
EDT/DTLS not working through Gateway URL


Pushkar Misra


I have NetScaler VPX version 12.0.57.4. I enabled DTLS on the Gateway vserver and HDX, CGP, Session Reliability, etc. on the VDA servers, but cannot get the EDT/UDP traffic working for app launches.

When we bypass the NetScaler and go straight to the servers, the launch happens over UDP, but not when we use NetScaler Gateway.

We have DTLS enabled on the vserver.

We have CGP/Session Reliability and HDX enabled on the server side.

All the launches show up as TCP due to fallback when the UDP launch fails. I cannot see any UDP traffic in Wireshark. The ICA file does show UDP preferred.


1) Do all components meet the minimum versions for UDP/EDT to be supported? (Since you said it works direct, we'll assume YES... but you know what they say about assumptions.)

2) Do you have 443:UDP (DTLS) open on the external firewall to the gateway VIP AND 2598:UDP / 1494:UDP open from the SNIP to all VDAs? Use a trace to confirm, if necessary.

3) Did you enable the DTLS option in the VPN vserver (gateway) properties? It is located under the "Basic Settings > More" section of the VPN vserver properties.

In addition, if you created your VPN vserver, bound the SSL cert to it, and then enabled DTLS support (after the cert was bound), the cert essentially attaches to the TCP/SSL handler only and not to the DTLS handler. So your gateway looks like it's configured right, but it rejects all DTLS attempts, forcing the client to fall back to TCP/SSL-based communication. Again, a trace should show you whether the problem is at the firewall or at the gateway. To fix: be sure the DTLS setting is enabled and then unbind/rebind the cert so it attaches to both the SSL and DTLS handlers.


  • 1 month later...

Upgrade the ADC to the latest build; many improvements have been made to DTLS app streaming.

The latest build today for the 12.0 architecture is 63.xx.

Also, the latest builds of Workspace/Receiver use only one cipher for DTLS 1.0 streaming, which is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.

Workspace/Receiver also uses DTLS 1.2 with these three:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA


Make sure those TLS ciphers are bound to the Citrix Gateway.


Overview of the Crypto Kit updates in Citrix Workspace for Windows and Mac

https://support.citrix.com/article/CTX250104

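The two replies above both come down to the same question: is UDP/443 being dropped before the gateway, or is the gateway answering and then refusing the DTLS handshake (no cert on the DTLS handler, no usable cipher bound)? The script below is an added example for this thread, not code from any poster and not a Citrix or NetScaler tool. It hand-builds a DTLS ClientHello that offers exactly the suites the third reply lists (one for DTLS 1.0, three for DTLS 1.2), sends it to the gateway VIP, answers a HelloVerifyRequest cookie challenge if one comes back, and classifies the reply. It assumes the gateway behaves as a standard DTLS server on UDP/443 (silent drop when nothing listens, an Alert record on a failed handshake, a ServerHello when a suite is agreed); `gateway.example.com` is a placeholder hostname. The build and parse functions are pure and run offline; only `probe()` touches the network.

```python
"""Active DTLS probe for a Citrix Gateway VIP on UDP/443 (added example, not from the thread)."""
import os
import socket
import struct

DTLS_1_0 = 0xFEFF            # wire version for DTLS 1.0 (RFC 4347)
DTLS_1_2 = 0xFEFD            # wire version for DTLS 1.2 (RFC 6347)
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_HELLO_VERIFY_REQUEST = 3

# IANA suite IDs for the suites the thread says Workspace/Receiver offers per DTLS version.
SUITES = {
    DTLS_1_0: {"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013},
    DTLS_1_2: {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    },
}
SUITE_NAMES = {v: k for d in SUITES.values() for k, v in d.items()}


def build_client_hello(version, cookie=b"", seq=0, rnd=None):
    """Return one DTLS record carrying an unfragmented ClientHello for `version`."""
    rnd = rnd if rnd is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES[version].values())
    body = (struct.pack("!H", version) + rnd
            + b"\x00"                                     # session_id: empty
            + struct.pack("!B", len(cookie)) + cookie     # DTLS cookie (empty on first send)
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # compression_methods: null only
    # Handshake header: type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)
    hs = (struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big")
          + struct.pack("!H", seq) + b"\x00\x00\x00" + len(body).to_bytes(3, "big") + body)
    # Record header: type(1) version(2) epoch(2) sequence_number(6) length(2)
    return (struct.pack("!BHH", CONTENT_HANDSHAKE, version, 0)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(hs)) + hs)


def parse_response(data):
    """Classify the first DTLS record in a reply: (kind, detail)."""
    try:
        ctype, _version, _epoch = struct.unpack("!BHH", data[:5])
        length = struct.unpack("!H", data[11:13])[0]
        payload = data[13:13 + length]
        if ctype == CONTENT_ALERT and len(payload) >= 2:
            return ("alert", payload[1])              # alert description, e.g. 40 = handshake_failure
        if ctype == CONTENT_HANDSHAKE and payload:
            hs_type = payload[0]                      # 12-byte handshake header precedes the body
            if hs_type == HS_HELLO_VERIFY_REQUEST:    # body: server_version(2) cookie_len(1) cookie
                cookie_len = payload[14]
                return ("hello_verify_request", payload[15:15 + cookie_len])
            if hs_type == HS_SERVER_HELLO:            # body: version(2) random(32) sid_len(1) sid suite(2)
                sid_len = payload[46]
                off = 47 + sid_len
                return ("server_hello", struct.unpack("!H", payload[off:off + 2])[0])
        return ("unknown", ctype)
    except (IndexError, struct.error):
        return ("malformed", None)


def explain(kind, detail):
    """Map a probe outcome onto the troubleshooting branches discussed in the thread."""
    if kind == "timeout":
        return ("no DTLS reply: UDP/443 is dropped before the vserver or nothing is listening; "
                "check the external firewall and take a trace on the ADC")
    if kind == "alert":
        return ("DTLS reached the gateway but the handshake was refused (alert %d): check the DTLS "
                "flag, unbind/rebind the cert so the DTLS handler has it, and check bound ciphers" % detail)
    if kind == "server_hello":
        return "DTLS handshake proceeded; gateway chose %s" % SUITE_NAMES.get(detail, hex(detail))
    return "unexpected or malformed reply (%r)" % (detail,)


def probe(host, port=443, timeout=3.0, version=DTLS_1_2):
    """Send a ClientHello (answering a cookie challenge if issued) and classify the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_client_hello(version), (host, port))
        kind, detail = parse_response(sock.recv(4096))
        if kind == "hello_verify_request":
            sock.sendto(build_client_hello(version, cookie=detail, seq=1), (host, port))
            kind, detail = parse_response(sock.recv(4096))
    except socket.timeout:
        kind, detail = "timeout", None
    finally:
        sock.close()
    return kind, detail, explain(kind, detail)


if __name__ == "__main__":
    import sys
    gw = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"   # placeholder hostname
    for v in (DTLS_1_0, DTLS_1_2):
        print("DTLS %s:" % hex(v), *probe(gw, version=v))
```

Run it from the same network the Receiver launches from (`python3 dtls_probe.py gw.corp.example`), once for each DTLS version. A timeout on both versions points at the firewall or a missing DTLS listener; an alert points at the vserver itself (cert bound before DTLS was enabled, or none of the listed suites bound); a ServerHello naming one of the three suites means the gateway side is fine and the fallback to TCP is happening further along (for example on the 2598/1494 UDP path from the SNIP to the VDAs).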