
Can I have two different gateway configurations using the same STA and StoreFront servers?


Matt Cameron


I am trying to build a second Gateway on my Citrix VPX ADC. I have a working Gateway pointing to a single STA server and single StoreFront. This is working fine right now. I am trying to configure another gateway using a different public address and gateway address but the same wizard settings as the first, e.g. StoreFront server, STA server. (Referring to Configuration > XenApp and XenDesktop > Create New Gateway.)

 

When I get to the section about StoreFront, when I put in the same Secure Ticket Authority URL* as my working configuration and try to test it, I get DOWN when I try to test connectivity. I am to understand that this isn't a local firewall rule nor a problem with our DMZ rules, per our network admin. They don't see any dropped traffic to the STA server. I was asking them to monitor traffic from the new gateway address but that showed nothing. I think that the traffic is actually going to come from the SNIP address.

 

I read the article https://support.citrix.com/article/CTX132334 which should cover this but most of the troubleshooting is contradicted because the target server is alive in another Gateway configuration. So, am I not allowed to have 2 configurations using the same server?

 

NS12.1 60.16


Yes, you can have multiple gateways using the same StoreFront server(s) and STA servers.

However, you also need to create another NetScaler Instance on your StoreFront server(s) with the second FQDN.

BTW, it is *highly* recommended to have at least 2 StoreFront and DDCs (and STAs) in a production environment to remove any single point of failure.


12 hours ago, Sam Jacobs said:

However, you also need to create another NetScaler Instance on your StoreFront server(s) with the second FQDN.

I intend to. The plan was, once I vetted the config, that it does allow me to export a configuration file to import into StoreFront.

 

12 hours ago, Sam Jacobs said:

BTW, it is *highly* recommended to have at least 2 StoreFront and DDCs (and STAs) in a production environment to remove any single point of failure.

Understood.

 

So, basically, what I am doing is possible so I need to figure out why the test is failing. 


48 minutes ago, Sam Jacobs said:

I have defined multiple gateway vServers using the same StoreFront servers, DDCs and STAs many times.

I don't use the wizard, so I'm not sure if the wizard itself is messing you up when you try to allocate the second gateway.

 

I suppose I don't need to do it that way, but I have been since that is how I got the first one working. Also, that is the only supported way to import configuration into StoreFront. However, I could likely just import that manually as well using the other as a template.

 

I guess I need to figure out how to set up the gateway manually or at least verify what the wizard has done for me.


I found where I can add manual bindings for STA servers: Configuration > Citrix Gateway > Virtual Servers > select the one I am trying to create and scroll down to STA Servers.

Just a couple of boxes to enter address and IPv4/v6. Nothing I can do to "test" it in that location. It just insists it's down. For fun I unbound the STA server there and re-added it, but no change.

 

Do you know how it verifies that? I had assumed the traffic would come from the server virtual IP but networking guy saw no traffic coming from the DMZ. 


23 minutes ago, Sam Jacobs said:

And in the first gateway server the same STAs are marked as UP?

 

Yes. I know it's not particularly useful for supporting my position, but I attached an image that shows both gateway configs. They are configured to use the same single STA server defined by FQDN.

 

I looked at some documentation on firewall rules and it looks like communication to STA servers is on TCP 80 via the SNIP address. I know that is already working on my production site, so I am not sure what the problem is. The StoreFront server shows as up (same StoreFront used in both gateways as well). The only thing that is different is the virtual IP. I can't find anything in the event logs pertinent to my problem.

 

 

gateways.png


22 minutes ago, Sam Jacobs said:

It looks like you are not using the same STA - one is .102, the other is .103.

I suppose I might be getting terminology wrong....

Those IPs are for the Gateway IP Address (see attached). It's what I see when I look at Configuration > Citrix Gateway > Citrix Gateway Virtual Servers. The STA is a separate property of each server configuration, which I see under VPN Virtual Server STA Server Binding, recorded as Secure Ticket Authority Server in the same area. It's the server I have there that is the same between both configurations.

 

I assumed that I could not have a separate site running with the same gateway address, which is why I went down this path.

2020-12-15 13_14_06-prd-col-dmz01 - RD Tabs.png


1 hour ago, Matt Cameron said:

I assumed that I could not have a separate site running with the same gateway address, which is why I went down this path.

2020-12-15 13_14_06-prd-col-dmz01 - RD Tabs.png

 

I didn't read all the thread. You are right, these are the gateways. The .102 is using a proper STA, while the .103 does not. I bet, you're using different IPs or FQDNs.


12 minutes ago, Johannes Norz said:

I didn't read all the thread. You are right, these are the gateways. The .102 is using a proper STA, while the .103 does not. I bet, you're using different IPs or FQDNs.

 

I wanted to prove to you I wasn't crazy.... In doing so I found what my problem was. My build guide for the first gateway I made had a typo in it. Not for the IPs or FQDN, but the protocol. I never noticed it until I found the config lines back to back so I could copy them in here.

bind vpn vserver _XD_10.90.1.102_443 -staServer "http://.........."
bind vpn vserver _XD_10.90.1.103_443 -staServer "https://.........."

I have read several times that it uses port 80 by default to communicate with the STA. I dropped the "s" and updated my notes. It's coming back green. Thanks for sticking with me.


Just now, Matt Cameron said:

I wanted to prove to you I wasn't crazy.... In doing so I found what my problem was. My build guide for the first gateway I made had a typo in it. Not for the IPs or FQDN, but the protocol. I never noticed it until I found the config lines back to back so I could copy them in here.

bind vpn vserver _XD_10.90.1.102_443 -staServer "http://.........."
bind vpn vserver _XD_10.90.1.103_443 -staServer "https://.........."

I have read several times that it uses port 80 by default to communicate with the STA. I dropped the "s" and updated my notes. It's coming back green. Thanks for sticking with me.

 

You could also use https://; however, your server would need a certificate and your firewall needs port 443 open.
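The root cause in this thread was a scheme mismatch (http:// vs https://) between two STA bindings that otherwise named the same server. The script below is an added example, not code from the thread or from Citrix: it parses `bind vpn vserver ... -staServer` lines from an ns.conf export, flags STA hosts bound with inconsistent scheme or port across gateway vservers, and lists https bindings, which need a certificate on the STA and TCP 443 open from the SNIP. The config lines and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of ns.conf STA bind lines (hostnames are made up).
SAMPLE_CONF = """\
bind vpn vserver _XD_10.90.1.102_443 -staServer "http://sta01.example.internal"
bind vpn vserver _XD_10.90.1.103_443 -staServer "https://sta01.example.internal"
bind vpn vserver _XD_10.90.1.103_443 -staServer "http://sta02.example.internal:8080"
"""

# Matches the bind syntax shown in the thread; other bind types are ignored.
BIND_RE = re.compile(r'^bind vpn vserver (\S+) -staServer "([^"]+)"')


def parse_sta_bindings(conf):
    """Return a list of (vserver, scheme, host, port) for each STA binding.

    Port defaults follow the URL scheme: 80 for http, 443 for https, which
    is what the ADC uses when the STA URL carries no explicit port.
    """
    bindings = []
    for line in conf.splitlines():
        m = BIND_RE.match(line.strip())
        if not m:
            continue
        vserver, url = m.groups()
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        bindings.append((vserver, u.scheme, u.hostname.lower(), port))
    return bindings


def audit(bindings):
    """Flag STA hosts bound with more than one (scheme, port) combination,
    and list every https binding so the cert / TCP 443 path can be checked."""
    by_host = {}
    for vserver, scheme, host, port in bindings:
        by_host.setdefault(host, set()).add((scheme, port))
    inconsistent = {h: sorted(s) for h, s in by_host.items() if len(s) > 1}
    https = [(vs, h, p) for vs, sch, h, p in bindings if sch == "https"]
    return inconsistent, https


if __name__ == "__main__":
    mismatches, tls = audit(parse_sta_bindings(SAMPLE_CONF))
    for host, combos in mismatches.items():
        print(f"INCONSISTENT {host}: {combos}")
    for vserver, host, port in tls:
        print(f"HTTPS binding on {vserver}: {host}:{port} needs cert + TCP {port} from SNIP")
```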
