NetScaler Gateway 12 Tweaks

Last Modified: Sep 2, 2018 @ 7:52 am

💡 = Recently Updated

NetScaler Gateway Feature Licensing

Here is a listing of some NetScaler Gateway features and the licenses they require:

Feature                              | NetScaler Editions           | Universal Licenses?
-------------------------------------|------------------------------|--------------------
StoreFront Load Balancing            | Standard/Enterprise/Platinum |
Global Server Load Balancing (GSLB)  | Enterprise/Platinum          |
ICA Proxy and StoreFront Proxy       | All                          |
Two-factor Auth (RADIUS)             | All                          |
StoreFrontAuth (nFactor)             | Enterprise/Platinum          |
nFactor Authentication               | Enterprise/Platinum          |
Native OTP Authentication (nFactor)  | Enterprise/Platinum          |
HDX Insight (AppFlow)                | Enterprise/Platinum          |
SmartAccess                          | All                          | Yes
SmartControl                         | Platinum                     | Yes
RDP Proxy                            | Enterprise/Platinum          | Yes
SSL VPN                              | All                          | Yes
PCoIP Proxy                          | Enterprise/Platinum          | Yes
Unified Gateway                      | Enterprise/Platinum          | Yes
Citrix SCOM MP for NetScaler         | Platinum                     |

All Editions = NetScaler Gateway Enterprise VPX, NetScaler Standard, NetScaler Enterprise, and NetScaler Platinum.

  • NetScaler Gateway Enterprise VPX is the cheap VPX appliance that only does NetScaler Gateway. It doesn’t even do Load Balancing.
  • NetScaler Enterprise Edition is the minimum edition for many Gateway features, and thus is recommended for all Gateway purchases.

Gateway Universal Licenses – many NetScaler Gateway features require NetScaler Gateway Universal licenses for each concurrent connection to the NetScaler Gateway Virtual Server. See the above table for which features require these licenses.

When you create a NetScaler Gateway Virtual Server, in the Basic Settings section, the ICA Only setting determines whether you need NetScaler Gateway Universal licenses. If ICA Only is set to true on the Virtual Server, then the features requiring Universal Licenses are disabled. If ICA Only is set to false, then you need a NetScaler Gateway Universal license for every user that connects to this NetScaler Gateway Virtual Server.

Most editions of NetScaler include Universal licenses:

  • NetScaler Gateway Enterprise VPX does not come with any Gateway Universal Licenses
  • NetScaler Standard Edition comes with 500 Gateway Universal Licenses
  • NetScaler Enterprise Edition comes with 1,000 Gateway Universal Licenses
  • NetScaler Platinum Edition comes with unlimited Gateway Universal Licenses

If your NetScaler Edition does not include a sufficient number of Universal Licenses for your user load, then you can acquire these licenses through other means:

  • XenApp/XenDesktop Platinum Edition includes Gateway Universal licenses for each licensed user
  • XenMobile App Edition and XenMobile Enterprise Edition include Gateway Universal licenses for each licensed user
  • “a la carte” NetScaler Gateway Universal Licenses – these are very inexpensive

You can install more Gateway Universal licenses on the NetScaler appliance. The Gateway Universal licenses are allocated to the case sensitive hostname of each appliance. If you have an HA pair, and if each node has a different hostname, then allocate the Gateway Universal licenses to the first hostname, and then reallocate the same licenses to the other hostname.

To see the hostname, click your username on the top right.

To change the hostname:

  1. Click the gear icon on the top right.
  2. Then click the third section.

Go to mycitrix.com, and allocate your purchased Gateway Universal licenses to the hostname of the appliance.

To upload the allocated Gateway Universal licenses to the appliance, go to System > Licenses > Manage Licenses. A reboot is required.

To see the number of installed Gateway Universal licenses:

  1. On the left, expand System, and click Licenses.
  2. On the right, in the Maximum NetScaler Gateway Users Allowed field is the number of licensed users for NetScaler Gateway Virtual Servers that are not set to ICA Only.

RFWebUI Portal Theme

Citrix Blog Post Branding your Deployment Part 2: Matching NetScaler to StoreFront explains NetScaler Gateway Portal Themes, how to edit the Portal Theme CSS, and warns about GUI changes overwriting CSS file changes.

If you want the logon page for NetScaler Gateway to look more like StoreFront 3.0 and newer, enable the built-in RfWebUI or X1 theme. RfWebUI is optimized for Unified Gateway (Clientless VPN) since it provides the exact same appearance and user experience as StoreFront 3.x. The Unified Gateway RfWebUI theme can display RDP Links, Web Links (bookmarks), PCoIP published icons, along with the familiar StoreFront apps and desktops. Note: RfWebUI requires StoreFront 3.6 or newer.

  1. Go to NetScaler Gateway > Virtual Servers, and edit an existing Virtual Server.
  2. If you see the Portal Themes section on the left:
    • Then click the pencil icon.
  3. If you don’t see Portal Themes on the left:
    • On the right, in the Advanced Settings section, click Portal Themes.
  4. On the left, change the Portal Theme drop-down to RfWebUI. Click OK.
  5. Click Done.

    bind vpn vserver gateway.corp.com -portaltheme RfWebUI
  6. When you access the NetScaler Gateway login page you’ll see the theme.
  7. If you want an idle timer for RfWebUI, see CTP Simon Gottschlag RfWebUI Idle Timeout. 💡
  8. If you have challenge-based RADIUS authentication, and if you need to remove the second password field from RfWebUI, see CTP Simon Gottschlag Remove “Password 2” from RfWebUI. 💡

Custom Portal Theme

You can create your own theme by starting from one of the built-in themes:

  1. Go to NetScaler Gateway > Portal Themes.
  2. On the right, click Add.
  3. Give the theme a name, select RfWebUI as the Template Theme, and click OK.
  4. In the Look and Feel section, there are two sub-sections: one for Home Page Attributes, and one for Common Attributes.
  5. The Home Page Attributes section is for Unified Gateway (aka VPN Clientless Access). Notice that the Websites Sections can be disabled.
  6. The Help Legend link at the top of the section shows you what the other fields modify.

  7. If you want to modify some attributes of the logon page, use the Common Attributes sub-section. The labels are changed later.
  8. The Help Legend link at the top of the Common Attributes section shows you what the fields modify.
  9. Make changes as desired, and click OK at the bottom of the page.
  10. After you click OK, the Language section appears.
  11. In the Language section, select a language, and click OK.
  12. On the right, in the Advanced Settings section, click Login Page.
  13. Make changes as desired (e.g. Password Field Titles), and click OK.
  14. At the top of the screen, click the link to Click to Bind and View Configured Theme.
  15. Select a Gateway Virtual Server, and click Bind and Preview. Notice that you can also bind Portal Themes to AAA vServers.
  16. The logon page is displayed.
  17. You could go to /var/netscaler/logon/themes/MyTheme/css and make more changes to custom.css, but this file gets overwritten any time you make a change in the Portal Themes section of the NetScaler GUI.
  18. Citrix CTX209526 NetScaler; How to Copy a Portal Theme from the Device running version 11.0 to another Device running 11.0.

Public DNS SRV Records

When a user launches Receiver, instead of typing in the Gateway FQDN, the user can enter an email address. Receiver uses the email suffix to look up the Gateway FQDN. It does this by looking for an SRV record named _citrixreceiver._tcp in the email suffix’s domain (e.g. _citrixreceiver._tcp.corp.com). If you have multiple email suffixes, then you need to add the SRV record to each email suffix DNS zone.

Note: to eliminate certificate and trust prompts, the Gateway certificate must match discoverReceiver.email.suffix (e.g. discoverReceiver.corp.com). If you have multiple email suffixes, then the certificate must match every email suffix.

To enable email-based discovery, add a SRV record to each public email suffix DNS zone. Here are sample instructions for a Windows DNS server:

  1. In Server Manager, click Tools > DNS.
  2. In the left pane of DNS Manager, right-click your DNS domain, and click Other New Records.
  3. In the Resource Record Type dialog box, select Service Location (SRV), and then click Create Record.
  4. In the New Resource Record dialog box, do the following:
    1. In the Service box, enter the host value _citrixreceiver.
    2. In the Protocol box, enter the value _tcp.
    3. In the Port number box, enter 443.
    4. In the Host offering this service box, specify the fully qualified domain name (FQDN) for your NetScaler Gateway Virtual Server in the form servername.domain (e.g. gateway.company.com).
  5. Click OK to close the New Resource Record dialog box.
  6. Click Done to close the Resource Record Type dialog box.
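The discovery flow above, worked through as an added example that is not part of the original article: from an email address it derives the _citrixreceiver._tcp SRV name and the discoverReceiver.<suffix> certificate name, emits the equivalent zone-file record, and checks a constructed SRV answer set and certificate SAN list so that every email suffix is covered. The DNS answers, SAN list and email addresses are constructed for the example; nothing is resolved over the network.

```python
"""Email-based Receiver discovery checker (added example, not Citrix code).

Receiver takes the suffix of the email address, queries the SRV record
_citrixreceiver._tcp.<suffix>, and connects to the Gateway it names. To avoid
trust prompts the Gateway certificate must also cover discoverReceiver.<suffix>.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

SRV_SERVICE = "_citrixreceiver._tcp"
DISCOVERY_HOST = "discoverReceiver"
GATEWAY_PORT = 443

# Constructed DNS answers: SRV owner name -> (port, target). corp.net has the
# SRV record, but its discovery name is not on the certificate (see SAN_NAMES).
SRV_ANSWERS: Dict[str, Tuple[int, str]] = {
    "_citrixreceiver._tcp.corp.com": (443, "gateway.corp.com"),
    "_citrixreceiver._tcp.corp.net": (443, "gateway.corp.com"),
}
# Constructed SAN list of the certificate bound to the Gateway Virtual Server.
SAN_NAMES: List[str] = ["gateway.corp.com", "discoverReceiver.corp.com"]


def email_suffix(email: str) -> str:
    """Return the DNS suffix Receiver extracts from an email address."""
    if email.count("@") != 1:
        raise ValueError(f"not an email address: {email!r}")
    suffix = email.split("@", 1)[1].strip().rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", suffix):
        raise ValueError(f"invalid email suffix: {suffix!r}")
    return suffix


def srv_name(email: str) -> str:
    """SRV owner name Receiver queries for this email address."""
    return f"{SRV_SERVICE}.{email_suffix(email)}"


def discovery_name(email: str) -> str:
    """Name the Gateway certificate must cover for a prompt-free discovery."""
    return f"{DISCOVERY_HOST}.{email_suffix(email)}"


def srv_zone_record(suffix: str, gateway_fqdn: str, priority: int = 0, weight: int = 0) -> str:
    """Zone-file line equivalent to the Windows DNS steps above (port 443, host = Gateway FQDN)."""
    return (f"{SRV_SERVICE}.{suffix}. IN SRV {priority} {weight} "
            f"{GATEWAY_PORT} {gateway_fqdn.rstrip('.')}.")


def cert_covers(name: str, san_names: Iterable[str]) -> bool:
    """True when a SAN entry matches `name` exactly or through a single-label wildcard."""
    name = name.lower()
    for san in san_names:
        san = san.lower()
        if san == name:
            return True
        # "*.corp.com" covers "discoverreceiver.corp.com" but not "a.b.corp.com"
        if san.startswith("*.") and name.count(".") == san.count(".") and name.endswith(san[1:]):
            return True
    return False


def check_discovery(email: str, srv_answers: Dict[str, Tuple[int, str]],
                    san_names: Iterable[str]) -> Dict[str, Optional[object]]:
    """Evaluate one email suffix against the SRV answers and the certificate SAN list."""
    san_names = list(san_names)
    name = srv_name(email)
    answer = srv_answers.get(name)
    findings: Dict[str, Optional[object]] = {
        "srv_name": name,
        "srv_present": answer is not None,
        "srv_port_ok": answer is not None and answer[0] == GATEWAY_PORT,
        "gateway": answer[1] if answer else None,
        "cert_name": discovery_name(email),
    }
    findings["cert_ok"] = cert_covers(str(findings["cert_name"]), san_names)
    findings["gateway_cert_ok"] = bool(answer) and cert_covers(answer[1], san_names)
    return findings


def missing_cert_names(emails: Iterable[str], san_names: Iterable[str]) -> List[str]:
    """Discovery names that must be added to the certificate so every suffix is prompt-free."""
    san_names = list(san_names)
    needed = sorted({discovery_name(e) for e in emails}, key=str.lower)
    return [n for n in needed if not cert_covers(n, san_names)]


if __name__ == "__main__":
    for user in ("alice@corp.com", "bob@corp.net", "carol@example.org"):
        print(check_discovery(user, SRV_ANSWERS, SAN_NAMES))
    print("add to certificate:", missing_cert_names(["alice@corp.com", "bob@corp.net"], SAN_NAMES))
```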

Customize Logon Page

Logon Page Labels

When two factor authentication is configured on NetScaler Gateway, the user is prompted for User name, Password, and Password 2.

The Password field labels can be changed to something more descriptive, such as Active Directory or RSA:

To change the labels, edit a Portal Theme:

  1. Go to NetScaler Gateway > Portal Themes, and edit an existing theme. You can’t edit the built-in themes, so you’ll have to create one if you haven’t already.
  2. If you see the Login Page section on the left:
    • Click the pencil icon in the Login Page section.
  3. If you don’t see the Login Page section on the left:
    • On the right, in the Advanced Settings column, click Login Page to add it to the left.
  4. On the left, in the Login Page section, change the two Password fields to your desired text.
  5. Click OK to close the Login Page section.
  6. If you are using the RfWebUI theme, the default text size for the form field labels is 17px. However, the Portal Themes editor defaults to 12px. You can change it back to 16px or 18px by doing the following:
    1. In the Look and Feel section, click the pencil icon.
    2. Scroll down to the Common Attributes section.
    3. Change the Form Font Size drop-down to 16px or 18px.
    4. Click OK to close the Look and Feel section.
  7. In the Portal Theme section at the top of the page, you can Click to Bind and View Configured Theme to Preview your changes.
  8. You might have to invalidate the loginstaticobjects Integrated Caching Content Group (Optimization > Integrated Caching > Content Groups) before the changes appear. This seems to be true even if Integrated Caching is disabled.

Logon Security Message (Disclaimer, EULA)

You can force users to agree to a EULA before they are allowed to login.

Clicking the Terms & Conditions link allows the user to view the EULA text that you have entered.

Do the following to configure the EULA:

  1. Go to NetScaler Gateway > Resources > EULA.
  2. On the right, click Add.
  3. Give the EULA a name, and enter some text. You can even enter HTML code. See the example posted by Chris Doran at Citrix Discussions.
  4. Scroll down, and click Create.
  5. Edit a Gateway Virtual Server.
  6. On the right, in the Advanced Settings column, click EULA.
  7. On the left, in the EULA section, click where it says No EULA.
  8. Click where it says Click to select.
  9. Click the radio button next to the previously created EULA, and click Select.
  10. Click Bind.
  11. Mike Roselli at Automatic EULA Acceptance by Cookie Rewrite Guide at Citrix Discussions details Rewrite policies that change the behavior so that users only have to accept the EULA once. It records acceptance in a cookie.
  12. Sam Jacobs Adding an EULA for AAA Login at CUGC explains how to enable the EULA on the AAA logon page.

Theme File Customization

The original themes (Default, Green Bubble, and X1) use files from /netscaler/ns_gui/vpn/js and /var/netscaler/logon/themes. A commonly edited file is /netscaler/ns_gui/vpn/js/gateway_login_form_view.js since this file is responsible for rendering the logon form.

The new RfWebUI theme is different than the original themes, because it pulls files from /var/netscaler/logon/LogonPoint/receiver. This means the customizations for NetScaler 11.0 won’t work with the new RfWebUI theme. When reviewing customization guides for NetScaler 11, be aware that most of them won’t work for the RfWebUI theme.

Citrix CTX202444 How to Customize NetScaler Gateway 11 logon Page with Links shows how to add links to the NetScaler Gateway 11 logon page. This only works in the Default, Green Bubble, and X1 themes (no RfWebUI theme).

Other Customizations

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part 2 at CUGC explains how to add text to the RfWebUI theme logon page. The process for RfWebUI is quite different than the older themes:

  • Text is stored in /var/netscaler/logon/themes/<theme>/strings.<language code>.json
  • Custom CSS is stored in /var/netscaler/logon/themes/<theme>/css/theme.css
  • Sample Logon Page: (image: Logon screen with footer.jpg)

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part 1 at CUGC explains how to modify custom.css and en.xml to add text below the logon box on the Logon Page. No Rewrite policies or source code modifications needed.

Citrix CTX215817 NetScaler : How to Customize Footer of NetScaler Gateway Login Page. This article does not work with the RfWebUI theme, but it works with the X1 theme.

Mike Roselli at Netscaler 11 Theme Customization – How to Add Links and Verbiage at Citrix Discussions has sample rewrite policies to customize the NetScaler Gateway logon page with additional HTML.

 

Craig Tolley Customising the NetScaler 11 User Interface – Adding Extra Content: add new sections to login page. These sections pull content from local HTML files.

 

Daniel Ruiz Set up a maintenance page on NetScaler Gateway: configure a Responder policy (see the blog post for sample HTML code). During maintenance, manually bind the Responder policy to the Gateway. Manually remove the policy after maintenance is complete.

UDP Audio Through Gateway

From John Crawford at Citrix Discussions and Marius Sandbu Enabling Citrix Receiver audio over Netscaler Gateway with DTLS

Note: Enabling DTLS on the Gateway also enables the Gateway to support EDT (Adaptive Transport) and Framehawk.

Requirements for UDP Audio:

  • Citrix Receiver 4.2 or newer
  • UDP 443 allowed to NetScaler Gateway Virtual Server
  • UDP 16500-16509 allowed from NetScaler SNIP to the VDAs

To enable UDP Audio through Gateway, make changes on both the NetScaler Gateway Virtual Server, and in Receiver:

  1. Edit a NetScaler Gateway Virtual Server.
  2. In the Basic Settings section, click the pencil icon.
  3. Click More.
  4. Enable the DTLS option, and click OK.
  5. After enabling DTLS, it probably won’t work until you unbind the Gateway certificate, and rebind it.
    1. On the left, click where it says 1 Server Certificate.
    2. Click Add Binding.
    3. Click where it says Click to select.
    4. Click the radio button next to the same certificate that’s already bound. Click Select.
    5. Click Bind.
    6. Click Close.
    7. Click Continue to close the Certificate section.

Client-side configuration

There are two methods of enabling RTP on the client side:

  • Edit default.ica on the StoreFront server
  • Use GPO to modify the client-side config

To edit the default.ica file on the StoreFront server (h/t Vipin Borkar): Edit the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica and add the following lines to the Application section:

EnableRtpAudio=true
EnableUDPThroughGateway=true
AudioBandwidthLimit=1
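The default.ica edit above as an added example (not Citrix tooling or the article’s own code): it writes the three UDP audio keys into the [Application] section of a constructed sample file, updating keys that already exist in place, preserving every other line, and running idempotently so it is safe to re-run after a StoreFront change. The sample file content is constructed and shorter than a real default.ica.

```python
"""Apply the UDP audio settings to a StoreFront default.ica (added example).

The file is processed line by line rather than through configparser so that
comments, blank lines and unrelated sections survive untouched.
"""
from typing import Dict, List

UDP_AUDIO_SETTINGS: Dict[str, str] = {
    "EnableRtpAudio": "true",
    "EnableUDPThroughGateway": "true",
    "AudioBandwidthLimit": "1",
}

# Constructed sample; a real default.ica has many more keys and sections.
SAMPLE_DEFAULT_ICA = """[WFClient]
Version=2
RemoveICAFile=yes

[Application]
TransportDriver=TCP/IP
DoNotUseDefaultCSL=On
AudioBandwidthLimit=0

[EncRC5-0]
DriverNameWin16=pdc0w.dll
"""


def _is_section_header(stripped: str) -> bool:
    return stripped.startswith("[") and stripped.endswith("]")


def apply_settings(text: str, section: str = "Application",
                   settings: Dict[str, str] = UDP_AUDIO_SETTINGS) -> str:
    """Return `text` with `settings` present in `section`, creating the section if needed."""
    out: List[str] = []
    in_target = False
    found = False
    seen = set()          # keys of `settings` already present in the section
    insert_at = 0         # index in `out` just after the section's last non-blank line

    def flush() -> None:
        # Add keys the section did not contain, directly after its last real line
        # (before any trailing blank lines), so the file keeps its spacing.
        missing = [f"{k}={v}" for k, v in settings.items() if k.lower() not in seen]
        out[insert_at:insert_at] = missing

    for line in text.splitlines():
        stripped = line.strip()
        if _is_section_header(stripped):
            if in_target:
                flush()
            in_target = stripped[1:-1].strip().lower() == section.lower()
            found = found or in_target
            seen.clear()
            out.append(line)
            insert_at = len(out)
            continue
        if in_target and stripped and not stripped.startswith(";") and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            for k, v in settings.items():
                if key.lower() == k.lower():
                    seen.add(k.lower())
                    line = f"{k}={v}"      # overwrite an existing value in place
                    break
        out.append(line)
        if in_target and stripped:
            insert_at = len(out)
    if in_target:
        flush()
    if not found:
        out.append(f"[{section}]")
        out.extend(f"{k}={v}" for k, v in settings.items())
    return "\n".join(out) + "\n"


def section_values(text: str, section: str) -> Dict[str, str]:
    """Read back key=value pairs of one section (used to verify the result)."""
    values: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if _is_section_header(stripped):
            current = stripped[1:-1].strip().lower()
        elif current == section.lower() and "=" in stripped and not stripped.startswith(";"):
            key, _, value = stripped.partition("=")
            values[key.strip()] = value.strip()
    return values


if __name__ == "__main__":
    print(apply_settings(SAMPLE_DEFAULT_ICA))
```

On a real server, read C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica, pass its text through apply_settings, and write the result back after keeping a backup copy.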

To use GPO to modify the client-side config:

  1. Copy the receiver.admx (and .adml) policy template into PolicyDefinitions if you haven’t already.
  2. Edit a GPO that applies to Receiver machines. You can also edit the local GPO on a Receiver machine.
  3. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Receiver | User Experience.
  4. On the right, edit the setting Client audio settings.
  5. Do the following in the Client audio settings dialog box.
    1. Enable the setting.
    2. Set audio quality as desired. Higher quality = higher bandwidth.
    3. Check to Enable Real-Time Transport.
    4. Check to Allow Real-Time Transport through Gateway.
  6. Click OK to close the Client audio settings dialog box.
  7. Look in the client-side registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Audio to make sure the registry keys applied.
  8. When you launch the first session after enabling Real-Time Transport, you might be prompted to enable it through the client-side firewall.

To view the current UDP Audio sessions:

  1. In the NetScaler GUI, click the NetScaler Gateway node.
  2. On the right, click DTLS ICA Connections.
  3. This will show you all users that have UDP Audio connections through NetScaler Gateway. Note: this is different than EDT. To see EDT (UDP) HDX connections, click ICA Connections instead.

Citrix VPN from Mobile Devices

Links:

Citrix VPN Clients on Mobile Devices (Android, iOS) contain one of the following in their User-Agent strings. You can use this text in a Session Policy expression.

  • CitrixReceiver/NSGiOSplugin
  • CitrixReceiver/CitrixVPN

To block the Citrix VPN client connections from mobile devices, do one of the following:

  • Create an AppExpert > Responder > Policy with Action = DROP and Expression = HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin")|| HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/CitrixVPN"). Either bind the Responder Policy Globally, or bind it to the Gateway vServers.
  • In your Gateway Session Policies, on the Client Experience tab, set the Plug-in Type to Java. If any of them are set to Windows/MAC OS X, then VPN for Mobile is allowed.

StoreFront – Rewrite X-Citrix-Via

When NetScaler Gateway communicates with StoreFront, it adds a header called X-Citrix-Via that contains the FQDN entered in the user’s address bar. StoreFront uses this header to find a matching Gateway object so StoreFront knows how to handle the authentication. In NetScaler 11.0 and newer, you can create a rewrite policy to change this header. This is useful when changing URLs or using DNS aliases for Gateways. See CTX202442 FAQ: Modify HTTP Header X-Citrix-Via on NetScaler for more details.

Here’s a sample rewrite policy for this header:

enable ns feature REWRITE

add rewrite action rwact_storefront replace "HTTP.REQ.HEADER(\"X-Citrix-Via\")" "\"mystorefront.mydomain.com\""

add rewrite policy rwpol_storefront "HTTP.REQ.HEADER(\"X-Citrix-Via\").NE(\"mystorefront.mydomain.com\")" rwact_storefront

bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST
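The mobile-VPN Responder expression from the previous section and the X-Citrix-Via rewrite above, modelled together in Python as an added example (not NetScaler code or the article’s own): each policy is a predicate plus an action evaluated over a request’s headers, the Responder DROP is evaluated before the Rewrite (NetScaler’s request-side order), and the .NE guard stops the rewrite when the header already carries the StoreFront name. The request samples are constructed; treating an absent X-Citrix-Via header as “not equal” and inserting it is an assumption of this model.

```python
"""Model of the two Gateway policies in the article (added example).

Responder: DROP when the User-Agent contains a mobile Citrix VPN client token.
Rewrite:   replace X-Citrix-Via with the StoreFront name when it differs.
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]

MOBILE_VPN_AGENTS = ("CitrixReceiver/NSGiOSplugin", "CitrixReceiver/CitrixVPN")
STOREFRONT_VIA = "mystorefront.mydomain.com"   # value used in the article's sample policy

# Constructed requests as the Gateway would see them; only relevant headers are kept.
REQUESTS: List[Headers] = [
    {"Host": "gateway.corp.com", "User-Agent": "Mozilla/5.0 (Windows NT 10.0) CitrixReceiver/4.9",
     "X-Citrix-Via": "gateway.corp.com"},
    {"Host": "gateway.corp.com", "User-Agent": "CitrixReceiver/NSGiOSplugin 12.0",
     "X-Citrix-Via": "gateway.corp.com"},
    {"Host": "gateway.corp.com", "User-Agent": "CitrixReceiver/CitrixVPN Android",
     "X-Citrix-Via": "gateway.corp.com"},
    {"Host": "alias.corp.com", "User-Agent": "Mozilla/5.0 (Macintosh) CitrixReceiver/4.9",
     "X-Citrix-Via": "mystorefront.mydomain.com"},
]


def header(req: Headers, name: str) -> str:
    """Case-insensitive header lookup; an absent header reads as an empty string."""
    for key, value in req.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_mobile_vpn(req: Headers) -> bool:
    """HTTP.REQ.HEADER("User-Agent").CONTAINS(...) || HTTP.REQ.HEADER("User-Agent").CONTAINS(...)."""
    user_agent = header(req, "User-Agent")
    return any(token in user_agent for token in MOBILE_VPN_AGENTS)


def via_needs_rewrite(req: Headers) -> bool:
    """rwpol_storefront: HTTP.REQ.HEADER("X-Citrix-Via").NE("mystorefront.mydomain.com").

    Assumption of this model: a missing header also counts as "not equal"."""
    return header(req, "X-Citrix-Via") != STOREFRONT_VIA


def rewrite_via(req: Headers) -> Headers:
    """rwact_storefront: replace the X-Citrix-Via value, leaving other headers untouched."""
    out = {k: v for k, v in req.items() if k.lower() != "x-citrix-via"}
    out["X-Citrix-Via"] = STOREFRONT_VIA
    return out


def process(req: Headers) -> Tuple[str, Optional[Headers]]:
    """Responder first, then Rewrite. Returns (verdict, headers as forwarded to StoreFront)."""
    if is_mobile_vpn(req):
        return "DROP", None
    if via_needs_rewrite(req):
        req = rewrite_via(req)
    return "FORWARD", req


def summarize(requests: List[Headers]) -> Dict[str, int]:
    """Count verdicts and how many forwarded requests had X-Citrix-Via changed."""
    counts = {"DROP": 0, "FORWARD": 0, "REWRITTEN": 0}
    for req in requests:
        verdict, forwarded = process(req)
        counts[verdict] += 1
        if forwarded is not None and header(forwarded, "X-Citrix-Via") != header(req, "X-Citrix-Via"):
            counts["REWRITTEN"] += 1
    return counts


if __name__ == "__main__":
    for req in REQUESTS:
        print(process(req))
    print(summarize(REQUESTS))
```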

Device Certificates

NetScaler Gateway can require Device Certificates (machine based) before a user can login. The Endpoint Analysis Plug-in reads the machine certificate, and compares it to a CA certificate that is bound to the NetScaler Gateway Virtual Server.

  • Device Certificates are different from User Certificates.
  • Administrator permissions are required to access the machine certificate’s private key. NetScaler Gateway Plug-in (VPN client) can workaround this requirement.
  • OCSP is required. You can use Microsoft Online Responder.

To enable Device Certificates

  1. Create an OCSP Responder on NetScaler, and bind it to the CA Certificate. See CTX200290 How to Configure Device Certificate on NetScaler Gateway for details. At Traffic Management > SSL > Certificates > OCSP Responder.

    1. The URL for Microsoft Online Responder is http://ocsp_server_FQDN:80/ocsp.
    2. Misja Geuskens at Netscaler Device certificate checks fails with W2K12R2 Online responder says don’t check the Nonce box.
  2. Import CA certificates for Root and Intermediate. At Traffic Management > SSL > Certificates > CA Certificates.
  3. Right-click each CA certificate, and click OCSP Bindings.

    1. Select the OCSP Responder you created earlier.
  4. Bind the CA certificates to the Gateway Virtual Server in the CA certificates section.

  5. Enable Device Certificates in the NetScaler Gateway Virtual Server > Basic Settings > More section. Move the same CA certificates to the right.

User Experience

Users will be prompted to install the Endpoint Analysis plugin.

Click Yes to run the scan. Note: if the user is not an administrator of the local machine, then you must also install the NetScaler Gateway Plug-in (VPN client) to handle the security restrictions.

If there are multiple certificates on the client machine, the user will be prompted to select one.

The chosen machine certificate is stored in %localappdata%\Citrix\AGEE\config.js. The user won’t be prompted for certificate selection again unless you delete this file.

This same folder contains nsepa.txt, which lets you troubleshoot device certificate checking. The most common issue is lack of permissions, which is handled by installing the NetScaler Gateway VPN Plug-in. The Gateway VPN Plug-in version must match the firmware version.

23 thoughts on “NetScaler Gateway 12 Tweaks”

  1. Hi Carl,
    I am planning to upgrade Citrix Netscaler (MPX8200) from 11.0 build 66 to 12.0 build 58. I have Enterprise license.
    When I tried to download from Citrix it gave me too many options like :
    NetScaler ADC
    Netscaler App Firewall
    Netscaler Gateway
    Netscaler MAS
    NetScaler SD-WAN

    I am confused how can i verify which one is applicable for my Netscaler.
    Any help would be highly appreciated.

      1. Thanks for your quick reply.
        Is there any way I could verify either from GUI or Putty to netscaler through some command

        1. SD-WAN and MAS are completely different products.

          NetScaler MPX = ADC.

          NetScaler Gateway is just a special license for ADC.

          1. Great I did upgrade from Netscaler 11.0 build 70.16 to 12.0 build 58.15 without any issue.
            Thanks for your help in understanding firmware download options.

            The reason I upgraded was duplicate radius authentication bug in 11.0 but unfortunately i could see same behavior in 12.0. If you can help me in this help would be much appreciated.

            I have Radius policy configured on Netscaler and have pointed to Microsoft NPS server. When users open website (let say user has configured MFA to get phone calls) sometime website keep spinning and users get calls 3 times in the interval of 120 sec which i have set time out on Netscaler.
            Every time users receive the call and press # but nothing happens and website keep spinning.

            Any suggestion ?
            Citrix support captured the logs and ask me to upgrade they did see duplicate request going out from Netscaler but even after upgrade its not working.

          2. Are the RADIUS responses not making it back to NetScaler? Are you load balancing RADIUS? If not, is it perhaps sending the RADIUS request using a SNIP interface but the source IP is NSIP and the RADIUS server doesn’t know how to route the packet back to the NSIP? If you load balance RADIUS then it uses SNIP instead of NSIP.

  2. Curious if anyone has been able to customize the “Enterprise Websites” or “Personal Website” sections (Web and SAAS Apps and Personal Bookmarks). I want them to appear but they take up a lot of real estate on the screen and I’m not a fan of the background colours, etc.

  3. In Unified gateway, there’s an “E-Mail Home” icon that shows up, even when we don’t fill in that field. Can we remove that icon entirely?

  4. Currently when we login to Unified Gateway, it defaults to icons verses Categories – is there a way to force default to the category view?

    1. Yes, on the netscaler under /var/netscaler/logon/themes/ edit the scripts.js file

      //This will maintain landing on category tab
      CTXS.Extensions.onViewChange = function (viewName) {
          if (viewName == 'store') {
              window.setTimeout(function () {
                  CTXS.ExtensionAPI.navigateToFolder('\\');
              }, 0);
          }
      };

      See https://support.citrix.com/article/CTX217238

  5. Hi Carl,

    Thanks for the great articles you’re enriching the Citrix User Community with.
    I am fresh to Citrix and these articles help to speed up the learning side of things a lot..

    I could use some help with the VPN side of things if you’d be so nice to provide your insight to the issue.
    Currently we are hitting a problem with VPN & NLA (happens on Win7 and Win10).
    Seems Citrix VPN Client is having problems with the Multi Firewall Profiles feature (e.g. WLAN Nic -> Public profile and Citrix-/VPN-NIC -> Domain profile).
    At the same time we have set Block for Inbound & Outbound traffic for the Private-/Public-Profile, unless it is white-listed through a firewall rule. The Firewall is turned off completely for the Domain Profile.

    In this constellation, after we establish the VPN connection, there is no access possible to the Intranet (NW-Shares, internal Collab-Sites) or to the Internet (www.bing.com, http://www.google.ch, etc.). Not even a ping…
    Seems the Windows Filtering Platform (which according to MS acts even before the Firewall) seems to block outgoing packets, because it considers them to be trying to cross Profiles (from Public -> Domain or Domain -> Public) and blocks them. This is according to MS due to the Strong-Host-Model scheme they have for the Multi-Profile feature.

    The reason seems to be that Citrix (also Cisco??) is using 172.0.0.1 or 192.0.0.1 as Default-Gateway, DNS and DHCP Servers when internally the 172.23.x.x., 172.26.x.x are used as subnets for the internal-network setup..

    According to Citrix this usage of 172.0.0.1 is intrinsic (e.g. embedded into the source code) and cannot be modified.
    Seems odd that we couldn’t change/modify this 172.0.0.1 IP to something that is “closer” to the final VPN-Client IP, e.g. we would like to use 172.23.x.1 (first IP of the VPN subnet) as the default gateway IP and thus hopefully avoiding the whole Profile_Crossing trap we seem to be running into..

    Any chance you’d have encountered something similar or would have an idea how we could change this 172.0.0.1 IP to something we define as a more “appropriate” IP address.

    Just to point it out: Our Citrix TMR stated that lately more customers did run into this and they “simply” deactivated the Firewall on the Client PCs to solve the issue. This seems a bit strange to open up the client’s security to have VPN working properly…

    -snip-
    13:43:41.6653816 [Microsoft-Windows-Windows Firewall With Advanced Security/Firewall ] Network profile changed on an interface.
    Adapter GUID: {5617a1c7-4d37-4670-bca9-1f66bfe0035f}
    Adapter Name: ethernet_7
    Old Profile: Public
    New Profile: Domain

    Next you will see the drop happening:

    13:43:41.7837785 [Microsoft-Windows-WFP/Analytic] WFP: Packet Dropped – Filter Run-Time ID: 0x775CF, Layer Run-Time ID: 0x2C ?1601?-?01?-?01T00:00:00.000000000Z, 16, 172.23.244.130:3148, 16, 172.0.0.1:9748, 0, \device\harddiskvolume2\program files\citrix\secure access client\nsload.exe, S-1-5-21-1266304161-2867343829-1920029268-41660, 0xB, 1, 3, Inbound, false

    A closer look reveals the reason for it:

    The filter ID 488911 points to the built-in filter previously initialized:

    -snip-

    Hope I was somewhat able to convey the problem we are having.
    Any insight, tips & tricks are appreciated to help solving this issue..

    Thanks and best regards,
    ErolU

  6. Hi Carl,

    Good Article, would you also share a customizations to prompt specific Citrix Receiver version from Netscaler authentication page.

    1. Are you trying to block older Receiver? Or are you trying to tell the user what version of Receiver is installed?

      StoreFront has an option to offer Receiver upgrades.

      1. I’m trying to force users to prompt Receiver 4.3.100 who are using Windows 10 operating system on Netscaler Authentication page.

  7. Under Public DNS SRV Records:
    We could not add _discoverReceiver.domain.com in SAN portion of SSL. It took without ” _ ” though.

  8. Great article, thank you. Would you happen to know where the background image for the Storefront logout is? It looks like /netscaler/ns_gui/vpn/media/X1-bg-img.jpg, but I customized that one and for some reason I keep getting the old image after logging out of Storefront. I already tried clearing my browser cache.

    1. Isn’t it /Citrix/StoreWeb/receiver/images/common/ReceiverFullScreenBackground_46E559C0E6B5A27B.jpg on the StoreFront server?

  9. We found a few issues with RfWebUI (running NetScaler 12.0.53.13). One being that the RfWebUI portal theme loaded inconsistently across many devices (desktop and phone). We had to remove the cache policies that are automatically added when you create the NSGW virtual server (_cacheTCVPNStaticObjects, etc). Looks like the theme flips out when it tries to perform 302 or 304 requests for the web resources. I found a known issue Citrix article that kind of alluded to that, but didn’t mention caching. This was with Enterprise licensing too, which means I couldn’t change the policies (as I’m not licensed), but I could unlink them. Also, we’ve found the RfWebUI theme loads really poorly over high latency (e.g., 300 ms+) connections. Way worse than the default themes. Even X1 is a bit better, but no mobile support. I also assume this is related to all the AJAX requests the theme makes. Haven’t got a solution for that yet. The theme definitely looks better, but also has pretty serious flaws.
