Secure gateway problem

I have a problem with connecting through Secure Gateway.

The following error occurs when accessing the content environment using Secure Gateway.

- The environment manages 2 Secure Gateway servers (load balanced using Fortigate)

- Secure Gateway servers are configured to run Connection Broker and RDP using the same IP address

- It's configured to use an SSL wildcard certificate

I cannot use pntsc successfully (from the outside) and retrieve the office setting (on Secure Gateway).

The client is configured as below (the same full domain name is used, matching the wildcard cert)

The proxy for Connection Broker and the proxy for the RDP traffic use the same IP and port, which is accessible from the outside because I can connect to the broker successfully through the Secure Gateway. What could be the problem with the RDP proxy part? Specific parameters for Fortigate?

The bridge of desktop services shows that at the time of the error:

10:56:19 - 2924:2772 - security [972] context OK

10:56:19 - 2924:2772 - SSL handshake ok [972]

10:56:19 - 2924:2772 - [972] given Extra after the SSL handshake

10:56:19 - 2924:2772 - [972] reading data, 569 bytes

10:56:19 - 2924:2772 - client full ticket, broker auth required = true

10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket timeout = 300, connect the window = 15

10:56:19 - 2924:2772 - [972] CProxyThread::validateTicket: CTicketCache::handleConnectMsg returned 3

10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket not found in the cache, with broker ticket validation...

10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: successfully validated the ticket

10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: after validating, call the addTicketAfterValidateIf returned 4

10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: ticket added, connection was not possessed or current thread added to the owners, after validation

10:56:19 - 2924:2772 - CProxyThread::ConnectToServer [816]: disable the nagle algorithm

10:56:19 - 2924:2772 - * Handle to Thread [972 816] 00000478, Id 00000ad4

10:56:19 - 2924:2772 - Start [972 816]: 9:56:19.112 08/01/2014

10:56:19 - 2924:2772 - [972 816] NL, XXXX, XXX, XXX XX XXXX, XXXX, XXXX, Wildcard SSL, *. [email protected], of 10.3.72.32:3389

10:56:29 - 2924:2772 - Server [972 816] Recv 0

10:56:29 - 2924:2772 - [972] CTicketCache::handleProxyEnd returned 10

10:56:29 - 2924:2772 - [972 816] proxy's client 0 bytes, 0 bytes Server

10:56:29 - 2924:2772 - Server SSL channel cleaning [972]

10:56:29 - 2924:2772 - [972] 37 bytes of handshake data sent

10:56:29 - 2924:2772 - [972] 0000 15 03 01 00 20 4 b 5 a: 96 c2 e0 a6 e5 1 7 a 1 d 89... K.Z.... z...

10:56:29 - 2924:2772 - [972] finished cleaning.

10:56:29 - 2924:2772 - end of thread [972 816].

Clues?

For people with the same problem: we managed to make it work using the Source IP Hash option in the Fortigate.

Thanks Andrew for the fast support!
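A triage sketch for the log in the question, added here as an example and not part of the original posts or of the product: it groups Secure Gateway log lines by connection id and flags sessions where the ticket validated but the proxy ended with 0 bytes in both directions, the symptom shown at 10:56:29. The patterns follow the machine-translated wording on this page (an assumption), and connection 410 in the sample is constructed.

```python
import re

# Lines for connection 972 are copied from the log in the post above; its wording
# is machine-translated, so these patterns are assumptions that fit this page.
# Connection 410 is constructed here as a healthy session for contrast.
SAMPLE_LOG = """\
10:56:19 - 2924:2772 - SSL handshake ok [972]
10:56:19 - 2924:2772 - CProxyThread::validateTicket [972]: successfully validated the ticket
10:56:19 - 2924:2772 - CProxyThread::ConnectToServer [816]: disable the nagle algorithm
10:56:19 - 2924:2772 - Start [972 816]: 9:56:19.112 08/01/2014
10:56:29 - 2924:2772 - Server [972 816] Recv 0
10:56:29 - 2924:2772 - [972 816] proxy's client 0 bytes, 0 bytes Server
10:56:29 - 2924:2772 - end of thread [972 816].
11:02:03 - 2924:3100 - CProxyThread::validateTicket [410]: successfully validated the ticket
11:02:03 - 2924:3100 - Start [410 512]: 10:02:03.020 08/01/2014
11:14:47 - 2924:3100 - [410 512] proxy's client 18230 bytes, 904112 bytes Server
11:14:47 - 2924:3100 - end of thread [410 512].
"""

LINE_RE = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2}) - \d+:\d+ - (.*)$")
CONN_RE = re.compile(r"\[(\d+)(?: \d+)?\]")  # [client] or [client server]
BYTES_RE = re.compile(r"client (\d+) bytes, (\d+) bytes Server")


def analyze(log_text):
    """Return one summary dict per connection that reached the proxy-end line."""
    sessions = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank line or anything that is not a log record
        hh, mm, ss, msg = line.groups()
        conn = CONN_RE.search(msg)
        if not conn:
            continue
        now = int(hh) * 3600 + int(mm) * 60 + int(ss)
        sess = sessions.setdefault(conn.group(1), {
            "conn": conn.group(1), "first_seen": now, "validated": False,
            "client_bytes": None, "server_bytes": None, "seconds": None})
        if "successfully validated the ticket" in msg:
            sess["validated"] = True
        counts = BYTES_RE.search(msg)
        if counts:
            sess["client_bytes"] = int(counts.group(1))
            sess["server_bytes"] = int(counts.group(2))
            sess["seconds"] = now - sess["first_seen"]

    results = []
    for sess in sessions.values():
        if sess["client_bytes"] is None:
            continue  # no proxy-end line seen for this id (e.g. the bare [816])
        if sess["validated"] and sess["client_bytes"] == 0 and sess["server_bytes"] == 0:
            sess["verdict"] = "validated_no_data"  # the failure shown in the post
        elif sess["client_bytes"] or sess["server_bytes"]:
            sess["verdict"] = "data_flowed"
        else:
            sess["verdict"] = "other"
        results.append(sess)
    return results


if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG):
        print(s["conn"], s["verdict"], s["seconds"], s["client_bytes"], s["server_bytes"])
```

Run against the logs of each load-balanced node, a count of `validated_no_data` sessions before and after a change such as the Source IP Hash setting gives a quick check that the change had an effect.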

Tags: Dell Tech

Similar Questions

  • work around the internal security gateway and the same url for web access external and internal

    role of the broker 1 quest
    1 security with the roles of web access gateway
    1 Server terminal server

    I configured the default gateway with the security rule parameter: "vworkspace security gateway".
    I created a custom rule with the value 172.16.1.177 (it's my internal Windows 7 client).
    When I navigate to the internal URL (FQDN of the secure gateway server) I bypassed (tsdebug shows no sslgateway).

    But now I want to use 1 URL for internal and external access, typing the same URL.
    Now when I navigate to the external URL from the internal machine with the above IP I always go through the security gateway; I see an SSLGateway

    Hi Erik,

    I think that this has been fixed in our latest version 8.5 - documents.software.dell.com/DOC252107

    Please download and upgrade your farm and let us know if you still see this problem.

    If you do, it may be best to save a service request so that we can see exactly what is happening.

    Thanks, Sam

  • VPN could not establish a connection to the security gateway

    My VPN connection worked, but now after several hours I can not connect.

    My LAN works. (Windows Server 2003)

    The app:

    Cisco Systems VPN Client

    The error message:

    Opening TCP to 209.189.224.138, port 10000...

    Communicating with the gateway to 209.189.224.138...

    Cannot establish a connection to the security gateway.

    What could be the problem?

    Thank you

    Greg

    Hi Greg,

    On the properties of Tunnel -> Transport mode, click IPsec over UDP and try to connect... I think that, from now on, you connect via TCP 10000.

    Regards,

    REDA

  • AnyConnect 3.1 - the certificate on the secure gateway is not valid

    Hi guys,

    I have a problem with AnyConnect 3.1.01065.

    When I try to connect I get "The certificate on the secure gateway is not valid. A VPN connection can be established."

    The certificate is a self-signed cert.

    AnyConnect 2.5 works without problems.

    ASA image: 8.4(2).

    [27.11.2012 15:58:27] Ready to connect.

    [27.11.2012 16:01:49] Contact IP_WAN.

    [27.11.2012 16:01:52] Please enter your username and password.

    [27.11.2012 16:02:01] User credentials entered.

    [27.11.2012 16:02:02] Establish the VPN session...

    [27.11.2012 16:02:03] Checking for updates to profile...

    [27.11.2012 16:02:03] Checking for updates...

    [27.11.2012 16:02:03] Checking for updates of customization...

    [27.11.2012 16:02:03] Execution of required updates...

    [27.11.2012 16:02:08] Establish the VPN session...

    [27.11.2012 16:02:08] Setting up VPN - initiate the connection...

    [27.11.2012 16:02:09] Disconnection in progress, please wait...

    [27.11.2012 16:02:13] Connection attempt failed.

    Anyone had this problem before?

    Thank you very much.

    Hello Cristian,

    Please see this:

    CSCua89091 bug details
    The local certification authority must support the EKU and other necessary attributes

    Symptom:
    The local CA on the ASA server currently does not support attributes like the EKU. This enhancement request is to add support for this.
    Workaround:
    Configure the cert on the customer's profile

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091

    And the following:

    DOC: AnyConnect supports specific Extended Key Usage attributes in cert

    Symptom:
    When using certificates with the AnyConnect client, if the certificate installed on the ASA does not have the EKU attribute set to "Server Authentication", then the AnyConnect client will reject the ASA certificate as invalid. The client ID certificate must also have the EKU "Client Authentication", otherwise the ASA will reject...
    Conditions:
    Using an ID certificate on the ASA with an EKU other than "Server Authentication"
    Using an ID certificate on the client that has an EKU other than "Client Authentication".

    Workaround:
    Generate a new ID certificate with the correct Extended Key Usage

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472

    So at this point, you need to set up the corresponding certificate or use an earlier version of the AnyConnect client.

    HTH.

    Please note all useful posts

  • Secure Gateway has refused the connection

    Having a problem with VPN sending this back to the end-users.  Have changed the Cert-plan and other things but still this message.  Here's a copy of CLI errors and configuration.

    the exact error is:

    The secure gateway rejected the connection attempt.  A new connection attempt the same or another secure gateway is required, which requires re-authentication.  The following message was received from the secure gateway: no assigned address

    type tunnel-group SRHVPN remote access
    attributes global-tunnel-group SRHVPN
    address (outside) SRHVPN pool
    address SRHVPN pool
    Group Policy - by default-GroupPolicy_SRHVPN
    DHCP-server 10.10.10.253
    tunnel-group SRHVPN webvpn-attributes
    authentication certificate
    enable SRHVPN group-alias
    tunnel-Group-map enable rules
    by default-group SRHVPN tunnel-Group-map
    WebVPN
    allow outside
    AnyConnect image disk0:/anyconnect-win-4.2.01022-k9.pkg 2
    AnyConnect image disk0:/anyconnect-macosx-i386-4.2.01022-k9.pkg 3
    AnyConnect profiles SRHVPN_client_profile disk0: / SRHVPN_client_profile.xml
    webvpn_file_encoding.c:webvpn_get_file_encoding_db_first [68]
    AnyConnect enable
    tunnel-group-list activate
    tunnel-group-preference group-url
    CERT certificate-Group-map - map 10 SRHVPN
    type of tunnel-group SRHVPN default citrix receiver application
    attributes of Group Policy DfltGrpPolicy
    VPN-tunnel-Protocol ikev1, ikev2 ssl clientless ssl ipsec l2tp client
    SR.VPN.donot.TS value by default-field
    internal GroupPolicy_SRHVPN group strategy
    attributes of Group Policy GroupPolicy_SRHVPN
    value of server WINS 10.10.10.253
    value of server DNS 10.10.10.252
    VPN - connections 3
    VPN-tunnel-Protocol ikev1, ikev2 ssl clientless ssl ipsec l2tp client
    SR.VPN.donot.TS value by default-field
    the address value SRHVPN pools

    You have a DHCP server configured on the tunnel-group, which would take preference for address assignment. The order of address assignment is AAA, DHCP and then local.

    attributes global-tunnel-group SRHVPN
    address (outside) SRHVPN pool
    address SRHVPN pool
    Group Policy - by default-GroupPolicy_SRHVPN
    DHCP-server 10.10.10.253

    I recommend you remove this configuration if you do not use a dhcp server.

    Also, when the address is assigned by DHCP, the ASA may disable local VPN address assignment. The default value is a hidden command, so you should use "run all" to see it. Like this:

    ASA# sh run all | in vpn-addr
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    vpn-addr-assign local reuse-delay 0

    If you use only the local pool to assign IP addresses, the above would be the configuration you need. If you need DHCP or AAA IP address assignment, activate the parameter by adding the command.

  • PCoIP Tunneling for secure gateway

    Connection to the Server - 5.3.0 - 1427931

    Security Server - 5.3.0 - 1427931

    We are running a trial of VMware View First Horizon, and I have problems with PCoIP tunneling. According to our technical sales representative, tunnels always security server, and the connection to the server can create a tunnel if you turn it on ('Use PCoIP Secure Gateway for PCoIP connection on the desktop' under connect to server > edit). However, our experience is in contradiction with it. With the default, PCoIP connections and external internal configuration (for the connection to the server) (for Security Server) try to connect on PCoIP directly on the comments/VM/office. However, if I enable 'PCoIP Secure Gateway' on the login server, then the security server and the login server begin to tunnel traffic PCoIP well as them.

    The goal is to tunnel from the outside, all with connections directly to VM guests from inside, but the only way I can understand how to do this is to stand up additional connection (replica) servers. I have read the documentation (Installation / Administration guides), googled and watched training videos like mad, but no one seems to be able to explain it.

    Your help is very appreciated.

    OK, you need another broker.

    Linjo

  • Secure Gateway

    Hello

    We have a mixture of zero clients and software, and I'm having a problem where the internal software customers seem to be tunnelling through the gateway PCoIP secure servers for internal connection, rather than connect directly on the desktop. This works until we do maintenance on our servers connection, as software clients disconnected when we reboot a server connection.

    In the example below, the top one is a client software, the bottom is a zero client.

    Sessions.png

    Our internal connection servers have no "Use PCoIP Secure Gateway" checked as shown below.

    Connection Server.png

    Does anyone have an idea why this happens? Can we change the behavior so that clients of the software do not tunnel by connecting servers, or is this the expected behavior?

    We run see 5.1, Win 7 mV with agent 5.1 connection.

    Thank you

    The answer is on the screenshot you posted - nothing happens through PCoIP Secure Gateway, but software clients always establish an HTTP (S) Secure Tunnel connection to the login server. This is used for the channel framework (used for the USB transport for customers of software) and MMR, among other things. If you want real direct connections then this should also be disabled. Please see the administration guide for more details on this setting.

    Mike

  • HP mini 110 unlock, after successful computer unlock, website security certificate problem

    Web site security certificate problem

    Ok

  • Best practices to configure NLB for Secure Gateway and Web access

    Hi team,

    I'm vWorkspace the facility and looking for guidance on best practices on NLB with Web Access and Secure Gateway. My hosted environment is Hyper-V 2012 R2.

    My first request is it must be configure NLB, firstly that the role of set up or vice versa.

    do we not have any document of best practice to configure NLB with 2 node web access server.

    Hello

    This video series has been created for 7.5 and 2008r2 but must still be valid for what you are doing today:

    https://support.software.Dell.com/vWorkspace/KB/87780

    Thank you, Andrew.

  • AnyConnect 4.1 - cannot get the secure gateway configuration

    So I have AnyConnect working on one ASA; however, on another ASA located in another country, I get the following error:

    "Unable to get the secure gateway configuration."

    I get a prompt for the username and password, and authentication seems to work very well; however, in the step 'check the profile updates' I get this error.

    I was comparing my two setups and they look identical.

    Working ASA model: 5512 ver 9.1(4)

    Non-working ASA: 5510 ver 9.1(4)

    Client version: 4.1.02011

    Any ideas?

    Thank you

    Hello, Kevin.

    I know, if there is no customer profile configured on ASA, the software Anyconnect client will use the client profile by default, which is placed on the local computer (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) when installing Anyconnect software.

  • vSphere 5, vCSA, View Manager and Secure Gateway

    Hello world

    I need some advice...


    A new vSphere infrastructure situation 5:

    3 HP Proliant server, each connected via iSCSI to external storage
    VMware vSphere Essentials Plus Kit 5 (used for the server VM) main virtualization infrastructure
    VMware View 5 first add-on for virtualizing a desktop machine
    approx. 20 VM server
    approx. 10 desktop VM
    My questions:
    for the vCenter, I thought to use vCenter Server Appliance (vCSA) which can be used up to 5 host and VM 50,
    but for the View Manager manage the office machine, what should I use?
    There is also a View Manager device?
    Or I need to install it on a separate Windows 2008 Server?
    Need to be a member of the Windows domain?
    And for the VMware Secure Gateway ?
    There is a device or must be installed on a separate Windows 2008 Server?
    When he used the vCSA, you must have a domain on the network controller?
    Thanks for your reply guys

    No.... the vCenter and view managed use 'ADAM' which is AD in user mode and is not compatible with an AD domain controller.

    You need at least 3 Windows servers (1 AD DC + DNS + DHCP, 1 vCenter + music, 1 View Manager)

  • Problems with PCoIP secure Gateway

    I am using View 4.6 and am faced with this configuration.  Under "View Configuration", "Servers", then "View Connection Server" it shows my connection to the server.  The PCoIP column says no secure portal is installed, which is true.  See screenshot

    View-Admin1.jpg

    The problem arises in the settings of the connection servers.

    When I select my connection to the server and fill in the external URL 'Tunnel secured HTTP (S)' and uncheck 'user secure Tunnel connection to the Office', I can continue to use the internal connection server.

    When I check the box and also check the "gateway of PCoIP PCoIP connections for desktop machine", then this will work remotely, but not internally.  Also the external URL PCoIP is grayed out.

    To sum up I can't get this to work for internal or external use and not both at the same time.

    You can do this work with just a single server connection or an external as internal access, but it will mean that internal PCoIP is unnecessarily sent by gateway through a connection to the server or security server.

    It is best to dedicate servers to connect to internal and external to internal PCoIP direct access between the client and the virtual office.

    There is a detailed description of this http://communities.vmware.com/docs/DOC-14974 here, which includes a video detailing a deployment configuration of view for internal and external access.

    Select this option.

  • 2016-002 App Store of security update problem

    I downloaded and installed Security Update 2016-002 10.10.5 three times, and it always appears as an update that is available on the App Store.

    It also appears as having been installed 3 times today (each of these updates in double has its own line) under "Installed updates in the last 30 days" under updates.

    What gives?

    This means generally that it is not actually be installed.

    I recommend that you manually download this update combo, which is supposed to have that security update as well and see if that fixes the problem and that he fixes what might be bad start.

    Download update of OS X El Capitan 10.11.4 Combo

    Sorry, I do not take that you're still in Yosemite! Here is this update of security for Yosemite itself that you can install manually.

    Download Security Update-2016-002 Yosemite

    By the end of 2012 mini Mac, OS X El Capitan 10.11.4. Apple Watch, 38 mm silver AL, Watch OS 2.2; iPad 2 Air & iPhone 6 + iOS 9.4

  • Security update problem - trying to update from McAfee!

    try to install McAfee 2011 3 users Total Protection with installation CD.  After spending the last 4 hours online with them, they claim I have windows update problem - shows up in the history as: for.NETon of a security update windows XP, windows Server 2003, windows vista, windows 7, vista windows 2008... KB2160841.  Finally, they said that the problem of 'failure' to be fixed through windows before my McAfee can be updated? !!! Help!  already four hours online trying to fix! :(

    See Andre.Ziegler response to a previous post, involving the KB:

    Error: WindowsUpdate_00000002 when installing .NET Framework 4 (KB2160841)

    http://social.answers.Microsoft.com/forums/en-us/vistawu/thread/07e67bc5-1841-4972-Bac4-7a1d81dba8e7

  • Update of security causing problem

    July 15 security updates caused my computer does not recognize is not the secondary hard drive, which is the cd-rom drive, ideas on how to fix? I am running XP.

    http://www.Microsoft.com/communities/newsgroups/list/en-us/default.aspx?DG=Microsoft.public.windowsupdate&cat=en_us_d99bb655-a5d5-4C07-bdb0-90caf9f30c42&lang=en&CR=us

    Microsoft.public.windowsupdate discussions

    The focus group above will help you with your XP update problems.

    XP discussion groups:

    http://www.Microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?DG=Microsoft.public.WindowsXP.General

    Link above is to the XP newsgroups.

    There is a list of groups of discussion XP to the bottom of the left column.

    You get the help you need there.

    Here is the Vista Forums.

    See you soon

    Mick Murphy - Microsoft partner
