Hugh Laverty
Posted September 16, 2022

Hi

We have a customer that uses Citrix NetScaler Gateway as their VPN solution. We are currently in the process of rolling out new laptops as a part of a domain migration and I have been tasked with testing this connection before the rollout.

When I attempt to connect I see the following in the ~nssslvpn log file:

    2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG | FQDN of the server is REMOVED
    2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG | downloaded total 2126 bytes
    2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG | ns_HTTPrequest return value is: 2126
    2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG | repository header can't be found
    2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG | Assuming default repository
    2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG | Upgrade type for plugin is Never
    2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG | Plugin upgrade is not required
    2022-09-16 14:43:27.291 | Tid: 05428 | VERBOSE | Connection type 0x12 name 'LAN Connection'
    2022-09-16 14:43:27.291 | Tid: 05428 | ERROR | ns_QueryIEConnectionProxy | 557 | Failed to get INTERNET_PER_CONN_FLAGS_UI. Try getting INTERNET_PER_CONN_FLAGS
    2022-09-16 14:43:27.306 | Tid: 05428 | DEBUG | ns_QueryConnectionProxy: bReturn=0
    2022-09-16 14:43:27.306 | Tid: 05428 | ERROR | ns_QueryConnectionProxy | 1064 | ns_QueryIEConnectionProxy: return FALSE
    2022-09-16 14:43:27.306 | Tid: 05428 | DEBUG | RedrawActiveXWnd: 2013:0
    2022-09-16 14:43:27.306 | Tid: 05428 | EVENT | 2013: Failed to read the proxy settings in the Web browser.
    2022-09-16 14:43:27.306 | Tid: 05428 | ERROR | ns_start_vpn_preconfig | 1207 | Failed to set manual proxy
    2022-09-16 14:43:27.322 | Tid: 05428 | DEBUG | ns_stop_vpn_prelogout() called
    2022-09-16 14:43:27.322 | Tid: 05428 | DEBUG | RedrawActiveXWnd: 3:2
    2022-09-16 14:43:27.331 | Tid: 05428 | DEBUG | Authenticated with service.
    2022-09-16 14:43:27.333 | Tid: 05428 | ERROR | ns_stop_vpn_prelogout | 364 | unknown error , -1 while waiting for select loop termination
    2022-09-16 14:43:27.333 | Tid: 05428 | DEBUG | Uninstall driver & cleanup VA settings: Before entering critical section ns_SaveConfigFileCS
    2022-09-16 14:43:27.333 | Tid: 05428 | DEBUG | Entered critical section ns_SaveConfigFileCS

As far as I can tell NetScaler Gateway cannot query Windows for the proxy settings, but I cannot understand why. The laptops are managed via Azure/Intune and there are software policies and EUD scripts applied to secure the laptops.

I'm pretty positive that it's one of the security policies or scripts that's stopping it from working, but the log doesn't really tell me what is going on.

Anybody seen this before?

Thanks
Hugh
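An added example, not part of the original thread: a small Python parser for the record layout of the log quoted in the post above (timestamp | Tid | level | message), which keeps only the ERROR and EVENT records and splits each ERROR into function, source line and text. The sample records are copied from that post; the names parse_log, failures and SAMPLE are hypothetical.

```python
import re
from collections import namedtuple

# Record header as it appears in the quoted log:
#   "<timestamp> | Tid: <id> | <LEVEL> | <message>"
RECORD = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \| Tid: (\d+) \| ([A-Z]+) \| "
)
# In the quoted log, ERROR messages carry "<function> | <source line> | <text>".
ERROR_BODY = re.compile(r"(\w+) \| (\d+) \| (.*)", re.S)

Entry = namedtuple("Entry", "ts tid level func line text")

# Sample records copied from the post, run together the way a paste often is.
SAMPLE = (
    "2022-09-16 14:43:27.291 | Tid: 05428 | VERBOSE | Connection type 0x12 name 'LAN Connection' "
    "2022-09-16 14:43:27.291 | Tid: 05428 | ERROR | ns_QueryIEConnectionProxy | 557 | "
    "Failed to get INTERNET_PER_CONN_FLAGS_UI. Try getting INTERNET_PER_CONN_FLAGS "
    "2022-09-16 14:43:27.306 | Tid: 05428 | DEBUG | ns_QueryConnectionProxy: bReturn=0 "
    "2022-09-16 14:43:27.306 | Tid: 05428 | ERROR | ns_QueryConnectionProxy | 1064 | "
    "ns_QueryIEConnectionProxy: return FALSE "
    "2022-09-16 14:43:27.306 | Tid: 05428 | EVENT | 2013: Failed to read the proxy settings in the Web browser. "
    "2022-09-16 14:43:27.306 | Tid: 05428 | ERROR | ns_start_vpn_preconfig | 1207 | Failed to set manual proxy "
)

def parse_log(blob):
    """Split a log blob into entries, one per record header, however it is wrapped."""
    # re.split with three groups yields [prefix, ts, tid, level, body, ts, tid, ...]
    parts = RECORD.split(blob)
    entries = []
    for i in range(1, len(parts), 4):
        ts, tid, level, body = parts[i:i + 4]
        body = body.strip()
        func = line = None
        m = ERROR_BODY.fullmatch(body) if level == "ERROR" else None
        if m:
            func, line, body = m.group(1), int(m.group(2)), m.group(3).strip()
        entries.append(Entry(ts, tid, level, func, line, body))
    return entries

def failures(entries):
    """Keep the records that report a failure (ERROR) or a user-facing EVENT."""
    return [e for e in entries if e.level in ("ERROR", "EVENT")]

if __name__ == "__main__":
    for e in failures(parse_log(SAMPLE)):
        where = f"{e.func}:{e.line}" if e.func else "-"
        print(f"{e.ts} {e.level:5} {where:32} {e.text}")
```

Run over the full log, this lists the failure records in order, from the proxy query through the failed preconfig step, without the surrounding DEBUG output.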

Rhonda Rowland1709152125
Posted September 16, 2022

Which version of ADC? And which endpoint OS/version?

In the session policy (profile), under connections (second tab) and then advanced settings, there are settings for inheriting proxy based on client endpoint, and if not, a policy could be used to assign one.

I don't know why it's failing unless the ADC is old and running into an issue with new endpoints OR (vice versa). Would it be possible to set the proxy via the policy if the detection doesn't work in this instance? (Until someone else has a better idea or unless the versions indicate a bug is possible.)

Hugh Laverty (Author)
Posted September 21, 2022

On 9/16/2022 at 7:15 PM, Rhonda Rowland1709152125 said:

> Which version of ADC? And which endpoint OS/version?
>
> In the session policy (profile), under connections (second tab) and then advanced settings, there are settings for inheriting proxy based on client endpoint, and if not, a policy could be used to assign one.
>
> I don't know why it's failing unless the ADC is old and running into an issue with new endpoints OR (vice versa). Would it be possible to set the proxy via the policy if the detection doesn't work in this instance? (Until someone else has a better idea or unless the versions indicate a bug is possible.)

Not sure what ADC is, but the Citrix Gateway plugin version is 2.7.1.1 and the Windows version is 21H2.

We don't have any access to the 'backend' as that is hosted by the customer.

Rhonda Rowland1709152125
Posted September 22, 2022

Citrix ADC == NetScaler == NetScaler Gateway: the appliance running the gateway VPN vserver.

So, if they don't have settings for the VPN config to rely on the client-side proxy settings (using local client settings for proxy) OR the settings aren't exposed for you to manage within the VPN client itself, then you can't make changes. They have to configure certain settings on their side. The VPN config could also be affected by split tunnel/split DNS/Local Network access or other network settings.

So the question is whether the config is set up to allow the proxy detection, or if there is a client-side security restriction/permissions on the endpoint preventing access, or a bug in the gateway plugin. And there just isn't enough information to diagnose.

Here's an example of the setting on the Gateway side, to allow proxy detection by the client: https://docs.citrix.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-plugin-connections/enable-proxy-support-for-user-connections.html

Past issue (2018) required a support ticket, but no way to determine if the issue is remotely related to what you are experiencing: https://discussions.citrix.com/topic/393563-netscaler-gateway-windows-plugin-connection-problem/