XenApp not working through TMG 2010

    Question

  • Good day,

    After installing a new Microsoft TMG Server 2010 firewall, the XenApp application couldn't connect, giving the following errors.

    ====================================================================================

    Error#1: SSL Error 4: the proxy denied access to ; 10 ; STA00237D35D7AA ; 213E518DB75AA083405B7BD0E3CC9814 port 1494

    =====================================================================================

    Error#2: Unable to launch you application.contact your helpdesk with the following information: Cannot connect to the Citrix XenApp server.

    SSL Error 4: the proxy denied access to ; 10 ; STA00237D35D7AA ; C2FC9547C8B26FB0E61F6B096D30B4B0 port 1494

    =============================================================================

    When entering the credentials, it opens the “Launching …” window and it keeps hanging.

    Note that on the TMG server the TCP port 1494 (ICA) is allowed for the specified servers, in addition to HTTPS & ICA Session/Session reliability enabled protocols.

    Could you assist in solving this issue?

    Regards

    Elias Dayeh

    Monday, December 03, 2012 8:52 AM

All replies

  • Hi,

    you must extend the TMG tunnel port range:
    http://technet.microsoft.com/en-us/library/cc302450.aspx
    http://support.citrix.com/article/CTX104998


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    • Marked as answer by Elias Dayeh Sunday, February 03, 2013 5:12 PM
    Monday, December 03, 2012 4:24 PM
  • Hi, I did it, still the same. Is there any additional configuration, such as the TMG Firewall client, or a proxy for the browser, or on the TMG server firewall rules?

    Regards

    Elias Dayeh

    Monday, December 03, 2012 7:22 PM
  • Hi,

    Thank you for the post.

    In order to connect to a remote Citrix Metaframe server through the TMG server, you may perform the following actions:

    1. These clients need to be configured as either Secure NAT clients or have firewall clients installed.

    2. When installing firewall clients, we need to go to the TMG server firewall client settings:

    Go to Networking->configure Forefront TMG Client Settings->application settings:

    Application: wfica32

    Key: Disable

    Value: 0

    Note: If they are using the Citrix client (not the web client), the following SSL tunneling ports need to be opened:

    1494

    2598

    Regards,


    Nick Gu - MSFT

    Wednesday, December 05, 2012 5:05 AM
    Moderator
  • Hi Nick,

    Thanks for your reply, the application you specified does not exist, as per the attached screenshot.

    Dear Marc, thank you for your approach. I have extended the TMG tunnel port range for ports 1494 & 2598 and disabled the Webfilter for HTTPS traffic, and it worked well. Note that for TMG client users, when accessing HTTPS traffic it is not filtered; it is not as secure as needed. Is there any better solution for it?

    Regards

    Elias Dayeh

    Thursday, December 13, 2012 10:31 AM
  • Hi,

    “Thanks for your reply, the application you specified does not exist as per attached screenshot” – you should create the application wfica32, and set the Disable value to 0.

    Regards,


    Nick Gu - MSFT

    Friday, December 14, 2012 5:02 PM
    Moderator
  • Sorry for late reply.

    Dear Nick, after creating the application wfica32 & setting Disable to 0, is it necessary to extend the TMG tunnel port range, or is it enough to solve the issue?

    Since, as I stated earlier, extending the tunnel port range is not much accepted.

    Regards

    Elias Dayeh

    Tuesday, December 18, 2012 9:13 PM
  • Good day,

    In addition to your advice, the following article was also helpful, with a script to apply:

    http://social.technet.microsoft.com/wiki/contents/articles/4915.aspx

    Regards

    Elias Dayeh

    • Marked as answer by Elias Dayeh Sunday, February 03, 2013 5:13 PM
    Sunday, February 03, 2013 5:13 PM
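
The tunnel port range change discussed in this thread, as an added example (it is not the script from the linked wiki article, and not code posted by any participant). It uses the Forefront TMG administration COM object `FPC.Root` to list the existing tunnel port ranges and add single-port ranges for 1494 and 2598 only if they are not already covered; the range names are chosen here for illustration, and the script is assumed to run in an elevated session on the TMG server.

```powershell
# Added example: audit and extend the TMG tunnel port ranges for Citrix.
# Assumptions: runs elevated on the TMG server; range names are illustrative.
$wanted = @(
    @{ Name = 'Citrix ICA 1494'; Port = 1494 },   # ICA
    @{ Name = 'Citrix CGP 2598'; Port = 2598 }    # session reliability
)

$root   = New-Object -ComObject FPC.Root
$array  = $root.GetContainingArray()
$ranges = $array.ArrayPolicy.WebProxy.TunnelPortRanges

# Every range listed here is a port the web proxy will tunnel to,
# so review the list before adding anything to it.
Write-Host 'Tunnel port ranges before the change:'
foreach ($r in $ranges) {
    '{0,-24} {1}-{2}' -f $r.Name, $r.TunnelLowPort, $r.TunnelHighPort
}

$changed = $false
foreach ($w in $wanted) {
    $covered = $false
    foreach ($r in $ranges) {
        if ($w.Port -ge $r.TunnelLowPort -and $w.Port -le $r.TunnelHighPort) {
            $covered = $true
        }
    }
    if ($covered) {
        Write-Host ("Port {0} is already inside a tunnel port range, skipping." -f $w.Port)
    }
    else {
        # Low port = high port: open exactly one port, not a wide span.
        [void]$ranges.AddRange($w.Name, $w.Port, $w.Port)
        Write-Host ("Added range '{0}' for port {1}." -f $w.Name, $w.Port)
        $changed = $true
    }
}

if ($changed) {
    $ranges.Save()
    # Assumption: the Firewall service may need a restart before the
    # new ranges take effect.
    Write-Host 'Configuration saved.'
}
```

Keeping each range to a single port limits what the proxy will tunnel, and access rules can still restrict those ports to the specific XenApp servers.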