Optional Lab - Remote Access With NetScaler VPX
Overview
In this exercise you will deploy a NetScaler virtual appliance and configure NetScaler Gateway to provide remote access capabilities for your XenDesktop Site. Configuring remote access for a Citrix environment requires valid SSL certificates. To support this requirement you will configure the NetScaler VPX to act as a Root Certificate Authority, create and sign a server SSL certificate for the appliance, and configure your client to trust the Root certificate.
Deploying NetScaler Virtual Appliance
Obtain the latest NetScaler Gateway VPX for KVM build from https://www.citrix.com/downloads.
Note
As of writing the current version is 12.0-53.13.
Obtain a 90 day trial license from https://www.citrix.com/lp/try/netscaler-vpx-platinum.html.
Extract the contents of NSVPX*.tgz using a tool such as 7zip, WinRar, or WinZip.
In Prism, click the Settings icon and select Image Configuration.
Click Upload Image and fill out the following fields:
- Name - NetScaler VPX 12
- Annotation - This is an optional field that is helpful for designating additional information about an image, such as version or filename
- Image Type - DISK
- Storage Container - Default
- Image Source - Upload NSVPX-KVM-*.qcow2
Click Save and wait for the image to complete being uploaded.
Click Close.
Using an SSH client, execute the following:
> ssh nutanix@<NUTANIX-CLUSTER-IP>
> acli
<acropolis> vm.create NSVPX num_vcpus=2 num_cores_per_vcpu=1 memory=4G
<acropolis> vm.disk_create NSVPX bus=ide clone_from_image=<NetScaler VPX Disk Image Name>
<acropolis> vm.nic_create NSVPX network=<IPAM Network Name>
<acropolis> vm.serial_port_create NSVPX type=kServer index=0
<acropolis> vm.on NSVPX
In Prism > VM > Table, select the NSVPX VM and click Launch Console.
In the NSVPX VM console, log in with the default credentials (nsroot/nsroot)
Enter the initial configuration wizard:
Enter 1 and specify the NSVPX Management IP address from your Environment Details Worksheet.
Press Return and enter the netmask. Press Return.
Enter 7 and press Return to apply the changes.
Specify Yes to saving the changes and No to rebooting the VM.
Configure the default gateway and restart NSVPX:
> add route 0.0.0.0 0.0.0.0 <IPAM Network Gateway>
> save ns config
> reboot
Open https://<NSVPX-IP> in your browser to access the NetScaler web console. Log in as nsroot.
Click Enable or Skip.
Click Subnet IP Address.
Enter your Subnet IP Address and Netmask according to your Environment Details Worksheet. The Subnet IP is what the NetScaler uses to communicate with other backend services, such as the StoreFront server. In a production environment the Subnet IP would likely be on a separate interface/subnet than the Management IP.
Click Host Name, DNS IP Address, and Time Zone.
Fill out the following fields and click Done:
- Host Name - NSVPX
- DNS IP Address - DC IP address from your Environment Details Worksheet
- Time Zone - Your local timezone
Click Yes to allow the VM to reboot.
Locate your e-mail from Citrix Trials for Your Trial License for NetScaler VPX Platinum Edition. Copy the trial license code to your clipboard.
After the VM reboots you will be returned to the login page. Log in as nsroot.
Click Licenses.
Click Add New License and select Use License Access Code. Paste your trial license code in the License Access Code field and click Get Licenses.
Note
If your environment does not have Internet access, follow the on-screen instructions for manually downloading licenses from http://www.mycitrix.com.
Select the license and enter 1 in the Allocate field. Click Download.
Click Reboot > Yes to complete the license installation.
After the VM reboots you will be returned to the login page. Log in as nsroot.
Configuring Root Certificate Authority
Select Traffic Management > SSL and click Root-CA Certificate Wizard.
Fill out the following fields and click Create:
- Select RSA
- Key Filename - root.key
- Key Size - 2048
- Public Exponent Value - 3
- PEM Encoding Algorithm - DES3
- PEM Passphrase - nutanix/4u
Fill out the following fields and click Create:
- Request File Name - root.csr
- PEM Passphrase - nutanix/4u
- Country - United States
- State - CA
- Organization Name - NutanixWorkshop
- Common Name - NutanixWorkshop-Root-CA
Fill out the following fields and click Create:
- Certificate File Name - root.cer
- PEM Passphrase - nutanix/4u
Enter root as the Certificate Key Pair Name and click Create.
Click Done.
Configuring Server SSL Certificate
Select Traffic Management > SSL and click Server Certificate Wizard.
Fill out the following fields and click Create:
- Select RSA
- Key Filename - mydesktop.key
- Key Size - 2048
- Public Exponent Value - 3
- PEM Encoding Algorithm - DES3
- PEM Passphrase - nutanix/4u
Fill out the following fields and click Create:
- Request File Name - mydesktop.csr
- PEM Passphrase - nutanix/4u
- Country - United States
- State - CA
- Organization Name - NutanixWorkshop
- Common Name - mydesktop.ntnx.local
Fill out the following fields and click Create:
- Certificate File Name - mydesktop.cer
- CA Certificate File Name - root.cer
- CA Key File Name - root.key
- PEM Passphrase - nutanix/4u
- CA Serial File Number - CAserials
Fill out the following fields and click Create:
- Certificate Key Pair Name - mydesktop
- Password - nutanix/4u
Click Done.
