Archive
#Citrix #GSLB blog post – GeoLite City as NetScaler location database
This was a good blog post! I really like GSLB; of course there is functionality you'd like to see advanced etc., but it's great! And this post addresses one topic of it:
You may know this problem: Your boss made you build several data centers around the globe with a bunch of NetScalers in the mix to load balance services across the various locations using GSLB (Global Server Load Balancing). But when it comes to configuring a static proximity geo IP database to help with that not too easy to understand dynamic proximity feature you notice most of these databases are commercial and you are out of budget. Luckily though, there are several free versions of geo IP databases out there, which reportedly work quite well. Before using one of those, you should carefully review the license terms. Some aren’t necessarily free for commercial use…
Moreover, these free versions are very popular, well maintained and were frequently updated (I say were because with the assignment of the last IP block by RIPE earlier in 2012 there shouldn't be too many changes to the databases anymore). So it's fair to say that many of our clients who are using these databases are very satisfied with them.
Why is a database with IP addresses and address blocks necessary for such a setup? GSLB responds to DNS requests for a domain name with an IP address of a member service. Which service IP is returned is dependent on the load-balancing algorithm used, for example least connection, simple round robin or, more commonly used, proximity to the client (or the client's local DNS to be precise). For proximity based GSLB, when a client sends a DNS request, the system determines the best suitable site…
Continue reading here!
//Richard
HEADS UP!!! No #Citrix #Receiver in App Store – Where is Receiver for iOS?
Wow!! Not that good!
See this Citrix Blog for additional info and hopefully they’ll post updates on the issue there as well…
Receiver for iOS version 5.6.3 was released on November 28th into the App Store. On release, several customers reported an issue found only in the published release. The Citrix engineering team is researching the issue, working with the Apple team.
To limit the exposure to the customer base, the Receiver for iOS is temporarily removed from the App Store.
Please watch here for updated information.
Thank you for your feedback and patience while we resolve this issue and repost to the App Store.
Continue reading here!
//Richard
Content Switching instead of Load balancing of XenApp XML brokers? – #XenApp #NetScaler #CS #LB
Ok, I was contacted by another colleague today, again about a customer and their setup of XenApp load balancing. They of course had NetScalers and had read the guidelines and best practices from Citrix on how to do load balancing and monitoring of XML brokers. But they had the same issue that many have: they had to contact the network team when they needed to add farms that they should load balance, and they needed an IP for each LB vServer per XenApp farm…
And this is not the first time I've seen this… why don't people use Content Switching instead when doing load balancing of their XenApp farms (and other resources as well of course!)?
This is the Citrix picture on how to do it;
But what I'd do and recommend instead is to use Content Switching (CS). Set up a CS vServer with an IP and an A-record in DNS; in the picture below it's the one with the bogus IP 10.10.10.10 and the FQDN cs8080.envokeit.local.
Then configure a CNAME alias for each of your farms in DNS, like farm1.envokeit.local that you can see in the picture, and make each CNAME an alias of the CS you just created. Then in the NetScaler you set up your LB vServers just like you've always done, create the Service Group and add the correct monitors etc. to it. And remember that in this case you don't have to set an IP on the LB vServers; they don't have to be directly addressable from the network, only through the CS you just set up.
Then on the CS create your policies that switch on the hostname of the incoming requests to the respective LB vServer. No more requesting IPs per farm and all of that: one IP and you can support MANY farms…. I just love CS! 🙂
Happy content switching! 😉
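The design above as NetScaler CLI, an added example that is not from the original post. The CS IP and FQDNs are the ones in the text; the XML broker IPs, object names and the monitored application are assumed placeholders.

```text
# 1. LB vServer per farm, non-addressable (IP 0.0.0.0, port 0): reachable only via the CS vServer
add serviceGroup sg_farm1_xml HTTP
bind serviceGroup sg_farm1_xml 10.0.1.11 8080        # assumed XML broker 1 of farm1
bind serviceGroup sg_farm1_xml 10.0.1.12 8080        # assumed XML broker 2 of farm1
add lb monitor mon_xml_farm1 CITRIX-XML-SERVICE -application "Notepad"   # app name assumed
bind serviceGroup sg_farm1_xml -monitorName mon_xml_farm1
add lb vserver lb_farm1_xml HTTP 0.0.0.0 0 -lbMethod LEASTCONNECTION
bind lb vserver lb_farm1_xml sg_farm1_xml
# ... repeat the block above for farm2, farm3: no new IP needed for any of them

# 2. The one addressable object: cs8080.envokeit.local -> A 10.10.10.10
add cs vserver cs8080 HTTP 10.10.10.10 8080

# 3. Switch on the Host header. farm1.envokeit.local is a DNS CNAME for cs8080.envokeit.local,
#    so the client resolves the CS IP but still sends "Host: farm1.envokeit.local[:8080]".
#    HOSTNAME.SERVER strips a trailing ":port" so the match does not depend on it.
add cs policy cs_pol_farm1 -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"farm1.envokeit.local\")"
bind cs vserver cs8080 -policyName cs_pol_farm1 -targetLBVserver lb_farm1_xml -priority 100
# Add one policy + bind per farm; a request whose Host matches no policy is refused
# unless you deliberately bind a default LB vServer (bind cs vserver cs8080 -lbvserver <lb>).
```

The monitors still run against each farm's brokers even though the LB vServers have no IP, so per-farm health is unchanged; only the network-facing surface shrinks to a single IP and port.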
//Richard
#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA
This little blog post is about Citrix SmartAccess. I’ve been a fan of SmartAccess for a long time, and it’s also something that Citrix has been talking a lot about in their story. The way that Citrix technology can provide applications, desktops and information to end-users on any device in a secure and controlled way.
But the purpose of this blog post is to give you my view of this story, and how true the SmartAccess story is. Remember that this is my personal view and that I’ve actually not tested all my theories below so parts of it is purely theoretical at this stage.
So a bit of background first to build my case…
Citrix has been going on about SmartAccess, and it's true that the Access Gateway capabilities, once added to Web Interface and XenApp/XenDesktop, were great in terms of adding another layer of functionality that the IT supplier could use to determine how the XenApp and XenDesktop environments were accessed, and from what type of device. The device detection/classification is done through host checks (Endpoint Analysis Scans, EPA) that the Access Gateway feature provides as a pre- or post-authentication scan. The scan results in the device either meeting the policies or not, and that result can then be leveraged by the other internal components (XenApp/XenDesktop) to control/manage which apps, desktops and functionality (virtual channels like printing, drive mapping etc.) the end-user gets for that specific session.
And this was/is working well for certain scenarios from a technical point of view. But is it really working for the whole story that Citrix and the whole IT industry are driving now with BYOD etc.? Think about the message that is being pushed out there today: use any device, we can control and deliver according to security policies, we can provide access from anywhere, etc…
And this is where it becomes interesting. All of a sudden then you as an architect are to take this vision that your CIO or IT-board has and realise it into manageable IT services that combined deliver a fully fledged IT delivery of Windows, Internal Web, SaaS, Mobile and Data for this great set of use cases and scenarios. Wow… you’ve got yourself a challenge mate!
This text is from the Citrix homepage about SmartAccess;
SmartAccess allows you to control access to published applications and desktops on a server through the use of Access Gateway session policies. This permits the use of preauthentication and post-authentication checks as a condition for access to published resources, along with other factors. These include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard, client audio, and client printer mapping. Any XenApp or XenDesktop policy can be applied based on whether or not users pass an Access Gateway check.
So let's start off then by going back to SmartAccess, which is the topic of this blog!
#Netscaler authentication based on nested groups
Ok, I have to thank my colleague Roger Eklund for this great post! Check it out if you want to use nested AD groups for AGEE authentication!
So I needed to create an LDAP authentication policy in the Netscaler where the users are divided into different groups (DEPT1, DEPT2, DEPT3), and those groups are themselves inside a group (MAINGRP). So I want to authenticate the users based on nested membership in MAINGRP.
Normally without nested groups you would use an LDAP filter with something like this:
memberOf=CN=DEPT1,OU=users,OU=subou,OU=ou,DC=domain,DC=com
Which would return a result to the Netscaler if the user…
Continue reading here!
//Richard
Heads up – Potential #StoreFront and .NET Security update KB2729452 issue – #Citrix, #StoreFront, #CloudGateway
Heads up out there! I’ve not verified this myself but it’s worth ensuring that you plan for an uninstallation in the event it’s true!
Command Center 5.1 Beta – A Complete New Face!
Ok, found another good and interesting blog post from Citrix. Even though this is great and I'll try it out, I'm still awaiting more from Citrix on end-to-end monitoring and reporting… but let's give this beta a go! 🙂
This release, I am thrilled to unveil a new Face of Command Center!
Command Center 5.1 brings a fresh new appeal with an Absolute User Interface revamp. The new UI flaunts more organized and intuitive navigation which has been introduced with the aim to bring consistency across all the Citrix networking products.
The 5.1 release adds to Command Center’s analytics streak by introducing AGEE Syslog analytics. It breaks open the Syslogs into meaningful graphs and pie charts, laying out top 10 parameters of SSLVPN usage. The AGEE Syslog analytics answers questions raised around SSLVPN usage which comes across in day to day administration:
- Which are the top user sessions?
- Which are the top ICA applications being used?
- Which users are consuming high bandwidth?
- While accessing VPN, which client type amongst ICA, Clientless or Agent has been used most?
- Which users didn’t match EPA scan policies?
- Which users have had the most failed login attempts?
On top of these, it also lets you view the.. continue reading here!
//Richard
Access Gateway Licensing Demystified
Ok, this is a good blog post from Prashant Batra and touches an area that I get so many questions about!
Access Gateway Licensing Demystified
Access Gateway discussed in this blog is the Access Gateway based on NetScaler, which is popularly referred to as Access Gateway Enterprise. Citrix has recently announced End of Life for all non-NetScaler based Access Gateway platforms, which then makes Enterprise edition, the de-facto Access Gateway.
In this blog, we will discuss the two license types used on your Access Gateway appliance, the two kinds of vServers you can set up to leverage these licenses to provide standard / advanced functionalities, and an example scenario towards the end, to help illustrate these concepts in a real scenario.
License Types
Access Gateway is licensed at two levels:
- Platform License
- Universal License
Platform Licenses
Every Access Gateway (VPX/MPX) comes with a… continue reading here!
//Richard
#NetScaler #SDX design and best practice
Ok, I understand that this is something that I've touched upon before as well and received some comments on (NetScaler MPX vs. SDX dilemma). But I'll still continue the reasoning behind why I think that the NetScaler SDX architecture is great, and that it needs to be offered on all the different platforms/appliance types/sizes!
To kick off the reasoning I recommend that you read this post; #NetScaler #AAA on NS 10.00 Build 70.7 = watch out!. When you’ve read both previous posts I hope that you see where I’m now going with all of this…
Just have a look at this picture where I’m trying to illustrate two design options for how you could build your NetScaler service for a tenant;
And if you then keep in mind the AAA bug that caused the whole NetScaler engine to crash, what happens in the top scenario if this VPX had been affected? Think about it if that NetScaler hosted network connectivity to your public cloud services with workloads, all SSL VPN users connected to the enterprise, all ICA/HDX proxy users into XenApp/XenDesktop, and also provided AAA features to the enterprise web apps used by customers and partners etc.? Wow, that would actually mean that one single 401 basic authentication could have taken down EVERYTHING!
But; if you would have separated your capabilities/features into separate VPX’s then you wouldn’t have had that issue. The “only” thing that would have happened if you ran into an issue that caused the NetScaler to crash then it would only affect that VPX (AAA VPX in the scenario above).
So my personal view is that it's great that Citrix provides all the features on one appliance/instance. But it also adds quality and test effort on Citrix to ensure that they test ALL features and functions before releasing a new build. That may affect the lead time to get fixes and new builds released, and quality may also be impacted… and that's what I'm afraid is happening. So a little word of advice: separate workloads/features when you can and when you don't want this big a risk, and pray that Citrix soon delivers the SDX architecture on all appliances! Then they would perhaps not just sell the larger boxes like they force us into today, even when the bandwidth capabilities of that box aren't required. Instead they would sell more VPXs on top of the HW; that's at least what I think.
Comments?
Cheers!
//Richard
#NetScaler #AAA on NS 10.00 Build 70.7 = watch out!
Ok, just received a heads-up from a colleague around a bug on NetScaler for the AAA feature that you should be aware of if thinking of using build 70.7!
AAA Application Traffic
- Issue ID 0319434: If 401 basic authentication is enabled on a load balancing virtual server, and authentication fails either due to invalid credentials or a Kerberos authentication failure, the NetScaler packet engine might crash.
The info received (I've not tested it myself but will) is that just one (1) failed 401 basic authentication is enough to crash the NetScaler packet engine… so beware and upgrade to 71.6 instead!
Read more of the bug fixes in 71.6 here.
Cheers!
//Richard