
Knowledge Base

  

Problem

In an Access Gateway with Advanced Access Control environment, under certain circumstances, you may be unable to launch published applications through a Web Interface site defined as a Web Resource in Advanced Access Control.


During the launch of applications from the Web Interface Web Resource, the following error message appears:

"SSL error 29: The proxy denied access to;10;STA….;ticket# port 1494"

With Advanced Access Control 4.2 or earlier, you can still launch applications from the Program Neighborhood Content Delivery Agent (CDA) in an Access Center in the same Advanced Access Control server farm.

The Access Gateway logs may show the following error message:

"(03/08/07 13:52:58): 2:server:sta_proto: : sta_server_list is NULL. ALL STA TICKET VALIDATION WILL FAIL.
(03/08/07 13:52:58): 2:server:socks_proto: : STA/SOCKS context error!"

Note: When the Secure Ticketing Authority (STA) within Web Interface is not configured, not valid, or not resolvable, you receive an error message stating "The resource you are requesting is no longer available."

 

Cause

This error message occurs when one of the following statements is true:

1. The STA has not been defined in the Access Suite Console for the Access Gateway Appliance.

2. The STA is not resolvable by the Access Gateway. The error can be reproduced in a working environment with one STA by altering the STA's IP address in the Advanced Access Control Console.
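The log messages and the two causes above can be checked with a short script; this is an added example, not Citrix code and not part of the original article. The log field layout is inferred from the two quoted lines, and `scan_gateway_log`, `classify_sta_host` and the host name `sta.example.internal` are hypothetical.

```python
import ipaddress
import re
import socket

# Layout inferred from the log lines quoted on this page (field names are assumptions):
# "(date time): level:component:module: : message"
LOG_LINE = re.compile(r'^"?\((?P<ts>[^)]+)\):\s*(?P<level>\d+):(?P<component>[^:]+):'
                      r'(?P<module>[^:]+):\s*:\s*(?P<msg>.*?)\s*$')

# Message fragments taken from the log excerpt on this page.
SIGNATURES = ("sta_server_list is NULL", "STA/SOCKS context error")

def scan_gateway_log(text):
    """Return (timestamp, module, signature) for every line carrying an STA failure."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        for needle in SIGNATURES:
            if needle in m["msg"]:
                findings.append((m["ts"], m["module"], needle))
    return findings

def classify_sta_host(host, resolver=socket.getaddrinfo):
    """Classify a configured STA host as 'ip', 'resolves' or 'unresolvable' (cause 2)."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass  # not an IP literal, so treat it as a name and try to resolve it
    try:
        resolver(host, None)
        return "resolves"
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolvable"

# First two lines are the excerpt from this page; the third is constructed.
SAMPLE_LOG = """\
(03/08/07 13:52:58): 2:server:sta_proto: : sta_server_list is NULL. ALL STA TICKET VALIDATION WILL FAIL.
(03/08/07 13:52:58): 2:server:socks_proto: : STA/SOCKS context error!
(03/08/07 13:53:10): 2:server:socks_proto: : constructed line with no matching error
"""

if __name__ == "__main__":
    for finding in scan_gateway_log(SAMPLE_LOG):
        print(finding)
    print(classify_sta_host("sta.example.internal"))  # hypothetical STA FQDN
```

The name lookup uses the resolver of the machine the script runs on, so run it from a host that uses the same DNS servers as the appliance; a name that resolves on an internal workstation may not resolve from the DMZ.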

 

Resolution

  1) Use the following procedure to configure the Access Gateway to use the STA.


1. From the console tree, choose Gateway Appliances.

2. Under Common Tasks, select Edit gateway appliances properties.

3. On the Secure Ticketing Authority page, click New.

4. Type the IP address or FQDN of the server where the STA is installed.

5. In STA Path, type the path of the STA.

6. Choose Use secure communication to secure the connection to the STA.

 

  2) Attempt to diagnose the issue by using IP addresses (instead of the fully qualified domain name (FQDN)) for the STA. Access Gateway 4.5 and later allow for the alteration of the hosts file on the appliance.

Other options are:

  • Allow the Access Gateway to use the internal Domain Name System (DNS) server so it can resolve the STA FQDN
  • Create a new DNS server hosted in the demilitarised zone (DMZ) that the appliance can use and create a record for the STA
  • Use an IP address instead of an FQDN for the STA URL, in which case you might need to leave the STA traffic unsecured


Note: If the Access Gateway needs to use a network address translation (NAT) address to reach the STA, the second option in the list above (a new DNS server in the DMZ) is the best choice.

Also, the Advanced Access Control Console must reach the internal STA IP and the appliance must reach the NAT IP. Having a second DNS server just for the appliance allows you to set up two different IPs for the same STA FQDN.

 

Configuring STA Logging


1. Configure a logging level of 3 within the STA’s Ctxsta.config file.

2. Select the file located under Inetpub\Scripts (if the STA is a standalone install, or if Internet Information Services (IIS) port sharing with XML is used on Presentation Server 4.0 or later) or under %program files%\Citrix\System32 on servers running Presentation Server 4.0 or later where XML is not sharing with IIS.

3. Apply the change using the appropriate method: issue the IISRESET command (if the STA was installed as a standalone or as part of Presentation Server 4.0 or later with the IIS/XML Service sharing feature) or restart the Citrix XML service.

4. Investigate the STA logs.
