Sunday, August 27, 2006
CSG/CWI Interaction
For someone who has been working with Citrix for years, this is probably a very simple concept, but it just "clicked" for me the other day. (You know when a concept is just out of reach but then one day it just clicks and suddenly makes sense? I love it when that happens!)
I'm talking about the interaction between Citrix Secure Gateway (CSG) and Citrix Web Interface (CWI). In some environments, these roles are separated out onto multiple servers so that this interaction makes much more sense, but in my case they are both on the same physical server.
I was having an issue where after I thought I had it all configured and it should be working, the clients were receiving an IIS "Bad Request (Invalid Hostname)" error. It turns out this was because I had defined a host header value on the IIS Default Web Site (used for the Citrix Web Interface).
The SSL certificate for the URL is primarily used by CSG. When the client hits the server on 443, it's talking with CSG. Then CSG internally hits the CWI site at http://localhost, not the URL. I found a post on Brian Madden's forums that suggested for additional security you should configure the IIS website to only listen on 127.0.0.1 instead of a specific external IP or All Unassigned. So removing the host header value from the IIS site fixed my problem, but I also set it to only listen on the local IP and all is still good.
Here's a diagram that I whipped up to show the interaction. I'm very much a visual learner, so I often create things like this to help me visualize what's happening. The diagram also gives which ports are needed through the firewalls; once set up, this is all visible using netstat on each system.
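The netstat check mentioned above can be scripted. This is an added example, not part of the original post: it parses Windows `netstat -ano` output and reports any listener on the CWI port that is not bound to loopback. The sample output is constructed, port 80 is assumed from the http://localhost URL, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -ano` output for a combined CSG/CWI
# server; the addresses and PIDs are made up for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1494          10.0.0.20:2231         ESTABLISHED     2044
  TCP    [::]:80                [::]:0                 LISTENING       4
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Local address, local port, foreign address (ignored), state, PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listeners(netstat_text):
    """Yield (address, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            # IPv6 addresses are printed in brackets, e.g. [::]:80
            yield m.group(1).strip("[]"), int(m.group(2)), int(m.group(3))


def exposed_listeners(netstat_text, internal_ports=(80,)):
    """Return listeners on internal-only ports that are not loopback-bound.

    internal_ports defaults to 80, the assumed CWI port; 443 is left out
    because CSG is meant to be reachable from clients.
    """
    return [(addr, port, pid) for addr, port, pid in listeners(netstat_text)
            if port in internal_ports and addr not in LOOPBACK]


if __name__ == "__main__":
    for addr, port, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"port {port} is listening on {addr} (PID {pid}); expected loopback only")
```

A wildcard address reported here means the socket still accepts connections on external interfaces, so the firewall rules from the diagram remain the control that keeps port 80 unreachable from outside.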
Comments:
I loved this blurb. Just when I needed a concise explanation of what the hell was going on with my boxes, I come across this gem. Many thanks.
Mike