Forum Discussion

Mark_Smith_-_NC's avatar
Mark_Smith_-_NC
Icon for Altocumulus rankAltocumulus
Feb 03, 2018

Citrix storefront

We are trying to replace a Netscaler Gateway with F5 APM/LTM using the latest iApp but are experiencing some issues.

 

Current setup Client --> Firewall --> Netscaler GW --> Storefront --> Delivery Cont.

 

New Setup Client --> Firewall --> F5 --> Storefront --> deliver cont.

 

The original Netscaler setup works fine, however when we amend the firewall NAT rule to swing the connection to the F5 the clients get the new logon page (we've customised it to be different) served up by F5 APM and they login but then receive a 404 error (connection timed out).

 

On the internal LAN we can login fine and looking at the ICA file the F5 is re-writing it so the SSLProxy setting is to itself but I believe the issue is further downstream with the Storefront or Delivery cont.

 

When we did a packet trace on the firewall it seems the Storefront is trying to communicate back to the firewall itself rather than talking to the F5 but this traffic is not seen when we are using the Netscaler.

 

On the Storefront server in the Citrix Delivery Services log we see these two errors. The remote address is the F5. The X-forwarded address is the Firewall internal interface.

 

EXAMPLE 1 A request was sent to service 'Authentication Service' that was detected as passing through a gateway. This service is configured with the gateways [cc4bdb0c-3ebb-4144-99cd-685bc0ba5f5e,bb906ec6-6e96-44b6-8fd7-d8007204073f,f8f8c49b-6861-4517-873b-1f727f555bf9], but none of these matched the request. Request details: X-Citrix-Gateway: X-Citrix-Via: XenDesktop.domain.com:443 X-Citrix-Via-VIP: Remote Address: 10.0.0.10 X-Forwarded-For: 172.0.0.10

 

EXAMPLE2 Gateway data from the request and the authentication token are not matching. Request was made to store NCCXD7.

 

Request data: Remote Address: 10.0.0.10 X-Citrix-Via: X-Citrix-Gateway: X-Forwarded-For: 172.0.0.10 X-Citrix-TrustCertRef:

 

Token data: Remote Address: X-Citrix-Via: 10.0.0.10 X-Citrix-Gateway: XenDesktop.domain.com X-Forwarded-For: X-Citrix-TrustCertRef: 172.0.0.10, 172.0.0.10

 

Gateway configuration: System.String[]

 

I did notice that on the iApp the Citrix STA servers had not been defined? Could this be the issue? Anybody got any advice/pointers on what I can check or try please?

 

Thanks in advance

 

3 Replies

  • Bit of an update to this. I set the STA servers on the iApp. I could then see the login page and input credntials but received an error.

     

    Within Storefront on the NEtscaler Gateway the "callback" option was set and as it was no longer talking to a Netscaler Gateway and an F5 I assumed this was why it was failing the NS validation. After removing the callback entry I could successfully login.

     

    Unfortunately I'm not behind a firewall so am unable to truly test the setup that we see for our devices in the remote network.

     

  • Sorry - I also forgot to mention that LAN connections going to the web page are working fine even without the STA entry.

     

    So it currently has: 1. No STA entry in the iApp 2. The callback option is set in the Netscaler Gateway setting in Storefront.

     

    This works for LAN connections Remote connections behind the firewall get connection timed out errors and the firewall shows traffic coming from the Storefront server to it's internal NAT'ed interface.

     

    • KyleB's avatar
      KyleB
      Icon for Altostratus rankAltostratus

      Hi Mark.....were you able to figure this out for remote connections ?