Upgrading Citrix ADC breaks either StoreFront SSO or SSL VPN

If you have recently upgraded your Citrix ADC (NetScaler ADC) to a recent build, such as ver. 13.0 build 64 or newer, you may find that your Citrix published apps and desktops no longer launch. This is because Citrix (once again) changed the default Citrix ADC behavior to enhance security: the SSO option in the Session Profile no longer sends the user's credentials to StoreFront.

To fix this, you need to create a Traffic Action and Policy that enables SSO.
Carl Stalhood described this in detail.

However, by creating and binding this Traffic Policy to your Citrix Gateway, you will fix the StoreFront SSO but break SSL VPN. Your HTTP/HTTPS services will likely be fine when accessed via VPN, but TCP services, such as RDP or SMB, will stop working.

How do you fix this? You change your Traffic Policy expression from “true” to:
HTTP.REQ.METHOD.EQ(post) || HTTP.REQ.METHOD.EQ(get) && false
This restricts the policy to HTTP requests only, so the SSO traffic action is no longer applied to non-HTTP VPN flows such as RDP or SMB.

So, your complete Traffic Policy configuration should look like:
add vpn trafficAction StoreFront_SSO_trprof http -SSO ON
add vpn trafficPolicy StoreFront_SSO_trpol "HTTP.REQ.METHOD.EQ(post) || HTTP.REQ.METHOD.EQ(get) && false" StoreFront_SSO_trprof
bind vpn vserver YOUR_CITRIX_GATEWAY_vSERVER_NAME -policy StoreFront_SSO_trpol -priority 100 -gotoPriorityExpression END -type REQUEST

With this both StoreFront SSO and SSL VPN should work just fine 🙂
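As an added check that is not part of the original post (and not a Citrix tool), the following Python script audits an ns.conf-style configuration for exactly the mistake described above: a traffic policy whose action has SSO ON, bound to a Gateway vserver with the catch-all rule "true". It assumes the command layouts shown in this post (add vpn trafficAction / add vpn trafficPolicy / bind vpn vserver ... -policy) and uses a simple heuristic, that a rule referencing HTTP.REQ.* only matches HTTP requests; the sample configuration lines are constructed for the example.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample of ns.conf lines (not taken from a real appliance).
# Broken_SSO_trpol uses the catch-all rule "true" with an SSO-enabled action,
# which is the combination that breaks TCP services over SSL VPN.
SAMPLE_NS_CONF = """\
add vpn trafficAction StoreFront_SSO_trprof http -SSO ON
add vpn trafficAction NoSSO_trprof http -SSO OFF
add vpn trafficPolicy Broken_SSO_trpol true StoreFront_SSO_trprof
add vpn trafficPolicy StoreFront_SSO_trpol "HTTP.REQ.METHOD.EQ(post) || HTTP.REQ.METHOD.EQ(get) && false" StoreFront_SSO_trprof
add vpn trafficPolicy Other_trpol true NoSSO_trprof
bind vpn vserver GW_vserver -policy Broken_SSO_trpol -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver GW_vserver -policy Other_trpol -priority 110 -gotoPriorityExpression END -type REQUEST
bind vpn vserver GW2_vserver -policy StoreFront_SSO_trpol -priority 100 -gotoPriorityExpression END -type REQUEST
"""


def parse_ns_conf(text: str):
    """Extract traffic actions, traffic policies and vserver policy bindings.

    Returns (actions, policies, bindings) where
      actions:  trafficAction name -> True if -SSO ON
      policies: trafficPolicy name -> (rule expression, action name)
      bindings: list of (vserver name, trafficPolicy name)
    Command layouts are assumed to match the ones shown in the post.
    """
    actions: Dict[str, bool] = {}
    policies: Dict[str, Tuple[str, str]] = {}
    bindings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # keeps the quoted rule expression as one token
        if tok[:3] == ["add", "vpn", "trafficAction"] and len(tok) >= 4:
            sso = False
            if "-SSO" in tok and tok.index("-SSO") + 1 < len(tok):
                sso = tok[tok.index("-SSO") + 1].upper() == "ON"
            actions[tok[3]] = sso
        elif tok[:3] == ["add", "vpn", "trafficPolicy"] and len(tok) >= 6:
            policies[tok[3]] = (tok[4], tok[5])
        elif tok[:3] == ["bind", "vpn", "vserver"] and "-policy" in tok:
            idx = tok.index("-policy")
            if idx + 1 < len(tok) and len(tok) >= 4:
                bindings.append((tok[3], tok[idx + 1]))
    return actions, policies, bindings


def rule_is_http_scoped(rule: str) -> bool:
    """Heuristic: a rule that tests HTTP.REQ.* only fires on HTTP requests,
    whereas "true" (or any non-HTTP rule) fires on every VPN flow."""
    return "HTTP.REQ." in rule.upper()


def audit_sso_traffic_policies(text: str) -> List[Tuple[str, str, str]]:
    """Return (vserver, policy, rule) for every bound traffic policy whose
    action has SSO ON but whose rule is not restricted to HTTP traffic."""
    actions, policies, bindings = parse_ns_conf(text)
    findings: List[Tuple[str, str, str]] = []
    for vserver, pol in bindings:
        if pol not in policies:
            continue
        rule, action = policies[pol]
        if actions.get(action, False) and not rule_is_http_scoped(rule):
            findings.append((vserver, pol, rule))
    return findings


if __name__ == "__main__":
    for vserver, pol, rule in audit_sso_traffic_policies(SAMPLE_NS_CONF):
        print(f"{vserver}: policy {pol} enables SSO with rule '{rule}'; "
              f"restrict it to HTTP requests or TCP services over VPN will break")
```

Run it against a saved copy of ns.conf (for example `audit_sso_traffic_policies(open("ns.conf").read())`); an empty result means every SSO-enabled traffic policy bound to a Gateway vserver is already scoped to HTTP.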
