How to Set up VDI-in-a-Box with NetScaler Gateway and StoreFront 2.x for HTML5 Access

Article ID: CTX139187

Description

This article describes how to set up VDI-in-a-Box with NetScaler Gateway and StoreFront 2.0 for HTML5 Access.

Requirements

  • VDI-in-a-Box 5.3 or later

  • StoreFront 2.0 or later

  • NetScaler Access Gateway 10.0 (VPX, MPX, SDX)

  • NetScaler Gateway 10.1 or later (VPX, MPX, SDX)

  • NetScaler Platform License

Background

Some organizations operate in environments where Citrix Receiver cannot be installed, such as a high-security, locked-down environment or a school deploying Chromebooks. Users in these environments can access their VDI-in-a-Box desktops by using NetScaler Gateway and StoreFront 2.0.


Instructions

StoreFront 2.0 Setup

  1. Download StoreFront 2.0 from www.citrix.com.

  2. Install StoreFront 2.0 with the instructions found in the Citrix Documentation - Install StoreFront.

  3. If the StoreFront management console is not already open after installation of StoreFront, click Start > All Programs > Citrix > Citrix StoreFront.

  4. In the results pane of the Citrix StoreFront management console, click Create a new deployment.

  5. Specify the base URL to be used to access the StoreFront services and then click Next.

    The users use this URL for authenticating.

  6. On the Store Name page, specify a name for your store and click Next.

  7. On the Delivery Controllers page, click Add.

  8. In the Add Delivery Controller dialog box, specify a name that will help you to identify the deployment (for example, VIAB Grid) and select VDI-in-a-Box.

  9. Click Add, then type in the IP addresses of your VDI-in-a-Box servers.

Fault Tolerance

If you are using the VDI-in-a-Box grid-wide virtual IP address feature, type in only the grid virtual address. If you are not using this feature, type at least two vdiManager IP addresses to enable fault tolerance through StoreFront, listing the entries in order of priority to set the failover sequence.

For more information regarding the Grid IP address, refer to Citrix Documentation - Manage a Grid.

  10. From the Transport type list, select the type of connections for StoreFront to use for communications with the servers:

  • To send data over unencrypted connections, select HTTP.

    Note: If you select this option, you must make your own arrangements to secure connections between StoreFront and VDI-in-a-Box.

    User connections to StoreFront are encrypted if StoreFront’s site is configured with HTTPS.

  • To send data over secure HTTP connections using SSL or Transport Layer Security (TLS), select HTTPS.

    StoreFront validates SSL certificates, so you must have installed trusted certificates on all VDI-in-a-Box servers to use HTTPS.

    Note: If you are using HTTPS, ensure that the server names you specify in the Servers list match exactly (including the case) the names on the certificates for the servers.

  11. Specify the port for StoreFront to use for connections to VDI-in-a-Box. The default port is 80 for connections using HTTP, and 443 for HTTPS connections.

  12. Click OK.

  13. Repeat Steps 6 to 11, as required, to list additional deployments on the Delivery Controllers page.

  14. Click Next.

  15. On the Remote Access page, select No VPN tunnel.

  • To make only resources available through the store available to users on public networks through Access Gateway, select No VPN tunnel. Users log on directly to Access Gateway and do not need to use the Access Gateway Plug-in.

  • The pass-through from the Access Gateway authentication method is automatically enabled. Users authenticate to Access Gateway and are automatically logged into StoreFront when they access their stores.

  16. Click Add.

  17. On the General Settings page, specify a name for the NetScaler Gateway deployment that will help users to identify it.

    Note: Users see the Display Name you specify in Citrix Receiver, so you should include relevant information in the name to help users decide whether to use the deployment. For example, you could include the geographical location in the display names for your Access Gateway deployments so that users can easily identify the most convenient deployment for their location.

  18. Type the FQDN of the user logon point or virtual server for your Access Gateway deployment in the Gateway URL box.

    Note: The “NetScaler Gateway URL” is the external FQDN accessed by the users.

  19. Select the version of NetScaler Gateway you are using.

  20. Optional: Specify the subnet IP address of the Access Gateway appliance.

    Note: The subnet address is the IP address that Access Gateway Enterprise Edition uses to represent the user device when communicating with servers on the internal network. This can also be the Mapped IP (MIP) address of the Access Gateway appliance. StoreFront uses the subnet IP address to verify that incoming requests originate from a trusted device.

  21. From the Logon type list, select the authentication method used for Citrix Receiver users accessing their desktops and applications through Access Gateway Enterprise Edition:

  • If users are required to enter their domain credentials, select Domain.

  • If users are required to enter a tokencode obtained from a security token, select Security token.

  • If users are required to enter both their domain credentials and a token code obtained from a security token, select Domain and security token.

  • If users are required to enter a one-time password sent by text message, select SMS authentication.

  • If users are required to use smart cards, select Smart card.

  22. For Callback URL, type the FQDN of the NetScaler Gateway.

  23. Click Next.

  24. On the Secure Ticket Authority (STA) page, specify the URL for a server running the STA.

    Type URLs for multiple STA servers to enable fault tolerance, listing the servers in order of priority to set the failover sequence.

    If you are using the VDI-in-a-Box grid-wide virtual IP address feature, you must specify only the FQDN that is mapped to the grid virtual address to enable fault tolerance.
     
    Important: The STA must be added by FQDN over HTTPS, not by IP address. The paths for VDI-in-a-Box servers must include /dt/sta after the FQDN.

    For example: https://esx.example.com/dt/sta

    The STA issues session tickets in response to requests for connections to VDI-in-a-Box servers. These session tickets form the basis of authentication and authorization for access to resources. The VDI-in-a-Box grid should have an SSL certificate installed that corresponds to the FQDN used on the STA settings.

  25. If you want to keep disconnected sessions open while Citrix Receiver attempts to reconnect automatically, select Enable session reliability. If you have configured multiple STAs and want to ensure that session reliability is always available, select Request tickets from two STAs, where available.

    When Request tickets from two STAs, where available is selected, StoreFront obtains session tickets from two different STAs so that user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.

  26. Click Create to configure remote user access to the store through your Access Gateway deployment.

  27. Repeat Steps 15 to 24, as required, to list additional Access Gateway deployments on the Remote Access page. If you add multiple deployments, specify a default Access Gateway appliance to be used to access the store.

  28. On the Remote Access page, click Create and then, when the store has been created, click Finish.

Notes:
  • StoreFront automatically establishes a trust relationship between the new store and the authentication service.

  • The URL for users to access the Receiver for Web site for the new store is displayed. The Receiver for Web site enables users to access their desktops through a Web page.

  • Your store is now available for users to access with Citrix Receiver and through the Receiver for Web site. After creating the store, further options become available in the Citrix StoreFront management console.

  • By default, the store is configured to specify that Citrix Receiver Updater for Windows and Citrix Receiver Updater for Mac users accessing the store receive plug-in updates directly from the Citrix Update Service on the Citrix website. The specific plug-ins included depend on the configuration of the store.

Enable HTML5 Receiver in StoreFront

  1. Open the StoreFront management console.

  2. On the left, click Receiver for Web.

  3. On the right, click Deploy Citrix Receiver.

  4. Under Choose how to deploy Citrix Receiver, choose the option that is most appropriate for your environment:

  • Install Locally: Choose this option to disable HTML5 Receiver.

  • Use Receiver for HTML5 if local install fails first: Choose this option for maximum support where native receiver and HTML5 receiver are both in use.

  • Always use Receiver for HTML5: Choose this option if Citrix Receiver will not be installed on any access devices.

VDI-in-a-Box 5.3 Specific

Without the use of Group Policies, users must connect through NetScaler Gateway and not through StoreFront 2.0 directly in order to use the HTML5 receiver.

Users can connect through StoreFront 2.0 to use the HTML5 receiver if the proper group policy is applied. See CTX134948 - How to Configure Local Access for HTML5x Using Receiver for more information.

NetScaler Gateway 10.1 Setup

Complete the following procedure to configure the NetScaler Gateway 10.1 appliance:

  1. Import the appliance to a supported hypervisor if using the NetScaler Gateway VPX (virtual appliance).

  2. Configure NetScaler IP Address (NSIP) through the Console and restart.

  3. Log in to the NetScaler Gateway web console with the default credentials: nsroot/nsroot.

    For Deployment Type, choose NetScaler Gateway.

    4. Provide a Host Name, Subnet IP address, and one or more DNS addresses. The Subnet IP address is the internal IP of the NetScaler Gateway.

      Note: For production environments, the DNS should be an external-facing DNS server that will be used to redirect http to https requests based on the FQDN, if enabled in the NetScaler Gateway Settings section.
      You can change the NetScaler Gateway administrator password from here.

    5. Complete the Setup Wizard using default values.

    6. Under Update Licenses, click Browse to choose and upload a NetScaler Gateway Platform License.

    7. Click Continue > Done.

    8. Save the configuration when prompted and restart the NetScaler Gateway.

    Complete the following procedure to configure the NetScaler Gateway virtual server:

    1. Log back into the NetScaler Gateway web console.

    2. Click Get Started to open the NetScaler Gateway Setup page.

    3. Type/select the details in the NetScaler Gateway Settings section.

      The IP address is typically in a perimeter network or a public IP address that users connect to.

      Optionally, enable HTTPS redirection so that the gateway accepts HTTP requests and redirects them to HTTPS. (An SSL gateway is required.) Click Continue.

    4. Select one of the options from the Certificate section.

    • Choose Certificate: Select this option if your SSL Certificate is already installed on the NetScaler Gateway.

    • Install Certificate: Select this option to upload the server certificate and private key that has already been generated (valid or self-signed). Certificates can be generated using the SSL feature of the NetScaler Gateway or any other certificate utility, such as OpenSSL or Java KeyTool.

    • Use Test Certificate: Select this option if a self-signed test certificate is required. Provide a name and FQDN for the certificate.

    5. When done, click Continue.

    6. Type/select the details in the LDAP Authentication section.

      This is required when configuring the wizard, but the authentication policy can be disabled later.

    • IP Address: Active Directory domain controller

    • Port: Usually 389 or 636

    • Base DN: Provide the Distinguished Name for the users in AD, such as OU=Users,OU=VDI,DC=domain,DC=com

    • Admin Base DN: Provide the Distinguished Name for a domain administrator, such as CN=Administrator,CN=Users,DC=domain,DC=com

    • Server Logon Name Attribute: This should be samAccountName

    • Password: Provide the domain administrator’s password

    7. Click Continue.

    8. Select XenApp/XenDesktop in the Enterprise Store Settings section:

    • For Deployment Type, choose StoreFront.

    • StoreFront FQDN: Provide the FQDN of the StoreFront server.

    • Receiver for Web Path: Provide the path to the StoreFront Store.

    • Single Sign-on Domain: Provide the Active Directory domain. This will be used for SSO with PNAgent used by the Citrix Receiver.

    • STA URL: Provide the STA URL. It should be in the format of https://VIABGridIP/dt/sta.

    9. Click Done.

      This creates the NetScaler Gateway virtual server using the settings and policies defined in this setup page.

    10. Return to the NetScaler Gateway web console, click Configuration, then click Save to ensure the running configuration is saved to disk in the event the NetScaler requires a restart.

      Important: After completion of this wizard, you must export the test certificate and the root certificate from the NetScaler and install them on the client devices. They are found in the Configuration > SSL > Manage Certificates / Keys / CSRs section.

    Adding Additional Secure Ticket Authorities (STAs) to the NetScaler Gateway

    If additional STAs were added in StoreFront, they must also be added to the NetScaler Gateway. It is important that StoreFront and NetScaler Gateway have matching lists of STAs.

    1. Log in to the NetScaler Gateway.

    2. Click Configuration at the top.

    3. On the left, expand NetScaler Gateway.

    4. Click Virtual Servers.

    5. Click on the Virtual Server and click Open.

    6. Click the Published Applications tab.

    7. Under Secure Ticket Authority, click Add.

    8. Add the URL of a Secure Ticket Authority, then click OK.

    9. Repeat steps 8 and 9 to add additional STAs.

    10. Click OK > Save.
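
The two STA requirements above (FQDN over HTTPS with the /dt/sta path, and matching STA lists on StoreFront and NetScaler Gateway) can be checked before the URLs are typed into either console. The following is an added example, not part of the original article or any Citrix tool; the host names are constructed samples, and comparing hosts case-insensitively is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

STA_PATH = "/dt/sta"  # path the article requires after the FQDN

# Constructed sample lists (not from a real deployment).
SAMPLE_STOREFRONT = ["https://viab-grid.example.com/dt/sta",
                     "https://viab2.example.com/dt/sta"]
SAMPLE_GATEWAY = ["https://VIAB-GRID.example.com/dt/sta",
                  "https://192.0.2.10/dt/sta"]


def check_sta_url(url):
    """Return the list of problems with one STA URL (empty list means OK)."""
    problems = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address, not an FQDN")
    except ValueError:
        if "." not in host:
            problems.append("host is not a fully qualified name")
    if parts.path != STA_PATH:
        problems.append("path is not /dt/sta")
    return problems


def _key(url):
    """Comparison key; treating scheme and host as case-insensitive is an assumption."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path)


def compare_sta_lists(storefront, gateway):
    """Report invalid URLs and entries present on only one side."""
    sf_keys = {_key(u) for u in storefront}
    gw_keys = {_key(u) for u in gateway}
    return {
        "invalid": {u: p for u in storefront + gateway if (p := check_sta_url(u))},
        "missing_on_gateway": [u for u in storefront if _key(u) not in gw_keys],
        "missing_on_storefront": [u for u in gateway if _key(u) not in sf_keys],
    }


if __name__ == "__main__":
    for name, value in compare_sta_lists(SAMPLE_STOREFRONT, SAMPLE_GATEWAY).items():
        print(name, value)
```
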

    VDI-in-a-Box Configuration

    1. Log in to the VDI-in-a-Box web console as an administrator.

    2. Open Admin > Advanced Properties menu.

    3. Scroll down to the Gateways section.

    4. In External HDX gateway addresses, for each NetScaler Gateway virtual server, type the following:

      virtual server IP address,fully qualified domain name:portnumber

      Separate the entries with semicolons.

      For example: 192.0.2.14,www.gw2.com:443;192.0.2.1,www.gw1.com:443

      Note: To enable single sign-on, you must ensure that you enter the virtual server IP address. If you enter only the FQDN and port number, remote access without single-sign on is configured.

    5. Type the NetScaler MIP or SNIP to be used by VDI-in-a-Box in the Internal HDX gateway IP addresses field.

    • If a self-signed or test certificate is used on the NetScaler Gateway, import the certificate into the StoreFront server’s Trusted Root Certification Authorities store.
    • If a self-signed certificate is used for the VDI-in-a-Box Grid, this certificate must also be imported into the StoreFront server’s Trusted Root Certification Authorities store.

    • There must also be DNS entries to map the FQDN of the NetScaler Gateway and VDI-in-a-Box grid to their respective IP addresses.
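
The External HDX gateway addresses format described above silently changes behaviour when the IP field is left out: the entry is still accepted, but single sign-on is not configured. The following added example (not part of the original article or the VDI-in-a-Box product) parses the field value and reports which entries enable single sign-on; the function names are hypothetical and the last three sample entries are constructed.

```python
import ipaddress

# First two entries are the article's example; the rest are constructed.
SAMPLE = ("192.0.2.14,www.gw2.com:443;192.0.2.1,www.gw1.com:443;"
          "gw3.example.com:443;gw4.example.com;gateway,gw5.example.com:443")


def parse_entry(raw):
    """Parse one 'IP,FQDN:port' entry; the IP field is optional."""
    errors = []
    ip_text, comma, host_port = raw.rpartition(",")
    fqdn, colon, port_text = host_port.strip().rpartition(":")
    if not colon:                      # no ':' at all, so no port was given
        fqdn, port_text = port_text, ""
    port = int(port_text) if port_text.isascii() and port_text.isdigit() else None
    if not fqdn:
        errors.append("missing FQDN")
    if port is None or not 0 < port < 65536:
        errors.append("missing or invalid port")
    ip = None
    if comma:
        try:
            ip = str(ipaddress.ip_address(ip_text.strip()))
        except ValueError:
            errors.append("first field is not an IP address")
    return {"ip": ip, "fqdn": fqdn, "port": port, "errors": errors}


def sso_report(value):
    """Map each FQDN to 'sso', 'no-sso' (FQDN:port only) or 'invalid'."""
    report = {}
    for raw in (e.strip() for e in value.split(";")):
        if not raw:
            continue                   # tolerate a trailing semicolon
        entry = parse_entry(raw)
        if entry["errors"]:
            status = "invalid"
        else:
            status = "sso" if entry["ip"] else "no-sso"
        report[entry["fqdn"] or raw] = status
    return report


if __name__ == "__main__":
    for fqdn, status in sso_report(SAMPLE).items():
        print(f"{fqdn}: {status}")
```
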

    Testing

    1. Open an HTML5 compatible browser such as Google Chrome.

    2. Navigate to the FQDN of the NetScaler Gateway.

    3. When presented with the Citrix Receiver installation message, click Log On.

    4. Pass-through authentication automatically logs the user in to StoreFront, and the user is presented with all of their templates.

    5. Click the template to start the desktop.

    6. The desktop starts in the HTML5-enabled browser without the need to install Citrix Receiver.

    Additional Information

    The following browsers are currently HTML5 enabled and supported:

    • Internet Explorer 10 (http connections only)

    • Safari 6 (not including Safari for iOS or Windows)

    • Google Chrome 27 and higher

    • Mozilla Firefox 21 and higher

    Access through Google Chromebooks requires Chrome OS 27 or higher.

    Refer to Citrix Documentation for the latest supported browsers: User device requirements.