Training Goals
Learn AGEE as it pertains to XenApp / XenDesktop
Implement VPX in small/lab environments
Provide Hands-on Experience
Installation Procedures
Consoles & Initial Admin Tasks
Integration with XA
Agenda (1 of 2)
Training Goals
NetScaler Types
Architecture & Deployment Options
Administration Overview
Load Balancing
Agenda (2 of 2)
Access Gateway & XenApp Integration
Global Server Load Balancing
Web Interface on NetScaler
NS Best Practices
Access Gateway VPX
NetScaler Hardware
MPX 5500
MPX 7500 and MPX 9500
MPX 10500/12500/15500
MPX 17500/19500/21500
VPX
NetScaler VPX
Gig+ performance
Labs/test environments
Development environments
Datacenter-in-a-box
FIPS requirements
CPU-intensive workloads
[Platform comparison figure, values only: 50 Gb/s on a single VIP; 50 Gb/s across 16 instances; up to 18 Gbps per instance; 8M packets/second]
NetScaler Features
Deployment Options
AG in a Secure Network
AG in DMZ with WI
WI behind AG
AG parallel to WI
AG in DMZ with WI internally
AG in Double-Hop
NetScaler Terms
NetScaler IP (NSIP): the management IP (the appliance's management plane; keep it reachable only from the management network)
Mapped IP (MIP): used for the server-side connection; the client source IP is replaced with the MIP, so back-end server logs show the MIP rather than the client unless Use Source IP (USIP) mode is enabled
Subnet IP (SNIP): same role as a MIP; SNIPs were introduced in newer releases of code
Virtual IP (VIP): the IP address associated with a Virtual Server
Administration Overview
GUI / CLI
Access the GUI by browsing to the NSIP
Access the CLI through an SSH client (PuTTY)
Access the file system through an SFTP client (WinSCP)
Lab 1 Discussion
What items need to be planned in advance for a NS VPX
POC?
Load Balancing
LB Methods
Least Connections (default)
Round Robin
Source IP Hash
Destination IP Hash
Source/Dest IP Hash
URL Hash
Least Bandwidth
Least Packets
LB using SNMP
LRTM (Least Response Time)
SASP/Call ID Hash
Session Persistence
Source-IP (w/ netmask)
Cookie Insert (HTTP/SSL only)
SSL Session-ID
URL passive
Custom Server ID
Destination IP
Rule
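Added example, not NetScaler code: a toy model of the "Source-IP (w/ netmask)" persistence listed above, with Least Connections (the default method from the LB Methods list) as the fallback when a client has no persistence entry yet. It shows what the netmask does in practice: with a /24 mask every client behind the same /24 (a NAT'd office, for instance) is pinned to a single server, which quietly defeats load distribution; with /32 each client address is tracked on its own. Server names and client addresses are constructed for the example.

```python
"""Source-IP persistence keyed by a netmask, with Least Connections fallback.

Added example, not NetScaler code. Server names and client addresses
are made up; the point is the effect of the persistence netmask on
how clients are spread across the services.
"""
import ipaddress
from typing import Dict, Iterable


class LoadBalancer:
    def __init__(self, servers: Iterable[str], persistence_prefixlen: int = 32):
        # Active connection count per service (Least Connections input).
        self.conns: Dict[str, int] = {s: 0 for s in servers}
        self.prefixlen = persistence_prefixlen
        # Persistence table: masked source network -> server it is stuck to.
        self.table: Dict[str, str] = {}

    def _persistence_key(self, client_ip: str) -> str:
        # Apply the persistence netmask. With /24 all clients in one /24
        # produce the same key and therefore share one server.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefixlen}", strict=False)
        return str(net)

    def select(self, client_ip: str) -> str:
        """Pick the server for a new connection from client_ip."""
        key = self._persistence_key(client_ip)
        server = self.table.get(key)
        if server is None or server not in self.conns:
            # No sticky entry (or its server was removed): Least Connections.
            # min() returns the first server with the fewest connections, in
            # configuration order, so ties are deterministic.
            server = min(self.conns, key=self.conns.get)
            self.table[key] = server
        self.conns[server] += 1
        return server

    def release(self, server: str) -> None:
        """Connection closed: decrement the Least Connections counter."""
        self.conns[server] -= 1

    def remove_server(self, server: str) -> None:
        """Service marked DOWN by a monitor; sticky clients get re-selected."""
        self.conns.pop(server, None)


def distribution(prefixlen: int, client_ips: Iterable[str],
                 servers: Iterable[str] = ("wi1", "wi2")) -> Dict[str, int]:
    """Connections per server after one request from each client."""
    lb = LoadBalancer(servers, prefixlen)
    for ip in client_ips:
        lb.select(ip)
    return dict(lb.conns)


if __name__ == "__main__":
    # Constructed sample: four clients in the same /24.
    clients = ["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13"]
    print("/32 persistence:", distribution(32, clients))
    print("/24 persistence:", distribution(24, clients))
```

The `remove_server` path matters for the "use the built-in WI/XML monitor" advice later on the page: once a monitor marks a service DOWN, stale persistence entries must fall through to a fresh selection rather than keep sending clients to a dead server.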
Citrix Confidential - Do Not Distribute
Lab 2 Discussion
When would you need SSL_BRIDGE type of LB?
What do you do without a hardware load balancer?
Who uses XML LB? Advantages/disadvantages?
Global Settings
Default settings applied to all AG sessions
Session Profile
Customizes the session behavior:
ICA Proxy ON tells AGEE not to launch the Secure Access Client (the session proxies ICA only, it is not a full VPN tunnel)
URL to the Web Interface site, e.g. http://wiserver/citrix/xenapp
Embedded Web Interface display format: Full or Compact
Single Sign-On Domain: specifies the domain the user is logged on to
Session Policies
Define the conditions to invoke a session profile
Policy Expressions
ns_true
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
REQ.HTTP.HEADER Host == access.citrix.com
CLIENT.FILE('C:\\\\file.dat').TIMESTAMP == 7dy -frequency 5
CLIENT.SVC('Symantec\\ AntiVirus').VERSION == 10.0 -frequency 5
CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS
CLIENT.OS(winxp) EXISTS
Policy Priority
Results are aggregated from all policies whose expression is true; a setting left "-not set-" in one policy is filled in from the next applicable policy.
Where two true policies set the same setting differently, the policy with the lowest priority number wins, regardless of where it is bound.
Only with equal priority numbers does the bind point decide: the lowest (most specific) bind point wins (User > Group > Virtual Server > Global).
Example 1: equal priority numbers at different bind points

Policy   Bind point       Priority     Home page        Split Tunnel   Single Sign-on
A        Global           (not shown)  www.citrix.com   ON             -not set-
B        Virtual Server   100          www.google.com   -not set-      OFF
C        Group            100          www.sales.com    OFF            ON
Resulting Configuration                www.sales.com    OFF            ON

Policy C wins every conflict: at equal priority the most specific bind point (Group) beats Virtual Server and Global.

Example 2: the priority number decides before the bind point

Policy   Bind point       Priority     Home page        Split Tunnel   Single Sign-on
A        Global           (not shown)  www.citrix.com   -not set-      -not set-
B        Virtual Server   20           www.google.com   -not set-      OFF
C        Group            30           www.sales.com    OFF            ON
Resulting Configuration                www.citrix.com   OFF            OFF

Policy B (priority 20) beats Policy C (priority 30) for Single Sign-on even though Group is the more specific bind point. Split Tunnel is set only by C, so C supplies it. The home page comes from the Global policy; its priority is not shown on the slide, but the result implies it has the lowest number of the three.

Example 3: the winner only supplies the settings it actually sets

Policy   Bind point       Priority     Home page        Split Tunnel   Single Sign-on
A        Global           (not shown)  www.citrix.com   ON             OFF
B        Virtual Server   90           www.google.com   -not set-      ON
C        Group            100          www.sales.com    OFF            -not set-
Resulting Configuration                www.google.com   OFF            ON

Policy B (priority 90) wins where it sets a value (home page, Single Sign-on). Split Tunnel is unset in B, so C (priority 100) supplies it and overrides the Global policy's ON; for this result the Global policy's priority (not shown) must be higher than 100.
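Added example, not Citrix code: a resolver that encodes the precedence rule from the Policy Priority slide and reproduces the three worked examples above. For every setting, among the policies whose expression matched, the lowest priority number wins whatever the bind point; equal numbers are broken by bind point, most specific first (User > Group > Virtual Server > Global); a value left "-not set-" never overrides. The page does not show the Global policy's priority in the examples, so the values 100, 10 and 110 given to Policy A below are assumptions chosen to reproduce the slides' results; the policy names and URLs are the slides' own.

```python
"""Resolve the effective Access Gateway session settings from several
session policies bound at different bind points.

Added example, not Citrix code. The priorities assigned to the Global
policy in page_examples() are assumed (the slides do not show them).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tie-break rank: lower = more specific = wins when priority numbers are equal.
BIND_POINT_RANK = {"User": 0, "Group": 1, "Virtual Server": 2, "Global": 3}

NOT_SET: Optional[str] = None  # the slides' "-not set-"


@dataclass
class SessionPolicy:
    name: str
    bind_point: str
    priority: int                      # NetScaler priority: lower number wins
    settings: Dict[str, Optional[str]] = field(default_factory=dict)


def resolve(matched: List[SessionPolicy]) -> Dict[str, str]:
    """Aggregate settings from all policies whose expression evaluated true.

    Policies are visited in winning order (priority number, then bind point
    specificity); the first one that actually sets a value supplies it, so
    losing policies only fill in settings the winners left unset.
    """
    ordered = sorted(matched, key=lambda p: (p.priority, BIND_POINT_RANK[p.bind_point]))
    effective: Dict[str, str] = {}
    for pol in ordered:
        for setting, value in pol.settings.items():
            if value is not NOT_SET:
                effective.setdefault(setting, value)
    return effective


HOME, SPLIT, SSO = "Home page", "Split Tunnel", "Single Sign-on"


def _trio(a_prio, b_prio, c_prio, a, b, c) -> List[SessionPolicy]:
    return [
        SessionPolicy("A", "Global", a_prio, a),
        SessionPolicy("B", "Virtual Server", b_prio, b),
        SessionPolicy("C", "Group", c_prio, c),
    ]


def page_examples() -> List[Dict[str, str]]:
    """The three worked examples from the page. Policy A's priority is not
    shown on the slides; 100, 10 and 110 are assumed values that reproduce
    the slides' resulting configurations."""
    ex1 = _trio(100, 100, 100,
                {HOME: "www.citrix.com", SPLIT: "ON", SSO: NOT_SET},
                {HOME: "www.google.com", SPLIT: NOT_SET, SSO: "OFF"},
                {HOME: "www.sales.com", SPLIT: "OFF", SSO: "ON"})
    ex2 = _trio(10, 20, 30,
                {HOME: "www.citrix.com", SPLIT: NOT_SET, SSO: NOT_SET},
                {HOME: "www.google.com", SPLIT: NOT_SET, SSO: "OFF"},
                {HOME: "www.sales.com", SPLIT: "OFF", SSO: "ON"})
    ex3 = _trio(110, 90, 100,
                {HOME: "www.citrix.com", SPLIT: "ON", SSO: "OFF"},
                {HOME: "www.google.com", SPLIT: NOT_SET, SSO: "ON"},
                {HOME: "www.sales.com", SPLIT: "OFF", SSO: NOT_SET})
    return [resolve(ex1), resolve(ex2), resolve(ex3)]


if __name__ == "__main__":
    for i, result in enumerate(page_examples(), 1):
        print(f"Example {i}: {result}")
```

The practical consequence for hardening: a restrictive setting bound globally (say Split Tunnel OFF at priority 100) is not a floor. Any matching policy with a lower priority number at any bind point, including a vServer or group policy added later, overrides it, so audit priorities across all bind points rather than only the global one.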
Authentication Policies
Define authentication source
Local
RADIUS
LDAP
TACACS
NT4
CERT
Groups
Define user groups to apply policies and settings
The Callback
WI makes a callback to the SSL VPN VIP.
It retrieves information over HTTPS such as the farm, the vServer entity name, the session policy used, etc.
These values are sent to the XenApp server to generate the SmartAccess control set.
SmartAccess Workflow
(Diagram reconstructed from the figure labels. Zones: External | DMZ | Internal. Ports: 443 from the workstation to AGEE, 80/443 from AGEE to Web Interface, 389/636 from AGEE to LDAP.)
Pre-AuthN
1. User accesses the AGEE VPN Virtual Server.
2. EPA ActiveX download and client scan; the ActiveX sends the results back to AGEE.
3. On pre-authentication EPA success, AGEE returns the login page.
Authentication
4. User supplies credentials to the logon page; Access Gateway passes the credentials to the Directory Service (LDAP) for validation.
Post-AuthN
5. Session policy EPA checks are done with the existing EPA ActiveX; the results are returned to AGEE.
6. AGEE does an HTTP redirect to the Web Interface website configured in -homepage. Web Interface returns a 401 and AGEE detects that this is a Web Interface server.
7. Access Gateway performs pass-through SSO to Web Interface via the custom AGCitrixBasic HTTP header; a SessionToken is also provided to Web Interface.
8. WI makes an XML callback to the AGEE VPN Virtual Server URL preconfigured on WI, with the previously provided SessionToken, to get the EPA results; AGEE returns the EPA results to WI.
9. Web Interface sends the credentials and EPA results to the Citrix XML Service (XenApp), which validates the user and returns the user's SmartAccess application set to Web Interface.
10. Web Interface generates the SmartAccess application set page and sends the web page back to the user.
STA and
XML
STA Configuration
STA must be configured
on Access Gateway
(Diagram reconstructed from the figure labels. Zones: DMZ | Internal. Ports: 443 from the workstation to AGEE, 80/443 from AGEE to WI and the STA, 1494/2598 from AGEE to XenApp.)
1. User clicks the application icon in Web Interface.
2. Web Interface contacts the Citrix XML Service to determine the least loaded XenApp server hosting the application; the XML Service returns the XenApp IP address.
3. Web Interface contacts the STA to exchange the XenApp IP address for an STA ticket.
4. Web Interface generates an ICA file that includes the Access Gateway FQDN and the STA ticket; the ICA file is sent back to the client device.
5. The ICA client sends a request to Access Gateway to initiate the ICA session.
6. Access Gateway contacts the STA to validate the ticket and exchange it for the XenApp IP address.
7. The ICA session is established between Access Gateway and XenApp.
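Added example, not Citrix code: an end-to-end model of the STA exchange described above, with both sides of each message. Web Interface trades the XenApp address for an opaque ticket, puts the ticket and the gateway FQDN (not the XenApp address) in the ICA file, and Access Gateway later redeems the ticket with the STA to learn where to proxy the connection. Assumptions: tickets are single-use and expire after `ttl` seconds (the 100 s default is this example's choice, not a value taken from the page), the ticket and ICA file fields are simplified, and every host name and address is constructed.

```python
"""Secure Ticket Authority (STA) ticket exchange, modelled end to end.

Added example, not Citrix code. Names, addresses, the ticket format and
the ttl default are this example's assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Destination:
    host: str   # internal XenApp server address (never sent to the client)
    port: int   # 1494 (ICA) or 2598 (Session Reliability)


class ManualClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SecureTicketAuthority:
    def __init__(self, ttl: float = 100.0, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._tickets: Dict[str, Tuple[Destination, float]] = {}

    def request_ticket(self, dest: Destination) -> str:
        """Web Interface -> STA: store the destination, return an opaque ticket."""
        ticket = secrets.token_hex(16)                 # 128 random bits; unguessable
        self._tickets[ticket] = (dest, self.clock() + self.ttl)
        return ticket

    def validate_ticket(self, ticket: str) -> Optional[Destination]:
        """Access Gateway -> STA: redeem the ticket for the destination.

        Returns None for an unknown, already-used (replayed) or expired
        ticket. pop() makes every ticket single-use whatever the outcome.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        dest, expires_at = entry
        if self.clock() > expires_at:
            return None
        return dest


def web_interface_launch(sta: SecureTicketAuthority, gateway_fqdn: str,
                         xenapp_dest: Destination, app: str) -> Dict[str, str]:
    """Build the ICA file the client receives. The XenApp address is absent;
    only the gateway FQDN and the opaque ticket are present."""
    ticket = sta.request_ticket(xenapp_dest)
    return {
        "Address": ticket,                       # simplified; real files also name the STA
        "SSLProxyHost": f"{gateway_fqdn}:443",   # the client connects here, not to XenApp
        "SSLEnable": "On",
        "InitialProgram": f"#{app}",
    }


def gateway_connect(sta: SecureTicketAuthority, ica: Dict[str, str]) -> Optional[Destination]:
    """Access Gateway receives the client's ICA connection and asks the STA
    where to proxy it; None means the connection is refused."""
    return sta.validate_ticket(ica["Address"])


if __name__ == "__main__":
    clock = ManualClock()
    sta = SecureTicketAuthority(ttl=100.0, clock=clock)
    dest = Destination("10.20.30.40", 1494)              # constructed internal address
    ica = web_interface_launch(sta, "ag.example.test", dest, "Notepad")
    print("ICA file:", ica)
    print("first connect:", gateway_connect(sta, ica))   # Destination(...)
    print("replayed:", gateway_connect(sta, ica))        # None: ticket already used
    ica2 = web_interface_launch(sta, "ag.example.test", dest, "Notepad")
    clock.advance(101)
    print("expired:", gateway_connect(sta, ica2))        # None: past ttl
```

This is why the page says the STA must be configured on Access Gateway: the gateway can only redeem tickets with the same STA (or STA set) that Web Interface obtained them from, and a ticket is worthless to anyone who intercepts the ICA file once it has been redeemed or has timed out.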
Lab 3 Discussion
What other authentication methods are relevant to us?
What does clientless access really mean?
GSLB Overview
Load balance services between separate locations
Typical uses include:
Distribution of network traffic across multiple sites
Distribution of server load across multiple sites
Disaster recovery
GSLB Entities
LDNS
WIonNS Licensing
The feature is only licensed on NetScaler Standard,
Enterprise, and Platinum
It is not licensed on CAG-EE
Not visible in the GUI license window yet
Limitations (before/after screenshots not reproduced)
Lab 4 Discussion
What are the pros/cons to WI on NS?
Best Practices
IA Top 10
WI load balancing: Cookie Insert persistence with a timeout of 0 (a session cookie with no expiry)
XML load balancing: no persistence
Use the built-in WI/XML monitors
Disable unused features and modes (smaller attack surface, less to patch)
For load balancing, have a Switch license
Referenced Links
AG Pre-Installation Checklist - http://support.citrix.com/article/CTX109588
How to Configure a Backup VServer - http://support.citrix.com/article/CTX125511
Configuring and Monitoring Persistence on NetScaler
Planning Guide: Load Balancing Web Interface with NetScaler - http://support.citrix.com/article/CTX128563
Does Use Source IP Mode Work in a NetScaler One-arm Mode Deployment? - http://support.citrix.com/article/CTX110459
NetScaler VPX Licensing Guide - http://support.citrix.com/article/CTX122426
Web Interface 5.3 Reports Error Pertaining to HTTP Header 'User-Agent' - http://support.citrix.com/article/CTX124858
How to Configure the Redirect URL Feature - http://support.citrix.com/article/CTX108946