Jared Grayden - Posted March 16, 2017

I have set up a Netscaler VPX 11.1-50.10 (on ESXi) and installed XenApp 7.13 with Storefront on a single new 2012 R2 server. After logging in through the Gateway on the Netscaler VPX it just hangs on a white page: https://netscaler.domain.com/cgi/setclient?wica

I know others have had this issue. I am not load balancing and I am just trying to get this to work internally first before even trying external access. I can log directly onto Storefront and load my apps just fine. The problem comes when trying through the Netscaler. If I turn my base URL into http instead of https and update the session policy settings on the Netscaler it does work as it should. I need it to work, of course, with https.

Jared Grayden (Author) - Posted March 20, 2017

Any suggestions at all?

Shalu Verma1709157343 - Posted March 20, 2017

Hi Jared,

Refer to this link: http://discussions.citrix.com/topic/347718-hangs-on-setclientwica/ . It might help you. Please ignore if you have already had a look at this.

Jared Grayden (Author) - Posted March 20, 2017

Thanks for the reply Shalu. I have looked at that link:

- The Netscaler can ping the storefront server by DNS name and IP address.
- There is no firewall between the two and the Windows firewall is off.
- I have switched the Session policy from DNS name to IP address anyways.
- I believe I followed step 3 correctly by making an 'Address Record' under Traffic Management>DNS>Records>Address Records but this also did not help.

Shalu Verma1709157343 - Posted March 20, 2017

Check for Use Source IP checked on NetScaler Modes under system > settings > Configure Modes. This is a setting on the global mode of the NetScaler which causes the NetScaler to use the Client IP instead of the SNIP when communicating with back-end resources. If this is configured, it is likely the cause of the problem. When this setting is checked at the "Configure Modes" level, it will be used by the NetScaler Gateway, and new Services will have this mode checked automatically. This setting can be toggled for Services on NetScaler, but the Gateway must rely on the global setting.

If your NetScaler Session Policy points to a load balancer on the NetScaler, check the services bound to the load balancer to ensure that they are not set to use Use Source IP. This can be found under the "settings" section of the service on 10.5 and 11.0, and under "advanced" on the service for 10.1.

Jared Grayden (Author) - Posted March 20, 2017

Thanks again for the reply. I did look and confirmed that the 'Use Source IP' box was unchecked. Also, I have not set up or configured load balancing yet so the session policy shouldn't be pointing to any load balancer.

Shalu Verma1709157343 - Posted March 20, 2017

Just look at this link. It might help: http://discussions.citrix.com/topic/366624-netscaler-hangs-on-cgisetclientwica/

Please ignore if you have already had a look.

Jared Grayden (Author) - Posted March 21, 2017

I took a look at that link. Is there any documentation on how to set up a VIP as directed? I found the following website but am unsure if this is what I need to do: http://www.carlstalhood.com/storefront-load-balancing/

Lastly, what exactly do I change in the session profile to reference the VIP as is suggested at the link you provided?

Aparna Sharma - Posted March 21, 2017

Hi Jared,

To set up a VIP for SF, in Session policy > Published Applications > Web Interface Address put in the VIP instead of the storefront server FQDN. For example: https://1.1.1.1/Citrix/StoreWeb, where 1.1.1.1 is your VIP.

You can follow the below article to create a NetScaler Load Balanced StoreFront Virtual Server: https://support.citrix.com/article/CTX202400

Regards,
Aparna

Jared Grayden (Author) - Posted March 21, 2017

Thanks Aparna, good news - I am able to access my storefront page when navigating to the VIP or DNS associated with the VIP.

One question I have, does this actually route connections through the Netscaler Gateway? I never had to login or authenticate at the Netscaler Gateway - it skipped it and went right to Storefront. The whole point of this setup is to provide external access that has to authenticate at the Netscaler Gateway and then pass those credentials to Storefront.

If I try to authenticate through Netscaler Gateway, it still hangs at /cgi/setclient?wica

Shalu Verma1709157343 - Posted March 21, 2017

Hi Jared,

In session profile you have to specify VIP for SF. Instead of putting the storefront FQDN you have to mention the VIP. You can follow the article that Aparna has mentioned.

Jared Grayden (Author) - Posted March 21, 2017

Thanks! A positive development - I am able to access my storefront page when navigating to the VIP or DNS associated with the VIP.

One question I have, does this actually route connections through the Netscaler Gateway? I never had to login or authenticate at the Netscaler Gateway - it skipped it and went right to Storefront. The whole point of this setup is to provide external access that has to authenticate at the Netscaler Gateway and then pass those credentials to Storefront.

If I try to authenticate through Netscaler Gateway, it still hangs at /cgi/setclient?wica

Aparna Sharma - Posted March 21, 2017

Even if you put the VIP instead of SF FQDN, you should still go through NetScaler Gateway. The process remains the same as it would have been with SF FQDN in session profile, just that in case of reaching the SF directly, now the NetScaler Gateway will reach the SF through Load Balancing Virtual Server.

Can you confirm if you are accessing the SF through NetScaler Gateway IP/FQDN?

Jared Grayden (Author) - Posted March 21, 2017

Hi Aparna,

I have tried to access SF through the NetScaler Gateway IP/FQDN and it still hangs at the /cgi/setclient?wica page. That's the problem.

If I enter in the newly created VIP (or Storefront address), it goes directly to the StoreFront login page. This works, but as you stated I should be going directly through the NetScaler Gateway IP/FQDN and that is still not working.

Shalu Verma1709157343 - Posted March 21, 2017

Hi Jared,

Just wanted to confirm what version of Storefront you are using? While searching I found that if SF is version 3.0 you need to disable TLS 1.2.

Directed the gateway vserver to LB vserver, and the LB vserver to the storefront server.

Jared Grayden (Author) - Posted March 21, 2017

I have SF 3.9.0.56.

I have just disabled TLS 1.2 under BOTH Traffic Management>Virtual Servers AND NetScaler Gateway>Virtual Servers. It still hangs on /cgi/setclient?wica

Aparna Sharma - Posted March 22, 2017

Hi Jared,

Please confirm the following:

- On NetScaler, LB FQDN should be resolving to LB VIP.
- On Storefront Servers, LB FQDN is resolving to itself. If not, please add a host entry on the servers to make it resolve to itself.

Try accessing now and see if you are able to access. If not, try the following:

- On the NetScaler Gateway vServer > Session Profile > set the Web Interface Address to http://<IP_of_SF>/Citrix/Store

Check if the app enumerates now. If above test works, then we can narrow down to be an issue with SSL. We can try disabling TLSv1.1/1.2 on the Service/Service Group level and see if that helps.

Also, I believe the gateway certificates are installed on the Storefront. Try accessing the AG FQDN from Storefront directly and see if you get any certificate warning.

Also, I'd appreciate if you could check the Event Viewer for any errors around the time of issue.

Jared Grayden (Author) - Posted March 27, 2017

Hi Aparna,

To ensure I understand you, let's say:

- My LB FQDN is LB.domain.com (set up on Netscaler following https://support.citrix.com/article/CTX202400)
- My LB VIP is 192.168.1.5 (created DNS A record on Windows DNS server to point LB.domain.com to 192.168.1.5)
- My StoreFront Windows Server IP is 192.168.1.6

Are you stating that if I ping LB.domain.com from the Netscaler it should resolve 192.168.1.5 but if I ping LB.domain.com from my StoreFront Windows Server it should resolve to 192.168.1.6?

Jared Grayden (Author) - Posted March 30, 2017

Hi Aparna Sharma,

I decided to completely start over and redo my Netscaler from the ground up. Unfortunately, I am still facing the same problem.

I have tried setting the storefront address to the IP address instead of the DNS name with no improvement. I have also installed my public certificates including the intermediate certificate and ensured it is bound correctly. I do not get any certificate warnings/errors. I also checked in Event Viewer and did not find any warnings/errors under Citrix Delivery Services.

Any other suggestions?

Aparna Sharma - Posted March 30, 2017

Hi Jared,

Apologies for the delayed reply. As for your previous comment, yes you did understand me correctly. This is the configuration you do when you are load balancing storefront on Virtual Server.

You can try the following:

1) Could you please tell me the Ciphers that are bound at Gateway VIP? If there are customized ciphers, can you try using default ciphers?
2) Please check if the certificate bound on the back-end server is 2048 bit, as the NetScaler VPX does not support 4096 bit on the back-end.
3) Have you tried accessing it using any other browser? (Use a browser other than IE.)
4) Try to disable TLS 1.2 using the below command on CLI:

    set ssl parameter -svctls1112disable enable -montls1112disable enable

5) You can try taking a trace on NetScaler with Storefront on HTTP (so that you don't have to decrypt it). In case you are getting a reset in trace, do let me know the reset code. You can refer to the below article for the same: https://support.citrix.com/article/CTX128655

Jared Grayden (Author) - Posted March 30, 2017

YES! Thanks for your assistance Aparna! Step 4 above disabling TLS 1.2 fixed the issue!

Is this a bug? If so, will there be a time in the future when this can be re-enabled?

Mark Kroehler 2 - Posted June 20, 2019

I'll second the TLS Settings fix. Had used IISCrypto on the StoreFront servers (3.15) to lock it down to TLSv1.2 only. Even though the Virtual Server was configured to use 1.0, 1.1 & 1.2, it wouldn't connect. Relaxed the setting on the web server, and it worked. Unfortunately, the NetScaler is 10.5 (don't ask) and I'm trying not to break it. Fortunately, I'm replacing it as part of this project. :-)

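Added example, not part of any post in this thread and not Citrix code: one way to confirm the kind of protocol mismatch described in the post above from a packet trace of the NetScaler-to-StoreFront connection, instead of changing TLS settings by trial and error. It reads the raw TLS record bytes of each direction and reports the version the client offered and how the server answered; the sample byte strings and the helper `hello_record` are constructed for illustration, and only versions up to TLS 1.2 are handled.

```python
import struct

# Record/handshake constants from the TLS specification (versions up to TLS 1.2).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def records(stream):
    """Yield (content_type, payload) for each TLS record in one direction of a flow."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, payload
        off += 5 + length

def summarize(stream):
    """List the hello versions and plaintext alerts found in the stream."""
    found = []
    for ctype, payload in records(stream):
        if ctype == 22 and len(payload) >= 6 and payload[0] in (1, 2):  # handshake
            kind = "ClientHello" if payload[0] == 1 else "ServerHello"
            ver = struct.unpack_from("!H", payload, 4)[0]  # after type + 3-byte length
            found.append((kind, VERSIONS.get(ver, hex(ver))))
        elif ctype == 21 and len(payload) == 2:  # alert: level, description
            found.append(("Alert", ALERTS.get(payload[1], str(payload[1]))))
    return found

def diagnose(client_stream, server_stream):
    """Explain the outcome of the back-end handshake from both directions."""
    offered = dict(summarize(client_stream)).get("ClientHello", "unknown")
    reply = dict(summarize(server_stream))
    if "ServerHello" in reply:
        return f"negotiated {reply['ServerHello']} (client offered up to {offered})"
    if "Alert" in reply:
        return f"server refused: {reply['Alert']} (client offered up to {offered})"
    return f"no TLS reply, connection closed or reset (client offered up to {offered})"

def hello_record(msg_type, ver):
    """Constructed minimal hello record; only the fields read above are meaningful."""
    body = struct.pack("!H", ver) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

# Constructed sample: client capped at TLS 1.0, server that accepts TLS 1.2 only.
CLIENT = hello_record(1, 0x0301)
SERVER_ALERT = struct.pack("!BHHBB", 21, 0x0303, 2, 2, 70)  # fatal protocol_version

if __name__ == "__main__":
    print(diagnose(CLIENT, SERVER_ALERT))
```

A server may also drop the connection without sending any alert, which is why an empty server stream is reported as its own case.
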
GeorgeD - Posted December 28, 2019

Any updates from anyone with this problem? What was the end fix? We don't want to disable TLS 1.2 or enable weaker protocols to make this work.

Jared Grayden (Author) - Posted December 31, 2019

We worked on this a couple years ago and (if I remember correctly) the issue was resolved with upgrading to a 12.1 version of VPX.