I'm in dire need of some assistance here. I work for a large retailer who has trading partners for which they would like to deliver applications within the trusted network to. We have a NetScaler SPX (VPX v.11) in our DMZ that's configured as our AG to our XenApp 7.13 farm... err... "site". Everything is working peachy in the realm of delivering Apps via ICA, but the catch is there's a business requirement to go Receiver-less for a certain contingent of partners, so naturally I opened up my big mouth and all but exclaimed: HTML5! to the business folks.
I got HTML5 working a-ok via the AG, however, it only works on Internet Explorer, Microsoft Edge, & Apple Safari. From my understanding, and please do correct me if I'm wrong, this should also work quite seamlessly with the latest versions of Chrome, Firefox, and mobile browsers. Working on Chrome without having the end user to install anything is really the business requirement here.
Here is my setup:
- XenApp 7.13 Site
- HTML5 (Websockets) enabled on the VDAs in question.
- 2 NetScaler VPXs acting as load balancers in front of:
- 2 StoreFront 184.108.40.206 w/ (latest) HTML5 Receiver that came with it
- 1 NetScaler SPX with VPX 11.0 65.35.nc (DMZ) with a valid trusted Class 3 SHA256 cert.
- As mentioned, when launching a published app from an HTML5 enabled VDA using IE, Edge or Safari, everything works as expected.
- When launching from Firefox, I get the new tab that opens with black background like it's trying to launch via HTML5, however, the wheel keeps spinning with "This may take a few moments.", and it just hangs there. This occurs when I launch via the AG, but I also get the exact same behavior if I attempt to launch by connecting internally direct to StoreFront over HTTP. The latter makes sense because it's http and not https, which the AG does the proxying and brokering for. This makes me suspect that the issue is to do with the NetScaler and its SSL handling, hence why I didn't open this post in the Storefront forum.. (I suppose the logic could also work the other way too....).
- When launching from Chrome or a mobile browser, either via AG or direct/http, it prompts me to download an .ica file. For some reason, it doesn't do the HTML5 fallback that I have configured on Storefront. If, on Storefront, I change to Receiver for HTML5 only, it then mimics the same above behavior as Firefox.
What I've tried (to no joy):
- Because Chrome and Firefox are so much pickier SSL security-wise than IE, I checked our public AG URL on SSL Labs and found it to be an abysmal D-. I followed the below great article and brought it to a semi respectable A-.
The only thing that stands out in my new report is: "the server does not support Forward Secrecy with the reference browsers. Grade reduced to A-", which is to do with not having ECDHE ciphers setup on my NetScaler. When I try and select ECDHE ciphers on the vserver, I get this error: "Warning: "No usable ciphers configured on the SSL vserver/service" was observed on NetScaler Appliance". I also don't think this error is the false positive cited in CTX135519, because when changing cipher suites from Default to High, I didn't get the error.
I also get this when viewing my Security under Development Tools in Chrome:
Obsolete Connection Settings
The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_256_CBC with HMAC-SHA1).
Could cipher suites possibly have anything to do with my issue?
- I also opened up a case with Citrix. Although we have premier support, I am still working my way up through the ranks, and because this isn't a Production issue (yet), it hasn't been escalated to the next levels of Engineering yet.
Anyway folks, I know this has been a long winded posting, and I thank your for reading it through and thank you in advance for any insights you might be able to provide... I've got PMs and Managers filling my inbox up on this, so any help would earn my eternal gratitude and beer. :-)