Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SSL Relay ...do i need it?

Status
Not open for further replies.
snootalope

snootalope

IS-IT--Management
Jun 28, 2001
1,706
0
0
US
Hey guys

I'm in the test phase of putting a metaframe server in our DMZ zone here.. The only access I want to allow to this server is https. With https, i'll push them the default citrix web page, the one with the username/pass/domain. From there, they'll access one of our published applications.

Do i need SSL relay for that? I've been trying to get it to work on Windows 2000 now for a few days...can't get it. the ssl relay keeps telling me the port is in use so it won't start.

I tried manually assigning the Citrix site on that server a cert from my CA, and I can at least login that way via https, but i get errors like "the name in the certificate is different than the server name", or "the server is not currently accepting connections" What's the easy way to do this???

btw, using Metaframe XP 1.0 for Windows. And as usual, I couldn't find any information on INSTALLING the ssl on the metraframe server on citrix.com. Only thing i found was someting for Unix. figures.

anyone know how to do this?
 
Sort by date Sort by votes
I am certain there is a white paper on the SSL relay, I did this about 4 years ago. However would you maybe better looking at Secure Gateway ?

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott
 
Upvote 0 Downvote
I'm still a bit confused as to why you want to put metaframe server in a DMZ as opposed to puting just your Nfuse and CSG on the DMZ...indeed you can setup nfuse to connect to your Metaframe Server using SSL relay however this would mean that you won't be able to use CSG to connect to your Metaframe Server reason being that CSG need to decrypt ica packets from nfuse/WI and send these packets to Metaframe Server I've forgetting the Ctx article that says this...aahh...check the CSG administration Guide for this hint.
If intending to configure your Metaframe Server for SSL relay however then you need to install the Server Certificate on the IIS or using mmc to install the Certificate.. the server fully qualified domain name FQDN must match the name of the certificate you're going to use for your server. Check out the SSL relay configuration admin guide via the Citrix Knowledgebase for this....

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
Thanks guys.. this is my first venture at ssl citrix so I apologize if my idea seems a little unorthodox.

I'm using Metaframe XP right now, but i don't have NFuse or CSG. It'd be nice to get away with this without using those, but if I need them, I need them. I should of said it's going to be in our DMZ, that was only an idea...forget i said that it. It is going to be sitting parallel with the dmz but it'll still be on our local net. Part of our drp...

So, i have an in house certificate authority, can i just get away with installing a cert on the server and away i go?

I tried this last week sometimes and I ran into all sorts of errors when tring to lauch published apps from the WI. I've got a stack of Admin guides on my desk that I'm constantly scanning through, but nothing really seems to be answering my questions.
????

Thanks guys..

On a different note. You guys used the Metaframe 4.0 yet? can xp and 4.0 work together? I'd sure like to install and test it..that and the the new WI.
 
Upvote 0 Downvote
Crystal now what your game plan is..Metaframe on LAN is fine. And yes, you can use in house CA be it Enterprise Active Directory integrated or StandAlone CA. If Enterprise, you can choose the web template, it's the same with server certificate, just ensure the FQDN of the server is entered when filling out the cert request. If StandAlone CA, then choose Server Authentication from the webenrollment page and ensure once again that FQDN is entered in your request page using IIS or browser...

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
I haven't used Metaframe 4.0 yet, where can I download this by any chance?...Regarding WI connection with your Backend Citrix Metaframe, it's easy. First install nfuse/WI version 2.0 on your IIS server---this nfuse/WI does't play any function on your Datastore just acting as a pointer to your MF server. then go to the Authentication page of your nfuse and type in your backend domain name and save. Go to the server side firewall and select normal radio buttons, scroll down below and type in your MF ip address and save. Go to the overview mode and click on apply changes for your changes to take effect....give these ago. POST US YOUR FEEDBACK

you can edit using notepad your nfuse.conf located at programe files--citrix--or do a search for nfuse.conf on the drive where you've install nfuse/WI and then scroll down to the bottom to check for the MF ip entries yiou've made when using the GUI page of WI, here you can manually add entries if necessary...

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
Just upgraged internal to PS 4.0 having run the pre-evall for 3 months. Its gooder, but not really tested it out yet.

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott
 
Upvote 0 Downvote
Thanks guys.. my test lab has currently been takin over by the helpdesk for training so i have to wait till next week before i can start testing the WI again.. I'll be sure to keep the thread updated.

As for 4.0, i downloaded it from
All kinds of new stuff on there..
 
Upvote 0 Downvote
ctxuser: I followed your instructions and at least i'm getting past all the errors i was seeing before. Only thing now, it establishes it's connection (to a published app), and sits there for about 15 seconds and comes back and says:

"A network error occurred (SLL error 4)"

Any idea what that is?
 
