Citrix - Getting SSL 443 Proxy Denied Access Errors?

The Geeksultant's picture

When troubleshooting XenApp or XenDesktop with Netscaler Gateway issues and SSL error 43, Proxy Denied Access, and you've ruled out the obvious fixes, don’t forget that both your Netscaler and Storefront (or Web Interface, if still in use) need to be using the exact same STA (Secure Ticketing Authority) servers. You cannot list different ones, nor should you have different quantities. They must match. Also, if using FQDN (Fully Qualified Domain Name) or if using the STA servers IP’s, use the same on both the Netscaler and the Storefront servers. Do not use IP’s on one and FQDN on the other. Consistency is the key. In larger environments, where multiple Citrix farms might exist, with multiple STA servers in each farm, this issue can rear it's ugly head. The best course of action is to build two dedicated STA servers and use them as the STA server for all your farms. STA servers can be used across different versions of XenApp and XenDesktop. Just make sure to build your STA servers with the latest version available.

For XenApp 6.5 and earlier, STA is installed by default on any ZDC - Zone Data Collector server
For XenDesktop, or XenApp 7.x and later - STA is install by default on any DDC - Desktop Delivery Controller server

It is possible to install STA by itself onto any IIS server, however, this is not supported by Citrix today.