Archive

Posts Tagged ‘AGEE’

#Citrix #XenMobile 8.5 MAM upgrade! Part 1 – #StoreFront, #AppController, #NetScaler

September 1, 2013 7 comments

In this little blog series series you’ll follow a little upgrade process to XenMobile 8.5 for Mobile Application Management (previously known as CloudGateway).

Ok, I don’t exactly know where to begin. I must first say that Citrix is THE master when it comes to renaming products, updating/changing the architecture, changing consoles (claiming to reducing the number of them like every year but at the same time introduce new ones).

How hard can it be to make crystal clear documentation and upgrade processes that works and are easy? I feel already that my tone in this blog post is “a bit” negative… but I think that Citrix actually deserves it this time.

I must now take a step back and calm down and point out that Citrix is delivering some MAJOR changes and good news/features in the new XenMobile 8.5 release though! It’s great (when you’ve got it up and running) and I must say that I don’t see anyone that is near them in delivering all these capabilities in a nice end-to-end  delivery!! 🙂

Have a look at everything that is new, deployment scenarios etc. here before you even start thinking to upgrade or change your current NetScaler, StoreFront and AppController environment!

Once you’ve started to read the different design scenarios you’ll see that App Controller can be placed in front of StoreFront, in the back of StoreFront or totally without StoreFront… all the options just make your head spin! Because Citrix doesn’t really make it clear on how all of this should work with a Receiver and Worx Home depending if the device is on the internal network, external through NetScaler or what the capabilities that you need are supported in the different scenarios in a simple way, just text that explains it. And I find the pictures and text a bit misleading:

You can include StoreFront in your deployment, which allows users access to published applications from XenApp and virtual desktops from XenDesktop, along with apps configured in App Controller. When users log on with Citrix Receiver, all of their apps appear in the store. The following figure shows how you can deploy NetScaler Gateway, App Controller, and StoreFront in your network.

Deploying App Controller with StoreFront and NetScaler Gateway

As you see above the App Controller is added as a “Farm” just as in 2.6, but is that the truth now in version 2.8 of App Controller?

If you have a look at the text from this page it’s getting even more confusing: Read more…

Choose your #Citrix #NetScaler … wisely… – via @hlouwers

This is a question I get a lot and I must say that Henny Louwers did answer it well in this blog post!

I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.

I decided to set up a blog about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy because there are a lot of questions that need to be answered.

The first thing I would like to get off my chest is the following: Stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense but a Citrix NetScaler solution belongs to the networking department, not the Citrix XenApp sys admin department. Or maybe limited.

That leads me to the first difficult thing of a Citrix NetScaler project. The adoption of the Citrix NetScaler appliances to the networking guys of an organization. They need to embrace the solution to make this a success. For some reason they too see it as a ‘’Citrix’’ solution. For that reason one of the most important meetings to setup is usually with the networking guys to try to explain the L3-L7 functionality of the Citrix NetScaler solution. When they realize it competes with F5, Juniper, Cisco, etc then we are on the right track.

NetScaler Gateway or NetScaler Standard Edition

Usually the first question of a customer is regarding something simple like replacing the Remote Access solution. Since the NetScaler is going to be the main platform for publishing Citrix publications a NetScaler Gateway can be considered as a valid option. This is when I tell a customer it would be wise to spend a little extra on the NetScaler Standard Edition since this would leverage the solution be having full load balancing capabilities (among others). When you compare prices between the NetScaler Gateway and NetScaler Standard Edition you will see that the Standard Edition will be somewhat more expensive but I for one think that it is worth the difference given the feature set that come with the Standard Edition. Of course the NetScaler Gateway can always be upgraded to a NetScaler Standard Edition (or higher) if you will.

Another feature of Citrix NetScaler Standard Edition is the ability to run Citrix Web Interface on the appliance. Honestly, I do think is not really that important anymore….

Continue reading here

//Richard

Heads Up – issues with Access Gateway Plug-in for Mac OS X Version 2.1.4 – #Citrix, #NetScaler

Well, I guess that you’ve already read all the good things about the new capabilities of the newer Access Gateway plug-in, Receiver and Access Gateway Enterprise that together with StoreFront will add additional features and functions that haven’t existed before. It’s now built to work together with the Receiver on the Windows and Mac OS X platforms and promises a lot by various blog posts from Citrix and others (incl. myself).

