Unable to connect using Citrix SSL Relay

Im configuring a Citrix Presentation Server on Windows Server 2003 that needs to be securely accessed via SSL. To that end I have implemented Citrix SSL Relay on the same server. Everything works fine as long as I access the web interface with HTTP, but the moment I try for an SSL connection, I get:

Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /Citrix/AccessPlatform.
Reason: DNS lookup failure for:

This happens whether I attempt it on the LAN or from the Internet. What did I miss?

Many thanks.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

One thing to keep straight is the difference between SSL on a WI page and SSL Relay.  SSL enabling a web interface will use SSL between the client's browser and the Web Interface server.  SSL Relay is security that happens between the WI server and a farm server.   You can have SSL between client and server but use http or https between the farm and the WI instead of SSL Relay.  
SSL Relay is the most secure and is needed for environments concerned with a man in the middle attack: someone is in your network sniffing packets and you don't want them to have a shot at cracking the WI to farm chat.  
For all settings regarding SSL you MUST use the certificate FQDN, not the domain name of the server itself.  You might have WISVR1.mydomain.local as the domain name but you will access these securely via apps.mycompany.com.  You must use the cert FQDN or the handshake will fail.  

Let me know where you get.  
SusanPKAuthor Commented:
Thanks for the quick reply BLipman. But I'm really groping in the dark here. I thought the SSL relay was to allow clients to connect securely?  If I configure IIS on that server (everything is on one box) to use HTTP the XML connection quits working. So not sure where to go next exactly.

I was looking at this part of the error:  and thought perhaps the issue was a missing /? But if so, where?
SusanPKAuthor Commented:

"If I configure IIS on that server (everything is on one box) to use HTTP " SHOULD refer to HTTPS not HTTP.  Sorry.

The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Here is an explanation:

Under normal circumstances, the NFuse Web server sends XML data in plain text across the network to the Citrix XML
Service running on port 80 at the MetaFrame server. This XML data stream can include usernames, weakly-scrambled
passwords, and application lists. When configured for use with SSL Relay, this XML data is first subjected to strong
encryption by the NFuse Web extensions and sent to the SSL Relay Service on port 443 of the MetaFrame server. The
SSL Relay decrypts and relays the XML data internally to the XML service so that clear-text XML is never visible on the

As you can see, the SSL Relay Service comes into play when the WI talks to the XML service on a MetaFrame server in order to obtain the app list a user has rights to.  WI to Farm or Secure Gateway to Farm.  Here is the document, it walks you through setting it up.  These are old instructions but the process should be more or less the same.  I don't enable it because I run under the assumption that my LAN is secure (maybe not the safest thing but reduces overhead and simplified things).  

The Secure Gateway is pretty much a must to secure the WI to client traffic; that is the other side of the equation.  SSL Relay is WI to Farm, Secure Gateway is client to WI security.  In fact, there is a 3rd level of encryption, optional ICA protocol encryption.  When you enable 40, 56, or 128 bit encryption in a published app, that is doing protocol whereas SSL is encapsulating that protocol and wrapping it up in SSL.  I would go through the setup steps and see if your errors improve.  Let me know how far through you get.  You may want to start with http and get everything working before complicating stuff with SSL Relay.  
Is the SSL cert on you WI box from a Trusted Root Cert, like Thawte? If so, make sure you have the SSL cert on your WI box, SG box(usually the same box) and the CPS server hosting the XML/STA service(typically first CPS server in your farm). The SSL cert needs a FQDN, so if you have issues resolving the FQDN from internal to DMZ, you know you have a DNS issue that needs to be fixed by adding an entry to DNS or manually editing the host file on the box that can't resolve the FQDN internally.  The reason why HTTP is working is because when connecting to WI using HTTP(port 80) you are essentially bypassing Secure Gateway(listenign on 443) and allowing WI to contact your CPS server, enumerate the apps and send an unencrypted ICA file back to you client. To verify, right click the enumerated app and save the launch.ica file, open in a text editor and you will see your interanal CPS server IP address exposed.

Ahh, great call on the DNS issue part, you need to have a lookup zone in your internal domain that will allow for the certificate FQDN to resolve to the FQDN of your STA (the farm server your WI talks to).  Here's the thing though, you really don't need to use a "real" certificate for SSL Relay.  Since it is all on your LAN between a small, fixed number of servers you control, you can simply generate a cert, load the trused root on your WI with the cert on your STA.  You probably want to use a real cert (purchased through a 3rd party authority) for your WI or SG since users are coming in from machines you cannot easily load your root on (normally).  
3rd party certs are a must for you WI/SG box, the newest citrix clients don't support self signed certs like they used to.
SusanPKAuthor Commented:
OK. Ive removed all mention of SSL and disabled the relay agent. We are still testing things and so do not yet have a proper 3rd party cert installed, only a self-signed one. So back to that later.

Ive recreated the WI site with default settings. The farm is configured for port 80. For access method Ive set alternate and indicated address translation between the internal and external IP addresses of the server for ports 80, 443, 1494 and 2598.

When I configured the firewall to only open those four ports to this server, a remote user could log in all right, but the citrix connection timed out. When I opened all ports, the connection went through just fine. Am I missing a port?

The launch.ica files point to the correct public IP address (not a FQDN) on port 1494. Needless to say, connectivity from the LAN is now kaput. Although I should mention that this is not critical at this time. The server is being put in for remote users only.

So now back to square one.

- How to implement SSL?  (Step-by-step please; Im a very confused novice here.)
- How to allow access to users on the LAN? (Secondary goal at best, but would be nice if possible.)

Many thanks for your help.
You mention you are using address translations but have yoru DMZ settings to alternate.  I would do one or the other:  
-configure alternate addresses from the command line (altaddr /set x.x.x.x) and use alternate as your DMZ setting
-configure translations in the AMC and set the DMZ settings to translated

As for LAN access, that will come with another line in your DMZ settings.  I would suggest something like this:
default    -    alternate (or translated)
x.x.x.x    -    direct

the x.x.x.x will be whatever your LAN subnet is ( for example).  This way the WI knows based on the incoming IP what address to give out.  

Here is an excellent guide for configuring MetaFrame XP (the SSL Relay stuff should be consistent with PS4.0 and 4.5).  http://www.dabcc.com/miab/miab30/
Doug's new book isn't quite done yet.  

The Citrix Administrator's Guide is an excellent reference: http://support.citrix.com/article/CTX112223

As well as the Advanced Concepts Guide (there isn't one for 4.5 yet): http://support.citrix.com/article/CTX107059

And then the WI Admin Guide of course: http://support.citrix.com/article/CTX111709

I am posting all of this because there really isn't a simplified guide for doing what you are asking.  SSL Relay isn't something I have ever configured or even suggested because it seems unnecessary to me.  There are many other things on your LAN that have far worse security than WI to STA traffic.  As long as you are using a VPN from the outside or the Secure Gateway your external traffic is secured.  

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SusanPKAuthor Commented:
OK. Very good day here on this issue (which is really just my sad lack of knowledge on this very complicated software). I followed your suggestions, BLipman, and now can access all published apps via HTTP both internally and externally. (After I figured out what I was not doing right on the router as well.)

For grins I made one solitary change. I set the access platform portion of the default web site on IIS to require SSL at 128 bits. Voila! HTTPS access. Something tells me though theres more to it than that. It just sounds too easy&. I see there are some encryption options for the individual applications. When I enable those, yes, I get an error telling me that Im not trusting the server that issued the cert, so Im assuming this is where I need to go and finish up encryption configuration once I have the final cert in place.

At this point I just want to keep it very, very simple. Am I on the write track?
Yep, you are doing quite well.  Now that you have the main part working I would start going down the Citrix Secure Gateway road...it comes with the purchase so all you need to buy extra is an SSL cert.  You can get a 2 year cert for $74 here:
I have used these RapidSSL entry level certs for a dozon separate jobs now (not including 3 sites in my own network); they work fine.  

The CSG is always recommended if you are exposing the site to the Internet.  You can still do the SSL Relay part if you really want to but I would suggest CSG first since it is protecting your Internet-facing communications.  Good job so far!  Citrix can be tough to configure properly but once you learn it you will love what it can do for you.  
SusanPKAuthor Commented:
Thanks so much for all your help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.