How do you setup Citrix Netscaler Gateway 10.5 to replace Citrix Secure Gateway

We currently run a XenApp 6.5 farm for publishing apps & desktops to our users.

For External Access, we have the (free) Citrix Secure Gateway. It sits in our DMZ and passes on the requests to our Citrix Web Interface in our internal network.

Internally (between all the branch offices in the WAN), we are using Citrix Storefront 2.6.
I did attempt to reconfigure the CSG to pass on traffic to our Storefront web host rather than the Citrix Web Interface host. However Storefront is not compatible with CSG and that I needed the Netscaler before our Storefront will work with external requests also.
(the website launches, but you can't launch apps etc).
So we purchased an Enterprise VPX license.

Netscaler is obviously designed to do a gazillion other things than just perform the CSG role. However that's all I want it for.
Trying to find documentation on just that is difficult as Netscaler 10.5 seems to be only new.

What I would like to know is the best and easiest way to achieve this goal?
Considering the Storefront takes only a few minutes to setup, I am happy if the best solution requires deploying a 2nd Storefront in either the DMZ or internal.

These are the parts that I don't understand during my setup attempts.

When first deploying the VPX (from vSphere). It automatically adds 2 vNICs (one for our internal network and one for our DMZ). How many NICs does it need? 2 NICs = 1 in each network, 2 NICs = both in DMZ, or just 1 NIC = in the DMZ?
The CSG only has 1 NIC (in the DMZ). So if Netscaler needs 2, I will need to adjust the Firewall rules.

It then becomes more confusing later on when setting up the connection to the Storefront & XA Data Collectors.
I don't understand about the relationship between the NIC's we add to the VPX in vSphere as appose to NSIPs, SIPS, SNIPs, MIPs & any others I have missed. Are these more vNICs that the Netscaler creates itself when we assign an IP address?

Also, when initially configuring the VPX, I am asked to enter the DNS IP. This part I am unsure of as there is no DNS running in the DMZ. Should it be our internal DNS or the DNS of the ISP hosting the External public IP?

LDAP authentication. Is this needed? the old CSG just seemed to pass all the roles over to the Citrix Web Interface.

And lastly just some info around connecting the netscaler to the Storefront & XenApp.
Most documention online is for the previous netscaler & XenDesktop.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dirk KotteSECommented:
first: you need the simple netScale gateway license only.
next. there are a great wizzart within NS to complete the most configuration tasks for you.
10.5 uses the new html5 design, the gui is a little bit different from 10.1.
here are some good guides for mnual configuration:
îf you need the CSG functionality, you need only one NIC, but some IP's within the DMZ.
NSIP==Management-IP- here you configure the NS
SNIP (Subnet-IP) - these ip is used for communication from NS to your resources (LDAP-Authentication; StoreFront)
MIP - nearly the same like SNIP (mostly i don#t use this)
VIP - the IP the virtual Access-gateway uses. These IP is used for external access to your system. Created and activated with the Virtual server.

DNS is necessary for certificat checks and many other things.
i use external dns-SERVERS and create a-records at the NS for internal hosts.

i would suggest to authenticate at NS. here LDAP is the best way.  
But authenticate at StoreFront is possible also.

10.5 is the same like 10.1. you can use the guides ... but the GUI is resorted ... i don't see guides for the new GUI at the moment.

if you have more questions, please provide us with more details about your problem.
HowzattAuthor Commented:
Much appreciated. I will give that a go today.
Just a few more questions, you said I only need 1 NIC. As mentioned in the initial post, by default, vSphere added a NIC for the DMZ & a NIC for the LAN network. Is it OK for me to remove the LAN NIC now?

Re the storefront, should I try connect it to the current storefront inside the LAN or should I deploy a 2nd one in the DMZ? Which would be easier to configure.

Last one, re LDAP. I would need to create a firewall rule to pass through LDAP requests to our Domain controller in the LAN? & how do you test the connection. It seems once you enter all the fields, you can't test
HowzattAuthor Commented:
Just an update,

I can now see the website when I access externally.
However I am unable to login. Authentication is not working. But there are no LDAP errors on the dashboard.

Would this site be my Storefront in the LAN or is it something the Netscaler has built itself?
Dirk KotteSECommented:
1. i deploy Sf at the LAN. SF need domain-access, so Sf at the DMZ is not the default way.

2. yes, remove the second NIC (or disconnect the vLink)

3. LDAP: Firewall rule is needed. if you have entered the basic connection details, there is a button like "get fields". if connection is OK some fields bellow this button are filled.

