Howzatt

asked on

How do you set up Citrix NetScaler Gateway 10.5 to replace Citrix Secure Gateway

We currently run a XenApp 6.5 farm for publishing apps & desktops to our users.

For External Access, we have the (free) Citrix Secure Gateway. It sits in our DMZ and passes on the requests to our Citrix Web Interface in our internal network.

Internally (between all the branch offices in the WAN), we are using Citrix StoreFront 2.6.
I did attempt to reconfigure the CSG to pass on traffic to our StoreFront web host rather than the Citrix Web Interface host. However, StoreFront is not compatible with CSG, and it turned out that I needed the NetScaler before our StoreFront would work with external requests as well
(the website launches, but you can't launch apps etc.).
So we purchased an Enterprise VPX license.

NetScaler is obviously designed to do a gazillion other things besides performing the CSG role. However, that's all I want it for.
Trying to find documentation on just that is difficult, as NetScaler 10.5 seems to be quite new.

What I would like to know is the best and easiest way to achieve this goal.
Considering that StoreFront takes only a few minutes to set up, I am happy if the best solution requires deploying a 2nd StoreFront in either the DMZ or internally.

These are the parts that I don't understand during my setup attempts.

When first deploying the VPX (from vSphere), it automatically adds 2 vNICs (one for our internal network and one for our DMZ). How many NICs does it need? 2 NICs = 1 in each network, 2 NICs = both in the DMZ, or just 1 NIC in the DMZ?
The CSG only has 1 NIC (in the DMZ). So if the NetScaler needs 2, I will need to adjust the firewall rules.

It then becomes more confusing later on when setting up the connection to the StoreFront & XA Data Collectors.
I don't understand the relationship between the NICs we add to the VPX in vSphere as opposed to NSIPs, SIPs, SNIPs, MIPs & any others I have missed. Are these more vNICs that the NetScaler creates itself when we assign an IP address?

Also, when initially configuring the VPX, I am asked to enter the DNS IP. I am unsure about this part, as there is no DNS running in the DMZ. Should it be our internal DNS or the DNS of the ISP hosting the external public IP?

LDAP authentication. Is this needed? The old CSG just seemed to pass all the roles over to the Citrix Web Interface.

And lastly, just some info around connecting the NetScaler to the StoreFront & XenApp.
Most documentation online is for the previous NetScaler & XenDesktop.
SOLUTION
Dirk Kotte

This solution is only available to members.
Howzatt

ASKER

Much appreciated. I will give that a go today.
Just a few more questions. You said I only need 1 NIC. As mentioned in the initial post, by default vSphere added a NIC for the DMZ & a NIC for the LAN network. Is it OK for me to remove the LAN NIC now?

Re the StoreFront, should I try to connect it to the current StoreFront inside the LAN, or should I deploy a 2nd one in the DMZ? Which would be easier to configure?

Last one, re LDAP. Would I need to create a firewall rule to pass LDAP requests through to our domain controller in the LAN? And how do you test the connection? It seems once you enter all the fields, you can't test it.
Howzatt

ASKER

Just an update,

I can now see the website when I access externally.
However, I am unable to log in. Authentication is not working, but there are no LDAP errors on the dashboard.

Would this site be my Storefront in the LAN or is it something the Netscaler has built itself?
SOLUTION

This solution is only available to members.
Howzatt

ASKER

Thanks for that.

1. Storefront is in the LAN. When you say it needs domain access, does that mean anything else apart from being joined to the domain and using the domain admin account to configure?

2. 2nd NIC has been removed.

3. LDAP firewall rule is in place (Source: NetScaler Gateway IP in the DMZ; Destination: Domain Controller in the LAN; Port: UDP 389). Is that all I should need? I have a test machine in the DMZ from which I have tested the LDAP connection (telnet 389 from the test machine in the DMZ to the Domain Controller in the LAN), which seems to work (as it brings up a blank window after hitting OK).

4. Not sure what you mean by tab name.

I don't get any errors after trying to retrieve the attributes. It thinks for 10 seconds and goes back to the same screen.
I also don't see anything in the event log on the domain controller to say that any LDAP connections have been made.

LDAP is definitely working on our DC. We use LDAP on a few services in the LAN.
SOLUTION

This solution is only available to members.
Howzatt

ASKER

Just an update.
I think the issue now is that the Storefront can't contact the callback URL.

I have updated the hosts file on the StoreFront server so that the external Gateway URL reflects the VIP address of the NetScaler in the DMZ. My understanding is that the SF needs to resolve the external website URL to the DMZ address rather than the public IP. Please advise if that is wrong.

If it is right: if I ping the external URL from the StoreFront host, it replies with the new DMZ VIP address as it should. But if I then try to browse to it in IE (e.g. https://externalURL), it tries to open via the public IP rather than the DMZ IP.

Does IE not follow the hosts file rules? The SF host is Svr 2012 R2.
Howzatt

ASKER

Sorry, I turned the proxy settings off & IE resolved the correct URL (in the DMZ).
However, the same issue remains.

Citrix Delivery Services, Event ID 8
None of the AG callback services responded

Citrix Receiver for Web Event ID 10
A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.6.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: http://StorefrontURL/Citrix/Authentication/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
ASKER CERTIFIED SOLUTION

This solution is only available to members.
Howzatt

ASKER

The callback address is correct.
As mentioned my Storefront server has an entry in the hosts file for the External URL to point to the DMZ IP. Is that correct or should it reflect the public IP?

Re Wallet Service, we are using SF 2.6, so it's already set to delayed start.

There was something I noticed with the SSL.
When I generate the CSR from the netscaler & send to our CA for authorisation, they send back 3 files.
* The SSL
* RootCA
* Intermediate CA

According to all of the online instructions for setting up SSL, when the SSL is installed, you can see the CA path of the certificate (SSL Cert > IntermediateCA > RootCA). But when I install my SSL, it only shows the SSL & not the full path.

If I open the website externally and view the certificate, it also does not show the full certificate path. Only the SSL.
In saying that, could my issue be related to this?

If so, how do you install the Intermediate & Root CAs on the NetScaler? I assume I need to do the whole create-keystore process again?

Also re the CSR, when requesting, it is only using the www.gateway.com address. There is no reference to the storefront or NSGateway hostnames. Could this also be an issue? In the previous CSG, it only needed the www.gateway.com name. So all I have done is replace our old cert, but regenerated the CSR from the new NS.
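As an added example (not from the thread, nor Citrix's own tooling), a POSIX shell check for the chain question in the post above: it dumps the TLS handshake from the gateway VIP with openssl and reports whether the intermediate that signed the gateway certificate is actually served; the gateway host name and the CA names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: does the gateway serve its intermediate?
# Clients that lack the intermediate locally fail validation when it is missing.

# Live dump of the handshake from the gateway VIP. Host name is a placeholder;
# needs openssl and network access to the VIP.
fetch_chain() {  # usage: fetch_chain www.gateway.com:443
    printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts 2>/dev/null
}

# Offline check on s_client output read from stdin. Exit 0 when each served
# certificate's issuer is the subject of the next one (a root need not be served,
# clients hold roots locally); exit 1 when a link is missing. A lone leaf is
# reported as incomplete, which is right for a CA that issues via an intermediate.
chain_is_complete() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        END {
            if (n == 0) { print "no certificates in input"; exit 1 }
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) {
                    print "chain breaks after cert " (k - 1) ": " iss[k] " not served"; exit 1
                }
            if (n == 1 && iss[1] != subj[1]) {
                print "only the leaf is served; issuer " iss[1] " missing"; exit 1
            }
            print n " certificate(s), chain links verified"
        }'
}

# Constructed samples of the "Certificate chain" header openssl s_client prints.
# CA names are placeholders. LEAF_ONLY mirrors the symptom described in the post.
LEAF_ONLY='Certificate chain
 0 s:CN = www.gateway.com
   i:CN = Example Intermediate CA
---'
FULL_CHAIN='Certificate chain
 0 s:CN = www.gateway.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---'

printf '%s\n' "$LEAF_ONLY"  | chain_is_complete || echo "-> link the intermediate to the gateway cert"
printf '%s\n' "$FULL_CHAIN" | chain_is_complete
# Live: fetch_chain www.gateway.com:443 | chain_is_complete
```

On the NetScaler CLI a lone leaf is fixed by adding the intermediate as its own certKey and linking it to the gateway certificate with `link ssl certKey <gateway-certkey> <intermediate-certkey>`; no new CSR or keystore is needed, and re-running the check should then report two certificates.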
SOLUTION

This solution is only available to members.
Howzatt

ASKER

The latest problem was due to the STA not having the correct port set on the StoreFront.
Changed it to port 8080 and it now works. Thanks to all for getting me to the resolution.