Deploying Citrix NetScaler in Microsoft Azure and Configuring with XenDesktop 7.7

Deploying Citrix NetScaler in Microsoft Azure and Configuring with XenDesktop 7.7

Deploying Citrix NetScaler in Microsoft Azure and Configuring with XenDesktop 7.7

This post has already been read 3480 times!

With the release of Citrix XenDesktop 7.7 we have now been given the ability to use Microsoft Azure as a hosting platform, this in itself is a massive leap forward for the product and the method for deploying workloads to Azure has already been well documented by @msandbu here:

https://msandbu.wordpress.com/2016/01/02/setting-up-xendesktop-7-7-against-microsoft-azure/

The purpose of this article is to describe the process for deploying and configuring a Citrix NetScaler VPX into the Microsoft Azure cloud to provide secure access to your Citrix XenDesktop 7.7 Site hosted in Microsoft Azure

The Scenario

I have a full XenDesktop 7.7 site set up in Azure (a simple site granted, but fully working) and NO Site to Site VPN set-up between the cloud and my on-premises network.

bmuk-dc

  • Domain Controller
  • Citrix Licensing

bmuk-xd

  • XenDesktop 7.7 Controller and Database host
  • StoreFront (Store and Receiver for Web configured to point to the XenDesktop 7.7 controller in Azure)
  • Director

bmuk-2012

  • XenDesktop 7.7 Server worker with the VDA and Office 2016 installed and published to Citrix Studio.

I have also set up a Cloud Service for the 3 machines bmuk.cloudapp.net as well as a network with a single subnet defined bmuk-net.  You must have these set up before you attempt to deploy your NetScaler.

01 - machines pre build

So lets get on with building our Citrix NetScaler.

Part 1 – Deploying the Citrix NetScaler VPX Appliance into Microsoft Azure

First you will need to log into your Microsoft Azure Portal at https://portal.azure.com/

Click on New and search the marketplace for “Citrix NetScaler VPX Bring Your Own”

02 - bring your own

Wait for the search results to come back and select the NetScaler from the list on the right.

02 - select netscaler

Change the deployment model to “Classic” and click create

 

03 - deployment model

Add a host name, root username, select “password” for the authentication type and enter a root password.

05 - basic config

For the pricing tier you can leave it at Standard A2 unless you are doing a larger deployment where you may want to up scale the size of the NetScaler.

Click on “Optional Configuration” to set-up the networking and storage.

06 - optional config

Leave Availability Set as Not Configured and click on “Network”

07 - network

For the Virtual Network click and select your existing vNet you have configured in Azure and make sure that the portal has selected your subnet assigned to the vNet.

Click on “Domain Name” and add a new domain name for the NetScaler.  Please note that this cloudapp domain name will be separate from the rest of your machines in Azure.  This is so that we can split the endpoint rules out for the NetScaler and keep them away from the existing machines.

With all that configured click on OK.

08 - network configured

Click on “Storage Account” to configure where the appliance will be created.

09 - storage

Select the storage account that you want the appliance to be placed and click OK.

Click on Endpoints to add the relevant endpoints to the appliance.

10 - endpoints

There should be an endpoint created for port 22 already.

Add the following ports to the list:

  • 80
  • 443
  • 3008 / 3010 (Optional if you are going to use Java for management – yes – its not completely gone yet!!)

11 - ports

Click on OK to save the endpoints, and OK again to save the optional configuration.

Finally you need to accept the legal terms and deploy.  Click on Legal terms at the bottom, click purchase and then click Create.

You will now see the NetScaler being deployed to you cloud.

12 - creating

OPTIONAL

If you are deploying for a production system you are not going to want to give out the cloudapp dns name for the NetScaler for access to your remote apps, so at this point whilst the NetScaler is being created I would hop onto your dns admin for your domain and create a CNAME record for your chosen domain and point it to your cloudapp dns name.

In this case I have created netscaler.bretty.me.uk as the cname record.

13 - cname

Part 2 – Configuring the Citrix NetScaler Appliance – Basic Settings

Once the NetScaler has been deployed you will need to log in and configure the VPX and the NetScaler Gateway to allow user access.

