NetScaler 10, WI 5.4 and the Citrix Receiver 5.7.. “The gateway settings are incorrect”
For one of my projects I was configuring a NetScaler HA Pair and after configuring the SSL VPN for laptops I wanted to configure a session profile to reroute mobile users based on their User-Agent in the HTTP Header to a ICA Proxy enabled WI Services site. The SSL VPN was working including 2fact auth and SSO so I knew the start was good 😉
So I created the following session policy based on this manual:
Return to the NetScaler VPX configuration utility click Access Gateway > Policy Manager > Change group settings and user permissions.
Select Session Policies and Create new session policy.
The Create Access Gateway Session Policy window appears. Enter MobileAccess for the policy name and click New.
Name the Session Profile MobileDevices, on the Published Applications tab Override Global for ICA Proxy, Web Interface Address, Web Interface Portal Mode and Single Sign-On Domain.
Enter the following:
ICA Proxy: ON
Web Interface Address: http://XA.demo.local/Citrix/MobileAccess/config.xml
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: ctxdemo
In the Configure Access Gateway Session Policy window, next to Match Any Expression, click Add…
Expression Type: General
Flow Type: REQ
Header Name: User-Agent
Select OK, Create and Close. The Access Gateway Session policy appears as an icon in the Access Gateway Policy Manager.
Under Configured Policies / Resources, expand the Virtual Servers > SmartAccess node and then drag the MobileAccessicon onto the SmartAccess > Session Policies icon.
Modify the priority of the policy so the MobileAccess policy has a high priority than the Remote Access policy. This is done by assigning a lower policy number.
Close the Access Gateway Policy Manger and Save the configuration
After the configuration I tested it with my Ipad and got an error “the gateway settings are incorrect”. After an extensive search on google I found this post on the Citrix forums.
Apparently the Citrix Receiver has a changed client header:
Which isn’t the problem but I am curious about the VpnCapable description that was added. The real problem was “Due to some new strings contained within the 5.7 Receiver“… So the Receiver 5.7 has some new strings that causes an error “The address given did not provide a valid App list. Please check the address, gateway settings, and your network connection”.
I changed the AG profile according to John War’s post:
On your AG session profile, ensure the following is set:
Access URL encoding: Clear
Plugin Type: Java
The The gateway settings are incorrect error was resolved but I got new error that the app list couldn’t be retrieved, the solution was pretty easy. For the SSL VPN I had configured Client Clean Up and I had to overrule these settings in my Session Profile for the mobile clients in order to make this work.
After configuring the client clean up I could connect with both my ipad, iphone and galaxy SII.
Thank you !!! Loosing so many hours to do it , helps me a lot !!! JAVA & client clean up 🙂
Hi Kees, a great post and fixed the problem I have been getting…Can you shed any light on what on earth Citrix might be doing with their Receiver development when it comes to things like this?
Also, I found I was able to access it with the URL Encoding still set to ‘Obscure’ so is was the JAVA setting that was crucial for me as clientless was already correct.