Jump to content


Photo

HTML5 on Chrome, Firefox, & Mobile Browsers - Pls Help!

Started by Steve Szuster , 19 April 2017 - 03:33 AM
3 replies to this topic

Steve Szuster Members

Steve Szuster
  • 6 posts

Posted 19 April 2017 - 03:33 AM

Hey'ya Folks,

 

I'm in dire need of some assistance here.  I work for a large retailer who has trading partners for which they would like to deliver applications within the trusted network to.  We have a NetScaler SPX (VPX v.11) in our DMZ that's configured as our AG to our XenApp 7.13 farm... err... "site". Everything is working peachy in the realm of delivering Apps via ICA, but the catch is there's a business requirement to go Receiver-less for a certain contingent of partners, so naturally I opened up my big mouth and all but exclaimed: HTML5! to the business folks.

 

I got HTML5 working a-ok via the AG, however, it only works on Internet Explorer, Microsoft Edge, & Apple Safari.  From my understanding, and please do correct me if I'm wrong, this should also work quite seamlessly with the latest versions of Chrome, Firefox, and mobile browsers.  Working on Chrome without having the end user to install anything is really the business requirement here.

 

Here is my setup:

  • XenApp 7.13 Site
  • HTML5 (Websockets) enabled on the VDAs in question.
  • 2 NetScaler VPXs acting as load balancers in front of:
  • 2 StoreFront 3.9.0.56 w/ (latest) HTML5 Receiver that came with it
  • 1 NetScaler SPX with VPX 11.0 65.35.nc (DMZ) with a valid trusted Class 3 SHA256 cert.

 

Symptoms:

  • As mentioned, when launching a published app from an HTML5 enabled VDA using IE, Edge or Safari, everything works as expected.
  • When launching from Firefox, I get the new tab that opens with black background like it's trying to launch via HTML5, however, the wheel keeps spinning with "This may take a few moments.", and it just hangs there.  This occurs when I launch via the AG, but I also get the exact same behavior if I attempt to launch by connecting internally direct to StoreFront over HTTP.  The latter makes sense because it's http and not https, which the AG does the proxying and brokering for.  This makes me suspect that the issue is to do with the NetScaler and its SSL handling, hence why I didn't open this post in the Storefront forum.. (I suppose the logic could also work the other way too....).
  • When launching from Chrome or a mobile browser, either via AG or direct/http, it prompts me to download an .ica file.  For some reason, it doesn't do the HTML5 fallback that I have configured on Storefront.  If, on Storefront, I change to Receiver for HTML5 only, it then mimics the same above behavior as Firefox.

 

What I've tried (to no joy):

  • Because Chrome and Firefox are so much pickier SSL security-wise than IE, I checked our public AG URL on SSL Labs and found it to be an abysmal D-.  I followed the below great article and brought it to a semi respectable A-.

https://www.citrix.com/blogs/2016/06/09/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-2016-update/

 

The only thing that stands out in my new report is:  "the server does not support Forward Secrecy with the reference browsers. Grade reduced to A-", which is to do with not having ECDHE ciphers setup on my NetScaler.  When I try and select ECDHE ciphers on the vserver, I get this error: "Warning: "No usable ciphers configured on the SSL vserver/service" was observed on NetScaler Appliance".  I also don't think this error is the false positive cited in CTX135519, because when changing cipher suites from Default to High, I didn't get the error.

 

I also get this when viewing my Security under Development Tools in Chrome:

Obsolete Connection Settings

The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_256_CBC with HMAC-SHA1).

 

Could cipher suites possibly have anything to do with my issue?

  • I also opened up a case with Citrix.  Although we have premier support, I am still working my way up through the ranks, and because this isn't a Production issue (yet), it hasn't been escalated to the next levels of Engineering yet.

 

Anyway folks, I know this has been a long winded posting, and I thank your for reading it through and thank you in advance for any insights you might be able to provide... I've got PMs and Managers filling my inbox up on this, so any help would earn my eternal gratitude and beer.  :-)

 

Cheers,

 

Steve

 



Shruthi Udayakumar Citrix Employees

Shruthi Udayakumar
  • 8 posts

Posted 19 April 2017 - 11:47 AM

Hi Steve,

 

1) When launching from Firefox, I get the new tab that opens with black background like it's trying to launch via HTML5, however, the wheel keeps spinning with "This may take a few moments.", and it just hangs there. 

 

Could you please share us the logs to troubleshoot further. You can follow steps to collect the logs here - https://support.citrix.com/article/CTX217352

 

Also can you check if the VDA has the websocket configured properly. To do so, open command prompt inside VDA and type netstat -at and click enter. Check if the port 8008 is listed there.

 

2) When launching from Chrome or a mobile browser, either via AG or direct/http, it prompts me to download an .ica file.  For some reason, it doesn't do the HTML5 fallback that I have configured on Storefront.  

 

Probably the native receiver is installed on the device and it is downloading .ica file. You can change to launch with HTML5 receiver by clicking on user (top right corner) then Change Citrix REceiver then Use light version. After this, app/desktop launched should open in new tab.



Steve Szuster Members

Steve Szuster
  • 6 posts

Posted 21 April 2017 - 07:16 PM

** UPDATE **

 

Launching Chrome / Firefox from Desktop now works with HTML5.   It seems the issue had to do with a "strict validation http policy" on our DMZ NetScaler.  A new http policy was created that did not drop invalid http requests and enabled Websockets.

 

I am still however facing an issue launching with mobile browsers wherein they all (Android, Apple) try and download the .ica file and HTML5 never seems to get invoked on the device.

 

I have made sure that I didn't have any Native Receivers installed.

 

I feel it's something in the web.config on Storefront.

 

Any ideas?



Shruthi Udayakumar Citrix Employees

Shruthi Udayakumar
  • 8 posts

Posted 24 April 2017 - 03:36 AM

Great to hear that you were able to launch HTML5 Rx Sessions in desktop browsers.

 

For Mobile browsers, if you have set the policy to use the fallback option then can you try click on the user name and change Citrix Receiver then Use light version. After this, app/desktop launched should open in new tab.

 

I guess it is to do with the cookies and it might be downloading .ica file.

 

If you have set it to use HTML5 always then it should work as is.




Also tagged with one or more of these keywords: HTML5, Storefront 3.9, HTML2.5, XenApp 7.13, NetScaler, SSL