HTTP Port Set to 443 Causes Failure to Access Intranet HTTPS Sites When Using Full SSL VPN


Article ID: CTX137787


Description

End users are unable to access intranet HTTPS sites when connecting remotely by using the Secure Sockets Layer (SSL) Virtual Private Network (VPN) client. Over a full VPN tunnel established with the Access Gateway Enterprise Edition client, end users can access internal HTTP sites without any issue. The issue is specific to internal sites that are HTTPS only.

The same HTTPS site can be accessed over HTTP without any issues. If you open the website by using Mozilla Firefox, the following error message appears:

"An error occurred using a connection to <site name> SSL received a record that exceeded the maximum permissible length
(Error code:ssl_error_rx_record_too_long)"

If you open the website by using Google Chrome, the following error message appears:

SSL connection error
"Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don’t have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL_protocol error".

If you open the website by using Internet Explorer, the site is intermittently accessible with certain objects missing.

Resolution

Port 443 is not an HTTP port, and removing it from the Global VPN parameter settings or the associated profile settings should resolve the issue. Verify the port number configuration in the Global VPN parameter settings and remove the entry 443:

  1. In the graphical user interface of the NetScaler appliance, select Access Gateway > Global Settings, click Change global settings under Settings, open Network Configuration > Advanced, and remove 443 from HTTP Ports.

  2. To remove the port using the command line interface, run the following command:
    set vpn parameter -httpPort 80 -dnsVserverName DNS -splitDns REMOTE -defaultAuthorizationAction

  3. To remove port 443 from the session profile bound to the affected VPN virtual server, open Profile Settings > Network configuration > Advanced.

    The following line from the configuration file on the NetScaler appliance shows the port information:
    add vpn sessionAction "abc profile" -httpPort 80 443
  4. Run the following command from the command line interface to remove the port 443:
    unset vpn parameter -httpPort


Problem Cause

The issue might be caused by a misconfiguration of the VPN parameters or session profile settings in which the HTTP port list includes 443.
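The check below is an added example, not part of the Citrix article: it scans saved configuration text for `set vpn parameter` and `add`/`set vpn sessionAction` lines that list 443 under `-httpPort`, the two places named above. The sample configuration is constructed (only the "abc profile" line comes from the article), and the function names are illustrative.

```python
import shlex

# Constructed sample in the style of a NetScaler configuration file; only the
# "abc profile" line is taken from the article, the other lines are made up.
SAMPLE_CONFIG = '''\
set vpn parameter -httpPort 80 443 -splitDns REMOTE
add vpn sessionAction "abc profile" -httpPort 80 443
add vpn sessionAction "ok profile" -httpPort 80 8080 -splitDns REMOTE
add vpn sessionAction "no ports" -splitDns REMOTE
'''
HTTPS_PORT = 443

def http_ports(tokens):
    """Return the port numbers that follow -httpPort, up to the next option."""
    lowered = [t.lower() for t in tokens]
    if "-httpport" not in lowered:
        return []
    ports = []
    for tok in tokens[lowered.index("-httpport") + 1:]:
        if not tok.isdigit():  # the next "-option" ends the port list
            break
        ports.append(int(tok))
    return ports

def find_https_as_http(config_text):
    """List (line number, scope, HTTP ports) for VPN entries that treat 443 as HTTP."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line)  # keeps quoted names such as "abc profile" whole
        except ValueError:  # unbalanced quote: not a line this check can parse
            continue
        if len(tokens) < 3 or tokens[1].lower() != "vpn":
            continue
        verb, kind = tokens[0].lower(), tokens[2].lower()
        if verb == "set" and kind == "parameter":
            scope = "global VPN parameters"
        elif verb in ("add", "set") and kind == "sessionaction" and len(tokens) > 3:
            scope = "session profile " + repr(tokens[3])
        else:
            continue
        ports = http_ports(tokens)
        if HTTPS_PORT in ports:
            findings.append((lineno, scope, ports))
    return findings

if __name__ == "__main__":
    for lineno, scope, ports in find_https_as_http(SAMPLE_CONFIG):
        print(f"line {lineno}: {scope} lists {HTTPS_PORT} under -httpPort {ports}")
```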
