Jump to content
Welcome to our new Citrix community!

Access DMZ Adress from Intranet IPs

Recommended Posts

Hello Guys,


we can not access our NSIP from our Split DNS VPN Setup.

Ping is working but https in Firefox fails with the Message: PR_END_OF_FILE_ERROR

We have configured Intranet IP Adresses and of course Intranet Applications. In Intranet Applications the subnet where the NSIP is placed is also configured.


Does anyone have an Idea? Is there a securtiy Policy blocking the Access via VPN?

Also i can not access any DMZ Adress from the Netscaler VPN, maybe because our Netscaler is also in the DMZ?





Link to comment
Share on other sites

Are you configuring split tunnel in addition to split dns?


For the aaa users, make sure you also have allow policy rules.  What you can do as a vpn users with split dns enabled, is dependent on the intranet apps AND any allow rules you configured Intranet apps must identify the destination networks (with or without ports).  Intranet Apps identify the networks to access the vpn client intercepts to send to the vpn.

The allow/deny authorization policies (or allow/deny settings via session policies) are used to allow/deny access to override the default deny.  


For the system IPs themselves, you may have configured ACLs to restrict access only from certain subnets. Which may be excluding access from the vpn tunnel users.


If you check syslog, you should deny events for not meeting allowed policy rules.

ACLs do not log to syslog by default, unless ACL logging is enabled. May want to just see if ACL (extended acls) are or aren't configured. System > Network > ACLs


Link to comment
Share on other sites

Split DNS ist set to "Both" in the Session Policy. For testing i also set the Defaul Authorization Action to "Allow" in the Session Policy.

Also there are no ACLs configured on the System.


What i discoverd is that some DMZ Adresse are working. Only the virtual Servers that are running on the ADC itself are not working.

Link to comment
Share on other sites

  • 2 weeks later...

Yes, i include the complete DMZ subnet(where the VIPS is) in a intranet app.


When i make traceroute in the cmd, for the VIP i get for the Firsthop instantly a timeout.


When i do a trace on the ADC i also can not see any packages from the VPN Client.

In the syslog are´t any deny messages.

Edited by Steven Storp
Spelling issue
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...