Here is an example of what it can (should) do: What’s new with Access Gateway MAC Plug-in release 2.1.4

But is the Access Gateway Plug-in that great? Well, before you plan to implement version 2.1.4 on OS X and especially if you want to leverage the SSL VPN functionality and host checks (EPA) then read the Important notes and Known issues for this release:

Important Notes About This Release:

  1. The Access Gateway Plug-in for Mac OS X Version 2.1.4 supports Citrix Receiver Version 11.7
  2. Import the secure certificate for Access Gateway into the Keychain on the Mac OS X computer.
  3. The Access Gateway Plug-in for Mac OS X Version 2.1.2 and earlier versions are not supported on Mac OS X Version 10.8.
  4. Endpoint analysis scans for antivirus, personal firewalls, antispam, Internet security, and EPAFactory scans are not supported for Mac OS X.
  5. Client certificate authentication is not supported for Mac OS X.

First of all I’d say that these notes are not that great if you ask me! Why do I have to add the cert into the Mac Keychain? Why doesn’t the plug-in support the more “advanced” host checks like personal firewalls, certificates etc.?

Wait, it get even worse!! And before you go to the whole list I’d highlight these top ones that I’m kind of surprised about:

  • It doesn’t support LAN access
  • Upgrading doesn’t work
  • Doesn’t apply proxy settings configured in session profile
  • It doesn’t support SAN certificates
  • Users cannot start the Access Gateway plug-in if the Receiver is already started, you first have to shut down the Receiver

Here you see the full Known Issues list for this release:

  1. When users disable wireless on a Mac OS X computer and connect by using a 3G card, the Access Gateway Plug-in does not upgrade automatically through Citrix Receiver. If users select Check for Updates to upgrade the plug-in, the upgrade fails and users receive the error message “Updates are currently not available.” [#45881]
  2. If you run stress traffic for HTTP, HTTPS, and DNS simultaneously, the Access Gateway Plug-in fails. [#46348]
  3. When users disable wireless on a Mac OS X computer and connect by using a Vodafone Mobile Broadband Model K3570-Z HSDPA USB 3G stick, the Access Gateway plug-in does not tunnel traffic. [#256441]
  4. If you configure an endpoint analysis policy and also enable the client choices page and proxy servers in a session profile, occasionally a blank choices page appears after users log on. When you disable the choices page in the session profile, the choices page appears correctly. [#316331]
  5. If users connect to Access Gateway with the Access Gateway Plug-in for Mac OS X and then run ping with a payload of 1450 bytes, the plug-in fails to receive the ICMP reply. [#321486] Read more…

#Citrix #AppController 2.5 Implementation Tips – #CloudGateway, #BYOD

February 19, 2013 Leave a comment

Great blog post by Matthew Brooks!

AppController is a component of the Citrix CloudGateway Enterprise suite that orchestrates access to Enterprise Cloud applications.  Those applications may take many forms including Mobile Applications, Software-as-a-Service hosted in public clouds, and Web links.  Below I provided some tips to help with the implementation of AppController 2.5 (which is the latest version as of the publishing of this blog).

System Related

Including settings such as the Hostname, SSL certificates, and Restore.

TIPs:

  • Take a hypervisor level snapshot after the initial installation so that you can easily return to that base level if configuration or integrations efforts go awry.
  • The hostname cannot contain special characters in the AppController certificate signing request.
  • The hostname must match SSL certificate.
  • The system cert must be chained to its CA/(s).

Active Directory Related

Including settings such as the Server (Domain Controller), Base DN, and Service Account credentials.

TIPs:

  • The AppController only supports integration with a single domain.  Multiple domains require multiple AppControllers.  The NetScaler Access Gateway may be configured to allow users to access a single fully qualified domain name, yet be directed to their respective domain AppController through the use of Global Groups.  See CTX116169 for more informationhttp://support.citrix.com/article/CTX116169
  • All user accounts must have a first name, last name, and email address configured or they will receive an authorization error when attempting to launch applications.  The bind Administrator account must also have email address configured or directory integration will fail.
  • Only LDAP (TCP 389) may be configured through the wizard that must be completed initially.  Thereafter LDAPS (TCP 636) may be configured through the full administration menu.
  • If the server name domain name is a load balanced DNS entry the initial import may work, yet subsequent bind attempts will fail.  Alternatively you may use the IP address of an LDAPS load balancer on a Netscaler with specific domain controllers configured as services.  See CTX135092 for more information http://support.citrix.com/article/CTX135092

Network Related

Including settings such as the IP address, @Workweb and NTP server.

