

Cannot connect to the Citrix Metaframe server. The Citrix SSL server you have selected is not accepting connections

Posted on 2006-11-02
Medium Priority
Last Modified: 2009-12-11
I am trying to access an application using Web Interface and CSG, and I get the following error: "Cannot connect to the Citrix Metaframe server. The Citrix SSL server you have selected is not accepting connections".

My setup is as follows. I have one CSG and one WI in a DMZ. On the trusted LAN are my Presentation Servers. All the correct ports have been opened on the firewalls. I can telnet to all IPs on the required ports.

If you ask me more questions I will have answers.

I need ideas ASAP as my install needs to be completed by tomorrow evening.
Question by:GrantBeattie
LVL 10

Expert Comment

ID: 17859424
1)  Are CSG/WI on the same server?  If so, do you have 80/443 opened from the outside (with a redirection from http:// to https:// -- actually the CSG service)?   I would assume yes on this, but want to make sure.  
2)  Are you trying to secure the connection to the STAs (via the "Secure traffic between the STA and the Secure Gateway" checkbox)?  If so this may be the problem if you don't have a server cert on each PS4 server.  
3)  You can telnet to all IPs from the CSG or from the outside?  With CSG you really only need to have port 80 and 443 opened from the outside.  You DO NOT need ports 1494 and 2598 opened from the public edge of your network (if so, this defeats the purpose of using CSG).
4)  Are you using the default of port 80 for XML traffic?  If NOT, have you configured Web Interface with the non-http port (i.e. http://<ps4 server:8080>/scripts/ctxsta.dll)?  This is done in the Presentation Server Admin console under "Manage secure client access" > Edit Secure Gateway Settings.  
5)  In the Web Interface config, have you set your non-local client address table to use "Secure Gateway Direct"?  This is done in the Metaframe Presentation Server Administration console under Manage Secure Client Access > Edit DMZ Settings.
6)  Within the CSG configuration, are you using Indirect or Direct within the "Access options" section of the Secure Gateway Configuration Wizard?  
7)  Are you using FQDNs instead of short names in both CSG AND the Web Interface connection?  You may have a name resolution issue if not.  With that said, can the CSG/WI server resolve the names of the Citrix PS4 servers in your network?  If not, you may need to edit your hosts file to define them.

Hope this is some sort of help to you,

Author Comment

ID: 17859536
1: Not on same server
2: Not secure connection between STA
3: External firewall only has 80 and 443 open.
5: This has been set to Secure Gateway Alternate as I have NATing in place from external URL
7: I have entered all as FQDNs; that I made sure of, as I am aware of the problems that can arise from not putting them in correctly.

If port 443 is not open on the internal firewall between the DMZ and secure network, would this possibly affect it?

LVL 10

Accepted Solution

chrisnewman01 earned 1000 total points
ID: 17859619
If you wanted to, you could put both WI and CSG on the same server -- just an FYI in case you would like to free up a server.  Try Secure Gateway Direct instead of Secure Gateway Alternate.  Web Interface is also in the DMZ, or is that internal?  Unless you're securing access from the DMZ to an internal server (i.e., Web Interface), you should not need 443 opened.  Just 80, 1494, and 2598 to the Citrix servers.
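
The port layout discussed above (80/443 only at the public edge, 80/1494/2598 from the DMZ to the farm) can be checked against the firewalls with a short script. This is an added example, not part of the original thread; the host names are constructed placeholders and the `audit` helper is hypothetical.

```python
import socket

# Ports taken from the thread; host names below are constructed placeholders.
EDGE_OPEN = {80, 443}          # public edge -> CSG / Web Interface
EDGE_CLOSED = {1494, 2598}     # ICA and session reliability must not face the Internet
FARM_OPEN = {80, 1494, 2598}   # DMZ -> Presentation Servers (XML/STA, ICA, session reliability)


def probe(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name did not resolve
        return False


def audit(host, must_open, must_closed=(), probe_fn=probe):
    """Compare observed reachability of host with the intended firewall policy."""
    findings = []
    for port in sorted(must_open):
        if not probe_fn(host, port):
            findings.append((host, port, "required but unreachable"))
    for port in sorted(must_closed):
        if probe_fn(host, port):
            findings.append((host, port, "reachable but should be filtered"))
    return findings


if __name__ == "__main__":
    # Run from the CSG host in the DMZ: every farm server needs 80, 1494 and 2598.
    for server in ("ps4-01.corp.invalid", "ps4-02.corp.invalid"):
        for finding in audit(server, FARM_OPEN):
            print(finding)
    # Run from outside the perimeter: only 80 and 443 should answer.
    for finding in audit("csg.corp.invalid", EDGE_OPEN, EDGE_CLOSED):
        print(finding)
```

An empty result from both vantage points means the firewalls match the intended layout; any tuple printed names the host, the port and the mismatch.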

LVL 10

Expert Comment

ID: 17859667
Another thing with using Secure Gateway Direct instead of Secure Gateway Alternate -- make sure you don't have an alternate address set on any of the PS4 servers (ALTADDR from the command line should return NO results).  

LVL 19

Assisted Solution

BLipman earned 1000 total points
ID: 17870012
chrisnewman01 is correct in that you want Secure DW Direct, NOT alternate.  The SG box acts as a proxy for clients and needs the real IP of your farm servers unless you have a double hop or double NAT setup.  Get everything working using the Web Interface directly from the CSG box (a Citrix engineer gave me this suggestion when I called for support, you must get it working from there first).  You can set an alternate address on the servers; it won't hurt anything.  It is only given when asked (when your PN is set to Alternate Address for FW Connections or when the Web Interface has Alternate as the DMZ setting).  
If you are having trouble getting things working still, download your .ICA file (right click on your app in the WI and Save, then open w/ notepad and post here).  
LVL 19

Expert Comment

ID: 18029713
I would suggest a point split between chrisnewman01 and BLipman, we both put in some time to assist and are still waiting for a response from the poster.  
