Integrate NetScaler with XenApp, XenDesktop and XenMobile


In part 1, I created certificates for my environment with Microsoft Certification Authority

In part 2, I integrated XenMobile into my XenApp and XenDesktop environment

In part 3, I will provide secure remote access to XenMobile, XenApp and XenDesktop with NetScaler.

NetScaler and XenMobile

  1. In a browser, navigate to http://172.16.0.14.
  2. Go to the Configuration screen
  3. Select XenMobile at the bottom of the left pane


4.
Select XenMobile 10 and Get Started
5.
Select only the following: Access through NetScaler Gateway6. For NetScaler Gateway Settings, enter the following:

a. IP Address: 172.16.0.16
b.
Port: 443
c.
Virtual Server Name: XenMobileGateway

6. For the certificate, choose the file from the appliance: WildcardCert.cer
7.
For the key file name, choose the file from the appliance: Wildcard-snpp-local.key
8.
Enter in the private key password we used when we created the key
9. For Authentication, enter in Active Directory information:

a. Primary authentication method: Active Directory/LDAP
b.
IP Address: 172.16.0.10
c.
Base DN: DC=SNPP,DC=local
d.
Service Account: Administrator@snpp.local
e.
Password: password for service account
f.
Test the connection
g.
Server Logon Name Attribute: sAMAccountName (this matches with the LDAP items we used for XenMobile)

10. For XenMobile App Management Settings, enter the following:

a. XenMobile Server FWDN: xm01.snpp.local
b.
Internal load balancing IP Address: 172.16.0.17 (just an unused IP Address)
c.
Communication with XenMobile Servers: HTTPS

11. XenMobile Server Certificate: Use existing certificate – WildcardCert.cer_CERT_KEY
12.
XenMobile Server: 172.16.0.13


NetScaler and XenDesktop

  1. In the left pane, select NetScaler Gateway – Virtual Servers
  2. Select _XM_XenMobileGateway in the virtual servers screen


3.
Scroll to the STA section and select


4.
Select Add Binding
5.
Enter in the following:

a. Secure Ticket Authority Server: https://ddc01.snpp.local
b.
Secure Ticket Authority Server Address Type: IPv4

6. Once entered, revisit the STA list to verify the XenMobile and XenDesktop STAs are green. If not, you must fix before continuing.


XenMobile

In the XenMobile Console (https://XM01.SNPP.local:4443), we do the following

  1. Select the gear icon in the upper right corner
  2. Select NetScaler Gateway
  3. Select Add
  4. Enter the following:
    a. Name: Gateway

    b. External URL: https://Gateway.snpp.local
    c.
    Logon Type: Domain only
    d.
    Password required: Yes
    e.
    Set as Default: Yes


5.
Enable authentication
6.
Save

StoreFront

In the StoreFront console, we do the following

  1. Navigate to Stores
  2. Select the appropriate store at the top


3.
In the right pane, select Configure Remote Access Settings
4.
Select

a. Enable Remote Access
b.
Allow users to access only resources delivered through StoreFront (no VPN tunnel)
c.
Add

5. Enter the following:

a. Display Name: Gateway
b.
NetScaler Gateway URL: https://gateway.snpp.local
c.
Usage or role: Authentication and HDX routing

6. For Secure Ticket Authority, add the following:

https://ddc01.snpp.local (this should be the same one added in the NetScaler Gateway configuration. You only need the XenApp/XenDesktop STA and not the XenMobile)


7.
For Authentication Settings, leave default options


8. Verify the remote access settings for the store


Test

On the Android phone used earlier, do the following:

  1. While logged into Citrix Secure Hub, select the menu in the upper left
  2. Select Preferences – Account – Delete Account (We need to reconfigure Secure Hub for our Gateway address. You can also uninstall/reinstall the app from the app store)
  3. Enter in the following: gateway.snpp.local


4.
Enter in user ID and password



5.
Select Add apps from Store


6.
Launch a XenApp/XenDesktop resource


With the session running, launch Director from the delivery controller. Look at the detailed information for the session to verify the Connected via address is the SNIP address (172.16.0.15) for the NetScaler.

