MikeLeePIT asked:
Citrix Access Gateway using .local internal domain and .com external domain

How do you configure the external and internal certificates? Let me state that when I am using .com for the internal domain, everything works, but when I try using a .local for the internal domain, which most folks/companies would have in place, I run into all kinds of issues with the certs on the NetScaler and StoreFront.
I purchased a wildcard cert from GoDaddy and installed it in my NetScaler Access Gateway. By the way, I can hit my VIP and it loads the older black Web Interface looking portal; that portion works.
When I attempt to log in, I get an HTTP 403 Forbidden page right away. From the internal network I can navigate to my StoreFront site, which is using a .local domain-signed cert, and can log in and display my resources with no issues.
After every login attempt from the external access gateway site, I get the following event error in the “Citrix Delivery Services” logs on my Storefront server -
Failed to run discovery
Citrix.Web.DeliveryServicesProxy.ConfigLoader.DiscoveryServiceException, ReceiverWebConfigLoader, Version=, Culture=neutral, PublicKeyToken=null
An error occured while contacting the Discovery Service

I tried binding the internal .local domain-signed cert to my Access Gateway virtual server together with the GoDaddy wildcard .com cert, but got an error indicating only one binding can be present.
The same thing for my internal IIS binding for the StoreFront server "Default Web Site": it can only bind the domain-signed cert.
How does this work? I cannot find any documents on how to configure this. They all show the external and internal domains using the same .com FQDN domain name.
Any help will be greatly appreciated. Thanks again,
Tom Cieslik replied:
If you have an external certificate you don't need to, and shouldn't, use the internal domain name.
There is no reason to do it.
Just create an additional forward lookup zone in your internal DNS with your external name, create an A record inside it with the local Exchange IP address, and all should work OK and the certificate will be accepted by all your services.
Aanand Singh Karki replied: (the accepted answer is not shown on this page)
MikeLeePIT replied:
Thanks again Aanand. Configuring the split DNS allowed me to install a wildcard cert inside an internal domain of example.local. I just had to create a new forward lookup zone using as the name and create an A record pointing to my StoreFront server. Bingo, it worked.
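The split-DNS fix described in Tom's reply and confirmed in the last post comes down to one security-relevant constraint: a certificate is only valid for the names in its Subject Alternative Name list, so a public wildcard for *.example.com can never cover storefront.example.local, and public CAs no longer issue certificates for .local names at all. The way out is to give internal clients the same public host names, resolved to internal addresses. The PowerShell below is an added example, not code from the thread or from Citrix; it assumes a Windows DNS server in the internal domain and uses constructed names and addresses (zone example.com, storefront.example.com at 10.0.0.20, gateway.example.com at the internal VIP 10.0.0.10). It creates the zone and records, then checks both halves of the fix: that the name resolves internally and that the server presents a certificate whose SAN covers that name.

```powershell
# Added example (not from the thread). Run on a Windows DNS server that is
# authoritative for the internal .local domain. Every name and address here
# is an assumption for illustration:
#   external zone      example.com             (wildcard cert covers *.example.com)
#   StoreFront host    storefront.example.com  -> 10.0.0.20 (internal IP)
#   NetScaler Gateway  gateway.example.com     -> 10.0.0.10 (internal VIP)
Import-Module DnsServer

$ExternalZone = 'example.com'
$Records = @{
    'storefront' = '10.0.0.20'
    'gateway'    = '10.0.0.10'
}

# 1. Create the internal copy of the public zone only if it does not exist.
#    AD-integrated with domain replication, so every internal resolver
#    returns the same answers.
if (-not (Get-DnsServerZone -Name $ExternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalZone -ReplicationScope 'Domain'
}

# 2. One A record per host that must be reachable under its public name.
#    Anything not listed here stops resolving from inside, so every
#    externally published host (www, mail, ...) needs a record as well.
foreach ($name in $Records.Keys) {
    Add-DnsServerResourceRecordA -ZoneName $ExternalZone -Name $name `
        -IPv4Address $Records[$name] -TimeToLive ([TimeSpan]::FromMinutes(10))
}

# 3. Check from an internal client: the public name must resolve to the
#    internal address, and the TLS endpoint must present a certificate whose
#    SAN list contains the exact name or the matching wildcard.
function Test-SplitDnsName {
    param([string]$Fqdn, [string]$ExpectedIp)

    $answer = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if ($answer.IPAddress -ne $ExpectedIp) {
        throw "$Fqdn resolved to $($answer.IPAddress), expected $ExpectedIp"
    }

    # Diagnostic TLS handshake. The validation callback returns $true so the
    # certificate can be inspected even if chain validation would fail;
    # the name check below is done explicitly on the SAN extension.
    $tcp = [System.Net.Sockets.TcpClient]::new($Fqdn, 443)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    # 2.5.29.17 is the Subject Alternative Name extension; Format($false)
    # renders it as "DNS Name=..., DNS Name=..." on Windows.
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    $labels   = $Fqdn.Split('.')
    $wildcard = '*.' + ($labels[1..($labels.Length - 1)] -join '.')
    if ($san -notmatch [regex]::Escape("DNS Name=$Fqdn") -and
        $san -notmatch [regex]::Escape("DNS Name=$wildcard")) {
        throw "$Fqdn presented '$($cert.Subject)' with SAN [$san], which does not cover the name"
    }
    "$Fqdn -> $($answer.IPAddress), certificate OK: $($cert.Subject)"
}

foreach ($name in $Records.Keys) {
    Test-SplitDnsName -Fqdn "$name.$ExternalZone" -ExpectedIp $Records[$name]
}
```

Two practical notes. First, for the 403 and the "Failed to run discovery" event to go away, the StoreFront base URL and the gateway's StoreFront/callback settings must also use the public name the wildcard covers, so internal and external paths present the same host name to the same certificate; the .local name should no longer appear anywhere a browser or Receiver connects over TLS. Second, if copying the whole public zone inward is too much to maintain, the same effect can be had with one zone per host (a zone named storefront.example.com containing a single blank A record), which leaves every other public name resolving normally through the real authoritative servers.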