NetScaler 10, WI 5.4 and the Citrix Receiver 5.7.. “The gateway settings are incorrect”

Share Button

For one of my projects I was configuring a NetScaler HA Pair and after configuring the SSL VPN for laptops I wanted to configure a session profile to reroute mobile users based on their User-Agent in the HTTP Header to a ICA Proxy enabled WI Services site. The SSL VPN was working including 2fact auth and SSO so I knew the start was good 😉

So I created the following session policy based on this manual:

Return to the NetScaler VPX configuration utility click Access Gateway > Policy Manager > Change group settings and user permissions.

Select Session Policies and Create new session policy.

The Create Access Gateway Session Policy window appears. Enter MobileAccess for the policy name and click New.

Name the Session Profile MobileDevices, on the Published Applications tab Override Global for ICA Proxy, Web Interface Address, Web Interface Portal Mode and Single Sign-On Domain.

Enter the following:

ICA Proxy: ON

Web Interface Address: http://XA.demo.local/Citrix/MobileAccess/config.xml

Web Interface Portal Mode: NORMAL

Single Sign-on Domain: ctxdemo

In the Configure Access Gateway Session Policy window, next to Match Any Expression, click Add…

Expression  Type: General

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: CONTAINS

Value: CitrixReceiver

Header Name: User-Agent

Select OKCreate and Close. The Access Gateway Session policy appears as an icon in the Access Gateway Policy Manager.

Under Configured Policies / Resources, expand the Virtual Servers > SmartAccess node and then drag the MobileAccessicon onto the SmartAccess > Session Policies icon.

Modify the priority of the policy so the MobileAccess policy has a high priority than the Remote Access policy.  This is done by assigning a lower policy number.

Close the Access Gateway Policy Manger and Save the configuration

After the configuration I tested it with my Ipad and got an error “the gateway settings are incorrect”. After an extensive search on google I found  this post on the Citrix forums.

Apparently the Citrix Receiver has a changed client header:

“CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork Darwin VpnCapable

Which isn’t the problem but I am curious about the VpnCapable description that was added. The real problem was “Due to some new strings contained within the 5.7 Receiver“… So the Receiver 5.7 has some new strings that causes an error “The address given did not provide a valid App list. Please check the address, gateway settings, and your network connection”.

I changed the AG profile according to John War’s post:

On your AG session profile, ensure the following is set:

Clientless Access: Allow
Clientless Access URL encoding: Clear
Plugin Type: Java

 

The The gateway settings are incorrect error was resolved but I got new error that the app list couldn’t be retrieved, the solution was pretty easy. For the SSL VPN I had configured Client Clean Up and I had to overrule these settings in my Session Profile for the mobile clients in order to make this work.

After configuring the client clean up I could connect with both my ipad, iphone and galaxy SII.

Share Button
  1. David CamdenDavid Camden05-07-2014

    Thank you

  2. thomasthomas11-05-2013

    Thank you !!! Loosing so many hours to do it , helps me a lot !!! JAVA & client clean up 🙂

  3. AndyAndy04-22-2013

    Hi Kees, a great post and fixed the problem I have been getting…Can you shed any light on what on earth Citrix might be doing with their Receiver development when it comes to things like this?

    Also, I found I was able to access it with the URL Encoding still set to ‘Obscure’ so is was the JAVA setting that was crucial for me as clientless was already correct.

Leave a Reply to David Camden Click here to cancel reply.