Solved

Cannot connect to the Citrix Xenapp server. protocol Driver Error

Posted on 2011-02-14
Last Modified: 2012-05-11
Having difficulties accessing the Citrix Server / launching applications from the outside through the firewall.

I can get to the Citrix logon screen from the outside, but after initial login / authentication, when I try to launch an application it does not function appropriately. Cannot launch any applications. I receive this error: (Unable to launch your application. Contact your help desk with the following information. Cannot connect to the Citrix Xenapp server. protocol Driver Error)

The Website/Citrix is also using SSL Cert for HTTPS.

Having some issues setting this up correctly "Manage secure client access" in "Citrix Access Management Console".

I can access the Citrix environment from inside the firewall on the local network and access / launch applications without any issues running Citrix Apps from internal. Issue is only coming from public side.

Also, only ports 80 and 443 are open on our Juniper firewall.

The server is running Windows 2008 Server 64-Bit, Citrix XenApp 5.0 Advanced Edition.

The server is connected to local network 192.168.x.x. All of the Citrix modules / applications are running on one single server/box.

Example: Private IP Internal 192.168.x.x NATs to 170.2.2.2
Question by:Tech_Me_More
26 Comments
 
LVL 36

Assisted Solution

by:Carl Webster
Carl Webster earned 500 total points
I recommend that you use Citrix Secure Gateway.

http://dabcc.com/Webster/CSG
0
 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
Have you set the alternate address on the server to its NATed address?
0
 
LVL 14

Expert Comment

by:amichaell
Are you using a Secure Gateway, Access Gateway, or NetScaler?  If not, you'll need 1494 open as well.  If you are using a CSG, AGEE, or NS you'll need 1494 opened between them and your XenApp server.
0
 

Author Comment

by:Tech_Me_More
This is a Citrix test server. Did not realize that the Secure Gateway was not installed after completing the overall installation. All of the Citrix services / modules are running on the same server. When it comes to the option Configure Inbound Client Connections, it defaults to Monitor all IPv4 addresses / TCP Port 443. It will not allow me to configure the Secure Gateway because port 443 is already being used by the Web Server IIS.
0
 
LVL 14

Expert Comment

by:amichaell
You'll want CSG running on 443 and the IIS site running on a different port (usually 444 to make it easy).  
0
 
LVL 36

Expert Comment

by:Carl Webster
The link I sent you earlier will walk you through all the configuration steps.
0
 

Author Comment

by:Tech_Me_More
I followed all the steps in your documentation, CarlWebster, for Secure Gateway. Now when I try to access the https:// Citrix site I get the error "page cannot be found". Now only internal http:// works. Seems like the SSL / connectivity for HTTPS:// has broken.
0
 
LVL 4

Expert Comment

by:alexsupertramp
I didn't read through Carl's documentation that you followed yet, but did you ensure that Secure Gateway is running on port 443 and IIS is on 444?
iis-ssl444.JPG
0
 

Author Comment

by:Tech_Me_More
Here is how I have it set in II6

citrix-IIS.bmp
0
 

Author Comment

by:Tech_Me_More
This is IIS running on Windows Server 2008
0
 
LVL 36

Expert Comment

by:Carl Webster
Since you are inside your network, the article I wrote says you need to go to https://fqdn:444
0
 
LVL 36

Expert Comment

by:Carl Webster
Right above Figure 10-81 (Page 6):

Open your Internet browser and go to https://FullyQualifiedDomainName:444.  
0
 

Author Comment

by:Tech_Me_More
I can access from inside, but not able to access from outside. Here is an example on how it is set up outside vs inside:

Firewall Ports Open: 80/443
SSL Cert: citrix.acme.com

173.11.11.11 Outside:
https://citrix.acme.com (page not found error)

192.22.22.22 Inside:
Citrix Server

On a PC on inside
http://servername (works)
http://servername.domain.local (works)
https:// with and without :444 at end (does not work)

On Citrix Server on inside
If I go into IIS Manager and do a "browse" https:// will work
http://servername (works)
http://servername.domain.local (works)
https:// with server name or cert name (works) with and without :444 at end (works)

I'm sure it's something dumb I overlooked... :)
0
 
LVL 36

Expert Comment

by:Carl Webster
Windows Firewall on Citrix Server?  Disable and stop the Windows FW service.
0
 

Author Comment

by:Tech_Me_More
Yep, it was the firewall! I can now get to the Citrix web page from outside and from a PC on the inside. Here is the next bump in the road. From a PC on the inside I can now do https and launch a published app. From the outside I can log into the Citrix login page, but when I click on a published app I get the following...

citrix-error.bmp
0
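The port layout the replies above arrive at (Secure Gateway on 443, Web Interface/IIS moved to 444, ICA on 1494 only between the gateway and XenApp) can be checked from each side of the firewall. The following is an added example, not code from any poster in this thread; the function names and the `EXPECTED` table are assumptions that encode that layout.

```python
import socket
import sys

# Assumed layout, read from the replies in this thread: CSG on 443,
# Web Interface/IIS moved to 444, ICA on 1494 behind the gateway only.
EXPECTED = {
    "outside": {443: True, 444: False, 1494: False},
    "inside": {443: True, 444: True, 1494: True},
}
ROLE = {443: "Secure Gateway", 444: "Web Interface (IIS)", 1494: "ICA"}


def probe(host, port, timeout=2.0):
    """Return True when a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host, ports=(443, 444, 1494)):
    """Probe each port and return {port: reachable}."""
    return {p: probe(host, p) for p in ports}


def diagnose(results, vantage):
    """Compare probe results with the layout expected from 'outside' or 'inside'."""
    findings = []
    for port, want in EXPECTED[vantage].items():
        got = results.get(port, False)
        if want and not got:
            findings.append(f"{port} ({ROLE[port]}) unreachable from {vantage}: "
                            "check the NAT/firewall rule and Windows Firewall on the server")
        elif got and not want:
            findings.append(f"{port} ({ROLE[port]}) reachable from {vantage}: "
                            "with CSG in place only 443 needs to be exposed")
    return findings


if __name__ == "__main__":
    # usage: python check_ports.py <host> <outside|inside>
    host, vantage = sys.argv[1], sys.argv[2]
    for line in diagnose(scan(host), vantage) or ["layout matches"]:
        print(line)
```

Run it once from a machine on the public side and once from a PC on the LAN; an empty result means the reachable ports match the layout, so a remaining launch failure points at the Web Interface secure access settings rather than at a blocked port.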
 
LVL 36

Expert Comment

by:Carl Webster
You don't have the WI Site secure access setup properly.
0
 
LVL 36

Expert Comment

by:Carl Webster
Sorry, hit submit too soon.

You should be using Gateway Direct.

You can have two options setup.  One for Gateway Direct if you want internal and external users to go thru the CSG.  If you want internal users to hit the WI Site directly, then you add a Direct option and use 192.22.0.0/16.
0
 

Author Comment

by:Tech_Me_More
Ok I set the following:

192.22.22.0 255.255.255.0 Direct
Default Gateway Direct

Address (FQDN): citrix.acme.com
Port: 443
Enable Session Reliability (has a checked)

STA: http://servername.domain.local/scripts/ctxsta.dll

Still getting the same error that I just posted.... :(
0
 
LVL 36

Expert Comment

by:Carl Webster
In your original question you said you were using local IP 192.168.x.x and later you say 192.22.x.x.  Which one is correct?
0
 
LVL 36

Expert Comment

by:Carl Webster
In CSG, what did you enter for the FQDN for the STA?

What is your XML port?
0
 

Author Comment

by:Tech_Me_More
Citrix-Settings.doc

Oops, I apologize for that. All the IP addresses / numbers I'm posting are fake numbers. We'll stick with the IP numbers I posted last. But keep in mind that those are not the actual private and public numbers I'm using :)

I have attached some screen shots.
0
 

Author Comment

by:Tech_Me_More
I tried "Gateway Translate" as well... I'm guessing this is what I should be using since the private IP is being NATed to a public IP, but still no luck... I bet it's a simple fix and I'm going to be kicking myself once this problem is fixed. :)
0
 
LVL 36

Expert Comment

by:Carl Webster
On my router/firewall I redirect all 443 traffic coming from citrix.websterslab.com to the internal IP of my CSG/WI server 192.168.1.105.  I use Gateway Direct and have never had a problem.  That is what I used in the article I referenced earlier.

FQDN - try just CTESTSVR1 (make sure you can ping CTESTSVR1 and CTESTSVR1.domain.local)

What is your XML port?  That is in your farm settings.

If you have a few minutes to troubleshoot, send me an e-mail to my e-mail address in my profile.
0
 

Accepted Solution

by:
Tech_Me_More earned 0 total points
Hi CarlWebster - Thanks for all your input, but I finally broke down and paid Citrix (an arm and a leg) to help resolve the problem. You had me on the right track, but the link you sent me was telling me to use "Direct". I did try "Gateway Direct" as well, but that did not work either, even though "Gateway Direct" is the correct option I should be using. The missing link to my issue was that I had 2 entries:

Entry 1: Default - Gateway Direct
Entry 2: 192.168.168.0 255.255.255.0 - Direct
(above setting was set because I found a bunch of links stating I should have "Entry 2" in place to work correctly for internal users)

The Citrix Tech removed "Entry 2" to resolve my problem and said that "Entry 2" is not recommended in XenApp 5.0 on MS Server 2008. It was an expensive lesson, but one I'll never forget. :) Thanks for trying to help!!
0
 
LVL 36

Expert Comment

by:Carl Webster
I disagree with you.  My article specifically states on page 8 to use Gateway Direct with CSG.

http://www.dabcc.com/article.aspx?id=15055&page=8

0
 

Author Closing Comment

by:Tech_Me_More
I had to pay a Citrix Tech to help figure out what else was causing my issue.
0
