EUC Weekly Digest – July 4, 2020

Last Modified: Nov 7, 2020 @ 6:34 am

Interesting EUC items from last week:

Citrix Virtual Apps and Desktops

Citrix VDA

Citrix Provisioning

Citrix StoreFront

Citrix Workspace app

Citrix ADC

Citrix Gateway

  • New nFactor EPA section describing how to do SmartAccess using nFactor EPA –

Citrix Endpoint Management


For more immediate updates, follow me at

For a list of updates at, see the Detailed Change Log.

10 thoughts on “EUC Weekly Digest – July 4, 2020”

  1. Carl, one additional question; have you seen this before? Before dropping using the NS and just moving on to connecting directly, I thought I’d try one additional thing. I put in as the Servers both the LAN and the DMZ IPs of the WAP server. Then I built service groups for both of them using SSL_Bridge as in the article. Then I built a VIP server using those groups and pointing to the IP I want as the VIP of the NS. To my surprise this worked and I can see all of the traffic to all of the IPs, including traffic from the DMZ IP to it’s LAN IP. So, then I tried to add in the actual second leg, but that didn’t work so, anyway, I went back to my original config as I’ve outlined above. And now, of course, it doesn’t work. I’ve completely broken down the config and rebuilt it as I did first thing this morning and something that was working is now not…Until I started this project with the WAP/ADFS servers, I’ve never seen this with the NS devices.

  2. So, that worked… or at least it did :(… this is one of the frustrations that I’m having with the Netscaler that I’m not used to having issues with. I read thru the article and tried to glean out of it what I could use. So, I changed the subnet IP to be on the DMZ and in the LB area I changed the Servers IP to be the DMZ IP of the WAP server. I also changed the protocol from TCP to SSL_Bridge. And it worked… YEAH!!! So, now I wanted to put in the IP address of the ADFS server, which only has a LAN IP, and that LAN IP is seeable from the DMZ. To test that, after building it, I disabled the Server object that was configured with the DMZ IP of the WAP server, and, of course, it didn’t work. OK.. so let’s go back and start again. I completely removed the ADFS object and made sure that the Service Group, Virtual servers and Persistency group were back to what I had originally above that just worked. When I tried it now, it failed to work…grrr…I have discovered that sometimes with the Netscaler, if I reboot that seems to fix some things, although I don’t know why. Anyway, I’d left the browser session open on my PC, trying to connect to the Office authentication server and when the NetScaler came back up, I was presented with the login screen,.. whoo hoo… that worked. However, when I then went and tried to get a new browser session to Office, it’s not working. It eventually times out.

  3. Carl, Question… I’m trying to create a LB using the VPX appliance to LB our WAP server which is involved in authenticating us to Office 365. I’ve worked from your Horizon article, making changes where I felt it was correct. I’ve got the Server pointed to the IP of the WAP server. I’ve got two Service groups (80 and 443), using TCP and 80 and 443 instead of the SSL_Bridge that I’d have used for Horizon and I have the Virtual Server set to the VIP that I want to come thru the firewall and hit. I didn’t set up any monitors and I have a Persistency group based on IP and with a timeout of 2. The thing is, and it’s very frustrating, I set this up yesterday with a very simple set up just to see if I could pass traffic to the WAP server (Which ultimately talks to our ADFS server). That worked, and I was able able to go thru the LB directly to the ADFS server. So then I made it more complex by adding a second NIC to the WAP server in our DMZ. I was unable to get that to work, so I went back to the beginning to retest and now, no matter what server the LB is trying to hit, it doesn’t work. BTW, when I do a trace on the LB, no matter what IP I’m trying to hit, the trace shows all of the right IP addresses, so it looks like it’s passing into the LB and attempting to go to the right IP. Do you have any words of wisdom? Thanx…

      1. Yes, if I point the IP address that the public IP is supposed to hit, directly to the WAP server, either it’s LAN IP or it’s DMZ IP, I can get my login to Office to give me the password prompt. And I swear I had this working at least in some form thru the VPX yesterday, but now can’t. I’m using 13.x.

          1. I tried a reply, but not sure it went thru so here it is again.

            I read thru the article and took out of it what I thought was useful. I changed the Subnet IP of the NS to be in the DMZ. I redid the config of the LB area to use SSL_Bridge instead of TCP. When I got done, it worked. I was able to route it to the DMZ IP of the WAP server and I got a password prompt from Office. So then, I tried to add in the ADFS server as a Server destination in the config to LB with. It only has a LAN IP, but that IP is viewable from the DMZ. That didn’t work, so I reset back to the config without that ADFS info and now, of course, it’s not working. I’ve completely disassembled the NS config and rebuilt it to have what I did above and it’s still not working 🙁

            So, my experience with this NS appliance over the last few days is that occasionally if I reboot it, something what wasn’t working will start to work. So, I rebooted it. I’d left my browser attempting to connect to Office for authentication and as soon as the NS came back up, I got the password prompt for Office. So, I thought that did it, but no, I can’t get it to work now. This has been a major frustration with this that I’m not used to experiencing with the NS appliances I’ve done in the past for Horizon connection servers.

            Since I can actually get to the WAP server by going directly to it thru the firewall, I probably don’t really need the NS, but I’m concerned that my boss will want it 6 months from now for something we’re not anticipating and it’s easier to set that up now and get it working when no one is using it than when it’s in production.

          2. Never mind Carl… I think I made a fundamental error originally… although how it connected the first time is beyond me. I need to look at it again.

          3. OK, I made a fundamental error in the Subnet IP of the NS; I just fat-fingered it. However, now that I have it set correctly, when I build the LB piece, I get the effective state of the Service Group as down. And the article isn’t clear enough to help me configure something I might be missing. I’ve tried both TCP/443 and SSL_Bridge/443 as protocols and it doesn’t make a difference. I’ve tried to include the ADFS server in the mix, as that seems to be what the article is telling me to do, but I’m not sure how to do that and anything I’ve tried continues to have an effective state of down. Unless you have some simple words of wisdom, I think I’m going to abandon this and work without it since that actually does work.

          4. So, wonder if you’ve seen this before. Before I just drop trying to make the NS work, I went in this morning and redid the config and I made a Server entry for the WAP’s LAN IP and one for it’s DMZ IP. Then I created Service Groups using SSL_Bridge and then created the VIP. I also move the Subnet IP of the NS back to it’s LAN IP. Much to my surprise this worked. I tried it several times and even ran a packet trace and all looked OK. Obviously a LB needs a second device to Load balance between so I created another Server with the ADFS’s IP I re did the config to include this into the mix and of course it failed… which I half expected. Anyway, I removed everything to do with ADFS and, of course, the config that was working just fine, is now not. I ripped out everything, rebooted the NS and rebuilt the config exactly like I did earlier in the day and it doesn’t work… I have had this happen a number of times in this project. I will say that I have never seen this before when dealing with the NS and the Horizon config.

Leave a Reply

Your email address will not be published. Required fields are marked *