Home » citrix » Page 3

Tag: citrix

Creating a Citrix NetScaler LDAP Authentication Policy for Administrators

Creating a NetScaler LDAP Authentication Policy for Administrators

In this walkthrough we will create an LDAP policy for administrators of the NetScaler and point this new policy to our singular, private, internal Microsoft AD LDAP server.

This will involve creating a server to bind to (i.e. telling the NetScaler what server to communicate with for LDAP services) and we will create a policy that will be bound to this newly created server record. Finally the policy and its associated server profile must be bound to the NetScaler so it knows where and when to use this LDAP policy. We will bind this policy globally to the NetScaler which means all users in the LDAP group as specified in the policy will be able to administer the NetScaler device.

Step Description Screenshot
 1 Log into your NetScaler

Expand System > Authentication > LDAP

And click the Add button

2 Give the policy a Name

e.g.

‘AUTHPOL_LDAP_Administrators’

Set the Expression as ‘ns_true

Click the + to add a new LDAP Server to authenticate against

Tip: If you keep the naming of the policies, servers and profile creations consistent it is much easier to find them when you have many multiple policies created on the NetScaler

3 Give the LDAP server profile a Name.

I usually give it the imaginative name of something like:

‘AUTHSERVER_LDAP’

Fill out the essential information for this server profile

Note: In this guide we are using the following recommended minimum examples:

IP Address / or Name: 192.168.1.11

Base DN: CN=Users,DC=Home,DC=Local

Admin Bind DN: admin@home.local (domain administrator account)

Admin Password: <password>

Search Filter: memberof= CN=Domain Admins,CN=Users,DC=home,DC=local

Server Logon Name Attribute: sAMAccountName

Group Attribute: memberof

Sub Attribute Name: cn

Tip: be sure to click the test connection button once you have finished the setup of this LDAP server profile to ensure it connects to your LDAP server successfully

Note: You should use appropriate LDAP details. If you are unsure consult with your AD/LDAP/Authentication team.

4 Tip: You can connect to a Domain Controller or any Windows machine with the RSAT tools installed to establish your base DN and admin bind DN by querying the accounts using dsquery user and dsquery group Examples:

If I want the NetScaler to search the Users OU in AD I could query a user name in that OU to get their Base DN

If you need to obtain the Group details for the ‘Search Filter’

 5 Click Test Connection and ensure your LDAP server is reachable

Note: the Admin Password is not copied when you duplicate these settings at a later stage so always be sure to re-enter them when creating additional AUTHSERVERS

 6 Click Create at the bottom of the ‘Create Authentication LDAP Server’
7 Click Create on the ‘Create Authentication LDAP Policy’ Window
8 Save the NetScaler Configuration

Click YES to the ‘Are you sure’ message

NetScaler SSH Command References:

Create LDAP Server add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase “CN=Users,DC=Home,DC=Local” -ldapBindDn admin@home.local -ldapBindDnPassword 1234561234561234561234561234561234561234561234561234561234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
Create LDAP Policy add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Initial NetScaler Setup – NSIP

Step Description Screenshot
Click on the Console button to get access to the VM console
Your NetScaler should be finished initializing and prompting for an IPv4 Address as part of the first run wizard

Provide an appropriate free IP address, subnet and default gateway from your local network

Once the details are entered type ‘4’ to save and quit and press enter to execute

The NetScaler will perform a quick, warm reboot

Note: In this guide we will use the following details for the NSIP

IP address: 192.168.1.50

Subnet Mask: 255.255.255.0 (also known as /24)

Default Gateway (internet router): 192.168.1.254

However you should use an appropriate IP address, netmask and gateway for your network and specific configuration. If you are unsure consult with your network administration team.

