Configuring NetScaler Access Gateway VPX and Citrix StoreFront

NOTE: An up-to-date blog with NetScaler 10.5 and StoreFront 2.5.2 can be found here!

In this blog I will describe step by step how to configure the Citrix NetScaler Access Gateway VPX with Citrix StoreFront: uploading the VPX to the XenServer, configuring the NetScaler, creating and installing the SSL certificate, creating and configuring the Access Gateway, redirecting to the Citrix StoreFront server and, finally, configuring the Citrix StoreFront server itself.

Before you begin, make sure you have the Java Runtime installed and that you have a license file for the NetScaler. The Citrix NetScaler Access Gateway needs an SSL certificate, so make sure you can have one issued by a CA. In this blog I will use and describe the steps for having the certificate issued by Go Daddy. To install and configure Citrix StoreFront 1.2, see my previous blog here.

Downloading and Uploading the NetScaler Access Gateway VPX to the XenServer

For this installation I will download “Access Gateway VPX for XenServer Build Enterprise Edition” from the Citrix website.

After downloading the VPX, open XenCenter, open the File menu and choose the option Import...
Browse to the VPX file and click Next.
Select your XenServer and click Next.
Select the storage you want to upload the NetScaler to and click Import.
Select the network interface you want to connect the NetScaler to and click Next.
Click Finish.

Configuring the NetScaler Access Gateway VPX

Start the NetScaler and go to the Console tab of the virtual machine in XenCenter.
Enter the desired IP Address (this will be the management interface IP address, a.k.a. the NSIP), Netmask and Gateway address.
After entering all the network information a menu should appear, but in this version of the NetScaler it does not. From earlier versions I know option 4 is “Save and Quit”, so type 4 and hit Enter.
After the NetScaler has rebooted, open Internet Explorer and enter the NSIP address (management interface IP address).
Log in with User Name nsroot and Password nsroot.
On the Configuration page, click Setup Wizard...
Click Next.
Enter the Host Name (bearing in mind that the host name in the license file is case sensitive).
In my case the resource servers are on the same subnet, so I choose the option Mapped IP and fill in the IP Address and Netmask.
Click Manage Licenses.
Click Add to browse to your license file.
Click OK.
Click No (!!).
Click Next.
Click Finish.
Optionally click Configure Time Zone, select the correct time zone and press OK.
Click Exit.
Click Reboot, select Save configuration and press OK.

Installing the SSL Certificate

On the Configuration tab go to the SSL menu and, on the right side of the screen, click Create RSA Key. Fill in the following information:
  Key Filename: “name”.key, anything you like
  Key Size (bits): 2048
  Public Exponent Value: F4
  Key Format: PEM
  PEM Encoding Algorithm: DES3
  PEM Passphrase: a password you like
  Verify Passphrase: same as above
Click Create and then Close.

The next step is to create a request that needs to be sent to the CA. On the right side of the screen click Create CSR (Certificate Signing Request) and fill in the following information:
  Request File Name: “name”.REQ, anything you like
  Key File Name: browse to the .KEY file you just created
  Key Format: PEM
  PEM Passphrase (For Encrypted Key): the password you specified in the previous step
  Common Name: the address the users will type in their browsers
  Organization Name: the name of your organization
  Country: your country
  State or Province: your state or province
  Challenge Password: a password you like
Click Create and then Close.

The .REQ file needs to be downloaded so it can be submitted to the CA. Go to “Manage Certificates / Keys / CSRs”, select the .REQ file and click Download. Click Browse to choose a “Save in” location, click Download and then Close. Open the .REQ file in Notepad and copy all the text.
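Before pasting the .REQ text into the CA's form, and again once the signed .crt comes back, it is worth checking that the files belong together. The shell script below is an added example and not part of the original blog: it reproduces the Create RSA Key and Create CSR dialogs above with OpenSSL (2048-bit RSA, exponent F4, PEM format, DES3 passphrase) and then runs the checks a practitioner wants before the Install step: the CSR's signature verifies, the private key's modulus matches the CSR and the certificate, and the certificate is still valid for a given number of days (the same figure the NetScaler shows as days to expiry after installation). The file names, the passphrase, the subject values and the self-signed stand-in certificate (used only because no CA is reachable offline) are all constructed; with a real CA you would point the same checks at the .crt it issued.

```shell
#!/bin/sh
# Added example (not from the original blog): OpenSSL equivalent of the NetScaler
# "Create RSA Key" / "Create CSR" dialogs, plus sanity checks before "Install".
# All names, the passphrase, the subject and the self-signed cert are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (constructed)
KEY="$WORK/gateway.key"                # Key Filename ("name".key)
REQ="$WORK/gateway.req"                # Request File Name ("name".REQ)
CERT="$WORK/gateway.crt"               # the .crt the CA returns (stand-in below)
PASS="example-passphrase-change-me"    # PEM Passphrase (constructed)

# Create RSA Key dialog: 2048 bits, public exponent F4 (65537, OpenSSL's default),
# PEM format, DES3-encrypted with the passphrase.
make_key() {
  openssl genrsa -des3 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
}

# Create CSR dialog: the Common Name is the address users will type in their browser.
# Subject values are constructed placeholders.
make_csr() {
  openssl req -new -key "$KEY" -passin "pass:$PASS" -out "$REQ" \
    -subj "/C=NL/ST=Example-State/O=Example Org/CN=gateway.example.com" 2>/dev/null
}

# Check 1: the CSR's self-signature verifies, i.e. the text you copy out of
# Notepad and paste at the CA is intact.
csr_ok() {
  openssl req -in "$REQ" -noout -verify >/dev/null 2>&1
}

# Check 2: key and CSR/certificate share one RSA modulus, i.e. the .KEY file you
# browse to in the Install dialog really belongs to the .crt the CA issued.
#   $1 = key file, $2 = CSR or certificate, $3 = "req" (CSR) or "x509" (cert)
same_modulus() {
  k=$(openssl rsa -in "$1" -passin "pass:$PASS" -noout -modulus | openssl sha256)
  c=$(openssl "$3" -in "$2" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ]
}

# Check 3: certificate still valid for at least $2 days (what the NetScaler shows
# as days to expiry after Install). Exit status 0 = still valid for that long.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-in for the CA-issued .crt: self-signed from the same key, 90 days.
# Only so the checks can run offline; not something to install on the gateway.
make_demo_cert() {
  openssl x509 -req -in "$REQ" -signkey "$KEY" -passin "pass:$PASS" \
    -days 90 -out "$CERT" 2>/dev/null
}

make_key
make_csr
make_demo_cert
csr_ok                           && echo "CSR signature verifies"
same_modulus "$KEY" "$REQ"  req  && echo "private key matches CSR"
same_modulus "$KEY" "$CERT" x509 && echo "private key matches certificate"
valid_for_days "$CERT" 30        && echo "certificate valid for at least 30 more days"
```

The modulus comparison is the check that catches the most common Install failure in practice: a .crt that was issued for a different CSR (for example after a re-key at the CA) silently does not match the .KEY file you browse to, and the pair is rejected.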
Go to your CA (in my case Go Daddy) to create the certificate, or re-key an existing certificate, by pasting the text from the .REQ file. After the certificate has been created, download it, selecting IIS7 as the server type.

After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and upload the .crt file.

Go to the menu SSL > Certificates. At the bottom of the screen click Install... and fill in the following information:
  Certificate-Key Pair Name: any name you want
  Certificate File Name: browse to the .crt file you just uploaded
  Private Key File Name: browse to the .KEY file created earlier
  Password: the password entered when creating the request
  Certificate Format: PEM
Click Install and Close. After the installation you can see the status and the number of days until the certificate expires.

Create the Access Gateway Virtual Server

On the Configuration tab go to VPN and, on the right side, click Access Gateway wizard.
Click Next.
Fill in the IP Address; this is the (internal) address your outside IP address must point to. Fill in port number 443 and the Virtual Server Name (anything you like). After this wizard, configure your router and/or firewall to forward port 443 (and optionally port 80) from outside to this IP address.
Under Certificate Options choose Use an installed certificate and private key pair. Under Server Certificate choose the certificate installed in the previous step.
Fill in the DNS Server IP Address of your DNS server and leave WINS IP Address blank. Choose DNS as Name Lookup Priority and click Next.
Choose LDAP as the authentication type. Under Connection Settings fill in the requested information as shown in the screenshot and click Retrieve Attributes.
Click OK.
Set Configure Authorization to Allow. Optionally you can enable Port 80 redirection.
Click Next.
Select what is applicable and click Next.
Click Finish.
Click Exit.

The next step is to configure the LDAP server and LDAP policy and assign them to the Access Gateway.

Go to the menu VPN > Policies > Authentication/Authorization > Authentication > LDAP. On the right side of the screen select the Servers tab and, at the bottom of the screen, click Add. Fill in the following information:
  Name: any name you want
  IP Address: the IP address of your AD Domain Controller
  Base DN (location of users): the Distinguished Name of the domain
  Administrator Bind DN: a domain administrator account name
  Administrator Password: the password of the domain administrator account
  Confirm Administrator Pass: same as above
Click Retrieve Attributes.
Click OK.
Click Create and Close.

Go to the Policies tab and click Add. Fill in the following information:
  Name: any name you want
  Server: the LDAP server created in the previous step
Select the True value, click Add Expression, then click Create and Close.

Go to the menu VPN > Virtual Servers; on the right side of the screen, right-click the server and click Open. Go to the Authentication tab and click Insert Policy to apply the policy created in the previous step. Click OK.

At this moment you can already log on to the NetScaler with the external URL (you must have configured the router to allow the 443 traffic to the Access Gateway IP address).

Configure Access Gateway to redirect to Citrix StoreFront

Go to the menu VPN and, on the right side of the screen, click Published application wizard.
Click Next.
Select the Virtual Server Name created in the previous steps and click Next.
Under “Web Interface Address” enter the internal web address of the Citrix StoreFront server. Under “Single Sign-on Domain” enter your domain name. Click Add to add the STAs of your XenApp server(s) and/or XenDesktop server(s) in this format: “http(s)://<servername>”.
In previous versions it was necessary to add “/scripts/ctxsta.dll” to this path, but with this version of the NetScaler it is not needed (in my case).
Click Next.
Select “SETVPNPARAMS_POL” and click Next.
Click Finish.
Click Exit.

Citrix StoreFront has a “Green Bubble” theme by default. This theme is also available in the NetScaler Access Gateway. To configure the same theme on the NetScaler, go to the menu VPN > Global Settings and, on the right side of the screen, click Change global settings. Open the Client Experience tab and select the GREENBUBBLE UI Theme. Click OK. Go to the Published Applications tab and set ICA Proxy to ON. Click OK.

Configure Citrix StoreFront

The final step is to configure the Citrix StoreFront server to work with the NetScaler Access Gateway.

Go to the StoreFront server, open the Authentication tab and, on the right side, click Add/Remove Methods. Select all the options and click OK.
Go to the Gateways tab and, on the right side of the screen, click Add Gateway Server.
Fill in the Display name (any name you like). In the Gateway URL field fill in the external NetScaler address users will enter in their browsers (https://...) and add “/Citrix/<storename>Web” to the end of it (see screenshot). Click Next.
Fill in the Callback URL; this is the external NetScaler address (https://...). Click Next.
Click Add, enter the STAs of your XenApp and/or XenDesktop servers and click OK.
Click Create.
Click Finish.
Go to the Stores tab and click Enable Remote Access.
Select Full VPN tunnel and click OK.

At this point everything should be working. If the NetScaler does not successfully forward to the StoreFront website, make sure the NetScaler can resolve the NetBIOS name of the Citrix StoreFront server (or its alias). If it cannot, add a DNS address record for the StoreFront server (or alias) to the DNS of the NetScaler.
You can now access the Citrix NetScaler Access Gateway at https://<server address>. After the logon you will be redirected to the Citrix StoreFront server with the same UI theme.

Troubleshooting

Cannot Complete your Request

When receiving this error, make sure you have applied the following: edit the Windows hosts file and add a new entry with the IP address of your (internal) Gateway VIP address pointing to the external address. For example:

As an alternative you can create a DNS record