03-27-2012 06:24 AM
I'm just wondering if anyone on the forum has or is currently supporting Juniper SSL VPN behind Citrix Netscalers?
We have a single SA device behind the NS at our HQ and the same setup at our DR location. The goal is to have the flexibility of failing over seamlessly to our DR site in the event our prod environment goes down. To the user this is completely transparent (user connects to SA device via a single URL which is GSLB'd via DNS).
We recently tried to put our SA devices behind our Netscaler 7500s (NS). We were successful at getting the Network Connect client to connect to the SA while behind the NS and access all company resources; however, it seems we are continuously falling back to SSL transport mode. When not behind the NS, we can connect with ESP transport mode (our preferred method).
Has anyone seen this type of behavior? I am searching for answers using the web; however, it seems I am running into a wall. I am going to attempt to post this on the Citrix forums to see if I get some feedback. Could anyone provide any guidance?
Thanks in advance.
03-27-2012 06:32 AM
I can't speak as someone with access to a Netscaler, but does it show any failures in the logs about denying the ESP connection? It is possible that it doesn't allow the UDP 4500 traffic through that is needed for the ESP tunnel; but I don't know for sure if it does or if yes, if it can be allowed.
03-27-2012 07:27 AM
Unfortunately I did not look at the logs when we tested this last time. I will be re-testing this today so hopefully the logs will reveal something.
03-27-2012 11:37 AM
I opened a case with Citrix Support and apparently the Netscaler does not understand the ESP protocol, hence why it falls back to SSL each time I connect. I am waiting to see if there is a workaround for this; it would be nice if it was supported.