
SSLVPN - No DFS access, connecting to SSL services shaky.


Hi Guys,

Have implemented NetScaler Gateway SSL VPN.

Two MAJOR issues right off the bat.

1. While connected, I cannot resolve my internal domain's base FQDN, and cannot connect to DFS shares where the path is based off the base FQDN, i.e. \\domainfqdn\data

  • The session profile > network configuration > DNS virtual server is set to a local load balancing vServer with our DNS servers.
  • Intranet IP DNS suffix is set to our domain suffix.
  • I can resolve hostnames of internal services, I can resolve DNS for public services, I cannot resolve our FQDN.
  • I added some A records to our NetScaler with our FQDN
    • This lets me resolve the FQDN to a domain controller.
    • However, it hasn't resolved my ability to connect to DFS shares.
    • Also, I cannot connect to \\domainfqdn\netlogon

2. When connected to the VPN, I cannot connect to SSL-based websites.

  • This ended up being resolved by selecting the default HTTP profile instead of the strict validation HTTP profile on the VPN vServer.

Does anyone have any ideas regarding the DFS access?

Note: I am connecting to the VPN from a non-domain machine (if this is relevant?). Also, we have not made any changes to Sites and Services in relation to the NetScaler VPN Client Intranet IP ranges (is this recommended?)


Hi Joe,

Sorry, I did not mention, Split Tunnel is set to OFF.

I ran Wireshark on the Gateway and decrypted the session.

On the client, when I attempt to map a drive or connect via the folder explorer to the DFS share, I am being prompted for a credential (this is being generated by the NetScaler, not the file server). Entering a valid credential (either domain\ or straight username) fails and I am prompted again.

Assume I am trying to access a home drive on my DFS at path \\mydomain.internal\folder1\folder2\myname

Decrypted exchange from the capture:

OPTIONS http://mydomain.internal/ HTTP/1.1
Proxy-Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.15063
translate: f
Host: mydomain.internal
Proxy-Authorization: NTLM **********************************************
Cookie: BCSI-CS-1a5ad14970e5548b=2

HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM *********************************
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Set-Cookie: BCSI-CS-1a5ad14970e5548b=2; Path=/
Connection: Keep-Alive
Content-Length: 938

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big>Access Denied (authentication_failed)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>

OPTIONS http://mydomain.internal/ HTTP/1.1
Proxy-Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.15063
translate: f
Host: downergroup.internal
Proxy-Authorization: NTLM *********************************

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
DAV: 1,2,3
MS-Author-Via: DAV
X-Powered-By: ASP.NET
Date: Thu, 04 May 2017 22:58:01 GMT
Content-Length: 0
Proxy-Connection: Keep-Alive
Connection: Keep-Alive

PROPFIND http://mydomain.internal/folder1/folder2/myname HTTP/1.1
Proxy-Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.15063
translate: f
Host: downergroup.internal
Cookie: BCSI-CS-1a5ad14970e5548b=2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 04 May 2017 22:58:01 GMT
Content-Length: 1245
Proxy-Connection: Keep-Alive
Connection: Keep-Alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

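Added example, not part of the original thread or of any Citrix tooling. The decrypted capture above shows the client talking to the DFS root with the WebDAV MiniRedir over HTTP through a proxy (absolute URI, Proxy-Connection, 407 Proxy Authentication Required), which is the provider Windows falls back to when the SMB attempt over TCP/445 does not succeed. The first post separately describes the DNS pieces (DNS vServer in the session profile, intranet IP DNS suffix, A records for the base FQDN). The PowerShell below, run on the VPN client, checks each prerequisite for \\<domain>\share in turn so the failure can be pinned to DNS, DC location, or SMB reachability through the tunnel, and reports whether the WebClient service is present to perform that HTTP fallback. The domain name and DNS server address are hypothetical placeholders; substitute the real base FQDN and the DNS vServer IP handed out by the session profile.

```powershell
# Added example (not from the original thread). Client-side prerequisite check for
# \\<domain-fqdn>\share over a NetScaler Gateway full tunnel:
#   1. the domain's base FQDN resolves (A records) via the tunnel's DNS server,
#   2. a domain controller is discoverable via the _ldap._tcp.dc._msdcs SRV record,
#   3. TCP/445 (SMB) to those DCs is reachable through the tunnel,
#   4. whether the WebClient service is running (if SMB fails, Windows retries the UNC
#      path over HTTP with the WebDAV MiniRedir, which is the OPTIONS/PROPFIND traffic
#      seen in the capture).
# Assumed values (hypothetical): $Domain is the AD base FQDN, $DnsServer is the
# DNS vServer IP from the NetScaler session profile.
param(
    [string]$Domain    = 'mydomain.internal',
    [string]$DnsServer = '10.0.0.53'
)

function Test-DfsPathPrereqs {
    param([string]$Domain, [string]$DnsServer)

    $result = [ordered]@{}

    # 1. Base FQDN must resolve; without an A record \\domain\share cannot even start.
    try {
        $a = Resolve-DnsName -Name $Domain -Type A -Server $DnsServer -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'A' }
        $result.DomainA = @($a | ForEach-Object { $_.IPAddress })
    } catch {
        $result.DomainA = @()
    }

    # 2. DC locator: clients use this SRV record to find a DC for the DFS root referral.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.QueryType -eq 'SRV' }
        $result.DcSrv = @($srv | ForEach-Object { $_.NameTarget })
    } catch {
        $result.DcSrv = @()
    }

    # 3. SMB reachability: DFS referrals and \netlogon are fetched over TCP/445 to a DC.
    $result.Smb445 = @(foreach ($dc in $result.DcSrv) {
        $t = Test-NetConnection -ComputerName $dc -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{ Dc = $dc; Port445 = $t.TcpTestSucceeded }
    })

    # 4. If WebClient is running, a failed SMB attempt silently retries over HTTP and
    #    goes wherever the tunnel routes port 80 (a proxy, in the capture above).
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $result.WebClientRunning = [bool]($svc -and $svc.Status -eq 'Running')

    [pscustomobject]$result
}

$r = Test-DfsPathPrereqs -Domain $Domain -DnsServer $DnsServer
$r | Format-List

if ($r.DomainA.Count -eq 0) {
    Write-Warning "No A record for $Domain via $DnsServer; the DNS vServer is not returning the base FQDN."
}
if ($r.DcSrv.Count -eq 0) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV record; DC locator will fail and no DFS referral can be obtained."
}
foreach ($s in $r.Smb445) {
    if (-not $s.Port445) {
        Write-Warning "TCP/445 to $($s.Dc) is not reachable through the tunnel; expect WebDAV fallback over HTTP."
    }
}

# Final functional test: listing \\domain\netlogon needs DNS, DC locator and SMB all working.
try {
    Get-ChildItem -Path "\\$Domain\netlogon" -ErrorAction Stop | Select-Object -First 3
} catch {
    Write-Warning "\\$Domain\netlogon failed: $($_.Exception.Message)"
}
```

Run it from the connected VPN client with the real domain and DNS vServer address. A pass on the A and SRV lookups but a failed 445 test points at the tunnel or intranet IP routing rather than at DNS; a credential prompt that appears while WebClient is running and 445 is blocked is the HTTP proxy's 407, not the file server, which matches the capture in the post above.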
