SYN 609: Front-ending and Load Balancing XenDesktop and XenApp with NetScaler
Hands-on Lab Exercise Guide
Richard Nash, April 2014

Contents
Overview
Scenario
Exercise 1: Initial Configuration and Licensing
Exercise 2: Deploying the NetScalers as a High Availability Pair
Exercise 3: Load Balancing StoreFront Servers
Exercise 4: Load Balancing XenDesktop Delivery Controllers
Exercise 5: Configuring NetScaler Gateway for Secure Access
Exercise 6: Configuring StoreFront for use with NetScaler Gateway
Exercise 7: Testing Access to XenDesktop
Exercise 8: Smart Access with NetScaler Gateway
Exercise 9: Using NetScaler Gateway Filters with XenDesktop

Overview

Hands-on Training Module Objective
This training provides hands-on experience with using NetScaler VPX virtual appliances to load balance, monitor, and secure a XenDesktop deployment.

Prerequisites
This training focuses on using NetScaler to front-end a working XenDesktop deployment. It is assumed that the student already knows how to deploy XenDesktop.

Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Architects, and Technical Support

Lab Environment Details
The system diagram of the lab appears in the original guide (not reproduced here). The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop.

Lab Guide Conventions
A warning symbol indicates that particular attention must be paid to a step.
Bold text indicates a reference to a button, object, or text to enter.
A highlight (R:255 G:20 B:147) focuses attention on a particular part of the screen.

List of Virtual Machines Used
VM Name               IP Address      Description / OS
Student Desktop       192.168.10.10   Windows 7 Professional
AD.training.lab       192.168.10.11   Windows Server 2012 R2, Active Directory Domain Controller
DC1                   192.168.10.20   Windows Server 2012 R2, XenDesktop 7.1 Delivery Controller
DC2                   192.168.10.21   Windows Server 2012 R2, XenDesktop 7.1 Delivery Controller
NS1                   192.168.10.200  NetScaler VPX 450000
NS2                   192.168.10.205  NetScaler VPX 450000
SF1                   192.168.10.24   Windows Server 2012 R2, StoreFront 2.1 Server
SF2                   192.168.10.25   Windows Server 2012 R2, StoreFront 2.1 Server
SQL1                  192.168.10.26   Windows Server 2012 R2, SQL Server 2012 Express
Win7Client            DHCP            Windows 7 Professional
Win8Desktop1 thru 3   DHCP            Windows 8.1, Virtual Desktops
WIN2012R21 thru 3     DHCP            Windows Server 2012 R2, Shared Desktops and Applications

Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises:

VM Name            Password    Description
All Windows VMs    Citrix123   Password for the Domain Administrator
All Windows VMs    Citrix456   Password for the Local Administrator
NS1 and NS2        nsroot      nsroot is both the username and the password

How to Log into the Lab Environment
Launch your web browser and go to http://spoprod.citrixvirtualclassroom.com/. Enter your information, then follow the directions to access the lab environment for session 609.

Scenario
The AnyCo company has deployed a working XenDesktop VDI solution that provides Windows 8.1 virtual desktops to users, as well as shared desktops and applications from Windows Server 2012 R2 servers. You have been hired to add NetScaler application delivery controllers in a high availability pair to provide load balancing of the critical components, and also to provide the necessary security using the NetScaler Gateway feature. Your task is to use the guidelines outlined below to implement a solution that meets the business needs.
Guidelines:
- Two NetScaler VPX virtual appliances need to be deployed in a high availability pair, and all traffic into the XenDesktop deployment will be routed through them.
- AnyCo's XenDesktop deployment has two Delivery Controllers and two StoreFront servers. These need to be load balanced and monitored for high availability using the NetScaler's load balancing and monitoring capabilities.
- AnyCo wants the IT staff alerted via SNMP if a Delivery Controller or StoreFront server fails.
- AnyCo's internal deployment needs to be protected from unauthorized access and attack using NetScaler Gateway.
- AnyCo wants the XenDesktop-delivered resources to be granularly allowed or denied based on various criteria.
- Users who accidentally fail to specify SSL-encrypted HTTPS will be automatically redirected to the more secure protocol.

Exercise 1
Initial Configuration and Licensing

Overview
To save time in the lab environment, two NetScaler VPX virtual machines have already been imported into the XenServer hypervisor. For more information on how to import NetScaler VPX virtual appliances into your chosen hypervisor, see http://support.citrix.com/proddocs/topic/netscaler-10-1/ns-gen-nsvpx-wrapper-con-10.html.

The NetScalers now need to be configured for initial use and licensed. The initial configuration establishes the management IP address (the NSIP) of each NetScaler. To save time, the appropriate licenses for the NetScalers have been copied to a backup directory on each NetScaler. The license file needs to be placed into the correct directory on the NetScaler, and then the NetScaler needs to be rebooted.

This exercise introduces you to the Command Line Interface (CLI) of the NetScaler and to its BSD shell. It also introduces using the PuTTY utility to reach the CLI of the NetScaler from a remote machine.

Step by step guidance
The lab environment virtual machines required for this exercise are:
- NetScaler VPX appliance NS1
- NetScaler VPX appliance NS2
- Win7Client

Estimated time to complete this lab: 20 minutes.

1. Start the virtual machines NS1, NS2, and Win7Client if they are not already running. The AD.training.lab virtual machine should already be running. If not, start it.

2. Go to the console of NS1. Since there is no ns.conf file, the appliance prompts you to set its NSIP. Enter the following when prompted:
   IPv4 address: 192.168.10.200
   Netmask: 255.255.255.0
   Gateway IPv4 address: 192.168.10.1
   Select choice 4, "Save and quit", by pressing Enter. The NetScaler will restart.

3. Go to the console of NS2. Again, since there is no ns.conf file, the appliance prompts you to set its NSIP. Enter the following when prompted:
   IPv4 address: 192.168.10.205
   Netmask: 255.255.255.0
   Gateway IPv4 address: 192.168.10.1
   Select choice 4, "Save and quit", by pressing Enter. The NetScaler will restart.

4. After giving the NetScalers time to restart, go to the Win7Client virtual machine and log in as Administrator in the Training domain using the password Citrix123.

5. On the desktop, double-click putty.exe. Enter 192.168.10.200 for the Host Name and click Open. In the PuTTY Security Alert dialog box (the SSH host key of NS1 is not yet cached), click Yes. Log in as nsroot with nsroot as the Password. You are now logged into the Command Line Interface (CLI) of the NS1 NetScaler. Outside the lab, verify the host key fingerprint before accepting it, and change the default nsroot password.

6. Type show license to reveal that the NetScaler is not yet licensed. No features will work at this time.

7. Type shell and press Enter to get into the NetScaler's BSD shell. This gives you access to the NetScaler's file system. The prompt changes to end with a pound sign (#).

8. We will now copy a license file to the proper location for the NetScaler. Type the following case-sensitive command, then press Enter:
   cp /var/license_backup/NetScaler_VPX1_PLT.lic /nsconfig/license
   Note: there is a space after cp and a space after .lic; there are no other spaces. Use tab completion to make the typing easier. If you get no error messages, the copy was successful.

9. Type exit to leave the BSD shell and return to the NetScaler prompt, which changes back to a simple greater-than (>) sign. Let's change the prompt to give us more information: type set prompt NS1 and press Enter.

10. When licenses are added to a NetScaler, it must be restarted. Type reboot and press Enter, followed by y and Enter, to reboot the NetScaler.

11. On the Win7Client desktop, double-click putty.exe again. Enter 192.168.10.205 for the Host Name and click Open. In the PuTTY Security Alert dialog box, click Yes. Log in as nsroot with nsroot as the Password. You are now logged into the CLI of the NS2 NetScaler.

12. Type show license to reveal that the second NetScaler is not yet licensed. No features will work at this time.

13. Type shell and press Enter to get into the NetScaler's BSD shell. The prompt changes to end with a pound sign.

14. Type the following case-sensitive command, then press Enter:
   cp /var/license_backup/NetScaler_VPX2_PLT.lic /nsconfig/license
   Note: there is a space after cp and a space after .lic; there are no other spaces. If you get no error messages, the copy was successful.

15. Type exit to leave the BSD shell and return to the NetScaler prompt. Type set prompt NS2 and press Enter. Then type reboot and Enter, followed by y and Enter, to reboot the second NetScaler.

16. From the Win7Client desktop, using PuTTY, log in to each NetScaler's CLI, type show license, and press Enter.
Both appliances should now list their licensed features (the original guide shows a screenshot of the expected output).

Exercise Summary
In this exercise, you learned how to do the initial configuration of a NetScaler VPX appliance (setting the NSIP) and how to license the appliance. You also learned how to connect to the CLI of the NetScaler from a remote machine using PuTTY, and how to set the NetScaler prompt.

Exercise 2
Deploying the NetScalers as a High Availability Pair

Overview
In this exercise, you will configure the two NetScaler appliances as a High Availability (HA) pair. You will also be introduced to the NetScaler Configuration Utility (the Graphical User Interface, or GUI).

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. On the Win7Client virtual machine, launch Internet Explorer. Type http://192.168.10.200 for the URL. This opens the login page of the Configuration Utility. Click the Show Options link on the login page to see the options available.

2. One useful option is to extend the time allowed before the Configuration Utility times out. Another is to increase the Java memory the application is allowed to use. Enter nsroot for the User Name and nsroot for the Password and click Login.

3. The Welcome configuration wizard starts automatically. The previously set NSIP and Netmask are already entered. Enter 192.168.10.220 for the Subnet IP address and 255.255.255.0 for the Subnet Netmask. Enter NS1 for the Hostname and 192.168.10.11 for the DNS address. Click Continue. Ordinarily it would be a good idea to check Change Administrator Password: an appliance reachable with the default nsroot/nsroot credentials is trivially taken over. For the purposes of the lab environment, however, leave the password as the default, nsroot.

4. This wizard could also have been used to license the NetScaler. Since our NetScalers are already licensed, click Continue on the next screen of the wizard and then click Done on the last screen.

5.
Expand Traffic Management on the left side of the Configuration Utility, then click SSL. On the right side, click Import PKCS#12.

3. Enter wccert.pem for the Output File Name. On the PKCS12 File line, use the pull-down arrow to select Local, then choose Browse. This lets you browse the file system of the Win7Client machine. Browse to C:\ and choose WildcardCert.pfx and click Open. When the certificate was originally exported, it was protected with the password Citrix123. Enter that into the Import Password field and click OK.

4. On the left side, expand SSL and click Certificates. On the right side, click Install...

5. For the Certificate-Key Pair Name, enter WildcardCert. For the Certificate File Name, click the down arrow, choose Appliance, then click Browse. Select wccert.pem and click Open. Do the same for the Key File Name. The Certificate Format is PEM and the Password is Citrix123. Check Notify When Expires and set the Notification Period to 30 days. Click Create. The WildcardCert certificate is now ready to use on the NetScaler and will work for any address that ends with training.lab.

6. Don't click Close yet. While we are here, let's install another certificate that we will use in a later exercise. When we configure the NetScaler Gateway for external access, we will need a wildcard certificate for any address that ends with mycitrixtraining.net. The files for this are already on the NetScaler, but they need to be installed. Change the Certificate-Key Pair Name to MCTWildcardCert. For the Certificate File Name, browse on the appliance to MCTWildcard.cer. For the Key File Name, browse the appliance for MyCitrixTraining.key. No password is needed. Click Create.

7. Don't click Close yet. This certificate was issued by an intermediate CA, so clients can only build a trusted chain if the NetScaler sends the intermediate certificate along with it. We need to install the intermediate certificate and then link it to this one. Change the Certificate-Key Pair Name to MCTIntermediateCert. For the Certificate File Name, browse on the appliance to MCTIntermediate.cer. No Key File Name or Password is necessary. Click Create. Now click Close.

8. Right-click MCTWildcardCert and choose Link... MCTIntermediateCert should already be selected. Click OK. MCTWildcardCert is now ready for us to use later.

9. Load balancing requires a number of objects:
   - Servers that actually do the work being balanced
   - Services that describe the work, and the port and protocol used
   - A virtual server with a virtual IP address that receives incoming client requests
   - A monitoring mechanism, so the load balancer knows when a service is down
   - A persistence method, if necessary
   One way to keep all this straight is to use the NetScaler Load Balancing Wizard. On the left side, under Traffic Management, click Load Balancing. On the right, choose Load Balancing wizard.

10. If you encounter a confirmation message at any time while using the Configuration Utility, click Yes.

11. Click Next on the Introduction dialog box. Type SFService1 for the new service's Name. Then click New... on the right side to create a new Server instance.

12. Name this first server sf1. Click the Domain Name button and enter sf1.training.lab for the Domain Name. Click Create.

13. Choose SSL for the Protocol; the Port changes to 443 for you. Click Add to place this service in the list.

14. The dialog box stays open so that we can create another service. Change the name to SFService2 and click the New... button again.

15. Name the new server instance sf2. Click the Domain Name button and enter sf2.training.lab into the Domain Name field. Click Create.

16. Click the Add button to enter the new service into the list. These are all the services we're going to load balance, so click Next.

17. Type SF_vServer for the virtual server name. Enter 192.168.10.225 for the IP address. This automatically becomes a VIP on the NetScaler. Choose SSL for the Protocol; the Port automatically changes to 443. The LB Method can remain the default, Least Connection. Select both of the Available Services and click Add> to move them into the Configured Services list. Click the pull-down arrow beside Certificate and choose the WildcardCert certificate we installed earlier. Click Next.

18. Click Finish, then Exit to end the wizard.

19. In the Configuration Utility, under Traffic Management and then Load Balancing, click Servers to see the two StoreFront servers we created.

20. Click Services to see the StoreFront services we created.

21. Click Virtual Servers to see the virtual server we created.

22. Click the SF_vServer virtual server, then click Open... (or just double-click it). This exposes the virtual server's properties.

23. Click the Method and Persistence tab. Change the Persistence type to CookieInsert and the Time-out to 0 (a session cookie with no expiry). Change the Backup Persistence to SourceIP with a Time-out of 30 (minutes), and set the IPv4 Netmask to 255.255.255.255 so that each client address is tracked individually. Click OK. The backup method is used for clients that do not return the cookie.

24. When monitoring services, NetScaler uses a TCP monitor by default. This is not the most intelligent choice for StoreFront: a TCP connect succeeds as long as IIS is listening, even when the store itself is broken. NetScaler 10.1 has a monitor type specifically for StoreFront. Let's use it. In the Configuration Utility, under Traffic Management, choose Load Balancing, then Monitors. A StoreFront monitor is not in the list of already configured monitors, so click Add...

25. Type StoreFront for the Name and pull down the list to the right of Type. Select STOREFRONT at the bottom of the list. On the Standard Parameters tab, check the Secure box, since StoreFront expects outside traffic to be HTTPS.

26. Click the Special Parameters tab and enter CorporateStore for the Store Name. (CorporateStore is the StoreFront store name created when the StoreFront servers were configured.) Click Create, then click Close.

27. In the Configuration Utility, under Traffic Management and then Load Balancing, select Services. On the right side, you will see the two services we configured. Double-click SFService1 to open its properties. Click the Monitors tab and scroll down to find the new monitor we just created, StoreFront. Click the Add> button to move StoreFront into the Configured list. Click OK.

28. Using the same steps, apply the StoreFront monitor to SFService2.

29. In the top right corner of the Configuration Utility, click the disk icon and confirm to save the running configuration.

30. Go to the AD.training.lab virtual machine. Log on as Administrator with the password Citrix123. From Administrative Tools, double-click DNS to open the DNS Manager. In the left pane, click the training.lab zone.

31. In the right pane, double-click the connect host record to open its properties. Change the address from 192.168.10.24 (the SF1 server) to 192.168.10.225 (the NetScaler VIP that load balances both StoreFront servers). Click OK.

32. On the Win7Client machine, open a browser and connect to https://connect.training.lab. Log in as training\administrator with the password Citrix123. StoreFront should present the XenDesktop resources. Log off StoreFront.

33. AnyCo wants any user who points a browser at StoreFront to use HTTPS, even if the user doesn't think to type https:// into the browser. We will use the NetScaler to make this redirect for us. In the NetScaler Configuration Utility, under Traffic Management and then Load Balancing, choose Virtual Servers. On the right side, choose Add... to create a new virtual server.

34. Enter SF_vServer-Redirect for the name. Set the protocol to HTTP. Enter 192.168.10.225 as the IP Address (port 80), then click the Advanced tab. Enter https://connect.training.lab for the Redirect URL. Click Create, then Close.

35.
The new SF_vServer-Redirect virtual server shows as Down because we did not bind any services to it. When a user makes a request to a down vserver that has a redirect URL, the NetScaler sends the user to that URL instead. Right-click it and choose Disable. This shows that it is purposely out of service.

36. Point the browser at http://connect.training.lab to verify that it is redirected to https://connect.training.lab.

37. One advantage of using NetScaler for load balancing is its ability to report when a service goes down. AnyCo wants to use SNMP for this. On Win7Client, in the Configuration Utility, on the left, expand System, then expand SNMP, and click Community. Click Add...

38. Enter public for the Community String and click Create, then Close. (The lab uses the well-known default community; in production, use a non-default string, or SNMPv3, which the NetScaler also supports.)

39. Under SNMP, choose Traps. Click Add... Enter 192.168.10.101 for the Destination IP Address. (We don't have an SNMP console in the lab, so it doesn't really matter what address is used here. In a production environment, you would want an SNMP management console installed, such as Citrix Command Center.) Use the pull-down arrow to choose 192.168.10.220 as the Source IP Address. This is the NetScaler's SNIP. Click Create, but don't click Close yet.

40. Click the Specific button and fill in 192.168.10.101 for the Destination IP Address. Choose 192.168.10.220 for the Source IP Address. Choose Critical for Minimum Severity. Click Create, then click Close.

41. From the Win7Client desktop, start PuTTY, type 192.168.10.200 as the Host Name, and click Open. Log in as nsroot with nsroot as the password. At the prompt, type shell and press Enter. Then type tail -f /var/log/ns.log (there is a space after tail and a space after -f) and press Enter. This shows the end of the NetScaler's syslog in real time. Anything that happens on the NetScaler will show here.

42. From XenCenter, in the far left pane, right-click the SF2 server, choose Shut Down, and confirm the action.

43. Switch to the Win7Client machine and watch the PuTTY window showing the syslog. Notice the EVENT MONITORDOWN and EVENT DEVICEDOWN alerts. You can also see that the NetScaler sent an SNMP trap with the entityDown message.

44. Right-click SF2 and choose Start. Switch back to Win7Client and watch for the alerts and the SNMP trap. When you are done, in the PuTTY window, press Ctrl-C to return to the BSD shell. Type exit and press Enter to return to the NetScaler prompt. Type save config and press Enter to save the running configuration. When you see Done, close the PuTTY window.

Exercise Summary
In this exercise, we learned how to import and install an SSL certificate for use on the NetScaler. We then created server objects that point to the two StoreFront servers, services that specify the protocol and port used on those servers, and a virtual server object for client access to the services, and assigned the certificate to the virtual server. We used the Load Balancing wizard to create these. We also saw how to set persistence and backup persistence and how to replace the default TCP monitor with a custom StoreFront monitor. We configured a virtual server on the NetScaler that automatically redirects users from HTTP to HTTPS when they type in the URL to access StoreFront. Finally, we configured SNMP to send traps when a load balanced service goes down.

Exercise 4
Load Balancing XenDesktop Delivery Controllers

Overview
Currently, the XenDesktop deployment has StoreFront sending all requests to DC1. This works, because DC2 is listed as a failover server, but it would be more efficient for the NetScaler to balance the load between DC1 and DC2. In this exercise, we will see how to load balance the Delivery Controllers and how to monitor them.

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. If the Configuration Utility isn't already pointed at NS1, open Internet Explorer on Win7Client and enter 192.168.10.200 for the URL. Log in as nsroot. In the left pane of the Configuration Utility, under Traffic Management, click Load Balancing. On the right side, choose Load Balancing wizard for Citrix XenDesktop.

2. Click Next on the Introduction. We are using StoreFront, not Web Interface, so click Skip on the Load Balance WI servers page.

3. On the Load Balance DDC servers page, enter 192.168.10.230 for the virtual IP address of the new virtual server. Change the port to 80 and the protocol to HTTP. Under DDC Servers, enter the first DC address, 192.168.10.20, with port 80, and click Add. Do the same for the second DC, 192.168.10.21. Click Next, then Finish on the next screen, then Exit.

4. Under Load Balancing, click Virtual Servers to see the new virtual server you created, named XD-DDC_192.168.10.230_80_lbvip. Right-click it, choose Rename, and name it XD71_vServer.

5. Double-click XD71_vServer to see its properties. Click the Service Groups tab to see that the wizard made a service group instead of two separate services. Click the Method and Persistence tab. The default load balancing method of Least Connection is fine, and no persistence is necessary for load balancing DCs. Click Close.

6. Under Load Balancing, click Service Groups to see the new service group consisting of the two DCs you specified. Right-click it, choose Rename, and rename it XD71_ServiceGroup.

7. Double-click the service group to open its properties. Click the Monitors tab to see that a custom monitor has been configured for you. Click Close.

8. Under Load Balancing, choose Monitors. Scroll down the list until you see the XD_DDC_192.168.10.230_80_mn monitor. Notice that it is of the CITRIX-XD-DDC type, which talks to the XenDesktop broker rather than just testing the TCP port. Double-click it to see its properties. Click Close.

9. Under Load Balancing, choose Servers. Notice the two new servers, the XenDesktop Delivery Controllers, listed by their IP addresses. Right-click 192.168.10.20 and rename it dc1. Change 192.168.10.21 to dc2.

10. Click the disk icon in the top right corner of the Configuration Utility to save the NetScaler running configuration.

11. Go to the SF1 virtual machine and log in as training\administrator with the password Citrix123. From the Start screen, launch Citrix StoreFront. On the left side, click Stores. In the center pane, make sure that Corporate Store is selected. On the right side, choose Manage Delivery Controllers.

12. Click the Controller entry and choose Edit...

13. Remove the two Delivery Controllers in the list, dc1.training.lab and dc2.training.lab.

14. Click Add... and enter the address of the XD71_vServer, 192.168.10.230. Click OK, OK, and OK again to close the dialog boxes.

15. In the left pane, choose Server Group. In the right pane, click Propagate Changes and confirm by clicking OK. Click OK at the success message. Now all StoreFront-to-Delivery-Controller traffic will be load balanced and monitored by the NetScaler, and SNMP traps will be sent if a Delivery Controller fails.

16. Let's test to make sure that we've done everything right. From the Win7Client virtual machine, open a browser and go to http://connect.training.lab (which should redirect to HTTPS). Log in as training\user1. All the XenDesktop resources should be available. Log off.

Exercise Summary
In this exercise, we used the XenDesktop load balancing wizard to create servers, a service group, and a load balancing vServer for the two XenDesktop Delivery Controllers. We also saw that the wizard created a custom monitor of the CITRIX-XD-DDC type. We then reconfigured StoreFront to use the NetScaler's vServer so that all traffic from StoreFront to the DCs is load balanced.
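Everything clicked through the Configuration Utility in Exercises 2 through 4 has a NetScaler CLI equivalent, and the syslog watched in Exercise 3 steps 41 to 44 can be checked with grep instead of by eye. The following is an added example and is not part of the Citrix lab guide: a script for the NetScaler's BSD shell (or any POSIX shell) that writes those CLI commands to a batch file, to be applied afterwards from the NetScaler CLI with batch -fileName (the script does not run it), and that counts the MONITORDOWN, DEVICEDOWN and entityDown trap lines in a constructed ns.log excerpt. Assumptions not in the guide: WildcardCert.pfx has already been copied to /nsconfig/ssl on NS1, the batch mechanism ignores lines starting with #, XD71_DDC_mon stands in for the wizard-generated monitor name, and the log lines are constructed approximations of the real format.

```shell
#!/bin/sh
# Added example, not from the lab guide: the NetScaler 10.1 CLI equivalent of the GUI
# work in Exercises 2-4, written to a batch file for NS1, plus a grep over a constructed
# ns.log excerpt like the one watched in Exercise 3 steps 41-44.
# Apply the batch afterwards from the NetScaler CLI (not done by this script):
#   > batch -fileName /var/tmp/anyco_lb.txt
# Assumptions: WildcardCert.pfx has been copied to /nsconfig/ssl on NS1; batch skips
# lines starting with #; XD71_DDC_mon is used instead of the wizard-generated monitor name.

write_anyco_batch() {
  out="$1"
  cat > "$out" <<'EOF'
# Exercise 2: basic settings and HA (run the mirror "add ha node 1 192.168.10.200" on NS2)
set ns hostName NS1
add ns ip 192.168.10.220 255.255.255.0 -type SNIP
add dns nameServer 192.168.10.11
add ha node 1 192.168.10.205
enable ns feature LB SSL SSLVPN AAA
# Exercise 3: certificates. Convert the PKCS#12 first, interactively, since it prompts:
#   convert ssl pkcs12 wccert.pem -import -pkcs12File WildcardCert.pfx -password
add ssl certKey WildcardCert -cert wccert.pem -key wccert.pem -passplain Citrix123 -expiryMonitor ENABLED -notificationPeriod 30
add ssl certKey MCTWildcardCert -cert MCTWildcard.cer -key MyCitrixTraining.key
add ssl certKey MCTIntermediateCert -cert MCTIntermediate.cer
link ssl certKey MCTWildcardCert MCTIntermediateCert
# Exercise 3: StoreFront servers, SSL services, store-aware monitor, vserver with persistence
add server sf1 sf1.training.lab
add server sf2 sf2.training.lab
add service SFService1 sf1 SSL 443
add service SFService2 sf2 SSL 443
add lb monitor StoreFront STOREFRONT -storename CorporateStore -secure YES
bind service SFService1 -monitorName StoreFront
bind service SFService2 -monitorName StoreFront
add lb vserver SF_vServer SSL 192.168.10.225 443 -lbMethod LEASTCONNECTION -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30
bind lb vserver SF_vServer SFService1
bind lb vserver SF_vServer SFService2
bind ssl vserver SF_vServer -certkeyName WildcardCert
# Exercise 3: HTTP-to-HTTPS redirect (no services bound, disabled on purpose)
add lb vserver SF_vServer-Redirect HTTP 192.168.10.225 80 -redirectURL "https://connect.training.lab"
disable lb vserver SF_vServer-Redirect
# Exercise 3: SNMP community and trap destinations
add snmp community public ALL
add snmp trap generic 192.168.10.101 -srcIP 192.168.10.220
add snmp trap specific 192.168.10.101 -srcIP 192.168.10.220 -severity Critical
# Exercise 4: Delivery Controllers as a service group with the XD-DDC monitor
add server dc1 192.168.10.20
add server dc2 192.168.10.21
add serviceGroup XD71_ServiceGroup HTTP
bind serviceGroup XD71_ServiceGroup dc1 80
bind serviceGroup XD71_ServiceGroup dc2 80
add lb monitor XD71_DDC_mon CITRIX-XD-DDC
bind serviceGroup XD71_ServiceGroup -monitorName XD71_DDC_mon
add lb vserver XD71_vServer HTTP 192.168.10.230 80 -lbMethod LEASTCONNECTION
bind lb vserver XD71_vServer XD71_ServiceGroup
save ns config
EOF
  echo "$out"
}

# Number of real commands in a batch file (comment lines excluded).
batch_command_count() { grep -c -v '^#' "$1" || true; }

# Constructed ns.log excerpt approximating what step 43 shows when SF2 is shut down
# (the real lines carry the same EVENT / SNMP TRAP_SENT tokens but differ in detail).
write_sample_nslog() {
  out="$1"
  cat > "$out" <<'EOF'
Apr 10 14:02:11 <local0.info> 192.168.10.200 04/10/2014:14:02:11 GMT NS1 0-PPE-0 : default EVENT MONITORDOWN 215 0 :  Monitor StoreFront(192.168.10.25:443) on SFService2 - State DOWN
Apr 10 14:02:11 <local0.info> 192.168.10.200 04/10/2014:14:02:11 GMT NS1 0-PPE-0 : default EVENT DEVICEDOWN 216 0 :  Service SFService2(192.168.10.25:443) - State DOWN
Apr 10 14:02:11 <local0.info> 192.168.10.200 04/10/2014:14:02:11 GMT NS1 0-PPE-0 : default SNMP TRAP_SENT 217 0 :  entityDown (entityName = "SFService2", entityIP = "192.168.10.25")
Apr 10 14:05:40 <local0.info> 192.168.10.200 04/10/2014:14:05:40 GMT NS1 0-PPE-0 : default EVENT MONITORUP 218 0 :  Monitor StoreFront(192.168.10.25:443) on SFService2 - State UP
EOF
  echo "$out"
}

# What to look for while tailing ns.log: service/monitor DOWN events and entityDown traps.
# grep -c exits 1 when the count is 0, so keep the "0" and ignore the status.
down_events()      { grep -c -E 'EVENT (MONITOR|DEVICE)DOWN' "$1" || true; }
entitydown_traps() { grep -c 'SNMP TRAP_SENT .*entityDown' "$1" || true; }

tmp="${TMPDIR:-/tmp}"
batch="$(write_anyco_batch "$tmp/anyco_lb.txt")"
echo "$batch: $(batch_command_count "$batch") commands"
log="$(write_sample_nslog "$tmp/ns_sample.log")"
echo "down events: $(down_events "$log"), entityDown traps: $(entitydown_traps "$log")"
```

The batch file carries the private-key passphrase and the SNMP community in clear text, so remove it from the appliance once it has been applied. The HA command only registers NS2 on NS1; NS2 needs the mirror command with NS1's NSIP, which is what the GUI does for you when it asks for the peer's credentials.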
Exercise 5
Configuring NetScaler Gateway for Secure Access

Overview
Protecting your XenDesktop deployment from unauthorized access is very important. The NetScaler Gateway is the state of the art product for secure front-ending of XenDesktop. In this exercise you will learn how to configure NetScaler Gateway for secure external access.

Step by step guidance
Estimated time to complete this lab: 25 minutes.

1. The portal information you were given includes the external public address for your lab environment. You will need this information for this lab.

2. On the Win7Client virtual machine, use Internet Explorer and point to http://192.168.10.200. Log into the Configuration Utility as nsroot. On the left side, click on NetScaler Gateway. On the right side, click on the Configure NetScaler Gateway for Enterprise Store wizard.

3. Click on the Get Started button on the Welcome screen.

4. Enter RemoteAccess for the Name. Type 192.168.10.235 in the IP Address field. Check the box Redirect requests from port 80 to secure port. For the Gateway FQDN, enter the public address for your lab, but with dashes instead of dots, followed by .mycitrixtraining.net. For example, if your public address is 75.126.81.3, the Gateway FQDN would be 75-126-81-3.mycitrixtraining.net. This is done because when we access the lab environment from the outside, your external address will be translated to 192.168.10.235. Click Continue.

5. Click the button for Choose Certificate. This is where we will use the certificate we installed in a previous exercise. On the Certificate line, click the down arrow and choose MCTWildcardCert. Click Continue. Click Continue.

6. We are using Active Directory (LDAP) for authentication, so choose LDAP for Primary Authentication. Click Configure New. Enter 192.168.10.11 for the IP Address. Enter cn=Users, dc=training, dc=lab for the Base DN, and cn=Administrator, cn=Users, dc=training, dc=lab for the Admin Base DN. Type sAMAccountName for the Server Logon Name Attribute, and enter Citrix123 for both Password fields. Important! Double-check your typing. Click Continue.

7. Click the button for XenApp / XenDesktop. Change the Deployment Type to StoreFront. Enter connect.training.lab for the StoreFront FQDN. The Receiver for Web Path is /Citrix/CorporateStoreWeb. The Single Sign-on Domain is training.lab. Enter http://dc1.training.lab for the STA URL. Click Done.

8. Close the NetScaler Gateway monitor window.

9. In the Configuration Utility, under NetScaler Gateway, click on Virtual Servers to see the virtual server you just created. On the right side, double-click on the RemoteAccess virtual server. Here you can see, change, or add to the properties that were configured in the wizard. Click the Published Applications tab. In the Secure Ticket Authority section, click Add.

10. Enter http://dc2.training.lab and click Create. This adds a second STA for redundancy.

11. Click the Policies tab. Here you can see the session policies and profiles made for you by the wizard. Double-click the first profile entry.

12. This shows the settings that will be applied to the traffic through the Gateway. Click on the Client Experience tab and review the settings.

13. Click on the Security tab and review the settings. Then click on the Published Applications tab.

14. Make sure that the URLs for Web Interface Address and Account Services Address both start with https. Click OK.

15. Double-click the second profile entry.

16. As before, explore the different settings. Under the Published Applications tab, make sure that the Web Interface Address starts with https://. Click OK.

17. Double-click on the first policy.

18. This shows the expressions that govern which traffic the profile applies to. The expressions allow a very wide range of client methods for remote access through the Gateway. Click Close. For more information on Gateway expressions see: http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-xmob-wizard-sessionpolicy-examples-con.html.

19. Click the Authentication tab. Then double-click on the Profile.

20. This shows the LDAP configuration. Click the Retrieve Attributes link.

21. You should receive the success message. If not, check your settings for typos or wrong information. Click OK to close the Information dialog box. Click OK to close the Configure Authentication Server dialog box.

22. Remember checking the box saying "Redirect requests from port 80 to secure port"? Let's see what the wizard did to make that happen. On the left side of the Configuration Utility, choose Traffic Management > Load Balancing > Virtual Servers. On the right side, right-click on 192.168.10.235http_redirect and choose Rename.

23. Change the name to RemoteAccess-Redirect. Click OK.

24. Double-click on the RemoteAccess-Redirect virtual server to see its properties. Click on the Advanced tab. Notice the Redirect URL that was filled in for you by the wizard. Click Close.

25. Right-click on the RemoteAccess-Redirect virtual server, choose Disable, and confirm. This way, everyone will know that this vServer is down on purpose.

Exercise Summary
In this exercise, you learned how to configure the NetScaler Gateway using the Enterprise Store wizard. The wizard led you through the process of setting an IP address, choosing a certificate, configuring LDAP authentication, and setting StoreFront information, which included the Secure Ticket Authority. After running the wizard, you went back and looked at all the components the wizard created. We added another STA and examined the session policies and profiles, along with the Authentication profile. We also tested the authentication settings for accuracy.
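The configuration the Enterprise Store wizard produces in this exercise, written as NetScaler CLI commands so that each piece the wizard hides (the SSL vserver, the LDAP action and policy, the STAs, the session profile and the port 80 redirect) can be seen and audited. This is an added reference, not the guide's or the wizard's own output; <gateway-fqdn> stands for your lab's dashed mycitrixtraining.net name, <bind-password> for the LDAP bind password, the object names other than RemoteAccess and RemoteAccess-Redirect are assumed, and the syntax is NetScaler 10.x and should be checked against your release.

```text
# Added example: CLI equivalent of the Exercise 5 wizard run. Placeholders are
# in angle brackets; LDAP_training, LDAP_training_pol, RemoteAccess_web and
# RemoteAccess_web_pol are assumed names.

# Step 4: the Gateway virtual server; -icaOnly ON is Basic mode (Exercise 8 turns it off)
add vpn vserver RemoteAccess SSL 192.168.10.235 443 -icaOnly ON

# Step 5: the wildcard certificate installed in an earlier exercise
bind ssl vserver RemoteAccess -certkeyName MCTWildcardCert

# Step 6: LDAP against the domain controller. The lab binds in clear text on 389;
# in production add -secType SSL -serverPort 636 so bind and user credentials
# are not sent unencrypted between the NetScaler and the domain controller.
add authentication ldapAction LDAP_training -serverIP 192.168.10.11 -ldapBase "cn=Users,dc=training,dc=lab" -ldapBindDn "cn=Administrator,cn=Users,dc=training,dc=lab" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName
add authentication ldapPolicy LDAP_training_pol ns_true LDAP_training
bind vpn vserver RemoteAccess -policy LDAP_training_pol -priority 100

# Step 7 and step 10: one Secure Ticket Authority per Delivery Controller
bind vpn vserver RemoteAccess -staServer http://dc1.training.lab
bind vpn vserver RemoteAccess -staServer http://dc2.training.lab

# Steps 11-16: session profile for browser users (ICA proxy on, StoreFront
# addresses over https), selected by a User-Agent expression like the wizard's
add vpn sessionAction RemoteAccess_web -transparentInterception OFF -SSO ON -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://connect.training.lab/Citrix/CorporateStoreWeb" -ntDomain training.lab
add vpn sessionPolicy RemoteAccess_web_pol "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RemoteAccess_web
bind vpn vserver RemoteAccess -policy RemoteAccess_web_pol -priority 100

# Steps 22-25: the port 80 redirect vserver, under the name given in step 23,
# and the deliberate Disable from step 25
add lb vserver RemoteAccess-Redirect HTTP 192.168.10.235 80 -redirectURL "https://<gateway-fqdn>"
disable lb vserver RemoteAccess-Redirect

save ns config

# Step 21 equivalent: confirm the LDAP bind and the bindings on the vserver
show authentication ldapAction LDAP_training
show vpn vserver RemoteAccess
```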
Exercise 6
Configuring StoreFront for use with NetScaler Gateway

Overview
Now that NetScaler Gateway is configured, we will make changes to StoreFront so that it can receive the traffic coming through the Gateway.

Step by step guidance
Estimated time to complete this lab: 15 minutes.

1. On the SF1 virtual machine, log in as Training\Administrator with the password Citrix123. From the Start screen, launch Citrix StoreFront.

2. In the StoreFront configuration snap-in, click on Authentication on the left side. On the right side, click Add/Remove Methods.

3. Check the Pass-through from NetScaler Gateway box and click OK.

4. On the left side, select NetScaler Gateway. On the right side, click Add NetScaler Gateway.

5. Fill in the Display name as Primary Gateway. Enter the NetScaler Gateway URL as https://xxx-xxx-xxx-xxx.mycitrixtraining.net, where xxx-xxx-xxx-xxx is your lab's public IP with the octets separated by dashes instead of dots. For example, if your lab's public IP was 75.126.81.3, your URL would be https://75-126-81-3.mycitrixtraining.net. Set the Logon type to Domain; the Callback URL is the same as the Gateway URL. Click Next.

6. Click the Add button to add the following Secure Ticket Authority URLs:
   http://dc1.training.lab
   http://dc2.training.lab
   Click Create. Then click Finish on the last screen.

7. On the left side, click Stores. On the right side, click Enable Remote Access.

8. Click the button for No VPN tunnel. Check Primary Gateway. Click OK.

9. On the left side, click on Beacons. The middle pane shows the default settings based on our previous configuration choices. These choices work fine for our lab. On the right side, click on Manage Beacons.

10. Here we can set different Beacon points if desired. Click Cancel.

11. On the left side, click Server Group. On the right side, click Propagate Changes.

12. Confirm that you wish to propagate the changes, and then click OK at the success message.

Exercise Summary
In this exercise, you learned how to configure StoreFront to allow traffic from the NetScaler Gateway. We added Pass-through from NetScaler Gateway to the Authentication methods and then specified the settings for the NetScaler Gateway. We specified the two STAs, enabled the Store for remote access, and propagated the changes from SF1 to SF2.

Exercise 7
Testing Access to XenDesktop

Overview
In this exercise we will test access to the XenDesktop deployment. Internal access has already been tested, but we will test again to make sure that setting up the NetScaler Gateway has not caused any unwelcome changes. We will then test external access, which comes through the NetScaler Gateway.

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. From the Win7Client virtual machine, launch a new instance of Internet Explorer and enter http://connect.training.lab for the URL. It should redirect to https://connect.training.lab/Citrix/CorporateStoreWeb. Log on as training\User1 with the password Citrix123.

2. Test to see that XenDesktop resources are available to User1.

3. Close any apps, sign off of any desktops, and log off Citrix Receiver.

4. From your local workstation (external to your lab environment), launch a browser. Navigate to http://xxx-xxx-xxx-xxx.mycitrixtraining.net, where xxx-xxx-xxx-xxx represents your lab's external IP address. It should redirect to https://. Log on as User1 with the password Citrix123.

5. If you don't already have the Citrix Receiver installed, you will be prompted to install it. Check the box I agree with the Citrix license agreement and click Install.

6. Click Run, Allow, or Yes at any security warnings or UAC prompts you may see.

7. The Citrix Receiver will take some time to download. Click Install when prompted.

8. When the installation is finished, click Finish.

9. All the XenDesktop resources available to User1 should now be accessible.

10. After testing to make sure that your access is working, log off User1 and close the browser.

Exercise Summary
In this exercise we tested access, both internal access without using the NetScaler Gateway and external access using the Gateway. We also installed the Citrix Receiver.

Exercise 8
Smart Access with NetScaler Gateway

Overview
AnyCo knows that when users access XenDesktop resources internally, they are using IT managed client devices that have adequate security software installed. However, when AnyCo employees log in from home or other external locations, they may be using unmanaged devices that don't have the required security. AnyCo has asked you to configure the NetScaler Gateway to check that a necessary process is running on each external client before allowing access.

Note: In this exercise we will use a simple process, notepad.exe, as our required "security" software. In a real production environment, this can be a commercial anti-virus program, a firewall, anti-spam software, a required file, a necessary registry entry, or a combination of these.

Step by step guidance
Estimated time to complete this lab: 25 minutes.

1. On the Win7Client virtual machine, use the Configuration Utility and navigate on the left side to NetScaler Gateway > Virtual Servers. On the right side, double-click RemoteAccess to open its properties.

2. Click the button SmartAccess Mode, then click OK.

3. On the left side, navigate to NetScaler Gateway > Policies > Pre-Authentication. On the right side, click Add…

4. Type PreAuthPol_EPAnotepad for the Name. On the Request Profile line, click the New… button.

5. Type PreAuthProfile_EPAallow for the Name. Make sure the Action is ALLOW. Click Create.

6. Below the Expression field, click Add…

7. For Expression Type, use the pull-down and choose Client Security. Under Component, use the pull-down and choose Process. Type notepad.exe in the Name field. The operator should be EXISTS. Click OK.

8. In the Create Pre-authentication Policy dialog box, click Create. Then click Close.

9. Return to NetScaler Gateway > Virtual Servers and double-click on RemoteAccess. Click the Policies tab, then click Pre-authentication. Click Insert Policy.

10. Use the pull-down to choose PreAuthPol_EPAnotepad. Then click OK.

11. On your local workstation (external to your lab environment), make sure that Notepad is not running. Launch a browser. Navigate to http://xxx-xxx-xxx-xxx.mycitrixtraining.net, where xxx-xxx-xxx-xxx represents your lab's external IP address. It should redirect to https://. You should be prompted to download and install the Citrix Endpoint Analysis Plug-in. Click Download.

12. Choose Run, Allow, or Yes on any security warnings or UAC messages you may get.

13. Click Install. Click Finish when the installation is done.

14. Click Always to grant Citrix Endpoint Analysis permission to scan your system.

15. Since Notepad was not running, you should get the Access Denied message.

16. Start Notepad on your workstation. Once Notepad is running, click the Back button in the Access Denied message to rescan. Endpoint Analysis reruns the scan. This time you should be able to log in as User1 and have access to all the resources. After testing, log off as User1 and close the browser.

Exercise Summary
In this exercise, we turned on SmartAccess mode and created a Pre-Authentication policy that checked that a necessary process is running. We also created a Pre-Authentication profile that is used when the policy evaluates as true. The profile simply gives Allow permission to be authenticated. We then bound the policy to the RemoteAccess NetScaler Gateway virtual server. On the external client machine, we installed the Citrix Endpoint Analysis plug-in.
We then tested access without, and then with, our necessary process running.

Exercise 9
Using NetScaler Gateway Filters with XenDesktop

Overview
Now we're going to get more granular with SmartAccess and show how it interacts with XenDesktop. The AnyCo Company has decided that certain people with extra-secure devices should get access to all the resources via XenDesktop, but the others should only get Windows 8 desktops. The extra-secure devices are identified by the fact that they have a special file located in their file systems.

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. Before XenDesktop can benefit from NetScaler Gateway's SmartAccess, the XenDesktop farm must be set to trust requests sent to the XML port. By default, this trust is turned off. To change this, go to the DC1 virtual machine and log in as training\administrator. Then launch Citrix Studio from the Start screen.

2. When Citrix Studio opens, on the left side, click at the very top on Citrix Studio (XD71Site). In the middle pane, click the PowerShell tab. Down at the bottom, click the Launch PowerShell button.

3. In the PowerShell window that opens, type Get-BrokerSite and press Enter.

4. Notice at the bottom that TrustRequestsSentToTheXmlServicePort is set to False. To change this, in the PowerShell window, type: Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true and press Enter.

5. Type Get-BrokerSite again to see that the setting has changed.

6. Go to the Win7Client virtual machine. In the Configuration Utility, navigate to NetScaler Gateway > Policies > Session, then click the Add… button on the right side.

7. Name the policy SmartAccess_Policy. To the right of the Request Profile line, click New…

8. The Create NetScaler Gateway Session Profile dialog opens. Name the profile SmartAccess_Profile. Click the Client Experience tab. To the right of Single Sign-on to Web Applications, check the Override Global box. Then check the Single Sign-on to Web Applications box.

9. Click the Security tab. Check the Override Global box to the right of Default Authorization Action. Change the Action to Allow.

10. Click the Published Applications tab. Override Global on the ICA Proxy line and set it to ON. Override for Web Interface Address and set it to https://connect.training.lab/Citrix/CorporateStoreWeb. Override for Single Sign-on Domain and set it to training.lab. Then click Create.

11. Under the Expression area, click Add…

12. Change the Expression Type to Client Security and change the Component to File. Type the name as c:\\fullaccess.txt (notice the two backslashes). No Qualifier is necessary, and leave the Operator as EXISTS. Click OK.

13. In the Create NetScaler Gateway Session Policy dialog box, we are finally ready to click Create, then Close.

14. Notice that after SmartAccess_Policy has been created, NetScaler added two more backslashes to the file path. This is normal and necessary and has to do with how Unix-based systems handle backslashes.

15. Under NetScaler Gateway, go to Virtual Servers and double-click on RemoteAccess. Click on the Policies tab. Toward the bottom left, click on Insert Policy. Use the pull-down arrow to choose SmartAccess_Policy.

16. Double-click on the SmartAccess_Policy Priority number and change it to 90. This will give it a higher priority. Click OK. Save the running configuration.

17. Return to the DC1 virtual machine. Open Citrix Studio. In the left pane, click on Delivery Groups. In the middle pane, click on the Win 2012 R2 Servers group, then right-click on it and choose Edit Delivery Group.

18. On the left, click on Access Policy. On the right, click Add…

19. Enter RemoteAccess as the Farm name. This must match the name of the NetScaler Gateway virtual server we are using. Enter SmartAccess_Policy as the Filter. This must match the name of the session policy we just created. Click OK, then OK again.

20. Now, let's test it. On your local workstation, create a text file at the root of the C: drive. Name it fullaccess.txt. Make sure that Notepad is running.

21. Open your browser and go to http://xxx-xxx-xxx-xxx.mycitrixtraining.net, where xxx-xxx-xxx-xxx is your lab's external address separated by dashes. Endpoint analysis will run, and then you can log on as User1 with the password Citrix123. After logging on, you should see the Windows 2012r2 Desktop available as well as the Apps.

22. Log off as User1 and close your browser. Delete (or just rename) the c:\fullaccess.txt file. Open your browser and go to http://xxx-xxx-xxx-xxx.mycitrixtraining.net again, and log in as User1 again. This time, you should not see the Win 2012r2 Desktop or the Apps.

Exercise Summary
In this exercise we tested the granular SmartAccess capabilities of the NetScaler Gateway. We set the XenDesktop farm to trust requests sent to the XML port, and we created a session policy along with a session profile. We created an expression for the policy to look for a certain file on the client workstation. If that file exists, the user gets all resources, but if it doesn't, the user only gets partial resources. We set the NetScaler Gateway's virtual server as the Farm name on the XenDesktop Delivery Group and set the session policy as the Filter name.

Revision
Change   Description        Updated By     Date
1.1      Original version   Richard Nash   04/05/2014

About Citrix
Citrix Systems, Inc. designs, develops and markets technology solutions that enable information technology (IT) services. The Enterprise division and the Online Services division constitute its two segments. Its revenues are derived from sales of Enterprise division products, which include its Desktop Solutions, Datacenter and Cloud Solutions, Cloud-based Data Solutions and related technical services, and from its Online Services division's Web collaboration, remote access and support services. It markets and licenses its products directly to enterprise customers, over the Web, and through systems integrators (SIs), in addition to indirectly through value-added resellers (VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July 2012, the Company acquired Bytemobile, provider of data and video optimization solutions for mobile network operators. http://www.citrix.com
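As a closing reference for Exercises 8 and 9, the SmartAccess configuration those two exercises build in the Configuration Utility, written as NetScaler CLI commands: the SmartAccess mode switch, the pre-authentication endpoint check, and the session policy whose name XenDesktop uses as its filter. This is an added example, not the guide's own material; the object names are the ones the exercises use, the expressions are NetScaler 10.x classic syntax, and both should be checked against your release with the show commands at the end.

```text
# Added example: CLI equivalent of the SmartAccess configuration of Exercises 8 and 9.
# All names are the ones created in the exercises on the RemoteAccess vserver.

# Exercise 8, step 2: SmartAccess mode. Basic mode is -icaOnly ON; SmartAccess
# (needed for EPA scans and for passing policy names to XenDesktop) is -icaOnly OFF.
set vpn vserver RemoteAccess -icaOnly OFF

# Exercise 8, steps 3-10: pre-authentication check, run by the Endpoint Analysis
# plug-in before the logon page is shown. The policy holds the check, the action
# says what happens when it matches; a client that fails the scan never reaches
# the LDAP logon at all (the Access Denied message in step 15).
add aaa preauthenticationaction PreAuthProfile_EPAallow ALLOW
add aaa preauthenticationpolicy PreAuthPol_EPAnotepad "CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS" PreAuthProfile_EPAallow
bind vpn vserver RemoteAccess -policy PreAuthPol_EPAnotepad -priority 100

# Exercise 9, steps 6-13: session profile and policy. The policy NAME is what the
# Gateway sends to the XML service, so it must equal the Filter entered in Studio
# (step 19) exactly, and the vserver name must equal the Farm name.
add vpn sessionAction SmartAccess_Profile -SSO ON -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://connect.training.lab/Citrix/CorporateStoreWeb" -ntDomain training.lab
# The stored expression carries four backslashes, as step 14 observes in the GUI.
add vpn sessionPolicy SmartAccess_Policy "CLIENT.FILE(c:\\\\fullaccess.txt) EXISTS" SmartAccess_Profile

# Steps 15-16: priority 90 is evaluated before the wizard's policies at 100
bind vpn vserver RemoteAccess -policy SmartAccess_Policy -priority 90
save ns config

# Verify what was stored: the expression text, and both policy bindings
show vpn sessionPolicy SmartAccess_Policy
show vpn vserver RemoteAccess

# XenDesktop side (Exercise 9, steps 3-5, PowerShell on DC1, not NetScaler CLI):
# the filter is ignored until the site trusts requests on the XML port:
#   Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
```

Once the session policy is bound, a client without c:\fullaccess.txt still authenticates but sees only the Delivery Groups with no access policy tied to SmartAccess_Policy, which is the behaviour checked in step 22.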