
Cannot connect to the Citrix Metaframe server. The Citrix SSL server you have selected is not accepting connections

GrantBeattie asked
Medium Priority
Last Modified: 2009-12-11
I am trying to access an application using Web Interface and CSG, and I get the following error: "Cannot connect to the Citrix Metaframe server. The Citrix SSL server you have selected is not accepting connections".

My setup is as follows. I have one CSG and one WI in a DMZ. On the trusted LAN are my presentation servers. All the correct ports have been opened on the firewalls. I can telnet to all IPs on the required ports.

If you ask me more questions I will have answers.

I need ideas ASAP as my install needs to be completed by tomorrow evening.

1)  Are CSG/WI on the same server?  If so, do you have 80/443 opened from the outside (with a redirection from http:// to https:// -- actually the CSG service)?   I would assume yes on this, but want to make sure.  
2)  Are you trying to secure the connection to the STAs (via the "Secure traffic between the STA and the Secure Gateway" checkbox)?  If so this may be the problem if you don't have a server cert on each PS4 server.  
3)  You can telnet to all IPs from the CSG or from the outside?  With CSG you really only need to have port 80 and 443 opened from the outside.  You DO NOT need ports 1494 and 2598 opened from the public edge of your network (if so, this defeats the purpose of using CSG).
4)  Are you using the default of port 80 for XML traffic?  If NOT, have you configured Web Interface with the non-http port (i.e. http://<ps4 server:8080>/scripts/ctxsta.dll).  This is done in the Presentation Server Admin console under "Manage secure client access" > Edit Secure Gateway Settings.  
5)  In the Web Interface config, have you set your non-local client address table to use "Secure Gateway Direct"?  This is done in the Metaframe Presentation Server Administration console under Manage Secure Client Access > Edit DMZ Settings.
6)  Within the CSG configuration, are you using Indirect or Direct within the "Access options" section of the Secure Gateway Configuration Wizard?  
7)  Are you using FQDNs instead of short names in both CSG AND the Web Interface connection?  You may have a name resolution issue if not.  With that said, can the CSG/WI server resolve the names of the Citrix PS4 servers in your network?  If not, you may need to edit your hosts file to define them.

Hope this is some sort of help to you,


1: Not on same server
2: Not secure connection between STA
3: External firewall only has 80 and 443 open.
5: This has been set to Secure Gateway Alternate as I have NATing in place from external URL
7: I have entered all as FQDNs; I made sure of that as I am aware of the problems that can arise from not putting them in correctly.

If port 443 is not open on the internal firewall between the DMZ and secure network, would this possibly affect it?

If you wanted to, you could put both WI and CSG on the same server -- just an FYI in case you would like to free up a server.  Try Secure Gateway Direct instead of Secure Gateway Alternate.  Web Interface is also in the DMZ, or is that internal?  Unless you're securing access from the DMZ to an internal server (i.e., Web Interface), you should not need 443 opened.  Just 80, 1494, and 2598 to the Citrix servers.

Another thing with using Secure Gateway Direct instead of Secure Gateway Alternate -- make sure you don't have an alternate address set on any of the PS4 servers (ALTADDR from the command line should return NO results).  

chrisnewman01 is correct in that you want Secure DW Direct, NOT alternate.  The SG box acts as a proxy for clients and needs the real IP of your farm servers unless you have a double hop or double NAT setup.  Get everything working using the Web Interface directly from the CSG box (a Citrix engineer gave me this suggestion when I called for support, you must get it working from there first).  You can set an alternate address on the servers; it won't hurt anything.  It is only given when asked (when your PN is set to Alternate Address for FW Connections or when the Web Interface has Alternate as the DMZ setting).  
If you are having trouble getting things working still, download your .ICA file (right click on your app in the WI and Save, then open w/ notepad and post here).  

I would suggest a point split between chrisnewman01 and BLipman, we both put in some time to assist and are still waiting for a response from the poster.  
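
A sanity check for the saved .ICA launch file that the thread suggests opening in Notepad, as an added example that is not part of the original posts. It assumes the launch file is INI-style with `SSLEnable`, `SSLProxyHost` and `Address` keys and that a Secure Gateway launch carries an STA ticket (a value starting with `;`) in `Address`; the sample file and host name are constructed.

```python
import configparser

# Constructed sample (not from the thread). Field names are the ones assumed
# to appear in a Web Interface launch file when Secure Gateway is in use.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;10;STA0123456789;0A1B2C3D4E5F
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=csg.example.com:443
"""

NON_APP_SECTIONS = {"wfclient", "applicationservers", "encoding"}

def check_ica(text):
    """Return (section, finding) tuples for gateway-related settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)          # option names are lower-cased by default
    findings = []
    for name in cp.sections():
        if name.lower() in NON_APP_SECTIONS:
            continue
        app = cp[name]
        if (app.get("sslenable") or "").strip().lower() != "on":
            findings.append((name, "SSLEnable is not On"))
        proxy = (app.get("sslproxyhost") or "").strip()
        host, _, port = proxy.rpartition(":")
        if not proxy:
            findings.append((name, "SSLProxyHost missing"))
        else:
            # A short name or bare IP will not match the gateway certificate name.
            if "." not in host or host.replace(".", "").isdigit():
                findings.append((name, "SSLProxyHost is not an FQDN"))
            if port != "443":
                findings.append((name, "SSLProxyHost port is not 443"))
        address = (app.get("address") or "").strip()
        if not address.startswith(";"):
            findings.append((name, "Address is a plain server address, not an STA ticket"))
    return findings

if __name__ == "__main__":
    for section, finding in check_ica(SAMPLE_ICA):
        print(f"[{section}] {finding}")
```

An empty result means the launch file points the client at the gateway FQDN on 443 with a ticket in place of a server address; any finding narrows the problem to the Web Interface DMZ or gateway settings discussed above.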