After reboot it will return to the login: prompt

Enter ‘nsroot’ as the username

Enter ‘nsroot’ as the password

These are the default NetScaler username and password

Once successfully authenticated

type ‘show ip’ and press return

Note: This command will show you all IP addresses registered on the active NetScaler

Tip: the NetScaler recognises short versions of the same command (provided it’s unique) for example the command ‘sh ip’ will also work

Type ‘shell’ and press return

Type ‘ifconfig’ and press return

Note: you can use the shell to perform more traditional BSD based Linux commands like ifconfig, route, ping, traceroute

Open your internet browser and point to the newly added NSIP of your NetScaler

Enter ‘nsroot’ as the username

Enter ‘nsroot’ as the password

Click enable or skip on the Citrix User Experience Improvement Program window
Welcome to the first time setup config page of the NetScaler GUI

Note: This page shows you that you have already set a NetScaler IP address (NSIP) which can be used for management of the NetScaler device, however you still need to set your DNS, Time Zone, Hostname, SNIP and to add licenses

Click on the Subnet IP Address section of the NetScaler GUI
Enter a Subnet IP as appropriate for your environment

Then click Done

Note: In this guide we will use the following details for the SNIP

IP address: 192.168.1.51

Subnet mask: 255.255.255.0 (also known as /24)

Default gateway (internet router): 192.168.1.254

However you should use an appropriate IP address, netmask and gateway for your network and specific configuration. If you are unsure consult with your network administration team

Note: A NetScaler will use its NSIP as a management IP address. It will utilise the Subnet IP address (SNIP) to communicate with back end servers etc on that specific assigned subnet

Click Host Name, DNS IP Address and Time Zone section of the NetScaler GUI
Enter the following details as appropriate for your configuration

Hostname

DNS IP Address

Time Zone

Then click Done

Note: In this guide we will use the following details for the Hostname, DNS and TimeZone

Hostname: ns1

DNS IP Address: 192.168.1.11 & 192.168.1.12 (the IP addresses of my singular Active Directory LDAP servers)

Time Zone: GMT+ 00:00-GMT-Europe/London

However you should use an appropriate IP address, netmask and gateway for your network and specific configuration. If you are unsure consult with your network administration team

Click Yes
The Initial Configuration of the NetScaler is complete

 

Install the NetScaler Trial License

Install the NetScaler Trial License

Only start this section once you have deployed your NetScaler on your chosen hypervisor platform.

Step Description Screenshot
When you access your NetScaler, and if you haven’t yet set a SNIP or a license you may be presented with the first run wizard

You can click the ‘Licenses’ section to upload your license file

Go to step 3 below

You can also access this from the NetScaler > System > Licenses menu and click Add New License
Select the option to Upload license files

Click Browse

Browse for the NetScaler license file you downloaded previously to select for upload

Restart your NetScaler

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

 

Download the NetScaler Trial License

Download the NetScaler Trial License

Only start this section once you have deployed your NetScaler on your chosen hypervisor platform.

Step Description Screenshot
Expand Step 2, click on License Management System to register your temporary license key
Sign in with the details you registered your trial license with

Tick the Citrix Store NetScaler VPX 1000... license key

Click Continue

Deploy your NetScaler and obtain its Host ID (MAC Address)

Log into the NetScaler console (user: ‘nsroot’, pass: ‘nsroot’)

Type ‘shell’ then press enter

Type ‘lmutil lmhostid –ether’ then press enter

Take the Host ID and enter that into the Citrix licensing console

Click continue

Click confirm
Click OK to download the license file(s)
Save the file for later use in these Labs

Download the NetScaler Firmware – mycitrix.com

 

Step Description Screenshot
1 Connect to http://www.mycitrix.com https://lh5.googleusercontent.com/A2sl2ICO5vWNFE5-Q4XbL5DRiD7XDefpkcYHgWRwliaIh2pJvvggcnWXwftUqg00UmZwhqeR1kEgazvipZ_9gQP-4m8ApsNn8RoTYuvTfotEAoapAYGN5gwvaqWuMKC4seo2xv-7
2 Click Downloads

Select NetScaler ADC as the product

https://lh4.googleusercontent.com/dSL_ZHl5YxPnr74bZ8SKfOAUFSG3qe-tsItYcbgEVDykwOtA5LSgpAqCbF01_la8chiQ42HfHpeTDNLuNHHjDW6hgr_t8w79dJMvTKxV-a9l9zdZtjptRY6rECDOCPVGk8b4kCEB
 3 Select the latest release Virtual Appliance (VPX) available to you

