Unable to Launch Citrix Applications - SSL Error 4

Hello,

I just installed WI on new server due to viruses on old server. Here is my setup....

XenApp and WI both sit behind a TZ190. The WI sits in a DMZ Zone on the TZ190. Keep in mind all was working with the NAT and Access Rules before I installed WI on a new server.

Windows 2008
XenApp 5.0

Windows 2003
WI
CSG

Default Website properties
Default
(All Unassigned)
TCP port 81
SSL port 444

Secure Gateway Configuration
Certification found: Citrix.myrapadocs.com
Secure Socket Layer (SSLv3) and TLSv1
Cipher suite: All

Configure inbound client connections
checked - Monitor all IPv4
TCP port: 443
No Network Interface list

No outbound traffic restrictions

Servers running the STA
Identifier: STA362CE7A8D924       FQDN: WIN08CITRIX (Which is the XenApp Server)
Path: /Scripts/CtxSTA.dll
Protocols settings: Unchecked Secure traffic between the STA and Secure Gateway
TCP port: 8080
Use Default: Unchecked

No connection timeout
No Concurrent connection limits
No Logging exclusions

Access Options
Checked - Indirect & Installed on this computer
TCP port: 81

Logging: Warning, errors, and fatal events

--------------------------------------------------------------------

WI

Site name: XenApp
Site URL: https://Citrix.myrapadocs.com:444/Citrix/XenApp
Farm Name: RAPA Citrix
XML Service: WIN08CITRIX
XML port: 8080
XML transport: HTTP

Authentication: At Web Interface
Available methods: Explicit
Resource type: Online
Available clients: Native clients

Specify Access method: IP Address: Default - Access method: Gateway Direct
Specify Gateway Settings: Address (FQDN) citrix.rapadocs.com
Port: 443
Checked: Enable session reliability
Unchecked: Request tickets from two STA
Secure Ticket Authority URLs: http://WIN08CITRIX:8080/Scripts/CtxSTA.dll
Bypassed failed server for: 1 Hour

I am able to log on to Citrix and see my Apps, however when I click on an APP I get Error - Unable to launch your application: Cannot connect to the Citrix XenApp Server.
SSL Error 4: Attempted to connect using the TLS V1.0|SSL v3.0 protocols. The server rejected the connection.


I am also getting Warning under Event Viewer - ID 125 - Source: Citrix Secure Gateway
SSL handshake from client failed.

Late last night I got Event ID: 30107
Site path: c:\inetpub\wwwroot\Citrix\XenApp

The Citrix server reported that they are too busy to provide access to the selected resource. This message was reported from the XML Service at address http://WIN08CITRIX:8080
[com.citrix.xml.NFuseProtocol.RequestAddress].

I appreciate your help and support.

Thanks,

nimdatx
Jaime CamposAsked:
 
Dirk KotteSECommented:
SSL is very sensitive.
Your certificate starts with a big "C" at Citrix.
Possibly this is the reason.
0
 
Jayanta SarmahCommented:
Check this out, if you still didn't:

http://support.citrix.com/article/CTX524634
1
 
Jaime CamposAuthor Commented:
Did all troubleshooting steps, still no fix.
0
 
Dirk KotteSECommented:
Hi,
what do the CSG diagnostics say?
0
 
Jaime CamposAuthor Commented:
HELLO!!!! Thank god you're back....

CSG Diagnostics:
Version = 3.2.0

Computer NetBIOS Name: CITRIXWI
Configuration captured on: 2/15/2012 10:59:48 AM
------------------------------------------------

Secure Gateway Global Settings
------------------------------
  Version = 3.2.0
  Product secured = Citrix XenApp only
  Logging level =  2 (Warning, errors and fatal events)
  Client connection timeout =  100 seconds
  Maximum concurrent connections =  250
  Certificate FQDN = Citrix.myrapadocs.com

Interfaces
----------

  All interfaces (0.0.0.0 : 443)
  ------------------------------
    Protocol = SSL, TLS
    Cipher suites = ALL
    Secured = Yes
    HTTP = No
    ICA = Yes
    SOCKS = Yes
    Gateway Client = No
    LoadBalancerIPs = None defined

Web Interface
-------------
  FQDN = localhost
  Port = 81
  Secured = No
  Protocol = SSL, TLS
  Cipher suites = ALL
  Access mode = Indirect
  Tested OK

Authority Servers
-----------------

  ID = STA362CE7A8D924
  --------------------
    FQDN = WIN08CITRIX
    Port = 8080
    Path = /Scripts/CtxSTA.dll
    Type = STA
    Secured = No
    Protocol = SSL, TLS
    Cipher suites = ALL
    Tested OK

Certificate Check
-----------------
  FQDN = Citrix.myrapadocs.com
  This certificate is currently valid.

EOF
0
 
Jaime CamposAuthor Commented:
FYI - I also have no NAT going from WI (DMZ) to XenApp (LAN) and Access Rules are opened up.

Also....IIS SSL Port is 444
0
 
Jaime CamposAuthor Commented:
Take a look at this ticket I have open....do you think it has anything to do with it?

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Citrix/Q_27586360.html
0
 
Jaime CamposAuthor Commented:
That's how I had it on old server....
0
 
Dirk KotteSECommented:
Only an experiment, but...
try to configure the CSG location within WI also with the big "C".
0
 
Jaime CamposAuthor Commented:
Ok....I changed Specify Gateway Settings - FQDN: Citrix.rapadocs.com (Big C). I left port on 443 and left checked Enable session reliability and left unchecked Request tickets from two STAs.

Still no luck.
0
 
Jaime CamposAuthor Commented:
Would it hurt if I changed Host name on WI to reflect old WI server's HOST name? I am currently able to resolve Host name to IP from new WI server all is good, but just a thought. When I initially setup my first WI server 2 yrs back, I remember I got same error message, but not sure how I fixed it. I think it has something to do with IIS.
0
 
Dirk KotteSECommented:
Like the support articles say... be sure IIS doesn't use port 443.
I think that's OK.
0
 
Jaime CamposAuthor Commented:
On my XenApp Server I am unable to access Access Management Console due to some weird permissions issues I have not figured out. Do you think that that has anything to do with it? If I go through XenApp advance configuration, I am able to connect to WIN08CITRIX and see my apps. I sent you the link to other ticket.

Not sure what I'm going to do at this point. My boss's boss asked me how long already....and I must figure this out soon.
0
 
Dirk KotteSECommented:
Check the proxy settings within the Web Interface site.
It should mostly be set to "auto".

Save the launch.ica file and post it.
0
 
Dirk KotteSECommented:
Does your WI/CSG server have internet access to check the CRL?
0
 
Jaime CamposAuthor Commented:
HEY....I just freaking noticed that Gateway Settings - FQDN is Citrix.rapadocs.com and should be Citrix.myrapadocs.com.
0
 
Dirk KotteSECommented:
No!
:-)
0
 
Jaime CamposAuthor Commented:
IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! THANK YOU!!!!!
0
 
Dirk KotteSECommented:
nice to hear.
have a happy day.
0
 
Jaime CamposAuthor Commented:
dkotte, I really appreciate all your help. You have no idea how much you helped me. I had begun to take the WI out of DMZ and test when the light bulb came on. It was because you mentioned that SSL is sensitive and I had that on my mind when I suddenly looked down at a piece of paper where I wrote down Gateway Settings and noticed it was incorrect.

You have a happy day as well my friend.

nimdatx
0
Question has a verified solution.
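
The mismatch that resolved this thread can be checked mechanically. The following is an added example, not code from any participant or from Citrix: it reads the gateway host handed to the client in a saved launch.ica (the `SSLProxyHost` entry) and tests it against the names on the Secure Gateway certificate, case-insensitively and with left-most wildcard support, which goes slightly beyond the single-name case in the thread. The function names and the sample ICA text are constructed for illustration.

```python
import configparser

# Constructed sample: the gateway-related part of a launch.ica file.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA362CE7A8D924;PLACEHOLDERTICKET
SSLEnable=On
SSLProxyHost=citrix.rapadocs.com:443
"""

def proxy_hosts(ica_text):
    """Return {section: host} for every section that sets SSLProxyHost."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ica_text)
    hosts = {}
    for section in cp.sections():
        value = cp.get(section, "SSLProxyHost", fallback=None)
        if value:
            hosts[section] = value.rsplit(":", 1)[0].strip()  # drop ":port"
    return hosts

def name_matches(host, cert_name):
    """Host name match: case-insensitive, '*' only as the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    c = cert_name.lower().rstrip(".").split(".")
    if len(h) != len(c):
        return False
    if c[0] == "*" and len(c) > 2:
        return h[1:] == c[1:]
    return h == c

def check_ica(ica_text, cert_names):
    """List (section, host) pairs whose gateway host the certificate does not cover."""
    return [(s, h) for s, h in proxy_hosts(ica_text).items()
            if not any(name_matches(h, n) for n in cert_names)]

if __name__ == "__main__":
    for section, host in check_ica(SAMPLE_ICA, ["Citrix.myrapadocs.com"]):
        print(f"[{section}] SSLProxyHost {host!r} is not on the gateway certificate")
```

Pass the certificate's subject and subject alternative names as `cert_names`; any pair returned means the client is being sent to a host name the gateway certificate cannot vouch for.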
