In part 4 of my 5-part series on basic NetScaler configuration, I will show you how to make your XenApp/XenDesktop environment securely available to your external users with Access Gateway Enterprise Edition (AGEE). In addition, your LDAP authentication queries will be load balanced (bonus!) and we’ll modify the theme to match StoreFront’s green bubble UI. As a prerequisite, the certificate you want to use for external access must already be loaded onto the NetScaler. I’ve got to say I really like the new AGEE setup wizard; it really simplifies setup compared with past releases.
If you would like to read the other parts in this article series please go to:
- How To: NetScaler 10.1 Deployment Part 1: Initial Config
- How To: NetScaler 10.1 Deployment Part 2: Load Balancing
- How To: NetScaler 10.1 Deployment Part 3: Load Balancing Cont’d
- How To: NetScaler 10.1 Deployment Part 5: VPN
Configuring Access Gateway
Step 1. Right-Click on “NetScaler Gateway” and click “Enable Feature”.
Step 2. Click “Configure NetScaler Gateway for Enterprise Store”.
Step 3. The following wizard (screenshot below) will open in a separate window. Click “Get Started”.
Step 4. Enter a name for your NetScaler Gateway vServer, an IP, and the port. I recommend using 443 for SSL and checking “Redirect requests from port 80 to secure port”. This automatically creates an entry in the load balancing vServers on port 80 with a redirect to your secure site, so if someone forgets to enter HTTPS:// they will still end up in the right place. Finally, enter the FQDN of your external gateway (e.g., citrix.company.com, access.company.com, myapps.company.com, etc.). Click Continue.
Step 5. Choose the certificate you want to use for securing access. You should have already preloaded it, so just select it from the drop down. Click Continue.
Step 6. Configure LDAP. Enter the IP of your LDAP vServer from the Load Balancing section of the NetScaler that we configured in part 2. Enter your Base DN, an Admin Base DN, use sAMAccountName, and then the password for the service account. Click Continue.
Step 7. Select XenApp/XenDesktop and then “StoreFront” from the drop down. Enter your internal StoreFront VIP (this would be the load balanced name, e.g. sf.company.com). Check “Use HTTPS” if your internal SF site is secure (it should be), then enter the Receiver for Web Path, the single sign on domain, and finally a secure ticket authority. Unlike prior versions of NetScaler, you do not have to enter the full path here, just http://FQDN:port. (Note: Once complete, edit the access gateway vServer properties and enter the remaining STAs in your environment, as a single STA here is a single point of failure.)
Step 8. Congratulations! You now have an Access Gateway vServer.
Step 9. (NOTE: As of this writing this is an issue I found; it may not be present in future builds, so you need to check.) Navigate to NetScaler Gateway -> Policies -> Session, then select the “Profiles” tab. Select a profile and click “Open”.
Step 10. Open the “Published Applications” tab and double check that your “Web Interface Address” and “Account Services Address” are using https. In my lab, even with “Use HTTPS” checked in the wizard I ended up with http addresses here. Repeat this for both session policies.
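The checks from Step 7's note and Steps 9-10 can also be run against a saved copy of the running configuration. The script below is an added example, not part of the original article: it assumes the session profiles appear in ns.conf as `add vpn sessionAction` lines with `-wihome` (Web Interface Address) and `-storefronturl` (Account Services Address), and that STAs appear as `bind vpn vserver ... -staServer`. All object names and hostnames in the sample are constructed.

```python
import shlex
from collections import defaultdict

# Constructed sample ns.conf lines (names, IPs and hostnames are made up).
SAMPLE_NS_CONF = '''\
add vpn sessionAction AC_WB_10.0.0.50 -defaultAuthorizationAction ALLOW -SSO ON -wihome "http://sf.company.com/Citrix/StoreWeb" -ntDomain company
add vpn sessionAction AC_OS_10.0.0.50 -defaultAuthorizationAction ALLOW -SSO ON -wihome "https://sf.company.com/Citrix/StoreWeb" -storefronturl "http://sf.company.com"
add vpn vserver agee_vs SSL 10.0.0.50 443
bind vpn vserver agee_vs -staServer "http://xd01.company.local:80"
'''

# Session profile options that should point at an https:// StoreFront address.
URL_OPTS = {"-wihome": "Web Interface Address",
            "-storefronturl": "Account Services Address"}

def audit(conf_text):
    """Return (object, check, value) tuples for each problem found."""
    findings, vservers, stas = [], [], defaultdict(set)
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        pairs = list(zip(tok, tok[1:]))  # (option, value) candidates
        if tok[:3] == ["add", "vpn", "sessionAction"]:
            # Steps 9-10: flag profiles left on plain http by the wizard.
            for opt, val in pairs:
                label = URL_OPTS.get(opt.lower())
                if label and val.lower().startswith("http://"):
                    findings.append((tok[3], label, val))
        elif tok[:3] == ["add", "vpn", "vserver"]:
            vservers.append(tok[3])
        elif tok[:3] == ["bind", "vpn", "vserver"]:
            for opt, val in pairs:
                if opt.lower() == "-staserver":
                    stas[tok[3]].add(val)
    # Step 7 note: a single STA is a single point of failure.
    for vs in vservers:
        if len(stas[vs]) < 2:
            findings.append((vs, "STA count", str(len(stas[vs]))))
    return findings

if __name__ == "__main__":
    for obj, check, value in audit(SAMPLE_NS_CONF):
        print(f"{obj}: {check} = {value}")
```
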
Modify Access Gateway Theme
Step 1. Navigate to NetScaler Gateway -> Global Settings. Click “Change Global Settings”.
Step 2. Navigate to the “Client Experience” tab and, towards the bottom, find “UI Theme”. Select “Green Bubble” from the drop down. Click “OK”.
Congratulations! Your login should now match the StoreFront green bubble theme.
OK, that’s it for part 4. We now have a NetScaler 10.1 configured with DNS and LDAP, load balanced; our internal XenApp/XenDesktop XML traffic is load balanced; our internal StoreFront servers are load balanced securely via SSL; and we have configured secure external access via Access Gateway (AGEE) and SSL and changed our theme. In the final article in the series I will hit on some bonus areas for configuring Policies & Profiles to allow VPN access, client choices, etc., so stay tuned!