Solved

Citrix Access Gateway Secure Access Issue

Posted on 2013-11-07
Last Modified: 2013-11-13
Up until the night before last we were running a XenApp 6.5 server on Windows 2008 R2 servers using Citrix Access Server and the Web Interface with no issues using Gateway Direct as the default access method.  Came in yesterday morning and no one could access the farm, as in no credentials were valid.  I changed the access method to direct and the XML transport to HTTP from SSL Relay and internal users can access, but external users can't. I've unregistered and registered the XML service on all of the XenApp servers.  I've run a repair on the sites.  I've re-run the configuration.  Can't figure this one out.  Any ideas?
Question by:dabneym

12 Comments
LVL 22

Expert Comment

by:Matt V
ID: 39634728
You need to add secure access rules on the web interface that make the access method gateway direct for everyone except your directly connected networks.  Direct will only work for internal users bypassing the gateway.
LVL 22

Expert Comment

by:Matt V
ID: 39634743
This is what I am talking about:
webirules.png

Author Comment

by:dabneym
ID: 39634756
What secure access rules?  It was working perfectly the way I had it with gateway direct and it stopped. I hadn't changed anything. It just stopped working.  I put it all back the way it was and no one can authenticate externally or internally.

Author Comment

by:dabneym
ID: 39634765
Sorry, I read "That's what I'm talking about.."  and didn't see the attachment, crazy day...  I didn't have those rules before.  Assumption I'm making, the 172.x.x.x  is routable, so that would be external and you have that as direct.  10.x.x.x is not routable  so that would be internal and you have that as gateway direct.  Is that correct?
LVL 22

Expert Comment

by:Matt V
ID: 39634883
Opposite actually.  The 172.x.x.x are our internal networks.  They hit the web interface directly.

The 10.199.199.0 is the DMZ IP.

What you want to do is set the default to Gateway Direct, and then specify the internal networks that will be direct.  Then adjust the order so the default is last.
LVL 23

Assisted Solution

by:Coralon
Coralon earned 500 total points
ID: 39635154
First thing you need to do is to be sure how the firewall is presenting the ip address to the gateway.  

Some firewalls present the real source address, others present the ip address of the firewall itself as the source.   That is what determines how your default address is set.  The rules are based on how the gateway sees the XML services and ICA services of the farm.  

If it presents the real source, then your default needs to be set to gateway direct.
If it presents itself, then you set that address as gateway direct, and then add your subnets as direct or possibly gateway direct as needed.  

Based on your description, do you control the firewall?  Is there any possibility that the firewall got changed?

Coralon

Author Comment

by:dabneym
ID: 39639731
I do control the firewall, but so do two other people, one of which was off-site working at one of our remotes.  He claims he didn't touch anything, but timing is a bit skeptical.  I have the firewall set so that if you're having a DNS issue you can access by IP, so the firewall is presenting the source address.   I added that and we're getting cut off as not able to connect to server.
LVL 23

Accepted Solution

by:Coralon
Coralon earned 500 total points
ID: 39640529
Ok, if the firewall is presenting the source address, then you'll set gateway direct as your default, and set your internal LANs as direct rules.  

But, I'd also do a telnet test to each of the ports from the firewall to the XA servers (1494, 2598, XML 80/443?, etc.) to make sure they pass through.

From a known system, I would also change the file association for .ica files to notepad, and try to launch it.   You'll open the launch.ica file, and see what address it is giving you (or connect string for a gateway launch). And verify your DNS settings.

Coralon
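The two checks Coralon describes above (reading the address or gateway connect string out of launch.ica, and a port test against the XenApp servers) as a small script; this is an added example, not code from the thread. The launch.ica sample is constructed (made-up host names and IPs), and the Address/SSLEnable/SSLProxyHost keys are the standard ICA file entries the Web Interface writes.

```python
import configparser
import socket

# Constructed sample launch.ica (host names and IPs are made up). With access method
# Direct the client connects to Address; with Gateway Direct it tunnels through SSLProxyHost.
SAMPLE_LAUNCH_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.5.21:1494
SSLEnable=On
SSLProxyHost=gateway.example.test:443
"""

# Ports from the telnet test above: ICA, Session Reliability (CGP), XML over HTTP/HTTPS.
XENAPP_PORTS = {"ICA": 1494, "CGP": 2598, "XML-HTTP": 80, "XML-HTTPS": 443}


def parse_launch_ica(text: str) -> dict:
    """Return the published app, its server address and the gateway connect string
    (None when the file is not a gateway launch), so a wrong or missing value can be
    traced back to the Secure Access rules on the Web Interface."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(text)
    apps = list(cfg["ApplicationServers"])  # one key per published app
    if not apps:
        return {"app": None, "address": None, "gateway": None}
    sect = cfg[apps[0]]
    gateway = sect.get("SSLProxyHost") if sect.get("SSLEnable", "").lower() == "on" else None
    return {"app": apps[0], "address": sect.get("Address"), "gateway": gateway}


def probe_ports(host: str, ports=XENAPP_PORTS, timeout: float = 2.0) -> dict:
    """TCP-connect to each port and report reachability: the scripted 'telnet host port'."""
    results = {}
    for label, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[label] = True
        except OSError:
            results[label] = False
    return results


def selftest_probe() -> bool:
    """Open a local listener and confirm probe_ports reports it open (runs offline)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe_ports("127.0.0.1", {"l": srv.getsockname()[1]}, 1.0)["l"]
```

Run probe_ports() against each XenApp server from the firewall side; a False for 1494 or 2598 with a correct launch.ica points at the path between gateway and farm rather than at the Web Interface.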

Author Comment

by:dabneym
ID: 39640545
I think something else is going on here.  Today, our internal users who have been OK, are now unable to launch apps.  They can log on but can no longer launch apps.  I guess I have to change the admin pwd, just to make sure no one else is logging in.    I have it set up as you've suggested and have had the .ica opening up in Notepad all along just to see if it was one server having issues or all of them.  Still no external connections.

Author Comment

by:dabneym
ID: 39640557
Moved past part of the issue.  Now have external and internal users basically at the same point.  Prior to last week, users could access using only http.  On a whim, and why I didn't try earlier, I don't know, I used https, now I can get to the published apps page.  Launching an app, I get "Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. Network issues are preventing your connection...".   I'll make Google my friend.

Author Comment

by:dabneym
ID: 39645810
At the end of the day, believe it or not, this ended up being corrupted STAs.  I renamed the ones we had to .old, copied fresh ctxsta.dll from install media and up we go.  We have four STA servers, so the possibility of them all having an issue is strange to me, but we're up and going and only have Gateway Direct as our Access Method.

Author Closing Comment

by:dabneym
ID: 39645814
Although the solution appears to be something else, your direction led me to look at other things.  Thank you.