External access to Citrix Server through ISA 2004

The SSL Tunneling is key; you need to leave Secure Gateway's SSL untouched for it to be happy.  That and the tranlation rule that allows the proper ports through.  Here is some testing:
--Direct ICA: telnet from the outside of your network to the URL (try the IP if that fails) on port 1494; you should get the ICA sounder "ICA ICA ICA".  If you don't then you know 1494-tcp is not coming through.  On the other hand, you don't need this port if you are using the SG.
--Direct Web

I posted prematurely above...continuing...

--Direct Web Interface: If your WI and SG are configured to allow this you should be able to contact the WI on port 80; do you get to the sign on page?
--Secure Gateway: assuming you are using this and not just putting SSL on the WI page (its free, why wouldn't you use it?).  Try to get to the page on port 443 (https://).  

Please let us know what is and is not working and we can proceed.  

Citrix server was setup before I started with this company and I am not very familiar with the way it works. I can telnet from an external address to URL on port 1494 and receive ICA. How can I check to see if Secure Gateway is being used? I can get to the address from internally using the servername.domain.com/citrix/metaframe.

The fact that you have 1494 open would lead me to believe you are not using secure gw but you can check in the Access Suite Console, in the DMZ Settings, let us know what entries are in there.  If all you have is Secure Gateway Direct then that should tell us how the system is configured.  There are tons of ways this can be configured.  
Also, check the Start Menu, look for the Secure Gateway product.  There is a program that allows you to monitor connections via SG.  

Do you get the logon screen for the Web Interface when you hit the URL in your web browser?

Here is the error I get when trying to access the page from an external ip

 The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

--------------------------------------------------------------------------------

Please try the following:
Click the  Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
See if your Internet connection settings are being detected. You can set Microsoft Windows to examine your network and automatically discover network connection settings (if your network administrator has enabled this setting).
Click the Tools menu, and then click Internet Options.
On the Connections tab, click LAN Settings.
Select Automatically detect settings, and then click OK.
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the  Back button to try another link.


Cannot find server or DNS Error
Internet Explorer  

DMZ settings i have the following.

Default -- Alternate
192.168.1.0 255.255.255.0 Direct

Secure Gateway settings shows

FQDN = servername.wealthmgmt.com
Secure Gateway Port = 443
Bypass Duration = 3600

Oh, and one minor thing, make sure your IIS site has its SSL set to 444; 443 needs to be owned by SG.  

How to I check/Change the SSL for IIS site?

I have changed the default setting to Secure Gateway Direct. Should the Secure Gateway FQDN be the servername.domain.com or the sitename.domain.com?

It should match the name on your SSL Cert and also the URL from which users access it.  You can check the SSL port by going into IIS, looking at each web site there (bound to the IP that SG uses) and look in the properties.  

Clients only access via the website typically externally. I am the only one that access internally and that is generally via the WI.

I see the port 443 for SSL under properties for the default site but not for any other site. Citrix is under the default site tree. However I can not see any way to change this setting to a different port number.

I checked the previous settings that were documented for our citrix server and we never used the SG in the past the settings were just as stated above Default Alternate followed by direct for internal. Is it possible that the site needs to be rebuilt and if so how do I do that.

Not rebuilt, just tweaked a bit; I am at TechEd and cannot go into depth at the moment.  I can say that you will want to check your IIS and document what sites you have and what IPs they use.  Then, plan to change the one that is on the same IP as SG to use 444.  You may need to run SG setup again but that is pretty simple and can be done a few times until all is right.  You will need to play around in Access Management Console a bit too since your DMZ settings are set to make external users come in via the Program Neighborhood and not the SG.  

Ok I have gotten the web interface up. We do not use secure gateway just the alternative address running through port 1494. I can logon to the server just fine but when I try to launch any application I get the following error.

Cannot connect to the Citrix Presentation Server. There is no Citrix Presentation Server Configured on the specified address.

I have right clicked and saved the launch.ica and then opened with notepad. Below is the text from that.,

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WEALT-<USERNAME>-ppzjl
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Microsoft Outlook=

[Microsoft Outlook]
Address=<internal ip address of server>:1494
AutologonAllowed=ON
ClearPassword=2D3542DEBDC472
ClientAudio=Off
DesiredColor=2
Domain=\C803ED2AB5547470
InitialProgram=#Microsoft Outlook
Launcher=WI
LongCommandLine=
ProxyTimeout=30000
SSLEnable=Off
ScreenPercent=85
SessionsharingKey=2-basic-none-<domain.com>-<username>-<farm>
TWIMode=On
TransportDriver=TCP/IP
Username=petersoj
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

Any help on what the issue could be that would prevent the application from launching.

Ok I now have the problem solved. The issue was with the way I had published the Citrix server within ISA 2004. Please be advised that NO ONE stated that citrix could not be published as a web server which would be the logical choice for me not being that familiar with citrix but that it must be published as a regular server that hands out services. ONce I found this out by searching for over 2 wks on the internet and changed the way the server was published. For more information search google for the following document which greatly explains publishing citrix with different proxy firewalls
Citrix Technical Support - Brief Troubleshooting Guide.PDF
Thank you to all that helped.

i am ubable to access to citrix from outside of the company how to publish it in isa could u give me steps to solve the prblem