Hi Al, CSG proxies the ICA connections, so your client only needs HTTPS access to the CSG server(s). The CSG server(s) require the following... - HTTP access to the STA servers, typically port 80, although it may be different in your environment - ICA (tcp 1494) access to all XenApp servers - CGP (tcp 2598) access to all XenApp servers, if using Session Reliability If your Web Interface is also on the same box, or in the DMZ, it requires... - HTTP access to the STA servers, typically port 80, although it may be different in your environment - HTTP access to the XML servers, typically port 80, although it may be different in your environment Some things may vary. But this is a typical deployment scenario. You should enable STA logging on the XenApp servers to help you work through this connectivity issue. This will help to identify firewall rules, ticketing issues, etc. Also, when you change IP Address of a CSG server, you also need to re-run the CSG Configuration Wizard. You don't need to make any changes, but you just need to run through it so that the settings are reinitialised, and re-written to the configuration files. Cheers, Jeremy. From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of alan tropper Sent: Friday, 12 February 2010 1:30 PM To: thin@xxxxxxxxxxxxx; Gardiner, Jeffrey (H USA) Subject: [THIN] Re: [SPAM] Re: Hello me again! Hi All, More info from checking my Citrix Secure Proxy server I can see connections in netstat to my citrix app servers using both ports 1494 and 2598 so Im guessing I don't need to open 2598 between client PC and the Citrix Secure Gateway, can anyone confirm this one way or another that client will talk to CSG using port 80/443 only and that when a XML connection has been made between client and app server then all communication is only sent over port 443? Cheers Al ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of alan tropper Sent: Friday, 12 February 2010 10:32 AM To: Gardiner, Jeffrey (H USA); thin@xxxxxxxxxxxxx Subject: [THIN] Re: [SPAM] Re: Hello me again! Hi Jeffrey, All citrix servers in my farm are running XenApp 4.5 R05, Win2003 Sp2. In the web interface config settings I have selected 3 STA servers from the farm, and in the Secure Gateway I have also selected the same servers for the STA connections. Cheers Al ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Gardiner, Jeffrey (H USA) Sent: Friday, 12 February 2010 9:50 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: [SPAM] Re: Hello me again! Alan, What version of XenApp is running on you ticketing server? ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of alan tropper Sent: Thursday, February 11, 2010 7:41 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: [SPAM] Re: Hello me again! Hi Andy, Firstly thanks for the reply! I tried turning off Session reliability from the farm settings but this didn't fix the issue as I was still getting the same errors as below from the CSG, however session reliability was still enabled on the web interface gateway settings, should I turn this off or do I need to open up port 2598 between my CSG, CSP & WI servers? Errors: Event ID 100 - Client IP sent bad ticket, connection dropped (Source Citrix Secure Gateway) (Cat: Ticketing) Event ID 103 Incoming citrix gateway protocol downstream data could not be processed (Source:Citrix Secure Gateway (Cat:CGP) I can also telnet using port 2598 to my citrix application servers from the WI server, is port 2598 used between the CSG, CSP & WI servers at all or is this communication traffic all on port 443 as I cannot connect to port 2598 between these servers at present? The strangest part is that the server is just a clone of the production server and has nothing of any difference apart from the WI versions so Im confused why one works and the other doesn't? Any input would be much appreciated from all J ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Andy Friar Sent: Thursday, 11 February 2010 10:29 PM To: thin@xxxxxxxxxxxxx Subject: [SPAM] [THIN] Re: Hello me again! Switch off Session reliability or ensure that the firewall rules are open. Rgds Andy ________________________________ ________________________________ ________________________________ Andy Friar Technical Consultant T 01260 292500 M 07720 470551 F 01260 292505 E Andy.Friar@xxxxxxxxxxx Novus Networks Ltd The Old Corn Mill Congleton Road Siddington Macclesfield SK11 9JR The information in this E-Mail is intended for the named recipients only. It may contain privileged and confidential information. If you are not the intended recipient you must not copy, distribute or take any action or place reliance on it. If you have received this E-Mail in error, please notify the sender immediately by using the E-Mail address and then delete the message. The views expressed in this message are personal and not necessarily those of Novus Networks. Company Reg No 3858005 Disclaimer added by CodeTwo Exchange Rules 2010 www.codetwo.com From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of alan tropper Sent: 11 February 2010 14:19 To: thin@xxxxxxxxxxxxx Subject: [THIN] Hello me again! Hi All, Im hoping someone can save the day with this issue! Basically I have a web interface server running WI4.5 and this hooks in to a Citrix Secure Proxy Server that talks to the Citrix Secure Gateway 3.1.1. I cloned the WI4.5 and upgraded to WI5.2 which looked great, I configured it to download latest client 'CitrixOnlinePlugin.' When I switched the clone to production for testing I ran the CSG diagnostics and all worked fine, although I had to re-join domain for WI clone. When I would run the old citrix client software I received an error when selecting a published application concerning a protocol error. When I ran the new client software and tried to connect to a published app I would not see any errors but would get errors as follows in the CSG logs: Event ID 100 - Client IP sent bad ticket, connection dropped (Source Citrix Secure Gateway) (Cat: Ticketing) Event ID 1-3 Incoming citrix gateway protocol downstream data could not be processed (Source:Citrix Secure Gateway (Cat:CGP) I tried to re-set the STA's in CSG3.1 and still no luck! When I dropped the clone and put my old WI4.5 server back online all worked again...any ideas to go on would be great?? Cheers Al ------------------------------------------------------------------------ ---- This message and any included attachments are from Siemens Medical Solutions and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to Central.SecurityOffice@xxxxxxxxxxx Thank you ##################################################################################### Confidentiality and Privilege Notice This document is intended solely for the named addressee. The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you. #####################################################################################