Following the XenApp 6.5 deployment in my previous article I thought I’d detail how to configure Access Gateway for Storefront 1.1, I’ll also leverage the Load Balancer I configured in a previous article so essentially users will be able to login remotely using Access Gateway, then be Load Balanced by the NetScaler to an appropriate StoreFront Server on your internal network.
This article assumes you have deployed the NetScaler Appliance (instructions here) and configured basic Network Settings including a DNS Nameserver.
Contents
1.4 Active Directory Domain Information
3.1 Basic Setup for Internal-only use (i.e. no access Gateway)
3.2 StoreFront Access Gateway Configuration
4. Access Gateway / NetScaler Configuration
4.1 Enable Access Gateway Feature
4.2 Import / Install SSL Certificate(s)
4.3 Create Authentication Policy / Server
4.4 Create Session Policies and Profiles
4.4.1 Receiver Web Session Policy / Profile
4.4.2 Storefront_Services Policy / Profile
4.4.3 PNA_Services Policy / Profile
4.5 Create Access Gateway Virtual Server(s)
1. Deployment Environent
1.1 NetScaler Deployment
Two node HA-pair of NetScaler VPX devices configured in a two-arm topology;
-
- NS1 – 192.168.0.230/24
- NS1 – 192.168.0.231/24
Internal network on NetScaler devices is 192.168.0.0/24, ‘External’ network is 192.168.209.0/24.
NetScaler MIP is 192.168.0.235.
Virtual Server IP Addresses and required DNS records (internally managed for LAB):
-
- 192.168.0.247 – ctx.domlocal.net (Load Balancer)
- 192.168.0.248 – ag.domlocal.net – Internal Access Gateway
- 192.168.209.248 – ctx.cb-net.co.uk (managed using split-DNS) – External Access Gateway
More info on the two-Access Gateway configuration below.
1.2 XenApp Deployment
Single XenApp 6.5 Server running Storefront 1.1 (in a production environment I’d separate these roles and have multiples of each!)
-
- CTX1.domlocal.net – 192.168.0.102/24
The Citrix XML service on the XenApp server is set to run on port 8081.
External URL for Access Gateway will be configured to https://ctx.cb-net.co.uk
1.3 SSL Certificates
Finally, SSL certificates;
-
- Use a third-party SSL certificate on the Access Gateway Virtual Server – the whole idea of Access Gateway is to facilitate easy access to internal Citrix systems, with a certificate from you internal PKI you’ll reduce functionality as the Receiver Client wont work without being hacked and slashed.
- If you opt for the two Access Gateway setup then an internal PKI certificate is fine for the intranet facing Access Gateway, alternatively add the SAN of the internal access gateway to your third-party SSL cert.
Both of these certificates should be SAN certificates, I used the following certificates:
-
- External Access Gateway certificate SANs – ctx.cb-net.co.uk
- Internal Access Gateway certificate SANs – ctx.cb-net.co.uk, ctx, ctx.domlocal.net, ctx1.domlocal.net, ctx1
I used the Internal Access Gateway Certificate on the StoreFront Server’s IIS Default Website.
1.4 Active Directory Domain Information
Domain Name: domlocal.net
Domain Controller: DC1.domlocal.net
2. Deployment Considerations
There are two ways you can approach this deployment;
- Configue the Access Gateway on an ‘External’ IP address (in this example 192.168.209.x/24)
- Configure the ACcess Gateway on an Internal IP address (in this example 192.168.0.x/24)
The first option appears to be the most logical, however there is a caveat; the Storefront Server will attempt to perform an authentication request with Access Gateway, the Access Gateway will not respond to authentication requests on an external interface, therefore an INTERNAL interface must have Access Gateway configured as well, for use in Authentication. In a single-arm, or internally addressed Access Gateway setup this is not an issue – more details (a little more!) here.
I’ll detail how to configure both simply because it took me a while to figure out how to get it working, but question the sanctity of deploying two essentially identical Access Gateway’s!
Additionally, I would avoid installing StoreFront on a Web interface Server.
3. StoreFront 1.1 Setup
3.1 Basic Setup for Internal-only use (i.e. no access Gateway)
Download StoreFront 1.1 from My Citrix > Downloads, so long as you have an active trial license or commercial XenApp license this should be available.
Important note here, if you want to use SSL then Install IIS and assign an SSL certificate to the default website before proceeding any further.
Install StoreFront 1.1, this is really simple:
When completed the MMC Snap-In will load and prompt for the deployment scenario you wish to use. For the purposes of this lab select a single-server deployment:
You’ll now be prompted for URL you wish StoreFront to be accessible on. If you have assigned an SSL certificate with a Common Name that represents the URL of choice as the Subject Name the prompt should be populated with the correct URL already.
For this deployment the internal FQDN is correct; https://ctx.domlocal.net
You’ll now be presented with a step-by-step configuration wizard of sorts.
First on the hitlist is authentication, click ‘Create Service’ and then tick all three authentication types, then click Create:
Now we’ll create a store, click ‘Create Store’ from the main window; enter a Store Name – for this example I used CB-Net XenApp Store;
Add the Data Collector Citrix XenApp server from one of your Citrix farms, esnure you set the correct port for the XML service. Importantly, unless you are sharing the XML service with IIS ports, make sure you select HTTP as the protocol!
The store has now been created, and for Internal Clients can now be accessed using the Receiver Client (not Receiver Web Site as we haven’t made that yet).
Now we can create the Receiver for Web IIS Website, form the main snap-in window select ‘Create Site’
3.2 StoreFront Access Gateway Configuration
We have already enabled the required Authentication tyoe for Access Gateway in step 3.1 (Pass-through form Citrix access Gateway)
From the StoreFront snap-in select Gateways and then, in the action pane, select ‘Add Gateway Server’
In this example I entered the following configuration details for the Access Gateway:
-
-
- Display Name: NetScaler MIP
- Gateway URL: https://ctx.cb-net.co.uk
- Deployment mode: Appliance
- Tick ‘Set server as Access Gateway Enterprise Edition’
- Subnet IP Address: 192.168.0.235 (this is the NetScaler MIP)
- Logon Type: Domain Only
-
You’ll then be prompted to enter a silent authentication URL. This comes back to my earlier point – this must resolve to an ‘Internal’ Access Gateway Virtual Server, i.e an IP address that would be accessible through the NetScaler’s management interface.
- If you opted for a single Access Gateway Virtual Server on the Internal Interface then enter your external FQDN as the address (use your internal DNS to point this at the INternal NetScaler IP) – in this example I would use https://ctx.cb-net.co.uk
- If you opted to go for the multi-Access Gateway deployment then this should be set to the internal FQDN of the internal Access Gateway Virtual Server (again use internal DNS servers) – in this example I would use https://ag.domlocal.net
Next is the Secure Ticket Authority definition. Importantly the list you use here MUST match the list you later use on the NetScaler/Access Gateway configuration. In this example I defined a single STA – https://ctx1.domlocal.net:8081
Ensure you enter the correct port number – this is the XML service port.
Next, on the Storefront configuration, define your external beacons. Essentially beacons are used by the Receiver Client to identify if it is on the Internal Network, and therefore not to use the Access Gateway, or on an external network, and therefore to use the AG.
Click on beacons form the Storefront snap-in, then from the action pane select ‘Manage beacons’ – I then used two external beacons, the first being the external Access Gateway URL, the second being the corporate website:
OK, so were nearly there on the StoreFront configuration, there are two remaining actions;
- Enable Legacy Support (required by iOS, Android and Mac devices
- Enable Remote Access
To enable Legacy Support browse to Stores and select the Store you created earlier, then form the action pane select ‘Configure Legacy Support’
Select the ‘Enable Legacy Support’ tick-box, change the Default Store to your new store then click OK:
Now form the action pane select ‘Enable Remote Access’
Tick the NetScaler MIP Access Gateway you created earlier and then select the Netscaler MIP as the default gateway:
StoreFront is now configured to support Access Gateway, we just have to configure the Access Gateway now!
4. Access Gateway / NetScaler Configuration
4.1 Enable Access Gateway Feature
First you’ll need to enable the NetScaler Access Gateway feature, browse to System > Settings > Configure Basic Features:
4.2 Import / Install SSL Certificate(s)
Now you need to import and install the SSL Certificate you’ll use on the Access Gateway Virtual Server(s).
Export the certificate you are using on the storefornt server using the Certificates MMC snap-in, ensure you export both the Public and Private Key.
Next, browse to the SSL folder in the left-hand menu and click on Import PKCS#12;
-
- Browse your local file system for the exported certificates
- Use an Output File Name of ‘Storefront_SSL’
- Enter the password you used when exporting it
Next, browse to SSL > Certificates and select ‘Install..’ from the bottom of the window:
-
- Enter a name of Storefront_SSL
- Browse the APPLICANCE for the certificate you just imported
- Enter the correct password
- Set a notification window of your choice
4.3 Create Authentication Policy / Server
Now we need to create an Authentication Policy and Server
Browse to Access Gateway > Policies > Authentication and click ‘Add…’ at the bottom of the window.
I named the policy ‘LDAP domlocal.net,’ selected an authentication type of LDAP and then clicked ‘New…’ next to Server:
Enter the following configuration details:
-
- Name: DC2.domlocal.net
- IP Address: 192.168.0.190
- Port: 636 (LDAPS)
- BaseDN: DC=domlocal,DC=net
- Administrative Bind DN: use the distinguishedName of a normal user account in AD DS – there is no need ot use an administrative account.
- Password: Password of above account
Click Retrieve Attributes to ensure the connection is working then click ‘Create’.
Under Expression in the Authentication Policy window click the ‘Advanced Free-Form’ button and then enter ‘ns_true’ into the expression field. Then click ‘Create:’
4.4 Create Session Policies and Profiles
Browse to Access Gateway > Policies > Session and click ‘Add…’ at the bottom of the window:
One important thing to note here is that the DNS names used in the Session Profiles point to a Load Balancer Virtual Server IP address; 192.168.0.247, this can also be configured ot point to a Storefront Server directly.
We need to create 3 session policies, one for Receiver, one for Storefront and one for Legacy Connections to PNAgent.xml to support iOS, Android and Macintosh devices.
4.4.1 Receiver Web Session Policy / Profile
Enter the following details:
-
- Name: Receiver_Web
- Expression: Click the ‘Match any expression’ button and then select Advanced Free-Form; enter REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
Then click New next to ‘Request Profile’
Under the Client Experience tab configure:
-
- Clientless Access: Allow
- Single Sign-On to Web applicance: Enabled
Under Published Applications configure the following, then click Create:
-
- ICA Proxy: ON
- Web Interface Address: https://ctx.domlocal.net/Citrix/CB-NetXenAppStoreWeb
- Single Sign-On Domain: DOMLOCAL
4.4.2 Storefront_Services Policy / Profile
Create a new Session Policy under Access Gateway > Policies > Session – click ‘Add…’ at the bottom of the window.
Enter the following details:
-
- Name: Storefront_Services
- Expression: Click the ‘Match any expression’ button and then select Advanced Free-Form; enter REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
Then click New next to ‘Request Profile’
Under Client Experience:
-
- Clientless Access: Allow
- Single Sign-On to Web appliance: Enabled
Under Published Applications configure:
-
- ICA Proxy: ON
- Single Sign-On Domain: DOMLOCAL
4.4.3 PNA_Services Policy / Profile
Create a new Session Policy under Access Gateway > Policies > Session – click ‘Add…’ at the bottom of the window.
Enter the following details:
-
- Name: PNA_Services
- Expression: Click the ‘Match any expression’ button and then select Advanced Free-Form; enter REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS
Then click New next to ‘Request Profile’
Under Client Experience:
-
- Single Sign-On to Web applicance: Enabled
Under Published Applications configre:
-
- ICA Proxy: ON
- Web Interface Address – use the URL that was generated when you enabled legacy mode on the store: https://ctx.domlocal.net/Citrix/CB-NetXenAppStore/PNAgent/config.xml
4.5 Create Access Gateway Virtual Server(s)
Browse to Access Gateway > Virtual Servers and click ‘Add…’ at the bottom of the window.
-
- Enter an IP address (if you use an external IP on this VS remember you;ll have to duplicate the steps below using an INTERNAL IP address as well so that Storefront Authenticatoin requests are processed correctly)
- Bind the correct SSL Certificate to the VS
Under Authentication add the LDAP Authentication policy you created earlier:
Under Policies add the three Session Policies you created earlier, in the following order:
-
- Priority 80 PNA_Service
- Priority 90: Storefront_Services
- Priority 100: Receiver Web
Now click the Clientless button in the policies window. We need to create a rule to ensure that Storefront traffic is not subject to any rewriting.
Click ‘Insert Policy…’ at the bottom of this window:
Name the policy CVPN_NoRW, enter an expression of true ahen click ‘New…’ next to Profile:
Name the new Profile CVPN_NoRw and click OK (there are no additional settings required):
Close the remaining Clientliess Access Policy Window to return to the Access Gateway Virtual Server configuration.
Finally, under Published Applications add the same STA(s) that you added to the Storefront configuration earlier:
If you just created your Access Gateway VS on an Internal IP then proceed ot the next step, if it’s configured on an External IP address perform the exact same setup as above using an internla IP address as well.
5. Testing Access Gateway
Once you have configured your external DNS and NAT (if applicable) to allow external access to the Access Gateway Virtual Server you are then ready to test. You could also use your internal DNS/host file to perform a mock test 🙂
I configure my Access Gateway to be accessible at https://ctx.cb-net.co.uk
Login with a user that has access to applications in the store:
You’ll then be redirected to the Storefront webpage:
You will not have to enter any other credentials, they get passed through via the Access Gateway:
Proceed to add an application:
Finally, test the application works:
And that’s it… not the shortest of configuration articles, but the process is fairly logical.
Problems?
Using Storefront 1.2 you may encounter an issue when you add the Access Gateway to the Storefront configuration and you are also load balancing Storefront IIS servers – for internal-only access for example . This happens because the source of the load balancer will be the same as your Access Gateway, so Storefront expects the traffic to be handled in a specific way and it is not. Perform the following steps to use a specific IP for Access Gateway related traffic, this way standrad load balanced traffic will still work:
1) Create a secondary SNIP
2) Create an additional Load Balancer for the Store Front Servers (not AGEE)
3) Finally, create NetProfiles for Internal and External traffic. Use one SNIP for the Internal, and the other for the External Load Balancer. Details on how to do this here: http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-lb-clienttraffic-usespecifiedsrcip-tsk.html