XenDesktop 5 with Access Gateway
How to set up an Access Gateway Enterprise Edition VPX for use with XenDesktop 5
www.citrix.com
Contents
Introduction ... 2
Example environment ... 2
Set up the VPX VM ... 3
NetScaler Configuration Utility ... 3
Licensing ... 7
Install a Certificate ... 8
Create/Configure Authentication Policy and Server ... 19
Create/Configure an SG Session Policy and Server ... 22
Create/Configure a Virtual Server ... 27
Configure your XenDesktop DDC and Web Interface ... 32
Router / Firewall ... 41
Test your connection ... 41
Smart Access Access Gateway settings ... 42
Smart Access XenDesktop DDC ... 44
Testing SmartAccess ... 50
FAQ ... 51
Troubleshooting ... 51
Acknowledgments ... 51
Introduction
The purpose of this document is to record the configuration of a Citrix Access Gateway Enterprise Edition for use with Citrix XenDesktop 5. While this document only attempts to record a single Access Gateway Enterprise Edition configuration, it also acts as a guide for anyone who wishes to create similar configurations.

Example environment
The following diagram shows the network layout of my example environment, and its typical components.
Set up the VPX VM
1. Download the latest VPX appliance from Citrix.com. A point to note is that the Access Gateway Enterprise Edition VPX is based on the NetScaler platform, and currently the download to choose is a NetScaler VPX.
2. Import the VPX appliance into your XenServer and connect it to your DMZ virtual LAN.
3. Start the VPX appliance, and log in to it from the XenCenter console (nsroot/nsroot).
4. Follow the text-based wizard to establish the following network settings:
   IP Address 192.168.2.20
   Netmask 255.255.255.0
   Gateway 192.168.2.1
5. Allow the VPX appliance to reboot when asked.
If you want to re-run this wizard, log in to the VPX appliance from the XenCenter console and run configns.
Note: A small number of the following screenshots show the VPX appliance with a network address of 192.168.20.n (incorrect), whereas the text uses a network address of 192.168.2.n (correct). That is, any references to 192.168.20.2 should read 192.168.2.2.

NetScaler Configuration Utility
1. From a suitable host within your DeskSide Lab (such as your DDC), use a browser to connect to http://192.168.2.20 and log in with the following credentials:
   User Name nsroot
   Password nsroot
   Start in Configuration
   Other defaults, or as required
2. Use the Configuration Utility to establish the following settings:
3. Add a Mapped IP address of 192.168.2.21.
4. The Virtual IP address is added later.
5. Add a DNS server (local=no). In this case it is a pointer to the domain controller at 192.168.1.83.
6. You might also wish to add some DNS Suffixes on the next tab down.
Network Routing should look like this:
Licensing
Details of NetScaler VPX Licensing can be found in CTX122426, and a NetScaler VPX Express License should be sufficient for five concurrent users. Obtain an Access Gateway Enterprise Edition VPX license, and use the NetScaler Configuration Utility to upload the license file to the VPX appliance. Once you have licensed your VPX appliance and rebooted it, your licence page should look something like this:

Enable Features
1. Right-click the SSL node in the left-hand pane and enable the SSL feature.
2. Right-click the Access Gateway node in the left-hand pane and enable the Access Gateway feature.
Install a Certificate
Within Development and Test environments, a possible source for a security certificate for a Web service is a private Windows Certificate Server. In this example environment, XenDC83 is a Windows Certificate Server. The following outlines the steps necessary to install a new certificate on to a NetScaler/Access Gateway Enterprise Edition.
1. Create an RSA key, and give it a name other than that in the above screenshot. The Create RSA Key tool has been moved to directly under the SSL folder in later builds.
   Note: You do not get very much feedback.
2. Click Close.
3. Create a Certificate Request and give it a Common Name other than the one used above. The Common Name should be the Fully Qualified Domain Name (FQDN) of your router. Use a passphrase that you can remember.
4. Copy the certificate request from /flash/nsconfig/ssl on the NetScaler / Access Gateway Enterprise Edition to a Windows PC (for example: XenDC83). The screenshot above is using WinSCP to copy the certificate. WinSCP is available from http://winscp.net.
5. Use Microsoft Certificate Services to Request a Certificate.
6. Click Advanced certificate request.
7. Click Submit a certificate request by using a base-64-encoded... file.
8. Use Notepad to cut the contents of the certificate request, and paste it into your Microsoft Certificate Request page.
9. Set Certificate Template to Web Server.
1. Download the Base 64 certificate, and use WinSCP to copy it to the /flash/nsconfig/ssl directory on the NetScaler / Access Gateway Enterprise Edition.
2. Restart the certificate request page and Download a CA certificate request..., in Base 64 format, and use WinSCP to copy it to the /flash/nsconfig/ssl directory on the NetScaler / Access Gateway Enterprise Edition.
3. Install the Certificate into the NetScaler.
   Note: If you get the error message "Certificate with key size greater than RSA512 or DSA512 bits not supported", you might not have installed a valid (VPX) licence onto the NetScaler.
4. Use the same form to install the CA certificate:
   Certificate-Key Pair Name = myca
   Certificate File Name = Your CA certificate file
   Private Key File Name = blank
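The mistakes that most often surface later in this procedure (a Common Name that is not the router FQDN, a template other than Web Server, a certificate that does not chain to the CA you install as myca) can be caught before the upload. The following PowerShell check is an added example, not part of the original document; it runs on any Windows host holding the two Base 64 files, such as XenDC83, and the file paths and FQDN are assumptions.

```powershell
# Added example (not from the original Citrix document): sanity-check the
# Base 64 server and CA certificates before copying them to the NetScaler.
$CertPath = 'C:\certs\agee.cer'     # assumed: downloaded Base 64 server certificate
$CaPath   = 'C:\certs\ca.cer'       # assumed: downloaded Base 64 CA certificate
$Fqdn     = 'agee.example.com'      # assumed: FQDN of your router, used as the CSR Common Name

$ns   = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" $CertPath
$ca   = New-Object "$ns.X509Certificate2" $CaPath
$problems = @()

# 1. Clients browse to https://<FQDN>, so the Common Name must be exactly that name.
$cn = $cert.GetNameInfo('SimpleName', $false)
if ($cn -ne $Fqdn) { $problems += "Common Name is '$cn', expected '$Fqdn'" }

# 2. The Web Server template gives the certificate the Server Authentication EKU;
#    if it is missing, the wrong template was chosen on the Certificate Services page.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $eku | ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { $problems += 'no Server Authentication EKU (was the Web Server template used?)' }

# 3. Use an RSA key of at least 2048 bits.
$bits = $cert.PublicKey.Key.KeySize
if ($bits -lt 2048) { $problems += "RSA key is only $bits bits; 2048 or more is recommended" }

# 4. The server certificate must chain to the CA certificate that you upload as 'myca'.
$chain = New-Object "$ns.X509Chain"
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) { $problems += "certificate chains to '$($root.Subject)', not to the supplied CA" }

# 5. Validity window, judged by this machine's clock.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += "not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))" }

# 6. Clients and the Web Interface server must trust the CA (later steps install it into
#    Trusted Root Certification Authorities); report whether this host does already.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $trusted) { $problems += 'CA certificate is not in this host''s Trusted Root store' }

if ($problems.Count -eq 0) { Write-Host "OK: $CertPath and $CaPath look ready to upload" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```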
Create/Configure Authentication Policy and Server
1. Create an Authentication Server.
2. Create an Authentication Policy.
Create/Configure an SG Session Policy and Server
1. Create an Access Gateway Session Policy.
2. Create an Access Gateway Session Profile.
3. Choose to use http or https.
Create/Configure a Virtual Server
1. Add your Server and CA certificates.
2. Select the SmartAccess button.
3. Insert your authentication policy.
4. Insert your SG session policy.
5. Add your Secure Ticket Authority (point to the DDC).
Configure your XenDesktop DDC and Web Interface
1. Add a CA certificate to the Trusted Root Certificate Authorities store of your Web Interface server.
2. You might also wish to add a Web Server certificate to your Web Interface server, but this is optional for the purposes of this document.
3. Add the following line to the hosts file on your DDC:
   192.168.2.2 FQDN of your Router (Common Name in AGEE certificate)
4. Set up a Web Interface site with Authentication at the Access Gateway:
5. Because you must use https here, the Authentication service URL must be the name used in the certificate installed above.
6. Click Next, and confirm settings.
7. Click Next.
8. Click Next, and confirm settings.
9. Specify a Default Secure Access Method of Gateway direct.
Router / Firewall
This example configuration uses a 3-legged router/firewall to connect the three networks together, and this is the minimum configuration necessary to establish a dev/test environment for testing with an access gateway. The devices used in this configuration are a router/firewall based on a Debian XenServer VM and the Shorewall (www.shorewall.net) package to handle the routing and firewalling configuration. Another option might be to use the Vyatta open source firewall/router. A pre-built XenServer template is available from www.vyatta.com.
Citrix Knowledge Base article CTX114355 gives details about which ports need to be open on your firewall/router.

Test your connection
1. Install a CA certificate on to any PC that you wish to use to access this XenDesktop farm.
2. To connect to your XenDesktop farm, from a client PC on the corporate network, browse to https://fqdn_of_your_router.
Smart Access Access Gateway settings
1. Create a new Session Policy and bind it to the SG Access Profile. The Expression is testing for a file on the client called C:\valid.txt. Note how the resulting expression indicates that it is looking for C:\\\\valid.txt. This is correct.
2. Insert the new Policy into the Virtual Server. Note that Down state flush is enabled and set to SmartAccess.
Smart Access XenDesktop DDC
1. On the Desktop Delivery Controller, enable Trust requests sent to the XML Service by issuing the following PowerShell command:
   set-brokersite -trustrequestssenttothexmlserviceport $true
   This is most easily done from Desktop Studio using the Launch PowerShell button.
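As an added check that is not part of the original document, the following PowerShell, run on the DDC, confirms the hosts-file entry made in the Web Interface section, the XML Service trust flag set above, and that the gateway answers by name, and notes the exposure that goes with the trust flag. The FQDN value and the snap-in name Citrix.Broker.Admin.V1 (the XenDesktop 5 Broker snap-in) are assumptions.

```powershell
# Added example (not from the original Citrix document): verify on the DDC the two
# settings this document makes there, and that the gateway is reachable by name.
$Fqdn      = 'agee.example.com'   # assumed: Common Name in the AGEE certificate
$GatewayIp = '192.168.2.2'        # address the document maps the router FQDN to
$problems  = @()

# 1. hosts entry: the DDC must resolve the gateway FQDN to the address given in this document.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*' + [regex]::Escape($GatewayIp) + '\s+' + [regex]::Escape($Fqdn) + '(\s|$)'
$entry     = Get-Content $hostsPath | Where-Object { $_ -match $pattern }
if (-not $entry) { $problems += "hosts file has no line '$GatewayIp $Fqdn'" }

# 2. XML Service trust. With this flag on, the broker trusts the Web Interface that
#    authenticated the user at the Access Gateway to vouch for that user, so the XML
#    Service port must be reachable only from trusted hosts: restrict it on the router.
Add-PSSnapin Citrix.Broker.Admin.V1 -ErrorAction SilentlyContinue   # assumed snap-in name
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    $problems += 'TrustRequestsSentToTheXmlServicePort is False; run set-brokersite -trustrequestssenttothexmlserviceport $true'
}

# 3. Web Interface authenticates at the gateway over https, so the DDC must reach
#    the FQDN on 443 (through the hosts entry checked above).
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($Fqdn, 443); $tcp.Close() }
catch { $problems += "cannot reach ${Fqdn}:443 from the DDC: $($_.Exception.Message)" }

if ($problems.Count -eq 0) { Write-Host 'OK: hosts entry, XML trust and gateway reachability all check out' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```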
2. From Desktop Studio (on the DDC), create an HDX Policy of type User for users connecting through the Access Gateway from a valid endpoint. For example, call it ValidEndpointYES.
3. Enter a name and click Next.
4. Set Client drive redirection to Allowed.
5. You might also wish to Allow Client fixed drives, Client floppy drives, Client network drives, Client optical drives, and Client removable drives.
6. Click OK and Next.
1. Add an Access Control Filter. Note that AG Farm Name and Access condition are case sensitive and must match the Virtual Server name and Policy name in the Access Gateway.
2. Click OK, OK again, and Next.
3. Click Create.
4. Modify the existing Unfiltered User policy to Prohibit Client drive redirection.
5. You might also wish to Prohibit Client fixed drives, Client floppy drives, Client network drives, Client optical drives, and Client removable drives.
6. Click OK, then OK again, to update the policy.
7. Adjust the priorities so that ValidEndpointYES has a higher priority than Unfiltered. Settings for Unfiltered should catch everyone who has not been caught by ValidEndpointYES.

Testing SmartAccess
If you connect to this XenDesktop farm and your client does not have a file called c:\valid.txt, you should not see any of your client drives mapped through to the XenDesktop session. If you create a file called c:\valid.txt on your client PC, and then connect to this XenDesktop farm, you should see your client drives mapped through to the XenDesktop session.
FAQ
Q. My environment is on a private network and just for testing. Do I need to set up certificates and use https?
A. Yes.

Troubleshooting
Check the event log of your DDC.
Use normal XenDesktop testing techniques.
Check your router VM to make sure that necessary communication between the Access Gateway and the internal LAN is not being blocked.
Maybe use Wireshark, in non-promiscuous mode, on your DDC to see if the Access Gateway Enterprise Edition is talking to your DDC.

Acknowledgments
This document is based in part on a number of earlier documents written by Jay Tomlin.