So this is part two of my series on securing a XenApp environment; this time I’ve moved my focus to Storefront. Now, how does Storefront need to be secured?
In most cases Storefront is the aggregator that allows clients to connect to a Citrix infrastructure. Usually Storefront is located on the internal network and the Netscaler is placed in the DMZ. Even if Storefront is on the internal network and the firewall and Netscaler do a lot of the security work, there are still things that need to be taken care of on the Storefront itself.
In many cases users also connect to Storefront directly when they are on the internal network, bypassing the Netscaler altogether. And since Storefront is a Windows Server there are a lot of things to think about.
So where to begin.
1: Set up a base URL with an HTTPS certificate. If you are using an internally signed certificate, make sure you have a properly set up root CA (which in most cases should be offline), or use a certificate from a public third-party CA. The latter is often useful because if users connect directly to Storefront their computers might not recognize the internally signed CA.
2: Remove the HTTP binding on the IIS site so plain HTTP requests are not accepted.
Use a tool like IIS Crypto to disable the older SSL protocols and the older RC ciphers (such as RC4) on the IIS server.
You can also define ICA file signing. This allows Citrix Receiver clients that support signed ICA files to verify that the ICA files they get come from a verified source. http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-configure-conf-ica.html
3: We can also prevent Citrix Receiver from caching passwords. This is done by editing authenticate.aspx under C:\inetpub\wwwroot\Citrix\Authentication\Views\ExplicitForms\
and changing the following parameter
4: Force ICA connections to go through the Netscaler using the Optimal Gateway feature of Storefront –> http://support.citrix.com/article/CTX200129. Using this option also lets you use Insight to monitor client connections to Citrix and, depending on the Netscaler version, gives you some historical data.
And by using Windows pass-through authentication you can have Kerberos authenticate users to Storefront and then have the ICA sessions go through the Netscaler –> http://support.citrix.com/article/CTX133982
5: Use SSL in communication with the delivery controllers –> http://support.citrix.com/proddocs/topic/xendesktop-7/cds-mng-cntrlr-ssl.html
6: Install Dynamic IP Restrictions on the IIS server; this stops DDoS-style request floods against Storefront coming from the same IP address.
7: Keep Windows updated and have antivirus software running (some sort of antivirus with limited access to the server). Also keep the Windows Firewall running and only open the ports necessary for communication with AD, the Delivery Controllers and the Netscaler.
8: Define audit policies to log (Credential validation, Remote Desktop connections, terminal logons and so on) https://technet.microsoft.com/en-us/library/dn319056.aspx
9: Use the Storefront Web Config GUI from Citrix to define lockout and session timeout values
10: Use a tool like Operations Manager with, for instance, the ComTrade management pack to monitor the Storefront instances, or just the IIS management pack; this gives good insight into how the IIS server is operating.
11: Make sure that full logging is enabled on the IIS site hosting Storefront.
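As an added example (not from the original post, and not Citrix's own tooling), here is a PowerShell script that applies steps 2, 6, 7, 8 and 11 above on the Storefront server itself. It assumes Windows Server 2012 / IIS 8 or later, an elevated session, that the HTTPS binding from step 1 is already in place, and that Storefront lives on IIS's "Default Web Site"; the site name, the rate-limit thresholds and the port values are assumptions you should adjust. The SCHANNEL registry changes are the same keys IIS Crypto edits behind its GUI and only take effect after a reboot.

```powershell
# Added example, not from the original post. Assumes IIS 8+ (Windows Server 2012 or later),
# an elevated PowerShell session, an existing HTTPS binding, and that Storefront is hosted on
# 'Default Web Site' (assumed site name).
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: change to your Storefront site

# Step 2: drop the HTTP binding so only the HTTPS base URL is reachable.
if (Get-WebBinding -Name $SiteName -Protocol 'http') {
    Remove-WebBinding -Name $SiteName -Protocol 'http' -Port 80
}

# Disable SSL 2.0 and SSL 3.0 (server and client side) in SCHANNEL.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        $key = "$schannel\Protocols\$proto\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Disable the RC4 ciphers. Their key names contain '/', which the registry provider would treat
# as a path separator, so use the .NET registry API directly.
$ciphersKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
foreach ($cipher in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $sub = $ciphersKey.CreateSubKey($cipher)
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}
$ciphersKey.Close()

# Step 6: Dynamic IP Restrictions (part of the "IP and Domain Restrictions" feature in IIS 8).
Install-WindowsFeature Web-IP-Security | Out-Null
$dyn = 'system.webServer/security/dynamicIpSecurity'
$cfg = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName }
Set-WebConfigurationProperty @cfg -Filter "$dyn/denyByConcurrentRequests" -Name 'enabled' -Value $true
Set-WebConfigurationProperty @cfg -Filter "$dyn/denyByConcurrentRequests" -Name 'maxConcurrentRequests' -Value 20
Set-WebConfigurationProperty @cfg -Filter "$dyn/denyByRequestRate" -Name 'enabled' -Value $true
Set-WebConfigurationProperty @cfg -Filter "$dyn/denyByRequestRate" -Name 'maxRequests' -Value 50
Set-WebConfigurationProperty @cfg -Filter "$dyn/denyByRequestRate" -Name 'requestIntervalInMilliseconds' -Value 1000
# The thresholds (20 concurrent, 50 per second) are illustrative assumptions; tune them to your load.

# Step 7: keep the Windows Firewall on, block inbound by default and allow only HTTPS to Storefront.
# Rules towards AD, the Delivery Controllers and the Netscaler are site-specific and not shown.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Storefront HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Step 8: audit credential validation and logon/logoff events (success and failure).
auditpol /set "/subcategory:Credential Validation" /success:enable /failure:enable | Out-Null
auditpol /set "/subcategory:Logon" /success:enable /failure:enable | Out-Null
auditpol /set "/subcategory:Other Logon/Logoff Events" /success:enable /failure:enable | Out-Null

# Step 11: full W3C logging on the Storefront site, including client IP, user agent and time taken.
$fields = 'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,' +
          'Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,UserAgent,Referer,ProtocolVersion,Host'
Set-ItemProperty "IIS:\Sites\$SiteName" -Name 'logFile.logFormat' -Value 'W3C'
Set-ItemProperty "IIS:\Sites\$SiteName" -Name 'logFile.logExtFileFlags' -Value $fields

Write-Host 'Storefront hardening applied; reboot for the SCHANNEL changes to take effect.'
```

Run it once per Storefront server and then verify from a client that only port 443 answers and that an SSL 3.0 handshake is refused; the audit subcategories feed the Security event log entries that the audit-policy link in step 8 describes.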
Stay tuned for more, next part is the delivery controllers and the VDA agents.
Recently I had the pleasure of working on a PCI-DSS compliant XenApp environment for a customer. After working with it for the last couple of days there is a lot of useful information that I thought I would share.
PCI-DSS compliance is needed for any merchant who accepts credit cards, for instance through an e-commerce site or some sort of application. So this includes all sorts of
* Different procedures for data shredding and logging
* Access control
* Logging and authorization
Now the current PCI-DSS standard is in version 3 –> https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
The different requirements and assessment procedures can be found in that document. Citrix has also created a document on how to set up a compliant XenApp environment https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/pci-dss-success-achieving-compliance-and-increasing-web-application-availability.pdf and you can find some more information here –> http://www.citrix.com/about/legal/security-compliance/security-standards.html
Instead of making this a pure PCI-DSS post I decided to write a more general “how to secure your XenApp environment” post: what kind of options we have and where a weakness might be.
A typical environment might look like this.
So let’s start by exploring the first part of the Citrix infrastructure, the Netscaler. In a typical environment it is located in the DMZ, where the front-end firewall does stateful packet inspection of the traffic going back and forth. The most secure way to set up the Netscaler is one-armed mode, using routing to reach backend resources, with another firewall in between doing deep packet inspection.
The first thing we need to do with the Netscaler, when setting up Netscaler Gateway for instance, is to disable SSL 3.0 and the DEFAULT cipher group (an MPX can do TLS 1.1 and TLS 1.2, but with a VPX we are limited to TLS 1.0).
It is also important to use TRUSTED third-party certificates from known vendors with a clean history. Try to avoid SHA-1 based certificates; Citrix now supports SHA256.
Set up secure (HTTPS-only) access to the management interface, since by default it uses HTTP.
This can be done using SSL profiles, which can be attached to the Netscaler Gateway.
Also set Deny SSL Renegotiation to NONSECURE so that non-secure (legacy) renegotiation is refused. We also need to define some TCP parameters: make sure that TCP SYN Cookie is enabled, which protects against SYN flood attacks, and that SYN Spoof Protection is enabled to protect against spoofed SYN packets.
Under HTTP profiles make sure that the Netscaler drops invalid HTTP requests.
Make sure that ICA proxy migration is enabled; this ensures that only one session at a time is established for a user via the Netscaler.
Double hop can also be an option if we have multiple DMZ zones or a private and an internal zone.
Specify a maximum number of login attempts and a timeout value, to make sure that your services aren’t being hammered by a dictionary attack.
Change the password for the nsuser!!!
Use an authenticated NTP source (NTP version 4 and above), which gives trustworthy timestamps when logging, and also verify that the time zones are set correctly.
Set up SNMP-based monitoring or Command Center to get monitoring information from the Netscaler, or use Syslog as well to get more detailed information. Note that you should use SNMP v3, which gives both authentication and encryption.
Use LDAPS-based authentication against the local Active Directory server, since plain LDAP is clear-text; use TLS rather than SSL, and make sure that the Netscaler verifies the server certificate of the LDAP server.
It also helps to set up two-factor authentication to provide better protection against stolen user credentials. If you are using a two-factor authentication vendor, make sure that it uses the CHAP authentication protocol instead of PAP, since CHAP is a much more secure authentication protocol than PAP.
Use NetProfiles to control traffic flow from a particular SNIP to backend resources (this allows for easier management when setting up firewall rules for access).
Enable ARP spoof validation, so we don’t get forged ARP requests in the network segment where the Netscaler is placed (the DMZ zone).
Use a DNSSEC-capable DNS server, which allows for signed and validated responses; this makes it difficult to hijack DNS or do MITM on DNS queries. Note that this requires that you add a name server with both TCP and UDP enabled. (Netscaler can function both as a DNSSEC-enabled authoritative DNS server and as a DNSSEC proxy.)
If you wish to use the Netscaler as a VPN access point towards the first DMZ zone, the first things you need to do are:
1: Update the SWOT library
Create a preauthentication policy to check for updated antivirus software
Same goes for patch updates
In general, try to use the latest firmware. Citrix releases new Netscaler firmware at least once every three months, containing bug fixes as well as security patches.
Do not activate enhanced authentication feedback; this lets attackers learn more about lockout policies, or whether a user is non-existent, locked out, disabled and so on.
Set up STA communication using HTTPS (which requires a valid certificate and that the Netscaler trusts the root CA). You also need to set up Storefront with a valid certificate from a trusted root CA. This should not be an internal PKI root CA, since third-party vendors have a much higher level of physical security.
If you for some reason cannot use SSL/TLS-based communication with backend resources, you can use MACsec, a layer 2 feature that allows for encrypted traffic between nodes on Ethernet.
Earlier today, Citrix released their updated System Center Configuration Manager connector for XenDesktop 7.5. It can be downloaded from here –> http://www.citrix.com/downloads/xendesktop/product-software/xendesktop-and-xenapp-75-connector-for-sccm.html (note that it requires a MyCitrix account in order to download it).
So what does it do? Well, a couple of things. Mostly it’s about pushing software out to regular clients and servers, including XenApp/XenDesktop servers, where the clients might get the XD/XA version of an application. You can also use it to publish applications directly to XD/XA from Configuration Manager, which makes it easy to maintain a consistent software library.
Now there are a couple of components here that are needed.
* Citrix Connector Service (This does the syncing, publishing and orchestration jobs between Configuration Manager site and the XA/XD site)
* Citrix DT handler (This component is needed on VDA servers/clients and on managed clients which you want to use the integration between) NOTE: There are different DT handlers for clients and VDA agents
So in my case I installed the Citrix Connector Service on my site server, since it is a demo environment. The installation is pretty straightforward.
Install both the service and the console extension
Enter a service account for the connector service
New in this release is the ability to define maintenance windows, in case you want automated deployment to VDA agents.
Now after the installation is finished there are a few things which should be done first.
Make sure that Configuration Manager client is installed on the VDA agents you want to use with this deployment. Now you should create an application of the DT handler and deploy out to all VDA agents.
- Using the following installation parameters: msiexec /i CitrixDTHandler_x64.msi /q
- Also, all applications you want to publish should be pre-created and added to Configuration Manager.
In my case I have installed the DT handler on 1 VDA server and created 7-zip as an application in Configuration Manager. When we open the Configuration Manager console we have some new options. First off, under Assets and Compliance the machine catalogs are listed.
First we need to deploy 7-zip to the machine catalog and VDA agents. After that, Configuration Manager has the information that the application has been installed.
We can then go ahead and do a publication action. Go into Software Library, then Citrix Application Publications, and choose Create Publication.
Then we run through the wizard.
The connector has gained a nifty new feature that checks that all the prerequisites are in place.
After we have finished the wizard and the synchronization is complete, the application will appear in XenDesktop Studio.
So now we have successfully installed 7-zip on a VDA agent and published it from Configuration Manager. This means that the application is available as a resource when the user starts Citrix Receiver or logs in to StoreFront.
Now onto the next option, what if we want users to get applications from Software Center or the Application Catalog (But they can start a citrix session if we want them to?) this is part of the DT handler on the managed clients.
Now let’s deploy 7-zip from Configuration Manager to some managed clients. First we need to create a new deployment type which references the newly published application; in the deployment type choose XenApp.
Under publishing you need to choose the existing Citrix deployment that was published earlier.
NOTE: The Citrix DT handler needs to be installed on the clients.
Now go through the wizard, and after you are done you need to give the XenApp deployment type a lower priority than the other option.
After you have created the deployment type and want to deploy the application, you need to choose the clients or the users that are defined in the delivery groups.
Now if you head over to the application portal on a managed client with a valid user, the application will appear.
If you click this application, the Configuration Manager agent and the DT components will interact and publish the application in Receiver. If you have a valid single sign-on deployment working in your XenDesktop environment you can see that 7-zip is published on the managed client’s desktop.
This is a quick walkthrough, but it gives you an overview of what you can use this connector for. You can also integrate it with MCS and PVS, and we can integrate App-V applications. Also important to remember: with XenDesktop 7.5 you can integrate with Configuration Manager for Wake-on-LAN functionality.
Having been involved for a long time now in a case where a partner wanted to use SCVMM with XenApp 6.5 and PVS 7.1 for a customer, and it has not been quite as successful as hoped.
Now I wanted to share some notes with PVS and Hyper-V and what the limitations are there at the moment.
- First off, it is important to note that PVS 7.1 is the only version of Provisioning Services that supports SCVMM 2012 R2, as the support matrix lists.
- Using PVS with Hyper-V is now functional with PVS 7.1. This requires Legacy adapters in Hyper-V, since Legacy adapters are the only NICs in Hyper-V that support PXE boot.
- Citrix has implemented a failover mechanism between Legacy and Synthetic adapters, which means that the streaming traffic can start on the Legacy adapter and then switch to the Synthetic one.
- Hyper-V 2012 R2 does support PXE with Synthetic devices on Generation 2 virtual machines, but THIS IS NOT SUPPORTED BY CITRIX YET.
- If we for instance are using a VM with two Legacy adapters, Hyper-V will always boot from the last Legacy NIC added to the virtual machine; if we are using the “Stream VM wizard” in PVS it will add the first NIC in the virtual machine, meaning that we get the wrong MAC address in the PVS database.
- Hyper-V creates a new NIC GUID when creating a machine from a template, unlike VMware or XenServer, which do not.
- The Stream VM wizard in PVS creates virtual machines from templates, which means that the NICs on the PVS virtual machines get reinitialized when booting, and therefore the service stops responding since it delays the network start.
- The only solution to this is to clone machines and then add them manually to PVS, as in this CTX article –> http://support.citrix.com/article/CTX128750
- The XenDesktop setup wizard in PVS DOES NOT create virtual machines from a template, but clones the virtual machine using a set of PowerShell cmdlets.
Hopefully 7.5 has support for Generation 2 Virtual Machines!
This is huge news! Microsoft Azure has for some time now had a solid IaaS platform with support for most of the different Windows Server roles and features, except the most important one: RDS.
Since Microsoft until recently didn’t allow the use of RDS, or other options like Citrix, on Azure (because of the licensing), people had to use on-premise solutions until that was allowed / fixed.
But now with the latest changes to the Volume Licensing agreement http://www.microsoft.com/licensing/about-licensing/product-licensing.aspx#tab=2 you can bring SPLA-based RDS SAL usage to the cloud.
Now this brings two options for a service provider in Azure.
* Session Shared Terminal Servers
* Server VDI Workers (VM/Server Isolation)
So first off, this makes ALL of the different Citrix components supported in Azure, not just XenDesktop 7; of course there are restrictions, for instance Remote PC cannot be used there.
Citrix has also created two design guides for how you can set up Citrix XenApp / XenDesktop in Microsoft Azure. This also requires that users reach the Citrix servers through a Netscaler Gateway on-premise.
http://bit.ly/12podxp XenDesktop 7
http://bit.ly/185lKOv XenApp 6.5
And I’m guessing the next release of XenDesktop 7 (Project Merlin) will include provisioning options against Azure, but until that arrives we will have to provision manually and use PowerShell. Since Citrix and Microsoft have a strong relationship, I’m guessing that more options for hosting Citrix in Azure will appear.
Citrix has released a number of training videos regarding Project Excalibur, you can find them in the links below.
Part 1, Excalibur introduction
Part 2, Excalibur installation
Part 3, Citrix Studio
Part 4, Master Image
Part 5, Citrix Storefront
Part 6, Machine Catalog
Part 7, Delivery Groups
Part 8, Delivering Applications
Part 9, Citrix Receiver
Part 10, Citrix Director
For those that have been living under a rock for the last month or so (or haven’t been too involved in Citrix for a while): Citrix has just released a tech preview of their new solution (which at the moment is called Project Excalibur). Project Excalibur is the merging of XenDesktop and XenApp, together with other components such as Storefront, the DDC and Citrix Studio (Desktop Studio).
With the merging of these products, the whole XenApp architecture is gone: there is no more IMA, just FMA, so no more zones, data stores and so on. It is much more reliant on the SQL database.
Now for those that aren’t so familiar with the Citrix terms and product names, I’ll give a brief intro:
Receiver provides users with self-service access to resources published on XenApp or XenDesktop servers. Receiver combines ease of deployment and use, and offers quick, secure access to hosted applications, desktops, and data. Receiver also provides on-demand access to Windows, Web, and Software as a Service (SaaS)
StoreFront authenticates users to XenDesktop sites and manages stores of desktops and applications that users access.
Studio enables you to configure and manage your XenDesktop deployment. Studio provides various wizards to guide you through the process of setting up your environment, creating your desktops, and assigning desktops to users.
The Delivery Controller is responsible for distributing applications and desktops, managing user access, and optimizing connections to applications. Each site has one or more delivery controllers.
Server OS Machines (XenApp): VMs or physical machines based on a Windows Server operating system, used for delivering applications or hosted shared desktops to users.
Desktop OS Machines (XenDesktop): VMs or physical machines based on a Windows Desktop operating system, used for delivering personalized desktops to users, or applications from desktop operating systems.
This is a quick overview of how the topology is:
Also, for those that are familiar with XenApp: the term farm is now gone, it is now called a site.
The Zone master function is also gone; in this release the function is distributed evenly across all controllers in a site.
Now lets take a walkthrough of the installation.
BTW: All of this was installed on one virtual server.
As you can see there are basically two components here: the Delivery Controller and the Delivery Agent.
Studio can be installed as part of the Delivery Controller.
Since this is my first setup I’m going to install the Delivery Controller with all the components!
This setup will also install a local SQL Express 2008 R2 if you choose it (which I only recommend for test / lab environments).
The Setup will also configure the firewall for incoming connections. After the setup is completed, you can have auto launch of the Studio where we can configure everything.
And remember that farms have been replaced by sites. So we are going to start by creating an empty site.
Here we just define a name for the site and assign a license to it. After that is done we can start the “real” configuration.
Search: speaks for itself
Machine Catalog: A group of VMs or physical machines (for people coming from earlier XA versions, think of it as Worker Groups)
Delivery Groups: This is where you assign applications and desktops to users.
Applications: This is where you publish the applications you wish to use.
HDX Policy: The old Group Policy management
Logging: Configuration logging.
Administration: Here you set site administrator
Controllers: Here you have an overview of the site controllers
Hosting: Here you have the overview of what hosting environment you have, vSphere, SCVMM or XenServer.
Licensing: Overview of the license server.
Profile Management: Here you can define policy settings such as folder redirection etc (You can see how it is defined in the picture below)
Citrix has also implemented a lot of other nice-to-have features in the GUI, for instance the PowerShell pane, which shows all the actions that have been run as PowerShell commands.
And you also have a nice overview of the license usage.
Now part 1 of Excalibur post is complete, more will follow. Stay tuned
But for System Center people like me there are new possibilities to get here.
Citrix recently released Project Thor, which allows for integration of XenApp into Configuration Manager. I’m excited to see what kind of integrations you can get here.
So something missing here, session lingering and session prelaunch where did it go?!!?
Wow! The last couple of days there has been a storm of Twitter activity around the Synergy conference in Barcelona (also from those that weren’t able to attend, including myself). There is a lot of new stuff happening around Citrix these days, so I thought it would be a good idea to try to summarize what’s new on the Citrix front. (Note that I can’t cover everything, so if someone has more info regarding certain subjects, or news that flew straight past me, please send me some feedback, either by adding a comment on the post or by sending me an e-mail email@example.com or preferably on Twitter https//twitter.com/msandbu)
Now I want to start first with (what I think is a huge deal)
Citrix and Cisco have now made an “alliance”. What that means in practice is still to come, but you can read more about it in this news article –> http://www.citrix.com/news/announcements/oct-2012/cisco-and-citrix-expand-partnership/_jcr_content.html
The focus will be on integrating Netscaler and ASA appliances, the V1000 coming to XenServer, and integrating the Cisco Jabber client with Receiver.
And since Cisco has stopped further production of their load-balancing module ACE (which will be EoL in 2015), Citrix has announced a campaign to convert from ACE to Netscaler and get 20% off regular MPX prices –> http://blogs.citrix.com/2012/10/17/introducing_amp/ So it is indeed going to be interesting to see what happens further into the future.
The second thing is the Citrix and NetApp alliance, where NetApp is coming with its own components that integrate with, for instance, XenServer.
You can read more about it here –> http://www.citrix.com/news/announcements/oct-2012/citrix-and-netapp-collaborate-to-simplify-cloud-storage/_jcr_content.html
And a couple of days before that, Citrix also announced a partnership with Palo Alto (a firewall vendor). You can read more about it here –> http://researchcenter.paloaltonetworks.com/2012/10/perspective-on-the-citrix-and-palo-alto-networks-partnership/
So what is Citrix doing with all these partnerships?
Well, what is Citrix good at? On the networking front they have one of the best load-balancing solutions (of course Netscaler can do more than just that), and by joining forces with Cisco and Palo Alto they get the best of three worlds within networking. With the alliance with NetApp they get more storage integration. So with this they will cover all of the components within an infrastructure.
Now with partners like Windows, Cisco, NetApp, Palo Alto it is indeed going to be interesting.
Windows 8 Welcome!
Citrix has embraced Windows 8 and will therefore come with support for Windows 8 very soon.
There is already a Citrix Receiver client in the Windows Store for Windows 8, and more will come later.
New version of HDX Optimization pack for Microsoft Lync 1.1
This new feature includes featuring PBX/PSTN integration (Enterprise Voice), conformance to Microsoft Call Admission Control specifications, Enhanced Emergency Services support, and other valuable enhancements that truly round out this important new capability for customers planning to embrace Lync video chat at scale.
The new VDI-in-a-Box 5.2 preview will demonstrate optimizations for Microsoft Lync and support for the latest hypervisor technologies, including Microsoft Windows 2012 Hyper-V, Citrix XenServer® 6.1 and VMware vSphere 5.1. The tech preview will support Citrix Storefront for unified access to any Citrix CloudGateway delivered service.
Mobile Desktop Virtualization
Xenclient Enterprise 4.5 XenClient extends Citrix XenDesktop® FlexCast to include the management of physical PCs and secures mobile laptops for disconnected operation. The tech preview includes support for third-generation Intel® Core™ processors, Microsoft Windows 8, and ultrabooks. You can read more about it here –> http://www.citrix.com/news/announcements/oct-2012/citrix-extends-xenclient-to-windows-8-and-ultrabooks
Speeding Migration to Windows 7 and Beyond – Supporting the upcoming general availability of new Microsoft technologies, the next release of Citrix AppDNA application lifecycle management software includes early access features for application testing on Windows 8, Internet Explorer 10 and Windows Server 2012.http://blogs.citrix.com/2012/10/16/expanded-no-charge-application-compatibility-trial-for-application-migration-initiatives-even-windows-8/
GotoAssist to deliver “one-stop” shop for IT Support
This will provide the tools to monitor servers, together with helpdesk support tools that follow ITIL (much like SCOM and SCSM from Microsoft).
On-premise storage is available! It allows you to make existing folders available to the users, so you don’t have to create new folders for them. There are also loads of other features available:
- ShareFile with StorageZones – Organizations now have the flexibility to manage their data on-premises in customer-managed StorageZones or choose Citrix-managed StorageZones (secure cloud options available in seven locations around the world) or a mix of both. With customer-managed StorageZones, IT can place data in their organization’s own datacenter to help meet unique data sovereignty and compliance requirements while optimizing performance by storing data in close proximity to the user. By defining where data should be stored, IT is able to build the most cost-effective and customized solution for their organization. Customer-managed StorageZones can be easily integrated with an organization’s existing infrastructure as it is designed to support any Common Internet File System (CIFS)-based network share.
- ShareFile StorageZones MPX Appliance – To further simplify deployment of customer-managed StorageZones in a customer’s private datacenter, Citrix will deliver a new purpose-built StorageZones MPX appliance powered by Citrix NetScaler®. The device will add value to customer-managed StorageZones deployments by offering integrated security and optimizing networks and will work effortlessly with existing storage environments.
- StorageZone Connectors – The company’s follow-me data strategy now extends beyond the data stored in ShareFile. Working in conjunction with customer-managed StorageZones, StorageZone Connectors let IT create a secure connection between the ShareFile service and user data stored in existing network shares. This innovative capability makes it easy for end users to securely access their work documents on mobile devices through ShareFile apps for iPad and iPhone (support for other devices coming soon), regardless of where the data is actually stored. This approach extends all the simplicity and mobile access benefits of ShareFile to existing data storage platforms, without the need for data migration. Using the new ShareFile StorageZone Connectors, it is now possible to securely view and share documents from network file shares, which otherwise cannot be accessed outside of corporate networks or on mobile devices.
- On-demand Sync – The new on-demand sync capability of ShareFile for Windows is designed for pooled and hosted shared virtual desktop environments, including those powered by Citrix XenDesktop® and Citrix XenApp®. Typically in such environments, users sync all their data every time they log into their virtual desktops, putting substantial load on the network, bandwidth and storage. With on-demand sync, users will continue to view all their files and folders within their virtual desktop just like they do today. However, files download and sync only when the user views, edits, saves or shares, resulting in huge reductions in Input/Output Operations Per Second (IOPS) and slashing storage requirements.
- Windows 8 Compatibility – Citrix announced availability of compatible versions of ShareFile Sync for Windows and Microsoft Outlook Plug-in.
- ShareFile for Microsoft Azure – To provide more cloud storage options to customers, Citrix announced plans to deliver Citrix-managed StorageZones on Microsoft Azure in 2013. This integration will allow ShareFile customers to leverage all the reliable and powerful capabilities of Microsoft Azure by letting them designate data across a seamless global network of Microsoft-managed datacenters. These additional locations will also allow IT to place data close to users to enhance performance.
Present content from the iPad with Citrix GoToMeeting
- Launch a meeting and invite attendees with just a few taps.
- Change presenter so another person can show their screen.
- Present your content by simply browsing to it or opening email attachments (iPad only).
- Easily share content from ShareFile or Dropbox during a meeting (iPad only).
- Brainstorm with the onscreen highlighter and whiteboard (iPad only).
Secure e-mail and web on mobile with the @WorkMail and @WorkWeb apps
These allow secure e-mail reading and browsing from iOS and Android.
Excalibur and Merlin releases, which are the next releases of Avalon
Access to remote PC from Kindle Fire and Android Phones or Tablets.
The last couple of days I’ve seen a lot of traffic on my blog regarding the posts on Netscaler (and I don’t have that many of them!). With the recent events regarding Cisco ACE and Microsoft Forefront TMG, I’m guessing that a lot of people are looking into the option of switching over to Citrix.
Cisco has always been huge in the networking market, but in the ADC (Application Delivery Controller) market they never got the market share they were hoping for, so a couple of weeks ago they decided to stop further development of their ACE product. In a similar move, Microsoft decided to stop further development of their TMG product. TMG is not the same kind of product as Netscaler/ACE/BIG-IP, though it has a lot of the same functions and features.
So back to Netscaler; what can it offer?
* Advanced load balancing
* Content and app caching
* Database load balancing
* Application Firewall
* Secure Remote Access
* Advanced server offload
* Application acceleration
* Integration with Citrix
* Access Gateway features
* Web interface
* Scale up and Scale Out features
You can read more about the different features here –>
Now the Netscaler product comes in three different versions.
MPX: the hardware appliance, which is again split up into different models.
As you can see, most of the models have a “pay-as-you-grow” option, so if you buy an MPX 7500 and your company grows and you need more throughput, you can upgrade your 7500 to a 9500. It is the same hardware as before; you just “unlock” more capacity.
You can see all the different models and features here –> http://www.citrix.com/content/dam/citrix/en_us/documents/products/netscalerdatasheetaugust2012.pdf
VPX: a software-based virtual appliance, available for Hyper-V, VMware and XenServer.
Here as well you have a “pay-as-you-grow” option, so you can upgrade if you need more throughput. The downside of a VPX is that it has no hardware-based SSL acceleration (which the MPX has), so it handles far fewer SSL connections.
SDX: the best of both worlds. It is a hardware appliance like the MPX, but it can also run VPX instances. The hardware runs a stripped-down XenServer that hosts multiple VPXs, and since the hardware has SSL acceleration it does not have the downside of a regular VPX. It allows for up to 40 VPXs, which gives true multi-tenancy.
You also have the “pay-as-you-grow” option here.
Netscaler also comes in three different editions (like most Citrix products).
You can see the different editions and their limitations in this datasheet
Standard = load balancing (web and DB); also includes Citrix Web Interface and TCP optimization
Enterprise = For more advanced features – cloud bridge, edgesight for netscaler, branch repeater client.
Platinum = Includes all the features.
So what do I need for my organization ?
Well, first off you need to figure out what your needs are.
1: Do I need just the load balancing for my Web-servers?
2: SSL VPN solution and/or SSL offloading?
3: Advanced Web load-balancing and caching and optimization?
4: Multi-tenancy solution ?
5: DDoS defenses? Or do I have a firewall in front which is fully capable?
6: Just for my Citrix pieces (Access Gateway and Web interface)?
7: SQL load-balancing?
8: How many users do I have?
You also need to calculate the bandwidth usage of the service you are going to load balance; most products (for instance Lync) have well-documented traffic usage for each feature.
Let’s take an example: if I am a small business that just needs to load balance two web servers for my internal users (and I have 100 of them), the smallest VPX would suffice.
If I am an enterprise service provider and I offer a fully multi-tenant solution where customers can set up LB for all their services, I would recommend an SDX. (Regarding sizing, the best approach is to start with the lowest model you think you need and upgrade when you need to grow.)
So after you have chosen the model (remember that you always need two of them, since with only one you have a single point of failure), the next part is setting up the device.
Remember that the Netscaler operating system consists of two parts.
1: FreeBSD (the appliance uses this part for booting and for logging)
2: The core OS (NSOS, Netscaler OS), which controls the traffic in and out of the appliance.
When an appliance boots, it loads the system image from flash, decompresses it and puts it into RAM. The config file is also fetched from flash and loaded into RAM (this is known as the running config).
(You can show the running config from the CLI with show ns runningConfig; if you want to see the saved config you can run show ns ns.conf.)
You can access the CLI via the console (a serial cable, or the hypervisor console for a VPX) or, once the NSIP is set, over SSH.
And remember that you can save at any time with save ns config. If you make a mistake and have not saved, a reboot of the Netscaler brings back the last saved configuration.
When you start the NS appliance the first thing it asks for is an IP address (known as the NSIP, the Netscaler IP), which is used for management and clustering. You also enter a subnet mask and a gateway.
After that you can save and quit the config menu, and you can now access the appliance via the web console. You can see more info regarding the address by running show ns ip 10.0.0.2
As you can see here it says that “Management Access is enabled” and that FTP, Telnet, SSH and GUI are enabled.
So we should disable the insecure access methods before we continue, by running set ns ip 10.0.0.2 -telnet DISABLED -ftp DISABLED (both send credentials in clear text). The NSIP should also only be reachable from a management network, never from the internet.
There are other things we should configure as well: change the default password for the user “nsroot”.
You can do this by running set system user nsroot <password> (something very, very strong).
You SHOULD also enable NTP sync with a trusted NTP server, so that log timestamps can be correlated with the rest of the infrastructure:
add ntp server <IP> -minpoll <integer> -maxpoll <integer>
enable ntp sync
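As an added example (not from the original post and not Citrix code), here is a small Python audit that reads a Netscaler configuration written in the command form shown above and reports which of these hardening steps are missing: telnet or FTP still enabled on the NSIP, NTP not configured or not synced, and USIP mode turned on (a mode this post later recommends against). The config text is constructed for the example and only uses the commands the post shows; the function names (parse_config, find_nsip, audit) are this example's own. The default nsroot password cannot be detected from config lines, so that check still has to be done by hand.

```python
"""Audit a Netscaler config (command form) for the basic hardening steps.

Added example, not Citrix code. The sample config below is constructed and
uses only the commands shown in this post; a real 'show ns ns.conf' dump has
many more lines, but the audit only looks for these.
"""

# Constructed excerpt: NSIP set, one SNIP, telnet disabled but FTP forgotten,
# an NTP server added but sync never enabled, and USIP switched on.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.2 -netmask 255.255.255.0
add ns ip 10.0.0.3 255.255.255.0 -type SNIP
set ns ip 10.0.0.2 -telnet DISABLED
add ntp server 10.0.0.10 -minpoll 6 -maxpoll 10
add lb vserver v1 HTTP 10.0.0.26 80
enable ns mode USIP
"""

# Management protocols the first-boot NSIP leaves enabled and that send
# credentials in clear text; the audit insists these are explicitly disabled.
INSECURE_MGMT = ("telnet", "ftp")


def parse_config(text):
    """Split config text into (command, options) pairs.

    'set ns ip 10.0.0.2 -telnet DISABLED -ftp DISABLED' becomes
    ('set ns ip 10.0.0.2', {'telnet': 'DISABLED', 'ftp': 'DISABLED'}).
    Option names are lower-cased so -IPAddress and -ipaddress match.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        positional, options = [], {}
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("-") and i + 1 < len(tokens):
                options[tok[1:].lower()] = tokens[i + 1]
                i += 2
            else:
                positional.append(tok)
                i += 1
        entries.append((" ".join(positional), options))
    return entries


def find_nsip(entries):
    """The NSIP is the -IPAddress given to 'set ns config' (assumed form)."""
    for cmd, opts in entries:
        if cmd == "set ns config" and "ipaddress" in opts:
            return opts["ipaddress"]
    return None


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    entries = parse_config(text)
    findings = []
    nsip = find_nsip(entries)
    if nsip is None:
        findings.append("NSIP not found in config")
    else:
        # Collect every option ever set on the NSIP; the last value wins.
        state = {}
        for cmd, opts in entries:
            if cmd == f"set ns ip {nsip}":
                state.update(opts)
        for proto in INSECURE_MGMT:
            if state.get(proto, "ENABLED").upper() != "DISABLED":
                findings.append(f"{proto.upper()} still enabled on NSIP {nsip}")
    has_ntp_server = any(cmd.startswith("add ntp server") for cmd, _ in entries)
    ntp_synced = any(cmd == "enable ntp sync" for cmd, _ in entries)
    if not (has_ntp_server and ntp_synced):
        findings.append("NTP not configured or sync not enabled")
    for cmd, _ in entries:
        if cmd.startswith("enable ns mode") and "USIP" in cmd.upper().split():
            findings.append("USIP mode enabled; backend default gateway must be the Netscaler")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show ns ns.conf from a real appliance; if the NSIP line in your version is worded differently from the constructed one here, adjust find_nsip to match it.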
Now we can log onto the web GUI. (I’m using version 10 of the Netscaler VPX; you can get a free trial for your hypervisor from citrix.com, and I might add that the web GUI is much improved in v10.)
It is split up into three panes (Dashboard, Configuration and Reporting), and what you see here is the Configuration pane.
If I go to the Dashboard you see a lot of real-time information regarding, well, everything you want to see.
I can choose if I wish to view SSL connections, TCP handshakes, HTTP traffic etc..
The reporting pane is just that, you can create reports and there are a bunch out of the box that we can view as well.
But most of the time we are going to be in the configuration pane.
Now what other things do we need to do in order to load balance a service?
First we have to design how the Netscaler should be placed in our infrastructure. Most designs are based on
one-arm mode or two-arm mode.
In one-arm mode the Netscaler has ONE interface, and on that interface external traffic comes in and internal traffic goes out on the same interface (traffic is split by using VLANs).
In two-arm mode the Netscaler has TWO interfaces, one for external traffic in and out and one for internal traffic. This is the much more common deployment.
In both scenarios the traffic to the back-end servers flows as follows.
When the client connects to the web service on the virtual IP (126.96.36.199), the Netscaler (depending on the LB rules) makes a connection to one of the servers bound to that virtual service, using the Netscaler SNIP (Subnet IP) as the source.
The Subnet IP is the address the Netscaler uses to reach the servers in the backend, so you should have a SNIP for each subnet you want to have services in.
So SOURCE IP —> VIRTUAL IP (NS) SNIP —-> WEB SERVER 10.0.0.4 (BASED ON LB), so to the web servers it appears that all connections come from the same IP. And the same goes for the return traffic:
WEB SERVER –> SNIP (NS) VIRTUAL IP —> SOURCE IP, so all the clients see is one IP address, which may front loads of web servers.
Now is there a problem with this?
Well yeah: if you have a web server you probably want the client’s IP address in its logs. The Netscaler has an option known as Use Source IP mode (USIP), which makes the Netscaler connect to the backend servers with the client’s IP as the source. But what is the downside?
1: TCP multiplexing, which lets the Netscaler reuse one connection to the web server for many clients, is disabled when you use Source IP mode.
2: When the backend servers see the client’s source IP, their replies follow their own routing table instead of going back to the Netscaler, so they go out via the local gateway. The client then receives a reply directly from the backend server and drops it, since it is waiting for a response from the Netscaler VIP.
So if you use Source IP mode you need to set the default gateway on the backend servers to point to the NS.
USIP is set under modes:
Configuration –> Settings –> Configure Modes –> Use Source IP
or from the CLI with enable ns mode USIP
For logging we have another choice: the client IP header insertion option, which makes the Netscaler inject the client’s source IP into a header on the HTTP request, so the web server’s logs can contain the client’s IP address. Note that this header is only trustworthy when the web server accepts connections solely from the Netscaler, since a client that can reach the server directly can set the header to anything.
But in general I would recommend that you don’t use USIP.
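To show what the backend has to do with that injected header, here is an added Python example (not Netscaler or Citrix code) of a client-IP lookup a web application or log pipeline could use. It assumes the header is named X-Forwarded-For (the header name is configurable on the appliance), that the appliance appends its value when a client already sent the header rather than replacing it, and that the Netscaler reaches the backend from the SNIP 10.0.0.3; the request samples are constructed.

```python
"""Logging the real client IP behind a Netscaler that inserts it into a header.

Added example, not Netscaler or Citrix code. Assumptions: header name
X-Forwarded-For, the appliance appends to an existing header, and the
backend only sees the appliance from the SNIP 10.0.0.3.
"""
import ipaddress

# SNIPs the backend accepts proxied requests from (constructed for the example).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.3")}
CLIENT_IP_HEADER = "x-forwarded-for"   # assumed header name


def client_ip(peer_addr, headers):
    """Return the address to log for one request.

    peer_addr: the TCP peer the server accepted the connection from.
    headers:   request headers with lower-cased names.
    The header is only honoured when the peer is a trusted SNIP; anyone who
    reaches the server directly can put any value in the header.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    raw = headers.get(CLIENT_IP_HEADER, "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        return str(peer)          # appliance inserted nothing; log the SNIP
    # The appliance appends the address it saw, so the right-most entry is the
    # only one it wrote; anything to the left came from the client itself.
    try:
        return str(ipaddress.ip_address(entries[-1]))
    except ValueError:
        return str(peer)          # malformed entry: keep it out of the log


# Constructed requests: (peer address, headers)
SAMPLE_REQUESTS = [
    ("10.0.0.3", {"x-forwarded-for": "203.0.113.7"}),                # via the VIP
    ("10.0.0.3", {"x-forwarded-for": "198.51.100.1, 203.0.113.7"}),  # client sent its own header first
    ("192.168.5.9", {"x-forwarded-for": "203.0.113.7"}),             # direct, bypassing the Netscaler
    ("10.0.0.3", {"x-forwarded-for": "not-an-ip"}),                  # garbage from a broken upstream
]


def logged_ips():
    """The IPs that would land in the access log for SAMPLE_REQUESTS."""
    return [client_ip(peer, hdrs) for peer, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for ip in logged_ips():
        print(ip)
```

The third sample is the important one: a request that bypassed the VIP carries a convincing-looking header, and the only reason it is not logged as 203.0.113.7 is that the peer check runs first.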
Now let’s set up a load-balancing configuration.
Before we continue, remember that you need to set up at least three addresses on the Netscaler:
1: NSIP (management)
2: VIP (the address the clients connect to)
3: SNIP or MIP (the address the Netscaler uses towards the backend)
There are a few things we need to find out before we can set up LB: what kind of service we need to load balance and which servers host it. We also need a monitor for that service; the monitor checks whether the service on each backend server is responding, and if a server is not responding for a particular service it is taken out of the LB rotation. So we need:
1: Servers (the list of servers that have a particular service running)
2: Service (what kind of service is it? Web hosting on port 80?)
3: Monitors (check whether the service on the server is responding; if not, it is taken out of the LB rotation until it starts responding again)
4: Virtual IP (a virtual IP address which the Netscaler will respond on)
All this is combined into a load-balanced service on a virtual IP address, backed by the servers in the server list.
So let’s go ahead and create an LB service. First we add a VIP and a SNIP.
Go to the configuration pane –> IPs and add an IP address. Remember that the VIP is the IP address the end users are going to connect to; the SNIP is the IP the Netscaler uses to connect to the servers in the backend.
After that go to the load-balancing section further down.
Go to Servers and add the servers that host a service.
(Remember that this is just a list of servers; you don’t define the services here.)
After that go to Monitors.
As you can see, the HTTP monitor is enabled by default.
It sends an HTTP HEAD request, and if the service is working as it should you get a 200 response code.
You can see this by opening the http monitor.
After that we add the service.
We add a service that runs on port 80 on one server and attach the HTTP monitor. (Remember to do this for both servers, and give each service on each server a descriptive name.)
Now that we have a service on both servers it should look like this:
(In my case I don’t have any hosts on these IP addresses yet, so they are shown as Down, because the monitor’s HTTP requests to them fail.)
Remember to add the service on both servers. (If you want to load balance unevenly, for instance because one server has more power, you can set the weight on that service to 2; that server will then take twice the load.)
You can also go to Method and Persistence to change how the service is load balanced. By default the method is “least connection”: the server with the fewest active connections gets the next connection, which keeps them even. You can also specify persistence (whether a client should keep talking to the same server it spoke with earlier); the most typical choice for web services is cookie insert. But we will leave it at the default.
You can see that it responds to HTTP requests if I open a browser to 10.0.0.26.
And if you are like me and would like to do it via the CLI, you can do this.
Run add service <servicename> <server IP> HTTP 80 for each backend server, and attach the monitor with bind service <servicename> -monitorName http
Next we need a virtual server (that will do the load balancing) and bind the services to it.
First we do add lb vserver v1 HTTP <VIP> 80
then we bind the services to that virtual server:
bind lb vserver v1 <servicename>
After that you can do a
show lb vserver v1 to check that the load balancing is active and which of the bound services are up.
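To make the pieces above concrete (servers, services, a monitor expecting a 200 on HEAD, a virtual server, weights and least-connection balancing), here is an added Python model of that behaviour. It is example code written for this page, not Netscaler code: the monitor responses are constructed strings rather than live probes, the service names and the IPs 10.0.0.5 and 10.0.0.6 are made up, and the exact tie-breaking is this example's choice.

```python
"""Weighted least-connection load balancing with monitor-driven UP/DOWN state.

Added example modelling the objects described in this post (servers,
services, monitors, virtual server); it is not Netscaler code. Monitor
responses are constructed strings, not real HTTP probes.
"""
from dataclasses import dataclass


def probe_up(response):
    """Evaluate one HTTP HEAD probe the way the default http monitor does:
    the service is UP only when the status line carries response code 200."""
    if not response:
        return False
    status = response.split("\r\n", 1)[0].split(" ")
    return len(status) >= 2 and status[0].startswith("HTTP/") and status[1] == "200"


@dataclass
class Service:
    name: str          # descriptive, one per server and port, as advised above
    ip: str
    port: int = 80
    weight: int = 1    # 2 = takes twice the load of a weight-1 service
    up: bool = False   # services start DOWN until a monitor probe succeeds
    connections: int = 0


class VirtualServer:
    """A virtual IP that distributes connections across bound services."""

    def __init__(self, name, vip, port=80):
        self.name, self.vip, self.port = name, vip, port
        self.services = []

    def bind(self, service):
        self.services.append(service)

    def run_monitor(self, responses):
        """responses maps service name -> raw probe response (None = no answer).
        A failed probe takes the service out of rotation until the next pass."""
        for svc in self.services:
            svc.up = probe_up(responses.get(svc.name))

    def pick(self):
        """Least connection, weighted: choose the UP service with the lowest
        active connections per unit of weight; ties go to the first by name."""
        candidates = [s for s in self.services if s.up]
        if not candidates:
            return None
        chosen = min(candidates, key=lambda s: (s.connections / s.weight, s.name))
        chosen.connections += 1
        return chosen

    def release(self, service):
        """Call when a client connection closes."""
        service.connections = max(0, service.connections - 1)


def simulate(n_connections):
    """Distribute n new connections across two UP web servers (one with
    weight 2) and a third the monitor marks DOWN. IPs are constructed."""
    vs = VirtualServer("v1", "10.0.0.26")
    web1 = Service("svc_web1_80", "10.0.0.4", weight=2)
    web2 = Service("svc_web2_80", "10.0.0.5")
    web3 = Service("svc_web3_80", "10.0.0.6")
    for svc in (web1, web2, web3):
        vs.bind(svc)
    # Constructed monitor results: web3 answers, but not with 200, so it is DOWN.
    vs.run_monitor({
        web1.name: "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
        web2.name: "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
        web3.name: "HTTP/1.1 503 Service Unavailable\r\n\r\n",
    })
    counts = {}
    for _ in range(n_connections):
        svc = vs.pick()
        counts[svc.name] = counts.get(svc.name, 0) + 1
    return counts


if __name__ == "__main__":
    print(simulate(30))  # {'svc_web1_80': 20, 'svc_web2_80': 10}
```

With no connections ever released, the weight-2 service ends up with exactly twice the connections of the weight-1 one, and the service whose probe did not return 200 never receives any, which is what you should see in show lb vserver v1 as well.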
Phew! Long post. The next one will be about setting up a cluster on the Netscaler, since you always need two Netscalers so you don’t have a single point of failure, and we are going to integrate authentication with LDAP.
I would also recommend having a look at the command reference in Citrix eDocs.
So with the latest version of Citrix Receiver you need to enter a URL with the https prefix when setting up a connection.
In a lab environment you normally won’t have a certificate installed for the service, so you need to change some registry keys to allow Receiver to connect over HTTP. Be aware that this means Receiver sends the user’s credentials over an unencrypted connection.
1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\AuthManager (on 64-bit machines, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\AuthManager)
2. Create a new String value called ConnectionSecurityMode.
3. Set the value to Any.
4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Dazzle (on 64-bit machines, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle)
5. Modify the String value AllowAddStore to A. Likewise modify AllowSavePwd to A; this allows Receiver to store the account password.
NOTE: I would never recommend these settings for a production environment!
You could also script this with the installer; you can see more info about it here –>