
NS GW 1 SF URL for internal and external communication


Good day to everyone,

I have a specific issue with a running configuration to run apps from internal; external communication works. All communication is based on SSL and valid certs, using the following components:

a) NS 13.1 37.38

b) SF 2203.0.2000.5

I'm using nFactor to decide whether users come from an external subnet or internal subnets, allowing them to use 2FA or 1FA. The next step is filtering users based on AD group membership and binding a Session profile based on AD group. The external URL must be usable from internal and external env; because of the above filtering, we want to use just 1 CAG URL.

1. The first try was to use the external URL bound to the CAG, with the SF LB VIP on NS pointing to one store. On SF, NS GW is configured with beacons related to external and internal communication as required. All communication must go through the NS SNIP due to NW setup and FW on the path, allowing only a bunch of ports like 443, 80, 1494, 2598.

Connections from external env can run apps from SF, connections from internal NOT.

2. The second try was to create a second NS CAG on a different subnet, a second SF store on the same SF, and a second NS GW configured on SF allowing only domain logon.

The user is using the external URL; based on nFactor they get 1FA authentication, and based on AD group they get the internal SF store (created as a second one for this purpose). The user can see apps but can't start them; no app is working.

If the user checks the connection via the second NS CAG, it works, as it is on the internal subnet.

3. I have followed the article https://support.citrix.com/article/CTX200866/how-to-configure-netscaler-and-storefront-for-internal-and-external-connections to make it work with 2 NS GW, 2 SF stores, 2 different subnets, and 1 URL for both external and internal.

The net profile doesn't work per the article when it is bound to either the service or the traffic LB VIP; there is the error "Cannot complete request". An IP of the second NS GW is bound to the net profile per the article. If the net profile is removed, it works, but apps do not.

Is there any functional setup to make it work? This is a complete nightmare, and any Citrix article contains vague information, or some which definitely does not work.

The goal is to have 1 NS GW URL and 1 SF URL for ext and int communication, which must go over the NS SNIP (no, it's not a matter of beacons; tested all possible scenarios). The external FQDN is reachable from ext and int; the internal SF FQDN and beacon FQDN are reachable only from internal.




Well, it's hard to explain. I'm trying to achieve 1 NS GW URL with 1 SF store for internal and external users. I tried a fake beacon too, but that didn't work. I've followed your page and used the registered "accounts" FQDN as the internal beacon; only with this setting do I get a store from Workspace app. Running apps either from web or Workspace app internally doesn't work.
