Archive

Posts Tagged ‘gateway’

#Citrix #NetScaler Traffic Domains ins and outs – via @barryschiffer

January 23, 2014

Another great blog post by Barry!!! Keep up the great work!!

Citrix NetScaler Traffic Domains are a way of segmenting network traffic for different applications or even tenants. You are able to use a traffic domain to create fully isolated network environments on a single NetScaler instance. An instance is a single appliance or a HA setup of two appliances.

Citrix NetScaler Traffic Domains were introduced with NetScaler 10.0. At first NetScaler Traffic Domains started as a somewhat hidden feature which you could only configure by CLI. As of version 10.1 Traffic Domains are fully configurable in the NetScaler GUI which makes it a lot simpler to use.

In a way NetScaler Traffic Domains could compete with the NetScaler SDX platform. With Traffic Domains we segment networks on a single NetScaler instance instead of the SDX where we create a virtual appliance per network segment. 

A downside of using NetScaler Traffic Domains is the fact that some features are only supported for usage inside of Traffic Domain 0. Traffic Domain 0 is the default Traffic Domain; all services run inside Traffic Domain 0 unless explicitly specified.
Examples of unsupported features are NetScaler Management and NetScaler Gateway. For a complete list of supported features follow this link.
For unsupported features for which you need isolation you have two options: NetScaler SDX or additional NetScaler appliances (virtual or physical).

My expectations are that we will see more and more features being supported on NetScaler Traffic Domains. An amazing feature would be to enable management functionality on Traffic Domains where you would only be able to manage or create services assigned to that Traffic Domain. This would be especially useful for multi-tenancy or multi management in situations where for example one team manages Mobility and one team manages a web application.

A few use cases Citrix describes for NetScaler Traffic Domains:

  • Use of duplicate IP addresses
  • Use of duplicate NetScaler entities
  • Multi Tenancy

A use case I’m actually using NetScaler Traffic Domains for is the ability to deliver services in a DMZ as well as an internal network.
Internal Network services like Microsoft Exchange Client Access Services and Microsoft App-V are heavy on traffic and I don’t like those services traversing the firewall in the DMZ. This also works great combined with Direct Server Return (DSR) which is blocked by most firewalls. Check out more on DSR combined with App-V on this article by Ingmar Verheij.

Read more…

#Microsoft Desktop Hosting Reference Architecture Guides

October 28, 2013

Wow, these are some compelling guides that Microsoft delivered!! Have a look at them! But of course there’s always something more U want! Let Service Providers provide DaaS services based on client OS’s as well!!!

Microsoft has released two papers related to Desktop Hosting. The first is called “Desktop Hosting Reference Architecture Guide” and the second is called “Windows Azure Desktop Hosting Reference Architecture Guide”. Both documents provide a blueprint for creating secure, scalable, multi-tenant desktop hosting solutions using Windows Server 2012 and System Center 2012 SP1 Virtual Machine Manager or using Windows Azure Infrastructure Services.

The documents are targeted to hosting providers which deliver desktop hosting via the Microsoft Service Provider Licensing Agreement (SPLA). Desktop hosting in this case is based on Windows Server with the Windows Desktop Experience feature enabled, and not Microsoft’s client Operating Systems like Windows 7 or Windows 8.

For some reason, Microsoft still doesn’t want service providers to provide Desktops as a Service (DaaS) running on top of a Microsoft Client OS, as outlined in the “Decoding Microsoft’s VDI Licensing Arcanum” paper which virtualization.info covered in September this year.

The Desktop Hosting Reference Architecture Guide provides the following sections:

  • Desktop Hosting Service Logical Architecture
  • Service Layer
    • Tenant Environment
    • Provider Management and Perimeter Environments
  • Virtualization Layer
    • Hyper-V and Virtual Machine Manager
    • Scale-Out File Server
  • Physical Layer
    • Servers
    • Network
  • Tenant On-Premises Components
    • Clients
    • Active Directory Domain Services


The Windows Azure Desktop Hosting Reference Architecture covers the following topics:

How to: #Citrix #XenMobile 8.5 MAM upgrade! Part 2 – #StoreFront, #AppController, #NetScaler

September 9, 2013

Hi again!

If you haven’t read Part 1 then I highly recommend doing so prior to going directly to the upgrade that we’re covering in this post!

Prepare for a journey in this post about Citrix StoreFront upgrade, uninstallation, console and how messy it could be! NOT all the time, sometimes it “just works”! 😉

My little NetScaler is already upgraded to 10.1 so unfortunately I couldn’t take you on that journey as well, so we’ll start with the StoreFront upgrade from 1.2 to 2.0 in this post. These are the steps that we need to cover as highlighted in the migration guide that seems very short and straight forward:

Upgrade StoreFront 1.2 to 2.0.

  1. Logon to the StoreFront server console.
  2. Upgrade StoreFront by running the StoreFront 2.0 installer as an administrator.
  3. When the upgrade is completed, open StoreFront administration snap-in, remove CloudGateway controller from each store as this will be moved in the migration solution.
  4. Open NetScaler Gateway Properties and, for each gateway defined, change the version field in settings from 9.x to 10.0.x or later.
  5. Test the configuration by logging on through web browser or Citrix Receiver.
  6. Verify if the users are able to login and authenticate to StoreFront defined stores configured.

Is it this easy?

Ok, I’ve downloaded the 2.0 installer, and I’m logged on to the server.

Before we even start the upgrade there are things that could go wrong in removal or upgrades of StoreFront. And one that I’ve seen cause a lot of headache for a lot of people out there is that they have the Windows Firewall service disabled. Because the installation and removal want to delete or add these rules, the installation will fail unless this service is running. In the picture below you can see the FW rule added in StoreFront 1.2:

Windows_FW_Rules_SF1

So let’s verify that the Windows FW service is started, and it is!

Windows_FW_SVC_started

I’ll now start the installation by double-clicking the StoreFront 2.0 installer!

StoreFront_2_0_Installer

What is this popup that came directly after starting the installer?

Receiver_HTML5_popup_installation

Wait, ok so you guys at Citrix couldn’t ask me whether you could do this for me? My plan is to upgrade, so please just add a little step in your upgrade program that does this for me… change request #1 for the next SF release and its upgrade process! Verify pre-requisites or deal with them!

Read more…

Choose your #Citrix #NetScaler … wisely… – via @hlouwers

This is a question I get a lot and I must say that Henny Louwers did answer it well in this blog post!

I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.

I decided to set up a blog about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy because there are a lot of questions that need to be answered.

The first thing I would like to get off my chest is the following: Stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense but a Citrix NetScaler solution belongs to the networking department, not the Citrix XenApp sys admin department. Or maybe limited.

That leads me to the first difficult thing of a Citrix NetScaler project. The adoption of the Citrix NetScaler appliances to the networking guys of an organization. They need to embrace the solution to make this a success. For some reason they too see it as a ‘’Citrix’’ solution. For that reason one of the most important meetings to setup is usually with the networking guys to try to explain the L3-L7 functionality of the Citrix NetScaler solution. When they realize it competes with F5, Juniper, Cisco, etc then we are on the right track.

NetScaler Gateway or NetScaler Standard Edition

Usually the first question of a customer is regarding something simple like replacing the Remote Access solution. Since the NetScaler is going to be the main platform for publishing Citrix publications a NetScaler Gateway can be considered as a valid option. This is when I tell a customer it would be wise to spend a little extra on the NetScaler Standard Edition since this would leverage the solution by having full load balancing capabilities (among others). When you compare prices between the NetScaler Gateway and NetScaler Standard Edition you will see that the Standard Edition will be somewhat more expensive but I for one think that it is worth the difference given the feature set that comes with the Standard Edition. Of course the NetScaler Gateway can always be upgraded to a NetScaler Standard Edition (or higher) if you will.

Another feature of Citrix NetScaler Standard Edition is the ability to run Citrix Web Interface on the appliance. Honestly, I do think it is not really that important anymore….

Continue reading here

//Richard

#Citrix Knowledge Center Top 10 – March 2013

Citrix Support is focused on ensuring Customer and Partner satisfaction with our products.

One of our initiatives is to increase the ability of our Partners and Customers to leverage self-service avenues via our Knowledge Center.

Find below the Citrix Knowledge Center Top 10 for March 2013.

Top 10 Technical Articles

Article Number Article Title
CTX129229 Recommended Hotfixes for XenApp 6.0 and Later on Windows Server 2008 R2
CTX129082 Application Launch Fails with Web Interface using Internet Explorer 9
CTX804493 Users Prompted to Download ICA File, Launch.ica, Instead of Launching the Connection
CTX132875 Citrix Receiver Error 2320
CTX105793 Error: Cannot connect to the Citrix server. Protocol Driver Error
CTX127030 Citrix Guidelines for Antivirus Software Configuration
CTX115637 Citrix Multi-Monitor Configuration Settings and Reference
CTX133997 Citrix Receiver 3.x – Issues Fixed in This Release
CTX325140 Manually and Safely Removing Files after Uninstalling the Receiver for Windows
CTX101644 Seamless Configuration Settings

Top 10 Whitepapers

Article Number Article Title
CTX131577 XenApp 6.x (Windows 2008 R2) – Optimization Guide
CTX132799 XenDesktop and XenApp Best Practices
CTX101997 Citrix Secure Gateway Secure Ticket Authority Frequently Asked Questions
CTX136546 Citrix Virtual Desktop Handbook 5.x
CTX136547 StoreFront Planning Guide
CTX133185 Citrix CloudGateway Express 2.0 – Implementation Guide
CTX129761 XenApp Planning Guide – Virtualization Best Practices
CTX134081 Planning Guide – Citrix XenApp and XenDesktop Policies
CTX130888 Technical Guide for Upgrading/Migrating to XenApp 6.5
CTX122978 XenServer: Understanding Snapshots

Top 10 Hotfixes

Article Number Article Title
CTX136714 Hotfix XS61E016 – For XenServer 6.1.0
CTX132122 Hotfix Rollup Pack 1 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2
CTX126653 Citrix Online Plug-in 12.1.44 for Windows with Internet Explorer 9 Support
CTX136483 Hotfix XS61E014 – For XenServer 6.1.0
CTX133882 Hotfix Rollup Pack 2 for Citrix XenApp 6 for Microsoft Windows Server 2008 R2
CTX133066 12.3 Online Plug-In – Issues Fixed in This Release
CTX136253 Hotfix XS61E010 – For XenServer 6.1.0
CTX136482 Hotfix XS61E013 – For XenServer 6.1.0
CTX136085 Hotfix XA650R01W2K8R2X64061 – For Citrix XenApp 6.5
CTX136674 Hotfix XS61E012 – For XenServer 6.1.0

Top 10 Presentations

Article Number Article Title
CTX135521 TechEdge Barcelona 2012 PowerPoint and Video Presentations – Reference List
CTX129669 TechEdge 2011 – Overview of XenServer Distributed Virtual Switch/Controller
CTX121090 Planning and implementing a Provisioning Server high availability (HA) solution
CTX133375 TechEdge 2012 PowerPoint and Video Presentations – Reference List
CTX135356 TechEdge Barcelona 2012 – Understanding and Troubleshooting ICA Session Initialisation
CTX135358 TechEdge Barcelona 2012 – XenDesktop Advanced Troubleshooting
CTX133374 TechEdge 2012 – Monitoring your NetScaler Traffic with AppFlow
CTX135361 Troubleshooting Tools: How to Isolate and Resolve Issues in your XA and XD Env Rapidly
CTX135360 TechEdge Barcelona 2012 – Planning, Implementing and Troubleshooting PVS 6.x
CTX135357 TechEdge Barcelona 2012 – Implementing and Troubleshooting SF and Rec for Windows

Top 10 Tools

Article Number Article Title
CTX122536 Citrix Quick Launch
CTX135075 Citrix Diagnostics Toolkit – 64bit Edition
CTX130147 Citrix Scout
CTX111961 CDFControl
CTX106226 Repair Clipboard Chain 2.0.1
CTX109374 StressPrinters 1.3.2 for 32-bit and 64-bit Platforms
CTX124406 StressPrinters 1.3.2 for 32-bit and 64-bit Platforms
CTX113472 Citrix ICA File Creator
CTX123278 XDPing Tool

Continue reading here!

//Richard

How to check which #NetScaler policy that your #Citrix #Receiver or web browser hits?

April 18, 2013

Ok, this is a common issue that you’ll end up in when setting up Access Gateway access scenarios:

How do you know which policy is hit when your different Receivers are logging in?

Well, there are a couple of nice commands that can help you troubleshoot your access scenario! I guess that most of you have a simple scenario where you have one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, and they are all linked to the virtual server, something like this simple example:

AG_vServer_VIP

But in more complex scenarios you may end up controlling which browser the user is accessing with (for giving nice error messages instead of Citrix default messages when users may use an unsupported browser etc.), or when you have multiple AD domains and AD groups to link different policies to etc. Then it may be complex and you have multiple policies and profiles for the same config with minor changes like the SSO domain name etc. So how do you then troubleshoot that easily?

First we have the must know command that hooks into the auth process of the NetScaler and gives you a view of the authentication process:

cat /tmp/aaad.debug

When you run that and you authenticate you’ll see the result of your auth process against, for instance, LDAP and RADIUS sources, like the result here when I logged in to our little environment:

aaad_debug_output

At the top of the output you see all the AD groups that I’m a member of, which need to match the group that you like to use on the NetScaler side, and last you see the accept from AD for my authentication request.

Then you know that you’re authenticating OK, but which of the session policies are we hitting? Then you need to have a look at this great command:

nsconmsg -d current -g pol_hits

This is the output when I access using my Receiver on OS X:

nsconmsg_policy_hit

Read more…

Configuring Email-Based Account Discovery for #Citrix #Receiver

Check out this great blog post from Avinash Golusula:

Configuring Email-Based Account Discovery

1 Add DNS Service Location (SRV) record to enable email-based discovery

During initial configuration, Citrix Receiver can contact Active Directory Domain Name System (DNS) servers to obtain details of the stores available for users. This means that users do not need to know the access details for their stores when they install and configure Citrix Receiver. Instead, users enter their email addresses and Citrix Receiver contacts the DNS server for the domain specified in the email address to obtain the required information.

To enable Citrix Receiver to locate available stores on the basis of users’ email addresses, configure Service Location (SRV) locator resource records for Access Gateway or StoreFront/AppController connections on your DNS server. If no SRV record is found, Citrix Receiver searches the specified domain for a machine named “discoverReceiver” to identify a StoreFront/AppController server.

You must install a valid server certificate on the Access Gateway appliance and StoreFront/AppController server to enable email-based account discovery. The full chain to the root certificate must also be valid. For the best user experience, install either a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain, or a wildcard certificate for the domain containing your users’ email accounts.

To allow users to configure Citrix Receiver by using an email address, you need to add a SRV record to your DNS zone.

  • Log in to your DNS server
  • In DNS > Right-click your Forward Lookup Zone
  • Click on Other New Records
  • Scroll down to Service Location (SRV)
  • Choose Create Record
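
An offline pre-flight check for the lookup order and certificate requirement described above, added here as an example; it is not code from the original post or from Citrix. Assumptions: the SRV owner label `_citrixreceiver._tcp` is taken from Citrix's documentation rather than this excerpt, port 443 is assumed for the fallback host, the function names are hypothetical, and the example.com records and certificate names are constructed sample data.

```python
# Added example: offline pre-flight check for email-based account discovery.
SRV_LABEL = "_citrixreceiver._tcp"   # assumption: label from Citrix's docs, not this excerpt
FALLBACK_HOST = "discoverReceiver"   # fallback machine name quoted in the post


def discovery_target(email, srv_records):
    """Return (host, port, source) Receiver would be pointed at for this email.

    srv_records maps SRV owner names to (target, port), e.g. exported from the zone.
    """
    if email.count("@") != 1 or not email.split("@")[1]:
        raise ValueError(f"not an email address: {email!r}")
    domain = email.split("@")[1].lower().rstrip(".")
    # DNS names are case-insensitive and may carry a trailing dot: normalise both.
    records = {k.lower().rstrip("."): v for k, v in srv_records.items()}
    hit = records.get(f"{SRV_LABEL}.{domain}")
    if hit:
        return hit[0].lower().rstrip("."), hit[1], "srv"
    # No SRV record: fall back to discoverReceiver.<domain> (port 443 assumed).
    return f"{FALLBACK_HOST}.{domain}".lower(), 443, "fallback"


def name_matches(pattern, host):
    """TLS-style name match: a leading '*' covers exactly one label, never more."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])


def check_discovery(email, srv_records, cert_names):
    """Report whether the certificate names cover the hosts discovery relies on."""
    host, port, source = discovery_target(email, srv_records)
    discover = f"{FALLBACK_HOST}.{email.split('@')[1]}".lower().rstrip(".")

    def covers(name):
        return any(name_matches(c, name) for c in cert_names)

    return {"target": f"{host}:{port}", "source": source,
            "target_name_ok": covers(host), "discover_name_ok": covers(discover)}


# Constructed sample data: one SRV record and a wildcard certificate for example.com.
SAMPLE_SRV = {"_citrixreceiver._tcp.example.com": ("gateway.example.com.", 443)}
SAMPLE_CERT_NAMES = ["*.example.com"]

if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@emea.example.com"):
        print(addr, check_discovery(addr, SAMPLE_SRV, SAMPLE_CERT_NAMES))
```

The second sample address shows the case that is easy to miss: users whose mail domain is a subdomain get neither the parent zone's SRV record nor coverage from its single-label wildcard certificate.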