Tuesday, October 23, 2012

Configuring for ICA Proxy with Citrix NetScaler VPX (1000) 10 and XenApp 6.5

This post will serve as more of an update to one of my previous posts for the Citrix NetScaler 9.3:

Configuring Citrix NetScaler VPX (1000) 9.3 for publishing Web Interface server access by authenticating against Active Directory
http://terenceluk.blogspot.com/2012/02/configuring-citrix-netscaler-vpx-1000.html

… to demonstrate a similar configuration on a NetScaler VPX (1000) 10.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

The environment for this example consists of a NetScaler VPX appliance with 2 network interfaces: one interface sits in the DMZ (172.16.x.x) network and the other leg sits in the internal server network (192.168.x.x). A CheckPoint firewall is configured to allow port 443 traffic to be directed to the NetScaler’s 172.16.x.x IP via a public IP. The XML brokers are the XenApp servers, and the port they listen on is port 8080. Finally, the NetScaler has a certificate issued by a public Certificate Authority and is a virtual machine on an ESXi 5.0 host with dvSwitches configured.

Start by configuring your NetScaler’s MIP, SNIP and VIP IPs:


As important as the NetScaler IP, Mapped IP and Subnet IP are, I would like to note that I’ve configured 2 Virtual IPs. The one sitting out on the DMZ leg will be used to respond to traffic coming in from the internet, while the second one sitting on the internal LAN will be used to respond to the callback from the Web Interface server during authentication.

Proceed with navigating to Access Gateway –> Virtual Servers:


Right click on the right hand pane and select Add, then in the Create Access Gateway Virtual Server window’s Certificates tab, select the public certificate you’ve installed and click on the Add button:


Next, give this virtual server a name and enter the DMZ IP address:


Proceed with clicking on the Authentication tab:


Click on the Insert Policy button at the bottom to create a new policy, then click on the small drop down box under Policy Name and click on New Policy:


The Create Authentication Policy window is where you select the Authentication Type (e.g. LDAP, RADIUS) and set up Expressions (e.g. is TrendMicro installed?), which act as rules that are checked against the client that tries to authenticate against the NetScaler:


Enter a name for the policy, select LDAP as the Authentication Type and click on the New button:


The Create Authentication Server window is where you specify the settings for your LDAP server which will be your Active Directory domain controller:


The following is an example of what you might enter into the settings:


Once you’ve finished entering the information for your LDAP server and closed the window, you’ll be brought back to the Create Authentication Policy window. Proceed with adding an Expression by clicking on the drop down menu beside the Add Expression button:


For the purpose of this example we’re not going to add any special expressions, so we’ll add the True expression, which simply matches any client:


Once you’ve added in the expression, proceed with clicking the Create button and Close:


Once you’ve exited the previous window, you’ll be brought back to the Create Authentication Policy window with the policy you’ve just created shown in the Authentication Policies list:


Note that you should create a second entry, or multiple policies with different priorities pointing at different domain controllers, to build in some redundancy in case your configured LDAP server becomes unavailable.

With the authentication policy created, proceed with navigating to the Policies tab to create a new Access Gateway Session Policy:


The configuration options here are pretty much the same as the Authentication Policy settings, only in a different context. This is where we’ll enter the information the access gateway uses to contact the back end web interface servers:


As with the authentication policy, we won’t be putting any special expressions into this policy so we’ll use the True value again:


Once we’ve added the expression, proceed with clicking on the New button to bring up the Access Gateway Session Profile settings which will allow us to enter our web interface server settings:


The first tab we’ll be changing is the Security tab, where we’ll set the Default Authorization Action to ALLOW:


The next tab we’ll need to configure is the Published Applications tab, which is where we’ll enter our web interface servers’ information:


Note that the Web Interface Address should point to a load balanced VIP or virtual name that spreads across multiple web interface servers to provide redundancy.

Once you’ve completed the configuration of the Published Applications tab, proceed with clicking on the Create and Close button to exit out, returning to the Create Access Gateway Session Policy window:


Continue with clicking on the Create and Close button to exit back to the Access Gateway Virtual Server window:


With the access gateway virtual server set up, the next step is to click on the Published Applications tab to list the Secure Ticket Authority (STA) servers. For this example, my STAs are the XenApp servers:


Note that the STA uses port 8080:


Once you’ve completed entering the STA information, proceed with clicking on Create and then Close.

If you’ve configured everything properly, you should see your newly configured virtual server with its State shown as Up:


With the public facing Virtual Server configured, repeat the steps above to configure a second virtual server mapped to an IP on the internal network. This virtual server will be used for the callback from the Web Interface server during the authentication process. I won’t be including screenshots with instructions as they would look exactly the same as for the public facing one. Once the second virtual server is configured, your list of virtual servers should look similar to the following:


Now that we have our NetScaler set up, we should proceed with configuring an additional site on the web interface server for the NetScaler to access, so log onto your web interface server and open up the Citrix Web Interface Management console. I won’t be including instructions for this, but you can find them in my previous NetScaler 9.3 post (the URL is at the beginning of this post).
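For readers who prefer the command line, here are the GUI steps above collapsed into the equivalent NetScaler 10 CLI. This is an added example written for this post, not the author’s configuration and not Citrix documentation: the IP addresses, object names, domain, bind DN, hostnames and the Web Interface path are placeholders I made up (the post only gives the 172.16.x.x / 192.168.x.x subnets and STA port 8080), and the choice of LDAPS on port 636 is my assumption since the post does not state the LDAP port. It also adds the two pieces of redundancy the post recommends: a second LDAP policy at a lower priority, and more than one STA.

```nscli
# Added example: NetScaler 10 CLI equivalent of the GUI walkthrough in this post.
# All names, IPs, DNs, hostnames and the certKey name are placeholders (assumed).

# 1. Subnet IPs on each leg (DMZ and internal). The two VIPs are created
#    implicitly by the "add vpn vserver" commands further down.
add ns ip 172.16.1.5 255.255.255.0 -type SNIP
add ns ip 192.168.1.5 255.255.255.0 -type SNIP

# 2. One LDAP action per domain controller. LDAPS (636, -secType SSL) is assumed
#    here; the post does not say which port it used. The bind account only needs
#    read access to the directory. The password is stored encrypted in ns.conf.
add authentication ldapAction ldap_act_dc01 -serverIP 192.168.1.10 -serverPort 636 -secType SSL -ldapBase "DC=corp,DC=example" -ldapBindDn "CN=svc_ns_ldap,OU=Service Accounts,DC=corp,DC=example" -ldapBindDnPassword "<bind-account-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userPrincipalName
add authentication ldapAction ldap_act_dc02 -serverIP 192.168.1.11 -serverPort 636 -secType SSL -ldapBase "DC=corp,DC=example" -ldapBindDn "CN=svc_ns_ldap,OU=Service Accounts,DC=corp,DC=example" -ldapBindDnPassword "<bind-account-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userPrincipalName

# 3. Authentication policies. ns_true is the built-in "True" expression the post
#    selects in the GUI, i.e. the policy applies to every client.
add authentication ldapPolicy ldap_pol_dc01 ns_true ldap_act_dc01
add authentication ldapPolicy ldap_pol_dc02 ns_true ldap_act_dc02

# 4. Session profile: Default Authorization Action ALLOW (Security tab), ICA proxy
#    on, and the Web Interface address (Published Applications tab). -wihome should
#    be a load-balanced name for the WI farm, as the post recommends.
add vpn sessionAction ag_sess_act_ica -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://wi.corp.example/Citrix/XenAppNetScaler" -ntDomain CORP -clientlessVpnMode OFF
add vpn sessionPolicy ag_sess_pol_ica ns_true ag_sess_act_ica

# 5. Public-facing Access Gateway virtual server on the DMZ VIP (port 443 is what
#    the firewall forwards). public_cert is the certKey created when the public
#    certificate was installed.
add vpn vserver ag_vs_external SSL 172.16.1.20 443
bind ssl vserver ag_vs_external -certkeyName public_cert
bind vpn vserver ag_vs_external -policy ldap_pol_dc01 -priority 100
bind vpn vserver ag_vs_external -policy ldap_pol_dc02 -priority 110
bind vpn vserver ag_vs_external -policy ag_sess_pol_ica -priority 100

# 6. STA servers: the XenApp servers on port 8080 (from the post). Bind at least
#    two so a single XenApp server outage does not break ticketing.
bind vpn vserver ag_vs_external -staServer "http://xenapp01.corp.example:8080"
bind vpn vserver ag_vs_external -staServer "http://xenapp02.corp.example:8080"

# 7. Second virtual server on the internal VIP for the Web Interface callback,
#    with the same certificate, policies and STAs.
add vpn vserver ag_vs_internal SSL 192.168.1.20 443
bind ssl vserver ag_vs_internal -certkeyName public_cert
bind vpn vserver ag_vs_internal -policy ldap_pol_dc01 -priority 100
bind vpn vserver ag_vs_internal -policy ldap_pol_dc02 -priority 110
bind vpn vserver ag_vs_internal -policy ag_sess_pol_ica -priority 100
bind vpn vserver ag_vs_internal -staServer "http://xenapp01.corp.example:8080"
bind vpn vserver ag_vs_internal -staServer "http://xenapp02.corp.example:8080"

# 8. Verify: both vservers should report State UP and each STA line should show a
#    STA ID, which confirms the NetScaler can reach port 8080 on the XenApp servers.
show vpn vserver ag_vs_external
show vpn vserver ag_vs_internal
save ns config
```

The lower priority number on ldap_pol_dc01 means it is tried first; if that domain controller is unreachable the NetScaler falls through to ldap_pol_dc02, which is the redundancy the post asks for. If `show vpn vserver` lists an STA without an ID, check the firewall path from the SNIP on the internal leg to port 8080 on that XenApp server before touching anything else.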

7 comments:

Anonymous said...

Excellent piece - very useful.

Ross McCarthy said...

Great article. I was struggling to get AG and StoreFront up in a 2-arm NetScaler. Thanks for taking the time.

Phillip Mengel said...

Sadly I completed my setup prior to finding this excellent tutorial. But I was thinking... wouldn't it be wise to load balance DNS and LDAP/AD, both with load balanced VIPs, and set up monitors on those vservers?