Citrix SSL Certificate (FQDN Config)

Hello - I have XenApp 5.0 and in the process installing and configuring Citrix Web Interface and Citrix Gateway.

I have a domain registered with godaddy ( that I'd like to use when users connect outside into Citrix applications. I also purchase a SSL certificate/wildcard and have generated a certificate download.

I'm in the process of setting up CSG, however during the IIS Certificate Wizard, in the Common name, I put the domain I registered with godaddy. Not sure if I should have done it this way, but my instructions said that was ok as long as I set it up for DNS to resolve to the Citrix server.

How would I accomplish DNS to resolve to Citrix server?

Which server (XenApp or Web Interface) do I point the domain name to?

I really appreciate all your help.

Jaime CamposAsked:
Who is Participating?
Carl WebsterCommented:
If your internal DNS name is then just add an "A" record for Citrix that points to the internal IP address of your CSG/WI server.

If your internal DNS name is not then just add a zone for and then add an "A" record for Citrix that points to the internal IP address of your CSG/WI server.

Obviously Pinging is disabled by your hosting provider but does resolve to from here in middle TN.
Carl WebsterCommented:
If your users will hit your server using, then you will need to register an "A" record for CITRIX  with whoever hosts your external DNS.  If the Public IP for your CSG/WI server is, then CITRIX.myrapadocs.coms will resolve to  You will then add into your router/firewall a rule that routes all TCP Port 443 traffic coming in to to the internal IP address of your CSG/WI server.
Jaime CamposAuthor Commented:
Great. Glad to see you online. It's been a great Citrix adventure.

When you say, your talking about host name of WI or do i use it's internal IP?

AD domain name: rapa.local
Citrix WI host name:
Citrix XenApp host name;

public ip i will use is
I think I understand the AR/routes to CSG/WI server. I will have this completed.
Do I need to do anything on my internal DNS server?

How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

Jaime CamposAuthor Commented:
Here is the godaddy account information for domain name.
Carl WebsterCommented:
However you want you users to connect to your CSG/WI is the external name you will use.  I have customers that use:


Just make you a host name, say citrix, that goes to whatever points to

Then in the users browser from home or on the road they will go to and hit your CASG/WI server.  They will then logon to the site and get access to their published apps.

If I were to ping, it should resolve to
Jaime CamposAuthor Commented:
This is what I got setup. Note I have not installed CSG yet, but I i think I got routes and godaddy setup.

Host: Citrix Points to:

MX: o @

Do I set anything up on my internal DNS?


Jaime CamposAuthor Commented:
one more thing...
While setting up IIS certificate, in your site's common name I used and not Is that ok?
Carl WebsterCommented:
ON my wildcard SSL cert, my Common Name is *  I would call GoDaddy and ask them if it makes a difference.  GoDaddy makes it very simple to reissue an SSL cert if yours is indeed wrong.
Jaime CamposAuthor Commented:
On the secure ticketing authority details, I've entered the FQDN of the XenApp server WIN08CITRIX.RAPA.local:8080 and I'm getting an error:

The server TA specified can not be contacted. To ignore the warning and enterID click continue.

Any Ideas why?
Jaime CamposAuthor Commented:
I using port 8080 for XML (WINO*CITRIX), port 80 for HTTP, 444 for SSL & 443 for the port that Secure Gateway.

I am confused as to how the CtxSTA.dll is created & where it is supposed to be created by default. I think this is part of my problem but I am not sure how to go about setting it up correctly. When I install CSG I have no /Scripts folder anywhere on the server & the only place I can find any CtxSTA.dll is in C:\Program Files\Citrix\System32 of a Presentation Server.

I don't think this is an XML port issue. I think it has to do with the placement & permissions of this CtxSTA.dll.

Can anyone provide me in the right direction to get this aspect of the CSG install corrected?

Carl WebsterCommented:
should be win08citrix:8080.rapa.local
The STA is your application server (the one running XenApp/Presentation Server).  If your XML port on the application server is set to 8080 then your STA URL should look like this (in the Secure Gateway Configuration application):

FQDN: the FQDN of your terminal server (ex. citrix.mydomain.local)
Path: /Scripts/CtxSTA.dll
ID: (auto, this will fill itself in)
Protocol Settings: (uncheck "Secure traffic...")
TCP port: 8080 (uncheck "Use default")

In your Web Interface configuration, you should have something like this:
Address (FQDN): (FQDN to secure gateway)
Port: 443
Enable Session Reliability (leave unchecked)
Secure Ticket Authority URLs: http://FQDNofTerminalServer.local:8080/scripts/ctxsta.dll

Try these settings.  I am a bit confused though, you say in one post
"I've entered the FQDN of the XenApp server WIN08CITRIX.RAPA.local:8080 "
and then "the only place I can find any CtxSTA.dll is in C:\Program Files\Citrix\System32 of a Presentation Server"

Your STA is the presentation server, not the CSG unless you are running an "All in one".  
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.