Unsure why this is happening, but I figure I might ask around to see if anyone might have suggestions on what to try next.
We have thin-clients connecting to our Citrix environment with no issues. Citrix Production environment is setup as a vDisk via Provisioning Services. Then there are some stand-alone Citrix servers offering specific software packages we don't want for all users.
Some of our users connect to a remote Citix environment offering some apps from a supplier. We offer the links to that website within our Citrix environment, so users login to the Citrix environment, get presented with their Citrix desktop, click the URL which opens the browser and accesses the website of the supplier. They then login with the account the supplier provided for them, and end up in a StoreFront NetScaler environment of the supplier. Normally they click any of the offered icons to start the application being on offer. To facilitate this chain of usage the Workspace App was also installed on the Citrix desktop.
To reiterate - The user connects to OUR Citrix environment (which starts a desktop), and then connects to a REMOTE Citrix environment from a supplier from that desktop (using the installed webbrowser and Workspace App from the vDisk), making this a Citrix-on-Citrix connection. The supplier starts a Citrix application which the user can then use.
Quite recently this started failing with an SSL31 error. The user is able to connect to the website from the vDisk offered webbrowser, login and gets the icons presented. Clicking an icon does download te ICA file, but it seems that as that ICA file is passed on to the Workspace App the error occurs.
The funny thing is that it is NOT failing if users try to connect directly from their endpoints to the suppliers site, nor does it fail on the stand-alone Citrix servers (which also use the Citrix-on-Citrix approach). The only place it fails is using the prmary vDisk based Citrix environment. Even worse, even on the vDisk environment the failure isn't consistent... Usually it fails, but there are known cases where it does work.
Initially the issue seemed to stem from the usage of Google Chrome, since if the user reverted to IE there were no problems connecting. More recently it was found that Edge also seemed to work, but that's also been debunked by now as Edge has shown that error a couple of times aswell. And with IE being an obsolete browser being phased out by Microsoft, that solution also isn't feasable. Plus it doesn't make sense that the error occurs when the Workspace App opens the ICA file, which the browser at that point has nothing to do with anymore.
The next thing we checked were the versions of the Workspace App but atleast between the vDisk and stand-alone Citrix servers those are identical (22.3.101.4). The former has issues, the latter does not. So that's been ruled out aswell. We then rebuilt the whole vDisk from scratch... problem did not abate. Certificates then? Seems to be fine in the whole certificate chain presented from within the browser when accessing the Storefront page of the supplier.
I then had a go at looking at the logging of the Citrix Workspace App in hopes it would provide me a readable log of some sort indicating where it was having a problem. Instead I get about 70 MB of data from a lot of sources but from the looks of things nothing to really indicate where the issue stems from (provided I can open the files and actually read their contents). So I'm considering that a bust too... Unless someone has a more pinpoint idea of what files to pick apart.
I might be down to actually installing a packet-sniffer on the endpoint and see if that picks something up, but I'm fairly sure the packetsniffer will only see the network-packets being sent out from the system, so that would be post-certificate encryption. And thus unreadable data. So I'm somewhat ruling that out as a possible solution avenue aswell.
I'm mostly out of ideas on what to try further, and would love to hear some input on what we might be able to try to get this annoying problem out of our environment.
Question
J.R. van Doornik
Unsure why this is happening, but I figure I might ask around to see if anyone might have suggestions on what to try next.
We have thin-clients connecting to our Citrix environment with no issues. Citrix Production environment is setup as a vDisk via Provisioning Services. Then there are some stand-alone Citrix servers offering specific software packages we don't want for all users.
Some of our users connect to a remote Citix environment offering some apps from a supplier. We offer the links to that website within our Citrix environment, so users login to the Citrix environment, get presented with their Citrix desktop, click the URL which opens the browser and accesses the website of the supplier. They then login with the account the supplier provided for them, and end up in a StoreFront NetScaler environment of the supplier. Normally they click any of the offered icons to start the application being on offer. To facilitate this chain of usage the Workspace App was also installed on the Citrix desktop.
To reiterate - The user connects to OUR Citrix environment (which starts a desktop), and then connects to a REMOTE Citrix environment from a supplier from that desktop (using the installed webbrowser and Workspace App from the vDisk), making this a Citrix-on-Citrix connection. The supplier starts a Citrix application which the user can then use.
Quite recently this started failing with an SSL31 error. The user is able to connect to the website from the vDisk offered webbrowser, login and gets the icons presented. Clicking an icon does download te ICA file, but it seems that as that ICA file is passed on to the Workspace App the error occurs.
The funny thing is that it is NOT failing if users try to connect directly from their endpoints to the suppliers site, nor does it fail on the stand-alone Citrix servers (which also use the Citrix-on-Citrix approach). The only place it fails is using the prmary vDisk based Citrix environment. Even worse, even on the vDisk environment the failure isn't consistent... Usually it fails, but there are known cases where it does work.
Initially the issue seemed to stem from the usage of Google Chrome, since if the user reverted to IE there were no problems connecting. More recently it was found that Edge also seemed to work, but that's also been debunked by now as Edge has shown that error a couple of times aswell. And with IE being an obsolete browser being phased out by Microsoft, that solution also isn't feasable. Plus it doesn't make sense that the error occurs when the Workspace App opens the ICA file, which the browser at that point has nothing to do with anymore.
The next thing we checked were the versions of the Workspace App but atleast between the vDisk and stand-alone Citrix servers those are identical (22.3.101.4). The former has issues, the latter does not. So that's been ruled out aswell. We then rebuilt the whole vDisk from scratch... problem did not abate. Certificates then? Seems to be fine in the whole certificate chain presented from within the browser when accessing the Storefront page of the supplier.
I then had a go at looking at the logging of the Citrix Workspace App in hopes it would provide me a readable log of some sort indicating where it was having a problem. Instead I get about 70 MB of data from a lot of sources but from the looks of things nothing to really indicate where the issue stems from (provided I can open the files and actually read their contents). So I'm considering that a bust too... Unless someone has a more pinpoint idea of what files to pick apart.
I might be down to actually installing a packet-sniffer on the endpoint and see if that picks something up, but I'm fairly sure the packetsniffer will only see the network-packets being sent out from the system, so that would be post-certificate encryption. And thus unreadable data. So I'm somewhat ruling that out as a possible solution avenue aswell.
I'm mostly out of ideas on what to try further, and would love to hear some input on what we might be able to try to get this annoying problem out of our environment.
Link to comment
18 answers to this question
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now