
DDC Load Balance


Manoj Rana


Hi All,

 

I am trying to load balance my DDCs.

 

Using LB from StoreFront to DDC, securing XML on 443, but it seems not to be working. Checking the StoreFront event log, I see this:

 

An SSL connection could not be established: None of the SSL cipher suites offered TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 were accepted by the server.. This message was reported from the Citrix XML Service at address https://DNSname of LB /scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services

 

Using the SSL bridge or direct server name it is working.

Anyone know how to fix the SSL cipher suites issue?

 

Thanks

Manoj

 


  • 4 weeks later...
  • 1 year later...

I am facing an issue with application enumeration on a Server 2019 Delivery Controller with StoreFront installed on Server 2012 R2. I got the same event in SF, but for "ECDHE" cipher suites. Is there a known issue with SF on 2012 OS and DC on 2019 causing app/desktop enumeration issues?

 

I have a standalone SF with no NS. In such a case, do I need to update the SSL order GPO on the 2019 Delivery Controller? Did someone try it or face similar issues? Please share your thoughts.


  • 2 weeks later...

The above issue seems to be a known issue as per the Citrix eDocs: https://docs.citrix.com/en-us/storefront/1912-ltsr/known-issues.html

~~~~

 

Applications in a StoreFront store fail to enumerate and launch and an SSL connection error is reported. This issue occurs if the delivery controller is installed on Windows Server 2016 or Windows Server 2019, and StoreFront is installed on Windows Server 2012 R2. To resolve this issue, the cipher suite order list must include the TLS_ECDHE_* cipher suites and these cipher suites must precede any other cipher suites. [LCM-9305]

 

Applications in a StoreFront store fail to enumerate and launch, and an SSL connection error is reported. It happens if you use the Citrix ADC load balancing feature to distribute the load to the delivery controller servers. And StoreFront is using HTTPS to communicate with the load balancing delivery controller services. To resolve this issue, the cipher suite order list on Citrix ADC must include only the TLS_ECDHE_* cipher suites. If you have assigned a delivery controller server as STA Server in Citrix ADC or StoreFront which is outside your site, the cipher suite order list on StoreFront must also include the TLS_ECDHE_* cipher suites AND these cipher suites must precede any other cipher suites. [LCM-9308]

~~~~

 

As per the above note, [LCM-9308] is not applicable for me, as I am not load balancing the DC, so there is no need for me to update the ciphers (TLS_ECDHE_*) in Citrix ADC.

 

In my case it's enough to update the local group policy (SSL Cipher Order) on the StoreFront (Win 2012 R2) and Delivery Controller (Win 2019) servers.

 

Custom ciphers to be added to the specific server's Local Group Policy:

 

Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order > Enable

 

~~~~

TLS_ECDHE_*,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE*,TLS_RSA*

~~~~

 

 

Note: Once you enable the policy, there is a character limit set. You won't be able to add custom ciphers, so I modified the ciphers with wildcards to accommodate the default and my custom ciphers. Apply the policy, reboot the server and make sure the custom policy has all the required servers. If any of the ciphers are clipped due to the character limit, you won't be able to RDP to the servers. I faced the issue; that's the reason I used wildcards. Please refer to the above cipher list.
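A pre-flight check for the policy string before it goes into the GPO, covering both the opening post's event-log failure and the wildcard list above. This is an added example, not code from the thread or from Citrix: it validates a comma-separated SSL Cipher Suite Order value against the three things discussed here, namely the policy text box's 1023-character limit (Windows clips anything beyond it, which is the RDP lockout described above), ECDHE suites preceding every other suite (the LCM-9305 requirement), and whether each suite StoreFront offered in the event log is covered by some entry, wildcards included. The sample policy strings are constructed inputs, and treating the `_P256`/`_P384` curve suffix that Windows Server 2012 R2 appends to ECDHE suite names as equivalent to the suffix-less name used by newer Windows is an assumption made for the comparison.

```python
"""Pre-flight checks for a Windows 'SSL Cipher Suite Order' policy string.

Added example, not from the thread. Validates the comma-separated list you
would paste into Computer Configuration > Administrative Templates > Network
> SSL Configuration Settings > SSL Cipher Suite Order.
"""
import re
from fnmatch import fnmatchcase

POLICY_MAX_LEN = 1023  # limit of the SSL Cipher Suite Order policy text box

# The six suites StoreFront offered, copied from the event-log message in
# the opening post (newer Windows naming, no curve suffix).
STOREFRONT_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Assumption: Server 2012 R2 names ECDHE suites with a curve suffix
# (_P256/_P384); later versions drop it. Strip it so both spellings compare.
_CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")

# Constructed sample: wildcard-led order in the spirit of the post above,
# ECDHE first, then DHE and RSA fallbacks.
GOOD_ORDER = "TLS_ECDHE_*,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE*,TLS_RSA*"

# Constructed sample of the failing shape: an RSA-key-exchange suite listed
# ahead of the ECDHE suites, the ordering LCM-9305 says breaks enumeration.
BAD_ORDER = (
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256"
)


def parse_order(policy: str) -> list:
    """Split the policy value into its entries, ignoring blanks."""
    return [e.strip() for e in policy.split(",") if e.strip()]


def entry_matches(entry: str, suite: str) -> bool:
    """True if a policy entry (literal or wildcard) covers the given suite."""
    base = _CURVE_SUFFIX.sub("", entry)
    return fnmatchcase(suite, base) or fnmatchcase(suite, entry)


def check_policy(policy: str, offered=STOREFRONT_OFFERED) -> dict:
    """Return entry count, length, findings and the offered suites left uncovered."""
    entries = parse_order(policy)
    findings = []

    if len(policy) > POLICY_MAX_LEN:
        findings.append(
            f"policy is {len(policy)} characters, over the {POLICY_MAX_LEN} "
            "limit: trailing suites will be clipped"
        )

    ecdhe = [i for i, e in enumerate(entries) if e.startswith("TLS_ECDHE_")]
    if not ecdhe:
        findings.append("no TLS_ECDHE_ suites: StoreFront will report the SSL connection error")
    else:
        first_other = next(
            (i for i, e in enumerate(entries) if not e.startswith("TLS_ECDHE_")), None
        )
        if first_other is not None and first_other < max(ecdhe):
            findings.append(
                f"'{entries[first_other]}' at position {first_other + 1} precedes an "
                "ECDHE suite: ECDHE suites must come first"
            )

    seen = set()
    for e in entries:
        if e in seen:
            findings.append(f"duplicate entry '{e}'")
        seen.add(e)

    unmatched = [s for s in offered if not any(entry_matches(e, s) for e in entries)]
    for s in unmatched:
        findings.append(f"offered suite {s} is not enabled by any entry")

    return {
        "entries": len(entries),
        "length": len(policy),
        "findings": findings,
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    for label, policy in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        result = check_policy(policy)
        print(f"{label}: {result['entries']} entries, {result['length']} chars")
        for f in result["findings"] or ["no findings"]:
            print("  -", f)
```

Run it against the exact string you intend to paste into the policy; the length check is the one that matters most, since a clipped list fails silently and only shows up as the next RDP attempt being refused.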


I would like to share some info from the above change of adding the ciphers to SF and DC.

 

1. As expected, after upgrading to CU5 and adding the ciphers, apps and desktops on the Server 2019 Delivery Controller started showing. Enumeration was working as expected.

2. It was not a smooth experience post the change. Users had to either reset Citrix Workspace App or clear the browser cache on their endpoint device to connect back to the Citrix session, be it a new or existing session. Without that, if a user tries to log in, they will see only a white/blank screen. I suspect this may be due to the new ciphers updated in SF and DC; because of that, the old ciphers on the endpoint didn't establish a session, and it started working post reset/cache refresh once the endpoint devices updated with the new ciphers.

 

The above issue was not documented in eDocs under the known or fixed issues sections. I really had a tough time post the change.

