Solved

Cannot connect to the Citrix Metaframe server. The Citrix SSL server you have selected is not accepting connections

Posted on 2006-11-02
Last Modified: 2009-12-11
I am trying to access an application using Web Interface and CSG, and I get the following error: "Cannot connect to the Citrix Metaframe server. The Citrix SSL server you have selected is not accepting connections".

My setup is as follows. I have one CSG and one WI in a DMZ. On the trusted LAN are my presentation servers. All the correct ports have been opened on the firewalls. I can telnet to all IPs on the required ports.

If you ask me more questions I will have answers.

I need ideas ASAP as my install needs to be completed by tomorrow evening.
Question by:GrantBeattie
9 Comments
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 17859424
1)  Are CSG/WI on the same server?  If so, do you have 80/443 opened from the outside (with a redirection from http:// to https:// -- actually the CSG service)?   I would assume yes on this, but want to make sure.  
2)  Are you trying to secure the connection to the STAs (via the "Secure traffic between the STA and the Secure Gateway" checkbox)?  If so this may be the problem if you don't have a server cert on each PS4 server.  
3)  You can telnet to all IPs from the CSG or from the outside?  With CSG you really only need to have port 80 and 443 opened from the outside.  You DO NOT need ports 1494 and 2598 opened from the public edge of your network (if so, this defeats the purpose of using CSG).
4)  Are you using the default of port 80 for XML traffic?  If NOT, have you configured Web Interface with the non-http port (i.e. http://<ps4 server:8080>/scripts/ctxsta.dll)?  This is done in the Presentation Server Admin console under "Manage secure client access" > Edit Secure Gateway Settings.  
5)  In the Web Interface config, have you set your non-local client address table to use "Secure Gateway Direct"?  This is done in the Metaframe Presentation Server Administration console under Manage Secure Client Access > Edit DMZ Settings.
6)  Within the CSG configuration, are you using Indirect or Direct within the "Access options" section of the Secure Gateway Configuration Wizard?  
7)  Are you using FQDNs instead of short names in both CSG AND the Web Interface connection?  You may have a name resolution issue if not.  With that said, can the CSG/WI server resolve the names of the Citrix PS4 servers in your network?  If not, you may need to edit your hosts file to define them.

Hope this is some sort of help to you,
Chris
0
 

Author Comment

by:GrantBeattie
ID: 17859536
1: Not on same server.
2: Not secure connection between STA.
3: External firewall only has 80 and 443 open.
4: Yes.
5: This has been set to Secure Gateway Alternate, as I have NATing in place from the external URL.
6: Indirect.
7: I have entered all as FQDNs; that I made sure of, as I am aware of the problems that can arise with not putting them in correctly.

If port 443 is not open on the internal firewall between the DMZ and secure network, would this possibly affect it?

grant
0
 
LVL 10

Accepted Solution

by:
chrisnewman01 earned 250 total points
ID: 17859619
If you wanted to, you could put both WI and CSG on the same server -- just an FYI in case you would like to free up a server.  Try Secure Gateway Direct instead of Secure Gateway Alternate.  Web Interface is also in the DMZ, or is that internal?  Unless you're securing access from the DMZ to an internal server (i.e., Web Interface), you should not need 443 opened.  Just 80, 1494, and 2598 to the Citrix servers.
0
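The port and name-resolution checks discussed in the comments above can be scripted; this is an added example, not part of the original thread. It compares observed reachability with what the answers call for (public edge: 443 only, never 1494 or 2598; CSG to farm servers: 80, 1494 and 2598), and the host names in it are placeholders.

```python
import socket

# Expected reachability per the thread: (vantage, port) -> must it connect?
# "outside" = public edge towards the CSG; "csg" = DMZ gateway towards farm servers.
# Port 80 from outside (HTTP redirect) is optional, so it is not listed.
EXPECTED = {
    ("outside", 443): True,    # clients reach the gateway over SSL
    ("outside", 1494): False,  # ICA must not be exposed publicly
    ("outside", 2598): False,  # session reliability must not be exposed publicly
    ("csg", 80): True,         # XML/STA traffic on the default port
    ("csg", 1494): True,       # ICA from gateway to farm
    ("csg", 2598): True,       # session reliability from gateway to farm
}

def tcp_probe(host, port, timeout=3.0):
    """Return 'unresolved', 'open' or 'closed' for host:port."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except OSError:
        return "closed"

def audit(vantage, hosts, probe=tcp_probe):
    """Probe each expected port from this vantage point; return deviations."""
    findings = []
    for host in hosts:
        if "." not in host:
            findings.append((host, None, "short name; use the FQDN"))
        for (where, port), must_open in sorted(EXPECTED.items()):
            if where != vantage:
                continue
            state = probe(host, port)
            if state == "unresolved":
                findings.append((host, None, "name does not resolve here"))
                break
            if state == "open" and not must_open:
                findings.append((host, port, "open but should be blocked"))
            elif state == "closed" and must_open:
                findings.append((host, port, "blocked but required"))
    return findings

if __name__ == "__main__":
    # Placeholder farm server names; run this on the CSG/WI machine.
    for finding in audit("csg", ["ps1.corp.example", "ps2.corp.example"]):
        print(finding)
```

Run it with the `"csg"` vantage from the gateway in the DMZ and with the `"outside"` vantage from a machine beyond the external firewall, pointing at the gateway's public name.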

 
LVL 10

Expert Comment

by:chrisnewman01
ID: 17859667
Another thing with using Secure Gateway Direct instead of Secure Gateway Alternate -- make sure you don't have an alternate address set on any of the PS4 servers (ALTADDR from the command line should return NO results).  

Chris
0
 
LVL 19

Assisted Solution

by:BLipman
BLipman earned 250 total points
ID: 17870012
chrisnewman01 is correct in that you want Secure DW Direct, NOT alternate.  The SG box acts as a proxy for clients and needs the real IP of your farm servers unless you have a double hop or double NAT setup.  Get everything working using the Web Interface directly from the CSG box (a Citrix engineer gave me this suggestion when I called for support, you must get it working from there first).  You can set an alternate address on the servers; it won't hurt anything.  It is only given when asked (when your PN is set to Alternate Address for FW Connections or when the Web Interface has Alternate as the DMZ setting).  
If you are having trouble getting things working still, download your .ICA file (right click on your app in the WI and Save, then open w/ notepad and post here).  
0
 
LVL 19

Expert Comment

by:BLipman
ID: 18029713
I would suggest a point split between chrisnewman01 and BLipman, we both put in some time to assist and are still waiting for a response from the poster.  
0