 

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video

Advertisements

Integrate XenMobile with XenApp and XenDesktop


I’m integrating XenMobile and NetScaler into my XenApp and XenDesktop lab. This is a multi-part blog focusing on the following topics:

With our certificates created and installed, we can now integrate XenMobile with XenApp and XenDesktop.

Encrypt XenApp, XenDesktop and StoreFront communication

With certificates added to our XenApp and XenDesktop environment, we need to modify a few settings so the communication will be encrypted

Configure StoreFront

In the StoreFront console

  1. Select Server Group
  2. Select Change Base URL
  3. Update the url for HTTPS


3.
Select Stores
4.
A message should say

StoreFront is using HTTPS
No certificate associated with this StoreFront server


We must bind the wildcard certificate to the StoreFront web site.

  1. Within IIS Manager, select Sites – Default Web Sites in the left pane.
  2. Select Bindings in the right pane


3.
If https does NOT exist, select Add. If https does exist, select Edit

a. Set type to be https
b.
Select the wildcard certificate in the SSL Certificate entry.


4.
Return to the StoreFront console and refresh the Store. It should now only say StoreFront using HTTPS

We must also modify our delivery controller setup to use HTTPS

  1. In the StoreFront Console, select Stores
  2. Select Manage Delivery Controllers


3.
Select Edit
4.
Modify the Transport Type to HTTPS


Configure Delivery Controllers

We must bind the wildcard certificate to the IIS service so XML traffic is encrypted.  Most likely, the delivery controller will NOT have IIS Manager installed.  The configuration can be accomplished with PowerShell.

  1. Start PowerShell
  2. Run the following commands, modifying the red text as necessary for the domain name of the wildcard certificate:

New-WebBinding -Name “Default Web Site” -IP “*” -Port 443 -Protocol https

Get-ChildItem cert:\LocalMachine\my | where-object {$_.Subject -like “*snpp.local*”} | Select -first 1 | New-Item IIS:\SslBindings\0.0.0.0!443

Test the connection by going to the StoreFront website URL via HTTPs and launch a resource

Configure XenMobile

First we will integrate XenMobile with StoreFront, which in turns gives us access to XenApp and XenDesktop Resoruces.

  1. In a browser, navigate to https://xm01.snpp.local:4443.
  2. Select the gear icon in the upper right corner
  3. Select XenApp and XenDesktop
  4. Enter in the following

    a. Host: storefront.snpp.local
    b.
    Port: 443
    c.
    Relative Path: /Citrix/SNPP/PNAgent/config.xml (Look in the StoreFront console for this information. It will be the XenApp Services URL for the store).
    d.
    Use HTTPS: On


5.
Test connectivity
6.
Save

We also need to configure LDAP for XenMobile.

  1. In the XenMobile Console, select the gear icon in the upper right
  2. Select LDAP
  3. Select Add
  4. Enter in the following

    a. Directory Type: Active Directory
    b.
    Primary Server: 172.16.0.10 (IP Address of domain controller)
    c.
    Port: 389
    d.
    Domain name: snpp.local
    e.
    User Base DN: Filled in automatically
    f.
    Group Base DN: Filled in automatically
    g.
    User ID: ID of admin account
    h.
    Password: Password of admin account
    i.
    Domain alias: snpp
    j.
    Group Catalog Root Context: dc=snpp,dc=local
    k.
    User search by: sAMACcountName


Test

On my android phone (Note: you will need to install the root CA on the phone to trust the servers. The easiest way to get the cert onto the phone is email. Open the cert and the phone will install it)

  1. Connect to WiFi network hosting my lab
  2. Launch Play Store
  3. Download Secure Hub by Citrix
  4. Launch Secure Hub once download and installation completes
  5. Enter in the XenMobile address: xm01.snpp.local


6.
Select Yes, enroll
7.
Enter in username and password (just the user ID, no domain name or email address)


8.
Select Activate
9.
Select Add apps from Store
10.
The XenApp and XenDestkop resources should be visible.


11.
Select an app and launch (Citrix Receiver must be installed)
12. I
n the XenMobile console, in the Manage section, the user and the device should part of the inventory

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video

 

Microsoft Certificate Authority for XenApp, XenDesktop, XenMobile and NetScaler


My lab is very XenApp and XenDesktop focused, but I need to expand the functionality to include secure access with NetScaler Gateway and incorporate mobile device management/mobile app management (MDM/MAM) with XenMobile.

