Today I have been troubleshooting a Citrix NetScaler configuration, where some clients received the Protocol Driver Error message when executing a published application. This error message is mostly related to a wrong configuration of the Security Ticket Authorities (STA’s). I spent a lot of time troubleshooting this issue and focused on the STA configuration. I have been deleting, adding and modifying multiple STA’s to the configuration of the NetScaler without any luck. I checked the configuration of the firewall, but this wasn’t the problem either.
I decided to go back to basic and just added one STA to the Virtual Server and the STA service group used by the Web Interface. I was able to login with that STA server, but after a while I wasn’t able to login and received the Protocol Driver Error again.
While browsing through the NetScaler I noticed one thing. Every time I wasn’t able to login, there were 5 concurrent users already connected with the NetScaler. I did some more research on the internet and found the following article.
Reading the article, tells me that, by default, only 5 concurrent ICA sessions are possible through the NetScaler. I checked the license and the customer has a license for 50 SSL VPN connections, like shown below:
> show license
Web Logging: YES
Surge Protection: NO
Load Balancing: YES
Content Switching: YES
Cache Redirection: NO
Sure Connect: NO
Compression Control: NO
Delta Compression: NO
Priority Queuing: NO
SSL Offloading: YES
Global Server Load Balancing: NO
GSLB Proximity: NO
Http DoS Protection: NO
Dynamic Routing: YES
Content Filtering: YES
Integrated Caching: NO
SSL VPN: YES (Maximum users = 50)
OSPF Routing: NO
RIP Routing: NO
BGP Routing: NO
IPv6 protocol translation: YES
Application Firewall: NO
HTML Injection: NO
NetScaler Push: NO
I increased the default value to 50 with the following command:
> set aaa parameter -maxAAAUsers 50
From that point on I was able to start another ICA connection, while there were already 5 concurrent users connected. Now I have to wait and see if this actually solved the problem, but I guess it has.
I tried to increase the –maxAAAUsers value to a value higher than 50, but that isn’t possible as you can see.
> set aaa parameter -maxAAAUsers 100
ERROR: MaxAAAUsers value not allowed by license
I have deployed more Juniper SA 2000 appliance and in overall I am pleased with the working of the appliance. Sometimes we have minor problems when publishing ICA sessions through the appliance.
My colleagues have customers with connection problems, where suddenly the ICA sessions get disconnected and we cannot find the cause of these disconnects. Load balancing through the SA is also “hard” to configure. You have to define a custom ICA file and add the correct parameters for load balancing the sessions. In our opinion the Juniper SA appliance is a decent SSL VPN appliance, but not suitable for native Citrix environments. In native Citrix environments we prefer Citrix Secure Gateway or Citrix Access Gateway.
Now I recently noticed something strange with the Juniper SA. I am publishing a ICA session with a custom ICA file. The firmware of the Juniper is 5.5R2.1. Now I noticed that it isn’t possible to connect from a Windows 2003 server. When trying to connect you will receive the following error message:
I checked the compatible platforms for Secure Terminal Access and Terminal Services for the 5.5 firmware and yes……Windows 2003 server isn’t supported!!!
Looking at the compatible platform for the latest firmware (6.2) Windows 2003 is supported for Secure Terminal Access and Terminal Services. So I hear you think: JUST UPGRADE THE DAM THING, but I don’t know the impact on the current configuration and published services.
I guess it would be great to check if it is possible to “hack” a Windows 2003 server and adjust the security features of the server. Because I guess that the security policies, introduced in Windows 2003 server, are the cause of not connecting the ICA session.
I hope: TO BE CONTINUED…..