• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1471
  • Last Modified:

Problems with CSG / Session Information

I have a few questions about CSG running with WI 4, and PS4... I'm not using Secure Access Manager.

I'm using Microsofts Certificate Authority at the moment, but I plan on making the customer buy a public certificate once I get this working.  Currently I am able to connected from the outside pointing to the HTTPS site, and when I save the ica file, it is showing the inside address.  That proves to me that CSG is working, but when I go into the management console for CSG, there is no session information.

Also, their internal domain is setup in a domain.local format.  So, all my settings in WI for CSG are pointing to the FQDN with that format, ie the STAs are setup like:


the CSG server is set to SQL01.domain.local which is how the certificate was setup also.

Will this cause problems when connecting from the outside?
  • 8
  • 5
  • 4
2 Solutions
The only thing you need to worry about from the outside is:  a)  Does the user have an updated ICA client (web client, or full Program Neighborhood), and b)  You only need to open ports 80 and 443 (don't open the other unnecessary ports such as 1494, 2598, otherwise the CSG is not going to be doing what is supposed to).  

I don't know how you want to set this up, but you probably only want to set CSG for all connections that aren't local to the environment (10.x.x.x, 172.16.x.x, 192.168.x.x will go through CSG, but they will have access to Web Interface).  In the Web Interface console, have you configured the option to use Secure Gateway Direct?  (Metaframe Presentation Server Administration > Suite Components > Configuration Tools > Web Interface > <the site> Manage Secure client access (menu) > Edit DMZ Settings.  If Default/direct is the only thing listed, then you want to add one for Direct (if is your inhouse IP range and is your mask) and change the Default setting to Secure Gateway Direct.  With that set like that, internal users will go directly to the Web Interface and not use CSG, while all other users will use CSG.

The rest of the settings look perfect.

Hope this helps,
tduplantisAuthor Commented:
That is all setup properly already, my question is why sessions don't show up in the CSG management console, and if the domain.local domain will cause issues with the external certificate.
>> and when I save the ica file, it is showing the inside address.  That proves to me that CSG is working

This actually proves that CSG is NOT WORKING.  You should not see an IP address at all in the launch.ica file.  And this is also the reason why you are not seeing sessions in the mgmt. console.

To give you an example this is what I see inside my ica file for CSG (it should be a bunch of random characters and not an IP Address:

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

If CSG is configured properly (using CSG Direct), you should see session information in the secure gateway management console.  If users are bypassing it (just a direct connection), there will be no sessions in the console.  As long as the CSG server can resolve the names, there shouldn't be any issues.  

Are you using 2 NICs (one for CSG and the other for Web Interface), or are you using one NIC with 443 for CSG and 444 for Web Interface, or is Web Interface not encrypted?  Are you using port 80 for the STAs, or another port?  If another port, append the port like this:  http://<fqdn of sta>:<port #>/scripts/ctxsta.dll.
tduplantisAuthor Commented:
mgcT - that would certainly explain it, but why can I connect to that private IP address when I am on the outside of the network?  Would CGS be half working?

Chris - I am using CSG Direct.  I only have one nic in the server.  The Web Interface is not encrypted... SSL is not being used on the web server.  I am using port 80 on the STAs.

At least yesterday I was able to connect using the HTTPS addy, now I'm getting a page cannot be found!  
tduplantisAuthor Commented:
Here is a copy of the CSG config if it can be used to help:

# Citrix Secure Gateway Configuration file
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 15
Timeout 300

ServerName localhost
UseCanonicalName Off

ServerTokens prod
ServerSignature On

# Socks Protocol settings (5 Minutes / 5 Seconds)
SocksTcpKeepAliveTime            300
SocksTcpKeepAliveInterval       5

# Log rotation

# Global Logging Parameters
# Sock Logs
LogFormat "%t %a %{SocksVersion}n %{SocksResponse}n %{SocksDestinationHost}n %{SocksDestinationPort}n" socks_log
CustomLog "|bin/rotatelogs.exe logs/SocksAccess_%Y_%m_%d.log 3600 -240 30D" socks_log env=LOG_SOCKS

