
Outlook Certificate Error with NetScaler



Hi All!

I've been digging around this problem that I have with Outlook and NetScaler for over 3 weeks now and I feel like I've really hit a wall. I hope someone can help me out.

The scenario is this: my client has an existing Exchange 2013. They want it to pass through the NetScaler for optimization and SSL offloading. So we deployed 2 NetScalers and I started on the configuration. Now, I followed the official deployment guide provided by Citrix.

When I tested it out, my client's Outlook Web App works fine, as well as Live Mail, but some Outlook users receive a certificate error which says "There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server (Error Code 8)".

Now there are 2 things that puzzled me with this error:

 1.) The certificate I used was a certificate that my client purchased from GlobalSign

 2.) The error occurs in other departments of the company except for the IT department

So I continued to dig into it and found this topic in the forum:

https://discussions.citrix.com/topic/362170-citrix-please-fix-the-exchange-2013-document-or-take-it-down/

and this article by Daniel Ruiz:

http://danielruiz.net/2015/05/26/exchange-2013-layer-7-single-namespace-loadbalancing-with-citrix-netscaler/

I followed the additional information I got, i.e. adding set_test_mode(ignorecase) in the policies for content switching, disabling SSLv3, and adding custom ciphers. Still, that didn't do any good. I also thought that since the CAS is still doing encryption, somehow there should still be authentication between NetScaler and CAS, so I enabled server authentication at the service level, but still the error persists.

I just don't understand why these errors occur for several users but not all. When I test it out using a test PC and test mail provided by the client, everything works fine. What could I be missing? Is this a NetScaler issue? I hope someone can help me out.

Ivan

 


Hi Ketil,

Thanks for your response. I'm not really that familiar with SSL certificates yet. This might help. I did see in the certification path on the GlobalSign certificate that there is an intermediate certificate. I'll try that and I'll let you know.

Just another question. If this does solve it, does that mean that the intermediate certificate is not required to be installed in the NetScaler if web applications are used? Because I also optimized a few more web applications and web sites, and the SSL certificates of those applications do have an intermediate certificate in the certification path, but it works fine. I guess I need to read more on intermediate certificates.

Anyway, I'll try this out and hope this solves it. Thanks!


Hi Ivan,

Best practice is to always link in any intermediate certificates on all your SSL offloading vservers' certificates if they have any. But most of the updated and normal web browsers contain these intermediate certificates themselves and therefore do not need the chain from NetScaler to verify the certificate.

Other clients might just have only the common root certificates and no intermediate certificates, and they will need the chain from the NetScaler to verify the certificate.

This is also why you might get different results on different versions of Outlook or different versions of OS.
 


Hi Ketil,

It worked and now they don't receive the certificate error anymore.

However, another issue came up. Seems like some users could not send emails using Outlook and Windows Live Mail. But the web page works just fine. Their emails just get stuck in the outbox. They can receive emails but not send. No error pops up, though. It's just that the send/receive status at the bottom does not move at all. Any idea what could be causing this?

Ivan
