• Status: Solved

Cannot connect to the Citrix XenApp server. Protocol Driver Error

Having difficulties accessing the Citrix server / launching applications from the outside through the firewall.

I can get to the Citrix logon screen from the outside, but after initial login / authentication, when I try to launch an application it does not function appropriately. Cannot launch any applications. Receive this error: (Unable to launch your application. Contact your helpdesk with the following information. Cannot connect to the Citrix XenApp server. Protocol Driver Error)

The Website/Citrix is also using SSL Cert for HTTPS.

Having some issues setting this up correctly "Manage secure client access" in "Citrix Access Management Console".

I can access the Citrix environment from inside the firewall on the local network and access / launch applications without any issues running Citrix Apps from internal. Issue is only coming from public side.

Also, only ports 80 and 443 are open on our Juniper firewall.

The server is running Windows 2008 Server 64-bit, Citrix XenApp 5.0 Advanced Edition.

The server is connected to local network 192.168.x.x; all of the Citrix modules / applications are running on a single server/box.

Example: Private IP Internal 192.168.x.x NATs to 170.2.2.2
Tech_Me_More
Asked:
2 Solutions
 
Carl Webster Commented:
I recommend that you use Citrix Secure Gateway.

http://dabcc.com/Webster/CSG

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Have you set the alternate address on the server to its NATed address?

amichaell Commented:
Are you using a Secure Gateway, Access Gateway, or NetScaler?  If not, you'll need 1494 open as well.  If you are using a CSG, AGEE, or NS you'll need 1494 opened between them and your XenApp server.
 
Tech_Me_More (Author) Commented:
This is a Citrix test server. I did not realize that the Secure Gateway was not installed after completing the overall installation. All of the Citrix services / modules are running on the same server. When it comes to the option Configure Inbound Client Connections, it defaults to Monitor all IPv4 addresses / TCP Port 443. It will not allow me to configure the Secure Gateway because port 443 is already being used by the web server, IIS.

amichaell Commented:
You'll want CSG running on 443 and the IIS site running on a different port (usually 444 to make it easy).  

Carl Webster Commented:
The link I sent you earlier will walk you through all the configuration steps.

Tech_Me_More (Author) Commented:
I followed all the steps in your documentation, CarlWebster, for Secure Gateway. Now when I try to access the https:// Citrix site I get the error "page cannot be found". Now only internal http:// works. Seems like the SSL / connectivity for https:// has broken.

alexsupertramp Commented:
I didn't read through Carl's documentation that you followed yet, but did you ensure that Secure Gateway is running on port 443 and IIS is on 444?
iis-ssl444.JPG

Tech_Me_More (Author) Commented:
Here is how I have it set in IIS6

citrix-IIS.bmp

Tech_Me_More (Author) Commented:
This is IIS running on Windows Server 2008

Carl Webster Commented:
Since you are inside your network, the article I wrote says you need to go to https://fqdn:444

Carl Webster Commented:
Right above Figure 10-81 (Page 6):

Open your Internet browser and go to https://FullyQualifiedDomainName:444.  

Tech_Me_More (Author) Commented:
I can access from inside, but not able to access from outside. Here is an example on how it is set up outside vs inside:

Firewall Ports Open: 80/443
SSL Cert: citrix.acme.com

173.11.11.11 Outside:
https://citrix.acme.com (page not found error)

192.22.22.22 Inside:
Citrix Server

On a PC on inside
http://servername (works)
http://servername.domain.local (works)
https:// with and without :444 at end (does not work)

On Citrix Server on inside
If I go into IIS Manager and do a "browse" https:// will work
http://servername (works)
http://servername.domain.local (works)
https:// with server name or cert name (works) with and without :444 at end (works)

I'm sure it's something dumb I overlooked... :)

Carl Webster Commented:
Windows Firewall on Citrix Server?  Disable and stop the Windows FW service.

Tech_Me_More (Author) Commented:
Yep, it was the firewall! I can now get to the Citrix web page from outside and from a PC on the inside. Here is the next bump in the road. From a PC on the inside I can now do https and launch a published app. From the outside I can log into the Citrix login page, but when I click on a published app I get the following...

citrix-error.bmp
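
Editorial example added to this page, not written by anyone in the thread and not Citrix's own tooling: a small probe that separates "nothing is listening" from "a firewall is dropping the traffic" for the ports the thread names (443 for Secure Gateway, 444 for IIS, 1494 for ICA). The function names are hypothetical and the demo targets loopback as a constructed stand-in for the real server; run it once from inside and once from outside and compare.

```python
import socket

# Roles are taken from the thread; 127.0.0.1 below is a constructed stand-in.
THREAD_PORTS = {
    443: "Secure Gateway (CSG), external entry point",
    444: "IIS / Web Interface after it was moved off 443",
    1494: "ICA, CSG to XenApp server",
}

MEANING = {
    "open": "service is listening and reachable from here",
    "refused": "reset received: nothing is bound to this port",
    "filtered": "no answer: a perimeter or host firewall drops it",
    "unresolved": "name does not resolve from this vantage point",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP port as open, refused, filtered or unresolved."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and unreachable errors land here
        return "filtered"
    finally:
        sock.close()

def survey(host, ports=THREAD_PORTS, timeout=3.0):
    """Probe each port and return (port, role, state, meaning) rows."""
    rows = []
    for port, role in sorted(ports.items()):
        state = probe(host, port, timeout)
        rows.append((port, role, state, MEANING[state]))
    return rows

if __name__ == "__main__":
    # Constructed demo: loopback instead of the real server name.
    for row in survey("127.0.0.1", timeout=1.0):
        print("%5d  %-48s %-10s %s" % row)
```

A port that is "open" on the server itself but "filtered" from another internal PC points at the host firewall; "refused" points at the service binding instead.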
 
Carl Webster Commented:
You don't have the WI Site secure access setup properly.

Carl Webster Commented:
Sorry, hit submit too soon.

You should be using Gateway Direct.

You can have two options setup.  One for Gateway Direct if you want internal and external users to go thru the CSG.  If you want internal users to hit the WI Site directly, then you add a Direct option and use 192.22.0.0/16.

Tech_Me_More (Author) Commented:
Ok I set the following:

192.22.22.0 255.255.255.0 Direct
Default Gateway Direct

Address (FQDN): citrix.acme.com
Port: 443
Enable Session Reliability (is checked)

STA: http://servername.domain.local/scripts/ctxsta.dll

Still getting the same error that I just posted.... :(

Carl Webster Commented:
In your original question you said you were using local IP 192.168.x.x and later you say 192.22.x.x.  Which one is correct?

Carl Webster Commented:
In CSG, what did you enter for the FQDN for the STA?

What is your XML port?

Tech_Me_More (Author) Commented:
Citrix-Settings.doc

Oops, I apologize for that. All the IP addresses / numbers I'm posting are fake numbers. We'll stick with the IP numbers I posted last. But keep in mind that those are not the actual private and public numbers I'm using :)

I have attached some screen shots.

Tech_Me_More (Author) Commented:
I tried "Gateway Translate" as well... I'm guessing this is what I should be using since the private IP is being NATed to a public IP, but still no luck... I bet it's a simple fix and I'm going to be kicking myself once this problem is fixed. :)

Carl Webster Commented:
On my router/firewall I redirect all 443 traffic coming from citrix.websterslab.com to the internal IP of my CSG/WI server 192.168.1.105.  I use Gateway Direct and have never had a problem.  That is what I used in the article I referenced earlier.

FQDN - try just CTESTSVR1 (make sure you can ping CTESTSVR1 and CTESTSVR1.domain.local)

What is your XML port?  That is in your farm settings.

If you have a few minutes to troubleshoot, send me an e-mail to my e-mail address in my profile.

Tech_Me_More (Author) Commented:
Hi CarlWebster - Thanks for all your input, but I finally broke down and paid Citrix (an arm and a leg) to help resolve the problem. You had me on the right track, but the link you sent me was telling me to use "Direct". I did try "Gateway Direct" as well, but that did not work either, even though "Gateway Direct" is the correct option I should be using. The missing link to my issue was that I had 2 entries:

Entry 1: Default - Gateway Direct
Entry 2: 192.168.168.0 255.255.255.0 - Direct
(above setting was set because I found a bunch of links stating I should have "Entry 2" in place to work correctly for internal users)

The Citrix Tech removed "Entry 2" to resolve my problem and said that "Entry 2" is not recommended in XenApp 5.0 on MS Server 2008. It was an expensive lesson, but one I'll never forget. :) Thanks for trying to help!!

Carl Webster Commented:
I disagree with you.  My article specifically states on page 8 to use Gateway Direct with CSG.

http://www.dabcc.com/article.aspx?id=15055&page=8


Tech_Me_More (Author) Commented:
I had to pay a Citrix Tech to help figure out what else was causing my issue.