Note: At the time of writing the latest is 11.1-48.10

https://lh3.googleusercontent.com/Tsc7F9Nh8-Nl9W52nxYiu69M3-d4arLGWLlEXMtRc93WYec_9iWg44bPnmd4QfhW8eAglNXlGmaL6JQDT-NyMyO3ZFce7D9Czp-x7I6UqKDBIf-v-iyOKcq5yrktrdpJ39wW9ljB
4 Select VPX Package for New Installation

Select the right package for your hypervisor

Note: In the example we are downloading the NetScaler VPX Software for VMWare ESX

https://lh6.googleusercontent.com/Zs-nobrpvMDqDiYJGFWlh19AeoNsolvQEVxtSwCL0XFO36SHcGAKiXtOV5-NyFH6b_0SylK1eP7JySfo7cCl6KSBBnXRHeQgWrLo-a49OjX_YkV--3qA17OhQ39ckWu0bmy00GCj
5 Read the End-User license agreement carefully https://lh4.googleusercontent.com/xlOTQqaUFVu3Jn_mgeuIAT0oemgCMwwV8MoAhmhLP7G34D0q4cCdwzAu-NhnrPeqttpSDaI5Ww7jYvNI-JuP9a5DaMdZ4J_wzoF1-_j1yKz22cjYh32SxHHKiYVejQQN2fiuUbRf
6 If you choose to accept the EULA, tick ‘I have read…’ and click Accept

You should read the download agreement

Be sure you and your country comply with the Export Control laws

Finally save the file somewhere easily accessible later

https://lh3.googleusercontent.com/bPUHwtdg7rb-yNRafORPTtRaOSkUH2lU0AoSDJOhukEekYuKjhBE_hlFL-ANLp7nUpSNTitFOEH6FJopBE5DPNKizvi1gnaa242zyHvrM8TlLeYDJDVsAY-tErqEkyJzbGt5nIie

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Online NetScaler Course Update and Discount

Hey Everyone, Our “Masters of Cloud – Citrix NetScaler Introduction” course has recently been updated with a series of new videos, check it out now and as an added bonus there is a 50% discount link if you sign up before end of September!

https://www.udemy.com/citrix-netscaler-introduction/?couponCode=SEPTLINKEDIN

We hope you enjoy the updates and all the best on your learning journey!

JS Consulting and Masters of Cloud

Citrix Storefront 3.9 passthrough authentication issues

Situation:

After a customer recently upgraded to Storefront 3.9 some users complained of having to authenticate twice when using various browsers. Once in Storefront and once again in a Windows Login prompt when they launch their selected application.

This seems to be related to the way Storefront runs the receiver detection, if a compatible receiver is detected the users are prompted and asked if they want to ‘Log On’ with their local computer credentials. (see screenshot from Workaround 1 below).

Previously we have only ever used ‘username and password’ authentication, but this process seems to negate / bypass the authentication configured in Storefront.

Workaround #1:

The users should be prompted each time to ‘passthrough’ their windows local windows credentials by clicking ‘Log On’.

The users can skip the passthrough and simply click ‘switch to user name and password’

To use the account you used to sign on the computer, click Log On.

Workaround #2

If you have more than one Store in Storefront separate the authentication methods in Storefront so they are not shared between the stores (as pass through detection continued to happen regardless of the authentication method selected when shared between stores)

(note the storename has been obscured for customer anonymity)

Resolution:

In relation to the references section for setting up a good receiver configuration this customer had broken the majority of the rules for good reason. So there was no adhering to the Citrix best practises, so workaround 2 became their resolution based on other requirements (like not all users are domain joined, not all devices that connect are manager by the customer, rather 3rd parties to which they have no control, the users have no / little access locally to upgrade or install or modify receiver configurations – the list goes on)

Post the upgrade the Authentication method between two different stores were merged, and shared authentication was enabled. Regardless of the settings we were selecting / applying in the Browser, the pass through continued to haunt users and attempt to log them in with their local credentials.

Once we split the authentication, so it could be controlled separately between the two stores, the issues went away and we had more granular control.

