Archive

Archive for the ‘Access Gateway’ Category

#Netscaler Insight and Integration with #XenDesktop Director – via @msandbu

November 15, 2013 Leave a comment

Great blog post by Marius! 🙂

This is another one of Citrix hidden gems, Netscaler Insight. This product has been available from Citrix some time now, but with the latest update in became alot more useful. Insight is an virtual applance from Citrix which gathers AppFlow data and statistics from Netscaler to show performance data, kinda like old Edgesight. (NOTE: In order to use this functionality against Netscaler it requires atleast Netscaler Enterprise or Platinum)

Insight has two specific functions, called Web Insight and HDX insight.
Web Insight shows traffic related to web-traffic, for instance how many users, what ip-adresses, what kind of content etc. 
HDX Insight is related to Access Gateway functionality of Citrix to show for instance how many users have accessed the solution, what kind of applications have they used, what kind of latency did the clients have to the netscaler etc.

You can download this VPX from mycitrix under Netscaler downloads, important to note as of now it is only supported on Vmware and XenServer (They haven’t mentioned any support coming for Hyper-V but I’m guessing its coming.

The setup is pretty simple like a regular Netscaler we need to define an IP-address and subnet mask (Note that the VPX does not require an license since it will only gather data from Netscaler appliances that have a platform license and it does not work on regular Netscaler gateways)

After we have setup the Insight VPX we can access it via web-gui, the username and password here is the same as Netscaler nsroot & nsroot

image

After this is setup we need to enable the insight features, we can start by setting up HDX insight, here we need to define a expression that allows all Gateway traffic to be gathered. 
Here we just need to enable VPN equals true. We can also add mulitple Netscalers here, if you have a cluster or HA setup we need to add both nodes.

image

After we have added the node, just choose configure on the node and choose VPN from the list and choose expression true.

Read more…

Choose your #Citrix #NetScaler … wisely… – via @hlouwers

This is a question I get a lot and I must say that Henny Louwers did answer it well in this blog post!

I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.

I decided to set up a blog about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy because there are a lot of questions that need to be answered.

The first thing I would like to get off my chest is the following: Stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense but a Citrix NetScaler solution belongs to the networking department, not the Citrix XenApp sys admin department. Or maybe limited.

That leads me to the first difficult thing of a Citrix NetScaler project. The adoption of the Citrix NetScaler appliances to the networking guys of an organization. They need to embrace the solution to make this a success. For some reason they too see it as a ‘’Citrix’’ solution. For that reason one of the most important meetings to setup is usually with the networking guys to try to explain the L3-L7 functionality of the Citrix NetScaler solution. When they realize it competes with F5, Juniper, Cisco, etc then we are on the right track.

NetScaler Gateway or NetScaler Standard Edition

Usually the first question of a customer is regarding something simple like replacing the Remote Access solution. Since the NetScaler is going to be the main platform for publishing Citrix publications a NetScaler Gateway can be considered as a valid option. This is when I tell a customer it would be wise to spend a little extra on the NetScaler Standard Edition since this would leverage the solution be having full load balancing capabilities (among others). When you compare prices between the NetScaler Gateway and NetScaler Standard Edition you will see that the Standard Edition will be somewhat more expensive but I for one think that it is worth the difference given the feature set that come with the Standard Edition. Of course the NetScaler Gateway can always be upgraded to a NetScaler Standard Edition (or higher) if you will.

Another feature of Citrix NetScaler Standard Edition is the ability to run Citrix Web Interface on the appliance. Honestly, I do think is not really that important anymore….

Continue reading here

//Richard

#Citrix Knowledge Center Top 10 – March 2013

Citrix Support is focused on ensuring Customer and Partner satisfaction with our products.

One of our initiatives is to increase the ability of our Partners and Customers to leverage self-service avenues via our Knowledge Center.

Find below the Citrix Knowledge Center Top 10 for March 2013.

Top 10 Technical Articles

Article Number Article Title
CTX129229 Recommended Hotfixes for XenApp 6.0 and Later on Windows Server 2008 R2
CTX129082 Application Launch Fails with Web Interface using Internet Explorer 9
CTX804493 Users Prompted to Download ICA File, Launch.ica, Instead of Launching the Connection
CTX132875 Citrix Receiver Error 2320
CTX105793 Error: Cannot connect to the Citrix server. Protocol Driver Error
CTX127030 Citrix Guidelines for Antivirus Software Configuration
CTX115637 Citrix Multi-Monitor Configuration Settings and Reference
CTX133997 Citrix Receiver 3.x – Issues Fixed in This Release
CTX325140 Manually and Safely Removing Files after Uninstalling the Receiver for Windows
CTX101644 Seamless Configuration Settings

 

