With the release of Citrix XenDesktop 7.7 we have now been given the ability to use Microsoft Azure as a hosting platform. This in itself is a massive leap forward for the product, and the method for deploying workloads to Azure has already been well documented by @msandbu here:
https://msandbu.wordpress.com/2016/01/02/setting-up-xendesktop-7-7-against-microsoft-azure/
The purpose of this article is to describe the process for deploying and configuring a Citrix NetScaler VPX into the Microsoft Azure cloud to provide secure access to your Citrix XenDesktop 7.7 Site hosted in Microsoft Azure.
The Scenario
I have a full XenDesktop 7.7 site set up in Azure (a simple site, granted, but fully working) and NO site-to-site VPN set up between the cloud and my on-premises network.
bmuk-dc
- Domain Controller
- Citrix Licensing
bmuk-xd
- XenDesktop 7.7 Controller and Database host
- StoreFront (Store and Receiver for Web configured to point to the XenDesktop 7.7 controller in Azure)
- Director
bmuk-2012
- XenDesktop 7.7 Server worker with the VDA and Office 2016 installed and published to Citrix Studio.
I have also set up a Cloud Service for the three machines (bmuk.cloudapp.net) as well as a network with a single subnet defined (bmuk-net). You must have these set up before you attempt to deploy your NetScaler.
So let's get on with building our Citrix NetScaler.
Part 1 – Deploying the Citrix NetScaler VPX Appliance into Microsoft Azure
First you will need to log into your Microsoft Azure Portal at https://portal.azure.com/
Click on New and search the marketplace for “Citrix NetScaler VPX Bring Your Own”
Wait for the search results to come back and select the NetScaler from the list on the right.
Change the deployment model to “Classic” and click create
Add a host name, root username, select “password” for the authentication type and enter a root password.
For the pricing tier you can leave it at Standard A2 unless you are doing a larger deployment, where you may want to scale up the size of the NetScaler.
Click on “Optional Configuration” to set-up the networking and storage.
Leave Availability Set as Not Configured and click on “Network”
For the Virtual Network click and select your existing vNet you have configured in Azure and make sure that the portal has selected your subnet assigned to the vNet.
Click on “Domain Name” and add a new domain name for the NetScaler. Please note that this cloudapp domain name will be separate from the rest of your machines in Azure. This is so that we can split the endpoint rules out for the NetScaler and keep them away from the existing machines.
With all that configured click on OK.
Click on “Storage Account” to configure where the appliance will be created.
Select the storage account that you want the appliance to be placed and click OK.
Click on Endpoints to add the relevant endpoints to the appliance.
There should be an endpoint created for port 22 already.
Add the following ports to the list:
- 80
- 443
- 3008 / 3010 (optional, if you are going to use Java for management – yes, it's not completely gone yet!!)
Click on OK to save the endpoints, and OK again to save the optional configuration.
Finally you need to accept the legal terms and deploy. Click on Legal terms at the bottom, click purchase and then click Create.
You will now see the NetScaler being deployed to your cloud.
OPTIONAL
If you are deploying for a production system you are not going to want to give out the cloudapp DNS name for the NetScaler for access to your remote apps. So at this point, whilst the NetScaler is being created, I would hop onto the DNS admin for your domain, create a CNAME record for your chosen domain and point it to your cloudapp DNS name.
In this case I have created netscaler.bretty.me.uk as the CNAME record.
Part 2 – Configuring the Citrix NetScaler Appliance – Basic Settings
Once the NetScaler has been deployed you will need to log in and configure the VPX and the NetScaler Gateway to allow user access.
Navigate to the CNAME record you created earlier (or your cloudapp name for the NetScaler) and you should see the NetScaler login page.
Log in with the credentials you specified during the deployment.
The first step is to configure and license the NetScaler basic options. Click on “Subnet IP Address”
Click “Do It Later”. This is because the NetScaler will be running in Single IP Mode and you are going to set-up the Gateway on the same address as the NSIP.
Click on “Host Name, DNS IP Address and Time Zone”
Add a host name for the NetScaler, the DNS IP Address (in this case it's the DC hosted in Azure [192.168.1.4]) and set the time zone.
Click on Licenses, upload a valid license to the NetScaler and let it reboot. Once restarted log back into the appliance, close the welcome screen and we are ready to start to configure the gateway.
Part 3 – Configuring the Citrix NetScaler Gateway
You can now configure the NetScaler Gateway that will allow secure remote access to your XenDesktop 7.7 site hosted in Microsoft Azure.
First Navigate to “Traffic Management – DNS – DNS Suffix” and add the suffix for your domain in Azure.
Next you need to enable SSL and upload your certificate for the domain name (CNAME) you created earlier. I am not going to walk through all the options of adding a certificate to a NetScaler as there are many ways that you can do that. In this case I am going to upload a PFX file to the NetScaler, convert it to a PEM and then install the certificate from that PEM file.
Enable SSL
Click on Import PKCS#12
Specify an output PEM file and the location for the input file as well as the import password for the certificate.
Expand “SSL – Certificates” and click install.
Give the Certificate Key Pair a name, select the uploaded PEM file for both the Certificate and Key file name and specify the import password.
Your certificate should now be installed.
Right click and enable the NetScaler Gateway feature.
We now need to set up the authentication method to authenticate our users against the LDAP directory in Azure.
Navigate to LDAP Policies and click Add.
Give the Policy a name, type ns_true in the expression box and click the + next to Server to add a new LDAP server.
Give the LDAP server profile a name, enter your domain controller in Azure, port 389 (yes, I know it's insecure – that's coming in the next blog post!), the base DN for the users and an account to bind to Active Directory with, in the format username@domain.com (don't forget to put in the password!).
Click Create twice to add the LDAP policy.
Next is to create the session policy for Receiver.
Open the Session Policy tab and click Add.
Give the policy a name, type “ns_true” in the expression field and click the + sign next to the Action.
NOTE: I know that ns_true is NOT the best expression to use here; however, the focus of this article is to configure the NetScaler Gateway for XenDesktop 7.7 integration and not to cover off all the endpoints accessing the NetScaler Gateway. I will cover setting up multiple session policies and priority in another blog post. For the purpose of this article ns_true will allow you to use Receiver for Web to access the NetScaler Gateway.
Give the profile a name and click the “Published Applications” tab.
Turn ICA Proxy “ON”, Add the Web Interface Address to point to your StoreFront Receiver for Web Site, add your single sign on domain for your Azure LDAP directory and set the account services address to your FQDN for StoreFront.
Switch back to the Security tab and select Default Authorization Action and set it to “Allow”
On the Client Experience tab enable Display Home Page and point it to your StoreFront Web Site, Allow Client-less Access, Change the plugin Type to Java and Enable Single Sign on to Web Applications.
Click create twice and your session profile should be created for you.
Finally you need to create the NetScaler Gateway and assign the policies to it.
Open Virtual Servers and click “Add”
Give the gateway a name, IP Address (This needs to be the same as your NetScaler VPX Device) and change the port to something other than 443, I will use 8443.
Click on “No Server Certificate” and then select your certificate you uploaded earlier.
Next click the + sign to assign an authentication policy to the NetScaler Gateway
Change the policy to LDAP and Primary and click continue.
Bind the LDAP policy you created earlier and select Bind
Finally select the + sign next to policies to assign your session policy.
Change the Policy to Session and Request for the type and click continue
Select the policy you created earlier and click on Bind.
Click Done and you should have your NetScaler Gateway showing as UP.
Double click the NetScaler Gateway to open it up and click the + sign on the right next to published applications.
Now click where it says “No STA Server”
Add the STA Server and point it to one or more of your XenDesktop 7.7 Controllers hosted in Azure.
Click bind and ok to add your STA.
If you test the NetScaler Gateway now using the DNS name you created earlier, you will see that it's not working as expected. This is because you have not added the endpoint 8443 to the Azure NetScaler VPX Appliance.
Switch to your Azure Portal, click on the NetScaler VPX Appliance, then select Endpoints and click Add at the top of the screen.
Give the Endpoint a name and enter 8443 as the public and private port.
Click Create and wait for the new Endpoint to be created. Once done switch back to your NetScaler Gateway page and hit refresh. You should now see that you are prompted with a NetScaler Gateway login screen.
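The Part 2 and Part 3 steps above, expressed as NetScaler CLI commands (an added example, not from the original post). The NSIP 192.168.1.10, the internal AD domain bretty.local, the DC host name bmuk-dc.bretty.local, the bind account svc_ns and the object names are assumptions; the DC address 192.168.1.4, the host bmuk-xd and port 8443 come from the post. The LDAP action is shown twice: on port 389 as the post configures it, and on LDAPS 636 as the hardened form the post defers to its follow-up.

```nscli
# Part 2: basic settings (DNS points at the Azure DC from the post)
set ns hostName bmuk-ns
add dns nameServer 192.168.1.4
set ns param -timezone "GMT+00:00-GMT-Europe/London"

# Part 3: DNS suffix (assumed internal domain), features and certificate
add dns suffix bretty.local
enable ns feature SSL SSLVPN
# Import the uploaded PFX as a PEM, then install the cert/key pair from it
convert ssl pkcs12 netscaler.pem -import -pkcs12File netscaler.pfx -password <pfx-password>
add ssl certKey netscaler_cert -cert netscaler.pem -key netscaler.pem -password

# LDAP action as the post configures it: plain LDAP on 389 (bind and user credentials cross the wire in clear)
add authentication ldapAction ldap_azure -serverIP 192.168.1.4 -serverPort 389 -secType PLAINTEXT -ldapBase "dc=bretty,dc=local" -ldapBindDn svc_ns@bretty.local -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName
# Hardened equivalent: LDAPS on 636 with the DC certificate validated
# (the issuing CA certificate must be installed on the appliance first; host name is assumed)
add authentication ldapAction ldap_azure_secure -serverIP 192.168.1.4 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostName bmuk-dc.bretty.local -ldapBase "dc=bretty,dc=local" -ldapBindDn svc_ns@bretty.local -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName
# Policy uses ns_true, exactly as the post does (swap ldap_azure for ldap_azure_secure to use LDAPS)
add authentication ldapPolicy pol_ldap_azure ns_true ldap_azure

# Session profile and policy for Receiver for Web: ICA proxy, SSO, default authorization ALLOW
add vpn sessionAction sa_receiver_web -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://bmuk-xd.bretty.local/Citrix/StoreWeb" -wiPortalMode NORMAL -ntDomain bretty.local -clientlessVpnMode ON -homePage "https://bmuk-xd.bretty.local/Citrix/StoreWeb" -storefronturl "https://bmuk-xd.bretty.local"
add vpn sessionPolicy sp_receiver_web ns_true sa_receiver_web

# Gateway virtual server on the NSIP (single IP mode), port 8443 as in the post, ICA-only
add vpn vserver vs_gateway SSL 192.168.1.10 8443 -icaOnly ON
bind ssl vserver vs_gateway -certkeyName netscaler_cert
bind vpn vserver vs_gateway -policy pol_ldap_azure -priority 100
bind vpn vserver vs_gateway -policy sp_receiver_web -priority 100
# STA points at the XenDesktop controller hosted in Azure
bind vpn vserver vs_gateway -staServer "http://bmuk-xd.bretty.local"
save ns config
```

The same commands can be placed in a file and applied with `batch -fileName`, which is also the easiest way to diff the gateway build against what `show running` later reports.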
Part 4 – Integrating the NetScaler Gateway with XenDesktop 7.7 and StoreFront
All that remains to do is add the NetScaler Gateway to your XenDesktop 7.7 deployment in Azure. First log into the controller in Azure and open up Citrix Studio. You will see here that I have a site configured in the Azure Cloud and StoreFront set up with a single Store for the Internal Network only.
First you need to add the NetScaler Gateway as an available authentication method to StoreFront.
Open Authentication and select “Add Method” from the right. Enable Pass-through from NetScaler Gateway.
Next you need to add the NetScaler Gateway to StoreFront. Select NetScaler Gateway and click Add NetScaler Gateway.
Give the NetScaler a name, enter the External NetScaler Gateway URL and INCLUDE the port. Select Domain and enter the NetScaler Gateway URL and Port for the callback URL.
Click next to add a Secure Ticket Authority to the gateway. Click add and enter the path to one or more of your XenDesktop 7.7 controllers hosted in Azure.
Click create to add the NetScaler Gateway to StoreFront.
All that’s left to do is to tell the XenDesktop 7.7 StoreFront that you want to allow remote access.
Click on Stores, select your store and click Enable Remote Access. Select No VPN Tunnel and select your NetScaler Gateway from the list. Click ok.
That’s it! You should be good to test your new NetScaler Gateway and XenDesktop 7.7 install in Azure.
Open up a web page and navigate to your NetScaler Gateway URL.
Log in as a domain user in your Azure Domain
Run up one of your applications.
Finished! That was the guide on how to integrate Citrix NetScaler, Microsoft Azure and Citrix XenDesktop 7.7.
Hope you find this useful, as always please comment and share.
Laters,
b@m
I’m hoping you can help a fellow techie out. I’m setting up a POC of XenApp 7.6 in AzureRM and was using your site as a guide. I’m hitting a wall trying to authenticate to the NetScaler.
Regards,
Ben the Builder
What’s the issue that you are having authenticating?
Assume you can see the bind on the NetScaler back to LDAP as good. Or are you struggling getting onto the NetScaler GUI?
Hi,
Thank you very much for your article ! it is very helpful !
I just started learning Azure and NetScaler :)
My question is about designing the lab: should the NetScaler and other servers (DC, XD, SF) be on the same network, or can they be in different networks? And why?
Thank you so much
Best regards