Netscaler Express Gateway VPX & Web Interface

As many of you know, Web Interface is dying the true death in 2015. That doesn’t stop people from asking me to set up their netscalers in front of it.

You think given how long both of these things have been around that there would be pretty comprehensive guides on how to do this.
You’d be wrong.

If you have your netscaler in 2 arm mode this becomes even more complicated. I’ll outline the issues I went through, and how to resolve them.

The biggest issue you’ll likely face is that once you think you’ve got everything set up you’ll log in and all will look fine, the LDAP auth will complete but then you’ll get a 401 unauthorized error. This is coming from the internal web interface. The reason for this is probably because you can’t resolve the FQDN of the gateway. Or if you can, it resolves to the internet facing IP and for whatever reason (firewalls, etc) the traffic doesn’t make it’s way back to you.
The way around this is to create another gateway with an internal IP, and either create a hosts file or update your internal DNS to point internally.
Check your XenApp server application event logs for any errors, the main one will probably be due to SSL certificates. Make sure your intermediate certs are in the chain, this is the most common mistake that will break things. You’ll see an error saying that you can’t establish a trusted link. Once you get all this working you’ll probably come across another poorly documented error.

You’ll now be able to see the internal web interface with the published app icons, but clicking on them won’t do anything. You’ll never get an ica file and the client won’t launch.
The reason for this is because by default when you create a new site in Web Interface it will bind the Handler Mappings to the latest version of .Net. What we need to do is bind it to .Net2. This is outlined in the following citrix support article: http://support.citrix.com/article/CTX123921
Don’t forget to set your servers to trust XML requests, as these will now be coming from your netscaler gateway.

Once you change this you should have get an ica file and your client should then launch.
Congrats, you’ve now replaced your relatively simple secure gateway box with a far more complicated netscaler express gateway VPX!