NetScaler Gateway StoreFront XenApp Configure Using PowerShell


How to Automatically Configure NetScaler Gateway 11.1 with StoreFront 3.6 and XenApp/XenDesktop 7.9

Introduction

The purpose of this document is to provide the automated steps required to configure NetScaler Gateway to work with StoreFront, XenApp, and XenDesktop. This document acts as a companion to the original document, How to Configure NetScaler Gateway 11.1 with StoreFront 3.6 and XenApp/XenDesktop 7.9, where the configuration steps use a manual approach.

Throughout this document, each configuration step is the automated equivalent of the step in the original document, and the intent is to achieve the same configuration.

During configuration, you will use the built-in NetScaler tools to create a server certificate request for NetScaler Gateway and to install the certificate on the NetScaler Gateway virtual server. To create the certificate, you will use Microsoft Certificate Server to issue the server certificate and provide the associated CA certificate.

The target audience for this document includes developers and testers who want to set up a representative environment for testing external access scenarios in an automated fashion.

While this document shows a single configuration only, you can use the steps as the basis for similar or more advanced configurations.

Contents

How to Automatically Configure NetScaler Gateway 11.1 with StoreFront 3.6 and XenApp/XenDesktop 7.9
  Introduction
  Network Diagram
  Bootstrapping the NetScaler VPX: XenServer
  PowerShell Commands
    PowerShell Snap-in: Registration
    PowerShell Module: Import
    PowerShell Snap-in/Module: Configuration
  Configure NetScaler Gateway: Initial Configuration
    Connect to the NetScaler Gateway Virtual Appliance
    Disable the Customer User Experience Improvement Program (CUXIP)
    Add a Subnet IP Address
    Set the NetScaler Gateway Host Name
    Set the DNS IP Address
    Set the Time Zone
    Upload NetScaler Gateway Licenses
    Save the Current NetScaler Gateway Configuration
    Restart NetScaler Gateway (Warm)
  Configure the NetScaler Gateway: Features
    Enable NetScaler Gateway Feature: NetScaler Gateway
    Enable NetScaler Gateway Feature: SSL
    Enable the NetScaler Gateway Feature: AAA
  Configure the NetScaler Gateway: Administrator Password
    Change the Administrator Password
  Configure the NetScaler Gateway: NTP
    Add a Network Time Protocol (NTP) Server
    Enable NTP Synchronization
  Certificate Authority: Backup
    Install the Microsoft Certificate Authority
    Backup Certificate Authority
    Upload .p12 File to NetScaler Gateway
  Configure NetScaler Gateway: Certificates
    Convert the .p12 File to the .PEM format
    Create an SSL RSA Key
    Create a Certificate Request
    Create a Server Certificate
    Install the Server Certificate Key Pair
    Install the Domain CA Certificate
  Configure the NetScaler Gateway: DNS
    Add a DNS Suffix
  Configure the NetScaler Gateway: Default Gateway
    Add a NetScaler Gateway Virtual Server
    Create an LDAP Authentication Action
    Create an LDAP Authentication Policy
    Bind the LDAP Authentication Policy to NetScaler Gateway
    Create a NetScaler Gateway Session Action: Native Receiver
    Create a NetScaler Gateway Session Action: Web Browser
    Create a NetScaler Gateway Session Policy: Native Receiver
    Create a NetScaler Gateway Session Policy: Web Browser
    Bind the NetScaler Gateway Session Policy to the Virtual Server: Native Receiver
    Bind the NetScaler Gateway Session Policy to the Virtual Server: Web Browser
    Bind the Secure Ticket Authority (STA) Servers to the NetScaler Gateway Virtual Server
    Bind the Server Certificate to the NetScaler Gateway Virtual Server
    Bind the CA Certificate to the NetScaler Gateway Virtual Server
  Configure the NetScaler Gateway: Backup
    Save the Current NetScaler Gateway Configuration
    Backup the Current NetScaler Gateway Configuration
  StoreFront Configuration
  Test the deployment from a Windows computer connected to the Internet

Network Diagram

The following diagram shows an example of the components in a NetScaler Gateway, XenApp/XenDesktop and StoreFront deployment.

NetScaler Gateway will use the following network IP addresses:

  NetScaler Gateway (NSIP): 192.168.18.20
  Subnet (SNIP): 192.168.18.21
  Virtual (VIP): 192.168.18.22

Bootstrapping the NetScaler VPX: XenServer

The NetScaler VPX virtual appliance can be auto-provisioned on several supported hypervisors by using the installation method for each one (see the section "PowerShell Commands"). When the appliance first starts, the NetScaler VPX determines whether the configuration file (/nsconfig/ns.conf) exists. If the file does not exist, the NetScaler queries a data store on the hypervisor on which it is running for the NetScaler IP address (NSIP), subnet mask and default gateway IP address.

The steps in this document use Citrix XenServer to install and configure the settings for NetScaler Gateway, StoreFront, XenApp, and XenDesktop. First, install the NetScaler VPX image on XenServer.

1. Download the latest NetScaler VPX virtual appliance from www.citrix.com and import it to XenServer.
2. Make sure the NetScaler VPX virtual appliance is turned off.

After installing the appliance on XenServer, the NetScaler VPX virtual appliance attempts to retrieve the NetScaler Gateway IP address, subnet mask and default gateway IP address from a data store on XenServer named XenStore. It is possible to populate XenStore with the initial network configuration for the NetScaler VPX virtual appliance. Citrix provides PowerShell bindings in the form of both a PowerShell snap-in (for versions earlier than XenServer 6.5) and a PowerShell module (for XenServer 6.5 to the current version), both of which can be used to configure the NetScaler Gateway network settings.

PowerShell Commands

This section contains the PowerShell commands that are appropriate for the PowerShell snap-in and the PowerShell module. Citrix recommends using the most recent PowerShell module.

For information about auto-provisioning the NetScaler Gateway virtual appliance on Microsoft Hyper-V or VMware ESX, see the topics Installing Citrix NetScaler Virtual Appliances on Microsoft Hyper-V Servers and Installing NetScaler Virtual Appliances on VMware ESX in the Citrix product documentation.

PowerShell Snap-in: Registration

Download the XenServer PowerShell snap-in from: XenServer Development Components SDK (Software Development Kit)

Note: The Software Development Kit contains both the latest and the older, deprecated snap-ins. Install the latest snap-in from the folder 'XenServerPSSnapin'.

Once installed, open a new 32-bit PowerShell process and add the now registered XenServer snap-in to the current PowerShell session.

  Add-PSSnapin XenServerPSSnapIn -ErrorAction Stop

PowerShell Module: Import

Download the XenServer PowerShell module from: XenServer Development Components SDK (Software Development Kit)

Once downloaded, import the PowerShell module manifest by using the PowerShell Import-Module command.

  Import-Module "<PathToXenServerModule>\XenServerPSModule.psd1"

PowerShell Snap-in/Module: Configuration

With the snap-in registered or the module loaded, store the plain text hypervisor password in a PowerShell secure string object.

  $Password = ConvertTo-SecureString "<myPassword>" -AsPlainText -Force

Using the secure string object built above, we can now create a PowerShell PSCredential object, which we can then use to connect to XenServer directly.

  $Username = "<hypervisor username>"
  $Credentials = New-Object System.Management.Automation.PSCredential($Username, $Password)
  Connect-XenServer -Server "<Hypervisor IP>" -Creds $Credentials -NoWarnCertificates -Port 80 -SetDefaultSession

Store the Universally Unique Identifier of the NetScaler VPX VM:

  $NsVpxVmUuid = ((Get-XenVM | ? { $_.name_label -ieq "netscaler virtual appliance" }).uuid)

Store the NetScaler VPX VM in a PowerShell object:

  $VPXVM = (Get-XenVM | ? { $_.uuid -eq "$NsVpxVmUuid" })

Clear the current XenStore data values:

  Set-XenVM -VM $VPXVM -XenstoreData $null

Store the NetScaler Gateway IP address, default gateway and subnet mask addresses in an object:

  $Dictionary = New-Object 'System.Collections.Generic.Dictionary[String,String]'
  $Dictionary.Add("vm-data/ip", "<NetScaler IP>")
  $Dictionary.Add("vm-data/netmask", "<Subnet Mask>")
  $Dictionary.Add("vm-data/gateway", "<Gateway Address>")

Populate the XenServer XenStore with the NetScaler Gateway initial configuration parameters:

  Set-XenVM -VM $VPXVM -XenstoreData $Dictionary

Now that the initial NetScaler configuration is complete, start the NetScaler VPX virtual appliance:

  Invoke-XenVM -VM $VPXVM -XenAction "Start" -Verbose

Finally, disconnect from XenServer:

  Disconnect-XenServer

With the NetScaler VPX virtual appliance now bootstrapped, we will proceed with configuring the appliance by using the NITRO REST API from within our existing PowerShell session.

Configure NetScaler Gateway: Initial Configuration

These are the commands to configure NetScaler Gateway. Each NITRO request below targets the configuration resource named by the top-level key of its JSON payload, at http://192.168.18.20/nitro/v1/config/<resource>?action=<verb>, and reuses the web session created at login.

Connect to the NetScaler Gateway Virtual Appliance

  # The factory default credentials are used here; the administrator password is changed later in this document.
  $login = @{"login" = @{"username" = "nsroot"; "password" = "nsroot"; "timeout" = "900"}} | ConvertTo-Json
  Invoke-RestMethod -Uri "http://192.168.18.20/nitro/v1/config/login" -Body $login -Method POST -SessionVariable NetScalerSession -ContentType application/json

Disable the Customer User Experience Improvement Program (CUXIP)

  $payload = @{"systemparameter" = @{"doppler" = "disabled"}} | ConvertTo-Json
  Invoke-RestMethod -Method PUT -Uri "http://192.168.18.20/nitro/v1/config/systemparameter" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Add a Subnet IP Address

  $payload = @{"nsip" = @{ipaddress = "192.168.18.21"; netmask = "255.255.255.0"; type = "SNIP"; vserver = "ENABLED"; mgmtaccess = "DISABLED"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nsip?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Set the NetScaler Gateway Host Name

  $payload = @{"nshostname" = @{"hostname" = "NetScaler"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nshostname?action=set" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Set the DNS IP Address

  $payload = @{"dnsnameserver" = @{"ip" = "192.168.80.83"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/dnsnameserver?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Set the Time Zone

  $payload = @{"nsconfig" = @{"timezone" = "CoordinatedUniversalTime"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nsconfig?action=set" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Upload NetScaler Gateway Licenses

  # The license file is sent as a base64-encoded systemfile into /nsconfig/license/.
  $netScalerLicenseBase64 = [System.Convert]::ToBase64String((Get-Content C:\myLicense.lic -Encoding Byte))
  $payload = @{"systemfile" = @{filename = "myLicense.lic"; filecontent = $netScalerLicenseBase64; filelocation = "/nsconfig/license/"; fileencoding = "BASE64"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/systemfile?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Save the Current NetScaler Gateway Configuration

  $payload = @{"nsconfig" = @{}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nsconfig?action=save" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Restart NetScaler Gateway (Warm)

  $payload = @{"reboot" = @{warm = "true"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/reboot?action=reboot" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Configure the NetScaler Gateway: Features

Enable NetScaler Gateway Feature: NetScaler Gateway

  $payload = @{"nsfeature" = @{"feature" = "SSLVPN"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nsfeature?action=enable" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Enable NetScaler Gateway Feature: SSL

  $payload = @{"nsfeature" = @{"feature" = "SSL"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nsfeature?action=enable" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Enable the NetScaler Gateway Feature: AAA

  $payload = @{"nsfeature" = @{"feature" = "aaa"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nsfeature?action=enable" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Configure the NetScaler Gateway: Administrator Password

Change the Administrator Password

  # Replace the literal below with the new nsroot password; the existing session stays valid after the change.
  $payload = @{"systemuser" = @{"username" = "nsroot"; "password" = "password"}} | ConvertTo-Json
  Invoke-RestMethod -Method PUT -Uri "http://192.168.18.20/nitro/v1/config/systemuser?action=set" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Configure the NetScaler Gateway: NTP

Add a Network Time Protocol (NTP) Server

  $payload = @{"ntpserver" = @{servername = "0.uk.pool.ntp.org"; minpoll = "6"; maxpoll = "10"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/ntpserver?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

  $payload = @{"ntpserver" = @{servername = "1.uk.pool.ntp.org"; minpoll = "6"; maxpoll = "10"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/ntpserver?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

  # Mark the first server as the preferred NTP source.
  $payload = @{"ntpserver" = @{servername = "0.uk.pool.ntp.org"; minpoll = "6"; maxpoll = "10"; preferredntpserver = "YES"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/ntpserver?action=set" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Enable NTP Synchronization

  $payload = @{"ntpsync" = @{}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/ntpsync?action=enable" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Certificate Authority: Backup

For this document, we use Microsoft Certificate Authority to create the server certificate.

Install the Microsoft Certificate Authority

  # Install the AD CS role, then configure the certification authority with a 4096-bit key.
  Add-WindowsFeature Adcs-Cert-Authority
  Install-AdcsCertificationAuthority -AllowAdministratorInteraction -Force -KeyLength 4096

Backup Certificate Authority

  # Export the CA private key and certificate as a password-protected .p12 file.
  $Password = ConvertTo-SecureString "test123" -AsPlainText -Force
  Backup-CARoleService -Path C:\ -KeyOnly -Password $Password

Upload .p12 File to NetScaler Gateway

  $myP12 = [System.Convert]::ToBase64String((Get-Content C:\*.p12 -Encoding Byte))
  $payload = @{"systemfile" = @{filename = "DomainKeyAndCA.p12"; filecontent = $myP12; filelocation = "/nsconfig/ssl/"; fileencoding = "BASE64"}} | ConvertTo-Json

  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/systemfile?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Configure NetScaler Gateway: Certificates

Convert the .p12 File to the .PEM format

  $payload = @{"sslpkcs12" = @{outfile = "DomainKeyAndCA.PEM"; password = "test123"; pkcs12file = "DomainKeyAndCA.p12"; import = "true"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslpkcs12?action=convert" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Create an SSL RSA Key

  $payload = @{"sslrsakey" = @{keyfile = "VirtKey.key"; bits = "4096"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslrsakey?action=create" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Create a Certificate Request

  $payload = @{"sslcertreq" = @{reqfile = "TestGW.req"; keyfile = "VirtKey.key"; commonname = "testgw.hopto.org"; organizationname = "CitrixSystems"; countryname = "UK"; statename = "Cambridgeshire"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslcertreq?action=create" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Create a Server Certificate

  # The request is signed on the appliance with the domain CA key and certificate uploaded above.
  $payload = @{"sslcert" = @{certfile = "/nsconfig/ssl/serverCert.cer"; reqfile = "/nsconfig/ssl/TestGW.req"; certtype = "SRVR_CERT"; cacert = "/nsconfig/ssl/DomainKeyAndCA.PEM"; cakey = "/nsconfig/ssl/DomainKeyAndCA.PEM"; caserial = "/nsconfig/ssl/ns-root.srl"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslcert?action=create" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Install the Server Certificate Key Pair

  $payload = @{"sslcertkey" = @{certkey = "testgw.hopto.org"; cert = "serverCert.cer"; key = "VirtKey.key"; inform = "PEM"}} | ConvertTo-Json

  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslcertkey?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Install the Domain CA Certificate

  $payload = @{"sslcertkey" = @{certkey = "DomainCA"; cert = "DomainKeyAndCA.PEM"; key = "DomainKeyAndCA.PEM"; inform = "PEM"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslcertkey?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Configure the NetScaler Gateway: DNS

Add a DNS Suffix

  $payload = @{"dnssuffix" = @{dnssuffix = "hopto.org"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/dnssuffix?action=add" -WebSession $NetScalerSession -Body $payload -ContentType application/json

Configure the NetScaler Gateway: Default Gateway

Add a NetScaler Gateway Virtual Server

  # ICA-only mode restricts the virtual server to ICA proxy traffic (no full VPN tunnel).
  $payload = @{"vpnvserver" = @{name = "TestGW"; ipv46 = "192.168.18.22"; port = "443"; icaonly = "YES"; servicetype = "SSL"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnvserver?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Create an LDAP Authentication Action

  # sectype SSL makes the bind and user lookups use LDAPS against the domain controller.
  $payload = @{"authenticationldapaction" = @{name = "ldapAction"; serverip = "192.168.80.83"; ldapbase = "dc=hopto,dc=org"; ldapbinddn = "administrator@hopto.org"; ldapbinddnpassword = "myAdminPassword"; ldaploginname = "sAMAccountName"; sectype = "SSL"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/authenticationldapaction?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Create an LDAP Authentication Policy

  $payload = @{"authenticationldappolicy" = @{reqaction = "ldapAction"; name = "ldapPolicy"; rule = "ns_true"}} | ConvertTo-Json

  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/authenticationldappolicy?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Bind the LDAP Authentication Policy to NetScaler Gateway

NetScaler entity names are case-sensitive, so the bindings use the virtual server name exactly as it was created above (TestGW).

  $payload = @{"vpnvserver_authenticationldappolicy_binding" = @{name = "TestGW"; policy = "ldapPolicy"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnvserver_authenticationldappolicy_binding?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Create a NetScaler Gateway Session Action: Citrix Receiver

  # wihome: only the tail of the Receiver for Web URL survived; the default /Citrix/StoreWeb site path is assumed here.
  $payload = @{"vpnsessionaction" = @{"name" = "AC_OS_192.168.18.22_S"; "transparentinterception" = "OFF"; "splittunnel" = "OFF"; "defaultauthorizationaction" = "ALLOW"; "sso" = "ON"; "icaproxy" = "ON"; "wihome" = "https://XenStore05.virtdom.chsys3.com/Citrix/StoreWeb"; "clientchoices" = "OFF"; "ntdomain" = "hopto.org"; "clientlessvpnmode" = "OFF"; "storefronturl" = "https://XenStore05.virtdom.chsys3.com"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnsessionaction?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Create a NetScaler Gateway Session Action: Web Browser

  $payload = @{"vpnsessionaction" = @{"name" = "AC_WB_192.168.18.22_S"; "transparentinterception" = "OFF"; "splittunnel" = "OFF"; "defaultauthorizationaction" = "ALLOW"; "sso" = "ON"; "icaproxy" = "ON"; "wihome" = "https://XenStore05.virtdom.chsys3.com/Citrix/StoreWeb"; "clientchoices" = "OFF"; "ntdomain" = "hopto.org"; "clientlessvpnmode" = "OFF"; "storefronturl" = "https://XenStore05.virtdom.chsys3.com"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnsessionaction?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Create a NetScaler Gateway Session Policy: Citrix Receiver

  # Matches native Receiver clients: User-Agent contains CitrixReceiver and no Referer header is present.
  $payload = @{"vpnsessionpolicy" = @{"name" = "PL_OS_192.168.18.22"; "action" = "AC_OS_192.168.18.22_S"; "rule" = "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnsessionpolicy?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Create a NetScaler Gateway Session Policy: Web Browser

  # Matches browser clients: User-Agent does not contain CitrixReceiver and a Referer header is present.
  $payload = @{"vpnsessionpolicy" = @{"name" = "PL_WB_192.168.18.22"; "action" = "AC_WB_192.168.18.22_S"; "rule" = "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnsessionpolicy?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Bind the NetScaler Gateway Session Policy to the Virtual Server: Citrix Receiver

  $payload = @{"vpnvserver_vpnsessionpolicy_binding" = @{name = "TestGW"; policy = "PL_OS_192.168.18.22"; priority = "100"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnvserver_vpnsessionpolicy_binding?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Bind the NetScaler Gateway Session Policy to the Virtual Server: Web Browser

  $payload = @{"vpnvserver_vpnsessionpolicy_binding" = @{name = "TestGW"; policy = "PL_WB_192.168.18.22"; priority = "100"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnvserver_vpnsessionpolicy_binding?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Bind the Secure Ticket Authority (STA) Servers to the NetScaler Gateway Virtual Server

  # The STA servers must be the same Delivery Controllers that StoreFront is configured to use for ticketing.
  $payload = @{"vpnvserver_staserver_binding" = @{name = "TestGW"; staserver = "https://XenDDC23.virtdom.chsys3.com"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnvserver_staserver_binding?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

  $payload = @{"vpnvserver_staserver_binding" = @{name = "TestGW"; staserver = "https://Xenapp07.virtdom.chsys3.com"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/vpnvserver_staserver_binding?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Bind the Server Certificate to the NetScaler Gateway Virtual Server

  $payload = @{"sslvserver_sslcertkey_binding" = @{certkeyname = "testgw.hopto.org"; vservername = "TestGW"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslvserver_sslcertkey_binding?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Bind the CA Certificate to the NetScaler Gateway Virtual Server

  $payload = @{"sslvserver_sslcertkey_binding" = @{certkeyname = "DomainCA"; vservername = "TestGW"; ca = "true"}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/sslvserver_sslcertkey_binding?action=add" -WebSession $NetScalerSession -Body $payload -ContentType "application/json" -Verbose

Configure the NetScaler Gateway: Backup

Save the Current NetScaler Gateway Configuration

  $payload = @{"nsconfig" = @{}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/nsconfig?action=save" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"

Backup the Current NetScaler Gateway Configuration

  $payload = @{"systembackup" = @{"filename" = "NS_with_Network_and_Certs"; "level" = "full"; "comment" = "This is a backup."}} | ConvertTo-Json
  Invoke-RestMethod -Method POST -Uri "http://192.168.18.20/nitro/v1/config/systembackup?action=create" -WebSession $NetScalerSession -Body $payload -ContentType "application/json"
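The NITRO calls above discard the response body, so a failed step (wrong name, missing file, bad attribute) goes unnoticed until the test at the end. The following is an added example, not part of the Citrix document: a small wrapper that logs in with a PSCredential instead of a literal password, throws on any non-zero NITRO errorcode, and then reads back the virtual server, its certificate, STA and session policy bindings so the configuration built in this document can be checked from the same PowerShell session. Function names are hypothetical; the host, virtual server and certkey names are those used above.

```powershell
function Connect-Nitro {
    param(
        [Parameter(Mandatory)] [string] $NsIp,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Scheme = "http"   # the document uses http; switch to https once the NSIP presents a trusted certificate
    )
    $body = @{ login = @{ username = $Credential.UserName
                          password = $Credential.GetNetworkCredential().Password
                          timeout  = "900" } } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method POST -Uri "${Scheme}://$NsIp/nitro/v1/config/login" `
        -Body $body -ContentType "application/json" -SessionVariable session
    if ($resp.errorcode -ne 0) { throw "NITRO login failed: $($resp.message)" }
    return [pscustomobject]@{ BaseUri = "${Scheme}://$NsIp/nitro/v1/config"; Session = $session }
}

function Invoke-Nitro {
    param(
        [Parameter(Mandatory)] $Nitro,                                   # object returned by Connect-Nitro
        [Parameter(Mandatory)] [string] $Resource,                       # e.g. "vpnvserver" or "vpnvserver/TestGW"
        [ValidateSet("GET", "POST", "PUT", "DELETE")] [string] $Method = "GET",
        [string] $Action,                                                # NITRO action verb, e.g. "add" or "save"
        [hashtable] $Payload                                             # inner object; wrapped in the resource key
    )
    $uri = "$($Nitro.BaseUri)/$Resource"
    if ($Action) { $uri += "?action=$Action" }
    $params = @{ Method = $Method; Uri = $uri; WebSession = $Nitro.Session; ContentType = "application/json" }
    if ($Payload) {
        $key = ($Resource -split "/")[0]
        $params.Body = @{ $key = $Payload } | ConvertTo-Json -Depth 5
    }
    $resp = Invoke-RestMethod @params
    # Every NITRO response carries errorcode/message; anything other than 0 is a failed operation.
    if ($resp.errorcode -ne 0) {
        throw "NITRO $Method $Resource failed ($($resp.errorcode)): $($resp.message)"
    }
    return $resp
}

function Test-GatewayConfig {
    param([Parameter(Mandatory)] $Nitro, [string] $VServer = "TestGW")
    $vs   = (Invoke-Nitro $Nitro "vpnvserver/$VServer").vpnvserver
    $cert = (Invoke-Nitro $Nitro "sslvserver_sslcertkey_binding/$VServer").sslvserver_sslcertkey_binding
    $sta  = (Invoke-Nitro $Nitro "vpnvserver_staserver_binding/$VServer").vpnvserver_staserver_binding
    $pol  = (Invoke-Nitro $Nitro "vpnvserver_vpnsessionpolicy_binding/$VServer").vpnvserver_vpnsessionpolicy_binding
    [pscustomobject]@{
        VServer     = $vs.name
        State       = $vs.curstate        # expected "UP" once the server certificate is bound
        IcaOnly     = $vs.icaonly         # expected "ON" for the ICA proxy configuration in this document
        ServerCert  = ($cert | Where-Object { $_.ca -ne "true" }).certkeyname   # expected testgw.hopto.org
        CaCerts     = ($cert | Where-Object { $_.ca -eq "true" }).certkeyname   # expected DomainCA
        StaServers  = $sta.staserver      # expected the two Delivery Controller URLs
        SessionPols = $pol.policy         # expected PL_OS_... and PL_WB_...
    }
}

# Usage: prompt for the nsroot credential rather than embedding it in the script, then verify and save.
$nitro = Connect-Nitro -NsIp "192.168.18.20" -Credential (Get-Credential -UserName "nsroot" -Message "NetScaler administrator")
Test-GatewayConfig -Nitro $nitro | Format-List
Invoke-Nitro $nitro "nsconfig" -Method POST -Action "save" | Out-Null
```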
