Citrix Gateway unable to connect to Citrix Endpoint Management Cloud server

Article ID: CTX582949

Description

  • Citrix Gateway is unable to connect to the Citrix Endpoint Management cloud server because of an SSL certificate issue.
  • Symptoms include the following:
    • STA shows as down.
    • Secure Hub fails during enrollment.
    • Secure Hub fails to access the store.

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

A few customers have faced issues after an expiring SSL certificate was updated. Some NetScaler systems are missing the appropriate DigiCert root certificates, which causes a communication failure between NetScaler Gateway and the Citrix Endpoint Management services MAM LB VIP.

Download the missing certificates from the DigiCert URL and install them on the NetScaler. The certificates have the following serial numbers:
Root cert: DigiCert Global Root G2 : Serial = 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
Intermediate cert: DigiCert Global G2 TLS RSA SHA256 2020 CA1 : Serial = 0C:F5:BD:06:2B:56:02:F4:7A:B8:50:2C:23:CC:F0:66

    Note: Please make sure to download the above 
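
Before the downloaded files are installed as CA certificates, their serial numbers can be compared with the two listed in this article. The following is an added example, not part of the Citrix article: the file names and the sample serial text are constructed, and it assumes the serial text was read with a tool such as `openssl x509 -in <file> -noout -serial`.

```python
import re

# Serial numbers as listed in the article for the two DigiCert certificates.
EXPECTED = {
    "DigiCert Global Root G2":
        "03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5",
    "DigiCert Global G2 TLS RSA SHA256 2020 CA1":
        "0C:F5:BD:06:2B:56:02:F4:7A:B8:50:2C:23:CC:F0:66",
}

def normalize_serial(text):
    """Turn 'serial=033A...', colon/space-separated or 0x-prefixed hex into an int."""
    value = text.strip().split("=", 1)[-1].strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    digits = re.sub(r"[\s:]", "", value)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError(f"not a hex serial: {text!r}")
    return int(digits, 16)

def check_serials(observed):
    """Compare {file label: serial text} with EXPECTED.

    Returns (matched name -> label, unexpected labels, missing names)."""
    wanted = {normalize_serial(s): name for name, s in EXPECTED.items()}
    matched, unexpected = {}, []
    for label, text in observed.items():
        try:
            name = wanted.get(normalize_serial(text))
        except ValueError:
            name = None  # unparseable text never matches
        if name:
            matched[name] = label
        else:
            unexpected.append(label)
    return matched, unexpected, sorted(set(EXPECTED) - set(matched))

# Constructed sample: serial text as different tools might print it.
SAMPLE = {
    "root.pem": "serial=033AF1E6A711A9A0BB2864B11D09FAE5",
    "intermediate.pem": "0c f5 bd 06 2b 56 02 f4 7a b8 50 2c 23 cc f0 66",
    "other.pem": "serial=0123456789ABCDEF",  # constructed, not a real CA
}

if __name__ == "__main__":
    print(check_serials(SAMPLE))
```

A serial match only identifies the certificate the article names; compare the fingerprint shown on the DigiCert page as well before trusting the file as a CA.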

Steps to take on the NetScaler

1) Install both certificates under Traffic Management -> SSL -> Certificates -> CA Certificates and make sure that they are linked.

2) Navigate to Traffic Management -> Load Balancing -> Virtual Servers -> MAM_PROXY_LB_VSERVER -> Load Balancing Virtual Server Service Binding -> <Edit Service> -> Certificates

3) Add both certificates to the Service and press Close.

4) Ensure that Traffic Management -> Load Balancing -> Virtual Servers -> MAM_PROXY_LB_VSERVER is UP and RUNNING and that the issue has been solved.

5) If everything is OK, make sure to save the changes made on the NetScaler.

Problem Cause

We are in the process of updating the SSL certificates for *.xm.cloud.com, which are expiring soon.

A few customers have faced issues after an expiring SSL certificate was updated. Some NetScaler systems are missing the appropriate DigiCert root certificates, which causes a communication failure between NetScaler Gateway and the Citrix Endpoint Management services MAM LB VIP.

The DigiCert root certificate and intermediate certificate have changed to "DigiCert Global Root G2" and "DigiCert Global G2 TLS RSA SHA256 2020 CA1". Customers need to update their NetScaler with these certificates because, without them, the SSL handshake with CEM will fail.

Additional Information

https://www.digicert.com/kb/digicert-root-certificates.htm