After launching Secure Web Gateway, some websites report an error message "HTTP/1.1 Gateway Timeout".
This is common with ADFS.
On NetScaler 12.0 and later, enable SNI for the backend on NetScaler Gateway.
Create a service with SNI enabled for the website in question, and route the Gateway traffic through a load balancer that uses that service. Use the following CTX article for instructions: CTX229601 - SSL Handshake Fails When Server Name Indication (SNI) is Enabled on NetScaler
To properly monitor SSL services, unbind the default TCP monitor that is created and use TCPS instead. TCPS performs an SSL handshake, which is appropriate for an SSL service. If the backend requires SNI, the service will show as down unless SNI is configured on the service.
Some websites use and require SNI (Server Name Indication). This allows multiple certificates to be served from the same IP/port. Since the server typically does not know the FQDN that is being requested by the client until after the handshake is complete, SNI adds an extension to the Client Hello of the SSL handshake, allowing the server to choose which certificate is used for the connection when multiple certificates serve the same IP/port.
This is common for ADFS and is becoming popular for cloud providers as well.