NetScaler – Fix broken HTML5 Workspace Sessions

Issue

Recently I saw quite a few broken HTML5 Workspace sessions when trying to connect via Citrix Gateway (connecting internally, directly via HTML5 to Secure ICA, works fine) after updating the Site to 1912 LTSR CU5 or 2203 LTSR CU1. The NetScalers are on different 12.1 or 13.0 builds; it doesn't matter which.

I tried different recent HTML5 Workspace App versions on StoreFront: an old one like 20.10.0.4135 works fine, but newer builds never connect. When starting an HTML5 session via Citrix Gateway, it starts spinning and gets stuck forever.

With Internet Explorer 11 it works fine, so it looked like an issue with modern browsers.

Solution

Together with Citrix Support we were able to identify the issue. The latest HTML5 Workspace versions introduced certain JavaScript code that breaks the legacy CVPN (CVPN V1).

The solution is to enable Advanced CVPN (Advanced Clientless VPN Mode) in your Citrix Gateway Session Profile.

Make sure that the following two settings are enabled. After changing these settings and logging in to your Citrix Gateway again, modern browsers like MS Edge / Chrome / Firefox / Safari will work with HTML5 again. Even Internet Explorer 11 will continue to work.

Citrix Gateway Advanced CVPN Settings
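
As an added example (not from the original post or from Citrix), this Python script audits a saved ns.conf for the condition the fix addresses: a session policy for browser logons, recognised by the CitrixReceiver ... .NOT rule the author gives in the comments, whose session profile does not set -advancedClientlessVpnMode ENABLED. The sample configuration and every policy and profile name in it are constructed, and the script assumes the usual "add vpn sessionAction" / "add vpn sessionPolicy" line layout.

```python
import shlex

# Constructed ns.conf excerpt; all policy and profile names are hypothetical.
SAMPLE_NS_CONF = r'''
add vpn sessionAction prof_web -icaProxy OFF -clientlessVpnMode ON
add vpn sessionAction prof_web_fixed -icaProxy OFF -clientlessVpnMode ON -advancedClientlessVpnMode ENABLED
add vpn sessionAction prof_native -icaProxy ON
add vpn sessionPolicy pol_web "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" prof_web
add vpn sessionPolicy pol_web_fixed "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" prof_web_fixed
add vpn sessionPolicy pol_native "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" prof_native
'''

def parse(conf):
    """Return ({profile: {option: value}}, [(policy, rule, profile)])."""
    actions, policies = {}, []
    for line in conf.splitlines():
        try:
            tok = shlex.split(line)  # handles the \"-escaped rule expression
        except ValueError:
            continue  # unbalanced quotes: not a line this check understands
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "vpn", "sessionaction"] and len(tok) > 3:
            # After the profile name, options are "-name value" pairs.
            actions[tok[3]] = {k.lower(): v.upper() for k, v in zip(tok[4::2], tok[5::2])}
        elif head == ["add", "vpn", "sessionpolicy"] and len(tok) >= 6:
            policies.append((tok[3], tok[4], tok[5]))
    return actions, policies

def is_browser_policy(rule):
    """True for rules that match logons NOT coming from Citrix Receiver."""
    return 'CONTAINS("CITRIXRECEIVER").NOT' in rule.replace(" ", "").upper()

def audit(conf):
    """List (policy, profile, mode) for browser policies without Advanced CVPN."""
    actions, policies = parse(conf)
    findings = []
    for name, rule, profile in policies:
        mode = actions.get(profile, {}).get("-advancedclientlessvpnmode", "unset")
        if is_browser_policy(rule) and mode != "ENABLED":
            findings.append((name, profile, mode))
    return findings

if __name__ == "__main__":
    for policy, profile, mode in audit(SAMPLE_NS_CONF):
        print(f"{policy}: profile {profile} has advancedClientlessVpnMode {mode}")
```

A profile reported as "unset" carries no explicit value for the option in the saved configuration.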

Summary

I hope this Quickpost will save you some time troubleshooting HTML5 connection issues with Citrix Gateway.

6 comments

  1. Hi Julian,

    I have tried this out with the HTML light version, which most of our people rely on – we have an issue with the same problem as described above. For weeks, and for the life of me, I can't fix this problem for our users; we are having to resort to ICA file download and receiver mode instead.

    The HTML code refers to Content-Security-Policy: Couldn’t parse invalid host ‘wasm-eval’ and lots more blocked code. This happened in May suddenly and hasn't worked for us since, even with Citrix support!!

    It works in Safari as it ignores the CSPolicy, and we are using ADCs @13.0

    I have tried your method to no avail.

    Can you help?

    1. Hi Ryu,

      are there any Rewrite policies bound to your NSGW where security headers like Content-Security-Policy are configured? If so, can you please share these policies to check further?

  2. Hi Julian,

    Sorry for the long delay in replying. I have three policies: policy_adv, pol_web_adv, view_policy_adv, all of which have advanced clientless VPN mode disabled. Do I enable them all?

    Thanks
    Ryan

    1. Hi Ryan,
      in general only for the policy which has the expression HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT – so it will only hit when using Receiver for Web (web browser logon)

  3. This has been enabled to no avail; we do have the "unable to establish secure connection" at internal level.
    SSL certs are OK. It refers to no websocket connection at 8008 can be made.
    It does work in an older Safari no problem. Our NetScaler is out of support but is updated to the latest 13.0 f/w, with advanced policies in place.
    I see this in Safari and IE11.

    [Error] The source list for Content Security Policy directive ‘script-src’ contains an invalid source: ”wasm-eval”. It will be ignored.
    [Error] The source list for Content Security Policy directive ‘script-src’ contains an invalid source: ”wasm-unsafe-eval”. It will be ignored.

    I would assume that's why it's able to go through, because the browser ignores it.

    Would you say my problem (which happened suddenly in mid May; we are a large organisation and we need the light version working again) is still the CSP header?

    Happy to let you review this in a call?
    Ryan