Top 10 Whitepapers

Article Number Article Title
CTX131577 XenApp 6.x (Windows 2008 R2) – Optimization Guide
CTX132799 XenDesktop and XenApp Best Practices
CTX101997 Citrix Secure Gateway Secure Ticket Authority Frequently Asked Questions
CTX136546 Citrix Virtual Desktop Handbook 5.x
CTX136547 StoreFront Planning Guide
CTX133185 Citrix CloudGateway Express 2.0 – Implementation Guide
CTX129761 XenApp Planning Guide – Virtualization Best Practices
CTX134081 Planning Guide – Citrix XenApp and XenDesktop Policies
CTX130888 Technical Guide for Upgrading/Migrating to XenApp 6.5
CTX122978 XenServer: Understanding Snapshots

 

Top 10 Hotfixes

Article Number Article Title
CTX136714 Hotfix XS61E016 – For XenServer 6.1.0
CTX132122 Hotfix Rollup Pack 1 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2
CTX126653 Citrix Online Plug-in 12.1.44 for Windows with Internet Explorer 9 Support
CTX136483 Hotfix XS61E014 – For XenServer 6.1.0
CTX133882 Hotfix Rollup Pack 2 for Citrix XenApp 6 for Microsoft Windows Server 2008 R2
CTX133066 12.3 Online Plug-In – Issues Fixed in This Release
CTX136253 Hotfix XS61E010 – For XenServer 6.1.0
CTX136482 Hotfix XS61E013 – For XenServer 6.1.0
CTX136085 Hotfix XA650R01W2K8R2X64061 – For Citrix XenApp 6.5
CTX136674 Hotfix XS61E012 – For XenServer 6.1.0

 

Top 10 Presentations

Article Number Article Title
CTX135521 TechEdge Barcelona 2012 PowerPoint and Video Presentations – Reference List
CTX129669 TechEdge 2011 – Overview of XenServer Distributed Virtual Switch/Controller
CTX121090 Planning and implementing a Provisioning Server high availability (HA) solution
CTX133375 TechEdge 2012 PowerPoint and Video Presentations – Reference List
CTX135356 TechEdge Barcelona 2012 – Understanding and Troubleshooting ICA Session Initialisation
CTX135358 TechEdge Barcelona 2012 – XenDesktop Advanced Troubleshooting
CTX133374 TechEdge 2012 – Monitoring your NetScaler Traffic with AppFlow
CTX135361 Troubleshooting Tools: How to Isolate and Resolve Issues in your XA and XD Env Rapidly
CTX135360 TechEdge Barcelona 2012 – Planning, Implementing and Troubleshooting PVS 6.x
CTX135357 TechEdge Barcelona 2012 – Implementing and Troubleshooting SF and Rec for Windows

Top 10 Tools

Article Number Article Title
CTX122536 Citrix Quick Launch
CTX135075 Citrix Diagnostics Toolkit – 64bit Edition
CTX130147 Citrix Scout
CTX111961 CDFControl
CTX106226 Repair Clipboard Chain 2.0.1
CTX109374 StressPrinters 1.3.2 for 32-bit and 64-bit Platforms
CTX124406 StressPrinters 1.3.2 for 32-bit and 64-bit Platforms
CTX113472 Citrix ICA File Creator
CTX123278 XDPing Tool

Continue reading here!

//Richard

How to check which #NetScaler policy that your #Citrix #Receiver or web browser hits?

April 18, 2013 1 comment

Ok, this is a common issue that you’ll end up in when setting up Access Gateway access scenarios:

How do you know which policy that is hit when your different Receivers are logging in?

Well, there are a couple of nice commands that can help you troubleshooting your access scenario! I guess that most of you have a simple scenario where you have one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, and they are all linked to the virtual server like something like this simple example:

AG_vServer_VIP

But in more complex scenarios you may end up controlling which browser the user is accessing with (for giving nice error messages instead of Citrix default messages when users may use an unsupported browser etc.), or when you have multiple AD domains and AD groups to link different policies to etc. Then it may be complex and you have multiple policies and profiles for the same config with minor changes like the SSO domain name etc. So how do you then troubleshoot that easily?

First we have the must know command that hooks into the auth process of the NetScaler and gives you a view of the authentication process:

cat /tmp/aaad.debug

When you run that and you authenticate you’ll see the result of your auth process agains for instance LDAP and RADIUS sources like the result here when I logged in to our little environment:

aaad_debug_output

At the top of the output you see all the AD groups that I’m a member of that needs to match the group that you like to use on the NetScaler side, and last you see that accept from AD for my authentication request.

Then you know that you’re authentication ok, but which of the session polices are we hitting? Then you need to have a look at this great command:

nsconmsg -d current -g pol_hits

This is the output when I access using my Receiver on OS X:

nsconmsg_policy_hit

Read more…

Heads Up – issues with Access Gateway Plug-in for Mac OS X Version 2.1.4 – #Citrix, #NetScaler

Well, I guess that you’ve already read all the good things about the new capabilities of the newer Access Gateway plug-in, Receiver and Access Gateway Enterprise that together with StoreFront will add additional features and functions that haven’t existed before. It’s now built to work together with the Receiver on the Windows and Mac OS X platforms and promises a lot by various blog posts from Citrix and others (incl. myself).

