Category Archives: Load Balancers

Ensuring Cisco Unity UM Validation when using Exchange 2013 and Citrix NetScalers

When using Citrix NetScalers to load balance Exchange services, a question I receive on occasion is: “With the NetScalers in place, my mail works, but my Unity voicemails are not delivered to the Inbox. Why is that?”

Within the Unity management interface, if you Test the connection between Unity and Exchange, you may see a “401: Incorrect service account name or password” error as shown below:

[Screenshot: 1_UnityError]

In my experience, customers will have this problem if they point Unity to the same NetScaler Virtual IP (VIP) Address that is load balancing the Exchange CAS servers, in this example 10.11.12.13.

If you read the Citrix NetScaler/Exchange 2013 Deployment Guide released by Citrix, you’ll see the recommended Method and Persistence settings for the OWA/SSL services on page 14, shown below:

[Screenshot: 2-Exchange13_OWA_vServer]

I believe the problem with Unity stems from COOKIEINSERT being set as the Persistence method for the OWA virtual server object.  Certainly this configuration works great with Exchange-based SSL services, but it causes a disruption in the interaction with Unity.

To resolve the Unity validation 401 error and allow voicemails to be sent to an Inbox, you will need to create a new virtual server using the following values:

  • Name:  Unity_Connection_to_Exchange_2013_SSL (or whatever you prefer)
  • Protocol:  SSL
  • Port:  443
  • Services:  Use the same services in use by the Exchange OWA virtual server (Exchange CAS SSL Services)
  • Cert:  Same certificate used by Exchange OWA virtual server
  • Method:  Least Connection
  • Persistence:  SOURCEIP

[Screenshot: 3_NewVirtualServer]

With the new virtual server created, return to the Unity configuration page and set the new VIP, in this case 10.11.12.14, and test the connection.  You should be good to go at this point if you are load balancing Exchange 2013.

[Screenshot: 4_TestUnity]
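
The same virtual server can be created from the NetScaler command line. This is an added example, not part of the original post; the two service names and the certificate-key name are placeholders (assumptions) for the objects already defined on your appliance.

```text
# Existing OWA virtual server as described above, shown for contrast only
# (name is a placeholder, other options omitted). Cookie-based persistence:
#   add lb vserver Exchange_2013_OWA_SSL SSL 10.11.12.13 443 -persistenceType COOKIEINSERT

# New virtual server for Unity on its own VIP, persisting on client source IP.
add lb vserver Unity_Connection_to_Exchange_2013_SSL SSL 10.11.12.14 443 -persistenceType SOURCEIP -lbMethod LEASTCONNECTION

# Bind the same Exchange CAS SSL services the OWA virtual server uses
# (service names are placeholders).
bind lb vserver Unity_Connection_to_Exchange_2013_SSL svc_exch_cas01_ssl
bind lb vserver Unity_Connection_to_Exchange_2013_SSL svc_exch_cas02_ssl

# Bind the same certificate the OWA virtual server presents
# (certificate-key name is a placeholder).
bind ssl vserver Unity_Connection_to_Exchange_2013_SSL -certkeyName exchange_owa_cert

# Confirm the state is UP and the persistence type is SOURCEIP, then save.
show lb vserver Unity_Connection_to_Exchange_2013_SSL
save ns config
```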

If you are load balancing Exchange 2010, you’ll still need an additional VIP, but the virtual server needs to be set up a little differently in that I’ve had to set the Protocol to TCP and the Port to *.


Pass-through authentication and the NetScaler Web Interface

This feels like one of those things I should have known, but in the midst of projects and customer calls, it can be a challenge at times to simply consider, “What am I doing?” To that end, I’m just passing along some information obtained by opening a call with Citrix support regarding pass-through authentication when using the Citrix web interface deployed on a NetScaler. I’ve used it before to provide applications to tablets and it just didn’t register that providing applications to Windows clients would be any different, but when I configured my Windows-based Citrix Receiver to access the PN Agent site on the NetScaler, I was unable to get pass-through authentication working.

Turns out this is the expected behavior, and once I was told, it made sense.  Here is the summary of the issue provided by Citrix NetScaler support:

A Web Interface XenApp services site published on Web Interface of NetScaler cannot inherently deploy using pass-through authentication mode as this requires the Web Interface server to be part of the domain.  As you may have already surmised, a NetScaler cannot join a Windows Active Directory domain.

Thus, the ability to use pass-through authentication is strictly a feature of Web Interface installed on Microsoft Windows Server/IIS. Pass-through authentication functions by challenging the client computer for NTLM authentication, and the Web Interface/IIS computer authenticates the user to the domain. Further, the ICA files do not have the same user/password ticket references as typical ICA files. This is because the end user computer’s SSONSVR.EXE hidden Windows service (part of the Citrix Receiver) is going to pass the end user’s security token to the target XenApp server instead of a pre-negotiated password ticket.


iPhone "ERROR" when connecting to Citrix Applications

When testing remote access to Citrix applications using an iPhone, I received this very helpful error message when I tried to connect with the Citrix Receiver:

In this case, my Citrix environment is front-ended by a Citrix NetScaler and Android devices worked with no problem. After doing a quick search, the following was found on Richard Parmiter’s blog:

“After much messing about, it seems that when creating a XenApp service site on the Netscaler, a checkbox is provided stating “enable connection through mobile receiver”. When this is selected a few “rewrite” rules are created to resolve a problem with the iPad/iPhone receiver connections but the rewrite feature is not enabled at the same time on the Netscaler. Simply right clicking the “rewrite” menu in the left panel and selecting to enable the feature is enough to resolve the problem.

After doing this, all mobile receivers can connect as expected.”

Sure enough, the Rewrite feature on my NetScaler had not been enabled. Once enabled, iPhones and iPads were able to connect.

Be sure to save the configuration!


Citrix NetScaler – Creating a Web Interface site to integrate with the Access Gateway

You can use the Web Interface wizard on the NetScaler to provide access to local LAN or remote access users. To integrate the Access Gateway with the web interface running on the NetScaler, follow the steps below:

1. In the navigation pane, expand System, and then click Web Interface.

2. In the details pane, click Web Interface Wizard.

3. On the Introduction page, click Next.

4. On the Configure Web Interface Site page, specify the values for the following parameters, which correspond to parameters described in Parameters for configuring Web interface sites:

• Site Path (You cannot change the name of an existing Web interface site.)
• Site Type
• Published Resource Type
• Kiosk Mode

Select Gateway Direct Mode and specify values for the following parameters:

• Authentication Point
• Access Gateway URL
• Add DNS Entry
• Trust SSL Certificate
• STA Server URL
• STA Server URL (2)
• Session Reliability

5. Click Settings to the right of the Access Gateway virtual server and specify values for the following parameters:

• ICA Proxy – ON
• Web Interface Address – http://127.0.0.1:8080/ (This address is used because we are running the web interface on the NetScaler and it uses port 8080.)
• Web Interface Portal Mode – NORMAL
• Single Sign-on Domain – DOMAINNAME
• Enable the SSO to Web Applications option

Click OK on the Settings window.

6. When returned to the Configure Web Interface Site screen, click Next.

7. On the Configure XenApp/XenDesktop Farm screen, click Add to add an existing XenApp or XenDesktop farm.

8. In the Create XenApp/XenDesktop Farm or Configure XenApp/XenDesktop Farm dialog box, specify values for the following parameters:

• Name
• XML Service Addresses
• XML Service Port
• Transport
• Load Balance

After the appropriate values have been entered, click Create.

9. When returned to the Configure XenApp/XenDesktop Farm screen, click Next, and then click Finish.

The wizard creates an Access Gateway Session Policy based on the settings specified. Make sure that the appropriate session policies are set on the Access Gateway virtual server and then test remote connectivity.
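
To check or recreate that session policy from the NetScaler command line, the step 5 values map to a session profile and policy like the following. This is an added example written by hand, not the wizard's own output or part of the original post; the profile, policy and virtual server names and the priority are placeholders (assumptions).

```text
# Session profile carrying the values entered in step 5
# (profile name is a placeholder).
add vpn sessionAction AG_WI_Session_Profile -icaProxy ON -wihome "http://127.0.0.1:8080/" -wiPortalMode NORMAL -ntDomain DOMAINNAME -SSO ON

# Policy that applies the profile to every session
# (ns_true matches all requests; policy name is a placeholder).
add vpn sessionPolicy AG_WI_Session_Policy ns_true AG_WI_Session_Profile

# Bind the policy to the Access Gateway virtual server
# (virtual server name and priority are placeholders).
bind vpn vserver AG_vServer -policy AG_WI_Session_Policy -priority 100

# List what is bound to the virtual server, then save the configuration.
show vpn vserver AG_vServer
save ns config
```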


Citrix Access Gateway – Creating an Access Gateway Virtual Server

The Access Gateway works with the Web Interface and Secure Ticket Authority (STA) to provide authentication, authorization, and redirection to published applications hosted on a computer running Citrix XenApp or published desktops provided by Citrix XenDesktop. The Access Gateway virtual server serves as the access point through which clients access these services. The Access Gateway wizard helps you quickly create an Access Gateway virtual server for accessing resources using the SSL VPN functionality of the NetScaler. The settings that configure how users connect to the Access Gateway are as follows:

• Virtual servers
• Certificates
• Name service providers
• Authentication
• Authorization
• Port redirection
• Clientless access
• Clientless access for SharePoint

To create the Access Gateway virtual server, perform the following steps:

1. In the NetScaler management console, click Access Gateway and then on the right-hand pane, click Access Gateway wizard.

2. On the Access Gateway Wizard Introduction screen, click Next.

3. On the Create or choose a virtual server screen, select New, specify an IP Address, Port, and Virtual Server Name, and then click Next.

4. On the Specify a server certificate screen, select the appropriate certificate and click Next to continue. In this example, I am using a test certificate which points to the name access.cps.demo.

5. On the Name Service Providers screen, specify the Configured DNS Server and click Next.

6. On the Configure authentication screen, specify the LDAP server information and click Next.

7. On the Configure additional settings screen, under Configure Authentication, click Allow and under Redirect Requests for Port 80, enable Redirect to secure web address and click Next to continue.

8. On the Configure clientless access screen, accept the defaults (shown below) and click Next.

9. On the Summary screen, click Finish to create the new Access Gateway virtual server.

10. When the Access Gateway has been successfully configured, click Exit. Remember to save the configuration.

With the Access Gateway virtual server now created, we can create a web interface site and then integrate it with the Access Gateway virtual server.