Upvote 0 Downvote
Yeah, Your WI is it in a DMZ still? and can you ping the FQDN of the Backend MF server?...This usually happens when there is an intermittent connection to the MF server. Also ensure you're using the IP of the MF server on the nfuse/WI entries as opposed to FQDN, WI sometime fails resolving the FQDN of MF server instead edit the nfuse.conf and scroll down the notepad and change the FQDN portion of the MF server to IP address. I'm thinking you're not using CSG yet..? Just WI/nfuse to MF server, relax your firewall rules at this point if any just for trouble shooting, untill all is well with WI--MF server then apply your firewall again. Also do not setup your SSL relay yet... Just WI and MF server connection for now, once this is out of the way then progress with SSL relay or CSG..remember you cannot have both SSL relay and CSG trying to connect to your MF server.
I will not be around today untill tomorrow UK timezone and continue from there...

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
thanks again. For the time being, i'm not trying to connect to this server through the firewall, just all internal hosts until i get it working.

Weird, I'm checking out my nfuse.conf file and i'm not seeing anything in there concerning my mf server fqdn or ip addy.. I'm assuming it should be in this line:

"SessionField.NFuse_Farm1=localhost,Name:Farm1,XMLPort:80,
Transport:HTTP,SSLRelayPort:443,
BypassDuration:60,LoadBalance:On"

Is that right?

Also, no CSG yet. I'm just trying to get an ssl session working with a published app accessed via the WI.

Thanks for your help!
 
Upvote 0 Downvote
nfuse.conf file browse down the list, last few lines down the lists...Is the ssl you're trying to use for WI or SSL relay which is a totally different thing...?

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
I'm trying to use the ssl with the WI.

What i've done so far is opened computer management and went to the "Default Web Site" under IIS. From there, I requested/installed a cert from my CA. Now, I can successfully connect to the server via https, just keep getting that socket 4 error.

So, i'm not using ssl relay, i don't think i need to actually..nor am i using CSG.

Hopefully what i'm trying to do is possible.....???
 
Upvote 0 Downvote
YES it is possible. So, are you able to click on the published apps icon from your icaweb browser connected to the nfuse/WI url and then you get that error message, yes?

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
This Link is refering to the a CSG being present

Let's ensure that the server side firewall has no entries for a CSG and that normal as opposed to secure gateway authentication or something like that radio button is selected. Do not select sta either just normal authentication. From the Nfuse/WI telnet the 1494 port to the MF server and ping the FQDN from the CMD as well just to ensure there is connectivity...

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
Ok, i'll check all that stuff out. YES, i'm able to click on the published desktop icon in my icaweb browser. See, I'm running WI on the citrix server itself. It's a member of my main farm as well. So, i'm connecting to the WI on this server and then lauching a published desktop that will come from that same server, well at least that's my goal!

thanks man
 
Upvote 0 Downvote
Right so, you've go the the WI that participate in the administration of your citrix farm as opposed to WI version 2.0 that acts as a pointer to your Backend Citirx MF, is this correct?..if it is, there are indeed some issues here.
So basically you've got all on one server. Ideally, you should have WI 1.x or 2.0 on a server with the server certicate installed for SSL and via this WI url i.e. configure it to point to your Citrix MF which has been installed on a different server whose xml, IMA, citrix network services are running. Your job if setup this way would have a lot easier.

Sometimes, you just have to forget your head and grab your balls ...!
 
Upvote 0 Downvote
Hey guys, i finally got it working. I disabled the SSL/TLS option for the published app and that did it.

I've moved on to exposing this server to the public web. I opened https on my firewall and used NAT/PAT to point the external clients to my internal metaframe server. That portion works great, I get the web interface, sign in, and then try connecting to the published app/desktop. Starts the client, and just sits at 'connecting.........' it finally times out and says:

"There's no Citrix Server configured for the specified address"

It's obviously a DNS/routing issue. Cuase my external client is an AOL user, has a completly different IP than my metaframe. So, how do i specify what this web interface can do for external clients. I messed around with the Server-side firewall settings in the WI admin, but couldn't get it figured out.

any advice?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

J
  • Question
laptop battery issue
Replies
2
Views
216
js78477
J
fbizzell
  • Locked
  • Question
thread75-1123232 I need a copy of 1
Replies
4
Views
58
goombawaho
goombawaho
sneakerware
  • Locked
  • Question
Need Picker Belt for RW530 Optical Jukebox on VAX
Replies
2
Views
63
sneakerware
sneakerware
sodax
  • Locked
  • Question
SPOOLSV need to be killed in order to have printers and Session in windows 2003
Replies
0
Views
35
sodax
sodax
dumbchemist
  • Locked
  • Question
Using IDE to SATA/SATA to IDE converters with Netware 5
Replies
18
Views
165
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top