When a Citrix NetScaler is configured through the graphical interface, a browser is used to connect to it. Starting with NetScaler release 10, part of the configuration utility has been migrated from Java applets to HTML5, but most configuration screens still depend on Java applets.
When you open a more advanced configuration, the Java applet is loaded automatically. If it hangs at 1% “Downloading Applet…” you might want to read this article. If it hangs at 99% “Logging in”, continue reading.
After loading the Java applet and trying to log in, the following error is raised.
Diagram
In my case the Citrix NetScaler was placed in a different VLAN than my client; the VLANs were separated by a firewall.
It is good to know that normal GUI communication uses TCP port 80 for non-secure (HTTP) or TCP port 443 for secure (HTTPS). The Java applet uses different ports: TCP port 3008 for secure or TCP port 3010 for non-secure communication.
Source: Communication ports used by Citrix Technologies [PDF]
Port Query
To determine whether your client can reach these ports you can use Port Query GUI (provided by Microsoft). This standalone utility verifies whether ports can be reached and tells you within seconds if this is the problem.
- Specify the destination IP or FQDN of the NetScaler IP (NSIP)
- Select query type Manually input query ports
- Ports to query: 80,443,3008,3010
- Protocol: TCP
- Click on Query
The query should return LISTENING for ports 80 and 3010 for non-secure communication, or for ports 443 and 3008 for secure communication.
This example clearly shows that TCP ports 3008 and 3010 are filtered by a firewall.
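The same check can be scripted. The following is an added example, not part of the original article or of Microsoft's tool: it classifies each port with the states Port Query reports (LISTENING, NOT LISTENING, FILTERED) and lists which port blocks each mode. The function names and the 3-second timeout are assumptions; pass the NSIP as the first argument.

```python
import socket
import sys

# Port pairs from the article: (GUI port, Java applet port).
MODES = {
    "secure (HTTPS)": (443, 3008),
    "non-secure (HTTP)": (80, 3010),
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port using the same three states Port Query reports."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"          # three-way handshake completed
    except ConnectionRefusedError:
        return "NOT LISTENING"          # host answered with a reset
    except socket.gaierror:
        raise                           # bad host name: not a port state
    except OSError:
        return "FILTERED"               # timeout or unreachable: typical firewall drop


def assess(states):
    """For each mode, return the ports that are not reachable (empty list = usable)."""
    return {
        mode: [p for p in ports if states.get(p) != "LISTENING"]
        for mode, ports in MODES.items()
    }


def main(host):
    states = {p: probe(host, p) for pair in MODES.values() for p in pair}
    for port in sorted(states):
        print(f"TCP {port:<5} {states[port]}")
    for mode, blocked in assess(states).items():
        if blocked:
            ports = ", ".join(str(p) for p in blocked)
            print(f"{mode}: blocked, open TCP {ports} on the firewall")
        else:
            print(f"{mode}: GUI and applet ports reachable")


if __name__ == "__main__":
    main(sys.argv[1])
```

A FILTERED result on 3008 or 3010 while 80 or 443 is LISTENING matches the situation in this article: the GUI loads but the applet cannot log in.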
Nice troubleshooting Ingmar! This has been the case for all previous versions of the config utility too… Not just 10.x.
Hi Ronan, long time no see (August, Stockholm)!
Thanks for the additional information.
Hello Ingmar, everything ok?
I noticed that your article states that 3008 is for unsecure and 3010 for secure. I believe it is the other way around: http://support.citrix.com/article/CTX122167 & http://support.citrix.com/article/CTX135271
Hi Marcel. Good! You? You’re right, I switched 3008 and 3010 in one place (luckily the image was good). Thanks for the feedback.