× SSL247 joins forces with Sectigo CA - Find Out More...
Our accreditations and awards:
Cookies
0 items Total $0

Knowledge Base

  

Problem

You cannot connect to publish applications through Citrix Access Gateway or Secure Gateway when using a Microsoft ISA Server as a firewall or proxy. You receive the following error message:

"SSL Error 4: The proxy denied access to;10;STA….;ticket# port 1494"

 

Cause

The Microsoft ISA Server is configured with a Web publishing rule instead of a server publishing rule to forward requests to the Access Gateway or Secure Gateway server.

When you create a Web publishing rule, you can configure how SSL requests should be redirected — as HTTP requests or as SSL requests, with an SSL Certificate placed on the ISA Server for the connection.
If requests are redirected as SSL requests, the ISA server terminates the SSL connection and encrypts the packets again before passing them on to Access Gateway. ISA also expects the traffic in the original connection to be one that it understands (like HTTP) and if it does not know what the traffic is, the traffic is dropped – which is the case for ICA traffic.

Therefore, this configuration does not work with Access Gateway because the connection between the ICA Client and the Access Gateway service must be a single continuous SSL connection (that is, the Access Gateway / Secure Gateway must be the SSL Termination point).

 

Resolution

Configure a server publishing rule between the ISA server and the Access Gateway instead of a Web publishing rule.

Was this information Useful?
Comments

Privacy Policy