Citrix released the Citrix NetScaler 10.5, in this blog I will show you how to setup this new NetScaler, including creating and installing a SSL certificate and how to create and configure the Gateway feature. I will also show you the steps that needs to be made within Citrix StoreFront 2.5.2 configuration.
Before starting with the installation and configuration make sure there is a license file for the NetScaler and that there are at least three IP address available for the configuration. The Access Gateway function needs a SSL certificate, make sure you can create a SSL certificate by a Certificate Authority (CA) and that there is an external DNS record in place.
For this blog a used NetScaler VPX for XenServer 10.5 Build 50.9 as source. The steps for downloading and uploading the NetScaler to the hypervisor are not covered in this blog, for these steps see my previous NetScaler blog (click here). Also the steps of how to install Citrix StoreFront are not covered, you can find these steps in my StoreFront blog (click here).
Good news, with NetScaler 10.5 you no longer need java, which is a really big improvement! There are a lot more improvements like a SSL certificate chain check (see later in this blog) and a very improved setup wizard. Let’s get started…
Configuring NetScaler 10.5
After downloading the NetScaler sources from the Citrix site and uploading it to the hypervisor it’s time to walk through the console configuration wizard.
Turn on the NetScaler and open the NetScaler console on the hypervisor. Fill in the following information:
– IPv4 address
– Netmask
– Gateway IPv4 address
– Netmask
– Gateway IPv4 address
Choice option 4 to Save and quit. After that the NetScaler will reboot
After rebooting the NetScaler, open a browser and browse to the NSIP address (management interface IP address) you entered in the previous step. Login with User Name; nsroot and Password;nsroot
Citrix NetScaler 10.5 has a very improved First-time Setup Wizard making it possible to setup the NetScaler in a few clicks. Click on step 2, Subnet IP Address
Good explanation about the subnet IP Address within this wizard, even an infographic is displayed, nice! Fill in the Subnet IP Address and click Done
Click on Step 3 to configure Host Name, DNS IP Address, and Time Zone
Fill in the NetScaler Host Name, the DNS IP Address and the correct Time Zone. Click Done
If you have a license file select Upload licenses files from a local computer and click Browse
After uploading the license file, click Reboot
Create a SSL certificate
The next step is the install the SSL certificate. Browse to Traffic Management > SSL and click onCreate RSA Key
Fill in the following information;
Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Rassphrase: Same as above
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Rassphrase: Same as above
Click on Ok
Click on Create CSR (Certificate Signing Request)
Fill in the following information;
Request File Name: anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Browse to the bottom of the page and fill in the following information;
Country: Your Country
State or Province: You State or Province
Organization Name: The name of your organization
City: Name your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: This is the address the users will type in their browsers
Challenge Password: A password you like
Company Name: Your Company Name
State or Province: You State or Province
Organization Name: The name of your organization
City: Name your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: This is the address the users will type in their browsers
Challenge Password: A password you like
Company Name: Your Company Name
Click OK
To download the request file click on Manage Certificates / Keys / CSRs
Select the request file (in my case this is robinhobocom.txt) and click Download
Open the request file with Notepad and copy all the text. Go to your Certificate Authority (in my case this is Go Daddy) to create the key or re-key an existing certificate by pasting the text from the request file.
After creating the certificate, download it. Select IIS7 as server type
Browse to Traffic Management > SSL > Certificates and click on Install
Fill in a Certificate-Key Pair Name (anything you like). On the right side of the Certificate File Name click the arrow down button and select Local to browse to the downloaded certificate
Browse to the Key File Name (on the appliance), select PEM as Certificate Format. Fill in the password entered when creating the request file and click on Install
After the installation you can see the status and the number of days the certificate expires
Configuring the NetScaler 10.5 Gateway
Under Integrate with Citrix Products, click on XenApp and XenDesktop
The Before you Begin checklist is presented, we have already a server certificate installed, the LDAP authentication server details will be configured during this wizard. Click Get Started
An infographic is displayed with your deployment options, at this point the Single Hop deployment is my only option. Select Storefront as integration point and click Continue
Fill the Virtual Server Name (anything you like), the NetScaler Gateway IP Address, this is the IP address where the outside IP address must point to. Fill in the port number 443 and optionally you can enable the redirect request from port 80 to a secure port. Fill in the address without “https”. Click Continue
Select Use existing certificate, select the certificate that is installed in the previous steps and clickContinue
Citrix NetScaler checks if the certificate chain of the SSL certificate is complete, a really great new feature. In my case the certificate chain is incomplete. NetScaler is displaying the missing parts of the chain that are needed and where to find them!
