
XTE server service conflicts with external https site

Started by Gordon Suthorn , 19 June 2008 - 08:23 AM
21 replies to this topic

Gordon Suthorn Members

Gordon Suthorn
  • 8 posts

Posted 19 June 2008 - 08:23 AM

Having a problem with CAE v2.0 in that we are receiving email alerts subject: "Session reliability on server 'XXX' is not functioning". The suggested resolution is: "Restart the Citrix XTE Server service on the server". Manual start is unsuccessful, so we changed the startup type to automatic and restarted the server, which brings XTE back but the external https site goes down. To bring the external site back we have to disable XTE and restart the server. KB articles all seem to point to a conflict between XTE and IIS over port 443. IIS shows our default web site on port 80 and CAE external site on port 8080; running netstat on our server shows that CtxSGSvc.exe is listening on XXX:14940 and svchost.exe is listening on XXX:1056, so I can't see any port 443 conflict.

We want the session reliability features to help users on flaky internet connections but only get XTE started at the expense of the external secure site.

Can anyone help?



David Lloyd Citrix Employees

David Lloyd
  • 1,500 posts

Posted 19 June 2008 - 09:19 AM

Hi,

You should have a process called XTE.exe listening on port 2598 that is managing the session reliability.

The corresponding service is the "Citrix XTE Service" and is configured via c:\Program Files\Citrix\XTE\conf\httpd.conf

IIRC, this component is simply installed and started by Citrix Access Essentials and is never altered by Quickstart.

Regards,

David L



Gordon Suthorn Members

Gordon Suthorn
  • 8 posts

Posted 19 June 2008 - 03:04 PM

Thanks for your response David. Sorry to be dim but I can't see XTE.exe listening on port 2598, which is why I assume we are getting the automated emails advising that session reliability isn't working. The resolution suggested in the emails is "Restart the Citrix XTE Server service on the server 'XXX'". This service is set to manual but it won't start manually. The only way we have found to get it started is to change it to automatic and restart the server. This starts the service but the external secure site goes down. We would like our external secure site to work as well as session reliability - what would you suggest?

Regards,

Gordon.



David Lloyd Citrix Employees

David Lloyd
  • 1,500 posts

Posted 19 June 2008 - 03:20 PM

Hi,

Could you check and post the httpd.conf files in c:\Program Files\Citrix\XTE\conf and c:\Program Files\Citrix\Secure Gateway\conf\

These should be using the ports in a mutually exclusive fashion. The XTE one should read...

#Citrix_Begin
#Server Root Path
ServerRoot "C:\Program Files\Citrix\Secure Gateway\"
PidFile logs/xte.pid
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3

<IfModule mpm_winnt.c>
ThreadsPerChild 150
MaxRequestsPerChild 0
</IfModule>

ServerName localhost
MultiplexerHandshakeTimeout 100000

# Apache Modules
LoadModule access_module modules/mod_access.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# XTE Modules
LoadModule socks_module modules/mod_socks.so
LoadModule winevent_log_module modules/mod_winevent_log.so
LoadModule cgp_module modules/mod_cgp.so
LoadModule multiplexer_module modules/mod_multiplexer.so
LoadModule schannel_module modules/mod_schannel.so
LoadModule async_engine_module modules/mod_async_engine.so
LoadModule ticket_module modules/mod_ticket.so

AsyncWorkerThreadCount 0
RequireTicket Off

#CGP Listen Port
Listen 2598

#Max Disconnected Sessions
CgpMaxDisconnectedSessions 100

#Default ICA Local Address and Port Number
CgpDefaultIcaLocalPort 1494

#The length of the CGP cookie in bytes
CgpCookieLength 16

#Allow old clients to request for version 1 CGP cookie
CgpAllowVersionOneCookie On

CgpClientToServerKeepAlive 4000
CgpServerToClientKeepAlive 20000

#CGP Configuration
<VirtualHost *:2598>

#CGP Protocol State
CgpProtocol On

#Max TCP Channels Per Session
CgpTcpChannelsPerSession 50

#Disconnected Sessions Timeout (msec)
CgpInterruptedSessionTimeout 180000
CgpHandshakeTimeout 100000
CgpInterruptedSessionsThreadWakeupInterval 60000
<Location /destination/cgp>
Order Allow,Deny
Allow to 127.0.0.1:1494
</Location>

</VirtualHost>
#Citrix_End



Gordon Suthorn Members

Gordon Suthorn
  • 8 posts

Posted 19 June 2008 - 05:34 PM

httpd.conf in c:\Program Files\Citrix\XTE\conf reads...

#Citrix_Begin
#Server Root Path
ServerRoot "C:\Program Files\Citrix\XTE"
PidFile logs/xte.pid
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3

<IfModule mpm_winnt.c>
ThreadsPerChild 150
MaxRequestsPerChild 0
</IfModule>

ServerName localhost
MultiplexerHandshakeTimeout 100000

# Apache Modules
LoadModule access_module modules/mod_access.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# XTE Modules
LoadModule socks_module modules/mod_socks.so
LoadModule winevent_log_module modules/mod_winevent_log.so
LoadModule cgp_module modules/mod_cgp.so
LoadModule multiplexer_module modules/mod_multiplexer.so
LoadModule schannel_module modules/mod_schannel.so
LoadModule async_engine_module modules/mod_async_engine.so
LoadModule ticket_module modules/mod_ticket.so

AsyncWorkerThreadCount 0
RequireTicket Off

#SSL Relay Listening Port
Listen 443
ProtocolMultiplexer *:443
ProtocolSignature SOCKSV5 \005
ProtocolSignature CGP \032CGP

#CGP Listen Port
Listen 2598

#Max Disconnected Sessions
CgpMaxDisconnectedSessions 100

#Default ICA Local Address and Port Number
CgpDefaultIcaLocalPort 1494

#The length of the CGP cookie in bytes
CgpCookieLength 16

#Allow old clients to request for version 1 CGP cookie
CgpAllowVersionOneCookie On

CgpClientToServerKeepAlive 4000
CgpServerToClientKeepAlive 20000

#NameVirtualHost
NameVirtualHost *:443

#Http Proxy Configuration
<VirtualHost *:443>
ServerName www.ourdomain.net

#SSL Protocol Engine State
SSLEngine On

#Certificate hash or ID
SSLCertificateHash "/C=GB/ST=/L=/O=www.ourdomain.net/OU=GT69488236/CN=www.ourdomain.net01c9c7797aae8e00"

#Allowed Protocol (SSLv3, TLSv1)
SSLProtocol +SSLv3

#Allowed CipherSuite (ALL,COM,GOV)
SSLCipherSuite ALL

<Location />
ProxyPass http://127.0.0.1:8001/
</Location>

</VirtualHost>

#SOCKS Configuration
<VirtualHost *:443>
ServerName www.ourdomain.net

#SSL Protocol Engine State
SSLEngine On

#SOCKS Protocol
SocksProtocol On

#Certificate hash or ID
SSLCertificateHash "/C=GB/ST=/L=/O=www.ourdomain.net/OU=GT69488236/CN=www.ourdomain.net01c9c7797aae8e00"

#Registered Protocol (mod_multiplexer)
RegisterProtocol SOCKSV5

#Allowed Protocol (SSLv3, TLSv1)
SSLProtocol +SSLv3

#Allowed CipherSuite (ALL,COM,GOV)
SSLCipherSuite ALL
SocksHandshakeTimeout 100000

#Destination Servers and Ports
<Location /destination>
Order Deny,Allow
Deny to all
Allow to All
</Location>
</VirtualHost>

#CGP Configuration
<VirtualHost *:2598>

#CGP Protocol State
CgpProtocol On

#Max TCP Channels Per Session
CgpTcpChannelsPerSession 50

#Disconnected Sessions Timeout (msec)
CgpInterruptedSessionTimeout 20000
CgpHandshakeTimeout 100000
CgpInterruptedSessionsThreadWakeupInterval 60000
<Location /destination/cgp>
Order Allow,Deny
Allow to 127.0.0.1:1494
</Location>

</VirtualHost>

#CGP Configuration
<VirtualHost *:443>
ServerName www.ourdomain.net

#CGP Protocol State
CgpProtocol On

#Registered Protocol (mod_multiplexer)
RegisterProtocol CGP

#SSL Protocol Engine State
SSLEngine On

#Certificate hash or ID
SSLCertificateHash "/C=GB/ST=/L=/O=www.ourdomain.net/OU=GT69488236/CN=www.ourdomain.net01c9c7797aae8e00"

#Allowed Protocol (SSLv3, TLSv1)
SSLProtocol +SSLv3

#Allowed CipherSuite (ALL,COM,GOV)
SSLCipherSuite ALL

#Max TCP Channels Per Session
CgpTcpChannelsPerSession 50

#Disconnected Sessions Timeout (msec)
CgpInterruptedSessionTimeout 20000
CgpHandshakeTimeout 100000
CgpInterruptedSessionsThreadWakeupInterval 60000
<Location /destination/cgp>
Order Allow,Deny
Allow to 127.0.0.1:1494
</Location>

</VirtualHost>
#Citrix_End

httpd.conf in c:\Program Files\Citrix\Secure Gateway\conf\ reads...

# Citrix Secure Gateway Configuration file
# DO NOT MANUALLY EDIT CONFIGURATION SETTINGS IN THIS FILE. ALL MANUAL EDITS WILL
# BE OVER WRITTEN BY THE CONFIGURATION TOOL.
#
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 15
Timeout 300

ServerName localhost
UseCanonicalName Off

ServerTokens prod
ServerSignature On

# Socks Protocol settings (5 Minutes / 5 Seconds)
SocksTcpKeepAliveTime 300
SocksTcpKeepAliveInterval 5

# Log rotation

# Global Logging Parameters
# Sock Logs
LogFormat "%t %a %{SocksVersion}n %{SocksResponse}n %{SocksDestinationHost}n %{SocksDestinationPort}n" socks_log
CustomLog "|bin/rotatelogs.exe logs/SocksAccess_%Y_%m_%d.log 3600 60 30D" socks_log env=LOG_SOCKS

# CGP Logs
LogFormat "%t %a %{CgpResponse}n %{CgpDestinationHost}n %{CgpDestinationPort}n %{cgpProtocol}n" cgp_log
CustomLog "|bin/rotatelogs.exe logs/CgpAccess_%Y_%m_%d.log 3600 60 30D" cgp_log env=LOG_CGP

# Access & Error Logs
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "|bin/rotatelogs.exe logs/Access_%Y_%m_%d.log 3600 60 30D" Combined env=LOG_HTTP
ErrorLog "|bin/rotatelogs.exe logs/Error_%Y_%m_%d.log 3600 60 30D"

# Do not log GIF's & requests from localhost
SetEnvIf Request_URI \.gif$ nolog=gif
SetEnvIf Request_URI \.jpg$ nolog=jpg
SetEnvIf Request_URI \.png$ nolog=png
SetEnvIf Request_URI \.js$ nolog=js
#SetEnvIf Remote_Addr ^127.0.0.1$ nolog=127.0.0.1

ServerRoot "C:/Program Files/Citrix/Secure Gateway/"
PidFile logs\httpd.pid

<IfModule mpm_winnt.c>
ThreadsPerChild 500
MaxRequestsPerChild 0
</IfModule>

#Event Log
EventLogServiceName "Secure Gateway"

#Scoreboard file

ScoreBoardFile logs/perf.map

LoadModule access_module modules/mod_access.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule mime_module modules/mod_mime.so
LoadModule socks_module modules/mod_socks.so
LoadModule winevent_log_module modules/mod_winevent_log.so
LoadModule async_engine_module modules/mod_async_engine.so
LoadModule ticket_module modules/mod_ticket.so
LoadModule perfmon_module modules/mod_perfmon.so
LoadModule vhost_throttle_module modules/mod_vhost_throttle.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule include_module modules/mod_include.so
LoadModule multiplexer_module modules/mod_multiplexer.so
LoadModule schannel_module modules/mod_schannel.so

#CSG Modules ...
LoadModule session_module modules/mod_session.so
LoadModule auth_sta_module modules/mod_auth_sta.so
LoadModule cgp_module modules/mod_cgp.so

# Max Connections
MaxConnections CONCURRENT_CONN_LIMIT 500

# Scoreboard Max Connections
ScoreboardMaxConnections 1525

# mod_multiplexer directives
ProtocolSignature SOCKSV5 \005
ProtocolSignature CGP \032CGP/
MultiplexerHandshakeTimeout 100000
ProtocolMultiplexer *:443

#Listen directives
Listen 443

#NameVirtualHost directives
NameVirtualHost *:443

#STA servers
STAHOST Farm-master http://localhost:8001/Scripts/CtxSTA.dll

#Async Engine directives
AsyncWorkerThreadCount 0

#SSL settings
SSLProtocol +SSLv3 +TLSv1
SSLCipherSuite ALL

#Log level
LogLevel warn

#WI Config
<VirtualHost *:443>

ServerName www.ourdomain.net:443

# SSL Params
SSLEngine On
SSLCertificateHash 8aaaaada6b446601a33427606a300aa944696cd8

# Document Root and Directory directives
DocumentRoot "C:/Program Files/Citrix/Secure Gateway"
<Directory "C:/Program Files/Citrix/Secure Gateway/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
LanguagePriority en ja cs de es fr it nl sv pt-br ro
ForceLanguagePriority Prefer Fallback
</Directory>

ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_
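David's point above is that the XTE and Secure Gateway httpd.conf files must use their ports in a mutually exclusive fashion; the two files as posted both carry "Listen 443". The following is an added example (not Citrix code and not from anyone in this thread): it parses the Apache-style Listen directives from constructed excerpts modelled on those files and reports any port both services try to bind, for the SSL Relay-enabled XTE file and for the CAE default one.

```python
"""Check two Citrix XTE-style httpd.conf files for ports both try to bind.
Added example for this thread, not Citrix code: parses Apache-style 'Listen'
directives and reports collisions, so a shared port 443 shows up before one
of the two services fails to start.
"""
import re
from collections import defaultdict

# Constructed excerpts modelled on the files posted in this thread (trimmed).
XTE_SSLRELAY_CONF = """
#SSL Relay Listening Port
Listen 443
ProtocolMultiplexer *:443
#CGP Listen Port
Listen 2598
"""

XTE_CAE_CONF = """
#CGP Listen Port
Listen 2598
<VirtualHost *:2598>
CgpProtocol On
</VirtualHost>
"""

CSG_CONF = """
#Listen directives
Listen 443
<VirtualHost *:443>
ServerName www.ourdomain.net:443
</VirtualHost>
"""

# Matches 'Listen 443', 'Listen 10.0.0.5:443' or 'Listen [::1]:443'.
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:[\w.*\[\]:-]+:)?(\d+)\s*$", re.IGNORECASE)


def listen_ports(conf_text):
    """Return the set of TCP ports a config asks its server to bind."""
    ports = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments, including commented-out Listen lines
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def find_collisions(confs):
    """confs maps service name -> config text; returns {port: [services]} for
    every port claimed by more than one service (empty dict = exclusive)."""
    claims = defaultdict(set)
    for name, text in confs.items():
        for port in listen_ports(text):
            claims[port].add(name)
    return {p: sorted(n) for p, n in claims.items() if len(n) > 1}


if __name__ == "__main__":
    broken = {"XTE": XTE_SSLRELAY_CONF, "SecureGateway": CSG_CONF}
    fixed = {"XTE": XTE_CAE_CONF, "SecureGateway": CSG_CONF}
    for label, confs in (("SSL Relay enabled", broken), ("CAE default", fixed)):
        print(label, "->", find_collisions(confs) or "no collisions")
```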



David Lloyd Citrix Employees

David Lloyd
  • 1,500 posts

Posted 19 June 2008 - 06:37 PM

Hi,

Have you used the Citrix Presentation Server SSL Relay configuration tool on the XTE server of this system? It isn't supported for use with Citrix Access Essentials (and is conflicting with the Secure Gateway system).

You should replace your XTE configuration file with the one I posted above. CAE configures XTE to handle CGP support, the file you have posted configures it to do SSL relay activity.

Regards,

David L



Gordon Suthorn Members

Gordon Suthorn
  • 8 posts

Posted 20 June 2008 - 02:45 PM

The SSL Relay Configuration tool was activated, but I am not even sure why. Anyway, we have disabled it, restarted the server and now the XTE service is running with the external secure site working just fine.

Many thanks for your help.

Gordon Suthorn.






Jonathan Pulley Members
  • #10

Jonathan Pulley
  • 14 posts

Posted 15 September 2008 - 03:52 PM

I may need to start a new thread but we are having similar issues and we have the SSL Relay running as well. What exactly does the SSL Relay service do?

The problems we are having:

XTE Service fails to start and we get the error "The Citrix XTE Server service terminated with service-specific error 1 (0x1)." in the event log.

Can not telnet to port 2598 on the citrix host.

The XTE log shows:
(OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs

We have our internal site on port 80 and our external on 8080. SSL Relay is listening on 443.

I can telnet to 443 and 1494

Is there a "standard" setup for CAE with ISA firewall and a secured external site? Thanks!

Jonathan

Edited by: Jonathan Pulley on Sep 15, 2008 11:54 AM



David Lloyd Citrix Employees
  • #11

David Lloyd
  • 1,500 posts

Posted 15 September 2008 - 03:56 PM

Hi,

SSLRelay is not supported in Citrix Access Essentials. The only supported SSL configuration is through the Quickstart External Access task.

When external access is enabled as "Direct to this server", CAE opens the 443 port and handles both web-based and ICA traffic. You should not attempt to configure IIS https support as this will not encrypt the ICA traffic itself.

Regards,

David L



Jonathan Pulley Members
  • #12

Jonathan Pulley
  • 14 posts

Posted 15 September 2008 - 04:00 PM

I updated my above post by the way.

To get a secure/encrypted tunnel from the client to citrix server what needs to be done? Will CAE handle everything correctly?

Our external site is set as Gateway Direct and not Direct.
Our internal site is set as Direct.

Edited by: Jonathan Pulley on Sep 15, 2008 12:04 PM



David Lloyd Citrix Employees
  • #13

David Lloyd
  • 1,500 posts

Posted 15 September 2008 - 04:11 PM

Hi,

SSL Relay should never be running in a CAE deployment. Out of the box, there should be no processes listening on the https port (443). You can check this by running "netstat -ab" to see that the port is closed.

CAE always accepts unencrypted traffic on the http port (80). Any application launched through the unencrypted page will also be unencrypted and connected over port 1494 or 2598. This is only suitable for trusted networks (basically internal use).

For external access, there are two options in CAE Quickstart:

1) Direct to this server

In this mode, the CAE Master server opens port 443 (https) and sets up SSL using the certificate that you supply in Quickstart. Connecting a web-browser to the "https" web-site results in applications launched using SSL. Note that the unencrypted web-site is still available. Only port 443 should be opened to the Internet.

2) Via a VPN

In this mode, CAE accepts NAT translated VPN connections. In this mode, all encryption from an external location is handled by "third-party infrastructure". An example of a VPN is Citrix Access Gateway, which is not included with Citrix Access Essentials.

There is a third option "DMZ server" which is basically the same as "Direct to this server", except that port 443 is not opened on the Master server - instead a cut down version of the system is installed on a separate machine and pointed at the Master server.

You can set up SSL support without obtaining a "real" certificate using the "Generate temporary certificate" option in Quickstart's External Access Wizard. You should ensure that the system is working using this option before purchasing a real certificate.

Regards,

David L



Jonathan Pulley Members
  • #14

Jonathan Pulley
  • 14 posts

Posted 15 September 2008 - 04:15 PM

Thanks for all the info!

Jonathan

Edited by: Jonathan Pulley on Sep 15, 2008 1:14 PM



Jonathan Pulley Members
  • #15

Jonathan Pulley
  • 14 posts

Posted 15 September 2008 - 05:47 PM

Is the SSLRelay included in the install of CAE?

If so, does CAE use the SSLRelay to do its SSL stuff or is SSLRelay not used at all?

Should SSLRelay be installed at all?

I guess what I am asking is, does SSLRelay get installed with CAE and is actually used, but we are not supposed to mess with the settings because it gets configured by CAE on the install?

Also, if it's not supposed to be on there or used or whatever, how do you suggest we go about removing it and making sure the configuration still works? Currently everything seems to be working fine except the above error messages and XTE. Thanks!



Gordon Suthorn Members
  • #16

Gordon Suthorn
  • 8 posts

Posted 15 September 2008 - 09:50 PM

Jonathan,

The simple, less technically elongated advice that worked a treat for us was as follows:

Start > All Programs > Citrix > Administration Tools > Citrix SSL Relay Configuration Tool

Uncheck the Enable SSL Relay box.

This seems strange because why would it even be there if it interferes (?) but I'm sure someone more competent than me will be able to explain. Suffice it to say the SSL part is handled elsewhere in CAE.

It worked for us, give it a go.

Gordon.



David Lloyd Citrix Employees
  • #17

David Lloyd
  • 1,500 posts

Posted 16 September 2008 - 06:44 AM

Hi,

SSL Relay is installed on a CAE box as it is part of the Citrix XenApp 4.5 (Presentation Server 4.5) product. Citrix Access Essentials is basically a full version of Citrix XenApp with all the bits installed, and an additional tool "Quickstart" that is used to configure the system.

The idea is that, when using Citrix Access Essentials, the system is controlled by Quickstart, but if you wish to upgrade to Citrix XenApp, all you need is change the license and switch management consoles.

If you have administration experience with Citrix XenApp then you can use the XenApp system directly in CAE. This is the more complicated route, and we cannot provide support for the full XenApp product under a CAE license. If you have appropriately experienced sysadmins (e.g. CCA) this may be the route to take for your company, though.

Regards,

David L



Jonathan Pulley Members
  • #18

Jonathan Pulley
  • 14 posts

Posted 16 September 2008 - 12:26 PM

Thanks again for the clarification! Thanks to you too Gordon.

I still have one question though...
Do we need to set our external site as direct or gateway direct or does it matter?



David Lloyd Citrix Employees
  • #19

David Lloyd
  • 1,500 posts

Posted 16 September 2008 - 01:28 PM

Hi,

Where are you configuring this option?

If this is the "Direct to this server" option in the "External Access" task of Quickstart, then "Direct to this server" is normally the option you want to choose.

The other option is Access Gateway for which you need to install a separate VPN product (the Citrix recommendation is Citrix Access Gateway).

Regards,

David L



Jonathan Pulley Members
  • #20

Jonathan Pulley
  • 14 posts

Posted 16 September 2008 - 02:09 PM

I see this option in the Access Management Console/Configuration Tools/Web Interface/External Site

If I understand everything you have said correctly, we do NOT need to go in to Access Management Console for anything. Everything should be done from Quickstart, correct?