NetScaler unified gateway is one of the great new features in NS version 11. If you’ve worked with some of the more advanced features, then you may be familiar with one of the more common requests:
Make a NetScaler Gateway (CAG) the target vServer of a content switching vServer.
Fortunately, this is exactly what Unified Gateway does – essentially, Unified Gateway is a content switching vServer with one of the possible target vServers as a non-addressable NetScaler Gateway. This is slightly different than the 10.5 enhancement release feature which allowed for CSW policies to be bound to a CAG\VPN vServer. While the ability to do this still exists in NS version 11, the unified gateway is the preferred method to accomplish this.
I recently switched to a unified gateway configuration and ran into an issue with native receiver – or self-service – or mobile receiver – or whatever you want to call Receiver on Android\iOS.
The New Configuration
The new NetScaler Gateway vServer is non-addressable, as you can see here (IP\port are 0.0.0.0:0):
And all of the content switching policies are on the CSW vServer itself. The issue I ran into was that I could not connect with my mobile device via Receiver – despite the mobile receiver policy being bound to the CAG vServer.
The Problem
When I tried to connect with my mobile Receiver app, I was not able to connect – once I sent the support logs via email, I noticed the following:
02-02 06:56:43.317 D/DSDownloadAccountRecordTask::getAccountRecord( 6054): Entry
02-02 06:56:43.317 D/DSDownloadAccountRecordTask::getAccountRecord( 6054): accountServiceUrlAfterRewrite=https://apps.customer.com/Citrix/Roaming/accounts
02-02 06:56:43.317 D/getAGHeaders( 6054): adding X-Citrix-Gateway header
02-02 06:56:43.358 I/HttpClientHelper( 6054): SslSdkProtocolNumber value is 0x2 from user's settings
02-02 06:56:43.358 I/HttpClientSocketFactory( 6054): Tring to configure TLSv1
02-02 06:56:43.358 I/HttpClientSocketFactory( 6054): Enabling protocol TLSv1(2)
02-02 06:56:43.470 E/DSDownloadAccountRecordTask::getAccountRecord( 6054): Received unexpected HTTP 503 response
02-02 06:56:43.472 W/System.err( 6054): com.citrix.client.deliveryservices.utilities.DeliveryServicesException
02-02 06:56:43.473 W/System.err( 6054): at com.citrix.client.deliveryservices.accountservices.asynctasks.DSDownloadAccountRecordTask.getAccountRecord(DSDownloadAccountRecordTask.java:229)
As the log above shows, there was an HTTP 503 response when trying to reach the account services address on the VPN vServer.
The Solution
There are probably two solutions to this, though I have not verified both of them.
The first solution is to create a content switching policy that points to the CAG\VPN vServer – this policy basically says that any traffic coming from the Receiver app should be directed to the CAG vServer.
The expression in this case is:
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
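The first solution written out as NetScaler CLI commands. This is an added example, not configuration taken from the original post; the object names (cs_unified_gw, vpn_unified_gw, act_receiver_to_gw, pol_receiver_to_gw) and the priority value are hypothetical and should be replaced with the names in your own configuration.

```netscaler
# Assumed names (hypothetical, not from the post):
#   cs_unified_gw   existing content switching vServer
#   vpn_unified_gw  existing non-addressable NetScaler Gateway (VPN) vServer

# Action that sends matching requests to the Gateway vServer.
add cs action act_receiver_to_gw -targetVserver vpn_unified_gw

# Policy using the expression from the post: match requests whose
# User-Agent header contains "CitrixReceiver".
add cs policy pol_receiver_to_gw -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" -action act_receiver_to_gw

# Bind the policy to the CSW vServer. The priority is an assumed value;
# pick one that orders it correctly against your other CSW policies.
bind cs vserver cs_unified_gw -policyName pol_receiver_to_gw -priority 100

# Check the binding, then reconnect from the mobile Receiver and confirm
# that the policy hit counter increases.
show cs vserver cs_unified_gw
show cs policy pol_receiver_to_gw
```

Because the User-Agent header is set by the client, this policy only routes traffic to the Gateway vServer; authentication is still enforced by the Gateway vServer itself.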
The other option that would likely work in this case is to set the CAG\VPN vServer as the default content switching action on the CSW vServer, though I have not tested this.