Posts Tagged ‘Web Interface’

Choose your #Citrix #NetScaler … wisely… – via @hlouwers

This is a question I get a lot and I must say that Henny Louwers did answer it well in this blog post!

I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.

I decided to set up a blog about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy because there are a lot of questions that need to be answered.

The first thing I would like to get off my chest is the following: Stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense but a Citrix NetScaler solution belongs to the networking department, not the Citrix XenApp sys admin department. Or maybe limited.

That leads me to the first difficult thing of a Citrix NetScaler project. The adoption of the Citrix NetScaler appliances to the networking guys of an organization. They need to embrace the solution to make this a success. For some reason they too see it as a “Citrix” solution. For that reason one of the most important meetings to set up is usually with the networking guys to try to explain the L3-L7 functionality of the Citrix NetScaler solution. When they realize it competes with F5, Juniper, Cisco, etc. then we are on the right track.

NetScaler Gateway or NetScaler Standard Edition

Usually the first question of a customer is regarding something simple like replacing the Remote Access solution. Since the NetScaler is going to be the main platform for publishing Citrix publications a NetScaler Gateway can be considered as a valid option. This is when I tell a customer it would be wise to spend a little extra on the NetScaler Standard Edition since this would leverage the solution by having full load balancing capabilities (among others). When you compare prices between the NetScaler Gateway and NetScaler Standard Edition you will see that the Standard Edition will be somewhat more expensive but I for one think that it is worth the difference given the feature set that comes with the Standard Edition. Of course the NetScaler Gateway can always be upgraded to a NetScaler Standard Edition (or higher) if you will.

Another feature of Citrix NetScaler Standard Edition is the ability to run Citrix Web Interface on the appliance. Honestly, I do think it is not really that important anymore….

Continue reading here

//Richard

Top 10 #CitrixSynergy sessions…watch them today!

Have a look at the 10 most popular Citrix synergy sessions! They are now uploaded and ready for you to see:

  • SYN501: Geek Speak Tonight! (Desktop Virtualization panel) & SYN501 (Mobility panel)
  • SYN415: Advanced best practices for migrating from Web Interface to StoreFront
  • SYN321: Next-generation desktop and app delivery with XenDesktop 7, Microsoft System Center 2012
  • SYN334: What’s new in XenDesktop and XenApp Platinum
  • SYN320: XenDesktop 7: what you should know about FlexCast management architecture and XenApp migration
  • SYN299: One Step Beyond – An audience with the Citrix CTO’s
  • SYN322: XenDesktop 7: reinventing HDX for mobile, 3D graphics and beyond
  • SYN222: Architecting a global XenApp farm with regional users using NetScaler and StoreFront
  • SYN404: Introducing the Citrix Diagnostic Toolkit
  • SYN206: What’s new in ShareFile Enterprise

Continue reading here!

//Richard

Demystifying Citrix Excalibur Architecture – via @kbaggerman

A great blog post by Kees Baggerman! 🙂

For all XenApp admins and consultants out there Project Avalon will bring a big change as we are used to having XenApp servers running on the (what seemed to be) everlasting Citrix Independent Management Architecture and we’re heading to Citrix FlexCast Management Architecture (already included in XenDesktop at this moment) and will be included in the Citrix Excalibur Architecture.

IMA

When looking up IMA in the eDocs you’ll find:

Independent Management Architecture (IMA) is the underlying architecture used in XenApp for configuring, monitoring, and operating all XenApp functions. The IMA data store stores all XenApp configurations.

Basically IMA exists to manage the XenApp or Presentation Server farms by enabling the communications between servers. As stated it transfers information about all XenApp functions like licenses, policies, sessions and server loads. All management tooling within these versions of Citrix’s PS/XA relies on this service for information.

According to Communication ports used by Citrix Technologies IMA uses the following ports:

| Ports | Source | Prot. | Comment |
|---|---|---|---|
| 2512 | Common Citrix Communication Ports | TCP | Independent Management Architecture (IMA) |
| 2513 | Access Gateway 5.0 Controller administration | TCP | IMA-based Communication |

As we can see IMA uses 2512 (by default) to communicate with other servers and the Access Gateway Controller uses 2513 (by default) for IMA-based communication. The port IMA uses can be changed or queried via the command-line tool IMAPORT.

