
Let me first say that my knowledge of Presentation Server and Secure Gateway is very limited. Many thanks to any one who can help me out here.

Alright on to the problem:

We are changing the network design at the main office where the Citrix servers are located. The Secure Gateway was on a server that has 2 NIC interfaces, one in the LAN and one in the DMZ. The DMZ is being taken out, so I disabled the DMZ interface on the SG. I had to change the listening address, and after doing that everything seemed fine; then I realized that apps could not be loaded any more from the Secure Gateway web site.

Users would get the following error when trying to load an app: Cannot connect to the Citrix Presentation Server. Protocol Driver error. Accessing the web site external or internal yields the same problem.

How I assume this works is the user goes to the SG, logs in, launches the app, the SG then sends the request to the Presentation Server then that server communicates directly with the user?

Another change that was made was changing out the firewall / router. All of the NATs should be the exact same as the old firewall but there could be a missing port forward.

I have followed a couple of Citrix articles making sure ports 1494 and 2598 are open and responding (they are).

We have two Presentation Servers and then the SG. Here is some information about the servers:

Windows 2003 SP2
Secure Gateway 2.0
Presentation Server 4.5.0.0

Assumptions on what could be wrong:
Incorrect / absent port forward
A reference in one of the servers that is using the DMZ address instead of the LAN address

I'm not really sure even where to start troubleshooting at this point.

Edit: Here is a diagram of before and after (left is before, right is after).

What I think might be going on is that the Secure Gateway is trying to communicate with the other Citrix servers via the public IP address instead of the LAN address. This request gets denied by the ASA. Still just an idea, and not sure how to fix it if that is what is wrong.

evolvd

1 Answer

Do you know which system is running your web interface? That probably needs to be reconfigured along with the Secure Gateway. In theory, you should be able to connect directly to the server that's hosting the web interface without issue. Make sure your internal DNS points to the web interface and not the gateway, unless you're ultra paranoid about ICA security.

Secondly, check out this article on setting up a Secure Gateway from scratch. It will show you the various things to check: http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/install-configure-citrix-web-interface-secure-gateway-part2.html

Finally, it would help to have a diagram of which servers have which roles.

Eric C. Singer
  • Thanks for the info. I'll read through the article to get a better idea of what's going on. I posted a diagram to show how things are set up. – evolvd Feb 19 '12 at 05:05
  • Thanks for that link. After reading over it I actually understood what was going on so I could troubleshoot. The problem was that since I took it out of a DMZ I had to change it to directly connected. Once I did that, everything worked. – evolvd Feb 19 '12 at 17:15