Related to Web Interface, NFuse, Secure Gateway, Access Gateway and everything that is used to get access from the Internet to the private LAN.
Questions and Answers
I get a Citrix ICA Protocol Driver Error with CSG 3.0?
When you update the ICA Client to version 9.x and connect through Secure Gateway 3.0 with session reliability support enabled, you will get the error "Citrix ICA Protocol Driver Error".
This is a problem with Secure Gateway 3.0 and session reliability; Citrix has published an update to fix the issue.
- SGE300W002 - For Citrix Secure Gateway 3.0 for Windows 2000 Server and Windows Server 2003
What CSG can I use with what Citrix Server versions?
Secure Gateway works as a sort of proxy for ICA traffic and therefore doesn't care what servers are in the backend. You can use ANY CSG version with ANY Citrix server, but you might lose features. CSG 3.0 supports session reliability, but you also need MPS 3.0 or PS 4.0 and the new STA 4.0.
Web Interface 4.0 and the Java Client, location and private certs?
The Java Client 9.x has a Multilanguage format. Since WI4 supports multiple sites, Web Interface needed a more central place to store the clients.
ICAWEB clients are now located at:
and the java client at
When using private certificates with the Java client, you have two options:
1. Store the root cert in icajava, but that will only work with the MS Virtual Machine, and the client will fall back to version 8.2 and therefore not support some of the new features.
2. Switch to Sun Java, but then you have to import the private root CA into the Sun keystore on every client with a small utility from Sun. This is described in the Java client admin guide. Only Sun Java will give you the full functionality of the Java 9.x client.
How do I use the STA with Presentation Server 4.0?
With Presentation Server 4.0 (PSE) the Secure Ticket Authority (STA) is now built into the Citrix XML service, which is installed by default on every Presentation Server. But how do you use it?
Secure Gateway 3.0 settings
Use the MPS 4.0 IP or FQDN (with default port 80) or FQDN (default port 443)
Web Interface 4.x settings
STA 4.0 settings
CSG 3.0 can work with older STA versions, but some features, such as session reliability through CSG, will not work.
To secure communication between CSG 3.0 and STA 4.0, the SSL Relay has to be configured on the PSE 4.0 server.
When you change the XML port, remember that you have also changed the STA port!
STA Compatibility with Other Citrix Products
I get a Type mismatch or internal error with NFuse/WI?
When you open the login page you receive a "Type mismatch" error with NFuse and an internal error with Web Interface. Check the IIS log when you are running WI and you might also see a Type mismatch error.
This issue occurs when session state is disabled; for instance, the Microsoft Software Update Service (SUS) disables session state.
How to activate the Session State?
- Start the IIS manager
- Open the properties of the web you want to edit
- Go to "Home Directory" and click on "Configuration"
- On the Options tab you can activate "Session State" and configure the session timeout (default: 20 minutes)
How can I debug Web Interface 3.0?
Edit web.config in the /Citrix/MetaFrame/site folder and change the customErrors tag from "On" to "Off".
- How to Disable the Default Error Message in Web Interface 3.0 / 4.x
How many concurrent connections can we expect with the CSG?
The Windows version of Citrix Secure Gateway 2.0 running on a single Intel CPU Server doesn't exhibit a significant increase in latency until about 1400 users.
A dual-CPU Wintel box can handle over 2000 concurrent connections and still have latency as low as 250ms.
With Secure Gateway 3.0 the binary is built on Apache, and therefore the maximum limit has become 1670 connections regardless of what current hardware you use.
Web Interface (WI) and NAT
For instance, your internal IP range is 192.168.x.x
With a default installation, the Web Interface will work for your LAN clients. Of course, when connecting over the Internet, a home user will NOT get any response from 192.168.x.x.
Set the Public IP for the Citrix XenApp Servers
This applies whether the servers reside in the DMZ or on the local LAN. Let's also say the public IP is 126.96.36.199. On the Citrix servers you need to run the altaddr command to tell the servers to respond with the public address, if needed.
On the command line run: altaddr /set 188.8.131.52
FireWall Settings for Citrix & Web Interface
Assuming Citrix MetaFrame/Web Interface are in the DMZ,
enable the following rules:
- Allow TCP Port 1494 WAN to DMZ inbound (Citrix ICA)
- Allow TCP Port 2598 WAN to DMZ inbound (Citrix CGP)
- Allow high TCP Ports (1023 - 5000) outbound (Citrix ICA)
- Allow TCP Port 80 WAN to DMZ In- and outbound (HTTP)
(Check FW from outside with:
"Telnet 184.108.40.206 1494" and "Telnet 220.127.116.11 80")
Web Interface NAT Configuration
On the Web Interface Server either configure:
A: The alternative address can be set in the WI console
B: Make sure the two sample lines below are in the Webinterface.conf
(Don't forget the last dot in the local IP range!)
After these changes, the template will get filled with the alternate address for Internet users, and the internal address for your LAN Clients.
- Configuring NFuse 1.x for Use with Network Address Translation (NAT)
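Why the trailing dot in the local IP range matters, shown as an added example (not from the original page or from Citrix). It assumes the address map is evaluated as a plain string-prefix comparison on the client IP, and it goes beyond the page's 192.168. case by also testing a 10. range; the function names and sample client addresses are constructed for illustration.

```python
import ipaddress

INTERNAL = "normal"      # client is handed the server's internal address
EXTERNAL = "alternate"   # client is handed the address set with altaddr


def pick_by_prefix(client_ip, local_prefix):
    """Assumed Web Interface behaviour: plain string-prefix comparison."""
    return INTERNAL if client_ip.startswith(local_prefix) else EXTERNAL


def pick_by_network(client_ip, local_cidr):
    """Reference answer: real subnet membership of the client address."""
    inside = ipaddress.ip_address(client_ip) in ipaddress.ip_network(local_cidr)
    return INTERNAL if inside else EXTERNAL


def misrouted(local_prefix, local_cidr, clients):
    """Clients for which the prefix rule disagrees with the real subnet."""
    return [c for c in clients
            if pick_by_prefix(c, local_prefix) != pick_by_network(c, local_cidr)]


# Constructed sample clients: two LAN hosts and three Internet hosts,
# two of which merely start with the same digits as the 10.x LAN.
CLIENTS = ["192.168.1.20", "10.0.5.7", "100.20.3.9", "109.1.2.3", "203.0.113.9"]

if __name__ == "__main__":
    cases = [
        ("192.168.", "192.168.0.0/16"),  # the page's range, dot included
        ("10.", "10.0.0.0/8"),           # dot included
        ("10", "10.0.0.0/8"),            # dot forgotten
    ]
    for prefix, cidr in cases:
        wrong = misrouted(prefix, cidr, CLIENTS)
        # A misrouted Internet client receives the internal address in its
        # ICA file and cannot connect, exactly like the home user above.
        print(f"prefix {prefix!r:11} -> misrouted clients: {wrong}")
```
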
Windows XP Professional with Service Pack 2
With Service Pack 2 for Windows XP, Microsoft has added more security to Internet Explorer. With the default settings you will always be asked whether you want to open/download the template.ica file when starting a published application within Web Interface. The reason is the new MIME handling in SP2.
To resolve this issue install the ICA Client version 8.x
How to use Web Interface with Novell?
How can I set the Client Proxy within Web Interface?
Web Interface 2.x uses the automatic proxy detection of the Citrix ICA Client by setting ProxyType=Auto in the template.ica file. This should be enabled by default, but earlier versions omitted it. Saving and applying the changes usually (but obviously not always) corrected that.
ProxyType=Auto tells Web Interface to inspect the default browser, and use whatever proxy settings it finds there.
Go to the proxy settings page in WIAdmin, and without doing anything, click Save and Apply Changes.
You can make sure that the setting is enabled by inspecting the template.ica file, where you have to find
[NFuse_SOCKSSettings] <-- THIS VALUE
[NFuse_SOCKSSettings] <-- THIS VALUE
I have Web Interface and ICA Client problems!
- Empty your cache in IE, close the browser and try again.
Verify you do not have "Do Not Save Encrypted Pages to Disk" selected.
(This is located in IE/Tools/Internet Options/Advanced; scroll to the bottom section and unselect "Do Not Save Encrypted Pages to Disk".)
- Do a search for wfica.ocx and wfcrun32.exe on your box. Right-click, select Properties and check the version. You should have the latest. If there are multiple versions, remove all instances of the client and reinstall.
- Right-click the application and do a "Save Target As". If you save a "launch.ica", save it to the desktop and try to launch from there. If you save a launch.asp, return to the app page and run again, then check the error message in the message center. (If no message is returned, right-click and open in a new window; you should be returned an error message.)
- If using Windows 9x, ME or XP, type msconfig at Start/Run; on the General tab, choose the selective startup option, unselect "load startup items" and click Apply. Reboot the system.
- If the ICA Client starts but nothing happens, see the MS Licensing FAQ
- CTX101683 - Error: ICA file not found
- CTX395275 - Error: ICA file not found
With Web Interface and RSA Integration, my first login attempt is successful but subsequent attempts fail!
This implies that the web user account is unable to write the new node secret to the registry on the web server.
On your WI server, check the registry permissions with regedt32 on the following key:
This error is most common when you install the RSA Agent AFTER the WI installation.
CSG 2.0 and Web Interface (NFuse 2.0) on the same box?
In a Nutshell:
- Change the IIS SSL port to port 444
- Run IISRESET at a command prompt
- Install Secure Gateway with all of the default values
(which uses port 443 and proxies WI traffic over localhost:80).
- Access your site with the following URL
a. Note that it uses HTTPS, not HTTP!
b. Of course, you need an SSL certificate with the gateway-FQDN as the Common Name on the certificate.
If you create a file called default.asp in your wwwRoot directory with the following:
your users can access the site by merely typing //gateway-FQDN/
- The page must be viewed over a secure channel
- ICA Java Client Window Fails to Close for Secure Gateway Users