From what I understand, in order to do this, I really need to install certificates. D’oh!

Every time I have to deal with certificates I know I will run into issues. I’m not spending money on certificates for my lab. I want to use Microsoft Certification Authority. Unfortunately, most documentation I read simply states “Get a certificate from your public authority”. That is not very helpful.

And I suspect many XenApp and XenDesktop admins have similar challenges, so I decided to document the process (minus all of the mistakes).

This will be a multi-part blog focusing on the following topics:

  1. Certificates
  2. Integrate XenMobile with XenApp and XenDesktop
  3. Integrate NetScaler with XenMobile, XenApp and XenDesktop

My Environment

First, some details about my starting environment (in case you are using this to guide your buildout).

  1. I have a XenDesktop and StoreFront environment built and operational for local user access
    1. NetScaler Gateway is NOT currently used
    2. All connections are using HTTP
  2. XenMobile Server
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, without configuring any optional settings. I did not configure certificates, LDAP, or NetScaler configs.
  3. NetScaler
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, including licenses

My environment specifics are as follows:

Server Name Roles Version IP Addresses
DDC01.snpp.local XenDesktop Controller 7.14 172.16.0.117
SF01.snpp.local StoreFront Server 3.8 172.16.0.119
XM01.snpp.local XenMobile Server 10.4 172.16.0.13
NG01.snpp.local NetScaler Gateway 12 MIP: 172.16.0.14

SNIP: 172.16.0.15

Gateway: 172.16.0.16

DC1.snpp.local Domain Controller

Certification Authority

DNS

DHCP

2016 172.16.0.10

My DNS:

Add the following addresses to DNS based on the defined IP addresses

  1. XM01.snpp.local
  2. Gateway.snpp.local
  3. StoreFront.snpp.local is an alias for SF01.snpp.local. StoreFront.snpp.local is the base URL for the StoreFront store

My Certificates:

Certificates are often the most confusing part of the configuration, especially when you are trying to use your own Certificate Authority (CA), like I am with Microsoft Certification Authority in Windows Server 2016. In order to successfully create a deployment, we need the following certificates

  1. Wildcard certificate (*.SNPP.local)
  2. Root certificate for my CA

Note: You can opt to use FQDN server certs instead of the wildcard, but you will need one for each server. The process is the same.

Create Certificate
1.
Launch Internet Information Services (IIS) Manager from the StoreFront Server


2.
Within IIS Manager, select the server in the left pane. Then double-click Server Certificates in the middle pane.
3.
Select Create Domain Certificate from the right pane


4.
Fill in the appropriate information with the common name being the wildcard cert name. In my example *.snpp.local


5.
Hit Select to select the CA. Enter in a friendly name. Select Finish

6. The wildcard certificate should now appear in the window

 Export Certificates

The certificate is installed on the local StoreFront server. We need to export the certificate and private key so we can install it on our other servers.

1 Launch MMC
2. Select File – Add/Remove Snapin
3.
Double-click Certificates
4. Select Computer Account
5. Finish the add/remove dialogs
6. Navigate to Personal – Certificates. The wildcard certificate should be visible. Right-click the cert and select Export


7.
Do NOT export the private key
8. Select Base-64 encoded X.509

9. Give the certificate file a name like WildcardCert.cer and save

We need to export the certificate AGAIN

  1. Right-click the wildcard cert and select Export
  2. This time, include the private key
  3. Select the following

    a. Personal Information Exchange PKCS #12
    b.
    Include all certificates in the certification path if possible
    c.
    Export all extended properties


4. Add a password to the key file
5.
Save the file with a name like WildcardCertKey

We need one more certificate, the Root Certificate so all of our devices will trust the certificates from our private CA.

