Create a DNS record that resolves the FQDN of the Secure Gateway server or create an entry in the host file on the client devices.

Verify that the FQDN referenced in Web Interface/NFuseAdmin/server-side firewall/Secure Gateway for MetaFrame matches the name on the certificate of the Secure Gateway server.

1 Ok, I would create the DNS record to resolve the FQDN, but I can't figure that one out.  The DNS server is
the SG server 192.168.x.x (DMZ) FQDN CITRIX01.AMS.NET
the citrix PS server 10.0.x.x FQDN SECUREGATE01.AMS.NET
2 verify that the FQDN referenced in the web interface... matches the name of the certificate

cert name secure.billsmoonko.com
ext ip 70.169.x.x

You said previously (I think) that you registered the billsmoonko.com domain name through GoDaddy and it is being hosted by them.

If this is true they will have a utility that allows you to do this.  I don't have an account there so I can't see exactly what it looks like but based on their help/support section it looks pretty easy.

Basically you will want to do this:

1. create a subdomain for secure.billsmoonko.com (you probably just reserved billsmoonko.com as your domain so you can create any subdomains such as xyx.billsmoonko.com)
2. create an "A Record" so that secure.billsmoonko.com = 70.169.x.x (assuming this is your external ip address and this address is NAT'd on your firewall to the internal IP Address of your SG server - you'll want to set up the NAT for port 443 only)

Here is the main Help section for GoDaddy that you will want to look at: http://help.godaddy.com/article_list.php?topic_id=163&&

and specific pages for:

"What is an A Record" - http://help.godaddy.com/article.php?article_id=678&topic_id=163&&
"What is Total DNS Control? " - http://help.godaddy.com/article.php?article_id=681&topic_id=163&&
"How do I manage my DNS if I host my site on my own servers?" - http://help.godaddy.com/article.php?article_id=682&topic_id=163&&

Those ones you should definitely look at.

Quadeeb2003 (Author) commented:
That was stellar! Helped out a ton.
I'm not functional yet, but I have a new error.

From the internet, I am still getting the same error, SSL 40, but from local to https://secure.billsmoonko.com, I received SSL error 59: The server sent a security certificate identifying "secure.billsmoonko.com", the SSL connection was to "SECUREGATE01.AMS.NET"

So, let me tell you where I think I may have screwed up.
My domain is AMS.NET, where my DC is.
All of my servers are on the ams.net domain.
The SG server domain does not equal the "secure.billsmoonko.com".

Is this ok to do?  Do I need to put the SG server on its own domain or can it be resolved with FQDN?

In part 2 of your answer, you are correct, the external ip address is NAT'd on the firewall to the internal IP address of my SG server.
Looking at the SG setup options I think it is SG alternate or SG translated, and am trying them both.

I have the following settings currently under manage secure client access and am changing them around to see if anything works.

dmz settings
client ip              mask             access method
default                                    direct
70.169.x.x         x.x.x.x             secure gateway alternate
192.168.x.x        x.x.x.x             secure gateway translated

Secure gateway address FQDN SECUREGATE01.AMS.NET  
port 443
secure ticket authority http://CITRIX01.AMS.NET/scripts/ctxsta.dll
address translations
access type              int address           int port         ext address          ext port
all                            192.168.x.x             80                70.169.x.x            80

web interface
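
Added example, not part of the thread or of any Citrix tooling: an offline check of the two conditions the Citrix article and the comment above describe, namely that the gateway FQDN handed to the client resolves and that it matches a name on the gateway's certificate. The function names, the hosts-file stand-in for live DNS, and the 203.0.113.10 address are assumptions made for illustration.

```python
"""Offline check of the two conditions behind SSL error 40 and SSL error 59."""

# Constructed sample data: 203.0.113.10 is a documentation address standing in
# for the elided external IP; the host names are the ones quoted in the thread.
SAMPLE_HOSTS = """\
# client hosts file (constructed)
127.0.0.1      localhost
203.0.113.10   secure.billsmoonko.com   # Secure Gateway, external address
"""

def parse_hosts(text):
    """Map each lower-cased host name in hosts-file text to its address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        for name in fields[1:]:                  # first column is the address
            table.setdefault(name.lower(), fields[0])
    return table

def name_matches(cert_name, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*" and len(cert_labels) > 2:
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def diagnose(gateway_fqdn, cert_names, hosts_text):
    """Return the findings a client would hit for the configured gateway FQDN."""
    findings = []
    if gateway_fqdn.lower().rstrip(".") not in parse_hosts(hosts_text):
        findings.append("unresolved")      # condition reported as SSL error 40
    if not any(name_matches(n, gateway_fqdn) for n in cert_names):
        findings.append("name-mismatch")   # condition reported as SSL error 59
    return findings
```

Calling `diagnose` with the FQDN configured in the secure client access settings and the names on the installed certificate shows which of the two conditions still applies before a client is involved.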

Quadeeb2003 (Author) commented:
added a host file with the name secure.billsmoonko.com to the SG server
I can now ping the cert by name
still having the same problem

Quadeeb2003 (Author) commented:
I have spent so much time on this and read so many articles and chased so many possible solutions.

I have managed to get SSL error 59 if I change the name of the FQDN in CAS to "cert name".
I look in the error log for CSG and get error

This post on Citrix was the best help I could find

But still that has not worked.
In all of the situations I have run across, the same scenario.
WI/SG on same server
PS and STA on same server

I have a host file on SG naming the SG server the cert name

I can ping by name and IP the cert name on and off of the network and it resolves the IP of the CS server.

From everything I've read, and every site I've gone to, I believe I'm looking at a possible STA problem.

If anyone has an idea I'd appreciate it.

local direct connection - no problem, only CG.
I've also seen personal firewalls cause the same problem.  Try to disable any Norton or McAfee personal firewalls that you have and try it again.  If it works, then you will need to make an exception on your firewall utility for the ica client.

Quadeeb2003 (Author) commented:
I have ICAany already allowed at the moment.
I was logging every denied socket from the SG in DMZ to the trust (PS server and DC) and IMC525 was one, and as such I let it go on through.
There are no denials from the DMZ to the Trust, except port 135 and 123 going to the DC.
I have allowed any to any connections from DMZ to Trust for tests, but no luck.

Thank you for the reply.
Currently, I uninstalled my digicert and am trying to make my own. The FQDN of my SG server and the Common Name for the server certificate are different.  I have a host file that I was hoping would resolve that, but maybe it doesn't.  My domain, ams.net, is actually a public domain, so I can't get a CA to issue me a cert.  Maybe I should just change my whole domain name. Until then, I am trying to be my own CA and issue a cert for my SG FQDN

Quadeeb2003 (Author) commented:
I will post the complete solution to my Citrix installation as I finalize and test.
thanks for pointing me in the right direction.
The real trick with a WI and CSG installation on the same computer comes in assigning two separate IP addresses to the server, and giving one to the CSG and one to the WI.  That is why I was getting the errors.

Thanks for everyone's help.
Question has a verified solution.
