Citrix XML Service DNS Address Resolution & Access Gateway Enterprise SSL error 38
Posted on April 9th, 2010
I recently set up a Citrix Access Gateway Enterprise solution on a pair of netscaler 7000 devices running v9.1 build 101.5.
It was set up in traditional ‘smart access’ configuration and the Web Interface site was configured for 3 seperate farms – XenApp4.5, XenDesktop 4 & Presentation Server 4.0.
Launching sessions through the CAG for the XenApp farm was fine, but I was getting an SSL error 38 – The proxy denied access to message for the other two farms.
In checking the settings I noticed that the farms that produced the error had the ‘XML Service DNS address resolution’ option selected in the farm properties.
Unselecting this option enabled remote connections to work as normal, however this option was required and needed to be re-enabled.
It turns out that the firewall rules had not been set up properly from the DMZ to the DNS servers, so the Netscaler devices were unable to perform DNS lookups. As soon as the Firewall settings were resolved, the Netscalers could perform DNS lookups and resolved the problem.
Tags: CAG Enterprise, Citrix Netscaler, DNS, ssl error 38, the proxy denied access to, XML Service DNS Address resolution
Filed under Citrix Access Gateway, Citrix Netscaler | No Comments »
Access Gateway Enterprise – ‘page not found’ due to incorrect certificate type
Posted on February 27th, 2010
I recently came across this problem at a site.
They had an internally generated certificate from their company Root CA. The certificate request was generated and then the cert was applied to the Netscaler 7000 device in the usual way.
When a client device made a connection to the Access Gateway Enterprise site, the browser simply showed a page cannot be displayed message.
Removing the Root CA from the client device was enough to prove that the connection was reaching the Netscaler as it then came up with the certificate warning message, but continuing this also showed page cannot be displayed.
It turns out that an internal documented process for this client was incorrect and the security team had issued an incorrect certificate. Rather than issuing a “webserver” type certificate, they issued an “SSL tunnel terminaltion” certificate. However, because it was still a valid certificate the netscaler showed it as valid – However, it wasn’t valid for the Access Gateway Enterprise connection through and this is why the page cannot be displayed message appeared.
Re-issuing the correct certificate type from the csr request and reapplying to the Netscaler was enough to resolve this.
Note: be careful to double check the cert type being issues by an internal CA.
Tags: Access Gateway, CAG EE, CAG Enterprise, cert, certificate, Citrix Netscaler, enterprise, page cannot be found
Filed under Citrix Access Gateway, Citrix Netscaler | No Comments »
Web Interface 5.2 Client deployment
Posted on February 24th, 2010
Web Interface 5.2 uses a different folder structure for auto client deployment.
During the installation of Web Interface it asks for the clients folder and copies this to the website location however if it copies from the clients folder on an older XenApp CD/DVD the copied structure is wrong and must be changed to work properly. Also if WI is upgraded from a previous version the structure is not changed.
However, If copied from the XenApp 5 Feature Pack 2 CD the structure is correct, but most users would be upgrading from a previous version and therefore have to fix this afterwards.
The new folder structure is as follows:
C:\Program Files (x86)\Citrix\Web Interface\Version\Clients
* \de\Unix
Place the Clients for UNIX installation files (solaris.tar.Z, sol86.tar.Z) with German language support in this folder.* \en\Unix
Place the Clients for UNIX installation files (solaris.tar.Z, sol86.tar.Z) with English language support in this folder.* \es\Unix
Place the Clients for UNIX installation files (solaris.tar.Z, sol86.tar.Z) with Spanish language support in this folder.* \fr\Unix
Place the Clients for UNIX installation files (solaris.tar.Z, sol86.tar.Z) with French language support in this folder.* \ja\Unix
Place the Clients for UNIX installation files (solaris.tar.Z, sol86.tar.Z) with Japanese language support in this folder.* \Java
Place the Client for Java files in this folder.* \Linux
Place the Citrix Receiver for Linux installation file (linuxx86-11.0.140395.tar.gz) in this folder.* \Mac\Web Online Plug-in
Place the Citrix online web plug-in for Macintosh installation file (Citrix online plug-in (web).dmg) in this folder.* \Windows\Offline Plug-in
Place the Citrix offline plug-in installation file (CitrixOfflinePlugin.exe) in this folder.* \Windows\Online Plug-in
Place the Citrix online plug-in web installation file (CitrixOnlinePluginWeb.exe) in this folder.
The following resources are useful:
Citrix Document Library: To copy the client files to the Web Interface on Microsoft IIS
CTX123420: How to Deploy the CitrixOnlinePluginWeb.exe Client 11.2 on Web Interface 5.2
Innitech Blog: Web Interface 5.2 ICA Client Auto Deployment
Citrix Forum posts: Thread: How to auto deploy client from WI 5.2
Tags: 5.2, Client, deployment, plug-in, web interface
Filed under Citrix Web Interface | No Comments »
Web Interface 5.2 will not launch apps from Presentation Server 4.0 Farm
Posted on February 8th, 2010
Web Interface 5.2 is not set up by default to allow the launching of applications from a Presentation Server 4.0 farm.
This is true for Web Interface and PNAgent sites.
The errors shown are:
PNAgent: Citrix XenApp could not contact the server. Please check your network connection
WI: The remote server failed to execute the application launch request. Please contact your administrator for further details
To allow the launching of applications from these legacy farms the following change must be made:
- Edit the webinterface.conf file for that site
- Locate the entry for # RequireLaunchReference=On
- Remove the # and change to RequireLaunchReference=Off
Detailed in ctx123003
Tags: 4.0, 5.2, legacy farm, RequireLaunchReference, RequireLaunchReference=Off, RequireLaunchReference=On, web interface
Filed under Citrix Web Interface | No Comments »
Web Interface 5.2 breaks Citrix Desktop Viewer
Posted on January 29th, 2010
When connecting to XenApp Servers or XenDesktop provisioned Desktops the Citrix Desktop Viewer (part of the 11.x clients) enables the small bar at the top of the session to quickly allow the connection of USB devices or to dynamically change the resolution by adjusting the window size.
Even if you have this later client (11.X), the desktop viewer will not be active for session initiated via Web Interface 5.2
The way to enable this is to manually edit the webinterface.conf file for the WebSite and change the following line:
# ShowDesktopViewer=Off
Change it to the following:
ShowDesktopViewer=On
The Desktop viewer will now be enabled for connections.
Tags: 11.2, 11.x, 5.2, desktop viewer, ShowDesktopViewer, ShowDesktopViewer=Off, ShowDesktopViewer=On, web interface, webinterface.conf
Filed under Citrix Web Interface | 2 Comments »