Recently a customer asked me to change the StoreFront Base URL from HTTP to HTTPS. The StoreFront Base URL was load balanced with a Citrix NetScaler VPX appliance (VPX 200 Standard, firmware version 11.0, build 66.11 to be exact).
The steps for doing this are pretty simple, and many blog sites explain how it is done. In general, these are the steps:
- Import the (.pfx) certificate into Internet Information Services (IIS) Manager on both StoreFront servers
- Bind the certificate to the Default Web Site (port 443) on both StoreFront servers
- In the StoreFront console, change the Base URL from HTTP to HTTPS
- In Citrix NetScaler:
  - import the server certificate (and the root/intermediate certificate, if provided) and link the server certificate to its issuer
  - create a secure (HTTPS) StoreFront monitor
  - create a Service Group with protocol type SSL, port 443
  - add the StoreFront servers to the Service Group, port 443
  - create a StoreFront Load Balancing VIP, protocol type SSL
  - bind the certificate(s) to the newly created Load Balancing VIP
  - optional: create an HTTP to HTTPS redirect for the StoreFront Base URL
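The NetScaler part of the procedure above, as an added example that is not from the original post or from Citrix: a small shell script that emits the corresponding NetScaler CLI commands into a batch file and can push it to the appliance with the NetScaler `batch` command over SSH. All object names, the FQDN, the VIP, the server addresses, the store name and the certificate file names are assumptions for illustration; the certificate and key are assumed to be already uploaded to /nsconfig/ssl in PEM format.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate the NetScaler CLI
# commands for load balancing StoreFront over SSL and optionally apply them.
# All names and addresses are illustrative assumptions.
set -eu

SF_FQDN="storefront.example.com"   # host part of the StoreFront Base URL (assumed)
SF_VIP="10.0.0.10"                 # load-balancing VIP (assumed)
STORE_NAME="Store"                 # StoreFront store the monitor probes (assumed)

# Print the NetScaler commands for the procedure, one per line.
ns_storefront_batch() {
    # 1. Server certificate (PEM cert + key in /nsconfig/ssl) plus the root CA,
    #    linked so the NetScaler sends the full chain.
    echo "add ssl certKey cert_storefront -cert storefront.pem -key storefront.key -inform PEM"
    echo "add ssl certKey cert_rootca -cert rootca.pem"
    echo "link ssl certKey cert_storefront cert_rootca"
    # 2. Secure StoreFront monitor (built-in STOREFRONT type, HTTPS to the store).
    echo "add lb monitor mon_storefront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename ${STORE_NAME}"
    # 3./4. SSL service group on 443 with both StoreFront servers (assumed names/IPs).
    echo "add serviceGroup svg_storefront SSL"
    while read -r name ip; do
        [ -n "$name" ] || continue
        echo "add server $name $ip"
        echo "bind serviceGroup svg_storefront $name 443"
    done <<EOF
sf01 10.0.1.11
sf02 10.0.1.12
EOF
    echo "bind serviceGroup svg_storefront -monitorName mon_storefront"
    # 5./6. SSL load-balancing VIP with the certificate bound to it.
    echo "add lb vserver vs_storefront_ssl SSL ${SF_VIP} 443 -persistenceType SOURCEIP"
    echo "bind lb vserver vs_storefront_ssl svg_storefront"
    echo "bind ssl vserver vs_storefront_ssl -certkeyName cert_storefront"
    # 7. Optional HTTP -> HTTPS redirect: an HTTP vserver with no services bound
    #    stays DOWN, and a DOWN vserver answers with its redirect URL.
    echo "add lb vserver vs_storefront_http HTTP ${SF_VIP} 80 -redirectURL https://${SF_FQDN}/"
    echo "save ns config"
}

# Copy the batch file to the appliance and run it. Not called below; needs
# SSH access to the NSIP as nsroot (assumed).
ns_apply() {
    nsip="$1"
    ns_storefront_batch > storefront_lb.txt
    scp storefront_lb.txt "nsroot@${nsip}:/var/tmp/storefront_lb.txt"
    ssh "nsroot@${nsip}" "batch -fileName /var/tmp/storefront_lb.txt -outfile /var/tmp/storefront_lb.out"
}

# Dry run: show what would be sent to the NetScaler.
ns_storefront_batch
```

Review the generated file before running `ns_apply <NSIP>`; the batch command executes every line, so a typo in a name ends up in the running configuration.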
After this was done, we tested whether we could reach the StoreFront Base URL over HTTPS through the Load Balancing VIP.
To my surprise, we got the following error message:
I confirmed that the Service Group and the Load Balancing VIP had the status "UP" in the NetScaler configuration. In other words, the StoreFront monitor was able to connect to the StoreFront servers correctly.
My first thought was that we had run into a firewall problem, but testing the VIP from a VM in the same network segment showed the same problem. A direct connection to one of the StoreFront servers also worked without any problem.
So, the problem was something with the Load Balancing VIP.
When I looked at the certificate, I noticed it had a 4096-bit RSA public key.
I thought a 4096-bit public key shouldn't be any problem, but after some searching I found the following Citrix web site:
It explains that a 4096-bit public key is supported on the NetScaler VPX for the front end (the certificate bound to the VIP), but not for the SSL connections to the backend servers. Only an MPX appliance supports 4096-bit public keys on the backend servers. Because the Service Group uses protocol type SSL, the NetScaler has to complete a TLS handshake with each StoreFront server, and those servers present the same 4096-bit certificate, which the VPX cannot handle on the backend.
So, to conclude: creating a new certificate with a 2048-bit public key and using it on both the StoreFront servers and the NetScaler solved the problem.
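The check I would run before binding any certificate on a VPX, as an added example that is not from the original post: a shell script that uses OpenSSL to read the RSA key size out of a certificate (from a PEM file, or from a live StoreFront server or VIP) and flags anything above 2048 bits as unusable on a VPX backend. The 2048-bit limit is taken from the Citrix statement quoted above; the two self-signed certificates it generates are constructed sample input, and the host name and file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify the RSA key size of a
# StoreFront certificate before using it behind a NetScaler VPX, whose backend
# SSL connections do not work with 4096-bit keys (limit taken from the post).
set -eu

# Print the RSA modulus size in bits of the first certificate in a PEM file.
# openssl prints "Public-Key: (2048 bit)" (or "RSA Public-Key: ..." on 1.1.x).
rsa_bits_of_cert() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Same check against a live TLS endpoint, e.g. a StoreFront server or the VIP.
# Not run here (needs network access); -servername sets SNI for the handshake.
rsa_bits_of_endpoint() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 if the certificate's key can be used on a VPX backend, 1 otherwise.
vpx_backend_key_ok() {
    bits=$(rsa_bits_of_cert "$1")
    [ -n "$bits" ] && [ "$bits" -le 2048 ]
}

# Constructed sample input: throwaway self-signed certificates of both sizes.
make_selfsigned() {  # <bits> <cert.pem> <key.pem>
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=storefront.example.com" -keyout "$3" -out "$2" 2>/dev/null
}

WORK=$(mktemp -d)
make_selfsigned 2048 "$WORK/sf2048.pem" "$WORK/sf2048.key"
make_selfsigned 4096 "$WORK/sf4096.pem" "$WORK/sf4096.key"

for cert in "$WORK/sf2048.pem" "$WORK/sf4096.pem"; do
    if vpx_backend_key_ok "$cert"; then
        printf '%s: %s-bit key, OK for VPX backend\n' "$cert" "$(rsa_bits_of_cert "$cert")"
    else
        printf '%s: %s-bit key, NOT supported on VPX backend\n' "$cert" "$(rsa_bits_of_cert "$cert")"
    fi
done
```

Run `rsa_bits_of_endpoint sf01.example.com` against each StoreFront server as well as the VIP: the monitor showing "UP" does not prove the backend handshake works for client traffic, so checking the key the servers actually present is the quickest way to catch this before users do.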