TIPs:

  • Use IP private addresses as system addresses if possible.  When Trust Settings are configured for NetScaler Access Gateway it does not allow SSO to public addresses.  If public addresses must be used the NetScaler may be configured with an SSL Bridge to access the AppController.  See NetScaler Traffic Management document for more information.
  • NTP must be configured or SAML authentication may fail for SaaS sites if the time difference is significant.
  • When Trust Settings are configured for NetScaler Access…

Continue reading here!

//Richard

SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront

January 31, 2013 3 comments

Single Sign-On from Access Gateway to StoreFront not working in CVPN mode

There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!

It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!

After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!

So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…

The following picture tries to give a VERY rough picture of how it could look like, clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the little newer CVPN mode. And YES; I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…

High_Level_Design_overview_SSO_not_working

The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy have been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).

But SSO still doesn’t work!! If you login through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly but then when it tries to passthrough the authentication to StoreFront it fails.

This picture just shows the login to the NetScaler ADC Access Gateway vServer:

NetScaler_Access_Gateway_login

Read more…

Host checks/EPA scans are not for everyone – #Citrix, #NetScaler, #AccessGateway

January 30, 2013 Leave a comment

This is an interesting blog post from Citrix… It captures a scenario that I know one of my previous customers was thinking of, so have a look at it!

The main thing that think of when reading this though is that EPA scans are NOT for everyone, I agree. And please also read my earlier posts on why it cannot be done with todays products from Citrix.

#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

Even though the latest Receiver Receivers changed some scenarios and enables host checks/EPA scans it still doesn’t provide the full picture. But I’ll be publishing a more detailed picture on why later, some late night I’ll be able to complete it! 😉

Here you have the blog post from Tobias Frigger:

A customer of one of my Citrix Consulting colleagues recently came up with an interesting request.

Like many others they are using Citrix NetScaler’s Access Gateway Enterprise Edition module to grant remote secure remote access to applications and desktops.
Additionally, they use a client management and software distribution solution to deploy the EPA plugin to client computers and therefore wanted to suppress Access Gateway offering the EPA scan plugin for download through the browser. This introduces some additional level of control over which client is entitled to connect through Access Gateway.

An approach restricting certain user groups from logging in by using group memberships is a more common scenario, but in this case the customer intended to restrict the end points and not the users. When end users lack administrative permissions to install custom software, preventing the download is indeed an effective measure.

A job for Citrix Consulting!

As you know, Access Gateway Enterprise Edition offers two ways of running Endpoint Analysis (EPA) scans – before and after authentication. Consequently, there are two procedures.

The formal requirements

  • Remove the download button displayed when accessing the AGEE virtual server and the plugin is not detected by the browser or if the plugin is outdated
  • Alter the message text such that it refers user to contact their system administrator if they think the plugin should be installed.
  • When using a post-authentication EPA scan, add a “logout” button.

EPA Scan dialogue

Backup
As a precaution, we want to make backup copies…

Continue reading here!

//Richard

What’s new with Access Gateway MAC Plug-in release 2.1.4 – #Citrix, #AG, #Receiver

January 14, 2013 Leave a comment

Another great blog post from Prashant! You rock! 😉

The new Citrix Access Gateway Appliance release 10.0.71.6014.e brings along with it the new MAC plug-in release 2.1.4. MAC OS, along with Microsoft Windows, are the two main desktop platforms supported by Citrix Access Gateway for full SSL Tunnel. The AG plug-in is most commonly used in tandem with Citrix Receiver, to provide access to your virtual applications and desktops, provided by XenApp & XenDesktop respectively. The Receiver and AG plug-in also work together to provide end users access to intranet web and SaaS resources via Citrix CloudGateway.

The new 2.1.4 plug-in brings the following new enhancements for Citrix Receiver users:

  1. Seamless Desktop Receiver experience: With this release of Access Gateway plug-in, end users will no longer have to sign into the plug-ins as a manual step, to access apps / sites that require a full SSL tunnel. Receivers automatically launch a SSL VPN session via Access Gateway as needed. Result is – end user just deals with Citrix Receiver and Receiver internally (and automatically) deals with Access Gateway on user’s behalf.
  2. EPA with ICAProxy / CVPN: Receivers can now seamlessly launch AG plug-ins to connect to an Access Gateway vServer configured with End Point Analysis policies, in ICAProxy and CVPN modes as well. Earlier, this was supported only for Full Tunnel access.
  3. ….

