Dont know if you resolved this but we are having a similar issue here. We are tryin to use the Gina client for our DR site on new machines which are pushed out. Of course, no user has logged into these before, so a "new profile" is always created. NC is configured as a Gina setup. New user logs in and cant use HC because it is not installed. Using a certificate check on the role or the realm level presents "you are not allowed to sign in" because the cert check cant find the certificate on the local machine. So no new users can log on and use gina. ... View more

Managed to sort this out. The Net Connect profile wasnt assigned to the role I was using. Doh! All working now - just have another problem with Host Checker. ... View more

Tried turning this off, and although the speed was increased when connecting to the farm, the same error message appears. I have done some logging on this and the connection from the citrix listed applications when you fire up an icon for the user which does not work does this: Connecting using ICA File (Server: ICOServer) [ApplicationServers] ICOServer= [Encoding] InputEncoding=ASCII [ICOServer] Client-Type=Internet IconPath=C:\Program Files\Citrix\ICA Client\wfica32.exe IconIndex=0 Connecting using ICA File (Server: ICOServer) [ApplicationServers] ICOServer= [Encoding] InputEncoding=ASCII [ICOServer] Client-Type=Internet IconPath=C:\Program Files\Citrix\ICA Client\wfica32.exe IconIndex=0 Connecting using ICA File (Server: ICOServer) [ApplicationServers] ICOServer= [Encoding] InputEncoding=ASCII [ICOServer] Client-Type=Internet IconPath=C:\Program Files\Citrix\ICA Client\wfica32.exe IconIndex=0 Now, on my machine as myself the ICOServer parts are replaced by the actual application name, and this connects ok. Tried this on my machine as the user which does not work and the same logs above come up and permission denied on the 1494 connection. But if I create a custom ICA file, and get the user to use this going to the same application logged in as him then it works ok. Really lost on this now. ... View more

Tell them to sort out their scanning tools :) Why it came up as windows I dont know. We use a 3rd party company called NCC Group. They are good at doing pen test and scans, and identified this as a hardened OS. ... View more

We run Wsam on 6.3r2 and works fine so far. No problems reported apart from a netbios share mapping issue. So looks like an issue with 6.4 ... View more

Just spent on hour on the phone to jtech. What we have tested: 2 users: Both in the same groups, same permission on citrix, same role permissions, same firewall rules, same ICA client - only difference is the username. User A connects ok and can use listed applications, user B connects but cant use listed applications. user A goes to user B machine and works fine - abeit a little slow. user B goes to user A machine and does not work. User B always gets the "unable to connect" error. User A never gets this. Sent all logs to Juniper. What I can see in the user log is that when User A logs in, it tries on 1494 and connects fine, and logs into the application - job done. When User B logs in, there is this error: Request to connect to (IP of citrix server) port 2598 permission denied. This is the same for port 1494. This does not matter on location, the same on any computer, and even the same when trying from a jtech machine in india. So you would think "the user has not got access to the citrix server!". Not correct, because User B has an ica file which is exactly the same application and permisions which is on the listed applications and this works fine, so its not a user permission problem connecting to exchange. No resolution as yet, will check again tomrrow. ... View more

Sounds like either vista is trying to be too clever for its own good, or there is a bug with the vista client. There was an issue with windows XP where the SAM client wouldnt pick up any TCP data at all. this was because the tcp.sys file was not allowing reverse loopback to tunnel connections through via SSL. I wonder if there is a similar issue but with vista dns resolution. As dns works, it will use host file before dns and then broadcast if no dns is available, so it shows there is an issue with the vista machine resolving dns. ... View more

Hi Still the same issue. I have created a Citrix Listed Applications profile pointing to the Citrix farm server's xml port and then created an auto policy to allow *:* access which appears first in the policy list. Still does not work when trying to use citrix listed applications on the IVE I keep getting an error "The Xenapp server you have selected is not accepting connections". However, if I configure a custom ICA file, and create a new profile based on this instead of using a Citrix Listed Applications profile, it works fine going to the same server. Its almost like the citrix server does not like the client which is used for Citrix Listed Appliactions. I cant find anywhere which tells me info about the client connection used when it tries to connect. I am using WSAM. I know the xml port is working fine, because it gives me a list of the applications based on the permissions from the citrix server. Its just that none of the applications load up in the list. As a work around I have had to create each application for citrix manually, using custom ICA files and then create policies and roles for these and assigned them to the necessary realms. It would have been easier just to use the Listed Applications instead of doing it this way. ... View more

Hi, Did you have any joy with this as I am having the same problem pushing the list to our 4.5 server. I have configured the XML port on port 80, and opened up all the ICA ports going to our farm internally (not going to the web interface box) and I get the application list up but I cant connect to any application at all. ... View more

i had the same problem today with not being able to see the content. Any fix for this at all ? ... View more

This is because the juniper software does an application hook and runs as a double extension. Default mcafee policies see this acting as a virus, although it is not. Its the way the application has been installed. You can get around this by using the mcafee HIP (host intrusion protection) software and create a rule which allows this application behaviour. ... View more

The First thing you need to make sure of is that DNS is working. This is the first thing which I looked at, because the timeout could have been a DNS problem. Just configure your DNS in the nework overview page. Also put in a hostname of your appliance which can be resolved both internally and externally. Then, on your internal firewall, open up and NAT udp/tcp 53 for DNS. Then on your internal firewall, open up http and https from the juniper physical and virtual interfaces if you have a cluster setup. Make sure you open up http and https for all destinations. Next, from the box, make sure you can lookup hostnames. Goto the Troubleshooting/tools/commands section and run a ping to www.google.com or something. This should do an external lookup with the IP address. Dont worry about if the ping does not get back, so long as it does a DNS lookup with an external address, then this is working. If it does not do a dns lookup, then you have a dns problem, and I suggest why it is not looking up DNS. If it does a DNS lookup, and you just timeout on web pages, then its a firewall rule problem. Remember, the internal interface of the SA to a firewall will be treated like any other clien trying to get internet access to certain sites via a firewall. If you deny everything from the juniper box, to the internal network, apart from certain ip addresses, then your web sites are not going to work. You need to allow http/https - juniper internal interface > any. ... View more

Have a look at your Web ACL list. By defualt there is a policy which allows *:* for web browsing. You may want to disable this. Dont know if this will fix it or not but can give it a go. ... View more

I did a little bit of work on this. Our clients can access the net at the moment without a proxy on because this is on a trial basis. So if i plug my laptop in, the routes take me out on the internet via our firewall. The gateway I use is exactly the same gateway which the VPN's internet NIC can see. When I do a packet trace from the VPN, I can see the box connect to DNS, resolve the IP. It then sends a SYN to the IP, with the next hop as the gateway. However, nothing happens to the packet. It just tries to SYN, SYN, SYN and then will time out. Again, I could do with more time to look at this, but I will look again with using proxy and see if that behaves the same way. ... View more

this remains unresolved. I have submitted an RFC to juniper to change the way SAM works on these type of applications. ... View more

Ok, changed this message.. the application is using winsock. Also using all the comctl32.ocx files. Next step is to have a look at this with the SAM client active. Message Edited by KevinW on 02-03-2009 02:13 AM ... View more

Thanks guys. This was going to be my next step, just a little busy at the moment. Usually, I would use something like strace on unix to trace out the application so ill get one of these tools installed and then find out what its doing and then let you know. ... View more

Tried this out and still does not work. Getting the same windows error message "the dcom subsystem could not connec to server (servername). Check that the server is available blah blah blah" Using a command prompt resolves the server name ok, and again, using the net connect client then the RPC request gets sent through. I am not sure what I am supposed to see in the SAM client itself. I assume it would be svchost.exe trying to make the call to the server, but I am not seeing anything in the client. Any advice would be good. ... View more

I have tried adding the hostname of the server, but not the IP address. I did notice that the client does not even try and contact the hostname of the server, even though I can resolve it and DNS is working fine, but I will try adding the IP address instead. Tried this on a Net Connect role too, and appears to work ok. Its although the SAM application is not capturing the request for DCOM to use RPC. I will try this and post back. ... View more

If that does not work, you may have to install the cert, and then copy to file and set the file to export as a pkcs7 file. Or you may have to export to a pkcs12 file and export a private key. ... View more