Web Interface 5.4 and Citrix Secure Gateway on the same server..., in the Citrix XenApp / Presentation Server forum on BrianMadden.com

Not Ranked
Points 85
Plaethos posted on Wed, May 25 2011 12:18 PM

Good day all. 

I am trying to figure out what I am missing when trying to set up Secure Gateway with Web Interface 5.4. Before it is recommended, I have been googling information and rehashing steps from setup how-tos, including this link: http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/install-configure-citrix-web-interface-secure-gateway-part2.html

 

I honestly feel as if I am missing some stupid small step. I have broken down the setup configs for each section in hopes someone can see something I can’t.

 

Secure Gateway  3.2:

1.      I have a Cert from a Trusted CA.

2.      I am monitoring all IPv4 addresses under TCP Port 443.

3.      NO outbound traffic restrictions.

4.      My ticket info:  FQDN = portal.citrixsiteexample.com with a TCP Port of 8080

 

Web Interface 5.4:

Summary Screen:

1.      XML Service:   svrCitrix (servername)

2.      XML port:  8080

3.      XML Transport:  HTTP

4.      Explicit, at web interface, authentication.

 

Secure Access Screen:

1.      IP Address = Default/Access Method = Gateway Direct

2.      FQDN=  portal.citrixexamplesite.com  /  port  443   /  Enable session reliability

3.      Secure Ticket Auth:  http://portal.citrixexamplesite.com:8080/scripts/ctxsta.dll

 

IIS:

1.      Website:  Private IP is specified/Port 80/Host Header Value= portal.citrixexamplesite.com

2.      ASP.Net is running at v2

 

 

What I am currently seeing: 

https gives you an HTTP 400 Bad Request screen. I’ve also shut down IIS and tried it – same result.

https on a test server resulted in getting a security cert warning, followed by HTTP 400 when continuing on.

 

http lets you log right in and you can access programs etc.

 

People are connecting to http://..... not https://..... And yet, through the session information of Secure Gateway, I am seeing all of my connections.

 

I hope I’ve provided enough info to gather some help on this.  I need to clarify something as well…does it matter what ports you have assigned in IIS?

 

Thanks for your Help!

 

 


All Replies

Top 10 Contributor
Points 48,811
Suggested by Dan Murray

You bet it matters what port(s) you have assigned to IIS.  Since you are running both IIS and CSG on the same server, they will compete for port 443.  You should actually flip your IIS to use port 444 or something.  That way when you hit the outside via port 443, the CSG can intercept the request and redirect to IIS for login credentials.

You should check your Secure Access settings.  Your STA should be pointing to an internal server and not the external IP address. From the information you provided, it looks like you are using the same FQDN for your STA and your WI, which wouldn't work.

Dan

Why is it called "Common Sense"? It doesn't seem all that common!

Not Ranked
Points 85

As of now, I have

  • my STA pointing to   citrix.domain.local, using port 8080

  • my STA under my secure access pointing to   citrix.domain.local:8080....

  • My ssl port for my IIS is on 444

 

Still getting the same thing.  Not sure why...it's driving me nuts. 

 

Thank you very much for your response Dan! 

Top 10 Contributor
Points 48,811

Can you run a "netstat -o" command on the CSG server and make sure you see something other than IIS listening on port 443?

Dan

Why is it called "Common Sense"? It doesn't seem all that common!

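An added example, not part of the original thread: `netstat -o` on its own lists only active connections, so listening sockets also need `-a` (`netstat -ano`). The Python sketch below parses constructed `netstat -ano` output and checks which PID owns each listener on the ports discussed here; the sample lines and PIDs are made up, PID 2312 is a placeholder for the Secure Gateway service, and PID 4 is the Windows System process under which HTTP.sys (IIS) bindings appear.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       4
  TCP    [::]:444               [::]:0                 LISTENING       4
  TCP    10.0.0.5:443           203.0.113.7:51522      ESTABLISHED     2312
  UDP    0.0.0.0:500            *:*                                    612
"""

# Matches only TCP rows in LISTENING state; handles IPv4 and [IPv6] addresses.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def tcp_listeners(netstat_text):
    """Map each listening TCP port to the set of PIDs bound to it."""
    owners = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            owners[int(m.group(2))].add(int(m.group(3)))
    return dict(owners)

def check_ports(owners, expected):
    """Compare listeners with the expected owner PID per port.
    Returns a list of (port, problem) tuples; empty means the layout matches."""
    problems = []
    for port, pid in sorted(expected.items()):
        found = owners.get(port, set())
        if not found:
            problems.append((port, "nothing listening"))
        elif found != {pid}:
            problems.append(
                (port, "owned by PID(s) %s, expected %d" % (sorted(found), pid)))
    return problems

if __name__ == "__main__":
    # Expected layout from the thread: gateway on 443, IIS on 80 and 444.
    print(check_ports(tcp_listeners(SAMPLE), {80: 4, 443: 2312, 444: 4}))
```

On a real server, feed it the saved output of `netstat -ano` and look up the PIDs with `tasklist`.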
Not Ranked
Points 85

Ran the netstat -o and nothing came up.  I ran the netstat -a and it shows that the server running CSG is listening...

Not sure if it makes a difference or not, but if I enter a regular http address, I connect just fine.

 

Top 10 Contributor
Points 48,811

That sure sounds like something is competing for port 443.  When you hit it on port 443, the CSG should pass you through to IIS. Have you checked the CSG configuration to make sure it is pointing to the local install of IIS and on the correct port?

Why is it called "Common Sense"? It doesn't seem all that common!

Not Ranked
Points 85

My thoughts appear to be on board with yours... I have been thinking there was a "traffic transfer" issue going on between the CSG and IIS... I'll run through the settings one more time:

 

CSG:

Standard

Certs Found (public cert - portal.citrixexample.com)

Monitor all IPs -- port 443

No Outbound Traffic restrictions

STA:  citrix.domain.local  -- port 8080

Indirect:  Installed on this computer:  Port 80

 

 

Secure Access Gateway settings:

address (FQDN)  portal.citrixeample.com (matches my SSL Cert)    port:  443

STA:  http://citrix.domain.local:8080/scripts/ctxsta.dll

 

IIS:

port 80 and for ssl:  port 444

Top 10 Contributor
Points 48,811

Also, check on the Web interface side.  You might want to check that the site(s) are configured to point to port 444 as well.  Everything else sounds like it's OK.

Why is it called "Common Sense"? It doesn't seem all that common!

Not Ranked
Points 85

Not sure what this has to do with anything... but I decided to re-create the website and everything from scratch. Upon doing so, I tested accessing the website every time I made an adjustment so I could focus in on the issue. Turns out (which is something I read somewhere) the Header of my IIS website is what appears to have been causing it. As soon as I took out the header, it began working. So, for IIS:

IP address is unassigned

Port 80 -

SSL:  444

 

Thanks for your time Dan!  I appreciate it.

 

 

 

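An added example, not part of the original thread: the fix above (removing the IIS host header) is consistent with the gateway's relayed requests reaching the site with a Host value that did not match the binding. This Python sketch sends the same request with different Host headers and compares status codes; the stand-in server is constructed for the demo, and what Host value the gateway actually sends is an assumption to test on the real server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(ip, port, host_header, timeout=5):
    """GET / from ip:port with an explicit Host header; return the status code."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # skip_host stops http.client from adding its own Host header
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().status
    finally:
        conn.close()

def compare_hosts(ip, port, host_headers):
    """Status per Host value. A 400 for some names and not others means the
    site answers only to specific host headers."""
    return {h: probe(ip, port, h) for h in host_headers}

def start_stand_in(bound_name):
    """Constructed stand-in for a site bound to one host header: any other
    Host value gets 400. Returns (server, port)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            name = self.headers.get("Host", "").split(":")[0].lower()
            self.send_response(200 if name == bound_name else 400)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

if __name__ == "__main__":
    srv, port = start_stand_in("portal.citrixexamplesite.com")
    names = ["portal.citrixexamplesite.com", "localhost", "127.0.0.1"]
    print(compare_hosts("127.0.0.1", port, names))
    srv.shutdown()
```

Run against the web server's own port 80 from the gateway machine, a 400 for `localhost` or the server name alongside a 200 for the public FQDN points at the host header binding rather than at the gateway.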