PVS, Firewalls, and the mysterious 1039 errors in a working environment…

Posted: April 3, 2014 in Citrix
Tags: , , , ,

I don’t have a lot of time for another post right now, but I found this one particularly interesting.

I was finding a lot of warning errors on my PVS servers.  There were numerous errors, but this was the most common.
The Citrix Broker Service failed to contact virtual machine ‘<machinename>’ (IP address ).
Check that the virtual machine can be contacted from the controller and that any firewall on the virtual machine allows connections from the controller. See Citrix Knowledge Base article CTX126992.
Error details:
Exception ‘Client is unable to finish the security negotiation within the configured timeout (00:00:05). The current negotiation leg is 1 (00:00:05). ‘ of type ‘System.TimeoutException’.

There were several articles on the subject, most of them talking about the VM’s registering, and deregistering, etc. but I didn’t have that problem. I ran down the articles, and none of the problems fit my situation.  Since I wasn’t really having a problem, I dropped the subject for a while.  I had some time recently to start looking back into the subject.

I had followed the best practices for the VM’s (or thought I had).  I ended up calling Citrix support, and went through everything.  We were going through all the same articles again, and not finding anything.  But, the Citrix tech noticed one thing.. I had the firewall turned off for the domain profile, but not for the private or public profiles.  We began discussing the subject, and why it was set that way.  Best practices say that the firewall be turned off for the PVS machines.  Since the machines already belonged to the domain, I turned off the domain profile by GPO.  (To me, this is a pretty typical security view – only enable/disable what you have to, and lock the rest).

It turns out that even though PVS is booting from the network, and that network connection is the very first thing established, as that streamed copy of Windows boots up, it does not recognize the network connection profile as the domain profile until well after the machine is up, and it has already tried to register.   Once it gets up far enough, the GPO takes effect, and the firewall comes down, the re-register works, and everything is good.   I turned around and adjusted the GPO to have the the firewall always off.  Success!  90%+ errors of the errors were gone.  I still get the occasional warning errors, but now they are unusual.

So, the next step will be to check the actual firewall configurations, and forcibly allow all the ports through the firewall in all profiles.

David F.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s