Try installing the Root CA on the client. Joe -----Original Message----- From: Daniel Schoppmann [mailto:dschoppmann@xxxxxx] Sent: Wednesday, January 08, 2003 2:13 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] SSL Problems with NFUSE/CSG Access from within a cooperate Network and via java client Hi List We have NFuse 1.71 / CSG 1.1 in DMZ with Certificates from Globalsign. All secured over 443. STA in Cooperate Network. From outside company network (internet) access via ICA-full and = webclient works perfect. Here the 2 problems we still have: 1. From inside the coorperate Network (the client has to traverse Proxy, Firewall, Router) it is not possible to open Metaframe apps. SSL error = 40 ! First of all I thought this doesn't matter for our network, because I = also have an internal NFUSE Server for access within the VPN. But know we = want to access our Metaframe server through our NFUSE in DMZ from other = companies cooperate networks (or Intranet or whatever the common name is) using = their Internet access way.(ASP) The NFuse "client side firewall" settings are set to "use proxy settings from Browser". No my question: I think all that is need to be open on the client side firewall is Port 80 and port 443. Am I right ? The first test we made from another companies network brought ssl error = 40. Any ideas ? Anyone made same experience from other companies network with such an = ASP like environment ? 2. As already said above, from outside company network (internet) access = via ICA-full and webclient works perfect. The Java Client doesn't work. It start and then brings an error sounds = like, that Translated from German: The security certificate of the server is not trustworthy. To allow = access to this server, you have to install the certificate "GlobalSign Root CA" Details shows: SslCertificateNotTrustedException. Issuer "GlobalSign Root CA" at com/citrix/sdk/security/exceptions/SslException.convert at com/citrix/sdk/security/ssl/SslOutputStream.write at com/citrix/sdk/security/socks/authentication/DefaultAuthenticator.beginSo= cks 5Handshake at com/citrix/sdk/security/socks/a/b.a at com/citrix/sdk/security/socks/a/b.b at com/citrix/sdk/security/socks/a/b.<init> at com/citrix/sdk/security/Socks5SocketFactory.createSocket at com/citrix/sdk/security/SocketFactory.createSocks5Socket at com/citrix/sdk/security/SocketFactory.createMultiplexedSslSocket at java/lang/reflect/Method.invoke at com/citrix/client/io/net/ip/x.b at com/citrix/client/io/net/ip/x.c at com/citrix/client/io/net/ip/x.a at com/citrix/client/io/net/ip/x.connect at com/citrix/client/io/net/ip/v.<init> at com/citrix/client/io/net/ip/v.<init> at com/citrix/client/module/td/tcp/TCPTransportDriver.q at com/citrix/client/module/td/TransportDriver.run I have already opened a call at citrix, but we already seem to have = checked everything. - Root and server Certs are installed on both CSG and NFUSE and remember, it works perfectly with local ica-clients. That is realy = crazy ! Is their perhaps a known issue with certificates from Globalsign ? I am wishufully waiting on some genious ideas !!! Ciao, Daniel dschoppmann@xxxxxx http://www.schoppmann.com/ Meer=E4ckerstr. 24 68163 Mannheim home: 0621/8191407 mobil:0172/6395617 ***********************************************=20 This Weeks Sponsor: WM Software WMS Messenger for TSE Affordable Instant Messaging for Terminal Servers http://www.wmsoftware.com/wmsm/ ************************************************ For Archives, to Unsubscribe, Subscribe or=20 set Digest or Vacation mode use the below link. http://thethin.net/citrixlist.cfm *********************************************** This Weeks Sponsor: WM Software WMS Messenger for TSE Affordable Instant Messaging for Terminal Servers http://www.wmsoftware.com/wmsm/ ************************************************ For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link. http://thethin.net/citrixlist.cfm