The following error is displayed when launching applications from a computer in a remote location, accessing the Web Interface site through a NetScaler Gateway:
"Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. SSL Error 29: The proxy denied access to;10;STAXXXXXXXXXX port 1494."

Complete the following steps to troubleshoot this issue:

1. Open ports 1494 and 2598 on the firewall between the NetScaler and the XenApp servers.

2. Verify that the Secure Ticket Authorities (STA) configured in the NetScaler Gateway are being successfully contacted. Examine the lists of configured STAs to verify if the STAs are UP. If the STAs are DOWN, then the problem is either an issue resolving the FQDN of the STA, or an issue reaching the configured port of the STA.

   To verify the health of the configured STAs in the NetScaler configuration utility, navigate as follows:
   NetScaler Gateway > Global Settings > Servers > Bind/Unbind STA Servers to be used by the STA.
   [Defined NetScaler Gateway virtual server] > Published Applications > Secure Ticket Authority.

   To verify the health of the configured STAs from the NetScaler command line, use the following syntax:
   show vpn global

   STA Server: http://10.10.10.10:8080/scripts/ctxsta.dll
   State: UP
   STA Server: http://10.10.10.20:8080/scripts/ctxsta.dll
   State: UP

   show vpn vserver [Defined NetScaler Gateway virtual server name]

   1) STA Server: http://10.10.10.10:8080/scripts/ctxsta.dll
   State: UP
   2) STA Server: http://10.10.10.20:8080/scripts/ctxsta.dll
   State: UP

3. To verify that the STA servers defined on the NetScaler Gateway use FQDNs that are successfully resolvable, test resolution of the FQDNs using the ping tool available in the NetScaler configuration utility. To find the ping tool in the NetScaler configuration utility, navigate as follows:
   System > Diagnostics > Utilities > Ping.

   To find the ping tool using the NetScaler command line, use the following syntax:
   ping STA_SERVER_FQDN

4. To verify that the port number of the STA servers is accessible, remove the STA from the NetScaler Gateway configuration, then re-add the STA as a service of type TCP, with a monitor of type tcp.

   To add the STA as a TCP service in the NetScaler configuration utility, navigate as follows:
   Traffic Management > Virtual Servers > Services > Add.

   To add the STA as a TCP service using the NetScaler command line, use the following syntax:
   add service TestSTA STA_SERVER_IP_ADDRESS TCP STA_SERVER_PORT_NUMBER

5. Re-use the strategy of testing the STA port accessibility to also investigate accessibility by the NetScaler Gateway to ports 1494 and 2598 on the XenApp servers. Be advised that XenDesktop VDA resources do not actively keep ports 1494 and 2598 open at all times. The XenDesktop ICA port listener is only active and listening for a small window of time immediately after a connection is requested for the same VDA resource through Web Interface or Storefront.

Problem Cause

The NetScaler was unable to contact the STA listed in the configuration causing the application launch to fail.

CTX113250 - Required Ports for Citrix NetScaler Gateway in DMZ Setup