Access Gateway 5.0 – a deeper look – Part 2

November 19, 2011 Leave a comment

 

Meanwhile Citrix released Access Gateway 5.0.3 you can find the download here. A mycitrix account is necessary.

So, in “Access Gateway 5.0 – a deeper look – Part 1” I gave you an overview and demonstrated how to install and configure the appliance, now let’s take a look at the basic configuration. This is a sample configuration, of course there are other ways, especially regarding the network configuration.

This is only about the basic logonpoint to grant access to your XenApp/XenDesktop farm via ICA/HDX. Smart access is coming next in part 3.

The first thing you have to think about is: How do I reach my Access Gateway via browser after setting an IP address in the DMZ. The CAG has two interfaces, you can use one or both. I always prefer both NIC’s, it’s more secure. The first NIC is for external communication only on port 443. The second NIC is used for management and internal communication (also VPN traffic). This doesn’t mean that this interface is connected to your LAN, don’t do that, because you will bypass the firewall. In our environments we often have a “private DMZ” , it’s a transfer net for traffic that has to be passed from the DMZ in the LAN. So the first NIC has a public internet IP address or you use NAT on your firewall and the second interface is in a private DMZ and communicates with the LAN. Of course both interfaces can also be in the same DMZ.
You can only define one standard gateway, this is used for the external interface, you have to define one or more static routes for your internal interface if you operate in two networks.

First you have to change the management NIC of the CAG in the console:

image

After changing the management interface to eth1 you can connect to this IP address with a client in the same subnet. You can’t connect with a client on the secure LAN because you have to static route configured yet and the default gateway is configured for the external interface! I use a Windows 2003 or XP VM on the same Hypervisor and connect an additional NIC to the DMZ network. This VM gets a static temporary IP address, just for the initial setup of the appliance.

Your CAG should look similar to this on your XenServer or ESX host. Alternatively you have both NIC’s connected in the same DMZ network.

image

After you configured a Windows VM you can use for administration, use your browser on this server and navigate to https://172.26.3.12/lp/adminlogonpoint (use your IP instead, of course). Remember you need flash installed! Login with admin, admin and go to Networking.

 image

Make sure you set the proper hostname, this is the fully qualified domain name, that your users enter in the browser to access the logon page, also keep in mind that the certificate for your Access Gateway must match with this hostname. The first NIC should be external and the second NIC is for internal traffic and management. The default gateway is used for the external NIC eth0.

Here is my network setup:

Internal IP address (management): 172.26.3.12/24
External IP address: 172.26.11.12/24
Default Gateway: 172.26.11.1
   
Static routes: 10.0.0.0/8 via 172.26.3.1
  172.16.0.0/12 via 172.26.3.1
  192.168.0.0/16 via 172.26.3.1
   
DNS: 172.27.10.1
  172.27.10.2
 

 
  Next we configure one or more static routes for the internal communication. Navigate to “Static Routes” and show the CAG the way to you secure LAN’s.

image

 

The deployment mode is “Appliance only”, we don’t use an Access Controller

Make sure the date and time settings are correct, use a NTP server if possible (Port 123).

For the Access Gateway you need at least a platform license, you can use the appliance as the license server or your Windows server with Citrix License Server 11.9. If you want to use the windows server you have to open port 27000 and 7279 (Vendor Daemon Port) on your firewall. If you want to use SSL VPN (Smart Access LP) you also need an Access Gateway Universal License.

image

Next we need authentication profiles. Let’s start with a profile for MS Active Directory (LDAP).
Type your profile name, NETBIOS domain name for single sign on and select Active Directory. I recommend to secure the connection to your domain controllers (port 639) and open it on the firewall. The DC needs a certificate. Add at least one domain controller with fully qualified domain name (must match the certificate). The administrator DN must be user@domain.com. For Base DN (location of users) you can take your entire domain (DC=domain,DC=com) or define a specific organization unit. Leave the rest as default.

image

Network resources, device profiles and smart groups are not necessary for a basic logonpoint.

Always make sure you configure an ICA access control list. You have to define all XenApp /XenDesktop servers the Access Gateway has to access. Define a list for ICA (port 1494) and or CGP (port 2598). Make sure to open these ports on your firewall.

Also define one or two Secure Ticket Authorities and use secure connections if possible. Open port 443 (80) on your firewall.

The last step is the configuration of the basic logonpoint. Select new, define the name and use basic as type. Type the URL of your web interface site that is configured for Gateway Direct connections. The primary authentication profile is LDAP. Select single sign on to web interface.

image

On your web interface server, make sure you create a web interface site and select Access Gateway for authentication. Type the authentication service URL of the Access Gateway (https://cag.domain.com/CitrixAuthService/AuthService.asmx). The web interface server must have access to port 443 of the CAG and must be able to resolve the FQDN (entry in the hosts file, use the internal CAG IP). Open port 443 from LAN to DMZ.

image 

Specify Gateway direct as access method and configure the CAG and STA.

image

The network configuration is finished, we only need a server certificate for the Access Gateway. Simply change to “Certificates” and make a signing request. Make sure the certificate matches the FQDN of the CAG. Install the issued certificate and make it active.

That’s it, you should be able to connect to your CAG now!

I’m back after a long brake

April 4, 2011 1 comment

Hi everyone out there… it has been a long while since my last post. Many things have changed in my life now, because I’m father of a little cute boy. So my family had priority, but things have become regular and I have time and plans for upcoming posts. In the next weeks you will read about:

  • Access Gateway 5.0.1 – a deeper look – Part 2
  • Secure LDAP access to a Windows Domain Controller (for CAG or Netscaler configurations) – thanks to my colleague Jimmy (Hartwig Christ)
  • XenApp 5 and Provisioning Services – important things to consider
    There are still some other topics, but first I have to find time to write…
    So stay tuned and look forward to some interesting blogging!
      cheers
      Dennis
    Categories: Uncategorized

    XenServer 5.6 Feature Pack 1 Beta – storage consumption problem solved

    October 27, 2010 2 comments

    You remember my posts about XenServer storage consumption? The problem is, that after deleting a snapshot the space on the storage is still in use, this is really annoying and you have to reclaim the space manually by typing a command in the XenServer console or use my Powershell script.

    Now the game has changed, XenServer 5.6 FP1 Beta is finally able to reclaim the space after deleting a snaphot! Feel free to test the FP 1 Beta and try it yourself! I’m glad Citrix has finally solved this problem, many XenServer customers had massive problems with this “issue”, let’s hope the final Feature Pack becomes available soon.

    Categories: Virtualization, XenServer

    Citrix Access Gateway 5.0 and Access Controller available for download

    October 27, 2010 1 comment

    Today Citrix released CAG 5.0 and the new Access Controller Software (formerly known as Advanced Access Control). You can download the VPX for XenServer/VMWare, the Access Controller for Windows 2008/2008 R2 and an ISO image/upgrade image for the model 2010 hardware appliance here (MyCitrix account required).

    In my post “Access Gateway 5.0 a deeper look Part 1” I already informed you about the new features and the basic configuration of the CAG, part 2 is coming soon, it’s about configuring the CAG for remote access. Part 3 will concentrate on the Access Controller, so stay tuned…

    Access Gateway 5.0 – a deeper look – Part 1

    October 25, 2010 1 comment

    In my post Access Gateway 5.0 on the way I gave you a quick overview of the new CAG 5.0. This new release will be available soon at the end of October.

    So now is the time to look more closely… First here are the new features of Access Gateway 5.0:

    Read more…

    Citrix Provisioning Services 5.6 Service Pack 1

    October 25, 2010 Leave a comment

    Citrix released PVS 5.6 SP1, all the known hotfixes for PVS 5.6 are now part of the Service Pack.

    Changes

    New in this release:
    – Both KMS and MAK models for Operating Systems are supported, as well as Office 2010 KMS licensing.

    Deprecated in this Release
    – MarkDown command for Server parameter as well as the “Mark Server Down…” selection in the Provisioning Services Console.
    – Support for Windows 2000 Domain

    Removed in this Release
    – XenConvert is no longer shipping as part of the PVS Target Device installer. It is available as a separate download.

    Update

    As always you have to uninstall any previous Provisioning Services software from a Provisioning Server in the farm, then reboot and install the new release.

    Download

    You can download the PVS 5.6 SP1 release here in your MyCitrix portal, you also find the Installation Guide and Release Notes there.

    Categories: Provisioning Server, VDI

    Install a customized Adobe Reader 9.4

    October 13, 2010 2 comments

    Here is a little “How To” about installing Adobe Reader 9.4 in a Terminal Server/Remote Desktop environment. You can also use this procedure to install the Reader on Desktops.

    1. Download and install the Adobe Customization Wizard 9 on your client or server
    2. Download Adobe Reader 9.4 in German or English
    3. Run the following command to extract the exe file: “AdbeRdr940_en_US.exe -nos_o”Reader9″ -nos_ne”, you find the files in the folder “Reader9”
    4. Start the Adobe Customization Wizard and open the file “AcroRead.msi” from the “Rader9” folder
    5. Now you can make your customizations, I prefer the following:
      Read more…
    Follow

    Get every new post delivered to your Inbox.

    %d bloggers like this: