NetScaler : Configuring Access Gateway for Storefront 1.1

SFInst1

Following the XenApp 6.5 deployment in my previous article I thought I’d detail how to configure Access Gateway for Storefront 1.1, I’ll also leverage the Load Balancer I configured in a previous article so essentially users will be able to login remotely using Access Gateway, then be Load Balanced by the NetScaler to an appropriate StoreFront Server on your internal network.

This article assumes you have deployed the NetScaler Appliance (instructions here) and configured basic Network Settings including a DNS Nameserver.

Contents

1. Deployment Environent

1.1 NetScaler Deployment

1.2 XenApp Deployment

1.3 SSL Certificates

1.4 Active Directory Domain Information

2. Deployment Considerations

3. StoreFront 1.1 Setup

3.1 Basic Setup for Internal-only use (i.e. no access Gateway)

3.2 StoreFront Access Gateway Configuration

4. Access Gateway / NetScaler Configuration

4.1 Enable Access Gateway Feature

4.2 Import / Install SSL Certificate(s)

4.3 Create Authentication Policy / Server

4.4 Create Session Policies and Profiles

4.4.1 Receiver Web Session Policy / Profile

4.4.2 Storefront_Services Policy / Profile

4.4.3 PNA_Services Policy / Profile

4.5 Create Access Gateway Virtual Server(s)

5. Testing Access Gateway

6. Problems? 

1. Deployment Environent

1.1 NetScaler Deployment

Two node HA-pair of NetScaler VPX devices configured in a two-arm topology;

    • NS1 – 192.168.0.230/24
    • NS1 – 192.168.0.231/24

Internal network on NetScaler devices is 192.168.0.0/24, ‘External’ network is 192.168.209.0/24.

NetScaler MIP is 192.168.0.235.

Virtual Server IP Addresses and required DNS records (internally managed for LAB):

    • 192.168.0.247 – ctx.domlocal.net (Load Balancer)
    • 192.168.0.248 – ag.domlocal.net – Internal Access Gateway
    • 192.168.209.248 – ctx.cb-net.co.uk (managed using split-DNS) – External Access Gateway

More info on the two-Access Gateway configuration below.

 

1.2 XenApp Deployment

Single XenApp 6.5 Server running Storefront 1.1 (in a production environment I’d separate these roles and have multiples of each!)

    • CTX1.domlocal.net – 192.168.0.102/24

The Citrix XML service on the XenApp server is set to run on port 8081.

External URL for Access Gateway will be configured to https://ctx.cb-net.co.uk

 

1.3 SSL Certificates

Finally, SSL certificates;

    • Use a third-party SSL certificate on the Access Gateway Virtual Server – the whole idea of Access Gateway is to facilitate easy access to internal Citrix systems, with a certificate from you internal PKI you’ll reduce functionality as the Receiver Client wont work without being hacked and slashed.
    • If you opt for the two Access Gateway setup then an internal PKI certificate is fine for the intranet facing Access Gateway, alternatively add the SAN of the internal access gateway to your third-party SSL cert.

Both of these certificates should be SAN certificates, I used the following certificates:

    • External Access Gateway certificate SANs – ctx.cb-net.co.uk 
    • Internal Access Gateway certificate SANs – ctx.cb-net.co.uk, ctx, ctx.domlocal.net, ctx1.domlocal.net, ctx1

I used the Internal Access Gateway Certificate on the StoreFront Server’s IIS Default Website.

 

1.4 Active Directory Domain Information

Domain Name: domlocal.net

Domain Controller: DC1.domlocal.net

 

2. Deployment Considerations 

There are two ways you can approach this deployment;

  1. Configue the Access Gateway on an ‘External’ IP address (in this example 192.168.209.x/24)
  2. Configure the ACcess Gateway on an Internal IP address (in this example 192.168.0.x/24)

The first option appears to be the most logical, however there is a caveat; the Storefront Server will attempt to perform an authentication request with Access Gateway, the Access Gateway will not respond to authentication requests on an external interface, therefore an INTERNAL interface must have Access Gateway configured as well, for use in Authentication. In a single-arm, or internally addressed Access Gateway setup this is not an issue – more details (a little more!) here.

I’ll detail how to configure both simply because it took me a while to figure out how to get it working, but question the sanctity of deploying two essentially identical Access Gateway’s!

Additionally, I would avoid installing StoreFront on a Web interface Server.

 

3. StoreFront 1.1 Setup

3.1 Basic Setup for Internal-only use (i.e. no access Gateway)

Download StoreFront 1.1 from My Citrix > Downloads, so long as you have an active trial license or commercial XenApp license this should be available.

Important note here, if you want to use SSL then Install IIS and assign an SSL certificate to the default website before proceeding any further.

Install StoreFront 1.1, this is really simple:

SFInst1

SFInst2

SFInst3

When completed the MMC Snap-In will load and prompt for the deployment scenario you wish to use. For the purposes of this lab select a single-server deployment:

SFInst4

You’ll now be prompted for URL you wish StoreFront to be accessible on. If you have assigned an SSL certificate with a Common Name that represents the URL of choice as the Subject Name the prompt should be populated with the correct URL already.

For this deployment the internal FQDN is correct; https://ctx.domlocal.net

SF1

You’ll now be presented with a step-by-step configuration wizard of sorts.

SFInst5

First on the hitlist is authentication, click ‘Create Service’ and then tick all three authentication types, then click Create:

SF2

Now we’ll create a store, click ‘Create Store’ from the main window; enter a Store Name – for this example I used CB-Net XenApp Store;

SF3

Add the Data Collector Citrix XenApp server from one of your Citrix farms, esnure you set the correct port for the XML service. Importantly, unless you are sharing the XML service with IIS ports, make sure you select HTTP as the protocol!

SF4

The store has now been created, and for Internal Clients can now be accessed using the Receiver Client (not Receiver Web Site as we haven’t made that yet).

Now we can create the Receiver for Web IIS Website, form the main snap-in window select ‘Create Site’

SFInst6

 

3.2 StoreFront Access Gateway Configuration

 We have already enabled the required Authentication tyoe for Access Gateway in step 3.1 (Pass-through form Citrix access Gateway)

From the StoreFront snap-in select Gateways and then, in the action pane, select ‘Add Gateway Server’

SFInst7

In this example I entered the following configuration details for the Access Gateway:

      • Display Name: NetScaler MIP
      • Gateway URL: https://ctx.cb-net.co.uk
      • Deployment mode: Appliance
      • Tick ‘Set server as Access Gateway Enterprise Edition’
      • Subnet IP Address: 192.168.0.235 (this is the NetScaler MIP)
      • Logon Type: Domain Only 

SF7

You’ll then be prompted to enter a silent authentication URL. This comes back to my earlier point – this must resolve to an ‘Internal’ Access Gateway Virtual Server, i.e an IP address that would be accessible through the NetScaler’s management interface.

  • If you opted for a single Access Gateway Virtual Server on the Internal Interface then enter your external FQDN as the address (use your internal DNS to point this at the INternal NetScaler IP) – in this example I would use https://ctx.cb-net.co.uk
  • If you opted to go for the multi-Access Gateway deployment then this should be set to the internal FQDN of the internal Access Gateway Virtual Server (again use internal DNS servers) – in this example I would use  https://ag.domlocal.net 

SF8

Next is the Secure Ticket Authority definition. Importantly the list you use here MUST match the list you later use on the NetScaler/Access Gateway configuration. In this example I defined a single STA – https://ctx1.domlocal.net:8081

Ensure you enter the correct port number – this is the XML service port.

SF9

Next, on the Storefront configuration, define your external beacons. Essentially beacons are used by the Receiver Client to identify if it is on the Internal Network, and therefore not to use the Access Gateway, or on an external network, and therefore to use the AG.

Click on beacons form the Storefront snap-in, then from the action pane select ‘Manage beacons’ – I then used two external beacons, the first being the external Access Gateway URL, the second being the corporate website:

SFInst8 

OK, so were nearly there on the StoreFront configuration, there are two remaining actions;

  1. Enable Legacy Support (required by iOS, Android and Mac devices
  2. Enable Remote Access

To enable Legacy Support browse to Stores and select the Store you created earlier, then form the action pane select ‘Configure Legacy Support’

Select the ‘Enable Legacy Support’ tick-box, change the Default Store to your new store then click OK:

SFInst9

Now form the action pane select ‘Enable Remote Access’

Tick the NetScaler MIP Access Gateway you created earlier and then select the Netscaler MIP as the default gateway:

SF11

StoreFront is now configured to support Access Gateway, we just have to configure the Access Gateway now!

 

4. Access Gateway / NetScaler Configuration

4.1 Enable Access Gateway Feature

First you’ll need to enable the NetScaler Access Gateway feature, browse to System > Settings > Configure Basic Features:

AG

 

4.2 Import / Install SSL Certificate(s)

Now you need to import and install the SSL Certificate you’ll use on the Access Gateway Virtual Server(s).

Export the certificate you are using on the storefornt server using the Certificates MMC snap-in, ensure you export both the Public and Private Key.

Next, browse to the SSL folder in the left-hand menu and click on Import PKCS#12;

    • Browse your local file system for the exported certificates
    • Use an Output File Name of ‘Storefront_SSL’
    • Enter the password you used when exporting it

AG2a

Next, browse to SSL > Certificates and select ‘Install..’ from the bottom of the window:

    • Enter a name of Storefront_SSL
    • Browse the APPLICANCE for the certificate you just imported
    • Enter the correct password
    • Set a notification window of your choice

AG2b

 

4.3 Create Authentication Policy / Server 

Now we need to create an Authentication Policy and Server

Browse to Access Gateway > Policies > Authentication and click ‘Add…’ at the bottom of the window.

AG4

I named the policy ‘LDAP domlocal.net,’ selected an authentication type of LDAP and then clicked ‘New…’ next to Server:

AG5

Enter the following configuration details:

    • Name: DC2.domlocal.net
    • IP Address: 192.168.0.190
    • Port: 636 (LDAPS)
    • BaseDN: DC=domlocal,DC=net
    • Administrative Bind DN: use the distinguishedName of a normal user account in AD DS – there is no need ot use an administrative account.
    • Password: Password of above account

Click Retrieve Attributes to ensure the connection is working then click ‘Create’.

AG6

Under Expression in the Authentication Policy window click the ‘Advanced Free-Form’ button and then enter ‘ns_true’ into the expression field. Then click ‘Create:’

 AG7

4.4 Create Session Policies and Profiles

Browse to Access Gateway > Policies > Session and click ‘Add…’ at the bottom of the window:

AG (8)

One important thing to note here is that the DNS names used in the Session Profiles point to a Load Balancer Virtual Server IP address; 192.168.0.247, this can also be configured ot point to a Storefront Server directly.

 We need to create 3 session policies, one for Receiver, one for Storefront and one for Legacy Connections to PNAgent.xml to support iOS, Android and Macintosh devices.

4.4.1 Receiver Web Session Policy / Profile

Enter the following details:

    • Name: Receiver_Web
    • Expression: Click the ‘Match any expression’ button and then select Advanced Free-Form; enter REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Then click New next to ‘Request Profile’

SessionPol (1)

Under the Client Experience tab configure:

    • Clientless Access: Allow
    • Single Sign-On to Web applicance: Enabled

SessionPol (3)

Under Published Applications configure the following, then click Create:

SessionPol (4) 

4.4.2 Storefront_Services Policy / Profile

Create a new Session Policy under Access Gateway > Policies > Session – click ‘Add…’ at the bottom of the window.

