
Remote access to Citrix fundamentals 6.0 fails with SSL error 61

I have a new installation of Citrix Fundamentals 6.0 and used the Quick start to configure external access directly to the server. I configured a custom port, 444, since 443 is already used by OWA. I configured the ASA firewall for this port and server. When I go to the URL https://mail.shawbrothers.com:444 I get a login prompt and can log in and see my applications, but when I launch an application it fails with "the Citrix Receiver could not establish a connection" or SSL error 61.

This is a self-signed certificate. Do I need to export a certificate into Internet Explorer on the client PC? If yes, what is the procedure?
BlueGlory
Asked:
Ayman Bakr, Senior Consultant, commented:
Cláudio Rodrigues, Founder and CEO, commented:
Couple things:

1. I noticed (as you mentioned) you are using an internal certificate. In this case you either need the Root CA (the internal one) loaded on the PCs people will connect from OR you need the certificate itself loaded on their Trusted Certificates (again on their PCs).
2. The Citrix Web Interface simply creates icons for the apps available that are really .ICA (text) files and are passed to be parsed by the local ICA Client (Citrix Receiver + Online Plugin). If you are NOT using Citrix Secure Gateway (CSG) or Citrix Access Gateway (CAG) that means the .ICA file is telling the client to connect directly to the Citrix servers on port 1494 or 2598 (if session reliability is on). In that case the firewall MUST be opened AND you must use ALTADDR on the XenApp Servers.

When you use CSG or CAG all traffic goes through HTTPS (443) all the way to the CSG/CAG and from there goes ICA to the XenApp servers. In this case only port 443 needs to be opened.

As you are already using port 443 for mail, you have two options:

1. Get a second IP, second DNS entry (i.e. citrix.shawbrothers.com) and install the web interface AND Citrix Secure Gateway on another server and open the firewall for that second IP to send HTTPS to the CSG/WI machine. Then you simply configure the CSG to handle port 443 (no need for 443 on the WI as the CSG will intercept/take care of that) and you set the WI to 'Gateway Direct'. Of course you need to load the certificate for citrix.shawbrothers.com on the CSG (ideally get it issued by a third party certification authority like Entrust, RapidSSL, Verisign, etc).
2. Open as many ports on your firewall as you have XenApp servers and set the alternate address to be the external IP. In this case each XenApp will be on a different port (i.e. 1494, 1495 and so on). The firewall as I said must be then opened for each port, each one going to a different XenApp.

Option 1 is the BEST way to go. Simple to do and works flawlessly.

Cheers.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
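
The answer above says the .ICA launch file decides whether the client connects directly (1494/2598) or through a gateway on 443. The following is an added example, not part of the original answer and not Citrix code: a small parser that reports which path a launch file requests, so you know which host, port and certificate to check. The function name `launch_path` is hypothetical, the key names (`Address`, `SSLEnable`, `SSLProxyHost`, `CGPAddress`) are assumed from typical Web Interface-generated files, and the sample files and hosts are constructed.

```python
import configparser

ICA_PORT, CGP_PORT, HTTPS_PORT = 1494, 2598, 443  # ports named in the answer above

# Constructed sample launch files; addresses, host names and ticket are placeholders.
DIRECT_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=203.0.113.10:1495
InitialProgram=#Notepad
"""

GATEWAY_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA01;0123456789ABCDEF
SSLEnable=On
SSLProxyHost=citrix.example.com:443
"""


def launch_path(ica_text):
    """Return (app, mode, host, port) for every application section in an ICA file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(ica_text)
    results = []
    for name in cp.sections():
        sec = cp[name]
        if "address" not in sec:
            continue  # global sections such as [ApplicationServers] carry no Address
        if sec.get("sslenable", "off").lower() == "on" and "sslproxyhost" in sec:
            # TLS to the gateway: its certificate must be trusted by the client PC
            host, _, port = sec["sslproxyhost"].partition(":")
            results.append((name, "gateway", host, int(port or HTTPS_PORT)))
        else:
            # Direct ICA: the firewall must pass this port to the XenApp server
            host, _, port = sec["address"].partition(":")
            default = CGP_PORT if "cgpaddress" in sec else ICA_PORT
            results.append((name, "direct", host, int(port or default)))
    return results


if __name__ == "__main__":
    for sample in (DIRECT_ICA, GATEWAY_ICA):
        print(launch_path(sample))
```

Save the launch file the Web Interface hands to the browser and pass its text to `launch_path` to see whether the session is expected to traverse the gateway or reach the server directly.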
Cláudio Rodrigues, Founder and CEO, commented:
Oh if you have no idea about what I am saying, that means go get a Citrix consultant to do it for you. :-)

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
BlueGlory (Author) commented:
The SSL cert was corrupt and the provider fixed it.
BlueGlory (Author) commented:
The other solutions did not apply.
Question has a verified solution.