Getting Error “internal service Error” when accessing the gateway externally

If we get this error first thing to check is if we are able to resolve Storefront FQDN or base URL from netscaler.

If not make an A record in Netscaler DNS.

Or else give the IP of Storefront in session profile like:

*Where is our SF IP and SF is our store name.

Also make sure that the SSO domain that we add in session profile is same as the Userdomain.

To check this run “set” command on storefront command line and check the Userdomain field.

If we still get errors like “cannot complete your request”, check the LDAP profile.

It may have an entry in SSO name attribute field like “cn.”

Remove it.

We need SSO name attribute in only multiple domain environment, and that should be set as “userPrincipalName ” in that case.


  • No Related Posts

Best way to allow single level domain but not sub-domains in SG Policy

I need a solution


I’m looking for best way to allow all sites directly under a domain, but not sites under sub-domains of this domain.


– must be allowed  ( public sites, to be allowed for everyone )

– but not  ( restricted internal sites, not to be allowed for any proxy user )

I’m currently trying achieving that with regex like this one below, but not sure this is the most efficient way.”[^.]*”

Any help appreciated.






  • No Related Posts

Policy with Exception on a specific URL

I need a solution

Hello All, 

Is there a way to configure a policy detection for PCI-DSS but do an exception on this site : ?

Because we detect a lot of false positive on Facebook discussion that looks like a Credit card number.

When we add a “Recipient matches pattern” exception on URL domain, Symantec says with a red banner :  The following 1 url domains are not valid:

But we can not except the whole facebook domain on this policy !

With regards



  • No Related Posts

How to Configure NetScaler Gateway Preauthentication EPA Scan for Domain Check

NetScaler GUI

Complete the following steps to configure NetScaler Gateway preauthentication EPA scan for domain check:

  1. Log on to NetScaler Gateway and navigate to NetScaler Gateway > Policies > Preauthentication > Preauthentication Profiles (tab) > Add. Assign a Name for the new profile and choose Create.

    User-added image

  2. Switch to the Policies tab and choose Add to add a new policy.

    Provide a Name and under Request Action choose the previously created domain-scan-profile.

    User-added image

  3. A pop-up window will appear. Use the expression editor to select Windows to scan Windows based systems, then choose Domain Check.

    User-added image

  4. Select + to the right of the Domain Check option. In this case the check will be to see if ‘’ is the domain suffix. Enter the Domain suffix and comment as shown in the following screen shot and click OK.

  5. Now select Create to create the new policy.

  6. To enable the policy it will now need to be bound to the virtual server. This is done by editing the virtual server itself.

    Navigate to the NetScaler Gateway > Virtual Servers section and select the virtual server and then choose the Edit option. Allow the HTML page to load and towards the bottom of the resulting web page there will be section called Policies.

  7. Choose the + symbol in the top right of the Policies section.

  8. A selection box will appear. Change the Policy type under Choose Policy to Preauthentication and choose Continue.

    User-added image

  9. In the Choose Type section, select the policy created for domain scan under Select Policy and then click Bind button.

    User-added image

  10. Click OK and it should show the other policies as well as the new preauthentication policy bound to the virtual server.

  11. Once the scan has been enabled, test it with a suitable client that has domain membership matching the setting in the policy. Then repeat with a non-confirming client to verify the functionality of the new policy.

NetScaler CLI

To enable preauthentication policy for domain check, run the following command from CLI:

add aaa preauthenticationpolicy <policy name> “CLIENT.SYSTEM(DOMAIN_SUFFIX_anyof_<domain>[COMMENT: Domain check]) EXISTS” <Action Name>


  • No Related Posts

Phish Threat V2: Campaign domains were not resolvable

Users clicking on campaign links were presented with an unresolvable domain page. Campaigns are still being tracked if the link is clicked on by a user. This issue was resolved on January 16, 2019 at 16:00 UTC

Applies to the following Sophos product(s) and version(s)

Phish Threat V2

The “unresolved” Phish Threat domain pages were caused by the hosting provider automatically identifying the domains as phishing and, as such, took them offline. These have now been unblocked and we are in discussions with the hosting provider to prevent this from happening again.

In many cases, normal operations has now resumed. Please be aware that the complete DNS propagation may take up to 48 hours.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.


  • No Related Posts

How do I have two default gateways one for mgmt and one for interception?

I need a solution


I have port 0:0 as the management port with a default gateway associated with the default route domain and I want port 2:0 to have its own default route. Shall I create a new route domain, a new vlan and associate them with interface 2:0, which already has an IP address.

then shall I define a Default gateway for the new route domain?

Would this work?






  • No Related Posts

ProxySG | User privileges for run service of BCAAA

I need a solution

My customer would like to know about user privileges in domain for run service of BCAAA

if don’t want to be domain admin just will be domain user.

we tried to test in lab can use domain user and complete to install agent

but when did on enviroment of customer cannot install have error as below

from error installation requires member of domain but i have check already user to enter when install it be member of domain already.

Best Regards,

Chakuttha R.




  • No Related Posts

VNX: All file menus are gray when customers login control station Unisphere

Article Number: 502876 Article Version: 5 Article Type: Break Fix

VNX1 Series,VNX2 Series

1. There are 2 VNX5400 boxes in the storage domain (We call them VNXA and VNXB temporarily).

2. Domain master is VNX A. When customer logs into Unisphere by using VNX A IP address, VNX A file part showed grey out and VNX B worked fine.

3. After destroying and rebuilding domain on VNXA, everything works fine.

4. Then one manually adds VNXB to VNXA’s storage domain. Now VNXB’s file menus are shown grey out.

5. If one performs the rebuild action on VNXB again and adds VNXA to the storage domain of VNXB, VNXA’s file menus are shown grey out.

6. Destroy the domain on SPs for 2 VNXs by running domain destroy script. Still no work.

7. It is noticed that while domain master is VNXA, everything works fine when logging in Unisphere via SP’s IP of VNXB.

8. It has a Unisphere Warning alert like

Severity : Warning

System : vnx5300cs

Domain : Local

Created : Jul 25, 2017 8:14:19 AM

Message : Logging into encountered an error.

Full Description : An error occurred during the login process. The control station did not log in properly.

Recommended Action : The login error may have occurred because: 1. Certificates are not accepted. 2. Both storage processors or the control station are not accessible. 3. You have logged in to a File or Block system using a local user account not defined on both the File and Block systems.

Event Code : 0xfffffffffffffff9

1. Both VNXA’s control station and VNXB’s control station have the same host name “VNX5400”.

2. Both VNXA’s array name and VNXB’s array name have the same array name “VNX5400”.

This is the root cause.


1.Change the hostname of VNXB’s control station (“VNX5400-117” as an example):

#nas_cs -set -hostname VNX5400-117

2.Change VNXB’s array name fromVNX5400 to VNX5400-117:

#/nas/sbin/navicli -h spa arrayname VNX5400-117

3. Reboot control station and issue is fixed.

To have more than 1 VNX array in the storage domain, please make sure control station’s host name and array’s name are unique across the domain.


  • No Related Posts

The following error occurred during an authentication attempt for user:domain.comabc with realm:

At the Storefront server open a command line and run the following command:

>set u

There would be two fields called USERDOMAIN and USERDNSDOMAIN

And these will be like this:



Open Netscaler Gateway Virtual server session profile.

Go to Published applications tab and look for SSODomain field

As per the error it would be

We need to change it to domain, and save the configuration on Netscaler.

Also confirm that Storefront has either “Any” domain selected or has “” and “domain” added as trusted domain.