Enter the following details:

    • Name: Storefront_Services
    • Expression: Click the ‘Match any expression’ button and then select Advanced Free-Form; enter REQ.HTTP.HEADER X-Citrix-Gateway EXISTS

SessionPol (5) 

Then click New next to ‘Request Profile’

Under Client Experience:

    • Clientless Access: Allow
    • Single Sign-On to Web appliance: Enabled

 SessionPol (7)

Under Published Applications configure:

      • ICA Proxy: ON
      • Single Sign-On Domain: DOMLOCAL

SessionPol (8)

4.4.3 PNA_Services Policy / Profile

 

Create a new Session Policy under Access Gateway > Policies > Session – click ‘Add…’ at the bottom of the window.

Enter the following details:

    • Name: PNA_Services
    • Expression: Click the ‘Match any expression’ button and then select Advanced Free-Form; enter REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS

PNA-SessionPol

Then click New next to ‘Request Profile’

Under Client Experience:

    • Single Sign-On to Web applicance: Enabled

SessionPol (15)

Under Published Applications configre:

SessionPol (16)

 

4.5 Create Access Gateway Virtual Server(s)

Browse to Access Gateway > Virtual Servers and click ‘Add…’ at the bottom of the window.

    • Enter an IP address (if you use an external IP on this VS remember you;ll have to duplicate the steps below using an INTERNAL IP address as well so that Storefront Authenticatoin requests are processed correctly)
    • Bind the correct SSL Certificate to the VS

AGvs1

Under Authentication add the LDAP Authentication policy you created earlier:

AGvs2 

Under Policies add the three Session Policies you created earlier, in the following order:

    • Priority 80 PNA_Service
    • Priority 90: Storefront_Services
    • Priority 100: Receiver Web

 AGvs3

Now click the Clientless button in the policies window. We need to create a rule to ensure that Storefront traffic is not subject to any rewriting.

Click ‘Insert Policy…’ at the bottom of this window:

NoRW1

Name the policy CVPN_NoRW, enter an expression of true ahen click ‘New…’ next to Profile:

NoRW2

 Name the new Profile CVPN_NoRw and click OK (there are no additional settings required):

NoRW3

Close the remaining Clientliess Access Policy Window to return to the Access Gateway Virtual Server configuration.

Finally, under Published Applications add the same STA(s) that you added to the Storefront configuration earlier:

AGvs4

If you just created your Access Gateway VS on an Internal IP then proceed ot the next step, if it’s configured on an External IP address perform the exact same setup as above using an internla IP address as well.

 

5. Testing Access Gateway

Once you have configured your external DNS and NAT (if applicable) to allow external access to the Access Gateway Virtual Server you are then ready to test. You could also use your internal DNS/host file to perform a mock test 🙂

I configure my Access Gateway to be accessible at https://ctx.cb-net.co.uk 

Login with a user that has access to applications in the store:

Test (1)

You’ll then be redirected to the Storefront webpage:

Test (2)

You will not have to enter any other credentials, they get passed through via the Access Gateway:

Test (3)

Proceed to add an application:

Test (4)

Test (5) 

Finally, test the application works:

 Test (8)

And that’s it… not the shortest of configuration articles, but the process is fairly logical.

Problems?

Using Storefront 1.2 you may encounter an issue when you add the Access Gateway to the Storefront configuration and you are also load balancing Storefront IIS servers – for internal-only access for example . This happens because the source of the load balancer will be the same as your Access Gateway, so Storefront expects the traffic to be handled in a specific way and it is not. Perform the following steps to use a specific IP for Access Gateway related traffic, this way standrad load balanced traffic will still work:

1) Create a secondary SNIP
2) Create an additional Load Balancer for the Store Front Servers (not AGEE)
3) Finally, create NetProfiles for Internal and External traffic. Use one SNIP for the Internal, and the other for the External Load Balancer. Details on how to do this here: http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-lb-clienttraffic-usespecifiedsrcip-tsk.html