Hello readers, I'm back to writing my technical blog, mostly on Citrix issues, though I'll cover other topics of interest as well. Over the past 2 years I've embarked on a global Citrix deployment of Netscalers, XenDesktop 7.x and XenServer VDI solutions. To be honest I haven't had the time or energy to write, but now that most of the work is done I can enlighten my readers with some interesting ways to troubleshoot and use Citrix products. There is a lot of useful information and guides already out there, so I'll highlight useful reads and news from Citrix as well as share my own experiences.
I'm working in an environment where there is no direct access to the StoreFront servers. All users connect to the Netscaler VIP, whether internal or external. This saves the headache of applying ACLs to multiple VLANs across multiple global sites: it's simply TCP 443 and you have access to your Citrix apps/desktops.
I’ve come across an issue where the Receiver kept prompting users for the password after about 30 minutes and they were getting frustrated.
The Netscaler's default session timeout is 30 minutes and you can change this to something else. In my case we changed it to 600 minutes for internal users and 60 minutes for external users. This is defined in your session policies.
So here's the issue:
After 2 hours the timeout stops working and users are no longer prompted for the password, which means we can't offer, say, a 4 hour timeout.
Netscaler VPX Firmware: 10.5.57.7
The next step will be to test on another firmware level.
It's been a while since I last updated my blog, but during the last 18 months I've deployed a global XenDesktop and Netscaler infrastructure. This has been a really interesting and exciting time where demand for Citrix is rocketing, and now we have a solid platform for the future.
The project includes building 12 Netscaler VPXs in HA pairs, 12 StoreFront servers and 6 DDC controllers.
The goals for this project are as follows:
– GEO Services hosted in the cloud
– Single URL for all clients all over the world
– Regional based URLs UK, EU, Asia
– Two-factor authentication with RADIUS, RSA and Google Authenticator
– IP Authentication for internal users
– Support for Receiver both internally and externally
– Support for ChromeBook, HTML5
– Support for Apple, Macbooks, iPADs
– Restricted access for certain clients, who can only reach the Netscaler if they are coming from their office network.
– Support for VDIs hosted on XenServer
– Deployment of Applications for private clients
– Support for remote access to physical machines
– Deployment of Citrix Director for helpdesk support and stats
– Monitoring of the whole platform from Netscalers, Storefront, DDC and hardware.
There have been many challenges along the way and I'll be happy to share how they were resolved.
Hi all, and thanks for checking back in. Since my last post about ICA files I've been working on a project to deploy XenDesktop 7.6 and Netscaler 10.5 VPX, and it's so far been an interesting and head-scratching journey. For those using Citrix Access Gateway 5.0.4 this is a big step up, with much more for you to understand. Over the next couple of weeks I'll go through the process of preparing the Netscaler for Citrix XenApp and Citrix XenDesktop access, for both 6.5 and 7.6.
Now there are a number of reasons why you might need a Netscaler: creating VPN connections, accessing Citrix XenApp, DNS load balancing websites, OWA and monitoring sites. From a design perspective you need to know where your Netscaler will sit on your network; you will need at least 2 NIC interfaces and 3 IPs: your Netscaler IP (NSIP) for management, your VIP for external access and your subnet IP (SNIP) for internal access.
There is no limit to what you can do, but before you jump in you need to look at the 5 basic steps:
- Configure your NSIP, SNIP and DNS servers on the initial login page.
- Licensing > Install your licenses
- Settings> Modes and Features> Basic Features, turn on what you need
- Same for Advanced features.
- You will need to assign a certificate and its CA chain (root and any intermediate) to the Netscaler; it's highly recommended you use a global external CA, like DigiCert, VeriSign or GoDaddy, so that clients already trust it without you having to distribute a root.
Once you have done that you can start using SSL offloading, create virtual gateways etc..
I’ll create a short video on how you can get started in the next week.
DNS issue: those who are already in the process of deploying a Netscaler might find setting up DNS name servers a bit of a pain. For instance, adding a server as a name server shows its status as DOWN while it is using UDP, and if you're in an environment where ICMP is blocked by the firewalls you will have to target the TCP port instead. There is a workaround, and a better practice for monitoring DNS, because it targets the service port itself rather than relying on a ping. Depending on your network, I would suggest routing this out of your NSIP or MIP address on your management network; this is what I needed to do in a tight DMZ.
SLDAP monitoring: if you're hoping to use secure LDAP, as most of us do, and to monitor your domain controllers for queries, then the default LDAP monitor will not work. You need to create a custom monitor. Please see this Citrix article for the steps: http://support.citrix.com/article/CTX117943
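As an added example (not from the original post, and not Netscaler configuration), here is what a monitor that targets the service port actually does, written as a stand-alone Python probe. Instead of a ping, which only proves the host answers ICMP and is exactly what a DMZ firewall drops, it sends a real A query to the name server over TCP/53 and only reports UP on a well-formed answer with a matching transaction ID and RCODE 0. The server address and the name to resolve are command-line placeholders; the Netscaler's own DNS monitor type works on the same principle from the appliance.

```python
"""DNS health probe that targets the service port, not ICMP.

Added example, not Netscaler configuration and not from the original post:
this is what a DNS-type monitor does instead of a ping. It sends a real A
query over TCP/53 and requires a well-formed answer with a matching
transaction ID and RCODE 0. Server and names are placeholders.
"""
import secrets
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """'ns1.example.com' -> 03 'ns1' 07 'example' 03 'com' 00 (wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=None):
    """Recursion-desired A query; returns (message, txid) so the caller can match the reply."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # unpredictable ID: cheap defence against spoofed replies
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN), txid


def skip_name(data, offset):
    """Return the offset just past a name, whether spelled out or a compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier name; nothing follows it
            return offset + 2
        offset += 1 + length


def parse_response(data, txid):
    """Check the header strictly and return the A records; any defect raises (= DOWN)."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qd):  # question section: name + QTYPE + QCLASS
        offset = skip_name(data, offset) + 4
    addrs = []
    for _ in range(an):  # answer section: name + TYPE, CLASS, TTL, RDLENGTH, RDATA
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def recv_exact(sock, n):
    """Read exactly n bytes or fail; a half-closed socket is a failed probe."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def probe_dns_tcp(server, name, port=53, timeout=3.0):
    """TCP framing is a 2-byte length prefix (RFC 1035 section 4.2.2). Timeouts,
    resets and bad answers all raise, which is the UP/DOWN signal a monitor wants."""
    query, txid = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", recv_exact(sock, 2))
        return parse_response(recv_exact(sock, length), txid)


if __name__ == "__main__":
    # usage: probe.py <dns-server-ip> <name-to-resolve>
    print(probe_dns_tcp(sys.argv[1], sys.argv[2]))
```

Run it from the management network with the name server's IP and a name it is authoritative for; an exception of any kind is DOWN, a list of addresses is UP. Matching on the transaction ID and RCODE, rather than just "got some bytes back", is what separates this from a TCP connect check.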
Back to ICA Files!
I've been working on a project in a very complex network configuration where a client is connecting to our hosted Citrix XenApp service via 4 different possible network routes, none over the Internet. To add to the complex double-NATed network, they can't resolve DNS, so out go any ideas of using a CAG or Netscaler or even a Web Interface, as it has to be based on IP. So it's back to creating ICA files for each application and each connection. Fun!
Citrix eDocs are a good place to look for detailed information on the ICA protocol and session reliability but I want to share with you how the basics work.
ICA files are good if you need to use IP addresses instead of DNS and have a very limited number of applications to publish. You need to create the ICA files right first time before distributing them to other users, so plenty of testing is required.
If you can resolve DNS then I can't see any advantage in using ICA files, as the Web Interface or StoreFront with a CAG or Netscaler offer a better, more flexible solution. Many ICA files can get messy and hard to maintain! In my case it's the only option.
First you want to download quicklaunch, which will allow you to create ICA files the easy way and test them before rolling them out. You also have many options you can include in your ICA file, such as session options and session reliability, and don't forget encryption!
You can download quicklaunch from the Citrix Website: http://support.citrix.com/article/CTX122536
With quicklaunch you can decide if you want to launch an application or full desktop or connection to Xendesktop.
A typical ICA file for a full desktop with encryption at 128-bit may look like this:
InputEncoding = ISO8859_1
KeyboardTimer = 0
MouseTimer = 0
Note the encryption level and the CGP address port: when you launch your application, your session will be on 2598.
But is my session Encrypted?
One of the big questions I've been asked is whether the session is encrypted. Well, indeed it is: although a basic level of encryption exists by default, you can use up to 128-bit RC5 without too much trouble. Initially I assumed certificates would be requested, and that means DNS, but I was surprised how it just works, so the encryption negotiation must be done between the Receiver and the XML service.
To enable encryption for SecureICA:
Using the quicklaunch application, select the Session Options tab; from there you can select the level of encryption you require, and you may want to select session reliability as well. Once you're finished, go back to the General tab and select ICA File and one will be generated.
If the ICA File option is greyed out then you need to remove your username and password.
If you can't retrieve a list of applications, then try changing the XML port to 8080, or to whatever you may have configured it to.
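As an added example that is not part of the original post (nor Citrix's own tooling), here is a small Python lint for a hand-built ICA file, checking the things this post says to get right before the file goes out to users: the server Address is an IP literal (the clients here can't resolve DNS), EncryptionLevelSession is EncRC5-128, CGPAddress points at port 2598 for session reliability, and no Username/Password keys were left in (the same keys that grey out the ICA File button in quicklaunch). The sample ICA file, its app name and its addresses are constructed; the key names are the standard ICA ones. One caveat worth keeping in mind: SecureICA's RC5 encrypts the session stream but, unlike TLS, does not authenticate the server, so pinning the Address to a known IP is doing some of the work a certificate would otherwise do.

```python
"""Lint a hand-built ICA file before distributing it.

Added example, not code from the original post or from Citrix: it parses an
ICA file (INI syntax) and flags the mistakes that are painful to fix once the
file is on users' desktops. All names and addresses in SAMPLE_ICA are
constructed for illustration.
"""
import configparser
import ipaddress

# Constructed sample: full-desktop launch to a XenApp server by IP, 128-bit
# SecureICA, session reliability on CGP port 2598.
SAMPLE_ICA = """\
[WFClient]
Version=2
ProxyType=None

[ApplicationServers]
FinanceDesktop=

[FinanceDesktop]
Address=10.20.30.40:1494
InitialProgram=#FinanceDesktop
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
ClientAudio=On
DesiredColor=8
EncryptionLevelSession=EncRC5-128
CGPAddress=*:2598
SessionReliabilityTTL=180

[EncRC5-128]
DriverNameWin32=pdc128n.dll
"""

# Keys that mean someone saved credentials into the file
CREDENTIAL_KEYS = {"username", "password", "clearpassword"}


def parse_ica(text):
    """ICA files are INI-style. Keep key case (optionxform=str) so the app
    names listed under [ApplicationServers] match their own section headers."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def get_key(cp, section, key):
    """Case-insensitive key lookup; Receiver does not care about key case."""
    for name, value in cp.items(section):
        if name.lower() == key.lower():
            return value
    return None


def host_is_ip_literal(address):
    """Address may carry a port suffix ('10.20.30.40:1494'). IPv4 only here."""
    host = address.split(":", 1)[0]
    try:
        ipaddress.IPv4Address(host)
        return True
    except ipaddress.AddressValueError:
        return False


def lint_ica(text, require_ip=True, encryption="EncRC5-128", cgp_port=2598):
    """Return a list of findings; an empty list means the file passes."""
    cp = parse_ica(text)
    findings = []
    if not cp.has_section("ApplicationServers"):
        return ["missing [ApplicationServers] section"]
    apps = cp.options("ApplicationServers")
    # Credentials can hide in [WFClient] or in any app section
    for section in ("WFClient", *apps):
        if cp.has_section(section):
            for key, _ in cp.items(section):
                if key.lower() in CREDENTIAL_KEYS:
                    findings.append(f"[{section}] embeds credential key {key}; remove it before distributing")
    for app in apps:
        if not cp.has_section(app):
            findings.append(f"{app}: listed in [ApplicationServers] but has no [{app}] section")
            continue
        address = get_key(cp, app, "Address")
        if not address:
            findings.append(f"{app}: no Address, nothing to connect to")
        elif require_ip and not host_is_ip_literal(address):
            findings.append(f"{app}: Address {address} is a DNS name; these clients cannot resolve DNS")
        enc = get_key(cp, app, "EncryptionLevelSession")
        if enc != encryption:
            findings.append(f"{app}: EncryptionLevelSession is {enc!r}, expected {encryption}")
        cgp = get_key(cp, app, "CGPAddress")
        if cgp is None:
            findings.append(f"{app}: no CGPAddress, session reliability is off")
        else:
            port = cgp.rsplit(":", 1)[-1]
            if not port.isdigit() or int(port) != cgp_port:
                findings.append(f"{app}: CGPAddress {cgp} does not use port {cgp_port}")
    return findings


if __name__ == "__main__":
    for line in lint_ica(SAMPLE_ICA) or ["OK: ICA file passes"]:
        print(line)
```

Run it over every ICA file before it leaves your hands; a non-empty list is a file to fix, and the Address check is the one that bites in a no-DNS environment like the one described above.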
If you need more information about ICA traffic or files and how they work then have a look at these Citrix links:
Information provided is based on real world scenarios and issues I have resolved as described but there are no guarantees or warranties.