NetScaler Access Gateway Enterprise Edition Training
May 2011

Training Goals
• Learn AGEE as it pertains to XenApp / XenDesktop
• Implement VPX in small/lab environments
• Provide hands-on experience
  • Installation procedures
  • Consoles & initial admin tasks
  • Integration with XA
• Communicate consulting best practices
  • IA topics
  • Design principles
Citrix Confidential - Do Not Distribute

Agenda (1 of 2)
• Training Goals
• NetScaler Types
• Architecture & Deployment Options
• Administration Overview
• Load Balancing

Agenda (2 of 2)
• Access Gateway & XenApp Integration
• Global Server Load Balancing
• Web Interface on NetScaler
• NS Best Practices
• Access Gateway VPX

NetScaler Hardware and Features

NetScaler Hardware
• MPX 5500
• MPX 7500 and MPX 9500
• MPX 10500/12500/15500
• MPX 17500/19500/21500
• VPX

Differences Between MPX and VPX
• Three main differences exist between NS MPX and VPX:
  • System capacity
  • Performance
  • Tagged VLAN configuration
• NetScaler VPX system capacity:
  • No hardware SSL acceleration
  • Processing not offloaded to dedicated silicon

When to Use Which?
NetScaler Appliances
• Gig+ performance
• High volume SSL offload
• >100 SSL VPN CCUs
• FIPS requirements
• Physical device security

NetScaler VPX
• Labs/test environments
• Development environments
• "Datacenter-in-a-box"
• CPU-intensive workloads
• Frequently moved apps
• Fast/remote deployment

NetScaler SDX – Announcing at Synergy
• Instances, not partitions
• Complete CPU isolation
• Complete memory isolation
• Version independence
• High availability independence
• Lifecycle independence

Introducing NetScaler SDX
• NetScaler MPX 21500: 50 Gb/s, single VIP
• NetScaler SDX 21500: 50 Gb/s, 16 instances
• Up to 18 Gbps per instance
• 8M packets/second

NetScaler Features

ICA Proxy for All
• NetScaler MPX
• NetScaler VPX
• Access Gateway Enterprise Edition
• Access Gateway Standard Edition
• Access Gateway VPX
• Secure Gateway

~10 Steps to "Typical" AGEE
1. IP & Routing
2. Licensing
3. HA
4. Authentication
5. Authorization
6. Certificates
7. Web Interface
8. SSL VPN
9. Session Policies
10. Logging & Monitoring

Architecture & Deployment Options

Deployment Options
• AG in a Secure Network
• AG in DMZ with WI
  • WI behind AG
  • AG parallel to WI
• AG in DMZ with WI internally
• AG in Double-Hop

Physical Deployment Modes: One-Arm
(Diagram: 1. User Request and 2. User Request on the Public/Front VLAN, 3. Response and 4. Response on the Private/Server VLAN, all through the single interface.)
• One interface, no risk of bridge loops
• Can utilize LANs with 802.1q tagging
• Can utilize Link Aggregation to satisfy bandwidth requirements

Physical Deployment Modes: Two-Arm
(Diagram: 1. User Request and 4. Response on the Public/Front VLAN interface, 2. User Request and 3. Response on the Private/Server VLAN interface.)
• Accommodates topologies in situations where one-armed does not
• Allows layer 3 (routed) deployments with split subnets (as shown)
• Allows layer 2 (bridged) deployments with one subnet on both sides

NetScaler Terms
• NetScaler IP (NSIP) – Management IP
• Mapped IP (MIP) – Used for server-side connections; replaces the source IP with the MIP
• Subnet IP (SNIP) – Same as a MIP. SNIPs were introduced in newer releases of code.
• Virtual IP (VIP) – IP address associated with a virtual server

Administration Overview

GUI / CLI
• Access the GUI by browsing to the NSIP
• Access the CLI through an SSH client (PuTTY)
• Access the file system through an SFTP client (WinSCP)

Key CLI Commands
> show run
> show route
> show ns feature
> show ns mode
> show ha node
> show license

Running Config, Saved Config
• ns.conf is loaded on startup
• Changes are reflected in the running config
• Changes must be committed to the saved config

Lab 1 – VPX Initial Configuration
Objectives:
» Import VPX
» Configure IP and Licensing
» Configure HA
» Run basic CLI commands

Lab 1 Discussion
• What items need to be planned in advance for a NS VPX POC?
Load Balancing

Load Balancing Primer
• Servers, Services, vServers, Monitors
• Load balancing applies to TCP or UDP and HTTP/HTTPS
• A load balancing virtual server is bound to services – "listeners" on ports

LB Methods
• Least Connections (default)
• URL Hash
• Domain Name Hash
• Round Robin
• Weighted Round Robin
• Source IP Hash
• Least Response Time
• Destination IP Hash
• Least Bandwidth
• Source/Dest IP Hash
• Least Packets
• LB using SNMP
• LRTM
• SASP/Call ID Hash
• Token

Session Persistence
• Source-IP (w/ netmask)
• Cookie Insert (HTTP/SSL only)
• SSL Session-ID
• URL passive
• Custom Server ID
• Destination IP
• Rule

Load Balancing TFTP
• Reverse Network Address Translation & Use Source IP required
• USIP provides the client IP to the backend (TFTP) servers
• The default gateway for TFTP (on PVS) needs to point to the NS SNIP
• http://support.citrix.com/article/CTX110459

Lab 2 – Load Balancing
Objectives:
» Manually create LB VIP for WI & XML
» Use wizard for WI & XML

Lab 2 Discussion
• When would you need the SSL_BRIDGE type of LB?
• What do you do without a hardware load balancer?
• Who uses XML LB? Advantages/disadvantages?
Access Gateway and XA/XD Integration

Access Gateway Components
• Access Gateway virtual servers bind with:
  • Certificates
  • Authentication
  • Policies
  • Profiles
  • STA

Access Gateway Configuration Options
• Full SSL VPN – requires client component
• ICA Proxy – WI integration with SSL for ICA
• Clientless Connections – web application proxy

Global Settings
• Default settings applied to all AG sessions

Session Profile
• Customizes the session behavior
• ICA Proxy ON tells AGEE not to launch the Secure Access Client
• URL to the Web Interface site, e.g. http://wiserver/citrix/xenapp
• Embedded Web Interface display format: Full or Compact
• Single Sign-On Domain specifies the domain the user is logged on to

Session Policies
• Define the conditions to invoke a session profile

Policy + Action + vServer
> add vpn sessionAction prof_smart_phone -sessTimeout 30 -splitTunnel ON -defaultAuthorizationAction ALLOW -clientIdleTimeout 30 -SSO ON -icaProxy ON -wihome "https://sfdc.com/Citrix/XenApp/PNAgent/config.xml" -ntDomain SFDC
> add vpn sessionPolicy pol_smart_phone "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" prof_smart_phone
> bind vpn vserver sfm-cxi-ag1.salesforce.com -policy pol_smart_phone -priority 10

Policy Expressions
• ns_true
• REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
• REQ.HTTP.HEADER Host == access.citrix.com
• CLIENT.FILE('C:\\\\file.dat').TIMESTAMP == 7dy -frequency 5
• CLIENT.SVC('Symantec\\ AntiVirus').VERSION == 10.0 -frequency 5
• CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS
• CLIENT.OS(winxp) EXISTS

Policy Priority
• Results are aggregated from all true policies
• Priority determines the result in the event of a conflict
• Lowest bind point wins with policies bound to different bind points (Global > Virtual Server > Group > User)

Policy Priority Exercise 1
                Policy A          Policy B          Policy C          Resulting
                Global, prio 100  Virtual Server,   Group, prio 100   Configuration
                                  prio 100
Home page       www.citrix.com    www.google.com    www.sales.com     www.sales.com
Split Tunnel    ON                -not set-         OFF               OFF
Single Sign-on  -not set-         OFF               ON                ON

Policy Priority Exercise 2
                Policy A          Policy B          Policy C          Resulting
                Global, prio 10   Virtual Server,   Group, prio 30    Configuration
                                  prio 20
Home page       www.citrix.com    www.google.com    www.sales.com     www.citrix.com
Split Tunnel    -not set-         -not set-         OFF               OFF
Single Sign-on  -not set-         OFF               ON                OFF

Policy Priority Exercise 3
                Policy A          Policy B          Policy C          Resulting
                Global, prio 100  Virtual Server,   Group, prio 100   Configuration
                                  prio 90
Home page       www.citrix.com    www.google.com    www.sales.com     www.google.com
Split Tunnel    ON                -not set-         OFF               OFF
Single Sign-on  OFF               ON                -not set-         ON

Authentication Policies
• Define the authentication source:
  • Local
  • RADIUS
  • LDAP
  • TACACS
  • NT4
  • CERT

Groups
• Define user groups to apply policies and settings

Web Interface Configuration

The Callback
• WI makes a callback to the SSL VPN VIP
• Retrieves information over HTTPS such as the farm, the vServer entity name, the session policy used, etc.
• Values are sent to the XenApp server to generate the SmartAccess control set
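Added example (not from the training deck) in Python: the session-policy merge rule stated on the Policy Priority slides, replayed over the three Policy Priority Exercises. The policy names, setting keys and the BIND_POINTS order are assumptions used for illustration.

```python
# Added example (not from the training deck): the session-policy merge rule
# from the Policy Priority slides, replayed over the three exercises.
# Policy names, setting keys and the BIND_POINTS order are assumptions.

# Bind points from least to most specific; the more specific one wins a
# priority tie (the slides' "Global > Virtual Server > Group > User").
BIND_POINTS = ["Global", "Virtual Server", "Group", "User"]

def policy(name, bind_point, priority, homepage=None, split_tunnel=None, sso=None):
    """A policy whose expression evaluated true: (name, bind point, priority,
    settings).  A setting of None means "-not set-" in that profile."""
    return (name, bind_point, priority,
            {"homepage": homepage, "splitTunnel": split_tunnel, "SSO": sso})

def _winner(policies, key):
    """Policy that supplies `key`: lowest priority number first, then the
    most specific bind point.  None if no true policy sets the value."""
    setters = [p for p in policies if p[3].get(key) is not None]
    if not setters:
        return None
    return min(setters, key=lambda p: (p[2], -BIND_POINTS.index(p[1])))

def _merge(policies, pick):
    keys = sorted({k for p in policies for k in p[3]})
    out = {}
    for k in keys:
        w = _winner(policies, k)
        out[k] = None if w is None else pick(w, k)
    return out

def resolve(policies):
    """Resulting configuration: one merged value per setting."""
    return _merge(policies, lambda w, k: w[3][k])

def winners(policies):
    """Which policy won each setting (useful when a session misbehaves)."""
    return _merge(policies, lambda w, k: w[0])

# The three exercises from the deck, transcribed as constructed input.
EXERCISE_1 = [policy("A", "Global", 100, "www.citrix.com", "ON", None),
              policy("B", "Virtual Server", 100, "www.google.com", None, "OFF"),
              policy("C", "Group", 100, "www.sales.com", "OFF", "ON")]
EXERCISE_2 = [policy("A", "Global", 10, "www.citrix.com", None, None),
              policy("B", "Virtual Server", 20, "www.google.com", None, "OFF"),
              policy("C", "Group", 30, "www.sales.com", "OFF", "ON")]
EXERCISE_3 = [policy("A", "Global", 100, "www.citrix.com", "ON", "OFF"),
              policy("B", "Virtual Server", 90, "www.google.com", None, "ON"),
              policy("C", "Group", 100, "www.sales.com", "OFF", None)]

if __name__ == "__main__":
    for n, ex in enumerate((EXERCISE_1, EXERCISE_2, EXERCISE_3), 1):
        print(f"Exercise {n}: {resolve(ex)}  winners={winners(ex)}")
```

Each exercise resolves to the Resulting Configuration shown on its slide; winners() names the policy behind each value, which is the first thing to check when a user lands on an unexpected home page or with split tunneling off.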
SmartAccess Workflow
(Diagram: Workstation in the External zone; AGEE on 443 in the DMZ; LDAP 389/636, Web Interface 80/443 and XenApp in the Internal zone.)
• User accesses the AGEE VPN virtual server page
• Pre-AuthN: the EPA ActiveX control is downloaded and scans the client; the EPA ActiveX control sends the results back to AGEE
• On pre-authentication EPA success, the AGEE login page is returned to the user
• User supplies credentials to log on; Access Gateway passes the credentials to the directory service for validation
• Post-AuthN: session policy EPA checks are done with the existing EPA ActiveX control, and the session policy EPA check results are returned to AGEE
• 1) AGEE does an HTTP redirect to the Web Interface website configured in '-homepage' and sends the provided credentials via the AGCitrixBasic HTTP header
• 2) Web Interface returns a 401 and AGEE detects that this is a Web Interface server
• 3) Access Gateway next performs pass-through SSO to Web Interface via a custom header option; a SessionToken is also provided to Web Interface
• WI makes an XML callback to the AGEE VPN virtual server URL preconfigured on WI, with the previously provided SessionToken, to get the EPA results; AGEE returns the EPA results to WI
• 4) Web Interface authenticates the credentials to the Citrix XML Service, which validates them and returns the user's application set
• Web Interface generates the "Smart Access" application set page and sends the web page back to the user

STA and XML

STA Configuration
• STA must be configured on Access Gateway

Published Application Launch Process
(Diagram: Workstation in the External zone; AGEE on 443 in the DMZ; Web Interface 80/443, STA 80/443 and XenApp 1494/2598 in the Internal zone.)
• User clicks the application icon
• Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application; the XML Service returns the XenApp IP address
• Web Interface contacts the STA to exchange the XenApp IP address for a STA ticket
• Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket; the ICA file is sent back to the client device
• The ICA client sends the ICA request to Access Gateway
• Access Gateway contacts the STA to validate the ticket and exchange it for the XenApp IP address
• Access Gateway contacts XenApp to initiate the ICA session; the ICA session is established

Lab 3 – Access Gateway
Objectives:
» Configure components for AG
» Launch application using SSL
» Configure EPA and SmartAccess

Lab 3 Discussion
• What other authentication methods are relevant to us?
• What does clientless access really mean?

Global Server Load Balancing

GSLB Overview
• Load balance services between separate locations
• Typical uses include:
  • Distribution of network traffic across multiple sites
  • Distribution of server load across multiple sites
  • Disaster recovery
• Relies on DNS for directing client requests
• Shares the state & status of various geographically distributed servers

DNS & GSLB
• Step 1: Client sends a DNS request to the local DNS (LDNS) server
• Step 2: The LDNS server sends the request to the ADNS service/DNS vServer on the system
• Step 3: The ADNS service/DNS vServer responds with the IP address of the LB vServer on the best-performing site

GSLB Entities
(Diagram; only the LDNS label survives.)

Web Interface on NetScaler

Web Interface on NetScaler
• Feature is available on 9.3 (RTW 3/30)
• MPX and nCore VPX – not available on classic
• Web Interface version 5.4
• There are two packages that need to be installed on NS:
  1. Web Interface files
  2. Java Runtime Environment

WIonNS Licensing
• The feature is only licensed on NetScaler Standard, Enterprise, and Platinum
• It is not licensed on CAG-EE
• Not visible in the GUI license window yet

Limitations
• JSP with Java Servlet support
• Functionally equivalent except for the authentication limitations listed below
• Case-sensitive sites
• Manual site customization
• Limited on-box authentication
  • Kerberos, Smart Card, RSA Windows Password Integration, and Pass-Through authentication methods are not supported
• Limited scale on low-end platforms

WIonNS Firewall Changes
(Diagram: Before / After)

Lab 4 – Web Interface on NetScaler
Objectives:
» Configure WI on NS

Lab 4 Discussion
• What are the pros/cons to WI on NS?

Best Practices

IA Top 10
• WI Load Balancing – Cookie insert with timeout of 0
• XML Load Balancing – No persistence
• Use the built-in WI/XML monitor
• Disable unused features and modes
• For load balancing, have a Switch license

IA Top 10, continued
• Redirect 80 to 443 for the AG vServer
• Use GSLB for multiple data centers across various regions
• EPA used with SmartAccess
• Use split DNS for internal access to AG
• No external access to NSIP and SNIP

Lab 5 – Putting It All Together

Referenced Links
• AG Pre-Installation Checklist - http://support.citrix.com/article/CTX109588
• How to Configure a Backup VServer - http://support.citrix.com/article/CTX125511
• Configuring and Monitoring Persistence on NetScaler
• Planning Guide: Load Balancing Web Interface with NetScaler - http://support.citrix.com/article/CTX128563
• Does Use Source IP Mode Work in a NetScaler One-arm Mode Deployment? - http://support.citrix.com/article/CTX110459
• NetScaler VPX Licensing Guide - http://support.citrix.com/article/CTX122426
• Web Interface 5.3 Reports Error Pertaining to HTTP Header 'User-Agent' - http://support.citrix.com/article/CTX124858
• How to Configure the Redirect URL Feature - http://support.citrix.com/article/CTX108946