Citrix XenDesktop, Turbo, Citrix NetScaler and Network Routing Use Case

This post has already been read 19360 times!

I was fortunate enough this week to speak to Rory from turbo.net after speaking to a Citrix CTP from xenappblog.com and was given a chance to test drive the Turbo Application Delivery method.  Firstly, WOW! What an easy and simple way to deliver applications to Citrix workload’s.  I was really taken aback by how easy it really was to deliver apps seamlessly to servers for users to consume, and in no time at all!!  Seriously, it took about 10 minutes from logging in to having my first delivered published app available to my users, amazing!!

So, after the initial amazement I started to think of use cases that this could really bring some value to the IT Pro’s delivering apps day by day, after a couple of twitter chats with Rory i was drawn the the ability to add IP Routing to containerised apps within Turbo.  I started to think, well – we could block rights to administration web portals (NetScalers) from default browsers and provide specific admin browsers with locked routing to ONLY allow the users to administer the NetScalers from those specific Apps.  This open up loads of options around auditing and control of access to the admin portals without having to involve complex firewall rules and networking, its all done within the application itself, and in minutes !!

So, lets get going.

Lets assume we want to publish 2 Google Chrome Browsers, 1 for general internet use (without access to admin the NetScalers) and a specific Admin Browser with Access to the NetScalers Only.

NetScaler IP Address: 192.168.0.101

Local Network: 192.168.0.0/24

First, my CTP Friend has already written an excellent blog on getting started with Turbo.  This can be found here: http://xenappblog.com/2016/getting-started-with-turbo/ and is well worth a read.  I will walk you through downloading and setting up Turbo but Eric will walk you through automating the install!!

From your Citrix Server open up a browser and go to https://turbo.net

Click the Install Turbo Client link

Save the client to your desktop

Search for the command prompt and run it as administrator

Navigate to your downloads and run:

turbo-plugin.exe –all-users

Let the install run though, as you are installing it for all users your server will need to restart

While the install is running lets set up the 2 applications in Turbo.

Switch to an internet browser and navigate to https://turbo.net and log in as your admin account to the portal.  You will be shown a list of published applications, in this case – none!

Click on the Hub tab

Click on Browsers on the right

Click on add next to Chrome

Rename the application to Chrome No Routes (This will be the default browser for the users – NO Administration Access

Click Save – this will default to the latest release and allow all internet access outbound – it WONT have any plugging however – that will be covered in another article

Once added and displayed in your portal click the clone icon.

Give the clone application a name Chrome NetScaler Admin – this will be the application we will restrict to only have access to our NetScalers

Click on Save and once displayed click the settings icon next to your NetScaler Admin application

Click on the Network tab then the Routes option

Add the following routes:

IP://0.0.0.0 – Deny – this will deny ALL outbound IP Traffic from the application

IP://192.168.0.101 – Allow – this will enable access to the NetScaler Admin Portal

Click save to commit the changes to the application

By this time your Turbo client should have installed and your server restarted.  Log back into the server and run a command prompt as an administrator

Run the command:

turbo login

Login as your org account

run the command:

turbo subscribe –all-users bretty (bretty being the name of your user that you use for Turbo)

You will see your applications sync to your server

If you look in the Start Menu you will see your new applications available to run and use

Lets first run up the NetScaler Admin Browser

The first time the app runs it will cache and download the application container

Once it has launched lets test accessing our NetScaler Admin Portal

Excellent!  We can access the portal – thats our network route to 192.168.0.101 being allowed.  Lets try accessing google.com

Denied! Excellent – outbound internet access is being denied.  What about another address on my local network.  My router on 192.168.0.1

Also denied – brilliant!  So thats the Admin browser sorted out – users can ONLY Access out NetScaler Admin portal and nothing else from the published browser.

Lets move onto our default user browser.

First lets try google.com

Excellent – outbound internet access is allowed from the published browser

Lets try out NetScaler Portal

Not good – we only want access to this to be allowed from the Admin Application

how about another address on the local network

OK – allowed.  Not good.  We want to block access to admin portals from the general browser and only allow it from the admin browser.

Switch back to the turbo.net admin portal and open up the Chrome No Routes application for editing.  Navigate to the Network Tab then routes

Add a route to DENY access to the local network.  NOTE: This is a CIDR block address of /24 – this is blocking access to the whole local subnet – you can add individual addresses here rather than a whole subnet.

Save the route and switch back to your server.

Open up the admin command prompt and re-run the subscribe command to update the applications

Relaunch Chrome No Routes

Test Google again

Great – still working.  Now try an address on the local subnet

BLOCKED!  Excellent.

Thats how to publish 2 browsers using Turbo.net one for Admin access to specific portals and one for general access with denied access to admin portals.  A great use case for all those occasions where you need to lock down admin access but don’t have access to complex firewall rules and static IP addresses to restrict access.

Just publish those apps on your existing XenApp or XenDesktop estate and you have some bullet proof browser deployments for your users to consume.

Hope this help some of you out.

Got to say a massive thank you to Rory from Turbo, not only for his assistance with setting up my access to this great product but also for being professional and helpful when i approached him with questions.  A true credit to a massively innovative company.

Check out his blog at : http://www.rorymon.com/blog/

Thats it for now.

Laters,

b@m