
SSL Error 37 with SSL for ICA


Roy Weekes

Feb 25, 2002, 11:46:58 AM2/25/02
I am trying to make use of the SSL support for ICA in MF XP FR1 and the
latest 6.20 ICA clients. I have installed a server certificate on the MF
server, and installed the appropriate root certificate on the ICA client
machine.

I have the network protocol for the published app in PN set to SSL + HTTPS
and have specified the FQDN of the MF server in the address list. I have
tried setting the port to both 80 and 443 but I always get this error
message:

There is no route from the Citrix SSL Relay to the specified subnet address
(SSL error 37)

Does anyone know what this means? I only have one MF server, which is
running the SSL Relay, so I wouldn't have thought there was much routing to
be done!

Thanks,
Roy.


Franco

Mar 2, 2002, 6:54:54 AM3/2/02
Not 100% sure because I'm new to Citrix as well, but you have to set the
external address of your MetaFrame XP Server using the altaddr command.
"Roy Weekes" <roy.w...@clara.co.uk> wrote in message
news:101465555...@eos.uk.clara.net...

Roy Weekes

Mar 4, 2002, 5:19:58 AM3/4/02
Nope, but I shouldn't need to because the client is internal. Getting it to
work externally is the next trick.

"Franco" <hsv...@bigpond.com> wrote in message
news:l13g8.2850$wb7....@newsfeeds.bigpond.com...

Darren Mackay

Mar 8, 2002, 6:45:34 AM3/8/02
Hi,

| There is no route from the Citrix SSL Relay to the specified
| subnet address (SSL error 37)
|
| Does anyone know what this means? I only have one MF server,
| which is running the SSL Relay, so I wouldn't have thought
| there was much routing to be done!

The sslrelay is actually a SOCKS over SSL connection. The sslrelay will
return a SOCKS 'destination unreachable' to the citrix client when the rule
to allow connection to a specific address and port does not exist. On the
sslrelay server, you need to have at least 2 rules:

1. connection to the citrix xml service (usually on the same server, use
server's ip address)

2. connection to tcp 1494 (again, usually the same server, use the server's
internal ip address)

Contrary to what is mentioned in another post, you do not use the alternate
address when using the ssl relay and the relay terminates on the citrix
server.

Make sure that the CA certificate is in the /keystore/cacerts directory in
PEM format. The sslrelay server also requires reverse dns lookups of the
hostname in the server certificate to resolve to itself. If you do not have
reverse lookups working for the sslrelay host, then the service will take
forever to start and may give weird timeout problems now and in the future
when clients connect.

You can debug the connection by stopping the sslrelay service, and starting
sslserverrelay from a command prompt - this starts the service in debug
mode (note that it will only service a single connection whilst in debug
mode).

Realistically, you should never terminate connections on production
servers. The ssl relay service should be on its own server (ie - not a
production server). Think seriously about using citrix secure gateway -
there are several design guides for this on mycitrix.com. Refer to the
nsa's server hardening guides and ensure that your nfuse pages are also ssl.

Enjoy,

Darren Mackay
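The behaviour Darren describes (the relay answers a SOCKS "destination unreachable" when no rule covers the requested address and port, and a relay terminating on the MetaFrame server needs a rule for the XML service port and one for TCP 1494) can be modelled in a few lines. This is an added illustration, not Citrix code: it assumes the standard SOCKS5 CONNECT/reply layout from RFC 1928 as a stand-in for whatever SOCKS dialect the relay actually speaks, and the server address and ports are constructed sample values.

```python
import ipaddress
import struct

# RFC 1928 reply codes, used as a model; the page only says the relay
# speaks SOCKS over SSL and returns "destination unreachable" (assumption).
SOCKS5_SUCCEEDED = 0x00
SOCKS5_NET_UNREACHABLE = 0x03


def required_rules(server_ip: str, xml_port: int = 80) -> set:
    """The two rules the post says are needed when the relay terminates on the
    MetaFrame server: the Citrix XML service port and ICA on TCP 1494,
    both to the server's own (internal) IP address."""
    return {(server_ip, xml_port), (server_ip, 1494)}


def build_connect(ip: str, port: int) -> bytes:
    """Construct a SOCKS5 CONNECT request with an IPv4 destination (ATYP 0x01)."""
    return bytes([5, 1, 0, 1]) + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def parse_socks5_connect(req: bytes) -> tuple:
    """Return (ip, port) from a SOCKS5 CONNECT request carrying an IPv4 address."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != 5 or cmd != 1 or atyp != 1:
        raise ValueError("only SOCKS5 CONNECT to an IPv4 address is modelled")
    ip = str(ipaddress.IPv4Address(req[4:8]))
    (port,) = struct.unpack("!H", req[8:10])
    return ip, port


def relay_decide(rules: set, req: bytes) -> int:
    """Model of the relay's access check: a destination is reachable only if a
    matching (address, port) rule exists; otherwise the client sees error 37."""
    return SOCKS5_SUCCEEDED if parse_socks5_connect(req) in rules else SOCKS5_NET_UNREACHABLE


def missing_rules(rules: set, server_ip: str, xml_port: int = 80) -> set:
    """Which of the two required rules a relay configuration still lacks."""
    return required_rules(server_ip, xml_port) - set(rules)
```

With only the XML service rule configured, the ICA CONNECT to port 1494 is refused exactly as in the original report; adding the 1494 rule makes it succeed.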


Sam Simpson

Mar 17, 2002, 6:11:21 PM3/17/02
Roy,

I am trying out SSLRelay at the moment and have the same problem.
Searched the usual sources and no joy, spoke to Citrix support and got a
big 'erm'.

If you have any joy, please post here?


--
Regards,

Sam Simpson
s...@samsimpson.com
http://www.samsimpson.com/
http://www.scramdisk.clara.net/


Roy Weekes

Mar 26, 2002, 11:37:38 AM3/26/02

"P.Murrer" <p.mu...@jilka.de> wrote in message
news:fed67af9.02031...@posting.google.com...
> I had the same problem a few weeks ago.
> I am not sure if it has been the error no. 37 but one point has been
> wrong in the 'Citrix SSL-Relay-Konfiguration' (I am sorry but I can
> only tell about the German version.)
> The middle part (in German it's called 'Verbindung', it will be named
> 'Connection' I think) you have to route the used HTTP port (usually 80)
> _and_ the Citrix port (usually 1494). That's one point we didn't think
> about but it seems to be logical ;)
> In the documentation I used this wasn't noticed, maybe you used the
> same one...
>
> Greets
> P.Murrer
>
> P.S. I am sorry for my bad English, but English is not my native
> language.

Many thanks, P and Darren, the problem was that I didn't have port 1494
added on the SSL Relay config. Adding that fixed the problem.

Apologies for not replying sooner, I have been out of the office due to
sickness and courses.

Kind regards,
Roy.

