
Installing Citrix Secure Gateway and Web Interface (XenApp 6)

In this installment we’ll take a look at setting up Citrix Secure Gateway (CSG) 3.2 and Web Interface (WI) 5.3 together on a single server to provide secure connections to a Citrix XenApp farm.  CSG allows clients to make secure connections to our XenApp servers from the Internet without the use of a VPN.  I will be using the versions of CSG and WI that are provided with Citrix XenApp 6 and I’ll be installing them on Windows Server 2008 R2.  The server will be set up in a DMZ and will not be a member of my Active Directory domain.

This tutorial assumes that you have already installed a XenApp 6 server farm and configured it with published applications; installing XenApp 6 and publishing an application are each covered in earlier posts on this site. In addition, you’ll need a DNS record (or a hosts file entry on your client) so that the CSG/WI server is reached from the client by a domain name rather than an IP address, since that name is what the SSL certificate on the gateway will have to match.

Installing Web Interface 5.3

First insert the XenApp DVD and if the installation routine doesn’t automatically start run the autorun.exe located in the DVD root directory.

Click Install XenApp Server.

It may prompt you to install .NET 3.5 SP1.  Click OK.

Click Add server roles.

Select your edition of XenApp.

Check the box to accept the license terms, then click Next.

Under Common Roles check Web Interface, then click Next.

There are no subcomponents for the Web Interface, so just click Next.

Review the prerequisites that will be installed and activated, then click Next.  IIS will be enabled automatically for you.

Click Install.


  1. Sagar
    May 8, 2010 at 6:51 am

    Nice one. Can you also share the steps to configure Citrix Secure Gateway for Citrix XenDesktop 4.0?


  2. Chris
    May 18, 2010 at 11:24 pm

    I kept running into the event log error
    Site path: c:\inetpub\wwwroot\Citrix\PNAgent.

    All of the configured Secure Ticket Authorities failed to respond to this XML transaction.

    and I could not really get past this…. Any ideas?

    • May 21, 2010 at 4:43 pm

      Hi Chris,

      First thing I would check is that the DNS name of your XenApp server is resolvable from your Secure Gateway server. Also make sure that the port the XML service uses on the XenApp server is available through your firewall to your Secure Gateway server if it is in a separate network like a DMZ. One other thing: check that the Windows firewall is set to allow inbound access to the XML service port, although this should be configured automatically with the XenApp installation.


  3. Chris
    May 25, 2010 at 10:21 pm

    Thank you. It looks like it is working now. DNS must have been a little slow that day.
    Now we are getting the error “SSL Error 86: The security Certificate “” is not suitable for use in SSL connections”.
    My guess is that is because we do not have a secure cert.
    Question being, when we go to purchase a cert do we purchase a regular cert with 1 domain name? Or do we get a UCC cert so both internal and external names will work?


    • May 26, 2010 at 9:32 pm

      Hi Chris,

      I would expect that if you are using different internal and external names a regular cert would not work. I haven’t tried using a UCC certificate yet with Secure Gateway so I’m not exactly sure if that would solve your issue. I am also in the process of setting up my Secure Gateway with a third party cert. It will be a regular single domain cert and I’m planning on using split DNS so that clients will connect using the same web address regardless of their location. I’ll be preparing an article on this soon!


      • Ben Goodall
        January 20, 2012 at 12:11 am

        Hi Aaron,

        I was wondering whether you ever got around to writing the article on using Split DNS with CSG/WI.

  4. Chris
    May 26, 2010 at 11:16 pm

    Aaron, this site has been a huge help for me so far. Thank you for posting all that you have.
    The only trouble I am running into is connecting external clients. We are not using a 3rd party cert yet (could be the issue). For testing purposes we would like to just use a domain cert we created if possible.
    Internally XENAPP works great. I even have a few users testing it out.
    Externally we can login to the xenapp website\portal.
    When we attempt to open an app we get 1 of the following errors.
    “SSL Error 86: The security Certificate “nameofmycert” is not suitable for use in SSL connections”.
    The Citrix SSL Relay name could not be resolved (SSL error 40).

    This happens even when we create a cert that has our external name (instead of internal).

    Here is the breakdown
    Citrix1 – Xenapp Server – No ports open from firewall
    Citrix2 – Gateway\Web access Server – Ports 443, 1494, 1606 opened up from firewall
    The servers are on the same domain and LAN.

    Any ideas?

    Thank you


    • June 2, 2010 at 9:01 pm

      Hi Chris,

      Hope you have had success getting your external clients connected through Secure Gateway. You may have been getting that error message if your external clients didn’t have the root certificate of your domain CA imported into their certificate store.

      I recently switched my environment over to a third-party public CA and everything seems to work fine and I have clients that can connect over the internet. I recently published an article about using a free certificate from a public CA with IIS:


      Basically I followed the steps in the article and then re-ran the secure gateway wizard and chose my new public cert.

      All the best,


  5. Toni
    June 21, 2010 at 11:43 am

    Hello Aaron,

    This is exactly what I was looking for. Following these steps I succeeded in making an HTTPS connection to my XenApp. Now, how do I forbid HTTP?

    • June 22, 2010 at 1:12 am

      Hi Toni,

      When you say that you want to prevent users from connecting with HTTP I am assuming that you are referring to HTTP access from their web browser to the Secure Gateway/Web Interface server? If this is the case there are a couple of options for you. You could use the Windows firewall on the server to prevent inbound access to port 80. If the users are separated from the CSG/WI server by a router/firewall you could filter access to port 80 at the network level. One other option would be to configure IIS on the server to require HTTPS on the Web Interface website.

      One thing to keep in mind is to be careful making any of the changes I suggest above on a server that is also running the XenApp role. I say this because by default XenApp selects 80 as the port the XML Service listens on, and it is extremely important that the XenApp server has this port reachable so that the Web Interface server can retrieve information such as the list of applications each user can access. If you followed my XenApp tutorial the XML Service would be configured on a different port, however.

      Best wishes,
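A scripted version of the reply above, added by the editor and not code from the original post. It first lists whatever is bound to TCP 80 (so the XML-Service-on-80 case the reply warns about is visible), then makes IIS require SSL on the Web Interface site and blocks inbound 80 at the Windows firewall. The IIS site path and the XML Service port at the top are assumptions; change them to match your server.

```powershell
# Added example for this thread, not code from the original post. Run in an
# elevated PowerShell on the CSG/WI server (Windows Server 2008 R2, PowerShell 2.0).
# Assumptions, adjust to your build:
#   $WiSitePath     - IIS path of the Web Interface site (the WI default is used here)
#   $XmlServicePort - port the Citrix XML Service listens on if XenApp is also on this box
$WiSitePath     = 'Default Web Site/Citrix/XenApp'
$XmlServicePort = 8080
$AppCmd         = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Get-Port80Listeners {
    # List what is bound to TCP 80 before changing anything. IIS shows up as the
    # System process (PID 4); anything else is a service that would lose this port.
    netstat -ano -p tcp |
        Select-String -Pattern '^\s*TCP\s+\S+:80\s+\S+\s+LISTENING\s+(\d+)\s*$' |
        ForEach-Object {
            $ownerPid = [int]$_.Matches[0].Groups[1].Value
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                OwnerPid = $ownerPid
                Process  = $(if ($proc) { $proc.ProcessName } else { 'unknown' })
            }
        }
}

function Disable-PlainHttp {
    # 1. Refuse to block 80 while the XML Service shares it: WI enumerates the
    #    user's applications through that port and would stop working.
    if ($XmlServicePort -eq 80) {
        throw 'The XML Service is on TCP 80 on this host; move it to another port before blocking HTTP.'
    }

    # 2. Make IIS itself reject plain HTTP for the WI site (HTTP 403.4). CSG
    #    forwards to WI over HTTPS on its alternate port, so that path is unaffected.
    & $AppCmd set config "$WiSitePath" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost

    # 3. Belt and braces: drop inbound TCP 80 at the host firewall so the only
    #    way in from the Internet is the CSG listener on 443.
    netsh advfirewall firewall add rule name="Block inbound HTTP - WI is reached via CSG on 443" dir=in action=block protocol=TCP localport=80 profile=any
}

Get-Port80Listeners | Format-Table -AutoSize
Disable-PlainHttp
```

Step 2 alone is enough to refuse browser HTTP; step 3 also stops anything else that might later bind port 80 on the DMZ host from being reachable. Leave step 3 out if this server is also a XenApp server whose XML Service still shares port 80 with IIS.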


  6. RC
    August 19, 2010 at 3:58 pm

    Ok. I have a few questions. The tutorial I understand until I get to a certain point. I have successfully followed your steps all the way to the install of the WI on the WorkGroup / CSG / 2008 R2 Server (which is also DHCP).
    I think I get lost when you changed the screen shots from HTTP to HTTPS. Could you please fill me in in that area? Am I supposed to log into the CSG website with my domain user name and password? (If so, I am unable to do so.)
    Btw, I am not using XenApp but trying to use XenDesktop 4.0.
    lol. I appreciate your help. And I might have more questions to come!

    • August 21, 2010 at 6:56 pm

      Hi RC,

      Yes, you should be able to use a domain user to log in to a WI/CSG workgroup server as long as the XenApp/XenDesktop farm and its servers are specified during the Web Interface set up. My suggestion would be to install the Web Interface component and test logging on to the WI website using a domain user and launching a published application before proceeding to install CSG. I’m not quite sure what you mean about getting lost changing from HTTP to HTTPS. Perhaps you are talking about switching the HTTPS ports for the WI/IIS website? The CSG service will listen for HTTPS traffic on port 443 and by default the WI/IIS website uses the same port for HTTPS, so we need to change the WI/IIS website HTTPS listener to a different port since both processes cannot share it. But this will not affect the clients, since they will still connect to the WI/IIS website using HTTPS via the CSG.

      Best wishes,


  7. RC
    August 22, 2010 at 3:21 am

    Aaron, thanks for the input. After I have configured my DMZ on my Sonicwall and I can access http://citrix.xx.com/citrix/xenapp/ it loads up slow, and once I get the logon screen, I can not log in using my domain user credentials. I know we configured the https:// etc., however when I place the address in Internet Explorer it shows a blank page. Strange. Thanks for your help again!

    • August 26, 2010 at 5:32 am

      Hi RC,

      That is certainly a puzzler, what is happening to you. The best advice I can give is to double check your access rules on your Sonicwall firewall as well as the software firewall on your Windows 2008 R2 servers and make sure all necessary ports are open (these should all be listed at the end of the article). One thing you may also want to consider, at least for the testing phase, is to set up a WI/CSG server on the same LAN as your XenDesktop farm and connect through CSG using test clients that are also on that same LAN. Then you could move the WI/CSG into the DMZ and start testing Internet clients once you’ve confirmed that a more basic configuration with everything on the same LAN works.

      Good luck,


  8. Bruno Bertelli
    August 27, 2010 at 7:09 pm

    Excellent Tutorial! Amazing work.

    Thanks for sharing this information.


    Bruno Bertelli

  9. Andy Bayford
    October 27, 2010 at 3:36 pm

    This looks really useful, and I followed most of it. I have a small farm on our secure network. I want the WI and the CSG on the same box in the DMZ, which seems to be what you are doing. There is no mention of what needs to be done on the firewall separating the DMZ from the secure network. I might be missing something clearly, but surely ports etc. need to be open in order for the WI to talk to the farm at all?



    • October 27, 2010 at 11:57 pm

      Hi Andy,

      Check out the very end of the article on page 5, I have details there on what ports need to be opened up from the DMZ to your secure/XenApp server network. If for some reason it doesn’t show up for you, I have pasted the section below. Good luck! Aaron

      Internet to DMZ

      TCP port 443 to CSG/WI server

      DMZ to XenApp Farm Network

      TCP 80 (or non-default port of XML Service)
      TCP 443 (if STA traffic encrypted)
      TCP 1494 (no session reliability) or TCP 2598 (session reliability)
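To check the rules listed above from the DMZ side (and the DNS and XML-port causes suggested in the reply to Chris earlier in this thread), here is an added example from the editor, not code from the original article. It runs on the CSG/WI server, resolves each farm server name the way WI and CSG would, and attempts a TCP connect with a timeout to the XML port, to 443 if the STA is encrypted, and to 1494 or 2598 depending on session reliability. The server names and port values at the top are assumptions.

```powershell
# Added example, not from the original article. Run on the CSG/WI server in the DMZ
# (Windows Server 2008 R2, PowerShell 2.0) to confirm the DMZ -> farm rules pass traffic.
# Assumptions, adjust to your farm:
#   $XenAppServers      - XenApp/STA servers exactly as named in WI and CSG (names made up here)
#   $XmlPort            - 80 unless you moved the Citrix XML Service
#   $StaOverHttps       - adds 443 when STA traffic is encrypted
#   $SessionReliability - tests 2598 instead of 1494
$XenAppServers      = @('xenapp1.test.local', 'xenapp2.test.local')
$XmlPort            = 80
$StaOverHttps       = $false
$SessionReliability = $true

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    # Connect with our own timeout: a firewall that silently drops packets would
    # otherwise make this hang for the OS default instead of failing fast.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-FarmPath {
    param([string[]]$Servers)
    $ports = @($XmlPort)
    if ($StaOverHttps) { $ports += 443 }
    $ports += $(if ($SessionReliability) { 2598 } else { 1494 })

    foreach ($s in $Servers) {
        # DNS first: "All of the configured Secure Ticket Authorities failed to respond"
        # is often just the DMZ box being unable to resolve the farm server names.
        try {
            $ips = @([System.Net.Dns]::GetHostAddresses($s) | ForEach-Object { $_.IPAddressToString })
        } catch {
            $ips = @()
        }
        foreach ($p in $ports) {
            New-Object PSObject -Property @{
                Server   = $s
                Resolves = ($ips.Count -gt 0)
                Address  = ($ips -join ',')
                Port     = $p
                Purpose  = $(switch ($p) {
                                $XmlPort { 'XML Service / STA'; break }
                                443      { 'STA over HTTPS'; break }
                                1494     { 'ICA'; break }
                                2598     { 'ICA with session reliability (CGP)'; break }
                            })
                Open     = ($ips.Count -gt 0) -and (Test-TcpPort -Server $s -Port $p)
            }
        }
    }
}

Test-FarmPath -Servers $XenAppServers |
    Format-Table Server, Resolves, Address, Port, Purpose, Open -AutoSize
```

A row with Resolves false points at DNS or the hosts file on the DMZ server; a row that resolves but is not Open points at the firewall between the DMZ and the farm or at the Windows firewall on the XenApp server. Run it again from a client on the Internet against the CSG name on 443 (the only port that should answer) to confirm the outer rule as well.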

  10. Andy Bayford
    November 8, 2010 at 4:47 pm

    Thanks for this Awalrath, I confess that I am still a little confused, for example when configuring the CSG on page 4, you mention adding the STAs. I think I need to add each of my XenApp servers here, but when I do I get “The STA specified cannot be contacted”. To be honest I would expect that, since how is a box in the DMZ able to see the STA boxes which are domain servers? On the very same issue, when testing, how is a user going to authenticate to the domain when the Web Interface is in the DMZ? I think there is likely to be something very obvious I am missing, but I would love your help.


    • November 9, 2010 at 3:16 am

      Hi Andy,

      If you are not able to add the STAs (XenApp servers) when configuring your CSG my guess is either your hardware firewall or the Windows firewall on your XenApp servers may be preventing proper communication. As a test you could set up a CSG/WI server and a XenApp server on the same LAN segment, then you could determine if your hardware firewall is causing the problem adding the STAs. Obviously this is not a configuration that you would want to expose to the internet.

      Even though the CSG/WI server that you set up is not a member of the domain it will pass through authentication requests to the STA on a XenApp server which will then verify the domain credentials.

      All the best,


  11. November 8, 2010 at 9:16 pm

    Just installed a new server to the farm, but clients on the outside of the SGW are unable to access the server, though they can access other servers in the farm. What did I forget to do at the WI level?

    • November 9, 2010 at 3:27 am

      Hi Wendy,

      I believe that you need to configure both the Secure Gateway service and the Web Interface with the Secure Ticket Authority of the XenApp server. So you would need to make a configuration change in both management consoles.

      All the best,


  12. Andy Bayford
    November 10, 2010 at 9:59 pm

    Hi Aaron, I confess I am still having a little difficulty around the area of firewalls and ports. I know what to open as your document makes it pretty clear. I did install the CSG in the LAN and it had no problem recognising the STAs as I would expect. I am still confused. Are you using ISA as your internal firewall, and if so what steps did you follow on there? Surely if you are connecting through 443 you are going to need a cert on the firewall. It just seems that there is a piece of the puzzle missing.


    • November 12, 2010 at 5:54 am

      Hey Andy,

      I’m glad you were able to at least get CSG installed on the LAN with the XenApp STAs. I am actually using a Cisco router as my firewall. Your firewall should be able to pass 443 through to another device without needing the cert installed; only if the firewall itself were the endpoint for 443 would it be needed. I’ll take a look at my configuration and see if my post is missing a port. You could also install Network Monitor or Wireshark on your CSG and monitor the network traffic that it attempts to send. Aren’t firewalls frustrating? Half the problems I encounter generally seem to be firewall related, whether it be a network device or the software firewall on a host. But a necessary evil I guess.


  13. Jahn Ray
    November 19, 2010 at 2:51 am

    Hi Aaron,

    I’m currently running a Secure Gateway in my DMZ, currently serving my metaframeap servers. Also, applications published on the metaframeap servers can be accessed from the internet.

    My question is: I had set up a XenDesktop infra in the same network as my metaframeap and it has its own web interface. Is it possible to also connect my new web interface for XenDesktop to the same secure gateway as my metaframeap server?

    Is Secure Gateway 1 CSG to 1 Web Interface only?

    Thank you…

    • November 20, 2010 at 5:49 pm

      Hi Jahn,

      Yes, if you have a dual role CSG/Web Interface server in your DMZ it should be able to serve clients for both your Metaframe/XenApp farm and your XenDesktop farm with one web portal. You have to run your clients through the same CSG/WI server and add all of your Xen farms to it. If you have CSG and WI separated into different servers this may still work but I don’t have any experience with it.

      We’re kind of in this together because I am working on this at the moment for my production environment too! I think I will document my experience integrating these, I should have when I was first testing it out!

      Best Wishes,


      • Jahn Ray
        November 21, 2010 at 12:50 pm

        Hi Aaron,

        Yeah, I have my SG separated from my WI and that WI is being used by my Metaframe server. Problem is the metaframe server where WI is installed is not a member of a domain, just a plain workgroup, and user accounts are made locally on that server. (I was not the one who configured it that way and they don’t want it changed.) So then I created XenDesktop which is all joined to the domain and authenticates via AD. Now instead of using my own WI for XenDesktop I created a site in the metaframe’s WI. I can access the XenDesktop site from outside but the problem is when I authenticate, I can’t. I think that is because of the WI server not being joined to the domain…

        Is that possible?


      • November 21, 2010 at 7:54 pm

        Hi Jahn,

        In the tutorial you’ll see that I initially set up WI on a non-domain server (Page 2) and I am able to authenticate to my XenApp farm, so I’d think what you are saying should be possible. Personally I would try and set up a completely new WI workgroup server without MetaFrame or any other roles and see if you can access your Metaframe and XenDesktop farms from that. That way you’d find out if Metaframe was interfering with the WI authentication to the XenDesktop farm. Hope that helps.


  14. Jahn Ray
    November 22, 2010 at 12:56 am

    Thanks for the fast reply Aaron. Actually I had already done that, having a different WI for my XenDesktop, and it’s the newer one… I can access everything locally with no problems and obviously the next step is to publish it to the internet. I wanted to add the interface in our current SG, which the metaframe server is also using, but when I try and add my STA server in the SG it actually asks for the FQDN of the WI, where the current set up is using the metaframe’s WI. I think I can’t add an additional WI in the SG and the relationship would be 1 WI to 1 SG and it cannot be 2 WI and 1 SG.

    I think I’ll just need to set up a new SG for my XenDesktop infra…

    Thank you for the responses. Hopefully I could resolve this and help someone…

    Have a nice Day…

  15. Shaun Belcher
    November 24, 2010 at 5:00 pm

    Hello all,
    New to Citrix, we are setting up a test server for Xen App,… We can get internal working, but are having issues externally. We can log in just fine. But when we go to launch any app, it doesn’t work. Acts like it is, but it just goes back to the app screen. We have everything running on a single server currently. Any ideas?

    • November 27, 2010 at 11:45 pm

      Hi Shaun,

      Are both your internal and external clients connecting through the Secure Gateway service? Or are the internal clients connecting differently than the external, using the Web Interface or directly with the Citrix Full Plugin icon?


  16. November 26, 2010 at 3:47 pm

    Great job. Thanks a lot.

  17. Rick
    December 1, 2010 at 10:23 pm

    Followed the tutorial and installed WI 5.3 on a Windows 2008 R2 VM with IIS 7.5, which is only our web server – no other XenApp 6 roles installed. Users can authenticate and display the page with published desktops/applications but cannot launch anything. No other links on the page open a new web page, either – Messaging tab, Preferences tab, etc.

    Tried finishing tutorial install and configured IIS site for SSL. Same result. After installing CSG, HTTPS URLs fail, but HTTP URLs open the authentication page (kind of backwards from what CSG is supposed to be doing, I thought)

    Not sure where to go from here, but do need the WI working.

    • December 2, 2010 at 5:34 am

      Hi Rick,

      When you are testing clients connecting to the WI initially, is your WI located on the same LAN as you XenApp server or in a DMZ? Also where are your connecting clients located?

      Most commonly for me difficulties like this arise from firewall configurations. One option starting off would be to set up a test environment with clients, WI, and XenApp all on the same LAN. Then you could verify that a network router or firewall is not filtering TCP/IP traffic and preventing the apps from launching. Also it is possible that the Windows host firewall on the WI is interfering with the connection process, although in my experience the WI installation has automatically configured the necessary rules.



      • Rick
        December 12, 2010 at 8:39 pm

        The servers and clients are all located in the same LAN. Firewalls are disabled on the servers and clients.

        I had gone back and uninstalled/reinstalled WI 5.3 and got this working for HTTP. Authenticates and launches published desktop/applications.

        However, after reinstalling CSG, the same issue comes up – HTTPS access does not open the authentication page, but rather the ‘Under Construction’ page while HTTP access opens the authentication page.

  18. Michael M
    December 21, 2010 at 5:08 pm

    On the Xen6 server, does it make sense that ctxsta.dll is in the system32 folder, when it says it should be scripts/ctxsta.dll? I’m curious because tomorrow night i’m going to move the STA to our xen6 servers, and decomission our 4.0 servers. Thanks.

    • December 22, 2010 at 5:39 am

      Hi Michael,

      I am running XenApp 4.5 and XenApp 6 and the ctxsta.dll is located in the same location for both (c:\program files\citrix\system32), aside from the difference on the 32-bit and 64-bit platforms with Program Files and Program Files (x86). I’m not exactly sure how the secure gateway reads the path to the STA DLL, but /scripts/ctxsta.dll works for me on XenApp 6.

      Best Wishes,


  19. Michael M
    December 22, 2010 at 9:01 pm

    Thanks Aaron,

    I’m taking down my network in an hour, and am just trying to put my ducks in a row. I appreciate you responding; I think I’m good to go, we will see.

  20. Michael M
    December 22, 2010 at 9:10 pm

    I moved it and get “protocol driver error” when I try to launch a published app.

  21. Michael M
    December 22, 2010 at 9:42 pm

    The issue I had was that I had to update it in the Web Interface as well as Secure Gateway. Thanks for your documentation, awesome Aaron.

    • December 23, 2010 at 1:25 am

      Good point about updating the Web Interface as well as the Secure Gateway, Michael. Glad everything worked out.

  22. Jim K
    December 30, 2010 at 3:49 pm

    Hi Aaron,

    I can get an application like notepad to open fine but when I try to open a desktop, I get SSL error 59, basically saying that the internal DNS name (myserver.myschool.local) doesn’t match the public certificate (home.myschool.org); which it doesn’t.

    I have all the services installed on one machine and seemingly working except for this. This installation (XA6 and WI 5.3) is for remote access only, not for internal use. Your documentation was awesome, I’m just not sure what I did wrong.

    Thanks for any ideas you may have.


    • January 1, 2011 at 8:41 pm

      Hi Jim,

      That is very strange because there shouldn’t be a functional difference between publishing a desktop and an application. I can tell you that in my environment I am publishing to the Internet with a publicly available DNS name (with a matching certificate) and my servers have a different private DNS name. I have separate XenApp and CSG/WI servers though but I wouldn’t think that would make a difference.

      When you get the error are you accessing using a URL with the public DNS name, correct?

      Best Wishes,
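A client-side check for the mismatch Jim describes, added by the editor and not code from the original post. It fetches the certificate the CSG presents on 443 and reports whether the public name clients type is covered by the CN or a Subject Alternative Name entry (including a one-label wildcard), and whether this client trusts the issuing chain, which is the other cause raised earlier in this thread for SSL errors on a domain-CA certificate. The public name is taken from the comment above as an assumption; substitute your own.

```powershell
# Added example, not from the original post. Run from any Windows client that can
# reach the CSG (PowerShell 2.0 or later). Assumption: $PublicName is the name users
# type into their browser; home.myschool.org is borrowed from the comment above.
$PublicName = 'home.myschool.org'
$Port       = 443

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    # Complete a TLS handshake and hand back the server certificate. Validation is
    # disabled for the handshake only so that we can inspect a bad cert instead of
    # getting an exception; the explicit checks below do the real work.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every DNS entry in the SAN extension (OID 2.5.29.17), which is
    # where a UCC certificate carries its extra names. Format() is locale dependent;
    # 'DNS Name=' is what English Windows emits.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            foreach ($m in [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)')) {
                $names += $m.Groups[1].Value
            }
        }
    }
    $names | Select-Object -Unique
}

function Test-CertificateName {
    param([string[]]$Names, [string]$HostName)
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one label: *.myschool.org matches home.myschool.org
        # but neither myschool.org nor a.b.myschool.org.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$cert  = Get-RemoteCertificate -HostName $PublicName -Port $Port
$names = Get-CertificateDnsNames -Cert $cert
New-Object PSObject -Property @{
    Subject      = $cert.Subject
    Names        = ($names -join ', ')
    NameMatches  = Test-CertificateName -Names $names -HostName $PublicName   # false: name-mismatch SSL error
    ChainTrusted = $cert.Verify()   # false: this client lacks the issuing (domain) CA root
    Expires      = $cert.NotAfter
}
```

NameMatches false with a correct certificate on the gateway usually means the ICA file points at a different name than the one the certificate was issued for; compare the address in a saved ICA file against the Names column. ChainTrusted false on an internal-CA certificate is fixed either by importing that CA's root into the client's trusted root store or by moving to a public CA, as the author did.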


  23. Ilya
    January 24, 2011 at 4:59 pm

    I am using 2 separate servers. 1 for WI and 1 for CSG. I also have my own CA server. I am getting the following error when trying to launch an app from WI: “The Citrix SSL server you have selected is not accepting connections.”

    How do I properly configure this? How do I create an SSL cert that will match on WI and CSG?

    Thank you.

    • January 25, 2011 at 3:50 am

      Hi Ilya,

      In my experience I have only set up environments where CSG and WI are installed on the same server(s). Is there any reason in particular that you do not want to have WI also installed on the CSG?

      One thing to check would be the configuration of the WI with how it forwards client connections. You may need to configure an additional Gateway Direct option under Secure Access for your external clients.

      I am not sure if you need a cert that matches both servers but if you do you’d need to create a UCC or wildcard cert. I can’t remember if Win 2003 CA is capable of this out of the box, but I’m pretty sure 2008 is.

      Best Wishes,


      • Ilya
        January 25, 2011 at 1:39 pm

        We just wanted to keep things segregated in case something goes wrong with one of the servers. I read in the admin guide that it shouldn’t be an issue to have 2 separate servers.

        I was able to resolve the previous SSL error; everything is working internally and I do see the sessions in CSG when I connect through the WI.

        But now when I launch an application externally I get the following SSL error: “SSL error 47: An unclassified SSL network error occurred. (error code: error:140770FC:lib(20):func(119):reason(252))”

        any ideas? :(

      • Ilya
        January 25, 2011 at 7:14 pm

        My environment:

        1. Server 2008 R2 running WI 5.3 (CITRIXWEB.domain.com)
        2. separate Server 2008 R2 running CSG 3.2 (CSG.domain.com)
        3. Both of the above servers have a certificate assigned from local CA
        4. We have 2 XenApp 6 servers
        5. Internally everything works fine. I see sessions in CSG.
        6. Users connect externally through URL: https://citrix.domain.com
        7. Externally, when I try to launch an application from WI i get the following error:

        SSL Error 47: An unclassified SSL network error occurred. (err code: error:140770FC:lib(20):func(119):reason(252))

  24. nopatiencetoday
    January 29, 2011 at 3:10 am

    Hi Aaron – your documentation saved my project! I was 3 days into rebuilding xenapp6 half a dozen times when I found your articles. After following through them once, both internal and external access (including SSL cert) were all up and running! The only difference is that because we had IIS installed first, XML is sharing port 80. I can’t figure a way back from that but it’s working. I am just stuck on this one last (and probably the biggest) problem. We have 1 xenapp6 server hosting the site, gateway and xenapp roles. We plan to add a second xenapp6 server to the farm once we are 100% online. We can access the site internally and launch applications. We can access the site externally but when we launch applications we get the “There is no Citrix XenApp server configured on the specified address” error. netstat shows a connection to my internal address – so it doesn’t look like routing is configured. I have gateway direct set up, and followed your directions but am stuck! We do not have the server behind a DMZ (future plans to but not right now – they’re VMs). I would really appreciate your help and thoughts. Thanks!

    • nopatiencetoday
      January 29, 2011 at 4:42 pm

      Just an update – when I save the ICA file to my desktop externally, the IP address shows the internal address. If I change that address to show my external address, I can launch applications. Help! What am I doing wrong? I need to find the source of whatever is putting that IP address in and just change it… sounds so easy… any help much appreciated! Let me know what else you need for info. We’re just a small company with only 10 Citrix users remotely – we don’t want to use the DMZ port.

      • January 31, 2011 at 3:23 am

        Hi nopatience,

        For your testing with internal clients connections, are you using HTTP or HTTPS to connect to the Web Interface page? Also, are you using different domain names to connect internally and externally? Having the IIS and the XML service sharing port 80 shouldn’t make a difference with the problems you are describing, as long as you have specified the default of port 80 when configuring the STA in the Web Interface and the Secure Gateway configs.

        Best Wishes, Aaron

  25. Ron P
    February 6, 2011 at 1:20 am

    Hi Aaron, Great resource. Thanks for the visual. I’m stuck on the CSG, maybe you can point me in the right direction. WI and CSG installed on my webserver. Prior to installing CSG 3.2 I verified I could access the login page using http and https. After installing CSG I can access the login page using http://webaddress and https://webaddress:444, however when I try to connect using https://webaddress I receive Not Found HTTP Error 404. The requested resource is not found. Configured as specified in your article but must have missed something. I have it installed using 2 IPs on one NIC for testing. The xenapp website is configured to a single IP instead of All Unassigned. Wildcard cert and using Gateway Indirect for secure access in the WI. Any assistance you can provide is greatly appreciated.

    • February 7, 2011 at 4:30 am

      Hi Ron,

      If you cannot access the WI website on HTTPS there is something wrong with the CSG service, since this is what listens on the default HTTPS/443 socket. I would check that the CSG service is running in the Services MMC as well as check the Secure Gateway logs. Secure Gateway registers its own event log so I’d check there as well as the default Windows event logs. I am not sure if it would be related to having 2 NICs in your machine since I haven’t set one up in this manner, but more than likely not.

      Best Wishes,

    • William
      February 18, 2011 at 2:24 am


      I am having this same issue. I can only access the secure site if I qualify it with https://sitename:444/citrix/xenapp. Any other ideas are greatly appreciated. I have spent almost a week working on this. I have worked with Server 2003 and CSG 3.1. This is my first rendezvous with XEN 6. Your help is greatly appreciated.

  26. Ron P
    February 7, 2011 at 5:36 pm

    Hi Aaron,
    Thanks for the response. Added All Unassigned to the binding. Now I can get the login screen. Getting SSL server not accepting connections when running remoteapp and see bad ticket in the CSG logs. Reselected the STA and updated WI but still get the error. I’ll continue troubleshooting.
    Thanks again,

  27. makeitwork
    February 10, 2011 at 10:50 pm


    Great writeup! I was able to set this up in no time. Everything works internally. Externally, I can get to the WI/CSG and log on, but I cannot launch any applications. I get the error “Citrix SSL Relay name could not be resolved (SSL error 40)”. Seems like a DNS issue, so I modified the external machine’s hosts file so it can resolve my WI/CSG machine and voila, the app launches and works fine. So my question is, how do I get my DMZ WI/CSG machine to be a known presence on the internet, so that any client can resolve it? I named my WI/CSG in the same manner as your guide, i.e. wicsg.test.local. I also have a DynDNS address set up for the DHCP address. I can’t really register a *.local domain, so how can I accomplish this? I’d appreciate any pointers on how this is accomplished. I am a newbie with this web thing. Thanks.

    • February 15, 2011 at 5:19 am


      It sounds to me as though you are using a certificate on your CSG/WI that you have created with an internal certificate authority. If so, your external clients wouldn’t be able to resolve the host/domain name without editing the hosts file as you mentioned. Basically your options are:

      1) Obtain a certificate that matches a domain name that you have registered publicly. For this to work it needs to be a domain that you control at the root level (subdomains from DynDNS won’t work). StartCom offers free personal certificates and cheap UCC/wildcard certs that can be used for more than one host name.

      2) Use a certificate signed by an internal CA that matches your DynDNS address and export this certificate to your external clients. This solution isn’t very scalable and would require significant maintenance if you have a lot of clients.

      Best Wishes,


  28. omnimod
    February 20, 2011 at 7:09 pm

    Aaron, thanks a lot for your post.

  29. Jahn Ray
    March 4, 2011 at 7:09 am

    Hi, Aaron…

    Reading through the comments and suggestions helped me finish my CSG and WI configuration. However, I would like to know if it is possible, instead of connecting directly to the CSG server to access my apps and desktops, to set up a Linux-based reverse proxy so that users connect to it, then to the CSG, then to the WI…

    It’s like this:

    Client(Internet) -> Reverse Proxy(Linux Based) -> CSG -> WI

    Reverse Proxy and CSG in DMZ.

    We have many other web applications in our company and we want all user access from outside pass through that Reverse Proxy.

    Thank you.

    • March 5, 2011 at 9:19 pm

      Hi Jahn,

      At the moment I run Linux hosts with Haproxy/keepalived as load balancers/reverse proxies for my CSG servers. In my environment I have a dedicated virtual IP address on the load balancers forwarding port 443 to the CSG servers, and clients are able to connect to XenApp without problems.

      Best Wishes,


      • Jahn Ray
        March 6, 2011 at 1:23 am

        Hi Aaron,

        Can I ask how you configured your CSG and Web Interface? Do your clients connect to your XenApp using the reverse proxy’s URL?

        For the certificate, what certificate will the clients use? Is it the reverse proxy certificate or the root certificate?

        I can actually access my WI and authenticate but the desktop won’t display on the client’s computer….

        Hope you can share some idea…

        Thank you…

      • March 6, 2011 at 2:20 am

        I use a separate domain name for my Citrix clients to connect to, but in DNS it is set to resolve to the virtual IP on the load balancers. Then on the proxies I have a rule that maps the virtual IP and port 443 to my CSG servers. So basically it is a matter of getting DNS set properly.

        Also I am using an SSL certificate with a common name matching the Citrix specific domain name. In my environment I didn’t need to configure anything on the proxies for SSL, basically I am just transparently forwarding the SSL requests on to the CSGs and decryption happens there. Of course if SSL is terminated at the proxy there would be more configuration involved. I tried to set up Haproxy with Stunnel to accomplish this at one point but I could never get it to function correctly.

        Hope that helps some, Jahn.


  30. Jahn Ray
    March 6, 2011 at 2:43 am

    Thanks Aaron, appreciate it.

    I will check how the other reverse proxy is working, because the guy who set it up says that when a user connects to the Web Interface through the reverse proxy, packets are passed up to the virtual machine and the machine can be started, but when the DDC replies to the request, the packets only get as far as the CSG and do not pass to the reverse proxy.

    In my WI I actually set access to Gateway Translated.

    Thank you…

  31. Nathan Pinko
    March 27, 2011 at 3:46 am

    That post got you pretty busy :-) Thanks for creating it, I was able to follow it and configure it all with no issues. I do have one question and forgive me if it was already answered above.
    Right now, after all is done, to reach the site from the client browser it’s https://domainname.com/Citrix/XenApp . I’d like to be able to simply type domainname.com and get redirected to https://domainname.com/Citrix/XenApp
    I know, it will come from my users that the link is too long…

    It must be some simple redirector, I hope.

    Thanks again

    • March 28, 2011 at 4:08 am

      Hi Nathan,

      Good point, keep it as simple as possible I say. What you are looking for is an HTML redirect. So basically create a file such as “c:\inetpub\wwwroot\index.htm” and make its contents something like this (make sure the meta tag is placed in between the head tags):

      <meta http-equiv="refresh" content="0;url=https://domainname.com/citrix/xenapp/">

      Best Wishes,


  32. Joshua Post
    April 1, 2011 at 4:08 pm

    This was very helpful. Thank you for providing it.

  33. Jen L
    April 13, 2011 at 7:23 pm

    Hi Aaron,

    Thanks so much for this great write-up. You helped me stand up a Citrix environment with no previous experience.

    If I could trouble you with a follow-up question. I am trying to make applications available via Citrix Receiver for iPad. I established a XenApp Services site, which lets me log on and shows me icons…but when I click on published apps, I get “Please wait…” and then it times out without error. Any ideas on what I may be doing wrong? Thanks so much.

    • April 14, 2011 at 4:12 am

      Hi Jen,

      While I don’t have any experience with the receiver on the iPad let me try and offer a few possibilities. I have experienced issues getting the published apps to start when there are problems with Citrix licensing. Also I have had similar issues when I attempted to access an app that was only published on a XenApp server that was down at the time, so you may want to double check that everything is connected and running properly. Also you may want to test with other types of clients to verify if it is something more general or just specific to the iPad receiver.

      One other possibility, if you are running through the Secure Gateway, is with the SSL certificate you may be using: the cert of the Certificate Authority may not be available by default on the iPad and you may need to import it from somewhere else, perhaps your browser directory. I have encountered this issue on OS X and Linux clients, while on the Windows clients it was either included with the OS or it was imported automatically. But in this case I always received an error about the SSL certificate not being trusted.

      Best Wishes,


      • Jen L
        April 14, 2011 at 2:06 pm

        I think something is amiss in my XenApp Services Site. But I have it working correctly via the client Online Plug-In, so I am not sure what I have missed. I will keep investigating and see what I can come up with.

        Thanks again for the great write-up.

  34. Art
    April 14, 2011 at 10:26 pm

    We are currently having a slowness issue when launching an application from the WI/CSG that is connected to the DMZ, but if we launch the application through the internal Web Interface the application launches fast. Any idea how to fix the problem? I appreciate your help.


  35. dimo
    May 11, 2011 at 9:45 pm

    Thank you! What Citrix couldn’t or wouldn’t want to provide, you did! Great job!

  36. Robert
    May 28, 2011 at 8:48 am

    Hi Aaron,
    Great job! Your posts are perfect.

    I started from them to deploy my WI/SCG on the same server.

    I found a problem because I need to have 2 WIs: 1 for internal users at http://servername.company.local/…. and 1 for external web users, which should respond at https://publicname.company.com/….
    I have 2 network cards with 2 different static IP.
    The first IP is for internal web interface only and the second IP is NATted with the public IP address for external web interface on 443 port.

    The server is Windows2003R2 and it’s for WI/SCG only.
    IIS has, other than the default web site (not in use), the 2 sites “internal access” and “external access”. Both with TCP port 80, and the second site (external access) with SSL port 444.
    I bought a CA certificate for external access only, assigned to https://publicname.company.com/

    Internal users can connect and use both WI and PNagent connections using the WI “internal access” http://servername.company.local/……
    External users are not able to connect.

    I suppose that the public server name is not resolved on the internal servers and on the WI/CSG server.

    Did you ever try this scenario (2 WIs, internal and external, and 1 CSG on the same server)? Any idea how to fix it?

    Thanks for all your job Aaron.

    All the best

    • May 29, 2011 at 4:10 am

      Hi Robert,

      Actually I have never set up two Web Interface sites with 1 CSG on the same machine. I don’t believe that it is necessary to have 2 WI sites in your scenario; in the Web Interface site properties there are options available to differentiate between internally and externally connecting clients. In particular, you can identify your internal clients by the source IP subnet to connect “Direct” and all traffic from all other subnets (your external clients) to connect via “Gateway Direct”. You should be able to specify all other subnets by setting Gateway Direct as the default option. This way the internal clients could connect to the WI/CSG server with HTTP/80 and would subsequently connect directly to the XenApp server on 1494 or 2598 when they start an application. The external clients could connect through CSG on HTTPS/443 and when they start an app all their traffic to the XenApp server would still be tunnelled to the CSG/WI through HTTPS.

      Another option that you have is for all of your clients to connect through HTTPS to the same domain name. You could configure your internal DNS servers with the internally accessible DNS address of the WI/CSG for the internal clients, and keep your external clients connecting to the DNS configuration out on the internet as you have it now, to your publicly accessible IP address. Be careful with this though, because you will need more CPU resources for all the HTTPS encryption of your internal client connections (particularly if most of your clients are inside). You could also share the domain name between internal/external clients (with the DNS config as mentioned) but still keep them connecting differently by HTTP/HTTPS if you wish.

      In our environment we run distinct sets of servers. CSG/WI in our DMZ for external clients, and WI on the internal server LAN for the internal clients. IMHO this is the preferred option. That is, if you have the Windows server licenses and computer resources available.



  37. Jack
    May 31, 2011 at 6:00 pm

    Hi Aaron,
    I am trying to set up a WI and Secure Gateway on a single Server 2008 R2. This is just for testing purposes and the server is internal, not in a DMZ.
    I am able to launch the application if I set the secure access as “Direct”. If I set the secure access as “Gateway direct” I get an “SSL Error 61: You have not chosen to trust “server. XYZ.loca”, the issuer of the server’s security certificate.”

    • June 1, 2011 at 12:27 am

      Hi Jack,

      What operating system are the clients on? I have run into an error message like this with Mac OS X and Linux clients, the Citrix Receiver does not have as comprehensive a list of trusted CA certs and intermediate certs (if used) by default as Windows. The solution to this for me was to copy the CA and intermediate cert .crt files into “/usr/lib/ICAClient/keystore/cacerts” (Linux) or “/Applications/Citrix ICA Client/keystore/cacerts” (OS X). On Windows I didn’t have this issue because the Windows/Internet Explorer has more CAs included and will automatically retrieve intermediate certs if needed to allow a cert chain.

      If your OS is Windows I am unsure what the issue might be. You will want to make sure the URL that users enter and the common name on the certificate match exactly, although if you are able to access the web interface site with HTTPS without error that shouldn’t be the issue.

      Best Wishes,


  38. Jack
    June 1, 2011 at 7:32 pm

    The OS is Windows XP. I recreated the CA and the issue was resolved.

    Now, after clicking the application, it tries to launch the application and after a few moments I get an error: “Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. Protocol Driver error.”

    • Jack
      June 22, 2011 at 7:43 am

      Hi Aaron,
      I have my XenApp website up and I am able to launch the application from the WI/Secure Gateway. I also created a XenApp Services site on the same server, which I am having a problem with.
      From the Citrix Web Interface management console, I am able to create the XenApp Services site. But I am unable to connect from the Citrix Online Plugin. I am getting this error: “Citrix XenApp could not contact the server entered. This may be because the server is down, there is an error in the configuration file from the server, or the details entered are incorrect. Please try again.” I have noticed that the virtual directories are not created in IIS 7 for the pnagent. I have created the virtual directories for the pnagent, but still no luck.
      Please help.

  39. Jack
    June 1, 2011 at 11:04 pm

    Got it resolved.. it was an incorrect port setting on Web interface in secure access setting under Specify Gateway setting, port 443. Thanks Aaron

    • June 2, 2011 at 12:09 am

      Glad you got it figured out, Jack. Thanks for following up!

  40. Grant
    July 12, 2011 at 5:23 pm

    Hi there, I’ve installed WI and CSG according to your tutorial.

    However, as the WI and CSG are installed on an IIS web server that is hosting another SSL website, we bought a wildcard cert from GoDaddy.

    WI is on “domain2.abc.com”
    Other site is on “domain1.abc.com”

    Problem is, when we use WI or Citrix Receiver to launch a published app, an error message like this pops up and the app is never able to launch:

    “SSL Error 59: The server sent a security certificate identifying “domain1.abc.com”, the SSL connections were to “domain2.abc.com””

    Am I having some wrong configuration or WI itself does not support wildcard cert. configuration?

    Many thanks!

    • Jen L
      July 12, 2011 at 5:43 pm

      Grant, I just went through some problems with Receiver that warranted a call to Citrix support. The receiver won’t support the wildcard cert. Mine was purchased through DigiCert, and they gave me a non-wildcard cert free of charge. Hopefully GoDaddy will do the same thing to help you.

      • Grant
        July 12, 2011 at 6:53 pm

        Hi Jen, not just the receiver having the problem, but same when accessing through WI :(
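The SSL Error 59 Grant quotes is a hostname check failing: the name the client connected to is not among the names on the certificate the server presented. As an added illustration (not code from the post, its author or Citrix), the following Python implements the comparison a TLS client performs, including the one-label wildcard rule, so the difference between a certificate issued for domain1.abc.com and one issued for *.abc.com can be seen directly. The two certificate dictionaries are constructed for the example and follow the structure Python's ssl.getpeercert() returns; the hostnames are the ones from Grant's comment.

```python
"""Hostname-vs-certificate name check, the test behind Citrix SSL Error 59.

Added example, not code from the post or from Citrix. The certificate
dictionaries are constructed and mirror the shape of ssl.getpeercert().
"""


def dns_names_from_cert(cert):
    """Collect the DNS names a certificate asserts.

    subjectAltName DNS entries win; the subject commonName is only a
    fallback when the certificate carries no DNS SANs at all (RFC 6125).
    """
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    Exact names must be equal (case-insensitive). A wildcard is honoured
    only as the entire leftmost label and covers exactly one label:
    "*.abc.com" matches "domain2.abc.com" but not "abc.com" or "a.b.abc.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # wildcard allowed only as the whole leftmost label
    if len(p_labels) < 3 or len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # no "*.com" style patterns; one label, non-empty
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """True when any name on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in dns_names_from_cert(cert))


def diagnose(cert, hostname):
    """Human-readable verdict, worded like the error the Receiver reports."""
    if cert_matches_host(cert, hostname):
        return f"OK: certificate covers {hostname}"
    ident = ", ".join(dns_names_from_cert(cert)) or "<no DNS names>"
    return (f"SSL Error 59: The server sent a security certificate identifying "
            f"{ident}, the SSL connection was to {hostname}")


# Constructed certificates for the two situations discussed in the thread.
CERT_DOMAIN1 = {  # single-name certificate bound to the other IIS site
    "subject": ((("commonName", "domain1.abc.com"),),),
    "subjectAltName": (("DNS", "domain1.abc.com"),),
}
CERT_WILDCARD = {  # wildcard certificate, apex name included as a SAN
    "subject": ((("commonName", "*.abc.com"),),),
    "subjectAltName": (("DNS", "*.abc.com"), ("DNS", "abc.com")),
}

if __name__ == "__main__":
    print(diagnose(CERT_DOMAIN1, "domain2.abc.com"))      # the mismatch Grant saw
    print(diagnose(CERT_WILDCARD, "domain2.abc.com"))     # wildcard covers it
    print(diagnose(CERT_WILDCARD, "sub.domain2.abc.com")) # one label only
```

The first verdict is the situation in the error text: the server answered with the certificate of the other site, so the fix belongs on the server's HTTPS binding rather than on the client. The third shows the limit of a wildcard, which covers one label only, a point worth checking before relying on one certificate for several hostnames.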

  41. Clemens
    August 8, 2011 at 5:00 am

    Hi Aaron
    Thanks for that. I had to install WI and CSG on a 2008R2 box only hosting these components.
    I want to put emphasis on the need to go through the “MAIN Install” routine offered by the XA6 installation media rather than using the “Install Components” or the standalone installers. These do not install the role services as required and you run into strange issues with IIS7. Once I read your article, I checked Roles and Features on my 2008R2 box, ran back to my snapshot on ESXi, and reinstalled both components from the main dialogue as suggested in your article!
    I’m a bit disappointed about that though. Citrix should put some hints into the Install Dialogues..

    Cheers Clemens

  42. Dave
    August 18, 2011 at 7:50 pm


    First off, thanks for helping those of us who need to be hand-held through installs. :)

    I’ve re-run through my setup(s) to try and see where my problem lies and I still cannot find it. I have a XenApp 6 server (citrix1) and another server that I want to host the WI and CSG services (actual name web1, but it has a DNS record and SSL cert for citrix). My goal is to have users type citrix.domain.tld in the browser (or in pad, etc.) and have everything go happily through 443. Currently I can log into the Web Interface and get a list of apps, but when I try to launch them the details show it is trying to log into the internal IP and 1494. Normally in a single server environment I would expect to just change the WI secure access to alternate and use altaddr to add my public IP.

    I have the WI/CSG server currently set to Gateway Direct as default and Direct as default on my citrix1 server. One, of course, the IP it is connecting to is wrong and two, the port is wrong. What info can I give you to help me figure this one out?

    • Dave
      December 5, 2011 at 8:13 pm

      I still have this issue. If I set up a VPN to effectively log in from the ‘inside’ it works fine. Whenever I try to connect from the outside I always get info for my internal IPs and port 1494, not the external IP and 443.

      Anyone have ideas of what I can try?

  43. Cordt
    September 14, 2011 at 1:39 am

    Hi Aaron,

    I’m trying to get all traffic to use port 443. We have some very secure areas and the use of other ports is ….. not encouraged. Is there any way to have all traffic use only 443? If so, what are the steps?



    • September 14, 2011 at 2:58 am

      Hi Cordt,

      Absolutely it is possible to use SSL/TLS 443 all the way from client > Secure Gateway/Web Interface > XenApp server to achieve full end to end encryption. I’ve done this recently in my environment. First you would need to configure SSL Relay on the XenApp server, and configure SG/WI to use SSL for the XML service that authenticates and enumerates the list of published applications. I was working on a guide for this but got interrupted ATM. Second you would need to publish applications/desktops with the option to enable SSL and TLS protocols, this is found in the Citrix management console inside the properties for each application. Hope that helps some and I’ll see if I can get around to publishing that SSL relay article.

      Best Wishes,


  44. Bob Brumm
    October 19, 2011 at 12:28 pm

    Having a similar issue. I have two CSG 3.3 and WI 5.4 servers on Windows 2008 R2 in a DMZ. Server #1 can connect to the STA on the XenApp 6.5 server and users can connect, see applications and connect to applications. Server #2 has issues. Users get a login error before seeing applications.

    I noticed the Citrix Secure Gateway service was not started on server #2, tried to start it and received the error “Windows cannot start Citrix Secure Gateway on Server #2 … Server specific error code #1”. The CSG service is set on both servers to log on as Network Service.

    What could be the difference with two servers built the same with same f/w rules etc.?

  45. November 18, 2011 at 7:19 am

    I don’t disagree with this writing!!!

  46. C1XX2
    November 28, 2011 at 2:45 pm

    I have set up XenApp as per the tutorial. I have CSG running and can access this externally…. I can log in and see the published apps etc. but receive this message when launching an application: “Citrix SSL Server Can not be reached”. I have made sure all ports are open on the firewall, i.e. 1494, 443, 80.

    Any ideas?

  47. Unknown
    December 15, 2011 at 5:55 am

    Hi Anyone, everyone

    I have set up Secure Gateway and Web Interface using Gateway Direct on 1 server. I am able to access the site externally and see all the published applications. If session reliability is enabled (gateway settings on WI) I am unable to launch the app. The error the client sees is “cannot connect to the citrix Xenapp server. Protocol driver error”.
    When session reliability is unchecked then I am able to launch the app. I am using the latest client. SG 3.2.1, WI 5.4. Any ideas?

  48. jdough90210@gmail.com
    February 3, 2012 at 6:13 am

    Followed this article and am getting the following error when external users log in and click on a published app: “Unable to launch your application. Contact your help desk with the following information; Cannot connect to the Citrix XenApp server. There is no Citrix XenApp server configured on the specified address”.

    Internal users log into the SG/WI on the internal IP address and can launch apps with no problem.

    Anyone know what can be causing this?

  49. March 2, 2012 at 2:34 pm


    All works well for me, have configured my system to use SSL for logon. Only problem I have is:
    – Internally launching an app on Xenapp6 takes 10 seconds (Good)
    – Going through the web gateway takes 40 seconds to load the same app which uses the same backend xenapp 6 server. (Bad)

    It’s not bandwidth; the same effect is seen using the CSG from internally in the office or from home over 10Mb cable broadband.

    Gateway direct
    443 TCP Internet > CSG
    1494 TCP CSG > Xenapp 2 x servers
    8080 TCP CSG > Xenapp 2 x servers

    Secure gateway v3.2.0

    Secure Gateway config is set as IP address against port 443 secured (set as IP address to avert the issue where a reboot requires reconfig of your Secure Gateway; there’s a CTX article ref that). Doing this allows the gateway to function post reboot without going back through the config.

    Xenapp 6 behind firewall is on Rollup 1.

    Any thoughts on this?



  50. March 5, 2012 at 10:02 am

    I fixed my problem:
    One of the possible causes is if the WI server cannot resolve the XenApp server’s hostname or FQDN even if it’s listed in the Server Farm list by IP address.

    Try adding entries to the hosts file if the WI server is unable to resolve the IP addresses to the hostname/FQDN of the XenApp/Presentation servers.

    Found this on Citrix forum, effectively going through your secure gateway config, reference your Xenapp servers by name & not IP, obviously you’ll need to use a hosts file, hope this helps someone else :)

  51. JK
    March 28, 2012 at 1:05 pm

    Very nice document. I want to say thanks to you. All steps are very clear and very useful. Thanks.

  52. Cesar
    March 29, 2012 at 4:49 am

    I am new to Citrix. I’m setting up a XenApp server on the internal LAN and a SG and WI on 1 server in a single hop DMZ. I was wondering how many certificates I need for the Citrix infrastructure? Also, I’m getting the error “The specified STA cannot be contacted” from the SG/WI server. Is that because I don’t have my certificates in place?



  53. June 13, 2012 at 10:29 am

    I have one doubt: basically my application servers are Linux and Solaris based. Is it possible to publish the applications from these application servers through XenApp 6.5? If it is possible, how is it done?

  54. AUSSUpport
    June 28, 2012 at 12:56 am

    Is using WI without Citrix Secure Gateway not secure?
    What is the difference with the CSG?


  55. Justin
    July 2, 2012 at 4:37 pm

    Thanks a ton for this write-up Aaron! It was very helpful to me in establishing my own single server setup. One thing I’d like to note is that when securing the access on the XenApp websites, I was getting SSL Relay error 40 constantly. I did a ton of troubleshooting, but believe it or not, turning ON session reliability actually stopped the error from occurring. I just finished a test from an external PC, and I’m actually routing through the CSG and able to run apps. Again, thanks a TON for the write-up! (I accidentally posted this on another of your write-ups!)

  56. Satya
    July 27, 2012 at 4:37 am

    How do I load balance Web Interface servers?

  57. Ami
    August 1, 2012 at 12:46 pm


    Does anyone have a WI / CSG / Microsoft DirectAccess combination? What is the right way to do that?

    Another question is how do I make a DNS alias (for example dns.domain.com) the default page for WI, so that when I go to that address, it goes to my WI page? Sorry, my bad English…

  58. September 28, 2012 at 11:55 pm

    Dude, you are the MAN for putting together this post!! Just saved me a ton. Thanks a lot. Anytime you are in Orange County CA I would gladly buy you a beer

  59. October 22, 2012 at 3:27 pm

    Aaron, I have followed this doc to a tee, and I am getting the following error when I try and launch the application once logged into the URL https://securegate.dom

    “An error occurred while making the requested connection”

    If I change the settings to direct instead of gateway direct I can access the applications from internal address but not from external..

  60. oren
    November 26, 2012 at 9:42 am

    Hello and thank you for the great manual

    After configuring the WI when I press the site preview I get a blank screen. The WI was installed on 2008 R2.


  61. December 19, 2012 at 10:23 pm

    Hi Ilya,
    I currently have an issue with Citrix SSL 47. Can you tell me how you fixed it?

    Thanks in advance
