
NetScaler Access Gateway

Enterprise Edition Training


May 2011

Training Goals
Learn AGEE as it pertains to XenApp / XenDesktop
Implement VPX in small/lab environments
Provide Hands-on Experience
Installation Procedures
Consoles & Initial Admin Tasks
Integration with XA

Communicate Consulting Best Practices


IA Topics
Design Principles
Citrix Confidential - Do Not Distribute

Agenda (1 of 2)
Training Goals
NetScaler Types
Architecture & Deployment Options
Administration Overview
Load Balancing


Agenda (2 of 2)
Access Gateway & XenApp Integration
Global Server Load Balancing
Web Interface on NetScaler
NS Best Practices
Access Gateway VPX


NetScaler Hardware and Features

NetScaler Hardware
MPX 5500
MPX 7500 and MPX 9500
MPX 10500/12500/15500

MPX 17500/19500/21500

VPX

Differences Between MPX and VPX


Three main differences exist between NS MPX and VPX:
System capacity
Performance
Tagged VLAN Configuration

NetScaler VPX system capacity:
No hardware SSL acceleration
Processing not offloaded to dedicated silicon


When to Use Which?

NetScaler Appliances:
Gig+ performance
High volume SSL Offload
>100 SSL VPN CCUs
FIPS requirements
Physical device security

NetScaler VPX:
Labs/test environments
Development environments
Datacenter-in-a-box
CPU-intensive workloads
Frequently moved apps
Fast/remote deployment

NetScaler SDX Announcing at Synergy


Instances, not partitions
Complete CPU isolation
Complete memory isolation
Version independence
High availability independence
Lifecycle independence

Introducing NetScaler SDX

NetScaler MPX 21500

50 Gb/s
Single VIP

NetScaler SDX 21500

50 Gb/s
16 instances
Up to 18Gbps per instance
8M packets/second

NetScaler Features


ICA Proxy for All


NetScaler MPX
NetScaler VPX
Access Gateway Enterprise Edition
Access Gateway Standard Edition
Access Gateway VPX
Secure Gateway

~10 Steps to Typical AGEE


1. IP & Routing
2. Licensing
3. HA
4. Authentication
5. Authorization
6. Certificates
7. Web Interface
8. SSL VPN
9. Session Policies
10. Logging & Monitoring

Architecture & Deployment Options

Deployment Options
AG in a Secure Network
AG in DMZ with WI
WI behind AG
AG parallel to WI
AG in DMZ with WI internally

AG in Double-Hop


Physical Deployment Modes


One-Arm

One interface, no risk of bridge loops


Can utilize LANs with 802.1q tagging
Can utilize Link Aggregation to satisfy bandwidth requirements


Physical Deployment Modes


Two-Arm

Accommodates topologies in situations where one-armed does not


Allows layer 3 (routed) deployments with split subnets (as shown)
Allows layer 2 (bridged) deployments with one subnet on both sides


NetScaler Terms
NetScaler IP (NSIP): Management IP
Mapped IP (MIP): Used for server-side connections; replaces the source IP with the MIP
Subnet IP (SNIP): Same as a MIP. SNIPs were introduced in newer releases of code.
Virtual IP (VIP): IP address associated with a Virtual Server


Administration Overview

GUI / CLI
Access the GUI by going to NSIP
Access the CLI through SSH client (PuTTY)
Access file system through SFTP client (WinSCP)


Key CLI Commands


> show run
> show route
> show ns feature
> show ns mode
> show ha node
> show license

Running Config, Saved Config


ns.conf loaded on startup
Changes reflected in running config
Changes must be committed to the saved config


Lab 1 VPX Initial Configuration


Objectives:
Import VPX
Configure IP and Licensing
Configure HA
Run basic CLI commands

Lab 1 Discussion
What items need to be planned in advance for a NS VPX POC?


Load Balancing

Load Balancing Primer


Servers, Services, vServers, Monitors
Load Balancing applies to TCP or UDP and HTTP/HTTPS
A load balancing virtual server is bound to services ("listeners" on ports)


LB Methods
Least Connections (default)
Round Robin
Weighted Round Robin
Least Response Time
Least Bandwidth
Least Packets
LRTM
URL Hash
Domain Name Hash
Source IP Hash
Destination IP Hash
Source/Dest IP Hash
LB using SNMP
SASP/Call ID Hash


Session Persistence
Source-IP (w/ netmask)
Cookie Insert (HTTP/SSL only)
SSL Session-ID
URL passive
Custom Server ID
Destination IP
Rule
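The selection and persistence behaviour described on the last two slides, as an added example that is not NetScaler code: only services whose monitor reports UP are candidates, the LB method (Least Connections or Round Robin here) picks among them, and Source-IP persistence with a netmask pins later requests from the same client network to the service chosen first. Service names and addresses are constructed for the demo.

```python
"""Added example (not NetScaler code): how an LB vServer picks one of its bound
services. Only services whose monitor reports UP are candidates, the LB method
chooses among them, and Source-IP persistence with a netmask pins later requests
from the same client network to the service chosen first. Service names and
addresses are constructed for the demo.
"""
import ipaddress
from typing import Dict, List, Optional


class Service:
    """A backend (e.g. a Web Interface or XML service) bound to the vServer."""

    def __init__(self, name: str, ip: str, port: int) -> None:
        self.name, self.ip, self.port = name, ip, port
        self.up = True          # set by the bound monitor
        self.connections = 0    # open connections, used by Least Connections


class LBVServer:
    def __init__(self, services: List[Service], method: str = "LEASTCONNECTION",
                 persistence_netmask: Optional[str] = None) -> None:
        self.services = services
        self.method = method                    # LEASTCONNECTION or ROUNDROBIN
        self.netmask = persistence_netmask      # None = no persistence
        self._rr_index = 0
        self._persist: Dict[str, Service] = {}  # client network -> service

    def _persistence_key(self, client_ip: str) -> str:
        """Apply the persistence netmask so a whole client network shares one entry."""
        net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
        return str(net.network_address)

    def select(self, client_ip: str) -> Optional[Service]:
        candidates = [s for s in self.services if s.up]
        if not candidates:
            return None  # no UP service: the vServer is effectively DOWN
        key = self._persistence_key(client_ip) if self.netmask else None
        if key is not None:
            pinned = self._persist.get(key)
            if pinned is not None and pinned.up:
                pinned.connections += 1
                return pinned  # persistence beats the LB method while the service is UP
        if self.method == "ROUNDROBIN":
            chosen = candidates[self._rr_index % len(candidates)]
            self._rr_index += 1
        elif self.method == "LEASTCONNECTION":
            chosen = min(candidates, key=lambda s: s.connections)
        else:
            raise ValueError(f"unsupported LB method {self.method!r}")
        chosen.connections += 1
        if key is not None:
            self._persist[key] = chosen   # remember the choice for this network
        return chosen


def demo() -> List[str]:
    """Walk through persistence and monitor failover; returns chosen service names."""
    wi = [Service("wi1", "10.0.0.11", 80), Service("wi2", "10.0.0.12", 80)]
    lb = LBVServer(wi, "LEASTCONNECTION", persistence_netmask="255.255.255.0")
    picks = [lb.select("192.168.1.10").name,   # first pick, least connections
             lb.select("192.168.1.20").name,   # same /24: persisted to wi1
             lb.select("192.168.2.5").name]    # other network: least connections
    wi[0].up = False                           # monitor marks wi1 DOWN
    picks.append(lb.select("192.168.1.30").name)  # pinned service down: re-select
    return picks


if __name__ == "__main__":
    print(demo())
```

The netmask is what makes persistence survive clients behind a NAT pool that rotates source addresses within one subnet; the DOWN check on the pinned service is what keeps persistence from overriding the monitor.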

Load Balancing TFTP


Reverse Network Address Translation & Use Source IP required
USIP provides client IP to backend (TFTP) servers
Default gateway for TFTP (on PVS) needs to point to NS SNIP
http://support.citrix.com/article/CTX110459


Lab 2 Load Balancing


Objectives:
Manually create LB VIP for WI & XML
Use wizard for WI & XML

Lab 2 Discussion
When would you need SSL_BRIDGE type of LB?
What do you do without a hardware load balancer?
Who uses XML LB? Advantages/disadvantages?


Access Gateway and XA/XD


Integration

Access Gateway Components


Access Gateway virtual servers bind with
Certificates
Authentication
Policies
Profiles
STA


Access Gateway Configuration Options


Full SSL VPN: requires client component
ICA Proxy: WI integration with SSL for ICA
Clientless Connections: web application proxy


Global Settings
Default settings applied to all AG sessions


Session Profile
Customizes the session behavior
ICA Proxy ON tells AGEE not to launch the Secure Access Client
URL to the Web Interface site, e.g. http://wiserver/citrix/xenapp
Embedded Web Interface display format: Full or Compact
Single Sign-On Domain: specifies the domain the user is logged on to

Session Policies
Define the conditions to invoke a session profile


Policy + Action + vServer


add vpn sessionAction prof_smart_phone -sessTimeout 30 -splitTunnel ON -defaultAuthorizationAction ALLOW -clientIdleTimeout 30 -SSO ON -icaProxy ON -wihome "https://sfdc.com/Citrix/XenApp/PNAgent/config.xml" -ntDomain SFDC
add vpn sessionPolicy pol_smart_phone "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" prof_smart_phone
bind vpn vserver sfm-cxi-ag1.salesforce.com -policy pol_smart_phone -priority 10


Policy Expressions
ns_true
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
REQ.HTTP.HEADER Host == access.citrix.com
CLIENT.FILE('C:\\\\file.dat').TIMESTAMP == 7dy -frequency 5
CLIENT.SVC('Symantec\\ AntiVirus').VERSION == 10.0 -frequency 5
CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS
CLIENT.OS(winxp) EXISTS
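How a request is matched against expressions like these and routed to a session profile, as an added example that is not NetScaler code. It covers only the server-side subset shown on the slide (ns_true, REQ.HTTP.HEADER <name> CONTAINS <value>, REQ.HTTP.HEADER <name> == <value>); the CLIENT.* expressions are endpoint (EPA) checks evaluated on the client and are out of scope. The profile names other than prof_smart_phone, and the request headers, are constructed.

```python
"""Added example (not NetScaler code): a small evaluator for the classic
policy expressions listed above, enough to show how a request is matched to a
session profile. It handles ns_true, REQ.HTTP.HEADER <name> CONTAINS <value>
and REQ.HTTP.HEADER <name> == <value>; the CLIENT.* expressions are endpoint
(EPA) checks evaluated on the client, so they are out of scope here.
Profile names other than prof_smart_phone are hypothetical.
"""
import re
from typing import Dict, List, Optional, Tuple

# (expression, session profile it invokes, bind priority)
Policy = Tuple[str, str, int]

HEADER_RE = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+(CONTAINS|==)\s+(.+)$")


def evaluate(expr: str, headers: Dict[str, str]) -> bool:
    """True when the classic expression matches the request headers."""
    expr = expr.strip()
    if expr == "ns_true":
        return True
    m = HEADER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    name, op, value = m.group(1), m.group(2), m.group(3).strip()
    # Header names are case-insensitive; values are compared verbatim, which is
    # what the User-Agent CONTAINS CitrixReceiver check relies on.
    actual = next((v for k, v in headers.items() if k.lower() == name.lower()), None)
    if actual is None:
        return False  # an absent header never matches
    return value in actual if op == "CONTAINS" else actual == value


def select_profile(policies: List[Policy], headers: Dict[str, str]) -> Optional[str]:
    """Profile of the matching policy with the lowest priority number, if any."""
    hits = [(prio, prof) for expr, prof, prio in policies if evaluate(expr, headers)]
    return min(hits)[1] if hits else None


# Policies as they would be bound to the AG vServer; the first mirrors the slide.
POLICIES: List[Policy] = [
    ("REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver", "prof_smart_phone", 10),
    ("REQ.HTTP.HEADER Host == access.citrix.com", "prof_portal", 20),  # hypothetical
    ("ns_true", "prof_default", 100),                                   # hypothetical
]

# Constructed request headers, not captured traffic.
RECEIVER_REQ = {"User-Agent": "CitrixReceiver/3.0 (Android)", "Host": "access.citrix.com"}
BROWSER_REQ = {"user-agent": "Mozilla/5.0", "Host": "access.citrix.com"}
OTHER_REQ = {"User-Agent": "Mozilla/5.0", "Host": "other.example"}

if __name__ == "__main__":
    for req in (RECEIVER_REQ, BROWSER_REQ, OTHER_REQ):
        print(req, "->", select_profile(POLICIES, req))
```

Note that a User-Agent check selects a profile but is not an authentication decision: any client can send that header, so the profile it invokes should not grant more than the default policy would.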


Policy Priority
Results aggregated from all true policies
Priority determines result in the event of conflict
Lowest bind point wins with policies bound to different bind points (Global > Virtual Server > Group > User)


Policy Priority Exercise

Policy A (Global, Priority 100): Home page www.citrix.com; Split Tunnel ON; Single Sign-on -not set-
Policy B (Virtual Server, Priority 100): Home page www.google.com; Split Tunnel -not set-; Single Sign-on OFF
Policy C (Group, Priority 100): Home page www.sales.com; Split Tunnel OFF; Single Sign-on ON
Resulting Configuration: Home page www.sales.com; Split Tunnel OFF; Single Sign-on ON


Policy Priority Exercise

Policy A (Global, Priority 10): Home page www.citrix.com; Split Tunnel -not set-; Single Sign-on -not set-
Policy B (Virtual Server, Priority 20): Home page www.google.com; Split Tunnel -not set-; Single Sign-on OFF
Policy C (Group, Priority 30): Home page www.sales.com; Split Tunnel OFF; Single Sign-on ON
Resulting Configuration: Home page www.citrix.com; Split Tunnel OFF; Single Sign-on OFF


Policy Priority Exercise

Policy A (Global, Priority 100): Home page www.citrix.com; Split Tunnel ON; Single Sign-on OFF
Policy B (Virtual Server, Priority 90): Home page www.google.com; Split Tunnel -not set-; Single Sign-on ON
Policy C (Group, Priority 100): Home page www.sales.com; Split Tunnel OFF; Single Sign-on -not set-
Resulting Configuration: Home page www.google.com; Split Tunnel OFF; Single Sign-on ON
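The merge rule behind the three exercises, as an added example that is not NetScaler code: every setting from every true policy is aggregated; where two policies set the same attribute the lower priority number wins, and on a tie the lowest bind point in the order Global > Virtual Server > Group > User wins. Unset ("-not set-") attributes simply do not participate. Attribute names are shorthand for the slide's three settings.

```python
"""Added example (not NetScaler code): the merge rule from the Policy Priority
slide applied to the three exercises. Every setting from every true policy is
aggregated; where two policies set the same attribute, the lower priority
number wins, and on a tie the lowest bind point in the order
Global > Virtual Server > Group > User wins. Attribute names are shorthand.
"""
from dataclasses import dataclass, field
from typing import Dict, List

BIND_ORDER = ["Global", "Virtual Server", "Group", "User"]   # highest to lowest


@dataclass
class BoundPolicy:
    name: str
    bind_point: str
    priority: int
    settings: Dict[str, str] = field(default_factory=dict)  # "-not set-" keys omitted


def beats(a: BoundPolicy, b: BoundPolicy) -> bool:
    """Does policy a override policy b for an attribute both of them set?"""
    if a.priority != b.priority:
        return a.priority < b.priority            # lower number wins
    return BIND_ORDER.index(a.bind_point) > BIND_ORDER.index(b.bind_point)  # tie: lowest bind point


def resolve(policies: List[BoundPolicy]) -> Dict[str, str]:
    """Resulting configuration from all (true) policies."""
    winner: Dict[str, BoundPolicy] = {}
    for p in policies:
        for attr in p.settings:
            if attr not in winner or beats(p, winner[attr]):
                winner[attr] = p
    return {attr: p.settings[attr] for attr, p in winner.items()}


def exercise_1() -> Dict[str, str]:
    return resolve([
        BoundPolicy("A", "Global", 100, {"homepage": "www.citrix.com", "splitTunnel": "ON"}),
        BoundPolicy("B", "Virtual Server", 100, {"homepage": "www.google.com", "SSO": "OFF"}),
        BoundPolicy("C", "Group", 100, {"homepage": "www.sales.com", "splitTunnel": "OFF", "SSO": "ON"}),
    ])


def exercise_2() -> Dict[str, str]:
    return resolve([
        BoundPolicy("A", "Global", 10, {"homepage": "www.citrix.com"}),
        BoundPolicy("B", "Virtual Server", 20, {"homepage": "www.google.com", "SSO": "OFF"}),
        BoundPolicy("C", "Group", 30, {"homepage": "www.sales.com", "splitTunnel": "OFF", "SSO": "ON"}),
    ])


def exercise_3() -> Dict[str, str]:
    return resolve([
        BoundPolicy("A", "Global", 100, {"homepage": "www.citrix.com", "splitTunnel": "ON", "SSO": "OFF"}),
        BoundPolicy("B", "Virtual Server", 90, {"homepage": "www.google.com", "SSO": "ON"}),
        BoundPolicy("C", "Group", 100, {"homepage": "www.sales.com", "splitTunnel": "OFF"}),
    ])


if __name__ == "__main__":
    for ex in (exercise_1, exercise_2, exercise_3):
        print(ex.__name__, ex())
```

Running it reproduces the three "Resulting Configuration" lines above; the interesting case is exercise 3, where Split Tunnel is decided by the tie-break (Group beats Global at equal priority) while Home page and Single Sign-on are decided by the lower priority number.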


Authentication Policies
Define authentication source
Local
RADIUS
LDAP
TACACS
NT4
CERT


Groups
Define user groups to apply policies and settings


Web Interface Configuration


The Callback
WI makes a callback to the SSL VPN VIP
Retrieves information over HTTPS such as farm, vServer entity name, the session policy used, etc.
Values are sent to the XenApp server to generate the SmartAccess control set


SmartAccess Workflow

[Diagram: SmartAccess workflow across External, DMZ and Internal zones. Components: Workstation; AGEE (443 external, 80/443 internal); LDAP directory service (389/636); Web Interface; Citrix XML Service; XenApp. Steps recoverable from the diagram: the user accesses the AGEE VPN virtual server; the pre-authentication EPA ActiveX control is downloaded and scans the client; on pre-authentication EPA success the AGEE login page is returned, the user supplies credentials and Access Gateway passes them to the directory service for validation; post-authentication session policy EPA checks are done with the existing EPA ActiveX, which sends the results back to AGEE. 1) AGEE does a HTTP redirect to the Web Interface URL configured in the -homepage option; WI makes an XML callback to the AGEE VPN virtual server preconfigured on WI, and AGEE returns the EPA results to WI. 2) Web Interface sends the credentials to the Citrix XML Service, which validates them and returns the user's application set to Web Interface. 3) Access Gateway performs SSO to Web Interface via the custom AGCitrixBasic HTTP header; Web Interface returns a 401 and AGEE detects that this is a Web Interface server. 4) A SessionToken is also provided. Web Interface generates the SmartAccess application set and sends the page back to the user.]

STA and XML

STA Configuration
STA must be configured on Access Gateway


Published Application Launch Process

[Diagram: application launch across External, DMZ and Internal zones. Components: Workstation; AGEE (443 external, 80/443 internal); Web Interface (80/443); XenApp (1494/2598). Steps recoverable from the diagram: the user clicks an application icon and the request is sent to Web Interface; Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application, and the XML Service returns the XenApp IP address; Web Interface contacts the STA to exchange the XenApp IP address for an STA ticket; Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket, and the ICA file is sent back to the client device; the ICA client contacts Access Gateway to initiate the ICA session; Access Gateway contacts the STA to validate the ticket and exchange it for the XenApp IP address; the ICA session to XenApp is established.]
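The STA exchange in the launch process above, modelled as an added example that is not Citrix code: Web Interface trades the XenApp address for a ticket, the ICA file handed to the client carries only the Access Gateway FQDN and that opaque ticket, and Access Gateway redeems the ticket at the STA to learn where to connect. The single-use and time-limited behaviour, the 60-second lifetime, the ticket format and the ICA file fields are illustrative assumptions; the addresses are constructed.

```python
"""Added example (not Citrix code): a model of the STA ticket exchange in the
launch process above. The STA keeps single-use, time-limited tickets, so the
ICA file handed to the client carries only the Access Gateway FQDN and an
opaque ticket, never the internal XenApp address; Access Gateway redeems the
ticket at the STA to learn where to connect. Ticket format, the 60-second
lifetime and the ICA file fields are illustrative assumptions.
"""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class STA:
    """Secure Ticket Authority: maps opaque tickets to XenApp addresses."""

    def __init__(self, ttl_seconds: int = 60, now: Callable[[], float] = time.time) -> None:
        self._tickets: Dict[str, Tuple[str, float]] = {}
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised offline

    def request_ticket(self, xenapp_address: str) -> str:
        """Web Interface step: exchange the XenApp address for a ticket."""
        ticket = secrets.token_hex(16)          # unguessable, issued once
        self._tickets[ticket] = (xenapp_address, self.now() + self.ttl)
        return ticket

    def validate(self, ticket: str) -> Optional[str]:
        """Access Gateway step: redeem the ticket; None if unknown, replayed or expired."""
        entry = self._tickets.pop(ticket, None)  # pop makes the ticket single-use
        if entry is None:
            return None
        address, expires_at = entry
        return address if self.now() <= expires_at else None


def build_ica_file(ag_fqdn: str, ticket: str, app: str) -> str:
    """Subset of the ICA file Web Interface would return (constructed layout)."""
    return "\n".join([
        "[ApplicationServers]",
        f"{app}=",
        f"[{app}]",
        f"Address={ticket}",             # the ticket stands in for the server address
        f"SSLProxyHost={ag_fqdn}:443",   # client connects to the gateway, not XenApp
        "",
    ])


def ticket_from_ica(ica: str) -> str:
    """What the ICA client presents to Access Gateway."""
    return next(line.split("=", 1)[1] for line in ica.splitlines() if line.startswith("Address="))


def launch(sta: STA, ag_fqdn: str, xenapp_ip: str, app: str) -> Tuple[str, Optional[str]]:
    """Run the WI -> client -> AG -> STA exchange; returns (ICA file, resolved target)."""
    ticket = sta.request_ticket(xenapp_ip)          # WI asks the STA for a ticket
    ica = build_ica_file(ag_fqdn, ticket, app)      # WI builds the ICA file for the client
    presented = ticket_from_ica(ica)                # client hands the ticket to AG
    return ica, sta.validate(presented)             # AG validates the ticket at the STA


if __name__ == "__main__":
    ica, target = launch(STA(), "ag.example.com", "10.20.30.40", "Notepad")
    print(ica)
    print("AG connects to:", target)
```

The two checks worth noticing are the `pop` (a captured ICA file cannot be replayed to open a second session) and the expiry (a ticket that sits unused is worthless after the lifetime), which together are why the internal address never needs to reach the client.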


Lab 3 Access Gateway


Objectives:
Configure components for AG
Launch application using SSL
Configure EPA and SmartAccess

Lab 3 Discussion
What other authentication methods are relevant to us?
What does clientless access really mean?


Global Server Load Balancing

GSLB Overview
Load balance services between separate locations
Typical uses include:
Distribution of network traffic across multiple sites
Distribution of server load across multiple sites
Disaster recovery

Relies on DNS for directing client requests
Shares the state & status of various geographically distributed servers


DNS & GSLB


Step 1: Client sends a DNS request to the local DNS (LDNS) server
Step 2: The LDNS server sends the request to the ADNS service/DNS vServer on the system
Step 3: The ADNS service/DNS vServer responds with the IP address of the LB vServer on the best-performing site


GSLB Entities
LDNS


Web Interface on NetScaler

Web Interface on NetScaler


Feature is available on 9.3 (RTW 3/30)
Supported on MPX and nCore VPX; not available on classic
Web Interface version 5.4
There are two packages that need to be installed on NS:
1. Web Interface files
2. Java Runtime Environment


WIonNS Licensing
The feature is only licensed on NetScaler Standard, Enterprise, and Platinum
It is not licensed on CAG-EE
Not visible in the GUI license window yet


Limitations
JSP with Java Servlet support: functionally equivalent except for the authentication limitations listed below
Case sensitive sites
Manual site customization
Limited on-box authentication: Kerberos, Smart Card, RSA Windows Password Integration, or Pass-Through authentication methods are not supported
Limited scale on low-end platforms



WIonNS Firewall Changes

[Diagrams: firewall rules Before and After moving Web Interface onto NetScaler]


Lab 4 Web Interface on NetScaler


Objectives:
Configure WI on NS

Lab 4 Discussion
What are the pros/cons to WI on NS?


Best Practices

IA Top 10
WI Load Balancing: Cookie insert with timeout of 0
XML Load Balancing: No persistence
Use built-in WI/XML monitor
Disable unused features and modes
For load balancing, have a Switch license


IA Top 10, continued


Redirect 80 to 443 for AG vServer
Use GSLB for multiple data centers across various regions
EPA used with SmartAccess
Use split DNS for internal access to AG
No external access to NSIP and SNIP


Lab 5 Putting It All Together

Referenced Links
AG Pre-Installation Checklist - http://support.citrix.com/article/CTX109588
How to Configure a Backup VServer - http://support.citrix.com/article/CTX125511
Configuring and Monitoring Persistence on NetScaler
Planning Guide: Load Balancing Web Interface with NetScaler - http://support.citrix.com/article/CTX128563
Does Use Source IP Mode Work in a NetScaler One-arm Mode Deployment? - http://support.citrix.com/article/CTX110459
NetScaler VPX Licensing Guide - http://support.citrix.com/article/CTX122426
Web Interface 5.3 Reports Error Pertaining to HTTP Header 'User-Agent' - http://support.citrix.com/article/CTX124858
How to Configure the Redirect URL Feature - http://support.citrix.com/article/CTX108946
