Jump to content
Welcome to our new Citrix community!

Net Profiles on Citrix Gateway not working


Jens Ostkamp

Recommended Posts

Hey everyone,

 

im having difficulties telling my NetScaler to use a specific SNIP for all traffic for one vServer on my Gateway.

Background is, that I want to separate service communication with different SNIPs (for example, SNIP-exchange, SNIP-Citrix, SNIP-Radius etc.). This works well for each service, only when i bind my net profile to Citrix Gateway vServer it just gets ignored and acts like no net profile at all is bound (round robin from all SNIPs).

I could workaround that by adding a LB vServer (even tho just one SF / DDC exists) with StoreFront server behind it and bind the net profile to this LB vServer/service. Problem is - STA communication (and i guess worker communication as well, but i didnt get that far to test it) is not easily done this way, as STA will fail when i target it to a LB vServer and my StoreFront Gateway configuration aren't pointing to these exact same LBs (which I obviously want to avoid as it creates a weird network route for STAs).

 

So - did I do/think something wrong implementing net profiles on my Gateway or is it a known bug? 

 

Thank you very much in advance for any help! :)

 

Best regards

 

Link to comment
Share on other sites

Hello,

 

Netprofile won't work for dynamically generated services (like STA, nor SF monitor). I've opened an enhancement already for this purpose. As a workaround for STA and other dynamically generated services you could bind the netprofile to those monitors directly and it will be used at that point. Downside of this approach is if you have multiple Gateways on the same appliance all will use the same netprofile for those monitors as configured before.

 

Thanks

  • Like 1
Link to comment
Share on other sites

20 minutes ago, Roman Dario Lemes Gonzalez said:

Hello,

 

Netprofile won't work for dynamically generated services (like STA, nor SF monitor). I've opened an enhancement already for this purpose. As a workaround for STA and other dynamically generated services you could bind the netprofile to those monitors directly and it will be used at that point. Downside of this approach is if you have multiple Gateways on the same appliance all will use the same netprofile for those monitors as configured before.

 

Thanks

Hey,

 

thank you very much for your response!

So, if i bind that netprofile to the monitor - will only the monitor use the dedicated SNIP? Because as soon as a user connects over Gateway, there will be traffic to STA, SF, Worker for that user and if, i need to ensure that ALL traffic goes over that one SNIP to these three backends, since my client wants to separate firewall policies by services (hence regarding the different SNIPs).

 

Thank you for your support!

 

Best regards

Link to comment
Share on other sites

21 minutes ago, Roman Dario Lemes Gonzalez said:

Traffic from NSGW to STA should use Netprofile bound to VPN Gateway, only monitor traffic is the one will not honor this. If this is not the case, open a case with Citrix Support. What version are u running? 13.0.64.x should work good.

 

Thanks

Hey,

 

i am using latest 12.1 build. Should work with that aswell i guess?

 I will be doing some tests regarding your feedback, maybe i saw the monitor packets in my packet trace.

What is about the ICA traffic to worker server?

 

thanks again!

Link to comment
Share on other sites

  • 1 year later...
On 10/6/2020 at 4:04 PM, Roman Dario Lemes Gonzalez said:

Traffic from NSGW to STA should use Netprofile bound to VPN Gateway, only monitor traffic is the one will not honor this. If this is not the case, open a case with Citrix Support. What version are u running? 13.0.64.x should work good.

 

Thanks

Hello Roman,

 

are you able to give some details about ICA Traffic? Is NetProfile working to separate different Citrix Gateway vServer for different SNIP 2598 Usage to Citrix VDA on Backend? If so, starting with which firmare?

 

Thank you so much

Best Regards

Julian

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...