In some cases you want users to have the option to choose between a regular VPN connection when connecting to your solution or just accessing their applications and desktops using Receiver. Of course you can create multiple session policies for users or based on something else, but there is also another option which displays the different choices in the web GUI.
If you have a Netscaler Gateway vServer set up with a session policy we can make a change here: open the session policy, go into “Request Policy” and choose Modify –>
Under Client Experience choose Advanced –>
Here you have a setting called “Client Choices”.
When users now login they will be presented with this screen
Which allows them to choose between Network Access, XenApp or Clientless Access.
If I disallowed Clientless Access here it would not appear on the menu.
I’ll come back in detail later on how to set up Access Gateway for users with the plugin or Java client.
And there are three options regarding clientless access.
- On. Enables clientless access. If client choices are disabled and the Web Interface is not configured or disabled, users log on using clientless access.
- Allow. Clientless access is not enabled by default. If client choices are disabled, and the Web Interface is not configured or disabled, users log on using the Access Gateway Plug-in. If endpoint analysis fails when users log on, users receive the choices page with clientless access available.
- Off. Clientless access is turned off. When this setting is selected, users cannot log on using clientless access and the icon for clientless access does not appear on the choices page.
This is another one of Citrix’s hidden gems, Netscaler Insight. This product has been available from Citrix for some time now, but with the latest update it became a lot more useful. Insight is a virtual appliance from Citrix which gathers AppFlow data and statistics from Netscaler to show performance data, kind of like the old EdgeSight. (NOTE: In order to use this functionality against Netscaler it requires at least Netscaler Enterprise or Platinum.)
Insight has two specific functions, called Web Insight and HDX insight.
Web Insight shows information related to web traffic, for instance how many users, what IP addresses, what kind of content etc.
HDX Insight is related to the Access Gateway functionality of Citrix and shows for instance how many users have accessed the solution, what kind of applications they have used, what kind of latency the clients had to the Netscaler etc.
You can download this VPX from mycitrix under Netscaler downloads. Important to note: as of now it is only supported on VMware and XenServer (they haven’t mentioned any support coming for Hyper-V, but I’m guessing it’s coming).
The setup is pretty simple; like a regular Netscaler we need to define an IP address and subnet mask. (Note that the VPX does not require a license since it will only gather data from Netscaler appliances that have a platform license, and it does not work on regular Netscaler Gateways.)
After we have set up the Insight VPX we can access it via the web GUI; the username and password here are the same as on Netscaler, nsroot / nsroot.
After this is set up we need to enable the Insight features. We can start by setting up HDX Insight; here we need to define an expression that allows all Gateway traffic to be gathered.
Here we just need to enable VPN equals true. We can also add multiple Netscalers here; if you have a cluster or HA setup we need to add both nodes.
After we have added the node, just choose Configure on the node, choose VPN from the list and choose the expression true.
Now for Web Insight we need to define an expression. For instance I can use a hostname expression and define a website that I have using DNS. This will start gathering AppFlow data when clients are accessing websites having the hostname “web” in it.
After a while we can see that info is starting to appear in Insight, and we can “drill” down in the data to show different metrics.
I can go into a user and show his sessions,
and I can show what kind of applications the user has been running.
For Web Insight we can see what kind of URLs are accessed,
and I can see what clients have accessed the URL.
Now that is the first part; Insight will not just sit there and gather data. The next part is to integrate this with Director to allow helpdesk users to use this data together with the EdgeSight feature which is now a part of XenDesktop 7.
To integrate this we need to install Director on a server, then run the command C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler
After this is done do an IIS reset and log into Director again.
We can now go into the Network pane and see the data that is collected.
Note: There are some requirements that need to be in place in order for it to function properly.
- NetScaler HDX Insight must be v10.1 or above.
- XenDesktop VDA version 7.0 and above are supported by HDX Insight and NetScaler.
- Storefront from the XenDesktop 7.0 installer or above versions can be used to launch the user sessions.
- Receiver for Mac v11.8 and Windows Receiver 14.0 (4.0) and above are required for accurate ICA RTT metrics.
Citrix yesterday released a tech preview of their Service Template for XenDesktop 7.1 for System Center Virtual Machine Manager.
This template allows rapid and easy deployment of an entire XenDesktop 7 infrastructure, including setup of Director, License Server, Desktop Delivery Controller and StoreFront.
It does not by default include Netscaler as part of that template, but that is something we can add to the “mix” later.
The tech preview of the template can be downloaded from mycitrix here –> https://www.citrix.com/downloads/xendesktop/betas-and-tech-previews/system-center-service-template-tech-preview.html (this requires a valid mycitrix account). It has a template for XenDesktop and one for PVS.
I’ll continue with the XenDesktop template and show how it is deployed.
The template contains a bunch of PowerShell scripts, the XenDesktop 7.1 ISO file and the template file itself. In order to fully set up the template it needs the VMM ISO file and a generalized 2012 VHD file.
After we have downloaded the template file, open VMM –>
Then go into Library and Import Template –>
Then point to the extracted XenDesktop folder.
Then choose Next; now we need to point the template to the different ISO files and the generalized 2012 template.
After that is done and the mappings are correct we can continue with the import.
This will take some time since it needs to import the XenDesktop ISO to the library. When we now go into Service Templates we can see XenDesktop listed as an option there. If we right-click and choose “Open Designer” we can see what the layout will look like.
Now if we wanted to we could use the Netscaler integration as well to deploy multiple DDCs and StoreFronts and automatically set up load balancing of these services as part of the deployment. Let’s see how that can be done using the Service Template. (Note that this integration is still not supported in 2012 R2) (UPDATED: IT WORKS), but for the purpose of demonstrating how it CAN be done I’ll show it anyway. So after we have installed the add-on and created a VIP template for DDC and one for StoreFront we can open the designer again.
Next we can connect the VIP profiles to the different components, one VIP template for DDC and one for StoreFront, which have different load balancing mechanisms set up.
Now if I were to configure a deployment of this, I can configure the number of each server I want in order to ensure scalability and redundancy.
When I start the deploy wizard I get a question to define what my management network is.
Here I can define what the backend of the Netscaler is and what the VIP address of the load balancing solution is going to be.
But since the integration between Netscaler and VMM is not functioning in R2 I’ll need to get back to that in a later post (UPDATE: IT WORKS). But if I go into one of the servers I can see the application scripts that are run in order to set up a functional site.
If I for instance have ComTrade installed on Operations Manager in order to monitor my Citrix environment, I can add this as an Application Configuration in the last step to have a complete XenDesktop 7 setup with a load balanced Netscaler solution and complete monitoring using Operations Manager.
This is the power of Citrix and Microsoft!
So the purpose of this post is to collect different tips and tricks for Netscaler, and it is going to be updated from time to time. It’s what I call a dynamic post.
Now there are tons of different areas to explore here, but I’m going to start easy.
1: Password reset Netscaler MPX / VPX
Now from time to time you might come across this: you have a customer which has a Netscaler setup and they have forgotten the password for the device. What do you do?
If you have an MPX you need to connect to the device using a serial cable and use for instance PuTTY to connect to the serial port. If you have a VPX you just need to open the console. Now when the device boots you need to press CTRL + C; on the VPX it is simple, the boot menu appears.
Then you just press 4 and go into single user mode. On the MPX we have to press CTRL + C as well when the following appears in the console:
Press [Ctrl-C] for command prompt, or any other key to boot immediately.
Booting [kernel] in 2 seconds…
Now to start the MPX in single-user mode you have to type either boot -s, or reboot -- -s to restart in single user mode. When you are in single user mode the console will look like this.
Next we have to mount the flash device, since this is where the config file resides. On different devices this flash device has different names: http://support.citrix.com/article/CTX121853
For VPX this device is called /dev/ad0s1a
So first we have to check disk consistency before we can mount the device.
fsck /dev/ad0s1a (This checks disk consistency)
mount /dev/ad0s1a /flash (This mounts the drive under the folder /flash)
df -l (Lists the devices and where they are mounted)
Next we use a grep command to create a new config file without the line which contains the password string.
grep -v "set system user nsroot" ns.conf > new.conf
Next we need to rename the current config to another name:
mv ns.conf old.ns.conf
mv new.conf ns.conf
After this is done we have a new config file without the password for nsroot and we can reboot.
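The grep/mv steps above, as an added example that is not from the original post: a small shell function that does the same filtering but keeps a backup, refuses to swap in an empty file, and lets you confirm the nsroot line is really gone before rebooting. The sample config, its path and the placeholder hash are constructed for the demo; on a real appliance the file lives under the mounted flash (assumed /flash/nsconfig/ns.conf). Since the whole procedure only needs console access, console and hypervisor access deserve the same protection as the nsroot credentials themselves.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates the config-file
# filtering step of the password reset with a backup and a sanity check.

# Remove the "set system user nsroot" line from a config file, keeping a .bak copy.
# Returns 1 if the file is missing or the filtered result would be empty.
strip_nsroot_password() {
    conf="$1"
    [ -f "$conf" ] || return 1
    cp "$conf" "$conf.bak"
    # grep -v keeps every line that does NOT match the nsroot password line
    grep -v 'set system user nsroot' "$conf.bak" > "$conf.new" || true
    # never replace the running config with an empty file
    [ -s "$conf.new" ] || { rm -f "$conf.new"; return 1; }
    mv "$conf.new" "$conf"
}

# Count the nsroot password lines left in a config file (0 means the reset will take).
nsroot_lines() {
    grep -c 'set system user nsroot' "$1" || true
}

# Constructed sample ns.conf for the demo; PLACEHOLDER_HASH is not a real hash
# and the path is a temp file, not the appliance's /flash/nsconfig/ns.conf.
demo_conf="${TMPDIR:-/tmp}/ns_demo.conf"
cat > "$demo_conf" <<'EOF'
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
set system user nsroot PLACEHOLDER_HASH -encrypted
add ns ip 10.0.0.11 255.255.255.0 -type SNIP
EOF

strip_nsroot_password "$demo_conf" && \
    echo "nsroot lines left in $demo_conf: $(nsroot_lines "$demo_conf")"
```

On the appliance you would point strip_nsroot_password at the mounted ns.conf instead of the demo file; the .bak copy plays the role of old.ns.conf in the steps above, and the nsroot_lines check replaces eyeballing the file before rebooting.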
2: Use of profiles
A feature that I don’t see so commonly used, and I think that is because it is not an obviously known feature, so let’s change that. When setting up virtual servers you have the option to define a network profile attached to the service.
For instance the Netscaler has many built-in TCP profiles which can help improve the performance of a service either over LAN or WAN. These profiles tune different settings on the TCP stack, and a description of each TCP profile can be found here –> http://support.citrix.com/proddocs/topic/ns-system-10-map/ns-ac-confg-tcp-profl-tsk.html
For instance on virtual servers you have a Profiles pane where we can define which profile to use.
If for instance you are using this only in a LAN you should use the nstcp_lan_profile. By changing this you will notice the performance increase.
3: Change GUI on Gateway portal
Now in many cases you want to customize the GUI of the default Netscaler Gateway vServer.
This is possible, but not as easy as with StoreFront…
First we need to make some changes within the Netscaler Gateway GUI.
Change the theme setting to Green Bubble under the global settings on an Access Gateway vServer (if you want to use it as a template).
Then we can make customizations. We can do this by opening for instance an FTP connection to the Netscaler (with for instance WinSCP). The GUI is located under /netscaler/ns_gui
Changes which are done here can be viewed in real time.
For instance if we wish to change the background image we can add a new image to the folder /var/netscaler/gui/vpn/media, adding a new image with the name bg_bubbles.jpg to replace the old background. (Now I’ve changed it with a picture from the family album.)
If we wish to change the text that appears in the portal we can change this under /vpn/resources/en.xml (this file contains most of the text that appears in the portal).
So after a few changes here we can get this.
Now if we want to save this custom theme, we first need to create a folder called ns_gui_custom under the /var/ folder.
This can be done in the shell by writing: mkdir /var/ns_gui_custom
Next change directory to /netscaler by typing: cd /netscaler
Now we archive the ns_gui folder: tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/* This is because when the Netscaler boots it extracts the tar file to the ns_gui folder.
After this is done we need to change the vServer global settings to the Custom theme and reboot to make sure it applies properly.
4: Trouble with VIP in a DMZ site
So you have a two-armed Netscaler solution where you have a SNIP and NSIP in the LAN network which talk to your backend servers, AD, DNS and such, and then you set up a VIP in the DMZ zone where you host your Access Gateway vServer. You reckon it should work.
But you are unable to ping the VIP address and you are unable to open the vServer over HTTPS.
You can see that the default gateway is going through the LAN interface, and when you want to change the gateway you get this error.
The solution: you need to have a SNIP address in the DMZ zone alongside the VIP address, because a VIP address is not a “fully” featured network IP unless it has a SNIP on the same network.
So something happened with the latest Netscaler GUI after the last Java updates. When we tried to open any config changes in the GUI the Java applet just wouldn’t load.
Then I discovered that something had changed in the Java version, since it contains new parameters. In order to allow the Netscaler to load the applet from the browser we have to make some changes to the Java applet settings in the Control Panel.
So we have to uncheck “Keep temporary files on my computer”, then restart the browser and voilà!
So a lot is happening on the Netscaler front from Citrix these days!
Citrix just released a new build version for all of their platforms.
The latest build is 120.13
Which can be downloaded from here –> http://bit.ly/1eMoKFP (requires mycitrix)
This includes some new features in the wizard for XenDesktop and the setup wizard, and a lot of bug fixes.
Citrix also released a new version of Insight Center (still not for Hyper-V), and this comes in version 120.13 as well (so it looks like Citrix is releasing Insight at the same time as a new build for Netscaler is released).
But Citrix hasn’t released the release notes for 120.13 yet, so it is hard to know what is new.
There are some of the new features on the download page:
With this release we extend the Insight visibility offering from Web traffic (Web Insight) to HDX traffic (HDX Insight) analytics.
It will now collect ICA AppFlow records generated by NetScaler ADC appliances and populate analytical graphs over Layer 3 to Layer 7 statistics. HDX Insight will provide in-depth analysis over real time and historical data across the last 5 min (real time) and the last one hour, one day, one week and one month as historic data.
You can download it here –> http://bit.ly/1aIumfa
Citrix also released a new management pack for Netscaler 10.1 which also supports 2012 SP1. They haven’t released new documentation for it, but it still offers a lot of new options. You can download it here –>
Anyway, interesting times ahead! Still waiting for Insight Center to be released for Hyper-V!
Something I’ve been wanting to write for a long time, since I always get questions regarding licensing on either Access Gateway / Netscaler Gateway or Netscaler, so I thought I would write a post so others stumbling in the dark might benefit from it as well.
Netscaler Platform licenses (depending on what Netscaler you have) give you features inside the Netscaler appliance (for instance Standard, Enterprise or Platinum).
The physical appliance (MPX or SDX) and the VPX (virtual) Netscaler are licensed per MAC address, which can be obtained from the CLI by running the command lmutil lmhostid -ether
(So for the sake of it, when you buy a platform license for Netscaler which is Standard or higher, you will get a Netscaler Gateway Platform license as well.)
root@ns1# lmutil lmhostid -ether
lmutil - Copyright (c) 1989-2006 Macrovision Europe Ltd. and/or Macrovision
Corporation. All Rights Reserved.
The FLEXlm host ID of this machine is "00d068107316"
This info has to be entered on the mycitrix.com license site and the license allocated to it.
If you get any error messages these can be viewed in the /var/log/license.log file.
Access Gateway Platform licenses on the other hand are licensed on the hostname of the appliance. You must upload this license to increase the Independent Computing Architecture (ICA) connections up to 10000.
root@ns# grep hostname /nsconfig/rc.conf
The Netscaler Gateway platform license also uses the hostname to generate a license file.
The same goes for Universal licenses for both Netscaler and Access Gateway editions.
Important note though: Citrix Receiver DOES NOT USE a Universal license (it only needs the platform license). The Universal license is only needed for SmartAccess, endpoint scans etc.
Another important note is that with version 10.1 it will say 0 ICA users; this is because with version 10.1 ICA connections are unlimited: http://support.citrix.com/article/CTX138561
You can view this by using show license
Now for older solutions like CAG 5.0 (you can either use a license server or a license on the same host): http://support.citrix.com/article/CTX128869 for Standard edition
If you wish to install the license on a CAG 5.0 appliance you need the MAC address of the appliance; if you wish to install it on a license server you need to specify the host name of the licensing server.
Access Gateway VPX Express gives you rights for 5 concurrent users on a 12-month plan.
This is going to be a long one.
Always wanted to document this myself but never had the time, so I figured why not kill two birds with one stone and blog it as well, since many are probably wondering about the same thing.
This is a typical deployment for many, right? You have your internal XA/XD which are tied to a StoreFront web server, and for remote access you have Netscaler Gateway/AG.
And depending on the setup you might have a Netscaler in the DMZ behind a NAT firewall, or directly connected to the internet from the DMZ, or you might have a double-hop network where you have multiple DMZ zones and firewalls.
So how to tie them together?
First I suggest you read my previous post regarding XenDesktop 7 with StoreFront and AppController deployment.
Let’s head over to our Netscaler deployment. We can start by checking our network connection.
We have different types of network addresses within the NS: we have the VIP (Virtual IP) which is typically tied to a load balanced service, we have the SNIP (Subnet IP) which is used to initiate connections to the back-end servers (XenDesktop servers, StoreFront etc.), and you have the NSIP (Netscaler IP, which is used for management).
So for a user the connection will look like this:
User –> VIP –> SNIP –> XenDesktop (Servers)
Next we can add authentication.
Go into Netscaler Gateway –> Policies –> Authentication –> LDAP –> Add
For the named expression I choose General and True and choose Add.
(What does this do? It specifies that IF the traffic is going through the NS appliance then this policy should be applied.)
Then give it a name, choose New Server and enter the information for the AD server. After you have entered the info press “Retrieve Attributes”.
Remember that this command uses the IP address of the server you are using the browser on.
If you are having trouble with authentication, fire up a console to the Netscaler appliance, type shell, then cd /tmp, then type the command cat aaad.debug
This will display real-time information regarding the authentication attempts.
After that is done, add a DNS server.
Now let’s add a certificate. (For this purpose I have an Enterprise Root CA on Windows Server 2012 which I used to create a web server certificate that contained the host name of the Access Gateway, nsgw.msandbu.local in my case, and I chose to export it as a PFX file including the private key (you will need the private key!!). In production you should use a third party CA to issue a certificate to you.)
You can upload the PFX file under Traffic Management –> SSL –> Manage Certificates –> then you can upload the PFX.
After this is done, open the Netscaler console and extract the certificate and the key from the PFX.
This can be done by running openssl from the Netscaler console:
openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem (Extract the key)
openssl pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem (Extract the certificate)
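The two extraction commands above, as an added example that is not from the original post: a script that runs them against a PFX and then checks, before anything is uploaded to the gateway, that the extracted certificate and private key actually belong together and that the certificate is issued for the gateway hostname. The hostname, the self-signed certificate and the PFX passphrase are constructed for the demo (a stand-in for the CA-issued PFX from the post); supplying the passphrase with -passin/-passout is an assumption about how the PFX was exported.

```shell
#!/bin/sh
# Added example (not from the original post). Round-trips a PFX through the
# openssl pkcs12 extraction commands and verifies the resulting cert/key pair.
set -e
WORK="${TMPDIR:-/tmp}/pfx_demo"
mkdir -p "$WORK"
HOST="nsgw.example.local"          # assumed hostname, not the one from the post
PFX="$WORK/publicAndprivate.pfx"

# Build a throwaway self-signed certificate and key and bundle them as a PFX
# (constructed stand-in for the CA-issued PFX you would export on Windows).
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
        -keyout "$WORK/demo.key" -out "$WORK/demo.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/demo.crt" -inkey "$WORK/demo.key" \
        -out "$PFX" -passout pass:demo
}

# The two extraction steps from the post, run non-interactively.
extract_pfx() {
    openssl pkcs12 -in "$PFX" -nocerts -nodes -out "$WORK/privateKey.pem" -passin pass:demo
    openssl pkcs12 -in "$PFX" -clcerts -nokeys -out "$WORK/publicCert.pem" -passin pass:demo
}

# True when the public key embedded in the certificate equals the one derived
# from the private key, i.e. the two files really form a pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/publicCert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORK/privateKey.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate subject names the gateway host users will type in.
cert_has_hostname() {
    openssl x509 -in "$WORK/publicCert.pem" -noout -subject | grep -q "CN *= *$HOST"
}

make_demo_pfx
extract_pfx
if key_matches_cert && cert_has_hostname; then
    echo "certificate and key match and are issued for $HOST"
else
    echo "mismatch: do not upload this pair to the gateway" >&2
fi
```

The pair check is the one worth keeping: the vServer goes down silently when the bound certificate and key do not match, and comparing the public keys catches that before the upload rather than after users report the portal is unreachable.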
Next we create a virtual server under Netscaler Gateway and associate it with an IP address.
Since we just want ICA proxy and no VPN (SmartAccess solution) we can choose Basic Mode.
Under Protocol choose SSL (after this is done the service will go down unless you have a valid certificate installed).
Go into the Authentication tab (mark Enable Authentication)
and under Primary Authentication Policies choose Insert Policy. (By default the one we created earlier will appear.)
Now if you wish to have two-factor authentication you can add another primary authentication policy.
After this is done head over to Policies. We need to add a Session Policy; here as well we use ns_true as the expression. Give it a name and press Create New Request Profile.
Here we enter the information about the backend StoreFront servers. (NOTE: I already have one stored there because I created it earlier.)
Now there are a couple of options here we need to define.
First under Published Applications:
1: We have to define ICA Proxy; this will tunnel ICA traffic via port 443 back to the user.
2: Web Interface address, this has to be the StoreFront web address.
3: Single sign-on domain should be your local AD domain. (Don’t enter anything here in case you have multiple domains.)
Next is under Client Experience –>
Define Single Sign-on to Web Applications using Primary Credentials; this allows the Netscaler Gateway to authenticate to the StoreFront site.
We have to define that the NS should use SSO to the StoreFront web address using the primary authentication mechanism, which is AD in my case.
Last but not least, Security, so we can allow users to actually enter.
You should also enable a TCP profile for this virtual server set to nstcp_default_xa_xd_profile (this profile works best for internal usage and high bandwidth networks).
Then we also have to add the STA (the XD controllers in my case). Go back to Published Applications.
Click Add and enter the URL of the XD controller. After you save and refresh the page it will show up like mine did now.
Remember to save the config!
After that is done we head over to StoreFront.
Now there are a couple of things we need to fix there. First we need to add an authentication option from Netscaler.
This will allow StoreFront to authenticate users coming from Netscaler (to pass the credentials forward).
Next we have to go to Stores –> Enable Remote Access –> Choose Add Netscaler appliance –>
Here enter the info regarding your Netscaler.
The SNIP here is the one that you entered earlier on the Netscaler; StoreFront uses this to validate that any incoming connections come from a trusted host.
The Callback URL is the internal IP address of the Netscaler.
Then you set it up as No VPN Tunnel and choose the Gateway appliance to use.
You also have to add the STAs here as well.
And last but not least, Beacons.
Beacons are used to identify if the end user comes from an internal or external connection.
For instance you can set an external beacon to a publicly accessible website and the internal one to a website that is ONLY available for internal users.
This is what decides if the ICA file the end user receives is going to be used via ICA proxy or as a plain ICA connection straight to the server.
In this case, since it’s a demo environment, all are on the same network. But I could remove the nsgw as an external beacon and just have www.citrix.com and another external site.
Now since the AppController is connected to the StoreFront service we don’t need to do anything else in order to view apps deployed from AppController.
NOTE: There are a couple of things you need if you are going to deploy for instance Worx apps from AppController and use the mVPN solution on iOS and Android.
You will need to enable a couple of things here:
* Clientless Access URL Encoding = Clear
You also need to enable Secure Browsing
After this is done, we can open up our virtual IP URL.
In my case it is https://nsgw.msandbu.local
Log in with my username and password and start a desktop connection. (For the purpose of this demonstration I have also added a web link from AppController that points to yammer.com.)
A customer recently asked me: can I configure load balancing for my Application Catalog service on Configuration Manager? Since it runs on Silverlight I’m unsure how it will work…
Sure you can!
The Application Catalog in Configuration Manager consists of two components, the Application Catalog web service point and the website point.
Now when you install these you have the option to configure what ports they should run on. In my case I chose port 80 (since I want my load balancer to handle the SSL traffic).
First I make sure that the catalog is working.
Open a web browser to http://applicationcatalogserver/CMApplicationCatalog
From here I have to enter my username and password (since I’m using Chrome).
The Application Catalog server is the one that has the Silverlight XAP module that runs on the web server; the Silverlight module in turn contacts the web service point in order to generate the list of software the user has access to.
The Silverlight module is located in “ClientBin”.
The Content folder contains images, CSS files and JS and can be targeted for caching (if you have that option on your load balancer).
Now in my case I have a Netscaler VPX that I’m going to use.
So a quick run-through:
1: Add servers (which have the Application Catalog role installed)
2: Add the service you want to set up (and add a monitor, HTTP in this case)
3: Create a virtual server, choose SSL and add a certificate (note: if you choose SSL and don’t add a certificate the service will go down)
4: Add persistence (in my case I chose client IP) and choose the LB method
After this is done check the virtual server and open the same URL with https:
And it worked.
One last thing is to change the default URL in the Client Agent settings.
Here you have to specify a URL and enter the whole path for the Application Catalog.
After that is done you have to update the policy on a client and check for yourself.
You can open Software Center to see that the policy is active.
NOTE: It is important that the value for the HTTP URL is
https://servername:port/CMApplicationCatalog/ or else the URL won’t redirect.
Or you can do a redirect at the load balancer.
I recently took the A28 exam from Citrix and wish to share my tips and my experience with this exam.
Compared with the 9.2 exam this was A LOT more difficult. I have to say that Citrix has really created a challenging exam which focused a lot on most of the different functions within Netscaler.
There weren’t so many CLI commands (which I felt the 9.2 exam was about) but more about how to think, “when do I use this function over that function”.
For my part I have worked with the product for some time now and I have taken a training course on the older version. The best part is the study guide that Citrix offers on their web site.
Which can be found here –> training.citrix.com/mod/ctxcatalog/course.php?id=511
The study guide shows what areas you will be tested on, and on what areas you need to know “HOW”, which is the most typical case for CLI commands,
and “WHEN”, which is mostly when to use one function or another.
But you should remember most of the CLI commands associated with each of the focus areas in the study guide.
So my top tips!
* Troubleshooting commands
* SSL (ciphers, converting, importing, binding)
* Load balancing (monitoring, persistency)
* VLANs, IP config and interface configuration
* Link load balancing
* Use the study guide! and eDocs!
Here are the other points from the study guide; how to configure the different parts can be found on eDocs:
* Forcing the Primary Node to Stay Primary
* Forcing the Secondary Node to Stay
* Configuring High Availability Nodes in
* Configuring the Communication Intervals
* Configuring Fail-Safe Mode
* Configuring Users and Groups
* Creating or Modifying a VLAN
* Configuring VLANs on a Single Subnet
* Configuring Multiple Untagged VLANS across Multiple Subnets
* Synchronizing Configuration Files in a High Availability Setup
* Monitoring the Extended ACL
* Renumbering the priority of Extended
* Choosing and Configuring Persistence
* Viewing Persistence Sessions
* Configuring Persistence Groups
* Configuring Load Balancing in Direct Server Return Mode
* Configuring a Backup Load Balancing
* Redirecting Client Requests to an Alternate
* Configuring Access Gateway Settings with the Remote Access Wizard
* Converting the Format of SSL Certificates for Import or Export
* Specifying a TCP Buffer Size
* Configuring TCP Window Scaling
* Configuring TCP Profiles
* How the Integrated Cache Works
* Improving Cache Performance
* Monitoring TCP-based Applications
* Configuring Call Home
* Generating the Tar Archive of Configuration Data of NetScaler Devices