Archive
Content Switching instead of Load balancing of XenApp XML brokers? – #XenApp #NetScaler #CS #LB
Ok, I was contacted by another colleague today about a customer and their XenApp load balancing setup. They of course had NetScalers and had read the Citrix guidelines and best practices on how to load balance and monitor XML brokers. But they had the same issue that many have: every time they needed to add a farm to load balance they had to contact the network team, because they needed an IP for each LB vServer per XenApp farm…
And this is not the first time I’ve seen this… why don’t people use Content Switching instead when load balancing their XenApp farms (and other resources as well, of course!)?
This is the Citrix picture on how to do it;
But what I’d do, and recommend, is to use Content Switching (CS) instead. Set up a CS vServer with an IP and an A-record in DNS; in the picture below it’s the one with the bogus IP 10.10.10.10 and the FQDN cs8080.envokeit.local.
Then configure a CNAME alias for each of your farms in DNS, like farm1.envokeit.local that you can see in the picture, and point each CNAME at the CS you just created. Then in the NetScaler you set up your LB vServers just like you’ve always done: create the Service Group, add the correct monitors etc. And remember that in this case the LB vServers don’t need an IP at all. They don’t have to be directly addressable from the network, only reachable through the CS you just set up.
Then on the CS create your policies that switch on the hostname of the incoming request to the respective LB vServer. No more requesting IPs per farm and all of that: one IP and you can support MANY farms…. I just love CS! 🙂
Happy content switching! 😉
//Richard
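As an added example (not from the original post), this is what that design looks like in NetScaler CLI. The CS IP 10.10.10.10, cs8080.envokeit.local and farm1.envokeit.local come from the post; the XML broker IPs 10.20.30.11/.12 and all object names are made-up placeholders.

```nscli
# Non-addressable LB vServer for farm1's XML brokers: IP 0.0.0.0, port 0.
# It gets no IP of its own and is only reachable through the content switch.
add lb vserver lb_farm1_xml HTTP 0.0.0.0 0

# Service group with the farm's XML brokers (placeholder IPs) on the XML port 8080
add serviceGroup sg_farm1_xml HTTP
bind serviceGroup sg_farm1_xml 10.20.30.11 8080
bind serviceGroup sg_farm1_xml 10.20.30.12 8080

# Citrix XML Service monitor: asks the broker to resolve an application,
# so a broker that answers on TCP 8080 but cannot enumerate apps is marked DOWN
add lb monitor mon_farm1_xml CITRIX-XML-SERVICE -application "Notepad"
bind serviceGroup sg_farm1_xml -monitorName mon_farm1_xml
bind lb vserver lb_farm1_xml sg_farm1_xml

# The single addressable entry point: CS vServer on the real IP,
# A-record cs8080.envokeit.local -> 10.10.10.10
add cs vserver cs8080 HTTP 10.10.10.10 8080

# farm1.envokeit.local is a CNAME for cs8080.envokeit.local, so requests to that
# name arrive here; switch on the Host header to farm1's LB vServer
add cs policy cs_pol_farm1 -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"farm1.envokeit.local\")"
bind cs vserver cs8080 -policyName cs_pol_farm1 -targetLBVserver lb_farm1_xml -priority 100

# Adding farm2 later: one new CNAME, one LB vServer, one service group, one CS policy.
# No new IP and no ticket to the network team.
```

Requests whose Host header matches no policy are dropped by the CS vServer unless you bind a default LB vServer, which is a useful way to keep unknown hostnames from reaching any farm.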
#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA
This little blog post is about Citrix SmartAccess. I’ve been a fan of SmartAccess for a long time, and it’s also something that Citrix has been talking a lot about in their story: the way that Citrix technology can provide applications, desktops and information to end-users on any device in a secure and controlled way.
But the purpose of this blog post is to give you my view of this story, and how true the SmartAccess story is. Remember that this is my personal view and that I’ve actually not tested all my theories below, so parts of it are purely theoretical at this stage.
So a bit of background first to build my case…
Citrix has been going on about SmartAccess, and it’s true that the Access Gateway capabilities, once added to Web Interface and XenApp/XenDesktop, were great in terms of adding another layer of functionality that the IT supplier could use to determine how the XenApp and XenDesktop environments were accessed, and from what type of device. The device detection/classification is done through host checks (Endpoint Analysis Scans, EPA) that the Access Gateway feature provided as a pre- or post-authentication scan. The scan then determined whether the device met the policies or not, and that result could be leveraged by the other internal components (XenApp/XenDesktop) to control/manage which apps, desktops and functionality (virtual channels like printing, drive mapping etc.) the end-user should get for that specific session.
And this was/is working well for certain scenarios from a technical point of view. But is it really working for the whole story that Citrix and the whole IT industry are driving now with BYOD etc.? Think about the message that is being pushed out there today: use any device, we can control and deliver according to security policies, we can provide access from anywhere, etc…
And this is where it becomes interesting. All of a sudden then you as an architect are to take this vision that your CIO or IT-board has and realise it into manageable IT services that combined deliver a fully fledged IT delivery of Windows, Internal Web, SaaS, Mobile and Data for this great set of use cases and scenarios. Wow… you’ve got yourself a challenge mate!
This text is from the Citrix homepage about SmartAccess;
SmartAccess allows you to control access to published applications and desktops on a server through the use of Access Gateway session policies. This permits the use of preauthentication and post-authentication checks as a condition for access to published resources, along with other factors. These include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard, client audio, and client printer mapping. Any XenApp or XenDesktop policy can be applied based on whether or not users pass an Access Gateway check.
So let’s start off then by going back to SmartAccess, which is the topic of this blog!
#Netscaler authentication based on nested groups
Ok, I have to thank my colleague Roger Eklund for this great post! Check it out if you want to use nested AD groups for AGEE authentication!
So I needed to create an LDAP authentication policy in the Netscaler where the users are divided into different groups (DEPT1, DEPT2, DEPT3), and those groups are themselves inside a group (MAINGRP). So I want to authenticate the users based on nested membership in MAINGRP.
Normally without nested groups you would use an LDAP filter with something like this:
memberOf=CN=DEPT1,OU=users,OU=subou,OU=ou,DC=domain,DC=com
Which would return a result to the Netscaler if the user…
Continue reading here!
//Richard
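As an added example that is not part of Roger’s post, here is how such a search filter is attached to an LDAP action and policy on the NetScaler. Instead of the flat memberOf filter above it uses Active Directory’s “matching rule in chain” rule (OID 1.2.840.113556.1.4.1941), which the domain controller evaluates recursively, so membership via DEPT1/2/3 inside MAINGRP matches; the DC address, bind account, MAINGRP DN and object names are placeholders.

```nscli
# LDAP action: bind over LDAPS and look the user up by sAMAccountName.
# -searchFilter is ANDed by the NetScaler with the login-name lookup, so the
# filter goes in without surrounding parentheses.
# The :1.2.840.113556.1.4.1941: rule makes AD walk nested group membership,
# i.e. a member of DEPT1 (which is in MAINGRP) passes even though the user's
# own memberOf attribute does not list MAINGRP.
add authentication ldapAction ldap_act_maingrp -serverIP 10.0.0.5 -serverPort 636 -secType SSL -ldapBase "DC=domain,DC=com" -ldapBindDn "CN=svc_ns_ldap,OU=service,DC=domain,DC=com" -ldapBindDnPassword PLACEHOLDER_PASSWORD -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=MAINGRP,OU=groups,DC=domain,DC=com"

# Policy that always applies this action, bound to the AGEE vServer
add authentication ldapPolicy ldap_pol_maingrp ns_true ldap_act_maingrp
bind vpn vserver vpn_vs -policy ldap_pol_maingrp -priority 100

# Compare: the flat filter from the post only matches direct members of DEPT1
# add authentication ldapAction ldap_act_dept1 ... -searchFilter "memberOf=CN=DEPT1,OU=users,OU=subou,OU=ou,DC=domain,DC=com"
```

The chained rule is resolved on the domain controller, so it costs an extra directory walk per logon; on large deep group trees check the LDAP response time before rolling it out to all vServers.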
#NetScaler Master Class Webinar on December 5, 2:00 – 4:00 PM GMT
New Citrix NetScaler Master Class! Join and make your voice heard! 😉
Come and join us for our latest NetScaler Master Class. Go back to basics as well as find out what’s new and what’s coming up soon.
This webinar event provides you the opportunity to learn about the features of the NetScaler, the tips and tricks of configuration and of course, put your questions to the experts. Don’t miss this opportunity to have your say and find out what’s going on in the world of Application Delivery Control in general and NetScaler in particular.
Date: 5th December 2012
Time: 14:00 Hrs GMT (15:00 Hrs CET)
Agenda
- NetScaler “101” – HTTP Callout
- “In the Spotlight” – Command Center
- What’s new – NetScaler products update
- News and Views – What’s going on in the ADC world
- Master Class Extra – Have your say
Read more and register here!
//Richard
Command Center 5.1 Beta – A Complete New Face!
Ok, found another good and interesting blog post from Citrix. Even though this is great and I’ll try it out, I’m still waiting for more from Citrix on end-to-end monitoring and reporting… but let’s give this beta a go! 🙂
In this release, I am thrilled to unveil a new face of Command Center!
Command Center 5.1 brings a fresh new appeal with an absolute user interface revamp. The new UI flaunts more organized and intuitive navigation, which has been introduced with the aim of bringing consistency across all the Citrix networking products.
The 5.1 release adds to Command Center’s analytics streak by introducing AGEE Syslog analytics. It breaks open the Syslogs into meaningful graphs and pie charts, laying out top 10 parameters of SSLVPN usage. The AGEE Syslog analytics answers questions raised around SSLVPN usage which comes across in day to day administration:
- Which are the top user sessions?
- Which are the top ICA application being used?
- Which users are consuming high bandwidth?
- While accessing VPN, which client type amongst ICA, Clientless or Agent has been used most?
- Which users didn’t match EPA scan policies?
- Which users have had the most failed login attempts?
On top of these, it also lets you view the.. continue reading here!
//Richard
Access Gateway Licensing Demystified
Ok, this is a good blog post from Prashant Batra and touches an area that I get so many questions about!
Access Gateway Licensing Demystified
Access Gateway discussed in this blog is the Access Gateway based on NetScaler, which is popularly referred to as Access Gateway Enterprise. Citrix has recently announced End of Life for all non-NetScaler based Access Gateway platforms, which then makes Enterprise edition, the de-facto Access Gateway.
In this blog, we will discuss the two license types used on your Access Gateway appliance, the two kinds of vServers you can set up to leverage these licenses to provide standard / advanced functionalities, and an example scenario towards the end, to help illustrate these concepts in a real scenario.
License Types
Access Gateway is licensed at two levels:
- Platform License
- Universal License
Platform Licenses
Every Access Gateway (VPX/MPX) comes with a… continue reading here!
//Richard
#NetScaler #SDX design and best practise
Ok, I understand that this is something that I’ve touched upon before as well and received some comments on (NetScaler MPX vs. SDX dilemma). But I’ll still continue the reasoning behind why I think that the NetScaler SDX architecture is great, and that it needs to be offered on all the different platforms/appliance types/sizes!
To kick off the reasoning I recommend that you read this post; #NetScaler #AAA on NS 10.00 Build 70.7 = watch out!. When you’ve read both previous posts I hope that you see where I’m now going with all of this…
Just have a look at this picture where I’m trying to illustrate two design options for how you could build your NetScaler service for a tenant;
And if you then keep in mind the AAA bug that caused the whole NetScaler engine to crash, what happens in the top scenario if this VPX had been affected? Think about it if that NetScaler hosted network connectivity to your public cloud services with workloads, all SSL VPN users connected to the enterprise, all ICA/HDX proxy users into XenApp/XenDesktop, and also provided AAA features to the enterprise web apps used by customers and partners etc.? Wow, that would actually mean that one single 401 basic authentication could have taken down EVERYTHING!
But if you had separated your capabilities/features into separate VPXs then you wouldn’t have had that issue. The “only” thing that would have happened if you ran into an issue that caused the NetScaler to crash is that it would only affect that VPX (the AAA VPX in the scenario above).
So my personal view is that it’s great that Citrix provides all the features on one appliance/instance. But it also adds quality and test effort for Citrix to ensure that they test ALL features and functions before releasing a new build. And that may affect the lead time to get fixes and new builds released, and quality may also be impacted… and that’s what I’m afraid is happening. So a little word of advice: separate workloads/features when you can and when you don’t want this big a risk, and pray that Citrix soon delivers the SDX architecture on all appliances! Then they would perhaps not just sell the larger boxes like they force us into today even when the bandwidth capabilities of that box aren’t required, but would instead sell more VPXs on top of the HW. That’s at least what I think.
Comments?
Cheers!
//Richard
#NetScaler #AAA on NS 10.00 Build 70.7 = watch out!
Ok, just received a heads-up from a colleague around a bug on NetScaler for the AAA feature that you should be aware of if thinking of using build 70.7!
AAA Application Traffic
- Issue ID 0319434: If 401 basic authentication is enabled on a load balancing virtual server, and authentication fails either due to invalid credentials or a Kerberos authentication failure, the NetScaler packet engine might crash.
The info received (I’ve not tested it myself but will) is that just one (1) 401 basic authentication attempt is enough to crash the NetScaler engine… so beware and upgrade to 71.6 instead!
Read more of the bug fixes in 71.6 here.
Cheers!
//Richard
#Citrix #XenDesktop Monitoring: Desktop Availability – #EGinnovations #HP #BAC
Ok, this was an interesting blog post from Miguel Contreras. First of all I’d like to thank you Miguel for this post!
You can read the blog post here prior to reading my ramblings… 😉
XenDesktop Monitoring: Desktop Availability
The whole blog post message hits a spot that I know many of our EnvokeIT customers are looking for: AN E2E (END-TO-END) MONITORING CAPABILITY!
Citrix has great products and they work from a technical point of view, but I think that most of the time the development and evolution of the products goes too fast, so that the product teams don’t have time to synchronise how well they work together or what the service provider will need across the products in the stack to deliver a managed IT service!
This blog post really proves it as well… Miguel has developed a PowerShell script that he schedules to run so that he can see in the morning if he can go to work, i.e. if everything is ok with his desktop service (or Windows as a Service (WaaS), as Citrix now talks about this type of service). And is that the way to go? I’m still looking for the E2E monitoring solution from Citrix that can provide real and good facts about how the overall WaaS service performs. Is the NetScaler VIP up, StoreFront, AppController, PVS/MCS, XenServer, the VM, the file server that hosts profiles etc.? It’s only if you get this full picture and these facts that you can say that the WaaS service is available. It doesn’t matter if the desktop is running if the AGEE VIP is down and he/she cannot reach it… or?
If Citrix isn’t getting into the monitoring business then please guide your customers to the partners that do the job, for instance EGinnovations, HP BAC etc.
Yeah yeah… my ramblings are over for tonight and this was not my first complaint about this “service readiness” stamp I’d like to see on enterprise products…
But still = I think no one else right now does the WaaS-job like Citrix!! But they can always improve like all of us! 😉
Cheers!
//Richard
#Citrix #XenClient – Securing External-Facing XenClient Synchronizers with #NetScaler
Ok, an interesting blog post for you out there that are thinking of or already are using XenClient!
One of the key value propositions of XenClient is the remote image and device management capabilities of XenClient Synchronizer, the management server for XenClient devices. Synchronizer enables customers to centrally create, manage and update images for delivery to endpoints where the image executes locally. Synchronizer also enables administrators to specify client side policies and for users to back up their images.
A key use case for these capabilities is centralized image management for mobile users. A common question customers pose when dealing with the issue of mobile users that travel or those that are not located in the office is: what is the best way to expose the Synchronizer to the public Internet? Our response to date has been to offer three options:
Option A: Port Forwarding or forward requests (port 443) from the edge (firewall) to the Synchronizer.
Option B: Put the Synchronizer in the DMZ.
Continue reading here.
//Richard