Continue reading here!

//Richard

Why no Snaphot feat. on NetScaler like on AG? – #Citrix, #NetScaler

January 9, 2013 2 comments

Ok, I had the “pleasure” to be working with an Access Gateway setup a little while ago… and I don’t know if I should actually say that it was a pleasure when I all did was missing the NetScaler.

But there is one feature that Access Gateway has that NetScaler doesn’t that I like and see a need for; Snapshots!

Why hasn’t Citrix build the same EASY way to make a snapshot of a config on NetScaler??? This would simplify things a lot from a change management point of view. You could of course make this happen yourself but need to be savvy and it’s hazzle… It would also ensure that admins that aren’t hardcore NetScaler nerds actually could get some confidence to change stuff and have a back out plan to revert to a previous snapshot if something goes wrong.

And the great thing about a snapshot is that it represents all the Access Gateway settings, licenses, and certificates at a specific time. If you have multiple software versions installed on Access Gateway, you can have snapshots that span the different software versions. Imagine if there was a button you could press to do that done on the NetScaler!

Video of how it works: How To: Take and Restore Snapshots on Citrix Access Gateway 5.0

Creating Snapshots to Manage Access Gateway Configuration Settings

I think that this will be a good thing to add now when more shops will setup Access Gateway Enterprise on NetScaler and only use it for just that…especially now when it’s also going End of Life (EOL).

Citrix: Please  make this happen! 😉

//Richard

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

November 29, 2012 3 comments

This little blog post is about Citrix SmartAccess. I’ve been a fan of SmartAccess for a long time, and it’s also something that Citrix has been talking a lot about in their story. The way that Citrix technology can provide applications, desktops and information to end-users on any device in a secure and controlled way.

But the purpose of this blog post is to give you my view of this story, and how true the SmartAccess story is. Remember that this is my personal view and that I’ve actually not tested all my theories below so parts of it is purely theoretical at this stage.

So a bit of background first to build my case…

Citrix has been going on about SmartAccess, and it’s been true that the Access Gateway capabilities once added to Web Interface and XenApp/XenDesktop where great in terms of adding another layer of functionality that the IT supplier could use to determine how the XenApp and XenDesktop environments where accessed, and from what type of device. The device detection/classification is done through host checks (Endpoint Analysis Scans, EPA) that the Access Gateway feature provided as a pre- or post-authentication scan. This scan then resulted that either the device met the policies or didn’t, and then this policy could be leveraged by the other internal components (XenApp/XenDesktop) to control/manage which apps, desktops and functionality (virtual channels like printing, drive mapping etc.) that the end-user should get for that specific session.

And this was/is working well for certain scenarios from a technical point of view. But is it really working for the whole story that Citrix and the whole IT-industry is driving now with BYOD etc.? Think about the message that is being pushed out there today, use any device, we can control and deliver according to security policies, we can provide access from anywhere, etc…

And this is where it becomes interesting. All of a sudden then you as an architect are to take this vision that your CIO or IT-board has and realise it into manageable IT services that combined deliver a fully fledged IT delivery of Windows, Internal Web, SaaS, Mobile and Data for this great set of use cases and scenarios. Wow… you’ve got yourself a challenge mate!

This text is from the Citrix homepage about SmartAccess;

SmartAccess allows you to control access to published applications and desktops on a server through the use of Access Gateway session policies. This permits the use of preauthentication and post-authentication checks as a condition for access to published resources, along with other factors. These include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard, client audio, and client printer mapping. Any XenApp or XenDesktop policy can be applied based on whether or not users pass an Access Gateway check.

So let’s start of then with going back to the SmartAccess which is the topic of this blog!

Read more…

#Netscaler authentication based on nested groups

November 28, 2012 Leave a comment

Ok, I have to thank my colleague Roger Eklund for this great post! Check it out if you want to use nested AD groups for AGEE authentication!

So i needed to create an LDAP authentication policy in the Netscaler where the users are divided into different groups (DEPT1, DEPT2, DEPT3), and those groups are themselves inside a group (MAINGRP). So i want to authenticate the users based on nested membership in MAINGRP.

Normally without nested groups you would use a LDAP filter with something like this:

memberOf=CN=DEPT1,OU=users,OU=subou,OU=ou,DC=domain,DC=com

Which would return a result to the Netscaler if the user…

Continue reading here!

//Richard

%d bloggers like this: