Storefront Redirect when External.



Hi All,

I've been testing Azure MFA with our Netscalers using a test Storefront page. So far everything is working as expected and functioning.

 

I am a bit stuck on one item. In our production Storefront site, once a user logs into the Netscaler portal then they get redirected to the Storefront page. This happens when both on VPN and also when connecting external without VPN connection. The user will get the Storefront page in both use cases.

 

Right now I can only get the page redirection to work when on VPN, as it is able to resolve the URL for the Storefront page.

 

Question is where do I make the changes for this test Storefront page to be redirected when coming from external/non VPN connections?

 

We are using Netscaler MPX 8200s version 12.1.

 

Any help would be greatly appreciated!


18 hours ago, Sam Jacobs said:

Do you have your StoreFront servers being load-balanced by the ADC?

If you have DNS set up on your ADC it should be able to resolve your StoreFront FQDN.

If it can't, you can put the IP address of the load-balanced VIP in your session profile.

Yes, SF servers are load balanced by the ADCs. The DNS does resolve the SF FQDN for our Prod SF site. 

I am probably just missing where to add this setting in the ADC for the test SF site.


On 2/18/2021 at 12:33 PM, Sam Jacobs said:

It would go into the Web Interface Address field on the Published Applications tab of the session profile.

[Image: ADC session profile, Web Interface Address field]

Yep, already had this in place. I did however change it from the DNS entry to IP but still no go.

I receive the "Cannot Complete Your Request" error once it successfully authenticates from the ADC login page and then tries to redirect to the SF page.


This signals an error in the credential handoff from the ADC to StoreFront.

Check the Event Log(s) on the StoreFront server(s) (under Applications and Services Logs | Citrix Delivery Services).

There is usually an error message there that will give you additional information.

Make sure that you have defined a NetScaler instance (Manage NetScaler Gateways) that has an FQDN that matches the URL the user enters to access the site.

 


On 2/21/2021 at 1:30 PM, Sam Jacobs said:

This signals an error in the credential handoff from the ADC to StoreFront.

Check the Event Log(s) on the StoreFront server(s) (under Applications and Services Logs | Citrix Delivery Services).

There is usually an error message there that will give you additional information.

Make sure that you have defined a NetScaler instance (Manage NetScaler Gateways) that has an FQDN that matches the URL the user enters to access the site.

 

Interesting, this is what I see in logs:

A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.14.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: https://127.0.0.1/Citrix/AzureSSOAuth/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden

 

Is there something to be changed on the Authentication for this SF page?


2 hours ago, Sam Jacobs said:

Do you have an SSL certificate on your StoreFront server(s)?

Is it bound to IIS?

Does it have any needed intermediate certificate(s) installed on the StoreFront server?

Yes SSL Cert was actually just renewed a few weeks ago and installed on SF servers and bound to IIS.

I didn't see any intermediate certs on the Server certificate portion in IIS.

Just for my own knowledge, if this is a certificate issue, wouldn't that also affect when trying to access from VPN? As of now the test SF site redirect works when on VPN.


On 2/17/2021 at 4:24 PM, Sukhwant Singh1709160818 said:

Question is where do I make the changes for this test Storefront page to be redirected when coming from external/non VPN connections?

You put it into the Web Interface Address field of your session profile:

[Image: ADC session profile, Web Interface Address field]


1 hour ago, Sam Jacobs said:

Are you using https: with the IP address?

What error(s) are you receiving?

Yes, https://x.x.x.x/Citrix/AzureSSOWeb

The error being received from non-corporate machines is "Cannot complete your request". Something isn't resolving properly, to where the redirect fails to load the SF page after successful authentication. It might be something really simple, but I'm having a hard time trying to point my finger at what isn't working.

I mimicked the settings of our production SF page, which works just fine on both VPN and non-VPN connections. For some reason this test SF page on non-VPN connections doesn't redirect/resolve.


"Cannot complete your request" is a catch-all error.

Look in the event log on the StoreFront server(s) under Citrix Delivery Services.

There should be another entry with the actual error.

Quite frequently it is that there is no NetScaler instance in StoreFront that matches the FQDN the user entered to log on.

 


I've attached the pic of the settings on the test Storefront page.

The first line is what I have plugged in Netscaler under Published Applications>Web Interface Address. I also replaced that DNS name with IP but no luck. 

Not seeing anything directly pertaining to this login/redirect issue under the CTX Delivery Services log.

[Attached image: sfpage.JPG]


No DNS entry on the NetScaler is needed.

vpn.domain.com needs to be able to be resolved externally (which it is, if you can get to the logon page).

While you should still be able to access StoreFront the way it's currently set up, if you want full VPN access, you should select the second radio button ("Allow users to access all resources...").

 

Do you have multiple StoreFront servers in the group? Did you check them all for errors in the event log?
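
One way to run the event-log check suggested in the replies above against every server in the group, as an added example that is not part of the original thread: it pulls recent warnings and errors from the Citrix Delivery Services log on each server and extracts the Url and ResponseStatus lines seen in the posted event. The server names and the one-hour window are placeholders, and the script assumes the log's channel name matches the name shown in Event Viewer.

```powershell
# Added example. Server names are placeholders; list every member of the
# StoreFront server group so no node is skipped.
$servers = 'sf01.example.local', 'sf02.example.local'
$since   = (Get-Date).AddHours(-1)   # reproduce the failed logon first, then run

$events = foreach ($server in $servers) {
    try {
        # Assumes the channel name equals the Event Viewer display name.
        Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Citrix Delivery Services'
            Level     = 1, 2, 3          # Critical, Error, Warning
            StartTime = $since
        }
    }
    catch {
        # Also reached when a server simply has no matching events.
        Write-Warning "${server}: $($_.Exception.Message)"
    }
}

$events | Where-Object { $_ } | Sort-Object TimeCreated | ForEach-Object {
    # Field names below are the ones visible in the event text posted in this thread.
    $url    = if ($_.Message -match '(?m)^Url:\s*(\S+)') { $Matches[1] }
    $status = if ($_.Message -match '(?m)^ResponseStatus:\s*(\S+)') { $Matches[1] }
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Server         = $_.MachineName
        EventId        = $_.Id
        Summary        = ($_.Message -split '\r?\n')[0]
        Url            = $url
        ResponseStatus = $status
    }
} | Format-Table -AutoSize -Wrap
```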
