Problem
You cannot connect to publish applications through Citrix Access Gateway or Secure Gateway when using a Microsoft ISA Server as a firewall or proxy. You receive the following error message:
"SSL Error 4: The proxy denied access to;10;STA….;ticket# port 1494"
Cause
The Microsoft ISA Server is configured with a Web publishing rule instead of a server publishing rule to forward requests to the Access Gateway or Secure Gateway server.
When you create a Web publishing rule, you can configure how SSL requests should be redirected — as HTTP requests or as SSL requests, with an SSL Certificate placed on the ISA Server for the connection.
If requests are redirected as SSL requests, the ISA server terminates the SSL connection and encrypts the packets again before passing them on to Access Gateway. ISA also expects the traffic in the original connection to be one that it understands (like HTTP) and if it does not know what the traffic is, the traffic is dropped – which is the case for ICA traffic.
Therefore, this configuration does not work with Access Gateway because the connection between the ICA Client and the Access Gateway service must be a single continuous SSL connection (that is, the Access Gateway / Secure Gateway must be the SSL Termination point).
Resolution
Configure a server publishing rule between the ISA server and the Access Gateway instead of a Web publishing rule.