
Setting up Citrix Gateway with GSLB and publishing Internal and Xenapp application


Norvi de Leon


Hi,

I was trying to set up a Citrix Gateway. We have two zones, each with a NetScaler VPX appliance. I need to set up GSLB for high availability of the said gateway. I need to publish both internal applications and Citrix XenApp published apps. Can someone advise how to create this successfully? I tried to create a Citrix Gateway using the Citrix Gateway wizard, but upon publishing a test intranet application, nothing shows up on the web page of the Citrix Gateway.


Hi @Carl Stalhood,

Yes, I have a session profile and have Clientless Access set to On. I created two NetScaler Gateway URLs in both zones, one for internal application access and one for Citrix published apps. My question now is: can one URL work for both internal applications and published applications without using the Unified Gateway setup? I was trying to create an internal application but it is not showing; however, when I create a URL it shows on the NetScaler home page.

Also for the Unified Gateway setup, it seems that the gateway becomes non-addressable if you use the wizard. If I use the Unified Gateway wizard, will I be able to make it work via GSLB? I tried to deploy Unified Gateway and then disable it, but its service in GSLB does not go down.

I'm thinking about what will be the simplest setup: whether I need to configure two URLs for XenApp and internal apps, or whether I can configure one gateway for both. Thank you.


Unified Gateway creates a Content Switching vServer. It's possible to configure the Content Switching vServer to go down when the other vServers it forwards to are also down. For GSLB, I usually just disable the GSLB Service on whichever pair owns the VIP.

Are you seeing the clientless portal? Are you seeing any bookmarks created on the NetScaler? In the RfWebUI theme, both NetScaler bookmarks and published apps should be shown in the same clientless portal.

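The two knobs in Carl's reply (a Content Switching vServer that tracks the state of its targets, and disabling the GSLB service of the pair that owns the VIP) can be driven from a script. The following is an added example in PowerShell against the NetScaler NITRO REST API; it is not from the original thread or from Citrix. The management address, credentials, object names, ADNS IP and FQDN are placeholders, and the `Content-Type` of `application/json` assumes a current NetScaler firmware (older builds expect the per-object `application/vnd.com.citrix.netscaler.<object>+json` types).

```powershell
# Added example (not from the original post): make a Unified Gateway site fail out of GSLB cleanly.
# Assumed values: NetScaler management URL, credentials, object names, ADNS IP and the GSLB FQDN.
$Ns       = 'https://ns-site1.example.internal'   # assumed NSIP/management address of this pair
$CsVsName = 'ug_cs_vs'                            # assumed Unified Gateway Content Switching vserver
$GslbSvc  = 'gslb_svc_gw_site1'                   # assumed GSLB service that represents this site's VIP
$Fqdn     = 'gateway.example.com'                 # assumed GSLB domain
$AdnsIp   = '10.1.0.5'                            # assumed ADNS listener on this pair
$Cred     = Get-Credential -Message 'NetScaler admin'

# NITRO accepts the credentials per request in headers, which keeps them off the command line.
$Headers = @{
    'X-NITRO-USER' = $Cred.UserName
    'X-NITRO-PASS' = $Cred.GetNetworkCredential().Password
    'Content-Type' = 'application/json'
}

# 1. Let the CS vserver go DOWN when all of its target vservers are DOWN.
#    CLI equivalent: set cs vserver ug_cs_vs -stateupdate ENABLED
$body = @{ csvserver = @{ name = $CsVsName; stateupdate = 'ENABLED' } } | ConvertTo-Json -Depth 3
Invoke-RestMethod -Method Put -Uri "$Ns/nitro/v1/config/csvserver" -Headers $Headers -Body $body | Out-Null

# 2. Maintenance on this site: disable its GSLB service so GSLB DNS stops answering with this VIP.
#    CLI equivalent: disable gslb service gslb_svc_gw_site1 -delay 30 -graceful YES
$body = @{ gslbservice = @{ servicename = $GslbSvc; delay = 30; graceful = 'YES' } } | ConvertTo-Json -Depth 3
Invoke-RestMethod -Method Post -Uri "$Ns/nitro/v1/config/gslbservice?action=disable" -Headers $Headers -Body $body | Out-Null

# 3. Verify on the appliance ...
$svc = (Invoke-RestMethod -Method Get -Uri "$Ns/nitro/v1/config/gslbservice/$GslbSvc" -Headers $Headers).gslbservice[0]
'{0}: state={1} svrstate={2}' -f $svc.servicename, $svc.state, $svc.svrstate

# ... and from the DNS side: the answer for the GSLB FQDN should no longer contain this site's VIP.
Resolve-DnsName -Name $Fqdn -Server $AdnsIp -Type A | Select-Object Name, IPAddress

# When maintenance is over:
#   POST $Ns/nitro/v1/config/gslbservice?action=enable   with body {"gslbservice":{"servicename":"gslb_svc_gw_site1"}}
```

On Windows PowerShell 5.1 the calls fail if the management address presents an untrusted certificate; use a trusted certificate on the NSIP or, on PowerShell 7, add `-SkipCertificateCheck` to each `Invoke-RestMethod`. Step 1 is what makes the Unified Gateway CS vserver itself report DOWN for the GSLB monitor; step 2 is the manual failover Carl describes, which works regardless of step 1.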

Hi @Carl Stalhood,

17 hours ago, Carl Stalhood said:

Unified Gateway creates a Content Switching vServer. It's possible to configure the Content Switching vServer to go down when the other vServers it forwards to are also down. For GSLB, I usually just disable the GSLB Service on whichever pair owns the VIP.

Are you seeing the clientless portal? Are you seeing any bookmarks created on the NetScaler? In the RfWebUI theme, both NetScaler bookmarks and published apps should be shown in the same clientless portal.

- OK, so GSLB for the Unified Gateway can be tested that way. But if I use a Unified Gateway, will it require the Citrix Gateway plug-in or Citrix Receiver?

Also, if I do not set up Unified Gateway and set up two gateways instead (one for Citrix apps via ICA proxy and one for internal apps via the Citrix Gateway plug-in), will the user be able to use both applications and be connected to the two gateways at the same time?

As for the NetScaler bookmarks, yes, they show if I configure the clientless portal.


3 weeks later...

Hi @Carl Stalhood,

I was able to set up the GSLB now, but we set up two gateways: one for Citrix published app users and another for internal web applications.

As for the GSLB setup, I'm getting an intermittent "Cannot complete your request" issue. The callback URL and VIP are already configured in the store settings for Citrix Gateway. I have two StoreFronts configured in a server group. StoreFront 1 resides in site 1 and StoreFront 2 resides in site 2. I created a GSLB vServer for these StoreFronts and the FQDN is resolvable from the machine. However, when I try to log in to NetScaler and, after passing through, get into the StoreFront, there is an issue when I try to refresh the browser: sometimes it tries to go to the other StoreFront and shows "Cannot complete your request". I already have persistence set in place in the GSLB vServer and in the vServer in the LB tab. The issue does not happen when I disable one of the StoreFront VIPs.


Hi @Carl Stalhood,

I will do this. "Site persistence and select Connection Proxy" - will this also be required for the GSLB vServer for the gateway?

"Make sure StoreFront has two Gateways configured with separate callback URLs." - Yes, this was already set up; I have a dummy Gateway vServer for the callback URL.
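The StoreFront side of the advice quoted above (one Gateway object per site, each with its own callback URL, both registered to the same store) is scriptable with the StoreFront PowerShell SDK. The following is an added example and is not from the thread or from Citrix: the store path, gateway names, URLs and IP addresses are placeholders, and it assumes it is run as an administrator on a StoreFront server where the SDK import script exists at its default location. The NetScaler-side counterpart, site persistence on each GSLB service, is shown only as the CLI command in a comment.

```powershell
# Added example (not from the original post): two Gateway objects with separate callback URLs on one store.
# Assumed: run elevated on a StoreFront server; store path, names, URLs and IPs below are placeholders.
& "$env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

$store = Get-STFStoreService -VirtualPath '/Citrix/Store'     # assumed store

# Same public FQDN in both sites (GSLB), but a different callback URL per site so StoreFront
# always calls back the NetScaler pair that actually authenticated the user.
$gateways = @(
    @{ Name = 'Gateway-Site1'; Url = 'https://gateway.example.com'; Callback = 'https://callback-site1.example.internal'; Ip = '10.1.0.10' },
    @{ Name = 'Gateway-Site2'; Url = 'https://gateway.example.com'; Callback = 'https://callback-site2.example.internal'; Ip = '10.2.0.10' }
)

foreach ($g in $gateways) {
    $gw = Get-STFRoamingGateway -Name $g.Name
    if (-not $gw) {
        # SubnetIPAddress is the NetScaler address StoreFront uses to tell the two objects apart
        # when they share one GatewayUrl (assumed values; use the address your design sends to StoreFront).
        $gw = Add-STFRoamingGateway -Name $g.Name -LogonType Domain -Version Version10_0_69_4 `
                -GatewayUrl $g.Url -CallbackUrl $g.Callback -SubnetIPAddress $g.Ip
    }
    Register-STFStoreGateway -Gateway $gw -StoreService $store
}

# Review the result; each callback URL must resolve to a Gateway vserver (the "dummy" one
# in the thread) that StoreFront can reach on 443 with a certificate it trusts.
Get-STFRoamingGateway | Select-Object Name, GatewayUrl, CallbackUrl, SubnetIPAddress

# NetScaler side, on both pairs, for the StoreFront GSLB service (CLI, not PowerShell):
#   set gslb service gslb_svc_sf_site1 -sitePersistence ConnectionProxy
#   set gslb service gslb_svc_sf_site2 -sitePersistence ConnectionProxy
```

After running this, the `Register-STFStoreGateway` step must be repeated on the other server group only if the groups are not already propagating configuration; a single server group, as in the thread, propagates it with the usual "Propagate Changes" action.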

Hi @Carl Stalhood,

This is noted. I'm observing and it seems to be working fine.

I have another issue now: we have a public IP address NATed to our NetScaler Gateway. The issue is that the NetScaler seems to be dropping the connection if the source comes from a public IP. When a source NAT was created and NATed to the firewall's internal IP, we were able to access the public IP address of the gateway. However, in this way we will only see the internal IP of the firewall as the client IP on the NetScaler. Is there a way for the NetScaler to log the actual public IP of the user/client connecting to it? See screenshot.


Hi Jeff Riechers,

GSLB is not yet in the picture when testing the public IP. The issue is that the source IP (the client's public IP) is getting reset, and the tcpdump from the firewall shows that the internal IP of the gateway is not allowing it. However, if the source IP (the client's public IP) is replaced with the internal IP of the firewall (using source NAT), the connection is established.

So my question is: is there some configuration in NetScaler that is not allowing this?


Hi Jeff Riechers,

Thanks, we will proceed with the source NATing on the firewall.

Also, we are getting an issue with SAML authentication with an external domain that has a one-way trust to our local domain. After the username assertion to StoreFront, we are getting "Cannot complete your request", and in the event viewer of StoreFront it says "an authentication attempt for user: xxxx.com\xxx with realm: <unknown>".

Thanks,


Hi Jeff Riechers,

Yes, SAML now authenticates through SF; however, I'm getting this error message now:

"The username or password is incorrect".

Kerberos error:

 Error Code: 0x3e KDC_ERR_CLIENT_NOT_TRUSTED
 Extended Error: 0x80092013 KLIN(0)

I already installed the CA and sub-CA certificates on both the VDA and the domain controllers. Also, I checked the domain controller certificate; it also has Kerberos Authentication.
Thanks,


OK, this message is usually one of a couple of things.

1. The CRL is not accessible. You can try disabling CRL checking on the VDA to see if that works. If it does, repair the CRL config and then re-enable it.

2. New Windows security updates. Look into the registry keys in https://support.citrix.com/article/CTX479236/fas-information-about-microsoft-kb-kb5014754cve202234691-cve202226931-and-cve202226923

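Both causes in the reply above can be checked before anything is changed. The following PowerShell is an added example and is not from the thread, from Citrix or from the linked article; the certificate path is a placeholder, `certutil -urlfetch -verify` is the standard Windows way to exercise the CRL/AIA URLs in a certificate, and the registry values are the documented ones (`UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` under the Kerberos parameters for the test in point 1, `StrongCertificateBindingEnforcement` under the KDC service for the KB5014754 behaviour in point 2). The CRL part runs on the VDA, the KDC part on each domain controller.

```powershell
# Added example (not from the original post): triage KDC_ERR_CLIENT_NOT_TRUSTED for FAS logons.
# Assumed: $IssuerCert points at the exported issuing (sub) CA certificate; run elevated.
$IssuerCert = 'C:\temp\subca.cer'   # assumed path

# --- Point 1: can this machine fetch and validate the CRL? certutil follows the AIA/CDP URLs.
$out = & certutil.exe -urlfetch -verify $IssuerCert 2>&1
"certutil exit code: $LASTEXITCODE (non-zero means the chain or a CRL fetch failed)"
$out | Select-String -Pattern 'CRL', 'Failed', 'Error', 'Revocation' | ForEach-Object { $_.Line }

# Test-only switch referred to in point 1: Kerberos ignores "revocation unknown" on this VDA.
# Set it to 1 only to confirm the diagnosis, then remove it once the CDP/CRL is fixed.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
Get-ItemProperty -Path $kerbParams -ErrorAction SilentlyContinue |
    Select-Object UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors, CRLTimeoutPeriod
# To apply the test setting:
#   New-ItemProperty -Path $kerbParams -Name UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors -PropertyType DWord -Value 1 -Force
# To revert:
#   Remove-ItemProperty -Path $kerbParams -Name UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

# --- Point 2 (run on each DC): certificate-to-account binding enforcement from KB5014754.
$kdc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$mode = (Get-ItemProperty -Path $kdc -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
switch ($mode) {
    $null { 'StrongCertificateBindingEnforcement not set: the OS default for the installed updates applies' }
    0     { 'Disabled: no strong binding check' }
    1     { 'Compatibility mode: weak mappings still accepted but logged' }
    2     { 'Full enforcement: logon certificates without a strong mapping are rejected' }
}

# The KDC logs the affected logons in the System log (event IDs 39, 40, 41 introduced by KB5014754).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 39, 40, 41 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If `certutil` reports a failed CRL fetch, fix the CDP (reachable URL, current CRL published) rather than leaving the test value in place. If the KDC is in enforcement mode and the events show weak mappings, the linked CTX article describes the FAS-side change needed so the certificates it issues are accepted; changing the KDC value only postpones that.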
