
NetScaler works internally but not for external users

Started by Chris Lewis , 08 December 2016 - 10:51 PM
15 replies to this topic


Chris Lewis Members

Chris Lewis
  • 13 posts

Posted 08 December 2016 - 10:51 PM

I am hoping the solution is simple because I have tried everything I can think of and I am not able to make it work.

 

Our setup:

 

NetScaler VPX 10.1

XenDesktop 7.11 - 2 DDCs

Server 2012 R2 - Hyper-V host

SCVMM 2012R2 - MCS Host

 

For internal clients, everything works great. Users can access the StoreFront directly, or use the Netscaler and it's solid.

 

External users either get a message saying they could not connect to the session or that IE could not establish a secure connection. This is after you log in to the NetScaler and click on the available desktop.

 

The funny thing is if I log in internally and start a session, I can log in from an external system and it looks like my session is transferred, but I still get an error on the external machine saying it could not connect to the session.

 

Internal address is vdi.domain.local (changed to protect the innocent)

External address is storefront.domain.external (changed to protect the innocent)

I can access the load balanced vserver from internal machine and it works.

 

The kicker is this setup USED to work when we were on XenDesktop 7.5. We had some issues with the DDCs and had to rebuild the environment so decided to just go with 7.11 instead of dealing with an upgrade.

 

I made sure we used the same internal and external URLs, or so I think I did....

 

Help! I am learning as I go here.

 



Carl Stalhood CTP Member

Carl Stalhood
  • 12,347 posts

Posted 08 December 2016 - 11:49 PM

In StoreFront, did you configure a Gateway object? Did you go to Stores > Enable Remote Access?

Chris Lewis Members

Chris Lewis
  • 13 posts

Posted 08 December 2016 - 11:53 PM

Just found this post which describes my issues exactly:

 

http://discussions.citrix.com/topic/347286-the-connection-to-desktops-failed-with-status-1030/

 

Did what Carl Stalhood recommended and logged the ICA file. Found that my StoreFront servers are not recognizing it as a Gateway connection and giving out the internal IP.

 

Any ideas why StoreFront is not seeing my NetScaler as a Gateway?



Carl Stalhood CTP Member

Carl Stalhood
  • 12,347 posts

Posted 09 December 2016 - 12:07 AM

Did you do this? http://www.carlstalhood.com/storefront-3-5-configuration-for-netscaler-gateway/#storefront

Chris Lewis Members

Chris Lewis
  • 13 posts

Posted 09 December 2016 - 12:21 AM

Trying to post screenshots...

 

Thanks for your quick response Carl. I actually looked through your site earlier today to see if I was missing anything. I do show that Remote Access is enabled under the "Remote Access" tab, but it shows "Internal network only" when I click on Stores and it shows the listings for my store service.

 

I will remove that and try adding it back.

 

There may be confusion on my part on which URL to use where.

 

We have our NetScaler URL - https://hyperdrive.externaldomain.com  <-- Yes we are Star Wars fans :D

Our Load balanced URL - https://storefront.externaldomain.com

And our internal urls - https://hv-vdi01.internaldomain.com and https://hv-vdi02.internaldomain.com  <--NetScaler shows that both are UP and responding.

 

All URLS are accessible internally, but only the hyperdrive address is externally accessible. Do I need to make the storefront.externaldomain.com accessible externally? By that I mean we only have a DNS host record on our internal DNS server pointing to that VIP.

 

Thanks again for your help!



Chris Lewis Members

Chris Lewis
  • 13 posts

Posted 09 December 2016 - 12:44 AM

Carl,

 

Thank you for your assistance. I found your site earlier and tried those steps. I just removed the NetScaler entry and tried it again. It is doing the same thing. When I check the logs it does show an internal IP in the ICA file.

 

Even though I have the NetScaler setup, it shows "Internal network only" under Citrix StoreFront > Stores > Next to the listing for the store service.

 

It shows Authenticated = Yes, Subscription Enabled = Yes, Access = Internal Network Only.

 

Internal Beacon: https://storefront.externaldomain.com (service URL)         *This resolves to our load balanced VIP

External Beacons: https://hyperdrive.externaldomain.com and ping.citrix.com *Hyperdrive resolves to our NetScaler

 

*My previous post has not shown up and says it's waiting for moderator approval due to multiple URLS.



Carl Stalhood CTP Member

Carl Stalhood
  • 12,347 posts

Posted 09 December 2016 - 01:21 AM

Internal access only is a 3.7 bug.

What's in Event Viewer?

You're doing SSON from Gateway to StoreFront? I also have NetScaler config instructions.

Carl Stalhood CTP Member

Carl Stalhood
  • 12,347 posts

Posted 09 December 2016 - 01:21 AM

HDX Optimal Routing is not configured?
Helpful Answer

Chris Lewis Members

Chris Lewis
  • 13 posts

Posted 09 December 2016 - 08:28 PM

HDX Optimal Routing is not configured

We are doing SSON from Gateway to StoreFront. It does appear to be passing the credentials properly as the users can login externally and be presented with the desktops that are assigned to them. 

 

Here are some screenshots:

 

https://drive.google.com/open?id=0B-NymNA6LenoMml2SHotWm5vY3c

https://drive.google.com/open?id=0B-NymNA6LenoRGdBb2dKQU1ZdWs

https://drive.google.com/open?id=0B-NymNA6LenoVjBGM0w0VXlUVmM



Paul Blitz Members
  • #10

Paul Blitz
  • 4,036 posts

Posted 15 December 2016 - 12:55 PM

Assuming that the NetScaler / remote access is all set up on the SF, the next thing I would look at are the Beacons: check that (a) external users can NOT see the internal beacon (they will if you use the same FQDN for NetScaler Gateway as the StoreFront), (b) external users CAN see the external beacon.



Chris Lewis Members
  • #11

Chris Lewis
  • 13 posts

Posted 15 December 2016 - 09:47 PM

Paul,

 

Thanks for your response. I verified that (a) External users can NOT see the internal beacon (https://hv-vdi01.internaldomain) (b) External users CAN see the external beacon (https://hyperdrive.hillsboro-oregon.gov)

 

I'm starting to think it's an issue with our NetScaler at this point. I have tried restoring from past configs that have worked with the previous setup, but I'm still not able to get it working.

 

I'm missing something simple... I just can't find it :(



Jens Ostkamp Members
  • #12

Jens Ostkamp
  • 53 posts

Posted 16 December 2016 - 03:13 PM

When trying to establish a connection via NSGW from external network, what does your event log on your SF Server say when it fails?

Event Log -> Applications and Services Logs -> Citrix Delivery Services

 

What certificate(s) are you using for your NSGW vServer and for your IIS within the SF server?

Did you check if the STAs configured on your NetScaler GW vServer match those you entered on your StoreFront when you configured the NetScaler Gateway there?

E: Can you post a screenshot of the exact error message displayed?



Chris Lewis Members
  • #13

Chris Lewis
  • 13 posts

Posted 16 December 2016 - 07:35 PM

Jens,

 

Thank you for your help!

 

I checked the Event Log and I am not seeing any errors show up when I attempt to connect with an external device.

 

The system I tried (Win 7) received an error "The connection to "Training Lab" failed with the status (1030)"

 

Certificates:

Netscaler - Public cert from DigiCert (Verified it was installed correctly with DigiCert's SSL Checker)

IIS - is using internal cert from our CA.

 

 

Under StoreFront > Stores > Manage NetScaler Gateways - it shows my current NetScaler GW with the correct URL of https://hyperdrive.externaldomain.com. Usage or role is set to "Authentication and HDX routing"

 

STA setting lists both of the delivery controllers. Authentication settings show the correct version and logon type is domain. No Vserver or callback URL has been entered. We are not using Smart Access.



Jens Ostkamp Members
  • #14

Jens Ostkamp
  • 53 posts

Posted 20 December 2016 - 02:36 PM

You may try to configure a callback URL, even though it is optional and not required when you don't use SmartAccess.

 

https://support.citrix.com/article/CTX135009

 

Did you try these steps?



Stefano Losego Members
  • #15

Stefano Losego
  • 53 posts

Posted 21 December 2016 - 02:34 PM

Hi Chris,

 

Check in the store settings that HDX optimal gateway routing has no entry (delivery controller) configured in the 'direct HDX connection' row.

I've seen a similar issue when the StoreFront has been configured with a file imported from NetScaler GW.

 

let me know,

bye

Ste


Best Answer Helpful Answer

Chris Lewis Members
  • #16

Chris Lewis
  • 13 posts

Posted 23 December 2016 - 11:35 PM

Carl and Stefano,

 

You both had the right idea! I was able to resolve our issue simply by unchecking our delivery controllers in the "Direct HDX Connection".

 

NetScaler is now providing the correct URLs and external clients are connecting again!!!

 

THANK YOU!
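
The check described earlier in the thread (logging the ICA file and seeing an internal IP handed to an external client) can be scripted. This is an added example, not code from any poster or from Citrix: it reads a saved launch file and reports whether each resource is routed through the gateway (STA ticket in `Address` plus `SSLProxyHost`) or points directly at an internal address. Both sample files, the ticket value and the function name are constructed for illustration.

```python
import configparser
import ipaddress
import re

# Constructed sample launch files; names and values are illustrative only.
ICA_VIA_GATEWAY = """\
[ApplicationServers]
Training Lab=

[Training Lab]
Address=;40;STA0123456789AB;CONSTRUCTEDTICKET0123456789
SSLEnable=On
SSLProxyHost=hyperdrive.externaldomain.com:443
"""
ICA_DIRECT = """\
[ApplicationServers]
Training Lab=

[Training Lab]
Address=10.20.30.40:1494
"""

# Gateway launches carry an STA ticket (";<n>;STA<id>;<ticket>") instead of a host.
STA_TICKET = re.compile(r"^;\d+;STA[^;]+;.+$")

def classify_ica(text):
    """Map each published resource to (route, endpoint) from ICA file text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys are mixed case; keep them as written
    cp.read_string(text)
    results = {}
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            results[app] = ("missing-section", "")
            continue
        addr = cp[app].get("Address", "")
        proxy = cp[app].get("SSLProxyHost", "")
        if STA_TICKET.match(addr) and proxy:
            results[app] = ("gateway", proxy)
            continue
        host = addr.rsplit(":", 1)[0]
        try:
            internal = ipaddress.ip_address(host).is_private
        except ValueError:  # hostname rather than an IP literal
            internal = False
        results[app] = ("direct-internal" if internal else "direct", host)
    return results
```

A `direct-internal` result on a file launched from outside the network matches the symptom in this thread: StoreFront issued a direct HDX connection instead of routing the session through the gateway.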