XenDesktop 5.6 with Receiver StoreFront and Access Gateway

Article ID: CTX132787

Description

This article is intended for Citrix administrators and technical teams only.
Non-admin users must contact their company's Help Desk/IT support team and can refer to CTX297149 for more information.


This article describes how to set up an Access Gateway Enterprise Edition VPX and Receiver StoreFront for use with XenDesktop 5.6. Its purpose is to record the configuration of the Citrix Access Gateway Enterprise Edition appliance and Receiver StoreFront for use with Citrix XenDesktop 5.6. The article records a single configuration only; however, this environment can also act as a stepping stone for creating alternative or more advanced configurations if required.

Glossary

The following are the recent name changes for the terms used in this article:

  • Access Gateway Enterprise Edition appliance = A NetScaler VPX or physical appliance which is licensed to function with the Access Gateway feature

  • Receiver StoreFront = A Windows 2008 R2 Server Virtual Machine running StoreFront software

  • Delivery Services = An earlier name for Receiver StoreFront

  • StoreFront = Receiver StoreFront

  • XenDesktop = A Citrix XenDesktop farm, or its components

  • Cloud Gateway Express = Receiver StoreFront + Access Gateway Enterprise Edition appliance

Example Environment

The following diagram shows the network layout of the sample environment and the typical components:

Deskside Lab - Network Diagram

Setting up the Access Gateway Enterprise Edition VPX Virtual Machine

  1. Download the latest VPX appliance from www.citrix.com.

    Note: Access Gateway Enterprise Edition VPX is based on the NetScaler platform. Currently, choose a NetScaler VPX as the download.

  2. Import the VPX appliance into the XenServer and connect it to the DMZ virtual LAN.

  3. Start the VPX appliance, and log on to it from the XenCenter console:
    (nsroot/nsroot)

  4. Follow the text-based wizard to establish the following network settings:

    IP Address:          192.168.2.20

    Netmask:             255.255.255.0

    Gateway:             192.168.2.1

  5. Allow the VPX appliance to restart when you are prompted to restart.
    If you want to re-run this Wizard, then log on to the VPX appliance from the XenCenter console and run the configns command.

Access Gateway Enterprise Edition Configuration Utility

  1. From a suitable host within the DeskSide Lab, for example the Desktop Delivery Controller (DDC), use a browser to connect to http://192.168.2.20 and log on with the following credentials:

    User Name:       nsroot

    Password:         nsroot

    Start in:              Configuration

    Other:                defaults, or as required

  2. Use the Configuration Utility to establish the following settings:

    NetScaler VPX

  3. Add a Mapped IP of 192.168.2.21 (add Virtual IP later):

    NetScaler VPX

    It is recommended to use an NTP server.

    NetScaler VPX

  4. Add a DNS server (local=No). In this scenario, it is a pointer to the domain controller at 192.168.1.83.

    You can also add some DNS suffixes on the next tab so that the Network Routing is similar to the following screen shot:

    NetScaler VPX

Access Gateway Enterprise Edition Licensing

Details of Access Gateway Enterprise Edition VPX licensing are available in the Knowledge Center article CTX122426 - Citrix NetScaler VPX and CloudBridge VPX Licensing Guide.

Note: NetScaler VPX Express License should be sufficient for five concurrent users.

  1. Obtain an Access Gateway Enterprise Edition VPX license, and use the NetScaler Configuration Utility to upload the license file to the VPX appliance.

  2. After you have licensed and restarted the VPX appliance, the license page should look as displayed in the following screen shot:

    NetScaler VPX

Enabling Features

  • Right-click the SSL node in the left pane and enable the SSL feature.

  • Right-click the Access Gateway node in the left pane and enable the Access Gateway feature.

Installing a Certificate on the Access Gateway Enterprise Edition Appliance

Within Development and Test environments, a possible source for a security certificate for a web service is a private Windows Certificate Server. In this sample environment, XenDC83 is a Windows Certificate Server.

The following outlines the steps necessary to install a new certificate on an Access Gateway Enterprise Edition appliance.

NetScaler VPX

  1. Create the RSA key, and give it a name other than the one in the preceding screen shot.

  2. The Create RSA Key tool is moved directly under the SSL node in later builds.

  3. Click Close.

    NetScaler VPX

  4. Create a Certificate Signing Request and provide a Common Name other than the one used in the preceding procedure.

    Note: The Common Name should be the FQDN of the router. You can use a passphrase.

    NetScaler VPX

  5. Copy the certificate request from the /flash/nsconfig/ssl directory on the Access Gateway Enterprise Edition appliance to a Windows computer such as XenDC83. The preceding screen shot uses WinSCP to copy the certificate. You can download WinSCP from http://winscp.net.

  6. Use Microsoft Active Directory Certificate Services to request a certificate, and then select an advanced certificate request, as displayed in the following screen shots:

    Microsoft Active Directory Certificate Services

    Microsoft Active Directory Certificate Services

  7. Submit a certificate request by using a base 64 encoded file, as displayed in the following screen shot:

    Microsoft Active Directory Certificate Services

  8. Use Notepad to copy the contents of the certificate request, and paste it in the Microsoft Certificate Request page.

  9. Set Certificate Template to Web Server as shown in the following screen shot:

    Microsoft Active Directory Certificate Services

  10. Download the Base 64 certificate, and use WinSCP to copy it to the /flash/nsconfig/ssl directory on the Access Gateway Enterprise Edition appliance.

    Microsoft Active Directory Certificate Services

  11. Reopen the certificate request page, download the CA certificate in Base 64 format, and use WinSCP to copy it to the /flash/nsconfig/ssl directory on the Access Gateway Enterprise Edition appliance:

    NetScaler VPX

  12. Install the Certificate on the Access Gateway Enterprise Edition appliance.

    Note: If you get an error “Certificate with key size greater than RSA512 or DSA512 bits not supported”, then you might not have installed a valid (VPX) license on the Access Gateway Enterprise Edition appliance.

    NetScaler VPX

  13. Use the same form to install the CA certificate.

    Certificate-Key Pair Name = myCA

    Certificate File Name = Your CA certificate file

    Private Key File Name = blank
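
Before the server certificate and the CA certificate are installed, the files can be cross-checked with the openssl command: the key must pair with the certificate, the Common Name must be the router FQDN, and the certificate must verify against the CA certificate. The script below is an added example, not part of the original article or of any Citrix tooling. The file names, the FQDN gateway.example.test and the throwaway CA are constructed sample values, and the key is assumed not to be passphrase-protected.

```shell
#!/bin/sh
# Added example: cross-check certificate, private key and CA certificate
# before installing them. File names and the FQDN are constructed samples.

# Print the PEM public key of a certificate (x509) or private key (pkey).
pubkey_of() {  # $1 = x509|pkey, $2 = file
  case "$1" in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    pkey) openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null
}

# Print the subject Common Name of a certificate.
cert_cn() {  # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
    sed -n 's/^ *commonName *= *//p'
}

# Return 0 only if the key pairs with the certificate, the Common Name is
# the expected FQDN, and the certificate verifies against the CA certificate.
preflight() {  # $1 = cert, $2 = key, $3 = CA cert, $4 = expected FQDN
  cert_pub=$(pubkey_of x509 "$1"); key_pub=$(pubkey_of pkey "$2")
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "key does not match certificate"; return 1; }
  [ "$(cert_cn "$1")" = "$4" ] ||
    { echo "Common Name is not $4"; return 2; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "certificate does not chain to the CA"; return 3; }
  echo "ok"
}

# Build a throwaway CA and gateway certificate (constructed sample data).
make_sample() {  # $1 = output directory, $2 = FQDN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Lab CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/gw.key" -out "$1/gw.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/gw.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/gw.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" gateway.example.test
preflight "$demo_dir/gw.pem" "$demo_dir/gw.key" "$demo_dir/ca.pem" gateway.example.test
rm -rf "$demo_dir"
```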

Creating and Configuring Authentication Server and Policy

  1. Create an Authentication Server, as shown in the following screen shot:

    NetScaler VPX

  2. Create an Authentication Policy, as shown in the following screen shot:

    NetScaler VPX

Creating and Configuring a Session Profile and Policy

  1. Create Access Gateway Session Profile from the Network Configuration tab, as shown in the following screen shot:

    NetScaler VPX

  2. Create Session Profile from the Client Experience tab, as shown in the following screen shot:

    Access Gateway Session Profile

  3. Create Session Profile from the Security tab, as shown in the following screen shot:

    Access Gateway Session Profile

  4. Create Session Profile from the Published Applications tab, as shown in the following screen shot:

    Access Gateway Session Profile

  5. After the Session Profile is in place, you can create a Session Policy, as shown in the following screen shot:

    NetScaler VPX

Creating and Configuring a Virtual Server

  1. Create Virtual Server from the Certificates tab, as shown in the following screen shot:

    NetScaler VPX

  2. Add the Server and CA certificates.

  3. Select SmartAccess Mode, as shown in the following screen shot:

    Access Gateway Virtual Server

  4. Create Virtual Server from the Authentication tab.

  5. Insert the Authentication policy, as shown in the following screen shot:

    Access Gateway Virtual Server

  6. Create Virtual Server from the Policies tab.

  7. Insert the Session policy, as shown in the following screen shot:

    Access Gateway Virtual Server

  8. Create Virtual Server from the Published Applications tab.

  9. Add the Secure Ticket Authority (point to the Desktop Delivery Controller).

  10. Click Save.

    NetScaler VPX

Preparing the Citrix Receiver StoreFront Server

  1. Confirm that a CA certificate exists in the Trusted Root Certificate Authorities store of the StoreFront server. If it does not, add the CA certificate, and ensure that it goes into the local machine store and not into the user store:

    Server Manage

  2. Add a Web Server certificate to the StoreFront server by navigating to Server Manager > Roles > Web Server (IIS) > Internet Information Service > STOREFRONT89 > Server Certificates.

    Server Manage

  3. Select Create Domain Certificate.

  4. Complete the form (Page 1) and click Next.

    Server Manage

  5. Complete the form (Page 2) and click Finish.

    Server Manage

  6. Bind the certificate to https on the default web site. The path is Server Manager > Roles > Web Server (IIS) > Internet Information Service > STOREFRONT89 > Sites > Default Web Site > Bindings.

    Server Manage

  7. Install SQL Server 2008 R2 Express on the StoreFront server. Choose Windows Authentication mode.
    Note: SQL Express is only suitable for small test environments.

  8. Add the following line to the hosts file on the StoreFront server:
    192.168.2.2 FQDN of the Router (Common Name in Access Gateway Enterprise Edition certificate)

  9. Ensure that all Microsoft updates are installed.

Installing Citrix Receiver StoreFront on the StoreFront Server

At the time of writing, the executable is called CitrixReceiverStorefront-x64.exe and can be downloaded from www.citrix.com.

  1. After completing the installation, start Citrix Receiver StoreFront Management and follow the wizard to deploy a single server:

    CitrixReceiverStorefront

  2. Create an Authentication Service.

    CitrixReceiverStorefront

  3. Create Store, as shown in the following screen shots:

    CitrixReceiverStorefront

    CitrixReceiverStorefront

  4. Create Store Receiver for Web.

    Create Store Receiver for Web.

  5. After the initial Wizards are complete, the StoreFront looks similar to the following screen shots:

    CitrixReceiverStorefront

    Citrix Receiver Storefront

    Manage Server Farms

    CitrixReceiverStorefront

    CitrixReceiverStorefront

    CitrixReceiverStorefront

    Note: In this example, the Mapped IP address of one of the Access Gateway Enterprise Edition appliances is used for the Internal IP address:

    Gateway Server

    Gateway Server

    Citrix Receiver Storefront

    Citrix Receiver Storefront

    Citrix Receiver Storefront

Testing StoreFront Services

From the Citrix corporate LAN, browse to the external address of the Deskside Lab router.
Example: https://myrouter.citrite.net

Note: Currently this web address must be a “Trusted Site” in Internet Explorer.

You should also install the CA certificate on the client machine.

FAQ

Q: My environment is on a private network and I am using this environment for testing only. Do I still have to set up certificates and use https?

A: Yes.

Troubleshooting

  • Examine the Access Gateway Enterprise Edition console and ensure that there are no outstanding Save or Refresh All warnings.

  • Examine the Virtual Server on the Access Gateway Enterprise Edition appliance and confirm that the STA Identifier is displayed, and that the status of STA is UP.

  • Confirm that all systems are in an appropriate time zone, and their clocks are synchronized.

  • Examine the eventlog of the DDC and StoreFront servers.

  • Use normal XenDesktop testing techniques.

  • Verify the router Virtual Machine to ensure that necessary communication between the Access Gateway Enterprise Edition appliance and the internal LAN is not blocked.

  • You can use Wireshark, in non-promiscuous mode, on the StoreFront and/or DDC to verify whether the Access Gateway Enterprise Edition appliance is able to communicate with it.

Additional Resources

CTX200287 - How to Configure NetScaler Gateway 10.5 to use with StoreFront 2.6 and XenDesktop 7.6
CTX202097 - How to Configure NetScaler 11 to use with Web Interface 5.4 and XenApp

Issue/Introduction

The purpose of this article is to record one configuration of a Citrix Access Gateway Enterprise Edition (NetScaler/AGEE) appliance and Receiver StoreFront for use with Citrix XenDesktop 5.6.