There are several reasons why a user might be unable to launch a published application or desktop through NetScaler Gateway. The video below walks through the traffic flow and how to analyze logs in an integrated Citrix Gateway and StoreFront environment. This article also describes some of the reasons in detail.
The reasons covered are:
- Install Latest Version of Receiver
- User License Exhausted
- NetScaler Gateway License Type Mismatch
- Certificate Not Linked on the NetScaler
- Secure Ticket Authority Not Specified
- FQDN of Secure Ticket Authority is Not Resolvable
- Verify if the Secure Ticket Authority Configured on NetScaler Returns STA ID
- Verify that the Same STA Servers are Configured on the NetScaler Gateway Virtual Server and on the StoreFront Servers
- Make Sure that Usage or Role on the StoreFront Server is Set to Authentication and HDX Routing
- Verify Communication on port 1494/2598 from the Subnet IP/Mapped IP to the XenApp/XenDesktop Servers
Install Latest Version of Receiver
Download and install the latest version of Citrix Receiver to resolve this issue.
User License Exhausted
Verify if the license is exhausted on NetScaler Gateway. Navigate to NetScaler configuration utility > NetScaler Gateway > Virtual Server and examine the Maximum Users and Current Users. If both values are the same, the NetScaler Gateway license is exhausted.
You can also navigate to NetScaler configuration utility > System > Licenses to confirm the number of NetScaler Gateway and ICA licenses.
Complete one of the following steps to resolve this issue:
Install an additional Universal License to accommodate more users. Adjust the maximum number of users to match the new number of total users by navigating to NetScaler Gateway > Global Settings > Change Authentication AAA Settings > Maximum Number of Users.
Note: Retain NetScaler Gateway virtual server in SmartAccess mode.
NetScaler Gateway License Type Mismatch
The NetScaler Gateway setting should match the type of license that NetScaler Gateway has. Change the NetScaler Gateway virtual server mode from SmartAccess to Basic. If Basic mode is used on the NetScaler Gateway virtual server (the ICA Only checkbox is selected in the latest versions of NetScaler), unlimited ICA users are allowed.
Refer to CTX125567 – How to Configure NetScaler Gateway Appliance with Unlimited ICA Connections for more information.
Certificate Not Linked on the NetScaler
When users launch the published application or desktop, the Receiver performs an SSL handshake with the NetScaler Gateway virtual server. If the certificate has been issued by a Trusted CA, make sure that the certificate is also installed and linked on the NetScaler. For more information refer to CTX114146 – How to Install and Link Intermediate Certificate with Primary CA on NetScaler Gateway.
Secure Ticket Authority Not Specified
Verify if NetScaler Gateway has a Secure Ticket Authority (STA) specified under NetScaler Gateway > Virtual Server > Published Application. If not, add the STA under Published Applications on NetScaler Gateway to resolve this issue. For more information refer to Citrix Documentation – Configuring the Secure Ticket Authority on NetScaler Gateway.
FQDN of Secure Ticket Authority is Not Resolvable
Verify if the FQDN of the STA server is resolvable. If not, change the STA server FQDN to an IP address on StoreFront and NetScaler. For more information refer to Citrix Documentation – Configuring the Secure Ticket Authority on NetScaler Gateway.
Verify if the Secure Ticket Authority Configured on NetScaler Returns STA ID
If the Secure Ticket Authority (STA) server is reachable from the NetScaler, the NetScaler sends a POST request to the STA server requesting an AuthID. The STA server should return a valid and unique AuthID.
Verify that the Same STA Servers are Configured on the NetScaler Gateway Virtual Server and on the StoreFront Servers
The StoreFront server needs to contact the Secure Ticket Authority server to obtain a ticket that contains the IP address/FQDN of the XenApp/XenDesktop server that can serve the request for that published application/desktop.
When the ticket is forwarded from the client to the NetScaler Gateway, the gateway matches the AuthID in the ticket with the AuthID for the STA server specified on the virtual server. If the AuthID does not match, the launch request fails.
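A first check for the mismatch described above is to compare the STA lists on both sides. The following is an added example, not part of the original article or any Citrix tooling: it assumes you have the gateway's saved configuration text (with `bind vpn vserver ... -staServer` lines) and the STA URLs entered on StoreFront. All host names, addresses and the virtual server name are constructed sample values.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: lines as they would appear in a saved NetScaler config.
NS_CONF = '''
add vpn vserver gw_vs SSL 203.0.113.10 443 -icaOnly ON
bind vpn vserver gw_vs -staServer "http://sta01.example.local"
bind vpn vserver gw_vs -staServer "http://STA02.example.local:8080/scripts/ctxsta.dll"
bind vpn vserver other_vs -staServer "http://sta09.example.local"
'''
# Constructed sample: STA URLs entered for the gateway on StoreFront.
STOREFRONT_STAS = [
    "http://sta01.example.local/scripts/ctxsta.dll",
    "https://sta02.example.local:8080/scripts/ctxsta.dll",
    "http://192.0.2.30/scripts/ctxsta.dll",
]

def sta_key(url):
    """Reduce an STA URL to (scheme, host, port); the path is ignored."""
    u = urlsplit(url.strip())
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)

def gateway_stas(conf, vserver):
    """Collect the -staServer values bound to one gateway virtual server."""
    found = []
    for line in conf.splitlines():
        tok = shlex.split(line)
        if tok[:4] != ["bind", "vpn", "vserver", vserver]:
            continue
        if "-staServer" in tok[:-1]:
            found.append(tok[tok.index("-staServer") + 1])
    return found

def compare(conf, vserver, storefront):
    """Report STA entries that exist on only one side."""
    gw = {sta_key(u) for u in gateway_stas(conf, vserver)}
    sf = {sta_key(u) for u in storefront}
    gw_only, sf_only = gw - sf, sf - gw
    return {
        "only_on_gateway": sorted(gw_only),
        "only_on_storefront": sorted(sf_only),
        # Host is present on both sides, but the scheme or port differs.
        "same_host_different_url": sorted(
            {k[1] for k in gw_only} & {k[1] for k in sf_only}),
    }

if __name__ == "__main__":
    for name, items in compare(NS_CONF, "gw_vs", STOREFRONT_STAS).items():
        print(name, items)
```

An entry listed by FQDN on one side and by IP address on the other is reported as a difference, because the script does not resolve names.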
Make Sure that Usage or Role on the StoreFront Server is Set to Authentication and HDX Routing
Starting with StoreFront version 3.5, you can define the Secure Ticket Authority servers only when you select the Usage or Role as Authentication and HDX Routing under Manage NetScaler Gateway Settings. Also, if this option is not selected, the StoreFront server does not add the SSL Proxy Host to the ticket created by the Secure Ticket Authority server.
Verify Communication on port 1494/2598 from the Subnet IP/Mapped IP to the XenApp/XenDesktop Servers
The NetScaler communicates with the XenApp/XenDesktop server on port 1494 (Session reliability OFF) or port 2598 (Session reliability ON). If the SNIP/MIP cannot establish a TCP connection on these ports, the launch fails.