Solved

The citrix ssl relay name could not be resolved (SSL error 40)

Posted on 2007-03-22
Last Modified: 2009-10-28
Hi all,
I have a citrix secure gateway setup (Secure Gateway Management Console Version: 3.0) for remote access via the web. www-> firewall -> static nat -> presentation server -> citrix farm

All Windows Server 2003

Error is "the citrix ssl relay name could not be resolved (SSL error 40)"

It works fine on the internal LAN which makes me think that it is an external DNS/ name resolution issue.

If I add the FQDN for the server to the hosts file on the client I am getting the error "the citrix SSL server you have selected cannot be reached"

I have to confess that I'm not a whizz at this so if someone could point me in the right direction it would be appreciated.

Thanks in advance
Nick
Question by:nickramm
14 Comments
 
LVL 18

Expert Comment

by:mgcIT
ID: 18774054
Does the name on your SSL certificate match the FQDN of your SG server?

http://support.citrix.com/article/CTX103569&searchID=40943952

0
 
LVL 18

Expert Comment

by:mgcIT
ID: 18774084
0
 

Author Comment

by:nickramm
ID: 18778621
Thanks mgcIT for the prompt response, really much appreciated. I will take a look ASAP.

Unfortunately other things have taken priority! ... who'd have thought it!
Thanks
Nick
0
 

Author Comment

by:nickramm
ID: 18781179
Yes it does match . . . I have tried disabling the virus/firewall software on the PC but to no avail.

Version = 3.0.1

Computer NetBIOS Name: lalala
Configuration captured on: 23/03/2007 14:55:20
----------------------------------------------

Secure Gateway Global Settings
------------------------------
  Version = 3.0.1
  Product secured = MetaFrame Presentation Server only
  Logging level =  3 (All events including information)
  Client connection timeout =  100 seconds
  Maximum concurrent connections =  250
  Certificate FQDN = lalala.domain.local

Interfaces
----------

  All interfaces (0.0.0.0 : 444)
  ------------------------------
    Protocol = SSL, TLS
    Cipher suites = ALL
    Secured = Yes
    HTTP = No
    ICA = Yes
    SOCKS = Yes
    Gateway Client = No
    LoadBalancerIPs = None defined

Web Interface
-------------
  FQDN = localhost
  Port = 80
  Secured = No
  Protocol = SSL, TLS
  Cipher suites = ALL
  Access mode = Indirect
  Tested OK

Authority Servers
-----------------

  ID = STA96C8FA226374
  --------------------
    FQDN = blahblahblah.domain.local
    Port = 80
    Path = /Scripts/ctxsta.dll
    Type = STA
    Secured = No
    Protocol = SSL, TLS
    Cipher suites = ALL
    Tested OK

Certificate Check
-----------------
  FQDN = lalala.domain.local
  This certificate is currently valid.

EOF
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 18785476
>> All interfaces (0.0.0.0 : 444)


444 is not the default SSL port (it is 443), so have you tried accessing your site from the outside by also specifying the port?

for example

https://mydomain.citrix.com:444/


Also, in the Access Suite Console, what do you have set as your default connection under Manage Secure Client Access > Edit DMZ Settings?
0
 

Author Comment

by:nickramm
ID: 18792670
Yes, sorry, I should have said.

I am aware of this; it is because we use a third party plugin for one-time password authentication which uses 443 (securenvoy.com), and it can't share ports.

It is set to Secure Gateway direct.

I have tried connecting on 444 but I get a timeout as it is configured to listen on 443.

I really appreciate your help so far
Thanks
Nick

0
 
LVL 18

Expert Comment

by:mgcIT
ID: 18793674
>> it is configured to listen on 443.

Why would you have it configured to listen on 443 if SecurEnvoy is using that and cannot share ports?

Do you have port 444 open on your firewall pointing to your SG?
0
 

Author Comment

by:nickramm
ID: 18798713
I'm no pro at this. I'm trying to give you detail, but it was set up by a third party. Is there a way I can get the config off the servers for you to take a look at?

I have three servers: an IIS/WI and CSG server, a SecurEnvoy server and an STA server.

The firewall port forwards 443 requests to the IIS / CSG / WI box, which authenticates with the DC and the SecurEnvoy box, which gives an STA to allow resources on the presentation server.

The Secure Gateway port is set to 444.

Thanks again.
Nick
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 18800559
Your setup seems fine, but I think the problem you get is when you say "the firewall port forwards 443 requests to the iis / CSG / WI box".

If your CSG is configured to use port 444, you aren't doing any good by opening port 443 to it from the firewall. In your firewall config open 444 to your CSG instead of 443 and see if you can access your site by specifying the port:

https://mydomain.citrix.com:444/
0
 

Author Comment

by:nickramm
ID: 18842277
The CSG is listening on port 443.
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1045           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1046           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:14940        0.0.0.0:0              LISTENING
  TCP    172.16.10.30:139       0.0.0.0:0              LISTENING
  TCP    172.16.10.30:444       0.0.0.0:0              LISTENING
  TCP    172.16.10.30:1044      172.16.10.95:389       CLOSE_WAIT
  TCP    172.16.10.30:5900      172.16.1.12:4992       ESTABLISHED
  TCP    172.16.10.30:32188     172.16.10.95:389       CLOSE_WAIT
  TCP    172.16.10.30:32880     172.16.10.95:135       TIME_WAIT
  TCP    172.16.10.30:32881     172.16.10.95:1026      TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1027         *:*
  UDP    127.0.0.1:1034         *:*
  UDP    127.0.0.1:1049         *:*
  UDP    172.16.10.30:123       *:*
  UDP    172.16.10.30:137       *:*
  UDP    172.16.10.30:138       *:*

The Secure Gateway port is set to 444 for comms after the initial connection is made.
0
 

Author Comment

by:nickramm
ID: 18849578
Ok, I fixed it.

The problem was the certificate. I changed it to reflect the name of the website (not the name of the internal server), and although I got another error this was fixed by using an earlier version of the client.

Thanks for your help with this, I understand how frustrating it must be.
Cheers
Nick
0
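The two things this thread ended up checking by hand, whether the public name the client types resolves and whether the certificate presented on the gateway port actually names that host, as an added Python triage script that is not part of the original thread. The hostnames, the IP address and the certificate dict used in the comments are constructed; `fetch_cert` performs a live TLS handshake only when you point it at a real host and port.

```python
"""Triage for "SSL error 40" style failures against a Citrix Secure Gateway:
resolve the public name, reach the listener, and compare the certificate
names with the host the client asked for. Added example, not Citrix code."""
import socket
import ssl


def cert_names(cert):
    """Collect subjectAltName DNS entries plus the subject CN from a
    dict shaped like ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return names


def name_matches(hostname, names):
    """Exact or single-label wildcard match, case-insensitive."""
    host = hostname.lower()
    for n in names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") == n.count(".") and host.endswith(n[1:]):
            return True
    return False


def fetch_cert(hostname, port, timeout=5):
    """Live fetch: hostname checking is off so a mismatch is reported by us,
    but an untrusted chain still raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def diagnose(hostname, port, resolve=socket.gethostbyname, fetch=fetch_cert):
    """Return findings in the order a client would hit them; resolve/fetch
    are injectable so the logic can be exercised offline."""
    findings = []
    try:
        addr = resolve(hostname)
    except OSError as e:
        return [f"name resolution failed for {hostname}: {e} (SSL error 40 territory)"]
    findings.append(f"{hostname} resolves to {addr}")
    try:
        cert = fetch(hostname, port)
    except ssl.SSLCertVerificationError as e:
        return findings + [f"certificate chain not trusted on {hostname}:{port}: {e}"]
    except OSError as e:
        return findings + [f"no TLS listener reachable on {hostname}:{port}: {e}"]
    names = cert_names(cert)
    if name_matches(hostname, names):
        findings.append(f"certificate names {hostname}: OK")
    else:
        findings.append(f"certificate MISMATCH: client asked for {hostname}, cert names {names}")
    return findings
```

A gateway certificate issued to the internal server name, as in this thread, shows up as the MISMATCH finding even when resolution and the port are fine.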
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19301471
PAQed with points refunded (500)

Computer101
EE Admin
0
 
LVL 1

Expert Comment

by:matt_str
ID: 23493310
Hey!
It seems that your computer does not see the CSG server. Try setting up normal DNS settings, or simply add your CSG to etc/hosts.
0
