If IIS is configured to require client certificates, end users fail to reach a Web Interface site for which Secure Gateway is acting as a reverse proxy.
Accessing the IIS site directly on its assigned SSL port works: the site appears on-screen with a prompt for a client certificate, which confirms that IIS itself is functioning.
When attempting to visit the site through Secure Gateway, end users see the following error:
Bad Gateway!
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /Citrix/MetaFrame
Reason: Error reading from remote server.
If you think this is a server error, please contact the webmaster
Error 502
server.fqdn
01/05/06 12:28 PM
Citrix XTE
The Secure Gateway event log reports the following pair of events whenever the issue occurs:
Event ID: 145 Source: Secure Gateway Category: PROXY Description: Failed to read status line from server server.fqdn
Event ID: 150 Source: Secure Gateway Category: PROXY Description: Failed to handle the proxy request.
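To confirm this signature in an exported event log, the 145/150 pairing can be checked mechanically. The following is an added example, not Citrix code; it assumes events are exported one per line in the flattened layout quoted above, and the function names and sample lines are constructed for illustration.

```python
import re

# Matches one exported event in the flattened layout quoted in this article
# (assumption: one event per line).
EVENT_RE = re.compile(
    r"Event ID:\s*(?P<id>\d+)\s+Source:\s*(?P<source>.+?)\s+"
    r"Category:\s*(?P<category>\S+)\s+Description:\s*(?P<desc>.+)"
)
STATUS_LINE_RE = re.compile(r"Failed to read status line from server\s+(?P<host>\S+)")


def parse_events(text):
    """Return a list of dicts, one per line that parses as an event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            ev["desc"] = ev["desc"].strip()
            events.append(ev)
    return events


def find_failed_proxy_pairs(events):
    """Return the upstream host for each event 145 directly followed by event 150."""
    sg = [e for e in events
          if e["source"] == "Secure Gateway" and e["category"] == "PROXY"]
    hosts = []
    for first, second in zip(sg, sg[1:]):
        if first["id"] == 145 and second["id"] == 150:
            m = STATUS_LINE_RE.search(first["desc"])
            hosts.append(m.group("host") if m else None)
    return hosts


# Constructed sample export: the two events from this article plus filler
# lines (event 999 and "Other Service" are made up for the example).
SAMPLE = """\
Event ID: 999 Source: Other Service Category: NONE Description: Unrelated entry
Event ID: 145 Source: Secure Gateway Category: PROXY Description: Failed to read status line from server server.fqdn
Event ID: 150 Source: Secure Gateway Category: PROXY Description: Failed to handle the proxy request.
Event ID: 150 Source: Secure Gateway Category: PROXY Description: Failed to handle the proxy request.
"""

if __name__ == "__main__":
    for host in find_failed_proxy_pairs(parse_events(SAMPLE)):
        print(f"145/150 pair for upstream {host}: check whether IIS requires client certificates")
```

A lone event 150 without a preceding 145 is not reported, since only the pair matches the behaviour described here.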
To use certificate authentication with a Web Interface server, run the web server parallel to Secure Gateway.
This is an unsupported configuration. Secure Gateway does not support client certificate checking during the SSL handshake. It supports TCP tunneling so that the user's HTTPS stream reaches the web server unaltered.
This condition is true for the following: