Question

Good afternoon,

I hope you're all well!

My team and I (we are no experts) are creating a POC for Citrix Cloud. We have gotten to a point where we are stuck. Our environment is as follows:

Citrix CVAD Version 1912 CU5.
2x NetScalers with a GSLB, pointing to 4 StoreFront servers located in two different DCs.
4x on-prem StoreFront servers on Windows Server 2012 R2.
4x Cloud Connectors on Windows Server 2022.

We've created a new POC Store. When adding the Cloud Connectors to the Store and setting traffic to HTTP, we can enumerate applications and broker connections to our UAT VDIs just fine (woo), but we're having a huge problem when turning on HTTPS traffic.

We have configured the HTTP SSL certificate via netsh, binding it to 0.0.0.0:443, and restarted the connectors, but when logging into StoreFront, apps and desktops are not enumerating, giving us the blank "There are no apps or desktops available to you at this time" screen. Looking in the event logs on the StoreFront servers, we are getting the following errors:

Quote

The Citrix XML Service at address hostname01.domain.uk:443 has failed the background health check and has been temporarily removed from the list of active services. Failure details: An SSL connection could not be established: None of the SSL cipher suites offered TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 were accepted by the server.. This message was reported from the Citrix XML Service at address https://hostname01.domain.uk/scripts/wpnbr.dll[UnknownRequest].

Which then tells us that there are no services running and they have been removed from service (event ID 4012).

We have ensured that all SSL certificate CNs and SANs have the same domain as the GSLB/local StoreFront SSL certificates; we have also created a GPO to amend the cipher suite order for the connectors, but to no avail.

I have created a test StoreFront instance that sits on a Windows Server 2019 box and we had no cipher issues, which indicates it may be an issue with OS 2012 R2 & 2022 and incompatible cipher suites (weak vs strong).

I was curious if anyone has experienced the same when using an older OS vs a newer OS, and what their resolution was.

We're still waiting on Citrix Support to provide us a solution, but we're still going through the generic KB stage and info gathering.

We would consider upgrading further down the line, but it is out of scope at the moment due to the tight deadline we have.

Thanks for reading and I look forward to hearing from you all.
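The health-check error above says that StoreFront offered six ECDHE_RSA suites and the connector accepted none of them. The following PowerShell is an added diagnostic, not code from the original post or from Citrix: run on a StoreFront server, it performs a TLS 1.2 handshake to each connector on 443 through the local Schannel stack, so a failure reproduces the same negotiation problem outside StoreFront, and a success shows the negotiated key exchange, cipher and hash plus the certificate's subject/SAN and chain validity. The connector hostnames are placeholders, and the StoreFront event log name 'Citrix Delivery Services' is an assumption to adjust to your environment.

```powershell
# Added diagnostic example (not from the original post or Citrix).
# Hostnames below are placeholders; replace them with your Cloud Connector FQDNs.
$Connectors = @('hostname01.domain.uk', 'hostname02.domain.uk')

function Test-XmlServiceTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate during the handshake so a cipher-suite failure is not
        # masked by a trust failure; the chain is validated separately and reported below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        # TLS 1.2 only, which is what the XML service health check negotiates on 1912
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        # 2.5.29.17 is the Subject Alternative Name extension OID
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san     = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

        [pscustomobject]@{
            Host        = $HostName
            Result      = 'Handshake OK'
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)-bit"
            Hash        = $ssl.HashAlgorithm
            Subject     = $cert.Subject
            SAN         = $san
            ChainValid  = $chainOk
        }
    }
    catch {
        # A Schannel cipher-suite mismatch surfaces here as an AuthenticationException
        [pscustomobject]@{ Host = $HostName; Result = "Handshake failed: $($_.Exception.Message)" }
    }
    finally {
        $tcp.Close()
    }
}

# Handshake check against every connector
$Connectors | ForEach-Object { Test-XmlServiceTls -HostName $_ } | Format-List

# Recent StoreFront events for the same symptom: event ID 4012 from the post, plus any
# event whose text mentions the cipher-suite failure. Log name is an assumption.
Get-WinEvent -LogName 'Citrix Delivery Services' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 4012 -or $_.Message -match 'SSL cipher suites' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
```

If the handshake fails from the StoreFront server but succeeds from a Windows Server 2019 box (as the post describes), the two client stacks are offering different suites, which points at the cipher suite order on one side rather than at the certificate; if `ChainValid` is `$false` or the SAN list does not contain the connector FQDN, that is a separate problem worth fixing before touching cipher order.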

1 answer to this question

On 10/20/2022 at 2:55 PM, Timothy Joynson said:


Hello,

I have now resolved this. In the end I managed to find a piece of documentation in the 1912 LTSR documentation that speaks about TLS on 2016 and 2019 (https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/secure/tls.html). We applied the same logic to our Windows Server 2022 Citrix Cloud Connectors and ensured TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 & TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 were set to the highest priority, preceding any TLS_DHE cipher suites.

We also went ahead and disabled TLS 1.2, but I think this is a red herring and will complete some further testing.

Thanks again,

Tim.

Edited by tjoynso116
Adding URL.
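The resolution above is a cipher suite priority change on the Windows Server 2022 connectors. The PowerShell below is an added example, not Citrix's script and not code from the post: it lists the connector's effective Schannel cipher suite order, moves the two ECDHE_RSA CBC suites named in the answer to the top of the list so they precede every TLS_DHE_* suite, and verifies the result. It uses only the built-in `Get-TlsCipherSuite`, `Disable-TlsCipherSuite` and `Enable-TlsCipherSuite` cmdlets and must run in an elevated session on the connector itself.

```powershell
# Added example (not Citrix's code): reorder Schannel cipher suites on a Windows Server 2022
# Cloud Connector so the two suites named in the answer sit ahead of all TLS_DHE_* suites.
$Preferred = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

function Get-CipherSuiteOrder {
    # Effective list with a 0-based Position column; position 0 is the highest priority
    $pos = 0
    Get-TlsCipherSuite | ForEach-Object {
        [pscustomobject]@{ Position = $pos++; Name = $_.Name; Protocols = ($_.Protocols -join ',') }
    }
}

function Test-PreferredAheadOfDhe {
    # Checks that every preferred suite is enabled and sits above the first TLS_DHE_* suite
    param([string[]]$Suites)
    $order   = @(Get-CipherSuiteOrder)
    $prefPos = $order | Where-Object { $Suites -contains $_.Name } | Select-Object -ExpandProperty Position
    $dhePos  = $order | Where-Object { $_.Name -like 'TLS_DHE_*' }  | Select-Object -ExpandProperty Position
    $missing = @($Suites | Where-Object { $order.Name -notcontains $_ })
    $prefMax = if ($prefPos) { ($prefPos | Measure-Object -Maximum).Maximum } else { $null }
    $dheMin  = if ($dhePos)  { ($dhePos  | Measure-Object -Minimum).Minimum } else { $null }
    [pscustomobject]@{
        Missing      = $missing
        PreferredMax = $prefMax
        FirstDhe     = $dheMin
        Ok           = ($missing.Count -eq 0) -and (($null -eq $dheMin) -or ($prefMax -lt $dheMin))
    }
}

function Set-PreferredCipherSuites {
    # Enable-TlsCipherSuite inserts at the given position. Inserting each suite at
    # position 0 in reverse order leaves the first entry of $Suites on top. A suite that is
    # already enabled is disabled first so it is moved rather than duplicated.
    param([string[]]$Suites)
    $rev = [string[]]$Suites.Clone()
    [array]::Reverse($rev)
    foreach ($name in $rev) {
        if (Get-TlsCipherSuite | Where-Object Name -eq $name) {
            Disable-TlsCipherSuite -Name $name
        }
        Enable-TlsCipherSuite -Name $name -Position 0
    }
}

Write-Host '--- cipher suite order before ---'
Get-CipherSuiteOrder | Format-Table -AutoSize

Set-PreferredCipherSuites -Suites $Preferred

Write-Host '--- cipher suite order after ---'
Get-CipherSuiteOrder | Format-Table -AutoSize
Test-PreferredAheadOfDhe -Suites $Preferred

# Restart the Cloud Connector services (or reboot) so new XML service connections use the
# new order, then watch the StoreFront event log for the 4012 / cipher suite events to stop.
```

Two caveats from a defender's point of view. First, a computer Group Policy "SSL Cipher Suite Order" setting, like the GPO the question mentions, overrides the local list these cmdlets manage, so if such a policy applies to the connectors the reorder has to be made in the policy instead, and `Get-TlsCipherSuite` should be re-run after `gpupdate /force` to confirm the effective order. Second, the fix keeps the negotiation on TLS 1.2 with ECDHE key exchange; it changes priority only, so nothing weaker than what the StoreFront side already offers is being enabled.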