Sonicwall 500V loads Citrix Storefront but apps won't run

Last Modified: 2020-05-11
We purchased the 500v so our remote users could access our system apps remotely via web-only access (no client install needed). This works great. Loading external websites is fine, and internal ones work but are flaky. Most needed are our Citrix XenApp 7.6 applications (Word, Excel, etc.). Remote users click to open the Citrix bookmark menu, which does what is expected and shows users the available Citrix apps. When clicking on a selected app (Word, for example) the app spins as if it would open, then does nothing. This does work if the virtual office is launched within the local network environment. Only the remote users have this issue.

Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM
CERTIFIED EXPERT

Commented:
The easiest way to accomplish remote Citrix access is through a NetScaler Gateway, which is available as a VM (ADC VPX).
If you are going to use another method, you will need to:
- Establish a VPN from the user's machine to your local network
- Ensure ports 1494 and 2598 are open to ALL your VDAs
- Ensure that the user can get to all of the VDAs.

You *will* need to install the Workspace App (aka Receiver) client to access Citrix applications.
wlasner, CIO

Author

Commented:
We are using a SonicWall Secure Mobile Access appliance 500V. It gets to the StoreFront and displays all the apps. I need to know what route the apps take that they cannot open from that point.
Thanks
Wayne
CERTIFIED EXPERT

Commented:
The SonicWall doesn't recognize the connection attempt from external the way a NetScaler Gateway does.
How would the SonicWall know which server (I think you have more than one) the user must be connected to?
The only way without NetScaler that I know of is VPN ... as already explained by Sam Jacobs.
With VPN there are some more firewall ports:
80 & 443 to StoreFront or load balancer
DNS (because the used VDA is listed by name)
1494 & 2598 TCP & UDP (works without UDP too, but UDP is faster ... especially over VPN)

For your problem ... try to capture the launch.ica file.
Within this file you will find the server name for the ICA/HDX connection.

Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM
CERTIFIED EXPERT

Commented:
@wlasner

Here is a simplified data flow:
When you click on an application, a dynamically-generated ICA file is sent to your PC with the name/IP of the VDA host to connect to.
Your browser will recognize the .ica extension and send it to the ICA client (Workspace App/Receiver), which must already be installed.
The ICA client will attempt to contact the VDA specified in the ICA file, but will not be able to if any of the following are true:
- you don't have all the necessary ports open,
- it cannot resolve the VDA name/IP in the ICA file, or
- for any reason it cannot connect to the VDA.
wlasner, CIO

Author

Commented:
Thank you both. I checked and all ports appear to be set in the firewall. The end user is connected to the SMA 500V. At that point I believe all connections are internal. As mentioned, access to the StoreFront is not a problem. Accessing the VDA is where it seems to get stuck. Host resolution for the VDAs is configured on the SMA 500V. I am close to giving up on this project. SW does not seem to have the resources to assist adequately.
Very frustrating.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM
CERTIFIED EXPERT

Commented:
Sorry that you got stuck with the SW. You can get a basic NetScaler VPX 200 for about $1K (last time I checked).
I don't know how many users you need to service, but it's a good practice to have 2 of everything, and load-balance them for HA purposes (in case one of them fails).
wlasner, CIO

Author

Commented:
500V, free download and only $600 per year for three years. We only have about 20 full-time and another 20 part-time remote users.
I'm sure NetScaler would be less of a headache.

Thanks
Wayne
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM
CERTIFIED EXPERT

Commented:
We can try getting the SW to work ... do you see the ICA file that's downloaded to your PC?
Open it with Notepad, and see what's on the Address line ... that's the server that needs TCP ports 1494/2598 open.
[Attached image: StoreFront---ICA-File.png]
wlasner, CIO

Author

Commented:
Hold on - I just discovered the issue. In the 500V I had to force "Native Mode" for the Citrix access type instead of HTML5. I would rather use HTML5 as it allows opening in a new window. The native mode does not. Users will exit Citrix and close out of the portal.
wlasner, CIO

Author

Commented:
Hi Sam, Citrix is telling me I need an SSL computer cert with private key for each VDA.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM
CERTIFIED EXPERT

Commented:
Maybe when going through the 500V, but not when going through the NetScaler.
Senior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
A firewall is not a replacement for Citrix Secure Gateway, which is a reverse proxy.

You cannot open port 1494 on the firewall and pass traffic without a VPN tunnel that supports split-tunnel and split-DNS.

The SG is a reverse proxy where the incoming traffic from external hits the Internet-routable IP address of the Secure Gateway, which is configured to use the StoreFront, Secure Ticket Authorities, and XML Broker, and the SG would have a SNIP defined for the subnet relative to your XenApp or XenDesktop servers, and that is what facilitates the connection.

Otherwise, you are sending back an internal IP address to an external device.  Even if you had a NAT for every server from external to internal, your ICA file will have the internal IP address, which resolves to internal host names.  Assuming AD-integrated zones, it is most likely not a registered domain name.  You need a separate FQDN that resolves externally in DNS for the Secure Gateway, which requires an SSL certificate binding from a valid PKI solution such as GoDaddy or whichever.

Then you configure your StoreFront and a NetScaler specific Store that is a custom configuration that works only with Citrix NetScaler Secure Gateway.  Your internal Store for StoreFront is private IP space and internal DNS.

The only exception here is if you assign an Internet IP address to every internal server and define every host in external DNS.

Otherwise, StoreFront will hand out the same IP address that it hands out for internal connections, which I assume is a private IP range, not public.  So HTTP/HTTPS connections to StoreFront will work perfectly fine, but the moment you click on the application icon it will return an ICA file with the IP address hosting the application, which is not applicable to external traffic.

Your options are to install a VPN client on the external PCs and configure the firewall as a VPN appliance; once the VPN tunnel is established, all traffic uses the VPN connection regardless of which application you use on the client.

The other option is a Split-Tunnel and Split-DNS VPN design, which you configure so that ICA traffic goes internal over the VPN while other websites continue to use the external Internet connection.

Or, you can get the Citrix NetScaler VPX appliance with Secure Gateway or its baby brother, the SG Express.

Those are your only 3 options:
1. SG
2. VPN
3. VPN Split Tunnel, Split DNS

Keeping in mind that the acquisition of the NetScaler appliances and technology was in part to replace the Secure Gateway that was running on a Windows Server.

Today, NetScaler is a full blown ADC / Load Balancer / Content Switch / GSLB virtual or physical appliance and this depends on the licensing as to what features you can leverage.

But the core architecture has not changed relative to Secure Gateway's role.

It is a core component that facilitates the reverse proxy of ICA traffic from external to internal.  On StoreFront, you would now have an Internal Store and an External Store.  The External Store points to NetScaler.  The Secure Gateway on the NetScaler points to your internal StoreFront, your internal XML services, your internal STAs (Secure Ticket Authorities).  Between the SG and StoreFront handling all the heavy lifting on the back end, they leverage one another so that external users can authenticate against StoreFront, but launching an application is a hand-off to the Citrix Receiver/Workspace and, in layman's terms, a dynamic SSL VPN reverse-proxied connection between Receiver and Secure Gateway, and from Secure Gateway to your internally hosted XenApp servers.

This alleviates having to punch holes in the firewall and create 1-to-1 NATs for every service and IP of the XenApp servers, XML, STA and so forth.

It is the holistic design, the purposeful acquisitions, the combining of all these technologies as part of the Citrix infrastructure stack that is what allows any user to connect from anywhere from any device.  This becomes more critical if you intend to implement MFA, dual factor and many other technologies that are part of the NetScaler piece.  This is where you get the ability to have multiple internal subnets where you can isolate by services and define SNIPs on the NetScaler to talk to just those subnets.  You have the load balancing aspect relative to high availability, where you don't want (don't need) a single point of failure for any of these servers or services, where N+1 should apply.  Two Delivery Controllers (which double as your two STAs and two XML brokers), two StoreFront servers, Citrix PVS, Director and so forth - this is where it all comes together.

And this all ties in to the proprietary protocol ICA/FMA where if that were not the case then every Firewall vendor and Load Balancing vendor would ship with Secure Gateway for ICA technology or at least provide it as an option - it isn't.  It is specific to Citrix NetScaler and Secure Gateway on Windows Server back in NT 4.0/2000 days was the bridge for the gap that was NFUSE which back then was one of the limiting factors to having a solution accessible both internal and external.

The best way to use Citrix is to use Citrix as it was designed to be used, and the different components in the stack, when combined correctly, are what separate Citrix as the Enterprise Solution that is the clear winner when it comes to an end user (our customer) unified experience, where the customer can access their centralized hosted applications from a single unified interface from any device and any Internet-connected location.

If you implement Citrix XenApp/XenDesktop and StoreFront without NetScaler, you have an internal-only solution.  When you have hundreds or thousands of SD-WAN, WAN or VPN-connected remote sites, that "internal" solution works great as long as your private IP space is configured properly with no overlap and correct subnets or supernets.

Once you cross over that bridge from internal private IP to external Internet IP is where the Citrix Secure Gateway has always filled the gap, dating back to the first iterations that ran on Windows Server.  Then NetScaler was born, and now you have SG running on a hardened BSD variant of UNIX as its own separate appliance; fast forward to now and it is a virtual appliance, or physical SDXs running virtual appliances on the XenServer hypervisor.

Sometimes it is easier to explain if you provide some context and history.  In this case, SG has been a core part of the equation not just to fill the gap for accessing business applications externally, but it is in part the proprietary technology that, when used correctly, is an instrumental aspect of your overall security posture.

So it is access from any device, anywhere, anytime - securely.  When we talk of NetScaler SG, that includes the Secure Ticket Authorities, the XML brokers, the StoreFront servers, Active Directory authentication, and the ability to control access to published applications using Active Directory groups and Citrix policies (GPO and native).  There is even an option for FIPS-2 compliance, which is rather simple today compared to other solutions.  The major difference is the FIPS-2 NetScaler can only be a physical appliance because of the FIPS chip, and they start around 100K each.  I implemented 12 of them (12500 series) at the largest Blue Cross Blue Shield in the world, the one in South Carolina that processes 100% of all Department of Defense and every branch of the military (TRICARE) claims.

Each component of the Citrix stack serves a specific purpose or was created/acquired to fill a gap and ongoing mitigation of risks whether from man in the middle attacks or extrapolating traffic out of the ICA channel - which you would get nothing but screen scrapes and keystrokes.

Depending on what license you go with on the virtual or physical appliance, you have a built-in firewall, an enterprise-class load balancer, and a content switch option where you can host thousands of websites using a single external IP address and a single wildcard certificate.  There is the ability to define custom policies based on incoming connections that automatically compensate to suit that traffic, SSL compression, and from a monitoring perspective you have the AppFlow technology, which you can enable on Secure Gateway and integrate that data into Citrix Director, where you have a complete view of every hop, ICA latency, everything you need to know about every connection so as to quickly identify root cause; in many scenarios your external users might claim to have 1 Gig Internet and the best WiFi routers you can buy, but the fact is you don't know - that's AppFlow.

The point being, use the technology as it was intended to be used.  If you bring it all together, you and your customer benefit.  Life will be easier, tickets will be fewer, and troubleshooting root cause is less painful; with Director and AppFlow tied in, you provide this tool to Tier 1 and Tier 2, train them, create a help desk troubleshooting guide so that their lives are easier and their first-hit closure ratios go up, and now you're setting a trend of changing the perception of IT.

It's a win win.
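The check that Sam describes (open the downloaded launch.ica, look at the Address line, that is the host that needs TCP 1494/2598 open) and the point the last answer makes (StoreFront hands out the same, usually private, VDA address to everyone, so an external client gets an ICA file it cannot use without VPN or a gateway) can be done by script instead of Notepad. The following is an added Python example written for this page; it is not code from the thread, from SonicWall or from Citrix. It assumes: the INI layout of ICA files with an [ApplicationServers] section and a per-app Address key (real ICA conventions); that a gateway-brokered launch carries an STA ticket in the Address line of the form `;40;STA...;ticket` (my own knowledge, not stated in the thread); a constructed sample file with made-up values; and function names of my own.

```python
import configparser
import ipaddress
import socket
import sys

# ICA ports a client must reach on the VDA when it connects directly (no gateway):
# 1494 = ICA, 2598 = Session Reliability, as listed in the thread.
ICA_PORTS = (1494, 2598)

# Constructed sample launch.ica: the INI layout, [ApplicationServers] and the Address
# key follow real ICA files; every value here is made up for the example.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Word=

[Word]
Address=10.20.30.40:1494
InitialProgram=#Word
ClientAudio=On
SSLEnable=Off
"""


def parse_ica(text):
    """Return {app_name: {key: value}} for every entry under [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key names as written (Address, SSLProxyHost, ...)
    cp.read_string(text)
    apps = {}
    for app in cp["ApplicationServers"]:
        apps[app] = dict(cp[app]) if cp.has_section(app) else {}
    return apps


def split_host_port(address, default_port=ICA_PORTS[0]):
    """'host:port' -> (host, port); a bare host gets the default ICA port."""
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return address, default_port


def classify_address(address):
    """Classify what the Address line points at (assumed ';40;STA' ticket form for gateways).

    'gateway'   : STA ticket, the launch is brokered through a NetScaler/Citrix Gateway
    'private'   : literal RFC 1918 / loopback / link-local IP, unreachable from the
                  Internet without a VPN (the failure mode the thread describes)
    'public-ip' : literal publicly routable IP
    'hostname'  : DNS name the client must resolve (internal DNS normally needs VPN)
    """
    if address.startswith(";40;"):
        return "gateway"
    host, _ = split_host_port(address)
    try:
        return "private" if ipaddress.ip_address(host).is_private else "public-ip"
    except ValueError:
        return "hostname"


def diagnose(ica_text):
    """Per app: Address, its class, and what that means for a remote (non-VPN) client."""
    advice = {
        "gateway": "launch is brokered by a gateway; check SSLProxyHost and the STA instead",
        "private": "private IP in the ICA file: a remote client needs VPN or a gateway",
        "public-ip": "public IP: TCP 1494/2598 must be allowed from the client to this host",
        "hostname": "name must resolve on the client (internal DNS only works over VPN)",
    }
    findings = []
    for app, params in parse_ica(ica_text).items():
        address = params.get("Address", "")
        kind = classify_address(address)
        findings.append({"app": app, "address": address, "kind": kind,
                         "ssl_proxy": params.get("SSLProxyHost"), "advice": advice[kind]})
    return findings


def check_ports(address, ports=ICA_PORTS, timeout=2.0):
    """Live TCP connect test from this machine to each ICA port on the VDA: {port: bool}.
    Run it on the remote user's PC to confirm the 'ports open to ALL VDAs' advice."""
    host, _ = split_host_port(address)
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    # Usage: python ica_check.py [launch.ica]; without an argument the sample is analysed
    # offline and no connection attempt is made.
    have_file = len(sys.argv) > 1
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if have_file else SAMPLE_ICA
    for f in diagnose(text):
        print(f"{f['app']}: Address={f['address']} ({f['kind']}) -> {f['advice']}")
        if have_file and f["kind"] != "gateway":
            print("   reachability:", check_ports(f["address"]))
```

Running it against a launch.ica saved from the remote user's browser separates the two cases the thread goes back and forth on: a `private` or unresolvable `hostname` result means the client was handed an address only the LAN can use (the last answer's point), while a `public-ip` result with closed ports points at the firewall rules Sam lists.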
