Error: "Access to your company network is not currently available"

Article ID: CTX215800

Description

The following error is displayed when attempting to enroll a device or launching an application:
"Access to your company network is not currently available"

Resolution

Complete the following steps to troubleshoot this issue:

Citrix Secure Mail

  1. Run the Secure Mail Test Tool. Follow the suggested solutions.
  2. On the Secure Mail MDX App Policy section, verify that the specified “Background Service URL” matches the correct NetScaler Gateway FQDN over port 443.
  3. If the Exchange server is internal, then set the Secure Mail “App Network Access” to "Tunneled to the internal network".
  4. On Active Directory User Properties > Security tab, confirm that Inheritance is enabled.
  5. Test access using a 3G/4G network instead of connecting to the company network (this rules out internal networking issues).
  6. Verify STA specified on the NetScaler Gateway is UP.
  7. Under Secure Mail MDX policy > App Settings, disable IRM (Information Rights Management).
  8. Verify if NetScaler Gateway is able to resolve the backend Exchange server (SSH into appliance and ping FQDN).
  9. Confirm if port 443 is open between NetScaler SNIP and Exchange server.
  10. Collect Secure Mail debug logs while reproducing the issue, to troubleshoot further.
 

Citrix Secure Hub

Run the XenMobile analyzer tool and follow the recommended solutions.
If the recommended solutions do not address the issue, follow the additional steps below.

On XenMobile Server:

1. Gather XenMobile Server debug logs and look for Authentication Failed exceptions, matching the timestamp with the username that was used to reproduce the issue.
2. On XenMobile Server and NetScaler Gateway configuration, verify if client certificate authentication is disabled and the option to deliver the certificate with App Controller is not checked.
3. Disable XenApp/XenDesktop (Settings > XenApp/XenDesktop ) integration on XenMobile Server if HDX applications are being published.
4. Add Domain alias on XenMobile Server LDAP console.
5. Verify if the FQDN of the NetScaler Gateway specified within the XenMobile console is correct.
6. For cached devices within XenMobile Server, delete the device from console and re-enroll the device.
7. Confirm if LDAP policies specified within XenMobile and the NetScaler Gateway are correct.
8. Confirm that XenMobile Server and NetScaler Gateway are both aligned to search by UPN or samAccountName (samAccountName is not supported in multi-domain authentication).
9. Specify correct Domain Alias in XenMobile Server LDAP settings.
10. Verify that there is an adequate amount of licensing.
11. Perform a connectivity check from the XenMobile server. Ensure that all required ports are open. For more information, refer to http://docs.citrix.com/en-us/xenmobile/10/xmob-system-requirements/xmob-deploy-component-port-reqs-con.html.
12. Align server time between XenMobile nodes.
13. If XenMobile Server is clustered, ensure port 80 is open between nodes.
 

On NetScaler:

  1. Ensure that the FQDN specified within the NetScaler session policy points to the correct FQDN.
  2. Verify certificate chain on the NetScaler Gateway and Load Balancers.
  3. Make sure that the MAM Load Balancer is sending the traffic.
  4. If “NetScaler Application Firewall” feature is turned on but not configured, then either turn it off or configure it properly.
  5. Verify if the DNS entry of App Controller cluster VIP is present in the host file of the MDM servers.
  6. Add SSO Name Attribute to UPN on the NetScaler Gateway LDAP policy.
  7. Remove the SSO Domain from global settings/session policy published apps.
  8. Verify that the STA specified on the NetScaler Gateway is UP.
  9. MAM Load balancing VIP needs to use an RFC 1918 compliant IP Address.
  10. Confirm that the Server IDs specified within the NetScaler Load Balancers match the appropriate XenMobile node. On XenMobile console, click the wrench icon on top right > under “Advanced” options > click ”Cluster Information”; node IDs are displayed.
  11. Confirm XenMobile Server nodes on NetScaler Load Balancer are UP.
  12. Delete and re-run the NetScaler Gateway wizard, ensuring all the requested information is correct.
  13. Check NetScaler to confirm there is a default route configured (System -> Network -> Routes). You should see a route for network 0.0.0.0 with Netmask 0.0.0.0 and a gateway IP address that points to the IP network default gateway. If this route is not present, add it manually from the NS Web Console.
  14. Check the network route to the Gateway. If using XenMobile Cloud, check that NetScaler has a route to the internet and that the firewall permits the traffic.
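
Several of the steps above come down to the same three checks against a gateway or back-end FQDN: it resolves, port 443 is reachable, and the certificate chain validates. The following Python script is an added example, not a Citrix tool; it is meant to be run from a workstation or server with the relevant network path (not on the NetScaler appliance), and `gateway.example.com` is a placeholder for your own NetScaler Gateway FQDN.

```python
import socket
import ssl
import sys

def check_endpoint(fqdn, port=443, timeout=5.0, context=None):
    """Check DNS, TCP reachability and the TLS certificate chain for fqdn:port."""
    result = {"dns": None, "tcp": False, "tls": False, "error": None}
    # 1. Name resolution: the FQDN configured in the policies must resolve.
    try:
        infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
        result["dns"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["error"] = f"DNS resolution failed: {exc}"
        return result
    # 2. TCP: the port must be open end to end (firewalls, routes).
    try:
        sock = socket.create_connection((fqdn, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"TCP connect failed: {exc}"
        return result
    result["tcp"] = True
    # 3. TLS: the default context validates the chain against the system
    #    trust store and checks that the certificate matches the FQDN.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            result["tls"] = True
            result["not_after"] = cert.get("notAfter")
            result["san"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"Certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"TLS handshake failed: {exc}"
    finally:
        sock.close()
    return result

if __name__ == "__main__":
    # gateway.example.com is a placeholder; pass the real Gateway FQDN.
    host = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"
    for key, value in check_endpoint(host).items():
        print(f"{key}: {value}")
```

A server that does not send its intermediate certificate typically fails the third check with `unable to get local issuer certificate`, which points at the certificate chain bound on the Gateway or Load Balancer virtual server.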

Issue/Introduction

The following error is displayed when attempting to enroll a device or launching an application: "Access to your company's network is not currently available"

Additional Information

The following articles show all the commands generated on NetScaler by the wizard. You can use these as a reference to look for misconfigurations.
CTX205773 - Commands Generated by XenMobile Wizard on NetScaler - SSL Offload
CTX205771 - Commands Generated by XenMobile Wizard on NetScaler - SSL Bridge