
Tag: citrix

Configure NetScaler Gateway SAML to Google with Citrix Federated Authentication

Prerequisites

 * Citrix FAS Service installation
 * XA/XD 7.6 or newer
 * StoreFront 3.6 or newer (I’ve tested with 3.9)
 * SAML provider acting as the IdP (Google in this instance)
 * NetScaler Gateway configured as the SAML Service Provider (SP)
 * Active Directory Certificate Services
 * Access to edit Windows GPOs and OUs so that the CFAS service location can be assigned by policy

Install The Citrix Federated Authentication Service (CFAS)

Mount the XA/XD ISO on your server and select the Federated Authentication Service
Read the license agreement and make your choice
Click Next
Click Next
Click Install
Click Finish
Create the GPO to point the FAS server to itself (see step 9)

When the GPO exists the ‘address’ field will be filled in for you automatically

Copy the Citrix ADMX and ADML files from C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions (the FAS install directory) to C:\Windows\PolicyDefinitions on the domain controller where you edit Group Policy, or to the central store in SYSVOL if you use one
Edit group policy to have the server point to itself for FAS

open gpmc.msc

browse to Computer Configuration > Administrative Templates > Citrix Components > Authentication > Federated Authentication Service

Enter the DNS address (FQDN) of the server hosting the FAS service (as per screenshot); the VDAs and StoreFront use this policy to locate the FAS server, so the name must resolve from all of them

Note: the VDA(s), the StoreFront and the FAS server all need to have this policy applied

run gpupdate /force
Right click the CFAS Administration console and always Run As Administrator
You should now have the CFAS server listed

Click OK

Click on Step 1 – Start Button
Click OK
You can verify the creation of the templates in ADCS
Once this is completed without errors click Start on Step 2
Click OK
Finally click Start on Step 3
Click OK
The console is waiting for the request to be approved (issued) from the AD Certificate Services
Log into the ADCS and Approve the pending Certificate request

Right click the Pending request

Select All Tasks

Select Issue

Step 3 will go green
Click the User Rules tab and configure the CA, the certificate template (CT) and the access control lists as appropriate. The FAS server can obtain logon certificates for any user a rule covers, so keep these ACLs tight: only the StoreFront server(s) that front the store should be permitted to use the rule.
Click Edit and add the StoreFront server so it is able to use the 'rule'

Remove Domain Computers, as they will be set to 'deny'

Click Apply

Create NetScaler SAML Policy to 3rd Party IdP (Google)

In this section we will create a new SAML Policy for the NetScaler to use Google as the SAML IdP.

Note: this cannot currently be bound to a Gateway when using the NetScaler RFWebUI ‘theme’.

Connect to admin.google.com
Click Apps
Click SAML Apps
Click the + to add a new SAML Application
Select Setup my own custom app
Take note of the IDP data you are provided and copy and paste your URL

Be sure to DOWNLOAD the Certificate and save this for uploading to the NetScaler later.

Describe your new app
Note: the default ACS URL for the NetScalers must have a trailing /cgi/samlauth
Click Finish

Summary of the App SSO Setup in the Google admin panel
Be sure to enable the new Application

click the three dots

Select

ON for everyone

Note: this new configuration will take up to 24 hours to be available. Prior to this being ready you may get a ‘user not found’ message.

Note: users will have access to a shortcut to this new app in their Google Console
Upload the Google IdP certificate to the NetScaler
Install it as a CA certificate (this is the signing certificate downloaded from the Google SAML app). The NetScaler uses it to verify the signature on every SAML assertion Google returns, so a wrong certificate fails every logon and it must be replaced when Google rotates the IdP key.
Here you can see the certificate installed as another CA Certificate
Expand NetScaler > Security>AAA – Application Traffic>Policies>Authentication>Basic Policies>SAML>Policies>Servers

Enter appropriate details for your new SAML profile

Note: the redirect URL and Single Logout URL will be unique to your Google account

Create a new SAML Authentication Policy

set the expression of this policy to ns_true

Link that to the newly created Google SAML Server

Bind this policy to your NetScaler Gateway

Click the + against Basic Authentication

Note: You may need to remove other Authentication policies (like LDAP) from the bound authentication before adding the SAML policy as the Primary method.

Choose SAML

Choose Primary

Click Continue

Select the SAML binding
Edit the NetScaler Gateway Session Profile (Session Server) and blank the Single Sign On Domain field

NetScaler Gateway > Click Session Policies

Select the policy and edit the profile
Ensure Single Sign-on Domain is empty
Ensure your google email matches your AD User Logon Name
If not you can add a new UPN for the domain from Active Directory Domains and Trusts
Add any Additional UPN suffix you may require to match your google email sign-in
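The UPN check above can be done in bulk from a Windows admin workstation before the Gateway is switched to SAML. The PowerShell below is an added example and is not part of the original post: it adds the UPN suffix once (the same change made through Active Directory Domains and Trusts) and then reports every Google sign-in address that has no matching userPrincipalName in AD, which is exactly the case that produces a failed FAS logon. The suffix value, the CSV export of Google users (google-users.csv) and its 'email' column are assumptions.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT module
# and a Google Admin user export (hypothetical file google-users.csv with an 'email' column).
Import-Module ActiveDirectory

$upnSuffix = 'jsconsulting.services'   # assumption: the domain users sign in to Google with

# Add the UPN suffix to the forest once; equivalent to AD Domains and Trusts > Properties
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $upnSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $upnSuffix }
}

# Every SAML NameID (the Google e-mail) must equal an AD userPrincipalName,
# otherwise FAS has no account to issue a logon certificate for.
$googleUsers = Import-Csv -Path '.\google-users.csv'
$report = foreach ($g in $googleUsers) {
    $email = $g.email.Trim().ToLowerInvariant()
    # -LDAPFilter avoids PowerShell filter quoting; escape RFC 4515 specials so a
    # crafted address in the export cannot change the filter
    $escaped = $email -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $adUser = Get-ADUser -LDAPFilter "(userPrincipalName=$escaped)"
    [pscustomobject]@{
        GoogleEmail = $email
        ADAccount   = if ($adUser) { $adUser.SamAccountName } else { '-' }
        Status      = if ($adUser) { 'OK' } else { 'NO MATCHING UPN' }
    }
}

$report | Format-Table -AutoSize
$missing = @($report | Where-Object Status -ne 'OK')
"$($missing.Count) of $($report.Count) Google users have no matching UPN"
```

Run it again after fixing the UPNs; only when the count of missing matches is zero should the SAML policy be made the primary authentication on the Gateway.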

Configure StoreFront to Delegate Authentication to NetScaler

Open Citrix Studio or StoreFront management
Select your Store and left click Manage Authentication Methods
Click Passthrough from NetScaler Gateway > Configure Delegated Authentication
Click OK
Note: You will need to trust requests sent to the XML service port on every Delivery Controller, otherwise pass-through from NetScaler Gateway (and the FAS logon) fails. With this setting the Broker accepts the user identity StoreFront asserts without a password, so restrict the XML port with a firewall so that only the StoreFront servers can reach it.

RDP to each Delivery Controller as a Citrix or local administrator, open PowerShell and run:

asnp Citrix*

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Note: You can verify the change by running Get-BrokerSite; TrustRequestsSentToTheXmlServicePort should show True.
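Worked example, added here and not part of the original post: run on each Delivery Controller, it sets the XML-port trust, confirms the change with Get-BrokerSite, and scopes the Windows firewall so that only the StoreFront servers can reach the XML port, which is what makes the trust setting safe to enable. The StoreFront addresses and the XML port number are assumptions for this lab.

```powershell
# Added example, not from the original post. Run elevated on each Delivery Controller.
Add-PSSnapin Citrix*            # same as 'asnp Citrix*'

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
if (-not (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort) {
    throw 'TrustRequestsSentToTheXmlServicePort is still False'
}

# With trust enabled the broker accepts whatever identity the XML client asserts,
# so only the StoreFront servers may talk to the XML port.
$storeFrontServers = @('192.168.1.21', '192.168.1.22')   # assumption: StoreFront server IPs
$xmlPort = 80                                            # assumption: default XML/STA port
$ruleName = 'Citrix XML service - StoreFront only'

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $xmlPort `
    -RemoteAddress $storeFrontServers -Action Allow -Profile Any | Out-Null

# Windows Firewall evaluates Block rules before Allow rules, so do not add a blanket
# Block on the port; instead make sure no other enabled Allow rule opens it to everyone.
$openToAll = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$xmlPort" -or $_.LocalPort -contains 'Any') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Where-Object { $_.DisplayName -ne $ruleName }

if ($openToAll) {
    Write-Warning 'Disable or narrow these rules; they expose the XML port to any host:'
    $openToAll | Select-Object DisplayName, Profile | Format-Table -AutoSize
}
```

If the XML service shares port 80 with IIS on the controller, the IIS "World Wide Web Services" rules will show up in the warning list; narrow their remote addresses too, or move the XML service to its own port.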

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!


Setup NetScaler Gateway VPN to use an LDAP Authentication Policy

 1 Let’s Bind the LDAP_NetScaler_Users policy now to this VPN / Gateway

(see previous posts on the creation of a LDAP policy, the one listed above is an example name based on our other posts)

2 Browse to the gateway and click Edit
3 Click the + on Basic Authentication

Choose LDAP as policy

Choose Primary Authentication

Click Continue

4 Select the LDAP policy you have created for NetScaler Users (and not administrators)
 5 Click Done
 6 Test and confirm
7 We must create an AAA Group and bind an authorisation policy to this group

Expand NetScaler Gateway > User Administration > AAA Groups

Click Add

8 Create a group name that MATCHES (Case sensitive) the AD group specified in the LDAP Policy/Profile

Click OK

 9 Attach the Authorization Policy to this group

Click + Authorization Policies on the right

10 Click the > to bring up the policy selection window
 11 Select the Authorization Policy previously created
12 Click Bind
13 Click Done


Configure NetScaler Gateway with Split Tunnelling

1 So that our users' devices know which networks are 'local' (reached directly) and which are remote (reached through the tunnel), we need to define the remote network resources
2 First we ensure that split tunnelling is enabled

NetScaler gateway > Global Settings > Change Global Settings

Click the Client experience tab

Change Split Tunnel to ON

With split tunnelling ON only traffic for the Intranet Applications defined in the next steps goes through the Gateway; everything else, Internet traffic included, leaves the device directly and is neither seen nor filtered by the Gateway. Leave it OFF if all client traffic must be inspected centrally.

Click OK

3 Expand NetScaler gateway > Resources > Intranet Applications

Click Add

4 Here we add the remote networks we want the users / VPN tunnel to have access to when the Gateway client is logged on

In this example we will use the full home.local network

Click Create

5 Browse back to NetScaler gateway > Global Settings tab

Click Define intranet applications…

6 Click Add
 7 Click the Right Arrow (or the + symbol next to the Resource) to include the new Intranet Resources for our Split Tunnel
8 Click OK
 9 Save your NetScaler configuration
 10 Test your VPN connectivity


Install the NetScaler Gateway Plugin for Microsoft Windows

Prerequisites

 * You should be a local administrator of the device where you are installing the gateway plug-in

1 Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from)

Open a web browser to the NetScaler VIP

Login

2 Select Network Access
3 Click Download
4 Click Run
5 Click Install

Note: You must be a local administrator to install this Software

6 Click Yes to any Windows UAC prompts
7 Click Finish
 8 The Gateway VPN will connect automatically and the web page will display the NetScaler VPN Home Page.

Configure Citrix NetScaler Unified Gateway – ICA Proxy

Prerequisites

 * DNS is configured on the NetScaler correctly
 * The internal or private IP address of the VIP assigned to the NetScaler Gateway
 * Know the details of your Citrix STA server(s) (our Citrix DDCs)
 * Firewall ports are open between the NetScaler and the StoreFront server
 * StoreFront already configured and set up (otherwise Retrieve Stores does not work)

In this section of the course we will connect the NetScaler Unified Gateway to our Citrix XA/XD Environment for ICA Proxy (Citrix sessions, no VPN).

Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Unified Gateway.

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps

Create the NetScaler Unified Gateway – Wizard

1 Log into NetScaler

Click Unified Gateway in the Left Pane under ‘Integrate with Citrix Products’

2 Click Get Started
3 Click Continue
 4 Enter the following details as appropriate for your configuration
Use the existing certificate already installed

Click Continue

 5 Select the appropriate LDAP server

Click Continue

6 Change Portal Theme to the New RFWebUI

(note RFWebUI does not currently work with SAML)

7 Click the + Icon
8 Select XenApp & XenDesktop

Select Integration point as StoreFront

 9 Enter the Details of your XA&XD STA and StoreFront server URLs then click Retrieve Stores

Receiver for Web Path will appear and be validated providing it can contact your Storefront server

Click Continue

Click Done
 10 You will be returned to the Applications Page and a StoreFront application will appear
11 Click Continue
12 On the summary page click Done
 13 Access the Unified Gateway Page and check you can log into the NetScaler page
14 Select Clientless Access

Click Desktops and ensure you can see your XA&XD Desktops

Load the desktop to ensure a full end to end test is performed

 


Deploy a Citrix StoreFront Server for Citrix NetScaler Access

In the following steps we will detail how to configure a stand alone installation of Citrix Storefront and give examples of how to connect this to your Citrix NetScaler

1 Open the Citrix StoreFront Console

Expand Citrix StoreFront

Click Stores

Click Create Store

2 Click Next
3 Give the store a name

Select Set this receiver for Web site as IIS Default

Click Next

4 Click Add

On the Add Delivery Controller screen click Add

Add Delivery Controllers FQDN

Untick Servers are load balanced

Select Transport type as HTTP

(use HTTPS wherever you can, and always if the StoreFront server is in a DMZ: over plain HTTP the XML traffic between StoreFront and the Delivery Controllers, including the credentials and launch tickets it carries, crosses the network in clear)

Click OK

 5 Click Next
 6 Enable Remote Access

Ensure Allow Users to access resources only delivered through StoreFront (No VPN Tunnel) is selected

Click Add

7 Enter details for the new gateway

Example: my gateway is called gateway.jsconsulting.services and the URL is https://gateway.jsconsulting.services

Click Next

 8 On the STA Screen

Click Add

Enter the FQDN of the Citrix XA/XD server

 9 Enter the FQDN of the STA server

Click OK

10 Untick Load balance multiple sta servers

Tick Enable session reliability

Untick request tickets from two stas, where available

Click Next

 11 Enter the NetScaler details – Leave logon type as domain

Enter the Callback URL as the same gateway URL entered in step 7, https://gateway.jsconsulting.services

Click Create

12 Click Finish
 13 Ensure default appliance is the NetScaler appliance created / added in steps 1 through 12

Click Next

 14 Ensure that both methods of Authentication are selected – Username and password and Pass through from NetScaler Gateway

Click Next

15 Leave both options ticked

Click Create

16 Click Finish
17 Back in the StoreFront console click the Receiver for Web Sites tab and copy your StoreFront URL

Open your internet browser and test this URL, then test the gateway URL:

https://gateway.jsconsulting.services

 


Citrix NetScaler Certificates – Creating a Certificate Signing Request (CSR)

1 Log into the NetScaler web interface (http://192.168.1.50 in this lab; outside a lab use HTTPS for the management interface, otherwise the admin credentials travel in clear)

2 Now that our private key has been created we need to create a Certificate Signing Request and sign it with our private key

Expand SSL > SSL Files

Click CSRs

Then click Create Certificate Signing Request (CSR)

3 In our example we will enter the details shown, then click Create:

Request File name: gateway.jsconsulting.services.csr
Key Filename: gateway.jsconsulting.services.privatekey
Key Format: PEM
PEM Passphrase: <private key password here>
Digest Method: SHA256
Common Name: gateway.jsconsulting.services
Organisation Name: JS Consulting Services
Organisational Unit: Technologies
Email Address: <your email address>
City: London
State or Province: London
Country: UNITED KINGDOM (encoded as C=GB in the CSR)

 4 CSR is created and signed with the private key all stored on the NetScaler in /nsconfig/ssl

Citrix NetScaler Certificates – Creating a Private RSA Key

1 Log into the NetScaler web interface (http://192.168.1.50 in this lab; prefer HTTPS for management)

 2 Expand traffic management

Right Click SSL

And select Enable Feature

Note: The yellow exclamation will disappear when the feature is enabled

Disabled

Enabled

3 Expand SSL > SSL Files > and click the button Create RSA Key
4 In this example we will enter the details shown, then click Create:

Key filename: gateway.jsconsulting.services.privatekey
Key Size (bits): 2048
Public Exponent Value: F4 (65537, the standard RSA public exponent)
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM & Confirm Password: <mypassword>

Note: the larger the key size, the more CPU each TLS handshake costs (the private-key operation the NetScaler performs per connection), not the certificate itself; 2048 bits is the usual minimum today.

DES3 here means Triple DES: DES applied three times (encrypt-decrypt-encrypt) with a 168-bit key, giving roughly 112 bits of effective strength. It is a legacy algorithm; choose AES256 for the PEM encoding if your firmware offers it. The passphrase only protects the key file at rest, so keep it separately from any downloaded copy of the key.

 5 Note: The private key should be downloaded and stored away from the NetScaler device (especially if the NetScaler is stored in a DMZ). This is in case the NetScaler device is compromised in any way. If your private keys are lost or compromised you would have to revoke your existing certificates and new certificates should be generated.

Creating a Citrix NetScaler LDAP Authentication Policy for Users

In this walkthrough we will create an LDAP policy for basic users of the NetScaler to authenticate against things like a new Virtual NetScaler Gateway.

This profile however will be identical to the previous administrators policy, only we will be looking for another AD group. Instead of ‘Domain Admins’ we will look for users who are members of the LDAP group called ‘NetScaler Users’.

Log into your NetScaler

Expand System > Authentication > LDAP

Click the Servers Tab

Tick the already existing AUTHServer_LDAP

Click the Add button

Tip: Because we selected the already created server profile, its configuration details are copied into this new server profile as 'defaults'

Note: The LDAP bind password is not copied when you duplicate these settings from a previously created policy so always be sure to re-enter them when creating additional AUTHSERVERS and test

Give the LDAP server profile a Name

e.g. AUTHSERVER_LDAP_NSUsers

Provide the following details of your LDAP server:

IP Address / or Name

Base DN

Admin Bind DN

Admin Password: Be Sure to RETYPE YOUR PASSWORD and click TEST

Server Logon Name Attribute: sAMAccountName

Group Attribute: memberof

Sub Attribute Name: cn

Note: In this guide we are using the following specific details as working examples

IP Address / or Name: 192.168.1.11

Base DN: CN=Users,DC=Home,DC=Local

Admin Bind DN: admin@home.local

Admin Password: <password>

Search Filter: memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local

Note: You should use appropriate LDAP details for your environment. If you are unsure consult with your AD/LDAP/Authentication team.

Tip: You can connect to your AD controller or any Windows machine with the Remote Server Administration Tools (RSAT) installed to establish your base DN and admin bind DN by querying the accounts with dsquery user and dsquery group. Examples:

dsquery user -samid admin

dsquery group -name "NetScaler Users"

The first returns the distinguished name of the bind account, the second the distinguished name of the group you need for the 'Search Filter'

Click Test Connection and ensure your LDAP server is reachable


Click Create at the bottom of the ‘Create Authentication LDAP Server’
Create another LDAP Policy to bind this new server profile to

Click the Policies tab

Tick the existing policy

Click Add

Note: Because we ticked the existing policy before clicking Add, its settings are copied into the new policy as defaults; only the name and the linked server profile need to change

Simply rename the policy to something new like AUTHPOL_LDAP_NSUsers

Link this new policy to the previously created server profile in steps 1-5 by selecting AUTHSERVER_LDAP_NSUsers from the drop down

Leave the Expression as is: ns_true

Click Create

Two LDAP Authentication policies now exist and can be used for authenticating users on the NetScaler

Note: The Administrators policy is the only policy presently bound to the NetScaler

NetScaler SSH Command References:

Create LDAP Server:

add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword 1234123412341234123412341234123412341234123412341234123412341234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn

Create LDAP Policy:

add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers

Note: As shown, the profile talks plain LDAP on port 389, so the bind password and every user password cross the network in clear. Add -secType SSL -serverPort 636 (LDAPS) or -secType TLS (StartTLS on 389), and use a dedicated read-only bind account rather than an administrator. The -ldapBindDnPassword value above is the encrypted form that 'show running' prints; when typing the command yourself, supply the plain password and omit -encrypted and -encryptmethod.
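Before committing the profile it is worth reproducing, from a Windows box, the three LDAP operations the NetScaler performs with these settings: an admin bind with the Bind DN, a search under the Base DN for (&(sAMAccountName=<user>)(<search filter>)), and a bind as the user's DN with the password they typed. The PowerShell below is an added example, not part of the original post or of Citrix's tooling; the LDAPS port, the test account name and the filter written without the space after '=' are assumptions.

```powershell
# Added example, not from the original post. Reproduces the three LDAP steps the
# NetScaler performs for AUTHSERVER_LDAP_NSUsers: admin bind, user search, user bind.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server      = '192.168.1.11'
$port        = 636                 # assumption: LDAPS (-secType SSL on the NetScaler); 389 is cleartext
$baseDn      = 'CN=Users,DC=home,DC=local'
$bindDn      = 'admin@home.local'
$loginAttr   = 'sAMAccountName'
# The GUI example shows 'memberof= CN=...'; written here without the space after '='
$groupFilter = 'memberof=CN=NetScaler Users,CN=Users,DC=home,DC=local'
$testUser    = 'bob'               # assumption: a member of 'NetScaler Users'

# Escape a user-supplied value per RFC 4515 so it cannot alter the filter structure
function ConvertTo-LdapFilterValue([string] $Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function New-LdapsConnection([string] $Dn, [securestring] $Password) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as the NetScaler does
    $conn.Credential = New-Object System.Net.NetworkCredential($Dn, $Password)
    $conn.Bind()                                                              # throws LdapException on failure
    return $conn
}

# 1. Admin bind with the Bind DN and password entered in the server profile
$admin = New-LdapsConnection $bindDn (Read-Host 'Admin bind password' -AsSecureString)

# 2. Search: the NetScaler ANDs the login attribute with the Search Filter
$filter = "(&($loginAttr=$(ConvertTo-LdapFilterValue $testUser))($groupFilter))"
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, $filter, 'Subtree', [string[]]@('distinguishedName'))
$resp = [System.DirectoryServices.Protocols.SearchResponse] $admin.SendRequest($req)
if ($resp.Entries.Count -ne 1) {
    throw "Filter $filter matched $($resp.Entries.Count) entries under $baseDn; the NetScaler would reject $testUser"
}
$userDn = $resp.Entries[0].DistinguishedName
"Found $userDn"

# 3. User bind with the password the user would type at the Gateway logon page
$null = New-LdapsConnection $userDn (Read-Host "Password for $testUser" -AsSecureString)
"User bind OK: $testUser would authenticate through AUTHPOL_LDAP_NSUsers"
```

A user who can bind but who is not in 'NetScaler Users' fails at step 2 with zero matches, which is the behaviour the group filter is meant to enforce; an admin bind failure at step 1 means the Bind DN or password in the profile is wrong, the usual cause of the "not copied" password problem noted above.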

 


Binding a Citrix NetScaler Global LDAP Authentication Policy for Admins

In this walkthrough we will create a LDAP policy for administrators of the NetScaler and bind it globally to the NetScaler

1 Log into your NetScaler

Expand System > Authentication > LDAP

Tick the newly created policy and click Global Bindings

 2 Click the > button to choose your newly created LDAP policy

Then click Select

Click Bind on the System Global Authentication LDAP Policy Binding Window

Click Done

3 Note: The LDAP Policy will have a green tick in the Globally Bound column, which means all members of the LDAP group named in the 'Search Filter' of the server profile can now authenticate against the NetScaler as NetScaler system users (they still need a matching group with command policies before they can do anything; see the next section)

Granting AD Group Permissions to the NetScaler

In the previous step we created an LDAP policy and bound it globally to the NetScaler so that all users who are members of the Active Directory group Domain Admins would be able to authenticate against the NetScaler and access the WebGUI. However these users will not have permission on the NetScaler itself to perform any administrative tasks, so we must link the AD group to appropriate permissions on the NetScaler.

1 Example of error message when logging in as user ‘admin@home.local’

Not authorized to execute this command [show ns license]

[show ns feature]

Note: a user name of just ‘admin’ would also work

Here you can see that the user is able to authenticate, but not perform any tasks on the NetScaler.

 2 Log into the NetScaler as nsroot

Browse to > System > User Administration > Groups

Click the add button

 3 Type in Group Name: ‘Domain Admins’

Note: The NetScaler group name must match the LDAP group name and is Case SeNsiTiVE

4 Under Command Policies

Click Bind

Tick Sysadmin

Click Insert

5 Click Create
6 Users who are members of the Domain Admins group in Active Directory will now have the sysadmin role on the NetScaler. Note: sysadmin is full control of the appliance; in production prefer a dedicated AD group for NetScaler administrators over Domain Admins, and give groups that only need to view configuration the read-only command policy instead.
7 A list of other roles on the NetScaler and what can be assigned are listed here on the Citrix Website http://docs.citrix.com/en-us/NetScaler/10-1/ns-system-wrapper-10-con/ns-ag-aa-intro-wrapper-con/ns-ag-aa-config-users-and-grps-tsk.html

 
