DX Unified Infrastructure Management

 View Only
  • 1.  Hub tunnel through Citrix Netscaler

    Posted Jul 02, 2012 06:00 PM

    Has anyone created a tunnel connection to hub through Citrix Netscaler?

    I tried to do this with Netscaler version 10.0 without any success.
    What I have done so far, have been two different approaches.


    At beginning installed a hub with DMZ wizard, created the certificate and setup the tunnel server.

    First with SSL_BRIDGE
    Created virtual server and service on Netscaler with SSL_BRIDGE, since the traffic between the master hub and client hub is SSL traffic. No luck to get the tunnel up. The log on the master hub gives:

    Jul  2 17:35:37:517 [5200] hub: SSL_read error occurred (SSL_ERROR_SYSCALL)  Jul  2 17:35:37:517 [5200] hub: tsess_read - SSL_ERROR_SYSCALL err=0,bytes=-1  Jul  2 17:35:37:517 [5200] hub: CTRL receive message failed for get id command (connection closed)  Jul  2 17:35:37:517 [5200] hub: CTRL failed to get ID from ***.***.***.***/48003  Jul  2 17:35:37:517 [5200] hub: SSL_shutdown on TSESS-530696 failed  Jul  2 17:35:37:517 [5200] hub: Error shutting down SSL connection  Jul  2 17:35:37:517 [5200] hub: CTRL  is waiting for 0 TSESS to terminate  Jul  2 17:35:37:517 [5200] hub: CTRL  waited 0 seconds for 0 TSESS to terminate  Jul  2 17:35:37:517 [5200] hub: CTRL N/A is terminating with exit code 0 

     I can telnet to the port from the master hub, but the connection doesn't get established.

    Then I tried it by configuring the tunnel to the Netscaler with plain TCP connection, but same results. Can telnet to the tunnel port 48003, but can not extablish a tunnel connection.


    Does anyone have any ideas, or has done the tunnel through Citrix Netscaler?

  • 2.  Re: Hub tunnel through Citrix Netscaler
    Best Answer

    Posted Jul 04, 2012 02:03 PM
      |   view attached

    Got this sorted out by myself.


    By default  Netscaler doesn't use the mode Use Source IP which affects on this issue. If in the specified situation you can not use the Use Source IP mode, the Nimsoft Hub sees the tunnel connection originated from the Netscaler rather than from our master hub.

    The Solution and little basic info

    We are a service provider and we were setting up the tunnel connection between our Master HUB and hub installed to new client environment. This environment allready had Citrix Netscaler in use, so we decided to use it to provide the tunnel connection for the monitoring also. Since in this envirinment we weren't able to activate the Use Source IP mode on Netscaler, it uses its configured Subnet IP (SNIP) when communicating to the hub. So the hub sees the tunnel connection originated from the Netscaler, which actually just lets the connection through without doing any other alternation to it than changing the source ip on the TCP packets. And this made the connection not work, since the hub checks that the IP which is spedified on the client certificate for the tunnel connection matches with the source IP where the connection originates.

    So rather than specifying on the Common Name  field our Master HUBs public IP, I needed to input there the SNIP of the Netscaler, after which the tunnel connection was established succesfully.


    Here's also a image to make it easier to understand.


    Tunnel connection with Netscaler

  • 3.  Re: Hub tunnel through Citrix Netscaler

    Posted Jul 04, 2012 10:54 PM

    You can also create a wildcard certificate rather than using either IP address, if that would be appropriate in your environment.

  • 4.  Re: Hub tunnel through Citrix Netscaler

    Posted Jul 05, 2012 10:06 AM

    Did you try using the option in the hub to not validate IP address (disable IP valifdation) and when you import the client cert de-select the related option (check server common name)? This may help too.

  • 5.  Re: Hub tunnel through Citrix Netscaler

    Posted Jul 05, 2012 04:19 PM

    I think that only helps in the other direction because you set it on the tunnel client. The equivalent of that for the tunnel server would be a wildcard certificate.