Here is an example of what it can (should) do: What’s new with Access Gateway MAC Plug-in release 2.1.4

But is the Access Gateway Plug-in that great? Well, before you plan to implement version 2.1.4 on OS X and especially if you want to leverage the SSL VPN functionality and host checks (EPA) then read the Important notes and Known issues for this release:

Important Notes About This Release:

  1. The Access Gateway Plug-in for Mac OS X Version 2.1.4 supports Citrix Receiver Version 11.7
  2. Import the secure certificate for Access Gateway into the Keychain on the Mac OS X computer.
  3. The Access Gateway Plug-in for Mac OS X Version 2.1.2 and earlier versions are not supported on Mac OS X Version 10.8.
  4. Endpoint analysis scans for antivirus, personal firewalls, antispam, Internet security, and EPAFactory scans are not supported for Mac OS X.
  5. Client certificate authentication is not supported for Mac OS X.

First of all I’d say that these notes are not that great if you ask me! Why do I have to add the cert into the Mac Keychain? Why doesn’t the plug-in support the more “advanced” host checks like personal firewalls, certificates etc.?

Wait, it get even worse!! And before you go to the whole list I’d highlight these top ones that I’m kind of surprised about:

  • It doesn’t support LAN access
  • Upgrading doesn’t work
  • Doesn’t apply proxy settings configured in session profile
  • It doesn’t support SAN certificates
  • Users cannot start the Access Gateway plug-in if the Receiver is already started, you first have to shut down the Receiver

Here you see the full Known Issues list for this release:

  1. When users disable wireless on a Mac OS X computer and connect by using a 3G card, the Access Gateway Plug-in does not upgrade automatically through Citrix Receiver. If users select Check for Updates to upgrade the plug-in, the upgrade fails and users receive the error message “Updates are currently not available.” [#45881]
  2. If you run stress traffic for HTTP, HTTPS, and DNS simultaneously, the Access Gateway Plug-in fails. [#46348]
  3. When users disable wireless on a Mac OS X computer and connect by using a Vodafone Mobile Broadband Model K3570-Z HSDPA USB 3G stick, the Access Gateway plug-in does not tunnel traffic. [#256441]
  4. If you configure an endpoint analysis policy and also enable the client choices page and proxy servers in a session profile, occasionally a blank choices page appears after users log on. When you disable the choices page in the session profile, the choices page appears correctly. [#316331]
  5. If users connect to Access Gateway with the Access Gateway Plug-in for Mac OS X and then run ping with a payload of 1450 bytes, the plug-in fails to receive the ICMP reply. [#321486] Read more…

Vulnerability in #Citrix Access Gateway Standard Edition 5.0 – #AG

March 6, 2013 1 comment

Vulnerability in Citrix Access Gateway Standard Edition 5.0 Could Result in Unauthorized Access to Network Resources

Document ID: CTX136623   /   Created On: Mar 5, 2013   /   Updated On: Mar 5, 2013

Average Rating: 1 (1 ratings)
Severity: Critical

Description of Problem

A vulnerability has been identified in Citrix Access Gateway Standard Edition that could allow an unauthenticated user to gain access to network resources.

This vulnerability has been assigned the following CVE number:

• CVE-2013-2263

This vulnerability affects all 5.0.x versions of the Citrix Access Gateway Standard Edition appliance firmware earlier than 5.0.4.223524.

Citrix Access Gateway Standard Edition versions 4.5.x and 4.6.x are not affected by this vulnerability.

What Customers Should Do

A patch for version 5.0.4 of the Citrix Access Gateway Standard Edition firmware has been released to address this vulnerability. Citrix strongly recommends that all customers using affected versions of Citrix Access Gateway Standard Edition apply this patch to their appliances as soon as possible.

This patch can be found at the following location under the Appliance Firmware section (you will need to login with your MyCitrix ID):

http://www.citrix.com/downloads/netscaler-access-gateway/product-software/access-gateway-504.html

Acknowledgements

Citrix thanks Ben Williams, David Middlehurst and James Eaton-Lee of NCCGroup (http://www.nccgroup.com) for working with us to protect Citrix customers.

What Citrix Is Doing

Citrix is notifying customers and channel partners…

Continue reading here!

//Richard

SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront

January 31, 2013 3 comments

Single Sign-On from Access Gateway to StoreFront not working in CVPN mode

There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!

It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!

After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!

So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…

The following picture tries to give a VERY rough picture of how it could look like, clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the little newer CVPN mode. And YES; I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…

High_Level_Design_overview_SSO_not_working

The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy have been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).

But SSO still doesn’t work!! If you login through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly but then when it tries to passthrough the authentication to StoreFront it fails.

This picture just shows the login to the NetScaler ADC Access Gateway vServer:

NetScaler_Access_Gateway_login

Read more…

%d bloggers like this: