• Status: Solved
  • Priority: Medium
  • Security: Public

443 access to Citrix and OWA

I have two separate servers. One is for Citrix, which listens on port 443. It has its own certificate "citrix.domain.com", and I have an Exchange server listening on port 443 with its own certificate "mail.domain.com". This was working great until a Citrix tech fixed a different problem for us. Now when you try to access the Citrix server "from the outside" using citrix.domain.com, the mail server answers and gives an error because the certificate is for the citrix server. I have the firewall configured with the following NAT:
ip nat inside source static tcp "exchange inside IP" 443 interface Ethernet1 443
ip nat inside source static tcp "citrix inside IP" interface Ethernet1
ip nat inside source static tcp "citrix inside IP" 443 "external router IP" 443 extendable
Is this correct?
Citrix Presentation Server 4.0 settings
DMZ = Gateway Direct
The Citrix secure gateway is listening on port 444 while IIS is listening on port 443.

1 Solution
cnmgt (Author) Commented:
I need to make a correction. We have 5 public IPs, so the NAT looks more like this:
ip nat inside source static tcp "exchange inside IP" 443 xxx.xxx.xxx.1 443
ip nat inside source static tcp "citrix inside IP" xxx.xxx.xxx.1
ip nat inside source static tcp "citrix inside IP" 443 xxx.xxx.xxx.2 443 extendable

I have two A records:
mail.domain.com points to xxx.xxx.xxx.1
citrix.domain.com points to xxx.xxx.xxx.2

Now, I've tried having both A records and the NAT extendable pointing to the interface Ethernet1 "xxx.xxx.xxx.1"

Istvan Kalmar Commented:
Could you show us the:

sh ip nat trans
sh run

This should be pretty straightforward. Your Citrix server on the outside should be holding its own public IP and your OWA gets its own IP. If you are going to citrix.mycompany.com and getting your Exchange server, your public IPs are wrong or your NAT statement has changed, or somehow your internal IPs on your Exchange server and your Citrix server were switched.
Carl Webster Commented:
On your CSG and OWA servers, use IE and go to http://www.whatismyip.com. Are the Public IPs being reported correct?
cnmgt (Author) Commented:
I configured the "ip nat inside source static tcp "citrix inside IP" 443 "second external router IP" 443 extendable" to my second public IP. My first public IP is my external on the firewall. Creating the "extendable" with the next public IP worked. I had to change my "A records" so that citrix.domain.com went to the public IP on the router and the mail.cnmgt.com to the extendable. Once it populated, it worked. Thanks for your help.
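
An offline check of the situation discussed in this thread, added here as an example and not code from any of the posters: it parses port-specific static NAT lines, follows each A record to the inside server that answers on 443, and compares that server's certificate name with the hostname requested. All addresses, the `CERTS` map and the function names are constructed assumptions, and certificate matching is a plain exact-name comparison.

```python
import re

# Constructed sample data (documentation address ranges, not taken from the thread).
NAT_CONFIG = """
ip nat inside source static tcp 192.168.1.10 443 203.0.113.1 443
ip nat inside source static tcp 192.168.1.20 443 203.0.113.2 443 extendable
"""
CERTS = {"192.168.1.10": "mail.domain.com", "192.168.1.20": "citrix.domain.com"}
A_BROKEN = {"mail.domain.com": "203.0.113.1", "citrix.domain.com": "203.0.113.1"}
A_FIXED = {"mail.domain.com": "203.0.113.1", "citrix.domain.com": "203.0.113.2"}

# ip nat inside source static tcp <inside> <port> <outside> <port> [extendable]
NAT_RE = re.compile(
    r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)(?: extendable)?$")

def parse_nat(config):
    """Map (outside_ip, outside_port) -> (inside_ip, inside_port)."""
    table = {}
    for line in config.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # not a port-specific static TCP translation
        inside, iport, outside, oport = m.groups()
        key = (outside, int(oport))
        if key in table:
            # One public IP:port can be forwarded to only one inside host.
            raise ValueError(f"{outside}:{oport} is translated twice")
        table[key] = (inside, int(iport))
    return table

def audit(a_records, nat, certs, port=443):
    """Per hostname: which inside server answers, and does its cert name match?"""
    findings = {}
    for host, public_ip in a_records.items():
        target = nat.get((public_ip, port))
        if target is None:
            findings[host] = "no translation"
        elif certs.get(target[0]) != host:
            findings[host] = (f"mismatch: reaches {target[0]} "
                              f"with cert {certs.get(target[0])}")
        else:
            findings[host] = "ok"
    return findings

if __name__ == "__main__":
    nat = parse_nat(NAT_CONFIG)
    for label, records in (("both names on one IP", A_BROKEN),
                           ("one public IP per name", A_FIXED)):
        print(label, audit(records, nat, CERTS))
```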
