
DTLS + Content Switching + Gateway vServer (Not working, dropping to TLS1.2)


Hello.

I have a content switching vserver that is handling a Citrix Gateway, and DTLS is not working.

I have confirmed by creating a secondary Citrix Gateway vServer, using the same configuration but with its own VIP, that DTLS works through the NetScaler (by using a HOSTS file). However, if I use the Content Switching vServer, I can successfully connect to my XenDesktop VDA, but only with TLSv1.2. If I make changes to the SSL parameters on the CGVS, it doesn't seem to affect anything; if I change them on the content switching vserver then of course it takes effect.

It looks to me that since DTLS is not a parameter on the CS vserver, it's dropping to TLSv1.2. I can't find much online; most say it's supported, but there are no definitive items listed, and other than a few obscure discussion posts I can't find much else.

https://discussions.citrix.com/topic/393834-content-switch-dtls/

Notes on the setup:

CS_VS

  • Type: SSL
  • IP: X.1.X.51
  • Policy Bind
    • CSP_XD
  • SSL: wildcard*.internal.network

CSA_XD

  • Type: NetScaler Gateway Virtual Server
  • Virtual Server: CGSV_XD

CSP_XD

  • Action: CSA_XD
  • Expression: HTTP.REQ.HOSTNAME.EQ("citrix.internal.network")

CGSV_XD

  • Type: SSL
  • IP: NONADDRESSABLE
  • DTLS: Enabled
  • SSL: wildcard*.internal.network
  • STA: storefront.internal.network

So my first reaction was that you would need a CS vserver for DTLS... except that doesn't apparently exist.

So then my next question: does Unified Gateway support DTLS/EDT? According to this list it does: https://docs.citrix.com/en-us/netscaler-gateway/12/hdx-enlightened-data-transport-support/configuring-netscaler-gateway.html

But regarding the parameters, that makes sense. The CS vserver is the actual IP:PORT listener/entry point for traffic; the gateway is the internal entity. So most of your SSL settings/profiles/parameters need to be set on both the CS vserver and the vpn vserver to be effective.

So assuming it is supported, did you enable DTLS before or after you bound the SSL cert to the vpn vserver?

If after, unbind and rebind the cert so it attaches to both the DTLS and SSL listeners. If you have the cert bound first, and turn DTLS on second, you're not really attached to the DTLS.

If this isn't the problem, see what a trace says and maybe compare to the separate vpn vserver.

At that point it may need support, or hopefully an engineer will stop by this thread with better information than I have.

Finally, be sure the client trusts the cert on the cs/vpn vservers. Otherwise your connections will fail.

Also, your STA shouldn't be StoreFront. Your STA points to your XenDesktop XML broker (controllers), unless you are co-locating the controllers with StoreFront.

Apologies if none of that was helpful.

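An added config-audit example, not part of the thread and not a Citrix tool: it parses an ns.conf-style excerpt constructed to mirror the setup in the first post (object names from the thread; the VIP and cert name are placeholders), follows CS vserver -> policy -> action -> Gateway vserver, and flags exactly the conditions this reply raises: DTLS off on the Gateway vserver, or the certificate missing or mismatched between the CS and Gateway listeners.

```python
import shlex

# Constructed ns.conf excerpt (names from the thread; VIP and cert name are placeholders).
NS_CONF = r"""
add cs vserver CS_VS SSL 192.0.2.51 443
add vpn vserver CGSV_XD SSL 0.0.0.0 0 -dtls ON
add cs action CSA_XD -targetVserver CGSV_XD
add cs policy CSP_XD -rule "HTTP.REQ.HOSTNAME.EQ(\"citrix.internal.network\")" -action CSA_XD
bind cs vserver CS_VS -policyName CSP_XD -priority 100
bind ssl vserver CS_VS -certkeyName wildcard_internal
bind ssl vserver CGSV_XD -certkeyName wildcard_internal
"""


def audit(conf):
    """Return findings for every Gateway (vpn) vserver reached through a CS vserver."""
    vpn, cs, actions, policies = {}, {}, {}, {}
    for line in conf.splitlines():
        tok = shlex.split(line)  # ns.conf lines are CLI commands; shlex handles the quoting
        if len(tok) < 4:
            continue
        head, name = tuple(tok[:3]), tok[3]
        opts = {tok[i]: tok[i + 1] for i in range(4, len(tok) - 1) if tok[i].startswith("-")}
        if head == ("add", "vpn", "vserver"):
            vpn[name] = {"dtls": opts.get("-dtls", "OFF").upper() == "ON", "certs": set()}
        elif head == ("add", "cs", "vserver"):
            cs[name] = {"certs": set(), "policies": []}
        elif head == ("add", "cs", "action"):
            actions[name] = opts.get("-targetVserver")
        elif head == ("add", "cs", "policy"):
            policies[name] = opts.get("-action")
        elif head == ("bind", "cs", "vserver") and "-policyName" in opts and name in cs:
            cs[name]["policies"].append(opts["-policyName"])
        elif head == ("bind", "ssl", "vserver") and "-certkeyName" in opts:
            if name in vpn or name in cs:  # cert may be bound on either listener
                (vpn if name in vpn else cs)[name]["certs"].add(opts["-certkeyName"])
    findings = []
    for cs_name, entry in cs.items():
        for pol in entry["policies"]:
            target = actions.get(policies.get(pol))
            if target not in vpn:
                continue  # this policy does not lead to a Gateway vserver
            gw = vpn[target]
            if not gw["dtls"]:
                findings.append(f"{target}: DTLS is OFF, EDT sessions will fall back to TLS")
            if not entry["certs"] or not gw["certs"]:
                findings.append(f"{cs_name}/{target}: certificate missing on one listener")
            elif entry["certs"] != gw["certs"]:
                findings.append(f"{cs_name}/{target}: certificate bindings differ")
    return findings
```

Run `audit()` over a real `show ns runningConfig` export after the unbind/rebind step to confirm both listeners carry the same certificate and the Gateway vserver still reports DTLS ON.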

1 hour ago, Rhonda Rowland1709152125 said:

So my first reaction was that you would need a CS vserver for DTLS... except that doesn't apparently exist.

So then my next question: does Unified Gateway support DTLS/EDT? According to this list it does: https://docs.citrix.com/en-us/netscaler-gateway/12/hdx-enlightened-data-transport-support/configuring-netscaler-gateway.html

But regarding the parameters, that makes sense. The CS vserver is the actual IP:PORT listener/entry point for traffic; the gateway is the internal entity. So most of your SSL settings/profiles/parameters need to be set on both the CS vserver and the vpn vserver to be effective.

So assuming it is supported, did you enable DTLS before or after you bound the SSL cert to the vpn vserver?

If after, unbind and rebind the cert so it attaches to both the DTLS and SSL listeners. If you have the cert bound first, and turn DTLS on second, you're not really attached to the DTLS.

If this isn't the problem, see what a trace says and maybe compare to the separate vpn vserver.

At that point it may need support, or hopefully an engineer will stop by this thread with better information than I have.

Finally, be sure the client trusts the cert on the cs/vpn vservers. Otherwise your connections will fail.

Also, your STA shouldn't be StoreFront. Your STA points to your XenDesktop XML broker (controllers), unless you are co-locating the controllers with StoreFront.

Apologies if none of that was helpful.


Thanks, I'll take a look at a trace and see what the difference between the two is. I also thought myself, the first go around, that the certificate was the issue, so I unbound/rebound the certificate after enabling DTLS. However, I only did it on the VPN vserver side; I'll redo it on the CS VS just in case.

Connections do work through the CS VS, then to the VPN VS, then on to XD; it just doesn't use DTLS, only TLSv1.2. If I disable that SSL type on the CS VS, the whole thing does fail, so I do know from that standpoint that the CS VS seems to be the one handling the SSL parameters.

I do find it odd that it says it's supported, but the CS VS doesn't have the SSL type for DTLS. I imagine it's handing it through, but I'm not seeing it.

Also, my apologies, the StoreFront server is also the delivery controller/license server; it's a single all-in-one box for testing purposes right now, so I just used that URL since I have internal traffic using that URL as well.


I figured on the StoreFront side that was the case, but was double checking.

Which version of NS are you running? Some versions had different issues than others.

And for completeness, in case an engineer knows something: which version of XenDesktop (CVAD) and Citrix Receiver/Workspace App are in use?

Since DTLS was enabled, double check the AppFlow and ULFD settings, as in the 12.0 releases certain combinations would prevent EDT from working as well.

(They might need to be disabled.)

And confirm the firewalls allow UDP traffic.

One article on a specific bug fixed in specific versions: https://support.citrix.com/article/CTX226014
