
How to find an AWS AppStream 2.0 users homedrive path

Scenario

When SAML (federated) authentication is used, AWS AppStream 2.0 names a user's home folder with the SHA-256 hash of the user's NameID. This can make it difficult to find a user's home share when browsing S3, and for support teams when supporting users or uploading documents into a user's ‘home drive’.

Example

Below is an example of a federated user's home drive auto-created in S3 after the user has accessed AppStream 2.0 for the first time.

This script creates a function in Windows PowerShell that generates the SHA-256 hash of a NameID, so you can work out the user's home path.

Function Get-StringHash([String] $String, $HashName = "MD5")
{
    # Hash the UTF-8 bytes of the string and return the digest as lowercase hex,
    # which is the form AppStream uses for the home folder name
    $StringBuilder = New-Object System.Text.StringBuilder
    $Algorithm = [System.Security.Cryptography.HashAlgorithm]::Create($HashName)
    $Algorithm.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | ForEach-Object {
        [Void]$StringBuilder.Append($_.ToString("x2"))
    }
    $Algorithm.Dispose()
    $StringBuilder.ToString()
}

# Prompt for the NameID (exactly as the IdP sends it: the hash is case-sensitive)
$myvar = Read-Host -Prompt 'Enter the NameID to hash'
Get-StringHash $myvar "SHA256"

Result

As we know the user's NameID being passed into the AppStream session (in this instance it's actually my email address)
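As an added example (not part of the original article), the same lookup in Python: it hashes the NameID with SHA-256 exactly like the PowerShell function above, turns the digest into the S3 key prefix of the user's home folder, and filters a constructed object listing down to that user's files. The bucket name pattern, the user/federated/<hash>/ layout, the region and account ID, and the sample keys are assumptions of this example, not values taken from the article.

```python
import hashlib
from typing import Iterable, List


def sha256_hex(value: str) -> str:
    """SHA-256 of the UTF-8 encoding of value as lowercase hex (same as the PowerShell function)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def home_folder_prefix(name_id: str, auth_type: str = "federated") -> str:
    """Key prefix of a user's AppStream 2.0 home folder inside the home-folder bucket.

    The folder name is the SHA-256 hash of the NameID exactly as the IdP sends it.
    A different case or a stray trailing space gives a completely different hash,
    so copy the value from the SAML assertion rather than retyping it.
    The 'user/<auth_type>/<hash>/' layout is an assumption of this example.
    """
    return f"user/{auth_type}/{sha256_hex(name_id)}/"


def home_folder_bucket(region: str, account_id: str) -> str:
    """Assumed naming pattern of the AppStream home-folder bucket; region and
    account ID are placeholders you replace with your own."""
    return f"appstream2-36fb080bb8-{region}-{account_id}"


def find_user_objects(name_id: str, keys: Iterable[str], auth_type: str = "federated") -> List[str]:
    """Return the keys from a bucket listing that belong to this user's home folder."""
    prefix = home_folder_prefix(name_id, auth_type)
    return sorted(key for key in keys if key.startswith(prefix))


# Constructed sample listing, standing in for the result of listing the bucket
# (for example with `aws s3 ls --recursive` or boto3 list_objects_v2).
SAMPLE_KEYS = [
    home_folder_prefix("alice@example.com") + "report.docx",
    home_folder_prefix("alice@example.com") + "notes/todo.txt",
    home_folder_prefix("bob@example.com") + "budget.xlsx",
]


if __name__ == "__main__":
    name_id = "alice@example.com"  # constructed NameID, e.g. the user's email address
    bucket = home_folder_bucket("eu-west-1", "123456789012")  # placeholder values
    print(f"Home folder: s3://{bucket}/{home_folder_prefix(name_id)}")
    for key in find_user_objects(name_id, SAMPLE_KEYS):
        print("  ", key)
    # The hash is case-sensitive: a differently cased NameID finds nothing.
    print("Mixed-case lookup finds:", find_user_objects("Alice@example.com", SAMPLE_KEYS))
```

Run it as a script to see the prefix for a NameID; in a real lookup, replace SAMPLE_KEYS with the keys returned by listing the home-folder bucket, and compare the prefix against what the support team sees in the S3 console.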

AWS IAM CERTIFICATE_VERIFY_FAILED

Situation

When attempting to call AWS CLI commands we were receiving a CERTIFICATE_VERIFY_FAILED error message. We were using a proxy service; in this specific instance we were connecting to AWS IAM via Zscaler Internet Access (ZIA).

Example

We were running a simple command:

aws iam get-role --role-name vmimport

Workaround

Include --no-verify-ssl to bypass the SSL verification. Note that this disables TLS certificate verification for the call entirely, so it is only suitable as a temporary diagnostic step, not as a permanent setting:

aws iam get-role --role-name vmimport --no-verify-ssl

Solution

Drop or whitelist iam.amazonaws.com from SSL inspection on the proxy server, so the AWS CLI sees Amazon's certificate rather than one re-signed by the proxy's inspection CA. Alternatively, keep inspection in place and point the AWS CLI at the proxy's CA certificate using the ca_bundle configuration setting (or the AWS_CA_BUNDLE environment variable), which restores verification instead of disabling it.

Create a NetScaler Gateway Preauthentication Policy

1. Expand NetScaler Gateway > Policies > Preauthentication.
2. Click Add.
3. Name the policy something like PreAuthPol_Notepad-is-running, then click the + next to Request Action.

Note: you can call it whatever you want; I like to keep a standard format when creating policies and profiles so they are distinguishable in the various screens and in the ns.conf file as well.

4. Click Create.
5. Click Expression Editor and select Expression Type: Client Security, Component: Process, Name*: notepad.exe, Operator: EXISTS. Then click Done.
6. Note that the expression is now created for you automatically as:

CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS

7. Click Create.
8. Bind the new policy globally: select NetScaler Gateway > NetScaler Gateway Policy Manager.
9. Click the + on AAA Global.
10. Click Add Binding.
11. Click in the Click to Select field.
12. Select the only PreAuthPolicy available, then click Select.
13. Click Bind.
14. Click Done.
15. Click Done.
16. Browse to the gateway and check that the EPA scan is invoked before you are asked for any authentication credentials. Click Yes.
17. EPA scan with notepad not running.
18. EPA scan with notepad running. Your users can now authenticate.
19. Authenticate against the NetScaler page again and then confirm you can access all NetScaler resources.

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

Deploy the OVA File to Hypervisor – VMware ESXi 6

In this section we deploy the downloaded NetScaler firmware (OVA) onto our VMware hypervisor.

1. Connect and authenticate to your VMware ESXi web console.

Note: In this example we are connecting to VMware ESXi 6.0 with a private IP of 192.168.1.1. The default URL is http://192.168.1.1/ui

2. Click Virtual Machines.
3. Click Create / Register VM.
4. Select Deploy a virtual machine from an OVF or OVA file.
5. Click the section labelled ‘Click to select files or drag/drop’.
6. Select both the OVF and the VMDK files from the firmware package downloaded from Citrix, then click Next.
7. Select an appropriate storage location on your hypervisor to deploy the NetScaler VM.
8. Choose the network mappings and disk provisioning best for you.

Note: Disk provisioning is set to thin in this example only to save on local hypervisor disk space.

9. Click Finish on the summary page.
10. Click on the VM in the VMware list.
11. Authenticate to the VMware console prompt with your VMware username and password.
12. Click on the Console button to get access to the VM console.
13. Success! The NetScaler has booted and is operational.


Create Authorization Policies for NetScaler Gateway

1. Expand NetScaler Gateway > Global Settings > Change Global Settings.
2. Click the Security tab and change Default Authorization Action to DENY.

Note: This change affects all Gateways configured on the NetScaler that do not explicitly override it.

3. Expand NetScaler Gateway > Policies > Authorization Policies and click Add.
4. Create a new policy. In this example we call it AuthPol_VPN_192.168.1.1, as the only ‘destination’ this policy will allow is 192.168.1.1.
5. Click Switch to Classic Syntax, then click Expression Editor.
6. Enter the IP address details of the destination you want to allow access to into the Expression Editor.
7. Click Create.

Note: the expression has been ‘built for you by the editor’; you can type these manually if you know the syntax (or find them online!).

8. Bind this new policy to a NetScaler user: go to NetScaler Gateway > User Administration > AAA Users, select the user and click Edit, click + Authorization Policies, select the Authorization policy, then click Bind.

Tip: to bind this to LDAP users you must have a local AAA user whose username matches the LDAP username.


Configure Citrix NetScaler Gateway – ICA Proxy

In this guide we will connect the Citrix NetScaler to our Citrix XA/XD Environment for ICA proxy (Citrix Sessions without VPN).

Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Gateway.

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps.

Overview Diagram

Prerequisites

 * DNS is configured on the NetScaler correctly to resolve internal DNS names
 * The internal or private IP address of the VIP assigned to the NetScaler Gateway *
 * Know the details of your Citrix Server STA (our Citrix DDC(s))
 * Firewall ports are open between the NetScaler and the StoreFront server
 * XenApp / XenDesktop and StoreFront already configured and set up (otherwise Retrieve Stores won't work)
 * A certificate for your NetScaler Gateway FQDN is already installed on the NetScaler

Configure the NetScaler Gateway for XA/XD – Wizard

1. Log into the NetScaler GUI.
2. Under Integrate with Citrix Products, click XenApp and XenDesktop, then click Get Started.
3. Ensure StoreFront is selected and click Continue on the Prerequisites page.

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not, please just follow along this guide to understand the steps involved.

4. Provide the details relevant to your StoreFront and Citrix XenApp setup:

Gateway FQDN: gateway.jsconsulting.services
Gateway IP Address: inside private IP address for the Virtual Server (aka VIP)
Port: 443 (SSL)
Redirect: tick this option if you are also forwarding HTTP traffic to this VIP, so the NetScaler will redirect users to HTTPS.

Then click Continue.

Note: In this guide we are using the above specific details as working examples; you should use the appropriate settings for your environment.

5. Because we enabled port 80 redirection the wizard will enable the Load Balancing feature on the NetScaler. Click Yes.
6. Select the certificate you previously installed on the NetScaler.

Note: you should have the complete certificate chain installed on the NetScaler; a later video will go through these steps to ensure the complete certificate chain is installed.

Click Continue.

7. Keep Authentication as Domain, select Use Existing Server, then select the server that has the ‘NSUsers’ profile associated (servers are listed in order of creation, so usually the second server in the list if you have followed our other guides).
8. Click Continue.
9. Enter the details of your StoreFront server.

The Retrieve Stores button will not work if the StoreFront server is not configured. You will not be able to proceed with this wizard if you can't ‘retrieve stores’, as the wizard will not let you proceed manually.

In this example our StoreFront and Citrix XenApp are installed on the same box, so the URLs can point to the same server.

10. Click Continue.
11. On the summary page, now that all the basic settings have been entered, click Done.


Configure NetScaler Gateway SSL VPN

Prerequisites

 * NetScaler configured with IP address and certificates, and accessible from the clients either internally or remotely over the internet
 * Ensure Split Tunnelling is Off
 * Port 443 forwarded from firewall / router to the NetScaler VIP
 * Ensure the Default Authorization action in the global configuration is set to Allow

1. Check that the NetScaler Gateway feature is enabled: System > Settings > Configure Basic Features.
2. Ensure the global Default Authorization setting for NetScaler Gateway is set to Allow.
3. Expand NetScaler Gateway and click NetScaler Gateway Wizard.
4. A separate wizard page will open. Click Get Started.
5. Provide the details of your new gateway.

Note: my details are provided as an example only.

6. Select the existing certificate already installed on your NetScaler, then click Continue.
7. Select the default authentication of Local and don't select a secondary auth method. Once the wizard has completed, create a user called nsgw-localuser (password: <yourpassword>) under User Administration > AAA Users > Add. Click Continue.
8. You may close the dashboard that is opened by default after creation of the new Gateway.
9. Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from). Open a web browser to the NetScaler VIP and log in.
10. Success!


Modify Default StoreFront website for Citrix NetScaler Access

In newer versions of Citrix XenApp and XenDesktop (7.6+), if you chose to install StoreFront, the website is preconfigured by the XA/XD setup wizard. For this to work with Citrix NetScaler access there are some settings we need to configure so that the NetScaler can connect to the StoreFront server and launch sessions.

Prerequisites

 * You will need to know the FQDN of your NetScaler Gateway
 * The internal or private IP address of the VIP assigned to the NetScaler Gateway*
 * Know the details of your Citrix Server STA (your Citrix DDC(s))

* The StoreFront server must be able to communicate directly with the VIP of the NetScaler Gateway; otherwise, when the StoreFront server resolves the FQDN it will resolve the internet IP address and potentially will not work.

Modify the Default Store

1. Log into Citrix Studio, expand Citrix StoreFront, select the existing store ‘Store Service’ and click Manage NetScaler Gateways.
2. Click Add, enter the Display name and the FQDN of the external Gateway URL (in this example my gateway FQDN is ‘gateway.jsconsulting.services’), then click Next.
3. Click Add and enter the name of your DDC. In our example we only have one server, whose STA URL is http://citrixserver.home.local/scripts/ctxsta.dll. Click Next.
4. Enter the callback URL of the NetScaler Gateway, ensuring your StoreFront server is able to resolve the FQDN to an internal/private IP address. Click Create.
5. Close the Manage NetScaler Gateways screen.
6. Ensure the StoreFront / Citrix server can resolve the FQDN to the inside IP address of the NetScaler Gateway. Use locally managed DNS if you have the zone configured on your local DNS server(s), or use the Windows hosts file to add a private entry. Remember that if you have multiple StoreFront servers and multiple sites, hosts file management can quickly become time consuming and error prone; ideally use internal DNS.

Note: the Windows hosts file is located at c:\windows\system32\drivers\etc\hosts and has no extension. You may need to copy it to the user's desktop first, edit the file, and copy it back due to Windows User Account Control (UAC).

7. Ensure the StoreFront server resolves the FQDN to the NetScaler inside VIP address.

Note: In production environments ping may not be allowed between the NetScaler network and the StoreFront network(s); you need to ensure that TCP 443 is opened and allowed through the firewall from the StoreFront servers to the NetScaler VIP.

8. Back in Studio, expand Manage Authentication Methods.
9. Ensure Pass-through from NetScaler Gateway is ticked.
10. Back in Studio, select your store and click Configure Remote Access Settings. Ensure you Enable remote access, select No VPN Tunnel, tick the NetScaler Gateway appliance listed, and click OK.


Citrix NetScaler Certificates – Certificate Linking

Sometimes there are certificates that sit between the newly created NetScaler certificate and the root CA certificate. These certificates ‘in the middle’ are known as intermediate or subordinate certificates and form a link or ‘chain’ between the root CA certificate and our newly created NetScaler certificate.

For example:

When an operating system does not have the full chain of intermediate certificates installed (and trusted), it will display a ‘certificate invalid’ message even when the server certificate itself is valid, because it cannot verify the server certificate all the way up the chain to a trusted root. Installing the intermediate certificates on the NetScaler, so that they are served to end users along with the server certificate, lets clients validate the chain and connect to the NetScaler regardless of their endpoint or client device.

1. Example: connecting to a service or VIP on the NetScaler where we have bound the new certificate shows an error in Chrome on Mac OS X.

Note: This will vary between operating systems and between CA certificate providers.

2. Log into the NetScaler web interface: http://192.168.1.50
3. Expand SSL > SSL Files, click SSL > Certificates > CA Certificates, then click Install.
4. Upload the bundled certificate from your 3rd party CA and click Install.
5. Expand SSL > SSL Files, click SSL > Certificates > Server Certificates, tick your newly created server certificate and select Action – ‘Link’.
6. Select the CA certificate uploaded in step 3.

Tip: The NetScaler will automatically select the correct / valid certificate (if it is installed correctly and exists).

7. Repeat this step for every certificate in the certificate chain, including the root certificate.


Citrix NetScaler Certificates – Submit to 3rd Party CA

Submitting the CSR to a 3rd party CA – Comodo Free SSL

We now need to take the CSR created in the previous section and submit it to a 3rd party Certificate Authority (CA), which verifies the CSR and returns a certificate response we combine with our CSR to generate the SSL certificate. For the purposes of this demonstration we will use Comodo as our 3rd party CA; there are many vendors you can choose from, some free (with restrictions) and others where you must pay for your certificate(s).

1. First we need to download our CSR from the NetScaler for easy access: expand Traffic Management > SSL > SSL Files > CSRs tab, tick the newly created .csr file and click Download.
2. Browse to Comodo and apply for a FREE SSL certificate: https://ssl.comodo.com/free-ssl-certificate.php
3. Click the big Free Trial SSL button.
4. Open the downloaded CSR file from step 1 and copy and paste the entire contents into the Comodo SSL site. Select Citrix as the server software, then click Next.
5. Comodo will then perform a domain ownership verification. In the example shown, to keep it simple, I select the registered email address for jsconsulting.services (from WHOIS).
6. Enter your details for registration of the certificate and for access to the Comodo SSL site.
7. Read the terms thoroughly and accept if you are ready to continue.
8. Validate the email sent to your WHOIS-registered email address.
9. Download the CSR files as a zip.
