Hi everyone,

I'm in the process of setting up a new 2X farm, but I'm having an issue with setting up the Secure Client Gateway. Everything I have installed is the latest version, 10.5, downloaded today.

Here's the scenario: I have two Windows 2003 R2 servers. One is on the LAN and has the 2X publishing agent installed & the TS agent installed. The other one is in the DMZ and has Secure Client Gateway installed.

The firewalls are configured as follows:

WAN > FIREWALL1 > DMZ > FIREWALL2 > LAN

Ports 80 and 443 are allowed from the WAN to the DMZ, and ports 20002 & 20003 are allowed from the DMZ to the LAN.

On the machine running the Secure Client Gateway I have the ownership set to Normal mode with the address of the server running the publishing agent and the default port 20002. In the Gateways list on the server running the Publishing agent, the Secure Gateway Server is listed, ticked and shows as verified.

Here's my problem: I have selected Properties for the Secure Gateway and set the following:

Properties Tab:
Enable Secure Access Gateway in Farm - Ticked
Server: Hostname of server
IP: IP Address of server (its IP address in the DMZ).
Description: blank

Network Tab:
2X Secure Client Gateway port: Ticked and set to 80
Everything else is unticked.

Advanced Tab:
Forward requests to 2X publishing agent and HTTP server: Selected
HTTP Server: localhost:81
2X Publishing Agent: <server's full DNS name on the LAN>:20002 (I have checked that the name is resolvable from the server in the DMZ and it is).
Bind gateway to address: all available
Enable RDP DOS attack filter: ticked.

SSL/TLS tab:
Enable SSL on Port: ticked 443
I have created a self-signed certificate. We'll be putting a proper certificate in once this is working properly.

Security tab:
Unchanged - totally default.

Wyse tab:
Disabled.
--------------------------------------------------------

With those settings applied, I checked the information page on the server in the DMZ and I see this:

2X Secure Client Gateway running normally
2X Secure Client Gateway running on 0.0.0.0:80 (TCP)
Citrix gateway running on 0.0.0.0:1494 (TCP)
Broadcast service running on 0.0.0.0:20000 (UDP)

Obviously this isn't right as I have disabled broadcast and Citrix and enabled SSL which isn't showing above.

I am unable to connect with the 2X client either in Gateway mode or Gateway SSL mode. Both modes report that the server can't be found, but SSL mode reports it instantly whereas just Gateway mode takes quite some time to show the error.

Once I get this working I plan to install the web portal on the server in the DMZ as well.

Am I missing something here or has anyone else had/resolved the same or similar issue? Any help would be appreciated.

Thanks
Iain.
Hi Iain,

Couple of things:

1) Maybe test first with firewall open to all DMZ to LAN and LAN to DMZ (only for testing). Then close when you know it works. Enable logging to make sure you are not missing something.

2) I did not see what version you have, but if it is SMB you will only be able to do (1) Gateway. The server will not allow a secondary gateway to work even if you deactivate the primary gateway. What you posted sounds reported to Tech Support a while ago. If you are testing and this is not (2), just keep this in mind when you order.

Hope this helps.
Vito
Hi,

This did turn out to be a licensing problem. Although I only had one gateway ticked in the list of gateways, it still treated it as if I had more than one and wouldn't communicate with the one I had ticked.

Re-installing the software on the server running the publishing agent and choosing custom and deselecting Secure Gateway and then adding the gateway alone to the server in the DMZ has worked now.

It seems to be a weird quirk with this software: it warns you about the licensing if you try to tick more than one gateway in the list, but says nothing about just having more than one agent installed even if it isn't enabled. I've noticed exactly the same behaviour with the terminal services agent.

Cheers.
Iain.