Citrix Synergy Labs
SYN 609: Front-ending and Load Balancing
XenDesktop and XenApp with NetScaler
Hands-on Lab Exercise Guide
Richard Nash
April 2014
Contents
Overview (p. 2)
Scenario (p. 4)
Exercise 1: Initial Configuration and Licensing (p. 5)
Exercise 2: Deploying the NetScalers as a High Availability Pair (p. 10)
Exercise 3: Load Balancing StoreFront Servers (p. 16)
Exercise 4: Load Balancing XenDesktop Delivery Controllers (p. 35)
Exercise 5: Configuring NetScaler Gateway for Secure Access (p. 42)
Exercise 6: Configuring StoreFront for use with NetScaler Gateway (p. 52)
Exercise 7: Testing Access to XenDesktop (p. 58)
Exercise 8: Smart Access with NetScaler Gateway (p. 62)
Exercise 9: Using NetScaler Gateway Filters with XenDesktop (p. 69)
Overview
Hands-on Training Module
Objective
This training will provide hands-on experience with using NetScaler VPX virtual appliances to load
balance, monitor, and secure a XenDesktop deployment.
Prerequisites
This training focuses on using NetScaler to front-end a working XenDesktop deployment. It is
assumed that the student already knows how to deploy XenDesktop.
Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Architects, and Technical Support
Lab Environment Details
The system diagram of the lab is shown below:
The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop.
Lab Guide Conventions
• [Attention symbol] Indicates that particular attention must be paid to this step.
• Bold text (for example, Start) indicates a reference to a button, object, or text to enter.
• A highlight box (R:255 G:20 B:147) focuses attention on a particular part of the screen.
List of Virtual Machines Used

VM Name               IP Address       Description / OS
Student Desktop       192.168.10.10    Windows 7 Professional
AD.training.lab       192.168.10.11    Windows Server 2012 R2, Active Directory Controller
DC1                   192.168.10.20    Windows Server 2012 R2, XD 7.1 Delivery Controller
DC2                   192.168.10.21    Windows Server 2012 R2, XD 7.1 Delivery Controller
NS1                   192.168.10.200   NetScaler VPX 450000
NS2                   192.168.10.205   NetScaler VPX 450000
SF1                   192.168.10.24    Windows Server 2012 R2, StoreFront 2.1 Server
SF2                   192.168.10.25    Windows Server 2012 R2, StoreFront 2.1 Server
SQL1                  192.168.10.26    Windows Server 2012 R2, SQL 2012 Express
Win7Client            DHCP             Windows 7 Professional
Win8Desktop1 thru 3   DHCP             Windows 8.1, Virtual Desktops
WIN2012R21 thru 3     DHCP             Windows Server 2012 R2, Shared Desktops and Applications
Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises.

VM Name            Password    Description
All Windows VMs    Citrix123   Password for the Domain Administrator
All Windows VMs    Citrix456   Password for the Local Administrator
NS1 and NS2        nsroot      nsroot is both the username and the password
How to Log into the Lab Environment
Launch your web browser and go to http://spoprod.citrixvirtualclassroom.com/. Enter your information, and then follow the directions to access the lab environment for session 609.
Scenario
The AnyCo company has deployed a working XenDesktop VDI solution that provides Windows 8.1
virtual desktops to users, as well as shared desktops and applications from Windows 2012 R2
servers. You have been hired to add NetScaler application delivery controllers in a high availability
pair to provide load balancing of the critical components, and also to provide necessary security
using the NetScaler Gateway feature. Your task is to use the guidelines outlined below to
implement a solution that meets the business needs.
Guidelines:
• Two NetScaler VPX virtual appliances need to be deployed in a high availability pair, and all traffic into the XenDesktop deployment will be routed through them.
• AnyCo’s XenDesktop deployment has two Delivery Controllers and two StoreFront servers. These need to be load balanced and monitored for high availability using the NetScaler’s load balancing and monitoring capabilities.
• AnyCo wants the IT staff alerted via SNMP if a Delivery Controller or StoreFront server fails.
• AnyCo’s internal deployment needs to be protected from unauthorized access and attack using NetScaler Gateway.
• AnyCo wants the XenDesktop-delivered resources to be granularly allowed or denied based on various criteria.
• Users who accidentally fail to specify SSL-encrypted HTTPS will be automatically redirected to the more secure protocol.
Exercise 1
Initial Configuration and Licensing
Overview
To save time in the lab environment, two NetScaler VPX virtual machines have already been
imported into the XenServer hypervisor. For more information on how to import NetScaler VPX
virtual appliances into your chosen hypervisor, see
http://support.citrix.com/proddocs/topic/netscaler-10-1/ns-gen-nsvpx-wrapper-con-10.html.
The NetScalers now need to be configured for initial use and licensed. The initial configuration is
necessary to establish the management IP address (the NSIP) of each NetScaler.
To save time, the appropriate licenses for the NetScalers have been copied to a backup directory
on each NetScaler. The license file will need to be placed into the correct directory on the NetScaler
and then the NetScaler will need to be rebooted.
This exercise will introduce you to the Command Line Interface (CLI) of the NetScaler and the BSD
shell. It will also introduce you to using the PuTTY utility to get to the CLI of the NetScaler from a
remote machine.
Step by step guidance
The lab environment virtual machines required for this exercise are:
• NetScaler VPX appliance NS1
• NetScaler VPX appliance NS2
• Win7Client
Estimated time to complete this lab: 20 minutes.

1. Start the virtual machines NS1, NS2, and Win7Client if they are not already running. The AD.training.lab virtual machine should already be running. If not, start it.
2.
Go to the console of NS1. Since there is no ns.conf file, the appliance prompts you to set
its NSIP.
Enter the following when prompted:
IPv4 address: 192.168.10.200
Netmask: 255.255.255.0
Gateway IPv4 address: 192.168.10.1
Select choice 4, “Save and quit” by pressing Enter. The NetScaler will restart.
3.
Go to the console of NS2. Again, since there is no ns.conf file, the appliance prompts
you to set its NSIP. Enter the following when prompted:
IPv4 address: 192.168.10.205
Netmask: 255.255.255.0
Gateway IPv4 address: 192.168.10.1
Select choice 4, “Save and quit” by pressing Enter. The NetScaler will restart.
4. After giving the NetScalers time to restart, go to the Win7Client virtual machine and log in as Administrator in the Training domain using the password Citrix123.
5. On the desktop, double-click putty.exe. Enter 192.168.10.200 for the Host Name and click Open. The PuTTY Security Alert appears because the appliance’s SSH host key is not yet cached on this client; click Yes to accept it. (In a production environment, verify the displayed key fingerprint out of band before accepting it, since blindly trusting an unknown host key is what makes an SSH man-in-the-middle possible.) Log in as nsroot and use nsroot as the Password. You are now logged into the Command Line Interface (CLI) of the NS1 NetScaler.
6.
Type show license to reveal that the NetScaler is not yet licensed. No features will work
at this time.
7.
Type shell and press Enter to get into the NetScaler’s BSD shell. This gives you access
to the NetScaler’s file system. The prompt will change and show a pound sign at the
end.
8.
We will now copy a license file to the proper location for the NetScaler. Type the
following case sensitive command, then press Enter:
cp /var/license_backup/NetScaler_VPX1_PLT.lic /nsconfig/license
Note: There is a space after cp and a space after .lic. There are no other spaces.
Remember to use tab completion to make the typing easier. If you get no error
messages, the copy was successful.
9.
Type exit to exit the BSD shell back to the NetScaler prompt. The prompt changes back
to a simple greater than (>) sign. Let’s change the prompt to give us more information.
Type set prompt NS1 and press Enter.
10. When licenses are added to a NetScaler, it must be restarted. Type reboot and Enter,
followed by y and Enter, to reboot the NetScaler.
11. On the Win7Client desktop, double-click putty.exe again. Enter 192.168.10.205 for the Host Name and click Open. In the PuTTY Security Alert dialog box, click Yes. Log in as nsroot and use nsroot as the Password. You are now logged into the Command Line Interface (CLI) of the NS2 NetScaler.
12. Type show license to reveal that the second NetScaler is not yet licensed. No features
will work at this time.
13. Type shell and press Enter to get into the NetScaler’s BSD shell. The prompt will
change and show a pound sign at the end.
14. Type the following case sensitive command, then press Enter:
cp /var/license_backup/NetScaler_VPX2_PLT.lic /nsconfig/license
Note: There is a space after cp and a space after .lic. There are no other spaces. If you
get no error messages, the copy was successful.
15. Type exit to exit the BSD shell back to the NetScaler prompt. Type set prompt NS2 and
press Enter. Then, type reboot and Enter, followed by y and Enter, to reboot the
second NetScaler.
16. From the Win7Client desktop, using PuTTY, log in to each NetScaler’s CLI and type show license, then press Enter. Each appliance should now report its features as licensed; the features enabled in Exercise 2 (Load Balancing, SSL Offloading, NetScaler Gateway, and Authentication, Authorization and Auditing) depend on this.
Exercise Summary
In this exercise, you learned how to do the initial configuration of a NetScaler VPX appliance,
setting the NSIP, and how to license the appliance. You also learned how to connect to the CLI of
the NetScaler from a remote machine using PuTTY, and how to set the NetScaler prompt.
Exercise 2
Deploying the NetScalers as a High Availability Pair
Overview
In this exercise, you will configure the two NetScaler appliances as a High Availability (HA) pair.
You will also be introduced to the NetScaler Configuration Utility (the Graphical User Interface or
GUI).
Step by step guidance
Estimated time to complete this lab: 30 minutes.
1. On the Win7Client virtual machine, launch Internet Explorer. Type http://192.168.10.200 for the URL address. This will open the login page of the Configuration Utility. Click the Show Options link on the login page to see the options available.
2.
One useful option is to extend the time allowed before the Configuration Utility times out.
Another may be to increase the Java Memory the application is allowed to use.
Enter nsroot for the User Name and nsroot for the Password and click Login.
3.
The Welcome configuration wizard starts automatically. The previously set NSIP and
Netmask are already entered. Enter 192.168.10.220 for the Subnet IP address and
255.255.255.0 for the Subnet Netmask. Enter NS1 for the Hostname, and 192.168.10.11
for the DNS address. Click Continue.
Ordinarily you would check Change Administrator Password here: nsroot/nsroot is the factory default on every NetScaler, so until it is changed the appliance can be administered by anyone who can reach the NSIP. For the purposes of the lab environment, however, leave the password as the default, nsroot.
4. This wizard could have been used to license the NetScaler. Since our NetScalers are already licensed, click Continue in the next screen of the wizard and then click Done on the last screen.
5.
The Configuration Utility now shows its main screen:
Click the Disk icon in the top right corner and confirm that you want to save the
changes you have made to the NetScaler’s configuration.
6.
Open another tab or another instance of Internet Explorer and connect to
http://192.168.10.205. Repeat steps 1 – 4 above, except make the Hostname NS2. Be
sure to save the running configuration.
7.
In the instance of Internet Explorer that is connected to NS1 (192.168.10.200), expand
the System node on the left. Then, select High Availability. On the right, under the
Nodes tab, click Add…
8.
If you get the following Security Information dialog, make sure that “Always trust
content from this publisher” is checked, and click Run.
Click Allow, Run, or OK on any other security warnings you may get.
9.
Enter NS2’s NSIP and click OK.
10. Click OK on the Information message. It concerns RPC communication between the two nodes, which the HA pair uses for configuration synchronization and command propagation and which is authenticated with the RPC node password. We won’t change the RPC configuration in this lab, but the RPC node password has the same default on every NetScaler, so in production set a unique one on both nodes and enable the secure (encrypted) RPC channel. For more information on RPC communication on the NetScaler, see http://support.citrix.com/proddocs/topic/netscaler/netscaler-gslb-gen-wrapper-92con.html.
11. To confirm that HA is established between the two NetScalers, use PuTTY to connect to 192.168.10.205. At the NetScaler prompt, type show ha node (this can be abbreviated all the way down to sh node). Note the Master State of each node (Primary or Secondary), the Node State, and the synchronization state reported for the pair.
12. At the command line, type force failover and confirm with a y. Then, type show ha
node again. Notice that NS2 is now the Primary of the pair.
13. Type force failover and confirm again. Use show node to confirm that 192.168.10.200
is now the primary. For the rest of the lab, we will want NS1 to be the Primary of the HA
pair.
Important! All configuration must be done on the Primary node of the HA pair. The primary’s configuration is synchronized to the secondary; changes made on the secondary are not propagated back and will be overwritten.
14. On the Win7Client virtual machine, using Internet Explorer, connect to 192.168.10.200. Using the Configuration Utility, log in as nsroot. Expand the System node on the left, then select Settings. On the right, click Configure basic features.
15. Select SSL Offloading, Load Balancing, NetScaler Gateway, and Authentication
Authorization and Auditing. Then click OK.
16. Click the disk icon in the upper right corner of the GUI and save the running
configuration.
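The HA pair, SNIP and feature configuration from steps 3 through 16, entered at the NetScaler CLI instead of the Configuration Utility. This is an added example and not part of the original lab guide. It uses the lab’s addresses and names (NS1 192.168.10.200, NS2 192.168.10.205, SNIP 192.168.10.220, DNS 192.168.10.11, hostname NS1) and adds the two hardening steps the lab deliberately skips, changing the nsroot password and the RPC node password; the quoted password values are placeholders to be replaced, not values from the lab.

```nscli
# Run on NS1 (192.168.10.200) as nsroot. Run it on the node that is to remain Primary:
# HA synchronization copies the primary's configuration over the secondary's.

# Steps 3-5: the Welcome wizard's settings (SNIP, hostname, DNS), then save.
add ns ip 192.168.10.220 255.255.255.0 -type SNIP
set ns hostName NS1
add dns nameServer 192.168.10.11
save ns config

# Step 3 note: the lab keeps nsroot/nsroot. In production change it before the NSIP is
# reachable from anything but the management network. Placeholder value.
set system user nsroot "<new-nsroot-password>"

# Steps 7-9: add NS2 as HA node 1 (node 0 is always the local appliance).
add ha node 1 192.168.10.205

# Step 10 note: HA sync and propagation are authenticated with the RPC node password,
# which has the same default on every NetScaler. Set one unique value for both node
# entries, repeat the same two commands on NS2, and require the encrypted channel.
# Placeholder value.
set ns rpcNode 192.168.10.200 -password "<rpc-node-password>" -secure YES
set ns rpcNode 192.168.10.205 -password "<rpc-node-password>" -secure YES

# Steps 11-13: inspect the pair and exercise a failover in both directions.
show ha node
force ha failover        # answer y; NS2 becomes Primary
show ha node
force ha failover        # answer y; NS1 is Primary again for the rest of the lab

# Steps 14-15: enable the basic features. CLI names differ from the GUI labels:
# LB = Load Balancing, SSL = SSL Offloading, SSLVPN = NetScaler Gateway,
# AAA = Authentication, Authorization and Auditing.
enable ns feature LB SSL SSLVPN AAA

# Step 16: write the running configuration to /nsconfig/ns.conf.
save ns config
```

The two set ns rpcNode lines are the production equivalent of clicking OK on the Information message in step 10: they replace the default shared secret on both node entries and refuse the clear-text RPC channel.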
Exercise Summary
In this exercise we configured NS1 and NS2 to be an HA pair. We used the NetScaler Configuration
Utility (the GUI) to make the configuration. We also learned how to check on the HA status of the
pair with the CLI and how to force a failover to ensure that HA is working. Finally, we turned on a
selection of basic features we will be using in this lab.
Exercise 3
Load Balancing StoreFront Servers
Overview
AnyCo currently has a working XenDesktop deployment. However there is no load balancing being
done across the two StoreFront servers. If the StoreFront server they use primarily went down, they
would have to manually point users to the second server. This is not acceptable because there
would be an interruption in service. They want the NetScaler to load balance and monitor the two
StoreFront servers so that there will be no interruption of service if one StoreFront server goes
down.
Currently, the StoreFront servers only accept HTTPS traffic from clients, although the traffic from
StoreFront to the Delivery Controllers is clear text. AnyCo wants the NetScalers to accept only
HTTPS traffic from clients and to use HTTPS to the StoreFront servers. They also want the
NetScalers to redirect any request using HTTP to HTTPS.
Step by step guidance
Estimated time to complete this lab: 55 minutes.
1. Using the Win7Client virtual machine, open Internet Explorer and point it to 192.168.10.200 (NS1). Log on as nsroot.
2.
When the AnyCo StoreFront servers were deployed, a wildcard SSL certificate was
requested from a Certificate Authority for any server named *.training.lab. This certificate
was exported in a PKCS#12 format. We would like to import this certificate to be used on
the NetScaler. Expand Traffic Management on the left side of the Configuration Utility,
then click on SSL. On the right side, click Import PKCS#12.
3.
Enter wccert.pem for the Output File Name. On the PKCS12 File line, use the pull-down
arrow to select Local, then choose Browse. This will allow you to browse the file system
on the Win7Client machine. Browse to C:\ and choose WildcardCert.pfx and click
Open.
When the certificate was exported originally, a password was placed upon it of
Citrix123. Enter that into the Import Password field and click OK.
4. On the left side, expand SSL and click on Certificates. On the right side, click Install…
5.
For the Certificate-Key Pair Name, enter WildcardCert. For the Certificate File Name,
click the down-arrow and choose Appliance, then click Browse. Select wccert.pem
and click Open. Do the same for the Key File Name. The Certificate Format will be PEM
and the Password is Citrix123. Notify When Expires should be checked and set the
Notification Period for 30 days. Click Create.
The WildcardCert certificate is now ready to use on the NetScaler. Because it is issued to *.training.lab, it matches any single-label host name directly under training.lab, such as connect.training.lab or sf1.training.lab, but not names with an additional label such as a.b.training.lab.
6.
Don’t click Close yet. While we are here, let’s install another certificate that we will be
using in a later lab. When we configure the NetScaler Gateway for external access, we
will need a wildcard certificate for any address that ends with mycitrixtraining.net. The
files for this are already on the NetScaler, but they need to be installed.
Change the Certificate-Key Pair Name to MCTWildcardCert. For the Certificate File
Name, browse on the appliance to MCTWildcard.cer. For the Key File Name, browse
the appliance for MyCitrixTraining.key. No password is needed. Click Create.
7.
Don’t click Close yet. This certificate was issued by an intermediate CA, so clients need the intermediate certificate to build a chain to a trusted root. We need to install the intermediate cert and then link it to the server certificate so that the NetScaler sends both in the TLS handshake.
Change the Certificate-Key Pair Name to MCTIntermediateCert. For the Certificate File
Name, browse on the appliance to MCTIntermediate.cer. No Key File Name or
Password is necessary. Click Create.
Now click Close.
8. Right-click on the MCTWildcardCert and choose Link… MCTIntermediateCert should already be selected. Click OK. Now the MCTWildcardCert is ready for us to use later.
be already selected. Click OK. Now the MCTWildcardCert is ready for us to use later.
9. Load balancing requires a number of things:
• Servers that actually do some kind of work to balance
• Services that tell us what the work is and what port and protocol is used
• A virtual server using a virtual IP address to receive incoming client requests
• A monitoring mechanism so the load balancer knows when a service is down
• A persistence method, if necessary
One way to keep all this straight is to use the NetScaler Load Balancing Wizard. On
the left side, under Traffic Management, click on Load Balancing. On the right, choose
Load Balancing wizard.
10. If you encounter a message like the following at any time while using the Configuration
Utility, click Yes.
11. Click Next on the Introduction dialog box. Type SFService1 for the new service’s Name.
Then, click New… on the right side to create a new Server instance.
12. Name this first server sf1. Click the Domain Name button and enter sf1.training.lab for
the Domain Name. Click Create.
13. Choose SSL for the Protocol and the Port will change to 443 for you.
Click Add to place this service in the list.
14. The dialog box stays open so that we can create another service. Change the name to
SFService2 and click the New… button again.
15. Name the new server instance sf2. Click the Domain Name button and enter
sf2.training.lab into the Domain Name field. Click Create.
16. Click the Add button to enter the new service into the list. These are all the services
we’re going to load balance, so click Next.
17. Type SF_vServer for the virtual server name. Enter 192.168.10.225 for the IP address.
This will automatically be a VIP on the NetScaler. Choose SSL for the Protocol and the
Port will automatically change to 443. The LB Method can remain the default, Least
Connection. Select both the Available Services and then click Add> to move them into
the Configured Services list. Click the pull-down arrow beside Certificate and choose
the WildcardCert certificate we created earlier. Click Next.
18. Click Finish, then Exit to end the wizard.
19. In the Configuration Utility, under Traffic Management, then under Load Balancing,
click on Servers to see the list of StoreFront servers that we created.
20. Click on Services to see the StoreFront services we created.
21. Click on Virtual Servers to see the virtual server we created.
22. Click on the SF_vServer virtual server, then click on Open… You can also just double-click on it. This will expose the virtual server’s properties.
23. Click the Method and Persistence tab. Change the Persistence type to CookieInsert and the Time-out to 0 (a time-out of 0 gives the persistence cookie no expiry, so it lasts for the browser session). Change the Backup Persistence to SourceIP and the Time-out to 30. Set the IPv4 Netmask to 255.255.255.255, so that each client IP address is tracked individually rather than by subnet. Click OK.
24. When monitoring services, NetScaler uses TCP as a default. This is not the most
intelligent choice for StoreFront services. NetScaler 10.1 now has a monitor type
specifically for StoreFront. Let’s use it. In the Configuration Utility, under Traffic
Management, choose Load Balancing, then choose Monitors. StoreFront is not in the
list of already configured monitor types, so click Add...
25. Type StoreFront for the Name and pull down the list to the right of Type. Select
STOREFRONT at the bottom of the list. On the Standard Parameters tab, check the
Secure box since StoreFront expects outside traffic to be https.
26. Click the Special Parameters tab and enter CorporateStore for the Store Name.
(CorporateStore is the StoreFront store name created when the StoreFront servers were
configured.) Click Create, then click Close.
27. In the Configuration Utility, under Traffic Management, then under Load Balancing, select Services. On the right side, you will see the two services we configured. Double-click on SFService1 to open its properties. Click the Monitors tab and scroll down to find the new monitor we just created, StoreFront. Click the Add> button to move StoreFront into the Configured list. Click OK.
28. Using the same steps as above, apply the StoreFront monitor to SFService2.
29. In the top right corner of the Configuration Utility, click the disk icon and confirm to
save the running configuration.
30. Go to the AD.training.lab virtual machine. Logon as Administrator with the password
of Citrix123. From Administrative Tools, double-click on DNS to open the DNS
Manager. In the left pane, click on the training.lab zone.
31. In the right pane, double-click on the connect host to open its properties. Change the
address from 192.168.10.24 which was the SF1 server, to 192.168.10.225 which is the
NetScaler VIP for load balancing both StoreFront servers. Click OK.
32. On the Win7Client machine, open a browser and connect to
https://connect.training.lab. Log in as training\administrator with a password of
Citrix123. StoreFront should present the XenDesktop resources. Log off StoreFront.
33. AnyCo wants any user who points their browser to StoreFront to use HTTPS even if the
user doesn’t think to type https:// into their browser. We will use the NetScaler to make
this redirect for us. In the NetScaler Configuration Utility, under Traffic Management,
then under Load Balancing, choose Virtual Servers. On the right side, choose Add…
to create a new virtual server.
34. Enter SF_vServer-Redirect for the name. Set the protocol to HTTP. Enter
192.168.10.225 as the IP Address, then click the Advanced tab. Enter
https://connect.training.lab for the Redirect URL. Click Create, then Close.
35. The new SF_vServer-Redirect virtual server shows as Down because we did not bind any services to it. When a user makes a request to a virtual server that is not Up, the NetScaler answers with a redirect to the configured Redirect URL. Right-click on it and choose Disable. This shows that it is purposely out of service; the redirect keeps working because it applies to any state other than Up.
36. Point the browser to http://connect.training.lab to verify that it gets redirected to
https://connect.training.lab.
37. One advantage of using NetScaler for load balancing is its ability to report when a
service goes down. AnyCo wants to use SNMP for this. On Win7Client, in the
Configuration Utility, on the left, expand System, then expand SNMP, and click on
Community. Click Add…
38. Enter public for the Community String and click Create, then Close. (public is the well-known default community string and the first one any SNMP scanner tries; in a production environment use a unique string or SNMPv3 users, and restrict which management stations may query the NetScaler.)
39. Under SNMP, choose Traps. Click Add…
Enter 192.168.10.101 for the Destination IP Address. (We don’t have an SNMP console
in the lab, so it doesn’t really matter what address is used here. In a production
environment, you would want an SNMP management console installed, such as Citrix
Command Center.)
Use the pull-down arrow to choose 192.168.10.220 as the Source IP Address. This is
the NetScaler’s SNIP.
Click Create, but don’t click Close yet.
40. Click the Specific button and fill in 192.168.10.101 for the Destination IP Address. Choose 192.168.10.220 for the Source IP Address. Choose Critical for Minimum Severity. Click Create, then click Close.
41. From the Win7Client desktop, start PuTTY and type in 192.168.10.200 as the Host Name and click Open. Log in as nsroot with nsroot as the password. At the prompt, type shell and press Enter. Then type tail -f /var/log/ns.log (there is a space after tail and a space after -f) and press Enter.
This follows the end of the NetScaler’s syslog in real time: configuration changes, monitor and service state changes, and SNMP trap events are written here as they happen.
42. From XenCenter, in the far left pane, right-click on the SF2 server and choose Shut
Down and confirm the action.
43. Switch to the Win7Client machine and watch the PuTTY window showing the syslog. Notice the EVENT MONITORDOWN and EVENT DEVICEDOWN messages as the StoreFront monitor fails and SFService2 is marked down. You can also see that the NetScaler sent an SNMP trap with the entityDown message.
44. Right-click on SF2 and choose Start. Switch back to Win7Client and watch for the alerts and SNMP trap as the service comes back up. When you are done, in the PuTTY window, press Ctrl-C to return to the BSD shell. Type exit and press Enter to return to the NetScaler prompt. Type save config and press Enter to save the running configuration. When you see Done, close the PuTTY window.
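The whole of this exercise as it would be typed at the NetScaler CLI on the Primary node. This is an added example, not part of the original lab guide; the object names, addresses, store name and SNMP values are the lab’s. It assumes that WildcardCert.pfx has already been copied to /nsconfig/ssl on the appliance (the GUI uploaded it from the Win7Client), that GET is the permission wanted for the community (the lab does not state one), and that the DNS change in step 31 is made on the domain controller, where it belongs, not here.

```nscli
# Steps 2-8: convert the PKCS#12 bundle, install the cert-key pairs, link the chain.
# -password prompts interactively (Citrix123 in the lab). Omit it on the add ssl certKey
# line if the converted key was written unencrypted.
convert ssl pkcs12 wccert.pem -import -pkcs12File WildcardCert.pfx -password
add ssl certKey WildcardCert -cert wccert.pem -key wccert.pem -password -expiryMonitor ENABLED -notificationPeriod 30
add ssl certKey MCTWildcardCert -cert MCTWildcard.cer -key MyCitrixTraining.key
add ssl certKey MCTIntermediateCert -cert MCTIntermediate.cer
link ssl certKey MCTWildcardCert MCTIntermediateCert    # handshake now carries leaf + intermediate

# Steps 11-18: what the Load Balancing wizard creates. Domain-based servers are
# resolved through the DNS name server configured in Exercise 2.
add server sf1 sf1.training.lab
add server sf2 sf2.training.lab
add service SFService1 sf1 SSL 443
add service SFService2 sf2 SSL 443
add lb vserver SF_vServer SSL 192.168.10.225 443 -lbMethod LEASTCONNECTION
bind lb vserver SF_vServer SFService1
bind lb vserver SF_vServer SFService2
bind ssl vserver SF_vServer -certkeyName WildcardCert

# Step 23: cookie persistence with no expiry (browser-session cookie), falling back to
# per-client source IP (a /32 mask) for 30 minutes if a client drops the cookie.
set lb vserver SF_vServer -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30 -persistMask 255.255.255.255

# Steps 24-28: a STOREFRONT monitor that probes the named store over HTTPS, bound to
# both services in place of the default TCP monitor.
add lb monitor StoreFront STOREFRONT -storename CorporateStore -secure YES
bind service SFService1 -monitorName StoreFront
bind service SFService2 -monitorName StoreFront

# Steps 33-35: an HTTP listener on the same VIP with no services bound. It is never UP,
# so every request receives a redirect to the HTTPS URL; disabling it records the intent.
add lb vserver SF_vServer-Redirect HTTP 192.168.10.225 80 -redirectURL https://connect.training.lab
disable lb vserver SF_vServer-Redirect

# Steps 37-40: SNMP community and trap destinations. "public" is the lab value; the
# community string is a shared secret, so use a unique string or SNMPv3 in production.
add snmp community public GET
add snmp trap generic 192.168.10.101 -srcIP 192.168.10.220
add snmp trap specific 192.168.10.101 -srcIP 192.168.10.220 -severity Critical
save ns config

# Steps 41-44: follow the syslog while SF2 is shut down and restarted.
shell
tail -f /var/log/ns.log    # watch for EVENT MONITORDOWN / DEVICEDOWN and the entityDown trap; Ctrl-C to stop
exit
```

Putting the redirect and the SSL virtual server on the same VIP but different ports is what lets http://connect.training.lab and https://connect.training.lab resolve to one DNS record; the HTTP listener exists only to hand out the redirect.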
Exercise Summary
In this exercise, we learned how to import and install an SSL certificate to use for the NetScaler. We
then created server objects that pointed to the two StoreFront servers, services that specified the
protocol and port the services on the servers used, and a virtual server object for client access to
the services, and assigned the certificate to the virtual server. We used the Load Balancing wizard
to create these.
We also saw how to set persistence and backup persistence and how to replace the default TCP
monitor with a custom StoreFront monitor.
We configured a virtual server on the NetScaler that will automatically redirect users from http to
https when they type in the URL to access StoreFront. Finally, we configured SNMP to send traps
when a load balanced service goes down.
Exercise 4
Load Balancing XenDesktop Delivery Controllers
Overview
Currently, the XenDesktop deployment has StoreFront sending all requests to DC1. This works,
because DC2 is listed as a failover server, but it would be more efficient for the NetScaler to
balance the load between DC1 and DC2. In this exercise, we will see how to load balance the
delivery controllers and how to monitor them.
Step by step guidance
Estimated time to complete this lab: 30 minutes.
1. If the Configuration Utility isn’t already pointed to NS1, open Internet Explorer on Win7Client and enter 192.168.10.200 for the URL. Log in as nsroot. In the left pane of the Configuration Utility, under Traffic Management, click on Load Balancing. On the right side, choose Load Balancing wizard for Citrix XenDesktop.
2.
Click Next on the Introduction. We are using StoreFront not Web Interface, so click Skip
at the Load Balance WI servers page.
3. In the Load Balance DDC servers page, enter 192.168.10.230 for the virtual IP address of the new virtual server we are making. Change the port to 80 and the protocol to HTTP. Under DDC Servers, enter the first DC address, 192.168.10.20, and the port of 80 and click Add. Do the same for the second DC, which has the address 192.168.10.21. Click Next, then Finish on the next screen, then Exit. Note that this keeps the StoreFront-to-controller XML traffic in clear text over port 80, as it is in the existing deployment; in production this path should stay on a trusted network segment, or the controllers should be configured for HTTPS and the services created as SSL instead.
4.
Under Load Balancing, click on Virtual Servers to see the new virtual server you
created, named XD-DDC_192.168.10.230_80_lbvip. Right-click on it and choose
Rename and name it XD71_vServer.
5.
Double-click on the XD71_vServer to see its properties. Click on the Service Groups
tab to see that the wizard made a service group instead of two separate services. Click
on the Method and Persistence tab. The default load balancing method of Least
Connection is fine, and no persistence is necessary for load balancing DCs. Click Close.
6.
Under Load Balancing, click on Service Groups to see the new service group
consisting of the two DCs you specified. Right-click on it and choose Rename, and
rename it to XD71_ServiceGroup.
7.
Double-click on the service group to open its properties. Click on the Monitors tab to
see that a custom monitor has been configured for you. Click Close.
8.
Under Load Balancing, choose Monitors. Scroll down the list until you see the
XD_DDC_192.168.10.230_80_mn monitor. Notice that it’s of the CITRIX-XD-DDC type.
Double-click it to see its properties. Click Close.
9.
Under Load Balancing, choose Servers. Notice the two new servers, which are the
XenDesktop delivery controllers, listed by their IP addresses. Right-click on
192.168.10.20 and rename it to dc1. Change 192.168.10.21 to dc2.
10. Click on the disk icon in the top right corner of the Configuration Utility to save the
NetScaler running configuration.
11. Go to the SF1 virtual machine and log in as training\administrator with the password of
Citrix123. From the Start screen, launch Citrix StoreFront. On the left side, click on
Stores. In the center pane, make sure that Corporate Store is selected. On the right
side, choose Manage Delivery Controllers.
12. Click on Controller and choose Edit…
13. Remove the two delivery controllers in the list, dc1.training.lab and dc2.training.lab.
14. Click Add… and put in the address of the XD71_vServer, 192.168.10.230.
Click OK, OK, and click OK again to close the dialog boxes.
15. In the left pane, choose Server Group. In the right pane, click Propagate Changes, and
confirm by clicking OK. Click OK at the success message. Now, all the StoreFront to
delivery controller traffic will be load balanced and monitored by the NetScaler. SNMP
traps will be sent in case of delivery controller failure.
16. Let’s test to make sure that we’ve done everything right. From the Win7Client virtual
machine, open a browser and go to http://connect.training.lab. Log in as
training\user1. All the XenDesktop resources should be available. Log off.
Exercise Summary
In this exercise, we used the XenDesktop load balancing wizard to create servers, a service group,
and a load balancing vServer for the two XenDesktop Delivery Controllers. We also saw that the
wizard created a custom monitor of the CITRIX-XD-DDC type. We then reconfigured StoreFront to
use the NetScaler’s vServer to load balance all traffic from StoreFront to the DCs.
Exercise 5
Configuring NetScaler Gateway for Secure Access
Overview
Protecting your XenDesktop deployment from unauthorized access is very important. The
NetScaler Gateway is the state-of-the-art product for secure front-ending of XenDesktop. In this
exercise you will learn how to configure NetScaler Gateway for secure external access.
Step by step guidance
Estimated time to complete this lab: 25 minutes.
Step | Action
1. In the portal information you were given is the external public address for your lab
environment. You will need this information for this lab.
2. On the Win7Client virtual machine, use Internet Explorer and point to
http://192.168.10.200. Log into the Configuration Utility as nsroot. On the left side, click
on NetScaler Gateway. On the right side, click on the Configure NetScaler Gateway
for Enterprise Store wizard.
3. Click on the Get Started button on the Welcome screen.
4. Enter RemoteAccess for the Name. Type 192.168.10.235 in the IP Address field.
Check the box Redirect requests from port 80 to secure port.
For the Gateway FQDN, enter the public address for your lab, but with dashes instead
of dots, followed by .mycitrixtraining.net. For example: if your public address is
75.126.81.3, then the Gateway FQDN would be 75-126-81-3.mycitrixtraining.net.
This is necessary because when you access the lab environment from the outside,
your external address is translated to 192.168.10.235.
Click Continue.
5. Click the button for Choose Certificate. This is where we will use the certificate we
installed in a previous exercise. On the Certificate line, click the down arrow and choose
MCTWildcardCert. Click Continue.
6. We are using Active Directory (LDAP) for authentication, so choose LDAP for Primary
Authentication. Click Configure New. Enter 192.168.10.11 for the IP Address. Enter
cn=Users, dc=training, dc=lab for the Base DN, and cn=Administrator, cn=Users,
dc=training, dc=lab for the Admin Base DN. Type sAMAccountName for the Server
Logon Name Attribute, and enter Citrix123 for both Password fields.
Important! Double-check your typing. Click Continue.
7. Click the button for XenApp / XenDesktop. Change the Deployment Type to
StoreFront. Enter connect.training.lab for the StoreFront FQDN. The Receiver for
Web Path is /Citrix/CorporateStoreWeb. The Single Sign-on Domain is training.lab.
Enter http://dc1.training.lab for the STA URL.
Click Done.
8. Close the NetScaler Gateway monitor window.
9. In the Configuration Utility, under NetScaler Gateway, click on Virtual Servers to see
the virtual server you just created. On the right side, double-click on the RemoteAccess
virtual server. Here you can see, change, or add to the properties that were configured in
the wizard. Click the Published Applications tab. In the Secure Ticket Authority
section, click Add.
10. Enter http://dc2.training.lab and click Create.
This adds a second STA for redundancy.
11. Click the Policies tab. Here you can see the session policies and profiles made for you
by the wizard.
Double-click the first profile entry.
12. This shows the settings that will be applied to the traffic through the Gateway. Click on
the Client Experience tab and review the settings.
13. Click on the Security tab and review the settings. Then click on the Published
Applications tab.
14. Make sure that the URLs for Web Interface Address and Account Services Address both
start with https. Click OK.
15. Double-click the second profile entry.
16. As before, explore the different settings. Under the Published Applications tab, make
sure that the Web Interface Address starts with https://. Click OK.
17. Double-click on the first policy.
18. This shows the expressions that govern what traffic the profile will apply to. The
expressions allow a very wide range of client methods for remote access through
the Gateway. Click Close.
For more information on Gateway expressions see:
http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-xmob-wizard-sessionpolicy-examples-con.html.
19. Click the Authentication tab. Then double-click on the Profile.
20. This shows the LDAP configuration. Click the Retrieve Attributes link.
21. You should receive the success message. If not, check your setting for typos or wrong
information. Click OK to close the Information dialog box.
Click OK to close the Configure Authentication Server dialog box.
22. Remember checking the box saying “Redirect requests from port 80 to secure port”?
Let’s see what the wizard did to make that happen. On the left side of the Configuration
Utility, choose Traffic Management > Load Balancing > Virtual Servers. On the right
side, right-click on 192.168.10.235http_redirect and choose Rename.
23. Change the name to RemoteAccess-Redirect. Click OK.
24. Double-click on the RemoteAccess-Redirect virtual server to see its properties. Click on
the Advanced tab. Notice the Redirect URL that was filled in for you by the wizard. Click
Close.
25. Right-click on the RemoteAccess-Redirect virtual server and choose Disable, and
confirm. This way, everyone will know that this vServer is down on purpose.
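The three things the steps above configure at the edge (the Gateway FQDN derived from the public IP in step 4, the wildcard certificate chosen in step 5, and the port-80 redirect inspected in steps 22 to 25, which Exercise 7 later tests from a browser) can be checked mechanically. The following script is an added example, not part of this lab guide or of any Citrix product: it derives the FQDN the way step 4 describes, checks that a wildcard certificate name covers that FQDN the way browsers and Receiver evaluate it (one DNS label only), and validates a raw HTTP response from port 80 to confirm it redirects to https:// on the same host. The certificate name *.mycitrixtraining.net is an assumption about MCTWildcardCert; the sample responses at the bottom are constructed.

```python
# Added example; not code from the lab guide or from Citrix.
import ipaddress
from urllib.parse import urlsplit

LAB_DOMAIN = "mycitrixtraining.net"


def gateway_fqdn(public_ip: str, domain: str = LAB_DOMAIN) -> str:
    """75.126.81.3 -> 75-126-81-3.mycitrixtraining.net; rejects non-IPv4 input."""
    ip = ipaddress.IPv4Address(public_ip)  # raises ValueError on a bad address
    return f"{str(ip).replace('.', '-')}.{domain}"


def cert_name_matches(cert_name: str, fqdn: str) -> bool:
    """Hostname match as TLS clients apply it (RFC 6125 style): exact match,
    or a leading '*' that covers exactly one non-empty DNS label."""
    cert_name = cert_name.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == fqdn
    suffix = cert_name[1:]  # ".mycitrixtraining.net"
    if not fqdn.endswith(suffix):
        return False
    leftmost = fqdn[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {lowercase header: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw: bytes, fqdn: str) -> str:
    """Return 'ok' when the plain-HTTP answer is a redirect to https://<fqdn>/...,
    otherwise a short reason describing what is wrong with the front door."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307, 308):
        return f"not a redirect (HTTP {status}); port 80 is serving content"
    location = headers.get("location")
    if not location:
        return "redirect without Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return f"redirect stays on {target.scheme or 'relative URL'}, not https"
    if (target.hostname or "").lower() != fqdn.lower():
        return f"redirect leaves the gateway host: {target.hostname}"
    return "ok"


def probe_port80(fqdn: str, timeout: float = 5.0) -> str:
    """Live version of check_redirect for a running gateway (needs network access)."""
    import http.client

    conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": fqdn})
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode()
    raw += b"".join(f"{k}: {v}\r\n".encode() for k, v in resp.getheaders()) + b"\r\n"
    conn.close()
    return check_redirect(raw, fqdn)


if __name__ == "__main__":
    fqdn = gateway_fqdn("75.126.81.3")  # the guide's own example address
    print(fqdn, cert_name_matches("*." + LAB_DOMAIN, fqdn))
    # Constructed sample of what the wizard's http_redirect vServer should return.
    good = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://75-126-81-3.mycitrixtraining.net/\r\n"
            b"Content-Length: 0\r\n\r\n")
    print(check_redirect(good, fqdn))
```

The wildcard check matters because a certificate for *.mycitrixtraining.net covers 75-126-81-3.mycitrixtraining.net but not a two-label name such as a.b.mycitrixtraining.net, which is a common source of browser certificate warnings after a Gateway FQDN change.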
Exercise Summary
In this exercise, you learned how to configure the NetScaler Gateway using the Enterprise Store
wizard. The wizard led you through the process of setting an IP address, choosing a certificate,
configuring LDAP authentication, and setting StoreFront information which included the Secure
Ticket Authority.
After running the wizard, you went back and looked at all the components the wizard created. We
added another STA and we examined the session policies and profiles, along with the
Authentication profile. We also tested the authentication settings for accuracy.
Exercise 6
Configuring StoreFront for use with NetScaler
Gateway
Overview
Now that NetScaler Gateway is configured, we will make changes to StoreFront to be able to
receive the traffic through the Gateway.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
Step | Action
1. On the SF1 virtual machine, log in as Training\Administrator with a password of
Citrix123. From the Start screen, launch Citrix StoreFront.
2. In the StoreFront configuration snap-in, click on Authentication on the left side. On the
right side, click Add/Remove Methods.
3. Check the Pass-through from NetScaler Gateway box and click OK.
4. On the left side, select NetScaler Gateway. On the right side, click Add NetScaler
Gateway.
5. Fill in the Display name as Primary Gateway. Enter the NetScaler Gateway URL as
https://xxx-xxx-xxx-xxx.mycitrixtraining.net where the xxx-xxx-xxx-xxx is your lab’s
public IP with the octets separated by dashes instead of dots. For example, if your lab’s
public IP was 75.126.81.3, then your URL would be
https://75-126-81-3.mycitrixtraining.net.
Enter the Logon type as Domain and the Callback URL is the same as the Gateway
URL. Click Next.
6. Click the Add button to add the following Secure Ticket Authority URLs:
http://dc1.training.lab
http://dc2.training.lab
Click Create. Then, click Finish on the last screen.
7. On the left side, click Stores. On the right side, click Enable Remote Access.
8. Click the button for No VPN tunnel. Check Primary Gateway. Click OK.
9. On the left side, click on Beacons. The middle pane shows the default settings based on
our previous configuration choices. These choices work fine for our lab. On the right
side, click on Manage Beacons.
10. Here we can set different Beacon points if desired. Click Cancel.
11. On the left side, click Server Group. On the right side, click Propagate Changes.
12. Confirm that you wish to propagate the changes, and then click OK at the success
message.
Exercise Summary
In this exercise, you learned how to configure StoreFront to allow traffic from the NetScaler
Gateway. We added Pass-through from NetScaler Gateway to the Authentication methods and then
specified the settings for the NetScaler Gateway. We specified the two STAs, enabled the Store for
remote access, and propagated the changes from SF1 to SF2.
Exercise 7
Testing Access to XenDesktop
Overview
In this exercise we will test access to the XenDesktop Deployment. Internal access has already
been tested, but we will test again to make sure that setting up the NetScaler Gateway has not
caused any unwelcome changes. We will then test external access which comes through the
NetScaler Gateway.
Step by step guidance
Estimated time to complete this lab: 30 minutes.
Step | Action
1. From the Win7Client virtual machine, launch a new instance of Internet Explorer and
enter http://connect.training.lab for the URL. It should redirect to
https://connect.training.lab/Citrix/CorporateStoreWeb. Log on as training\User1 with the
password of Citrix123.
2. Test to see that XenDesktop resources are available to User1.
3. Close any apps, sign off of any desktops, and log off Citrix Receiver.
4. From your local workstation (external to your lab environment), launch a browser.
Navigate to http://xxx-xxx-xxx-xxx.mycitrixtraining.net where the xxx-xxx-xxx-xxx
represents your lab’s external IP address. It should redirect to https://.
Log on as User1 with the password of Citrix123.
5. If you don’t already have the Citrix Receiver installed, you will be prompted to install it.
Check the box I agree with the Citrix license agreement and click Install.
6. Click Run or Allow or Yes at any security warnings or UAC prompts you may see.
7. The Citrix Receiver will take some time to download. Click Install when prompted.
8. When the installation is finished, click Finish.
9. All the XenDesktop resources available to User1 should now be accessible.
10. After testing to make sure that your access is working, log off User1 and close the
browser.
Exercise Summary
In this exercise we tested access, both internal access without using the NetScaler Gateway, and
external access using the Gateway. We also installed the Citrix Receiver.
Exercise 8
Smart Access with NetScaler Gateway
Overview
AnyCo knows that when users access XenDesktop resources internally, they are using IT managed
client devices that have adequate security software installed. However, when AnyCo employees log
in from home or other external locations, they may be using unmanaged devices that don’t have the
required security. AnyCo has asked you to configure the NetScaler Gateway to check that a
necessary process is running on each external client before allowing access.
Note: In this exercise we will use a simple process, notepad.exe, as our required “security”
software. In a real production environment, this can be a commercial anti-virus program, a firewall,
anti-spam software, a required file, a necessary registry entry, or a combination of these.
Step by step guidance
Estimated time to complete this lab: 25 minutes.
Step | Action
1. On the Win7Client virtual machine, use the Configuration Utility and navigate on the
left side to NetScaler Gateway > Virtual Servers. On the right side, double-click
RemoteAccess to open its properties.
2. Click the button SmartAccess Mode, then click OK.
3. On the left side, navigate to NetScaler Gateway > Policies > Pre-Authentication. On
the right side, click Add…
4. Type PreAuthPol_EPAnotepad for the Name. On the Request Profile line, click the
New… button.
5. Type PreAuthProfile_EPAallow for the Name. Make sure the Action is ALLOW. Click
Create.
6. Below the Expression field, click Add…
7. For Expression Type, use the pull-down and choose Client Security. Under
Component, use the pull-down and choose Process. Type notepad.exe in the Name
field. The operator should be EXISTS. Click OK.
8. In the Create Pre-authentication Policy dialog box, click Create. Then, click Close.
9. Return to NetScaler Gateway > Virtual Servers and double-click on RemoteAccess.
Click the Policies tab, then click Pre-authentication. Click Insert Policy.
10. Use the pull-down to choose PreAuthPol_EPAnotepad. Then click OK.
11. On your local workstation (external to your lab environment), make sure that Notepad is
not running. Launch a browser. Navigate to http://xxx-xxx-xxx-xxx.mycitrixtraining.net
where the xxx-xxx-xxx-xxx represents your lab’s external IP address. It should redirect
to https://. You should be prompted to download and install the Citrix Endpoint Analysis
Plug-in. Click Download.
12. Choose Run, Allow, or Yes on any security warnings or UAC messages you may get.
13. Click Install.
Click Finish when the installation is done.
14. Click Always to grant Citrix Endpoint Analysis permission to scan your system.
15. Since Notepad was not running, you should get the Access Denied message.
16. Start Notepad on your workstation. Once Notepad is running, click the Back button in
the Access Denied message to rescan. Endpoint Analysis reruns the scan. This time you
should be able to log in as User1 and have access to all the resources.
After testing, log off as User1 and close the browser.
Exercise Summary
In this exercise, we turned on SmartAccess mode and created a Pre-Authentication policy that
checked for a necessary process to be running. We also created a Pre-Authentication profile that is
used when the policy evaluates as true. The profile simply gives Allow permission to be
authenticated. We then bound the policy to the RemoteAccess NetScaler Gateway virtual server.
On the external client machine, we installed the Citrix Endpoint Analysis plug-in. We then tested
access without, and then with, our required process running.
Exercise 9
Using NetScaler Gateway Filters with XenDesktop
Overview
Now we’re going to get more granular with SmartAccess and show how it interacts with
XenDesktop. The AnyCo Company has decided that certain people with extra-secure devices
should get access to all the resources via XenDesktop, but the others should only get Windows 8
desktops. The extra-secure devices are identified by the fact that they have a special file located in
their file systems.
Step by step guidance
Estimated time to complete this lab: 30 minutes.
Step | Action
1. Before XenDesktop can benefit from NetScaler Gateway’s SmartAccess, the
XenDesktop farm must be set to trust requests sent to the XML port. By default, this trust
is turned off. To change this, go to the DC1 virtual machine and log in as
training\administrator. Then, launch Citrix Studio from the Start screen.
2. When Citrix Studio opens, on the left side, click at the very top on Citrix Studio
(XD71Site). In the middle pane, click the PowerShell tab. Down at the bottom, click the
Launch PowerShell button.
3. In the PowerShell window that opens, type Get-Brokersite and press Enter.
4. Notice at the bottom that TrustRequestsSentToTheXmlServicePort is set to False. To
change this, in the PowerShell window, type:
Set-Brokersite -TrustRequestsSentToTheXmlServicePort $true and press Enter.
5. Type Get-Brokersite again to see that the setting has changed.
6. Go to the Win7Client virtual machine. In the Configuration Utility, navigate to NetScaler
Gateway > Policies > Session, then click the Add… button on the right side.
7. Name the policy SmartAccess_Policy. To the right of the Request Profile line, click
New…
8. The Create NetScaler Gateway Session Profile dialog opens up. Name the profile
SmartAccess_Profile. Click the Client Experience tab. To the right of Single Sign-on
to Web Applications, check the Override Global box. Then, check the Single Sign-on
to Web Applications box.
9. Click the Security tab. Check the Override Global box to the right of Default
Authorization Action. Change the Action to Allow.
10. Click the Published Applications tab. Override Global on the ICA Proxy line and set it
to ON. Override for Web Interface Address and set it to
https://connect.training.lab/Citrix/CorporateStoreWeb. Override for Single-Sign-on
Domain and set to training.lab. Then, click Create.
11. Under the Expression area, click Add…
12. Change the Expression Type to Client Security, change the Component to File. Type
the name as c:\\fullaccess.txt (notice the two backslashes). No Qualifier is necessary,
and leave the Operator as EXISTS. Click OK.
13. In the Create NetScaler Gateway Session Policy dialog box, we are finally ready to click
Create, then Close.
14. Notice that after the SmartAccess_Policy has been created, NetScaler added two more
backslashes to the file path. This is normal and necessary and has to do with how
Unix-based systems handle backslashes.
15. Under NetScaler Gateway go to Virtual Servers and double-click on RemoteAccess.
Click on the Policies tab. Toward the bottom left, click on Insert Policy. Use the
pull-down arrow to choose SmartAccess_Policy.
16. Double-click on the SmartAccess_Policy Priority number and change it to 90. This will
give it a higher priority. Click OK. Save the running configuration.
17. Return to the DC1 virtual machine. Open Citrix Studio. In the left pane, click on
Delivery Groups. In the middle pane, click on the Win 2012 R2 Servers group and then
right-click on it and choose Edit Delivery Group.
18. On the left, click on Access Policy. On the right, click Add…
19. Enter RemoteAccess as the Farm name. This must match the name of the NetScaler
Gateway virtual server we are using. Enter SmartAccess_Policy as the Filter. This
must match the name of the session policy we just created. Click OK, then OK again.
20. Now, let’s test it. On your local workstation, create a text file at the root of the C: drive.
Name it fullaccess.txt. Make sure that Notepad is running.
21. Open your browser and go to http://xxx-xxx-xxx-xxx.mycitrixtraining.net where the
xxx-xxx-xxx-xxx is your lab’s external address separated by dashes. Endpoint analysis
will run and then you can log on as User1 with the password of Citrix123. After logging
on, you should see the Windows 2012r2 Desktop available as well as the Apps.
22. Log off as User1 and close your browser. Delete (or just rename) the c:\fullaccess.txt file.
Open your browser and go to http://xxx-xxx-xxx-xxx.mycitrixtraining.net again, and log in
as User1 again. This time, you should not see the Win 2012r2 Desktop or the Apps.
Exercise Summary
In this exercise we tested the granular SmartAccess capabilities of the NetScaler Gateway. We set
the XenDesktop farm to trust requests sent to the XML port, and we created a session policy along
with a session profile. We created an expression for the policy to look for a certain file on the client
workstation. If that file exists, the user gets all resources, but if it doesn’t, the user only gets partial
resources. We set the NetScaler Gateway’s virtual server as the Farm name on the XenDesktop
Delivery Group and set the session policy as the Filter name.
Revision | Change Description | Updated By | Date
1.1 | Original version | Richard Nash | 04/05/2014
About Citrix
Citrix Systems, Inc. designs, develops and markets technology solutions that enable information
technology (IT) services. The Enterprise division and the Online Services division constitute its two
segments. Its revenues are derived from sales of Enterprise division products, which include its
Desktop Solutions, Datacenter and Cloud Solutions, Cloud-based Data Solutions and related
technical services and from its Online Services division's Web collaboration, remote access and
support services. It markets and licenses its products directly to enterprise customers, over the
Web, and through systems integrators (SIs) in addition to indirectly through value-added resellers
(VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July
2012, the Company acquired Bytemobile, provider of data and video optimization solutions for
mobile network operators.
http://www.citrix.com