Secure Gateway Fails to Proxy Traffic to IIS After Client Certificates are Required

  • CTX108577
  • Created on Jun 12, 2014
  • Updated on Jun 12, 2014
Article Topic Configuration, Networking

Symptoms or Error

If IIS is configured to require client certificates, end users fail to reach a Web Interface site for which Secure Gateway is acting as a reverse proxy.

The IIS site, if accessed directly with the assigned SSL port of IIS, successfully appears on-screen with a prompt for a client certificate. Thus, IIS is confirmed to be functioning.

When attempting to visit the site via Secure Gateway, end users see the following error:

Bad Gateway!
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /Citrix/MetaFrame
Reason: Error reading from remote server.
If you think this is a server error, please contact the webmaster
Error 502
01/05/06 12:28 PM
Citrix XTE

The Secure Gateway event log reports the following pair of events whenever the issue occurs:

Event ID: 145
Source: Secure Gateway
Category: PROXY
Failed to read status line from server server.fqdn

Event ID: 150
Source: Secure Gateway
Category: PROXY
Failed to handle the proxy request.
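
The event pair above can be correlated in a text export of the Secure Gateway event log to list which upstream servers are failing this way. The following Python is an added example, not code from Citrix or from this article; the blank-line-separated export layout, the function names and the `*.example.test` host names are assumptions.

```python
import re
from collections import Counter

# Constructed sample export in the layout shown above; host names are placeholders.
SAMPLE_EXPORT = """\
Event ID: 145
Source: Secure Gateway
Category: PROXY
Failed to read status line from server wi01.example.test

Event ID: 150
Source: Secure Gateway
Category: PROXY
Failed to handle the proxy request.

Event ID: 145
Source: Secure Gateway
Category: PROXY
Failed to read status line from server wi02.example.test
"""

HEADER = re.compile(r"^(Event ID|Source|Category):\s*(.*)$")
STATUS_LINE = re.compile(r"Failed to read status line from server (\S+)")

def parse_events(text):
    """Turn blank-line-separated records into dicts with a 'Message' key."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event, message = {}, []
        for line in filter(None, map(str.strip, block.splitlines())):
            m = HEADER.match(line)
            if m:
                event[m.group(1)] = m.group(2)
            else:
                message.append(line)
        if "Event ID" in event:
            event["Message"] = " ".join(message)
            events.append(event)
    return events

def failed_upstreams(events):
    """Count 145 -> 150 PROXY pairs per upstream server named in event 145."""
    hits = Counter()
    for a, b in zip(events, events[1:]):
        m = STATUS_LINE.search(a["Message"])
        if m and (a["Event ID"], b["Event ID"], b.get("Category")) == ("145", "150", "PROXY"):
            hits[m.group(1)] += 1
    return hits

print(dict(failed_upstreams(parse_events(SAMPLE_EXPORT))))
```

Each server reported is a candidate for checking whether its IIS site requires client certificates; an event 145 with no following 150 is not counted.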


To use certificate authentication with a Web Interface server, the Web server must run in parallel with Secure Gateway.

Problem Cause

This is an unsupported configuration. Secure Gateway does not support client certificate checking during the SSL handshake, nor does it support TCP tunneling so that the user's HTTPS stream reaches the Web server unaltered.

This condition is true for Web Interface sites present on IIS servers that are manually configured to require client certificates, and this condition is also true for Web Interface sites that are configured to use Smart Card authentication in any capacity.
