Solved

Citrix Secure Gateway & WI - can't connect to citrix XenApp server.

Posted on 2009-04-30
5,569 Views
Last Modified: 2012-05-06
Hi
I have set up a Secure Gateway 3.1 and WI 4.6 on the same box.  I followed Carl Webster's and Patrick Rouse's articles virtually to the letter, using a VeriSign cert.

The only differences are:
XML port on port 8080
The server is going to be internal, not in the DMZ (don't ask).  Users will connect via VPN.
The certificate was also purchased as servername, NOT servername.domain.com.

When testing internally I can enter https://servername and I get the Web Interface to log in to and see all the applications.  However, when trying to launch an app I get the error message
"Cannot connect to the Citrix XenApp server. Could not find the specified XenApp server."

I have set the Web Interface DMZ settings to Gateway Direct and entered the FQDN and the gateway setting with port 443, and the STA settings with the data collector's name and the specified port, such as denctx01.domain.com:8080.

Everything on Web Interface looks correct.  I have tried connecting directly via WI by setting DMZ settings to Direct and it works fine; however, via CSG I get the error mentioned.

The ICA file shows the STA server:

[Encoding]
InputEncoding=UTF8

[WFClient]
CPMAllowed=On
ClientName=WI_LI9Cx26TjjIFI_1A8
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=no
TransparentKeyPassthrough=Local
TransportReconnectEnabled=Off
VSLAllowed=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Notepad=

[Notepad]
Address=;10;STA2C3B73E64FEF;08C8F72327A7183F58B8744DFEBC4664
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
ClearPassword=3C8100AC4CC760
ClientAudio=Off
DesiredColor=4
DesiredHRES=1024
DesiredVRES=768
DoNotUseDefaultCSL=On
Domain=\5A60660E822EFA29
HTTPBrowserAddress=!
InitialProgram=#Notepad
LPWD=203
Launcher=WI
LocHttpBrowserAddress=!
LogonTicket=3C8100AC4CC7605A60660E822EFA29
LogonTicketType=CTXS1
LongCommandLine=
NRWD=203
ProxyTimeout=30000
ProxyType=Auto
SSLCiphers=all
SSLEnable=On
SSLProxyHost=servername.domain:443
SecureChannelProtocol=Detect
SessionsharingKey=313639319
StartIFDCD=1241109397953
StartSCD=1241109397953
TRWD=0
TWIMode=On
TransportDriver=TCP/IP
UILocale=en
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll


I am stuck now.  I have been told the ports 1494 and 8080 are open; session reliability is not used.
There are no errors in Event Viewer on WI, and I have run the Secure Gateway diagnostics and that is fine also.

Any ideas please; they would be much appreciated.

thanks

Phil
Question by:The_Waltzing_Shark
7 Comments
 
LVL 11

Expert Comment

by:pfcjoker
ID: 24273364
Cert has to match how you configure SG. In your case you should not be using the FQDN anywhere, due to the fact that you got a <servername> cert instead of a <servername>.<domain> certificate.

The SG prevents man-in-the-middle attacks by validating the certificates configured - if it finds any mismatches or a cert it is not expecting it will deny the connection.

You will also likely see some SSL related errors in the eventlog that would point you to this issue.
 
LVL 19

Expert Comment

by:BLipman
ID: 24273673
Were you ever to reissue that certificate, I would suggest considering the use of a true FQDN and not a NetBIOS host name; you may be confusing things when it resolves "servername" to "servername.mydomain.local", although I am not sure if Verisign (or any other CA for that matter) would issue a certificate in a domain for which you are not publicly authoritative.  If you have them coming in via a VPN, why not use your own CA at that point?  Anyway, not necessarily the issue at hand.
Can you get this working from the CSG box itself?  You want to work OUT as you troubleshoot... you can test from the outside initially, but if it fails I always suggest starting at the CSG, making sure you can connect to itself, and then working your way out to the client.

Well, back to my first thought: "servername.domain:443" does not match your certificate; again, I am not sure this is part of the issue, but it may be a component.  Are you using the same DNS namespace internally as externally, or do you have a .local or something internally?
I find it odd Verisign issued you a cert with a common name like the one you are describing.
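
The two comments above make the same point: the client's SSL tunnel goes to whatever `SSLProxyHost` says in the ICA file, and that name has to appear in the Secure Gateway certificate or the client refuses the connection. The script below is an added example, not code from the thread or from Citrix: it parses the ICA file Web Interface hands out, pulls `SSLProxyHost` for each published app, and applies a hostname match (exact, or single-label wildcard) against the names on the certificate. The ICA text is trimmed from the file posted in the question and keeps the author's own placeholder "servername.domain"; the two certificate name lists are constructed to model the cert as purchased (CN = servername) and a reissued one.

```python
"""Offline check of a Web Interface ICA file against the names on the
Secure Gateway certificate: will the client's SSLProxyHost match?

Added example, not from the original thread.  SAMPLE_ICA is trimmed from
the ICA file posted in the question; the certificate name lists are
constructed (CN as purchased vs. CN after reissue).
"""
import configparser

# Trimmed from the posted ICA file: only the launch-relevant sections.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;10;STA2C3B73E64FEF;08C8F72327A7183F58B8744DFEBC4664
SSLEnable=On
SSLProxyHost=servername.domain:443
"""

# Constructed: subject CN plus any SubjectAltName entries on the gateway cert.
CERT_AS_PURCHASED = ["servername"]          # NetBIOS-style name, as in the question
CERT_REISSUED = ["servername.domain"]       # matches what WI put in the ICA file


def parse_ica(text: str) -> configparser.ConfigParser:
    """ICA files are INI-style; keep key case and do not treat '%' specially."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'SSLProxyHost', not 'sslproxyhost'
    cp.read_string(text)
    return cp


def published_apps(cp: configparser.ConfigParser) -> list:
    """Each key under [ApplicationServers] names a per-application section."""
    return list(cp["ApplicationServers"].keys())


def ssl_proxy_host(cp: configparser.ConfigParser, app: str) -> tuple:
    """Return (host, port) the client will open the SSL tunnel to."""
    value = cp[app]["SSLProxyHost"]
    host, _, port = value.rpartition(":")
    if not host:                 # no explicit port given
        host, port = value, "443"
    return host.lower(), int(port)


def hostname_matches(hostname: str, cert_names: list) -> bool:
    """RFC 6125-style match: exact, or '*' covering the leftmost label only."""
    hostname = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            label, sep, rest = hostname.partition(".")
            if label and sep and "." in rest and rest == name[2:]:
                return True
    return False


def check_ica(ica_text: str, cert_names: list) -> dict:
    """Map each app to (host, port, ok); ok=False predicts a name mismatch."""
    cp = parse_ica(ica_text)
    result = {}
    for app in published_apps(cp):
        host, port = ssl_proxy_host(cp, app)
        result[app] = (host, port, hostname_matches(host, cert_names))
    return result


if __name__ == "__main__":
    for label, names in (("as purchased", CERT_AS_PURCHASED),
                         ("reissued", CERT_REISSUED)):
        for app, (host, port, ok) in check_ica(SAMPLE_ICA, names).items():
            verdict = "OK" if ok else "MISMATCH"
            print(f"{label:13} {app}: {host}:{port} vs {names} -> {verdict}")
```

Run against the posted ICA file the first case reports a mismatch and the second passes, which is the difference between the SSL error the author later sees on the gateway box and a working launch. The check is deliberately about names only: it says nothing about chain validity or expiry, which the client also verifies.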
 

Author Comment

by:The_Waltzing_Shark
ID: 24274193
pfcjoker - Thanks for answering; there are no error logs or SSL errors in the event log.  I had to put the servername.domain in the Gateway Settings of the WI, as it won't allow anything else but an FQDN.  The Citrix Secure Gateway Diagnostics all passed the tests and look fine.  I would have thought I would get an SSL error if there were any problems with the cert.

I will try from the CSG/WI server itself and see how I get on.  I didn't order the cert myself, so will double-check that.  I can connect internally from my PC to the CSG using https://servername - this produces the WI pages and I can log in with no problems.  It's just launching the apps...

I'll try what you both suggested and report back, though it'll be tomorrow now.  Thanks for your time.
 
LVL 19

Expert Comment

by:BLipman
ID: 24274207
Just an FYI: with CSG you should not need any other ports coming in through the FW except for 80 and 443 (80 is even optional).  All traffic should proxy through the gateway.
 

Author Comment

by:The_Waltzing_Shark
ID: 24277026
I have logged onto the CSG and tried to launch the app from there, and you are both correct about the certificate mismatch.  I get SSL error 59.

I am in process of getting the cert reissued/new one.

We have the XML service running on port 8080; will this make any difference at all?

Thank you for your help so far.  Something I wish I had thought of myself...

I shall post back with the results.
 
LVL 19

Accepted Solution

by:
BLipman earned 500 total points
ID: 24280667
I think you are on the right track; you have "denctx01.domain.com:8080", and the :8080 is usually what gets people at that point.
 

Author Closing Comment

by:The_Waltzing_Shark
ID: 31576563
BLipman, works fine now with the new certificate.  
Many thanks for your help with this.