Please select one of the following login page

[pieter watteeuw]

Hi,

 

When i logon to the netscaler gateway i keep getting "Please select one of the following" without options.

Clientless Access = ON

Client choises is disabled.

 

Netscaler version: NetScaler NS12.0: Build 51.24.nc, Date: Jul 15 2017

 

[Paul Blitz]

No, in your case, clientless is NOT (necessarily) disabled, I'm sorry to say.

 

When a session profile does not have a setting set locally (ie "global override" is TICKED), then whilst you will see the global setting in the profile (greyed-out), that setting can be (and in your case must be...) inherited from another matching policy. For example, here's 3 session policies:

 

10 IF (it's windows, with corporate AV, and I can find a hidden file) THEN profile 1

20 IF (it's windows, with one of a list of suitable AVs) THEN profile 2

30 IF TRUE THEN profile 3

 

The first one matches your corporate laptops, the second any decent Windows setup, and the last catches everything.

 

Your corporate laptops actually match all three of those policies. So if Profile 1 doesn't have a setting locally (=  "global override" is TICKED) then it will then check, in order, Profile 2 then Profile 3, for that setting. If none of those has the setting locally, finally, you will get the default global settings (= what's shown in a profile, greyed out).

 

So, if a setting is important to you, SET IT LOCALLY!!

 

In your case, just go into that profile, tick the "override global" box, and set choices to UNticked, and you'll be ok. The setting is now set locally in that profile, and noone can take it away from you (then repeat another 100 times for all the other settings in the profile!!!)

[CarlStalhood]

Is HSTS enabled in a SSL Profile, or in the vServer’s SSL Parameters?

[pieter watteeuw]

Is HSTS enabled in a SSL Profile, or in the vServer’s SSL Parameters?

 

Yes it's enabled on the NetScaler Gateway Virtual Server.

I have tested this without HSTS and than it works.

Is there a way to let this work with HSTS?

What is the reason for this?

 

THX!

[CarlStalhood]

Bug.

 

You can still implement HSTS by binding a Rewrite Response policy.

[Rhonda Rowland1709152125]

About the client choices option (everything Paul said is true).

Global Override: Disabled means you are not asserting a value. Default state is setting is ENABLED.

Global Override: Enabled means you are asserting a value.

  HOWEVER, even if the left-hand checkbox looks "off" when you first enable the control, there is a GUI defect where the "checkbox" is enabled and not shown.  Usually click until the left checkbox turns on, then clear. To disable client choices.

  Or check the policy after enabling global override (by closing and re-opening the profile) and then you will see the value is still "enabled".

 

If client choices is off (and global override on) AND ICA Proxy:ON, then you will default to ICA proxy only mode.

If ICA Proxy is OFF, and Client Choices is OFF, then your Clientless Access: ON setting will determine if you are clientless only mode or clientless and vpn mode (without choices).

[pieter watteeuw]

Inserting HSTS header with a Rewrite Response policy works.


Thanks Carl.

[Mark Brilman]

Has this bug resurfaced again? I have several NetScalers hanging again and disabling the HSTS checkbox solves the issue. Version 13.0.85.19 (latest 13)

[Tobias Wende1709163199]

Hi Mark, I can confirm, we see the same old bug in 13.0 85.19 (and newer) with one of our customers.

[Maarten Annema]

Hi all, this bug is also present in build 13.0 88.14

We came from 13.0 83.27 wich had no problem using HSTS and after upgrade to 88.14 the bug was present.

[Paul Burden]

I've been told by citrix support today that the latest version 13.0.88.16 fixes this issue, although i can't see the mention in the release notes.  i've asked them to clarify before i upgrade to this .  Just in case others want to try and see if it does indeed resolve the issue

[Brian Gentile]

I am running 13.1.33.52 and I am seeing this bug as well. 

[Helder Souza1709162900]

88.16 the issue happens, I'll try the HSTS rewrite policy.