Richard Cowan1709159918

Posts posted by Richard Cowan1709159918

  1. I had this issue when we were upgrading 13.0 in July, but I have upgraded it to 13.1 51.15 to rule out any 13.0 bugs. I have the list of IPv4 addresses mentioned in this document:

    Optimizing NetScaler Gateway VPN split tunnel for Office365

    NetScaler VPN is set up using reverse split tunnel. When you connect to the VPN and launch Teams you can message other people sometimes, but you can't make calls or share screen. Do I need to add the IPv6 addresses as well? And any advice on how to investigate what would be blocking this?

  2. 3 hours ago, Steven Miller1709158406 said:

    We are on 13.0 build 83.27 and seeing issues with RDP connections from a small subset of remote users.

    If we upgrade to build 83.29, are we still insulated from that critical CVE from November?

    The upgrade to 29 has the bug fix for the RDP and latest patches.

  3. Users are hitting the gateway, logging in using Azure MFA, and are able to launch the desktop. If they are in StoreFront and just leave it to time out, it logs out, leaving you back at a button that says "Log On". You click that and it logs you into StoreFront again without authenticating. This is a major security issue for shared PCs in an office.

    I changed the web.config in StoreFront so the timeout doesn't disconnect but logs out. In my tests I logged out of StoreFront and it stopped me from accessing when I hit the Log On button, and instead told me to close the browser window.

    Any guidance much appreciated.

  4. My frustration is clear on this one. I am coming in remotely and hitting the NetScaler (12.1, latest firmware), which has the Azure SAML policy set up, so off it goes to Azure and the MFA works perfectly, then back to the NetScaler and on to StoreFront. This is where we get the "Cannot complete request" error.

    The error message on StoreFront is:

    A CitrixAGBasic Login request has failed.
    Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null
    Authenticate encountered an exception.
       at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
       at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

    System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    The remote server returned an error: (403) Forbidden.
    Url: https://127.0.0.1/Citrix/CitrixMFAAuth/CitrixAGBasic/Authenticate
    ExceptionStatus: ProtocolError
    ResponseStatus: Forbidden
       at System.Net.HttpWebRequest.GetResponse()
       at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
       at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
       at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

    I've checked all the settings and certificates and they all look good. I can log into the store internally, so this only happens externally. Any advice very welcome.

  5. Thanks for the details on the ignore case. I had thought about that but checked the user was using lower case, and then changed it to AAA.LOGIN.RELAYSTATE.EQ("https://myapps.example.com/") || AAA.LOGIN.RELAYSTATE.EQ("https://remote.example.com/"), but no luck.

    I've set up a test tomorrow for the users that have issues and a couple who haven't, to add the Chrome extension SAML Message Decoder. This gets me the RelayState, although when I decrypt mine I get ns_policy=policynamehttps://myapps.example.com/

    Hoping I can find the smoking gun tomorrow. Thanks for the other info.

  6. I have a setup where they can come in from remote.example.com or myapps.example.com. The remote.example.com gets forwarded by DNS to myapps.example.com. This then hits the NetScaler on firmware 12.1 62.25. On the latest release I added the new RelayState rule recommended by Citrix on the SAML policy (the NetScaler is the SP and my1login is the IdP).

    The rule I added was:

    AAA.LOGIN.RELAYSTATE.CONTAINS_ANY("samlaccess")

    added patset samlaccess

    bind patset samlaccess "https://myapps.example.com/"

    bind patset samlaccess "https://remote.example.com/"

    I tested and for me it worked, but the next day I had a select set of users getting the RelayState error message below:

    "RelayState in Response does not match with rule in Action. Please contact your administrator"

    Now I know I can use a Chrome extension to see the RelayState, but can this be found in the Citrix ADC logs anywhere? I'd like to see what it failed on so I can modify the rule.

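Added example, not code from this thread or from Citrix: a Python model of the two RelayState checks discussed in posts 5 and 6, showing why the exact EQ comparison fails once the decoded RelayState carries an ns_policy=<name> prefix in front of the URL while the CONTAINS_ANY patset rule matches, with a stricter scheme-and-host comparison alongside for contrast. The prefix format, the policy name SAML_POL_AZURE and all sample RelayState values are constructed assumptions, not NetScaler internals.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the "samlaccess" patset bound on the ADC in post 6.
SAMLACCESS_PATSET = (
    "https://myapps.example.com/",
    "https://remote.example.com/",
)

# Post 5's decoder showed "ns_policy=<policyname>" directly in front of the URL.
# The prefix format is an assumption; strip "ns_policy=<anything>" up to the URL.
_NS_POLICY_PREFIX = re.compile(r"^ns_policy=[^\s]*?(?=https?://)")

# Constructed sample RelayState values (the policy name SAML_POL_AZURE is made up).
SAMPLE_RELAYSTATES = (
    "https://myapps.example.com/",
    "ns_policy=SAML_POL_AZUREhttps://myapps.example.com/",
    "ns_policy=SAML_POL_AZUREhttps://remote.example.com/",
    "ns_policy=SAML_POL_AZUREhttps://other.example.org/?ref=https://myapps.example.com/",
)

def relaystate_eq(relaystate: str, patterns=SAMLACCESS_PATSET) -> bool:
    """Models AAA.LOGIN.RELAYSTATE.EQ(a) || AAA.LOGIN.RELAYSTATE.EQ(b): whole-string match."""
    return relaystate in patterns

def relaystate_contains_any(relaystate: str, patterns=SAMLACCESS_PATSET) -> bool:
    """Models AAA.LOGIN.RELAYSTATE.CONTAINS_ANY("samlaccess"): substring match."""
    return any(p in relaystate for p in patterns)

def relaystate_url(relaystate: str) -> str:
    """Return the URL part of the RelayState with any ns_policy=<name> prefix removed."""
    return _NS_POLICY_PREFIX.sub("", relaystate, count=1)

def relaystate_origin_allowed(relaystate: str, patterns=SAMLACCESS_PATSET) -> bool:
    """Stricter check: scheme and host of the URL part must equal an allowed entry."""
    url = urlsplit(relaystate_url(relaystate))
    allowed = {(urlsplit(p).scheme, urlsplit(p).netloc.lower()) for p in patterns}
    return (url.scheme, url.netloc.lower()) in allowed

def evaluate(relaystate: str) -> dict:
    """Run all three checks so their differences can be compared side by side."""
    return {"eq": relaystate_eq(relaystate),
            "contains_any": relaystate_contains_any(relaystate),
            "origin_allowed": relaystate_origin_allowed(relaystate)}

if __name__ == "__main__":
    for rs in SAMPLE_RELAYSTATES:
        print(f"{rs}\n    {evaluate(rs)}")
```

The last sample shows the trade-off: a substring rule accepts any RelayState that merely contains an allowed URL, whereas comparing the parsed host rejects it.
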
  7. I've been working on a setup where we have moved to Citrix Cloud and set up Citrix Gateway using Azure MFA. All has been working well until users got this message, "There was a failure with the mapped account", when logging in.

    So it corrected itself after an hour and everyone can get in. I checked Azure sync for errors and found none, checked StoreFront and couldn't find any errors that could point at this. My understanding is that this is caused by the SAML token. Normally I'd expect to hit the NetScaler and look through the ns.log to see the SAML request to the IdP (Azure AD) and then the message back showing a success.

    Has anybody any guidance on how to view logs on the Citrix Cloud gateway?

  8. I am setting up a NetScaler as the SP with my1login as the IdP. I can confirm I have that part working successfully, but when I get to StoreFront I get the "Cannot complete request" error. In the event logs I am getting this error, event ID 10:

    A CitrixAGBasic Login request has failed.
    Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.12.0.0, Culture=neutral, PublicKeyToken=null
    Authenticate encountered an exception.
       at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
       at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

    System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    The remote server returned an error: (403) Forbidden.
    Url: https://127.0.0.1/Citrix/Remote_MFAAuth/CitrixAGBasic/Authenticate
    ExceptionStatus: ProtocolError
    ResponseStatus: Forbidden
       at System.Net.HttpWebRequest.GetResponse()
       at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
       at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
       at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

    and event ID 2:

    Access is denied. Contact your system administrator.
    Citrix.DeliveryServices.Security.Authentication.Exceptions.MissingDomainException, Citrix.DeliveryServices.Security, Version=3.12.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856
    The domain of the credential cannot be determined.
       at Citrix.DeliveryServices.Security.Authentication.UserInfo.Parse(String username, String domain, String defaultDomain, String password, Nullable`1 passwordExpired)
       at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.AuthenticateWithoutPassword(String username, String domain, AccessInfo accessInfo)
       at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.Authenticate()

    Any help is greatly appreciated.

  9. I have my virtual gateway, but I want to only allow a certain set of users access if they have a managed laptop and they are using the browser and not Citrix Receiver to log in. The reason for this is to stop a user picking their iPhone up and logging into the Citrix desktop. However, I have other users that are allowed to get access no matter what they choose to use.

    I had debated a responder policy, so:

    HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Win")

    which I think will work, or just have the responder policy bound to the AAA group MyADGroup with REQ.HTTP.HEADER User-Agent CONTAINS Win. I was looking at EPA as a way to find out if it was a managed computer, or if that was required. I haven't set up EPA before, but I am still reading about the possibility of setting up a post-authentication policy bound to the AAA group.

    I am hoping someone might have set this up before. I wasn't sure if EPA was the way to go, as it's for a small set of users and I am guessing that the EPA software will need to be downloaded to everyone rather than just to a specific AD group.

    I hope I explained that well enough.
