Error: “Unable to launch your application.” When Launching Published Applications or Desktops Through NetScaler Gateway

There are several reasons why a user might be unable to launch a published application or desktop through NetScaler Gateway. You can learn the traffic flow and how to analyze logs in a Citrix Gateway and StoreFront integrated environment by watching the video below. This article also gives details on some of the reasons.



Details on some of the reasons:

  1. Install Latest Version of Receiver
  2. User License Exhausted
  3. NetScaler Gateway License Type Mismatch
  4. Certificate Not Linked on the NetScaler
  5. Secure Ticket Authority Not Specified
  6. FQDN of Secure Ticket Authority is Not Resolvable
  7. Verify if the Secure Ticket Authority Configured on NetScaler Returns STA ID
  8. Verify That the Same STA Servers Are Configured on the NetScaler Gateway Virtual Server and on the StoreFront Servers
  9. Make Sure that Usage or Role on the StoreFront Server is Set to Authentication and HDX Routing
  10. Verify Communication on port 1494/2598 from the Subnet IP/Mapped IP to the XenApp/XenDesktop Servers


Install Latest Version of Receiver

Download and install the latest version of Citrix Receiver to resolve this issue.

User License Exhausted

Verify whether the license is exhausted on NetScaler Gateway. Navigate to NetScaler configuration utility > NetScaler Gateway > Virtual Server and examine the Maximum Users and Current Users values. If both values are the same, the NetScaler Gateway license is exhausted.

You can also navigate to NetScaler configuration utility > System > Licenses to confirm the number of NetScaler Gateway and ICA licenses.

Complete one of the following steps to resolve this issue:

Install an additional Universal License to accommodate more users. Adjust the maximum number of users to match the new number of total users by navigating to NetScaler Gateway > Global Settings > Change Authentication AAA Settings > Maximum Number of Users.

Note: Retain NetScaler Gateway virtual server in SmartAccess mode.

NetScaler Gateway License Type Mismatch

The NetScaler Gateway setting should match the type of license that the NetScaler Gateway has. Change the NetScaler Gateway virtual server mode from SmartAccess to Basic. If Basic mode is used on the NetScaler Gateway virtual server (ICA Only checkbox selected in the latest versions of NetScaler), unlimited ICA users are allowed.

Refer to CTX125567 – How to Configure NetScaler Gateway Appliance with Unlimited ICA Connections for more information.

Certificate Not Linked on the NetScaler

When users launch the published application or desktop, the Receiver performs an SSL handshake with the NetScaler Gateway virtual server. If the certificate has been issued by a trusted CA, make sure that the certificate is also on the NetScaler. For more information, refer to CTX114146 – How to Install and Link Intermediate Certificate with Primary CA on NetScaler Gateway.

Secure Ticket Authority Not Specified

Verify if NetScaler Gateway has Secure Ticket Authority (STA) specified under NetScaler Gateway > Virtual Server > Published Application. If not, add the STA under Published Applications on NetScaler Gateway to resolve this issue. For more information refer to Citrix Documentation – Configuring the Secure Ticket Authority on NetScaler Gateway.


FQDN of Secure Ticket Authority is Not Resolvable

Verify that the FQDN of the STA server is resolvable. If it is not, change the STA server FQDN to an IP address on StoreFront and NetScaler. For more information, refer to Citrix Documentation – Configuring the Secure Ticket Authority on NetScaler Gateway.

Verify if the Secure Ticket Authority Configured on NetScaler Returns STA ID

If the Secure Ticket Authority (STA) server is reachable from the NetScaler, the NetScaler sends a POST request to the STA server requesting an AuthID. The STA server should return a valid and unique AuthID.

Verify That the Same STA Servers Are Configured on the NetScaler Gateway Virtual Server and on the StoreFront Servers

The StoreFront server needs to contact the STA server to obtain a ticket containing the IP address/FQDN of the XenApp/XenDesktop server that will serve the request for that published application or desktop.

When the client forwards the ticket to the NetScaler Gateway, the gateway matches the AuthID in the ticket with the AuthID of the STA server specified on the virtual server. If the AuthID does not match, the launch request fails.
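The two STA checks above (each STA returns a unique AuthID, and the gateway and StoreFront list the same STA servers) can be cross-checked offline. The following is an added example, not Citrix code: the host names, AuthIDs and ticket are constructed, and the ticket layout `;<version>;<STA ID>;<ticket>` in the ICA file's Address field is an assumption.

```python
"""Added example: cross-check STA settings between NetScaler Gateway and StoreFront."""
from urllib.parse import urlsplit

# Constructed sample data: AuthID per STA as shown on the gateway virtual server
# ("" means the STA returned none), and the STA URLs configured on StoreFront.
SAMPLE_GATEWAY = {"http://STA01.example.internal/scripts/ctxsta.dll": "STA11111111",
                  "http://sta02.example.internal": ""}
SAMPLE_STOREFRONT = ["http://sta01.example.internal", "https://sta03.example.internal"]
SAMPLE_TICKET = ";40;STA99999999;0123456789ABCDEF"   # constructed Address value

def sta_key(url):
    """Reduce an STA URL to (scheme, host, port) so case or path differences do not hide a match."""
    url = url.strip().lower()
    if "://" not in url:
        url = "http://" + url          # assumption: a bare host name means plain HTTP
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def parse_ticket(address):
    """Split an STA ticket, assumed layout ';<version>;<STA ID>;<ticket>'."""
    fields = address.split(";")
    if len(fields) != 4 or fields[0] or not fields[2] or not fields[3]:
        raise ValueError("not an STA ticket: %r" % address)
    return {"version": fields[1], "sta_id": fields[2], "ticket": fields[3]}

def diagnose(gateway_stas, storefront_stas, ticket_address=None):
    """Return a list of findings; an empty list means the STA settings are consistent."""
    findings = []
    gw = {sta_key(url): auth_id for url, auth_id in gateway_stas.items()}
    sf = {sta_key(url) for url in storefront_stas}
    if not gw:
        findings.append("no STA bound to the gateway virtual server")
    for key in sorted(sf - set(gw)):
        findings.append("STA %s://%s:%d is on StoreFront but not on the gateway" % key)
    for key in sorted(set(gw) - sf):
        findings.append("STA %s://%s:%d is on the gateway but not on StoreFront" % key)
    for key, auth_id in sorted(gw.items()):
        if not auth_id:
            findings.append("STA %s://%s:%d returned no AuthID" % key)
    ids = [auth_id for auth_id in gw.values() if auth_id]
    if len(ids) != len(set(ids)):
        findings.append("two STA servers report the same AuthID")
    if ticket_address is not None:
        sta_id = parse_ticket(ticket_address)["sta_id"]
        if sta_id not in ids:
            findings.append("ticket was issued by %s, which the gateway does not know" % sta_id)
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_GATEWAY, SAMPLE_STOREFRONT, SAMPLE_TICKET):
        print(finding)
```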

Make Sure that Usage or Role on the StoreFront Server is Set to Authentication and HDX Routing

Starting with StoreFront version 3.5, you can define the Secure Ticket Authority servers only when you select Authentication and HDX Routing as the Usage or Role under Manage NetScaler Gateway Settings. Also, if this option is not selected, the StoreFront server does not add the SSL Proxy Host to the ticket created by the Secure Ticket Authority server.

Verify Communication on port 1494/2598 from the Subnet IP/Mapped IP to the XenApp/XenDesktop Servers

The NetScaler communicates with the XenApp/XenDesktop server on port 1494 (Session Reliability OFF) or port 2598 (Session Reliability ON). If the SNIP/MIP cannot establish a TCP connection on these ports, the launch fails.

TCP Profiles on NetScaler

TCP configurations for a NetScaler appliance can be specified in an entity called a TCP profile, which is a collection of TCP settings. The TCP profile can then be associated with services or virtual servers that want to use these TCP configurations.

Built-in TCP Profiles

For convenience of configuration, the NetScaler provides some built-in TCP profiles. For a list of built-in profiles, refer to Citrix Documentation – Built-in TCP Profiles.

For a list of options that are available for a TCP profile, refer to Citrix Documentation – ns tcpProfile.

Note: These values can have serious impacts on network performance. Use these values carefully when adjusting them manually in existing profiles, or when creating new profiles.

To specify service or virtual server level TCP configurations

Command line interface

  1. Configure the TCP profile:

    set ns tcpProfile <profile-name>

  2. Bind the TCP profile to the service or virtual server.

    To bind the TCP profile to the service:

    set service <name> -tcpProfileName <profile-name>

    For example:

    > set service service1 -tcpProfileName profile1

Configuration utility

  1. Configure the TCP profile.

    Navigate to System > Profiles > TCP Profiles, and create the TCP profile.

  2. Bind the TCP profile to the service or virtual server.

    Navigate to Traffic Management > Load Balancing > Services/Virtual Servers, and create the TCP profile, which should be bound to the service or virtual server.

Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass Vulnerability

A vulnerability in the Local Packet Transport Services (LPTS) programming for SNMP with the management plane protection feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to connect to the SNMP server of an affected device even though management plane protection is configured to deny access.

This vulnerability is due to incorrect LPTS programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by connecting to an affected device using SNMP. A successful exploit could allow the attacker to connect to the device on the configured SNMP ports. Valid credentials are required to execute any of the SNMP requests.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-7MKrW7Nq

Security Impact Rating: Medium

CVE: CVE-2021-1243

After Upgrading Citrix ADC to 11.0-67.12, Access to Internal Resources Fails With the Following Message: “Http/1.1 Internal Server Error 43531”

The following conditions lead to this issue:

  1. StoreFront servers are load balanced on ADC.
  2. The load balancing IP used to load balance the StoreFront servers is a non-routable IP. This means that you cannot reach the load balancing VIP from a client machine or any other machine, or there is no route on the ADC for the load balancing VIP. For example, the ADC is in the 10.x.x.x subnet and you configure the load balancing VIP in the 192.x.x.x subnet, for which there is no route on the ADC.
  3. The Gateway session profile points to the load balancing VIP under the “Published Applications” tab.

This issue is caused by a design change in ADC 11.0-67+ builds: when you add a StoreFront URL to a Gateway session profile, the ADC internally tries to probe the load balancing VIP that was added.

In a few cases the probe fails because the NetScaler cannot find a source IP for probing the non-routable load balancing VIP.

In previous ADC builds this worked because the load balancing VIP was not probed. The behavior was changed because the previous design occasionally led to crashes.
