Unable to Launch Citrix Applications - SSL Error 4


I just installed WI on new server due to viruses on old server. Here is my setup....

XenApp and WI both sit behind a TZ190. The WI sits in a DMZ Zone on the TZ190. Keep in mind all was working with the NAT and Access Rules before I installed WI on a new server.

Windows 2008
XenApp 5.0

Windows 2003

Default Website properties
(All Unassigned)
TCP port 81
SSL port 444

Secure Gateway Configuration
Certification found: Citrix.myrapadocs.com
Secure Socket Layer (SSLv3) and TLSv1
Cipher suite: All

Configure inbound client connections
checked - Monitor all IPv4
TCP port: 443
No Network Interface list

No outbound traffic restrictions

Servers running the STA
Identifier: STA362CE7A8D924       FQDN: WIN08CITRIX (Which is the XenApp Server)
Path: /Scripts/CtxSTA.dll
Protocols settings: Unchecked Secure traffic between the STA and Secure Gateway
TCP port: 8080
Use Default: Unchecked

No connection timeout
No Concurrent connection limits
No Logging exclusions

Access Options
Checked - Indirect & Installed on this computer
TCP port: 81

Logging: Warning, errors, and fatal events



Site name: XenApp
Site URL: https://Citrix.myrapadocs.com:444/Citrix/XenApp
Farm Name: RAPA Citrix
XML port: 8080
XML transport: HTTP

Authentication: At Web Interface
Available methods: Explicit
Resource type: Online
Available clients: Native clients

Specify Access method: IP Address: Default - Access method: Gateway Direct
Specify Gateway Settings: Address (FQDN) citrix.rapadocs.com
Port: 443
Checked: Enable session reliability
Unchecked: Request tickets from two STA
Secure Ticket Authority URLs: http://WIN08CITRIX:8080/Scripts/CtxSTA.dll
Bypassed failed server for: 1 Hour

I am able to log on to Citrix and see my Apps, however when I click on an APP I get Error - Unable to launch your application: Cannot connect to the Citrix XenApp Server.
SSL Error 4: Attempted to connect using the TLS V1.0|SSL v3.0 protocols. The server rejected the connection.

I am also getting Warning under Event Viewer - ID 125 - Source: Citrix Secure Gateway
SSL handshake from client failed.

Late last night I got Event ID: 30107
Site path: c:\inetpub\wwwroot\Citrix\XenApp

The Citrix server reported that they are too busy to provide access to the selected resource. This message was reported from the XML Service at address http://WIN08CITRIX:8080

I appreciate your help and support.


Jaime CamposAsked:

Jayanta SarmahCommented:
Check this out, if you still didn't:

Jaime CamposAuthor Commented:
Did all troubleshooting steps, still no fix.
Dirk KotteSECommented:
what does the CSG-diagnostics say?

Jaime CamposAuthor Commented:
HELLO!!!! Thank god you're back....

CSG Diagnostics:
Version = 3.2.0

Computer NetBIOS Name: CITRIXWI
Configuration captured on: 2/15/2012 10:59:48 AM

Secure Gateway Global Settings
  Version = 3.2.0
  Product secured = Citrix XenApp only
  Logging level =  2 (Warning, errors and fatal events)
  Client connection timeout =  100 seconds
  Maximum concurrent connections =  250
  Certificate FQDN = Citrix.myrapadocs.com


  All interfaces ( : 443)
    Protocol = SSL, TLS
    Cipher suites = ALL
    Secured = Yes
    HTTP = No
    ICA = Yes
    SOCKS = Yes
    Gateway Client = No
    LoadBalancerIPs = None defined

Web Interface
  FQDN = localhost
  Port = 81
  Secured = No
  Protocol = SSL, TLS
  Cipher suites = ALL
  Access mode = Indirect
  Tested OK

Authority Servers

  ID = STA362CE7A8D924
    Port = 8080
    Path = /Scripts/CtxSTA.dll
    Type = STA
    Secured = No
    Protocol = SSL, TLS
    Cipher suites = ALL
    Tested OK

Certificate Check
  FQDN = Citrix.myrapadocs.com
  This certificate is currently valid.

Jaime CamposAuthor Commented:
FYI - I also have no NAT going from WI (DMZ) to XenApp (LAN) and Access Rules are opened up.

Also....IIS SSL Port is 444
Jaime CamposAuthor Commented:
Take a look at this ticket I have open....do you think it has anything to do with it?

Dirk KotteSECommented:
SSL is very sensitive.
Your certificate starts with a big "C" at Citrix.
Possibly this is the reason.

Jaime CamposAuthor Commented:
That's how I had it on old server....
Dirk KotteSECommented:
only an experiment but ...
try to configure the CSG-location within WI also with the big "C".
Jaime CamposAuthor Commented:
Ok....I changed Specify Gateway Settings - FQDN: Citrix.rapadocs.com (Big C) I left port on 443 and left checked Enable session reliability and left unchecked Request tickets from two STAs.

Still no luck.
Jaime CamposAuthor Commented:
Would it hurt if I changed Host name on WI to reflect old WI server's HOST name? I am currently able to resolve Host name to IP from new WI server all is good, but just a thought. When I initially setup my first WI server 2 yrs back, I remember I got same error message, but not sure how I fixed it. I think it has something to do with IIS.
Dirk KotteSECommented:
Like the support articles say .. be sure the IIS doesn't use port 443.
I think that's ok.
Jaime CamposAuthor Commented:
On my XenApp Server I am unable to access Access Management Console due to some weird permissions issues I have not figured out. Do you think that that has anything to do with it? If I go through XenApp advance configuration, I am able to connect to WIN08CITRIX and see my apps. I sent you the link to other ticket.

Not sure what I'm going to do at this point. My boss's boss asked me how long already....and I must figure this out soon.
Dirk KotteSECommented:
Check the proxy settings within the Web Interface site.
It should be set to "auto" mostly.

Save the launch.ica file and post it.
Dirk KotteSECommented:
Does your WI/CSG server have internet access to check the CRL?
Jaime CamposAuthor Commented:
HEY....I just freaking noticed that Gateway Settings - FQDN is Citrix.rapadocs.com and should be Citrix.myrapadocs.com.
Dirk KotteSECommented:
no !
Jaime CamposAuthor Commented:
IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! THANK YOU!!!!!
Dirk KotteSECommented:
nice to hear.
have a happy day.
Jaime CamposAuthor Commented:
dkotte, I really appreciate all your help. You have no idea how much you helped me. I had begun to take the WI out of DMZ and test when the light bulb came on. It was cause you mentioned that SSL is sensitive and I had that on my mind when I suddenly looked down at a piece of paper I wrote down Gateway Settings and noticed it was incorrect.

You have a happy day as well my friend.
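
Added example, not part of the original thread: the fix came down to the Web Interface gateway FQDN not matching the Secure Gateway certificate FQDN. This Python sketch reads the `SSLProxyHost` entry from a saved launch.ica and checks it against the certificate name; the sample ICA text is constructed and the function names are hypothetical.

```python
import configparser

# Constructed sample of a saved launch.ica (not taken from the thread);
# only the fields relevant to the gateway connection are included.
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
SSLEnable=On
SSLProxyHost=citrix.rapadocs.com:443
"""

def gateway_hosts(ica_text):
    """Return the host part of every SSLProxyHost entry in an ICA file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ica_text)
    hosts = []
    for section in cp.sections():
        value = cp.get(section, "SSLProxyHost", fallback=None)
        if value:
            hosts.append(value.rsplit(":", 1)[0].strip())
    return hosts

def name_matches(cert_name, host):
    """DNS name match: case-insensitive, one left-most wildcard label allowed."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return c[1:] == h[1:]
    return c == h

def check_ica(ica_text, cert_names):
    """Map each gateway host in the ICA file to whether the certificate covers it."""
    return {h: any(name_matches(n, h) for n in cert_names)
            for h in gateway_hosts(ica_text)}

if __name__ == "__main__":
    cert = ["Citrix.myrapadocs.com"]  # "Certificate FQDN" from the CSG diagnostics
    print(check_ica(SAMPLE_ICA, cert))   # gateway address as first configured
    fixed = SAMPLE_ICA.replace("citrix.rapadocs.com", "citrix.myrapadocs.com")
    print(check_ica(fixed, cert))        # gateway address after the correction
```

Running the same comparison against the Gateway Settings FQDN in Web Interface before users launch applications catches this kind of mismatch without waiting for SSL Error 4 on the client.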
