Jump to content
Welcome to our new Citrix community!

Cannot start xenapp application using HTML5 through netscaler gateway

Recommended Posts

I have setup an environment with Xenapp and Netscaler Gateway.

When I connect to the storefront of the Xenapp server (internally) everything works fine through http..

when using https I get the message "Citrix cannot create a secure connection in this browser"


Googling around I have found that I have to use a Netscaler Gateway for the websockets through https

I configured the netscaler gateway and connecting through this gateway I get the same errormessage.


Can't find any policy or setting to use secure websockets i.o. regular websockets....

Link to comment
Share on other sites

Is StoreFront configured to send internal connections through a Gateway? You can do a traditional Gateway deployment of having users authenticate through a Gateway. Or you can configure HDX Optimal Routing for Direct StoreFront connections.


If not, then it's still trying to go directly to the VDA. In that case, you need SSL certs on your VDAs. http://www.carlstalhood.com/virtual-delivery-agent-vda-7-12/#sslvda

  • Like 1
Link to comment
Share on other sites

Yes. I have configured Storefront to send all connections through a gateway.

I also enabled VDA SSL on the VDA's but that didn't make any difference. It looks like the netscaler gateway is trying to connect with "normal" websockets through https instead of secure websockets and I can't figure out where I can change the setting for this.

Link to comment
Share on other sites

Thank you for your respons.


Yes I have have checked that and communication over port 8008 is possible.

It looks like it tries to communicate with websockets instead of secure websockets over port 8008 and hence causing the webbrowser to block the communication because websockets over https is not allowed for security reasons.


To be sure that the firewall is not in the way, I have set a any <-> any allow rule between the netscaler in the DMZ and the internal network on all netscaler IP addresses but I still get the same result.

Link to comment
Share on other sites

  • 3 weeks later...
  • 2 weeks later...

After several reinstalls and reconfigurations it came out that my server certificate is not working well with TLS 1.2

After reinstalling the netscaler and storefront server for the fifth time I have set the connection netscaler to storefront to HTTP and also changed the STA to HTTP. After this settings everything works fine.


Still trying to get all communications to HTTPS but I guess we need another type of wildcard certificate to do that.


Thank you all for your support !

  • Like 1
Link to comment
Share on other sites

There are known issues with SF3 and Netscaler when using TLS 1.2 for the connection between NS and SF. (These are to do with the way Microsoft interpreted the specs!)


I believe that this may be fixed in the latest release. Alternatively, just disable tls1.2 on the backend connection.

  • Like 2
Link to comment
Share on other sites

  • 2 years later...

I am currently faced with this same issue internally in my secure end to end test deployment.  The entire Citrix stack uses TLS 1.2 connections enforced between all Citrix Components and all legacy versions disabled in Windows and Citrix Gateway. 

Working = Direct Connections to StoreFront using either HTML5 or Citrix Receiver Launcher (protocol handler) launch methods.
This proves my TLS enabled VDAs are configured correctly otherwise the HTML5 launches would fail when logging into StoreFront directly.

Failing = Launches using both HTML5 and Citrix Receiver Launcher when the connection to the VDA is proxied through a Citrix 13.0 Gateway.  Both 2016 and Win10 VDA launches fail in the same way.  I know it is not necessary to ever use HTTP StoreFront deployments as a work around for this.  I also strongly recommend against it for a lot of reasons as it creates many more problems than it solves.  Workspace App will simply refuse to connect to those Stores internally and client detection in Receiver for Web will not work.  Disabling the TLS connection to the VDA is one viable workaround but this is undesirable if you want direct connections to StoreFront to work.  Using Optimal Gateway Routing/On Direct Access Enabled to ensure all launches pass through a Gateway even if the user authenticates via StoreFront directly is one way to allow HTML5 internally but I prefer TLS enabled VDAs to solve this.    

I have narrowed down the problem of the failing Gateway launches to be TLS handshake failure via nstrace and wireshark between the Citrix Gateway SNIP and the TLS enabled VDAs .  I have tried experimenting with disabling TLS 1.0 and TLS 1.1 on the Gateway vServer, modifying the default BackEnd SSL profile and different Cipher Suite ordering bound to the BackEnd profile but I still have not succeeded in solving this.  I am determined to prove this can be made to work without compromising in any way.  

I am still investigating in my own test environment and will post the solution if I resolve the issue.  I suspect others on this forum may also be affected by this issue if they use TLS enabled VDAs as I do. 

Mark Dear
Citrix Workspace and On Prem StoreFront Customer Quality Engineer

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...