  1. Open a browser and navigate to http://172.16.0.10/certsrv (This is the IP of the domain controller running certification authority)


2.
Select Download a CA Certificate, certificate chain, or CRL
3.
Select Base 64.


4.
Select Download CA Certificate. Give it a name like SNPPRootCA

Install Certificates

We need to install the certs on the StoreFront server, delivery controller, XenMobile server and NetScaler. Because we created a domain certificate request on the StoreFront server, the certificate is already installed. But if you have multiple StoreFront servers, this must be done on the remaining ones.

Install Certificates on StoreFront and Delivery Controller Servers

  1. On the storefront server, double-click on the SNPPRootCA.cer file.
  2. Select Install Certificate


3.
Select Local Machine
4.
Select Place all certificates in the following store, and select Trusted Root Certification Authorities
5.
The Root CA is now installed on the host.

To install the wildcard certificate,

  1. Double-click the certificate containing the private key: WildcardCertKey.pfx
  2. Select Local Machine

3. The file name should be filled in automatically
4. Enter in the certificate’s password
5. Place all certificates in the following store: Personal

Repeat on all remaining Windows-based delivery controllers and StoreFront servers

Install Certificates on XenMobile Server

Install the root certificate

  1. From your browser, navigate to https://172.16.0.13:4443. This is the IP Address of the XenMobile Server
  1. Select the Gear icon in the upper right to go into the configuration menu
  2. Select Certificates
  3. Select Import
  4. Make the following selections

    a. Import: Certificate
    b.
    Use as: Server
    c.
    Certificate Import: SNPPRootCA.cer


5.
Select Import
6.
The Root CA should not be installed

Install the wildcard certificate

  1. Select Import
  2. Make the following selections

    a. Import: keystore
    b.
    Keystore Type: PKCS#12
    c.
    Use as: SSL Listener
    d.
    Keystore file: WildcardCertKey.pfx
    e.
    Password: this is the password used when exporting the wildcard certificate’s private key


3.
Select Import
4.
Select OK in the import message warning
5.
Reboot the XenMobile server for the certificate to take effect

To test the certificate, launch a browser to https://xm01.snpp.local:4443. If the certificate works, there should be no untrusted certificate warning message. Make sure your endpoint has the following the root certificate installed in the local machine store.

If using Firefox (browser I used), you have to add the Root CA cert directly into the browser.
1.
In Firefox, select Options
2.
Select Advanced
3.
Select Certificates


4. Select View Certificates
5.
Under Authorities, select Import.


6.
Select the SNPPRootCA.cer file

 Install Certificates on NetScaler

First, we need to create a PEM file from the PKCS#12 file (certificate export with private key)

  1. Launch a browser to http://172.16.0.14 and log in.
  2. Navigate to Traffic Management – SSL

3. Select Import PKCS#12. Use the following information

a. Output File Name: wildcard-snpp-local.key
b.
Choose File: WildcardCertKey.pfx (This is the local certificate file we exported with the private key)
c.
Input Password: enter in the password used for the export
d.
Encoding Format: 3DES
f.
PEM Passphrase: Enter in a password


Now, we need to upload our certificate

  1. In the Traffic Management – SSL section, select Manage Certificates / Keys / CSRs


2.
Select Upload
3.
Select WildcardCert.cer
4.
Select Upload
5.
Select SNPPRootCA.cer
6.
Select WildcardCertKey.pfx
7.
Select Delete. We don’t need that file anymore as it was used to create our keyfile

We install our server certificate

  1. Navigate to Traffic Management – SSL – Certificates – Server Certificates


  1. Select Install
  2. Enter in the following

    a. Certificate-Key Pair Name: Wildcard-SNPP-Local
    b.
    Certificate File Name: WildcardCert.cer
    c.
    Key File Name: wildcard-snpp-local.key
    d.
    Password: the PEM passphrase used earlier


Finally, we install our root certificate

  1. Navigate to Traffic Management – SSL – Certificates – CA Certificates
  2. Select Install
  3. Enter in the following

    a. Certificate-Key Pair Name: SNPPRootCert
    b.
    Certificate File Name: SNPPRootCA.cer


We are done with Certificates!!!!!!!!!

