Overview of the Issue

Launching a new user session on Citrix Gateway can sometimes fail for various reasons. The policies in use might not result with the correct authentication behavior or other issues might appear before or after authentication takes place. Sometimes, the use of Endpoint Analysis is involved with the issue also. The articles and links provided below can help to more quickly identify some of the common issues related to these topics..

Appendix: Top Knowledge Content

Troubleshooting Common Launch Problems

• CTX217728 - How to Verify Active Users or ICA Users on Citrix Gateway

• CTX138155 - How to Collect Client VPN Logs for ADC Gateway

• CTX101997 - FAQ: Citrix Secure Gateway/ NetScaler Gateway Secure Ticket Authority

• CTX132334 - Secure Ticket Authority (STA) Status Is Marked As DOWN on Citrix Gateway Virtual Server

• CTX495310 - How to Customize Gateway Login Page Labels for Custom Theme when nFactor Login Schema is enabled

• CTX335902 - VPN Plugin replacing destination IP with 0.0.0.0 for the 172.16.0.0/16 subnet - Spoofed IP to original IP.

Troubleshooting Common Authentication Problems

• CTX235211 - How to Configure NetScaler Gateway to authenticate using MFA (NPS) RADIUS server

• CTX212422 - How to Configure NetScaler to Use Active Directory Authentication and Privileges

• CTX111079 - How to Restrict Access to NetScaler Gateway for only Members of one Active Directory Group

• CTX221631 - How to Deploy and Troubleshoot ADC as a SAML IdP or SP

• CTX219481 - SSO fails when nfactor is used ADC

Troubleshooting Common Endpoint Analysis (EPA) Problems

• CTX124649 - How to Deploy Citrix Gateway Plug-in and Endpoint Analysis Installer Packages for Windows by Using Active Directory Group Policy

• CTX230893 - How to Configure Pre-Auth and Post-Auth EPA Scan as a Factor in nFactor Authentication

• CTX204764 - How to Configure NetScaler Gateway Preauthentication EPA Scan for Antivirus and Firewall Check

Troubleshooting Common Problems related to Policies

• CTX138840 - Citrix ADC Commands to Find the Policy Hits for Citrix Gateway Session Policies

• CTX205285 - How do I configure the Split Tunnel on NetScaler Gateway?

• CTX478810 - How to Force Secure and HttpOnly Cookie Options for Websites Using NetScaler Appliance

• CTX204775 - How to Modify Body Content Using NetScaler Rewrite Policies

• CTX218061 - X-Forwarded-For Header Insert

• CTX291268 - "Http/1.1 Internal Server Error 43531" when accessing Citrix Gateway after upgrading to version 13.0

• CTX241435 - How to convert classic policy expressions to advanced ones?

Tools and Resources

• Citrix ADC Deprecated Classic Policy Based Features and Functionalities FAQs 

• Enabling Citrix Secure Access Logging 

• To configure RADIUS authentication 

• Restrict access to NetScaler Gateway for members of one Active Directory group

• SAML authentication 

• Native OTP support for authentication

• Deploy the Citrix Secure Access client from Active Directory

• Configure pre-auth and post-auth EPA scan as a factor in nFactor authentication

• Integrate NetScaler Gateway with StoreFront

• Delete Old X-Forwarded-For and client-IP headers

• Configure split tunneling

• Enforce the HttpOnly flag on authentication cookies

• How to force Secure and HttpOnly cookie options for websites using the NetScaler appliance

This article provides a summary of some of the useful resources about how to investigate, troubleshoot, and prevent the most common issues related to launching a session on Citrix Gateway. This article includes links intended to help with topics which are related to Authentication, the Policies used with Citrix Gateway and also the use of Endpoint Analysis (EPA).