SSL connection from NetScaler to IIS back-end breaks when you load balance SSL websites using IIS and Citrix NetScaler. Recently I ran into a problem which, according to this Citrix article, should not be a problem anymore in the most recent Citrix NetScaler build.
In my case I was trying to load balance two Citrix StoreFront servers. On both servers the StoreFront website was configured to use SSL. Direct connections from end-points were working fine, but when I tried to access the StoreFront page using the load balancing virtual server, I was presented with the SSL certificate (same one I had on StoreFront), and then the website just kept loading while showing only a blank page. I then remembered the Citrix article: https://support.citrix.com/article/CTX205578.
NetScaler version
At this point I was running the latest version of Citrix NetScaler (11.1 51.26nc).
Event ID 36888
I went to my StoreFront server, and opened up the Event Viewer. This was the event ID I saw.
Disable TLS 1.1 and 1.2 on Citrix NetScaler Service Group
The next step is to disable TLS version 1.1 and 1.2 on the Service Group which I configured on the load balancing virtual server.
Click on the Edit icon on the SSL Parameters horizontal bar.
Make sure to uncheck TLSv11 and TLSv12. Leave TLSv1 checked. Then click on OK.
That should do the trick: the SCHANNEL events should stop appearing on the StoreFront servers, and the load balancing virtual server should work fine.
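The same change can be made and verified from the NetScaler CLI. This is an added example, not part of the original post; the service group name svcgrp_storefront is a placeholder for the service group bound to your load balancing virtual server.

```text
# svcgrp_storefront is a placeholder name, substitute your own service group.

# 1. Record the current back-end SSL settings, including which protocol
#    versions are enabled for the service group.
show ssl serviceGroup svcgrp_storefront

# 2. Leave TLSv1 enabled and disable TLSv1.1 and TLSv1.2 for the
#    NetScaler-to-IIS connection, matching the GUI steps above.
set ssl serviceGroup svcgrp_storefront -tls1 ENABLED -tls11 DISABLED -tls12 DISABLED

# 3. Confirm that the protocol settings now show TLSv1.1 and TLSv1.2 as disabled.
show ssl serviceGroup svcgrp_storefront

# 4. Check that the service group members are UP again.
show serviceGroup svcgrp_storefront

# 5. Persist the change so it survives a reboot.
save ns config
```

The setting only affects the back-end leg between NetScaler and the StoreFront servers; the protocols offered to clients are configured separately on the SSL virtual server. Running the same `set` command with `ENABLED` restores TLSv1.1 and TLSv1.2 on the service group.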
This concludes this blog post. Feel free to contact me if you have any questions or comments.