I have worked with XenApp since the WinFrame and MetaFrame days. Back then, we had to create altaddr entries and NAT rules on the firewall to allow connections from the Internet. Later, we moved to CSG (Citrix Secure Gateway), which exposed only port 443 and only one IP address to the Internet to reach the internal Presentation Server farm.
Now, the preferred method is NetScaler Access Gateway. The problem is that for a XenDesktop/XenApp person like me, NetScaler can be overwhelming. So I decided to write this post about installing and configuring a NetScaler for use with XenDesktop and XenApp. Again, I am not a NetScaler expert; I have just had to set one up to support proofs of concept for my clients.
This post covers only the basics of getting a NetScaler up and running to support XenDesktop and XenApp. It will not help you with more advanced NetScaler topics.
MIPs, SNIPs, NSIPs and VIPs, Oh My!
Before we begin, let's get some terminology out of the way. The main thing to know is that the NetScaler uses four different kinds of IP addresses:
MIP - Mapped IP address. MIP addresses are used to connect to back-end servers and for Reverse Network Address Translation (NAT). The MIP is one of the IP addresses that belong to the NetScaler. You must specify at least one MIP when configuring the appliance for the first time.
SNIP - Subnet IP address. This is an IP address that lets the NetScaler appliance talk to hosts on a subnet other than its own. When you add a SNIP, the appliance adds an entry to its routing table. The SNIP lets the NetScaler reach a subnet that is different from the local one that the MIP and NSIP sit on.
NSIP - NetScaler IP address. The NSIP is the IP address at which you access the NetScaler for management purposes. The NetScaler can have only one NSIP, which is also called the management IP of the appliance.
VIP - Virtual server IP address. A VIP is the IP address associated with a virtual server. It is the public IP address that clients connect to. A NetScaler handling a wide range of traffic can have many VIPs configured.
The diagram below shows how the MIP and SNIP are used. The NetScaler in the diagram is on the same local network as 10.1.1.0. It uses the MIP 10.1.1.8 to access servers on that network, but uses the SNIP 10.2.2.9 to access servers on the 10.2.2.0 network.
How Do I Install This Thing?
Obviously, the first step is to get the NetScaler up and running. For this post I am using the NetScaler VPX, the virtual version of the NetScaler appliance. It can be downloaded from your MyCitrix account. There is a NetScaler VPX for XenServer, Hyper-V and VMware ESX. For this post, I'll use XenServer (shocker). If you use a physical appliance, you can skip this step.
Download the XVA file from MyCitrix.
With the XVA file downloaded, it's time to import the virtual appliance into XenCenter. In XenCenter, select File -> Import.
Browse to your XVA file, then click Next.
Select the desired host, then click Next.
Select the desired storage and click Import.
Select the desired network interface. In some cases there will be more than one. You may also want to place it in your DMZ. Click Next.
Review the import information. Also check Start VM(s) after import. Click Finish.
I Got the Appliance Imported, Now What?
In order to access the appliance remotely, it must first have an IP address. Once it has one, all management is done via a web browser.
Go to the console of the newly created NetScaler virtual appliance. The console will prompt for an IPv4 address. The address it is asking for is the NSIP (NetScaler IP address), the management IP of the NetScaler.
Enter the desired NSIP, subnet mask and default gateway. Once complete, select option 4 to save and quit.
After the NetScaler appliance has an IP address, the rest of the NetScaler services will start. This takes about a minute. Once the console displays "Login", you can access the appliance via a web browser.
Open Internet Explorer and type the NSIP in the address bar. The default credentials for a NetScaler appliance are nsroot for both the user name and the password.
Note: The NetScaler web console requires the Java plug-in. If prompted by IE, allow the plug-in to run.
Once in the console, run the Setup Wizard found near the bottom of the web console.
The Network Config step of the wizard is used to add the MIP and SNIP. Click the Subnet IP radio button and enter your SNIP. Click Next to continue. Select Skip this step on the Choose Application tab. Click Next and then Finish to add the SNIP.
You can always review the IP information (NSIP, SNIP, VIP) by clicking Network -> IPs in the console tree on the left.
Yes, You Have to License This Thing...
For XenDesktop/XenApp folks like me, licensing does not work the way we are used to. Essentially, you do not point the NetScaler at a license server. Instead, the LIC file is loaded directly onto the NetScaler. When requesting the LIC file from MyCitrix, you must know the hostname of the NetScaler.
Important: The hostname of the NetScaler is not what you saw in the previous step where we added the SNIP. The hostname required for licensing is actually the MAC address of the NetScaler.
To find the host name (MAC address), log on to the NetScaler appliance console. If you have not changed the password, the user name and password are both nsroot. Once logged in, type Shell. This leaves the NetScaler CLI and enters the system shell. To get the host name, type the following command:
lmutil lmhostid -ether
The command prints The FLEXnet host ID of the machine is followed by a quoted value. That quoted value is the host name used for licensing.
Once the LIC file has been downloaded from your MyCitrix account, navigate to System -> Licenses. Click Manage Licenses at the bottom of the screen. Click Add to browse to and add your LIC file.
Now that the license is loaded (a reboot may be required for it to appear), we need to enable the features our configuration needs. In the NetScaler web console, go to System -> Settings. Click Configure basic features. For our purposes, enable SSL Offloading, Load Balancing and Access Gateway.
Web Interface Configuration... Finally Something Interesting
Now we finally get to the part we care about: adding the XML and Web Interface servers to the NetScaler. After this step, you'll be able to reach the Web Interface page via the VIP we create.
From the NetScaler web GUI go to Load Balancing -> Servers. Click Add at the bottom of the screen. Type the name and the IP address of one of your Web Interface servers and click Create. Do this for each Web Interface server in your environment; hopefully you have at least two. Once the Web Interface servers are entered, they should show as Enabled. At any time, a server can be manually Disabled for maintenance.
Now we need to create an HTTP service for the NetScaler to communicate with those servers. Navigate to Load Balancing -> Services. Click Add at the bottom of the screen. Give the service a name. Usually, the name is the server name plus the port it uses. For example, if your server name is DDC1, the service name could be service_DDC1_80. Then select the server you created in the previous step in the Server drop-down. Choose HTTP for the Protocol and type 80 for the Port. Finally, select the http monitor and click Add. Click Create to add the service. An HTTP service must be added for each Web Interface server.
Note: The HTTP monitor uses port 80 to verify that the server is up. Ping could also be used, but using the monitor that matches the service verifies that the server is actually working, not just reachable. If the monitor detects that it cannot communicate with the server, it marks the service down. Several monitors can also be bound to one service.
With the servers and services in place, we need to create a load balanced virtual server. The virtual server uses a VIP that all clients will use to reach the Web Interface through the NetScaler. The VIP is a new address, which can be tied to a DNS entry for users to type into their browser.
To create the virtual server go to Load Balancing -> Virtual Servers. Click Add at the bottom of the screen. Enter a name for the virtual server. Enter the IP address to be used as the VIP for both Web Interface servers. Choose HTTP for the Protocol and enter 80 for the Port.
On the Services tab, check the boxes for both of the Web Interface services created earlier. On the Method and Persistence tab, select Least Connection for the Method and COOKIEINSERT for Persistence.
This is a good time to save the configuration if you have not already. Click Save at the top of the NetScaler web GUI. With the virtual server and VIP created, you should now be able to hit the VIP from an IE browser.
Remember XML
Another great use of the NetScaler is to create a VIP for your XML servers. Once the VIP is created, it can be used in the Web Interface configuration for XML. The advantage of using the NetScaler for this is that it can monitor the XML Service to make sure it is up. It does this beyond just checking that the service is listening: it sends an XML query at a regular interval and retrieves the farm name. This proves not only that the service is running, but also that it is functional.
To use this feature, a new monitor must be created. This monitor uses XML to send a request to the XenApp farm. Note that this only works for XenApp, not XenDesktop.
To create the monitor, go to Load Balancing -> Monitors. Click Add at the bottom of the screen. Give the new monitor a name and select CITRIX-XML-SERVICE as the Type. Click the Special Settings tab. Enter the name of a published application in your environment. I have seen some people publish Notepad on the XML servers with the published application name "XML Test". Click Create to create the new XML monitor.
The next step is to create a VIP that can be used in the Web Interface configuration.
From the NetScaler web GUI, create a Server entry for each XML server, the same way you did earlier for the Web Interface servers. Then create the Service entries for each XML server. This time choose TCP for the service and enter the port used for XML. Use the newly created XML monitor as the Monitor. Finally, create a VIP that combines all of the XML services just created. Make sure TCP is selected as the VIP protocol. This VIP can now be used in the Web Interface configuration for the farm's XML service.
Access Gateway FTW (For The Win)
Now that we have the NetScaler load balancing multiple Web Interface servers and even XML servers, it's time to configure external access to your XenDesktop/XenApp environment. Honestly, that's what you're here for anyway.
Certificates... The Bane of Every IT Person's Existence
When it comes to Access Gateway, the only way to access it is via SSL (port 443) with a certificate. This means that any Access Gateway implementation must begin with installing a certificate and, if necessary, the certificate chain.
For the purposes of this blog, I will use an internal Microsoft Certificate Authority (CA) for the certificate.
The first step is to create a certificate key. Navigate to SSL in the NetScaler GUI. Click Create RSA Key. Fill in the required fields as follows:
Name: AG.key (or whatever makes sense to you)
Key Size (bits): 2048
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: password (or any password you want)
Next we need to create a certificate signing request to send to the CA. Navigate to SSL in the NetScaler GUI. Click Create CSR (Certificate Signing Request). Fill in the required fields as follows:
Request File Name: AG.req (or whatever makes sense to you)
Key File Name: AG.key (browse to the key created in the previous step)
Key Format: PEM
PEM Passphrase: password (the same password used to create the key in the previous step)
Common Name: access.xendesktop.lab (the name users will type into their browsers)
Organization Name: Citrix (use the name of your organization here)
State or Province Name: DC (use your own state)
Now we need to download the request file so we can submit it to the CA. Navigate to SSL in the NetScaler GUI. Click Manage Certificates / Keys / CSRs (found under the Tools section). Find the request file (AG.req) created in the previous step and click Download. In the File Download window, click Browse and save the file to a convenient location.
Now we will submit the request to the CA. Open a web browser and type http://
Now it is time to download the certificate the CA has created for us. Click the radio button for Base 64 encoded, then click Download certificate chain.
The next part can be confusing. The file we just downloaded is a P7B package. Essentially, it is a file that contains several certificates: the actual certificate we asked for, plus the root CA certificate and any intermediates. Double-click the new Certnew.p7b file to open it. The Certificates window shows all the certificates inside the P7B file. First, open the one with the common name of the certificate request you created earlier (for me it is access.xendesktop.lab). Click the Details tab, then click Copy to File.
This launches the Certificate Export Wizard. In the wizard, choose Base-64 encoded X.509 (.CER) when prompted.
Save the file to a convenient location. Make sure you name the file something you will recognize later. For example, save it as AG.cer. Remember, this is the actual certificate for the Access Gateway site. The other certificates we will export are the root and any intermediates.
Now that we have exported the server certificate, do the same for all the other certificates in the P7B package. At a minimum, you will have a root certificate to export. Again, naming these files is important. The root can be named root.cer. Intermediates can be Int1.cer, Int2.cer, etc.
Ok, now let's get these certificates onto the NetScaler. Navigate to SSL in the NetScaler GUI. Click Manage Certificates / Keys / CSRs (found under the Tools section). This time, choose Upload. Upload each certificate file from the previous step. This includes the server certificate, the root, and all intermediates.
Just copying the files over does not mean they are installed. We now need to install the certificates. Navigate to SSL -> Certificates in the NetScaler GUI. Click Install at the bottom of the screen. Fill in the required fields as follows:
Certificate-Key Pair Name: AG-Cert (or any other name you like)
Certificate File Name: AG.cer (browse to the certificate from the previous step)
Private Key File Name: AG.key (browse to the key file created much earlier)
Password: password (the password you created for the key earlier)
Certificate Format: PEM
Ok, nearly finished, I promise. Repeat the step above for each certificate that was part of the original P7B file, i.e. install the root certificate and any intermediate certificates. Finally, we need to link the server certificate (AG.cer) to the root certificate (root.cer). To do this, go to SSL -> Certificates. Click the server certificate installed earlier (AG-Cert). Then click Link at the bottom of the screen. Select the root CA from the drop-down menu, then click OK. If there are intermediate certificates, the same step applies to them: link the server certificate to the intermediate that issued it, link each intermediate to the one above it, and link the last intermediate to the root.
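The P7B extraction and chain linking above can also be done and checked from a command line, which is handy when a browser still warns after the Link step. The script below is an added example and not part of the original post: it builds a constructed root CA, issuing CA and server certificate for access.xendesktop.lab, bundles them into a DER PKCS#7 file like the Certnew.p7b a Microsoft CA hands out, extracts the certificates with openssl (the command-line equivalent of double-clicking the P7B and exporting each entry), sorts them into server, intermediate and root by subject and issuer, and verifies the chain both with and without the intermediate. The CA names, keys and file names are made up for the example.

```shell
#!/bin/sh
# Added example: constructed CA chain -> PKCS#7 bundle -> extract -> verify.
# Everything here (CA names, keys, file names) is made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="access.xendesktop.lab"      # common name from the CSR, as in the post

# Stand-in for the Microsoft CA: issues a root, an intermediate and the server cert,
# then bundles all three as a DER PKCS#7 file (what "Download certificate chain" gives you).
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN" > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$CN" \
    -keyout "$WORK/AG.key" -out "$WORK/AG.req" 2>/dev/null
  openssl x509 -req -in "$WORK/AG.req" -CA "$WORK/int.cer" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/AG.cer" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/AG.cer" -certfile "$WORK/int.cer" \
    -certfile "$WORK/root.cer" -outform DER -out "$WORK/certnew.p7b"
}

# Equivalent of double-clicking the P7B and exporting each entry as Base-64 X.509:
# dump all certificates as PEM and split them into cert1.cer, cert2.cer, ...
# Prints the number of certificates found.
extract_from_p7b() {
  openssl pkcs7 -inform DER -in "$WORK/certnew.p7b" -print_certs -out "$WORK/all.pem"
  (cd "$WORK" && awk '/-----BEGIN CERTIFICATE-----/ {n++; f = sprintf("cert%d.cer", n)}
                      f != "" {print > f}
                      /-----END CERTIFICATE-----/ {close(f); f = ""}' all.pem)
  ls "$WORK"/cert*.cer | wc -l | tr -d ' '
}

# Sort the extracted files into server / intermediate / root using subject and issuer.
# That order (server -> intermediate -> root) is exactly what the Link step on the
# NetScaler reproduces.
classify_certs() {
  for f in "$WORK"/cert*.cer; do
    subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then
      cp "$f" "$WORK/root.out.cer"          # self-signed: the root CA
    elif printf '%s' "$subj" | grep -qF "$CN"; then
      cp "$f" "$WORK/AG.out.cer"            # our server certificate
    else
      cp "$f" "$WORK/int.out.cer"           # anything else: an intermediate
    fi
  done
}

# The check behind "if there are warnings, check the certificate chaining".
# Prints OK when the server cert validates through the intermediate up to the root.
verify_chain() {
  out=$(openssl verify -CAfile "$WORK/root.out.cer" -untrusted "$WORK/int.out.cer" \
          "$WORK/AG.out.cer" 2>&1 || true)
  case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# Same check with the intermediate left out, which is what a client sees when the
# intermediate was never installed or linked on the NetScaler.
verify_without_intermediate() {
  out=$(openssl verify -CAfile "$WORK/root.out.cer" "$WORK/AG.out.cer" 2>&1 || true)
  case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

make_test_chain
echo "certificates in P7B:  $(extract_from_p7b)"
classify_certs
echo "full chain:           $(verify_chain)"
echo "without intermediate: $(verify_without_intermediate)"
```

For a real certnew.p7b, skip make_test_chain and point WORK at the folder holding the file; the extracted cert*.cer files are the same Base-64 X.509 files the export wizard produces, and the two verify results show whether a warning is a chain problem (full chain FAIL) or something else, such as a name mismatch.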
Finally Done With Certificates, Now Let's Do Some Access Gateway Stuff
We need to create an Access Gateway virtual server and VIP. To do this, go to Access Gateway -> Virtual Servers. Click Add at the bottom of the screen. On the Create Access Gateway Virtual Server screen, enter a Name for the new Access Gateway site. This should match the common name of the certificate created earlier. Assign the IP address that will be used as the VIP for this connection. Finally, add the certificate created earlier (AG-Cert).
Now that we have the Access Gateway virtual server and VIP created, let's try to access it. Open a web browser and go to https://access.xendesktop.lab (obviously use the FQDN you created). Make sure you use HTTPS to access the site; the Access Gateway will not listen over HTTP (port 80). Remember, to reach the FQDN you created, a DNS entry (or hosts file entry) must be created pointing to the new VIP. The page should show no certificate warning. If there are warnings, check the certificate chaining.
At this point, the Access Gateway site is not going to do much. We still need to configure Access Gateway for the Web Interface and LDAP authentication.
Adding LDAP Authentication...
To add LDAP to the Access Gateway virtual server, we start by creating an LDAP server on the NetScaler. To do this, go to System -> Authentication. Click the Servers tab, then click Add at the bottom of the screen. Fill in the required fields as follows:
Name: AD (or whatever name you want to give it)
Authentication Type: LDAP
IP Address: 192.168.12 (use the IP address of one of your domain controllers)
Base DN: DC=XenDesktop,DC=lab (use the DN for your domain)
Administrator Bind DN: XenDesktop\UserAdmin (does not need to be an admin; use the domain\user format)
Administrator Password: password (the password for the above user)
Click Get Attributes to test the connection.
Now we will create the LDAP policy on the NetScaler, which will be bound to the Access Gateway virtual server. To create the policy go to System -> Authentication. Click the Policies tab, then click Add at the bottom of the screen. Fill in the required fields as follows:
Name: policy_LDAP (or any other name you like)
Authentication Type: LDAP
Server: AD (this is the server created in the previous step)
Expression: General -> True (click Add Expression)
Finally, we bind this policy to the Access Gateway virtual server. Navigate to Access Gateway -> Virtual Servers. Open your Access Gateway virtual server and go to the Authentication tab. Click Insert Policy and select the LDAP policy created above.
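Everything clicked through in the Web Interface, XML and LDAP sections above can also be applied from the NetScaler CLI, which makes the setup repeatable across a second appliance or a rebuilt lab. The script below is an added example, not configuration from the original post: it generates the equivalent batch commands for a constructed inventory of two Web Interface servers, two XML servers, the CITRIX-XML-SERVICE monitor, the LDAP server and policy, and the Access Gateway virtual server with AG-Cert bound. All IP addresses and server names are placeholders I made up; the -ldapLoginName sAMAccountName attribute is my assumption (the post does not mention it), and the bind password is left as REPLACE_ME.

```shell
#!/bin/sh
# Added example: generate the NetScaler CLI batch equivalent of the GUI steps.
# Inventory values below are constructed placeholders for a lab, not from the post.
set -eu

WI_SERVERS="WI1:10.1.1.11 WI2:10.1.1.12"     # name:ip, one per Web Interface server
XML_SERVERS="XML1:10.1.1.21 XML2:10.1.1.22"  # name:ip, one per XML server
WI_VIP="10.1.1.100"        # VIP users point their browser at
XML_VIP="10.1.1.101"       # VIP Web Interface uses for the XML service
XML_PORT=80                # port the XML service listens on in your farm
AG_NAME="access.xendesktop.lab"   # must match the certificate's common name
AG_VIP="10.1.1.200"        # VIP behind that FQDN
LDAP_IP="192.168.0.1"      # placeholder: one of your domain controllers

# Emits the server, service, monitor binding and vserver binding lines for one pool.
# $1 vserver name, $2 VIP, $3 protocol, $4 port, $5 monitor, $6 extra vserver options,
# $7 "name:ip ..." list.
emit_pool() {
  vs=$1; vip=$2; proto=$3; port=$4; mon=$5; extra=$6; list=$7
  printf '%s\n' "add lb vserver $vs $proto $vip $port $extra"
  for entry in $list; do
    name=${entry%%:*}; ip=${entry#*:}
    svc="service_${name}_${port}"              # naming convention from the post
    printf '%s\n' "add server $name $ip"
    printf '%s\n' "add service $svc $name $proto $port"
    printf '%s\n' "bind service $svc -monitorName $mon"
    printf '%s\n' "bind lb vserver $vs $svc"
  done
}

# The whole configuration, in the order the NetScaler needs to accept it.
emit_config() {
  printf '%s\n' "enable ns feature LB SSL SSLVPN"
  # Web Interface: HTTP, least connection, cookie persistence, built-in http monitor
  emit_pool vs_WI_80 "$WI_VIP" HTTP 80 http \
    "-lbMethod LEASTCONNECTION -persistenceType COOKIEINSERT" "$WI_SERVERS"
  # XML: custom monitor that asks the farm for a published app, TCP vserver
  printf '%s\n' 'add lb monitor mon_XML CITRIX-XML-SERVICE -application "XML Test"'
  emit_pool "vs_XML_${XML_PORT}" "$XML_VIP" TCP "$XML_PORT" mon_XML \
    "-lbMethod LEASTCONNECTION" "$XML_SERVERS"
  # LDAP server and policy (assumption: sAMAccountName as the login attribute)
  printf '%s\n' "add authentication ldapAction AD -serverIP $LDAP_IP -ldapBase \"DC=XenDesktop,DC=lab\" -ldapBindDn \"XenDesktop\\UserAdmin\" -ldapBindDnPassword REPLACE_ME -ldapLoginName sAMAccountName"
  printf '%s\n' "add authentication ldapPolicy policy_LDAP ns_true AD"
  # Access Gateway virtual server with the installed cert and the LDAP policy bound
  printf '%s\n' "add vpn vserver $AG_NAME SSL $AG_VIP 443"
  printf '%s\n' "bind ssl vserver $AG_NAME -certkeyName AG-Cert"
  printf '%s\n' "bind vpn vserver $AG_NAME -policy policy_LDAP -priority 100"
  printf '%s\n' "save ns config"
}

# Helper for sanity checks: how many generated lines start with the given command.
count_cmd() {
  emit_config | grep -c "^$1" || true
}

emit_config
```

Redirect the output to a file, copy it to /nsconfig on the appliance and run batch -fileName with that path from the NetScaler CLI. Review the generated file before loading it: the commands take effect as they run, and the final save ns config writes them to the saved configuration.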
At this stage, you should be able to log on to the Access Gateway site.
Almost Home. Time for Web Interface
In most cases, you will want to create a new Web Interface site for use with Access Gateway. In fact, for Access Gateway to be the point of authentication, your only option is to create a new site, because this setting cannot be changed after a site is created.
So, from your Web Interface server, open the Citrix Web Interface Management console. Right-click XenApp Web Sites and select Create Site. Make the site path something that indicates Access Gateway, for example /Citrix/AccessGateway. There is no need to set it as the default page in IIS, since the NetScaler will do that for us.
The next step is important.