Jump to content
Welcome to our new Citrix community!

White load page ...cgi/setclient?wica


Jared Grayden

Recommended Posts

I have setup a Netscaler VPX 11.1-50.10 (on ESXi) and installed XenApp 7.13 with Storefront on a single new 2012 R2 server. 

 

After logging in through the Gateway on the Netscaler VPX it just hangs on a white page https://netscaler.domain.com/cgi/setclient?wica

 

I know others have had this issue. I am not load balancing and I am just trying to get this to work internally first before even trying external access.

 

I can log directly onto Storefront and load my apps just fine. The problem comes when trying through the Netscaler. If I turn my base URL into http instead of https and update the session policy settings on the Netscaler it does work as it should. I need it to work, of course, with https.

Link to comment
Share on other sites

Thanks for the reply Shalu. I have looked at that link: 

  1. The Netscaler can ping the storefront server by DNS name and IP address. There is no firewall between the two and the Windows firewall is off
  2. I have switched the Session policy from DNS name to IP address anyways
  3. I believe I followed step 3 correctly by making an 'Address Record' under Traffic Management>DNS>Records>Address Records but this also did not help
Link to comment
Share on other sites

Check for Use Source IP checked on NetScaler Modes under system > settings > Configure Modes.  

 

This is a setting on the global mode of the NetScaler which causes the NetScaler to use the Client IP instead of the SNIP when communicating with back-end resources.  If this is configured, it is a likely the cause of the problem.  When this setting is checked at the "Configure Modes" level, it will be used by the NetScaler Gateway, and new Services will have this mode checked automatically.  This setting can be toggled for Services on NetScaler, but the Gateway must rely on the global setting. If your NetScaler Session Policy points to a load balancer on the NetScaler, check the services bound to the load balancer to ensure that they are not set to use Use Source IP. This can be found under the "settings" section of the service on 10.5 and 11.0, and under "advanced" on the service for 10.1.

Link to comment
Share on other sites

Hi Jared,

 

To setup a VIP for SF, in Session policy> Published Applications>Web Interface Address put in the VIP instead of the storefront server FQDN. For example- https://1.1.1.1/Citrix/StoreWeb, where 1.1.1.1 is your VIP.

 

You can follow the below article to create a NetScaler Load Balanced StoreFront Virtual Server

 

https://support.citrix.com/article/CTX202400

 

Regards,

Aparna

Link to comment
Share on other sites

Thanks Aparna, good news - I am able to access my storefront page when navigating to the VIP or DNS associated with the VIP. 

 

One question I have, does this actually route connections through the Netscaler Gateway? I never had to login or authenticate at the Netscaler Gateway - it skipped it and went right to Storefront. 

 

The whole point of this setup is to provide external access that has to authenticate at the Netscaler Gateway and then pass those credentials to Storefront. If I try to authenticate through Netscaler Gateway, it still hangs at /cgi/setclient?wica

Link to comment
Share on other sites

Thanks! A positive development - I am able to access my storefront page when navigating to the VIP or DNS associated with the VIP. 

 

One question I have, does this actually route connections through the Netscaler Gateway? I never had to login or authenticate at the Netscaler Gateway - it skipped it and went right to Storefront. 

 

The whole point of this setup is to provide external access that has to authenticate at the Netscaler Gateway and then pass those credentials to Storefront. If I try to authenticate through Netscaler Gateway, it still hangs at /cgi/setclient?wica

Link to comment
Share on other sites

Even if you put the VIP instead of SF FQDN, you should still go through NetScaler Gateway. The process remains the same as it would have been with SF FQDN in session profile, just that in case of reaching the SF directly, now the NetScaler Gateway will reach the SF through Load Balancing Virtual Server.

 

Can you confirm if you are accessing the SF through NetScaler Gateway IP/FQDN?

Link to comment
Share on other sites

Hi Aparna, I have tried to access SF through the NetScaler Gateway IP/FQDN and it still hangs at the /cgi/setclient?wica

 page. Thats the problem.

 

If I enter in the newly created VIP (or Storefront address), it goes directly to the StoreFront login page. This works, but as you stated I should be going directly through the NetScaler Gateway IP/FQDN and that is still not working.

Link to comment
Share on other sites

Hi Jared,


 


Please confirm the following:


 


> On NetScaler, LB FQDN should be resolving to LB VIP


> On Storefront Servers, LB FQDN is resolving to itself. If not, please add a host entry on the servers to make it resolve to itself


 


Try accessing now and see if you are able to access. If not, try the following:


> On the NetScaler Gateway vServer > Session Profile > set the Web Interface Address to http://<IP_of_SF>/Citrix/Store


Check if the app enumerates now


If above test works, then we can narrow down to be an issue with SSL. We can try disabling TLSv1.1/1.2 on the Service/Service Group level and see if that helps.


 


Also, I believe the gateway certificates are installed on the Storefront. Try accessing the AG FQDN from Storefront directly and see if you get any certificate warning.


 


Also, I'd appreciate if you could check the Event Viewer for any errors around the time of issue.


Link to comment
Share on other sites

Hi Aparna,

 

To ensure I understand you, lets say:

  • My LB FQDN is LB.domain.com (setup on Netscaler following https://support.citrix.com/article/CTX202400)
  • My LB VIP is 192.168.1.5 (created DNS A record on Windows DNS server to point LB.domain.com to 192.168.1.5)
  • My StoreFront Windows Server IP is 192.168.1.6

Are you stating that if I ping LB.domain.com from the Netscaler it should resolve 192.168.1.5 but if I ping LB.domain.com from my StoreFront Windows Server it should resolve to 192.168.1.6

Link to comment
Share on other sites

Hi Aparna Sharma,

 

I decided to completely start over and redo my Netscaler from the ground up. Unfortunately, I am still facing the same problem. I have tried setting the storefront address to the IP address instead of the DNS name with no improvement.

 

I have also installed my public certificates including the intermediate certificate and ensured it is bound correctly. I do not get any certificate warnings/errors.

 

I also checked in Event Viewer and did not find any warnings/errors under Citrix Delivery Services. Any other suggestions?

Link to comment
Share on other sites

Hi Jared,

 

Apologies for the delayed reply. As for your previous comment, yes you did understand me correctly. This is the configuration you do when you are load balancing storefront on Virtual Server.

 

You can try the following:

 

1) Could you please tell me the Ciphers that are bound at Gateway VIP? If there are customized ciphers, can you try using default ciphers.

 

2) Please check if the certificate bound on the back-end server is 2048 bit, as the NetScaler VPX does not support 4096 bit on the back-end.

 

3)Have you tried accessing it using any other browser. (Use a browser other than IE)

 

4)Try to unable TLS 1.2 using the below command on CLI:

                set ssl parameter -svctls1112disable enable -montls1112disable enable

 

5) You can try taking a trace on NetScaler with Storefront on HTTP (so that you don't have to decrypt it) In case you are getting a reset in trace, do let me know the reset code. You can refer the below article for the same:

                https://support.citrix.com/article/CTX128655

  • Like 1
Link to comment
Share on other sites

  • 2 years later...

I'll second the TLS Settings fix. Had used IISCrypto on the StoreFront servers (3.15) to lock it down to TLSv1.2 only. Even though the Virtual Server was configured to use 1.0, 1.1 & 1.2, it wouldn't connect. Relaxed the setting on the web server, and it worked. Unfortunately, the NetScaler is 10.5 (don't ask) and I'm trying not to break it. Fortunately, I'm replacing it as part of this project. :-)

Link to comment
Share on other sites

  • 6 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...