After installing all the certificates NetScaler displays the Server Certificate including the complete chain.
Scroll down to configure the LDAP configuration. Select Add new server and fill in the following information;
IP Address: The IP Address of a Domain Controller
Port: 389
Base DN: For example DC=RobinHobo,DC=Com
Service account: An account with AD read rights
Server Logon Name Attribute: choose sAMAccountName for XenApp/XenDesktop deployments
Password: The service account password
Confirm Password: same as above
Port: 389
Base DN: For example DC=RobinHobo,DC=Com
Service account: An account with AD read rights
Server Logon Name Attribute: choose sAMAccountName for XenApp/XenDesktop deployments
Password: The service account password
Confirm Password: same as above
Click Continue
An LDAP authentication policy and server are now automatically created
Scroll down to configure the StoreFront server, fill in the following information;
StoreFront FQDN: The FQDN of the StoreFront server
Site Path: The site Path of the Receiver for Web Store URL. For me this is /Citrix/HoboWeb
Single Sign-On Domain: Your internal domain name
StoreName: Your StoreFront storename
Secure Ticket Authority Server: The STA address of your XenApp or XenDesktop controller
Protocol: Protocol used by the server Storefront Server
Storefront Server: IP address of the StoreFront Server
Port: The port number used by StoreFront
Site Path: The site Path of the Receiver for Web Store URL. For me this is /Citrix/HoboWeb
Single Sign-On Domain: Your internal domain name
StoreName: Your StoreFront storename
Secure Ticket Authority Server: The STA address of your XenApp or XenDesktop controller
Protocol: Protocol used by the server Storefront Server
Storefront Server: IP address of the StoreFront Server
Port: The port number used by StoreFront
Optionally you can enable Load Balancing and enter the IP address of the virtual loadbalance server
Click on Continue
To configure your Xen Farm select what you are using, XenApp, XenDesktop or both. Fill in the IP address of the XenApp / XenDesktop Controller server and the used services port. If you want to configure Load Balancing on your controllers select Load Balancing to enter the IP address of the virtual LB server. Click Continue
To apply Optimize TCP Profile Settings, Optimize SSL Quantum Settings, HTTP Caching and HTTP Compression, click Apply
Click OK
To Apply AppFW policies and profiles, click Apply
To apply HDX Insight AppFlow policies, click Apply
Click Done
Optionally you can change the default theme of the NetScaler webinterface, to do so, Browse toNetScaler Gateway > Global Settings and click Change Global Settings
Open the Client Experience tab
Browse to the bottom and select the UI Theme you want. I select the Green Bubble theme because I have the same theme with Storefront. Click OK
Save the configuration and reboot the NetScaler
Configure Storefront 2.5.2 for Remote Access
The final step is to configure Citrix Storefront 2.5.2 for remote access with Citrix NetScaler 10.5. Logon to the Storefront server and open the console.
Browse to Authentication and click on Add/Remove Methods. Make sure you enable Pass-through from NetScaler Gateway and click OK
Go to NetScaler Gateway and click on Add NetScaler Gateway Appliance
Fill in the following information;
Display name: Any name you like
NetScaler Gateway URL: The external URL of the Gateway
Version: 10.0 (Build 69.4) or later
Logon type: Domain
Callback URL: The external URL of the Gateway
NetScaler Gateway URL: The external URL of the Gateway
Version: 10.0 (Build 69.4) or later
Logon type: Domain
Callback URL: The external URL of the Gateway
Click Next
Click Add to add a Secure Ticket Authority (STA)
Add http://<FQDN of XenApp/XenDesktop controller> and click OK
Click Create
Click Finish
Open the Stores page and click on Enable Remote Access
Select No VPN tunnel, select the just created NetScaler Gateway appliance and click OK
At this point everything should be working fine. If you open a browser en browse to the external URL you will see that HTTPS is used and that the certificate icon is displayed
After logon you will see the published Applications and Desktops in the Storefront interface with the same these as the NetScaler Gateway
