The following are the recent name changes for the terms used in this article:
Access Gateway Enterprise Edition appliance = A NetScaler VPX or physical appliance which is licensed to function with the Access Gateway feature
Receiver StoreFront = A Windows 2008 R2 Server Virtual Machine running StoreFront software
Delivery Services = An earlier name for Receiver StoreFront
StoreFront = Receiver StoreFront
XenDesktop = A Citrix XenDesktop farm, or its components
Cloud Gateway Express = Receiver StoreFront + Access Gateway Enterprise Edition appliance
The following diagram shows the network layout of the sample environment and the typical components:
Download the latest VPX appliance from www.citrix.com.
Note: Access Gateway Enterprise Edition VPX is based on the NetScaler platform. Currently, select NetScaler VPX as the download.
Import the VPX appliance into the XenServer and connect it to the DMZ virtual LAN.
Start the VPX appliance, and log on to it from the XenCenter console:
(nsroot/nsroot)
Follow the text-based wizard to establish the following network settings:
IP Address: 192.168.2.20
Netmask: 255.255.255.0
Gateway: 192.168.2.1
Allow the VPX appliance to restart when you get a prompt to restart.
If you want to re-run this Wizard, then log on to the VPX appliance from the XenCenter console and run the configns command.
From a suitable host within the DeskSide Lab, for example the Desktop Delivery Controller (DDC), use a browser to connect to http://192.168.2.20 and log on with the following credentials:
User Name: nsroot
Password: nsroot
Start in: Configuration
Other: defaults, or as required
Use the Configuration Utility to establish the following settings:
Add a Mapped IP of 192.168.2.21 (add Virtual IP later):
Using an NTP server is recommended.
Add a DNS server (local=No). In this scenario, it is a pointer to the domain controller at 192.168.1.83.
You can also add some DNS suffixes on the next tab so that the Network Routing is similar to the following screen shot:
Details of Access Gateway Enterprise Edition VPX licensing are available in the Knowledge Center article CTX122426 - Citrix NetScaler VPX and CloudBridge VPX Licensing Guide.
Note: NetScaler VPX Express License should be sufficient for five concurrent users.
Obtain an Access Gateway Enterprise Edition VPX license, and use the NetScaler Configuration Utility to upload the license file to the VPX appliance.
After you have licensed and restarted the VPX appliance, the license page should look as displayed in the following screen shot:
Right-click the SSL node in the left pane and enable the SSL feature.
Right-click the Access Gateway node in the left pane and enable the Access Gateway feature.
Within Development and Test environments, a possible source of a security certificate for a web service is a private Windows Certificate Server. In this sample environment, XenDC83 is a Windows Certificate Server.
The following outlines the steps necessary to install a new certificate on an Access Gateway Enterprise Edition appliance.
Create the RSA key, and give it a name other than the one shown in the preceding screen shot.
In later builds, the Create RSA Key tool is located directly under the SSL node.
Click Close.
Create a Certificate Signing Request and provide a Common Name other than the one used in the preceding procedure.
Note: The Common Name should be the FQDN of the router. You can use a passphrase.
Copy the certificate request from the /flash/nsconfig/ssl directory on the Access Gateway Enterprise Edition appliance, to a Windows computer such as XenDC83. The preceding screen shot uses WinSCP to copy the certificate. You can download WinSCP from http://winscp.net.
Use Microsoft Active Directory Certificate Services to request a certificate, and choose the advanced certificate request, as displayed in the following screen shots:
Submit a certificate request by using a base 64 encoded file, as displayed in the following screen shot:
Use Notepad to copy the contents of the certificate request, and paste it in the Microsoft Certificate Request page.
Set Certificate Template to Web Server as shown in the following screen shot:
Download the Base 64 certificate, and use WinSCP to copy it to the /flash/nsconfig/ssl directory on the Access Gateway Enterprise Edition appliance.
Restart the certificate request page, download the CA certificate in Base 64 format, and use WinSCP to copy it to the /flash/nsconfig/ssl directory on the Access Gateway Enterprise Edition appliance:
Install the Certificate on the Access Gateway Enterprise Edition appliance.
Note: If you get an error “Certificate with key size greater than RSA512 or DSA512 bits not supported”, then you might not have installed a valid (VPX) license on the Access Gateway Enterprise Edition appliance.
Use the same form to install the CA certificate.
Certificate-Key Pair Name = myCA
Certificate File Name = Your CA certificate file
Private Key File Name = blank
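Before the certificate pair is installed, the properties this procedure relies on (the certificate chains to the CA certificate, it pairs with the key behind the request, and its Common Name is the gateway FQDN) can be checked with OpenSSL on any host that holds copies of the files. This is an added example, not part of the original article; the function names, file names and the FQDN gateway.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-install checks on copies of the files from
# /flash/nsconfig/ssl. File names and the FQDN below are constructed.

# check_gateway_cert CERT CA_CERT CSR FQDN  -> returns 0 when all checks pass
check_gateway_cert() {
    cert=$1; ca=$2; csr=$3; fqdn=$4

    # 1. The server certificate must chain to the CA certificate that is
    #    installed alongside it (myCA) and trusted by StoreFront and clients.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca"; return 1; }

    # 2. The certificate must carry the public key from the request, so it
    #    pairs with the RSA key that was created on the appliance.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
    [ "$cert_pub" = "$csr_pub" ] ||
        { echo "FAIL: certificate key differs from the request key"; return 2; }

    # 3. The Common Name must be the FQDN that users browse to.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$fqdn" ] ||
        { echo "FAIL: Common Name '$cn' is not '$fqdn'"; return 3; }

    echo "OK: CN=$cn, key matches request, chains to CA"
}

# Builds a throwaway CA, key, request and certificate so the checks can be
# tried offline (constructed test data, valid for one day).
make_constructed_pki() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.cer" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/gw.key" -out "$dir/gw.req" 2>/dev/null &&
    openssl x509 -req -in "$dir/gw.req" -CA "$dir/ca.cer" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/gw.cer" 2>/dev/null
}

# Demo: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_constructed_pki "$tmp" gateway.example.test &&
        check_gateway_cert "$tmp/gw.cer" "$tmp/ca.cer" "$tmp/gw.req" gateway.example.test
    rm -rf "$tmp"
fi
```

A non-zero return identifies the failed check: 1 for the chain, 2 for the key pairing, 3 for the Common Name.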
Create an Authentication Server, as shown in the following screen shot:
Create an Authentication Policy, as shown in the following screen shot:
Create Access Gateway Session Profile from the Network Configuration tab, as shown in the following screen shot:
Create Session Profile from the Client Experience tab, as shown in the following screen shot:
Create Session Profile from the Security tab, as shown in the following screen shot:
Create Session Profile from the Published Applications tab, as shown in the following screen shot:
After the Session Profile is in place, you can create a Session Policy, as shown in the following screen shot:
Create Virtual Server from the Certificates tab, as shown in the following screen shot:
Add the Server and CA certificates.
Select SmartAccess Mode, as shown in the following screen shot:
Create Virtual Server from the Authentication tab.
Insert the Authentication policy, as shown in the following screen shot:
Create Virtual Server from the Policies tab.
Insert the Session policy, as shown in the following screen shot:
Create Virtual Server from the Published Applications tab.
Add the Secure Ticket Authority (point to the Desktop Delivery Controller).
Click Save.
Confirm that a CA certificate exists in the Trusted Root Certificate Authorities store of the StoreFront server. If it does not, then add the CA certificate, and ensure that it goes into the local machine store and not into the user store:
Add a Web Server certificate to the StoreFront server by navigating to Server Manager > Roles > Web Server (IIS) > Internet Information Service > STOREFRONT89 > Server Certificates.
Select Create Domain Certificate.
Complete the form (Page 1) and click Next.
Complete the form (Page 2) and click Finish.
Bind the certificate to https on the default web site. The path is Server Manager > Roles > Web Server (IIS) > Internet Information Service > STOREFRONT89 > Sites > Default Web Site > Bindings.
Install SQL Server 2008 R2 Express on the StoreFront server. Choose Windows Authentication mode.
Note: SQL Express is only suitable for small test environments.
Add the following line to the hosts file on the StoreFront server:
192.168.2.2 FQDN of the Router (Common Name in Access Gateway Enterprise Edition certificate)
Ensure that all Microsoft updates are installed.
At the time of writing, the executable is called CitrixReceiverStorefront-x64.exe, and it can be downloaded from www.citrix.com.
After completing the installation, start Citrix Receiver StoreFront Management and follow the wizard to deploy a single server:
Create an Authentication Service.
Create Store, as shown in the following screen shots:
Create Store Receiver for Web.
After the initial Wizards are complete, the StoreFront looks similar to the following screen shots:
Note: In this example, the Mapped IP address of one of the Access Gateway Enterprise Edition appliances is used for the Internal IP address:
From the Citrix corporate LAN, browse to the external address of the Deskside Lab router.
Example: https://myrouter.citrite.net
Note: Currently this web address must be a “Trusted Site” in Internet Explorer.
You should also install the CA certificate on the client machine.
A: Yes.
Examine the Access Gateway Enterprise Edition console and ensure that there are no outstanding Save or Refresh All warnings.
Examine the Virtual Server on the Access Gateway Enterprise Edition appliance and confirm that the STA Identifier is displayed, and that the status of STA is UP.
Confirm that all systems are in an appropriate time zone, and their clocks are synchronized.
Examine the event logs of the DDC and StoreFront servers.
Use normal XenDesktop testing techniques.
Check the router Virtual Machine to ensure that necessary communication between the Access Gateway Enterprise Edition appliance and the internal LAN is not blocked.
You can use Wireshark, in non-promiscuous mode, on the StoreFront and/or DDC to verify whether the Access Gateway Enterprise Edition appliance is able to communicate with it.
CTX200287 - How to Configure NetScaler Gateway 10.5 to use with StoreFront 2.6 and XenDesktop 7.6
CTX202097 - How to Configure NetScaler 11 to use with Web Interface 5.4 and XenApp