Netscaler Access Gateway v11 fails to connect to storefront due to TLSv1.2 schannel errors

Scenario

On a recent customer deployment, I came across an issue where external connections through the Access Gateway to the Citrix environment were failing: the LDAP authentication stage passed, but the redirection to the backend StoreFront (LB/server) never happened and the page simply went blank (white) with an hourglass.

Environment

  • Netscaler MPX 5500
  • Netscaler version 11.0 build 62.10.nCore
  • Storefront 2.6
  • XenDesktop 7.6
  • Configured to use single FQDN for both internally and externally

Findings

On further investigation, I found several errors in the System event log on the StoreFront server:

Log Name: System
Source: Schannel
Date: 11/09/2015 8:04:52 AM
Event ID: 36874
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: <computer name>
Description:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
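To make the Schannel symptom above measurable on the StoreFront server, here is an added PowerShell audit script (not part of the original post). It counts recent Event ID 36874 entries, reports the server-side Schannel protocol state from the registry, and lists the cipher suites the server offers so they can be compared with what the NetScaler presents on the backend connection. It assumes an elevated session on Windows Server 2012 R2 or later (Get-TlsCipherSuite needs the TLS module); the 24-hour window is a constructed choice.

```powershell
# Added example (not from the original post): audit the StoreFront server for the
# Schannel 36874 errors described above and show the TLS configuration Schannel
# will negotiate with. Run elevated on the StoreFront server.
$since = (Get-Date).AddHours(-24)   # constructed lookback window

# 1. Count recent cipher-suite mismatch events (Event ID 36874, provider Schannel).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36874
    StartTime    = $since
} -ErrorAction SilentlyContinue

"Schannel 36874 events since $since : $(@($events).Count)"
if ($events) {
    # The message names the protocol version the client asked for, e.g. "TLS 1.2".
    $events | Group-Object { if ($_.Message -match '(TLS|SSL) \d\.\d') { $Matches[0] } else { 'unknown' } } |
        Select-Object Count, Name | Format-Table -AutoSize
}

# 2. Report the server-side Schannel protocol settings. An absent key means the OS
#    default applies; Enabled=0 or DisabledByDefault=1 means the server refuses it.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $base "$proto\Server"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $state = if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { 'disabled' } else { 'enabled' }
    } else {
        $state = 'OS default (key absent)'
    }
    "{0,-8} server-side: {1}" -f $proto, $state
}

# 3. List the cipher suites the server offers, so the overlap with the suites the
#    NetScaler SNIP sends in its ClientHello can be checked before touching the gateway.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Select-Object Name, Protocols | Format-Table -AutoSize
} else {
    'Get-TlsCipherSuite not available on this OS; inspect the SCHANNEL\Ciphers keys instead.'
}
```

If the event count is non-zero while TLS 1.2 shows as enabled server-side, the failure is a cipher-suite overlap problem rather than a protocol-version one, which is the case the 36874 message describes.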

Searching online, I found the following two pointers:

A Citrix forum thread describing the same symptom: http://discussions.citrix.com/topic/368520-netscaler-11-and-storefront-30-load-balancing-broken/

The NS 11.0.62.10.nc release notes (https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_0_62_10.html) state:

Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols incorrectly appear as enabled by default on an SSL virtual server.
Workaround: Disable TLS1.1/1.2 explicitly on the virtual server.
[# 576274]

I tried that workaround, but it did not help, so I called Citrix support and they suggested the following:

Workaround 1

In the NetScaler Access Gateway section, under Sessions > Session Profiles > Edit, change the StoreFront address in the session profile from an https:// to an http:// address and re-enable TLS v1.2/1.1.

Workaround 2

After trying Workaround 1, the page externally now redirected to the Citrix StoreFront page and enumerated the apps/desktops; however, launching the published desktop threw an error with status code 1030. I went ahead and disabled TLS v1.2/1.1 on the Access Gateway page and everything worked OK!

This might be a concern for security-centric organisations, and maybe there is a better and more convincing way to handle this scenario.

Conclusion

Lastly, at the time of writing this blog, this is a known issue with NS MPX + v11.0 firmware: TLS/Schannel errors in StoreFront, and external access fails to connect to the backend StoreFront LB/server. Citrix indicates Microsoft does not support TLS v1.2 on the Windows StoreFront server and/or there are some issues with NS v11.0 (still unknown; I hope this gets fixed in the near future).

About cloudray

Predominantly based around Virtualization, but will include other technology related information and anything else I find interesting and feel the need to share with you. I also use this Blog as both a place to store useful information that I think that will come in handy to me at some point in the future, and also a place to help aid my learning. I find a great way to learn about something is to research about it and then write it up in my own words. I'm Pushpal Ray, from India. As a certified VCP3/4/5 professional, I am currently working as an Independent Consultant. Over 10 years of IT-industry experience, currently focused around the Desktop Virtualization(End-User Computing). I also have extensive experience in Windows Administration, Datacenter Migration, Workload profiling & benchmarking. At my leisure, I enjoy hiking, running, photography, spend hours in my fav coffee shop & spend quality time with my wife. Occasionally, catch up with few friends for a drink!
This entry was posted in Enterprise Virtualization, NetScaler Gateway.

2 Responses to Netscaler Access Gateway v11 fails to connect to storefront due to TLSv1.2 schannel errors

  1. Jason Richards says:

    With Workaround 1 – why would you re-enable TLS 1.1 and 1.2 when the URL is set to http? What would TLS actually do in that situation?

    • cloudray says:

      Currently there are issues with different versions of NetScaler and StoreFront combinations around TLS and ciphers etc. For this specific scenario, TLS for backend communication was disabled, which means NS SNIP to StoreFront backend servers. Frontend is still TLS, i.e. NS gateway to SNIP. This is a workaround until Citrix resolves the issue in future releases.
