Can't connect Citrix Receiver to Netscaler Gateway

[Jesus Martin]

Hi everyone,

 

I’m setting up a new XenApp environment between 2 datacenters, with 2 StoreFronts in each site load balanced using Netscaler. I also configured GSLB between sites as one of our requirement is an Active-Active XenApp environment. My problem is I can’t connect to the gateway “citrix.ourdomain.com” when I am using the Citrix Receiver but I have no issues using Citrix Receiver for Web, I’m getting prompted to key in my username and password and after that I get the below generic error:

 

“Your account cannot be added using this server address. Make sure you entered it correctly. You may need to enter your email address instead”

 

As an additional info, I already created a DNS SRV entry so I can add account using email, which works if I configure the “Host Offering this service” to point to the StoreFront but not if I point it to the Netscaler gateway.

 

 I created my Session Policies in Netscaler for Citrix Receiver and Receiver for Web as per “Carl Stalhood” which is a great guide but still having issues.

 

Thanks in advance for any input.

 

 

[CarlStalhood]

Are you doing Single FQDN (same FQDN internal and external)?

 

What is your internal beacon?

[Jesus Martin]

Hi Carl,

 

I still have to configure our external netscalers, right now what I finished are the internal netscalers but I will implement a single FQDN for internal and external. My internal beacon is set to "Use the service URL", my external beacon goes to "https://www.google.com" and https:.//www.citrix.com".

[CarlStalhood]

Internal NetScaler means load balancing only?

 

Did you configure Gateway objects in your StoreFront console and enable Remote Access on the Store?

[Jesus Martin]

***********Internal NetScaler means load balancing only?

Internal netscaler does load balancing of our 2 StoreFronts in each site. It was also a requirement that internal users should be able to access apps in both datacenters/sites in Active-Active that's why GSLB was setup internally. We will use the external netscaler for home users, which I will also configure GSLB.

 

***********Did you configure Gateway objects in your StoreFront console and enable Remote Access on the Store?

In StoreFront I added only the GSLB Virtual Server gateway "citrix.ourdomain.com", do I have to add the Netscaler Gateways?

I enabled Remote Access on the Store but only for the GSLB Virtual Gateways, I may need to add the Netscaler Virtual Gateways as well?

[CarlStalhood]

On NetScaler, there are multiple types of Virtual Servers:

 

GSLB Virtual Server - listens for DNS names and responds with IP addresses. That's it.

 

Load Balancing Virtual Server - has a VIP that forwards traffic to one or more servers.

 

NetScaler Gateway (VPN) Virtual Server - has a VIP that asks for authentication, proxies HTTP to StoreFront, and proxies ICA to VDAs.

 

Which ones did you configure? NetScaler Gateway is usually only needed externally. Did you configure this internally? Then did you configure StoreFront with the NetScaler Gateway object and FQDN?

 

Or when you say "citrix.ourdomain.com", are you referring to the StoreFront Base URL, which is not NetScaler Gateway?

[Jesus Martin]

On NetScaler, there are multiple types of Virtual Servers:

 

GSLB Virtual Server - listens for DNS names and responds with IP addresses. That's it.

Load Balancing Virtual Server - has a VIP that forwards traffic to one or more servers.

NetScaler Gateway (VPN) Virtual Server - has a VIP that asks for authentication, proxies HTTP to StoreFront, and proxies ICA to VDAs.

Which ones did you configure? NetScaler Gateway is usually only needed externally.

 

I configured them all:

- GSLB Virtual Server - I used for ADNS as per your remarks.

- Load BAlancing Virtual Server - I used to load balance 2 StoreFront Servers in each site

- Netscaler Gateway Virtual Server - I used to proxy to StoreFront and ICA to VDAs, I configured this to make sure internal users can still access the applications in case one of our datacenter blows up. The Netscaler Gateway Virtual Server FQDN resloves to "Citrix.Ourdomain.com" which we are using  for Receiver for Web and Citrix Receiver.

 

Honestly I don't like the internal users to connect to gateway internally as we lost the SSO capability but because its required for disaster recovery scenario.

 

 

[Jesus Martin]

Sorry Carl, the "Citrix.Ourdomain.com" points to the GSLB Domain.

 

Weird thing is that only Citrix Receiver is having issue, Citrix Receiver for web is just fine.

[CarlStalhood]

The StoreFront Base URL must resolve to a Load Balancing VIP, not a Gateway VIP.

 

If your StoreFront Base URL and the Gateway URL are the same, then that's called Single FQDN. In that case, you must change the internal beacon to something other than the service URL. Set it to an internal address that can't be reached externally (e.g. Intranet).

 

For Citrix.ourdomain.com, when internal, does it resolve the Gateway VIP? Or does it resolve to a Load Balancing VIP?

 

Your best option is to engage a Citrix Partner to review your design and configuration.

[Mohammed Shajin]

Hi Carl,

 

We are experiencing similar issue except in our case we don't want internal users to go through NS gateway. Our storefront base URL is storefront.domain.com and gateway URL is remote.domain.com. Storefront URL is load balanced via DNS round robin that points to each of the storefront servers (which is also the delivery controllers). Like OP, web works beautifully whereas Citrix Receiver comes up with "cannot contact site" error. Any pointers?

 

Thanks.

[GeorgeD]

sorry to bump an old post, but i'm having similar issues when testing my new gateways. we never used native receiver before.

always receiver for web. 

receiver can't get past the gateway vserver/site url entry.

it does seem work when i enter the load balanced storefront vip directly. 

 

[GeorgeD]

found my issue. 

nfactor:

 

https://www.carlstalhood.com/nfactor-authentication-citrix-gateway-13/

 

hoping this note works: 

 

Workspace app 1809 and newer with Citrix Gateway 12.1 build 49 and newer support nFactor authentication. Older Receivers and older NetScalers don’t support nFactor, so you’ll instead have to use a web browse