
SSL Error 29: proxy denied access to port 1494 STA... from Web Resource in an Advanced Access Control Farm

Document ID: CTX108792   /   Created On: Mar 15, 2006   /   Updated On: Dec 6, 2007

Symptoms

In an Access Gateway with Advanced Access Control environment, under certain circumstances users are unable to launch published applications through a Web Interface site defined as a Web Resource in Advanced Access Control.

When launching applications from the Web Interface Web Resource, users may receive the following error message:

“SSL error 29: The proxy denied access to;10;STA….;ticket# port 1494”

When using Advanced Access Control 4.2 or earlier, users can launch applications from the Program Neighborhood Content Delivery Agent (CDA) in an Access Center in the same Advanced Access Control server farm.

The Access Gateway logs may show the following:

"(03/08/07 13:52:58): 2:server:sta_proto: : sta_server_list is NULL. ALL STA TICKET VALIDATION WILL FAIL.
(03/08/07 13:52:58): 2:server:socks_proto: : STA/SOCKS context error!"
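To check a saved copy of the Access Gateway log for the two entries above, the following added example (not Citrix code) scans log lines and reports the timestamps at which both messages were logged together. The group names in the pattern are assumptions inferred from the excerpt, and the filler lines in the sample are constructed.

```python
import re

# Layout inferred from the article's two log entries; the group names are
# assumptions: (timestamp): <number>:<source>:<module>: : <message>
LINE_RE = re.compile(
    r'^"?\((?P<ts>[^)]+)\): (?P<level>\d+):(?P<source>\w+):'
    r'(?P<module>\w+): : (?P<msg>.*?)"?$'
)

# Message fragments copied from the article's log excerpt.
SIGNATURES = {
    "sta_server_list is NULL": "sta_list_empty",
    "STA/SOCKS context error": "sta_socks_context_error",
}

# Lines 2 and 3 are the article's excerpt; the others are constructed filler.
SAMPLE_LOG = [
    '(03/08/07 13:52:40): 6:server:main: : constructed unrelated entry',
    '"(03/08/07 13:52:58): 2:server:sta_proto: : sta_server_list is NULL. ALL STA TICKET VALIDATION WILL FAIL.',
    '(03/08/07 13:52:58): 2:server:socks_proto: : STA/SOCKS context error!"',
    'constructed line that does not follow the layout',
]

def parse_line(line):
    """Return the entry's fields as a dict, or None if the layout differs."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """List every entry carrying one of the STA failure messages."""
    findings = []
    for number, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that do not match the inferred layout
        for fragment, tag in SIGNATURES.items():
            if fragment in entry["msg"]:
                findings.append({"line": number, "ts": entry["ts"], "tag": tag})
    return findings

def paired_failures(findings):
    """Timestamps at which both STA messages were logged together."""
    tags_by_ts = {}
    for f in findings:
        tags_by_ts.setdefault(f["ts"], set()).add(f["tag"])
    return sorted(ts for ts, tags in tags_by_ts.items() if len(tags) == len(SIGNATURES))

if __name__ == "__main__":
    print(paired_failures(triage(SAMPLE_LOG)))
```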

Note: When the Secure Ticketing Authority (STA) within Web Interface is not configured, not valid, or not resolvable, you receive an error message stating "the resource you are requesting is no longer available."

Cause 1

The STA has not been defined in the Access Suite Console for the Access Gateway Appliance.

Cause 2

The STA is not resolvable by the Access Gateway. The error can be reproduced in a working environment with one STA by altering the IP address in the Advanced Access Control Console.

Resolution 1

Use the following procedure to configure the Access Gateway to use the STA.

  1. From the console tree, select Gateway Appliances.
  2. Under Common Tasks, click Edit gateway appliances properties.
  3. On the Secure Ticketing Authority page, click New.
  4. Type the IP address or FQDN of the server where the STA is installed.
  5. In STA Path, type the path of the STA.
  6. Select Use secure communication to secure the connection to the STA.

Resolution 2

Attempt to diagnose the issue by using IP addresses (instead of the fully qualified domain name (FQDN)) for the STA. Access Gateway 4.5 and later allow for the alteration of the hosts file on the appliance.

Other options are:

• Allow the Access Gateway to use the internal Domain Name System (DNS) server so it can resolve the STA FQDN

• Create a new DNS server hosted in the demilitarized zone (DMZ) that the appliance can use and create a record for the STA

• Use an IP address instead of an FQDN for the STA URL, in which case you might need to leave the STA traffic unsecured

Note: If the Access Gateway needs to use a network address translation (NAT) address to reach the STA, option 2 is the best choice.

Also, the Advanced Access Control Console must reach the internal STA IP and the appliance must reach the NAT IP. Having a second DNS server just for the appliance allows you to set up two different IPs for the same STA FQDN.

The following articles can be used to isolate this error: CTX105390 – Troubleshooting SSL Error 4 with Secure Gateway and CTX101997 – Citrix Secure Gateway Secure Ticket Authority Frequently Asked Questions.

Configuring STA Logging

  1. Configure a logging level of 3 within the STA’s Ctxsta.config file.
  2. The file is located under Inetpub\Scripts (if the STA is from a standalone install or Internet Information Services (IIS) port sharing with XML on Presentation Server 4.0 or later is used) or under %program files%\Citrix\System32 on Presentation Server 4.0 or later servers with XML not sharing with IIS.
  3. Depending on the installation, issue the IISRESET command (if the STA was installed as a standalone or as part of Presentation Server 4.0 or later with the IIS/XML Service sharing feature) or restart the Citrix XML service.
  4. Investigate the STA logs. See CTX101716 – Error: The SSL Server You Have Selected is not accepting connections.
