Geeks With Blogs

This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed within are my own and should not be attributed to any other Individual, Company or the one I work for. I just happen to be a classic techie who is passionate about getting things to work as they should do (and are sometimes advertised and marketed as being able to?) and when I can I drop notes here to help others falling in to the same traps that I have fallen in to. If this has helped then please pass it on - if you feel that I have commented in error or disagree then please feel free to discuss with me either publicly or privately? Cheers, Dave
Thin Clients, VDI and Linux integration from the front lines.... Raw and sometimes unedited notes based on my experiences with VMware, Thin Clients, Linux etc.
So I'd visited a client early last week to look at a system at a bank that had been installed by another Integrator. I believe they'd installed it as a PreSales or Proof of Concept, so it was obviously done pretty quickly and they didn't necessarily hang around to finish it all off... (more's the pity?)
 
So when I did have a look at it, I could understand the WI side, but I wasn't really conversant with how Connectra was set up. However, I was able to clearly show that the reason it wasn't working was that there was no STA on the Citrix side: Connectra was expecting to take over the role of the CSG, but with the way the WI wanted to work the STA was missing. I installed the STA with no problems, but I couldn't quite get my head around what was missing for it to work?
 
So during this last week I talked to a few people who knew a little more than me about Connectra and one other point I hadn't considered was trying to just get the WI working as a straight web resource? Surely once you've made an SSL-VPN connection from your browser to the Connectra then you should have access to the LAN? Assuming of course that you have allowed it? 
 
So I turned up this morning ready to have a go at getting it working *with* the STA, or trying to isolate that entirely and see how that goes.
 
Now I was sitting in the driving seat for a change (instead of looking over someone's shoulders and telling them what to do) and when I launched the console in to Connectra I noticed that I got an error regarding the Certificate. I moved on, and while reviewing the Citrix Service configuration I also noticed the little warning above it that the Certificate needed to be working to the FQDN or it wouldn't work for Citrix. (It does pay to sit close to the screen and do it yourself occasionally? ;-)
 
Then I started to realise that I'd been told to start the console to the Connectra via an IP address. When I asked the security chap where the Connectra's Cert had come from, he pointed out that they had used the Connectra functionality to create a self-signed Cert based on the FQDN.
 
So, armed with this we tried the Client connection again (simulating an outside or external connection) and as soon as we started at www.<FQDN>.co.uk I got the image below. So I talked them through installing the Cert in to the Trusted Root; once that was done all was working fine.

From my experience it appears that if you are using test or self-signed certs these will generally *appear* to work at the client end if you just click on OK at the initial prompt, but if there is a problem like this with the Cert the application will fail to run and you won't necessarily get any errors or anything in the event log.

The tip is that when you get prompted for OK, View or Install, choose View and check the error. If it's expected because it's a test Cert or self-signed and you're OK with it, stop, go back and do it again, then choose Install and add it to the Trusted Root of the Client Machine you're currently using. You should then find it'll work correctly.

Don't forget this will need doing on each Client... but you knew that already? right? Enjoy ;-)
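To tell the two certificate problems in this story apart before clicking anything (a cert the client does not trust, versus a cert that does not match the name or IP you connected with), here is an added diagnostic sketch. It is not part of the original post or of any Check Point or Citrix tooling; the function names are my own and the targets you pass on the command line are assumed to be the appliance's IP address and FQDN.

```python
import socket
import ssl
import sys

# OpenSSL verify codes: 18/19 self-signed, 20/21 issuer unknown,
# 62 hostname mismatch, 64 IP address mismatch.
UNTRUSTED = {18, 19, 20, 21}
MISMATCH = {62, 64}


def classify(verify_code):
    """Map an OpenSSL verify error code to the kind of certificate problem."""
    if verify_code in UNTRUSTED:
        return "untrusted"
    if verify_code in MISMATCH:
        return "name-mismatch"
    return "other"


def handshake(name, port, ctx):
    """Return None if the handshake verifies, else the OpenSSL verify code."""
    try:
        with socket.create_connection((name, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=name):
                return None
    except ssl.SSLCertVerificationError as err:
        return err.verify_code


def diagnose(name, port=443):
    """Check trust against the system store, then the name with the cert pinned."""
    code = handshake(name, port, ssl.create_default_context())
    if code is None:
        return "ok: trusted and issued for " + name
    findings = ["%s (verify code %d)" % (classify(code), code)]
    if classify(code) == "untrusted":
        # Second pass: trust exactly the certificate the server presents, so the
        # only check left to fail is the name check (IP address vs FQDN).
        pem = ssl.get_server_certificate((name, port))
        pinned = ssl.create_default_context(cadata=pem)
        pinned.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
        second = handshake(name, port, pinned)
        if second is not None:
            findings.append("%s (verify code %d)" % (classify(second), second))
    return "; ".join(findings)


if __name__ == "__main__":
    # Pass both the IP address and the FQDN of the appliance to compare them.
    for target in sys.argv[1:]:
        print(target, "->", diagnose(target))
```

A self-signed cert issued for the FQDN should report only "untrusted" when reached by FQDN, and "untrusted; name-mismatch" when reached by IP address.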

 
 
Posted on Thursday, March 16, 2006 7:22 PM Citrix , IT Management , Real Cool Stuff , Microsoft Tips , VMware and other Virtualization tools , Security


Comments on this post: Connectra SSL-VPN and Citrix Web Interface - how hard can it be?

# re: Connectra SSL-VPN and Citrix Web Interface - how hard can it be?
Hi Dave,

Could you give me a call if poss, I'm having problems getting anyone to replicate what you setup in the above post.

We recently relocated to Canary Wharf and no one can get Connectra and Citrix working again.

Cheers

Andy
Left by Andy Jack on Nov 30, 2007 10:57 PM



Copyright © Dave Caddick | Powered by: GeeksWithBlogs.net