4. at the webbrowser check the TAB-name:
- citrix receiver = Storefront
- citrix access gateway = NetScaler

what error you get if you try to authenticate?
HowzattAuthor Commented:
Thanks for that.

1. Storefront is in the LAN. When you say it needs domain access, does that mean anything else apart from being joined to the domain and using the domain admin account to configure?

2. 2nd NIC has been removed.

3. LDAP firewall rule is in place. (Source - Netscaler Gateway IP in the DMZ. Destination - Domain Controller in the LAN. Port - UDP 389. Is that all I should need? I have a test machine in the DMZ which I have tested the LDAP connection (telnet 389 from the test machine in the DMZ to the Domain controller in the LAN), which seems to work (as it brings up a blank window after hitting OK).

4. Not sure what you mean by tab name.

I don't get any errors after trying to retrieve the attributes. It thinks for 10 seconds and goes back to the same screen.
I also don't see anything in the event log on the domain controller to say that any LDAP connections have been made.

LDAP is definitely working on our DC. We use LDAP on a few services in the LAN.
Dirk KotteSECommented:
1. no, that's enough
3. ok
4. most browser use tab's these tab's mostly display a page description (see attaced pic)
CAG browser TABdo you check the "authenticate" checkbox at the virtual server? With box unchecked the authentication is delegated to the Sf server.

there are no entries added below the "retrieve attributes" button?

possible you have to enable LDAP debugging at the shell-console. (i have to check how)
HowzattAuthor Commented:
Just an update.
I think the issue now is that the Storefront can't contact the callback URL.

I have updated the host file on the Storefront server for the external Gateway URL to reflect the VIP address of the Netscaler in the DMZ. My understanding is that the SF needs to resolve the external website URL to the DMZ address instead rather than the public IP. Please advise if that is wrong.

If it is right,
If I ping the external URL from the Storefront host, it replies with the new VIP DMZ address as it should. But if I then try browse in IE (eg https://externalURL), it is trying to open via the Public IP rather than the DMZ IP.

Does IE not follow the host file rules? the SF host is Svr 2012 R2.
HowzattAuthor Commented:
Sorry, I turned the proxy settings off & IE resolved the correct URL (in DMZ).
However same issue remains though.

Citrix Delivery Services, Event ID 8
None of the AG callback services responded

Citrix Receiver for Web Event ID 10
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: http://StorefrontURL/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
Dirk KotteSECommented:
what do you configure for callback-url?
should be similar to: ...
if you use your URL ( within IE you should get no SSL-Error.

another hin from a citrix employee:
"Also this issue can be caused by the Credential Wallet Service not being set to delayed start. Make sure when you install Storefront that the Credential Wallet Service is set to delayed start (I believe Storefront 2.0 does this by default but 1.2 does not)"

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
HowzattAuthor Commented:
The callback address is correct.
As mentioned my Storefront server has an entry in the hosts file for the External URL to point to the DMZ IP. Is that correct or should it reflect the public IP?

Re Wallet Service, we are using SF 2.6, so it's already set to delayed start.

There was something I noticed with the SSL.
When I generate the CSR from the netscaler & send to our CA for authorisation, they send back 3 files.
* The SSL
* RootCA
* Intermediate CA

According to all of the online instructions for setting up SSL, when the SSL is installed, you can see the CA path of the certificate (SSL Cert > IntermediateCA > RootCA). But when I install my SSL, it only shows the SSL & not the full path.

If I open the website externally and view the certificate, it also does not show the full certificate path. Only the SSL.
In saying that, could my issue be related to this?

If so, how do you install the Intermediate & root CA's on the netscaler? I assume I need to do the whole create keystore process again?

Also re the CSR, when requesting, it is only using the address. There is no reference to the storefront or NSGateway hostnames. Could this also be an issue? In the previous CSG, it only needed the name. So all I have done is replace our old cert, but regenerated the CSR from the new NS.
Dirk KotteSECommented:
do you install all three certificates (SSL Cert > IntermediateCA > RootCA) and linked one to the next?
you create the request and upload and process the signed returned part.
than you upload the sub-ca and the root-ca certificated and build the key-chain.

check the SF event-logs. There are many usefull messages.
HowzattAuthor Commented:
Latest problem was due to the STA not having the correct port set on the Storefront.
Changed to port 8080 and it now works. Thanks to all for getting me to the resolution.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.