Has anyone created a tunnel connection to hub through Citrix Netscaler? I tried to do this with Netscaler version 10.0 without any success. What I have done so far have been two different approaches.
At the beginning I installed a hub with the DMZ wizard, created the certificate and set up the tunnel server. Then:
First with SSL_BRIDGE
Created a virtual server and service on Netscaler with SSL_BRIDGE, since the traffic between the master hub and client hub is SSL traffic. No luck getting the tunnel up. The log on the master hub gives:
Jul 2 17:35:37:517  hub: SSL_read error occurred (SSL_ERROR_SYSCALL)
Jul 2 17:35:37:517  hub: tsess_read - SSL_ERROR_SYSCALL err=0,bytes=-1
Jul 2 17:35:37:517  hub: CTRL receive message failed for get id command (connection closed)
Jul 2 17:35:37:517  hub: CTRL failed to get ID from ***.***.***.***/48003
Jul 2 17:35:37:517  hub: SSL_shutdown on TSESS-530696 failed
Jul 2 17:35:37:517  hub: Error shutting down SSL connection
Jul 2 17:35:37:517  hub: CTRL is waiting for 0 TSESS to terminate
Jul 2 17:35:37:517  hub: CTRL waited 0 seconds for 0 TSESS to terminate
Jul 2 17:35:37:517  hub: CTRL N/A is terminating with exit code 0
I can telnet to the port from the master hub, but the connection doesn't get established. Then I tried it by configuring the tunnel to the Netscaler with a plain TCP connection, but with the same results. I can telnet to the tunnel port 48003, but cannot establish a tunnel connection.
Does anyone have any ideas, or has done the tunnel through Citrix Netscaler?
Got this sorted out by myself.
By default Netscaler doesn't use the Use Source IP mode, which affects this issue. If in the specified situation you cannot use the Use Source IP mode, the Nimsoft Hub sees the tunnel connection as originating from the Netscaler rather than from our master hub.
The solution and a little basic info
We are a service provider and we were setting up the tunnel connection between our Master HUB and a hub installed in a new client environment. This environment already had a Citrix Netscaler in use, so we decided to use it to provide the tunnel connection for the monitoring also. Since in this environment we weren't able to activate the Use Source IP mode on the Netscaler, it uses its configured Subnet IP (SNIP) when communicating with the hub. So the hub sees the tunnel connection as originating from the Netscaler, which actually just lets the connection through without doing any other alteration to it than changing the source IP on the TCP packets. And this made the connection not work, since the hub checks that the IP which is specified in the client certificate for the tunnel connection matches the source IP where the connection originates.
So rather than specifying our Master HUB's public IP in the Common Name field, I needed to input there the SNIP of the Netscaler, after which the tunnel connection was established successfully.
Here's also an image to make it easier to understand.
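The check described in this reply, modelled as an added example that is not part of the thread and not Nimsoft's or Citrix's own code: the tunnel server compares the Common Name of the client certificate with the TCP source address it observes, and a NetScaler that cannot use Use Source IP rewrites that address to its SNIP. The IP addresses are constructed placeholders, the "*" wildcard form and the "validate IP" switch are assumed conventions standing in for the wildcard certificate and the hub option mentioned later in the thread, and the exact-match rule is the one the reply describes.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not values from the thread.
MASTER_HUB_PUBLIC_IP = "198.51.100.10"   # public address of the master hub
NETSCALER_SNIP = "192.0.2.5"             # Subnet IP the NetScaler uses towards the client hub


def observed_source_ip(master_ip, snip, use_source_ip):
    """Address the client hub sees on the incoming TCP connection.

    With Use Source IP enabled the NetScaler preserves the master hub's address;
    without it the connection is re-sourced from the NetScaler's SNIP.
    """
    return master_ip if use_source_ip else snip


def peer_matches_cn(cert_cn, peer_ip, validate_ip=True):
    """Model of the hub-side check from the reply: accept the tunnel client only if
    the certificate's Common Name equals the observed source address.

    validate_ip=False models the hub option that disables IP validation, and a CN
    of "*" models a wildcard certificate; both are assumptions, not the product's
    documented behaviour.
    """
    if not validate_ip:
        return True
    if cert_cn == "*":
        return True
    peer = ipaddress.ip_address(peer_ip)
    try:
        return ipaddress.ip_address(cert_cn) == peer
    except ValueError:
        # CN is a hostname or other string, so it can never equal a source address.
        return False


def tunnel_outcomes():
    """Evaluate the scenarios discussed in the thread; returns {scenario: accepted}."""
    via_snat = observed_source_ip(MASTER_HUB_PUBLIC_IP, NETSCALER_SNIP, use_source_ip=False)
    via_usip = observed_source_ip(MASTER_HUB_PUBLIC_IP, NETSCALER_SNIP, use_source_ip=True)
    return {
        # Original failing setup: CN holds the master hub IP, NetScaler re-sources to SNIP.
        "cn_master_ip_without_usip": peer_matches_cn(MASTER_HUB_PUBLIC_IP, via_snat),
        # Same certificate works once Use Source IP preserves the real source.
        "cn_master_ip_with_usip": peer_matches_cn(MASTER_HUB_PUBLIC_IP, via_usip),
        # The fix from the reply: re-issue the certificate with the SNIP as CN.
        "cn_snip_without_usip": peer_matches_cn(NETSCALER_SNIP, via_snat),
        # Alternatives mentioned in later replies (assumed semantics).
        "wildcard_without_usip": peer_matches_cn("*", via_snat),
        "validation_disabled_without_usip": peer_matches_cn(MASTER_HUB_PUBLIC_IP, via_snat, validate_ip=False),
    }


if __name__ == "__main__":
    for scenario, accepted in tunnel_outcomes().items():
        print(f"{scenario:36s} {'tunnel accepted' if accepted else 'rejected (CN/source mismatch)'}")
```

Running the block prints one line per scenario; only the first one is rejected, which is the CN/source-IP mismatch behind the SSL_ERROR_SYSCALL lines in the original log. When troubleshooting a real deployment, compare the source address shown in the hub's connection log with the CN printed by openssl x509 -noout -subject on the client certificate before changing anything.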
You can also create a wildcard certificate rather than using either IP address, if that would be appropriate in your environment.
Did you try using the option in the hub to not validate the IP address (disable IP validation) and, when you import the client cert, de-select the related option (check server common name)? This may help too.
I think that only helps in the other direction because you set it on the tunnel client. The equivalent of that for the tunnel server would be a wildcard certificate.