Citrix Access Gateway and StoreFront configuration

~ Joseph Khalil

Citrix Access Gateway is a secure application access solution that allows users to access applications from anywhere. I will illustrate how I configure end-to-end ICA communication to back-end Citrix resources via the NetScaler Access Gateway.

Citrix Components required:

  • NetScaler Gateway
  • NetScaler Load balancer
  • Delivery Controller
  • StoreFront server
  • Resources
  • Public SSL certificate
  • Internal SSL certificate

Configuration

  • A public DNS entry should be configured for devgw.mycompany.com which maps to a public IP.
  • A NAT will then be configured to map the Public IP to the Access Gateway IP on the Firewall.

 

Single DMZ ports configuration (Access gateway in DMZ between firewalls) – Note that the load balancing server is on same appliance as the Access gateway. For logical illustration and traffic flow I have separated them.

211

Citrix component configuration

Citrix StoreFront server

We need to configure and prepare Citrix Storefront server for External access.

To use a single FQDN for external use and internal use, create an internal DNS entry devgw.mycompany.com to point to an IP address for the load balancer which is load balancing the StoreFront servers and change the base URL to match the chosen FQDN. (if you are not load balancing storeFront servers, then still create a DNS entry internally to the StoreFront server)

Note – You would also have a public DNS pointing to Devgw.mycompany.com (hence the single FQDN)

Still on the StoreFront server,  Go to the NetScaler Gateway settings on the left and add a new NetScaler on the right.

2017-07-21 17_13_33-Greenshot image editor

Give it a name in the “Display name”

NetScaler Gateway URL: this is the FQDN of the URL already chosen above.

Callback URL: This is optional if you want to use Smart Access features or End Point Analysis. This will point back to the Access gateway server.

In 2 arm modes or when the Access gateway is in the DMZ it will not be accessible from the internal network (StoreFront server). The work around is to create another 2nd Netscaler Gateway VIP called a “Callback VIP” on the SNIP (same IP range)  that is connected to the internal network with just the SSL certificate bound to it. (No need for other policies) and then a host file on the SF server that will be used to point the FQDN URL to the 2nd VIP (CTX137385)

Further firewall rules might need to be configured from the StoreFront servers to the callback VIP you have created in addition to the other ports we mentioned earlier. Ensure port 443 is talking from StoreFront server to callback VIP if using the above work around.

Under the Stores node, create a new store and enable remote access for this store and select “No VPN Tunnel”

noVPN

select the default appliance which we created in the previous step.

Still under Store node, go to manage delivery controllers and define the Citrix Delivery controllers that will broker your VDI resources.

2017-07-21 17_22_47-Citrix Access Gateway.docx - Microsoft Word

Under NetScaler Gateway node, click on Secure Ticket Authority

 

2017-07-21 17_25_11-Citrix Access Gateway.docx - Microsoft Word

The secure ticket authority is responsible for issuing session tickets in response to connection requests for published applications and desktops. These tickets form the authentication and authorization for access. The Access gateway talks to the STA server (XenDesktop controller or XenApp controller) for which server IP, port number, hostname, resource the user should access.

IMPORTANT – The STA servers defined here must also match the STA servers that we will define at a later stage in the Access Gateway Virtual server late.

You can also enable session reliability in the step (I will not discuss session reliability is this article, but if you wish to use it ensure port 2598 is allowed as mentioned earlier)

 

Beacons Node

Beacons are sites that tell receiver which way it is talking to the Store (internal or external) by seeing which site it can access. By default it will try the internal first. – You don’t need to configure anything here.

Citrix Access Gateway

We will now configure the Citrix Access gateway component on the Netscaler.

The below explains how to create an ICA proxy access gateway

First we need to create an Access Gateway VIP

1

Public DNS and NAT

The IP address you use above will have a firewall NAT from the public IP address to the VIP IP.  A public DNS entry will be created which maps to the public IP address to the chosen URL

Certificates

Once the VIP is created we need to bind a public facing server SSL certificate

2

Authentication

Under Authentication we need to configure the Authentication methods. In my case I am using RADIUS as Primary authentication and LDAP as secondary authentication (I will go through the steps to configure LDAP and RADIUS in another post)

 

Profiles

I also recommend using the NSTCP_DEFAULT_XA_XD_PROFILE (prior to using this profile, you need to test and ensure your environment will not be effected with the TCP parameters within the profile)

3

 

STA servers

For XenDesktop, this will be the Delivery Controller’s in the site. For XenApp 6.x this will be the Zone Data collector in the farm. The list of STA’s must match the list configured on the site settings in Storefront.

Note – if the STA shows as DOWN when using the hostname, try using the IP address instead.

 

Session Policies

You need to create session policies for web browser based access (receiver for web) and a policy for receiver.

Go to NetScaler Gateway > Policies > NetScaler Gateway session policies and profiles > session policies.

Click Add

Name: Give the policy a name

Action: To be created (I did one earlier)

Expression:  REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

4

Click the + under Action

Click on Client Experience and modify the settings depending on your corporate requirements.

Split Tunnel – OFF

Clientless Access – Allow

Plug-in Type – windows/MAC OS X

Credential Index –  depending on what order you have set authentication (this is used for SSO)

click Security tab

Enable default authorization action

5

Click on Published Applications

Enable ICA proxy (No SSL VPN)

6

In “web interface address” enter the load balancer IP address if you have configured a load balancer or enter the single StoreFront server (I hope you have configured a load balancer!)

Note – you can verify if the load balancer functions by going straight to it. You will likely get a SSL certificate error because the SSL certificate on the StoreFront server will not match the IP address in the HTTP header in the browser

 Define the  domain to use when users go to the Access gateway page under “single sign-on Domain”

Note – “Account services Address” is only used for email discovery for Citrix Receiver plugin

7

You now need to go ahead and create the session policy for  receiver

The properties above will likely work (you need to test) with the receiver session policy, you may want to enable the “account services address” for email discovery on citrix receiver

11

You also need to change the policy expression to

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

10

Once you have all that done, you should now be ready to test access to your Citrix Xendesktop/XenApp environment.

Good Luck!

Published by Joseph Khalil

Leave a comment