# CGP Logs
LogFormat "%t %a %{CgpResponse}n %{CgpDestinationHost}n %{CgpDestinationPort}n %{cgpProtocol}n" cgp_log
CustomLog "|bin/rotatelogs.exe logs/CgpAccess_%Y_%m_%d.log 3600 -240 30D" cgp_log env=LOG_CGP

# Access & Error Logs
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "|bin/rotatelogs.exe logs/Access_%Y_%m_%d.log 3600 -240 30D" Combined env=LOG_HTTP
ErrorLog "|bin/rotatelogs.exe logs/Error_%Y_%m_%d.log 3600 -240 30D"

# Do not log GIF's & requests from localhost
SetEnvIf Request_URI \.gif$ nolog=gif
SetEnvIf Request_URI \.jpg$ nolog=jpg
SetEnvIf Request_URI \.png$ nolog=png
SetEnvIf Request_URI \.js$ nolog=js
#SetEnvIf Remote_Addr ^$ nolog=

# **************************************************************************************
# Citrix Secure Gateway configuration section
ServerRoot "C:/Program Files/Citrix/Secure Gateway/"
PidFile logs\httpd.pid

# The default value for VHOST Throttle comes from the registry variable HTTPBoost in the global section
# The default value is set to 250

<IfModule mpm_winnt.c>
ThreadsPerChild 500
MaxRequestsPerChild 0

#Event Log
EventLogServiceName "Secure Gateway"

#Scoreboard file

ScoreBoardFile logs/perf.map

LoadModule access_module modules/mod_access.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule mime_module modules/mod_mime.so
LoadModule socks_module modules/mod_socks.so
LoadModule winevent_log_module modules/mod_winevent_log.so
LoadModule async_engine_module modules/mod_async_engine.so
LoadModule ticket_module modules/mod_ticket.so
LoadModule perfmon_module modules/mod_perfmon.so
LoadModule vhost_throttle_module modules/mod_vhost_throttle.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule include_module modules/mod_include.so
LoadModule multiplexer_module modules/mod_multiplexer.so
LoadModule schannel_module modules/mod_schannel.so

#CSG Modules ...
LoadModule session_module modules/mod_session.so
LoadModule auth_sta_module modules/mod_auth_sta.so
LoadModule cgp_module modules/mod_cgp.so

# Max Connections

# Scoreboard Max Connections
ScoreboardMaxConnections 1700

# mod_multiplexer directives
ProtocolSignature SOCKSV5 \005
ProtocolSignature CGP \032CGP/
MultiplexerHandshakeTimeout 100000

#Listen directives

#NameVirtualHost directives

#STA servers
STAHOST STAB1ED9C8F0492 http://citrix01.prohealth.local:80/Scripts/CtxSTA.dll

STAHOST STAFA50C971C972 http://citrix02.prohealth.local:80/Scripts/CtxSTA.dll

#Async Engine directives
AsyncWorkerThreadCount 0

#SSL settings
SSLProtocol +SSLv3 +TLSv1
SSLCipherSuite ALL

#Log level
LogLevel warn

#WI Config

      ServerName www.ourdomain.com:443

      # SSL Params
      SSLEngine On
      SSLCertificateHash cfa35b6f5bd49bf855f42bad34772ddf926dbfc7

      # Document Root and Directory directives
      DocumentRoot "C:/Program Files/Citrix/Secure Gateway"

      <Directory "C:/Program Files/Citrix/Secure Gateway/error">
            AllowOverride None
            Options IncludesNoExec
            AddOutputFilter Includes html
            AddHandler type-map var
            LanguagePriority en ja cs de es fr it nl sv pt-br ro
            ForceLanguagePriority Prefer Fallback

      ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
      ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
      ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
      ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
      ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
      ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
      ErrorDocument 410 /error/HTTP_GONE.html.var
      ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
      ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
      ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
      ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
      ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
      ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
      ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
      ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
      ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
      ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

      # This proxy pass rule should be prior to the ProxyPass rule you already define
      # This rule states that Secure Gateway won't proxy anything that starts with /error
      ProxyPass /error !