Configuring NetScaler for XenDesktop
Select XenApp and XenDesktop from the menu and click Get Started.
Select StoreFront and click Continue.
Fill out the following fields and click Continue:
- Gateway FQDN - mydesktop.ntnx.local
- Gateway IP Address - Refer to your Environment Details Worksheet
- Port - 443
Note that the Gateway FQDN corresponds to the Common Name of our SSL certificate. The Gateway IP Address (also referred to as the Virtual IP Address or VIP) is the IP address used to communicate with external networks. In a production environment the VIP would be on a separate interface/subnet, typically in the DMZ.
Select mydesktop from the Server Certificate drop down menu and click Continue.
Fill out the following fields and click Continue:
- StoreFront URL - http://xd.ntnx.local
- Receiver for Web Path - /Citrix/StoreWeb
.. note:: Clicking Retrieve Stores should populate this value automatically.
- Default Active Directory Domain - NTNX
- Secure Ticket Authority URL (typically your DDC) - http://xd.ntnx.com
Fill out the following fields and click Continue:
- Choose Authentication Type - Domain
- IP Address - DC IP address from your Environment Details Worksheet
- Port - 389
- Base DN - DC=NTNX,DC=local
- Service account - Administrator@ntnx.local
- Password - nutanix/4u
- Server Logon Name Attribute - sAMAccountName
Click Done.
In the NetScaler web console, select NetScaler Gateway > Virtual Servers. Select your vServer and click Edit.
Change Portal Theme to RfWebUI and click OK > Done.
Select XenApp and XenDesktop from the menu and click Download File.
Select Export all the virtual servers and click OK.
In File Explorer, copy GatewayConfig.zip to \<XD-IP-ADDRESS>\c$\.
Importing NetScaler Configuration
In Citrix Studio > Citrix StoreFront, right-click Stores > Manage NetScaler Gateways.
Click Imported from file.
Click Browse and select C:\GatewayConfig.zip. Click Import.
Click Next.
Click Next.
Click Import.
Click Finish > Close > Close.
Note our Store now allows access from both Internal and External networks.
Configuring MyDesktop DNS Record
In order for our SSL certificate for the mydesktop.ntnx.local vServer to be recognized, we’ll have to access StoreFront via the FQDN. You have the option of following the directions below to create a DNS record on your domain controller and ensure the computer you’re accessing StoreFront from is using your DC’s DNS or you can modify your hosts file to add a static entry as shown below. The second method avoids having to reconfigure your DNS settings on the computer you’re using to access StoreFront.
Note
In Windows the hosts file is located in C:WindowsSystem32driversetc, in macOS the hosts file is located in /etc/
In the DC VM console, open Control Panel > Administrative Tools > DNS.
In DNS Manager, open DC > Forward Lookup Zones. Right-click NTNX.local > New Host (A or AAAA)…
Fill out the following fields and click Add Host:
- Name - mydesktop
- IP address - NetScaler Gateway VIP address from your Environment Details Worksheet
Ensure the client used to run Citrix Receiver is using the DC VM for its primary DNS server.
Installing Root Certificate on your Client
In the NetScaler web console, select Configuration > Traffic Management > SSL and click Manage Certificates / Keys / CSRs.
Select root.cer and click Download.
On the client used to run Citrix Receiver, open the downloaded root.cer file and click Install Certificate.
Select Local Machine and click Next.
Note
This may require elevated credentials from a Nutanix resource if performing this workshop within the Nutanix Hosted POC environment.
Select Place all certificates in the following store and click Browse. Select Trusted Root Certification Authorities and click OK. Click Next.
Click Finish > OK > OK.
Connecting to the Desktop
Open https://mydesktop.ntnx.local in your browser. Log in as USER2.
Launch a desktop or application and confirm it logs in successfully.
Enabling HTML5 Access
In Citrix Studio > Citrix StoreFront > Stores, right-click your Store Service and select Manage Receiver for Web Sites > Configure.
Explore this wizard and note this is where basic changes can be made to StoreFront look and feel, timeouts, featured applications, etc.
Select Deploy Citrix Receiver and select Use Receiver for HTML5 if local Receiver is unavailable from the Deployment option drop down menu. Click OK > Close.
Log into StoreFront (via https://mydesktop.ntnx.local) as USER2. Select Change Citrix Receiver from the USER2 drop down menu.
Click Use light version.
Launch a Pooled Windows 10 Desktop and verify that it opens in a new tab in your browser.
Takeaways
- Support for Citrix products on AHV extends beyond core XenDesktop services. In addition to NetScaler, Citrix ShareFile, Director and Provisioning Services (PVS) are also supported on AHV.
