AGEE Training Q1 2012 v1 - Citrix Synergy Labs Home Page

NetScaler Access Gateway
Enterprise Edition Training
May 2011
Training Goals
• Learn AGEE as it pertains to XenApp / XenDesktop
• Implement VPX in small/lab environments
• Provide Hands-on Experience
  • Installation Procedures
  • Consoles & Initial Admin Tasks
  • Integration with XA
• Communicate Consulting Best Practices
  • IA Topics
  • Design Principles
Citrix Confidential - Do Not Distribute
Agenda (1 of 2)
• Training Goals
• NetScaler Types
• Architecture & Deployment Options
• Administration Overview
• Load Balancing
Agenda (2 of 2)
• Access Gateway & XenApp Integration
• Global Server Load Balancing
• Web Interface on NetScaler
• NS Best Practices
• Access Gateway VPX
NetScaler Hardware and Features
NetScaler Hardware
MPX 5500
MPX 7500 and MPX 9500
MPX 10500/12500/15500
MPX 17500/19500/21500
VPX
Differences Between MPX and VPX
• Three main differences exist between NS MPX and VPX:
  • System capacity
  • Performance
  • Tagged VLAN Configuration
• NetScaler VPX system capacity:
  • No hardware SSL acceleration
  • Processing not offloaded to dedicated silicon
When to Use Which?
NetScaler Appliances (MPX):
• Gig+ performance
• High volume SSL Offload
• >100 SSL VPN CCUs
• FIPS requirements
• CPU-intensive workloads
• Physical device security
NetScaler VPX:
• Labs/test environments
• Development environments
• "Datacenter-in-a-box"
• Frequently moved apps
• Fast/remote deployment
NetScaler SDX – Announcing at Synergy
• Instances, not partitions
• Complete CPU isolation
• Complete memory isolation
• Version independence
• High availability independence
• Lifecycle independence
Introducing NetScaler SDX
(Figure: platform comparison)
• NetScaler MPX 21500: 50 Gb/s, 8M packets/second, single VIP
• NetScaler SDX 21500: 50 Gb/s, 16 instances, up to 18 Gbps per instance
NetScaler Features
ICA Proxy for All
• NetScaler MPX
• NetScaler VPX
• Access Gateway Enterprise Edition
• Access Gateway Standard Edition
• Access Gateway VPX
• Secure Gateway
~10 Steps to “Typical” AGEE
1. IP & Routing
2. Licensing
3. HA
4. Authentication
5. Authorization
6. Certificates
7. Web Interface
8. SSL VPN
9. Session Policies
10. Logging & Monitoring
Architecture & Deployment Options
Deployment Options
• AG in a Secure Network
• AG in DMZ with WI
• WI behind AG
• AG parallel to WI
• AG in DMZ with WI internally
• AG in Double-Hop
Physical Deployment Modes
One-Arm
(Diagram: a single NetScaler interface carries both the Public/Front VLAN and the Private/Server VLAN; 1. user request arrives, 2. request is forwarded to the server, 3. server responds, 4. response is returned to the user, all over the same interface.)
• One interface, no risk of bridge loops
• Can utilize LANs with 802.1q tagging
• Can utilize Link Aggregation to satisfy bandwidth requirements
Physical Deployment Modes
Two-Arm
(Diagram: one NetScaler interface on the Public/Front VLAN and a second on the Private/Server VLAN; 1. user request arrives on the front interface, 2. request is forwarded out of the server interface, 3. server responds on the server interface, 4. response is returned to the user from the front interface.)
• Accommodates topologies in situations where one-armed does not
• Allows layer 3 (routed) deployments with split subnets (as shown)
• Allows layer 2 (bridged) deployments with one subnet on both sides
NetScaler Terms
• NetScaler IP (NSIP) – Management IP; the address used for GUI and CLI administration
• Mapped IP (MIP) – Used for server-side connections; the NetScaler replaces the client source IP with the MIP
• Subnet IP (SNIP) – Serves the same server-side source role as a MIP but is tied to a directly connected subnet; introduced in newer releases of code and preferred over MIP
• Virtual IP (VIP) – IP address associated with a Virtual Server; the address clients connect to
Administration Overview
GUI / CLI
• Access the GUI by going to NSIP
• Access the CLI through SSH client (PuTTY)
• Access file system through SFTP client (WinSCP)
Key CLI Commands
> show run
> show route
> show ns feature
> show ns mode
> show ha node
> show license
Running Config, Saved Config
• ns.conf is loaded on startup
• Changes are reflected in the running config immediately
• Changes must be committed to the saved config (save ns config) or they are lost on the next reboot
Lab 1 – VPX Initial Configuration
Objectives:
» Import VPX
» Configure IP and Licensing
» Configure HA
» Run basic CLI commands
Lab 1 Discussion
• What items need to be planned in advance for a NS VPX POC?
Load Balancing
Load Balancing Primer
• Servers, Services, vServers, Monitors
• Load Balancing applies to TCP or UDP and HTTP/HTTPS
• A load balancing virtual server is bound to services – "listeners" on ports
LB Methods
• Least Connections (default)
• Round Robin
• Weighted Round Robin
• Least Response Time
• Least Bandwidth
• Least Packets
• LRTM
• Token
• URL Hash
• Domain Name Hash
• Source IP Hash
• Destination IP Hash
• Source/Dest IP Hash
• LB using SNMP
• SASP/Call ID Hash
Session Persistence
• Source-IP (w/ netmask)
• Cookie Insert (HTTP/SSL only)
• SSL Session-ID
• URL passive
• Custom Server ID
• Destination IP
• Rule
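How a persistence record interacts with the LB method, worked in code. This is an added example and not NetScaler code: it models a load balancing vServer using the default Least Connections method, with Cookie Insert persistence on the Web Interface vServer and no persistence on the XML vServer, which is the split the best-practices slide recommends. The cookie name NSC_lb, the use of the service name as the cookie value, the 10.0.0.x service addresses and the rule "timeout 0 means a session cookie with no Max-Age" are assumptions made for this example.

```python
"""Least-connections load balancing with cookie-insert persistence.

Added example, not NetScaler code. A valid persistence cookie pins the client
to its service only while that service is UP; otherwise the LB method chooses
and, for cookie insert, a fresh cookie is issued. The cookie name "NSC_lb",
the service name as cookie value, the 10.0.0.x addresses and the rule
"timeout 0 = session cookie (no Max-Age)" are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    ip: str
    port: int
    up: bool = True          # what a monitor would report
    connections: int = 0     # active connections seen by the vServer


@dataclass
class LbVserver:
    name: str
    services: list
    persistence: str = "NONE"        # "NONE" or "COOKIEINSERT"
    timeout_min: int = 0             # cookie-insert timeout; 0 = session cookie
    cookie_name: str = "NSC_lb"      # assumed name for this example

    def least_connections(self):
        """LB method: the UP service with the fewest active connections."""
        up = [s for s in self.services if s.up]
        return min(up, key=lambda s: s.connections) if up else None

    def handle(self, request_cookies):
        """Dispatch one request; return (service, Set-Cookie header or None)."""
        chosen, set_cookie = None, None
        if self.persistence == "COOKIEINSERT":
            # Persistence only holds while the persisted service is UP.
            wanted = request_cookies.get(self.cookie_name)
            chosen = next((s for s in self.services
                           if s.name == wanted and s.up), None)
        if chosen is None:
            chosen = self.least_connections()
            if chosen is None:
                return None, None            # every service is DOWN
            if self.persistence == "COOKIEINSERT":
                set_cookie = f"{self.cookie_name}={chosen.name}; Path=/"
                if self.timeout_min:         # timeout 0: no Max-Age, browser-session cookie
                    set_cookie += f"; Max-Age={self.timeout_min * 60}"
        chosen.connections += 1
        return chosen, set_cookie


def remember(cookies, set_cookie):
    """Client side: store the name=value part of a Set-Cookie header."""
    if set_cookie:
        name, value = set_cookie.split(";", 1)[0].split("=", 1)
        cookies[name] = value


def demo(timeout_min=0):
    """WI vServer with cookie insert beside an XML vServer with no persistence."""
    wi = LbVserver("lb_wi", [Service("wi1", "10.0.0.11", 80),
                             Service("wi2", "10.0.0.12", 80)],
                   "COOKIEINSERT", timeout_min)
    xml = LbVserver("lb_xml", [Service("xml1", "10.0.0.21", 8080),
                               Service("xml2", "10.0.0.22", 8080)])
    cookies, wi_trace, xml_trace, set_cookies = {}, [], [], []
    for _ in range(3):                       # one browser, three WI requests
        svc, sc = wi.handle(cookies)
        wi_trace.append(svc.name)
        set_cookies.append(sc)
        remember(cookies, sc)
    wi.services[0].up = False                # monitor marks wi1 DOWN
    svc, sc = wi.handle(cookies)             # re-dispatched, new cookie issued
    wi_trace.append(svc.name)
    set_cookies.append(sc)
    for _ in range(4):                       # XML requests spread by least connections
        xml_trace.append(xml.handle({})[0].name)
    return {"wi": wi_trace, "wi_set_cookies": set_cookies, "xml": xml_trace}


if __name__ == "__main__":
    print(demo())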
Load Balancing TFTP
• Reverse Network Address Translation (RNAT) & Use Source IP (USIP) required
• USIP provides the client IP to the backend (TFTP) servers
• Default gateway for TFTP (on PVS) needs to point to the NS SNIP
• http://support.citrix.com/article/CTX110459
Lab 2 – Load Balancing
Objectives:
» Manually create LB VIP for WI & XML
» Use wizard for WI & XML
Lab 2 Discussion
• When would you need SSL_BRIDGE type of LB?
• What do you do without a hardware load balancer?
• Who uses XML LB? Advantages/disadvantages?
Access Gateway and XA/XD
Integration
Access Gateway Components
• Access Gateway virtual servers bind with
• Certificates
• Authentication
• Policies
• Profiles
• STA
Access Gateway Configuration Options
• Full SSL VPN – requires client component
• ICA Proxy – WI integration with SSL for ICA
• Clientless Connections – web application proxy
Global Settings
• Default settings applied
to all AG sessions
Session Profile
• Customizes the session behavior
• ICA Proxy ON tells AGEE not to launch the Secure Access Client
• URL to the Web Interface site
  • e.g. http://wiserver/citrix/xenapp
• Embedded Web Interface display format
  • Full or Compact
• Single Sign-On Domain
  • Specifies the domain the user is logged on to
Session Policies
• Define the conditions to invoke a session profile
Policy + Action + vServer
• add vpn sessionAction prof_smart_phone -sessTimeout 30 -splitTunnel ON -defaultAuthorizationAction ALLOW -clientIdleTimeout 30 -SSO ON -icaProxy ON -wihome "https://sfdc.com/Citrix/XenApp/PNAgent/config.xml" -ntDomain SFDC
• add vpn sessionPolicy pol_smart_phone "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" prof_smart_phone
• bind vpn vserver sfm-cxi-ag1.salesforce.com -policy pol_smart_phone -priority 10
Policy Expressions
• ns_true
• REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
• REQ.HTTP.HEADER Host == access.citrix.com
• CLIENT.FILE('C:\\\\file.dat').TIMESTAMP == 7dy -frequency 5
• CLIENT.SVC('Symantec\\ AntiVirus').VERSION == 10.0 -frequency 5
• CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS
• CLIENT.OS(winxp) EXISTS
• The CLIENT.* expressions are Endpoint Analysis checks run by the client plug-in; -frequency re-runs the check every N minutes
• Request header values such as User-Agent are supplied by the client, so use them to select a profile, not to grant access
Policy Priority
• Results are aggregated from all policies that evaluate true
• When two true policies set the same attribute, the policy with the lowest priority number wins
• When priorities are equal, the policy bound at the more specific bind point wins (User > Group > Virtual Server > Global)
Policy Priority Exercise
                 Policy A (Global)   Policy B (Virtual Server)   Policy C (Group)   Resulting Configuration
Priority         100                 100                         100
Home page        www.citrix.com      www.google.com              www.sales.com      www.sales.com
Split Tunnel     ON                  -not set-                   OFF                OFF
Single Sign-on   -not set-           OFF                         ON                 ON
Policy Priority Exercise
                 Policy A (Global)   Policy B (Virtual Server)   Policy C (Group)   Resulting Configuration
Priority         10                  20                          30
Home page        www.citrix.com      www.google.com              www.sales.com      www.citrix.com
Split Tunnel     -not set-           -not set-                   OFF                OFF
Single Sign-on   -not set-           OFF                         ON                 OFF
Policy Priority Exercise
                 Policy A (Global)   Policy B (Virtual Server)   Policy C (Group)   Resulting Configuration
Priority         100                 90                          100
Home page        www.citrix.com      www.google.com              www.sales.com      www.google.com
Split Tunnel     ON                  -not set-                   OFF                OFF
Single Sign-on   OFF                 ON                          -not set-          ON
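The priority and bind-point rules, together with the three exercise slides and the User-Agent policy from the CLI slide, worked in code. This is an added example and not Citrix code: it models the rules as the slides state them (all true policies contribute, lowest priority number wins per attribute, ties go to the more specific bind point). Only ns_true and the two REQ.HTTP.HEADER expression forms are parsed, and the wi.example URLs used in the smart-phone case are assumed; neither is the real classic expression engine.

```python
"""Access Gateway session-policy resolution.

Added example, not Citrix code. Rules modelled from the slides: every bound
policy whose expression is true contributes the attributes its session
profile sets; per attribute the lowest priority number wins; on a tie the
more specific bind point wins (User > Group > Virtual Server > Global).
Only ns_true and the two REQ.HTTP.HEADER forms are parsed; that subset and
the wi.example URLs are assumptions made for this example.
"""
from dataclasses import dataclass

# Higher number = more specific bind point = wins a priority tie.
BIND_SPECIFICITY = {"Global": 0, "Virtual Server": 1, "Group": 2, "User": 3}


@dataclass(frozen=True)
class SessionPolicy:
    name: str
    expression: str
    profile: dict        # only the attributes the profile sets; "-not set-" is omitted
    priority: int
    bind_point: str


def evaluate(expression, headers):
    """Evaluate the supported subset of classic expressions against request headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    tokens = expression.split()
    if tokens == ["ns_true"]:
        return True
    if len(tokens) == 4 and tokens[0] == "REQ.HTTP.HEADER":
        _, header, op, value = tokens
        actual = lowered.get(header.lower(), "")
        if op == "CONTAINS":
            return value in actual
        if op == "==":
            return actual == value
    raise ValueError(f"unsupported expression: {expression!r}")


def resolve(policies, headers):
    """Aggregate the effective session configuration from all true policies."""
    effective, winner = {}, {}
    for pol in policies:
        if not evaluate(pol.expression, headers):
            continue
        rank = (pol.priority, -BIND_SPECIFICITY[pol.bind_point])  # smaller wins
        for attr, value in pol.profile.items():
            if attr not in winner or rank < winner[attr]:
                winner[attr], effective[attr] = rank, value
    return effective


def exercise(prio_a, prio_b, prio_c, prof_a, prof_b, prof_c):
    """One slide exercise: A bound globally, B on the vServer, C on a group."""
    return resolve([
        SessionPolicy("A", "ns_true", prof_a, prio_a, "Global"),
        SessionPolicy("B", "ns_true", prof_b, prio_b, "Virtual Server"),
        SessionPolicy("C", "ns_true", prof_c, prio_c, "Group"),
    ], {})


def slide_exercises():
    """The three Policy Priority Exercise slides."""
    citrix = {"homepage": "www.citrix.com"}
    google = {"homepage": "www.google.com"}
    sales = {"homepage": "www.sales.com"}
    return {
        "equal priorities": exercise(100, 100, 100,
            {**citrix, "splitTunnel": "ON"},
            {**google, "SSO": "OFF"},
            {**sales, "splitTunnel": "OFF", "SSO": "ON"}),
        "global priority 10": exercise(10, 20, 30,
            citrix,
            {**google, "SSO": "OFF"},
            {**sales, "splitTunnel": "OFF", "SSO": "ON"}),
        "vserver priority 90": exercise(100, 90, 100,
            {**citrix, "splitTunnel": "ON", "SSO": "OFF"},
            {**google, "SSO": "ON"},
            {**sales, "splitTunnel": "OFF"}),
    }


def smart_phone_example(user_agent):
    """pol_smart_phone from the slides beside a catch-all default policy.

    User-Agent is chosen by the client, so this match only selects a
    presentation profile (PNAgent config.xml); it is not an access control."""
    return resolve([
        SessionPolicy("pol_default", "ns_true",
                      {"icaProxy": "ON", "wihome": "https://wi.example/Citrix/XenApp"},
                      100, "Virtual Server"),
        SessionPolicy("pol_smart_phone",
                      "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver",
                      {"wihome": "https://wi.example/Citrix/XenApp/PNAgent/config.xml"},
                      10, "Virtual Server"),
    ], {"User-Agent": user_agent})


if __name__ == "__main__":
    for label, cfg in slide_exercises().items():
        print(f"{label}: {cfg}")
    print(smart_phone_example("CitrixReceiver/3.0"))
```

slide_exercises() reproduces the Resulting Configuration column of each exercise slide; smart_phone_example() shows that a request without the Receiver User-Agent falls through to the catch-all profile, and that a client can trivially choose which profile it gets.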
Authentication Policies
• Define authentication source
• Local
• RADIUS
• LDAP
• TACACS
• NT4
• CERT
Groups
• Define user groups to apply policies and settings
Web Interface Configuration
The Callback
• WI makes a callback to the SSL VPN VIP (the AGEE virtual server)
• Retrieves information over HTTPS such as the farm, the vServer entity name, the session policy used, etc.
• Values are sent to the XenApp server to generate the SmartAccess control set
SmartAccess Workflow
(Diagram: external workstation -> AGEE in the DMZ on 443 -> Web Interface on 80/443, with the Citrix XML Service/XenApp and LDAP on 389/636 on the internal network. The callouts, in order:)
Pre-authentication
• User accesses the AGEE VPN virtual server; the pre-authentication EPA ActiveX control is downloaded and scans the client
• The EPA ActiveX control sends its results back to AGEE; on pre-authentication EPA success, AGEE returns the login page
Authentication
• User supplies credentials to the logon page; Access Gateway passes them to the directory service (LDAP 389/636) for validation
• Post-authentication session-policy EPA checks are done with the existing EPA ActiveX control and the results are returned to AGEE
Web Interface and SmartAccess
1) AGEE does an HTTP redirect to the "Smart Access" Web Interface site configured in the session profile's '-homepage'
2) Web Interface returns a 401; AGEE detects that this is a Web Interface server and sends the credentials via the custom AGCitrixBasic HTTP header (the SSO pass-through option)
3) Web Interface makes an XML callback to the AGEE VPN virtual server URL preconfigured on WI, presenting the SessionToken, and AGEE returns the EPA results to WI
4) A SessionToken is also provided to Web Interface
• Web Interface authenticates the credentials against the Citrix XML Service, which validates them and returns the user's application set; WI generates the "Smart Access" application set page and sends it back to the user
STA Configuration
• STA must be configured on Access Gateway
Published Application Launch Process
(Diagram: external workstation -> Access Gateway in the DMZ on 443 -> Web Interface and STA on 80/443 and XenApp on 1494/2598 on the internal network. The steps, in order:)
1. User clicks the application icon.
2. Web Interface contacts the Citrix XML Service to determine the least-loaded XenApp server hosting the application.
3. XML Service returns the XenApp IP address.
4. Web Interface contacts the STA to exchange the XenApp IP address for an STA ticket.
5. Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket.
6. The ICA file is sent back to the client device.
7. The ICA Client sends the ICA request to Access Gateway.
8. Access Gateway contacts the STA to validate the ticket and exchange it for the XenApp IP address.
9. Access Gateway initiates the ICA session to XenApp (1494/2598); the ICA session is established.
• The client only ever holds the ticket and the gateway FQDN; the internal XenApp address is known to WI, the STA and Access Gateway, which is why the STA must be reachable from both WI and the gateway.
Lab 3 – Access Gateway
Objectives:
» Configure components for AG
» Launch application using SSL
» Configure EPA and SmartAccess
Lab 3 Discussion
• What other authentication methods are relevant to us?
• What does clientless access really mean?
Global Server Load Balancing
GSLB Overview
• Load balance services between separate locations
• Typical uses include:
• Distribution of network traffic across multiple sites
• Distribution of server load across multiple sites
• Disaster recovery
• Relies on DNS for directing client requests
• Share the state & status of various geographically distributed
servers
DNS & GSLB
• Step 1: Client sends a DNS request to the local DNS (LDNS) server
• Step 2: The LDNS server sends the request to the ADNS
service/DNS vServer on the system
• Step 3: The ADNS service/DNS vServer responds with the IP
address of the LB vServer on the best-performing Site
GSLB Entities
(Diagram: the LDNS resolving against the GSLB entities on the NetScaler)
Web Interface on NetScaler
Web Interface on NetScaler
• Feature is available on 9.3 (RTW 3/30)
• MPX and nCore VPX – not available on classic
• Web Interface version 5.4
• There are two packages that need to be installed on NS
• 1. Web Interface files
• 2. Java Runtime Environment
WIonNS Licensing
• The feature is only licensed on NetScaler Standard,
Enterprise, and Platinum
• It is not licensed on CAG-EE
• Not visible in the GUI license window yet
Limitations
• JSP with JAVA Servlet support
• Functionally equivalent except for the authentication limitations listed below
• Case sensitive sites
• Manual site customization
• Limited on-box authentication
• Kerberos, Smart Card, RSA Windows Password Integration, or Pass-Through
authentication methods are not supported
• Limited Scale on low-end platforms
WIonNS Firewall Changes
(Diagram: firewall rules before and after moving Web Interface onto the NetScaler)
Lab 4 – Web Interface on NetScaler
Objectives:
» Configure WI on NS
Lab 4 Discussion
• What are the pros/cons to WI on NS?
Best Practices
IA Top 10
• WI Load Balancing – Cookie insert with a timeout of 0 (a session cookie that expires with the browser session)
• XML Load Balancing – No persistence
• Use the built-in WI/XML monitor
• Disable unused features and modes
• For load balancing, have a Switch license
IA Top 10, continued
• Redirect 80 to 443 for AG vServer
• Use GSLB for multiple data centers across various regions
• EPA used with SmartAccess
• Use split DNS for internal access to AG
• No external access to NSIP and SNIP
Lab 5– Putting It All Together
Referenced Links
• AG Pre-Installation Checklist - http://support.citrix.com/article/CTX109588
• How to Configure a Backup VServer - http://support.citrix.com/article/CTX125511
• Configuring and Monitoring Persistence on NetScaler
• Planning Guide: Load Balancing Web Interface with NetScaler - http://support.citrix.com/article/CTX128563
• Does Use Source IP Mode Work in a NetScaler One-arm Mode Deployment? - http://support.citrix.com/article/CTX110459
• NetScaler VPX Licensing Guide - http://support.citrix.com/article/CTX122426
• Web Interface 5.3 Reports Error Pertaining to HTTP Header 'User-Agent' - http://support.citrix.com/article/CTX124858
• How to Configure the Redirect URL Feature - http://support.citrix.com/article/CTX108946