What is the difference between NetScaler and Access Gateway?

I think you get the point. When implementing a Citrix NetScaler, certain firewall ports will need to be opened; always check the Citrix product documentation before implementing. Multiple books have been written on each of these subjects independently. From a high-level perspective, when purchasing a Citrix NetScaler, follow these steps. First, you need to decide which physical or virtual model to go with: think about the amount of network throughput you may need, SSL offloading capabilities, and so on.

Next, depending on the specific features or functions you would like to use, you choose your edition (platform) license. So if it is the Gateway functionality you are looking for, go with the Gateway license.

Finally, you may want to purchase a maintenance contract with Citrix: they come in gold, silver or bronze, representing three, two or one year(s) of support. Contact your Citrix representative for more information.

Universal licenses
Next to the Access Gateway Edition (platform) license, you might also need an Access Gateway universal license.

Basic NetScaler terminology
NetScalers can be hard to get your head around: if it is not the licensing that will get your head spinning, then it will be the terminology used within NetScaler configurations to get things up and running.

Virtual servers
The NetScaler uses vServers (virtual servers) to deliver different kinds of services, and they come in several different flavours; for example, you can have a virtual server for secure gateway purposes, handling secure remote access for your users.

Service and server objects
Once a virtual server has been configured, one of the next steps will be the set-up and configuration of a so-called service object.

Enter monitors. A monitor is another logical object that sits between the service and the server object (note that it is bound to the service object) and constantly monitors the overall health and availability of the physical or virtual back-end systems, that is, the services on them handling the actual HTTP requests.

NetScaler internals

Default route
When configuring a NetScaler from scratch, it will also ask you for a default route, which functions as the default gateway for the NetScaler.

Static routes
Let me give you an example to try and explain what a static route might look like. Freeing up the need for additional IP addresses.

SSL Labs online security check
External CAs have a very extensive and intensive authentication and verification programme that you will need to go through before they issue one of their certificates.

Different types of certificates
When creating or requesting a digital SSL certificate you have a few options.

Wildcard certificates
We could make use of a wildcard certificate.

All NetScalers are almost equal with regard to the functionality and features they can deliver (Pay as you Grow). The main differences between the physical appliances are the compute resources and the type of Cavium SSL accelerator card they hold. This card is used to decrypt and encrypt SSL traffic.

The more powerful the card, the more SSL transactions it will be able to handle. While not mentioned earlier (except for the license type), there is also a NetScaler Express edition. However, there are a few limitations to keep in mind: no SSL offload capabilities, a maximum of 5 Mbps throughput, and it is licensed per year.

Other than that, it is definitely worth having a look at. If you need to temporarily increase your network bandwidth, think about purchasing and applying a Burst P

NetScaler high availability
Remember the "one is none" rule? Well, it applies to NetScalers as well. A NetScaler HA pair (2 nodes) is always set up as active-passive, with one NetScaler being the primary node of the two, and thus the active one.

The secondary node(s) will send a continuous stream of heartbeat messages (the interval is configurable), checking whether the primary device is active and accepting connections. If it fails to respond, and after multiple retries, a secondary node will take over, which is referred to as a failover.
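Both the monitor described under "Enter monitors" and the HA heartbeat described here are the same pattern: probe a target at a fixed interval and only declare it dead after several consecutive misses. The following is an added example written for this page, not NetScaler code; the interval, retry count, service names and outage timeline are constructed so you can see why the retry threshold matters (a short blip should not trigger a failover, a real outage should).

```python
"""Probe-with-retries logic shared by NetScaler monitors and HA heartbeats.

Added example, not NetScaler code. The interval and retry values, the
service names and the outage timeline are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ProbeTracker:
    """Counts consecutive failed probes against one target and flips it to
    DOWN once `max_failures` have been missed in a row (the "retries")."""
    name: str
    max_failures: int
    failures: int = 0
    state: str = "UP"

    def record(self, ok: bool) -> str:
        if ok:
            self.failures = 0          # one good probe resets the count
            self.state = "UP"
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.state = "DOWN"
        return self.state


# --- monitors: a monitor is bound to a service and drives the vserver state ---

def vserver_state(monitors: List[ProbeTracker]) -> str:
    """A load-balancing vserver stays UP while at least one service is UP."""
    return "UP" if any(m.state == "UP" for m in monitors) else "DOWN"


def simulate_monitoring(service_names: List[str], max_failures: int,
                        rounds: List[Dict[str, bool]]) -> List[str]:
    """Feed one probe result per service per round; return the vserver
    state after every round."""
    monitors = [ProbeTracker(n, max_failures) for n in service_names]
    history = []
    for results in rounds:
        for m in monitors:
            m.record(results[m.name])
        history.append(vserver_state(monitors))
    return history


# --- HA: the secondary heartbeats the primary every `interval` seconds ---

def run_heartbeat(interval: float, max_failures: int,
                  primary_alive: Callable[[float], bool],
                  duration: float) -> Optional[float]:
    """Return the time at which the secondary declares failover, or None
    if the primary never missed `max_failures` heartbeats in a row."""
    peer = ProbeTracker("primary", max_failures)
    t = 0.0
    while t <= duration:
        if peer.record(primary_alive(t)) == "DOWN":
            return t
        t += interval
    return None


def primary_timeline(t: float) -> bool:
    """Constructed outage pattern: a two-second blip at t=5..7 and a
    real outage from t=20 onward."""
    if 5.0 <= t < 7.0:
        return False
    return t < 20.0


if __name__ == "__main__":
    # Two services; web1 dies permanently in round 2, web2 dies in round 4.
    rounds = [
        {"web1": True, "web2": True},
        {"web1": False, "web2": True},
        {"web1": False, "web2": True},
        {"web1": False, "web2": False},
        {"web1": False, "web2": False},
    ]
    print(simulate_monitoring(["web1", "web2"], 2, rounds))   # vserver DOWN only in round 5
    print(run_heartbeat(1.0, 3, primary_timeline, 30.0))      # 22.0: failover on the real outage
    print(run_heartbeat(1.0, 2, primary_timeline, 30.0))      # 6.0: the blip alone causes a failover
```

With three tolerated misses the blip at t=5..7 is absorbed and failover happens at t=22 during the real outage; with only two, the blip itself causes a failover at t=6. That is the trade-off behind the configurable heartbeat interval and retry count.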

Posted November 26. I use email-based discovery with multiple email suffixes.

The StoreFront servers are load balanced on the NetScaler, just as your write-up suggests. Or is this not possible? Furthermore, do you have a really strong argument why I should use the load balancing from NetScaler as opposed to NLB?

Great stuff. Invaluable site.

If StoreFront 3. This is a new feature of NetScaler. An example configuration that uses this feature can be found in the StoreFrontAuth page. In the General Settings page, enter a display name. This name appears in Citrix Receiver or Citrix Workspace app, so make it descriptive.

The URL entered here must match what users enter into their browser address bars. Click Next. In the Secure Ticket Authority page, click Add. This can be http or https. The STA is installed automatically on Delivery Controllers.

There is no relationship between STA and farms: any farm can use any STA server, and StoreFront chooses the STA server. Click OK. You only use this field if you have multiple Gateways on separate appliance pairs connecting to one StoreFront server; see below for details. If you need SmartAccess or non-password authentication e. Otherwise leave it set to Domain only.

Click Create, then click Finish. You can add more Gateways depending on your design; multiple datacenters typically require multiple Gateways. Click Close when done. To enable the store to use Citrix Gateway, in the middle pane, right-click your store and click Configure Remote Access Settings. Check the box next to Enable Remote Access.

Leave it set to No VPN tunnel. Check the box next to the Citrix Gateway object you just created; this binds the Gateway to the Store. If you have multiple Gateways, select one of them as the Default appliance. In other words, Receiver ignores the Gateway you entered during discovery. In the top half of the window, make sure the Internal beacon is set to a URL that is only reachable internally.

The Internal beacon must never go down. Right-click the Server Group node and click Propagate Changes. Or upgrade to Workspace app. Receiver for Mac, Mobile Receivers, StoreFront 2. The Internal Beacon URL can be http instead of https. Or, you can create a new Gateway VIP on the same appliance that authenticated the users. Or you can create a separate internal Gateway VIP on the same appliance.

Note: if the internal beacon is down, then internal Receiver self-service will not work correctly. Make sure the Internal Beacon is not resolvable externally; it must be different from the external name. If the internal beacon is https, then the certificate must match the internal beacon DNS name. However, http URLs also work. If you made changes to an existing StoreFront deployment, then you might have to remove accounts from Receiver and re-add the account.

Internal DNS: citrix. For the internal beacon, use the FQDN of any internal web server. Make sure this name is not resolvable externally. This assumes the email suffix is also corp.

If you have more than one email suffix, then a wildcard certificate will not work. Another option is the following Subject Alternative Names: citrix. Only accessed from internal. Or you can create a separate internally-facing Gateway vServer for callback with a separate certificate.

If using email-based discovery, discoverReceiver. Internal certificate for StoreFront load balancing: a publicly-signed certificate is recommended, especially for mobile devices and thin clients.

Since you have the same DNS name for internal and external, you can use the external certificate for internal StoreFront. If you have more than one email suffix, then a wildcard certificate will not work: with multiple email suffixes you will have multiple SAN names. But you can optionally enable one of the Proximity GSLB load balancing algorithms so the closest datacenter is selected. Connection Proxy is the easiest to configure.
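Two design rules above are easy to get wrong on paper: a wildcard certificate covers exactly one DNS label, so `*.corp.com` can never cover `discoverReceiver.<other suffix>`, and the internal beacon must resolve inside the network but never outside it (and, if it is https, its certificate must match the beacon name). The script below is an added example written for this page, not code from the original article; the host names, email suffixes, certificate names and the internal/external DNS tables are constructed for illustration. The wildcard rule it applies is the single-label matching rule of RFC 6125.

```python
"""Name-coverage and beacon checks for a StoreFront/Gateway design with
email-based discovery and multiple email suffixes.

Added example, not from the original article. The host names, email
suffixes and DNS tables below are constructed for illustration."""
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: a leading '*' stands for exactly one
    DNS label, so '*.corp.com' matches 'citrix.corp.com' but neither
    'a.b.corp.com' nor 'discoverReceiver.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    tail = pattern.split(".")[1:]
    labels = host.split(".")
    return len(labels) == len(tail) + 1 and labels[1:] == tail


def required_names(gateway_fqdn: str, email_suffixes: Iterable[str],
                   email_discovery: bool = True) -> Set[str]:
    """Names the Gateway/StoreFront certificate must cover: the FQDN users
    type, plus discoverReceiver.<suffix> for every email suffix."""
    names = {gateway_fqdn}
    if email_discovery:
        names |= {f"discoverReceiver.{s}" for s in email_suffixes}
    return names


def uncovered_names(cert_names: Iterable[str], required: Iterable[str]) -> List[str]:
    """Required names that no certificate name (CN/SAN) matches."""
    certs = list(cert_names)
    return sorted(n for n in required
                  if not any(hostname_matches(c, n) for c in certs))


def beacon_dns_ok(beacon_url: str, internal_dns: Dict[str, str],
                  external_dns: Dict[str, str]) -> bool:
    """The internal beacon must resolve internally and must NOT resolve
    externally; otherwise Receiver decides it is inside when it is not."""
    host = urlsplit(beacon_url).hostname.lower()
    return host in internal_dns and host not in external_dns


def beacon_cert_ok(beacon_url: str, cert_names: Iterable[str]) -> bool:
    """An https beacon needs a certificate that matches its DNS name;
    an http beacon needs no certificate at all."""
    parts = urlsplit(beacon_url)
    if parts.scheme == "http":
        return True
    return any(hostname_matches(c, parts.hostname) for c in cert_names)


if __name__ == "__main__":
    suffixes = ["corp.com", "example.com"]              # constructed
    required = required_names("citrix.corp.com", suffixes)
    print(uncovered_names(["*.corp.com"], required))
    # -> ['discoverReceiver.example.com']: a wildcard cannot span two suffixes
    san_cert = ["citrix.corp.com", "discoverReceiver.corp.com",
                "discoverReceiver.example.com"]
    print(uncovered_names(san_cert, required))          # -> []
    internal = {"citrix.corp.com": "10.0.0.10", "beacon.corp.local": "10.0.0.20"}
    external = {"citrix.corp.com": "203.0.113.10"}      # constructed zones
    print(beacon_dns_ok("http://beacon.corp.local/", internal, external))  # True
    print(beacon_dns_ok("https://citrix.corp.com/", internal, external))   # False
    print(beacon_cert_ok("https://beacon.corp.local/", ["*.corp.com"]))    # False
```

Run it against your own certificate SAN list and the names you expect users to type; anything returned by `uncovered_names` will produce certificate warnings in Receiver or Workspace app, and a beacon that fails `beacon_dns_ok` will make external clients behave as if they were internal.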

If the user is internal, then the. Thus you typically want to control which datacenter is used for the ICA connection. The idea here is that backhaul WAN connections are faster than the Internet connection to a remote datacenter. Different Citrix Virtual Apps and Desktops zone per datacenter.

I have read this doc and configured it the same as this doc.

But it is not working when I test it. I am looking for some information about the EPA analysis settings. Can you recommend any? Thank you very much. I have deployed the EPA strategy and it has taken effect.

I now have a new question 1: Can the Preauthentication Policy be bound to a user or user group? You can check each Policy in turn. As long as one Policy is met, the Client can log in normally.

Preauth means before it knows who the groups are. Please tell me how to configure multiple Preauth Policies with vs.

This works fine if connecting through StoreFront (I can even block the ports and ), but this connection does not work if I am using a NetScaler. The Citrix SSL server you have selected is not accepting connections. What am I forgetting? It feels as if the certificate is not being accepted by the NetScaler.

And is there a log file that has more detailed info on this? If you do a network trace, you can see the SSL Handshake. Any errors? NetScaler

Thank you for your swift reply. I have performed a telnet from the NetScaler to the VDA on port and I can see the SNIP address on the session host and that the traffic has been accepted. I have now started an nstrace, but need to check the file later on when I am at a machine with Wireshark. I will keep you posted. Thanks again.

Frame: 89 bytes on wire, 89 bytes captured. Encapsulation type: NetScaler Encapsulation 3. To the VDA it shows that it wants to contact using And this of course fails. ICA only is not configured on the Virtual Server. For example, the Web Apps tab shows by default.

Can you change this to the Applications tab in the X1 theme? Thanks, Daniel.

Do you know if it is possible to skip EPA analysis preauthentication policies if a user belongs to a particular AD security group?

Or is it only possible to do that with post-authentication policies? In my lab, the NetScaler was assigned , but it got stuck at starting tunneling. Quick question if you know: can EPA scans be configured conditionally to allow 2 different authentication methods, based on pass or fail? I added a note about this to the Native OTP article. Or is it also working because of backward compatibility? Depends on your Session Policy configuration for plug-in upgrades. Minor firmware upgrades might not require a plug-in upgrade.

But major upgrades e. Been a great help, but stuck on one item and out of ideas: we have SSL VPN and the plugin configured fine, can RDP and ping servers on the remote end no problem. Cannot create a mapped drive, however; can connect to ports on telnet but unable to create a mapped drive to the Windows file server. Any hints would be great. Hi Carl, great article. We need this so we can remotely manage these clients.

We use the latest NetScaler version.

Citrix Gateway prompts the user for authentication. The website links can be proxied through Citrix Gateway.

Citrix Gateway can optionally Single Sign-on to the websites. After the tunnel is established, a portal page is displayed. It only needs Citrix Workspace app.

This is typically the StoreFront Receiver for Web page, but technically it can be any internal website. Setting it to OFF allows the other connection methods to function. If VPN is launched, then the portal page shown to the user after the tunnel is established can contain the StoreFront published applications.

The VPN Client is not launched. The internal websites are rewritten so they are proxied through Citrix Gateway. Or Bookmarks can be configured for Clientless Access.

Client Choices (checked or unchecked): if Client Choices is checked, then it displays a page containing up to three buttons allowing the user to choose between VPN, Clientless, or StoreFront. You cannot mix the two types. This could eliminate AAA Groups in some circumstances. In this case, the Profile settings are merged. Priority number: when you bind a Session Policy to a bind point, you specify a priority number. This priority number is pre-filled with a default value. Lowest priority number wins: the Session Policy binding that has the lowest priority number wins.

Session Policies bound with a priority of 80 will win over Session Policies bound with a higher priority number. You might think that AAA-bound policies always override Virtual Server-bound policies, but that is not the case. However, Default Syntax does not support Endpoint Analysis.

If there is a conflict, then the policy with the lowest priority number wins. Bookmarks, Intranet Applications, and Authorization Policies are merged. When users are authenticated with a particular authentication server, the authentication server can be configured to place users into a Default Authentication Group.

See nFactor EPA for details. If the EPA scan fails, then the user is not allowed to log in. Use nFactor instead. Other Session Policy expressions are still evaluated. A limitation of this EPA method is that nothing negative happens when the scan fails. Instead, you typically design Session Policies with a higher priority number (i.e. lower priority) and restrictive settings, so that if the EPA scans fail, users still get something. Other methods of connecting (Clientless, StoreFront) still work.

If Endpoint Analysis is configured anywhere, then an Endpoint Analysis plug-in is downloaded to the Windows or Mac client. To try only the secure DNS update, you can set the value to 2.

On the right, click Add. Enter a case-sensitive group name that matches the group name in Active Directory. Click OK. These objects are detailed later in this post. On the right, switch to the Session Profiles tab, and click Add.

Name the profile VPN or similar. In Session Profiles, every field has an Override Global checkbox to the right of it.

On the Client Experience tab, override Split Tunnel and make your choice. Setting it to OFF forces all traffic to use the tunnel. Setting it to ON requires you to create Intranet Applications so the Citrix Gateway Plug-in knows which traffic goes through the tunnel and which traffic goes directly out of the client NIC e.

On the Client Experience tab, there are timers that can be configured. Global Settings contains default timers, so you might want to configure this Session Profile to override the defaults and increase the timeouts. Client Idle Time-out is a Citrix Gateway Plug-in timer that disconnects the session if there is no user activity (mouse, keyboard) on the client machine. Session Time-out is a Citrix Gateway timer that disconnects the session if there is no network activity for this duration.
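The rules spread over the Session Policy sections above (lowest priority number wins regardless of bind point, profiles merged field by field with only Override Global fields replacing the global defaults, Intranet Applications merged across bind points, and Split Tunnel OFF sending everything through the tunnel while ON only tunnels Intranet Application destinations) are easier to verify in code than in the GUI. The script below is an added example written for this page, not NetScaler code; the policy names, priority numbers, global default values, timer values and the Intranet Application subnets are constructed for illustration, and the setting names are my own labels for the fields the text names.

```python
"""Effective Session Policy settings and the split-tunnel decision they drive.

Added example, not NetScaler code. Policy names, priorities, global
defaults and Intranet Application subnets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Assumed Global Settings values; only fields with "Override Global" ticked
# in a Session Profile replace them.
GLOBAL_DEFAULTS: Dict[str, Any] = {
    "split_tunnel": "OFF",
    "client_idle_timeout": 30,   # minutes, Gateway Plug-in timer (user activity)
    "session_timeout": 30,       # minutes, Gateway timer (network activity)
    "home_page": None,
}


@dataclass
class SessionBinding:
    """One Session Policy bound at a bind point with a priority number."""
    name: str
    bind_point: str          # "vserver" or "aaa_group"; does not affect precedence
    priority: int            # lowest number wins
    overrides: Dict[str, Any] = field(default_factory=dict)   # Override Global fields


def effective_settings(bindings: List[SessionBinding],
                       defaults: Dict[str, Any] = GLOBAL_DEFAULTS) -> Dict[str, Any]:
    """Merge profiles field by field. Apply policies from the highest priority
    number to the lowest, so the lowest number writes last and wins every
    field it overrides; fields nobody overrides keep the global default."""
    result = dict(defaults)
    for b in sorted(bindings, key=lambda b: b.priority, reverse=True):
        result.update(b.overrides)
    return result


def merged_intranet_apps(bound_apps: Dict[str, List[str]]) -> List[str]:
    """Intranet Applications bound at different bind points are merged (union)."""
    return sorted({cidr for cidrs in bound_apps.values() for cidr in cidrs})


def via_tunnel(dst_ip: str, settings: Dict[str, Any], intranet_cidrs: List[str]) -> bool:
    """Split Tunnel OFF: everything goes through the tunnel. ON: only
    destinations inside an Intranet Application go through it; the rest
    leaves directly via the client NIC."""
    if settings["split_tunnel"] == "OFF":
        return True
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(c) for c in intranet_cidrs)


# Constructed scenario: the AAA-group policy has the higher number (120),
# so it does NOT beat the vserver policy (100) just because it is group-bound.
BINDINGS = [
    SessionBinding("vpn_vserver", "vserver", 100,
                   {"split_tunnel": "ON", "client_idle_timeout": 45}),
    SessionBinding("vpn_contractors", "aaa_group", 120,
                   {"split_tunnel": "OFF", "session_timeout": 60}),
]
BOUND_APPS = {"vserver": ["10.0.0.0/8"], "aaa_group": ["192.168.50.0/24"]}

if __name__ == "__main__":
    s = effective_settings(BINDINGS)
    print(s)   # split_tunnel ON (100 beats 120), idle 45, session 60, home_page None
    apps = merged_intranet_apps(BOUND_APPS)
    for ip in ("10.1.2.3", "192.168.50.7", "8.8.8.8"):
        print(ip, via_tunnel(ip, s, apps))   # True, True, False
```

Swap the two priority numbers and the group policy's Split Tunnel OFF wins instead, which is the point of the "lowest number wins, bind point does not matter" rule: if you want the AAA group to override the vserver policy, give it the lower number.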

[Screenshot: portal page in the RfWebUI theme] [Screenshot: portal page in the X1 theme] On the Client Experience tab, the Home Page field lets you override the default portal page and instead display a different webpage e.

This homepage is displayed after the VPN tunnel is established or immediately if connecting using Clientless Access.

Citrix Gateway can automatically start the VPN tunnel whenever the user is remote.
