Solved

There is no citrix ssl server configured on the specified address.

Posted on 2006-11-22
Last Modified: 2011-08-18
Hi
I'm getting the error after I have logged in on the web interface, using username, password, and SafeWord.
I get to see my published applications. When I launch one of the applications from the internet, I get the error:  "cannot connect to the citrix metaframe server. there is no citrix ssl server configured on the specified address".
I'm thinking it could be a NAT or firewall rule problem to the Secure Gateway.

If I make a VPN connection to the firewall, and make an entry in my hosts file like this:
172.16.0.5 csg.mydomain.com
it will work.
I can see in the secure gateway performance statistics, that I only get packets back and forth from it, using this method.

I have the following ports forwarded:
externalip1:443 -> CSG -> 80,443,1494,2598 -> LAN
externalip2:443 -> WI:444


Here is some more detail:

Internet  -> Firewall -> Internal Router -> Web interface (172.16.0.3:444) cert = citrix.mydomain.com
                                          |                  Citrix Secure Gateway (172.16.0.5:443) cert = csg.mydomain.com
                                          |
                                          |-> Citrix Servers 192.168.110.4, 192.168.110.5



[Snippet from launch.ica]

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_J185ZbOMP2aAUN8cK
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=Off
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Lommeregner=

[Lommeregner]
Address=;40;STAE7A35C69069E;588B7D50D019E925FDFB898D24FC201A
AudioBandwidthLimit=2
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPSecurityTicket=On
ClearPassword=6986A7AE46B116
ClientAudio=On
DesiredColor=4
DesiredHRES=1024
DesiredVRES=768
Domain=\B04E617A64E9280A
HTTPBrowserAddress=!
InitialProgram=#Lommeregner
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
ProxyType=Auto
SSLCiphers=all
SSLEnable=On
SSLProxyHost=csg.mydomain.com:443
SecureChannelProtocol=Detect
SessionsharingKey=4-basic-basic-NYTORV-mdaservice-Farm1
TWIMode=On
TransportDriver=TCP/IP
Username=mdaservice
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

Question by:tosse22
LVL 10

Expert Comment

by:chrisnewman01
ID: 17995504
Hello.  If you're forcing users to go to https://<CSG server>, then you can close port 444 to the WI server.  In the CSG configuration wizard's "Access Options" page, you should have Indirect selected (uncheck the checkbox if WI is on another server (I couldn't tell if you just used 2 IPs for one server or not)), enter the FQDN of the WI server (or localhost if it's on the same server), and check the "Secure traffic between the WI and SG" checkbox and enter port 444.

Test by going to https://<YourExternalName>.  At this point, everything is going through CSG.

Hope this helps,
Chris
0
 

Author Comment

by:tosse22
ID: 17995689
Hi, I have other reasons for going to the WI first.
The reason is that the customer is actually 2 companies.
These sites have SSL certificates.
I have citrix.mycompany.com and citrix.mycompany2.com.

I have no problem logging in and authenticating. The problem appears when I press the application icon.
Users go to http://citrix.mycompany.com which forwards to https://citrix.mycompany.com on the IIS.

I use 3 IPs for one server.
Internet  -> Firewall -> Internal Router -> Web interface (172.16.0.3:444) cert = citrix.mydomain.com
                                          |                  Web interface (172.16.0.4:444) cert = citrix.mydomain2.com
                                          |                  Citrix Secure Gateway (172.16.0.5:443) cert = csg.mydomain.com
                                          |
                                          |-> Citrix Servers 192.168.110.4, 192.168.110.5
0
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 17995985
Ok, so you have port 80 opened as well from the outside (if they're getting to the page that redirects them to either WI1 or WI2, port 444).  Within each site in IIS, do you have the IP address assigned to the respective site (the one in the dropdown)?  I would assume yes, but wanted to verify.  In the CSG configuration, are you using the one IP, or is "monitor all ip addresses" checked?  
0
 
LVL 10

Expert Comment

by:chrisnewman01
ID: 17996108
Also, in the Web Interface console (for each WI site), are you using Secure Gateway Direct for the default method of access? (Manage Secure Client Access > Edit DMZ Settings.)
0
 

Author Comment

by:tosse22
ID: 17996571
Whoops, yes, port 80 is forwarded to the respective sites.

Everything is happening on one server in the DMZ.

An IP address is assigned to the respective site. None of the sites has "all unassigned". Default web site is stopped.

CSG is listening on one IP.

In the Web Interface configuration it is set to Secure Gateway Direct.
0
 
LVL 10

Accepted Solution

by:
chrisnewman01 earned 500 total points
ID: 17996726
It sounds like one option is off.  In the CSG configuration wizard's "Access Options" page, how do you have it configured?

Also check C:\Program Files\Citrix\Secure Gateway\logs.  This may help to find the cause of the problem.  I probably should've mentioned this folder before :-)
0
 

Author Comment

by:tosse22
ID: 18001420
CSG config:
Metaframe Presentation Server -> next
Advanced -> next
Choosing csg.mydomain.com -> next
Protocol = SSLv3 & TLSv1, Cipher = ALL -> next
No check in monitor all IP addresses. 172.16.0.5 port 443 chosen. -> next
No outbound traffic restrictions -> next
STA is set to the 2 FQDNs of the presentation servers on the inside (only resolvable from DMZ and inside) -> next
No connection timeout, and connection limit 250 -> next
None excluded from logfiles.
Direct Access option chosen
All events logged including informational


0
 

Author Comment

by:tosse22
ID: 18001519
Nothing is logged unless I'm connected through VPN. But then it all works.
I'm beginning to think it's the firewall somehow, although nothing is logged there either.
0
 

Author Comment

by:tosse22
ID: 18003177
I'm totally lost here.
I opened everything to csg.mydomain.com and forwarded it to 172.16.0.5.
Nothing at all comes in on this IP.
0
 

Author Comment

by:tosse22
ID: 18003305
Found the problem!!
The company hosting the customer's DNS made a typo in the IP address!!! AAarrrrgh, when I get my hands on that guy I don't know what I'm gonna do! More than 2 days of searching for a Citrix error.... Grrrrr
I'll give you the points. I would never have spotted this even if you had asked me.
0
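
The cause found at the end of this thread (the public DNS record for the gateway name held the wrong IP) can be checked straight from the launch.ica: read the SSLProxyHost the client is told to use and compare what that name resolves to with the address the firewall forwards to the Secure Gateway. The Python below is an added example, not code from the thread or from Citrix; the function names, the trimmed sample file and the 203.0.113.10 stand-in for "externalip1" are assumptions.

```python
import configparser
import socket

# Constructed sample: only the relay-related keys of the launch.ica posted above.
SAMPLE_ICA = """\
[ApplicationServers]
Lommeregner=

[Lommeregner]
SSLEnable=On
SSLProxyHost=csg.mydomain.com:443
"""

def ssl_relay_targets(ica_text):
    """Return {application: (host, port)} for each app launched through an SSL relay."""
    ica = configparser.ConfigParser(interpolation=None, strict=False)
    ica.optionxform = str                      # keep ICA key and app names case-sensitive
    ica.read_string(ica_text)
    targets = {}
    for app in ica["ApplicationServers"]:
        section = ica[app]
        if section.get("SSLEnable", "Off").lower() != "on":
            continue                           # app does not use the gateway
        host, sep, port = section["SSLProxyHost"].rpartition(":")
        if not sep:                            # no explicit port given: assume 443
            host, port = port, "443"
        targets[app] = (host, int(port))
    return targets

def check_relay_dns(host, port, expected_ip, resolve=socket.getaddrinfo):
    """Compare the addresses `host` resolves to with the IP the firewall forwards."""
    try:
        infos = resolve(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"{host} does not resolve: {exc}"
    resolved = sorted({info[4][0] for info in infos})
    if expected_ip not in resolved:
        return False, f"{host} resolves to {resolved}, expected {expected_ip}"
    return True, f"{host} resolves to {expected_ip}"

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for "externalip1".
    for app, (host, port) in ssl_relay_targets(SAMPLE_ICA).items():
        print(app, *check_relay_dns(host, port, "203.0.113.10"))
```

Run it from a client outside the VPN and without a hosts-file override, so the answer comes from the same public DNS the Citrix client uses.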
