
Integrate NetScaler with XenApp, XenDesktop and XenMobile


In part 1, I created certificates for my environment with Microsoft Certification Authority

In part 2, I integrated XenMobile into my XenApp and XenDesktop environment

In part 3, I will provide secure remote access to XenMobile, XenApp and XenDesktop with NetScaler.

NetScaler and XenMobile

  1. In a browser, navigate to http://172.16.0.14.
  2. Go to the Configuration screen.
  3. Select XenMobile at the bottom of the left pane.
  4. Select XenMobile 10 and Get Started.
  5. Select only the following: Access through NetScaler Gateway.
  6. For NetScaler Gateway Settings, enter the following:
    a. IP Address: 172.16.0.16
    b. Port: 443
    c. Virtual Server Name: XenMobileGateway
  7. For the certificate, choose the file from the appliance: WildcardCert.cer
  8. For the key file name, choose the file from the appliance: Wildcard-snpp-local.key
  9. Enter the private key password we used when we created the key.
  10. For Authentication, enter the Active Directory information:
    a. Primary authentication method: Active Directory/LDAP
    b. IP Address: 172.16.0.10
    c. Base DN: DC=SNPP,DC=local
    d. Service Account: Administrator@snpp.local
    e. Password: password for the service account
    f. Test the connection
    g. Server Logon Name Attribute: sAMAccountName (this matches the LDAP settings we used for XenMobile)
  11. For XenMobile App Management Settings, enter the following:
    a. XenMobile Server FQDN: xm01.snpp.local
    b. Internal load balancing IP Address: 172.16.0.17 (just an unused IP address)
    c. Communication with XenMobile Servers: HTTPS
  12. XenMobile Server Certificate: Use existing certificate – WildcardCert.cer_CERT_KEY
  13. XenMobile Server: 172.16.0.13


NetScaler and XenDesktop

  1. In the left pane, select NetScaler Gateway – Virtual Servers.
  2. Select _XM_XenMobileGateway in the virtual servers screen.
  3. Scroll to the STA section and select it.
  4. Select Add Binding.
  5. Enter the following:
    a. Secure Ticket Authority Server: https://ddc01.snpp.local
    b. Secure Ticket Authority Server Address Type: IPv4
  6. Once entered, revisit the STA list to verify the XenMobile and XenDesktop STAs are green. If not, you must fix this before continuing.


XenMobile

In the XenMobile Console (https://XM01.SNPP.local:4443), we do the following

  1. Select the gear icon in the upper right corner.
  2. Select NetScaler Gateway.
  3. Select Add.
  4. Enter the following:
    a. Name: Gateway
    b. External URL: https://Gateway.snpp.local
    c. Logon Type: Domain only
    d. Password required: Yes
    e. Set as Default: Yes
  5. Enable authentication.
  6. Save.

StoreFront

In the StoreFront console, we do the following

  1. Navigate to Stores.
  2. Select the appropriate store at the top.
  3. In the right pane, select Configure Remote Access Settings.
  4. Select:
    a. Enable Remote Access
    b. Allow users to access only resources delivered through StoreFront (no VPN tunnel)
    c. Add
  5. Enter the following:
    a. Display Name: Gateway
    b. NetScaler Gateway URL: https://gateway.snpp.local
    c. Usage or role: Authentication and HDX routing
  6. For Secure Ticket Authority, add https://ddc01.snpp.local (this should be the same one added in the NetScaler Gateway configuration; you only need the XenApp/XenDesktop STA, not the XenMobile one).
  7. For Authentication Settings, leave the default options.
  8. Verify the remote access settings for the store.


Test

On the Android phone used earlier, do the following:

  1. While logged into Citrix Secure Hub, select the menu in the upper left.
  2. Select Preferences – Account – Delete Account (we need to reconfigure Secure Hub for our Gateway address; you can also uninstall/reinstall the app from the app store).
  3. Enter the following: gateway.snpp.local
  4. Enter the user ID and password.
  5. Select Add apps from Store.
  6. Launch a XenApp/XenDesktop resource.


With the session running, launch Director from the delivery controller. Look at the detailed information for the session to verify the Connected via address is the SNIP address (172.16.0.15) for the NetScaler.

 

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video


Microsoft Certificate Authority for XenApp, XenDesktop, XenMobile and NetScaler


My lab is very XenApp and XenDesktop focused, but I need to expand the functionality to include secure access with NetScaler Gateway and incorporate mobile device management/mobile app management (MDM/MAM) with XenMobile.

From what I understand, in order to do this, I really need to install certificates. D’oh!

Every time I have to deal with certificates I know I will run into issues. I’m not spending money on certificates for my lab. I want to use Microsoft Certification Authority. Unfortunately, most documentation I read simply states “Get a certificate from your public authority”. That is not very helpful.

And I suspect many XenApp and XenDesktop admins have similar challenges, so I decided to document the process (minus all of the mistakes).

This will be a multi-part blog focusing on the following topics:

  1. Certificates
  2. Integrate XenMobile with XenApp and XenDesktop
  3. Integrate NetScaler with XenMobile, XenApp and XenDesktop

My Environment

First, some details about my starting environment (in case you are using this to guide your buildout).

  1. I have a XenDesktop and StoreFront environment built and operational for local user access
    1. NetScaler Gateway is NOT currently used
    2. All connections are using HTTP
  2. XenMobile Server
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, without configuring any optional settings. I did not configure certificates, LDAP, or NetScaler configs.
  3. NetScaler
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, including licenses

My environment specifics are as follows:

Server Name         Roles                                                   Version   IP Addresses
DDC01.snpp.local    XenDesktop Controller                                   7.14      172.16.0.117
SF01.snpp.local     StoreFront Server                                       3.8       172.16.0.119
XM01.snpp.local     XenMobile Server                                        10.4      172.16.0.13
NG01.snpp.local     NetScaler Gateway                                       12        MIP: 172.16.0.14, SNIP: 172.16.0.15, Gateway: 172.16.0.16
DC1.snpp.local      Domain Controller, Certification Authority, DNS, DHCP   2016      172.16.0.10

My DNS:

Add the following addresses to DNS based on the defined IP addresses

  1. XM01.snpp.local
  2. Gateway.snpp.local
  3. StoreFront.snpp.local is an alias for SF01.snpp.local. StoreFront.snpp.local is the base URL for the StoreFront store

My Certificates:

Certificates are often the most confusing part of the configuration, especially when you are trying to use your own Certificate Authority (CA), like I am with Microsoft Certification Authority in Windows Server 2016. In order to successfully create a deployment, we need the following certificates

  1. Wildcard certificate (*.SNPP.local)
  2. Root certificate for my CA

Note: You can opt to use FQDN server certs instead of the wildcard, but you will need one for each server. The process is the same.

Create Certificate

  1. Launch Internet Information Services (IIS) Manager from the StoreFront server.
  2. Within IIS Manager, select the server in the left pane. Then double-click Server Certificates in the middle pane.
  3. Select Create Domain Certificate from the right pane.
  4. Fill in the appropriate information with the common name being the wildcard cert name, in my example *.snpp.local.
  5. Hit Select to select the CA. Enter a friendly name. Select Finish.
  6. The wildcard certificate should now appear in the window.

Export Certificates

The certificate is installed on the local StoreFront server. We need to export the certificate and private key so we can install it on our other servers.

  1. Launch MMC.
  2. Select File – Add/Remove Snap-in.
  3. Double-click Certificates.
  4. Select Computer Account.
  5. Finish the add/remove dialogs.
  6. Navigate to Personal – Certificates. The wildcard certificate should be visible. Right-click the cert and select Export.
  7. Do NOT export the private key.
  8. Select Base-64 encoded X.509.
  9. Give the certificate file a name like WildcardCert.cer and save.

We need to export the certificate AGAIN:

  1. Right-click the wildcard cert and select Export.
  2. This time, include the private key.
  3. Select the following:
    a. Personal Information Exchange PKCS #12
    b. Include all certificates in the certification path if possible
    c. Export all extended properties
  4. Add a password to the key file.
  5. Save the file with a name like WildcardCertKey.

We need one more certificate, the Root Certificate so all of our devices will trust the certificates from our private CA.

  1. Open a browser and navigate to http://172.16.0.10/certsrv (this is the IP of the domain controller running the certification authority).
  2. Select Download a CA Certificate, certificate chain, or CRL.
  3. Select Base 64.
  4. Select Download CA Certificate. Give it a name like SNPPRootCA.

Install Certificates

We need to install the certs on the StoreFront server, delivery controller, XenMobile server and NetScaler. Because we created a domain certificate request on the StoreFront server, the certificate is already installed. But if you have multiple StoreFront servers, this must be done on the remaining ones.

Install Certificates on StoreFront and Delivery Controller Servers

  1. On the StoreFront server, double-click the SNPPRootCA.cer file.
  2. Select Install Certificate.
  3. Select Local Machine.
  4. Select Place all certificates in the following store, and select Trusted Root Certification Authorities.
  5. The Root CA is now installed on the host.

To install the wildcard certificate:

  1. Double-click the certificate containing the private key: WildcardCertKey.pfx
  2. Select Local Machine.
  3. The file name should be filled in automatically.
  4. Enter the certificate’s password.
  5. Place all certificates in the following store: Personal

Repeat on all remaining Windows-based delivery controllers and StoreFront servers
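The Export Certificates steps and the StoreFront/delivery controller install steps above, scripted with the Windows PKI module cmdlets. This is an added example, not code from the original post: it assumes an elevated PowerShell on Windows Server 2012 R2 or 2016, that SNPPRootCA.cer has already been downloaded into the assumed folder C:\Certs, and the lab's own file names and subject; the function names are mine.

```powershell
# Added example (not from the original post). Assumptions: elevated PowerShell,
# $certDir is a lab folder, SNPPRootCA.cer already sits in it, subject is *.snpp.local.
$ErrorActionPreference = 'Stop'
$certDir  = 'C:\Certs'                                # assumed working folder
New-Item -ItemType Directory -Path $certDir -Force | Out-Null
$cerFile  = Join-Path $certDir 'WildcardCert.cer'     # public cert, Base-64 X.509
$pfxFile  = Join-Path $certDir 'WildcardCertKey.pfx'  # cert + private key, PKCS#12
$rootFile = Join-Path $certDir 'SNPPRootCA.cer'       # lab root CA certificate

function Export-LabWildcardCert {
    # Run on the StoreFront server where the domain certificate was enrolled.
    $wild = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=*.snpp.local*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $wild) { throw 'No *.snpp.local certificate with a private key in LocalMachine\My' }

    # Export 1: certificate only. Export-Certificate writes DER, so re-encode to
    # Base-64 (PEM), the form NetScaler and XenMobile expect for WildcardCert.cer.
    $der = Join-Path $certDir 'WildcardCert.der'
    Export-Certificate -Cert $wild -FilePath $der -Type CERT | Out-Null
    certutil -encode $der $cerFile | Out-Null
    Remove-Item $der

    # Export 2: certificate with private key and full chain, password protected.
    # Read-Host keeps the password out of the script file and the command history.
    $pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
    Export-PfxCertificate -Cert $wild -FilePath $pfxFile -Password $pfxPassword `
        -ChainOption BuildChain | Out-Null
    return $wild.Thumbprint
}

function Install-LabCerts {
    # Run on each remaining delivery controller and StoreFront server.
    $pfxPassword = Read-Host -Prompt 'PFX import password' -AsSecureString
    Import-Certificate -FilePath $rootFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    $leaf = Import-PfxCertificate -FilePath $pfxFile -CertStoreLocation Cert:\LocalMachine\My `
        -Password $pfxPassword

    # Check: the installed cert must chain to OUR root, not merely to any CA the host trusts.
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootFile)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA: no published CRL/OCSP
    if (-not $chain.Build($leaf)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
        throw 'Wildcard certificate does not build a trusted chain on this host'
    }
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($anchor.Thumbprint -ne $root.Thumbprint) { throw "Chain ends at $($anchor.Subject), not SNPPRootCA" }
    Write-Host "OK: $($leaf.Subject) chains to $($anchor.Subject)"
}
```

Call Export-LabWildcardCert on the StoreFront server, copy the C:\Certs folder to each other server, then run Install-LabCerts there; the final chain check fails loudly if the root was not imported or the PFX holds the wrong certificate.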

Install Certificates on XenMobile Server

Install the root certificate

  1. From your browser, navigate to https://172.16.0.13:4443. This is the IP address of the XenMobile Server.
  2. Select the gear icon in the upper right to go into the configuration menu.
  3. Select Certificates.
  4. Select Import.
  5. Make the following selections:
    a. Import: Certificate
    b. Use as: Server
    c. Certificate Import: SNPPRootCA.cer
  6. Select Import.
  7. The Root CA should now be installed.

Install the wildcard certificate

  1. Select Import.
  2. Make the following selections:
    a. Import: keystore
    b. Keystore Type: PKCS#12
    c. Use as: SSL Listener
    d. Keystore file: WildcardCertKey.pfx
    e. Password: this is the password used when exporting the wildcard certificate’s private key
  3. Select Import.
  4. Select OK in the import warning message.
  5. Reboot the XenMobile server for the certificate to take effect.

To test the certificate, launch a browser to https://xm01.snpp.local:4443. If the certificate works, there should be no untrusted certificate warning. Make sure your endpoint has the root certificate installed in the local machine store.

If using Firefox (the browser I used), you have to add the Root CA cert directly into the browser:

  1. In Firefox, select Options.
  2. Select Advanced.
  3. Select Certificates.
  4. Select View Certificates.
  5. Under Authorities, select Import.
  6. Select the SNPPRootCA.cer file.

Install Certificates on NetScaler

First, we need to create a PEM file from the PKCS#12 file (certificate export with private key)

  1. Launch a browser to http://172.16.0.14 and log in.
  2. Navigate to Traffic Management – SSL.
  3. Select Import PKCS#12. Use the following information:
    a. Output File Name: wildcard-snpp-local.key
    b. Choose File: WildcardCertKey.pfx (this is the local certificate file we exported with the private key)
    c. Input Password: enter the password used for the export
    d. Encoding Format: 3DES
    e. PEM Passphrase: enter a password


Now, we need to upload our certificate

  1. In the Traffic Management – SSL section, select Manage Certificates / Keys / CSRs.
  2. Select Upload.
  3. Select WildcardCert.cer.
  4. Select Upload.
  5. Select SNPPRootCA.cer.
  6. Select WildcardCertKey.pfx.
  7. Select Delete. We don’t need that file anymore, as it was only used to create our key file.

We install our server certificate

  1. Navigate to Traffic Management – SSL – Certificates – Server Certificates.
  2. Select Install.
  3. Enter the following:
    a. Certificate-Key Pair Name: Wildcard-SNPP-Local
    b. Certificate File Name: WildcardCert.cer
    c. Key File Name: wildcard-snpp-local.key
    d. Password: the PEM passphrase used earlier

Finally, we install our root certificate:

  1. Navigate to Traffic Management – SSL – Certificates – CA Certificates.
  2. Select Install.
  3. Enter the following:
    a. Certificate-Key Pair Name: SNPPRootCert
    b. Certificate File Name: SNPPRootCA.cer


We are done with Certificates!!!!!!!!!


More to Availability than Live Migration


Anytime I’m in a discussion that deals with server or desktop virtualization, the topic usually heads to high availability. I usually get asked about live migration features like XenMotion. Honestly, there are many scenarios where it doesn’t make sense, but that is a discussion for later. What does matter is that your implementation continues to operate even if something has failed.

Let me give you an example of what I mean. When I design a XenDesktop environment, I typically recommend, at a minimum, two Provisioning Services servers even if the environment is capable of running with a single server. We typically refer to this as N+1. The reason is that if one server fails, the other can take over the load. I’m hoping this isn’t a new idea for you, as this is how many people deal with fault tolerance. However, how do we take this to the next level? How do we make our XenDesktop environment as bullet-proof as possible? Where do we need to focus our attention?

Another example… I’ve seen many people do N+1 on their Web Interface servers. Again, this is a good practice. But now the question is how are those servers being load balanced? Are you using intelligent monitoring that checks not only availability but also that the service is functioning appropriately?

These are just two areas that will be covered in the Synergy Session “SYN208 Guaranteeing availability and scale for XenApp and XenDesktop deployments”.

  • When is this session? October 6, 17:30
  • Where is the session? Synergy Berlin
  • Why attend? Because it will be good

Looking forward to seeing you there

Daniel – Lead Architect

SAN, VDI and SMB


One of the big questions regarding virtual desktops is storage. In fact, I’ve discussed this numerous times (here and here and here), mostly with a focus on IOPS. This time I want to focus on the high-availability aspect you get with shared storage, specifically for the SMB/SME space (small to medium business/enterprise). If you want to do live migration, you must have shared storage. So, let me get straight to the point… You don’t need it. You don’t need XenMotion, vMotion or live migration in an SMB hosted VM-based desktop model. Look at the XenDesktop architecture and let’s focus on the component level.

  1. Virtual desktops: Desktops are not servers. They aren’t as critical and shouldn’t reflect a higher cost. If the physical server fails, users simply make a new desktop connection.
  2. XenDesktop controller: Always, always, always implement redundant controllers. XenDesktop is smart enough to use a second controller if the primary fails. It is also worthwhile to put intelligent load balancing in front to catch other types of issues that don’t result in complete failure.
  3. Web Interface: Again, use redundant servers, but you need to provide intelligent load balancing so if one fails or goes off into La La Land, you won’t be directed to a bad server.
  4. NetScaler VPX: This is providing our intelligent load balancing mentioned for XenDesktop controllers and Web Interface. Again, implement redundant VPXs. If you configure these in HA mode, a failure in one means the other one takes over automatically.
  5. Data Store: You can function without the data store, but you can’t make changes. Why not simply create snapshots and revert if needed. Or backup the database and restore if needed. You can even automate this if you want.
  6. License Server: You can function without a license server for 30 days (grace period). If the server is blown up, just rebuild the server and download your licenses (I’d also suggest you figure out why your server is blowing up).
  7. Provisioning Services: If one server fails, the other one takes over the streams automatically. The target desktops might experience a delay during the failover, but they won’t lose anything.

So I ask you, why spend money on SAN storage for virtual desktops in the SMB world if it is just going to cost you more money? Keep it simple

Danger, Danger My Server Crashed


We all know the impact a server failure can have on a group of users, but what if that server was a core component of a desktop virtualization solution? That’s a lot of unhappy users. Before desktop virtualization, nobody gave a second thought about desktop availability. If a desktop failed, it only impacted a single user and chances are you wouldn’t hear much. However, if a certain server fails in a desktop virtualization environment, that one server could impact 50, 100 or 1,000 users. I can guarantee one thing, you will hear from that many users.