Let me first say that my knowledge of Presentation Server and Secure Gateway is very limited. Many thanks to anyone who can help me out here.
Alright, on to the problem:
We are changing the network design at the main office where the Citrix servers are located. The Secure Gateway was on a server that has 2 NIC interfaces, one in the LAN and one in the DMZ. The DMZ is being taken out, so I disabled the DMZ interface on the SG. I had to change the listening address, and after doing that everything seemed fine; then I realized that apps could no longer be loaded from the Secure Gateway web site.
Users would get the following error when trying to load an app: Cannot connect to the Citrix Presentation Server. Protocol Driver error. Accessing the web site externally or internally yields the same problem.
How I assume this works is: the user goes to the SG, logs in and launches the app; the SG then sends the request to the Presentation Server, and that server then communicates directly with the user?
Another change that was made was changing out the firewall / router. All of the NATs should be the exact same as the old firewall but there could be a missing port forward.
I have followed a couple of Citrix articles, making sure that ports 1494 and 2598 are open and responding (they are).
We have two Presentation Servers and then the SG. Here is some information about the servers:
Windows 2003 SP2
Secure Gateway 2.0
Presentation Server 4.5.0.0
Assumptions on what could be wrong:
Incorrect / absent port forward
A reference in one of the servers that is using the DMZ address instead of the LAN address
I'm not really sure even where to start troubleshooting at this point.
Edit: Here is a diagram of before and after (left is before, right is after)
What I think might be going on is that the Secure Gateway is trying to communicate with the other Citrix servers via the public IP address instead of the LAN address. This request gets denied by the ASA. Still just an idea, and I'm not sure how to fix it if that is what is wrong.
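One way to test the hypothesis above (that a server entry still points at a DMZ or public address rather than the LAN) is to audit the addresses each component references and then probe the ICA ports the poster already checked. This is an added example, not code from the original post or from Citrix; the subnets, host names and addresses are constructed sample values.

```python
"""Audit addresses a Secure Gateway would use to reach Presentation Servers.

Added example, not part of the original post. The LAN (10.0.0.0/24), the
old DMZ (192.168.100.0/24) and all host entries below are constructed."""
import ipaddress
import socket

ICA_PORTS = (1494, 2598)   # ICA and session reliability ports named in the post

# Constructed stand-in for the server entries an SG / Web Interface config
# references. In a real audit, populate this from the actual configuration.
SAMPLE_ENTRIES = {
    "ps1.example.local": "10.0.0.21",        # LAN address: what we expect
    "ps2.example.local": "192.168.100.22",   # stale DMZ address: suspicious
    "sta.example.local": "203.0.113.10",     # public address: hits the firewall
}


def classify(addr, lan_net="10.0.0.0/24", dmz_net="192.168.100.0/24"):
    """Return 'lan', 'dmz' or 'other' for an IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network(lan_net):
        return "lan"
    if ip in ipaddress.ip_network(dmz_net):
        return "dmz"
    return "other"


def audit(entries, lan_net="10.0.0.0/24", dmz_net="192.168.100.0/24"):
    """Return {name: classification} for every entry not on the LAN."""
    flagged = {}
    for name, addr in entries.items():
        kind = classify(addr, lan_net, dmz_net)
        if kind != "lan":
            flagged[name] = kind
    return flagged


def port_open(addr, port, timeout=2.0):
    """TCP connect test for one port; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ica_ports(addr, ports=ICA_PORTS):
    """Map each ICA port to whether this host can reach it on addr."""
    return {port: port_open(addr, port) for port in ports}


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: references a {kind} address, expected LAN")
    for name, addr in SAMPLE_ENTRIES.items():
        print(name, check_ica_ports(addr))
```

Run it from the Secure Gateway host so the port probes reflect the path the SG itself uses; an entry flagged as dmz or other, or a LAN address with 1494/2598 closed, narrows the fault to configuration or to a missing firewall rule respectively.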
Do you know which system is running your web interface? That probably needs to be reconfigured along with the secure gateway. In theory, you should be able to connect directly to the server that's hosting the web interface without issue. Make sure your internal DNS points to the web interface and not the gateway, unless you're ultra paranoid about ICA security.
Secondly, check out this article on setting up a secure gateway from scratch. It will show you the various things to check. http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/install-configure-citrix-web-interface-secure-gateway-part2.html
Finally, it would help to have a diagram of which servers have which roles.