Jump to content


Cannot connect to the Citrix XenApp server. SSL Error 29: The proxy denied

Started by Obi- Van , 13 December 2008 - 08:00 PM
7 replies to this topic

Obi- Van Members

Obi- Van
  • 31 posts

Posted 13 December 2008 - 08:00 PM


I did some research before I posted this question, but I was not able to fix this problem yet.
So I am asking about solution...
Before I begin I`ll explain my network connections.

The WebInterface and XenApp are installed on the same server on the LAN network.
Secure Gateway is installed on another server which is also on the same LAN as Wi and XenApp.
BUT the Secure Gateway server is NAT-ed to the internet and the port 443 is opened from internet to Secure Gateway server.

When I tried to connect to Secure Gateway 3.1 from the internet and launch published applications I got the error below:

Cannot connect to the Citrix XenApp server.
SSL Error 29: The proxy denied access to; 10;sta_id_etc.... Port 1494

I am able to log on trough SG on WebInterface this part is working and I see the published applications, but when I click on one published app and try to start it, I got citrix dialog box "connecting" and after this I got the error described above in this post.

Than I did some research for errors on the server. First I did was, I logged on the SG server and checked if I can telnet the XenApp and WebInterface on ports (80, 1494) and I was able to telnet no problems at all, because the SG and WebInterface server are on the same LAN.

So I opened "event viewer" on the Secure Gateway server and I found the error:

Assume that is my WAN ip address:

Error connecting to server **:1494 (

But I don`t understand this error because Secure Gateway needs only port 443 not 1494.

Secure Ticket Authority = STA is installed on XenApp and is working just fine, because when I am configuring the Secure Gateway I got no errors that it can``t reach the STA so SG can reach the STA there is no problems.

I hope someone can give me an answer...

Thank you all....

Best regards

Nicolas Ogor Citrix Employees

Nicolas Ogor
  • 32 posts

Posted 17 December 2008 - 09:54 PM

Hello ,

Did you specify the same STA server on the Web Interface configuration ?
If you have more than 1 they need to be in the same order.
I advise you as well to specify the IP address of the STA server instead of the FQDN on the SG and WI configuration.
Double check if you can telnet the port 1494 and 2598 of the PS server from the SG server.



Amanda Marchuk Members

Amanda Marchuk
  • 6 posts

Posted 18 December 2008 - 05:37 PM

Hi Obi,

I'm not sure if you had a chance to review my tutorial, but if not, you can check it our here:

Review the topology on page 1 and then jump to page 5.

Typically SG should be in a DMZ and since NAT is being used you will most likely need to use an [altaddr] command on the PS server. I'm not sure if this is your case, but it's not a good idea to have SG on the same private segment as the rest of your servers, since you will be port forwarding 443 directly into your LAN. Segragating SG in a DMZ is more secure. Some may go as far as to have a double-hop DMZ which is also supported.

I remember getting several errors like this in my testing and the tutorial works it all out for you.

Keep in mind that SG will communicate to the PS server on 1494 (default) or 2598 if you have Session Reliability enabled + the XML service port which is 80 by default. If I remember correctly, I think the proxy error may be caused by an address translation problem since you are using NAT.

Hope this helps,


Nicolas Ogor Citrix Employees

Nicolas Ogor
  • 32 posts

Posted 18 December 2008 - 10:35 PM

Hi guys ,

If the SG , WI and PS farm are in the same Vlan, you need to use the Secure Gateway mode in the Web Interface. You should not use the Address translation this is only used if there is a NAT firewall between the SG and the WI/PS farm.

The Ip address of the SG is nated which is a standard scenario as clients will connect from the Internet and need to reach a public IP address.

As I told you before check if the STA server is the same on the WI and SG configuration.
When configuring the Web Interface site, under Secure access method specify the FQDN of the Secure Gateway.
If the XML service is running on a different port than port 80 , you need to specify that port under the STA configuration http://Ipaddresss:port/script/....

If the problem is still not resolved after that , I advise you run a network trace on the SG to check if the SG server is attempting to connect on port 1494 or 2598.



Obi- Van Members

Obi- Van
  • 31 posts

Posted 20 December 2008 - 09:39 PM

Hello folks !!

Thank You all for reply. We had some problems with internet connection, so I was offline 2 days.
I am back now and I AM REALLY SORRY for delay with my answers.

Nicolas, I`ll try to do as You told me, I think I need to check the STA on the WI.
And as You see in my first post I can telnet on both ports from SG to PS server it is working just fine.

I`ll give You an answer once I try it !

Thank You very much for helping !

Best regards

Obi- Van Members

Obi- Van
  • 31 posts

Posted 20 December 2008 - 09:45 PM

Hello Mark,

just for info, I used altaddr and this part is configured, done.
But I got the same problems, so I`ll try as Nicolas told me to do, (check the STA address on the WI server)

Best regards

Obi- Van Members

Obi- Van
  • 31 posts

Posted 21 December 2008 - 09:49 PM

Hi again Nicolas,

I did as You told me, I checked the WI and STA uses the same URL on the WI server as it uses on the SG server. And I am able to telnet Wi and XenApp on the citrix ports (1494 or 2598.) from SG server.

So all ports between SG and Wi-XenApp server are opened and I am able to telnet.
On the WI I use the "gateway Alternate" and the command altaddr is entered on the XenApp server too, I used my WAN ip in that command.

The SG server is NAT-ed out on the internet on only port 443. And WI and XenApp is installed on the same server and on the same LAN where the SG is installed too. The only difference is that SG server is NAT-ed out to internet.

I know that SG must be in DMZ it will be there later, but I need to test it on this way first...

Any more ideas ?
Thank You for helping.

Best regards

Nicolas Ogor Citrix Employees

Nicolas Ogor
  • 32 posts

Posted 30 December 2008 - 11:23 AM

Hello Obi ,

Sorry for the delay in responding to you.
Is the Web Interface able to resolve the Internal IP address of the SG server ?
If you are only using Nat on the SG server for being accessible from the Internet , you need to set up the Web Interface to "Gateway direct" no need to configure any Address Translation.
You can run a network trace on the SG server ( Wireshark) to check the traffic while launching a publised application.