Solved

Citrix Access Gateway Secure Access Issue

Posted on 2013-11-07
3,444 Views
Last Modified: 2013-11-13
Up until the night before last we were running a XenApp 6.5 server on Windows 2008 R2 servers using Citrix Access Gateway and the Web Interface with no issues, using Gateway Direct as the default access method. Came in yesterday morning and no one could access the farm, as in no credentials were valid. I changed the access method to Direct and the XML transport to HTTP from SSL Relay, and internal users can access, but external users can't. I've unregistered and registered the XML service on all of the XenApp servers. I've run a repair on the sites. I've re-run the configuration. Can't figure this one out. Any ideas?
Question by:Michelle Dabney
12 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 39634728
You need to add secure access rules on the web interface that make the access method gateway direct for everyone except your directly connected networks.  Direct will only work for internal users bypassing the gateway.
0
 
LVL 22

Expert Comment

by:Matt V
ID: 39634743
This is what I am talking about:
webirules.png
0
 

Author Comment

by:Michelle Dabney
ID: 39634756
What secure access rules? It was working perfectly the way I had it with Gateway Direct and it stopped. I hadn't changed anything. It just stopped working. I put it all back the way it was and no one can authenticate externally or internally.
0
 

Author Comment

by:Michelle Dabney
ID: 39634765
Sorry, I read "That's what I'm talking about..." and didn't see the attachment, crazy day... I didn't have those rules before. Assumption I'm making: the 172.x.x.x is routable, so that would be external, and you have that as Direct. 10.x.x.x is not routable, so that would be internal, and you have that as Gateway Direct. Is that correct?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 39634883
Opposite, actually. The 172.x.x.x are our internal networks. They hit the Web Interface directly.

The 10.199.199.0 is the DMZ IP.

What you want to do is set the default to Gateway Direct, and then specify the internal networks that will be direct.  Then adjust the order so the default is last.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 1500 total points
ID: 39635154
The first thing you need to do is to be sure how the firewall is presenting the IP address to the gateway.

Some firewalls present the real source address, others present the IP address of the firewall itself as the source. That is what determines how your default address is set. The rules are based on how the gateway sees the XML services and ICA services of the farm.

If it presents the real source, then your default needs to be set to Gateway Direct.
If it presents itself, then you set that address as Gateway Direct, and then add your subnets as Direct or possibly Gateway Direct as needed.

Based on your description, do you control the firewall?  Is there any possibility that the firewall got changed?

Coralon
0
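The two comments above describe the same mechanism from different angles: Web Interface access rules are matched in order, the catch-all default must sit last, and the address the rule engine sees is whatever the firewall presents (the real client source or the firewall's own address). The following is an added illustration, not Citrix code or anything from the thread's author; the subnets, the DMZ address and the method names are constructed to mirror the discussion (172.16.0.0/12 internal, 10.199.199.0/24 DMZ), and the `None` network is a stand-in for the Web Interface's default rule.

```python
"""First-match evaluation of Web Interface style access rules (added example).

A rule is (network, method); network None is the catch-all default.
Because matching stops at the first hit, a default placed anywhere but last
shadows every rule after it, which is exactly the "adjust the order so the
default is last" advice in the thread.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[Optional[str], str]  # (CIDR or None for default, access method)


def access_method(client_ip: str, rules: List[Rule]) -> str:
    """Return the access method of the first rule containing client_ip.

    client_ip is the address *as the Web Interface sees it*: the real client
    source if the firewall forwards it, or the firewall/DMZ address if the
    firewall substitutes its own.
    """
    ip = ipaddress.ip_address(client_ip)
    for network, method in rules:
        if network is None or ip in ipaddress.ip_network(network):
            return method
    raise ValueError("no rule matched and no default rule present")


def validate_rule_order(rules: List[Rule]) -> List[str]:
    """Return warnings for rules that can never match because a default precedes them."""
    warnings = []
    seen_default = False
    for idx, (network, method) in enumerate(rules):
        if seen_default:
            warnings.append(f"rule {idx} ({network} -> {method}) is unreachable: default rule is above it")
        if network is None:
            seen_default = True
    if not seen_default:
        warnings.append("no default rule: unmatched clients will be rejected")
    return warnings


# Constructed rule sets (assumed values, not from the thread's configuration).
# Internal LAN direct, DMZ/firewall address Gateway Direct, default Gateway Direct last.
GOOD_RULES: List[Rule] = [
    ("172.16.0.0/12", "Direct"),
    ("10.199.199.0/24", "Gateway Direct"),
    (None, "Gateway Direct"),
]

# Same rules with the default first: the internal rule is shadowed and every
# internal user is pushed through the gateway.
BAD_RULES: List[Rule] = [
    (None, "Gateway Direct"),
    ("172.16.0.0/12", "Direct"),
]


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, "internal 172.20.5.9 ->", access_method("172.20.5.9", rules))
        print(label, "external 203.0.113.7 ->", access_method("203.0.113.7", rules))
        print(label, "firewall-as-source 10.199.199.5 ->", access_method("10.199.199.5", rules))
        for w in validate_rule_order(rules):
            print(label, "warning:", w)
```

Running it shows why the order matters: with `GOOD_RULES` an internal client gets `Direct` and an external one `Gateway Direct`, while with `BAD_RULES` everyone, including internal users, is routed via the gateway and `validate_rule_order` flags the shadowed rule.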
 

Author Comment

by:Michelle Dabney
ID: 39639731
I do control the firewall, but so do two other people, one of which was off-site working at one of our remotes. He claims he didn't touch anything, but the timing is a bit suspicious. I have the firewall set so that if you're having a DNS issue you can access by IP, so the firewall is presenting the source address. I added that and we're getting cut off as not able to connect to server.
0
 
LVL 25

Accepted Solution

by:Coralon
Coralon earned 1500 total points
ID: 39640529
Ok, if the firewall is presenting the source address, then you'll set Gateway Direct as your default, and set your internal LANs as Direct rules.

But I'd also do a telnet test to each of the ports from the firewall to the XA servers (1494, 2598, XML 80/443?, etc.) to make sure they pass through.

From a known system, I would also change the file association for .ica files to Notepad, and try to launch it. You'll open the launch.ica file and see what address it is giving you (or the connect string for a gateway launch). And verify your DNS settings.

Coralon
0
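The two checks in the accepted answer, the port test from the firewall side to each XenApp server and reading the address out of a `launch.ica`, can be scripted so they are repeatable during an outage. The block below is an added example, not Citrix tooling or the thread's own commands; the server names are placeholders, the port names beside the numbers from the thread are the usual assignments (1494 ICA, 2598 session reliability, 80/443 XML service) and the two `launch.ica` bodies are constructed to show one gateway launch and one direct launch.

```python
"""Port reachability and launch.ica inspection for XenApp troubleshooting (added example).

check_servers() performs the telnet-style TCP connect test per server and port;
parse_launch_ica() pulls the server address and gateway connect settings that
opening launch.ica in Notepad would show.
"""
import configparser
import socket
from typing import Dict, Iterable, Optional, Tuple

# Ports named in the thread; the labels are the conventional assignments.
XENAPP_PORTS = {"ICA": 1494, "CGP": 2598, "XML-HTTP": 80, "XML-HTTPS": 443}


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False


def check_servers(hosts: Iterable[str], ports: Dict[str, int] = XENAPP_PORTS,
                  timeout: float = 3.0) -> Dict[str, Dict[str, bool]]:
    """Connect test for every (host, port) pair; run it from the firewall/DMZ side."""
    return {h: {name: check_port(h, p, timeout) for name, p in ports.items()} for h in hosts}


def open_local_listener() -> Tuple[socket.socket, int]:
    """Test helper: a listening socket on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def parse_launch_ica(text: str) -> Dict[str, Optional[str]]:
    """Return the application section's Address and gateway settings from a launch.ica body.

    launch.ica is INI-like: [ApplicationServers] lists the app name, and a
    section of that name carries Address=, SSLEnable= and SSLProxyHost=.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    info: Dict[str, Optional[str]] = {"app": None, "address": None,
                                      "ssl_enable": None, "ssl_proxy_host": None}
    for app in cp["ApplicationServers"]:
        if cp.has_section(app):
            sec = cp[app]
            info["app"] = app
            info["address"] = sec.get("Address")            # server IP:port, or an STA ticket
            info["ssl_enable"] = sec.get("SSLEnable")
            info["ssl_proxy_host"] = sec.get("SSLProxyHost")  # gateway connect string
            break
    return info


def launch_path(info: Dict[str, Optional[str]]) -> str:
    """'gateway' when the client is told to connect via SSLProxyHost, else 'direct'."""
    if info["ssl_proxy_host"] and (info["ssl_enable"] or "").lower() == "on":
        return "gateway"
    return "direct"


# Constructed launch.ica bodies (not captured from any real farm).
SAMPLE_GATEWAY_ICA = """[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.21:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
SSLEnable=On
SSLProxyHost=gateway.example.test:443
"""

SAMPLE_DIRECT_ICA = """[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.21:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
"""


if __name__ == "__main__":
    for name, body in (("gateway", SAMPLE_GATEWAY_ICA), ("direct", SAMPLE_DIRECT_ICA)):
        info = parse_launch_ica(body)
        print(name, "launch.ica ->", launch_path(info), info)
    # Placeholder server names; replace with the real XA servers when running from the firewall.
    print(check_servers(["xa01.example.test"], timeout=1.0))
```

A `False` in the `check_servers` result for 1494/2598 against a server that works internally points at the firewall path rather than the farm, which is the distinction the answer is drawing; a `launch.ica` that resolves to `direct` for an external client means the access rules handed out an internal address the client cannot reach.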
 

Author Comment

by:Michelle Dabney
ID: 39640545
I think something else is going on here. Today, our internal users, who have been OK, are now unable to launch apps. They can log on but can no longer launch apps. I guess I have to change the admin pwd, just to make sure no one else is logging in. I have it set up as you've suggested and have had the .ica opening up in Notepad all along, just to see if it was one server having issues or all of them. Still no external connections.
0
 

Author Comment

by:Michelle Dabney
ID: 39640557
Moved past part of the issue. Now have external and internal users basically at the same point. Prior to last week, users could access using only http. On a whim, and why I didn't try earlier I don't know, I used https, and now I can get to the published apps page. Launching an app, I get "Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. Network issues are preventing your connection...". I'll make Google my friend.
0
 

Author Comment

by:Michelle Dabney
ID: 39645810
At the end of the day, believe it or not, this ended up being corrupted STAs. I renamed the ones we had to .old, copied a fresh ctxsta.dll from the install media, and up we go. We have four STA servers, so the possibility of them all having an issue is strange to me, but we're up and going and only have Gateway Direct as our access method.
0
 

Author Closing Comment

by:Michelle Dabney
ID: 39645814
Although the solution appears to be something else, your direction led me to look at other things. Thank you.
0
