I was recently asked about building a NetScaler Gateway from scratch for ICA-only connections. I know this can be done using a wizard, but if you want to know a little more about how it all hangs together, or to name things how you want instead of accepting the names the wizards give you, then a manual build is the way to go. The following article will walk you through building your NetScaler Gateway from the ground up, ending with a secure, working remote access solution.
This article assumes that you have LDAP bind credentials and all your SSL certificates to hand, and that the appropriate firewall / NAT rules are in place to reach your gateway from the outside world.
The way I like to build a NetScaler Gateway is similar to how I like to cook: get everything ready first, then put it all together at the end. It may seem a little weird at first not to create the gateway and build it out from there, but trust me – it will all work in the end!
To have a working NetScaler that's secure you will need the following:
- LDAP methods (I know you should use 2FA, but in this case I am only binding LDAP)
- A Diffie-Hellman key
- Certificates
- A Custom Cipher Group
- Session Policies and Profiles for Web and Receiver access
- A Secure Transport Session Rewrite Policy
- Custom SSL settings (SSL3 disabled)
- TCP Profile for XenDesktop
- Secure Renegotiation only enabled for Secure Connections
- Secure Ticketing in place
So, let's get going.
LDAP
First log into your NetScaler and navigate to the LDAP policies shown below
Create a new policy and fill out the server and bind details. Click on Test Connection to ensure that the connection is working correctly
Once connected fill out the Other Settings. This is where you define what the user will log into the NetScaler Gateway with. I have used SAMAccountName below but you could easily use UPN by defining it here.
Click on ok and you will see the LDAP Server Policy Created.
Next create an Authentication Policy with the expression ns_true and bind it to the LDAP server you have just defined
That's it for LDAP – you “should” have a working LDAP server now. To test this, head over to the Authentication Dashboard
You should see your server shown there with a status of Up
Diffie-Hellman
Navigate to the SSL section of the NetScaler shown below
On the right, under Tools, click on Create Diffie-Hellman Key
Give the DH key a file name located on the NetScaler and set the parameter size to 2048 bits
Click on Create to create the key
Certificates
Navigate to Server Certificates shown below
Click to install a new certificate. Provide your cert and key file and import it into the NetScaler
You should see your external certificate listed and valid
Next install the Root and Intermediary Certificates for your external certificate and for your internal CA if applicable
In my case I have imported my StartSSL intermediate and root as well as my internal root CA
If you look at my external certificate you can see that there is an intermediary certificate in between the public cert and the root.
Navigate to the public certificate and right-click to link it to the intermediary.
NOTE: Do not link the intermediary to the root, as this will cause SSL Labs to see an anchor in the certificate chain
Custom Cipher Group
Next you will need to create a custom cipher group to apply to your gateway. This will ensure that there are no insecure ciphers available externally from your gateway.
These ciphers were taken from Anton’s blog post about securing your SSL VIPS on NetScaler. This can be found here.
Navigate to the Cipher Groups
Click to add a cipher group and assign the following ciphers for a VPX
- TLS1-ECDHE-RSA-AES256-SHA
- TLS1-ECDHE-RSA-AES128-SHA
- TLS1-DHE-RSA-AES-256-CBC-SHA
- TLS1-DHE-RSA-AES-128-CBC-SHA
- TLS1-AES-256-CBC-SHA
- TLS1-AES-128-CBC-SHA
- SSL3-DES-CBC3-SHA
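To see what that list actually buys you, here is an added example (my own code, not from the post or from Citrix) that classifies each NetScaler cipher name by key exchange and bulk cipher and checks that the forward-secrecy suites are bound ahead of the static-RSA ones. The seven names are the ones from the list above; the classification rules are mine.

```python
"""Classify the post's custom cipher group by key exchange and bulk cipher.

Added example (not from the post or from Citrix): the seven names are the ones
the post binds to the cipher group, the classification rules are mine.
"""
import re

# The cipher names the post binds to its custom group, in the post's order.
POST_CIPHER_GROUP = [
    "TLS1-ECDHE-RSA-AES256-SHA",
    "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1-DHE-RSA-AES-256-CBC-SHA",
    "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "SSL3-DES-CBC3-SHA",
]


def classify_cipher(name):
    """Describe one NetScaler cipher name: key exchange, bulk cipher, strength and findings.

    The TLS1-/SSL3- prefix is NetScaler's naming for the protocol that introduced
    the suite; SSL3-DES-CBC3-SHA is still negotiable under TLS 1.x, so disabling
    SSL 3 on the vserver does not remove it from the offer.
    """
    if "ECDHE" in name:
        kex = "ECDHE"
    elif "DHE" in name:
        kex = "DHE"
    else:
        kex = "RSA"  # no (EC)DHE marker: static RSA key exchange, no forward secrecy
    if "DES-CBC3" in name:
        bulk, bits = "3DES", 112  # 64-bit block cipher, 112-bit effective strength
    else:
        match = re.search(r"AES-?(\d{3})", name)
        bulk, bits = "AES", int(match.group(1))
    findings = []
    if kex == "RSA":
        findings.append("no forward secrecy")
    if bulk == "3DES":
        findings.append("3DES is a legacy 64-bit block cipher")
    return {"name": name, "kex": kex, "bulk": bulk, "bits": bits, "findings": findings}


def audit_cipher_group(names):
    """Return (forward_secrecy_first, flagged) for a bound cipher list.

    forward_secrecy_first is True when every (EC)DHE suite precedes every
    static-RSA suite, which matters when the server's order decides the
    negotiated suite. flagged lists the suites with at least one finding.
    """
    classified = [classify_cipher(n) for n in names]
    seen_static = False
    fs_first = True
    for c in classified:
        if c["kex"] == "RSA":
            seen_static = True
        elif seen_static:
            fs_first = False
    flagged = [c for c in classified if c["findings"]]
    return fs_first, flagged


if __name__ == "__main__":
    fs_first, flagged = audit_cipher_group(POST_CIPHER_GROUP)
    print("forward-secrecy suites listed first:", fs_first)
    for c in flagged:
        print(f"{c['name']:32} {', '.join(c['findings'])}")
```

Run against the post's list, the order check passes and three suites are flagged: the two TLS1-AES-*-CBC-SHA suites (static RSA, kept for older clients) and SSL3-DES-CBC3-SHA (3DES). Whether to keep those depends on which Receiver versions you still have to support.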
Session Policies
Next you have to create the Session Policies that you will assign to the NetScaler Gateway. A session policy is the set of settings applied to the client, chosen by the method the client uses to connect to the gateway. In this case I am going to provide settings for the native Citrix Receiver and the web client.
Navigate to Session Policies
First I will create 2 profiles – one for Native and one for Web
Click to create a Native Client Session Profile and follow the settings shown below
NOTE: On this section change the StoreFront service to match the StoreFront service you are providing internally
Click on create then add another Session Profile for the Web Client following the settings below
NOTE: On this section change the StoreFront service to match the StoreFront service you are providing internally, also note that you do not need the Account Services Address
Click Create and you will see 2 new session profiles created
Next you need to define the Session Policies and bind them to the profiles. The Session Policy is where you check the HTTP header, determine what client the user is using and apply the relevant session profile
Create a Policy for Native using the following as the expression
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
and bind this to your native profile
Next create a policy for web using the following as the expression
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
and bind this to your web profile
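As an added example (my own code, not from the post), the two classic expressions above rendered in Python and run over constructed sample requests. The point worth seeing is that the two expressions are mutually exclusive, which is why binding both at priority 100 is safe, and that a request with neither a CitrixReceiver User-Agent nor a Referer (for example a browser's very first GET) matches neither policy. Substring matching is assumed to be case-sensitive, as the expressions are written; the sample header values are constructed.

```python
"""Evaluate the post's two session policy expressions against sample requests.

Added example (not from the post). Mirrors the classic expressions
  REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
Substring matching is assumed to be case-sensitive, as written.
"""


def evaluate_policies(headers):
    """Return {"native": bool, "web": bool} for a dict of request headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    user_agent = h.get("user-agent", "")  # a missing header behaves like an empty string here
    native = "CitrixReceiver" in user_agent
    web = "CitrixReceiver" not in user_agent and "referer" in h
    return {"native": native, "web": web}


def select_profile(headers):
    """Pick the session profile this pair of policies would apply, or None when neither matches.

    Both policies are bound at priority 100; that is safe only because the two
    expressions are mutually exclusive (one requires CitrixReceiver in the
    User-Agent, the other requires it to be absent), so at most one can match.
    """
    result = evaluate_policies(headers)
    assert not (result["native"] and result["web"])  # exclusivity holds by construction
    if result["native"]:
        return "native-profile"
    if result["web"]:
        return "web-profile"
    return None


# Constructed sample requests, not captured traffic; the host name is a placeholder.
SAMPLE_REQUESTS = {
    "receiver": {"User-Agent": "CitrixReceiver/4.3 Windows", "Host": "gateway.example.com"},
    "browser_login_post": {"User-Agent": "Mozilla/5.0",
                           "Referer": "https://gateway.example.com/vpn/index.html"},
    "browser_first_get": {"User-Agent": "Mozilla/5.0"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(f"{label:20} -> {select_profile(hdrs)}")
```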
Secure Transport Session Header
You will now create the Secure Transport Session header to be put into your NetScaler Gateway sessions, to abide by SSL Labs best practice
Navigate to Rewrite Actions and create a new action
Fill out the details as shown below
Then create a Rewrite Policy
and fill it out as shown below, binding it to your new Rewrite Action
So that's the basic elements done to make your NetScaler Gateway; let's put it all together
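The header the rewrite action inserts is Strict-Transport-Security (HSTS), which the post refers to as the Secure Transport Session or STS header. Here is an added example (my own code, not from the post) that parses that header and checks a response the way you would before running SSL Labs: the header must be present and carry an integer max-age. The 180-day minimum is an assumed threshold, picked because that is the duration SSL Labs treats as long; the sample responses are constructed, and probe_gateway is an optional live check against your own gateway.

```python
"""Parse and check the Strict-Transport-Security (HSTS) header a gateway returns.

Added example (not from the post): the post's rewrite action inserts this header
(the post calls it the Secure Transport Session / STS header). MIN_MAX_AGE is an
assumed threshold; the sample responses below are constructed, not captured.
"""
import http.client
import ssl

MIN_MAX_AGE = 15552000  # 180 days, assumed threshold


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a dict of lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def check_hsts(response_headers):
    """Return (ok, reasons) for a dict of response headers; reasons is empty when ok."""
    h = {k.lower(): v for k, v in response_headers.items()}
    value = h.get("strict-transport-security")
    if value is None:
        return False, ["Strict-Transport-Security header missing (rewrite policy not bound or not hit)"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False, ["max-age directive missing or not an integer"]
    reasons = []
    if max_age < MIN_MAX_AGE:
        reasons.append(f"max-age {max_age} is below {MIN_MAX_AGE} seconds")
    return not reasons, reasons


def probe_gateway(host, path="/vpn/index.html", timeout=10):
    """Fetch path over HTTPS from your own gateway and run check_hsts on the live headers.

    Uses the system trust store, so the gateway's chain must validate; a chain
    problem here is itself a finding (see the certificate linking notes above).
    """
    context = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=context)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "hsts-check"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, check_hsts(headers)


# Constructed sample responses.
GOOD = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=157680000"}
SHORT = {"Strict-Transport-Security": "max-age=3600; includeSubDomains"}
MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("short", SHORT), ("missing", MISSING)):
        print(label, check_hsts(hdrs))
```

If probe_gateway reports the header missing on a page the rewrite policy should cover, check that the policy is bound to the gateway vserver as a response-time rewrite policy and that its expression actually hits the request you are testing.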
NetScaler Gateway
First navigate to NetScaler Gateway and add a new Virtual Server
Give it a name, an IP address in your DMZ and the port you want to run the NetScaler Gateway on, then click to expand More Settings
Select ICA Only from the settings displayed and click OK
Next you need to bind the certificates you imported earlier
Click on Server Certificate and bind your public SSL cert; then click on CA Certificates and bind the intermediaries and root CAs for the public and internal CAs
Next comes Authentication. Click to add an authentication method to the NetScaler
Select LDAP and Primary
Bind your LDAP Policy you created earlier and click ok
Done
Nothing in this case for advanced authentication
Next click to edit the SSL Parameters, as we need to enable Diffie-Hellman and disable SSL 3
Enable Diffie-Hellman, select the key file you created earlier on the NetScaler and set the refresh time; also disable SSL 3
Next click to edit the Ciphers and remove the Default Group
Bind your new custom Cipher Group and click ok
NOTE: You can ignore this error from the GUI if you receive it
Next you will specify the TCP Profile to use on the gateway; click to edit the profiles
Select the XA_XD profile from the list provided
Now you will bind the 2 session policies to the NetScaler Gateway
Click to add a policy
Select Session
Bind one of your profiles with a priority of 100
Then click to bind the other profile also as priority 100. Once done you should see both profiles on the gateway
Next you will add the STS Rewrite policy to the Gateway. Click to add another policy, but select Rewrite from the drop-down list
Select the STS Header Policy you created earlier
Click Bind
Next you need to specify a Secure Ticketing Authority for the Gateway
Click the + next to Published Applications on the right
Click on No STA Server to add your STA Server
Specify the HTTP or HTTPS path to the Secure Ticketing Authority
Click Bind
To check the STA is working click on the 1 STA Server link and it should show the STA as green
Finally navigate to Traffic Management and SSL and click on Advanced SSL Settings on the right
Change Deny SSL Renegotiation to NONSECURE
Done – your NetScaler Gateway should show as UP and should be ready to test!
Let's access the NetScaler Gateway!
Run a SSL Labs Test against the URL
Log into the Gateway – NOTE I am using SAMAccountName as this is what I specified in my LDAP policy
Display the StoreFront Apps
Launch a Desktop via the NetScaler Gateway
That's it, all the details on how to build a basic NetScaler Gateway for ICA connections. Hope this helps some of you out, especially the guy who asked me to write this article – you know who you are.
Have Fun Building!
b@m #NetScalerRocks
very cool article, perfect
is it possible to have a second article with a auth factor with client user certificates using?
regards
frank
Can always work on that one yes! I have a busy couple of weeks lined up so may take me a while to get it up and running
Great old skool approach. Back in the day before wizards…eat your heart out Potter!
Are there other IP addresses associated with the NetScaler in this lab?
In the lab I have 4 NetScalers running.