SSL Error 4 when connecting through Citrix Secure Gateway or the SSL Relay

RoyATokeshi
February 2, 2004 8:01 am

Citrix states in their article: CTX524634

CTX524634 - Error: SSL Error 4 when connecting through Citrix Secure Gateway or the SSL Relay Service

This document was published at: http://support.citrix.com/kb/entry.jspa?externalID=CTX524634

Document ID: CTX524634, Created on: Aug 20, 2002, Updated: Apr 23, 2003

Products: Citrix Secure Gateway 1.0, Citrix Secure Gateway 1.1

When the ICA client reports SSL Error #4, you may be connecting to the HTTPS interface of an IIS server instead of a Citrix Secure Gateway server or the Citrix SSL Relay Service.

By default, Microsoft Internet Information Services (IIS) will listen for incoming connections on all network interfaces at TCP port 443.This is the same port that the Citrix Secure Gateway (CSG) and Citrix SSL Relay services bind to for their services. If IISis enabled on the same server with CSG or the Citrix SSL Relay service, a port conflict will arise.

If the intended CSG or SSL Relay service to which an ICA client connects is actually an IIS server, IIS rejects the traffic as non-HTTPS and the connection is broken.

Under these circumstances, the Win32 ICA client reports the following error:

Cannot connect to the Citrix server:
A network error occurred (SSL error 4)

Possible causes and resolutions for this error include the following:

• The Citrix Secure Gateway server is also running IIS, and the IIS service is blocking the Citrix Secure Gateway service from starting.

To resolve this issue, disable the IIS Admin service and all its dependent services on the CSG server, or change the IIS SSL port to something other than 443.

• NFuse Classic is misconfigured, using the fully-qualified domain (FQDN) name of an IIS web server instead of the Citrix Secure Gateway server.

To resolve this issue, ensure that the client can resolve the FQDN of the secure gateway server to the IP address of a server running CSG, not IIS. If you wish to run CSG and NFuse Classic on the same server, please refer to atricle Running Citrix Secure Gateway and IIS/NFuse on the same server - Running Citrix Secure Gateway and IIS/NFuse on the same server.

• IIS is running on the MetaFrame server, claiming TCP port 443 before the Citrix SSL Relay service can bind to it.

To resolve this issue, disable the IIS Admin service and all its dependent services on the MetaFrame server, or change the IIS SSL port to something other than 443.

Additional Troubleshooting Tips

• Does the Gateway have a sufficient route to the client?

• Does adjusting the STA and Gateway Timeout help?

• The server certificate may be corrupt.

• What happens when SSL is not used?

• Ensure the ICA File has SSLEnable=ON and does not include a "d" after SSLEnable.



Primary links

Custom Search

User login

Who's new

  • Cachleferah
  • Weedbacuupe
  • vororourn
  • vDonellaCandrah
  • SnnaSusi

Who's online

There are currently 0 users and 4 guests online.

KrissysCorner.com RuthSwensonLaw.com CreativeLizardProductions.com

DISCLAIMER:

None of this has anything to do with us, someone else is responsible for the entire thing, and we have no idea who or why. We do not know anything about it. It may be alien life forms for all we know: we haven't a clue. You cannot blame us for anything that may result from your visit. That was entirely your own personal choice, made by you of your own volition, and without our knowledge. We do not, after all, have any control over you and cannot by any stretch of the imagination be expected to accept or acknowledge, be it legally or morally, any accountability for decisions made by you on an independent basis, utilizing your own free will, and without our intervention. We are therefore in no way, shape, or form answerable to anyone for any consequences arising from the aforementioned or indeed any other actions, similar or otherwise, because it was not us that did, or did not do anything. It is not even remotely our fault, and we are in no way prepared or willing to accept any liability, not even slightly, ever. We are, in fact completely and utterly blameless, in that it is definitely not our concern, and no blame can possibly be laid at our doorstep, even if we had one, the possession of which we hereby reserve as being entirely our own free choice. The onus is not on us at all, and furthermore, never has been. The entire matter is wholly beyond our control, and completely out of our hands, each of which are washed scrupulously clean of the whole business. We are not accountable for anything at all, and we hereby categorically deny all responsibility for all that has ever, or will ever happen. Our innocence is therefore wholly beyond doubt and absolutely unimpeachable, and so cannot, under even the remotest or unlikeliest circumstances, be brought into question. By clicking either on a link on this site, clicking on a link that leads to this site, or by arriving at this site by natural or supernatural means, you are in effect accepting responsibility for the fact that it is all entirely your own fault, down to the most miniscule detail, and that you are wholly accountable for whatever outcome may arise as a consequence of the aforementioned action or actions insofar as they were undertaken personally by you on an entirely voluntary basis and without any persuasion, coercion or influence from any party or parties other than yourself. Don't come sniveling to us, we are only figments of your imagination. I also agree that if I am ever with a contributor to this website during mealtimes I agree to pay for any super-sizing of their meal, or at least a nice dessert or one of those foo-foo drinks with an umbrella or a monkey. By admitting to have seen the worthless spineless drivel on this website (also known as content)

I Agree Wholeheartedly and Without Reservation to the above. (Except maybe for that part about the monkey.)

All Your Base Are Belong To Us.

Soylent Green Is People!

Never make a bet with a Sicilian when Death is on the Line!

No. Really, I do agree.