Secure Gateway 2.0 Setup Problems

Status
Not open for further replies.

netadminTO

IS-IT--Management
Feb 21, 2003
46
US
Hi - I'm trying to set up CSG 2.0 and am having a couple of issues:

Here's my setup....

1 server running Windows 2003 Server/IIS/WI in DMZ

1 server running Windows 2003 Server/Secure Gateway/SSL Certificate in DMZ

1 server running Windows 2003 Server and Citrix MF XP 1.0/STA on the LAN

Port 443 open from WAN to DMZ
Port 8081 (XML), 443, 1494 open from DMZ to LAN

Do I need IIS on the MetaFrame XP/STA server?

Do I need a certificate on the WebInterface as well? If so, can it be the same one as CSG? Also, does the Web Interface also need a public IP address?


I can open the main login page of Citrix web, log in and see applications. I can run them on the network but cannot from outside - it says "Cannot connect to the Citrix MetaFrame server. There is no Citrix MetaFrame server configured on the specified address."

The Secure Gateway has the IP address 192.168.X.X (which is a NAT policy on our firewall to translate the actual public IP address 204.X.X.X). The Web Interface has a 192.168.X.X address in the DMZ. The MetaFrame, of course, has a 172.X.X.X address on the LAN.

Please help!


Thanks,

NetadminTO
 
Oh - one more thing on top of my original blabber.....

Can Citrix STA run on the MetaFrame server or should it be separate?
 
Yes, you need IIS on the STA and yes, you can run it on one of your MetaFrame servers.

Yes, you need a public IP for the Web Interface. The SSL cert for this is optional. As I understand it, without an SSL cert on the WI, the initial login is not encrypted. But once logged in, you are going through the Secure Gateway which is encrypted.

When you say you can run apps from inside, is that through the WI in the DMZ?

Have you configured the WI to use the CSG? How are you resolving the names between the WI, CSG and internal MF servers? I would look at where the WI and CSG servers are looking for DNS - do they point to internal DNS servers or public DNS servers? If the CSG and WI boxes are pointing to external DNS, they won't be able to resolve internal names.

Have you run both the WI debug.asp and the CSG diagnostic tools? These will give you good indications of where your problem is.


R.Sobelman
 
I can hit the Citrix login website and run the applications when on the LAN, but from the outside it says no server available on this address. Like you said, this is obviously because users are not resolving the internal address of the MFXP server. How do I go about setting this up?


...so let me get this straight:

DMZ:
1. Web Interface w/certificate, IIS, public IP address
2. Secure Gateway w/certificate, IIS (no public address, just DMZ)

LAN:

1. Citrix MetaFrame XP w/STA, IIS
 
No, the Secure Gateway w/Certificate I believe also needs a public IP address - the SSL certificate is to a fully qualified domain name (e.g. csg.company.com). That means a public DNS entry which means a resolvable public IP address.


R.Sobelman
 