Navigate to your cname record your created earlier (or your cloudapp name for the NetScaler and you should see the NetScaler Login page.

01 - login

Log in with the credentials you specified during the deployment.

The first step is to configure and license the NetScaler basic options.  Click on “Subnet IP Address”

02 - subnet

Click “Do It Later”.  This is because the NetScaler will be running in Single IP Mode and you are going to set-up the Gateway on the same address as the NSIP.

03 - do it later

Click on “Host Name, DNS IP Address and Time Zone”

04 - host name

Add a host name for the NetScaler, the DNS IP Address (In this case its the DC hosted in Azure [192.168.1.4]) and set the time zone.

05 - configure host name

Click on Licenses, upload a valid license to the NetScaler and let it reboot.  Once restarted log back into the appliance, close the welcome screen and we are ready to start to configure the gateway.

06 - licenses

Part 3 – Configuring the Citrix NetScaler Gateway

You can now configure the NetScaler Gateway that will allow secure remote access to your XenDesktop 7.7 site hosted in Microsoft Azure.

First Navigate to “Traffic Management – DNS – DNS Suffix” and add the suffix for your domain in Azure.

07 - dns suffix

Next you need to enable SSL and upload your certificate for the domain name (CNAME) you created earlier.  I am not going to walk through all the options of adding a certificate to a NetScaler as there are many ways that you can do that.  In this case I am going to upload a PFX file to the NetScaler converting it to a PEM and then install the certificate from that PEM file.

Enable SSL

08 - enable ssl

Click on Import PKCS#12

09 - import PKCS#12

Specify an output PEM file and the location for the input file as well as the import password for the certificate.

10 - import pem detail

Expand “SSL – Certificates” and click install.

11 - install cert

Give the Certificate Key Pair a name, select the uploaded PEM file for both the Certificate and Key file name and specify the import password.

12 - install cert detail

Your certificate should now be installed.

13 - cert installed

Right click and enable the NetScaler Gateway feature.

14 - enable ns gateway

We now need to set up the authentication method to authenticate our users against the LDAP directory in Azure.

Navigate to LDAP Policies and click Add.

15 - ldap initial

Give the Policy a name, type ns_true in the expression box and click the + next to Server to add a new LDAP server.

ldap policy

Give the LDAP server profile a name, enter your domain controller in Azure, port 389 (yes I know its insecure – that’s coming in the next blog post!), put the base DN for the users and a account to bind to the active directory with in the format username@domain.com (don’t forget to put in the password!)

16 - ldap server profile

Click create twice to add the ldap policy

17 - ldap created

Next is to create the session policy for Receiver.

Open the Session Policy tab and click Add.

18 - session policies

give the policy a name and type “ns_true” in the expression field and click the + sign next to the Action.

NOTE: I know that ns_true is NOT the best expression to use here however the focus of this is to configure the NetScaler Gateway for XenDesktop 7.7 integration and not to cover off all the endpoints access the NetScaler Gateway.  I will cover setting up multiple session policies and priority in another blog post.  For the purpose of this article ns_true will allow you to use receiver for web to access the NetScaler Gateway.

19 - receiver web

Give the profile a name and click the “Published Applications” tab.

Turn ICA Proxy “ON”, Add the Web Interface Address to point to your StoreFront Receiver for Web Site, add your single sign on domain for your Azure LDAP directory and set the account services address to your FQDN for StoreFront.

20 - session profile

Switch back to the Security tab and select Default Authorization Action and set it to “Allow”

On the Client Experience tab enable Display Home Page and point it to your StoreFront Web Site, Allow Client-less Access, Change the plugin Type to Java and Enable Single Sign on to Web Applications.

client settings

Click create twice and your session profile should be created for you.

21 - session profile created

Finally you need to create the NetScaler Gateway and assign the policies to it.

Open Virtual Servers and click “Add”

22 - create gateway

Give the gateway a name, IP Address (This needs to be the same as your NetScaler VPX Device) and change the port to something other than 443, I will use 8443.

22 - step 1

Click on “No Server Certificate” and then select your certificate you uploaded earlier.

23 - select certificate

Next click the + sign to assign an authentication policy to the NetScaler Gateway

24 - authentication

Change the policy to LDAP and Primary and click continue.

