Remote access to Citrix fundamentals 6.0 fails with SSL error 61

I have a new installation of Citrix Fundamentals 6.0 and used the Quick Start to configure external access directly to the server. I configured a custom port 444 since 443 is already used by OWA. I configured the ASA firewall for this port and server. When I go to the URL I get a login prompt and can log in and see my applications. When I launch an application, it fails with "the Citrix Receiver could not establish a connection" or SSL error 61.

This is a self-signed certificate. Do I need to export a certificate into Internet Explorer on the client PC? If yes, what is the procedure?

Ayman Bakr, Senior Consultant, Commented:
Cláudio Rodrigues, Founder and CEO, Commented:
Couple things:
1. I noticed (as you mentioned) you are using an internal certificate. In this case you either need the Root CA (the internal one) loaded on the PCs people will connect from OR you need the certificate itself loaded on their Trusted Certificates (again on their PCs).
2. The Citrix Web Interface simply creates icons for the apps available that are really .ICA (text) files and are passed to be parsed by the local ICA Client (Citrix Receiver + Online Plugin). If you are NOT using Citrix Secure Gateway (CSG) or Citrix Access Gateway (CAG) that means the .ICA file is telling the client to connect directly to the Citrix servers on port 1494 or 2598 (if session reliability is on). In that case the firewall MUST be opened AND you must use ALTADDR on the XenApp Servers.
When you use CSG or CAG all traffic goes through HTTPS (443) all the way to the CSG/CAG and from there goes ICA to the XenApp servers. In this case only port 443 needs to be opened.
As you are already using port 443 for mail, you have two options:
1. Get a second IP, second DNS entry (i.e. and install the web interface AND Citrix Secure Gateway on another server and open the firewall for that second IP to send HTTPS to the CSG/WI machine. Then you simply configure the CSG to handle port 443 (no need for 443 on the WI as the CSG will intercept/take care of that) and you set the WI to 'Gateway Direct'. Of course you need to load the certificate for on the CSG (ideally get it issued by a third party certification authority like Entrust, RapidSSL, Verisign, etc).
2. Open as many ports on your firewall as you have XenApp servers and set the alternate address to be the external IP. In this case each XenApp will be on a different port (i.e. 1494, 1495 and so on). The firewall as I said must be then opened for each port, each one going to a different XenApp.

Option 1 is the BEST way to go. Simple to do and works flawlessly.


Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
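
A triage aid for the launch flow described in the answer above, added here as an example and not part of the original thread or of any Citrix tooling: it reads a saved launch .ICA file and reports whether the client is being sent directly to a XenApp server or through an SSL gateway. The sample files, host names and addresses are constructed; `Address`, `SSLEnable` and `SSLProxyHost` are keys found in Web Interface launch files.

```python
import configparser
import ipaddress

ICA_PORT = 1494  # direct ICA port named in the answer above

# Constructed sample launch files, not captured from a real Web Interface.
DIRECT_ICA = """[ApplicationServers]
Notepad=
[Notepad]
Address=10.0.0.21
InitialProgram=#Notepad
"""
GATEWAY_ICA = """[ApplicationServers]
Notepad=
[Notepad]
Address=;40;STA01;CONSTRUCTEDTICKET
SSLEnable=On
SSLProxyHost=apps.example.test:444
"""

def _host_port(value, default):
    host, sep, port = value.partition(":")
    return host, int(port) if sep else default

def launch_path(ica_text):
    """Report where the ICA client is told to connect and what that requires."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ica_text)
    app = next(iter(cp["ApplicationServers"]))  # first published application
    sec = cp[app]
    if sec.get("SSLEnable", "Off").lower() == "on":
        host, port = _host_port(sec.get("SSLProxyHost", ""), 443)
        note = "TLS to gateway: open only this port; client must trust its certificate"
        return {"mode": "gateway", "host": host, "port": port, "note": note}
    host, port = _host_port(sec.get("Address", ""), ICA_PORT)
    try:
        internal = ipaddress.ip_address(host).is_private
    except ValueError:
        internal = False  # hostname: resolve it from the external client to check
    note = ("internal address sent to client: ALTADDR not in effect" if internal
            else "direct ICA: firewall must forward this port to the XenApp server")
    return {"mode": "direct", "host": host, "port": port, "note": note}

if __name__ == "__main__":
    for name, text in (("direct", DIRECT_ICA), ("gateway", GATEWAY_ICA)):
        print(name, launch_path(text))
```
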
Cláudio Rodrigues, Founder and CEO, Commented:
Oh if you have no idea about what I am saying, that means go get a Citrix consultant to do it for you. :-)

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
BlueGlory, Author, Commented:
The SSL cert was corrupt; the provider fixed it.

BlueGlory, Author, Commented:
The other solutions did not apply.