      # Reverse Proxy Web Interface
      <Location />
            ProxyPass http://localhost/
            ProxyPassReverse http://localhost/

      # Used by HTTP custom Log Setting
      SetEnvIf nolog ^$ LOG_HTTP=1


#Gwy Settings - CGP

      ServerName www.ourdomain.com:443

      CgpProtocol On

      RequireTicket On
      CGPHandshakeTimeout 100000
      RegisterProtocol CGP

      # SSL Params
      SSLEngine On
      SSLCertificateHash cfa35b6f5bd49bf855f42bad34772ddf926dbfc7
      SSLProxyEngine On

      # Outbound ACL's
      <Location /destination/cgp>
            Order Deny,Allow
            Deny to All
            Allow to All

      # Used by CGP custom Log Setting
      SetEnvIf nolog ^$ LOG_CGP=1


#Gwy Settings - SOCKS

      ServerName www.ourdomain.com:443

      SocksProtocol On
      SocksHandshakeTimeout 100000
      RegisterProtocol SOCKSV5
      RequireTicket On

      # SSL Params
      SSLEngine On
      SSLCertificateHash cfa35b6f5bd49bf855f42bad34772ddf926dbfc7

      # Used by SOCKS custom Log Setting
      SetEnvIf nolog ^$ LOG_SOCKS=1


# END Citrix Secure Gateway configuration section
# *************************************************************************************
>> but why can I connect to that private IP address when I am on the outside of the network

You would be able to log into the web interface site, but not actually launch sessions.  If you were able to do this, then your settings probably hadn't been applied yet (you should run IISRESET to stop/restart the IIS service after making changes to your WI/CSG servers to be sure), and this probably explains why you can't even get to the site now.

CSG wouldn't be half working, but you can have it enabled and still have normal WI connections enabled as well.
did you change the SSL port in IIS to something other than 443? for example just change it to 444
Thanks for the info, sorry for all the questions.  In the CSG config, is the "secure traffic between the STA and the Secure Gateway" checkbox checked?  Also, are you using indirect mode, or direct mode for the Web Interface?  What hotfixes for CSG are you running, too?

tduplantisAuthor Commented:
using direct mode, and the traffic between the STA and CSG  isn't secured.

mgcIT - I can log in and run an application from the outside, and when I save that the ica file to my desktop it is showing an internal address in the file.
when you say "from the outside" do you mean that you are using the external https:// address or that you are literally outside of your network?  i.e. aside from citrix are you able to directly communicate with your servers using the internal IP address (ping for example)?
tduplantisAuthor Commented:
>> did you change the SSL port in IIS to something other than 443? for example just change it to 444

I do not have SSL running on the IIS server.  If I did, wouldn't I need two certificates, one for CSG, and one for the IIS server?
even though SSL is not configured on the IIS server you still need to change the port it uses for SSL.  In the properties of your site just change it to 444.
tduplantisAuthor Commented:
mgcit > that is exactly what I mean!  I'm not connected via vpn, and I'm on a totally different network.   Ok, I'll set the IIS SSL port to 444, I had problems starting IIS at all when CSG was running, so I just removed the port all together from the IIS config.  
tduplantisAuthor Commented:
chris, i misunderstood your question.  I am using indirect mode in the csg config.  I thought you were referring to the WI config, wether i was using CSG direct, translated, etc.  CSG and WI are installed on the same computer.
You probably created the ssl cert using iis, then assigned it to the server (this would still work if you kept the same cert on there, but set it to 444 in IIS).  The server defaulted it to 443 just because that's the default for ssl, and that's why you had a problem with CSG starting, but you took care of that already.  

With everything on the same server, try this configuration:

Users navigate to http://website, then get shifted right to CSG (which sits on https://website) by way of a redirect script (i called the file below webinterface.htm and set it as the default for the IIS site) <-- as you see, it's right from Citrix, but I believe it's for WI3 and not WI4.  You'll have to modify it to point it to the right default WI4 page:

---- WebInterface.htm
---- Copyright (c) 2000 - 2004 Citrix Systems, Inc. All Rights Reserved.
---- Web Interface (Build 37544)
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
// -->
CSG Configuration:

Indirect:  check the "installed on this computer" checkbox
Details:  FQDN = localhost (greyed-out)
TCP port: 80


tduplantisAuthor Commented:
I'll try that out Monday... thanks chris, and mgcit for the responses.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 8
  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now