Citrix Access Gateway Secure Access Issue

Up until the night before last we were running a XenApp 6.5 server on Windows 2008 R2 servers using Citrix Access Server and the Web Interface with no issues, using Gateway Direct as the default access method. I came in yesterday morning and no one could access the farm, as in no credentials were valid. I changed the access method to Direct and the XML transport to HTTP from SSL Relay, and internal users can access, but external users can't. I've unregistered and registered the XML service on all of the XenApp servers. I've run a repair on the sites. I've re-run the configuration. Can't figure this one out. Any ideas?
Asked by Michelle Dabney, IT Director:
Coralon commented:
OK, if the firewall is presenting the source address, then you'll set Gateway Direct as your default and set your internal LANs as Direct rules.

But I'd also do a telnet test from the firewall to each of the ports on the XA servers (1494, 2598, XML (80/443?), etc.) to make sure they pass through.

From a known system, I would also change the file association for .ica files to Notepad and try to launch it. You'll open the launch.ica file and see what address it is giving you (or the connect string for a gateway launch). And verify your DNS settings.

Coralon
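The two checks above (read launch.ica to see where the client is actually being sent, then confirm the firewall passes the ports to that host) can be scripted. The Python below is an added example written for this page, not code from the thread or from Citrix. The two launch.ica fragments are constructed: the server address, gateway FQDN, STA id and ticket in them are made up, and the exact `Address=;40;<STA id>;<ticket>` plus `SSLProxyHost=` layout for a gateway launch is assumed from how the Web Interface normally writes the file. `check_ports` takes an injectable `connect` so it can be exercised without a network; by default it does a plain TCP connect, which is the telnet test.

```python
"""Added example: inspect a launch.ica file and probe the ports it implies.

Editor-written Python, not code from the thread or from Citrix. The ICA
fragments below are constructed; hosts, STA id and ticket are invented.
"""
import socket

# Constructed sample: a Direct launch hands the client the XenApp server itself.
DIRECT_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.10.1.20:1494
InitialProgram=#Notepad
SSLEnable=Off
"""

# Constructed sample: a Gateway Direct launch hands the client the gateway
# (SSLProxyHost) and an STA ticket in place of a routable server address.
GATEWAY_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0123456789ABCDEF;ABCDEF0123456789ABCDEF0123456789
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=gateway.example.com:443
"""

# Ports the thread lists for the firewall-to-XenApp path (2598 is session reliability).
XENAPP_PORTS = {1494: "ICA", 2598: "CGP", 80: "XML over HTTP", 443: "XML over SSL"}


def parse_ica(text):
    """Minimal INI-style parser; launch.ica is [section] / key=value text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def launch_target(text):
    """Return where the ICA client will open its TCP connection for this launch."""
    sections = parse_ica(text)
    apps = list(sections.get("ApplicationServers", {}))
    if not apps:
        raise ValueError("no [ApplicationServers] entry in launch.ica")
    app = sections[apps[0]]
    address = app.get("Address", "")
    if address.startswith(";"):
        # Gateway launch (assumed layout): ';40;<STA id>;<ticket>'. The real TCP
        # connection goes to SSLProxyHost, so that is what the firewall must allow.
        _, _, sta_id, ticket = (address.split(";") + ["", "", "", ""])[:4]
        host, _, port = app.get("SSLProxyHost", "").partition(":")
        return {"method": "gateway", "host": host, "port": int(port or 443),
                "sta_id": sta_id, "ticket_present": bool(ticket)}
    host, _, port = address.partition(":")
    return {"method": "direct", "host": host, "port": int(port or 1494),
            "sta_id": "", "ticket_present": False}


def check_ports(host, ports, timeout=3.0, connect=socket.create_connection):
    """TCP connect test (the thread's telnet test) per port; returns {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with connect((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    for label, ica in (("direct", DIRECT_ICA), ("gateway", GATEWAY_ICA)):
        print(label, launch_target(ica))
    # Live probe of the host a real launch.ica names (needs network access):
    # print(check_ports(launch_target(DIRECT_ICA)["host"], XENAPP_PORTS))
```

Run it against the real launch.ica saved from the Notepad trick: a "direct" result on an external client means the Web Interface chose the wrong access method for that source address; a "gateway" result with `ticket_present` False means the STA side of the launch failed before the client ever connected.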
 
Matt V commented:
You need to add secure access rules on the web interface that make the access method gateway direct for everyone except your directly connected networks.  Direct will only work for internal users bypassing the gateway.
 
Matt V commented:
This is what I am talking about:
(attachment: webirules.png)
 
Michelle Dabney (author) commented:
What secure access rules?  It was working perfectly the way I had it with gateway direct and it stopped. I hadn't changed anything. It just stopped working.  I put it all back the way it was and no one can authenticate externally or internally.
 
Michelle Dabney (author) commented:
Sorry, I read "That's what I'm talking about..." and didn't see the attachment, crazy day... I didn't have those rules before. The assumption I'm making: the 172.x.x.x is routable, so that would be external, and you have that as Direct. 10.x.x.x is not routable, so that would be internal, and you have that as Gateway Direct. Is that correct?
 
Matt V commented:
Opposite actually.  The 172.x.x.x are our internal networks.  They hit the web interface directly.

The 10.199.199.0 is the DMZ IP.

What you want to do is set the default to Gateway Direct, and then specify the internal networks that will be direct.  Then adjust the order so the default is last.
 
Coralon commented:
The first thing you need to do is to be sure how the firewall is presenting the IP address to the gateway.

Some firewalls present the real source address; others present the IP address of the firewall itself as the source. That is what determines how your default address is set. The rules are based on how the gateway sees the XML services and ICA services of the farm.

If it presents the real source, then your default needs to be set to gateway direct.
If it presents itself, then you set that address as gateway direct, and then add your subnets as direct or possibly gateway direct as needed.  

Based on your description, do you control the firewall?  Is there any possibility that the firewall got changed?

Coralon
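Matt V's rule ordering (internal networks as Direct, then the Default as Gateway Direct, default last) and Coralon's two firewall cases (real source passed through vs. the firewall's own address presented) are both just an ordered first-match-wins rule table. The Python below is an added example written for this page, not the Web Interface's own code. The subnets are assumptions for illustration: 172.16.0.0/12 stands in for the internal LANs Matt V describes, and 10.199.199.10 for the firewall's address on the 10.199.199.0 DMZ he mentions. It also checks for the ordering mistake, a rule that can never fire because the Default (or a wider subnet) sits above it.

```python
"""Added example: ordered Web Interface-style secure access rules.

Editor-written Python, not the Web Interface's own code. Rules are evaluated
top to bottom and the first match wins, so the Default rule must be last.
All subnets below are assumptions made for the example.
"""
import ipaddress

DIRECT = "Direct"
GATEWAY_DIRECT = "Gateway Direct"


def make_rules(specs):
    """specs: [(network or 'Default', access method)] in Web Interface order."""
    rules = []
    for spec, method in specs:
        net = None if spec == "Default" else ipaddress.ip_network(spec, strict=False)
        rules.append((net, method))
    return rules


def access_method(rules, client_ip):
    """First matching rule wins; a None network is the catch-all Default rule."""
    ip = ipaddress.ip_address(client_ip)
    for net, method in rules:
        if net is None or ip in net:
            return method
    raise LookupError("no rule matched %s and there is no Default rule" % client_ip)


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule already covers them."""
    shadowed = []
    for i, (net, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier is None or (net is not None and net.subnet_of(earlier)):
                shadowed.append("Default" if net is None else str(net))
                break
    return shadowed


# Case 1: the firewall passes the real client source address through.
REAL_SOURCE_RULES = make_rules([
    ("172.16.0.0/12", DIRECT),    # assumed internal LANs: they reach the WI directly
    ("Default", GATEWAY_DIRECT),  # everyone else is sent through the gateway
])

# Case 2: the firewall presents its own DMZ address as the source, so every
# external user looks like the firewall; that one address gets Gateway Direct.
SNAT_RULES = make_rules([
    ("10.199.199.10/32", GATEWAY_DIRECT),  # assumed firewall address
    ("172.16.0.0/12", DIRECT),
    ("Default", GATEWAY_DIRECT),
])

# The ordering mistake: a Default placed first shadows every rule below it,
# so internal users get Gateway Direct too.
MISORDERED_RULES = make_rules([
    ("Default", GATEWAY_DIRECT),
    ("172.16.0.0/12", DIRECT),
])

if __name__ == "__main__":
    for ip in ("172.20.1.5", "203.0.113.7", "10.199.199.10"):
        print(ip, "->", access_method(REAL_SOURCE_RULES, ip), "/", access_method(SNAT_RULES, ip))
    print("shadowed in misordered table:", shadowed_rules(MISORDERED_RULES))
```

In case 1 an external client (203.0.113.7 here) falls through to the Default and gets Gateway Direct, while an internal 172.x client matches the Direct rule. In case 2 the external client never appears as itself, so the firewall's own address is the one that has to be Gateway Direct. `shadowed_rules` on the misordered table reports the 172.16.0.0/12 rule, which is exactly the symptom of putting the Default anywhere but last.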
 
Michelle Dabney (author) commented:
I do control the firewall, but so do two other people, one of whom was off-site working at one of our remotes. He claims he didn't touch anything, but the timing is a bit suspicious. I have the firewall set so that if you're having a DNS issue you can access by IP, so the firewall is presenting the source address. I added that and we're getting cut off as "not able to connect to server".
 
Michelle Dabney (author) commented:
I think something else is going on here. Today, our internal users, who have been OK, are now unable to launch apps. They can log on but can no longer launch apps. I guess I have to change the admin password, just to make sure no one else is logging in. I have it set up as you've suggested and have had the .ica opening in Notepad all along, just to see if it was one server having issues or all of them. Still no external connections.
 
Michelle Dabney (author) commented:
Moved past part of the issue. Now external and internal users are basically at the same point. Prior to last week, users could access using only HTTP. On a whim (and why I didn't try earlier, I don't know) I used HTTPS, and now I can get to the published apps page. Launching an app, I get "Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. Network issues are preventing your connection...". I'll make Google my friend.
 
Michelle Dabney (author) commented:
At the end of the day, believe it or not, this ended up being corrupted STAs. I renamed the ones we had to .old, copied a fresh ctxsta.dll from the install media, and up we go. We have four STA servers, so the possibility of them all having an issue is strange to me, but we're up and going and have only Gateway Direct as our access method.
 
Michelle Dabney (author) commented:
Although the solution appears to be something else, your direction led me to look at other things. Thank you.