DTLS 1.0 or DTLS 1.2 is not working through Citrix Access Gateway Vserver with SNI based certificate

Article ID: CTX275171

Description

On Citrix Director or on the VDA you will see that the ICA session was established over TCP rather than over UDP (EDT over DTLS).
The issue is seen on Citrix ADC firmware 13.0 build 47.24 and 13.0 build 52.24.

If certificate X is bound to the Citrix Gateway vserver only as an SNI certificate, the configuration contains the following commands (the vserver name is the first argument of bind ssl vserver; the certificate is passed with -certkeyName):

> bind ssl vserver <gateway_vserver> -certkeyName <Certificate_X_key> -SNICert
> set ssl vserver <gateway_vserver> -SNIEnable ENABLED

Resolution

Execute the command below to bind the same certificate X a second time, without the -SNICert option. Afterwards two bindings of the certificate appear on the Citrix Gateway vserver: one with the SNI option and one without it.
> bind ssl vserver <gateway_vserver> -certkeyName <Certificate_X_key>
The binding with the SNI option is used for the SSL/TLS (TCP) handshake; the binding without the SNI option is the vserver's default certificate and is the one used for DTLS. Once it is in place, the gateway answers the DTLS ClientHello and ICA sessions are established over UDP again.
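As an added example that is not part of the original article, the following Python script checks an ns.conf (or the output of show running) for the condition this article describes: an SSL vserver that has a certificate bound with -SNICert but no default certificate bound without it. For each such vserver it emits the rebind command from the Resolution above. The embedded configuration fragment is constructed for illustration; the vserver names gw_bad and gw_good, the certkey cert_x and the IP addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed ns.conf fragment for illustration (not taken from the article or from a real
# appliance). "gw_bad" carries cert_x only as an SNI certificate, the condition the article
# describes; "gw_good" has cert_x bound both with and without -SNICert, the article's fix.
SAMPLE_NS_CONF = """\
add ssl certKey cert_x -cert /nsconfig/ssl/cert_x.pem -key /nsconfig/ssl/cert_x.key
add vpn vserver gw_bad SSL 10.0.0.1 443 -dtls ON
add vpn vserver gw_good SSL 10.0.0.2 443 -dtls ON
set ssl vserver gw_bad -SNIEnable ENABLED
set ssl vserver gw_good -SNIEnable ENABLED
bind ssl vserver gw_bad -certkeyName cert_x -SNICert
bind ssl vserver gw_good -certkeyName cert_x -SNICert
bind ssl vserver gw_good -certkeyName cert_x
"""

# "bind ssl vserver <vserver> -certkeyName <certkey> [further options]"
BIND_RE = re.compile(r"^bind ssl vserver (\S+) -certkeyName (\S+)(?P<rest>.*)$")
# "set ssl vserver <vserver> ... -SNIEnable ENABLED"
SNI_ENABLE_RE = re.compile(r"^set ssl vserver (\S+) .*-SNIEnable ENABLED\b")


def parse_ssl_bindings(conf_text):
    """Map each SSL vserver to its SNI certkeys, its default (non-SNI) certkeys and
    whether -SNIEnable ENABLED was set on it."""
    vservers = defaultdict(lambda: {"sni": set(), "default": set(), "sni_enabled": False})
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            vs, certkey = m.group(1), m.group(2)
            # -SNICert is a flag; match it as a whole token among the remaining options
            if "-SNICert" in m.group("rest").split():
                vservers[vs]["sni"].add(certkey)
            else:
                vservers[vs]["default"].add(certkey)
            continue
        m = SNI_ENABLE_RE.match(line)
        if m:
            vservers[m.group(1)]["sni_enabled"] = True
    return dict(vservers)


def dtls_affected_vservers(conf_text):
    """SSL vservers with at least one SNI certificate bound but no default certificate.
    Per the article, such a gateway vserver does not answer a DTLS ClientHello."""
    bindings = parse_ssl_bindings(conf_text)
    return sorted(vs for vs, b in bindings.items() if b["sni"] and not b["default"])


def remediation_commands(conf_text):
    """Emit the article's fix for each affected vserver: rebind the SNI certificate
    without -SNICert. The article covers a single certificate; when several SNI
    certificates are bound, which one becomes the default is left to the operator."""
    bindings = parse_ssl_bindings(conf_text)
    commands = []
    for vs in dtls_affected_vservers(conf_text):
        sni_certs = sorted(bindings[vs]["sni"])
        if len(sni_certs) == 1:
            commands.append(f"bind ssl vserver {vs} -certkeyName {sni_certs[0]}")
        else:
            commands.append(f"# {vs}: choose one of {', '.join(sni_certs)} as the default certificate")
    return commands


if __name__ == "__main__":
    for vs in dtls_affected_vservers(SAMPLE_NS_CONF):
        print(f"{vs}: only SNI certificates bound, DTLS will fall back to TCP")
    for cmd in remediation_commands(SAMPLE_NS_CONF):
        print(cmd)
```

Run it against a copy of /nsconfig/ns.conf or a saved show running export. After applying the emitted bind command, show ssl vserver <gateway_vserver> on the appliance should list the certificate twice, once for SNI and once as the default server certificate, and a DTLS probe such as openssl s_client -dtls1_2 -connect <gateway>:443 should complete a handshake instead of timing out.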

Problem Cause

This is a limitation of the current Citrix Gateway firmware:

The Citrix Gateway vserver does not support SNI-based certificates for DTLS. If the only certificate bound to the vserver is an SNI certificate, the vserver has no certificate to present for DTLS and does not respond to the DTLS ClientHello sent by Citrix Receiver/Workspace app, so the client falls back to ICA over TCP.

NOTE: SNI-based certificates for DTLS are expected to be supported in an upcoming Citrix firmware release.