Brian Madden did a blog post way back in 2007 but its definition of IMA is still current:

Independent Management Architecture is:

  • A data store, which is a database for storing MetaFrame XP server configuration information, such as published applications, total licenses, load balancing configuration, MetaFrame XP security rights, and printer configuration.
  • A protocol for transferring the ever-changing background information between MetaFrame XP servers, including server load, current users and connections, and licenses in use

FMA

With the introduction of XenDesktop we got a new architecture called Flexcast Management Architecture. This new architecture has got an agent-based setup where we can install the operating system including the basic applications that need to be installed and after that we can install an agent. This agent registers itself to a controller and is offered through StoreFront to the end user.

This will be delivered by two different types of agents, one to support Windows Server OS’s and one for Windows Desktop OS’s.

Andrew Wood did an article on Excalibur and used this diagram to explain the architecture:

[Figure: Citrix FlexCast Management Architecture]

  • Receiver provides users with self-service access to published resources.
  • StoreFront authenticates users to site(s) hosting resources and manages stores of desktops and applications that users access – Web Interface as a platform is essentially resting, but it will cease to be.
  • Studio is a single management console that enables you to configure and manage your deployment, a dramatic reduction over the 23 consoles you could well have today. Studio provides various wizards to guide you through the process of setting up an environment, creating workloads to host applications and desktops, and assigning applications and desktops to users.
  • Delivery Controller distributes applications and desktops, manages user access, and optimizes…

Continue reading here!

//Richard

Explaining #Citrix Pass-through Authentication

Check out this great blog post from Joel Bejar:

Introduction

Pass-through authentication is a simple concept. User credentials are passed to a Web Interface site and then to the XenApp/XenDesktop servers, preventing users from having to explicitly authenticate at any point during the Citrix application launch process. While this authentication method seems straightforward, there are some moving pieces, and this article aims to break these down to provide a more detailed understanding of how this process truly works within Citrix.

Pass-Through Authentication – Web Interface Site

The first step to the pass-through process occurs at the Web Interface site. Users are able to navigate to the web interface site, and their credentials are passed through and they are presented with their Citrix delivered resources. Web Interface is built on Internet Information Services (IIS). For pass-through authentication to work, IIS Integrated Windows Authentication must be leveraged. Formerly called NTLM, this authentication method hashes the user credentials before they are sent over the network. When this type of authentication is enabled, the client browser proves it is authenticated through a cryptographic exchange with the Web Interface server, involving hashing. Because of this, the web browser is responsible for authenticating with the Web Interface Server (IIS). It is important to note, though, that credentials are actually never exchanged. Instead, the signed hash is provided to IIS, proving that said user had already been authenticated at the Windows desktop. The web interface user uses the user’s AD context (sometimes referred to as a token) to retrieve the user’s AD group membership and pass this list of groups directly to the XML service for authentication. At this point, the user has successfully passed through to the Web Interface site, and can now view his/her Citrix resources.

  • The WI server must be in the same domain as the user, or in a domain that has a trust relationship with domain of the user.
  • If the WI server and user are in different domains, and resources are published using Domain Local AD groups in the user domain, then the WI will not be able to enumerate these, even with a proper AD trust relationship (due to the very nature of Domain Local groups).
  • The WI site should be added as a Trusted Site or Intranet Zone site in Internet Explorer. In addition, the security settings should be modified so that User Authentication\Logon is set to ‘Automatic Logon with Username and Password’.
  • Pass-through authentication is not supported on Web Interface for NetScaler

Please Note: Pass-through authentication and Kerberos authentication are not interchangeable and they have different requirements.

Pass-Through Authentication – XenApp/XenDesktop Session

One of the biggest misconceptions with Pass-Through authentication in Citrix is that it only occurs when a user navigates to the Web Interface site and he/she is automatically passed through. As mentioned above, this IIS authentication method that is being used does not actually exchange the user password. In other words, Web Interface is never in control of the user credentials. This brings up the question: How are users passed through to the actual XenApp/XenDesktop ICA session?

While the web browser has a role in authenticating the user to the web site, the Citrix client (Citrix Receiver) plays an integral role in making sure the user is fully passed through to the application or desktop. Citrix Receiver installs a process called SSONSVR.exe, which is the single sign-on component of the client (no, not password manager SSO, but rather desktop credential pass-through authentication SSO). This process is fully responsible for passing the user credentials to XenApp or XenDesktop. Without this piece, pass-through authentication will not function.

Continue reading here!

