I recently helped stand up a pair of NetScaler MPX 7500 appliances as a public Internet facing front-end to large Citrix implementation. The goal was to utilize the NetScalers to provide basic Access Gateway functionality similar to the legacy Citrix Secure Gateway (CSG) and Citrix Access Gateway (CAG) solutions. It’s not rocket science by any means and it was pretty straight forward until we started testing some Google Android devices and quickly found that as usual nothing is ever that simple.
I had two devices with which to test, an original Motorola Droid (Verizon Wireless) running Android 2.2.2 and a Motorola Xoom (Wi-Fi Only) running Android 3.1. The SSL certificate installed on the pair of MPX 7500s was purchased from VeriSign and issued from an intermediate certificate authority – “VeriSign Class 3 International Server CA – G3” (February 2010) which was in turn issued by “VeriSign Class 3 Public Primary Certification Authority – G5” (November 2006). I’m was guessing that the November 2006 certificate is probably part of the base Android operating system but the February 2010 is probably missing. Unfortunately there’s no way to actual view the installed root certificates on either device? What’s up with that?
There are some well documented issues here and here with Google’s Android around the inability of the operating system to import private or additional root and intermediate certificates. It appears that you can import additional root certificates for VPN and wireless authentication but not for web based SSL or email authentication. That’s essentially what I found on both the Motorola Droid and Motorola Xoom, however, a friend showed me a Motorola Blur running Android 2.2.1 today that actually allows you to import additional root and intermediate certificates and it appeared to work for both web browser SSL sessions as well as the Citrix receiver. Is this an add-on feature by Motorola that’s not included in the base operating system? Is there anyone reading this that can enlighten me?
In the end I discovered that the certificate installed into the NetScaler wasn’t chained properly to the VeriSign intermediate certificate. SSL Shopper has a great tool to check the certificate chaining. And thanks to this post from Jason I was able to configure the NetScaler properly and now both the Motorola Droid and Xoom can make an SSL connection without any certificate warnings.
Just about to start working with a CAG next week to stand up a remote-access iPad gateway.
Alas can’t get them to talk to our existing remote-access Contivity farm!
Michael McNamara says
We had success getting the iPad and Android tablet connecting to our Juniper Secure Access SSL VPN appliances using the Juniper Pulse client. We’ve actually been migrating all our legacy Contivity VPN access to Juniper SSL VPN.