© 2013 Citrix Systems, Inc. All rights reserved.

App Orchestration 2.0

Configuring NetScaler Load Balancing and NetScaler Gateway for App Orchestration

Prepared by: Christian Paez

Version: 1.0

Last Updated: December 13, 2013

Contents

Introduction
NetScaler load balancing
  To configure load balancer certificates
  To configure the load balancer
NetScaler Gateway
  To configure NetScaler Gateway
  To configure LDAP authentication
  To create session policies
  To create a NetScaler Gateway virtual server
  To configure domains for clientless access
App Orchestration
  To configure App Orchestration for NetScaler Gateway
  To configure App Orchestration for load balancing
  To verify your configuration
References

Introduction

This document provides procedures for the end-to-end configuration of NetScaler and NetScaler Gateway in an App Orchestration environment to enable tenant user authentication and access to XenDesktop and XenApp resources.

The configurations of NetScaler and NetScaler Gateway are similar to the configurations used previously with Web Interface in App Orchestration 1.0. However, with StoreFront replacing Web Interface there are some key differences in the policies and the profiles used to enforce those policies.

NetScaler load balancing

For multiple server StoreFront deployments, external load balancing is required. You can use the NetScaler load balancing feature to optimize the distribution of tenant user connections across StoreFront servers in a multiple server deployment.

To configure load balancer certificates

The default, and recommended, configuration for StoreFront uses SSL to secure tenant user connections. To enable NetScaler to communicate with StoreFront, you must configure NetScaler with an SSL certificate.

1. To create a private key with which to access your certificate request, log on to the NetScaler configuration utility and, in the navigation pane, click Traffic Management > SSL. In the details pane, under SSL Keys, click Create RSA Key. Give the key file a suitable name to enable you to identify it, specify a Key Size of 2048 bits, and for the PEM Encoding Algorithm select DES3. Enter and verify a passphrase, then click Create and close the Create RSA Key dialog box.

2. In the details pane, under SSL Certificates, click Create CSR (Certificate Signing Request). Give the request file a suitable name to enable you to identify it, then browse to and select the private key that you created in the previous step. Select PEM as the key format and enter the passphrase you specified when you created the key. For the certificate Common Name, use the address used to access the website. Enter additional details as required for your organization. Use the passphrase that you specified when you created the private key as the Challenge Password. Click Create and then close the Create CSR (Certificate Signing Request) dialog box.

3. In the details pane, under Tools, click Manage Certificates/Keys/CSRs. Select the request file you created in the previous step and click Download. In the Download Files dialog box, specify a location in which to save the file and click Download. Once the file has been downloaded, close both dialog boxes.

Now you must create a certificate file to import into NetScaler. Although the following steps describe the use of Microsoft Active Directory Certificate Services, you can use your own certificate services server to create the file.

4. Run Internet Explorer as an administrator and browse to your certificate server. Click Request a certificate, click advanced certificate request, and then click Submit a certificate request by using a base-64. Using a text editor, open the file that you downloaded in the previous step and copy the entire contents. On the certificate server webpage, paste the copied text, which is the certificate request, into the Saved Request box. Set the Certificate Template to Web Server and click Submit.

5. On the Certificate Issued page, select Base 64 encoded and click Download certificate chain. Save the file to a suitable location so that it is available to be copied to NetScaler.

The downloaded file should have an extension of .P7B. Downloading the certificate chain means that the root certificate for the domain and any intermediate certificates are also included.

6. Double-click the downloaded file to open it and select Certificates. On the right side of the screen, the certificates you need to download are listed. Double-click the certificate with the website address that you entered as the common name in your request. Select the Details tab and click Copy to File to open the Certificate Export Wizard. Click Next. Select Base-64 encoded and click Next. Give the certificate a suitable name to enable you to identify it, click Next, and then click Finish. Repeat the process for any other certificates listed.

7. In the navigation pane of the NetScaler configuration utility, click Traffic Management > SSL. In the details pane, under Tools, click Manage Certificates/Keys/CSRs. Click Upload and, in the Select Files dialog box, select the certificates that you created in the previous steps. Click Select and, once the certificates have been uploaded, click Close.

8. In the navigation pane of the NetScaler configuration utility, click Traffic Management > SSL > Certificates and then click Install. Give the certificate key pair a suitable name to enable you to identify it. Under Certificate File Name, browse to and select a certificate that you uploaded in the previous step. For non-root certificates, under Private Key File Name, browse to and select the private key file you created earlier. You do not need to do this for root certificates. Enter the password that you used when you created the key and click Install. Repeat the process for any remaining certificates.

Finally, you must link the installed certificates to the root certificates. This enables the tenant users’ browsers, NetScaler, and StoreFront to make secure connections.

9. In the navigation pane of the NetScaler configuration utility, click Traffic Management > SSL > Certificates and select the newly installed certificate. Click Link, select the root certificate you installed, and click OK.

To configure the load balancer

NetScaler load balances connections to StoreFront server groups by pointing a virtual IP address to the IP addresses or host names of the StoreFront servers. Incoming requests to the virtual IP address are distributed to the StoreFront servers based on load balancing algorithms such as round robin or least connection.

1. To configure load balancing, log on to the NetScaler configuration utility and, in the navigation pane, click Traffic Management > Load Balancing > Servers. In the details pane, click Add and give the server entry a suitable name to enable you to identify the StoreFront server to which the entry relates. Enter the IP address of the server and click Create. Repeat the process for the remaining servers in the StoreFront server group. When you have created entries for all the servers, click Close.

You must now create services to map protocols to the servers, which enables NetScaler to send HTTP or SSL requests, for example, to the appropriate servers.

2. In the navigation pane, click Traffic Management > Load Balancing > Service Groups. In the details pane, click Add and give the service group a suitable name to enable you to identify it. On the Members tab, under Specify Member(s), click Server Based and select the servers that you created in the previous step. Enter the appropriate port number, leaving the remaining settings with their default values, and click Add.

3. Click the Monitors tab, select the appropriate monitor protocol, and click Add.

4. Click the Advanced tab and, in the Settings section, select the Override Global check box. Select Client IP and, in the Header box, type X-Forwarded-For. Click Create and then click Close.

You must now create the virtual server, which will be the IP address to which tenant users will connect.

5. In the navigation pane, click Traffic Management > Load Balancing > Virtual Servers. In the details pane, click Add and give the virtual server a suitable name to enable you to identify it. Select the appropriate protocol and specify the port to use. Enter the IP address for the virtual server.

The virtual server IP address should be set up for address resolution on your DNS server. This address must be unique and must not be in any DHCP scopes to prevent address conflicts.

6. Click the Service Groups tab and select the service group that you created in the previous steps.

7. Click the Method and Persistence tab. For the load balancing method, select Least Connection and, under Persistence, select COOKIEINSERT. You can use alternative load balancing and persistence settings if they are more appropriate for your deployment. Click the SSL Settings tab, select the load balancer certificate that you created earlier, and click Add. Click Create and then click Close.
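The certificate and load balancer procedures above leave a small set of objects in the saved configuration, which can be checked after the fact. The audit below is an added example, not part of the Citrix document: it assumes the configuration is available as NetScaler CLI lines, and the sample lines, object names, file names and addresses are constructed for illustration.

```python
import shlex

# Constructed sample in NetScaler CLI syntax; every object name, file name and
# address is hypothetical. -lbMethod is omitted: LEASTCONNECTION is the default.
SAMPLE_CONFIG = """\
add ssl certKey root_ca -cert root_ca.cer
add ssl certKey sf_lb_cert -cert storefront.cer -key storefront.key
link ssl certKey sf_lb_cert root_ca
add server sf01 192.0.2.11
add server sf02 192.0.2.12
add serviceGroup sg_storefront SSL -cip ENABLED X-Forwarded-For
bind serviceGroup sg_storefront sf01 443
bind serviceGroup sg_storefront sf02 443
bind serviceGroup sg_storefront -monitorName https
add lb vserver vs_storefront SSL 192.0.2.100 443 -persistenceType COOKIEINSERT
bind lb vserver vs_storefront sg_storefront
bind ssl vserver vs_storefront -certkeyName sf_lb_cert
"""

def split_args(tokens):
    """Separate positional arguments from '-option value...' groups."""
    positional, options, current = [], {}, None
    for tok in tokens:
        if tok.startswith("-"):
            current = tok[1:].lower()
            options[current] = []
        elif current is None:
            positional.append(tok)
        else:
            options[current].append(tok)
    return positional, options

def load(config):
    """Index the objects created by the certificate and load balancer steps."""
    model = {"certkeys": {}, "links": {}, "groups": {}, "vservers": {}}
    for line in config.splitlines():
        tok = shlex.split(line)
        words = [t.lower() for t in tok[:3]]
        two_word = words[1:2] == ["servicegroup"]   # 'add serviceGroup' has no third keyword
        verb = " ".join(words[:2] if two_word else words)
        pos, opt = split_args(tok[2:] if two_word else tok[3:])
        if verb == "add ssl certkey":
            model["certkeys"][pos[0]] = opt
        elif verb == "link ssl certkey":
            model["links"][pos[0]] = pos[1]
        elif verb == "add servicegroup":
            model["groups"][pos[0]] = {"opt": opt, "members": [], "monitors": []}
        elif verb == "bind servicegroup" and pos[0] in model["groups"]:
            group = model["groups"][pos[0]]
            group["members"] += [tuple(pos[1:3])] if len(pos) >= 3 else []
            group["monitors"] += opt.get("monitorname", [])
        elif verb == "add lb vserver":
            model["vservers"][pos[0]] = {"type": pos[1].upper(), "opt": opt,
                                         "groups": [], "certkey": None}
        elif verb == "bind lb vserver" and pos[0] in model["vservers"]:
            model["vservers"][pos[0]]["groups"] += pos[1:2]
        elif verb == "bind ssl vserver" and pos[0] in model["vservers"] and "certkeyname" in opt:
            model["vservers"][pos[0]]["certkey"] = opt["certkeyname"][0]
    return model

def audit(config):
    """Return findings where the configuration departs from the steps above."""
    model, findings = load(config), []
    for name, vs in model["vservers"].items():
        if vs["type"] == "SSL":
            ck = vs["certkey"]
            if ck is None:
                findings.append(f"{name}: no certificate bound to SSL virtual server")
            else:
                if "key" not in model["certkeys"].get(ck, {}):
                    findings.append(f"{ck}: no private key file on record")
                if ck not in model["links"]:
                    findings.append(f"{ck}: not linked to a root certificate")
        method = vs["opt"].get("lbmethod", ["LEASTCONNECTION"])[0].upper()
        persistence = vs["opt"].get("persistencetype", ["NONE"])[0].upper()
        if (method, persistence) != ("LEASTCONNECTION", "COOKIEINSERT"):
            findings.append(f"{name}: uses {method}/{persistence}, not the guide's settings")
        if not vs["groups"]:
            findings.append(f"{name}: no service group bound")
        for gname in vs["groups"]:
            group = model["groups"].get(gname, {"opt": {}, "members": [], "monitors": []})
            if group["opt"].get("cip", [])[:2] != ["ENABLED", "X-Forwarded-For"]:
                findings.append(f"{gname}: client IP not inserted as X-Forwarded-For")
            if not group["members"]:
                findings.append(f"{gname}: no servers bound")
            if not group["monitors"]:
                findings.append(f"{gname}: no monitor bound")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "configuration matches the steps above")
```

A method or persistence finding is informational only, since the guide allows alternative settings where they suit the deployment better.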

NetScaler Gateway

You can secure access to your App Orchestration deployment with NetScaler Gateway (formerly known as Access Gateway), which enables you to apply policy and action controls while providing tenant users with secure access to their desktops and apps.

To configure NetScaler Gateway

NetScaler Gateway enables you to apply endpoint analysis to user connection requests. You can use endpoint analysis to verify, for example, the operating system version and the presence of antivirus software before permitting user devices to connect to your network. But first, you must configure NetScaler Gateway with an SSL certificate.

1. To create a private key with which to access your certificate request, log on to the NetScaler Gateway configuration utility and, in the navigation pane, click Traffic Management > SSL. In the details pane, under SSL Keys, click Create RSA Key. Give the key file a suitable name to enable you to identify it, specify a Key Size of 2048 bits, and for the PEM Encoding Algorithm select DES3. Enter and verify a passphrase, then click Create and close the Create RSA Key dialog box.

2. In the details pane, under SSL Certificates, click Create CSR (Certificate Signing Request). Give the request file a suitable name to enable you to identify it, then browse to and select the private key that you created in the previous step. Select PEM as the key format and enter the passphrase you specified when you created the key. For the certificate Common Name, use the address used to access the website. Enter additional details as required for your organization. Use the passphrase that you specified when you created the private key as the Challenge Password. Click Create and then close the Create CSR (Certificate Signing Request) dialog box.

3. In the details pane, under Tools, click Manage Certificates/Keys/CSRs. Select the request file you created in the previous step and click Download. In the Download Files dialog box, specify a location in which to save the file and click Download. Once the file has been downloaded, close both dialog boxes.

You can use either Active Directory Certificate Services or your own certificate services server to create a certificate file to import into NetScaler Gateway.

4. To use Active Directory Certificate Services, run Internet Explorer as an administrator and browse to your certificate server. Click Request a certificate, click advanced certificate request, and then click Submit a certificate request by using a base-64. Using a text editor, open the file that you downloaded in the previous step and copy the entire contents. On the certificate server webpage, paste the copied text, which is the certificate request, into the Saved Request box. Set the Certificate Template to Web Server and click Submit.

5. On the Certificate Issued page, select Base 64 encoded and click Download certificate chain. Save the file to a suitable location so that it is available to be copied to NetScaler Gateway.

The downloaded file should have an extension of .P7B.

6. Double-click the downloaded file to open it and select Certificates. On the right side of the screen, the certificates you need to download are listed. Double-click the certificate with the website address that you entered as the common name in your request. Select the Details tab and click Copy to File to open the Certificate Export Wizard. Click Next. Select Base-64 encoded and click Next. Give the certificate a suitable name to enable you to identify it, click Next, and then click Finish. Repeat the process for any other certificates listed.

7. In the navigation pane of the NetScaler Gateway configuration utility, click Traffic Management > SSL. In the details pane, under Tools, click Manage Certificates/Keys/CSRs. Click Upload and, in the Select Files dialog box, select the certificates that you created in the previous steps. Click Select and, once the certificates have been uploaded, click Close.

8. In the navigation pane of the NetScaler Gateway configuration utility, click Traffic Management > SSL > Certificates and then click Install. Give the certificate key pair a suitable name to enable you to identify it. Under Certificate File Name, browse to and select a certificate that you uploaded in the previous step. For non-root certificates, under Private Key File Name, browse to and select the private key file you created earlier. You do not need to do this for root certificates. Enter the password that you used when you created the key and click Install. Repeat the process for any remaining certificates.

9. To link the installed certificates to the root certificates, in the navigation pane of the NetScaler Gateway configuration utility, click Traffic Management > SSL > Certificates and select the newly installed certificate. Click Link, select the root certificate you installed, and click OK.

To configure LDAP authentication

You can enable authentication integration between NetScaler Gateway and Active Directory (or other directory services). To do this, you add an authentication connection between NetScaler Gateway and the domain controllers in your environment.

1. To add an authentication connection, log on to the NetScaler Gateway configuration utility and, in the navigation pane, click System > Authentication > LDAP.

2. In the details pane, click Add and give the authentication server a name that enables you to identify its function. Enter the IP address of your domain controller, specify the port to use, and, for Type, select AD. Under Connection Settings, specify the distinguished name of the tenant user domain and enter the Active Directory name and password for an administrator account. Click Create and then click Close.

For security reasons, Citrix recommends that you use SSL for LDAP authentication and that the account you use for administrator binding should have only the permissions necessary to perform the validation.

To create session policies

Session policies contain logic that NetScaler Gateway applies to determine whether to permit or deny access. These policies can be used to restrict access to system resources for user devices that do not meet specific criteria.

For the configuration described in this document, you must set up one profile for Citrix Receiver and another for Receiver for Web sites. Each connection requires its own policy and the policies use profiles for connection-specific information, such as the StoreFront URL.

1. To create a profile for Citrix Receiver, log on to the NetScaler Gateway configuration utility and, in the navigation pane, click NetScaler Gateway > Policies > Session. In the details pane, click the Profiles tab and click Add. Give the session profile a suitable name to enable you to identify it and click the Client Experience tab. Under Home Page, Clientless Access, and Single Sign-on to Web Applications, select the Override Global check boxes. For the Home Page, enter the URL of the load balancer you created earlier. Set Clientless Access to On and select the Single Sign-on to Web Applications check box.

2. Click the Security tab and, under Default Authorization Action, select the Override Global check box and set the action to ALLOW.

3. Click the Published Applications tab and, under ICA Proxy, Web Interface Address, and Single Sign-on Domain, select the Override Global check boxes. Set ICA Proxy to OFF and, for Web Interface Address, enter the URL of the load balancer you created earlier. For Single Sign-on Domain, specify the domain name. Click Create and then click Close.

You must now configure a policy for Citrix Receiver that uses this profile.

4. In the navigation pane, click NetScaler Gateway > Policies > Session. In the details pane, click the Policies tab and click Add. Give the session policy a suitable name to enable you to identify it and, under Request Profile, select the profile that you created in the previous steps. Under Expression, click Add. For Expression Type, select General, set Flow Type to REQ, and, for Protocol, select HTTP. Set Qualifier to HEADER, for Operator select CONTAINS, and, for Value, enter CitrixReceiver. For Header Name, specify the value User-Agent and click OK.

5. In the Add Expression dialog box, change the Operator setting to EXISTS and, for Header Name, enter X-Citrix-Gateway. Click OK and then click Close.

6. With all the settings configured for the Citrix Receiver session policy, click Create and then click Close.

You must now create a policy for Receiver for Web sites.

7. In the navigation pane, click NetScaler Gateway > Policies > Session. In the details pane, click the Policies tab and click Add. Give the session policy a suitable name to enable you to identify it and, under Request Profile, select the profile that you created previously for Citrix Receiver. Under Expression, click Add. For Expression Type, select General, set Flow Type to REQ, and, for Protocol, select HTTP. Set Qualifier to HEADER, for Operator select NOTCONTAINS, and, for Value, enter CitrixReceiver. For Header Name, specify the value User-Agent and click OK.

8. In the Add Expression dialog box, change the Operator setting to EXISTS and, for Header Name, enter Referer. Click OK and then click Close.

9. With all the settings configured for the Receiver for Web sites session policy, click Create and then click Close.
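How the two session policies above sort incoming requests, as an added example that is not part of the Citrix document. It assumes each policy's two expressions are joined with a logical AND and written in the classic REQ.HTTP.HEADER form, that CONTAINS is a case-sensitive substring match, and that NOTCONTAINS is true when the header is absent; the request headers are constructed.

```python
import re

# Assumed textual form of the expressions built in the Add Expression dialog box.
POLICIES = {
    "Citrix Receiver": "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"
                       " && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS",
    "Receiver for Web": "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"
                        " && REQ.HTTP.HEADER Referer EXISTS",
}

# Only the three operators used in the steps above are accepted.
TERM = re.compile(
    r"^REQ\.HTTP\.HEADER\s+(\S+)\s+(CONTAINS|NOTCONTAINS|EXISTS)(?:\s+(\S+))?$"
)

def parse(expression):
    """Turn 'term && term' into a list of (header-name, operator, value)."""
    terms = []
    for part in expression.split("&&"):
        match = TERM.match(part.strip())
        if match is None:
            raise ValueError(f"unsupported term: {part.strip()!r}")
        name, operator, value = match.groups()
        if (operator == "EXISTS") != (value is None):
            raise ValueError(f"wrong operand count: {part.strip()!r}")
        terms.append((name.lower(), operator, value))
    return terms

def term_matches(term, headers):
    """Evaluate one term against headers keyed by lower-cased name."""
    name, operator, value = term
    if operator == "EXISTS":
        return name in headers
    contains = name in headers and value in headers[name]
    return contains if operator == "CONTAINS" else not contains

def classify(raw_headers):
    """Return the names of every policy whose expression the request satisfies."""
    headers = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
    return [name for name, expression in POLICIES.items()
            if all(term_matches(t, headers) for t in parse(expression))]

# Constructed requests; host names and User-Agent strings are illustrative.
SAMPLE_REQUESTS = {
    "native Receiver via gateway": {"User-Agent": "CitrixReceiver/4.1 Windows",
                                    "X-Citrix-Gateway": "gateway.example.com"},
    "browser following a link": {"user-agent": "Mozilla/5.0",
                                 "Referer": "https://gateway.example.com/"},
    "browser, first request": {"User-Agent": "Mozilla/5.0"},
    "native Receiver, no gateway header": {"User-Agent": "CitrixReceiver/4.1 Windows",
                                           "Referer": "https://gateway.example.com/"},
}

def classify_all():
    return {label: classify(headers) for label, headers in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for label, matched in classify_all().items():
        print(f"{label}: {matched or 'no session policy matches'}")
```

The two expressions are mutually exclusive on User-Agent, and a request that satisfies neither of them gets neither policy's profile.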

To create a NetScaler Gateway virtual server

You must now create a NetScaler Gateway virtual server to act as the entry point for remote access to the internal resources. This virtual server will use the policies and profiles you created in the previous procedure to permit or deny access. A unique IP address is assigned to the virtual server, so you must create a DNS entry in your environment with the appropriate IP address and host name.

1. To create a virtual server, log on to the NetScaler Gateway configuration utility and, in the navigation pane, click NetScaler Gateway > Virtual Servers. In the details pane, click Add. Name the virtual server with the common name you used in the certificate you created earlier. Enter the unique IP address you assigned to NetScaler Gateway. Set Protocol to SSL and specify an appropriate port. Click the Certificates tab, select the certificate you created earlier for NetScaler Gateway, and click Add to bind the certificate to the virtual server. Leave the remaining settings with their default values.

2. Click the Authentication tab and click Insert Policy. Select the LDAP authentication policy that you created earlier.

3. Click the Policies tab and click Insert Policy. Select the policies that you created for Citrix Receiver and Receiver for Web sites in the previous procedure.

4. Click the Published Applications tab and, under Secure Ticket Authority, click Add. Enter the URLs for the Secure Ticket Authorities (STAs) on your Delivery Controllers in the form http://ipaddress/scripts/ctxsta.dll, where ipaddress is the address of the Delivery Controller. Ensure that these values match exactly the entries on the StoreFront servers. Click Create and then click Close.

To configure domains for clientless access

To enable authentication through NetScaler Gateway in your environment, you must specify one or more domains that tenant users can access through NetScaler Gateway.

1. To specify domains, log on to the NetScaler Gateway configuration utility and, in the navigation pane, click NetScaler Gateway > Global Settings. In the details pane, under Clientless Access, click Configure Domains for Clientless Access.

2. Select Allow domains and add to the list the domains to which tenant users need access. Click OK and then click Close.

App Orchestration

App Orchestration is designed to facilitate the provisioning and configuration of XenDesktop, XenApp, and StoreFront. Each of these products has its own identity, but App Orchestration uses smart logic to quickly and efficiently configure the environment for you. This makes the system easier to administer, especially in complex environments with multiple users and clients.

To configure App Orchestration for NetScaler Gateway

1. During initial configuration of App Orchestration, on the Global Settings page, select the Enable Access Gateway check box. Enter your NetScaler Gateway URL and click Save.

2. Alternatively, to configure App Orchestration with NetScaler Gateway after initial configuration, log on to the App Orchestration web management console. On the home screen, click Global > Settings. Select Access Gateway and click Save.

Several workflows become active, indicating that the system has triggered the configuration. Once the workflows are complete, you can configure the environment.

3. On the home screen of the web management console, click Define > Datacenters. Click the first datacenter and click Edit. Click the Access Gateway tab, enter your NetScaler Gateway URL, and click Save Datacenter. Repeat this process for any other datacenters in your environment.

To configure App Orchestration for load balancing

In order for StoreFront to interact with NetScaler, you must configure the load balancer address in App Orchestration. When you create a StoreFront server group in the App Orchestration web management console, enter the URL of the load balancer you created earlier on the Basic Settings screen.

Ensure that you enter the load balancer URL correctly, because you cannot modify the URL once you have created the server group. If you need to change the load balancer URL for the StoreFront server group, you must delete the server group in the App Orchestration web management console. Then, you must move the StoreFront servers from the DecommissionedServers OU to the appropriate resource OU in Active Directory and create a new server group in the web management console using the new load balancer URL.

To verify your configuration

Once you have finished configuring your deployment, verify the settings on the StoreFront servers to ensure that tenant users can access the deployment.

1. Log on to the StoreFront server specified in the configuration. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile. Select the Server Group node in the left pane of the Citrix StoreFront management console. Ensure that the load balanced URL you entered previously in App Orchestration is shown under Base URL in the results pane of the console.

2. Select the NetScaler Gateway node in the left pane of the console. Verify that the NetScaler Gateway URL you entered earlier in App Orchestration is shown in the results pane of the console.

3. In the Actions pane of the console, click Secure Ticket Authority. Confirm that the STA URLs shown in the Manage Secure Ticket Authority Settings dialog box are identical to the STA URLs you configured for NetScaler Gateway earlier.

Once you have verified the StoreFront configuration, you can check that tenant users can access the deployment.

4. On a suitable user device, install Citrix Receiver. During initial configuration, click Add Account, enter the URL of the load balancer you created earlier, and click Next. Ensure that Citrix Receiver can connect to StoreFront through the NetScaler load balancer.
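The STA comparison in step 3 above (and the exact-match requirement stated when the STAs are added to the virtual server) can be scripted once both lists have been copied out of the two consoles. This is an added example, not part of the original guide; the IP addresses and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not from the guide).
GATEWAY_STAS = [
    "http://10.0.0.11/scripts/ctxsta.dll",
    "http://10.0.0.12/scripts/ctxsta.dll",
    "http://10.0.0.13/scripts/ctxsta.dll",
]
STOREFRONT_STAS = [
    "http://10.0.0.11/scripts/ctxsta.dll",
    "http://10.0.0.12/Scripts/CtxSTA.dll",    # differs in case only
    "https://10.0.0.13/scripts/ctxsta.dll",   # differs in scheme only
    "http://10.0.0.14/scripts/ctxsta.dll",    # not on the gateway at all
]

def _host(url):
    """Lower-cased host, used only to pair entries that look like the same STA."""
    return (urlsplit(url.strip()).hostname or "").lower()

def _differences(a, b):
    """Name the URL components in which two entries for the same host differ."""
    pa, pb = urlsplit(a), urlsplit(b)
    diffs = [name for name, x, y in (("scheme", pa.scheme, pb.scheme),
                                     ("host", pa.netloc, pb.netloc),
                                     ("path", pa.path, pb.path)) if x != y]
    return diffs or ["other"]   # e.g. stray whitespace or a query string

def compare_sta_lists(gateway, storefront):
    """Exact string comparison first, then explain near-misses per host."""
    exact = set(gateway) & set(storefront)
    gw_left = [u for u in gateway if u not in exact]
    sf_left = [u for u in storefront if u not in exact]
    near = []
    for g in list(gw_left):
        s = next((u for u in sf_left if _host(u) == _host(g)), None)
        if s is not None:
            near.append((g, s, _differences(g, s)))
            gw_left.remove(g)
            sf_left.remove(s)
    return {"match": sorted(exact), "near_miss": near,
            "gateway_only": gw_left, "storefront_only": sf_left}

def is_consistent(report):
    """True only when every entry matched character for character."""
    return not (report["near_miss"] or report["gateway_only"] or report["storefront_only"])

if __name__ == "__main__":
    print(compare_sta_lists(GATEWAY_STAS, STOREFRONT_STAS))
```

Any entry reported under near_miss, gateway_only or storefront_only is one to correct before testing user access, since the guide requires the two lists to be identical.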
