Jump to content
Welcome to our new Citrix community!
  • 1

Netscaler connecting directly to VDA


Question

I am having an issue connecting to my XenApp apps and desktops. When I attempt to connect using HTML5 receiver, web access on the Android app, or Workspace on iPad, it is trying to websock connect me direct to the VDA. For obvious reasons, this does not work. I am not sure where I went wrong however. I am including a log from my attempt to access from a Chromium based browser on my phone.

 

NS Version: NS12.1 49.23.nc

XenApp: 7.15 LTSR CU2

HTML5 Receiver: 18.9.1.4047

 

Any guidance is greatly appreciated!

Link to comment

11 answers to this question

Recommended Posts

  • 1

If you use a web browser to connect to a Gateway, then the ICA connection should also use the Gateway, including SSL proxy of WebSockets. This happens automatically with no special configuration needed anywhere.

 

Workspace app uses beacons and might switch the ICA connection to internal instead of through Gateway.

 

Maybe your Gateway (ADC) doesn't have firewall open to the VDAs hosting the published desktop.

  • Like 1
Link to comment
  • 0
55 minutes ago, BART JACOBS1709152229 said:

I think this may guide you:

 

https://support.citrix.com/article/CTX223503

 

I did try that, the outcome was the same. The websocket connection attempt is directly to the VDA though. It is my understanding this is why we need Netscaler, so we do make a direct connection like that. That article doesn't even work for internal access anymore with the big push by the browsers for everything to be publicly signed SSL.

 

I was attempting to use the guided XenApp and XenDesktop setup, but I made a copy of my config. I will swap it back and make sure that setting was checked.

Link to comment
  • 0

Websocket is on for my HTTP profile. So the log that I attached would be with the config from the article you suggested.

 

A little more background, HTML5 used to work internally. It suddenly stopped around the time Google changed Chrome to not allow the "proceed anyway" to deemed unsafe sites. I also accidentally allowed the cert that was in use on the VDAs to lapse, but that has been remedied and it still doesn't work. It does sort of work on the iPad's which for web interface it seems. You just have to add our internal CA as being trusted. I would like to not have to do this however by going through Netscaler.

Link to comment
  • 0
11 minutes ago, Carl Stalhood1709151912 said:

If your StoreFront URL is https (recommended), then WebSockets also must be https. The easy way to do that is to connect to a Citrix Gateway.

 

If you prefer to connect without a Gateway, then you'll need to install certificates on your VDAs. https://www.carlstalhood.com/virtual-delivery-agent-vda-7-15-ltsr/#sslvda

 

I used your guide back 2 years ago before we had our Netscaler gateway to set up https access to our VDAs internally. Now we want external access and have a gateway. Everything is https, sotrefront and gateway. I can connect to the gateway just fine and get the store, internal and external, using HTML5 or workspace. However when I launch my desktop it only works from workspace on PC and Android (internally, externally I get a different error which I will ask about once done with this) because they are both capable of not using a web interface.

 

Am I wrong in my assumption that the gateway is supposed to proxy my connection so I don't connect directly to the VDA? If I am, that means the only way to fix this is to buy a publicly issued wildcard cert for my VDAs. At that point the requirement for Netscaler externally is absurd.

Edited by JLeonard_1439
Added part in parenthesis.
Link to comment
  • 0
11 minutes ago, Carl Stalhood1709151912 said:

If you use a web browser to connect to a Gateway, then the ICA connection should also use the Gateway, including SSL proxy of WebSockets. This happens automatically with no special configuration needed anywhere.

 

Workspace app uses beacons and might switch the ICA connection to internal instead of through Gateway.

 

Maybe your Gateway (ADC) doesn't have firewall open to the VDAs hosting the published desktop.

 

I had considered the beacons. So I actually made the internal beacon something that doesn't exist in order to try to make it use the gateway no matter what. Then I have my gateway and ping.citrix.com as my external beacons which are always reachable.

 

Also I just noticed it appears my log did not attach to the first post? So I am attaching it to this post. The log is from external HTML5 access from my phone.

 

To the last point I am not aware that the ADC has a firewall, or do you mean having the ports open on our firewall for external access? I allowed the ports as outlined by Citrix.

 

I am going to try HTML5 access from storefront and see what the logs look like. I believe that is currently also not working.

XenApp Desktop $S1-2@^_1552069488877(1).log

Link to comment
  • 0
On 08/03/2019 at 7:19 PM, Jesse Leonard1709160747 said:

I am having an issue connecting to my XenApp apps and desktops. When I attempt to connect using HTML5 receiver, web access on the Android app, or Workspace on iPad, it is trying to websock connect me direct to the VDA. For obvious reasons, this does not work. I am not sure where I went wrong however. I am including a log from my attempt to access from a Chromium based browser on my phone.

 

NS Version: NS12.1 49.23.nc

XenApp: 7.15 LTSR CU2

HTML5 Receiver: 18.9.1.4047

 

Any guidance is greatly appreciated!

 

Do you see any errors on the VDA event log?

 

Link to comment
  • 0
On 3/11/2019 at 0:05 PM, Kishore Kunisetty said:

 

Do you see any errors on the VDA event log?

 

Not that I can see. The only error I have is Unexpected failure. Error code: 490@01010004, which looks to be unrelated. I am going to also check the Storefront server logs. I do not believe the error is happening on the VDA end however, I believe it is the browsers rejecting to connect due to connection to the local PC name.

 

I also see some errors about RFwin. Apparently I haven't installed the new workspace in the image. I am going to update and reprovision now for thoroughness.

Edited by JLeonard_1439
Added Info
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...