Good day all.
I am trying to figure out what I am missing when trying to set up Secure Gateway with Web Interface 5.4. Before it is recommended, I have been googling information, rehashing steps from setup how-tos, including this link: http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/install-configure-citrix-web-interface-secure-gateway-part2.html
I honestly feel as if I am missing some stupid small step. I have broken down the setup configs for each section in hopes someone can see something I can’t.
Secure Gateway 3.2:
1. I have a Cert from a Trusted CA.
2. I am monitoring all IPv4 addresses under TCP Port 443.
3. NO outbound traffic restrictions.
4. My ticket info: FQDN = portal.citrixsiteexample.com with a TCP Port of 8080
Web Interface 5.4:
1. XML Service: svrCitrix (servername)
2. XML port: 8080
3. XML Transport: HTTP
4. Explicit, at web interface, authentication.
Secure Access Screen:
1. IP Address = Default/Access Method = Gateway Direct
2. FQDN= portal.citrixexamplesite.com / port 443 / Enable session reliability
3. Secure Ticket Auth: http://portal.citrixexamplesite.com:8080/scripts/ctxsta.dll
1. Website: Private IP is specified/Port 80/Host Header Value= portal.citrixexamplesite.com
2. ASP.Net is running at v2
What I am currently seeing:
https will give you an HTTP 400 Bad Request screen. I’ve also shut down IIS and tried it – same result.
https on a test server resulted in getting a security cert warning, followed by HTTP 400 when continuing on.
http lets you log right in and you can access programs etc.
People are connecting to http://..... Not https://..... And yet, through the session Information of Secure Gateway, I am seeing all of my connections.
I hope I’ve provided enough info to gather some help on this. I need to clarify something as well…does it matter what ports you have assigned in IIS?
Thanks for your Help!
You bet it matters what port(s) you have assigned to IIS. Since you are running both IIS and CSG on the same server, they will compete for port 443. You should actually flip your IIS to use port 444 or something. That way when you hit the outside via port 443, the CSG can intercept the request and redirect to IIS for login credentials.
You should check your Secure Access settings. Your STA should be pointing to an internal server and not the external IP address. From the information you provided, it looks like you are using the same FQDN for your STA and your WI, which wouldn't work.
Why is it called "Common Sense"? It doesn't seem all that common!
As of now, I have
my STA pointing to citrix.domain.local, using port 8080
my STA under my secure access pointing to citrix.domain.local:8080....
My ssl port for my IIS is on 444
Still getting the same thing. Not sure why...it's driving me nuts.
Thank you very much for your response Dan!
Can you run a "netstat -o" command on the CSG server and make sure you see something other than IIS listening on port 443?
Ran the netstat -o and nothing came up. I ran the netstat -a and it shows that the server running CSG is listening...
Not sure if it makes a difference or not, but if I enter a regular http address, I connect just fine.
That sure sounds like something is competing for port 443. When you hit it on port 443, the CSG should pass you through to IIS. Have you checked the CSG configuration to make sure it is pointing to the local install of IIS and on the correct port?
My thoughts appear to be onboard with yours...I have been thinking there was a "traffic transfer" issue going on between the CSG and IIS... I'll run through the settings one more time:
Certs Found (public cert - portal.citrixexample.com)
Monitor all IPs -- port 443
No Outbound Traffic restrictions
STA: citrix.domain.local -- port 8080
Indirect: Installed on this computer: Port 80
Secure Access Gateway settings:
address (FQDN) portal.citrixeample.com (matches my SSL Cert) port: 443
port 80 and for ssl: port 444
Also, check on the Web interface side. You might want to check that the site(s) are configured to point to port 444 as well. Everything else sounds like it's OK.
Not sure what this has to do with anything...but I decided to re-create the website and everything from scratch. Upon doing so, I tested accessing the website every time I made an adjustment so I could focus in on the issue. Turns out (which is something I read somewhere) the Header of my IIS website is what appears to have been causing it. As soon as I took out the header, it began working. SO, for IIS:
IP address is unassigned
Port 80 -
Thanks for your time Dan! I appreciate it.
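
The port 443 check suggested earlier in the thread can be scripted; this is an added example, not part of the original posts. It parses `netstat -ano` text (listening sockets only appear with `-a`) and reports whether a port is held by the expected process; the sample output, the PIDs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2216
  TCP    10.0.0.5:443           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1480
  TCP    10.0.0.5:443           203.0.113.9:50122      ESTABLISHED     2216
  TCP    [::]:444               [::]:0                 LISTENING       4
"""

# Local address, port and owning PID of a TCP socket in LISTENING state.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listeners(netstat_text):
    """Map port -> {pid: set of local addresses} for listening TCP sockets."""
    table = defaultdict(lambda: defaultdict(set))
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            table[port][pid].add(addr)
    return table


def check_port(netstat_text, port, expected_pid):
    """Return (status, other_pids); status is 'ok', 'missing' or 'conflict'."""
    owners = listeners(netstat_text).get(port, {})
    others = sorted(pid for pid in owners if pid != expected_pid)
    if expected_pid not in owners:
        return ("missing", others)
    return ("conflict", others) if others else ("ok", others)


if __name__ == "__main__":
    CSG_PID = 2216  # hypothetical PID of the Secure Gateway service
    # PID 4 is the System process; IIS site bindings (HTTP.sys) appear under it.
    for port in (443, 444):
        print(port, check_port(SAMPLE, port, CSG_PID))
```

A `conflict` result on 443 means a second process also holds a listener on that port, which is the situation described for IIS and CSG sharing one server.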