There were are number of things the customer was not doing like configuring the receiver clients locally, and configuring the local receivers to support http:// as they have a large number of non domain joined users and this prevented a ‘one size fits all’ approach to deploying receiver and Storefront internally. Our final suggestion was to look to replace this entirely with NetScaler and HTML5 instead.

References

https://docs.citrix.com/en-us/receiver/windows/4-7/secure-connections/receiver-windows-configure-passthrough.html

Citrix Storefront Upgrade Failure 2.x to 3.9

Situation:

When trying to Upgrade our Citrix storefront servers from a 2.x version to 3.9 of storefront we encountered the following error: This meant the installation failed with the previous storefront version removed completely, and all configuration lost, and we were then unable to install any further version of Citrix Storefront.

Application Log Error, Source: Citrix Extensible Meta-Installer EVENTID: 0
Timestamp: 05/07/2017 19:04:43
Category:Error, WinError
Message:Unexpected exception. Message: Exception has been thrown by the target of an invocation.. Stack Trace =    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
  at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Citrix.Cxmi.CustomSandbox.ManagedDllLoader.CallStaticMethod(String typeName, String methodName, Dictionary`2 methodParams)
   at Citrix.Cxmi.Workflow.ExecuteTask.Execute()
   at Citrix.Cxmi.Workflow.WorkflowSequence.Execute()
   at Citrix.Cxmi.Workflow.WorkflowSequence.Execute()
   at Citrix.Cxmi.Workflow.WorkflowExtension.Run()
   at Citrix.Cxmi.Core.Engine.Run()
   at Citrix.Cxmi.Core.Program.Main(String[] args).

Things Tried:

Deletion of all local temp files – Failed

Complete uninstall and reinstall of Storefront versions – Failed

Reinstall of old version 2.x – Failed

Install of new 3.x  version as different user – failed

We had no choice but to revert the VM snapshot to recover the production Web server.

Solution:

Upgrade to Storefront 3.0 First, then attempt to upgrade to a higher version.

Citrix Cloud Connector Installation Unsuccessful on Windows Server 2016

Scenario

After multiple attempts to install the Citrix Cloud Connector software we continued to receive even after mutiple reboots.

Installation was unsuccessful. See below for details.
A system restart is pending. The system must be restarted before any products can be installed.

Solution

Simple delete / clear the windows registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

 

Citrix Cloud – Secure Browser Service

Summary

Citrix Have a cloud based secure browser service unsurprisingly called ‘Secure Browser Service‘. Here is a quick summary of the features / notes taken during a PoC for a customer.

Review

Basically this is an Azure hosted cloud delivery of URLS you specify to publish to users (either anonymously or via your own authentication methods) combined with a browser that is ‘locked down’. You can have Firefox, Chrome, IE11 or IE11 (64bit). Even for a quick test. It’s awesome. Quick, Simple and reliable.

Flash and Video support (youtube) are native, albeit it noticeably slow (but still worked even for a UK based user while the resources were Azure West US region!) Signing up for trial was simple and very quick via my mycitrix.com account (5 minutes after requesting the, trial was ready to go)

From a customisation perspective there is little that is changeable – and possibly will stay this way to keep the service offering simple – you can always deploy your own secure browser service via XA/XD for further customisations. Well done Citrix.

 

Initial Overview Page

Clicking Get started

Enter a Name, URL and select the browser and region

Browser and Region Options

 

I selected IE11 and West US as the region

Clicking Launch Application launched very quickly, but because its published initially in Kiosk mode my native response was to click ‘refresh’ which reloaded the entire published app – not the webpage (including back buttons etc)

Secure Browser service supports on prem apps / backends
Change Settings

Manage >

Enable non-kiosk mode

Launching with non-kiosk

Other sites were accessible

(But I didn’t push my luck)

youtube.com was noticeably slow but still worked, sound and all! Pretty good by default.
Where is it hosted and did it match the region published in – YES

 

Flash is available and the Internet speed was very fast

Flash quality was low and jittery – but was absolutely usable even with approx 150ms from my device to West US Azure

Statistics on usage
Summary Even for a PoC / Demo this is fantastic. Quick and simple and no obvious major issues. Well Done Citrix!