TPBPIT

asked on

Problems configuring SSL Relay with Presentation Server 4.5

I cannot get SSL Relay to work right.  I'm hoping someone can lend some guidance.

I have WI set up on a 2003 box, and PS 4.5 on another (the PS box also contains SSL Relay).  Eventually the WI will reside in a DMZ, but for setup/troubleshooting reasons, I have them both internally now.  I have installed the server certificate on the PS 4.5 box, using the SSL Relay Autoconfig tool.  It appears to have installed properly.  I have also installed the root certificate on the WI box using the web interface.  In SSL Relay, I have adjusted the SSL Relay listening port to 444.  However, when I open the Access Management Console and navigate to my site, and then to Manage Server Farms, and change the settings so the servers communicate via SSL Relay on port 444, I cannot log in via the web interface.  I can view the login page fine, but when I enter my user/pass/domain credentials, I get the following error message.

The supplied credentials could not be validated. Either they are incorrect, or there is a problem with the authentication system. Try again, or contact your help desk or system administrator for help.

And here are a couple of entries in the applications log on the WI server:
1.)  An error occurred while attempting to make a connection with the SSL Relay: "brcitrix-a.tp.tpbp.com:444". Please make sure that there is an SSL Relay running and that it is listening on a valid port. The name contained in the server certificate that the SSL Relay is configured to must match exactly the name of the server to which the connection was attempted.  This message was reported from the XML Service at address "ssl://brcitrix-a.tp.tpbp.com:444 (http: 80)/scripts/wpnbr.dll".  This XML Service could not be contacted and will be temporarily removed from the list of active services. [Log ID: 55f0422a]

2.)  An error occurred while attempting to make a connection with the SSL Relay: "brcitrix-b.tp.tpbp.com:444". Please make sure that there is an SSL Relay running and that it is listening on a valid port. The name contained in the server certificate that the SSL Relay is configured to must match exactly the name of the server to which the connection was attempted.  This message was reported from the XML Service at address "ssl://brcitrix-b.tp.tpbp.com:444 (http: 80)/scripts/wpnbr.dll".  This XML Service could not be contacted and will be temporarily removed from the list of active services. [Log ID: 9717e1e0]

3.)  All of the configured XML Services for farm "TPBP" failed to respond to this XML transaction. [Log ID: 8152976a]

And, again, if I go to Access Manager Console and set the transportation type back to HTTP from SSL Relay, all works fine.  I'm very ignorant with Citrix, and would greatly appreciate the assistance.  If anyone can help, it would be greatly appreciated.

Thank you,

Brandon
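A diagnostic for the exact-name rule the Web Interface log complains about, added here as an example that is not part of the original thread and not Citrix's code: it applies the check offline to a constructed certificate, and can also open a TLS connection to each relay listener and report what name it presented. The hostnames come from the log entries above; root.pem is an assumed path to the root certificate installed on the WI box.

```python
import socket
import ssl

# Constructed sample in the shape ssl.getpeercert() returns (hypothetical values);
# the asker's server is BRCITRIX-B.TP.TPBP.COM, so that is the only name it carries.
SAMPLE_CERT = {
    "subject": ((("commonName", "BRCITRIX-B.TP.TPBP.COM"),),),
    "subjectAltName": (("DNS", "BRCITRIX-B.TP.TPBP.COM"),),
}

def cert_names(cert):
    """DNS names the certificate claims: subjectAltName DNS entries plus the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names

def name_matches(cert, hostname):
    """The rule from the Web Interface log: the certificate name must match the name
    WI connected to exactly. DNS is case-insensitive, so compare case-folded (and
    ignore a trailing dot); no wildcard or partial matching is applied."""
    wanted = hostname.lower().rstrip(".")
    return any(n.lower().rstrip(".") == wanted for n in cert_names(cert))

def check_relay(hostname, ca_file, port=444, timeout=5.0):
    """Open a TLS connection to the SSL Relay listener as Web Interface would, verifying
    the chain against ca_file (the root certificate installed on the WI box, in PEM),
    and report reachability, the names presented, and whether one matches exactly."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # the exact-match rule above replaces the default check
    ctx.verify_mode = ssl.CERT_REQUIRED  # getpeercert() only returns a parsed cert when verified
    result = {"host": hostname, "port": port, "reachable": False, "name_ok": False}
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except OSError as exc:  # ssl.SSLError (e.g. untrusted chain) is an OSError too
        result["error"] = str(exc)
        return result
    result.update(reachable=True, names=cert_names(cert), name_ok=name_matches(cert, hostname))
    return result

if __name__ == "__main__":
    # Hosts from the log entries above; root.pem is an assumed path to the WI's root cert.
    for host in ("brcitrix-a.tp.tpbp.com", "brcitrix-b.tp.tpbp.com"):
        print(check_relay(host, "root.pem"))
```

Each relay listener has its own certificate, so a name that matches on one server says nothing about the other; run the check once per XML service host configured for the farm.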
BLipman

Well, honestly I don't usually set up SSL Relay but I think you would be well served by setting 443 as your SSL port; why did you use 444 on this box?  Secondly, are you absolutely sure your URL has the exact name as issued on your certificate?  
TPBPIT

ASKER

I used port 444 because I've read that the IIS will use 443.  And I'll need IIS and SSL on the WI box for a HTTPS web connection, preferably with port 443.

And, yes, the name of the presentation server box is BRCITRIX-B.TP.TPBP.COM.  That is exactly the name of the certificate.

Here's what I learned yesterday:

I opened the SSL Relay Configuration tool and clicked on the Connections tab.  There I deleted out all server names and IP addresses and added Any.  The SSL Relay now works fine.  But I'm concerned that leaving this setting set to Any defeats the purpose of SSL Relay.

Unfortunately I'm extremely new to Citrix, and the documentation from Citrix as well as on the internet is extremely vague with concerns to SSL Relay.  It seems Citrix works very hard to get people to purchase the Gateway piece.

Thanks,

Brandon
SSL Relay only protects back-end services, not client to interface communications.  SSL Relay is used to secure the WI/CSG to Citrix PS Server communications.  The Citrix Secure Gateway is the piece you need to run on the WI; that will SSL proxy everything safely into your farm.  Relay happens when the Web Interface communicates with the STA; the WI server should have its IIS SSL port set to 444 with the Secure Gateway on 443.  The Citrix Presentation Server (STA) should be listening on 443, you can give IIS port 444 if there is a conflict.  I would definitely use the default port for Secure Gateway and SSL Relay if you can get it working that way.  
You can have that set to Any, it is rare you would have an attacker impersonate a Citrix server, plus, this is on a LAN or a DMZ, right?  Who is listening behind your firewall?  The client to server piece is absolutely critical.  You want to use SSL with your Web Interface (via the Citrix Secure Gateway, it's free, or the CAG device, it is not free) as well as enabling fairly strong ICA encryption within the properties of your apps.  This will encrypt the data stream and CSG will wrap it all up in SSL.  

This is all confusing stuff, have you read both the Administrators Guide, the Advanced Concepts Guide, and the Web Interface Administrators Guide?  It is a lot to read but Citrix lays it all out pretty well.  I agree SSL Relay has thin documentation but, again, many people don't care about back-end encryption because the servers are talking on your LAN together.  It is not a bad idea but secondary to securing the WI properly.  

ASKER

So then I need to go and download Secure Gateway 4.5?  And it's free with our purchase of Presentation Server 4.5?

I was under the impression that installing a certificate on the WI box and setting up IIS to only allow SSL connections would secure the client browser / WI connection, and then the SSL Relay would secure the WI / PS connection.  But you're saying this is not the case, and unless we install and configure the Secure Gateway piece we won't really be secured?!?!

Am I close?

Thanks for the good information.

Brandon
You can load Secure Gateway 3.0 from the Citrix CD (or zip you downloaded).  I think it is on the first download, not the Components CD/zip.  Yes, Web Interface and Secure Gateway are free but CSG does require a certificate.   I have been using www.ssl247.com, the RapidSSL cert costs $74 for 2 years.  
ASKER CERTIFIED SOLUTION
BLipman

ASKER

Thank you BLipman.  You're a gentleman and a scholar.  I really appreciate the advice...

Brandon