Solved

Trouble with access to Citrix farm behind ISA2004.

Posted on 2009-06-29
Last Modified: 2013-11-11
Network layout as follows:
Internet -> Citrix Secure Gateway -> SBS2003(ISA2004) -> Citrix Farm (LAN)

I have 2 Citrix PS4.5 servers behind ISA2004 with Web Interface (WI) loaded on one of them. The STA is also loaded on the same server as the WI.
The Citrix Secure Gateway (CSG) has a CA cert loaded and listens on port 443 for users accessing via the internet. Users can access the WI fine and see all their published apps, but as soon as they launch an app, it comes up with SSL 29 error...port 1494.

My ISA2004 config seems to be the problem.
I've created 2 server publishing rules to the CPS4.5 server hosting the WI (port 80) and STA (port 81). That seems to be working fine, but my 1494 ICA traffic is not working well.
I created a server publishing rule for 1494 traffic to the same server, but ISA still blocks ICA traffic with the built-in ICA protocol, which is not even the protocol I selected for this rule. That means it's not even picking up the ICA published server rule. However, I can telnet that server on 1494.

Furthermore, these two Citrix servers will load balance, so how do I get 1494 traffic traversing to these 2 servers behind ISA?

The 'Secure Client Access' settings on the WI are set to 'Gateway Direct' and the FQDN & port are set to the same as that Secure Gateway.

Please help, I'm stuck here!
Thanks in advance.

Question by:DocT1000
3 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 24749449
What are the rest of the details of the SSL 29 error? I don't have all the errors memorized yet :-)
The predefined protocols in ISA for ICA are not for Publishing,...they are for outbound access to a Citrix Server on the "outside" accessed by users from the "inside". You have to create new Protocols by duplicating the ones that are there but reversing the traffic directions. When naming the new Protocols give them the same name but add "Server" onto the end of the name,...this is the typical ISA naming convention for Protocols.
I suspect that this is actually a Web Publishing situation,...so you have to tell the Publishing Rule Wizard that you are publishing a Web Farm. If you have to publish with the Citrix Protocols as well as http/https then you have to also publish the Farm and not an individual Server. I have not messed with a Citrix Farm before,...but I assume that it has a Virtual IP# that represents the farm as a single entity,...that is what you have to Publish.
 
LVL 10

Assisted Solution

by:Kieran_Burns
Kieran_Burns earned 500 total points
ID: 24752499
I agree with pwindell - it's not a Server publishing solution, it's a Web publishing one. You should be publishing the farm via a web interface using 443 and using load balancing internally between the Citrix servers
In essence you could simply use the CSG with an external interface OR publish THAT through ISA and have it direct the users onto the Citrix Servers


Question has a verified solution.
