Citrix Presentation 3 configuration help

I am setting up the new P3 in a lab currently.

The Farm is built and running great. (2 servers)

Secure Gateway is giving me problems...

An Invalid/Unexpected Response was received for the logon agent... it wants to specify the Authentication Service running (a FQDN name), so I put in my STA server and it keeps rejecting it. The server is in a workgroup; the rest of the servers are in a domain. Eventually, once I get the Secure Gateway working, I will move it outside to my DMZ and run it from there.

Citrix seems to have dropped the ball on explaining Secure Gateway in the documentation. I can not find anything about a CA server. If you do not use Verisign, you should be able to issue a CA from a MS machine in the domain, correct? Once it is issued, it should then be able to run authentication.... That is my other error message.

No server Cert available for this machine....

How do I install one? I went to my Windows 2000 server and installed one from there.. but I take it that is not the correct cert it wants?

any help would be great!
thanks
tc
 
I am confused about all the CAs flying around. In a traditional NFuse environment, a front end server is running and "knows" about the rest of the Citrix Farm. The firewall passes port 80 and 14xx yada yada through the front end server. Everything works perfect.

In a Secure Gateway setup, every client will need to connect to AND have a CA issued to them? Does the SG hand out CAs to the remote clients or does someone have to issue them to each client?

I looked at that link.. it's quite drawn out... how much of that do I really need? just the copy root to the SG from the STA? (CA server and STA are on the same server)

thanks much for your help!

tc
 
A CA is a Certificate Authority.
That means it's a server that is allowed to give out ssl certifications.
A company like Verisign has a bunch of those. In exchange for getting a certificate from one of those, you pay a few hundred $ a year.

Your browser AUTOMATICALLY trusts certificates coming from Verisign. A CSG server running a Verisign cert is automatically trusted.

If you decide to create your OWN CA (not public) with MS Windows Server, it's a whole other ballgame when it comes to trusting.
No IE out there will trust your just created MS CA.
Every client will need the Root Certificate from your CA, and install it in its CA root store (together with all the rest of the CAs like Verisign, Thawte etc).

Once your CA is trusted, the client's IE will accept any certificate you have created (including the one you used for setting up your CSG/WI).

If this is all abracadabra to you, I would suggest paying up the few hundred a year, and let the pros (Verisign or whatever) create a certificate for your setup.

Stefan
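The trust point Stefan makes, worked through in code as an added example (Go; this is not code from the thread, from Citrix or from Microsoft): a private root CA standing in for the MS CA issues a certificate for the CSG host, a client whose root store lacks that root rejects the certificate, and the same client accepts it once the root is added. The CA name and the CSG hostname are placeholder assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustCert signs tmpl with signer on behalf of parent (self-signed when parent == tmpl)
// and parses the result; a signing failure in this lab setup is unrecoverable.
func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

// buildLabPKI creates a private root CA (stand-in for the MS CA on server1) and a
// server certificate for csgName issued by it. All names are placeholder assumptions.
func buildLabPKI(csgName string) (root, server *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the OS RNG does
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	server = mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: csgName}, DNSNames: []string{csgName},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &srvKey.PublicKey, caKey)
	return root, server
}

// trustedBy reports whether a client whose root store holds exactly the certificates in
// roots accepts server for csgName; an empty pool models a browser without the private root.
func trustedBy(server *x509.Certificate, roots *x509.CertPool, csgName string) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: csgName})
	return err == nil
}
```

The public roots a browser ships with never help here: only adding this CA's own root to the store (what the ASP page further down automates) makes the CSG certificate verify.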
 
Poof! I got it. I used a CA server for wireless authentication internal. For example.. an end user had to hit the CA to get a certificate to allow them to connect to the wireless. Once they checked out a basic certificate, the Radius would take over and verify everything was good to go.

The problem I see is that my CA server is inside my firewall, hence, if the users have a home computer, we would need to email a cert or give it to them on a CD or floppy to bring home. Once they have this installed in their browser... it will work for them.

Any other quicker ways of dishing out certs at the Secure Gateway, or not possible?


Abracadabra..... steve miller... and I can't spell!
 
>Any other quicker ways of dishing out certs at the Secure Gateway, or not possible?

Once the root CA is installed, and the client has hit the WI page, it has all the certs loaded it needs for the connection to the csg.

If you prefer to distribute the root ca cert in a simple way, you can use asp for that.

Here's the code for an automatic cert installation for IE:


<%@ LANGUAGE="VBScript" %>
<%
' Read the root certificate exported from the CA. root.cer must be Base64 (PEM) encoded
' text, not binary DER, because it is read line by line and pasted into a VBScript string
' literal on the client side: each line is quoted, and every line except the last gets a
' " & _" continuation so the literal spans several lines.
Set fs = CreateObject("Scripting.FileSystemObject")
Set MyFile = fs.OpenTextFile("c:\root.cer", 1)

Output = ""

Do While MyFile.AtEndOfStream <> True
    line = Chr(34) & MyFile.ReadLine & Chr(34)
    If MyFile.AtEndOfStream <> True Then
        line = line & " & _" & Chr(10)
    End If
    Output = Output & line
Loop

MyFile.Close

Set MyFile = Nothing
Set fs = Nothing
%>
<HTML>
<HEAD>
<TITLE>Installing A Root Certificate</TITLE>
<SCRIPT language="VBSCRIPT">
' Runs in IE on the client. CEnroll.CEnroll.1 is the Windows certificate enrollment
' ActiveX control (xenroll.dll); Windows still prompts the user before a new root is
' added to the store. On Error Resume Next keeps a failed CreateObject from stopping
' the page, so the error is reported explicitly below instead of being swallowed.
On Error Resume Next
Dim Str, CEnroll

Set CEnroll = CreateObject("CEnroll.CEnroll.1")
Str = <% Response.Write Output %>

CEnroll.installPKCS7(Str)
If Err.Number <> 0 Then
    MsgBox "Root certificate installation failed: " & Err.Description
End If

Set CEnroll = Nothing
</SCRIPT>
</HEAD>
<BODY>
Root Certificate Authority Installation
</BODY>
</HTML>

Stefan
 
Just to keep you in the loop and thanks for your help btw:

So here is what I have running so far...

In my SG diags:

SG settings OK
Interfaces OK
Logon Agent/Web interface OK
Certificate Check OK

Authority Server is NOT ok...

I can not get the SG server to talk to my STA server for anything. It's the last piece of the puzzle for me.

Currently the server configs are this:

STA server and licensing on Server1
Secure Gateway and Web Interface on Server2
Presentation 3 on Server3
Presentation 3 on Server4

Everything is on the same subnet, same hub, etc.

Eventually, Server 2 will head out to the DMZ. Server 1,3, and 4 will stay on the trusted internal network.

How do FQDNs work when in the DMZ? Will it still resolve to an internal server? Or do I need to use an LMHOSTS file etc?


For the CA server, I have it loaded on server1. Here, I exported the MS CA to a backup key. On the Secure Gateway, I ran Certificate Services and imported the backup key (copied from server1). Then in IIS, I selected my CA to use for IIS.. then everything clicked on, except the Authority Service.


"An invalid/unexpected response was received."
 
>For the CA server, I have it loaded on server1. Here, I exported the MS CA to a backup key.

Are we talking about the ROOT CA cert here?
Besides the normal cert, the ROOT CA cert needs to be installed on all clients/csg servers.

The code mentioned before is for distributing the ROOT CA cert via an asp webpage.

Stefan
 