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video

XenApp Best Practice #6: You Will Fail


I love the outdoors. I love being able to completely disconnect from the rest of the digital world.

I want my kids to experience the same thing, which is why I often take them out on hikes. It is why I took my entire family on vacation to the Boundary Waters and Canoe Area in northern Minnesota. If you aren’t familiar with the BWCA, it is over 1,000,000 acres of complete wilderness. By complete wilderness I mean no roads, no electricity, no motors and no cell phone towers!!!

You paddle across a lake, then throw the canoe and your backpack onto your shoulders and portage to the next lake and repeat. As you would expect, you want to limit how much gear you bring in because someone has to carry it.

Taking a trip to the BWCA requires planning. You have to plan your meals. You have to plan your drinking water. You have to plan your shelter.

You also have to plan for potential issues. How will you protect your food from bears? What happens if the weather is bad?

However, no matter how much preparation and planning you do, there is the potential for something unforeseen happening that you didn’t plan for.

What happens if you flip a canoe? What if you can’t find a campsite? What if someone gets injured?

Of course, with enough time you can plan for all of these things and thoroughly prepare by bringing the appropriate gear, but your backpack would weigh hundreds of pounds.

If you plan for every potential issue, you will never succeed because you will spend all of your time planning. And even if you get to actually doing something, all of those contingencies plans will weigh you down and make for a very poor and costly experience, which fits into our latest best practice:

XenApp Best Practice #6: You can’t plan for every potential failure; focus some effort on recovery

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video

Citrix Visio Stencils (June 2017)


Now that Citrix Synergy is over, I’ve got some new Visio stencils for Citrix architects.

First, I’ve got role-based stencils for NetScaler (based on a request from a Citrix architect and Visio user).

Second, I created a stencil for Citrix Cloud XenMobile Service to align with the Citrix Cloud XenApp and XenDesktop service.

I’m noticing these XenApp and XenDesktop stencils have started to grow beyond XenApp and XenDesktop.  I think it is time to rename these stencils to Citrix Visio Stencils.

And like before, I created a set of Visio stencils in the Visio 2010 format.

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video

Optimize VDI: Windows 10 User Interface and Runtime (Original, Anniversary and Creator Updates)


This is a multi-part blog series focused on optimizing Windows 10 VDI

As we saw in previous blogs, Microsoft added new default apps, services and scheduled tasks into the base operating system of the Windows 10 Build 1703 (Creator Update). These updates will have an impact on the user experience, especially in a VDI implementation.

Continue reading Optimize VDI: Windows 10 User Interface and Runtime (Original, Anniversary and Creator Updates)

Optimize VDI: Windows 10 Scheduled Tasks (Original, Anniversary and Creator Updates)


This is a multi-part blog series focused on optimizing Windows 10 VDI

As we saw in previous blogs, Microsoft added new default apps and services into the base operating system of the Windows 10 Build 1703 (Creator Update). These updates will have an impact on the user experience, especially in a VDI implementation.

Scheduled Tasks

Many of the new capabilities within the latest builds of Windows 10 also implements new scheduled tasks. Although the tasks do not run continuously, they will impact density when executing and many are irrelevant in a non-persistent VDI environment.

  • Build 1507: 130 Tasks
  • Build 1607: 166 Tasks
  • Build 1703: 165 Tasks

History has shown that optimizing Windows scheduled tasks can improve logon time and server density. It is recommended to review the list of scheduled tasks and disable those that are not necessary for the users.

To see a list of Windows services, run the following PowerShell command:
Get-ScheduledTasks

Color Code:

  • Green: Customer experience program tasks
  • Orange: Maintenance tasks
  • Blue: Tasks for applications
  • Purple: General system tasks
  • Red: Safety and security tasks

Continue reading Optimize VDI: Windows 10 Scheduled Tasks (Original, Anniversary and Creator Updates)

Advertisements

My virtual desktop journey

Advertisements