Nfuse 1.7 will not work on HTTPS.

Status
Not open for further replies.

tekskin

IS-IT--Management
Jan 27, 2003
49
GB
Hi Everyone.

I have the following setup:-

CSG - xxx.xx.136.201 inside DMZ + Certificate installed
NFUSE - xxx.xx.136.202 inside DMZ _Citrix _NFE installed
STA - xxx.xx.96.230 on internal network on Data Store Server

IP Address xxx.xxx.219.4 set on Netscreen firewall for 443 traffic only.

I can connect from the STA (xxx.xx.96.230) to NFUSE (xxx.xx.136.202) on http.
I can connect from NFUSE (xxx.xx.136.202) to the STA (xxx.xx.96.230) on http.
I can connect to NFUSE (xxx.xx.136.202) on itself on http (it is very slow though, takes about 15 seconds)
I can connect to STA (xxx.xx.96.230) on itself on http (quick)

On my firewall I have allowed the following ports between the STA & CSG and STA & NFUSE boxes : -

80,8080,443,1494,2512,82 - all tcp
57 - udp

I cannot get anything to respond to from the internet, which is set on the firewall to point to NFUSE (xxx.xx.136.202).

Does anyone have any ideas on what I could try to get this working, as it is doing my head in, and it's not meant to be that difficult to set up?

Cheers

Kevin
 
Try going to yourwebsite.com/citrix/nfuseadmin

On the metaframe servers screen change the transport type to https.
 
Thanks for the update - I will try this and update this message tomorrow.

Kevin
 
If that doesn't help, a number of other things:
1. The Nfuse server in the DMZ - if it's running IIS make sure you disable IIS admin as that will clash on 443
2. The Citrix server on the internal network - if you are using NAT between it and the CSG box in the DMZ you will need to set the alternate address on the Citrix box
3. If you are running the STA on the Citrix server as well, you will need to change the port the XML service is running on. (You also say you can connect via http quickly to the STA server - if it's also running a web server it might be clashing with the STA service...)

FYI The only ports you really need to open are:
External to DMZ CSG & NFUSE - 443
DMZ to Internal - 80 (sta) 8081 (xml) 1491 (ica)
(assuming you change the xml port to 8081, of course)

Cheers
 
Thanks for all your help but it is still not working. ;-(

Changed transport to HTTPS as per jonastremor but didn't work.

IISAdmin is disabled. XML on Citrix is running on 8080.
(8081 is already used for something else on our net).

Any other ideas?
 
Why is XML running on 8080 and not on port 80? If this is the case, in your NFuse.Conf file did you specify port 8080 as the port for the XML communication?

 
I did respecify the XML port information to be 8080.

We have taken advice from another engineer from a support management company, and they have concluded that we need to have a certificate on the nfuse box as well as the CSG box. We originally had both the nfuse & CSG on the same box, which should have only required a single certificate, but we are not in the process of engineering another certificate to enable the testing to resume.
 
Still not working!

I have now split the CSG & Nfuse boxes. On the Nfuse Box I can get the web page to open (http only) and get the applications, but when I try to run it it says the ssl server is not accepting connections. Check the CSG box and the gateway service will not start, despite having the certificate installed.

The Nfuse box will also not run https, despite also having a certificate. Am I right in thinking this is a certificate issue here? If so, is there anyone with a bit more brain power than me (not difficult I know) who can explain to me the dummies guide to installing certificates? I am certain that I have got this right, but the damn thing just keeps telling me to go forth and multiply!

Kevin
 
Check out - might be some useful info there for you. Have a look at the CSG installation (which includes the certificate installation process) avi's as well.

The thing is pretty straight forward to setup, but the tricky thing is that if you miss any *one* step the whole thing won't work.

If you're using XPFR2 or greater, there's also always CSG2 which has some extra features..... info about it is also at the site noted above.

Cheers
 
Our Subscription Advantage has expired, so I cannot find anything about Version 2 being available for us. We are running FR2.

I am going to double check the certificates, as I think this is where the problem lies. Is it necessary for the Certificate Server to be installed on the box as well? Or can we just install the certificate from Thawte onto the box via the MMC/Certificates console?

The certificates were not requested on the box they are being installed on, and we do not have a certificate server set up anywhere.
 
I wouldn't lose much sleep over it - V1 of CSG should be fine. The certificate server can be anywhere - and if you are using a certificate created by an external provider then you don't need a certificate server at all so yup, mmc is the go.

Definitely go to the dabc site - I'm sure it will help.

Cheers
 
Fixed it! The problem was that the certificates were created on a different machine, and I had not installed the backup keys properly. They should be in the REQUEST branch of the Certificates MMC, but were in the PERSONAL branch.

Kevin
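The symptom in this thread (a certificate is installed, yet the gateway service and HTTPS site will not start) is typical of a certificate that has no usable private key on that machine. The following check is an added example, not part of the original thread: it lists the certificates in the local machine Personal (`My`) and `REQUEST` stores and flags any that cannot serve TLS. It assumes PowerShell 3.0 or later, which post-dates the servers discussed here; the function name `Test-TlsServerCertificate` is hypothetical.

```powershell
# Added example: audit machine certificate stores for certificates that
# cannot be used by an HTTPS/SSL service on this host.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-TlsServerCertificate {
    param(
        # Personal ("My") and Certificate Enrollment Requests ("REQUEST") stores
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\REQUEST')
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # No EKU extension means the certificate is not restricted by purpose.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            } | Select-Object -First 1
            $usages = @()
            if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
            $serverAuth = (-not $eku) -or ($usages -contains $ServerAuthOid)

            # Report the first problem that would stop a TLS listener from using it.
            $status = if (-not $cert.HasPrivateKey) { 'no private key on this machine' }
                      elseif ($cert.NotAfter -lt (Get-Date)) { 'expired' }
                      elseif (-not $serverAuth) { 'not valid for server authentication' }
                      else { 'ok' }

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                Status        = $status
            }
        }
    }
}

Test-TlsServerCertificate | Format-Table Store, Subject, HasPrivateKey, NotAfter, Status -AutoSize
```

A certificate imported from a `.cer` file on a machine that did not generate the request shows `HasPrivateKey = False`; it has to be imported together with its key (for example from a PKCS#12 export made on the requesting machine) before a service can bind to it.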
 