
NFuse + SSL Relay 3


nix45

MIS
Nov 21, 2002
478
US
MetaFrame XP FR3/SP3
NFuse running on a Red Hat Server using Apache, Tomcat, and SSL.

The NFuse server is in a DMZ, while the MetaFrame servers are in the backend network.

I'm having a problem getting the Citrix SSL Relay service to work through an NFuse server.

I can connect to the NFuse box, log in, and browse the published apps no problem. When I try to connect to one of the published apps, I get this error...

“There is no route from the Citrix SSL Relay to the specified subnet address (SSL Error 37)”

I can connect to the published apps over the Internet using the ICA client with SSL+HTTPS no problem, as long as the root certificate for our CA is installed on the client, of course.

In the NFuse.conf file, I changed this field....

SessionField.NFuse_Farm1=citrix.foo.org,Name:Farm1,SSLPort:443,Transport:SSL,BypassDuration:60,LoadBalance:On
SslKeystore=./WEB-INF/cacerts/

NFuse works without using SSL when you send all ICA data over port 1494.


Thanks,
Chris
 
...if I change "AlternateAddress=off" in the NFuse.conf file, everything works okay locally on the internal LAN. Clients can connect to NFuse and run published apps through the SSL Relay. When AlternateAddress=On, I get the SSL Error 37 (above).

In the SSL Relay Service, I have my internal IP and listed ports 80 and 1494. When I change the internal IP to "Any", which sets it to 0.0.0.0, I get a slightly different error..."There is no route to the specified subnet address".

Chris
 
Anybody ever get this setup working before?

summary of the above posts...
Internet Client --> Firewall --> NFuse --> SSL Relay on MetaFrame Servers
 
...got it working. When using the SSL Relay, the "AlternateAddress" needs to be set to off. This only needs to be on when you're connecting directly to port 1494 through a firewall using NAT.

Chris
 
...I forgot to mention why the above is true. When you use SSL, you don't specify any IP addresses in the NFuse.conf file, only hostnames, so there is no alternate IP address to give out to the clients.
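A small lint for the NFuse.conf pitfalls worked out in this thread, added here as an example and not part of the original posts. It assumes the key=value layout quoted above and that AlternateAddress appears as a top-level NFuse.conf key (the thread quotes it that way but never shows a full file).

```python
import ipaddress

# Constructed NFuse.conf fragment using the key names quoted in the thread.
# AlternateAddress=On together with Transport:SSL is the SSL Error 37 case.
SAMPLE_CONF = """\
SessionField.NFuse_Farm1=citrix.foo.org,Name:Farm1,SSLPort:443,Transport:SSL,BypassDuration:60,LoadBalance:On
SslKeystore=./WEB-INF/cacerts/
AlternateAddress=On
"""


def parse_conf(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_farm(value):
    """Split 'host,Name:Farm1,Transport:SSL,...' into (host, {option: value})."""
    parts = [p.strip() for p in value.split(",")]
    opts = dict(p.split(":", 1) for p in parts[1:] if ":" in p)
    return parts[0], opts


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ssl_relay_config(text):
    """Return findings for the SSL Relay misconfigurations described in the thread."""
    conf = parse_conf(text)
    findings, ssl_farms = [], []
    for key, value in conf.items():
        if not key.startswith("SessionField.NFuse_Farm"):
            continue
        host, opts = parse_farm(value)
        if opts.get("Transport", "").upper() == "SSL":
            ssl_farms.append(key)
            if is_ip(host):  # with SSL the farm entry must be a hostname, not an IP
                findings.append(f"{key}: SSL farm entry uses IP address {host}; use a hostname")
    if ssl_farms and conf.get("AlternateAddress", "Off").lower() == "on":
        findings.append("AlternateAddress=On with an SSL farm: SSL Error 37 case; set it to Off "
                        "(On is only for direct port 1494 connections through NAT)")
    if ssl_farms and "SslKeystore" not in conf:
        findings.append("SslKeystore not set although an SSL farm is configured")
    return findings
```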
 
Excellent stuff, nix45 - could you do an FAQ on how you got NFuse working with Apache, and include this info?

Thanks

CitrixEngineer@yahoo.co.uk
 
Sure, no prob. I'm finishing up my notes on it this week. The FAQ will include...

Red Hat Linux 9.0 or Red Hat Advanced Server 2.1
Apache 2.0.46 and/or Apache 1.3.27
Tomcat 4.1.24
mod_jk
mod_ssl
OpenSSL 0.9.7
Sun Java SDK 1.4.1
NFuse (aka Web Interface 2.0)
MetaFrame XP for Windows FR3/SP3 w/ SSL Relay


ChrisP
 
Dave,
I have it set up on a Win2000 box and using SSL relay - what questions do you have??? I don't have it public yet but it works great on my LAN - NIX is right, alternate address only needs to be off when NAT'ing your addresses... I think the Web Interface Admin page explains this...

Brandon
 
OK I solved the issue...

On the SSL Relay the ports that I had assigned to the MFXP box were 80; from Nix's FAQ link I found that 1494 needs to be added to it as well. As soon as I did this it worked perfectly. Thank you.

I too am running it with the gateway NAT'd right now. But since it is working right now, my next step is to move it out to the DMZ.
 