25 - ldap primary

Bind the LDAP policy you created earlier and select Bind

ldap - bound

Finally select the + sign next to policies to assign your session policy.

26 - session policy

Change the Policy to Session and Request for the type and click continue

27 - session policy

Select the policy you created earlier and click on Bind.

28 - session bound

Click Done and you should have your NetScaler Gateway showing as UP.

29 - gateway up

Double click the NetScaler Gateway to open it up and click the + sign on the right next to published applications.

01 - published apps

Now click where it says “No STA Server”

02 - no sta

Add the STA Server and point it to one or more of your XenDesktop 7.7 Controllers hosted in Azure.

02 - add sta

Click bind and ok to add your STA.

If you test the NetScaler Gateway using your dns name you created earlier now you will see that its not working as expected.  This is because you have not added the endpoint 8443 to the Azure NetScaler VPX Appliance.

30 - page unavailable

Switch to your Azure Portal, click on the NetScaler VPX Appliance, then select Endpoints and click Add at the top of the screen.

31 - endpoints

Give the Endpoint a name and enter 8443 as the public and private port.

32 - add endpoint

Click Create and wait for the new Endpoint to be created.  Once done switch back to your NetScaler Gateway page and hit refresh.  You should now see that you are prompted with a NetScaler Gateway login screen.

33 - ns gateway

Part 4 – Integrating the NetScaler Gateway with XenDesktop 7.7 and StoreFront

All that remains to do is add the NetScaler Gateway to your XenDesktop 7.7 deployment in Azure.  First log into the controller in Azure and open up Citrix Studio.  You will see here that I have a site configured in the Azure Cloud and StoreFront set up with a single Store for the Internal Network only.

First you need to add the NetScaler Gateway as an available authentication method to StoreFront.

Open Authentication and select “Add Method from the right.  Enable Pass-through from NetScaler Gateway.

01 - authentication

Next you need to add the NetScaler Gateway to StoreFront.  Select NetScaler Gateway and click Add NetScaler Gateway.

02 - add gateway

Give the NetScaler a name, enter the External NetScaler Gateway URL and INCLUDE the port.  Select Domain and enter the NetScaler Gateway URL and Port for the callback URL.

netscaler storefront

Click next to add a Secure Ticket Authority to the gateway.  Click add and enter the path to one or more of your XenDesktop 7.7 controllers hosted in Azure.

04 - sta

Click create to add the NetScaler Gateway to StoreFront.

05 - gateway added

All that’s left to do is to tell the XenDesktop 7.7 StoreFront that you want to allow remote access.

Click on Stores, select your store and click Enable Remote Access.  Select No VPN Tunnel and select your NetScaler Gateway from the list.  Click ok.

06 - enable remote access

That’s it!  You should be good to test your new NetScaler Gateway and XenDesktop 7.7 install in Azure.

Open up a web page and navigate to your NetScaler Gateway URL.

33 - ns gateway

Log in as a domain user in your Azure Domain

logged in

Run up one of your applications.

word xendesktop 7.7

Finished, that was the guide on how to integrate Citrix NetScaler, Microsoft Azure and Citrix XenDesktop 7.7

Hope you find this useful, as always please comment and share.

Laters,

b@m

3 thoughts on “Deploying Citrix NetScaler in Microsoft Azure and Configuring with XenDesktop 7.7

  1. Ben the Builder

    I’m hoping you can help a fellow techie out.. I’m setting up a POC of XenApp 7.6 in AzureRM and was using your site as a guide. I’m hitting a wall trying to authenticate to the Netscaler.

    Regards,
    Ben the Builder

    1. Bretty Post author

      What’s the issue that you are having authenticating?
      Assume you can see the bind on the NetScaler back to LDAP as good. Or are you struggling getting onto the NetScaler GUI?

  2. Rabie SHILI

    Hi,
    Thank you very much for your article ! it is very helpful !
    I just started Learning Azure and Netsclaer :)
    My question is about designing the lab: should the netscaler and other servers ( DC, XD, SF) be on the same network or they can be in diffrent networks ? and why ?
    Thank you so much

    Best regards

Leave a Reply

Your email address will not be published. Required fields are marked *