Post on 28-May-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Citrix NetScaler – Introduction · Create NetScaler SAML Policy to 3rd Party iDP (Google) 143 Install The Citrix Federated Authentication Service (CFAS) 159 Configure StoreFront

Page: 1

Citrix NetScaler – Introduction

Table of Contents

Introduction .... 4
  Who is this guide for? .... 4
  Prerequisites .... 4
Prepare your Environment .... 5
  Download the NetScaler Firmware 90 day Evaluation – citrix.com/products .... 5
  Download the NetScaler Firmware – mycitrix.com .... 8
  Deploy the OVA File to Hypervisor - VMWare ESXi 6 .... 11
  Initial NetScaler Setup - NSIP .... 16
  Download the NetScaler Trial License .... 21
  Install the NetScaler Trial License .... 23
Basic Authentication .... 25
  Creating an LDAP Authentication Policy - Administrators .... 25
  NetScaler SSH Command References .... 28
  Binding an LDAP Authentication Policy - Administrators .... 29
  Granting AD Group Permissions to the NetScaler .... 31
  Creating an LDAP Authentication Policy – NetScaler Users .... 34
  NetScaler SSH Command References .... 37
Certificates .... 38
  Creating a Private RSA .... 38
  Creating a CSR Request .... 40
  Submitting the CSR to a 3rd party CA - Comodo Free SSL .... 43
  Upload the CA CRT file and Install the Certificate on the NetScaler .... 48
  Intermediary Certificate Linking .... 50
XenApp & XenDesktop 7.14 Installation .... 54
  Prerequisites .... 54
  Install XA/XD Software .... 54
  Create the XA/XD Site .... 62
  Install the XA/XD VDA (Virtual Delivery Agent) .... 66
  Create a Machine Catalog .... 72
  Test the Citrix Desktop Launch .... 80
StoreFront Configuration .... 82
  Prerequisites .... 82

Copyright © 2017 www.mastersof.cloud


Page: 2

  Modify the Default Store .... 82
  Create a New StoreFront Store - Stand Alone .... 87
NetScaler Gateway - ICA Proxy .... 99
  Overview Diagram .... 99
  Prerequisites .... 100
  Configure the NetScaler Gateway for XA/XD - Wizard .... 100
NetScaler Unified Gateway .... 106
  Prerequisites .... 106
  Create the NetScaler Unified Gateway – Wizard .... 106
NetScaler Gateway - SSL VPN .... 113
  Create a Basic NetScaler Gateway for SSL VPN .... 113
  Prerequisites .... 113
  Install the NS Gateway Plugin - Windows .... 119
  Prerequisites .... 119
  Create a NetScaler Gateway Preauthentication Policy .... 123
  Configure NetScaler Gateway with Split Tunnelling .... 130
  Create Authorisation Policies for NS Gateway .... 134
  Setup NetScaler Gateway VPN to use a LDAP Authentication Policy .... 138
Configure NetScaler Gateway with SAML for ICA Proxy (Federated Authentication) .... 143
  Prerequisites .... 143
  Create NetScaler SAML Policy to 3rd Party iDP (Google) .... 143
  Install The Citrix Federated Authentication Service (CFAS) .... 159
  Configure StoreFront to Delegate Authentication to NetScaler .... 170
Configure NetScaler High Availability .... 172
  Prerequisites .... 172
  Deploy Secondary NetScaler .... 173
  Setup High Availability – NetScaler 1 .... 175
  HA Failover NetScaler 1 to NetScaler 2 .... 178
NetScaler Load Balancing .... 182
  Prerequisites .... 182
  Enable the Load Balancing Feature .... 182
  Setup Basic HTTP Load Balancing, Service Groups and Monitors .... 183
NetScaler Support .... 192
  Backup NetScaler Configuration .... 192
  Firmware Upgrade of the NetScaler HA Pair .... 195
  Clear the NetScaler Configuration .... 198


Page: 3

Disclaimer

This guide is offered as a companion to the online video training series from www.mastersof.cloud, or free directly from the www.mastersof.cloud website. This guide can also be used as a stand-alone guide. Please note that this guide is provided without warranty of any kind, express or implied, and was designed to be used in a test lab for educational purposes only. Use this guide at your own risk. You should always have multiple backups of your environment, configuration and infrastructure before making any changes to your environment. Never make untested or unsolicited changes to any production environment. Accuracy of the material contained within this document is very important to us. Every effort has been made to ensure the accuracy of this document at the time of writing; however, should you notice any discrepancies or incorrect information please notify us immediately at [email protected] so we can review and update where necessary.


Page: 4

Introduction

Welcome to the ‘Citrix NetScaler - Introduction’ guide. The purpose of this guide is to provide you with the basics you need to deploy and configure a NetScaler device either in a lab or in an enterprise environment. This document is designed to accompany the online courses now available at www.mastersof.cloud and also available at www.udemy.com. We hope you find this course informative and easy to follow. Please do feel free to ask questions or provide any feedback on the training website at www.mastersof.cloud or email [email protected].

Note: This guide uses many example screenshots, IP addresses and DNS settings that are specific to the demo environment being used at the time. You will need to use your own settings in place of the examples provided to ensure a working setup. If you are not sure of the configuration options you should consult with your AD, Network, Virtualisation and Cloud teams first for the correct details that are specific to your environment.

Who is this guide for?

Chances are if you have come this far you already knew what you were looking for! The guide is a quick start to get you up and running with Citrix NetScaler.

Prerequisites

1) A basic level of understanding of network principles, TCP/IP, DNS, firewalls and network routing
2) Familiarity with connecting to devices via SSH or PuTTY
3) Familiarity with all Citrix products in general
4) Competency with the latest versions of Microsoft Windows operating systems

This document also serves as a complementary printed walkthrough for the Citrix NetScaler Introduction online training at www.mastersof.cloud and also available at www.udemy.com.


Page: 5

Prepare your Environment

Download the NetScaler Firmware 90 day Evaluation – citrix.com/products

In this walkthrough we are going to connect to citrix.com and download a 90 day evaluation of the Citrix Application Delivery Controller (aka ADC).

Step Description Screenshot

1. Connect to http://www.citrix.com/products/

2. Scroll down and select Networking > NetScaler > NetScaler ADC


Page: 6

3. Click Try For Free

4. Enter your registration details (username and password) for your trial license


Page: 7

5. A code will be generated automatically

6. Expand Step 1 – Review system requirements and download software. Select the download most appropriate to you and your hypervisor.


Page: 8

Download the NetScaler Firmware – mycitrix.com

For customers who already use Citrix and have a mycitrix.com account, the NetScaler firmware can also simply be obtained from this site (provided you have a mycitrix.com account associated with your Enterprise licenses).

Step Description Screenshot

1. Connect to http://www.mycitrix.com

2. Click Downloads. Select NetScaler ADC as the product.


Page: 9

3. Select the latest release Virtual Appliance (VPX) available to you.

Note: At the time of writing the latest is 11.1-48.10.

4. Select VPX Package for New Installation. Select the right package for your hypervisor.

Note: In the example we are downloading the NetScaler VPX Software for VMWare ESX.


Page: 10

5. Read the End-User license agreement carefully

6. If you choose to accept the EULA, tick ‘I have read…’ and click Accept. You should read the download agreement. Be sure you and your country comply with the Export Control laws. Finally, save the file somewhere easily accessible later.


Page: 11

Deploy the OVA File to Hypervisor - VMWare ESXi 6

In this section we are going to deploy the newly downloaded NetScaler firmware onto our hypervisor (VMWare).

Step Description Screenshot

1. Connect and authenticate to your VMWare ESX web console

Note: In this example we are connecting to VMWare ESXi 6.0 with a private IP of 192.168.1.1. The default URL is http://192.168.1.1/ui

2. Click Virtual Machines. Click Create / Register VM.


Page: 12

3. Select Deploy a virtual machine from an OVF or OVA File. Click the section labelled ‘Click to select files or drag/drop’.

4. Select both the OVF and the VMDK files from the firmware file downloaded from Citrix, then click Next.


Page: 13

5. Select an appropriate storage location for your hypervisor to deploy the NetScaler VM

6. Choose the network mappings and disk provisioning best for you

Note: Disk provisioning is set to thin in this example only to save on local hypervisor disk space.

7. Click Finish on the summary page.


Page: 14

8. Click on the VM in the VMWare list

9. Authenticate to the VMWare console prompt with your VMware username and password

10. Click on the Console button to get access to the VM console


Page: 15

11. Success! The NetScaler has booted and is operational


Page: 16

Initial NetScaler Setup - NSIP

Step Description Screenshot

1. Click on the Console button to get access to the VM console

2. Your NetScaler should have finished initializing and be prompting for an IPv4 address as part of the first run wizard. Provide an appropriate free IP address, subnet and default gateway from your local network. Once the details are entered, type ‘4’ to save and quit, then press Enter to execute. The NetScaler will perform a quick, warm reboot.

Note: In this guide we will use the following details for the NSIP:

IP address: 192.168.1.50
Subnet Mask: 255.255.255.0 (also known as /24)
Default Gateway (internet router): 192.168.1.254

However you should use an appropriate IP address, netmask and gateway for your network and specific configuration. If you are unsure consult with your network administration team.


Page: 17

3. After the reboot it will return to the login: prompt. Enter ‘nsroot’ as the username and ‘nsroot’ as the password. These are the default NetScaler username and password.

4. Once successfully authenticated, type ‘show ip’ and press Return.

Note: This command will show you all IP addresses registered on the active NetScaler.

Tip: the NetScaler recognises short versions of the same command (provided it’s unique); for example the command ‘sh ip’ will also work.


Page: 18

5. Type ‘shell’ and press Return. Type ‘ifconfig’ and press Return.

Note: you can use the shell to perform more traditional BSD-based Linux commands like ifconfig, route, ping and traceroute.

6. Open your internet browser and point it to the newly added NSIP of your NetScaler. Enter ‘nsroot’ as the username and ‘nsroot’ as the password.

7. Click Enable or Skip on the Citrix User Experience Improvement Program window.


Page: 19

8. Welcome to the first-time setup config page of the NetScaler GUI.

Note: This page shows you that you have already set a NetScaler IP address (NSIP), which can be used for management of the NetScaler device; however you still need to set your DNS, Time Zone, Hostname and SNIP, and to add licenses.

9. Click on the Subnet IP Address section of the NetScaler GUI.

10. Enter a Subnet IP as appropriate for your environment, then click Done.

Note: In this guide we will use the following details for the SNIP:

IP address: 192.168.1.51
Subnet mask: 255.255.255.0 (also known as /24)
Default gateway (internet router): 192.168.1.254

However you should use an appropriate IP address, netmask and gateway for your network and specific configuration. If you are unsure consult with your network administration team.

Note: A NetScaler will use its NSIP as a management IP address. It will utilise the Subnet IP address (SNIP) to communicate with back end servers etc. on that specific assigned subnet.


Page: 20

11. Click the Host Name, DNS IP Address and Time Zone section of the NetScaler GUI.

12. Enter the following details as appropriate for your configuration: Hostname, DNS IP Address and Time Zone. Then click Done.

Note: In this guide we will use the following details for the Hostname, DNS and Time Zone:

Hostname: ns1
DNS IP Address: 192.168.1.11 & 192.168.1.12 (the IP addresses of my Active Directory LDAP servers)
Time Zone: GMT+00:00-GMT-Europe/London

However you should use an appropriate hostname, DNS server addresses and time zone for your network and specific configuration. If you are unsure consult with your network administration team.

13. Click Yes

14. The Initial Configuration of the NetScaler is complete


Page: 21

Download the NetScaler Trial License Only start this section once you have deployed your NetScaler on your chosen hypervisor platform.

Step Description Screenshot

1. Expand Step 2 and click on License Management System to register your temporary license key.

2. Sign in with the details you registered your trial license with. Tick the Citrix Store NetScaler VPX 1000... license key. Click Continue.

3. Deploy your NetScaler and obtain its Host ID (MAC Address). Log into the NetScaler console (user: ‘nsroot’, pass: ‘nsroot’). Type ‘shell’ then press Enter. Type ‘lmutil lmhostid -ether’ then press Enter.


Page: 22

4. Take the Host ID and enter it into the Citrix licensing console. Click Continue.

5. Click confirm

6. Click OK to download the license file(s)

7. Save the file for later use in these Labs


Page: 23

Install the NetScaler Trial License Only start this section once you have deployed your NetScaler on your chosen hypervisor platform.

Step Description Screenshot

1. When you access your NetScaler, if you haven’t yet set a SNIP or a license you may be presented with the first run wizard. You can click the ‘Licenses’ section to upload your license file. Go to step 3 below.

2. You can also access this from the NetScaler > System > Licenses menu; click Add New License.

3. Select the option to Upload license files. Click Browse.


Page: 24

4. Browse for the NetScaler license file you downloaded previously and select it for upload. Restart your NetScaler.


Page: 25

Basic Authentication

Creating an LDAP Authentication Policy - Administrators

In this walkthrough we will create an LDAP policy for administrators of the NetScaler and point this new policy to our singular, private, internal Microsoft AD LDAP server. This will involve creating a server to bind to (i.e. telling the NetScaler what server to communicate with for LDAP services), and we will create a policy that will be bound to this newly created server record. Finally, the policy and its associated server profile must be bound to the NetScaler so it knows where and when to use this LDAP policy. We will bind this policy globally to the NetScaler, which means all users in the policy will be able to administer the NetScaler device.

Step Description Screenshot

1. Log into your NetScaler. Expand System > Authentication > LDAP and click the Add button.


Page: 26

2. Give the policy a Name, e.g. ‘AUTHPOL_LDAP_Administrators’. Set the Expression as ‘ns_true’. Click the + to add a new LDAP Server to authenticate against.

Tip: If you keep the naming of the policies, servers and profiles consistent it is much easier to find them when you have many policies created on the NetScaler.

3. Give the LDAP server profile a Name. I usually give it the imaginative name of something like ‘AUTHSERVER_LDAP’. Fill out the essential information for this server profile.

Note: In this guide we are using the following recommended minimum examples:

IP Address / or Name: 192.168.1.11
Base DN: CN=Users,DC=Home,DC=Local
Admin Bind DN: [email protected] (domain administrator account)
Admin Password: <password>
Search Filter: memberof=CN=Domain Admins,CN=Users,DC=home,DC=local
Server Logon Name Attribute: sAMAccountName
Group Attribute: memberof
Sub Attribute Name: cn

Tip: be sure to click the Test Connection button once you have finished the setup of this LDAP server profile to ensure it connects to your LDAP server successfully.

Note: You should use appropriate LDAP details. If you are unsure consult with your AD/LDAP/Authentication team.


Page: 27

4. Tip: You can connect to a Domain Controller or any Windows machine with the RSAT tools installed to establish your Base DN and Admin Bind DN by querying the accounts using dsquery user and dsquery group.

Examples: If I want the NetScaler to search the Users OU in AD, I could query a user name in that OU to get their Base DN.

If you need to obtain the Group details for the ‘Search Filter’, query the group in the same way.

5. Click Test Connection and ensure your LDAP server is reachable

Note: the Admin Password is not copied when you duplicate these settings at a later stage so always be sure to re-enter them when creating additional AUTHSERVERS

6. Click Create at the bottom of the ‘Create Authentication LDAP Server’ window.


Page: 28

7. Click Create on the ‘Create Authentication LDAP Policy’ window.

8. Save the NetScaler configuration. Click Yes to the ‘Are you sure’ message.

NetScaler SSH Command References:

● Create LDAP Server (the Search Filter matches the value entered in step 3):
  add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn [email protected] -ldapBindDnPassword 1234561234561234561234561234561234561234561234561234561234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberof=CN=Domain Admins,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn

● Create LDAP Policy:
  add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP


Page: 29

Binding an LDAP Authentication Policy - Administrators

In this walkthrough we will take the LDAP policy created for administrators of the NetScaler and bind it globally to the NetScaler.

Step Description Screenshot

1. Log into your NetScaler. Expand System > Authentication > LDAP. Tick the newly created policy and click Global Bindings.

2. Click the > button to choose your newly created LDAP policy, then click Select. Click Bind on the System Global Authentication LDAP Policy Binding window. Click Done.


Page: 30

3. Note: The LDAP policy will have a green tick in the Globally Bound column, which means all members of the LDAP group you specified in the ‘Search Filter’ of the server profile will now be able to authenticate against the NetScaler as NetScaler system users.


Page: 31

Granting AD Group Permissions to the NetScaler

In the previous step we created an LDAP policy and bound it globally to the NetScaler so that all users who are members of the Active Directory group Domain Admins would be able to authenticate against the NetScaler and access the WebGUI. However these users will not have permission on the NetScaler itself to perform any administrative tasks, so we must link the AD group to appropriate permissions on the NetScaler.

Step Description Screenshot

Example of the error message when logging in as user ‘[email protected]’:

Not authorized to execute this command [show ns license]
Not authorized to execute this command [show ns feature]

Note: a user name of just ‘admin’ would also work.

Here you can see that the user is able to authenticate, but not perform any tasks on the NetScaler.

1. Log into the NetScaler as nsroot. Browse to System > User Administration > Groups. Click the Add button.

2. Type in the Group Name: ‘Domain Admins’.

Note: The NetScaler group name must match the LDAP group name and is Case SeNsiTiVE.


Page: 32

3. Under Command Policies, click Bind. Tick Sysadmin. Click Insert.


Page: 33

4. Click Create

5. Users who are members of the Domain Admins group in Active Directory will now have the sysadmin role on the NetScaler.

6. A list of the other roles on the NetScaler and what can be assigned is given here on the Citrix website:

http://docs.citrix.com/en-us/NetScaler/10-1/ns-system-wrapper-10-con/ns-ag-aa-intro-wrapper-con/ns-ag-aa-config-users-and-grps-tsk.html
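The LDAP server profile fields above (Base DN, Search Filter, Group Attribute, Sub Attribute Name) and the case-sensitive NetScaler group to command policy lookup of this section, modelled offline in Python. This is an added example, not code from the guide or from Citrix; the directory entries, user names and the return strings of `login` are constructed for illustration.

```python
"""Offline model of the LDAP server profile this guide builds (Base DN,
Search Filter, Group Attribute, Sub Attribute Name) followed by the
NetScaler group -> command policy lookup. Constructed example only."""
from dataclasses import dataclass

# Constructed AD objects; two sit under the guide's Base DN, one does not.
DIRECTORY = [
    {"dn": "CN=admin,CN=Users,DC=home,DC=local",
     "sAMAccountName": "admin",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=home,DC=local",
                  "CN=NetScaler Users,CN=Users,DC=home,DC=local"]},
    {"dn": "CN=jsmith,CN=Users,DC=home,DC=local",
     "sAMAccountName": "jsmith",
     "memberOf": ["CN=NetScaler Users,CN=Users,DC=home,DC=local"]},
    {"dn": "CN=contractor,OU=External,DC=home,DC=local",
     "sAMAccountName": "contractor",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=home,DC=local"]},
]

@dataclass
class LdapAction:
    """Fields from the 'Create Authentication LDAP Server' form."""
    base_dn: str
    search_filter: str = ""             # e.g. memberof=CN=Domain Admins,...
    login_name: str = "sAMAccountName"  # Server Logon Name Attribute
    group_attr: str = "memberOf"        # Group Attribute
    sub_attr: str = "cn"                # Sub Attribute Name

def _attr(entry, name):
    """LDAP attribute types are case-insensitive: memberof == memberOf."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []

def _norm_dn(dn):
    """DNs compare case-insensitively, ignoring space around separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def _rdn_value(dn, rdn_type):
    """Pull one RDN value out of a DN, e.g. cn of 'CN=Domain Admins,...'."""
    for part in dn.split(","):
        rdn, _, value = part.partition("=")
        if rdn.strip().lower() == rdn_type.lower():
            return value.strip()
    return None

def ldap_lookup(action, username, directory=DIRECTORY):
    """Return the user's group names (Sub Attribute of each Group Attribute
    value), or None when the appliance would refuse the login: no such
    user under Base DN, or the Search Filter does not match the user."""
    for entry in directory:
        if not _norm_dn(entry["dn"]).endswith(_norm_dn(action.base_dn)):
            continue                                  # outside Base DN
        logins = [v.lower() for v in _attr(entry, action.login_name)]
        if username.lower() not in logins:
            continue
        if action.search_filter:
            filt_attr, _, filt_value = action.search_filter.partition("=")
            # The guide types 'memberof= CN=...'; normalising drops the stray
            # space. On a real profile type the filter without it.
            wanted = _norm_dn(filt_value)
            have = [_norm_dn(v) for v in _attr(entry, filt_attr.strip())]
            if wanted not in have:
                return None                           # filter rejects user
        groups = [_rdn_value(dn, action.sub_attr)
                  for dn in _attr(entry, action.group_attr)]
        return [g for g in groups if g]
    return None

# System > User Administration > Groups, each with its bound command policy.
# The NetScaler group name must equal the extracted cn exactly, case included.
NS_GROUPS = {"Domain Admins": "sysadmin"}

def login(action, username, ns_groups=NS_GROUPS):
    """Authentication (LDAP) then authorization (command policy) as two steps."""
    groups = ldap_lookup(action, username)
    if groups is None:
        return "Invalid credentials"
    policies = sorted({ns_groups[g] for g in groups if g in ns_groups})
    if not policies:
        # Authenticated but no NetScaler group matched: the guide's
        # 'Not authorized to execute this command' situation.
        return "Not authorized to execute this command"
    return "OK: " + ",".join(policies)

ADMIN_ACTION = LdapAction(
    base_dn="CN=Users,DC=Home,DC=Local",
    search_filter="memberof= CN=Domain Admins,CN=Users,DC=home,DC=local")
NSUSERS_ACTION = LdapAction(
    base_dn="CN=Users,DC=Home,DC=Local",
    search_filter="memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local")

if __name__ == "__main__":
    print(login(ADMIN_ACTION, "admin", {}))       # group not yet created
    print(login(ADMIN_ACTION, "admin"))           # sysadmin granted
    print(login(ADMIN_ACTION, "admin", {"domain admins": "sysadmin"}))
    print(login(ADMIN_ACTION, "jsmith"))          # not a Domain Admin
    print(login(ADMIN_ACTION, "contractor"))      # outside Base DN
```

The third call shows the case-sensitivity trap from step 2: a NetScaler group named ‘domain admins’ never matches the AD cn ‘Domain Admins’, so the user authenticates but stays unauthorized.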


Page: 34

Creating an LDAP Authentication Policy – NetScaler Users

In this walkthrough we will create an LDAP policy for basic users of the NetScaler to authenticate against things like a new virtual NetScaler Gateway. This profile will be identical to the previous administrators profile, except that we will be looking for another AD group: instead of ‘Domain Admins’ we will look for users who are members of the LDAP group called ‘NetScaler Users’.

Step Description Screenshot

1. Log into your NetScaler. Expand System > Authentication > LDAP. Click the Servers tab. Tick the already existing AUTHSERVER_LDAP. Click the Add button.

Tip: Because we selected the already created server profile, the configuration details of that profile will be automatically copied into this new profile as ‘defaults’.

Note: The LDAP bind password is not copied when you duplicate these settings from a previously created profile, so always be sure to re-enter it when creating additional AUTHSERVERS, and test.


Page: 35

2. Give the LDAP server profile a Name, e.g. AUTHSERVER_LDAP_NSUsers. Provide the following details of your LDAP server:

IP Address / or Name
Base DN
Admin Bind DN
Admin Password: be sure to RETYPE YOUR PASSWORD and click TEST
Server Logon Name Attribute: sAMAccountName
Group Attribute: memberof
Sub Attribute Name: cn

Note: In this guide we are using the following specific details as working examples:

IP Address / or Name: 192.168.1.11
Base DN: CN=Users,DC=Home,DC=Local
Admin Bind DN: [email protected]
Admin Password: <password>
Search Filter: memberof=CN=NetScaler Users,CN=Users,DC=home,DC=local

Note: You should use appropriate LDAP details for your environment. If you are unsure consult with your AD/LDAP/Authentication team.

3. Tip: You can connect to your AD controller or any Windows machine with the Remote Server Administration Tools (RSAT) installed to establish your base DN and admin bind DN by querying the accounts using dsquery user and dsquery group

Examples: If you need to obtain the Group details for the ‘Search Filter’


Page: 36

4. Click Test Connection and ensure your LDAP server is reachable

Note: The LDAP bind password is not copied when you duplicate these settings from a previously created profile, so always be sure to re-enter it when creating additional AUTHSERVERS, and test.

5. Click Create at the bottom of the ‘Create Authentication LDAP Server’ window.

6. Create another LDAP policy to bind this new server profile to. Click the Policies tab. Tick the existing policy. Click Add.

Note: Because we selected the already created policy, its configuration details will be copied as defaults into the new policy.


Page: 37

7. Simply rename the policy to something new like AUTHPOL_LDAP_NSUsers Link this new policy to the previously created server profile in steps 1-5 by selecting AUTHSERVER_LDAP_NSUsers from the drop down Leave the Expression as is: ns_true Click Create

8. Two LDAP Authentication policies now exist and can be used for authenticating users on the NetScaler Note: The Administrators policy is the only policy presently bound to the NetScaler

NetScaler SSH Command References:

● Create LDAP Server
add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn [email protected] -ldapBindDnPassword 1234123412341234123412341234123412341234123412341234123412341234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn

● Create LDAP Policy
add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers

Notes on the commands above: the search filter must not contain a space after memberOf= (the appliance ANDs this filter with the sAMAccountName match, so a malformed filter simply matches nobody and every login fails). The -ldapBindDnPassword value shown is the encrypted form as it appears in ns.conf; when typing the command yourself, supply the clear-text password and omit -encrypted -encryptmethod. No -secType is given, so the bind password and every user's password travel to 192.168.1.11 in clear text on port 389; for anything beyond a lab add -secType SSL -serverPort 636, and -validateServerCert YES once the CA certificate that issued the domain controller's certificate is installed on the appliance.
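Before committing the ldapAction it helps to see the exact filter the appliance will send and to try it against the directory with the same bind account. The shell script below is an added example, not part of this guide or of any Citrix tooling; it uses the guide's server address, base DN and group DN, while the user name, the bind account and LDAPS on port 636 are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: build and test the LDAP filter the NetScaler will use.
# 192.168.1.11, the base DN and the group DN come from the guide; everything else is assumed.
LDAP_HOST="192.168.1.11"
LDAP_BASE="CN=Users,DC=Home,DC=Local"
LOGIN_ATTR="sAMAccountName"
GROUP_DN="CN=NetScaler Users,CN=Users,DC=home,DC=local"

# ldap_escape <value> : RFC 4515 escaping for a value placed inside a filter, so a group
# called "Ops (NetScaler)" or a user typing "*" cannot change the meaning of the filter.
# The backslash rule must run first or it would re-escape the other replacements.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# search_filter <group-dn> : the value to pass as -searchFilter (no surrounding parentheses,
# no space after the '=')
search_filter() {
  printf 'memberOf=%s' "$(ldap_escape "$1")"
}

# effective_filter <user> <group-dn> : the filter the appliance actually sends, i.e. the
# login-name match ANDed with the configured search filter
effective_filter() {
  printf '(&(%s=%s)(%s))' "$LOGIN_ATTR" "$(ldap_escape "$1")" "$(search_filter "$2")"
}

# user_in_group <user> <bind-dn> : prints the user's DN only if the user exists AND is a
# member of the group. Uses LDAPS so the bind password is not sent in clear text the way
# the port-389 ldapAction in the guide sends it. Prompts for the bind password (-W).
user_in_group() {
  ldapsearch -LLL -H "ldaps://$LDAP_HOST:636" -D "$2" -W -b "$LDAP_BASE" \
    "$(effective_filter "$1" "$GROUP_DN")" dn
}

# Stand-alone run: show the filter for an assumed user name.
# Live check (assumed bind account): user_in_group jsmith "CN=svc-netscaler,CN=Users,DC=home,DC=local"
printf 'effective filter: %s\n' "$(effective_filter "${1:-jsmith}" "$GROUP_DN")"
```

The point of separating search_filter from effective_filter is that the first is what you paste into the appliance and the second is what you can test with ldapsearch: if the live query returns nothing for a user you know is in the group, the problem is the filter or the bind account, not the NetScaler.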


Certificates

Creating a Private RSA

Step Description Screenshot

1. Log into the NetScaler web interface http://192.168.1.50 (in the lab this is plain HTTP; in production the management interface should only be reachable over HTTPS from an administration network)

2. Expand Traffic Management, right-click SSL and select Enable Feature. Note: the yellow exclamation mark disappears once the feature is enabled.

Disabled

Enabled


3. Expand SSL > SSL Files and click the Create RSA Key button

4. In this example we enter the details shown, then click Create:

Key filename: gateway.jsconsulting.services.privatekey
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM & Confirm Password: <mypassword>

Note: the key size sets the cost of every TLS handshake the NetScaler performs with this key (the private-key operation during key exchange), so larger keys mean more CPU per connection; 2048 bits is the current minimum a public CA will sign. The PEM encoding algorithm only protects the key file at rest with the password you enter. DES3 is DES applied three times with three keys; it is a legacy cipher, so choose AES256 here if your firmware offers it.

5. Note: the private key (and its password, stored separately) should be backed up and kept away from the NetScaler device, especially if the NetScaler sits in a DMZ, in case the appliance is compromised. If a private key is lost or compromised you must revoke the certificates issued for it and generate a new key and certificate.


Creating a CSR Request

Step Description Screenshot

1. Log into the NetScaler web interface http://192.168.1.50

2. Now that the private key exists we create a Certificate Signing Request (CSR) signed with that key: expand SSL > SSL Files, click CSRs, then click Create Certificate Signing Request (CSR)

3. In our example we will enter these details shown: Then click Create


Request File name: gateway.jsconsulting.services.csr
Key Filename: gateway.jsconsulting.services.privatekey
Key Format: PEM
PEM Passphrase: <private key password here>
Digest Method: SHA256
Common Name: gateway.jsconsulting.services
Organisation Name: JS Consulting Services
Organisational Unit: Technologies
Email Address: <your email address>
City: London
State or Province: London
Country: UNITED KINGDOM


4. The CSR is created and signed with the private key; both files are stored on the NetScaler in /nsconfig/ssl


Submitting the CSR to a 3rd party CA - Comodo Free SSL We now take the CSR created in the previous section and submit it to a 3rd-party Certificate Authority (CA). The CA validates the request and domain, signs it and returns a certificate; that certificate is then installed on the NetScaler together with the private key that signed the CSR.

Step Description Screenshot

1. First download the CSR from the NetScaler so it is easy to access: expand Traffic Management > SSL > SSL Files > CSRs tab, tick the newly created .csr file and click Download

2. We are going to browse to comodo and apply for a FREE SSL Certificate

https://ssl.comodo.com/free-ssl-certificate.php


3. Click the big Free Trial SSL button

4. Open the CSR file downloaded in step 1, copy and paste its entire contents into the Comodo SSL site, select Citrix as the server software and click Next


5. Comodo then performs domain ownership verification. In the example shown, to keep it simple, I select the registered (WHOIS) email address for jsconsulting.services


6. Enter your details for registration of the Certificate and for access to the COMODO SSL Site


7. Read the terms thoroughly and accept them if you are ready to continue

8. Validate the email sent to your WHOIS-registered email address

9. Download the certificate files as a zip (the issued certificate together with the CA's intermediate certificates)


Upload the CA CRT file and Install the Certificate on the NetScaler We now upload the CRT file to the NetScaler and install it together with the private key as a certificate-key pair, which is what a NetScaler service or virtual server binds to.

Step Description Screenshot

1. Expand Traffic Management > SSL > SSL Files Click Upload

2. Browse for your certificate file (provided by your 3rd-party CA) and click Open. Note: the file is now on the NetScaler but is not yet usable until it is installed as a certificate-key pair in the next steps.


3. Browse to Traffic Management > SSL > Server Certificates and click Install

4. Give the new ‘Server Certificate’ a unique, easily identifiable name. Certificate File: choose the certificate you uploaded in step 2. Key File Name: select your private key file on the NetScaler and provide the private key password. Click Install. (The install fails if the certificate's public key does not match the private key, so a mismatch here means the CSR was generated from a different key.)

Your certificate is now installed and ready to be used on NetScaler services, VIPs, NetScaler gateway etc.


Intermediary Certificate Linking There are usually one or more certificates between the server certificate we just installed on the NetScaler and the root CA certificate. These certificates ‘in the middle’ are known as intermediate or subordinate CA certificates, and they form the link, or ‘chain’, from our server certificate up to the root. A client that does not hold the intermediate certificates cannot build that chain, so it reports ‘certificate invalid’ even though the server certificate itself is valid: it can verify the server certificate against the intermediate, but not the intermediate against a root it trusts. Clients generally ship only root certificates, so the server is expected to send the intermediates during the TLS handshake. Installing the intermediates on the NetScaler and linking them to the server certificate makes the NetScaler present the full chain, so users connect cleanly regardless of their endpoint or client device.

Step Description Screenshot

1. Example: connecting to a service or VIP on the NetScaler where the new certificate is bound shows an error in Chrome on Mac OS X. Note: the exact behaviour varies between operating systems and between CA providers (some clients fetch missing intermediates on their own, which hides the problem).


2. Log into the NetScaler web interface http://192.168.1.50

3. Expand Traffic Management > SSL > Certificates > CA Certificates and click Install

4. Upload the bundled CA certificate file (the intermediate certificates) from your 3rd-party CA and click Install


5. Expand Traffic Management > SSL > Certificates > Server Certificates, tick your newly created server certificate and select Action > ‘Link’

6. Select the CA certificate installed in steps 3 and 4. Tip: the NetScaler pre-selects the issuing certificate automatically if it is installed correctly; if nothing is offered, the certificate you installed is not the one that signed your server certificate.


7. Repeat this step for every certificate in the certificate chain, linking each intermediate to the one above it. The root can be linked as well, but clients must already trust the root from their own store, so linking it only adds bytes to every handshake; what matters is that every intermediate is linked.
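The whole lifecycle from the ‘Creating a Private RSA’ section to this one (key, CSR, CA response, install, chain) can be reproduced and checked with openssl, which is also available in the NetScaler shell. The script below is an added example and not part of this guide or of Citrix's tooling: the subject fields are the guide's, while the key passphrase, the 30-day validity and the throwaway root and intermediate CA (standing in for Comodo) are assumptions constructed for the demo. Its last two checks are the point of this section: the server certificate fails to verify against the root alone and passes once the intermediate is supplied.

```shell
#!/bin/sh
# Added example, not from the guide: key -> CSR -> signed certificate -> chain with openssl.
# Subject fields come from the guide; passphrase, validity and the demo CA are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
KEYPASS="${KEYPASS:-changeme}"          # stand-in for <mypassword>
CN="gateway.jsconsulting.services"

# 1. Private key. AES-256 for the PEM encryption instead of the legacy DES3 shown in the GUI.
make_key() {
  openssl genrsa -aes256 -passout "pass:$KEYPASS" -out "$WORK/gateway.key" 2048 2>/dev/null
}

# 2. CSR with a SHA-256 signature, then self-check the CSR's own signature.
make_csr() {
  openssl req -new -sha256 -key "$WORK/gateway.key" -passin "pass:$KEYPASS" \
    -subj "/C=GB/ST=London/L=London/O=JS Consulting Services/OU=Technologies/CN=$CN" \
    -out "$WORK/gateway.csr" 2>/dev/null
  openssl req -in "$WORK/gateway.csr" -noout -verify >/dev/null 2>&1
}

# 3. A throwaway root and intermediate CA, so the chain behaviour can be shown offline.
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
}

# 4. The "certificate response": the intermediate signs our CSR (what the CA's zip contains).
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN" >"$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/gateway.csr" -CA "$WORK/inter.crt" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/gateway.crt" 2>/dev/null
}

# key_matches_cert : the pairing the appliance performs when you install key + CRT together.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/gateway.key" -passin "pass:$KEYPASS" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/gateway.crt" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# verify_chain <trusted-root> [<intermediate>] : 0 if gateway.crt chains up to the root.
verify_chain() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/gateway.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/gateway.crt" >/dev/null 2>&1
  fi
}

# demo : 0 only if the pairing holds, the root alone cannot validate the leaf, and root+intermediate can.
demo() {
  make_key && make_csr && make_test_ca && sign_csr
  key_matches_cert || return 1
  if verify_chain "$WORK/root.crt"; then return 1; fi   # missing intermediate = 'certificate invalid'
  verify_chain "$WORK/root.crt" "$WORK/inter.crt"       # what linking the intermediate fixes
}

demo && echo "chain verifies only when the intermediate is supplied; files are in $WORK"
```

Against a real deployment the same two checks are `openssl verify -CAfile <root> -untrusted <ca-bundle> <server.crt>` on the files from /nsconfig/ssl, and `openssl s_client -connect gateway.jsconsulting.services:443 -servername gateway.jsconsulting.services -showcerts` from outside, which prints every certificate the NetScaler actually sends; if only one appears, the link in step 5 is missing.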


XenApp & XenDesktop 7.14 Installation As part of the NetScaler Gateway setup we create a fully self-contained Citrix XenApp and XenDesktop (referred to from now on as XA/XD) Delivery Controller (also called the Desktop Delivery Controller, DDC).

Prerequisites

Description

● Windows 2012/2016 Server & Domain joined

● You have patched the server and installed KB2919355 - Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update: April 2014 (prerequisite patch)

(Note: if you install this update before updating the operating system it may report that the patch is not applicable. If this happens, run Windows Update first and then try installing the patch again.)

● Downloaded copy of XA&XD ISO from myCitrix.com website

● Local administrative rights to the W2012 Server where you are installing XA/XD

● You can avoid the ‘locate media’ prompts after each reboot if you extract the ISO to a local folder first, so the installer can find its media again

Install XA/XD Software

Step Description Screenshot

1. Log into your 2012 server


2. Right click and ‘mount’ the XAXD ISO

3. Run the autoselect

4. Click start on XenDesktop


5. Click Delivery Controller

6. Read and accept the license agreement and click Next


7. Install All Core Components

8. Select all optional features Click Next


9. Click Next

10. Click Install


11. Reboot

12. After the restart the installer may prompt for the XD install media, because the ISO is no longer mounted and the installer cannot find it. Click Cancel, remount the ISO (right-click + Mount), run AutoSelect, select XenDesktop, then select Delivery Controller; the installation continues


13. Reboot when prompted

14. After the second restart the same media prompt may appear. Click Cancel, remount the ISO, run AutoSelect, select XenDesktop, then select Delivery Controller; the installation continues


15. Skip the Smart Tools connection

16. At Completion, ensure Launch Studio is selected and click Finish


Create the XA/XD Site

Step Description Screenshot

1. The Citrix Studio will launch after setup / install

2. Select Site Setup - Deliver applications and desktops to your users


3. Select Fully Configured In this example we will setup the site name as Production

4. Select the default Create and setup databases from studio The SQL Express setup will be detected and details entered


5. In this example we will select the 30 day trial and proceed with the defaults

6. In this example as this is a standalone XA/XD Machine we will not setup a hypervisor connection (machine management)


7. We will not install AppDNA or – App-V Publishing features These can be added later if required

8. Review the summary page and click Finish


Install the XA/XD VDA (Virtual Delivery Agent)

Step Description Screenshot

1. Mount the XA/XD ISO and run AutoSelect.exe

2. Select Prepare Machines and Images – Virtual Delivery Agent for Windows Server OS


3. Select Enable connections to a server machine

4. Leave the defaults and click Next


5. Do not select any additional components Click Next

6. Select Do It Manually for the location of the Delivery Controller and enter the local server name as the controller address (the VDA is being installed on the DDC itself). Click Test Connection, then Add (the Next button is only enabled after this), then Next. (Note: you can also let MCS or Active Directory discovery set this up automatically, which is the recommended approach in a production environment)

7. Select all Features Click Next

8. Click Next


9. Click Install

10. Reboot when prompted

11. Cancel the ‘locate media’ prompts

12. Remount the ISO, run AutoSelect, re-select Prepare Machines and Images – Virtual Delivery Agent for Windows Server OS


13. The Installation will continue

14. Click Finish


Create a Machine Catalog

Step Description Screenshot

1. Once the Site has been set up the console will be ready Click Setup machines for desktops and applications or remote PC access

2. Click Next


3. Select Server OS and click Next. We install this on the XA/XD DDC for demo purposes only (not recommended in production, where the controller and the session hosts are separate machines)

4. As we previously did not setup machine management, leave the default options selected


5. Click add computers Enter your server name add your DDC Click Next


6. Give your machine catalog a name and description Click Finish

7. Click ‘3 - Set up Delivery Groups to assign desktops and applications to your users’


8. Click Next

9. Select the (only) Machine Catalog created in the previous steps Click Next


10. Browse your AD for the users you wish to allow to launch these desktops. In our example we simply choose home\Domain Users, which grants every account in the domain access (not recommended for production; use a dedicated group)

11. Skip the application selection / Publication


12. Assign the desktops (for VDI): click Add and set up the desktop with a display name and a description, restricting the desktop to specific domain users (in this instance we have again selected Domain Users). Ensure Enable desktop is selected and click Next. Note: you could also select ‘Allow everyone with access to this Delivery Group to use a desktop’, which simplifies permissions management but assumes every user of this delivery group should have access to a Citrix desktop


13. Enter a name for the delivery group, enter a description and click Finish


Test the Citrix Desktop Launch

Step Description Screenshot

1. Open a browser locally on the Citrix server. The default StoreFront site is already created for you at http://localhost/Citrix/StoreWeb/

2. Log in as a member of the group that has access to the desktop published in the previous steps. In our example that is any user who is a member of Domain Users (all user accounts by default)


3. Select the Desktops Tab and click the Server Desktop

4. If the setup has been successful the Citrix desktop session will start


StoreFront Configuration Whilst the StoreFront site will already be preconfigured by the XA/XD Setup wizard, there are some settings we need to set up in order for NetScaler to be able to connect to the StoreFront server and launch sessions.

Prerequisites

Item Description

● You will need to know the FQDN of your NetScaler Gateway

● The internal or private IP Address of the VIP assigned to the NetScaler Gateway*

● Know the details of your Citrix Server STA (our Citrix DDC(s))

* The StoreFront server must be able to communicate directly with the VIP of the NetScaler Gateway. Otherwise, when StoreFront resolves the gateway FQDN it gets the public Internet address, and the callback to the gateway may fail.

Modify the Default Store

Step Description Screenshot

1. Log into Citrix Studio, expand Citrix StoreFront, select the existing store ‘Store Service’ and click Manage NetScaler Gateways


2. Click Add, enter the display name and the FQDN of the external gateway URL (in this example the gateway FQDN is ‘gateway.jsconsulting.services’) and click Next

3. Click Add and enter the STA URL of your DDC. In our example we only have one server, so the URL is http://citrixserver.home.local/scripts/ctxsta.dll (use https:// here once the DDC has a certificate, so the STA ticket exchange is not sent in clear text). Click Next


4. Enter the callback URL of the NetScaler Gateway, ensuring your StoreFront server resolves the FQDN to an internal/private IP address. Click Create

5. Close the Manage NetScaler Gateways screen

6. Ensure the StoreFront / Citrix server resolves the FQDN to the inside IP address of the NetScaler Gateway. Use your locally managed DNS if the zone is configured on your local DNS server(s), or use the Windows hosts file to add a private entry.

Note: the Windows hosts file is located at c:\windows\system32\drivers\etc\hosts and has no extension. Because of Windows User Account Control (UAC) you may need to copy it to the user's desktop first, edit it there, and copy it back (or edit it from an elevated editor).


7. Confirm that the StoreFront server resolves the FQDN to the NetScaler inside VIP address

Note: in production environments ping may not be allowed between the NetScaler network and the StoreFront network(s), so a failed ping proves nothing. What must work is TCP 443 from the StoreFront servers to the NetScaler VIP, which is the port the callback URL uses; make sure the firewall allows it.

8. Back in the Studio expand Manage Authentication Methods


9. Ensure Pass-through from NetScaler Gateway is ticked

10. Back in Studio, select your store and click Configure Remote Access Settings. Enable remote access, select No VPN Tunnel, tick the NetScaler Gateway appliance listed and click OK
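The checks in steps 4 to 7 (the gateway FQDN resolves to the inside VIP, TCP 443 to that VIP is open, the STA answers) are worth scripting so they can be rerun after every DNS or firewall change. The script below is an added example and not part of this guide or of Citrix's tooling: the gateway FQDN and STA URL are the guide's values, while the VIP 192.168.1.60 and the hosts-file content used in the test are assumptions constructed for the demo. It is written for a POSIX shell (a Linux jump host, or the NetScaler shell); on the Windows StoreFront server itself the equivalents are Resolve-DnsName and Test-NetConnection.

```shell
#!/bin/sh
# Added example, not from the guide: pre-flight checks for the StoreFront -> NetScaler Gateway
# callback path. FQDN and STA URL are the guide's; the expected VIP is an assumption.
GATEWAY_FQDN="gateway.jsconsulting.services"
EXPECTED_VIP="192.168.1.60"
STA_URL="http://citrixserver.home.local/scripts/ctxsta.dll"

# is_private_ip <ipv4> : 0 if the address is RFC 1918 (an inside VIP), 1 if it is public
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# hosts_lookup <hostsfile> <fqdn> : first address mapped to fqdn in a hosts file
# (the private entry step 6 suggests adding on the StoreFront server)
hosts_lookup() {
  awk -v h="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1"
}

# resolve_fqdn <fqdn> : what the OS resolver returns, which is what StoreFront will use
resolve_fqdn() {
  getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# check_callback_ip <ip> : 0 only if it is the expected VIP and a private address;
# a public address here means the callback will leave the network and most likely fail
check_callback_ip() {
  [ "$1" = "$EXPECTED_VIP" ] && is_private_ip "$1"
}

# tcp_443_open <ip> : a TLS handshake to the VIP succeeds (exit 0 even if the certificate
# is not trusted locally); this is the port the note in step 7 says must be open
tcp_443_open() {
  openssl s_client -connect "$1:443" -servername "$GATEWAY_FQDN" </dev/null >/dev/null 2>&1
}

# sta_reachable <url> : the STA answers at all (any HTTP response proves the path is open)
sta_reachable() {
  curl -s -o /dev/null -m 5 "$1"
}

# preflight : run every check in order and stop at the first failure
preflight() {
  ip=$(resolve_fqdn "$GATEWAY_FQDN")
  check_callback_ip "$ip" || { echo "FAIL: $GATEWAY_FQDN -> ${ip:-unresolved}, expected $EXPECTED_VIP"; return 1; }
  tcp_443_open "$ip" || { echo "FAIL: no TLS listener at $ip:443 (firewall or VIP down)"; return 1; }
  sta_reachable "$STA_URL" || { echo "FAIL: STA $STA_URL unreachable from here"; return 1; }
  echo "OK: callback path to $ip and STA look good"
}

# Stand-alone run: RUN_PREFLIGHT=1 sh preflight.sh  (needs network access to the VIP and DDC)
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then preflight; fi
```

The first check is the one that catches the problem described under the prerequisites: split-horizon DNS or a hosts entry is only correct if the address it returns is the inside VIP, so the script compares against the expected VIP rather than merely checking that the name resolves.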


Create a New StoreFront Store - Stand Alone

Step Description Screenshot

1. Open the Citrix StoreFront Console Expand Citrix StoreFront Click Stores Click Create Store

2. Click Next


3. Give the store a name Select Set this receiver for Web site as IIS Default Click Next


4. Click Add. On the Add Delivery Controller screen click Add, enter the Delivery Controller's FQDN, untick ‘Servers are load balanced’ and select HTTP as the transport type for this lab. In production use HTTPS: StoreFront passes the user's credentials to the Delivery Controller's XML service over this connection when it enumerates resources, so HTTP exposes them to anyone on the path, and it is mandatory if the StoreFront server is in a DMZ. Click OK


5. Click Next

6. Enable Remote Access, ensure ‘Allow users to access resources only delivered through StoreFront (No VPN tunnel)’ is selected and click Add


7. Enter the details for the new gateway. Example: my gateway is called gateway.jsconsulting.services and the URL is https://gateway.jsconsulting.services. Click Next

8. On the STA screen click Add and enter the FQDN of the Citrix XA/XD server


9. Enter the FQDN of the STA server Click OK

10. Untick ‘Load balance multiple STA servers’, tick ‘Enable session reliability’, untick ‘Request tickets from two STAs, where available’ and click Next


11. Enter the NetScaler details, leaving the logon type as Domain. Enter the same callback URL as the gateway URL entered in step 7, https://gateway.jsconsulting.services, and click Create


12. Click Finish


13. Ensure default appliance is the NetScaler appliance created / added in steps 1 through 12 Click Next


14. Ensure that both methods of Authentication are selected – Username and password and Pass through from NetScaler Gateway Click Next


15. Leave both options ticked Click Create


16. Click Finish

17. Back in the StoreFront console, open the Receiver for Web Sites tab and copy your StoreFront URL. Test that URL in a browser, and then test https://gateway.jsconsulting.services as well


NetScaler Gateway - ICA Proxy

Overview Diagram


Prerequisites

Item Description

● DNS is configured on the NetScaler correctly

● The internal or private IP Address of the VIP assigned to the NetScaler Gateway *

● Know the details of your Citrix Server STA (our Citrix DDC(s))

● Firewall ports are open between the NetScaler and the StoreFront server

● StoreFront already configured and setup (otherwise retrieve attributes won’t work)

In this section of the course we connect the NetScaler to our basic Citrix XA/XD environment. Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Gateway. NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not, follow along to understand the steps involved, or complete the previous XA/XD and StoreFront setup sections first.

Configure the NetScaler Gateway for XA/XD - Wizard

Step Description Screenshot

1. Log into NetScaler GUI

2. Under Integrate with Citrix Products click XenApp and XenDesktop, then click Get Started


3. Ensure StoreFront is selected and click Continue on the Prerequisites page. NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not, please just follow along this guide to understand the steps involved.


4. Provide the details that are relevant to your StoreFront and Citrix XenApp setup:
Gateway FQDN: gateway.jsconsulting.services
Gateway IP Address: the inside (private) IP address of the virtual server (the VIP)
Port: 443 (SSL)
Redirect: tick this option if you are also forwarding HTTP traffic to this VIP, so the NetScaler redirects users to HTTPS
Then click Continue. Note: in this guide we are using the above specific details as working examples; use the appropriate settings for your environment

5. Because we enabled port 80 redirection the wizard will enable the Load Balancing feature on the NetScaler. Click Yes


6. Select the certificate you have previously installed on the NetScaler. Note: you should have the complete certificate chain installed on the NetScaler; a later video goes through the steps to ensure the complete chain is installed. Click Continue

7. Keep Authentication as Domain. Select Use Existing Server and choose the server that has the ‘NSUsers’ profile associated (servers are listed in order of creation, so it is usually the second server in the list)


8. Click Continue

9. Enter the details of your StoreFront server. The Retrieve Stores button will not work if the StoreFront server is not configured, and you cannot proceed with this wizard without a retrieved store because the wizard does not let you enter one manually. In this example our StoreFront and Citrix XenApp are installed on the same box, so the URLs can point to the same server

10. Click Continue


11. On the summary page, now that all the basic settings have been entered, click Done
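The wizard above writes a handful of objects into ns.conf that are easier to review, version and reproduce from the CLI than across several dialogs. The script below is an added example, not part of the original guide or of Citrix's documentation: it prints (or, with NS_APPLY=1, pushes over SSH) the NetScaler commands for an ICA-only gateway virtual server with its certificate, session profile, STA binding, LDAP policy and HTTP-to-HTTPS redirect. The NSIP, VIP, hostnames, certkey and policy names are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original guide): CLI equivalent of the XA/XD wizard.
# NSIP, VIP, object names and URLs are assumptions for illustration only.
NSIP="${NSIP:-192.168.1.10}"   # NetScaler management IP (assumption)
NS_APPLY="${NS_APPLY:-0}"      # 0 = dry run (print), 1 = send the commands over SSH

# Print the NetScaler CLI for an ICA-only gateway vserver.
#  $1 gateway FQDN         $2 VIP                $3 certkey name already installed
#  $4 Receiver for Web URL $5 STA URL (the DDC)  $6 AD domain used for SSO
#  $7 LDAP authentication policy for NetScaler users
icaproxy_config() {
  fqdn=$1; vip=$2; certkey=$3; rfweb=$4; sta=$5; domain=$6; ldappol=$7
  # -icaOnly ON: the vserver proxies ICA only, so no full VPN tunnel can be built
  # through it even though the session profile leaves authorization at ALLOW.
  # SSLv3 and TLS 1.0 are disabled on the vserver; re-enable TLS 1.0 only if you
  # still have legacy Receivers. The HTTP lb vserver has no services bound, so it
  # stays DOWN and its -redirectURL sends port-80 clients to the HTTPS gateway.
  cat <<EOF
enable ns feature SSL SSLVPN LB
add vpn vserver vsrv_gateway SSL ${vip} 443 -icaOnly ON
bind ssl vserver vsrv_gateway -certkeyName ${certkey}
set ssl vserver vsrv_gateway -ssl3 DISABLED -tls1 DISABLED
add vpn sessionAction sess_act_icaproxy -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "${rfweb}" -ClientChoices OFF -ntDomain ${domain} -clientlessVpnMode OFF
add vpn sessionPolicy sess_pol_icaproxy ns_true sess_act_icaproxy
bind vpn vserver vsrv_gateway -policy sess_pol_icaproxy -priority 100
bind vpn vserver vsrv_gateway -staServer "${sta}"
bind vpn vserver vsrv_gateway -policy ${ldappol} -priority 100
add lb vserver lb_vsrv_gw_http_redirect HTTP ${vip} 80 -redirectURL "https://${fqdn}/"
save ns config
EOF
}

# Send the generated commands to the appliance, or just show them in dry-run mode.
ns_apply() {
  if [ "$NS_APPLY" = "1" ]; then
    ssh "nsroot@${NSIP}"   # the NetScaler CLI reads the commands from stdin
  else
    cat
  fi
}

# Example values (assumptions): gateway FQDN, VIP, certkey, store URL, STA, domain, LDAP policy
icaproxy_config gateway.jsconsulting.services 192.168.1.50 gateway_cert \
  "https://storefront.home.local/Citrix/StoreWeb" "http://ddc.home.local" \
  home.local LDAP_NetScaler_Users | ns_apply
```

Run it once without NS_APPLY to read the generated commands, then with NS_APPLY=1 to push them; the final save ns config makes the change persistent, which the GUI wizard also does for you but a manual CLI session does not.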


NetScaler Unified Gateway

Prerequisites

Item Description

● DNS is configured on the NetScaler correctly

● The internal or private IP Address of the VIP assigned to the NetScaler Gateway *

● Know the STA (Secure Ticket Authority) URL, i.e. your Citrix Delivery Controller(s) (DDC)

● Firewall ports are open between the NetScaler and the StoreFront server

● StoreFront already configured and set up (otherwise Retrieve Stores in the wizard won’t work)

In this section of the course we will connect the NetScaler to our basic Citrix XA/XD Environment. Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Gateway. NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not – please just follow along this guide to understand the steps involved or follow the previous XA/XD and StoreFront setup videos.

Create the NetScaler Unified Gateway – Wizard

Step Description Screenshot

1. Log into the NetScaler and click Unified Gateway in the left pane under ‘Integrate with Citrix Products’


2. Click Get Started

3. Click Continue


4. Enter the following details as appropriate for your configuration

5. Use the existing certificate already installed and click Continue


6. Select the appropriate LDAP server and click Continue

7. Change the Portal Theme to the new RFWebUI (note: RFWebUI does not currently work with SAML)

8. Click the + Icon


9. Select XenApp & XenDesktop and select StoreFront as the integration point

10. Enter the details of your XA&XD STA and StoreFront server URLs, then click Retrieve Stores. The Receiver for Web path will appear and be validated. Click Continue

11. Click Done


12. You will be returned to the Applications Page and a StoreFront application will appear

13. Click Continue

14. On the summary page click Done


15. Access the Unified Gateway page and check you can log into the NetScaler page

16. Select Clientless Access, click Desktops and ensure you can see your XA&XD desktops. Launch a desktop to perform a full end-to-end test


NetScaler Gateway - SSL VPN

Create a Basic NetScaler Gateway for SSL VPN

Prerequisites

Item Description

● NetScaler configured with IP Address, Certificates and accessible from the clients either internally or remotely over the internet.

● Ensure Split Tunnelling is Off

● Port 443 forwarded from firewall / router to the NetScaler VIP

● Ensure the Default Authorization Action in the global configuration is set to ALLOW

Step Description Screenshot

1. Check the NetScaler Gateway feature is enabled: System > Settings > Configure Basic Features

2. Ensure the global Default Authorization Action for NetScaler Gateway is set to ALLOW (NetScaler Gateway > Global Settings > Change Global Settings > Security tab). Note: ALLOW lets every authenticated VPN user reach any destination behind the NetScaler, which is acceptable for this first connectivity test only; the Authorisation Policies section later in this guide changes the default to DENY and allows specific destinations explicitly


3. Expand NetScaler Gateway and click NetScaler Gateway Wizard

4. A separate wizard page will open. Click Get Started


5. Provide the details of your new gateway. Note: my details are provided as an example only

6. Select the existing certificate already installed on your NetScaler and click Continue


7. Select the default authentication of Local and do not select a secondary authentication method. Click Continue. Once the wizard has completed, create a local user called nsgw-localuser with password <yourpassword> under NetScaler Gateway > User Administration > AAA Users > Add


8. You may close the dashboard that opens by default after creation of the new gateway

9. Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from). Open a web browser to the NetScaler VIP and log in


10. Success!


Install the NS Gateway Plugin - Windows

Prerequisites

Item Description

● You should be a local administrator of the device where you are installing the gateway plug-in

Step Description Screenshot

1. Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from). Open a web browser to the NetScaler VIP and log in


Select Network Access

Click Download


Click Run

Click Install. Note: you must be a local administrator to install this software

Click Yes to any Windows UAC prompts


Click Finish

The Gateway VPN will connect automatically and the web page will display the NetScaler VPN Home Page.


Create a NetScaler Gateway Preauthentication Policy

Step Description Screenshot

1. Expand NetScaler Gateway > Policies > Preauthentication

2. Click Add


3. Name the policy something like PreAuthPol_Notepad-is-running and click the + next to Request Action. Note: you can call it whatever you want; I like to keep a standard format when creating policies and profiles so they are distinguishable in the various screens and in the ns.conf file as well

4. Click Create


5. Click Expression Editor and select: Expression Type: Client Security; Component: Process; Name: notepad.exe; Operator: EXISTS. Then click Done

6. Note the expression is automatically created for you as:

CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS


7. Click Create

8. Bind the new policy globally: select NetScaler Gateway > NetScaler Gateway Policy Manager

9. Click the + on AAA Global

10. Click Add Binding


11. Click in the Click to Select field

12. Select the only PreAuthPolicy available Click Select

13. Click Bind


14. Click Done

15. Click Done


16. Browse to the gateway and check that the EPA scan is invoked before you are asked for any authentication credentials. Click Yes

17. EPA scan with Notepad not running: the check fails


18. EPA scan with Notepad running: the check passes and your users can now authenticate

19. Authenticate against the NetScaler page again and confirm you can access all NetScaler resources

Configure NetScaler Gateway with Split Tunnelling

Step Description Screenshot

1. So that our users’ devices know which network is ‘local’ and which is remote, we need to define our remote network resources (intranet applications)


2. First ensure that split tunnelling is enabled: NetScaler Gateway > Global Settings > Change Global Settings, click the Client Experience tab, change Split Tunnel to ON and click OK

3. Expand NetScaler Gateway > Resources > Intranet Applications and click Add


4. Here we add the remote networks the VPN tunnel should carry when the Gateway client is logged on. In this example we will use the full home.local network. Click Create

5. Browse back to the NetScaler Gateway > Global Settings tab and click Define intranet applications...


6. Click Add

7. Click the right arrow (or the + symbol next to the resource) to include the new intranet resources in our split tunnel


Click OK

8. Save your NetScaler configuration

9. Test your VPN connectivity

Create Authorisation Policies for NS Gateway

Step Description Screenshot

1. Expand NetScaler Gateway > Global Settings > Change Global Settings


2. Click the Security tab and change Default Authorization Action to DENY. Note: this change affects every gateway configured on the NetScaler whose session profile does not override it. With DENY in place, an authenticated user can reach only the destinations that an authorization policy explicitly allows

3. Expand NetScaler Gateway > Policies > Authorization Policies and click Add

4. Create a new policy. In this example we will call it AuthPol_VPN_192.168.1.1, as the only ‘destination’ this policy will allow is 192.168.1.1


5. Click Switch to Classic Syntax, then click Expression Editor

6. Enter the IP address details into the Expression Editor of the destination IP you want to allow access to


7. Click Create. Note: the classic policy expression has been ‘built for you by the editor’ (for this example it reads REQ.IP.DESTIP == 192.168.1.1); you can type these manually if you know the syntax (or find it online!)

8. Bind this new policy to a NetScaler user: NetScaler Gateway > User Administration > AAA Users, select the user and click Edit, click + Authorization Policies, select the authorization policy and click Bind. Tip: to bind this way to LDAP users you must have a local AAA username that matches the LDAP username; binding the policy to an AAA group that matches the AD group (see the LDAP section below) avoids creating local users


Setup NetScaler Gateway VPN to use a LDAP Authentication Policy

Step Description Screenshot

1. Let’s bind the LDAP_NetScaler_Users policy to this VPN gateway

2. Browse to the gateway and click Edit

3. Click the + on Basic Authentication, choose LDAP as the policy type, choose Primary authentication and click Continue


4. Select the LDAP policy you have created for NetScaler Users (and not administrators)

5. Click Done

6. Test and confirm

7. We must create an AAA group and bind an authorisation policy to it. Expand NetScaler Gateway > User Administration > AAA Groups and click Add


8. Create a group whose name MATCHES (case-sensitive) the AD group specified in the LDAP policy/profile, then click OK

9. Attach the authorization policy to this group: click + Authorization Policies on the right

10. Click the > to bring up the policy selection window


11. Select the Authorization Policy previously created

12. Click Bind


13. Click Done
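The EPA pre-authentication check, split tunnelling, the DENY default and the group-bound ALLOW policy from the preceding sections form one least-privilege configuration, and it is easier to audit as a block of ns.conf commands than across four dialogs. The script below is an added example, not part of the original guide or of Citrix's documentation: it prints (or, with NS_APPLY=1, pushes over SSH) the CLI for the whole set. The vserver name vsrv_gateway, the 192.168.1.0/24 network, the AAA group name NSUsers and the LDAP policy name are assumptions. One deliberate difference from the GUI steps: the pre-authentication policy is bound to the gateway vserver rather than globally, so it only affects this gateway.

```shell
#!/bin/sh
# Added example (not from the original guide): CLI for EPA pre-auth, split tunnel,
# default-DENY authorisation and a group-bound ALLOW policy. Names/IPs are assumptions.
NSIP="${NSIP:-192.168.1.10}"   # NetScaler management IP (assumption)
NS_APPLY="${NS_APPLY:-0}"      # 0 = dry run (print), 1 = send the commands over SSH

# Print the NetScaler CLI for a least-privilege SSL VPN gateway.
#  $1 gateway vserver name      $2 intranet network        $3 netmask
#  $4 host the group may reach  $5 AAA group (must equal the AD group name, case-sensitive)
#  $6 LDAP authentication policy for NetScaler users
vpn_hardening_config() {
  vsrv=$1; net=$2; mask=$3; allowed=$4; group=$5; ldappol=$6
  # Split tunnel ON plus the intranet application decide what the plug-in routes
  # into the tunnel; the authorization policy decides what the user may actually
  # reach once inside. With the global default at DENY, anything not explicitly
  # ALLOWed is dropped, so users in ${group} reach ${allowed} and nothing else.
  # The EPA policy is bound to the vserver here (the GUI steps bound it globally).
  cat <<EOF
set vpn parameter -defaultAuthorizationAction DENY -splitTunnel ON
add vpn intranetApplication intranet_${vsrv} ANY ${net} -netmask ${mask} -destPort 1-65535 -interception TRANSPARENT
bind vpn global -intranetApplication intranet_${vsrv}
add aaa preauthenticationaction preauth_act_allow ALLOW
add aaa preauthenticationpolicy PreAuthPol_Notepad-is-running "CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS" preauth_act_allow
bind vpn vserver ${vsrv} -policy PreAuthPol_Notepad-is-running -priority 100
bind vpn vserver ${vsrv} -policy ${ldappol} -priority 100
add authorization policy AuthPol_VPN_${allowed} "REQ.IP.DESTIP == ${allowed}" ALLOW
add aaa group ${group}
bind aaa group ${group} -policy AuthPol_VPN_${allowed} -priority 100
save ns config
EOF
}

# Send the generated commands to the appliance, or just show them in dry-run mode.
ns_apply() {
  if [ "$NS_APPLY" = "1" ]; then
    ssh "nsroot@${NSIP}"   # the NetScaler CLI reads the commands from stdin
  else
    cat
  fi
}

# Example values (assumptions): vserver, home.local network, allowed host, AD group, LDAP policy
vpn_hardening_config vsrv_gateway 192.168.1.0 255.255.255.0 192.168.1.1 \
  NSUsers LDAP_NetScaler_Users | ns_apply
```

After applying, log on through the plug-in and confirm that 192.168.1.1 answers while another host on 192.168.1.0/24 does not: that proves the DENY default is doing the work rather than the intranet application definition, which only controls routing.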


Configure NetScaler Gateway with SAML for ICA Proxy (Federated Authentication)

Prerequisites

Description

● Citrix FAS (Federated Authentication Service) installed (see the CFAS section below)

● XA/XD 7.6 or newer

● StoreFront 3.6 or newer (I've tested with 3.9)

● SAML provider acting as the IdP (Google in this instance)

● NetScaler Gateway configured as the SP

● Active Directory Certificate Services

● Access to edit Windows GPOs and OUs to assign the CFAS service location

Create NetScaler SAML Policy to 3rd Party iDP (Google) In this section we will create a new SAML policy for the NetScaler to use Google as the SAML IdP. Note: this cannot be bound to a gateway that uses the RFWebUI ‘theme’.

Step Description Screenshot

1. Connect to admin.google.com


2. Click Apps

3. Click SAML Apps

4. Click the + to add a new SAML Application


5. Select Setup my own custom app


6. Take note of the IdP data you are provided and copy the SSO URL. Be sure to DOWNLOAD the certificate and save it for uploading to the NetScaler later


7. Describe your new app


8. Note: the ACS URL for a NetScaler Gateway is the gateway URL with a trailing /cgi/samlauth (for this guide, https://gateway.jsconsulting.services/cgi/samlauth)


9. Click Finish


10. Summary of the App SSO Setup in the Google admin panel

11. Be sure to enable the new application: click the three dots ... and select ON for everyone. Note: this new configuration can take up to 24 hours to become available; until then you may get a ‘user not found’ message


12. Note: users will have access to a shortcut to this new app in their Google Console


13. Upload the Google IDP Certificate to the NetScaler


14. Install it as a CA certificate

15. Here you can see the certificate installed as another CA Certificate


16. Expand NetScaler > Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > SAML > Servers and enter the appropriate details for your new SAML server. Note: the redirect (SSO) URL and Single Logout URL are unique to your Google account


17. Create a new SAML authentication policy, set its expression to ns_true and link it to the newly created Google SAML server

18. Bind this policy to your NetScaler Gateway: click the + against Basic Authentication. Note: you may need to remove other authentication policies (such as LDAP) from the bound authentication before adding the SAML policy as the primary method


19. Choose SAML, choose Primary and click Continue

20. Select the SAML binding

21. Edit the NetScaler Gateway session profile and blank the Single Sign-on Domain field: NetScaler Gateway > Session Policies


22. Select the policy and edit the profile

23. Ensure Single Sign-on Domain is empty


24. Ensure your Google email address matches your AD user logon name (UPN)

25. If not, you can add a new UPN suffix for the domain from Active Directory Domains and Trusts

26. Add any Additional UPN suffix you may require to match your google email sign-in
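Steps 13 to 23 on the NetScaler side reduce to a few CLI commands, and seeing them together makes the two security-relevant settings obvious: the IdP certificate the NetScaler will trust, and the requirement that assertions be signed by it. The script below is an added example, not part of the original guide or of Citrix's documentation: it prints (or, with NS_APPLY=1, pushes over SSH) the commands that add the Google certificate, create the SAML server and policy, swap the gateway from LDAP to SAML and clear the SSO domain. The SSO and logout URLs are placeholders for the values unique to your Google account; the vserver, policy, session action and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): CLI for binding a Google SAML IdP to
# the gateway. IdP URLs are placeholders; vserver/policy/file names are assumptions.
NSIP="${NSIP:-192.168.1.10}"   # NetScaler management IP (assumption)
NS_APPLY="${NS_APPLY:-0}"      # 0 = dry run (print), 1 = send the commands over SSH

# Print the NetScaler CLI that switches a gateway vserver from LDAP to Google SAML.
#  $1 gateway FQDN: used as the SP issuer/entity ID; the ACS URL entered in the Google
#     admin console must be https://<fqdn>/cgi/samlauth
#  $2 IdP SSO (redirect) URL   $3 IdP single logout URL
#  $4 gateway vserver   $5 LDAP policy to unbind   $6 session action whose SSO domain is cleared
saml_config() {
  fqdn=$1; sso=$2; slo=$3; vsrv=$4; ldappol=$5; sessact=$6
  # The IdP certificate downloaded from admin.google.com is assumed to have been
  # uploaded to /nsconfig/ssl/google_idp.pem. -samlRejectUnsignedAssertion ON makes
  # the NetScaler reject any assertion not signed by that certificate (STRICT would
  # additionally require the whole response to be signed); SHA-256 matches what
  # Google signs with. The issuer name must equal the Entity ID configured at Google,
  # otherwise audience validation fails.
  cat <<EOF
add ssl certKey google_idp_cert -cert /nsconfig/ssl/google_idp.pem
add authentication samlAction saml_act_google -samlIdPCertName google_idp_cert -samlRedirectUrl "${sso}" -logoutURL "${slo}" -samlIssuerName "https://${fqdn}" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256
add authentication samlPolicy saml_pol_google ns_true saml_act_google
unbind vpn vserver ${vsrv} -policy ${ldappol}
bind vpn vserver ${vsrv} -policy saml_pol_google -priority 100
unset vpn sessionAction ${sessact} -ntDomain
save ns config
EOF
}

# Send the generated commands to the appliance, or just show them in dry-run mode.
ns_apply() {
  if [ "$NS_APPLY" = "1" ]; then
    ssh "nsroot@${NSIP}"   # the NetScaler CLI reads the commands from stdin
  else
    cat
  fi
}

# Example values: PLACEHOLDER stands for the account-specific ID Google shows you
saml_config gateway.jsconsulting.services \
  "https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER" \
  "https://accounts.google.com/logout" \
  vsrv_gateway LDAP_NetScaler_Users sess_act_icaproxy | ns_apply
```

The unbind of the LDAP policy comes before the SAML bind because, as step 18 notes, the gateway will not accept SAML as primary while another primary policy is bound; keep the LDAP policy object itself so you can revert with a single bind if the IdP is unavailable.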


Install The Citrix Federated Authentication Service (CFAS)

Step Description Screenshot

1. Mount the XA/XD ISO on your server and select the Federated Authentication Service

2. Read the license agreement and make your choice

3. Click Next


4. Click Next

5. Click Install


6. Click Finish

7. Create the GPO that points the FAS server to itself (see step 9). When the GPO exists the ‘address’ field will be filled in for you automatically

8. Copy the Citrix ADMX files from C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions to C:\Windows\PolicyDefinitions on the Active Directory domain controller (or to the central store under SYSVOL if you use one)

9. Edit group policy so that the servers point to the FAS server: open gpmc.msc, browse to Computer Configuration > Administrative Templates > Citrix Components > Authentication, and enter the DNS address of the server hosting the FAS service (as per the screenshot). Note: the VDA(s), the StoreFront server and the FAS server all need this policy applied

10. Run gpupdate /force


11. Right-click the CFAS Administration console and always Run as Administrator

12. You should now have the CFAS server listed Click OK


13. Click Start on Step 1

14. Click OK

15. You can verify the creation of the templates in ADCS


16. Once this is completed without errors click Start on Step 2

17. Click OK


18. Finally click Start on Step 3

19. Click OK


20. The console is waiting for the request to be approved (issued) by AD Certificate Services

21. Log into the ADCS console and approve the pending certificate request: right-click the pending request, select All Tasks, then Issue


22. Step 3 will go green

23. Click the User Rules tab and configure the certificate authority, certificate template and access control lists as appropriate

24. Click Edit and add the StoreFront server so that it is permitted to use the ‘rule’


Remove Domain Computers, as that entry is set to ‘deny’

25. Click Apply


Configure StoreFront to Delegate Authentication to NetScaler

Step Description Screenshot

1. Open Citrix Studio or StoreFront management

2. Select your Store and left click Manage Authentication Methods

3. Click Passthrough from NetScaler Gateway > Configure Delegated Authentication


Page: 171

4. Click OK

5. Note: You will need to trust requests sent to the DDC XML port on every Delivery Controller. RDP to each Delivery Controller as a Citrix or local administrator, open PowerShell, type ‘asnp Citrix*’ and then type ‘Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true’

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

6. Note: You can verify that this was successful by running Get-BrokerSite


Page: 172

Configure NetScaler High Availability

Prerequisites

Description

● Two NetScaler devices on the same network both with NetScaler IPs (NSIPs) assigned

● The devices must be able to communicate to each other on TCP 3003

● Neither device may already be joined to another HA pair

● On creation of the HA pair the NetScalers may temporarily disconnect active ICA sessions

● Deploy the same firmware version on both NetScaler appliances before configuring HA

● Primary NetScaler should be set to ‘stay primary’


Page: 173

Deploy Secondary NetScaler

Step Description Screenshot

1. Power on and deploy another Secondary NetScaler 11.1.x

2. Assign this device a new NSIP (one that is not already in use), then reboot the NetScaler

3. Be sure to apply a NetScaler license (see Install the NetScaler Trial License)

You can skip the Subnet IP Address addition in the Welcome wizard, as the device will receive this configuration when HA is set up. You just need to configure the timezone, DNS and hostname, and install the trial license


Page: 175

Setup High Availability – NetScaler 1

Step Description Screenshot

1. Log into NetScaler 1

2. (Recommended) During the setup, set the synchronisation state of the Primary (first) NetScaler to ‘Stay Primary’: expand System > High Availability


Page: 176

3. Select the NetScaler, click Edit, change HA Status to Stay Primary and click OK

4. Click Add, enter the details of the secondary NetScaler provisioned earlier, then click Create


Page: 177

5. Under System > High Availability check there are now two NetScaler nodes available

6. Save the config

7. Synchronisation should read ‘Success’


Page: 178

HA Failover NetScaler 1 to NetScaler 2

Now that the NetScalers are synchronised we can fail the active / primary node over from NS1 to NS2 and check that all services are still up and running.

Step Description Screenshot

1. Log into NetScaler 1

2. Check IP assignments on this NetScaler are all showing as Active

3. Check SSL Certificates are available on the Secondary Node and that they have synchronised fully


Page: 179

4. Under System > High Availability select NS1 and change High Availability Status to Enabled (Actively Participate…), then click OK

5. Select Action > Force Failover

6. Click OK

7. Confirm NS1 is now the ‘secondary node’


Page: 180

8. Connect to the NS2 administration URL (in this example it is https://192.168.1.60) and ensure the device Master State is now Primary

9. Confirm settings like all IPs are active on the NetScaler (and not passive)


Page: 181

10. Test the Gateway Virtual Server and ensure the page displays and perform a full end to end connection test
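The checks in steps 7 to 9 (one node Primary, the other Secondary, nothing pinned, sync healthy) can be scripted against the NITRO REST API instead of read off the GUI. This is an added example, not code from the guide; the hanode resource and its state/hastatus/hasync field names are assumed from the NITRO config API, the credentials come from the environment, and NS1's NSIP (192.168.1.50) is a constructed value alongside the guide's NS2 at 192.168.1.60.

```python
"""HA state check for a NetScaler pair after a forced failover (added example)."""
import json
import os
import ssl
import sys
import urllib.request


def fetch_hanode(nsip, user, password):
    """GET /nitro/v1/config/hanode from one appliance (assumed NITRO endpoint)."""
    req = urllib.request.Request(
        f"https://{nsip}/nitro/v1/config/hanode",
        headers={"X-NITRO-USER": user, "X-NITRO-PASS": password},
    )
    ctx = ssl.create_default_context()  # keep certificate validation on
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def parse_hanode(payload):
    """Reduce a hanode response to {node_id: {ip, state, hastatus, hasync}}."""
    return {
        str(n.get("id")): {
            "ip": n.get("ipaddress"),
            "state": str(n.get("state", "UNKNOWN")).upper(),
            "hastatus": str(n.get("hastatus", "")).upper(),
            "hasync": str(n.get("hasync", "")).upper(),
        }
        for n in payload.get("hanode", [])
    }


def assess_pair(nodes):
    """Return findings (empty list means healthy) for the pair as seen from one node."""
    findings = []
    if len(nodes) < 2:
        findings.append("fewer than two nodes visible: HA pair not formed")
    primaries = [n["ip"] for n in nodes.values() if n["state"] == "PRIMARY"]
    if len(primaries) != 1:
        findings.append(f"expected exactly one PRIMARY node, saw {primaries}")
    for n in nodes.values():
        if n["state"] == "UNKNOWN":
            findings.append(f"{n['ip']}: state UNKNOWN (heartbeat on TCP 3003 lost?)")
        if n["hastatus"] in ("STAYPRIMARY", "STAYSECONDARY"):
            findings.append(f"{n['ip']}: pinned as {n['hastatus']}; force failover will not move it")
        if n["hasync"] == "DISABLED":
            findings.append(f"{n['ip']}: config sync disabled; secondary may drift")
    return findings


# Constructed sample shaped like the state the guide expects after step 8.
SAMPLE = {"hanode": [
    {"id": "0", "ipaddress": "192.168.1.50", "state": "SECONDARY", "hastatus": "ENABLED", "hasync": "ENABLED"},
    {"id": "1", "ipaddress": "192.168.1.60", "state": "PRIMARY", "hastatus": "ENABLED", "hasync": "ENABLED"},
]}

if __name__ == "__main__":
    if len(sys.argv) == 1:  # no NSIPs given: evaluate the constructed sample offline
        print("sample:", assess_pair(parse_hanode(SAMPLE)) or "healthy")
    for nsip in sys.argv[1:]:  # e.g. 192.168.1.50 192.168.1.60
        live = parse_hanode(fetch_hanode(nsip, "nsroot", os.environ.get("NS_PASSWORD", "")))
        print(nsip, assess_pair(live) or "healthy")
```

Run it against both NSIPs: each node reports its own view of the pair, so two PRIMARY answers across the two calls point at a heartbeat problem rather than a successful failover.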


Page: 182

NetScaler Load Balancing

Prerequisites

Description

● Two web servers (Linux or Windows), each publishing a simple HTML page with a red or a blue background; these are the services you want to load balance

● New Internal Virtual IP address for the Virtual server (a load balanced VIP) on a network

● A target service that represents the application on the servers (e.g. port 80 for web traffic)

Enable the Load Balancing Feature

Step Description Screenshot

1. Expand Traffic Management, right-click Load Balancing and select Enable Feature (assuming your NetScaler is licensed for this)

2. The exclamation mark should disappear when the feature is enabled


Page: 183

Setup Basic HTTP Load Balancing, Service Groups and Monitors

Step Description Screenshot

1. Expand Traffic Management, right-click Load Balancing and select Enable Feature

2. Select Servers, click Add and enter the details of the server. In our example we will add 192.168.1.11, a Windows server running AD, DNS and IIS, and 192.168.1.12, a server running IIS only. Click Create. Note: Repeat these steps for each server name or IP address you want to load balance services on


Page: 184

3. Servers Added


Page: 185

4. Add your service(s). These are the services you want to bind to the servers you added in the previous step, for example: web traffic (port 80 or 443), DNS traffic (port 53), LDAP traffic on 389 or 636 (secure)

5. Change the default monitors on these services: select the service > Edit > Monitors


Page: 186

6. Click Add Binding, select the HTTP monitor, keep the defaults in the Configure Monitor window and click OK

7. (Optional) Create a service group. Note: A service group is an easier way to bind monitors to these ports for both services, rather than having to configure them individually on each service


Page: 187

8. Click Traffic Management > Load Balancing > Virtual Servers, then click Add


Page: 188

9. Enter the details of the new Load Balancing Virtual Server. The IP Address is the Virtual IP address you will assign to the NetScaler; it is the address that clients need to be able to resolve and connect to directly. It is this VIP that should be added to your DNS FQDN so that clients can resolve the load balancing service correctly

10. Choose whether to bind services directly or service groups by clicking either of the two options. We will choose the Servicegroup binding. Note: Service groups allow you to manage multiple groups of services for things like binding, monitoring etc

11. Select the Service Group created in the previous steps - lbsg_http_webservers01_02

12. On the LBVS click the + on Method, change the Load Balancing method to ROUNDROBIN, click OK and then click Done. Note: You can choose any load balancing method; we are just using Round Robin as an example


Page: 191

13. Click Done

14. Connect to the LBVS IP Address and you should see that you are being load balanced between the servers in the servicegroup in a Round Robin fashion
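Step 14 can be checked from a client instead of by eye: because the two backends serve a red and a blue page, the backend that answered can be read from the HTML. This is an added example, not code from the guide; it opens a fresh connection per request (persistence would otherwise hide the distribution), labels each answer and checks that both members appear and alternate as ROUNDROBIN should. The VIP address, the colour-to-server mapping and the request count are constructed assumptions; the backend IPs are the guide's 192.168.1.11 and 192.168.1.12.

```python
"""Check ROUNDROBIN distribution through a NetScaler LB VIP (added example)."""
import sys
import urllib.request

# Constructed mapping: which HTML marker identifies which backend server.
BACKEND_MARKERS = {"192.168.1.11": "red", "192.168.1.12": "blue"}


def classify(body):
    """Map a response body to the backend that served it, or 'unknown'."""
    text = body.lower()
    hits = [srv for srv, marker in BACKEND_MARKERS.items() if marker in text]
    return hits[0] if len(hits) == 1 else "unknown"


def check_round_robin(labels):
    """Summarise which backends answered and whether they alternated.

    With two equally weighted, healthy service group members ROUNDROBIN hands
    consecutive new connections to alternate members. A member whose monitor
    is DOWN simply disappears from the sequence, which is the case to spot.
    """
    seen = sorted(set(labels))
    counts = {b: labels.count(b) for b in seen}
    alternating = len(labels) > 1 and all(a != b for a, b in zip(labels, labels[1:]))
    return {
        "backends": seen,
        "counts": counts,
        "alternating": alternating,
        "balanced": seen == sorted(BACKEND_MARKERS) and alternating,
    }


def probe_vip(url, requests=6):
    """Fetch the VIP repeatedly; urllib opens a new TCP connection per call,
    so each request is a fresh load-balancing decision on the NetScaler."""
    labels = []
    for _ in range(requests):
        with urllib.request.urlopen(url, timeout=5) as resp:
            labels.append(classify(resp.read().decode("utf-8", "replace")))
    return labels


if __name__ == "__main__":
    # Assumed VIP; pass the real LBVS address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.100/"
    print(check_round_robin(probe_vip(target)))
```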


Page: 192

NetScaler Support

Backup NetScaler Configuration

Note: when backing up the config of the NetScaler the following options are available. ‘NetScaler Basic backup’ backs up the config only, i.e. the more frequently updated files. ‘NetScaler Full backup’ includes the basic backup plus the /nsconfig/ssl, /nsconfig/license and /nsconfig/fips directories under nsconfig, the /var/netscaler/ssl/* files and /var/wi if you are using the Web Interface on NetScaler (WIonNS)

Step Description Screenshot

From the Shell

1. Open PuTTY and SSH into your NetScaler

2. Type ‘save ns config’

3. Type ‘create system backup <name> -level <basic | full> -comment <string>’

Example: create system backup -level full (creates a backup without a comment) Example: create system backup -level full -comment “This is a Full NS Backup”

4. Confirm the backup was completed: type ‘show system backup’

From the GUI


Page: 193

5. Open the NetScaler GUI

6. Select System > Backup and Restore (last option in the system list) Note: you will see the backup already created by the Shell in the previous step(s) if you followed that section

7. Click Backup


Page: 194

8. Enter the information as shown (leave the filename empty for it to use the default naming scheme again) and click Backup. Note: Add allows you to upload a previously downloaded NetScaler backup tar file

9. Back in the shell you will be able to view both backups using the show system backup command: type ‘show system backup’


Page: 195

Firmware Upgrade of the NetScaler HA Pair

In this section we will walk through how to perform a simple firmware upgrade of our production NetScalers, which are in an HA pair: upgrade the passive node first, disable HA sync, reboot, confirm the device is OK, then force an HA failover and repeat the upgrade steps on the other NetScaler.

Step Description Screenshot

1. Download the latest firmware for Citrix NetScaler VPX

2. Open a PuTTY session, SSH to the passive NetScaler and log in as nsroot, then type ‘shell’

3. Browse to /var/nsinstall by typing ‘cd /var/nsinstall’

4. Create a new directory called 12nsinstall Type ‘mkdir 12nsinstall’


Page: 196

5. Open WinSCP

6. Browse to the newly created directory in the WinSCP console (/var/nsinstall/12nsinstall) and upload the NetScaler firmware downloaded in step 1

7. When copying completes, extract the tar file: type ‘tar -zxvf ./build-12.0-41.22_ns_32.tgz’


Page: 197

8. Stop the replication between the NetScalers

Type ‘set ha node -hasync disabled’. Note: newer versions of NetScaler will do this automatically when they detect a version mismatch.

9. Once extraction is complete, run the upgrade script: type ‘./installns’

10. Reboot the NetScaler: type ‘y’ and press the Enter / Return key

11. Ensure the NetScaler has rebooted without errors or issues, then fail over the NetScalers: from the NetScaler command line type ‘force HA failover’

12. Repeat all the above steps on the other NetScaler (the now passive server)


Page: 198

Clear the NetScaler Configuration

Per https://support.citrix.com/article/CTX112695/ we can clear the NS config via the GUI and via the shell.

Step Description Screenshot

From The GUI

1. Log into your NetScaler web GUI

2. Expand System > Diagnostics and click Clear Configuration under the ‘Maintenance’ section

3. Select Full. This will reset the entire device except for the NSIP and the default gateway (leaving management network connectivity and the device license untouched!). Click Clear


Page: 199

Note: Force applies changes without further prompts

4. You must finally SAVE

5. Click System > Reboot in order for the changes to take effect

From the Shell

Open a PuTTY session to the NetScaler shell and type ‘clear ns config -force full’


Page: 200

Type ‘save ns config’

Type ‘reboot’ and press enter
