Gateway Application is not supported on Edge browser

[Ashutosh Padhi]

Dear Experts,

 

We have recently done a F5 APM (F5 LB) migration on Citrix Gateway (Netscaler ADC). We are stucked with a problem and looking for suggestion to resolve the same.

 

We have 02 Different ADC , Internal ADC and External ADC

 

We have a application Eg :   abc.yyz.com  , the Vserver (Eg: 10.10.10.10) is hosted on Internal ADC and things are working fine (with any browser) when accessed via this Vserver. This is usually accessed by Internal LAN Users.

 

Same application is also hosted on External ADC with Citrix Gateway (Gateway Vserver : 192.168.10.10 ) without any REWRITE or any other Influencing Policies. There is a bookmark(URL) abc.yyz.com  configure there under Citrix Gateway.  This is for External (Internet) users. We are expericing problem here while accessing the application from Internet. External URL is :  portal.pricing-abc.com

 

Note : As per design this application is compatible with Microsoft Edge browser (with IE mode).

 

Problem Statement :  Authentication is happening fine and getting redirected to application (abc.yyz.com) page directly. But Scroller (for scrolling UP and DOWN) is not reflecting on page. As this is big page we have manage the show by ZOOM IN / ZOOM OUT and selecting the desired things. After selecting the required options  , when we clicked on SUBMIT button, that is also not working and stucked with PROCESSING only i.e not getting redirected to the next page.  However, as mentioned above all these things are available and working fine when accessed from Internal ADC Vserver.

 

We have captured NS Trace and Developer Tool logs as well for non-working scenario … all files are showing loading properly as per Developer tool outcome.

 

Please suggest, What we missing here and If there any special setting available anywhere for Citrix Gateway where we need to look for .

[Julian Jakob]

How's your Bookmark configured - I mean, how did you publish the webapp to external? Is it combined with a content switch + aaa vserver for authentication or you're using clientless vpn / advanced clientless vpn?

[Ashutosh Padhi]

We have configured URLs on Published Applications and using advanced clientless VPN.

[Rhonda Rowland1709152125]

You might try a test with full vpn client and a browser over vpn tunnel.

then a clientless link

 

And see if its just clientless/rewrite issues Or the external/internal communication

Or deny authorization events on the gateway.  Check syslog to see if any content requests are being blocked by gateway.

IF its affecting page navigation it might be affected by cookies issues with the external domain vs. the internal which means a rewrite might in fact be needed.

 

I would also share the settings you used on the bookmark to see how it was created.  

 

 

[Somnath Chakraborty]

Hi Rhonda,

 

I am not clear on the first line - "You might try a test with full vpn client and a browser over vpn tunnel. then a clientless link". Could you please help me understand this.

 

Check syslog to see if any content requests are being blocked by gateway. - What is the command i can use to verify this on syslog.

[Rhonda Rowland1709152125]

Syslog first:

Go to cli:

shell

cd /var/log

tail -F ns.log | grep -v CMD_EXEC

 

This will output a live run of the recent syslog events in the /var/log/ns.log output.

The "grep -v CMD_EXEC" excludes all the audited configuration commands and should allow you to see vpn, aaa, authorization allow/deny events etc.

While the output is being display, do your user logon and test bookmark access and see if any events show up.

 

You can also run an nstrace from System > Diagnostics to see if anything else is going on to affect the traffic.

 

At this point, don't test the full vpn client test as you don't seem to know what that is.

[Somnath Chakraborty]

Currently I have enabled Advanced CVPN and the URLs are configured under Published Applications - URLs.

I found this article "https://docs.citrix.com/en-us/citrix-gateway/current-release/vpn-user-config/advanced-policy-support-for-enterprise-bookmarks.html"

and tried to configure the URLs same way but it gives me error - ""

 

I have removed the Urls under published application  but still getting the same error and unable to bind the VPN URL as advanced policy. 

Please guide me if i am making this wrong.

[Rhonda Rowland1709152125]

Bookmarks used to be just resources bound to entities. Now with the vpn urlpolicy/urlaction objecs they are advanced engine based. But you have to use only the advanced engine policies instead of legacy bookmarks.

These are based on the command formats:

add vpn url <urlobject>

bind <entity> -urlname <urlobject>

 

 

You need to look in your config for URL bindings on any entity: vpn global, vpn vservers (all), aaa group, aaa user.

 

In the advanced engin, the bookmarks are created as vpn urlactions/vpn urlpolicy commands.

 

 

 

Go to cli and do a filter on the runningconfig:

1) Look to see if you have any classic bookmarks bound:

show ns runningconfig | grep "vpn url" -i

show ns runningconfig | grep "-urlname" -i

show ns runningconfig | grep "bind vpn .* -ur.name" -i

show ns runningconfig | grep "bind aaa .* -urlname" -i

 

2) Now look to see what advanced bookmark policies you have created / are bound (if any). Depends on if you are going from classic to advanced (or you currently have advanced and you were trying to work with classic by mistake).

 

show ns runningconfig | grep "vpn urlpolicy" -i

# this should help you find all url vpn policy, then you have to figure out which ones are classic engine ns_true or other classic expression vs. advanced expressions "true" or other.

 

# You can then search for each policy by name to see where it is bound:

show ns runningconfig | grep <policyname> -i

 

# or check all the bind points, for policy bindings...

show ns runningconfig | grep "bind vpn .* -policy"

show ns runningconfig | grep "bind aaa .* -policy"

# this will find all sorts of policies on the bind points:  vpn vserver, vpn global, aaa user, aaa group, such as session policies, authorization, etc... and not just the vpn policies.

 

Anyway, you have to be all classic or all advanced for policies of a given type.  So all the vpn urlpolicies in use must be all advanced engine. unbind any classic policies and replace with advanced engine policies and rebind.