How to Configure VDI-in-a-Box 5.x Remote Access with NetScaler Access Gateway 10

Article ID: CTX134315

Description

This article describes how to configure VDI-in-a-Box 5.x Remote Access with NetScaler Access Gateway 10.

Requirements

  • VDI-in-a-Box 5.x

  • NetScaler 10.0 build 69.4 or later (VPX, MPX, SDX)

  • NetScaler Gateway 10.1 or later (VPX, MPX, SDX)

  • NetScaler Platform License

Background

This article provides instructions for configuring remote access to VDI-in-a-Box virtual desktops. The latest NetScaler and NetScaler Gateway versions (build 69.4 or later) include an Access Gateway wizard that allows quick remote access setup. On the VDI-in-a-Box side, configuration requires adding HDX gateway information and a Grid IP address.


Instructions

Complete the following procedure to configure the VDI-in-a-Box Grid IP Address:

  1. Log on to the VDI-in-a-Box web console as an administrator.

  2. Open Admin > Advanced Properties menu.

  3. Scroll down to the Grid section.

  4. Enter the IP address to use in the Grid IP address field.

Complete the following procedure to configure the VDI-in-a-Box HDX Gateway:

  1. Log on to the VDI-in-a-Box web console as an administrator.

  2. Open Admin > Advanced Properties menu.

  3. Scroll down to the Gateways section.

  4. In External HDX gateway addresses, for each NetScaler Gateway virtual server, type the following:

    virtual server IP address, fully qualified domain name:portnumber

    Separate the entries with semicolons.

    For example: 192.0.2.14,www.gw2.com:443;192.0.2.1,www.gw1.com:443

    Note: To enable Single Sign-on, you must ensure that you enter the virtual server IP address. If you enter only the FQDN and port number, remote access without Single Sign-on is configured.

  5. Enter the NetScaler MIP or SNIP to be used by VDI-in-a-Box in the Internal HDX Gateway field.
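
The entry format from step 4, as an added example that is not part of the original article: a Python validator that parses an External HDX gateway addresses string and reports entries that omit the virtual server IP, which the note above says are configured without Single Sign-on. The function names and the FQDN-only sample entry are constructed for illustration; rejecting empty entries is this validator's own choice, not documented VDI-in-a-Box behaviour.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_hdx_gateways(value):
    """Parse 'ip,fqdn:port;ip,fqdn:port' into a list of dicts.

    Raises ValueError on a malformed entry. An entry without the leading
    virtual server IP is accepted but marked sso=False, because the article
    states that FQDN-and-port-only entries give remote access without SSO.
    """
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            # Assumption: treat a stray or trailing semicolon as an error.
            raise ValueError("empty entry (stray or trailing semicolon)")
        ip_part, comma, host_port = raw.rpartition(",")
        vip = None
        if comma:
            # ip_address() raises ValueError for anything that is not an IP.
            vip = str(ipaddress.ip_address(ip_part.strip()))
        fqdn, colon, port = host_port.strip().rpartition(":")
        if not colon or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"missing or invalid port in {raw!r}")
        labels = fqdn.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
        entries.append({"vip": vip, "fqdn": fqdn.lower(),
                        "port": int(port), "sso": vip is not None})
    return entries


def sso_gaps(value):
    """Return the FQDNs of entries that would be configured without SSO."""
    return [e["fqdn"] for e in parse_hdx_gateways(value) if not e["sso"]]


if __name__ == "__main__":
    # The article's example plus one constructed FQDN-only entry.
    sample = ("192.0.2.14,www.gw2.com:443;192.0.2.1,www.gw1.com:443;"
              "www.gw3.example:443")
    for entry in parse_hdx_gateways(sample):
        print(entry)
    print("entries without SSO:", sso_gaps(sample))
```
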

Complete the following procedure to configure the NetScaler appliance:

For NetScaler Access Gateway 10.0

  1. Import the appliance to a supported hypervisor if using the NetScaler VPX (virtual appliance).

  2. Configure NetScaler IP Address (NSIP) through the Console and restart.

  3. Log on to the NetScaler web console with default credentials: nsroot/nsroot

  4. Provide a Host Name and configure the type of IP address to use for communication with the VDI-in-a-Box servers and desktops.

For more information about SNIPs and MIPs, see the following links:

Citrix Documentation - Configuring Subnet IP Addresses (SNIPs)

Citrix Documentation - Configuring Mapped IP Addresses (MIPs)

  5. Complete the Setup Wizard using default values.

  6. Click the Manage License link to upload a NetScaler Platform License.

  7. Click Finish.

  8. Save the configuration when prompted and restart the NetScaler.

Complete the following procedure to configure Access Gateway virtual server:

  1. Log back into the NetScaler web console.

  2. Select Access Gateway feature and then Create/Monitor Access Gateway to open the Access Gateway 10 Home page.

  3. Click Get Started to open the Access Gateway Setup page.

  4. Fill in the Access Gateway Settings section.

    The IP address is typically in a perimeter network or a public IP address that users connect to. Optionally, enable https redirection so the gateway will accept (and redirect) http requests to https.

  5. Fill in the LDAP Authentication section. This is required when configuring the wizard, but the authentication policy can be disabled later.

    • IP Address: Active Directory domain controller

    • Port: Usually 389 or 636

    • Base DN: Provide the Distinguished Name for the users in AD, such as OU=Users,OU=VDI,DC=domain,DC=com

    • Admin Base DN: Provide the Distinguished Name for a domain admin, such as CN=Administrator,CN=Users,DC=domain,DC=com

    • Logon Name: This should be SAMAccountName

    • Password: Provide the domain admin’s password

  6. Select one of the options from the Certificate section.

    • Install Certificate: Select this option to upload the server certificate and private key that has already been generated (valid or self-signed). Certificates can be generated using the SSL feature of the NetScaler or any other certificate utility, such as OpenSSL or Java KeyTool.

    • Use Test Certificate: Select this option if a self-signed test certificate is required. Provide a name and FQDN for the certificate.

      Important: Upon completion of this wizard, the test certificate and root certificate must be exported from the NetScaler and installed on the client devices. They are found in the Configuration > SSL > Manage Certificates / Keys / CSRs section.

  7. Select DNS and type the IP address of the DNS server to be used.

    Note: For production environments, this should be an external-facing DNS server that will be used to redirect http to https requests based on the FQDN, if enabled in the Access Gateway Settings section.

  8. Select Web Interface in the CloudGateway/Web Interface section.

    The Web Interface and STA fields must use https instead of http.

    Note: VDI-in-a-Box 5.1 does not support CloudGateway.

    • Web Interface Address: Provide the URL for the VDI-in-a-Box Grid IP Address, such as https://vdiGridIP.

    • Single Sign-on Domain: Provide the Active Directory domain. This will be used for SSO with PNAgent used by the Citrix Receiver.

    • Secure Ticket Authority: Provide the STA URL using the VDI-in-a-Box Grid IP, such as https://vdiGridIP/dt/sta.

    • Leave both Single Sign-on domain and ICA Proxy enabled.

  9. Click Done.

    This creates the Access Gateway virtual server using the settings and policies defined in this setup page.

  10. Return to the NetScaler web console and click Save to ensure the running configuration is saved to disk in the event the NetScaler requires a restart.

For NetScaler Gateway 10.1 

  1. Import the appliance to a supported hypervisor if using the NetScaler Gateway VPX (virtual appliance).

  2. Configure NetScaler IP Address (NSIP) through the Console and restart.

  3. Log on to the NetScaler Gateway web console with default credentials: nsroot/nsroot. For Deployment Type choose NetScaler Gateway.

    Provide a Host Name, Subnet IP address, and one or more DNS addresses.

    The Subnet IP address is the internal IP of the NetScaler Gateway.

    Note: For production environments, the DNS should be an external-facing DNS server that will be used to redirect http to https requests based on the FQDN, if enabled in the NetScaler Gateway Settings section.

    The NetScaler Gateway administrator password can also be changed from here.

  4. Complete the Setup Wizard using default values.

  5. Under Update Licenses, click Browse to choose and upload a NetScaler Gateway Platform License.

  6. Click Continue then Done.

  7. Save the configuration when prompted and restart the NetScaler Gateway.

Complete the following procedure to configure NetScaler Gateway virtual server:

  1. Log back into the NetScaler Gateway web console.

  2. Click Get Started to open the NetScaler Gateway Setup page.

  3. Fill in the NetScaler Gateway Settings section. The IP address is typically in a perimeter network or a public IP address that users connect to. Optionally, enable https redirection so the gateway will accept (and redirect) http requests to https. (An SSL gateway is required.) Click Continue.

  4. Select one of the options from the Certificate section.

    • Choose Certificate: Select this option if your SSL Certificate is already installed on the NetScaler Gateway.

    • Install Certificate: Select this option to upload the server certificate and private key that has already been generated (valid or self-signed). Certificates can be generated using the SSL feature of the NetScaler Gateway or any other certificate utility, such as OpenSSL or Java KeyTool.

    • Use Test Certificate: Select this option if a self-signed test certificate is required. Provide a name and FQDN for the certificate.

  5. Click Continue.

  6. Fill in the LDAP Authentication section. This is required when configuring the wizard, but the authentication policy can be disabled later.

    • IP Address: Active Directory domain controller

    • Port: Usually 389 or 636

    • Base DN: Provide the Distinguished Name for the users in AD, such as OU=Users,OU=VDI,DC=domain,DC=com

    • Admin Base DN: Provide the Distinguished Name for a domain administrator, such as CN=Administrator,CN=Users,DC=domain,DC=com

    • Server Logon Name Attribute: This should be SAMAccountName

    • Password: Provide the domain administrator’s password

  7. Click Continue.

  8. Select XenApp / XenDesktop in the Enterprise Store Settings section. The Web Interface and STA fields must use https instead of http.

    Note: VDI-in-a-Box 5.1 does not support CloudGateway.

    • Deployment Type: Web Interface

    • XenApp Site URL: Provide the URL for the VDI-in-a-Box Grid IP Address, such as https://vdiGridIP.

    • XenApp Services Site URL: https://vdiGridIP/dt/PNAgent/config.xml

    • Single Sign-on Domain: Provide the Active Directory domain. This will be used for SSO with PNAgent used by the Citrix Receiver.

    • STA URL (Secure Ticket Authority): Provide the STA URL using the VDI-in-a-Box Grid IP, such as https://vdiGridIP/dt/sta.

  9. Click Done.

    This creates the NetScaler Gateway virtual server using the settings and policies defined in this setup page.

  10. Return to the NetScaler Gateway web console, click Configuration, then click Save to ensure the running configuration is saved to disk in the event the NetScaler requires a restart.

Important: Upon completion of this wizard, the test certificate and root certificate must be exported from the NetScaler and installed on client devices. They are found in the Configuration > SSL > Manage Certificates / Keys / CSRs section.

Issue/Introduction

This article explains how to configure VDI-in-a-Box 5.3 Remote Access with NetScaler Access Gateway 10.

Additional Information

Advanced Citrix Receiver Session Policy

To create advanced session policies, follow the instructions in Citrix Documentation - Creating a Session Policy and Profile for the NetScaler Gateway Plug-in.

The policy that is created using the Access Gateway wizard allows iOS and Android devices to connect to VDI-in-a-Box desktops through the web interface without any further configuration.

To allow iOS and Android devices to connect directly without going through the web interface, a separate session policy must be manually added using the following settings:

  • For the Web Interface Address field, use the VDI-in-a-Box Grid IP address in the following format (path is case-sensitive):

    https://vdiGridIP/dt/PNAgent/config.xml

  • Type the AD domain into the Single Sign-On Domain field.

  • No additional authentication policy must be created.

Do the following to configure NetScaler to allow users to connect to VDI-in-a-Box directly through the Receiver:

On the session policy profile, configure the following settings:

  • Clientless Access: Allow

  • Clientless Access URL encoding: Clear

  • Plugin Type: Java