Michelle Dabney

Citrix Access Gateway Secure Access Issue

Up until the night before last we were running a XenApp 6.5 server on Windows 2008 R2 servers using Citrix Access Server and the Web Interface with no issues using Gateway Direct as the default access method. Came in yesterday morning and no one could access the farm, as in no credentials were valid. I changed the access method to direct and the XML transport to HTTP from SSL Relay and internal users can access, but external users can't. I've unregistered and registered the XML service on all of the XenApp servers. I've run a repair on the sites. I've re-run the configuration. Can't figure this one out. Any ideas?
Matt V

You need to add secure access rules on the web interface that make the access method gateway direct for everyone except your directly connected networks.  Direct will only work for internal users bypassing the gateway.
This is what I am talking about:
webirules.png
Michelle Dabney

ASKER

What secure access rules?  It was working perfectly the way I had it with gateway direct and it stopped. I hadn't changed anything. It just stopped working.  I put it all back the way it was and no one can authenticate externally or internally.
Sorry, I read "That's what I'm talking about.." and didn't see the attachment, crazy day... I didn't have those rules before. Assumption I'm making, the 172.x.x.x is routable, so that would be external and you have that as direct. 10.x.x.x is not routable so that would be internal and you have that as gateway direct. Is that correct?
Opposite actually.  The 172.x.x.x are our internal networks.  They hit the web interface directly.

The 10.199.199.0 is the DMZ IP.

What you want to do is set the default to Gateway Direct, and then specify the internal networks that will be direct.  Then adjust the order so the default is last.
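
The rule ordering described above, as an added example that is not part of the original thread and is not Citrix code or configuration syntax. It assumes the rules are evaluated top to bottom with the first match winning; the function names and the 172.16.0.0/12 range are constructed, since the thread only says "172.x.x.x".

```python
# Added illustration: ordered secure-access rules modelled as first-match-wins.
# The rule model, names and 172.16.0.0/12 are assumptions, not Web Interface syntax.
import ipaddress


def access_method(rules, client_ip):
    """Return the access method of the first rule whose network holds client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for network, method in rules:
        if addr in ipaddress.ip_network(network):
            return method
    return None  # no rule matched, not even a default


def shadowed_rules(rules):
    """List rules that can never match because an earlier rule already covers them."""
    dead = []
    for i, (network, method) in enumerate(rules):
        net = ipaddress.ip_network(network)
        for earlier, _ in rules[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier)):
                dead.append((network, method))
                break
    return dead


# Constructed sample: internal networks go direct, everything else uses the gateway.
GOOD_ORDER = [
    ("172.16.0.0/12", "Direct"),
    ("0.0.0.0/0", "Gateway Direct"),  # stands in for the default row, evaluated last
]
# Same rules with the default moved to the top: the internal rule is now dead.
BAD_ORDER = list(reversed(GOOD_ORDER))

if __name__ == "__main__":
    # Constructed client addresses: internal, DMZ, external.
    for ip in ("172.20.1.15", "10.199.199.10", "203.0.113.7"):
        print(ip, "->", access_method(GOOD_ORDER, ip), "|", access_method(BAD_ORDER, ip))
    print("shadowed in bad order:", shadowed_rules(BAD_ORDER))
```

With the default first, every client, internal ones included, is sent through the gateway and the internal rule is reported as shadowed.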
SOLUTION
Coralon
I do control the firewall, but so do two other people, one of whom was off-site working at one of our remotes. He claims he didn't touch anything, but timing is a bit skeptical. I have the firewall set so that if you're having a DNS issue you can access by IP so, the firewall is presenting the source address. I added that and we're getting cut off as not able to connect to server.
ASKER CERTIFIED SOLUTION
I think something else is going on here. Today, our internal users who have been OK, are now unable to launch apps. They can log on but can no longer launch apps. I guess I have to change the admin pwd, just to make sure no one else is logging in. I have it set up as you've suggested and have had the ICA opening up in Notepad all along just to see if it was one server having issues or all of them. Still no external connections.
Moved past part of the issue. Now have external and internal users basically at the same point. Prior to last week, users could access using only http. On a whim, and why I didn't try earlier, I don't know, I used https, now I can get to the published apps page. Launching an app, I get "Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. Network issues are preventing your connection...". I'll make Google my friend.
At the end of the day, believe it or not, this ended up being corrupted STAs. I renamed the ones we had to old, copied fresh ctxsta.dll from install media and up we go. We have four STA servers, so the possibility of them all having an issue is strange to me, but we're up and going and only have Gateway Direct as our Access Method.
Although, the solution appears to be something else, your direction led me to look at other things. Thank you.