
Create a NetScaler Gateway Preauthentication Policy

Step Description Screenshot
1 Expand NetScaler Gateway > Policies > Preauthentication
2 Click Add
3 Name the policy something like PreAuthPol_Notepad-is-running

Click the + next to Request Action

Note: you can call it whatever you want. I like to keep a standard format when creating policies and profiles so they are distinguishable in the various screens and in the ns.conf file as well.

4 Click Create
5 Click Expression Editor

Select Expression Type of: Client Security

Component: Process

Name*: notepad.exe

Operator: EXISTS

Then click Done

6 Note that the expression has now been created for you automatically as:

CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS

7 Click Create
8 Bind the new policy globally

Select NetScaler Gateway > NetScaler Gateway Policy Manager

9 Click the + on AAA Global
10 Click Add Binding
11 Click in the Click to Select
12 Select the only PreAuthPolicy available

Click Select

13 Click Bind
14 Click Done
15 Click Done
16 Browse to the gateway and check that the EPA scan is invoked before you type in any authentication credentials

Click Yes

17 EPA scan with Notepad not running
18 EPA scan with Notepad running

Your users can now authenticate

19 Authenticate against the NetScaler page again and then confirm you can access all NetScaler resources

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

Deploy the OVA File to Hypervisor – VMWare ESXi 6

In this section we are going to deploy the downloaded NetScaler firmware onto our hypervisor (VMware).

Step Description Screenshot
Connect and authenticate to your VMware ESXi web console

Note: In this example we are connecting to VMWare ESXi 6.0 with a private IP of 192.168.1.1. The default URL is http://192.168.1.1/ui

Click Virtual Machines

Click Create / Register VM

Select Deploy a virtual machine from an OVF or OVA File

Click the section labelled ‘Click to select files or drag/drop’

Select both the OVF and the VMDK files from the firmware download from Citrix, then click Next
Select an appropriate storage location for your hypervisor to deploy the NetScaler VM
Choose the network mappings and disk provisioning best for you

Note: Disk provisioning is set to thin in this example only to save on local hypervisor disk space.

Click Finish on summary page
Click on the VM in the VMWare list
Authenticate to the VMware console prompt with your VMware username and password
Click on the Console button to get access to the VM console
Success!

The NetScaler has booted and is operational


Create Authorization Policies for NetScaler Gateway

Step Description Screenshot
1 Expand NetScaler Gateway > Global Settings > Change Global Settings
2 Click Security tab

Change Default Authorization Action to DENY

Note: This change will affect all Gateways configured on the NetScaler that do not specifically reverse it.

3 Expand NetScaler Gateway > Policies > Authorization Policies

Click Add

4 Create a new policy

In this example we will call it AuthPol_VPN_192.168.1.1 as the only ‘destination’ this policy will allow is to 192.168.1.1

5 Click Switch to Classic Syntax

Click Expression Editor

6 Enter the IP address details into the Expression Editor of the destination IP you want to allow access to
7 Click Create

Note: the regular expression has been ‘built for you by the editor’; you can type these manually if you know the commands (or find them online!)

8 Bind this new policy to a NetScaler User

NetScaler Gateway > User Administration >AAA Users

Select the user + Edit

Click + Authorization Policies

Select the Authorization policy

Click Bind

Tip: to bind this to LDAP users you must have a local username that matches



Configure Citrix NetScaler Gateway – ICA Proxy

In this guide we will connect the Citrix NetScaler to our Citrix XA/XD Environment for ICA proxy (Citrix Sessions without VPN).

Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Gateway.

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps.

Overview Diagram

Prerequisites

Item Description
 * DNS is configured correctly on the NetScaler to resolve internal DNS names
 * The internal or private IP address of the VIP assigned to the NetScaler Gateway
 * Know the details of your Citrix Server STA (our Citrix DDC(s))
 * Firewall ports are open between the NetScaler and the StoreFront server
 * XenApp / XenDesktop and StoreFront already configured and set up (otherwise Retrieve Stores won’t work)
 * A certificate for your NetScaler Gateway FQDN is already installed on the NetScaler


Configure the NetScaler Gateway for XA/XD – Wizard

Step Description Screenshot
1 Log into the NetScaler GUI
2 Under Integrate with Citrix Products – Click XenApp and XenDesktop

Click Get Started

3 Ensure StoreFront Is selected and Click Continue on the Prerequisites

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not – please just follow along this guide to understand the steps involved.

4 Provide the details that are relevant to your StoreFront and Citrix XenApp setup

Gateway FQDN: gateway.jsconsulting.services

Gateway IP Address: Inside private IP address for the Virtual Server. (aka VIP)

Port: 443 (SSL)

Redirect: Tick this option if you are also forwarding http traffic to this VIP so the NetScaler will redirect the users to https.

Then click Continue

Note: In this guide we are using the following specific details as working examples – you should use the appropriate settings for your environment

5 Because we enabled port 80 redirection the wizard will enable the Load Balancing feature on the NetScaler – Click Yes
6 Select the certificate you have previously installed on the NetScaler.

Note: you should have the complete certificate chain installed on the NetScaler – a later video will go through these steps to ensure the complete Certificate chain is installed.

Click Continue

7 Keep Authentication as Domain

Select Use Existing Server

Select the server that has the ‘NSUsers’ profile associated (will be listed in order of creation so usually the second server in the list if you have followed our other guides)

8 Click Continue
9 Enter the details of your StoreFront server

The Retrieve Stores button will not work if the StoreFront server is not configured. You will not be able to proceed with this wizard if you can’t ‘retrieve stores’, as the wizard will not let you proceed manually.


In this example our StoreFront and Citrix XenApp are installed on the same box so the URLs can point to the same server

10 Click Continue
11 On the summary page, now that all the basic settings have been entered, click Done



Configure NetScaler Gateway SSL VPN

Prerequisites

Item Description
 * NetScaler configured with IP Address, Certificates and accessible from the clients either internally or remotely over the internet.
 * Ensure Split Tunnelling is Off
 * Port 443 forwarded from firewall / router to the NetScaler VIP
 * Ensure the Default Authorization on the global configuration is set to allow

Step Description Screenshot
1 Check that the NetScaler Gateway feature is enabled under System > Settings > Configure Basic Features

2 Ensure the global setting for NetScaler Gateway (Default Authorization) is set to Allow
3 Expand NetScaler Gateway

Click NetScaler Gateway Wizard

4 A Separate Wizard page will open

Click Get Started

5 Provide the details of your new gateway

Note: my details are provided as an example only

6 Select the existing Certificate already installed on your NetScaler

Click Continue

7 Select the default authentication of Local and don’t select a secondary auth method

Once the wizard has completed create a user called nsgw-localuser

password: <yourpassword>

User Administration> AAA Users > Add Button

Click Continue

8 You may close the dashboard that is opened by default after creation of the new Gateway
9 Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from)

Open a web browser to the NetScaler VIP

Login

10 Success!



Modify Default Storefront website for Citrix NetScaler Access

In newer versions of Citrix XenApp and XenDesktop (7.6+), if you selected to install StoreFront, the website will be preconfigured by the XA/XD setup wizard. For this to work with Citrix NetScaler access there are some settings we need to configure so that the NetScaler can connect to the StoreFront server and launch sessions.

Prerequisites

Item Description
 * You will need to know the FQDN of your NetScaler Gateway
 * The internal or private IP address of the VIP assigned to the NetScaler Gateway
 * Know the details of your Citrix Server STA (your Citrix DDC(s))
 * The StoreFront server must be able to communicate directly with the VIP of the NetScaler Gateway; otherwise, when the StoreFront server resolves the FQDN it will resolve the internet IP address and will potentially not work.

Modify the Default Store

Step Description Screenshot
1 Log into Citrix Studio

Expand Citrix StoreFront

Select the Existing Store ‘Store Service’

Click Manage NetScaler Gateways

2 Click Add

Enter the Display name and the FQDN of the external Gateway URL

(In this example my gateway FQDN is ‘gateway.jsconsulting.services’)

Click Next

3 Click Add

Enter the Name of your DDC

In our example we only have one server – its STA URL is http://citrixserver.home.local/scripts/ctxsta.dll

Click Next

4 Enter the callback URL of the NetScaler Gateway, ensuring your StoreFront server is able to resolve the FQDN to an internal/private IP address.

Click Create

5 Close the Manage NetScaler Gateways screen
6 Ensure the StoreFront / Citrix server can resolve the FQDN to the inside IP Address of the NetScaler Gateway

Use locally managed DNS if you have the Zone configured on your local DNS server(s)

Or use the Windows host file to add a private entry.

Remember if you have multiple storefront servers and multiple sites, host file management can quickly become time consuming and error prone. Ideally use internal DNS.

Note: the Windows hosts file is located at c:\windows\system32\drivers\etc\hosts and has no extension. You may need to copy it to the user’s desktop first, edit it there, and copy it back because of Windows User Account Control (UAC).

7 Ensure the StoreFront server resolves the FQDN to the NetScaler inside VIP address

Note: In production environments ping may not be allowed between the NetScaler network and the StoreFront network(s) – you need to ensure that 443 TCP is opened and allowed through the Firewall from the StoreFront servers to the NetScaler VIP

8 Back in the Studio expand Manage Authentication Methods
9 Ensure Pass-through from NetScaler Gateway is ticked
10 Back in Studio Select your store and click Configure Remote Access Settings

Ensure you Enable remote access

Select No VPN Tunnel

Tick the NetScaler Gateway appliance listed

Click OK



Citrix NetScaler Certificates – Certificate Linking

Sometimes there are certificates that sit between the newly created NetScaler certificate and the Root CA certificate. These certificates ‘in the middle’ are known as intermediate or subordinate certificates and form a link or ‘chain’ between the root CA certificate and our newly created NetScaler certificate.

For example:

When an operating system does not have the full chain of intermediate certificates installed (and trusted) it will display a ‘certificate invalid’ message even when the certificate itself is valid. This is because the operating system is unable to verify your server certificate all the way up the certificate chain to the root certificate. These intermediate certificates can be installed on the NetScaler and provided to the end users, greatly enhancing the user’s ability to connect to the NetScalers regardless of their endpoint or client device.

Step Description Screenshot
1 Example: Connecting to a service or VIP on the NetScaler interface where we have bound the new Certificate shows an error in Chrome on Mac OSX

Note: This will vary between operating system and between CA certificate providers

2 Log into the NetScaler web interface

http://192.168.1.50

3 Expand SSL > SSL Files

Click SSL > Certificates > CA Certificates

Click Install

4 Upload the bundled certificate from your 3rd party CA

Click Install

5 Expand SSL > SSL Files

Click SSL > Certificates > Server Certificates

Tick your newly created server certificate

Select Action – ‘Link’

6 Select the CA Certificate uploaded in step 3

Tip: The NetScaler will automatically select the correct / valid certificate (if it is installed correctly and exists)

7 Repeat this step for every certificate in the certificate chain, including the root certificate
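To see concretely why a missing intermediate produces the ‘certificate invalid’ error from step 1, here is an added shell example (not from the original article) that builds a throwaway root > intermediate > server chain with openssl and runs the same verification a client performs: first with only the root trusted and no intermediate presented, then with the server certificate bundled with its intermediate, which is what a correctly linked gateway sends. The CA names, the hostname gateway.example.test and the extension files are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's own code: build a throwaway three-tier chain with
# openssl and show that a valid server certificate only verifies when the client can
# reach a trusted root through the intermediate. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed extension files: CA flags for the root/intermediate, leaf flags for the server
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gateway.example.test\n' > leaf.ext

# issue_cert NAME CN ISSUER EXTFILE SERIAL  (empty ISSUER = self-signed root)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$5" -out "$1.crt" \
      -days 2 -extfile "$4" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -set_serial "$5" \
      -out "$1.crt" -days 2 -extfile "$4" >/dev/null 2>&1
  fi
}

issue_cert root   "Example Root CA"         ""    ca.ext   1
issue_cert inter  "Example Intermediate CA" root  ca.ext   1001
issue_cert server "gateway.example.test"    inter leaf.ext 1002

# What a correctly linked gateway presents: the server cert followed by its intermediate
cat server.crt inter.crt > chain.pem

# verify_chain TRUSTED [PRESENTED]: returns 0 if server.crt chains up to a cert in TRUSTED,
# using the certs in PRESENTED (if any) only as untrusted intermediates, as a client would
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" server.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" server.crt >/dev/null 2>&1
  fi
}

# Number of PEM certificates in a bundle; 2 for server + intermediate
chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

if verify_chain root.crt; then
  echo "unexpected: verified with no intermediate"
else
  echo "root trusted, intermediate not sent: certificate invalid (the error in step 1)"
fi
if verify_chain root.crt chain.pem; then
  echo "intermediate linked and sent with the server cert: verified OK"
fi
```

Trusting only the intermediate on the client is not enough either: openssl verify, like a browser, needs the chain to end at a self-signed root it trusts, which is why step 7 links every certificate up to and including the root.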



Citrix NetScaler Certificates – Submit to 3rd Party CA

Submitting the CSR to a 3rd party CA – Comodo Free SSL

We now need to take the CSR created in the previous section and submit it to a 3rd party Certificate Authority (CA), which verifies our CSR and provides us with a certificate response we can combine with our CSR to generate the SSL certificate. For the purposes of this demonstration we will use Comodo as our 3rd party CA; however, there are many vendors you can choose from, some free (with restrictions), others where you must pay for your certificate(s).

Step Description Screenshot
1 First we need to download our CSR for easy access from the NetScaler

Expand Traffic Management > SSL > SSL Files > CSRs tab

Tick the newly created .csr file and click Download

2 We are going to browse to Comodo and apply for a FREE SSL certificate: https://ssl.comodo.com/free-ssl-certificate.php
3 Click the big Free Trial SSL button
4 Open the downloaded CSR file from step 1 and copy and paste the entire contents into the Comodo SSL site

Select Citrix as the Server software

Click Next

5 Comodo will then perform a domain ownership verification

In the example shown to keep it simple I will select the registered email address for jsconsulting.services from (WHOIS)

6 Enter your details for registration of the Certificate and for access to the COMODO SSL Site

7 Read the terms thoroughly and Accept if you are ready to continue
8 Validate the email sent to your WHOIS registered email

9 Download the CSR files as a zip




Citrix NetScaler Certificates – Install your CA Response Cert

We will now take the certificate response file (CRT file) from our 3rd party Certificate Authority (CA) and install it onto the NetScaler device, then combine the CRT with the private key to create a fully functional NetScaler certificate.

Step Description Screenshot
1 Expand Traffic Management > SSL > SSL Files

Click Upload

2 Browse for your Certificate file (provided by your 3rd Party CA)

Click Open

Note: The file is uploaded to the NetScaler but not yet usable!

3 Browse to Traffic Management > SSL > Server Certificates

Click Install

4 Give the new ‘Server Certificate’ a unique easily identifiable name

Certificate File: Choose the Certificate you just uploaded in step 2

Key File Name: select your private key file that is on the NetScaler

Provide the private key password

Click Install

5 Your certificate is now installed and ready to be used on NetScaler services, VIPs, NetScaler gateway etc.

Enabling SAML Authentication for AWS AppStream 2.0 with OKTA

OKTA – Create Application

Step Description Screenshot
PRQ Generate metadata from Okta
1 Be sure to be accessing the ‘Classic UI’ and not the developer console

2 Click Add Applications
3 Search for ‘appstream’

Click Add

4 Provide Application label

Click Done

5 Click Sign On tab
6 Click Identity Provider metadata

Save the metadata file locally (you will upload this to AWS configuration)

AWS – Create SAML Provider

Step Description Screenshot
PRQ Generate metadata from Okta (above steps)
1 Open AWS Console

Click IAM

2 Click Identity Providers

Click Create Provider

3 Choose Provider Type: SAML

Give Provider a Name: <Name>

Upload your okta_metadata.xml file

4 Click Create

Note your ProviderARN

5 You will be taken back to the identity providers screen
6 Click on the provider name ‘Okta’

Take note of your Provider ARN

AWS – Create Policy and Role

Step Description Screenshot
7 In IAM Click Policies

Click Create Policy

8 Click Create Your Own Policy
9 Give your policy a recognisable Name and Description and paste in the policy details as provided

This will give users access to all published stacks

You can change the resource from * to your specific stacks like this:

"Resource": "arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME",

10 Policy Details:

This gives users access to stream AppStream apps and to access all Stacks and resources within.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "appstream:Stream",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "appstream:userId": "${saml:sub}",
          "saml:sub_type": "persistent"
        }
      }
    }
  ]
}
11 Click Roles

Click Create Role

12 Click SAML 2.0 federation
13 Select your SAML Provider created previously

Tick ‘Allow programmatic access only’

Type in Attribute ‘SAML:aud’

Value: https://signin.aws.amazon.com/saml

Click Next: Permissions

14 Select the previously created AppStream policy

Click Next: Review

15 Click Create Role
16 Click onto the Role Name and take note of the ARN


OKTA – Configure Application

Step Description Screenshot
17 Take your ARN from both steps 12 and 22

And combine them separated with a comma

I.e. roleARN,providerARN


For example if your Role ARN is:

arn:aws:iam::123456789012:role/OktaAppStreamUsers and your IDP ARN is arn:aws:iam::123456789012:saml-provider/OKTA, enter (no white spaces):

arn:aws:iam::123456789012:role/OktaAppStreamUsers,arn:aws:iam::123456789012:saml-provider/OKTA

18 In the Okta Console under your Application

Click the Sign On tab

19 Click Edit
20 Provide the Default Relay State for your appstream sessions

Example

Appstream infrastructure is based in Ireland eu-west-1

AppStream stack is called Appstream

Account id is 123456789123

Our Relay State URL example

https://appstream2.eu-west-1.aws.amazon.com/saml?stack=Appstream&accountId=123456789123

See AWS Documentation

21 Provide the Role ARN and Idp ARN

roleARN,providerARN

Select Application username format: Okta username

22 Click Save
23 Assign this application to your Okta users

Click Assignments Tab

Click Assign to People/groups

Click Assign button against each Okta user you want to have access to this new app.

References

Okta Guide – http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-AppStream-2-0.html

AWS Guide – http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms