Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I've read all of the other posts on this error and cannot find a similar situation.
I have internal users trying to connect to an external Metaframe Nfuse and Citrix XP server to access published applications. The initial connection to the Nfuse seems to be allowed, but when trying to launch one of the published applications, it fails.
On the Windows 2000 Web Proxy, Firewall and SecureNAT client, I receive this error: "Cannot connect to the Citrix Metaframe Server. The thirdparty SSL provider could not proceed (SSL error 5)"
If I do not make the Windows 2000 client a SecureNAT client (only firewall and proxy), I receive this error: "Cannot connect to the MetaFrame Server. There is no route to the specified subnet address"
** Rule info
Name: Anonymous SSL
Allow: HTTP, HTTPS, 2598, 1494
From: Internal
To: xxx.xxx.xxx.xxx and Local Host
Users: All Users
** ISA 2004 Monitoring log
source port: 0
dest ip: xxx.xxx.xxx.xxx
dest port: 443
protocol: ssl-tunnel
action: Failed Connection Attempt
rule: (none)
URL: www.someurl.com:443 (must have smartcard to access, actual url not provided here)
client ip: 172.16.5.15
source network: internal
username: anonymous
dest network: (none)
http status code: 13 or 995 with firewall client authenticated: No
original client ip: 0.0.0.0
transport: TCP
Notice on the "failed connection attempt" the source port is 0 and the original client ip is 0.0.0.0.
Is this possibly the cause of the problem?
I'm concerned about the client side error "the third party ssl provider could not proceed". It is as if the client is waiting for ISA to negotiate part of the connection and it never happens.
Still looking for suggestions on this one.
Bypass ISA, connection is fine.
I've tried making the client a SecureNAT client, enabling/disabling the firewall client, setting the firewall application to DisableEx 0 and 1 for WFICA32.
The only thing that works is to bypass ISA. I work at a health care facility. This application lets doctors view x-rays from community hospitals through a Metaframe XP server at the remote hospitals. There is a lot of pressure to provide this viewing to our doctors. I'm afraid I'll be forced to bypass ISA and I certainly don't want to do this.
Are you sure that HTTP/HTTPS are the only protocols needed? Depending on the Citrix configuration and version, it might be necessary to allow the ICA (TCP port 1494) and/or CGP (TCP port 2598) protocol too. Also, if everything is encapsulated in HTTPS, is it still Web Proxy aware? Maybe you should configure those destinations for direct access.
If you can connect to the NFuse web site, instead of double clicking a published application, right click the link and save it to your desktop. You can open the *.ica file with notepad to verify the communications parameters.
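As an added example (not part of this thread, and not Citrix's or Microsoft's own tooling), here is a small Python script that does the check the reply above suggests: it reads a saved .ica launch file and works out, per published application, which host and TCP port the ICA client will actually open and whether it goes direct or through a proxy, which is exactly what the ISA access rule has to allow. The .ica text, host names, addresses and STA ticket in it are constructed placeholders; the keys it reads (Address, SSLEnable, SSLProxyHost, CGPAddress, ProxyType, ProxyHost) are the standard ICA launch-file keys, and the 8080 default for a ProxyHost written without a port is an assumption.

```python
import configparser

# Default TCP ports used when a host is given without one.
DEFAULT_ICA_PORT = 1494    # raw ICA
DEFAULT_CGP_PORT = 2598    # Common Gateway Protocol (session reliability)
DEFAULT_SSL_PORT = 443     # ICA tunnelled in TLS (SSL Relay / Secure Gateway)
DEFAULT_PROXY_PORT = 8080  # assumption for a ProxyHost given without a port

# Constructed sample of a saved .ica launch file (not from the thread); every
# host name, address and ticket in it is a placeholder.
SAMPLE_ICA = """[WFClient]
ProxyType=None

[ApplicationServers]
XRayViewer=
LegacyApp=

[XRayViewer]
Address=;40;STA01;C0FFEE0123456789
SSLEnable=On
SSLProxyHost=citrix.example.com:443

[LegacyApp]
Address=203.0.113.10
SSLEnable=Off
CGPAddress=*:2598
ProxyType=Secure
ProxyHost=proxy.example.internal:8080
"""


def parse_ica(text):
    """An .ica file is INI-formatted, so configparser reads it as-is."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (SSLProxyHost, not sslproxyhost)
    cp.read_string(text)
    return cp


def split_host_port(value, default_port):
    """'host:port' -> (host, port); a bare host gets default_port."""
    host, sep, port = value.strip().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value.strip(), default_port


def launch_targets(text):
    """For each published app in the file, work out what the ICA client connects to."""
    cp = parse_ica(text)
    global_opts = cp["WFClient"] if cp.has_section("WFClient") else {}
    targets = []
    for app in cp["ApplicationServers"]:
        sec = cp[app]

        def opt(key, default=""):
            # a key in the application section overrides the same key in [WFClient]
            return sec.get(key) or global_opts.get(key, default)

        if opt("SSLEnable", "Off").lower() == "on" and opt("SSLProxyHost"):
            # Address is then an STA ticket, not a reachable host; the client
            # opens a TLS connection to SSLProxyHost instead.
            server = split_host_port(opt("SSLProxyHost"), DEFAULT_SSL_PORT)
            proto = "ICA over TLS"
        elif opt("CGPAddress"):
            host, _ = split_host_port(opt("Address"), DEFAULT_ICA_PORT)
            _, port = split_host_port(opt("CGPAddress"), DEFAULT_CGP_PORT)
            server, proto = (host, port), "CGP"
        else:
            server = split_host_port(opt("Address"), DEFAULT_ICA_PORT)
            proto = "ICA"

        proxy_type = opt("ProxyType", "None").lower()
        if proxy_type in ("secure", "socks") and opt("ProxyHost"):
            # the workstation talks only to the proxy; the proxy reaches the server
            client_conn = split_host_port(opt("ProxyHost"), DEFAULT_PROXY_PORT)
            via = f"{proxy_type} proxy"
        elif proxy_type == "auto":
            client_conn = None  # whatever the browser's proxy settings say
            via = "browser proxy settings"
        else:
            client_conn = server
            via = "direct"

        targets.append({"app": app, "server": server, "protocol": proto,
                        "via": via, "client_connects_to": client_conn})
    return targets


def client_side_endpoints(text):
    """The (host, port) pairs the workstation itself opens: the firewall must allow these."""
    return sorted({t["client_connects_to"] for t in launch_targets(text)
                   if t["client_connects_to"]})


if __name__ == "__main__":
    for t in launch_targets(SAMPLE_ICA):
        print(f'{t["app"]}: {t["protocol"]} to {t["server"][0]}:{t["server"][1]} '
              f'via {t["via"]}; workstation opens TCP to {t["client_connects_to"]}')
    print("allow from client network:", client_side_endpoints(SAMPLE_ICA))
```

Run it against the real saved file instead of SAMPLE_ICA. If an application shows "ICA over TLS" to a gateway host, the workstation needs a plain TCP 443 path to that host (an SSL-tunnel through the Web Proxy is one, but the ICA client is not itself a Web Proxy client unless ProxyType says so); if it shows CGP or ICA, ports 2598 or 1494 must be reachable directly, which a Web Proxy-only client never gets.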
2598 and 1494 are also enabled.
There are no denies in the ISA log for anything. Just failed connection attempt. It shows different protocols for port 443, sometimes HTTPS, SSL-tunnel or just plain old 443.
I'd be happy to send a detailed log if it would be of use in troubleshooting.
I can get to the site, but when I right click and save the application to my desktop, it is just a link, not the ica file.
I have created a cache rule that denies http and ftp caching. Is this what you mean by direct access or is there something I'm missing?
Direct access? I am guessing that you mean create a web chaining rule that retrieves the request directly from the internet. If so, I've done that with the same error.
I created a web chaining rule with direct retrieval from the internet for the site with no caching.
I went to web chaining, bridging, and set redirect SSL requests as SSL. I tried it with and without require secure channel and with and without 128 bit encryption. Same error.
The Citrix connection starts regardless of ISA. Initializing, Connection in progress... and here is the difference:
When I bypass ISA, the application starts up and shows, Checking for personal settings, Applying personal settings, Running login scripts, Checking for newer client versions, AND then the application logon screen appears.
When I go through ISA, the application never starts up, it stops at the Citrix Connection in progress.
There are no denies in ISA, only the failed connection attempt.
I'm also curious as to why destination port 443 sometimes is shown as protocol SSL-tunnel and sometimes protocol HTTPS. It always fails on destination port 443 when the protocol is blank, neither SSL-tunnel nor HTTPS. Sometimes the failure indicates SSL-tunnel, never HTTPS.
HTTP Status code 995 is logged when the actual URL is listed with source network internal, destination ip the actual internet ip of the server, and destination protocol SSL-tunnel.
HTTP Status code of 13 is logged when no URL is listed with source network blank, destination ip the actual internet ip of the server, and destination protocol is blank.
Thanks for the links. I knew that and actually use it for OMA and OWA. I don't know what I'm thinking.
I did a netmon capture using the hardware firewall as my gateway and disabling the firewall client and web proxy. I do not see that the link goes anywhere except to the one ip address, but I'm not skilled in reading netmon results. I did a capture with the ISA server as the gateway, the firewall client enabled, and web proxy. I cannot see the ip address even listed in the capture.
I set the internet ip address as a direct access address, and still receive the same error. With and without the firewall client enabled.
I do not give out a default gateway to my clients. I am only using one now for testing. If I bypass ISA for the ip address of the server, I cannot access this site with just the firewall client.
I do have access out directly through the hardware firewall, but this will be changing so the only exit is the ISA server.
ISA's external NIC 10.1.0.3 is connected to the optional port 10.1.0.3 of the hardware firewall. The hardware firewall has a connection on the trusted network of 172.16.0.1. ISA has a connection on trusted network 172.16.0.3.
I have the captures on my website. I don't want to expose that much of my network on the internet. I don't think your profile has enabled private messages.