This is similar to a question asked back in 2005.
When I originally installed Web Interface and CSG, which are located in a DMZ for access to my Metaframe Presentation Server 4.0 FARM, which is in our PN, I had to use the management console on the Web server to configure the Web Interface and CSG, and the management consoles on the Citrix farm to manage the FARM, published apps, etc., separately, because a discovery from the DMZ could not see the farm and a discovery from the farm cannot see the DMZ Web Interface. It has been a year now. Everything from a client's standpoint looks great: Web apps work from the internet great, and all PN/PNA and web clients internally see the appropriate XML config file with no problems. From a management standpoint, it's aggravating not being able to manage the way I am supposed to from a single location, and I feel I am missing something. Packet captures and event logs are inconclusive.
We are running this through a PIX 515, and I have CSG configured listening on 442 externally and port 80 internally to speak with the FARM. I have port 80 opened from the FARM to the WEB SERVERS cluster, and also 442 for when I eventually get it working to encrypt the internal session.
To be more specific on the error:
When I try to run discovery from the presentation server I am specifying the DMZ server as the web interface configuration server but I get an error: "The RPC server cannot be contacted on server <Servername>."
I can run discovery from the DMZ server but when I enter the name of my Presentation Server I get an error that states "Errors occurred when using <Servername> in the discovery process." - When I double click on this error the message states "The RPC server cannot be contacted."
On the original post the response was below: access ports set accordingly. I am 90% sure I have the appropriate access set up, because it all functionally works, all except the management console, which I think uses port 2513, which I also opened between the DMZ and farm, but no luck, so I closed it. My environment is locked down tight, more so than stated below; this is why CSG is so important to me, and probably the reason everything else works besides the management discoveries: they don't pass through the CSG.
Well, been a year and I give. Any suggestions? Also, when this gets answered I have a TS licensing question, lol: the clients don't see my licensing server for renewal and I constantly have to delete their MSLICENSING reg key to refresh their TS licensing. What a pain. ;) A lot of clients. Scripting is king, but getting it working right is priceless.
Original poster's answer that fixed his problem back in 2005:
Ports that need to be open (I think I got them all) are:
https service all to lan
http service all to lan
smtp service all to lan
ica(1494 to) service dmz to IP of citrix server more than one entry if more than one server
http service dmz to lan
default dmz to wan
default lan to wan
http service wan to dmz
https service wan to dmz
deny default wan to dmz