Daniel Litschewsky, posted July 5, 2017

Hi all,
does anyone have Adaptive Transport (EDT) running via NS Gateway on NetScaler 12?
I followed up every article to get it running on NS 12 but no luck. ICA sessions only run on 1494/2598 TCP.
Didn't test it with NS 11.1-51.21, maybe someone knows if it is supported with NS 12 or not.
Or is it only supported with NS 11.1-51.21?
Via LAN UDP works fine. DTLS also active on NS.
Any hints on that issue?
Best Regards,
Daniel

Raul Gonzalez, posted July 5, 2017

Did you unbind and rebind the certificates on the Netscaler?

Kyle Peterson, posted July 5, 2017

I think you need to allow UDP port 443 to the Netscaler from your clients as well. Had the same issue here until I did that.

Daniel Litschewsky (Author), posted July 6, 2017

Yes, I rebound the public certificate on the vserver.
Definitely no firewall issue, since my firewall guy configured any any from the vserver, SNIP and NSIP to the infrastructure servers and workers, with no luck.

Raul Gonzalez, posted July 6, 2017

Did you set the HDX Adaptive Transport policy to Preferred in Citrix Studio?

Kyle Peterson, posted July 6, 2017

For the firewall rule I mentioned, it would be UDP port 443 from All external -> Netscaler vserver.
The rules you mentioned above are fine but you also need this one. Without EDT you would just have a rule that's TCP port 443 from All external -> vserver.

Daniel Litschewsky (Author), posted July 6, 2017

Thank you Kyle. That could be the missing rule. I will check it. Thank you.

Raul Gonzalez, posted July 7, 2017

Well I regret to inform that Netscaler 12 and 11.1 are broken. I have been having issues getting EDT working and Netscaler 12 has BUG0686774 and won't be fixed until Netscaler 12.1 according to a Citrix Escalation Engineer.

Kyle Peterson, posted July 7, 2017

I'm on the latest version 12 of Netscaler and EDT is working great here. What are the details of the bug you are talking about?

Raul Gonzalez, posted July 7, 2017

He didn't say. I just asked him that question. I wonder. The SSL certificate and CAs you have installed are all SHA256? None are SHA384?

Raul Gonzalez, posted July 8, 2017

Then maybe they didn't fully check that they supported anything above SHA256 for EDT. My CA certs are SHA384.
But this is what the guy told me:
The issue is with EDT/DTLS itself when it is enabled on the Netscaler and HDX Adaptive Transport is enabled on XenApp site.

Daniel Litschewsky (Author), posted July 26, 2017

EDT is still not working in my environment. We are load balancing StoreFront via KEMP Load Balancer. But as I already said, in the LAN EDT works, also running over the KEMP load balancer.
I opened the UDP Ports 443 from external IP --> DNAT --> VIP Gateway
NetScaler Subnet IP 1494,2598 TCP + UDP to Worker LAN and StoreFront Load Balancer
Did I forget anything?

Raul Gonzalez, posted August 21, 2017

Try the updated firmware that just came out: Netscaler 11.1 55.10. Has some fixes for EDT/DTLS.

Daniel Litschewsky (Author), posted September 12, 2017

I updated to NS 12.0.53.6 but still get EDT not working for external users. Maybe it has something to do with the KEMP Load Balancer. We do not use NetScaler to load balance all services, because we only have the Access Gateway licenses.

Christoph Kolbicz1709156882, posted November 21, 2017

I tried to get EDT working over a Netscaler 12 as well and I discovered that it works with the latest build, but NOT when using Unified Gateway. When I use a normal gateway, it works fine.
This site states Unified Gateway is supported: https://docs.citrix.com/en-us/netscaler-gateway/12/hdx-enlightened-data-transport-support/configuring-netscaler-gateway.html - but I remember that this was discussed already when EDT came out and I was surprised to see Unified Gateway support on this list.
DTLS and UDP 443 enabled - same configuration works with a NSGW but not with UGW.
EDIT: I found out that using SNI was the problem. It's not caused by the UGW - it works properly without SNI. Seems this is not supported yet?

Fernando Klurfan1709153904, posted November 25, 2017

@derdani82 Does it work if you launch the EDT session from the internal network, bypassing NSG?
If not, focus on the ICA file (does it include HDXoverUDP = Preferred), or check the UDP ports are listening on the VDA.
If it did, is Receiver attempting UDP and getting a reply from NSG VPN vServer? Use Wireshark to double check.
If there are UDP/DTLS packets back and forth, proceed to check UDP packets between NSG backend SNIP and VDA. Use Wireshark again.

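The checks in the post above, applied to the gateway path in order, as an added example that is not part of the original thread or any Citrix tooling: it reads the `HDXoverUDP` value from ICA file text, then looks for a UDP round trip on the front end (client to gateway, UDP 443) and on the back end (SNIP to VDA). The packet records stand in for a summarised Wireshark capture; the function names, record layout, addresses and sample ICA text are constructed assumptions, and the VDA ports are the 1494/2598 named earlier in the thread.

```python
import configparser

VDA_UDP_PORTS = {1494, 2598}  # ports named in the thread; adjust to your site

def ica_transport(ica_text):
    """Return the HDXoverUDP value from ICA file text, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ica_text)
    for section in cp.sections():
        for key, value in cp.items(section):  # configparser lower-cases keys
            if key == "hdxoverudp":
                return (value or "").strip()
    return None

def udp_round_trip(packets, src, dst, ports):
    """True if UDP src->dst to one of `ports` is answered dst->src."""
    udp = [p for p in packets if p["proto"] == "udp"]
    sent = any(p["src"] == src and p["dst"] == dst and p["dport"] in ports
               for p in udp)
    answered = any(p["src"] == dst and p["dst"] == src and p["sport"] in ports
                   for p in udp)
    return sent and answered

def triage(ica_text, packets, client, gateway, snip, vda, vda_ports=VDA_UDP_PORTS):
    """Return the first stage of the EDT path that fails, or 'edt-path-ok'."""
    mode = ica_transport(ica_text)
    if mode is None or mode.lower() != "preferred":
        return "ica-file: HDXoverUDP is not Preferred"
    if not udp_round_trip(packets, client, gateway, {443}):
        return "front-end: no UDP 443 round trip between client and gateway"
    if not udp_round_trip(packets, snip, vda, vda_ports):
        return "back-end: no UDP round trip between SNIP and VDA"
    return "edt-path-ok"

# Constructed sample data (documentation addresses, not from the thread).
SAMPLE_ICA = "[ApplicationServers]\nDesktop=\n[Desktop]\nHDXoverUDP=Preferred\n"
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "198.51.100.10", "dst": "203.0.113.5", "sport": 50000, "dport": 443},
    {"proto": "udp", "src": "203.0.113.5", "dst": "198.51.100.10", "sport": 443, "dport": 50000},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.1.20", "sport": 40000, "dport": 2598},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ICA, SAMPLE_PACKETS,
                 "198.51.100.10", "203.0.113.5", "10.0.0.5", "10.0.1.20"))
```

In the sample the SNIP sends UDP to the VDA but nothing comes back, so the result points at the back-end leg, which is where a firewall rule limited to TCP 1494/2598 would show up.
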
dpalchu521, posted July 15, 2019

Just ran into the same issue with 1903 and NS 11.1 61.7. Enabling UDP 443 seems to work, at least in test.

Daniel Litschewsky (Author), posted July 16, 2019

Try disabling IPv6 on client and endpoint.

dpalchu521, posted July 18, 2019

On 7/16/2019 at 5:54 AM, Daniel Litschewsky said: "Try disabling IPv6 on client and endpoint"

Yes, looks like it's a no go on the prod environment since it's running IPv4/IPv6 gateways (even though VDAs are IPv4 only). On the IPv4 test systems the UDP 443 is what I missed when opening ports from Netscaler to the VDA. Now it's working. I will need to test further to see if the performance differences will be high enough to trigger the discussion on at least temporarily getting rid of the IPv6 gateway (from support perspective the dual stack has def not made things easy).

One interesting note: when the VDAs and the farm were upgraded from 7.15 to 1903, suddenly a number of Macs running Workspace clients stopped working via Netscaler. This was not the problem on the 7.15 VDAs that have not been upgraded. The only way to get the users back on was to downgrade Workspace clients to LTSR Receiver. Turns out that with non-functional NS-VDA EDT connectivity they weren't falling back to TCP. Shutting off the Adaptive Transport via policy allowed the use of Mac Workspace clients again. PC clients worked fine, however.