On a recent customer deployment, I came across an issue where external access through the Access Gateway to the Citrix environment was failing: it passed the LDAP authentication stage, but the redirection to the backend StoreFront (LB/server) did not happen and the page simply went blank (white) with an hourglass.
- NetScaler MPX 5500
- NetScaler version 11.0 build 62.10.nc
- StoreFront 2.6
- XenDesktop 7.6
- Configured to use a single FQDN both internally and externally
On further investigation, I found several errors in the System event log on the StoreFront server:
Log Name: System
Date: 11/09/2015 8:04:52 AM
Event ID: 36874
Task Category: None
Computer: <computer name>
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
I searched online and found the following two pointers:
The Citrix forum thread on the same symptom: http://discussions.citrix.com/topic/368520-netscaler-11-and-storefront-30-load-balancing-broken/
The NS 11.0 build 62.10.nc release notes (https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_0_62_10.html) list the following known issue:
Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols incorrectly appear as enabled by default on an SSL virtual server.
Workaround: Disable TLS1.1/1.2 explicitly on the virtual server.
I tried the workaround, but it did not work, so I called Citrix support and they suggested the following:
In the NetScaler Access Gateway section, under Sessions > Session Profiles > Edit, change the StoreFront address in the session profile from an https:// to an http:// address, and re-enable TLS 1.2/1.1.
After trying that option, the external page now redirected to the Citrix StoreFront page and enumerated the apps/desktops; however, launching a published desktop threw an error with status code 1030. I went ahead and disabled TLS 1.2/1.1 on the Access Gateway as well, and everything worked OK!
This may be a concern for security-centric organisations, and there may be a better and more convincing way to handle this scenario. Note what the two changes cost: pointing the session profile at an http:// address sends the gateway-to-StoreFront leg in cleartext, and disabling TLS 1.1/1.2 leaves TLS 1.0 as the only protocol the gateway will negotiate on the affected virtual servers.
Lastly, at the time of writing, this is a known issue with the NS MPX on 11.0 firmware: TLS/Schannel errors on the StoreFront server, and external access fails to connect to the backend StoreFront LB/server. Citrix indicates that Microsoft does not support TLS 1.2 on the Windows StoreFront server and/or that there are issues with NS 11.0 (still unknown; I hope this gets fixed in the near future).
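To tell the two explanations in the last paragraph apart, it helps to see which protocol versions the StoreFront server itself will complete a handshake for. The following is an added example (my own, not code from the post, from Citrix or from Microsoft): a small Python probe that opens one TLS client connection per protocol version to the StoreFront load balancer, the way the NetScaler does as a backend client, and classifies the outcome in the terms used above. The host name storefront.example.com, port 443 and the result labels are assumptions; certificate verification is deliberately off because the question is negotiation, not trust.

```python
"""Probe which TLS versions a StoreFront (or any HTTPS) endpoint accepts.

Added example, not code from the original post. It performs the client-side
handshakes that the NetScaler performs toward the StoreFront LB, one per
protocol version, and classifies the result so that a server-side Schannel
rejection (Event ID 36874: no cipher suite supported by the server) can be
told apart from a failure on the gateway side. Host and port are assumptions.
"""
import socket
import ssl
import sys

# Protocol versions to try, oldest first.
TLS_VERSIONS = [
    ("TLS1.0", ssl.TLSVersion.TLSv1),
    ("TLS1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS1.2", ssl.TLSVersion.TLSv1_2),
]


def make_context(version):
    """Client context pinned to exactly one protocol version.

    Certificate checks are off on purpose: the question is whether the
    server will negotiate at all, not whether its certificate is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # TLS 1.0/1.1 sit below OpenSSL's default security level; lower it
        # so the probe can actually offer them (OpenSSL >= 1.1 syntax).
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL without security levels: keep its defaults
    return ctx


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake; return (status, detail).

    ("ok", cipher_name)       handshake completed
    ("tls-error", reason)     TCP connected but the TLS handshake was refused
    ("net-error", exc_name)   no TLS exchange happened at all
    ("local-error", message)  this machine's OpenSSL cannot offer the version
    """
    try:
        ctx = make_context(version)
    except (ValueError, ssl.SSLError) as exc:
        return ("local-error", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.cipher()[0])
    except ssl.SSLError as exc:  # must precede OSError: SSLError is a subclass
        return ("tls-error", exc.reason or str(exc))
    except OSError as exc:
        return ("net-error", type(exc).__name__)


def diagnose(results):
    """Interpret a {label: (status, detail)} matrix in the terms of the post."""
    ok = sorted(k for k, (s, _) in results.items() if s == "ok")
    refused = sorted(k for k, (s, _) in results.items() if s == "tls-error")
    if not ok and not refused:
        return "no TLS exchange completed or was refused: check network path/port"
    if not refused:
        return "server accepts every version offered: " + ", ".join(ok)
    if not ok:
        return ("server refuses every version at the TLS layer: "
                "check the client's ciphers or an intermediary")
    if "TLS1.2" in refused:
        # This is the pattern behind Schannel Event ID 36874 on the server.
        return ("server accepts {} but refuses {}: check the server's enabled "
                "cipher suites (Schannel Event ID 36874)".format(
                    ", ".join(ok), ", ".join(refused)))
    return "server accepts {} and refuses only {}".format(
        ", ".join(ok), ", ".join(refused))


def main(argv):
    host = argv[1] if len(argv) > 1 else "storefront.example.com"  # assumption
    port = int(argv[2]) if len(argv) > 2 else 443
    results = {}
    for label, version in TLS_VERSIONS:
        results[label] = probe(host, port, version)
        print("{:<7} {:<12} {}".format(label, *results[label]))
    print(diagnose(results))


if __name__ == "__main__":
    main(sys.argv)
```

Run it from a host that can reach the StoreFront load balancer (`python probe.py storefront.example.com 443`). If TLS 1.0 completes but TLS 1.2 is refused, the server's Schannel cipher configuration is rejecting the client's TLS 1.2 offer, which is what Event ID 36874 reports; if every version is refused only when the request comes through the NetScaler, the problem sits on the gateway side. For reference, the NetScaler CLI equivalents of the two workarounds in the post (names are placeholders) are `set ssl vserver <vserver> -tls11 DISABLED -tls12 DISABLED` for the release-note workaround, `set vpn sessionAction <profile> -wihome "http://<storefront>/Citrix/StoreWeb"` for the session-profile change suggested by support, and `show ssl vserver <vserver>` to see which protocol versions are actually enabled.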