//Richard

#Citrix #StoreFront Planning Guide

February 6, 2013 2 comments

Ok, this product has caused some headache since it was released. And I must say that this guide is something that Citrix should have released a long time ago… there are so many companies out there struggling with how to deal with Web Interface being phased out and how/what to do with StoreFront!

So enjoy!

Download StoreFront Planning Guide!

//Richard

Great UI Theme improvement setting – #AccessGateway, #NetScaler, #Citrix

January 14, 2013 1 comment

I must say finally! It’s not 100% yet for everyone out there but it’s a step in the right direction. The NetScaler, Access Gateway, Web Interface, StoreFront and Receiver have not really been in sync when it comes to UI and end-user experience…. But now Citrix has improved it!

Access Gateway is a secure remote access product and hence tends to be the entry point for corporate users, wanting to access their enterprise applications and desktops. Given this, it makes sense for corporates, to try and customize the logon experience on Access Gateway, to match their corporate look and feel.

Access Gateway has always allowed for this customization, though, it’s been somewhat of a tedious process. With the new 10.0.71.6014.e release, we are making an attempt to simplify this experience.

UI Customization on Access Gateway is a multi-step process:

  1. Access the built in theme web pages and customize them, to match the corporate requirements
  2. Apply the modified theme (collection of web pages) at the right location
  3. Modify certain scripts to make this change persistent
  4. Every time the firmware has to be upgraded, take a backup of the customized pages and scripts and re-apply the same after the upgrade.

A quick Google search will give you a number of helpful and very accurate blogs/articles, on how to tweak the web pages to customize and create your corporate look and feel. Some of my favorites are:

With this new release, we have automated all the other steps (i.e. 2-4) for you. Instead of having to worry about how to apply this theme, or having to take backups every time you upgrade, the new release will automatically handle this for you.

To see the new offering in this r…
UI Theme configuration screenshot

Continue reading here!

//Richard

#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront

January 2, 2013 3 comments

Citrix has now released version 3.4 of the Receiver for Mac and Windows, but what is the main added value with this release?

First off, I’d like to ask you to review my previous post where I questioned the Citrix SmartAccess story that I believe is not there end-to-end and that really is a lacking feature for scenarios where you’d for instance want to support more BYOD models etc. You need to determine the person accessing the service and also what type of device it is, trusted or not etc. And in the previous post I argued that Citrix doesn’t deliver according to their SmartAccess story:

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

And for those of you who haven’t read about the new Receiver 11.7 for OS X and 3.4 for Windows, check these posts:

Receiver for Windows 3.4 released

Receiver for Mac 11.7 Released

The table below is from the previous SmartAccess post and my theoretical review right now is that the SmartAccess story for Windows and Mac OS X clients has improved. As you can see in the two rows for Receiver 3.3 and 11.6 where you would access through a Receiver through an AGEE you would NOT be able to perform host checks using the EPA scans.

This was just not possible though the native Receiver didn’t have that capability to trigger the EPA scans. And the EPA plugin itself was not available in the native Receiver on the OS X, it was bundled into the Access Gateway plugin.

| Client | Access method | EPA/Host-check possible on AGEE | Comment |
|---|---|---|---|
| Windows with Citrix Receiver for Windows 3.3 | Receiver 3.3 | NO | You’ll never be able to do host-checks on this device if Receiver access is used due to that the Receiver does not have EPA scan capabilities. |
| Windows with Citrix Receiver for Windows 3.4 | Receiver 3.4 | YES | Now when the Receiver is communicating with the Access Gateway plugin and shares login credentials then you can leverage the AGEE plugin to perform EPA scans and then allow different session policies and profiles depending on the EPA scan result, and at the same time of course also pass that through to StoreFront/WI and into XenApp/XenDesktop. It does however then require that you get the AGEE plugin installed on the devices, which may be another dilemma… |
| OS X with Citrix Receiver for Mac 11.6 | Receiver 11.6 | NO | You’ll never be able to do host-checks on this device if Receiver access is used due to that the Receiver does not have EPA scan capabilities. |
| OS X with Citrix Receiver for Mac 11.7 | Receiver 11.7 | YES | Now when the Receiver is communicating with the Access Gateway plugin and shares login credentials then you can leverage the AGEE plugin to perform EPA scans and then allow different session policies and profiles depending on the EPA scan result, and at the same time of course also pass that through to StoreFront/WI and into XenApp/XenDesktop. It does however then require that you get the AGEE plugin installed on the devices, which may be another dilemma… |

Read more…
