Citrix NetScaler – Introduction
Table of Contents
Introduction 4
  Who is this guide for? 4
  Prerequisites 4
Prepare your Environment 5
  Download the NetScaler Firmware 90 day Evaluation – citrix.com/products 5
  Download the NetScaler Firmware – mycitrix.com 8
  Deploy the OVA File to Hypervisor - VMWare ESXi 6 11
  Initial NetScaler Setup - NSIP 16
  Download the NetScaler Trial License 21
  Install the NetScaler Trial License 23
Basic Authentication 25
  Creating an LDAP Authentication Policy - Administrators 25
  NetScaler SSH Command References: 28
  Binding an LDAP Authentication Policy - Administrators 29
  Granting AD Group Permissions to the NetScaler 31
  Creating an LDAP Authentication Policy – NetScaler Users 34
  NetScaler SSH Command References: 37
Certificates 38
  Creating a Private RSA 38
  Creating a CSR Request 40
  Submitting the CSR to a 3rd party CA - Comodo Free SSL 43
  Upload the CA CRT file and Install the Certificate on the NetScaler 48
  Intermediary Certificate Linking 50
XenApp & XenDesktop 7.14 Installation 54
  Prerequisites 54
  Install XA/XD Software 54
  Create the XA/XD Site 62
  Install the XA/XD VDA (Virtual Delivery Agent) 66
  Create a Machine Catalog 72
  Test the Citrix Desktop Launch 80
StoreFront Configuration 82
  Prerequisites 82
Copyright © 2017 www.mastersof.cloud
  Modify the Default Store 82
  Create a New StoreFront Store - Stand Alone 87
NetScaler Gateway - ICA Proxy 99
  Overview Diagram 99
  Prerequisites 100
  Configure the NetScaler Gateway for XA/XD - Wizard 100
NetScaler Unified Gateway 106
  Prerequisites 106
  Create the NetScaler Unified Gateway – Wizard 106
NetScaler Gateway - SSL VPN 113
  Create a Basic NetScaler Gateway for SSL VPN 113
  Prerequisites 113
  Install the NS Gateway Plugin - Windows 119
  Prerequisites 119
  Create a NetScaler Gateway Preauthentication Policy 123
  Configure NetScaler Gateway with Split Tunnelling 130
  Create Authorisation Policies for NS Gateway 134
  Setup NetScaler Gateway VPN to use an LDAP Authentication Policy 138
Configure NetScaler Gateway with SAML for ICA Proxy (Federated Authentication) 143
  Prerequisites 143
  Create NetScaler SAML Policy to 3rd Party iDP (Google) 143
  Install The Citrix Federated Authentication Service (CFAS) 159
  Configure StoreFront to Delegate Authentication to NetScaler 170
Configure NetScaler High Availability 172
  Prerequisites 172
  Deploy Secondary NetScaler 173
  Setup High Availability – NetScaler 1 175
  HA Failover NetScaler 1 to NetScaler 2 178
NetScaler Load Balancing 182
  Prerequisites 182
  Enable the Load Balancing Feature 182
  Setup Basic HTTP Load Balancing, Service Groups and Monitors 183
NetScaler Support 192
  Backup NetScaler Configuration 192
  Firmware Upgrade of the NetScaler HA Pair 195
  Clear the NetScaler Configuration 198
Disclaimer
This guide is offered as a companion to the online video training series from www.mastersof.cloud, and is also available free directly from the www.mastersof.cloud website. It can also be used as a stand-alone guide. Please note that this guide is provided without warranty of any kind, express or implied, and was designed to be used in a test lab for educational purposes only. Use this guide at your own risk. You should always have multiple backups of your environment, configuration and infrastructure before making any changes to your environment. Never make untested or unsolicited changes to any production environment. Accuracy of the material contained within this document is very important to us. Every effort has been made to ensure the accuracy of this document at the time of writing; however, should you notice any discrepancies or incorrect information please notify us immediately at [email protected] so we can review and update where necessary.
Introduction
Welcome to the ‘Citrix NetScaler - Introduction’ guide. The purpose of this guide is to provide you with the basics you need to deploy and configure a NetScaler device either in a lab or in an enterprise environment. This document is designed to accompany the online courses now available at www.mastersof.cloud and also available at www.udemy.com. We hope you find this course informative and easy to follow. Please do feel free to ask questions or provide any feedback on the training website at www.mastersof.cloud or email [email protected].
Note: This guide uses many example screenshots, IP addresses and DNS settings that are specific to the demo environment being used at the time. You will need to use your own settings in place of the examples provided to ensure a working setup. If you are not sure of the configuration options you should consult with your AD, Network, Virtualisation and Cloud teams first for the correct details that are specific to your environment.
Who is this guide for?
Chances are if you have come this far you already knew what you were looking for! The guide is a quick start to get you up and running with Citrix NetScaler.
Prerequisites
1) A basic level of understanding of network principles, TCP-IP, DNS, Firewalls and Network routing
2) Familiarity with connecting to devices via SSH or Putty
3) Familiarity with all Citrix products in general
4) Competency with the latest versions of Microsoft Windows operating systems
This document also serves as a complementary printed walk-through for the Citrix NetScaler Introduction online training at www.mastersof.cloud, also available at www.udemy.com.
Prepare your Environment
Download the NetScaler Firmware 90 day Evaluation – citrix.com/products
In this walkthrough we are going to connect to citrix.com and download a 90 day evaluation of the Citrix Application Delivery Controller (aka ADC).
1. Connect to http://www.citrix.com/products/
2. Scroll down and select Networking > NetScaler > NetScaler ADC
3. Click Try For Free
4. Enter your registration details (username and password) for your trial license
5. A code will be generated automatically
6. Expand Step 1 – Review system requirements and download software
Select the download most appropriate to you and your hypervisor
Download the NetScaler Firmware – mycitrix.com
For customers who already use Citrix and have a mycitrix.com account, the NetScaler firmware can also be obtained directly from this site (provided the mycitrix.com account is associated with your Enterprise licenses).
1. Connect to http://www.mycitrix.com
2. Click Downloads
Select NetScaler ADC as the product
3. Select the latest release Virtual Appliance (VPX) available to you
Note: At the time of writing the latest is 11.1-48.10
4. Select VPX Package for New Installation
Select the right package for your hypervisor
Note: In the example we are downloading the NetScaler VPX Software for VMWare ESX
5. Read the End-User license agreement carefully
6. If you choose to accept the EULA, tick ‘I have read…’ and click Accept
You should also read the download agreement and be sure you and your country comply with the Export Control laws
Finally, save the file somewhere easily accessible later
Deploy the OVA File to Hypervisor - VMWare ESXi 6
In this section we are going to deploy the newly downloaded NetScaler firmware onto our hypervisor (VMWare).
1. Connect and authenticate to your VMWare ESX web console
Note: In this example we are connecting to VMWare ESXi 6.0 with a private IP of 192.168.1.1. The default URL is http://192.168.1.1/ui
2. Click Virtual Machines
Click Create / Register VM
3. Select Deploy a virtual machine from an OVF or OVA File
Click the section labelled ‘Click to select files or drag/drop’
4. Select both the OVF and the VMDK files from the firmware file downloaded from Citrix, then click Next
5. Select an appropriate storage location for your hypervisor to deploy the NetScaler VM
6. Choose the network mappings and disk provisioning best for you
Note: Disk provisioning is set to thin in this example only to save on local hypervisor disk space.
7. Click Finish on summary page
8. Click on the VM in the VMWare list
9. Authenticate to the VMWare console prompt with your VMware username and password
10. Click on the Console button to get access to the VM console
11. Success! The NetScaler has booted and is operational
Initial NetScaler Setup - NSIP
1. Click on the Console button to get access to the VM console
2. Your NetScaler should have finished initializing and be prompting for an IPv4 Address as part of the first run wizard
Provide an appropriate free IP address, subnet and default gateway from your local network
Once the details are entered type ‘4’ to save and quit, then press enter to execute
The NetScaler will perform a quick, warm reboot
Note: In this guide we will use the following details for the NSIP
IP address: 192.168.1.50
Subnet Mask: 255.255.255.0 (also known as /24)
Default Gateway (internet router): 192.168.1.254
However you should use an appropriate IP address, netmask and gateway for your network and specific configuration. If you are unsure consult with your network administration team.
3. After the reboot it will return to the login: prompt
Enter ‘nsroot’ as the username
Enter ‘nsroot’ as the password
These are the default NetScaler username and password
4. Once successfully authenticated type ‘show ip’ and press return
Note: This command will show you all IP addresses registered on the active NetScaler
Tip: the NetScaler recognises short versions of the same command (provided it’s unique); for example the command ‘sh ip’ will also work
5. Type ‘shell’ and press return
Type ‘ifconfig’ and press return
Note: you can use the shell to run traditional BSD/Unix commands such as ifconfig, route, ping and traceroute
6. Open your internet browser and point it to the newly added NSIP of your NetScaler
Enter ‘nsroot’ as the username
Enter ‘nsroot’ as the password
7. Click enable or skip on the Citrix User Experience Improvement Program window
8. Welcome to the first time setup config page of the NetScaler GUI
Note: This page shows that you have already set a NetScaler IP address (NSIP), which can be used for management of the NetScaler device; however you still need to set the DNS servers, Time Zone, Hostname and SNIP, and add licenses
9. Click on the Subnet IP Address section of the NetScaler GUI
10. Enter a Subnet IP as appropriate for your environment
Then click Done
Note: In this guide we will use the following details for the SNIP
IP address: 192.168.1.51
Subnet mask: 255.255.255.0 (also known as /24)
Default gateway (internet router): 192.168.1.254
However you should use an appropriate IP address, netmask and gateway for your network and specific configuration. If you are unsure consult with your network administration team
Note: A NetScaler will use its NSIP as a management IP address. It will utilise the Subnet IP address (SNIP) to communicate with back end servers etc on that specific assigned subnet
11. Click the Host Name, DNS IP Address and Time Zone section of the NetScaler GUI
12. Enter the following details as appropriate for your configuration
Hostname
DNS IP Address
Time Zone
Then click Done
Note: In this guide we will use the following details for the Hostname, DNS and TimeZone
Hostname: ns1
DNS IP Address: 192.168.1.11 & 192.168.1.12 (the IP addresses of my singular Active Directory LDAP servers)
Time Zone: GMT+ 00:00-GMT-Europe/London
However you should use an appropriate hostname, DNS servers and time zone for your network and specific configuration. If you are unsure consult with your network administration team
13. Click Yes
14. The Initial Configuration of the NetScaler is complete
Download the NetScaler Trial License
Only start this section once you have deployed your NetScaler on your chosen hypervisor platform.
1. Expand Step 2, click on License Management System to register your temporary license key
2. Sign in with the details you registered your trial license with
Tick the Citrix Store NetScaler VPX 1000... license key
Click Continue
3. Deploy your NetScaler and obtain its Host ID (MAC Address)
Log into the NetScaler console (user: ‘nsroot’, pass: ‘nsroot’)
Type ‘shell’ then press enter
Type ‘lmutil lmhostid –ether’ then press enter
4. Take the Host ID and enter that into the Citrix licensing console Click continue
5. Click confirm
6. Click OK to download the license file(s)
7. Save the file for later use in these Labs
Install the NetScaler Trial License
Only start this section once you have deployed your NetScaler on your chosen hypervisor platform.
1. When you access your NetScaler, if you haven’t yet set a SNIP or a license you may be presented with the first run wizard
You can click the ‘Licenses’ section to upload your license file
Go to step 3 below
2. You can also access this from the NetScaler > System > Licenses menu and click Add New License
3. Select the option to Upload license files Click Browse
4. Browse for the NetScaler license file you downloaded previously and select it for upload
Restart your NetScaler
Basic Authentication
Creating an LDAP Authentication Policy - Administrators
In this walkthrough we will create an LDAP policy for administrators of the NetScaler and point this new policy to our singular, private, internal Microsoft AD LDAP server. This will involve creating a server to bind to (i.e. telling the NetScaler what server to communicate with for LDAP services) and we will create a policy that will be bound to this newly created server record. Finally the policy and its associated server profile must be bound to the NetScaler so it knows where and when to use this LDAP policy. We will bind this policy globally to the NetScaler, which means all users in the policy will be able to administer the NetScaler device.
1. Log into your NetScaler
Expand System > Authentication > LDAP
Click the Add button
2. Give the policy a Name e.g. ‘AUTHPOL_LDAP_Administrators’
Set the Expression as ‘ns_true’
Click the + to add a new LDAP Server to authenticate against
Tip: If you keep the naming of the policies, servers and profile creations consistent it is much easier to find them when you have many multiple policies created on the NetScaler
3. Give the LDAP server profile a Name. I usually give it the imaginative name of something like: ‘AUTHSERVER_LDAP’
Fill out the essential information for this server profile
Note: In this guide we are using the following recommended minimum examples:
IP Address / or Name: 192.168.1.11
Base DN: CN=Users,DC=Home,DC=Local
Admin Bind DN: [email protected] (domain administrator account)
Admin Password: <password>
Search Filter: memberof= CN=Domain Admins,CN=Users,DC=home,DC=local
Server Logon Name Attribute: sAMAccountName
Group Attribute: memberof
Sub Attribute Name: cn
Tip: be sure to click the test connection button once you have finished the setup of this LDAP server profile to ensure it connects to your LDAP server successfully
Note: You should use appropriate LDAP details. If you are unsure consult with your AD/LDAP/Authentication team.
4. Tip: You can connect to a Domain Controller or any Windows machine with the RSAT tools installed to establish your base DN and admin bind DN by querying the accounts using dsquery user and dsquery group
Examples: If I want the NetScaler to search the Users OU in AD I could query a user name in that OU to get their Base DN
If you need to obtain the Group details for the ‘Search Filter’
5. Click Test Connection and ensure your LDAP server is reachable
Note: the Admin Password is not copied when you duplicate these settings at a later stage so always be sure to re-enter them when creating additional AUTHSERVERS
6. Click Create at the bottom of the ‘Create Authentication LDAP Server’ window
7. Click Create on the ‘Create Authentication LDAP Policy’ Window
8. Save the NetScaler Configuration
Click YES to the ‘Are you sure’ message
NetScaler SSH Command References:
● Create LDAP Server
add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn [email protected] -ldapBindDnPassword 1234561234561234561234561234561234561234561234561234561234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
● Create LDAP Policy
add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP
Binding an LDAP Authentication Policy - Administrators
In this walkthrough we will take the LDAP policy created for administrators of the NetScaler and bind it globally to the NetScaler.
1. Log into your NetScaler
Expand System > Authentication > LDAP
Tick the newly created policy and click Global Bindings
2. Click the > button to choose your newly created LDAP policy
Then click Select
Click Bind on the System Global Authentication LDAP Policy Binding window
Click Done
3. Note: The LDAP Policy will have a green tick in the Globally Bound column, which means all members of the LDAP group you added in the ‘Search Field’ of the server policy will now be able to authenticate against the NetScaler as NetScaler system users
Granting AD Group Permissions to the NetScaler
In the previous step we created an LDAP policy and bound it globally to the NetScaler so that all users who are members of the Active Directory group Domain Admins would be able to authenticate against the NetScaler and access the WebGUI. However these users will not have permission on the NetScaler itself to perform any administrative tasks, so we must link the AD group to appropriate permissions on the NetScaler.
Example of the error message when logging in as user ‘[email protected]’:
Not authorized to execute this command [show ns license] [show ns feature]
Note: a user name of just ‘admin’ would also work
Here you can see that the user is able to authenticate, but not perform any tasks on the NetScaler.
1. Log into the NetScaler as nsroot
Browse to System > User Administration > Groups
Click the Add button
2. Type in Group Name: ‘Domain Admins’
Note: The NetScaler group name must match the LDAP group name and is Case SeNsiTiVE
3. Under Command Policies click Bind
Tick Sysadmin
Click Insert
4. Click Create
5. Users who are members of Domain Admins group in Active Directory will now have the sysadmin role on the NetScaler
6. A list of other roles on the NetScaler and what can be assigned are listed here on the Citrix Website
http://docs.citrix.com/en-us/NetScaler/10-1/ns-system-wrapper-10-con/ns-ag-aa-intro-wrapper-con/ns-ag-aa-config-users-and-grps-tsk.html
Creating an LDAP Authentication Policy – NetScaler Users
In this walkthrough we will create an LDAP policy for basic users of the NetScaler to authenticate against things like a new Virtual NetScaler Gateway. This profile will be identical to the previous administrators policy, except that we will be looking for a different AD group. Instead of ‘Domain Admins’ we will look for users who are members of the LDAP group called ‘NetScaler Users’.
1. Log into your NetScaler
Expand System > Authentication > LDAP
Click the Servers tab
Tick the already existing AUTHServer_LDAP
Click the Add button
Tip: Because we selected the already created server profile, the configuration details of that profile will be automatically copied into this new policy as ‘defaults’
Note: The LDAP bind password is not copied when you duplicate these settings from a previously created policy, so always be sure to re-enter it when creating additional AUTHSERVERS and test
2. Give the LDAP server profile a Name e.g. AUTHSERVER_LDAP_NSUsers
Provide the following details of your LDAP server:
IP Address / or Name
Base DN
Admin Bind DN
Admin Password: Be Sure to RETYPE YOUR PASSWORD and click TEST
Server Logon Name Attribute: sAMAccountName
Group Attribute: memberof
Sub Attribute Name: cn
Note: In this guide we are using the following specific details as working examples
IP Address / or Name: 192.168.1.11
Base DN: CN=Users,DC=Home,DC=Local
Admin Bind DN: [email protected]
Admin Password: <password>
Search Filter: memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local
Note: You should use appropriate LDAP details for your environment. If you are unsure consult with your AD/LDAP/Authentication team.
3. Tip: You can connect to your AD controller or any Windows machine with the Remote Server Administration Tools (RSAT) installed to establish your base DN and admin bind DN by querying the accounts using dsquery user and dsquery group
Examples: If you need to obtain the Group details for the ‘Search Filter’
4. Click Test Connection and ensure your LDAP server is reachable
Note: The LDAP bind password is not copied when you duplicate these settings from a previously created policy so always be sure to re-enter them when creating additional AUTHSERVERS and test
5. Click Create at the bottom of the ‘Create Authentication LDAP Server’
6. Create another LDAP Policy to bind this new server profile to
Click the Policies tab
Tick the existing policy
Click Add
Note: Because we selected the already created policy, its configuration details will be copied freshly into the new policy
7. Simply rename the policy to something new like AUTHPOL_LDAP_NSUsers
Link this new policy to the server profile created in steps 1-5 by selecting AUTHSERVER_LDAP_NSUsers from the drop down
Leave the Expression as is: ns_true
Click Create
8. Two LDAP Authentication policies now exist and can be used for authenticating users on the NetScaler
Note: The Administrators policy is the only policy presently bound to the NetScaler
NetScaler SSH Command References:
● Create LDAP Server
add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn [email protected] -ldapBindDnPassword 1234123412341234123412341234123412341234123412341234123412341234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn
● Create LDAP Policy
add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers
Certificates
Creating a Private RSA
1. Log into the NetScaler web interface http://192.168.1.50
2. Expand Traffic Management
Right click SSL and select Enable Feature
Note: The yellow exclamation mark will disappear when the feature is enabled
3. Expand SSL > SSL Files > and click the button Create RSA Key
4. In this example we will enter the details shown, then click Create
Key filename: gateway.jsconsulting.services.privatekey
Key Size(bits)*: 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM & Confirm Password: <mypassword>
Note: the larger the key size, the more CPU is used for the private key operations during SSL handshakes. DES3 (Triple DES) is simply DES applied 3 times, and is therefore stronger than single DES for protecting the key file
Creating a CSR Request
1. Log into the NetScaler web interface http://192.168.1.50
2. Now that our private key has been created we need to create a Certificate Signing Request and sign it with our private key
Expand SSL > SSL Files
Click CSRs
Then click Create Certificate Signing Request (CSR)
3. In our example we will enter the details shown below, then click Create
Request File name: gateway.jsconsulting.services.csr
Key Filename: gateway.jsconsulting.services.privatekey
Key Format: PEM
PEM Passphrase: <private key password here>
Digest Method: SHA256
Common Name: gateway.jsconsulting.services
Organisation Name: JS Consulting Services
Organisational Unit: Technologies
Email Address: <your email address>
City: London
State or Province: London
Country: UNITED KINGDOM
4. The CSR is created and signed with the private key; both are stored on the NetScaler in /nsconfig/ssl
Submitting the CSR to a 3rd party CA - Comodo Free SSL
We now need to take the CSR created in the previous section and submit it to a 3rd Party Certificate Authority (CA), which verifies our CSR and returns a signed certificate that we then install alongside our private key to produce a working SSL certificate on the NetScaler.
1. First we need to download our CSR for easy access from the NetScaler
Expand Traffic Management > SSL > SSL Files > CSRs tab
Tick the newly created .csr file and click Download
2. We are going to browse to comodo and apply for a FREE SSL Certificate
https://ssl.comodo.com/free-ssl-certificate.php
3. Click the big Free Trial SSL button
4. Open the downloaded CSR file from step 1 and copy and paste the entire contents into the Comodo SSL site
Select Citrix as the Server software
Click Next
5. Comodo will then perform a domain ownership verification
In the example shown, to keep it simple, I will select the email address registered for jsconsulting.services in WHOIS
6. Enter your details for registration of the Certificate and for access to the COMODO SSL Site
7. Read the terms thoroughly and Accept if you are ready to continue
8. Validate the email sent to your WHOIS registered email
9. Download the CSR Files as a zip
Upload the CA CRT file and Install the Certificate on the NetScaler
We will now take the CRT file and install it onto the NetScaler device, then combine the CRT and the private key to create a fully functional NetScaler certificate.
1. Expand Traffic Management > SSL > SSL Files
Click Upload
2. Browse for your Certificate file (provided by your 3rd Party CA)
Click Open
Note: The file is uploaded to the NetScaler but is not yet usable!
3. Browse to Traffic Management > SSL > Server Certificates
Click Install
4. Give the new ‘Server Certificate’ a unique, easily identifiable name
Certificate File: choose the Certificate you just uploaded in step 2
Key File Name: select your private key file that is on the NetScaler
Provide the private key password
Click Install
Your certificate is now installed and ready to be used on NetScaler services, VIPs, NetScaler gateway etc.
Intermediary Certificate Linking
Sometimes there are further certificates between the server certificate we have created on the NetScaler and the Root CA certificate. These certificates ‘in the middle’ are known as intermediary or subordinate certificates and form a link or ‘chain’ between the root CA certificate and our newly created NetScaler certificate. When an operating system does not have the full chain of intermediary certificates installed (and trusted) it will display a ‘certificate invalid’ message even when the certificate itself is valid. This is because the operating system is unable to verify your server certificate all the way up the certificate chain to the root certificate. Installing these certificates on the NetScaler and presenting them to end users greatly improves their ability to connect to the NetScalers regardless of their endpoint or client device.
1. Example: Connecting to a service or VIP on the NetScaler where we have bound the new Certificate shows an error in Chrome on Mac OSX
Note: This will vary between operating systems and between CA certificate providers
2. Log into the NetScaler web interface http://192.168.1.50
3. Expand SSL > SSL Files
Click SSL > Certificates > CA Certificates
Click Install
4. Upload the bundled certificate from your 3rd party CA
Click Install
5. Expand SSL > SSL Files
Click SSL > Certificates > Server Certificates
Tick your newly created server certificate
Select Action - ‘Link’
6. Select the CA Certificate uploaded in step 3
Tip: The NetScaler will automatically select the correct / valid certificate (if it is installed correctly and exists)
7. Repeat this step for every certificate in the certificate chain including the root certificate
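The key, CSR, install and chain-linking steps above, reproduced with OpenSSL as an added example (not code from the guide or from Citrix) so a practitioner can check a key, CSR and certificate set off-box before uploading it, and see why a missing intermediate fails validation. Assumes openssl is in PATH; the passphrase, file names and the throwaway Lab Root / Lab Intermediate CA are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the guide: the key, CSR and chain-linking steps above,
# reproduced with OpenSSL so the results can be checked off-box.
# Assumes: openssl in PATH. Passphrase, file names and the throwaway two-tier CA
# ("Lab Root CA" -> "Lab Intermediate CA") are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:ChangeMeLabOnly"          # stands in for <mypassword> in the guide
CN="gateway.jsconsulting.services"   # common name used throughout the guide

# "Creating a Private RSA": 2048-bit key, PEM, DES3-encrypted with a passphrase.
gen_key() {
  openssl genrsa -des3 -passout "$PASS" -out "$WORK/$CN.privatekey" 2048 2>/dev/null &&
  openssl rsa -in "$WORK/$CN.privatekey" -passin "$PASS" -check -noout >/dev/null 2>&1
}

# "Creating a CSR Request": CSR signed with that key, SHA256, same subject fields.
gen_csr() {
  openssl req -new -sha256 -key "$WORK/$CN.privatekey" -passin "$PASS" \
    -subj "/C=GB/ST=London/L=London/O=JS Consulting Services/OU=Technologies/CN=$CN" \
    -out "$WORK/$CN.csr" 2>/dev/null &&
  openssl req -in "$WORK/$CN.csr" -noout -verify >/dev/null 2>&1 &&
  openssl req -in "$WORK/$CN.csr" -noout -subject | grep -q "CN *= *$CN"
}

# Constructed CA standing in for the 3rd party CA: a root that signs an intermediate.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null &&
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext" &&
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
}

# The intermediate issues the server certificate (the CRT uploaded in "Upload the
# CA CRT file"); then confirm it belongs to our private key, as "Install" requires.
issue_server_cert() {
  openssl x509 -req -in "$WORK/$CN.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -sha256 -out "$WORK/$CN.crt" 2>/dev/null &&
  [ "$(openssl x509 -in "$WORK/$CN.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$WORK/$CN.privatekey" -passin "$PASS" -noout -modulus 2>/dev/null)" ]
}

# "Intermediary Certificate Linking": with only the root trusted, verification fails;
# supplying the intermediate (what Link does on the NetScaler) makes it succeed.
# Returns 0 only when both halves behave that way.
verify_chain() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/$CN.crt" >/dev/null 2>&1; then
    echo "unexpected: verified without the intermediate" >&2
    return 1
  fi
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/$CN.crt" \
    >/dev/null 2>&1
}

run_all() {
  gen_key && gen_csr && make_test_ca && issue_server_cert && verify_chain
}

# Stand-alone use: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
  run_all && echo "chain verified: $CN -> Lab Intermediate CA -> Lab Root CA"
fi
```

The files land in $WORK (a fresh temp directory unless you set WORK); the .privatekey, .csr and .crt names match the ones used in the guide so they can be compared against what the NetScaler holds in /nsconfig/ssl.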
XenApp & XenDesktop 7.14 Installation
As part of the NetScaler gateway setup we are going to create a fully self contained Citrix XenApp and XenDesktop (referred to from now on as XAXD) Delivery Controller (aka Desktop Delivery Controller – DDC).
Prerequisites
● Windows 2012/2016 Server & Domain joined
● You have patched the server and installed KB2919355 - Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update: April 2014 (prerequisite patch)
(Note: If you download this update without updating the Operating system first it may say the patch is not applicable. If this happens, run Windows Update first and then try reinstalling the patch)
● Downloaded copy of XA&XD ISO from myCitrix.com website
● Local administrative rights to the W2012 Server where you are installing XA/XD
● You can avoid the locate media prompts if you extract the ISO locally for a ‘locatable’ installation post reboots
Install XA/XD Software
1. Log into your 2012 server
2. Right click and ‘mount’ the XAXD ISO
3. Run the autoselect
4. Click start on XenDesktop
5. Click Delivery Controller
6. Read and accept the license agreement and click Next
7. Install All Core Components
8. Select all optional features Click Next
Copyright © 2017 www.mastersof.cloud
Page: 58
9. Click Next
10. Click Install
Copyright © 2017 www.mastersof.cloud
Page: 59
11. Reboot
12. After restart it may prompt for XD install media – as the ISO wont be mounted and the installer won't be able to find the ISO – simply click cancel Remount the ISO (right click + mount) Run Auto Select, Select XenDesktop Select Delivery Controller The installation will continue
Copyright © 2017 www.mastersof.cloud
Page: 60
13. Reboot when prompted
14. After restart it may prompt for XD install media – as the ISO wont be mounted and you won't be able to find the ISO – simply click cancel Remount the ISO run Auto Select Select XenDesktop Select Delivery Controller The installation will continue
Copyright © 2017 www.mastersof.cloud
Page: 61
15. Skip the Smart Tools connection
16. At Completion, ensure Launch Studio is selected and click Finish
Copyright © 2017 www.mastersof.cloud
Page: 62
Create the XA/XD Site
1. Citrix Studio will launch after setup / install
2. Select Site Setup - Deliver applications and desktops to your users
3. Select Fully Configured. In this example we will set up the site name as Production
4. Select the default Create and set up databases from Studio. The SQL Express setup will be detected and the details entered
5. In this example we will select the 30 day trial and proceed with the defaults
6. In this example, as this is a standalone XA/XD machine, we will not set up a hypervisor connection (machine management)
7. We will not install the AppDNA or App-V Publishing features. These can be added later if required
8. Review the summary page and click Finish
Install the XA/XD VDA (Virtual Delivery Agent)
1. Mount the XA/XD ISO and run AutoSelect.exe
2. Select Prepare Machines and Images – Virtual Delivery Agent for Windows Server OS
3. Select Enable connections to a server machine
4. Leave the defaults and click Next
5. Do not select any additional components. Click Next
6. Select Do It Manually for the location of the Delivery Controller. Enter the localhost server name for the Controller address (itself). Click Test Connection and click Add (the Next button will only highlight after this). Click Next. (Note that you can allow MCS or AD discovery to set this up for you automatically; this is recommended in a production environment)
7. Select all Features. Click Next
8. Click Next
9. Click Install
10. Reboot when prompted
11. Cancel the ‘locate media’ prompts
12. Remount the ISO, run AutoSelect, re-select Prepare Machines and Images – Virtual Delivery Agent for Windows Server OS
13. The installation will continue
14. Click Finish
Create a Machine Catalog
1. Once the Site has been set up the console will be ready. Click Set up machines for desktops and applications or remote PC access
2. Click Next
3. Select Server OS and click Next. We will install this on the XA/XD DDC for demo purposes only (not recommended in production)
4. As we previously did not set up machine management, leave the default options selected
5. Click Add computers. Enter your server name and add your DDC. Click Next
6. Give your machine catalog a name and description. Click Finish
7. Click Delivery Groups – 3. Set up delivery groups to assign desktops and applications to your users
8. Click Next
9. Select the (only) Machine Catalog created in the previous steps. Click Next
10. Browse your AD configuration for the users you wish to have permission to launch these desktops. In our example we will simply choose home\domain users (not recommended for production)
11. Skip the application selection / publication
12. Assign the desktops (for VDI): click Add. Set up the desktop as follows, assigning a display name and description and restricting the desktop to specific domain users (in this instance we have again selected Domain Users). Ensure Enable desktop is selected. Click Next. Note: You could also select ‘allow everyone with access to this delivery group to use a desktop’, which simplifies permissions management but assumes you want all users of this delivery group to have access to a Citrix Desktop
13. Enter a name for the delivery group, enter a description and click Finish
Test the Citrix Desktop Launch
1. Open a browser locally on the Citrix server. The default page will already be set up and created for you at http://localhost/Citrix/StoreWeb/
2. Log in as a member of the group that has access to the desktop published in the previous steps – in our example we can log in as any user who is a member of ‘Domain Users’ (all user accounts by default)
3. Select the Desktops tab and click the Server Desktop
4. If the setup has been successful the Citrix desktop session will start
StoreFront Configuration
Whilst the StoreFront site will already be preconfigured by the XA/XD setup wizard, there are some settings we need to set up in order for the NetScaler to be able to connect to the StoreFront server and launch sessions.
Prerequisites
● You will need to know the FQDN of your NetScaler Gateway
● The internal or private IP address of the VIP assigned to the NetScaler Gateway*
● Know the details of your Citrix Server STA (our Citrix DDC(s))
* The StoreFront server must be able to communicate directly with the VIP of the NetScaler Gateway; otherwise, when the StoreFront server resolves the FQDN it will resolve the internet IP address and potentially will not work.
Modify the Default Store
1. Log into Citrix Studio. Expand Citrix StoreFront. Select the existing store ‘Store Service’. Click Manage NetScaler Gateways
2. Click Add. Enter the Display name and the FQDN of the external Gateway URL (in this example my gateway FQDN is ‘gateway.jsconsulting.services’). Click Next
3. Click Add. Enter the name of your DDC. In our example we only have one server – which is http://citrixserver.home.local/scripts/ctxsta.dll. Click Next
4. Enter the callback URL of the NetScaler Gateway, ensuring your StoreFront server is able to resolve the FQDN to an internal/private IP address. Click Create
5. Close the Manage NetScaler Gateways screen
6. Ensure the StoreFront / Citrix server can resolve the FQDN to the inside IP address of the NetScaler Gateway. Use locally managed DNS if you have the zone configured on your local DNS server(s), or use the Windows hosts file to add a private entry.
Note: The Windows hosts file is located in c:\windows\system32\drivers\etc\hosts and has no extension. You may need to copy it to the user's desktop first, edit the file, and copy it back due to Windows User Account Control (UAC)
7. Ensure the StoreFront server resolves the FQDN to the NetScaler inside VIP address
Note: In production environments ping may not be allowed between the NetScaler network and the StoreFront network(s) – you need to ensure that TCP 443 is opened and allowed through the firewall from the StoreFront servers to the NetScaler VIP
8. Back in Studio, expand Manage Authentication Methods
9. Ensure Pass-through from NetScaler Gateway is ticked
10. Back in Studio, select your store and click Configure Remote Access Settings. Ensure you Enable remote access. Select No VPN Tunnel. Tick the NetScaler Gateway appliance listed. Click OK
Create a New StoreFront Store - Stand Alone
1. Open the Citrix StoreFront console. Expand Citrix StoreFront. Click Stores. Click Create Store
2. Click Next
3. Give the store a name. Select Set this Receiver for Web site as IIS Default. Click Next
4. Click Add. On the Add Delivery Controller screen click Add. Add the Delivery Controller's FQDN. Untick Servers are load balanced. Select Transport type as HTTP (you should use HTTPS if the SF server is in a DMZ or for extra security). Click OK
5. Click Next
6. Enable Remote Access. Ensure Allow users to access resources only delivered through StoreFront (No VPN Tunnel) is selected. Click Add
7. Enter the details for the new gateway. Example: my gateway is called gateway.jsconsulting.services and the URL is https://gateway.jsconsulting.services. Click Next
8. On the STA screen click Add. Enter the FQDN of the Citrix XA/XD server
9. Enter the FQDN of the STA server. Click OK
10. Untick Load balance multiple STA servers. Tick Enable session reliability. Untick Request tickets from two STAs, where available. Click Next
11. Enter the NetScaler details – leave logon type as Domain. Enter the Callback URL as the same entered in step 6, https://gateway.jsconsulting.services. Click Create
13. Ensure the default appliance is the NetScaler appliance created / added in steps 1 through 12. Click Next
14. Ensure that both methods of authentication are selected – Username and password and Pass-through from NetScaler Gateway. Click Next
15. Leave both options ticked. Click Create
16. Click Finish
17. Back in the StoreFront console click the Receiver for Web Sites tab and copy your StoreFront URL. Open your internet browser and test this URL and https://gateway.jsconsulting.services
NetScaler Gateway - ICA Proxy
Overview Diagram
Prerequisites
● DNS is configured on the NetScaler correctly
● The internal or private IP address of the VIP assigned to the NetScaler Gateway *
● Know the details of your Citrix Server STA (our Citrix DDC(s))
● Firewall ports are open between the NetScaler and the StoreFront server
● StoreFront already configured and set up (otherwise retrieve attributes won’t work)
In this section of the course we will connect the NetScaler to our basic Citrix XA/XD environment. Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Gateway. NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not – please just follow along with this guide to understand the steps involved, or follow the previous XA/XD and StoreFront setup guides.
Configure the NetScaler Gateway for XA/XD - Wizard
1. Log into the NetScaler GUI
2. Under Integrate with Citrix Products, click XenApp and XenDesktop. Click Get Started
3. Ensure StoreFront is selected and click Continue on the Prerequisites. NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not – please just follow along with this guide to understand the steps involved.
4. Provide the details that are relevant to your StoreFront and Citrix XenApp setup. Gateway FQDN: gateway.jsconsulting.services. Gateway IP Address: the inside private IP address for the Virtual Server (aka VIP). Port: 443 (SSL). Redirect: tick this option if you are also forwarding HTTP traffic to this VIP so the NetScaler will redirect the users to HTTPS. Then click Continue. Note: In this guide we are using these specific details as working examples – you should use the appropriate settings for your environment
5. Because we enabled port 80 redirection the wizard will enable the Load Balancing feature on the NetScaler – click Yes
6. Select the certificate you have previously installed on the NetScaler. Note: you should have the complete certificate chain installed on the NetScaler – a later video will go through these steps to ensure the complete certificate chain is installed. Click Continue
7. Keep Authentication as Domain. Select Use Existing Server. Select the server that has the ‘NSUsers’ profile associated (servers are listed in order of creation, so usually the second server in the list)
8. Click Continue
9. Enter the details of your StoreFront server. The Retrieve Stores button will not work if the StoreFront server is not configured. You will not be able to proceed with this wizard if you can't ‘retrieve stores’, as the wizard will not let you proceed manually. In this example our StoreFront and Citrix XenApp are installed on the same box, so the URLs can point to the same server
10. Click Continue
11. On the summary page, now that all the basic settings have been entered, you can click Done
NetScaler Unified Gateway
Prerequisites
● DNS is configured on the NetScaler correctly
● The internal or private IP address of the VIP assigned to the NetScaler Gateway *
● Know the details of your Citrix Server STA (our Citrix DDC(s))
● Firewall ports are open between the NetScaler and the StoreFront server
● StoreFront already configured and set up (otherwise retrieve attributes doesn't work)
In this section of the course we will connect the NetScaler to our basic Citrix XA/XD environment. Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Gateway. NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not – please just follow along with this guide to understand the steps involved, or follow the previous XA/XD and StoreFront setup videos.
Create the NetScaler Unified Gateway – Wizard
1. Log into the NetScaler. Click Unified Gateway in the left pane under ‘Integrate with Citrix Products’
2. Click Get Started
3. Click Continue
4. Enter the following details as appropriate for your configuration
5. Use the existing certificate already installed. Click Continue
6. Select the appropriate LDAP server. Click Continue
7. Change Portal Theme to the new RfWebUI (note RfWebUI does not currently work with SAML)
8. Click the + icon
9. Select XenApp & XenDesktop. Select Integration Point as StoreFront
10. Enter the details of your XA&XD STA and StoreFront server URLs, then click Retrieve Stores. The Receiver for Web path will appear and be validated. Click Continue
11. Click Done
12. You will be returned to the Applications page and a StoreFront application will appear
13. Click Continue
14. On the summary page click Done
15. Access the Unified Gateway page and check you can log into the NetScaler page
16. Select Clientless Access. Click Desktops and ensure you can see your XA&XD desktops. Load the desktop to ensure a full end to end test is performed
NetScaler Gateway - SSL VPN
Create a Basic NetScaler Gateway for SSL VPN
Prerequisites
● NetScaler configured with IP address and certificates, and accessible from the clients either internally or remotely over the internet.
● Ensure Split Tunnelling is Off
● Port 443 forwarded from the firewall / router to the NetScaler VIP
● Ensure the Default Authorization on the global configuration is set to Allow
1. Check the NetScaler Gateway feature is enabled
System > Settings > Configure Basic Features
2. Ensure the Global Settings for NS Gateway are set to Allow
3. Expand NetScaler Gateway. Click NetScaler Gateway Wizard
4. A separate wizard page will open. Click Get Started
5. Provide the details of your new gateway. Note: my details are provided as an example only
6. Select the existing certificate already installed on your NetScaler. Click Continue
7. Select the default authentication of Local and don't select a secondary auth method. Once the wizard has completed, create a user called nsgw-localuser with password <yourpassword> under User Administration > AAA Users > Add button. Click Continue
8. You may close the dashboard that is opened by default after creation of the new gateway
9. Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from). Open a web browser to the NetScaler VIP. Log in
Install the NS Gateway Plugin - Windows
Prerequisites
● You should be a local administrator of the device where you are installing the gateway plug-in
1. Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from). Open a web browser to the NetScaler VIP. Log in
2. Select Network Access
3. Click Download
4. Click Run
5. Click Install. Note: You must be a local administrator to install this software
6. Click Yes to any Windows UAC prompts
7. Click Finish
8. The Gateway VPN will connect automatically and the web page will display the NetScaler VPN Home Page.
Create a NetScaler Gateway Preauthentication Policy
1. Expand NetScaler Gateway > Policies > Preauthentication
2. Click Add
3. Name the policy something like PreAuthPol_Notepad-is-running. Click the + next to Request Action. Note: you can call it whatever you want; I like to keep a standard format when creating policies and profiles so they are distinguishable in the various screens and in the ns.conf file as well
4. Click Create
5. Click Expression Editor. Select Expression Type of Client Security. Component: Process. Name*: notepad.exe. Operator: EXISTS. Then click Done
6. Note the expression is automatically created for you now as:
CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS
7. Click Create
8. Bind the new policy globally. Select NetScaler Gateway > NetScaler Gateway Policy Manager
9. Click the + on AAA Global
10. Click Add Binding
11. Click in the Click to Select box
12. Select the only PreAuth policy available. Click Select
13. Click Bind
14. Click Done
15. Click Done
16. Browse to the gateway and check that the EPA scan is invoked before you type in any authentication credentials. Click Yes
17. EPA scan with Notepad not running
18. EPA scan with Notepad running. Your users can now authenticate
19. Authenticate against the NetScaler page again and then confirm you can access all NetScaler resources
Configure NetScaler Gateway with Split Tunnelling
1. In order that our users' devices know which network is ‘local’ and which network is remote, we need to define our remote network resources
2. First we ensure that split tunnelling is enabled: NetScaler Gateway > Global Settings > Change Global Settings. Click the Client Experience tab. Change Split Tunnel* to ON. Click OK
3. Expand NetScaler Gateway > Resources > Intranet Applications. Click Add
4. Here we add the remote networks we want the users / VPN tunnel to have access to when the Gateway client is logged on. In this example we will use the full home.local network. Click Create
5. Browse back to the NetScaler Gateway > Global Settings tab. Click Define intranet applications...
6. Click Add
7. Click the right arrow (or the + symbol next to the resource) to include the new intranet resources for our split tunnel. Click OK
8. Save your NetScaler configuration
9. Test your VPN connectivity
Create Authorisation Policies for NS Gateway
1. Expand NetScaler Gateway > Global Settings > Change Global Settings
2. Click the Security tab. Change Default Authorization Action to DENY. Note: This change will affect all gateways configured on the NetScaler that do not specifically reverse it.
3. Expand NetScaler Gateway > Policies > Authorization Policies. Click Add
4. Create a new policy. In this example we will call it AuthPol_VPN_192.168.1.1, as the only ‘destination’ this policy will allow is 192.168.1.1
5. Click Switch to Classic Syntax. Click Expression Editor
6. Enter the IP address details of the destination IP you want to allow access to into the Expression Editor
7. Click Create. Note: the Reg Expression has been ‘built for you by the editor’; you can type these manually if you know the commands (or find them online!)
8. Bind this new policy to a NetScaler user: NetScaler Gateway > User Administration > AAA Users. Select the user and click Edit. Click + Authorization Policies. Select the authorization policy. Click Bind. Tip: to bind this to LDAP users you must have a local username that matches
Setup NetScaler Gateway VPN to use a LDAP Authentication Policy
1. Let’s bind the LDAP_NetScaler_Users policy now to this VPN / Gateway
2. Browse to the gateway and click Edit
3. Click the + on Basic Authentication. Choose LDAP as the policy. Choose Primary Authentication. Click Continue
4. Select the LDAP policy you have created for NetScaler Users (and not administrators)
5. Click Done
6. Test and confirm
7. We must create an AAA Group and bind an authorisation policy to this group. Expand NetScaler Gateway > User Administration > AAA Groups. Click Add
8. Create a group name that MATCHES (case sensitive) the AD group specified in the LDAP policy/profile. Click OK
9. Attach the authorization policy to this group. Click + Authorization Policies on the right
10. Click the > to bring up the policy selection window
11. Select the authorization policy previously created
12. Click Bind
Configure NetScaler Gateway with SAML for ICA Proxy (Federated Authentication)
Prerequisites
● Citrix FAS service installation
● XA/XD 7.6 or newer
● StoreFront 3.6 or newer (I've tested with 3.9)
● SAML provider acting as the IdP (Google in this instance)
● NetScaler Gateway configured as the SP
● Active Directory Certificate Services
● Access to edit Windows GPOs and OUs to assign the CFAS service its service location
Create NetScaler SAML Policy to 3rd Party IdP (Google)
In this section we will create a new SAML policy for the NetScaler to use Google as the SAML IdP. Note: this cannot be bound to a Gateway when using the RfWebUI ‘theme’.
1. Connect to admin.google.com
2. Click Apps
3. Click SAML Apps
4. Click the + to add a new SAML application
5. Select Setup my own custom app
6. Take note of the IdP data you are provided and copy and paste your URL. Be sure to DOWNLOAD the certificate and save this for uploading to the NetScaler later.
8. Note: the default ACS URL for the NetScaler must have a trailing /cgi/samlauth
10. Summary of the app SSO setup in the Google admin panel
11. Be sure to enable the new application: click the three dots ... and select ON for everyone. Note: this new configuration can take up to 24 hours to be available. Prior to this being ready you may get a ‘user not found’ message.
12. Note: users will have access to a shortcut to this new app in their Google console
13. Upload the Google IdP certificate to the NetScaler
14. Install the CA certificate
15. Here you can see the certificate installed as another CA certificate
16. Expand NetScaler > Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > SAML > Policies > Servers. Enter the appropriate details for your new SAML profile. Note: the redirect URL and Single Logout URL will be unique to your Google account
17. Create a new SAML authentication policy, set the expression of this policy to ns_true and link it to the newly created Google SAML server
18. Bind this policy to your NetScaler Gateway. Click the + against Basic Authentication. Note: You may need to remove other authentication policies (like LDAP) from the bound authentication before adding the SAML policy as the primary method.
19. Choose SAML. Choose Primary. Click Continue
20. Select the SAML binding
21. Edit the NetScaler Gateway session profile (Session Server) and blank the Single Sign-on Domain field: NetScaler Gateway > click Session Policies
22. Select the policy and edit the profile
23. Ensure Single Sign-on Domain is empty
24. Ensure your Google email matches your AD User Logon Name
25. If not, you can add a new UPN for the domain from Active Directory Domains and Trusts
26. Add any additional UPN suffix you may require to match your Google email sign-in
Install The Citrix Federated Authentication Service (CFAS)
1. Mount the XA/XD ISO on your server and select the Federated Authentication Service
2. Read the license agreement and make your choice
3. Click Next
4. Click Next
5. Click Install
6. Click Finish
7. Create the GPO to point the FAS server to itself (see step 9). When the GPO exists the ‘address’ field will be filled in for you automatically
8. Copy the Citrix ADMX files from C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions to Active Directory c:\windows\policydefinitions
9. Edit group policy to have the server point to itself for FAS: open gpmc.msc and browse to Computer > Administrative Templates: Policy > Citrix Components > Authentication. Enter the DNS server address of the server hosting the FAS service (as per screenshot). Note: the VDA(s), the StoreFront and the FAS server all need to have this policy applied
10. Run gpupdate /force
11. Right click the CFAS Administration console and always Run As Administrator
12. You should now have the CFAS server listed. Click OK
13. Click on Step 1 - Start button
14. Click OK
15. You can verify the creation of the templates in ADCS
16. Once this is completed without errors click Start on Step 2
17. Click OK
18. Finally click Start on Step 3
19. Click OK
20. The console is waiting for the request to be approved (issued) from AD Certificate Services
21. Log into ADCS and approve the pending certificate request. Right click the pending request. Select All Tasks. Select Issue
22. Step 3 will go green
23. Click the User Rules tab and configure CA, CT and Access Control Lists if appropriate
24. Click Edit and add the StoreFront server to be able to use the ‘rule’. Remove Domain Computers as they will be set to ‘deny’
25. Click Apply
Configure StoreFront to Delegate Authentication to NetScaler
1. Open Citrix Studio or StoreFront management
2. Select your store and click Manage Authentication Methods
3. Click Pass-through from NetScaler Gateway > Configure Delegated Authentication
4. Click OK
5. Note: You will need to trust requests sent to the DDC XML ports for all DDC servers. RDP to each Delivery Controller as a Citrix or local administrator. Open PowerShell, type ‘asnp Citrix*’, then type:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
6. Note: You can verify if this was successful by running Get-BrokerSite
Configure NetScaler High Availability
Prerequisites
● Two NetScaler devices on the same network, both with NetScaler IPs (NSIPs) assigned
● The devices must be able to communicate with each other on TCP 3003
● No other NetScaler devices already joined as part of an HA pair
● On creation of the HA pair the NetScalers may temporarily disconnect active ICA sessions
● The same firmware version must be deployed on both NetScaler appliances before configuring HA
● The primary NetScaler should be set to ‘stay primary’
Deploy Secondary NetScaler
1. Power on and deploy another, secondary NetScaler 11.1.x
2. Assign this device a new NSIP (one that’s obviously not in use), then reboot the NetScaler
3. Be sure to apply a NetScaler license (see Install the NetScaler Trial License). You can skip the Subnet IP address addition in the Welcome wizard as it will get this configuration when HA is set up. You just need to configure the timezone, DNS and hostname and install the trial license
Setup High Availability – NetScaler 1
Step Description Screenshot
1. Log into NetScaler 1
2. (Recommended) During the setup – Set the Synchronisation state of the Primary (First) NetScaler as ‘Stay Primary’ Expand System > High Availability
3. Select the NetScaler, click Edit, change HA Status to Stay Primary and click OK
4. Click Add, enter the details of the secondary NetScaler provisioned earlier, then click Create
5. Under System > High Availability, check that there are now two NetScaler nodes listed
6. Save the config
7. Synchronisation should read ‘Success’
HA Failover NetScaler 1 to NetScaler 2
Now that the NetScalers are synchronised we can fail the active / primary node over from NS1 to NS2 and check that all services are still up and running.
Step Description Screenshot
1. Log into NetScaler 1
2. Check that the IP assignments on this NetScaler are all showing as Active
3. Check that the SSL certificates are available on the secondary node and that they have synchronised fully
4. Under System > High Availability, select NS1 and change High Availability Status to Enabled (Actively Participate…), then click OK
5. Select Action > Force Failover
6. Click OK
7. Confirm NS1 is now the ‘secondary node’
8. Connect to the NS2 administration URL (in this example it is https://192.168.1.60) and ensure the device Master State is now Primary
9. Confirm that settings such as the IP addresses are all active on this NetScaler (and not passive)
10. Test the Gateway virtual server: ensure the page displays and perform a full end to end connection test
NetScaler Load Balancing
Prerequisites
Description
● Two web servers (Linux or Windows), each publishing a simple HTML page with a red or blue background, i.e. the services you want to load balance
● A new internal virtual IP address for the virtual server (the load balanced VIP) on a network
● A target service that represents the application on the servers (e.g. port 80 for web traffic)
Enable the Load Balancing Feature
Step Description Screenshot
1. Expand Traffic Management, right click Load Balancing and select Enable Feature (assuming your NetScaler is licensed for this)
2. The exclamation mark should disappear once the feature is enabled
Setup Basic HTTP Load Balancing, Service Groups and Monitors
Step Description Screenshot
1. Expand Traffic Management, right click Load Balancing and select Enable Feature
2. Select Servers, click Add and enter the details of the server. In our example we will add 192.168.1.11, which is a Windows server running AD, DNS and IIS, and a second server at 192.168.1.12 running IIS only. Click Create. Note: Repeat these steps for each server name or IP address whose services you want to load balance
4. Add your service(s). These are the services you want to bind to the servers added in the previous step, for example: web traffic (port 80 or 443), DNS traffic (port 53), LDAP traffic on 389 or 636 (secure)
5. Change the default monitors on these services: select the service > Edit > Monitors
6. Click Add Binding, select the HTTP monitor, keep the defaults in the Configure Monitor window and click OK
7. Optional: create a service group. Note: A service group is an easier way to bind monitors to these ports for both services rather than configuring each service individually
8. Click Traffic Management > Load Balancing > Virtual Servers, then click Add
9. Enter the details of the new load balancing virtual server. The IP address is the virtual IP (VIP) you assign to the NetScaler, and it is the address clients must be able to resolve and connect to directly. Add this VIP to your DNS FQDN so clients can resolve the load balancing service correctly
10. Choose whether to bind services directly or to bind service groups; click either of the following options. We will choose the service group binding. Note: Service groups allow you to manage multiple groups of services for things like binding, monitoring etc.
11. Select the Service Group created in the previous steps - lbsg_http_webservers01_02
12. On the LBVS click the + on Method, change the load balancing method to ROUNDROBIN, click OK and then click Done. Note: You can choose any load balancing method; we are just using Round Robin as an example
13. Click Done
14. Connect to the LBVS IP address and you should see that you are being load balanced between the servers in the service group in a round robin fashion
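Step 14 can be confirmed without eyeballing page colours. The Python script below is an added example, not part of this guide, that requests the LBVS address repeatedly and records which backend answered. It assumes the two web servers from the prerequisites return a page whose body tag carries the red or blue background (bgcolor or an inline background-color style), that the VIP URL is passed on the command line (http://192.168.1.200/ is a constructed placeholder), and that no persistence is bound to the virtual server. The round robin check is written for any number of backends, not just the two in the guide.

```python
"""Probe a NetScaler load balancing VIP and check the distribution is round robin.

Added example for the guide, not the guide's own code. Assumptions: the
backends' pages carry a red or blue <body> background; no persistence is
configured on the LBVS; the VIP URL below is a constructed placeholder.
"""
import re
import sys
import urllib.request
from collections import Counter

BODY_TAG = re.compile(r"<body[^>]*>", re.IGNORECASE)
COLOURS = ("red", "blue")          # the colours the guide's two test pages use


def classify_backend(html: str) -> str:
    """Return 'red', 'blue' or 'unknown' from the colour named in the body tag."""
    match = BODY_TAG.search(html)
    if not match:
        return "unknown"
    tag = match.group(0).lower()
    for colour in COLOURS:
        if colour in tag:
            return colour
    return "unknown"


def tally(answers):
    """Count how many responses each backend served."""
    return Counter(answers)


def is_round_robin(answers) -> bool:
    """True when the sequence cycles through all backends with a fixed period.

    For k distinct backends, round robin means answers[i] == answers[i + k]
    for every i and the first k answers are all different.
    """
    if len(answers) < 2 or "unknown" in answers:
        return False
    k = len(set(answers))
    if k < 2 or len(set(answers[:k])) != k:
        return False
    return all(answers[i] == answers[i + k] for i in range(len(answers) - k))


def fetch(url: str, timeout: float = 5.0) -> str:
    """GET the VIP once on a fresh connection so each request is a new LB decision."""
    req = urllib.request.Request(
        url, headers={"Connection": "close", "User-Agent": "lb-probe/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe_vip(url: str, requests: int = 10):
    """Hit the LBVS repeatedly and return the sequence of backends observed."""
    return [classify_backend(fetch(url)) for _ in range(requests)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.200/"  # placeholder VIP
    seen = probe_vip(target)
    print("sequence   :", " ".join(seen))
    print("per backend:", dict(tally(seen)))
    print("round robin:", is_round_robin(seen))
```

If the sequence shows only one colour, check the service group binding and the monitor state of the second service before suspecting the LB method; a backend whose monitor is DOWN is simply skipped.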
NetScaler Support
Backup NetScaler Configuration
Note: when backing up the config of the NetScaler the following options are available. ‘NetScaler Basic backup’ backs up the config only (the more frequently updated files). ‘NetScaler Full backup’ includes the basic backup plus the /nsconfig/ssl, /nsconfig/license and /nsconfig/fips directories under nsconfig, /var/netscaler/ssl/* and /var/wi if you are using Web Interface on NetScaler (WIonNS). A full backup therefore contains your SSL private keys and should be stored and transferred with the same care as the keys themselves.
Step Description Screenshot
From the Shell
1. Open PuTTY and SSH into your NetScaler
2. Type ‘save ns config’
3. Type ‘create system backup [name] -level <basic | full> -comment ‘string’’
Example: create system backup -level full (creates a backup without a comment). Example: create system backup -level full -comment “This is a Full NS Backup”
4. Confirm the backup completed: type ‘show system backup’
From the GUI
5. Open the NetScaler GUI
6. Select System > Backup and Restore (the last option in the System list). Note: you will see the backup already created from the shell in the previous steps if you followed that section
7. Click Backup
8. Enter the information as shown (leave the filename empty to use the default naming scheme again) and click Backup. Note: Add allows you to upload a previously downloaded NetScaler backup tar file
9. Back in the shell you can view both backups with the show system backup command: type ‘show system backup’
Firmware Upgrade of the NetScaler HA Pair
In this section we walk through a simple firmware upgrade of our production NetScalers, which are in an HA pair: upgrade the passive node first, disable HA sync, reboot, confirm the device is OK, then force an HA failover and repeat the upgrade steps on the other NetScaler.
Step Description Screenshot
1. Download the latest firmware for Citrix NetScaler VPX
2. Open a PuTTY session, SSH to the passive NetScaler, log in as nsroot and type ‘shell’
3. Browse to /var/nsinstall by typing ‘cd /var/nsinstall’
4. Create a new directory called 12nsinstall: type ‘mkdir 12nsinstall’
5. Open WinSCP
6. In the WinSCP console browse to the newly created directory /var/nsinstall/12nsinstall and upload the NetScaler firmware downloaded in step 1
7. When the copy completes, extract the tar file: type ‘tar -zxvf ./build-12.0-41.22_ns_32.tgz’
8. Stop the replication between the NetScalers: type ‘set ha node -hasync disabled’. Note: newer versions of NetScaler do this automatically when they detect a version mismatch.
9. Once extraction is complete, run the upgrade script: type ‘./installns’
10. Reboot the NetScaler: type ‘y’ and press the enter / return key
11. Ensure the NetScaler has rebooted without errors or issues, then fail over the NetScalers. From the NetScaler CLI type ‘force HA failover’
12. Repeat all the above steps on the other NetScaler (the now passive node)
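Two of the archives handled in the last two sections deserve a look before they are moved around: a full system backup (previous section) carries the private keys from /nsconfig/ssl, and the firmware .tgz uploaded in step 6 should match the digest published for that build before anyone runs ./installns from it. The following Python script is an added example for this guide, not code from the guide or from Citrix, and is meant to run on the admin workstation. It assumes backup members are named relative to the root (nsconfig/..., var/netscaler/...) and that the firmware tarball carries installns at its top level, which is why the guide can run ./installns from the extraction directory; every sample archive it builds is constructed for the example, and the expected digest is a placeholder to be replaced with the value shown on the Citrix download page.

```python
"""Inspect NetScaler .tgz archives: classify a system backup and flag the
private keys it carries; verify a firmware bundle's digest and that it
contains installns at the top level.

Added example, not the guide's or Citrix's code. Member-name layout is an
assumption; all sample archives are constructed here.
"""
import functools
import hashlib
import hmac
import io
import tarfile

# Directories the guide says are only included by a full backup.
FULL_ONLY_DIRS = ("nsconfig/ssl/", "nsconfig/license/", "nsconfig/fips/",
                  "var/netscaler/ssl/", "var/wi/")
KEY_DIRS = ("nsconfig/ssl/", "var/netscaler/ssl/")
KEY_SUFFIXES = (".key", ".pem", ".pfx", ".p12")


def _names(archive: bytes):
    """Regular-file member names, lower-cased, without a leading ./ prefix."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return [m.name.lstrip("./").lower() for m in tar.getmembers() if m.isfile()]


def make_tgz(files: dict) -> bytes:
    """Build a gzip'd tar from {name: bytes}; only used to construct samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_backup(archive: bytes) -> dict:
    """Report basic/full level, file count and any private keys in the backup."""
    names = _names(archive)
    level = "full" if any(n.startswith(FULL_ONLY_DIRS) for n in names) else "basic"
    keys = sorted(n for n in names if n.startswith(KEY_DIRS) and n.endswith(KEY_SUFFIXES))
    return {"level": level, "files": len(names), "private_keys": keys}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_bundle(bundle: bytes, expected_sha256: str) -> dict:
    """Compare the bundle's SHA-256 with the published one and look for installns."""
    actual = sha256_hex(bundle)
    digest_ok = hmac.compare_digest(actual, expected_sha256.strip().lower())
    try:
        has_installer = "installns" in _names(bundle)
    except tarfile.TarError:          # not a readable tarball at all
        has_installer = False
    return {"digest": actual, "digest_ok": digest_ok, "has_installns": has_installer}


@functools.lru_cache(maxsize=None)    # cached: gzip stamps a time, so rebuilds differ
def sample_backup(full: bool) -> bytes:
    """Constructed stand-in for a basic or full 'create system backup' archive."""
    files = {"nsconfig/ns.conf": b"set ns config -IPAddress 192.168.1.50\n",
             "nsconfig/rc.netscaler": b"# constructed boot script\n"}
    if full:
        files["nsconfig/ssl/wildcard.cer"] = b"-----BEGIN CERTIFICATE-----\n"
        files["nsconfig/ssl/wildcard.key"] = b"-----BEGIN RSA PRIVATE KEY-----\n"
        files["nsconfig/license/trial.lic"] = b"# constructed licence file\n"
    return make_tgz(files)


@functools.lru_cache(maxsize=None)
def sample_firmware() -> bytes:
    """Constructed stand-in for build-12.0-41.22_ns_32.tgz (not the real build)."""
    return make_tgz({"./installns": b"#!/bin/sh\n# constructed installer stub\n",
                     "./ns-12.0-41.22.gz": b"constructed kernel image\n"})


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:            # usage: script.py firmware.tgz <sha256 from download page>
        with open(sys.argv[1], "rb") as f:
            print(check_bundle(f.read(), sys.argv[2]))
    elif len(sys.argv) == 2:          # usage: script.py backup.tgz
        with open(sys.argv[1], "rb") as f:
            print(inspect_backup(f.read()))
    else:                             # no arguments: run against the constructed samples
        print("backup sample  :", inspect_backup(sample_backup(True)))
        fw = sample_firmware()
        print("firmware sample:", check_bundle(fw, sha256_hex(fw)))
```

Only upload and extract a bundle whose digest_ok is True; a mismatch means the file is corrupt or is not the build you think it is, and the check is constant-time so the comparison itself leaks nothing. A backup report that lists private keys is a reminder that the archive must be treated as key material when it is downloaded from the appliance or copied between NetScalers.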
Clear the NetScaler Configuration
Per https://support.citrix.com/article/CTX112695/ the NS config can be cleared via the GUI or the shell.
Step Description Screenshot
From The GUI
1. Log into your NetScaler web GUI
2. Expand System > Diagnostics and click Clear Configuration under the ‘Maintenance’ section
3. Select Full. This resets the entire device except for the NSIP and the default gateway (management network connectivity and the device license are left untouched). Click Clear
Note: Force applies the changes without further prompts
4. Finally, you must save the configuration
5. Click System > Reboot for the changes to take effect
From the Shell
Open a PuTTY session to the NetScaler CLI and type ‘clear ns config -force full’
Type ‘save ns config’
Type ‘reboot’ and press enter