NetScaler ADC 12.1 - got an A+ on SSL Labs and broke everything

Matthew Weiner

So, as the topic says - I managed to blow up my NetScaler gateway in the process of trying to fix up TLS and make the Windows Workspace app not hate my setup and fail out with errors. However, in return for my efforts I get "cannot complete request" and can't log in. Rolling back all the changes restores my functionality with HTML5 and Chrome OS, etc. but at the expense of the Workspace app. I have no idea what's wrong, just that it fails out with "cannot complete request" if I put on Diffie-Hellman, ECC curves, and all the modern TLS stuff that pleases the security checks (and the Windows Workspace app, which seems to want ECDHE as well). I can only suspect that it has something to do with talking to my Server 2016 StoreFront cluster and IIS's oh so friendly TLS implementations, but I can't find anything in the logs to correlate this theory. I'm running the latest StoreFront 1912 LTSR on Server 2016, so it ought to be compatible with TLS 1.2, etc. I'm using HTTP for my STA servers and at no point did they go down. As soon as I rolled off the TLS changes it picked right up and ran again, and I can't find anything in the logs to say exactly where to look at what could be causing this.


I plan on opening a support case tomorrow morning but figured I'd solicit the advice of some of the people who have "been there, done that" here in the forums.  Any help would be much appreciated.

Does the "Cannot complete your Request" come from StoreFront? Is there anything in the event log of StoreFront indicating that StoreFront is not able to reach the Citrix Gateway?


My first guess would be that StoreFront cannot establish an SSL connection to the Citrix Gateway and therefore cannot process the request. Maybe try to reach the Citrix Gateway from StoreFront; does this work?


Best Regards,
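
The reachability check suggested in the reply above, as an added example that is not part of the original thread: run from the StoreFront server, it attempts a TLS handshake to the gateway with each protocol version and lists the ECDHE suites Schannel has enabled locally, so a protocol or cipher mismatch can be told apart from a certificate trust failure. `gateway.example.com` and the function name `Test-TlsHandshake` are placeholders chosen for this example.

```powershell
# Added example; run in Windows PowerShell on the StoreFront server.
param(
    [string]$GatewayHost = 'gateway.example.com',  # placeholder: gateway / callback FQDN
    [int]$Port = 443
)

function Test-TlsHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default certificate validation is left on, so an untrusted or
        # mismatched gateway certificate shows up as a handshake error too.
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            [pscustomobject]@{
                Protocol = $Protocol
                Success  = $true
                Cipher   = $ssl.CipherAlgorithm
                Detail   = $ssl.RemoteCertificate.Subject
            }
        } finally {
            $ssl.Dispose()
        }
    } catch {
        # The innermost exception message distinguishes "no common algorithm"
        # style failures from certificate validation failures.
        [pscustomobject]@{
            Protocol = $Protocol
            Success  = $false
            Cipher   = $null
            Detail   = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-TlsHandshake -HostName $GatewayHost -Port $Port -Protocol $_ } |
    Format-Table -AutoSize -Wrap

# ECDHE suites enabled in Schannel on this server; at least one must also be
# in the cipher group bound to the gateway virtual server.
Get-TlsCipherSuite | Where-Object Name -like '*ECDHE*' | Select-Object -ExpandProperty Name
```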

