
NetScaler - 2 Virtual Server and 1 StoreFront Store / SSLProxyHost and Certificate


Hello everyone,

I hope you can help me.

I have created two virtual servers with different FQDNs on my NetScaler, because one is for public access and one is for internal access. On my StoreFront system I want to have only a single store. So I have configured the two different gateways on the StoreFront and, under "Configure Remote Access Settings", selected the two created NetScaler Gateways with the option "No VPN Tunnel".

Example names of the virtual servers:
external: external.try.com
internal: internal.try.com

The external access works fine. My issue is the internal access and the ICA file, because under the entry "SSLProxyHost" it does not say "internal.try.com:433" but the same value as for the external access ("external.try.com:443"). When I start the connection manager from Citrix Workspace app and look at the properties of the launched application, I receive the certificate from the external access and not from the internal one.

Thanks in advance.

Kind regards


Just to confirm: you have two different gateway FQDNs on the same VPN vserver, directing traffic to a single StoreFront FQDN/store? (Or do you also have StoreFront behind two different access points?)

The challenge is that you have very few ways to distinguish external vs. internal access in this config.

Benefit of two stores: if you had the external gateway directing traffic to https://storefront.demo.com/Citrix/ExternalStoreWeb and the internal gateway going to /Citrix/internalStoreWeb, you might have more flexibility, as each store would only need to know a single gateway integration point. (If you had two gateways, it would also be easy to distinguish one from the other on a single store, as you could use a net profile to assign separate backend IPs or identify each VIP so StoreFront can tell which gateway the transaction originated from.)

So with one store and one gateway doing two types of access:

The problem you may be facing with two different gateways (externalgw vs. internalgw) going to the same StoreFront store /Citrix/StoreWeb is that there is no "easy" way for StoreFront to detect gateway 1 vs. gateway 2, as all traffic uses the SAME VIP and the same SNIP (or other alternate IP if a net profile is used), because there is only one VPN vserver. You would have to leave this "<blank>" in the gateway definition of both gateways. The "internal beacon" is only resolved by "internal" users on the internal network and cannot be resolved by external users; I think in this config you might have to use some other FQDN of an internal resource instead of the default StoreFront name. But try both ways to see.

Optimal gateway routing might have to be configured as well, but I'm not sure if it has a criterion that can be used in this case. Note that your "external" gateway should still be the default for "safety" if there is no way to distinguish one from the other.

So I would start by looking at the two gateways' configuration (on the StoreFront) and whether you did or didn't specify a VIP/SNIP or left it blank.

Reconfirm your beacon configuration and see if that is causing all traffic to be seen as "external" as opposed to being able to split external vs. internal.

Also, confirm your session policies on the gateway are properly filtered for external vs. internal networks.

I *think* it's doable, just challenging to guarantee the selection method; but two stores would make this "easier" to implement.

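A small check that goes with the thread's troubleshooting steps: before touching beacons or gateway definitions, confirm which gateway StoreFront actually wrote into the launch file. This is an added example, not code from the original posts or from Citrix. It parses an ICA file (INI-style text) and maps its `SSLProxyHost` onto the two gateway FQDNs named in the question; the sample ICA text, the STA address and the `check_launch` / `classify_gateway` helper names are constructed for this example.

```python
"""Report which NetScaler Gateway a StoreFront-generated ICA file points at.

The ICA text below is a constructed sample trimmed to the keys that matter
here; the STA address and ticket are placeholders. The gateway FQDNs are the
ones from the thread.
"""
import configparser
from typing import Dict, Optional, Tuple

# Constructed sample of a launch.ica as Workspace app would receive it.
SAMPLE_ICA = """\
[Encoding]
InputEncoding=UTF8

[WFClient]
Version=2
ClientName=WORKSTATION-01
ProxyType=Auto

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0123456789;PLACEHOLDER-STA-TICKET
SSLEnable=On
SSLProxyHost=external.try.com:443
InitialProgram=#Notepad
HTTPBrowserAddress=!
"""

# Gateway name -> FQDN, as described in the question.
GATEWAYS: Dict[str, str] = {
    "external": "external.try.com",
    "internal": "internal.try.com",
}


def parse_ica(text: str) -> configparser.ConfigParser:
    """Parse ICA text with configparser. Keys stay case-sensitive and ';' is
    kept inside values (the STA address uses it as a separator), so inline
    comment handling is switched off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=None)
    cp.optionxform = str  # keep "SSLProxyHost" exactly as written
    cp.read_string(text)
    return cp


def ssl_proxy_host(cp: configparser.ConfigParser) -> Optional[Tuple[str, int]]:
    """Return (host, port) from the first section carrying SSLProxyHost, or
    None when the launch is not proxied through a gateway at all."""
    for section in cp.sections():
        if cp.has_option(section, "SSLProxyHost"):
            value = cp.get(section, "SSLProxyHost").strip()
            host, sep, port = value.rpartition(":")
            if not sep:                 # no explicit port: ICA defaults to 443
                return value, 443
            return host, int(port)
    return None


def classify_gateway(cp: configparser.ConfigParser,
                     gateways: Dict[str, str]) -> Dict[str, object]:
    """Map the ICA's SSLProxyHost onto a known gateway name. 'unknown' means
    StoreFront handed out a proxy host that is none of the expected VIPs."""
    target = ssl_proxy_host(cp)
    if target is None:
        return {"proxied": False, "gateway": None, "host": None, "port": None}
    host, port = target
    name = next((n for n, fqdn in gateways.items()
                 if fqdn.lower() == host.lower()), "unknown")
    return {"proxied": True, "gateway": name, "host": host, "port": port}


def check_launch(ica_text: str, expected_gateway: str,
                 gateways: Dict[str, str] = GATEWAYS) -> Dict[str, object]:
    """Compare the gateway written into the ICA with the one this client
    should have been routed through (e.g. 'internal' for a LAN user)."""
    result = classify_gateway(parse_ica(ica_text), gateways)
    result["expected"] = expected_gateway
    result["ok"] = result["gateway"] == expected_gateway
    return result


if __name__ == "__main__":
    # An internal user whose launch file still names the external gateway:
    # this is the symptom from the question, reproduced on the sample text.
    print(check_launch(SAMPLE_ICA, expected_gateway="internal"))
```

Run it against a saved launch.ica from an internal client (Workspace app keeps the file briefly; saving it from the web store is the simplest way to capture one): if `gateway` comes back `external` while `expected` is `internal`, StoreFront never distinguished the two gateways, which points at the beacon or gateway VIP/SNIP settings rather than at the certificate bound on the internal vserver.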
