
External access for Citrix Gateway not accessing storefront


Scott


Having issues getting storefront to open when authenticating externally via citrix gateway.
I know the authentication attempt itself is doing something because it recognizes the difference between a good and bad password.
Internal access to storefront works without issue.
When attempting to access externally the page rapidly comes to:
Please log on The server met an error. Please try again or contact your administrator

I've attempted recreation of session policy and profile.
I've also set up a max timeout within these as well.
I've enabled clientless access, set the plug-in type, enabled sso to web-applications, set default authorization action to allow, and attempted a couple of different possibilities for Web Interface Address in the Published Applications tab of the profile.

Any assistance would be appreciated.  If any particular logs are needed just let me know.


Scott

 

Have you configured the StoreFront server to tell it about the NetScaler (option called 'Manage Citrix Gateways' on StoreFront console)?

Also, you need to set 'TrustRequestsSentToTheXmlServicePort' to True on the delivery controller.

 

Regards

 

Ken

 

 


On 7/3/2023 at 4:19 PM, Scott said:


 

First, which version of Gateway firmware and StoreFront are you using?

So, there are too few details to really troubleshoot the exact issue.  But we can go over the essential requirements for Gateway/StoreFront config to help you narrow it down.

 

Assumptions:

  • you have one store on StoreFront for both internal and external integration (with and without gateway).
  • Your gateway is primarily in ICA Proxy only mode.
  • You have separate FQDNs for Gateway vs. StoreFront access. 

 

On the Gateway, 

  1. Gateway FQDN (gateway.demo.com) resolves to Gateway vpn vserver VIP (via public dns). And you have a trusted cert associated. 
  2. Authentication policies (advanced engine?) are bound for your LDAP/AD requirements. If doing more complicated authentication, explain.
  3. You have a session policy/profile defined with the following essential settings (If you used the gateway wizard, you may have two policies for OS/Receiver connections and WB/web browser connections):
    • Published Apps Tab:  ICA Proxy: ON
    • StoreFront Address set to the Store name's web address and StoreFront fqdn (example):  https://storefront.demo.com/Citrix/Store-1Web  
    • SSON Domain: <domain>  (Example: demo)
    • Under Security tab: Authorization:Allow (needs to be set for all connections, unless you need granular authorizations to restrict who connects where).
    • Under <second tab>:  Clientless access alone does not support ICA Proxy. The default settings for clientless/vpn client type should be fine.  The Passthrough authentication to web should be enabled. But depending on your use of advanced authentication policies (or more complicated authentication scenarios), you might also need a Traffic policy for SSO as well.  More than likely the settings you have here are correct, but the first 4 bullet points are the essentials.
  4. Configure the list of STAs and validate the gateway can communicate.  STAs must be listed individually and match the same STAs in use on StoreFront; cannot point to an LB name on the Gateway.
  5. There are several things to confirm on the communication requirements, which I'll go over after the storefront config summary.

On the StoreFront:

  1. Store Prereqs (confirm store works for internal use, which you already have)
    • Create a store.
    • Bind a cert.
    • Set list of Controllers for XML requests and rest of your settings.
  2. Update Store for gateway authentication. Include explicit and passthrough from gateway on the Store's Authentication methods. Web site will also have gateway integration enabled.
  3. Create Gateway definition:
    • Set Gateway display name
    • Set Gateway FQDN which matches the name users use to get to Gateway:  https://gateway.demo.com
    • Set source ip of Gateway to Gateway VIP (not SNIP)
    • Set list of STAs: controllers and ports. Make sure the list matches what you've configured on the Gateway itself.
    • Set Callback address.  If not using certain advanced features, callback can be blank. If a callback is needed and the StoreFront can a) resolve the gateway FQDN to the VIP and b) reach the gateway FQDN for communication, then set the callback address to the same as the Gateway FQDN:  https://gateway.demo.com.  If the previous is not true, and a callback is required, then additional steps are needed to configure the callback.
  4. Associate Gateway to Store by configuring Remote Access. For ICA Proxy only, use the first radio button. Gateway integration is then enabled.
  5. Propagate config changes to all members of StoreFront server group.

Troubleshooting configuration:

  1. Summary of events:
    • User authentication to gateway. 
      • If auth on the gateway fails, auth stops and you get an authentication error and you still see the Gateway FQDN with gateway paths listed (anything other than /Citrix/<StoreNameWeb>).
    • After authentication, authorization is confirmed. Session policy or authorization policy must be applied to AAA user or AAA group or set via session policy against the vpn vserver to allow communication.  Deny messages may look like gateway succeeds, but you have no access to a connection through the gateway. Syslog will show deny authorization events. (Unlikely this is the problem)
    • NetScaler runs an internal probe to confirm the storefront is accessible and IF IT DOESN'T THINK it is, gateway doesn't attempt the ICA Proxy result.
      • This can result in "choices" mode, where the user only sees the options to connect VPN or Clientless. No ICA Proxy option.
      • In choiceless/ICA Proxy only mode, gateway displays a white page and doesn't attempt the passthrough to StoreFront at all.
      • You likely won't see the /Citrix/<Storename> in the path, and still see the Gateway <paths> at this point.
      • I'll add notes on investigating this issue below.
    • Once the user is authenticated and authorized, the gateway forwards the request to the StoreFront Store. If authentication fails here, then you will see the following:
      • URL in browser will show https://gateway.demo.com/Citrix/<storeNameWeb> meaning the gateway was fine with the handoff and the error is on the StoreFront side.
      • Check StoreFront event logs under Applications > Citrix Delivery Service for more specific details. Might still be an issue with the Gateway authentication policy or SSON handoff, but the gateway tried to send you to StoreFront, so start with StoreFront events first. Then go back to Gateway syslog.

Investigating if Gateway is failing its storefront probe:

  • Gateway does an internal probe to the <storefront fqdn> to see if the name resolves to an IP and if the IP is reachable. Even if this IP is a VIP owned by the NetScaler, the NetScaler treats it as an external probe, so a SNIP must be available for the probe to leave and reach the storefront VIP.  If the Gateway cannot do a DNS resolution of the storefront FQDN to the VIP (hosted locally or not) this can also fail.
    • This event is also not seen in syslog, but in nslog.

```shell
# Go to the nslog directory on the ADC shell
cd /var/nslog

# Event records: monitor probe results for the StoreFront FQDN show up here
nsconmsg -K newnslog -d event

# Console messages from the same log
nsconmsg -K newnslog -d consmsg
```

 

Should be in the "event" log, and look for monitor probe results pointing the <storefront fqdn> you listed in your session policy.

 

To troubleshoot Gateway issues with authentication/authorization or other config issues, view syslog:

```shell
# Go to the syslog directory on the ADC shell
cd /var/log

# Follow live events, dropping the audited command entries (CMD_EXEC)
tail -f ns.log | grep -v CMD_EXEC

# Page through the existing log with the same filter
more ns.log | grep -v CMD_EXEC
```

 

This will show all events as they occur, minus the audited commands; gateway events can include AAA, TCP and VPN events.

If you get as far as launch requests, storefront issues and sta redemption issues will also show up in syslog.

 

Final thing if you've checked all the gateway and storefront configs is to run a trace to see where in the process you are.

But the issue sounds like the session policy isn't actually configured for ICA Proxy, an SSO handoff issue that might require a traffic policy too, or the storefront probe issue on the gateway.

 

 

 

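A small cross-check of the two sides of this setup, following the checklist in the post above. This is an added example, not code from the post or from Citrix; the field names and sample values are my own assumptions, constructed to show the mismatches the post calls out (source IP set to the SNIP instead of the VIP, and STA lists that differ between Gateway and StoreFront).

```python
"""Cross-check a Gateway session profile against the StoreFront gateway
definition. Added example, not from the post or Citrix; the field names
and sample values below are my own assumptions."""
from urllib.parse import urlparse

# Constructed Gateway-side values (session profile plus vserver addressing)
GATEWAY = {
    "fqdn": "gateway.demo.com",
    "vip": "203.0.113.10",      # vpn vserver VIP
    "snip": "10.0.0.5",         # subnet IP the NetScaler sources probes from
    "ica_proxy": "ON",
    "storefront_url": "https://storefront.demo.com/Citrix/Store-1Web",
    "sso_domain": "demo",
    "authorization": "ALLOW",
    "stas": ["https://ddc1.demo.local", "https://ddc2.demo.local"],
}
# Constructed StoreFront-side gateway definition with two common mistakes
STOREFRONT = {
    "gateway_url": "https://gateway.demo.com",
    "source_ip": "10.0.0.5",    # SNIP entered where the VIP belongs
    "stas": ["https://ddc1.demo.local"],  # does not match the Gateway list
    "callback_url": "",         # blank is fine unless advanced features need it
}

def check_integration(gw, sf):
    """Return the list of mismatches; an empty list means both sides agree."""
    findings = []
    if gw["ica_proxy"] != "ON":
        findings.append("Gateway: ICA Proxy must be ON in the session profile")
    u = urlparse(gw["storefront_url"])
    if u.scheme != "https" or not u.path.startswith("/Citrix/") or not u.path.endswith("Web"):
        findings.append("Gateway: StoreFront address should be https://<sf-fqdn>/Citrix/<Store>Web")
    if not gw["sso_domain"]:
        findings.append("Gateway: SSON domain is empty")
    if gw["authorization"] != "ALLOW":
        findings.append("Gateway: default authorization action is not ALLOW")
    if urlparse(sf["gateway_url"]).hostname != gw["fqdn"]:
        findings.append("StoreFront: gateway URL does not match the FQDN users connect to")
    if sf["source_ip"] != gw["vip"]:
        findings.append("StoreFront: source IP must be the vpn vserver VIP, not a SNIP")
    if set(sf["stas"]) != set(gw["stas"]):
        findings.append("STA lists differ between Gateway and StoreFront")
    if sf["callback_url"] and urlparse(sf["callback_url"]).hostname != gw["fqdn"]:
        findings.append("StoreFront: callback URL should be blank or the Gateway FQDN")
    return findings

if __name__ == "__main__":
    for f in check_integration(GATEWAY, STOREFRONT):
        print("MISMATCH:", f)
```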

Ken and Rhonda, thank you for your replies!
I attempted the TrustRequestsSentToTheXmlServicePort but it did not seem to make any difference.

Rhonda thank you for the detailed breakdown on how this is supposed to work and be setup together.

I think I've gotten most of this correct but would like to go back and verify it.  On the following, where do I go to set the source IP?
Create Gateway definition:

Set Gateway display name

Set Gateway FQDN which matches the name users use to get to Gateway:  https://gateway.demo.com

Set source ip of Gateway to Gateway VIP (not SNIP)

StoreFront version is showing 1912.0.0.40
ADC VPX (50)/Gateway appliance is running on release NS13.1 42.47.nc


I'm not sure if this helps, but this is supposed to be a fairly basic setup from what I was told.
Only 1 STA and 1 Gateway (both are on the ADC).
 

Thank you again and have a great day!

 


On the StoreFront, when you configure the Gateway definition, there is a point where it asks you for a SNIP, VIP or other, then you need to tell StoreFront what the GATEWAY VPN VSERVER VIP is.  VIP is needed instead of SNIP in case you are using your NetScaler to load balance StoreFront too. So look at your vpn vserver (or cs vserver if using unified gateway) and specify the VIP you assigned to your Gateway vserver in this field on the StoreFront when defining the Gateway configuration.  StoreFront has to know about Gateway.

 

The STA is specified on the Gateway, but must point to the CVAD controller acting as the STA.  StoreFront must have the same STA listed.

Usually you don't want a single point of failure for StoreFront XML brokers (CVAD controller list) or the StoreFront list/Gateway list of STAs (also CVAD controllers).

 

The trustxmlbrokers setting IS NOT needed on the controllers unless you are using SmartAccess (gateway passthrough of policies to CVAD) or certain advanced authentication methods. It won't necessarily hurt; but it's not the reason for your issue either.
