Problem Definition
The Access Gateway and Advanced Access Control provide granular role-based access to applications, file shares, and other internal resources. Due to some integration and stability issues that arose in the version 4.2 release, customers started to break apart these two components and run them in standalone mode. However, running in standalone mode limits the amount of control gained when the two are integrated.
Some settings that are not apparent to the administrator when separating the Access Gateway and Advanced Access Control to run in standalone mode cause the Access Gateway to hang. One of the key settings that has caused issues is the Address Mode when defined to use Access Gateway.
If all the settings are not cleaned up when separating the two components, the Advanced Access Control server sends an AuthService ticket to the Access Gateway for validation. The Access Gateway does not know how to process the ticket and hangs, necessitating a restart.
Environment
• Access Gateway 4.2 – 4.5
• Advanced Access Control 4.2 – 4.5
• Win32 Secure Access Client
Scenario
1. User establishes a secure connection using the Secure Access Client to the Access Gateway.
2. User then launches a Web browser and connects to the Advanced Access Control server.
3. User logs in and is redirected to the Access Center.
4. User launches a published application.
5. The ICA connection fails with no error, and the Access Gateway becomes unresponsive for all connections and the Administration Tool.
6. What has happened is that even though the two components are running separately, the Advanced Access Control server is still set up to issue tickets to applications defined in the Program Neighborhood CDA. The AuthService, which is a component of Advanced Access Control, issues and validates tickets for published applications when the Address Mode is set to Access Gateway.
7. The Access Gateway receives the AuthService ticket in the form of an ICA file, which it does not know how to process, since the two components are not integrated.
a. If the Advanced Access Control servers were added, the Access Gateway would forward the AuthService ticket request to the Advanced Access Control server for validation.
8. A way to confirm this is by saving the ICA file to the local desktop and opening it with Notepad.
Example of ticket issued:
Address=AS;P7XXQEFRFRYWOMC1VXSS;BB828B5B4D02E858403D3F09246A6C38
Troubleshooting Methodology
To integrate the two components, modifications need to be made on both the Access Gateway and the Advanced Access Control server. This allows all the authentication and policies to be configured and validated on the Advanced Access Control server.
1. The Advanced Access Control option is selected in the Administration Tool so that the Access Gateway forwards all information to the Advanced Access Control server.

2. In Advanced Access Control, define the Presentation Server Farm to work with the Program Neighborhood CDA, which is part of the Access Center. The Access Center component is a legacy front end left over from the MetaFrame Secure Access Manager as illustrated below.
Access Center Setup

1. The Program Neighborhood CDA is configured in the Access Server Farm Properties, which can be accessed by right-clicking the Farm Node. Here, configure the backend Citrix Presentation Server or Servers.
2. Select New.

3. Enter the Citrix Presentation Server Farm name.

4. Define a Citrix Presentation Server.

5. Here is the key area that causes the issue: defining the applications to use the Access Gateway. This is standard practice when the two components are integrated. The IP address sent to the client is the actual address of the Access Gateway appliance.
Configuring the Address Mode

Here CitrixAuthService on the Advanced Access Control server is set to issue and validate ticket requests. Define the FQDN of the Access Gateway.

Resolution
When separating the two components, it is important that all the integrated settings are removed and set to function in a standalone mode.
In the Access Gateway Administration Tool, select The Administration Tool - configures appliances only.

Setting the Address Mode to normal allows the client to connect directly to the Presentation Server and not send the request back to the Access Gateway.
The following Address Mode options do not cause issues with the Access Gateway when it runs in standalone mode.
In the Access Suite Console, change the Address Mode to one of the following options:
• Normal. The IP address sent to the client is the actual address of the server. This is the default setting.
• Alternate Address. The IP address sent to the client is the alternate address of the server. Alternate addresses are configured on the server running Citrix Presentation Server. To use this option, you must have a firewall with NAT enabled and alternate IP addresses assigned to the servers. For more information about setting alternate addresses, see the Citrix Presentation Server Administrator’s Guide.
• Translated Address. The IP address sent to the client is based on the configured address translation mappings.

Citrix has added an error message to the Access Gateway login in versions 4.5.1 and 4.2.4 for when it receives an AuthService ticket while it is not set up to integrate with Advanced Access Control. It denies the user's connection and writes this to the log:
Invalid validation: AS ticket received when not in AAC mode [%s]!",ticket);
This is an indication that a client is sending AuthService tickets to the Access Gateway and that the Access Gateway is not set up to function in this mode.
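The two checks described in this article, inspecting a saved ICA file for an AuthService ticket in its Address value (step 8 above) and looking for the "AS ticket received when not in AAC mode" message in the Access Gateway log, can be scripted. The following Python is an added example, not Citrix code; the ICA file is a constructed sample that reuses the ticket value shown in the article, and the minimal INI layout (an [ApplicationServers] section listing each application, then one section per application) is an assumption about the file.

```python
import configparser
import re

# Constructed sample ICA file (not from the article); the Address value is the
# AuthService ticket quoted in the article. Real ICA files carry many more keys.
ICA_SAMPLE = """[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=AS;P7XXQEFRFRYWOMC1VXSS;BB828B5B4D02E858403D3F09246A6C38
InitialProgram=#Notepad
"""

def parse_ica_addresses(ica_text):
    """Return {app_name: Address} for every application listed under [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ica_text)
    apps = list(cp["ApplicationServers"].keys()) if cp.has_section("ApplicationServers") else []
    return {app: cp[app].get("Address", "") for app in apps if cp.has_section(app)}

def classify_address(addr):
    """'authservice-ticket' for AS;<ticket>;<hash> (Address Mode = Access Gateway),
    'direct' for a plain host/IP (Normal, Alternate or Translated Address), else 'unknown'."""
    if addr.startswith("AS;") and len(addr.split(";")) == 3:
        return "authservice-ticket"
    if re.fullmatch(r"[A-Za-z0-9.\-]+(:\d+)?", addr):
        return "direct"
    return "unknown"

def find_ticketed_apps(ica_text):
    """Applications whose ICA file would hand a standalone Access Gateway an AuthService ticket."""
    return sorted(app for app, addr in parse_ica_addresses(ica_text).items()
                  if classify_address(addr) == "authservice-ticket")

# Log-side check for the rejection message added in Access Gateway 4.5.1 / 4.2.4.
AS_TICKET_LOG_RE = re.compile(r"AS ticket received when not in AAC mode")

def count_as_ticket_rejections(log_lines):
    """Number of log lines showing the gateway rejected an AS ticket in standalone mode."""
    return sum(1 for line in log_lines if AS_TICKET_LOG_RE.search(line))
```

A non-empty result from find_ticketed_apps on a file captured from a standalone Access Gateway deployment means the Advanced Access Control Address Mode still points at the Access Gateway and needs to be changed as described in the Resolution.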