
Netscaler gateway problem


Hugh Laverty


Hi

We have a customer that uses Citrix NetScaler Gateway as their VPN solution. We are currently in the process of rolling out new laptops as a part of a domain migration and I have been tasked with testing this connection before the rollout.

When I attempt to connect I see the following in the ~nssslvpn log file

 

2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | FQDN of the server is REMOVED
2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | downloaded total 2126 bytes
2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | ns_HTTPrequest return value is: 2126
2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | repository header can't be found 
2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | Assuming default repository
2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | Upgrade type for plugin is Never 
2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | Plugin upgrade is not required 
2022-09-16 14:43:27.291 | Tid: 05428 | VERBOSE | Connection type 0x12 name 'LAN Connection'
2022-09-16 14:43:27.291 | Tid: 05428 | ERROR   | ns_QueryIEConnectionProxy | 557 | Failed to get INTERNET_PER_CONN_FLAGS_UI.  Try getting INTERNET_PER_CONN_FLAGS
2022-09-16 14:43:27.306 | Tid: 05428 | DEBUG   | ns_QueryConnectionProxy: bReturn=0
2022-09-16 14:43:27.306 | Tid: 05428 | ERROR   | ns_QueryConnectionProxy | 1064 | ns_QueryIEConnectionProxy: return FALSE
2022-09-16 14:43:27.306 | Tid: 05428 | DEBUG   | RedrawActiveXWnd: 2013:0
2022-09-16 14:43:27.306 | Tid: 05428 | EVENT   | 2013: Failed to read the proxy settings in the Web browser.
2022-09-16 14:43:27.306 | Tid: 05428 | ERROR   | ns_start_vpn_preconfig | 1207 | Failed to set manual proxy
2022-09-16 14:43:27.322 | Tid: 05428 | DEBUG   | ns_stop_vpn_prelogout() called
2022-09-16 14:43:27.322 | Tid: 05428 | DEBUG   | RedrawActiveXWnd: 3:2
2022-09-16 14:43:27.331 | Tid: 05428 | DEBUG   | Authenticated with service.
2022-09-16 14:43:27.333 | Tid: 05428 | ERROR   | ns_stop_vpn_prelogout | 364 | unknown error , -1 while waiting for select loop termination 
2022-09-16 14:43:27.333 | Tid: 05428 | DEBUG   | Uninstall driver & cleanup VA settings: Before entering critical section ns_SaveConfigFileCS
2022-09-16 14:43:27.333 | Tid: 05428 | DEBUG   | Entered critical section ns_SaveConfigFileCS

 

As far as I can tell, NetScaler Gateway cannot query Windows for the proxy settings, but I cannot understand why.

 

The laptops are managed via Azure/Intune and there are software policies and EUD scripts applied to secure the laptops. I'm pretty positive that it's one of the security policies or scripts that's stopping it from working, but the log doesn't really tell me what is going on.

 

Anybody seen this before?

 

Thanks

Hugh
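Added example, not part of the original posts: a small Python parser for the log format shown above that pulls the ERROR and EVENT entries out per thread id, so the first failing call (here the proxy query) stands out from the DEBUG lines. The field layout is inferred from the excerpt, and the names parse and failure_chain are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the lines from the log excerpt in the post.
SAMPLE_LOG = """\
2022-09-16 14:43:27.291 | Tid: 05428 | DEBUG   | Plugin upgrade is not required
2022-09-16 14:43:27.291 | Tid: 05428 | VERBOSE | Connection type 0x12 name 'LAN Connection'
2022-09-16 14:43:27.291 | Tid: 05428 | ERROR   | ns_QueryIEConnectionProxy | 557 | Failed to get INTERNET_PER_CONN_FLAGS_UI.  Try getting INTERNET_PER_CONN_FLAGS
2022-09-16 14:43:27.306 | Tid: 05428 | DEBUG   | ns_QueryConnectionProxy: bReturn=0
2022-09-16 14:43:27.306 | Tid: 05428 | ERROR   | ns_QueryConnectionProxy | 1064 | ns_QueryIEConnectionProxy: return FALSE
2022-09-16 14:43:27.306 | Tid: 05428 | EVENT   | 2013: Failed to read the proxy settings in the Web browser.
2022-09-16 14:43:27.306 | Tid: 05428 | ERROR   | ns_start_vpn_preconfig | 1207 | Failed to set manual proxy
2022-09-16 14:43:27.322 | Tid: 05428 | DEBUG   | ns_stop_vpn_prelogout() called
"""

Entry = namedtuple("Entry", "ts tid level func line msg")
# Layout assumed from the excerpt: timestamp | Tid: n | LEVEL | message
LINE_RE = re.compile(r"^(\S+ \S+) \| Tid: (\d+) \| (\w+)\s*\| (.*)$")
# ERROR messages carry an extra "function | source line | text" prefix.
ERR_RE = re.compile(r"^(\w+) \| (\d+) \| (.*)$")

def parse(text):
    """Yield one Entry per well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ts, tid, level, msg = m.groups()
        func = line = None
        e = ERR_RE.match(msg) if level == "ERROR" else None
        if e:
            func, line, msg = e.group(1), int(e.group(2)), e.group(3)
        yield Entry(ts, tid, level, func, line, msg)

def failure_chain(text):
    """Return the ERROR/EVENT entries in log order, grouped by thread id."""
    chains = {}
    for e in parse(text):
        if e.level in ("ERROR", "EVENT"):
            chains.setdefault(e.tid, []).append(e)
    return chains

if __name__ == "__main__":
    for tid, chain in failure_chain(SAMPLE_LOG).items():
        print(f"Tid {tid}: first failure in {chain[0].func} (line {chain[0].line})")
        for e in chain:
            print(f"  {e.ts} {e.level:5} {e.func or '-'}: {e.msg}")
```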


Which version of ADC? And which endpoint OS/version?

In the session policy (profile), under connections (second tab) and then advanced settings, there are settings for inheriting proxy based on client endpoint, and if not, a policy could be used to assign one.

 

I don't know why it's failing unless the ADC is old and running into an issue with new endpoints OR (vice versa).

Would it be possible to set the proxy via the policy if the detection doesn't work in this instance?

 

(Until someone else has a better idea or unless the versions indicate a bug is possible.)


On 9/16/2022 at 7:15 PM, Rhonda Rowland1709152125 said:

Which version of ADC? And which endpoint OS/version?

In the session policy (profile), under connections (second tab) and then advanced settings, there are settings for inheriting proxy based on client endpoint, and if not, a policy could be used to assign one.

 

I don't know why it's failing unless the ADC is old and running into an issue with new endpoints OR (vice versa).

Would it be possible to set the proxy via the policy if the detection doesn't work in this instance?

 

(Until someone else has a better idea or unless the versions indicate a bug is possible.)

 

Not sure what ADC is, but the Citrix Gateway plugin version is 2.7.1.1 and the Windows version is 21H2.

 

 

We don't have any access to the 'backend' as that is hosted by the customer. 


Citrix ADC == NetScaler == NetScaler Gateway: the appliance running the gateway VPN vserver.

 

So, if they don't have settings for the VPN config to rely on the client-side proxy settings (using local client settings for proxy) OR the settings aren't exposed for you to manage within the VPN client itself, then you can't make changes. They have to configure certain settings on their side. The VPN config could also be affected by split tunnel/split DNS/Local Network access or other network settings.

 

So the question is whether the config is set up to allow the proxy detection, or if there is a client-side security restriction/permissions on the endpoint preventing access, or a bug in the gateway plugin. And there just isn't enough information to diagnose.

 

Here's an example of the setting on the Gateway side, to allow proxy detection by the client:  https://docs.citrix.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-plugin-connections/enable-proxy-support-for-user-connections.html

 

Past Issue (2018) required a support ticket; but no way to determine if issue is remotely related to what you are experiencing:  https://discussions.citrix.com/topic/393563-netscaler-gateway-windows-plugin-connection-problem/

 
