Citrix Secure Gateway

I am having an issue /w Citrix Secure Gateway 3.2. I have 2 remote environments that are identically set up (as far as I can tell).

1st Environment: There is a secure gateway, a separate web interface server, a secure ticket authority, and several presentation server hosts. Applications are able to launch internally AND externally from the web interface. I am also able to see incoming connections, from the Citrix secure gateway; which reports my connection & IP.

2nd Environment: There is a secure gateway, a separate web interface server, a secure ticket authority, and several presentation server hosts. Applications are able to launch internally BUT NOT externally, from the web interface. The error: There is no Xenapp server configured on the specified address/There is no SSL server configured on the specified address (varies between these errors).

I don't know of anything that has been changed lately, and although I don't have access to configure firewalls I compared the 2 environments using telnet, and the connectivity seems to be matching up as far as port access & configuration. I have a nagging feeling that I am missing something simple here; so any help is appreciated.

Thanks,
dtek1x Asked:

Carl Webster (Citrix Technology Professional - Fellow) Commented:
After you get everything working, you MUST update to the latest (and last) version of CSG.

http://support.citrix.com/article/CTX137662

Even the latest version of CSG is a security nightmare.

In env 2, check your WI settings and compare them to WI in env 1 for the external site that is configured for Gateway Direct.
dtek1x (Author) Commented:
Our Citrix support is expired, and we do not have access to the latest version.
Carl Webster (Citrix Technology Professional - Fellow) Commented:
That update to CSG is available to anyone. What happens when you click on the link? I am not logged in to my Citrix account and I can access the link.
dtek1x (Author) Commented:
Ok I just completed the upgrade, and nothing has changed; same errors after clicking an application externally. Yet, everything still works internally (and /w vpn).
Carl Webster (Citrix Technology Professional - Fellow) Commented:
OK, I said to do the upgrade AFTER you got everything working. :)

Did you compare the settings in WI between the 2 environments for the external site using Gateway Direct?
dtek1x (Author) Commented:
Yes, and I found this:

1. On the 'externally successful' site, Xenapp Web Sites is set for Gateway Direct, and Xenapp Services site is set for Direct.

2. If I set the 'externally unsuccessful' site the same way, NOTHING works (internally or externally). It does work internally. However, if I set Xenapp Web Sites for Direct, and Xenapp Services site for Gateway Direct (swapped) it works; but still NOT externally.
Carl Webster (Citrix Technology Professional - Fellow) Commented:
Direct is used when access is coming from the same subnet as the servers. i.e. everything is on the same LAN.

Gateway Direct is used when CSG sits in front of Web Interface and users will enter the URL for the CSG and CSG will direct traffic to and from the CSG/WI server and the XenApp servers.

What is the XML Port used in the 2 XenApp farms? Are they the same or different? The XML port must be configured in CSG.

Is there a reason you are using two CSG/WI instead of one for both farms?

This article will show you some of the settings you need in CSG/WI and also how you could possibly be doing this with just one CSG/WI server.

http://carlwebster.com/using-one-citrix-web-interface-site-with-multiple-xenapp-farms-3/
dtek1x (Author) Commented:
Yes. The sites are in separate geographic regions; one in Asia, the other in Europe. Thanks for the link. I'll check that out.
dtek1x (Author) Commented:
Good afternoon! After reevaluating my configuration, I changed my STA to an alternate server, and now I'm getting the following error:

- SSL Error 4: The proxy denied access to ;10;STA202E8A8C566; A9B" "; port 1494

Does this mean something is being blocked, perhaps port 1494? Is there anything else I need to check to confirm this?

Many thanks,
Carl Webster (Citrix Technology Professional - Fellow) Commented:
Who is giving you that error? CSG or WI?
dtek1x (Author) Commented:
This error occurs on the client attempting to access the Citrix app, from the Internet (directly after logging into the web interface & clicking an application).
Carl Webster (Citrix Technology Professional - Fellow) Commented:
Try the first link in the message I just sent.
dtek1x (Author) Commented:
Where are these logs they speak of? How do I set the logging level for them?
Carl Webster (Citrix Technology Professional - Fellow) Commented:
dtek1x (Author) Commented:
Carl,

I've been out for a few days, but I do have an update. I noticed that on the site where I am unable to launch applications with 'Gateway Direct' set as the access method, connections do not appear to be attempted on 443 to the Secure Gateway, from the outside. I did a wireshark, and there was no incoming traffic to it all actually.

So, my question now is, is this the way it's supposed to work:

- After logging into the web interface, the user clicks the application
- The ica file directs the user to the requested application, and specifies STA, through Secure Gateway on default port 443
- The Secure Gateway authorizes the connection with the STA on 8080 (our configuration)
- The Secure Gateway brokers the connection with application host (on 1494)
Carl Webster (Citrix Technology Professional - Fellow) Commented:
dtek1x (Author) Commented:
Ok so we've decided to go with a workaround of installing secure gateway on the web interface server, and disable the standalone secure gateway.

The problem now is that secure gateway & IIS don't seem to be able to use 443 for SSL, at the same time. If I change the IIS site to a different port than 443, the site becomes externally inaccessible.

If I reconfigure WI & SG to a different port than 443, then the apps do not launch.

Any suggestions?
Carl Webster (Citrix Technology Professional - Fellow) Commented:
CSG MUST use port 443 and IIS MUST be configured to use a different port for SSL. That is just the way it is.
dtek1x (Author) Commented:
Thanks Carl. I got around that issue, by setting IIS up for http, and letting CG/WI convert the connection to https. I'm now getting an error regarding STA communicating over SSL. I can't provide the exact error since I'm internal right now, with no way to connect externally until later today.

I checked the logs on the CSG server, and I'm seeing "SSL handshake from client failed". Any idea what that means?
Carl Webster (Citrix Technology Professional - Fellow) Commented:
dtek1x (Author) Commented:
Ok here is the error I am getting externally. "SSL Error 4: The proxy denied access to:10;STA64XXXX; b18XXXX PORT 1494.

There's obviously a 'breakdown' of some sort in the process of launching the application, externally. I was on the line with a few different Citrix engineers, and none of them could tell me exactly where this 'breakdown' was occurring. The only thing they can come up with is that the firewall is blocking ports, but the firewall team is saying that nothing is being blocked...smh
Carl Webster (Citrix Technology Professional - Fellow) Commented:
Your network and or firewall team(s) should be able to do a packet capture or traffic capture to see what is happening.

http://support.citrix.com/article/CTX103696

http://support.citrix.com/article/ctx105390
dtek1x (Author) Commented:
We have found the solution to our Secure Gateway issues. I had to perform some maintenance on a Web Interface site in a different region, regarding a certificate that was about to expire soon. As I installed the new cert, I ended up getting the same error, that I got on the site that we've been working on. After further examination, the entry in DNS on the DMZ was mismatched when compared to the name on the cert. After matching the cert name with the hostname in DNS on the DMZ, everything worked properly on the site I was performing maintenance on.

This was a pretty big hunch for us, so I decided to try this on the site I had the initial problem with. After making this change, everything began to work properly!

Thanks for all your help Carl!



Thanks again,
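The launch path sketched earlier (ICA file points the client at the CSG on 443, CSG then talks to the STA and the 1494 host) only starts if the client can complete a TLS handshake with the name the ICA file gives it, and the fix in the last post was a DMZ DNS name that did not match the certificate. This added example (not code from the thread, Carl Webster or Citrix; the FQDNs are placeholders) checks exactly that condition for a gateway address: it resolves the name, completes the handshake, and reports whether the certificate's SAN/CN entries actually cover the host instead of failing with a generic handshake error.

```python
"""Added example, not the thread's or Citrix's code: spot the failure mode from the
end of this thread, a gateway FQDN in DNS that does not match the certificate name."""
import socket
import ssl
from fnmatch import fnmatchcase


def cert_names(cert):
    """DNS names a cert covers, from ssl.getpeercert()'s dict form:
    subjectAltName DNS entries first, then the subject commonName."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for key, v in rdn if key == "commonName")
    return names


def name_matches(hostname, cert):
    """True if hostname is covered by a SAN/CN entry; a wildcard covers
    exactly one left-most label, as TLS clients (the ICA client too) expect."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and fnmatchcase(host, name):
                return True
        elif host == name:
            return True
    return False


def check_gateway(hostname, port=443, timeout=5.0):
    """Resolve the CSG name, complete a TLS handshake and report whether the
    presented certificate names that host. Chain validation uses the system
    trust store; the name check is done here so a DNS/cert mismatch is
    reported explicitly instead of as a generic handshake failure."""
    report = {"hostname": hostname, "address": None, "name_ok": None, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # compare names ourselves via name_matches()
    try:
        report["address"] = socket.gethostbyname(hostname)
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        report["cert_names"] = cert_names(cert)
        report["name_ok"] = name_matches(hostname, cert)
    except OSError as exc:  # covers DNS failures, refused ports and ssl.SSLError
        report["error"] = str(exc)
    return report
```

Run `check_gateway("csg.dmz.example.com")` (placeholder) from outside the firewall against the FQDN the ICA file carries; `name_ok` False with the real names listed in `cert_names` is the DMZ DNS/certificate mismatch from the last post, while an `error` on resolution or connect points back at DNS or the 443 path instead.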