Troubleshooting CAG and AAC

By Edwin

Today I had a problem with a CAG and AAC that was not accepting any incoming ICA connections. The error I got was:

"SSL Error 29: proxy denied access to port 1494 STA… from Web Resource in an Advanced Access Control Farm"

The problem is caused by STA identifiers whose FQDN cannot be resolved by the CAG.

Error in the CAG log:

“(09/10/08 13:52:58): 2:server:sta_proto: : sta_server_list is NULL. ALL STA TICKET VALIDATION WILL FAIL.
(09/10/08 13:52:58): 2:server:socks_proto: : STA/SOCKS context error!”

This is due to the fact that the CAG cannot reach the DNS server in the LAN, because port 53 TCP/UDP from the DMZ towards the LAN segment is closed. You don't want to open these ports, because your DNS server could become vulnerable to attacks, so keep this port closed if possible. You could put an extra DNS server in the DMZ, but I don't think that is a solution.

In the CAG you can create a hosts file in which you put the FQDNs and IP addresses of the Citrix servers. Make sure the STA identifiers in your WI, AAC and CAG are exactly the same in all places; otherwise you could still have connection problems. After doing this, reboot the CAG; it can then resolve the STA identifiers and applications can be launched. Problem solved.
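As an added example (not from the original post or from Citrix), a small Python check that the STA identifiers configured on WI, AAC and CAG are identical and that every STA hostname has an entry in the hosts file staged for the CAG, so no DNS query towards the LAN is needed. The hostnames, IP addresses and the URL form of the identifiers are constructed for illustration.

```python
"""Check STA identifiers across WI/AAC/CAG against a static hosts file."""
import ipaddress
from urllib.parse import urlparse

# Constructed hosts-file content, as it would be placed on the CAG.
HOSTS_FILE = """\
127.0.0.1   localhost
10.0.1.21   sta1.corp.example   # hypothetical STA server
10.0.1.22   sta2.corp.example
"""

# Constructed STA lists per component (hypothetical names and URL form).
STA_CONFIG = {
    "WI":  ["http://sta1.corp.example/scripts/ctxsta.dll",
            "http://sta2.corp.example/scripts/ctxsta.dll"],
    "AAC": ["http://sta1.corp.example/scripts/ctxsta.dll",
            "http://sta2.corp.example/scripts/ctxsta.dll"],
    "CAG": ["http://sta1.corp.example/scripts/ctxsta.dll",
            "http://sta3.corp.example/scripts/ctxsta.dll"],  # typo: sta3
}

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table

def sta_host(identifier):
    """Host part of an STA identifier given as a URL or a bare FQDN/IP."""
    url = identifier if "://" in identifier else "http://" + identifier
    return (urlparse(url).hostname or "").lower()

def needs_resolution(host):
    """An IP literal needs no lookup; a name must be in the hosts file."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True

def check_sta(config, hosts_text):
    """Return (identifiers not shared by all components, unresolvable hosts)."""
    hosts = parse_hosts(hosts_text)
    sets = {comp: set(ids) for comp, ids in config.items()}
    common = set.intersection(*sets.values())
    mismatched = {c: sorted(s - common) for c, s in sets.items() if s - common}
    names = {sta_host(i) for ids in config.values() for i in ids}
    unresolvable = sorted(n for n in names if needs_resolution(n) and n not in hosts)
    return mismatched, unresolvable
```

Running `check_sta(STA_CONFIG, HOSTS_FILE)` on the constructed data reports `sta3.corp.example` as unresolvable and lists the identifiers each component does not share with the others.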


2 Responses to “Troubleshooting CAG and AAC”

  1. Edwin,

    This is the correct procedure when implementing a server in a Demilitarized Zone (DMZ). The server should have as few connections to the inside network as possible. Probably the server doesn't need any connections to the outside network (Internet), so working with a HOSTS file is the most secure way.

    I always use a HOSTS file on servers in the DMZ. If the server needs to resolve DNS names on the internet, I always use a public DNS server and create a HOSTS file for all internal DNS names. In that way the server never queries the internal DNS servers.

  2. P Coleman

    I had the exact same issue as above, which started two years after install, just after license renewal. Added the FQDN and the IP of the STAs into the CAG and rebooted, and all access is now working.
