I desperately need help. Scenario: We built a 2 server farm, published apps., separate STA machine, separate Webinterface machine - all 2003, Checkpoint firewall, one public IP on web server with the interface and secure gateway. Everything works internally through website but when outside the domain, when I click on published apps I get page can't be found.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Webinterface Presentation Server 3.0
- Thread starter marishen
- Start date
There are 2 options you can use:
option 1:
Configure the citrix farm to use alternate address and open port 1494 (ica) in the firewall....
Not really a thing I recommend.. but it is an option...
option 2:
Install a Citrix Secure Gateway server in the dmz.
In the dmz will then be the Citrix Secure Gateway and the Webinterface server.
Clients on the internet will talk to the CSG server over port 443. The CSG server will then talk to the internal Citrix servers over port 1494...
This is the most secure option.
Petje
A+, MCP, MCSE on NT4.0 and windows 2000 and Windows server 2003 and CCEA
option 1:
Configure the citrix farm to use alternate address and open port 1494 (ica) in the firewall....
Not really a thing I recommend.. but it is an option...
option 2:
Install a Citrix Secure Gateway server in the dmz.
In the dmz will then be the Citrix Secure Gateway and the Webinterface server.
Clients on the internet will talk to the CSG server over port 443. The CSG server will then talk to the internal Citrix servers over port 1494...
This is the most secure option.
Petje
A+, MCP, MCSE on NT4.0 and windows 2000 and Windows server 2003 and CCEA
Hi Petje,
I have a more or less same situation. I have 2 Metaframe Server and STA setup in same domain on internal LAN. In DMZ I have Web Interface 3.0 and Secure Gateway on same machine. I have this all connected with a trihomed ISA2004 machine. Between DMZ en Internal a route relationship is defined (with for the time being all <-> communication) and between external and DMZ I have a NAT relationship defined.
I can succesfully connect from the external LAN to the published SSL delivered by the sec. gateway. I can login, and get a list of my apps. When I try to start an application, the client says connecting ... and after a while I recieve "A network error has occured. SSL error 4". I already had SSL error 61 before and that was solved by placing the SSL certificates in the trusted root stores of the local machine. However, no recieve a SSL error 4 and I have no idea what to do with it. The certificates are derived from a root CA which resides on my internal LAN.
Do you have any idea ?
BR and thanks for reading.
Topski
CCA, MSCE NT4.0, 2000, 2003
I have a more or less same situation. I have 2 Metaframe Server and STA setup in same domain on internal LAN. In DMZ I have Web Interface 3.0 and Secure Gateway on same machine. I have this all connected with a trihomed ISA2004 machine. Between DMZ en Internal a route relationship is defined (with for the time being all <-> communication) and between external and DMZ I have a NAT relationship defined.
I can succesfully connect from the external LAN to the published SSL delivered by the sec. gateway. I can login, and get a list of my apps. When I try to start an application, the client says connecting ... and after a while I recieve "A network error has occured. SSL error 4". I already had SSL error 61 before and that was solved by placing the SSL certificates in the trusted root stores of the local machine. However, no recieve a SSL error 4 and I have no idea what to do with it. The certificates are derived from a root CA which resides on my internal LAN.
Do you have any idea ?
BR and thanks for reading.
Topski
CCA, MSCE NT4.0, 2000, 2003
Hi Dugas,
Yep, I had a look at it. Situation has not been changed. I have IIS 6.0 and CSG 2.0 on the same box. IIS has SSL listening to 444.
The weird things is that I can run everything fine in the DMZ. My client shows 'Remote 128-bit SSL/TLS' so that is fine. I have published the URL from my DMZ with a publishing rule using ISA 2004. The SSL certificate bound to the listener is the same as on the Web Interface/SGW machine. My public DNS resolved fine, my ISA 2004 box resolves the address to the machine on my DMZ.
This is really wearing me out. Spend already 5 to 6 days getting this $^*$#**& job done now.
Any info/help would be greatly appreciated.
BR,
Ronald Top
Yep, I had a look at it. Situation has not been changed. I have IIS 6.0 and CSG 2.0 on the same box. IIS has SSL listening to 444.
The weird things is that I can run everything fine in the DMZ. My client shows 'Remote 128-bit SSL/TLS' so that is fine. I have published the URL from my DMZ with a publishing rule using ISA 2004. The SSL certificate bound to the listener is the same as on the Web Interface/SGW machine. My public DNS resolved fine, my ISA 2004 box resolves the address to the machine on my DMZ.
This is really wearing me out. Spend already 5 to 6 days getting this $^*$#**& job done now.
Any info/help would be greatly appreciated.
BR,
Ronald Top
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question
- Locked
- Question