How to do it… In this section, we will deploy and configure the Citrix Merchandising Server virtual appliance: The application firewall might experience a transient low-memory condition during a traffic surge if advanced security check protections such as Form Field consistency, CSRF, form tagging, and so on, which require rewriting the HTML forms in the response, are enabled for the profiles. You can use the new Traffic Domain (TD) parameter to specify or identify a traffic domain in commands and GUI elements related to these features. In rare scenarios, a NetScaler appliance becomes unresponsive when both nodes of a high availability (HA) setup claim to be the primary node. In this section, we are going to perform the operations required for the Citrix license server installation and configuration, based on the Windows Server operating system platform:
If you want, you can launch System Configuration Checker from the Planning section to perform a pre-installation test and verify that all the requirements are met. Click on the Installation tab, which you can see in the left-hand side menu, and select New SQL Server stand-alone installation or add features to an existing installation. In this book, we won't execute all the steps required to complete the database installation: On the database server, create a database on the desired instance (preferably having a dedicated instance for Citrix, as seen previously) with the following parameters: Configure the authentication method as Windows authentication only.
Configure the Permissions settings, as shown in the following table: This permission will be granted to the operating system user who will perform configuration activities through XenDesktop. Using a separate instance is not mandatory, but it is better: more isolation, more security.
We've configured the most common format for the collation sequences (the same used by Citrix) and also restricted the way to log on to the database to Windows authentication, because XenDesktop does not support SQL or Mixed mode. For the collation, you are free to use the indicated version.
You must be careful when increasing the size of database logging. Despite the normal data component (you should expect a database size of MB with some thousands of clients), logs could unexpectedly increase in 24 hours in the case of thousands of desktops.
Based on the following table for MCS architectures, we'll be able to calculate the database log and data files occupation: In case it is necessary to redeploy one or more Desktop Delivery Controller servers configured in your VDI infrastructure, the first step is to clean the Citrix XenDesktop-configured database.
To perform this task, you have to set all the Citrix components' database connection to null by using the custom Citrix PowerShell and running the following commands: The advantage of this agent is that it allows the customers to naturally convert their existing licenses to the XenDesktop 7 platforms without any additional effort in terms of money and work.
In this recipe, we will discuss how to allocate licenses in this latest License Server version. Citrix permits the users to buy XenDesktop in different versions, as given in the following list: In this book, when we refer to XenDesktop 7, it will be the Platinum Edition. It has the ability to show and implement the full functionality of the platform. Getting ready The associated version of the license server for XenDesktop 7 is Version System requirements for the latest version of the License Server are as follows: In this section, we are going to perform the operations required for the Citrix license server installation and configuration, based on the Windows Server operating system platform: Accept the Citrix License Agreement and click on the Next button.
Select a destination folder's path for the program as default; we selected: Then, click on the Install button. Click on the Finish button when the license server is successfully installed.
Then, click on the OK button. You can decide to leave default ports for these three options, or change them. In any case, the ports you decide to use must be opened on the Windows Server's personal firewall. To generate the license file that will be imported to our license server, run a Web browser installed on your client machine, connect to www. Go to Activate and Allocate Licenses. Click on Allocate licenses. Generate the license file by clicking on the Allocate button.
Now, you'll be able to save the file. When prompted for the location, select the path on which the license manager will read the file with the. The XenDesktop license server is case sensitive. Be careful when you insert the server FQDN. You must respect all uppercase and lowercase characters. You'll see the summary dashboard. Click on the Administration button and insert the administrative credentials for your machine (domain or local admin account). After a quick look at the Summary tab, click on the User Configuration button in the left-hand side menu.
Add a new user account to differentiate from the standard administrative machine credentials. After these operations, click on Save. Now it's time to configure the alerts.
Depending on our needs, we can set up the critical and important alerts. It's preferable to leave them as default settings, and click on Save to archive the options. You should take care of the following licensing alerts: Out of activatable licenses, Out of concurrent license, and Concurrent license expired.
In the Server Configuration menu, configure the port for the web server (default is ) and the session timeout period (default is 30 minutes, but you should try to reduce this value so that you can avoid inactive sessions that are locking unused resources). For security reasons, it's a good practice to enable the SSL port and possibly use your own certificate for strong authentication, as shown in the next screenshot. The available port range on which to configure the License Server is from to ; the default port is The most important part is at the end—Vendor Daemon Configuration.
After the license file has been generated, click on Import License, browse for the file location, and upload it by clicking on the Import License button. If everything is OK, you'll receive a confirmation message about the success of the loading operation.
Click on Vendor Daemon (in our case, the default daemon is called Citrix) and click on Reread license file to make sure that everything's correct. Never manually edit the license file! If the vendor daemon configuration returns an error, you probably have to reallocate licenses and regenerate files, but don't correct it with any text editor. When you generate a. This means that if you need to reinstall the server or change its name, you must reallocate the license currently assigned and reassign it to the new server, always referring to its FQDN.
The license file must be regenerated and reimported, as seen previously. If using XenDesktop for test purposes, or in the case of a License Server's fault, Citrix gives you a grace period of 30 days.
It's also possible to install the License Server from the command line by using the Windows command msiexec with the following parameters: This is the installation option.
This is for a silent installation.
This is used to specify the path of the installation folder; if not specified, the default one for a bit system is C: The License Server will listen on this port for connections (default is ). This is the administrative password for the user admin on the licensing console. In the presence of an Active Directory, you have to use the administrative domain credentials. This is the port of the vendor daemon component (default is ). This is the administrative license console port (default is ). Getting ready In order to install all the necessary components, you need to have domain administrative credentials on the server machine(s) on which you are going to implement your infrastructure.
The following are the steps by which we will perform the installation of the core components of the XenDesktop platform, including the Desktop Delivery Controller: Then, launch the XenDesktop installation by clicking on the Start button in the welcome screen, as shown in the following screenshot: In the installation menu screen, click on the Get Started section button to proceed with the setup procedure. After the setup initialization, accept the licensing agreement, then click on the Next button.
At this point, select the components that we need to install: Delivery Controller, Studio, and Director. It's also possible to change the installation folder by clicking on the Change button at the top-right of the screen.
If the path is correct, click on the Next button to proceed with the installation. Don't check both the License Server and StoreFront options.
The first has already been installed on a separate server, and the second will be explained and configured in the next recipe. Click on Next to proceed. After this, click on Next to continue. You'll be presented with the Summary window. If you agree with the summary details, click on the Install button to proceed.
At the end of installation, leave the Launch Studio checkbox checked in order to verify the correct execution of the installed platform: XenDesktop 7 can be considered the most complete and advanced version of this software.
In fact, it combines the consolidated XenDesktop 5. Users access their resources by using the Citrix Receiver that is installed on the device from which they have established the connection.
The Receiver points to the configured store within the StoreFront platform, which can be considered a stronger evolution of the Citrix Web Interface—an infrastructural component that has been deprecated in this release. The delivery of all the resources is managed by the Delivery Controller component, also known as Broker, which regulates the association between the users and their resources. Once this task has been accomplished, the broker stops its intermediary channel activities, and a direct communication is established between the user's physical workstation and the requested desktop or application.
With the release of the Citrix XenDesktop 7 platform, the software activation procedure interacts with KMS, thanks to the ability to use a Microsoft KMS Server to release licenses for the operating systems and the Microsoft Office suites installed on the virtual desktops. This permits a better management of the licensing, especially for those environments that are configured in a nonpersistent way, that is, any deployed desktop asks for a license activation code in a unique way, allowing the Microsoft KMS Server to identify any instance as a separate object.
This historical component has been now substituted by the StoreFront platform, which with the 2. In this recipe we will discuss how to install and configure it, to allow the users to be able to access their published resources.
The following ports need to be opened on the firewalls within your network: Be sure that you are installing the software on a domain-joined machine within the same forest as the XenDesktop components that were installed earlier, and check that the Windows Firewall is up and running. Otherwise, StoreFront won't function. The Windows Firewall requirement is a StoreFront 2.
This has been fixed in the StoreFront Version 2. The steps required to install and configure the StoreFront 2. After downloading the software from your personal Citrix account, run the CitrixStoreFront-x In the case of a Windows R2 environment, you will be prompted to install the.
NET 3. After all the required components have been installed, click on the Install button on the Ready to Install screen to proceed. After the installation is completed, click on Finish to automatically start the StoreFront administration console. After the console has been opened, click on the Create a new deployment button in the StoreFront main menu.
Then, click on Next and wait until the end of the deployment. In the Store Name field inside the Store Name category, enter a name for the store you are going to create. Then, click on Next. In the Add Delivery Controller menu, perform the following configuration steps: Then click on Next to continue with the procedure.
In this case, you can select the None option. We will configure the secure gateway later in this book. To complete the configuration process, click on the Create button. At the end of the store creation, click on Finish. To check the configuration of your StoreFront platform, type the configured address in a compatible browser, in the form of https: Before using the web platform, you have to install the Citrix Receiver on the machine from which you want to use the web store.
In the left-hand side menu, click on the Server Group link. In this section, you will have the option to add a server to the configured StoreFront infrastructure (Add server link on the right-hand side menu).
Click on the Authentication link in the left-hand side menu, and configure the following options: Select the authentication methods you want to configure for the login on your infrastructure. To satisfy the general security practices, you can regenerate the security keys before their expiration date by clicking on the Generate Keys button. With this option, it is possible to restrict the domains from which users can perform the login phase.
Click on the OK button to complete the configuration. This section permits users to change their password based on the configured option. Click on the Stores link in the left-hand side menu, and configure the following options: This option permits you to create a new store in the StoreFront infrastructure.
This section permits you to export all the configured stores to the store configuration file to be used by end user devices on which you have installed the Citrix Receiver.
The file will be saved with the. This option is used to configure the external remote access by using a NetScaler Gateway appliance. Using this option, you can decide the way you want to manage the Citrix Receiver updates, that is, by using the Citrix Citrix. This option permits you to include the three main Citrix online applications in your configured store. This option is similar to the multistore export we saw earlier, with the difference that this is related only to the current used store.
This option activates backward-compatible access for old Citrix clients. As previously seen, this option permits the regeneration of security access keys before their natural expiration date.
With this option, customers have the ability to remove configured stores. Click on the Receiver for Web link in the left-hand side menu, and configure the following options: In this section, it's possible to add one or more websites to the StoreFront configured platform. This interesting option permits you to add a StoreFront shortcut to specified websites to provide a quicker access to your published resources.
By clicking on this link, you can change the store to which the configured Web Receiver is assigned. In this section, you can choose how to deploy the Citrix Receiver to end users. This option must be used only if you want to remove a configured Receiver Website. It's in the form of a catalog, which is able to deploy resources like desktops and applications from heterogeneous Citrix software (XenDesktop, XenApp, XenMobile, and so on).
StoreFront offers the same login methodologies used by the web interface. Customers can access their contents by using simple authentication, smart card, or smart card pass through. In addition, it's also possible to access the Citrix farm with the pass through from the NetScaler Gateway.
The great step forward in this platform is its new features, which are given as follows: Now, it can use its local repository for user subscriptions. When using the Citrix Receiver to access your StoreFront server, you can use a configured e-mail address to directly access your store. This is the e-mail-based account discovery feature. Also, in Multi-Store mode, this means that it's possible to export and configure on a client device all the available stores configured in the infrastructure.
StoreFront is a more flexible platform than its predecessor. Also, in case of the StoreFront installation, users can perform this task using the command line.
You have to execute, from a command prompt shell, the same executable file used for the graphical installation (CitrixStoreFront-x ). This is followed by one or more of these options: This option executes all the required steps silently. This option specifies the destination folder in which StoreFront 2. This option will make the Citrix Receiver installation files for Windows available on the StoreFront server.
This option will make the Citrix Receiver installation files for Mac available on the StoreFront server. In this recipe, we will explain step-by-step how to install and configure the Provisioning Services 7 platform. Citrix Provisioning Services 7. Getting ready The Provisioning Services 7 platform can be implemented on the following platforms: Operating Systems: In this recipe, we are going to execute all the steps required to install and configure the Citrix Provisioning Services platform.
It's necessary to install. Run Autorun. From the Provisioning Services installation screen, select Server installation, and then click on Install Server.
In the missing prerequisites screen, click on Install to add all the pending components to the system. In the welcome screen, click on Next to proceed. Accept the Citrix License Agreement, and click on the Next button. Insert valid User Name and Organization values, choose whether you want to install the application for Anyone who uses this computer (all users) or Only for me (Windows User), and then click on Next.
In the Destination Folder screen, accept the proposed installation path default path is C: After completion, click on the Next button to proceed. In the Ready to Install the program screen, click on the Install button to start the installation process.
After completion, click on the Finish button, and then proceed with the configuration operations. In the welcome screen, click on the Next button to proceed. You should always separate components for better performance and roles isolation.
In the Farm Configuration section, select the Create farm radio button, and then click on the Next button. To better convey the differences between the MCS and PVS architectures, we'll always use two different farms to accomplish tasks for both architectures.
In the Database Server section, populate all the required fields to give the PVS server the ability to connect to the database server. After completion, click on Next. Separating roles ensures isolation, better load balancing, and better security.
In the New Farm screen, populate all the required fields, then choose the configured Active Directory groups for security radio button. After completion, click on the Next button.
In the New Store screen, assign a name to the store, select a Default path, and click on the Next button to continue with the installation process. Then, click on Next to proceed. To validate your License Server against the PVS 7 platform, flag the Validate license server version and communication option. In the User account screen, specify a valid account for the Stream and Soap Services. You can choose between the Network service account or Specified user account.
After configuration, click on the Next button. In the Active Directory Computer Account Password screen, you can automate the computer account password updates by enabling this option and configuring the interval in days after which the passwords will be updated. The Network Communications screen allows users to configure the network components in the PVS console component in terms of streaming NICs and communication ports. Click on Next to continue after completion.
Click on the Next button to continue. In the Stream Servers Boot List, users can configure up to four boot servers, specifying their network configurations. By clicking on the Advanced After completion, click on the OK button; and then, click on Next to continue. Consider this a PVS debug mode. At the end of this procedure, flag the Automatically Start Services option and click on the Finish button. Then, click on Done after all the configurations have been completed.
Remember that an active Windows Firewall might be a problem for your installation process. You have to open the required ports, or turn it off.
On the Installation media menu, select the Console Installation link. Click on the Next button on the welcome screen to proceed with the console installation. In the Customer Information section, populate the User Name and Organization fields with valid data, specifying whether the installation is for all of the machine's users (Anyone who uses this computer) or only for the current user (Only for me).
After this choice, click on the Next button. Select a valid path in the Destination Folder screen, and click on Next to continue the installation. To change the default path C: In the Setup Type screen, select the Custom option and click on the Next button. In the Custom Setup screen, select all the proposed components, maintain the previously chosen path, and click on Next. In the Ready to Install the Program screen, click on Install to complete the setup procedure. At the end of this setup, click on the Finish button.
The Provisioning Services Console will be executed. Right-click on this link in the left-hand side menu and select the Connect to Farm option. In the Connect to Farm screen, populate all the fields with the correct values and specify a valid domain username.
After this, click on the Connect button. After verifying the connection parameters, you will be able to use the PVS 7 platform. PVS is one of the two deployable architecture types for desktop and application deployments. Provisioning Services 7 is the latest release of the software used to implement this kind of architecture. The structure is quite simple.
A server component, which is managed by a PVS console, delivers operating system images to the end users. This process permits very high network performance, dramatically reducing the impact on storage activities. In fact, even if it starts with only 20 MB of data, its size grows by 10 MB. This means that in the case of hundreds or thousands of objects, the database size could become higher than your expectations.
Provisioning Services uses Kerberos authentication to allow its components to communicate with each other, register the components with Active Directory through the Service Principal Name (SPN), and permit the Domain Controller to identify the accounts that manage the running services. In the case of registration problems, your PVS service could fail.
To avoid this situation, you have to use the setspn command in order to give the right permissions to the account that manages the services described earlier (such as the PVS Soap Service) by applying the following syntax: After this, the second, and maybe the most important, step is deploying virtual desktop instances. To accomplish this task, you need to interface Citrix servers with a hypervisor, a bare-metal operating system, which is able to create, configure, and manage virtual machines.
XenDesktop is able to communicate with three important hypervisor systems on the market: The After you've created a template of a virtual machine with a Microsoft desktop or server operating system on board, XenDesktop is able to deploy OS instances to the end users starting from the virtual machine image through the use of different deployment techniques.
At the end of a desktop session, the Delivery Controller will send a request to the hypervisor to restart or shut down the virtual desktop instance. In this chapter, we're going to implement the communication between hypervisors and Citrix servers. Getting ready In order to complete all the required steps for this recipe and perform a standard Site Deploy, you need to be assigned the administrator role for all the machines involved in the Site configuration (Delivery Controller and the database server).
In the following steps, we will describe how to create a site for a XenDesktop 7 infrastructure: Create a Site option to start the XenDesktop Site creation. In the Introduction section, click on the second radio button option to create an empty site; assign a name to it by populating the Name your Site field, and click on Next to continue. Then assign a name to the site database, and click on the Test connection button to check that you are able to contact the database machine.
When prompted for the automatic database creation, click on the OK button to let Studio create the database. As an alternative, if you want, you can create the Citrix database manually by clicking on the Generate database script button; you'll get back a set of instructions in the form of two. After the database configuration, in the Licensing section enter your license server name and the port number, in the form of hostname: If you already have a configured license file, click on the Use an existing license radio button; otherwise, you will have to click on the Use the free day trial option, inserting a correct license file later.
At the end of these configurations, click on Next. You can verify the validity of your License Server certificate by clicking on the View Certificate link—Connected to trusted server area. In the Summary screen, after you have verified all the configured options, click on the Finish button to complete the procedure.
After the configuration has been completed, in the Citrix Studio main menu, you will find information about the created Site. If you want, you can check your current implementation by clicking on the Test Site button. Configuring a site lets you assemble together all the components previously configured; the main operations to complete during the generic Site configuration procedure are: This task can be accomplished in two ways: If you want, at the end of the procedure, you can check the validity of your configuration by using the Test Site button in the Studio Host main menu section.
In case you decide to use a database port other than the default SQL Server port value , you will have to insert the connection string in the following form: The XenServer 6.
Getting ready The preliminary work required to perform all the operations of this recipe is to install one or more XenServer hosts. XenServer is a bare-metal hypervisor, a kind of virtualizer which directly manages the hardware; for this reason, you have to install it as a normal operating system (you need no other operating system installed on the server).
Please refer to the following Citrix document to install the XenServer hypervisor: In this section, we will perform the operations required to configure XenDesktop to use the Citrix XenServer hypervisor: On the left-hand side menu, expand the Configuration section, and select the Hosting link. Then click on the Add Connection and Resources link on the right-hand side menu. In the Create Virtual machine using: In the Host section on the Resources screen, choose a configured network depending on your XenServer host configuration, you could have one or more available networks on which you are assigning the generated virtual desktop instances, and then click on the Next button.
In the Storage section, flag the available storage on which to create virtual machines, and select the desired radio button for the personal vDisk location (Use same storage for virtual machines and personal vDisk).
To continue, click on the Next button. Separating the storage for the Personal vDisk will improve overall performance and make the backup procedure for the user data disk easier. Separating these areas could make it easier to locate user disk zones, especially for backup operations or troubleshooting activities.
In the Summary screen, after you've verified all the information, assign a name to the XenServer connection in the space provided for the Resource Name field, and click on Finish to complete the procedure. In the main menu of the Hosting section, we can now find the configured connection to the XenServer host. If necessary, there is the possibility of changing the connection parameters by selecting the Edit Connection link on the right-hand side menu.
In the Connection Properties section, we can modify the credentials to access the XenServer host Host address, username, and password fields by clicking on the Edit settings Upon selecting the Advanced section, administrators get the capability to configure the following options: Maximum active actions, Maximum new actions per minute, Maximum power actions as percentage of desktops, and Maximum Personal vDisk power action as percentage.
On finishing, click on OK to complete the configuration. To perform any modification activity on the host and the connection, you must put them in Maintenance mode. XenServer is the hypervisor included in the Citrix Virtualization platform; starting from this discussed version 6.
The way in which XenDesktop interfaces with XenServer is simpler than that of the other hypervisors: One of the advantages of using this hypervisor is the capability to use the XenServer information caching feature also known as IntelliCache. The IntelliCache technique drastically reduces the read and write activities of your storage.
The XenServer IntelliCache feature has to be enabled during the installation procedure of this hypervisor. In the presence of tens of hundreds of virtual machines, the XenServer hypervisor could have performance issues in terms of lack of physical resources for Dom0, the most privileged domain in a XenServer installation, which is the only domain that is able to directly interface with the hardware or start non-privileged domains, for instance.
To solve this problem, it may be necessary to assign more physical resources to Dom0. The default memory value assigned to Dom0 is megabytes. To apply the memory changes, you have to restart the XenServer node. After the reboot operations, run the following commands from the XenServer CLI in order to let XenServer understand how to use all the newly assigned memory: VMware is currently the virtualization solution that best permits you to manage resource overcommitment and assignment for your virtual environments.
Perform the following procedure to enable communication between the XenDesktop Controller and the VMware vSphere infrastructure: launch your web browser and enter the hostname of the vCenter (Virtual Center) server in the address bar, using an https URL.
When the browser warns about a security risk, accept and continue to the site; the vCenter certificate is not yet trusted by the XenDesktop server. In the certificate status bar, click on the status error and select the View certificates link. When the certificate is displayed, click on the Install Certificate... button to proceed. Before you do, confirm the certificate's fingerprint with the vCenter administrator: whatever you install here is trusted from then on, so this is the moment to catch a man-in-the-middle. Also make sure that the hostname in the certificate matches the name assigned to the vCenter server; if they do not match, XenDesktop will not be able to connect to VMware.
To avoid this, you can add an entry to the local hosts file of the XenDesktop server that maps the IP address to the hostname in the certificate. In the Certificate Store section, select the Place all certificates in the following store option, and then click on the Browse button to specify the store in which to install the certificate.
Select the Show physical stores checkbox, and then select the Registry subsection under Trusted People. Click on OK, then on Next to continue, and on Finish to complete the import. To verify that the import succeeded, reconnect to the vCenter address over https: If you no longer receive the prompts about an insecure connection seen previously, the import has completed successfully.
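The import procedure above only helps if the name in the vCenter certificate matches the name the XenDesktop Controller uses to reach vCenter. The following is an added example, not code from the book or from Citrix: it applies the RFC 6125 matching rules a TLS client uses (iPAddress SANs for IP literals, dNSName SANs otherwise, the CN consulted only when no dNSName SAN exists, case-insensitive comparison, one wildcard allowed only as the whole leftmost label). The certificate is a constructed dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the names in it are assumptions and nothing is fetched from the network.

```python
"""Check whether a server certificate's names cover the hostname you connect with."""
import ipaddress

# Constructed sample in getpeercert() layout; not a real vCenter certificate.
VCENTER_CERT = {
    "subject": ((("commonName", "vcenter01.example.local"),),),
    "subjectAltName": (
        ("DNS", "vcenter01.example.local"),
        ("DNS", "*.mgmt.example.local"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, the label counts must
    # agree, and patterns such as "*.local" (fewer than three labels) are refused.
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_names(cert: dict) -> dict:
    """Extract dNSName SANs, iPAddress SANs and CNs from a getpeercert() dict."""
    names = {"dns": [], "ip": [], "cn": []}
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names["dns"].append(value)
        elif kind == "IP Address":
            names["ip"].append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names["cn"].append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate's names."""
    names = cert_names(cert)
    try:
        addr = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal matches only an iPAddress SAN, never a DNS name or a CN.
        return any(ipaddress.ip_address(ip) == addr for ip in names["ip"])
    candidates = names["dns"] if names["dns"] else names["cn"]
    return any(_dns_match(p, hostname) for p in candidates)


def explain_mismatch(cert: dict, hostname: str) -> str:
    """Human-readable verdict for troubleshooting the connection error."""
    if hostname_matches(cert, hostname):
        return f"OK: '{hostname}' matches the certificate"
    names = cert_names(cert)
    valid = names["dns"] + names["ip"] + (names["cn"] if not names["dns"] else [])
    return (f"MISMATCH: '{hostname}' is not among {valid}; connect using one of "
            f"these names (for example via a hosts entry) rather than disabling checks")


if __name__ == "__main__":
    for host in ("vcenter01.example.local", "vcenter01", "192.0.2.10",
                 "esx07.mgmt.example.local"):
        print(explain_mismatch(VCENTER_CERT, host))
```

The short name `vcenter01` fails even though the FQDN is in the certificate, which is exactly the mismatch the text warns about; the remedy is to connect using a name the certificate carries, not to relax validation.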
Connect to the Citrix Studio console, expand the Configuration section in the left-hand menu, select the Hosting link, and click on the Add Connection and Resources link in the right-hand menu.
The username and password specified for the connection must be valid domain credentials with the required privileges in vCenter. Rather than granting a full administrator role, create a dedicated vCenter role with only the permissions XenDesktop needs; refer to the following Citrix document to configure the right user permissions: On the Cluster screen, click on the Browse button to select the vSphere cluster on which to deploy virtual machines.
After this operation, select the network on which you are deploying the virtual machine instances from the presented list. Reboot the NetScaler appliance to bring it back to a consistent state. For customers upgrading their Mac clients from a version older than 2. Workaround: quit the Mac client and start it again; DeviceCert then works as expected. Currently, users can bind VPN virtual servers to only one node group.
Binding a VPN virtual server across multiple node groups is not supported. The strict node group is not backed up, and the virtual server binds to only one node.
Users can log on from a web browser and then select Network Access, which starts the upgrade to the latest version of the NetScaler Gateway Plug-in and the Endpoint Analysis Plug-in. In addition to the logon page with the user name and password fields, the NetScaler ADC now offers an advanced logon page with support for dynamic form providers for interactive authentication. The dynamic form providers on the advanced logon page can be invoked if you use the Citrix default syntax to configure authentication policies.
If you enable the Green Bubble theme and then clear the entire NetScaler configuration, the Green Bubble theme remains instead of reverting to the Default theme. If you rename the virtual server with the correct prefix, it becomes visible in the wizard.
The documentation includes the configuration changes related to the DNS refactoring in the Tagma release. After an upgrade from NetScaler , manual customizations made with the older build's GUI files might cause the password field to be missing from the NetScaler Gateway logon page. The "kevent: failure occurs because the system limit on timers is reached.
When there is a multiplexing proxy in the path between the client and the Gateway, users see errors while accessing the Gateway logon page. If FIPS mode is enabled and a SAML operation involving the certificate-key structure is performed, the NetScaler appliance dumps core and restarts because it references inaccessible memory in that structure. If you assign read-only permission to a NetScaler appliance when you add it to NetScaler Insight Center, the AppFlow configuration on that appliance cannot be changed.
The hop diagram for current session applications does not show the link between the CloudBridge device and the server. If you configure the ICA session timeout to a high value, say 10 minutes or more, and there is no traffic from the NetScaler appliances, neither the timeline chart nor the tabular chart displays any data; instead, the page reports the destination IP addresses. The default setting for auto-negotiation is OFF, which causes an error if you configure the interface from the Management Service.
In rare cases, the link aggregation (LA) channels might flap if both of the following conditions are met: If such flapping occurs, the appliance disables the interface and renegotiates LACP with the peer device.
This might result in the LA channel being disabled. In an HA setup, this can cause a failover if the channel is connected to a critical interface and the node is primary. If the issue persists, restart the appliance. A newly created VPX instance MUST be configured with a minimum of 2 GB of memory and 2 vCPUs; set the vCPUs by changing the virtual machine settings after the instance is created but before booting it.
If a NetScaler appliance on which the cache redirection feature is enabled supports jumbo frames on the client-side connection but not on the server-side connection, the client-side connection behaves as a regular connection. When the appliance forwards packets larger than the interface's MTU, it fragments them into byte packets regardless of the configured MTU. For example, if the appliance forwards a byte packet on an interface configured with an MTU of , it fragments it into byte packets.
As a result, the optimal interface MTU is not used for the connection. High availability (HA) synchronization does not work properly after you upgrade an HA setup from release . Disable HA propagation and HA synchronization before upgrading the HA setup, and enable them again after the upgrade is complete.
Configuring a Link Load Balancing virtual server as a backup to a Load Balancing virtual server is not supported. If you add an NTP time server by specifying its host name, and the ns. This results in a time offset of one hour. For example, the default expression ! In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears.
This is only a display issue. If you try to add a certificate bundle by giving the complete path to the certificate-bundle file, an error message appears. For example, A "certificate mismatch" error message appears if the order of certificates in the. Deprecated commands might be lost from the configuration ns. If you use the add crl command in release 9. Unlike 9. Use the NetScaler command line. At the NetScaler command prompt, type:
These protocols are not supported on a back-end SSL service or profile. The output of the "show SSLlogProfile" command does not display the entities to which the log profile is bound. Client authentication is enabled, the root CA certificate is not bound to the SSL virtual server, and a request with a valid client certificate is sent to the virtual server. Client authentication is enabled, the root CA certificate is bound to the SSL virtual server, and a request with a wrong certificate is sent to the virtual server.
The error message that appears is "Handshake failure-Internal Error" instead of "No client certificate received. In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
The SSL entities to which a policy is bound do not appear in the output of the "show ssl policy" command if it is run on the cluster IP address.
A few extra messages appear in the output if you run the show command for the back-end SSL service, service groups, or internal services on a cluster IP address. The description string of a cipher in the output of the "show ssl service" command differs if the command is run on the NetScaler IP address and on the cluster IP address.
When you log web transactions on a web server and on an NSWL server, the cs-username field is logged correctly on the web server, but on the NSWL server it is logged as a hyphen (-) instead of the user name.
Virtual servers to which a listen policy is bound accept connections from the first subflow only. For NetScaler Therefore, audit log servers deployed on FreeBSD 6. The NetScaler appliance may display messages that result from file system compatibility checks performed at boot. These messages are informational only and have no adverse impact on the functioning of the NetScaler. When you configure Web Interface sites through the wizard with the "Trust ssl certificate" option checked, the certificates bound to the VPN virtual server are not imported into the JVM.
You must import the certificates manually by running the following command from the shell prompt: The "unset authentication localPolicy" command is removed from this version onwards. A NetScaler appliance might not honor persistence for a load balancing virtual server with a wildcard configuration if information about the back-end server is not available.
The updated host name of a NetScaler appliance does not appear on the LCD panel until the appliance is restarted. If, when you reboot a NetScaler appliance, the SNMP agent starts before the system monitoring application, the agent reads the Voltage and Fan Speed counter values as zero and sends low-threshold traps.
Then, when the system monitoring application starts and updates the counter values, if the values are still below the thresholds, the SNMP agent does not send traps to clear the low-threshold traps. Set the alarm threshold value as described at https: If you use an unsupported expression as a filter, the NetScaler GUI does not display a warning message, and the unsupported expression causes an appliance failure.
You can type the show connectiontable command to view the list of supported expressions. When you run the set command on a NetScaler appliance, the ns. Random packets on the loopback interface are missing if you capture an nstrace on a NetScaler appliance.
The request body is truncated only if the appliance receives an HTTP request whose header spans more than one packet (incomplete header assembly) and the request body arrives while the appliance is still awaiting a TCP acknowledgment for the request header it has sent to the server. The truncation results in TCP retransmissions and latency.
Connections might hang if the amount of data to process exceeds the configured default TCP buffer size. Set the TCP buffer size to the maximum size of data that needs to be processed. When you upgrade the NetScaler firmware by using the NetScaler GUI, the appliance restarts in the background as soon as the upgrade is complete, but the GUI does not show that the upgrade has completed. Log off and log back on to the NetScaler appliance to check the firmware version.
The names of GSLB entities are case sensitive. If you have entities with the same name in different cases (uppercase or lowercase) on different nodes in your GSLB deployment, GSLB synchronization fails. Change the entity names so that the same name is always in the same case, either uppercase or lowercase. If the NetScaler appliance is upgraded from version The enhancements and changes that were available in NetScaler The build number provided below the issue description indicates the build in which this enhancement or change was provided.
With previous versions of the NetScaler ADC, OWA connections did not time out, because OWA sends repeated keepalive requests to the server that kept the session alive; this interfered with single sign-on and posed a security risk, since an abandoned session never expired. AAA-TM now supports forced timeouts that ensure that OWA sessions time out after the specified period of inactivity.
Previously, users could not bookmark the authentication sign-on page. This limitation no longer exists. If a great many users attempt to authenticate simultaneously, DNS lookups might slow the authentication process. To configure authentication by using a server's FQDN instead of its IP address, follow the normal configuration process, except that when creating the authentication action you substitute the serverName parameter for the serverIP parameter, as shown below:
When a primary server is unavailable, this feature prevents delays while the ADC waits for the first server to time out before resending the request to the second server. For example, assume that you have AAA configured on your ADC with three authentication policies, authpol1, authpol2, and authpol3, with priorities set to 10, 20, and 30 respectively.
A user requests authentication, and the ADC discovers that the authentication server behind authpol1 does not respond to authentication requests. The ADC then tries authpol2, which responds. When other users attempt to authenticate after this situation occurs, the ADC skips authpol1 and proceeds directly to authpol2. The AAA Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually.
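The fallback behaviour just described, as an added example that is not NetScaler code: a priority-ordered chain remembers which authentication server timed out, so later users go straight to the next policy instead of waiting on the same timeout again. Servers are simulated with callables; the policy names, the re-probe interval, and the decision to treat an explicit rejection as final (rather than cascading to the next server) are assumptions of this example, not statements about how the ADC behaves.

```python
"""Priority-ordered authentication policies that skip an unresponsive server."""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"   # simulated server verdicts


@dataclass(order=True)
class AuthPolicy:
    priority: int                                     # lower number is evaluated first
    name: str = field(compare=False)
    server: Callable[[str, str], str] = field(compare=False)
    down_since: Optional[float] = field(default=None, compare=False)


class PolicyChain:
    def __init__(self, policies, retry_after=60.0, clock=time.monotonic):
        self.policies = sorted(policies)              # evaluate by priority
        self.retry_after = retry_after                # seconds before re-probing a down server
        self.clock = clock

    def _skip(self, pol: AuthPolicy) -> bool:
        """A server marked down is skipped until retry_after has elapsed."""
        return pol.down_since is not None and self.clock() - pol.down_since < self.retry_after

    def authenticate(self, user: str, password: str):
        """Return (verdict, policy_name, policies_tried)."""
        tried = []
        for pol in self.policies:
            if self._skip(pol):
                continue
            tried.append(pol.name)
            verdict = pol.server(user, password)
            if verdict == TIMEOUT:
                pol.down_since = self.clock()         # remember it so later users skip it
                continue
            pol.down_since = None                     # it answered: clear the mark
            return verdict, pol.name, tried
        return "no_server_available", None, tried     # fail closed, never accept by default


def run_scenario():
    """Deterministic walk-through of the three-policy example from the text."""
    now = [1000.0]
    clock = lambda: now[0]
    dead = lambda u, p: TIMEOUT                                   # authpol1's server is down
    ldap = lambda u, p: ACCEPT if (u, p) == ("alice", "s3cret") else REJECT
    radius = lambda u, p: REJECT                                  # never reached in this run
    chain = PolicyChain([AuthPolicy(30, "authpol3", radius),
                         AuthPolicy(10, "authpol1", dead),
                         AuthPolicy(20, "authpol2", ldap)],
                        retry_after=60, clock=clock)
    first = chain.authenticate("alice", "s3cret")     # waits on authpol1, falls to authpol2
    second = chain.authenticate("bob", "wrong")       # authpol1 skipped outright
    now[0] += 61                                      # re-probe window has passed
    third = chain.authenticate("alice", "s3cret")     # authpol1 is tried again
    return first, second, third


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The re-probe interval matters in practice: without it a server that has recovered is never used again, and with too short a value every user pays the timeout once more. Treating a definitive rejection as final also keeps a password-guessing attacker from getting a second opinion from each server in the chain.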
You can configure this feature at the NetScaler command line or by using the configuration utility. To configure AAA to extract user information from a keytab file at the command line, type the appropriate command:
To configure AAA to extract user information from a keytab file by using the configuration utility, do the following steps: If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it. After the user authenticates, the ADC generates a SAML assertion that grants access to the protected resource and redirects the user to it.
When the user logs out or is logged out by any SP, the ADC sends logout requests to all other SPs that the user accessed during the current session and terminates the session. You can use default syntax expressions as Authentication policy rules.
The default syntax expression editor now appears in the configuration utility when you create or configure an authentication policy. From the command line, you can simply use default syntax to create the rule for your policy, and AAA-TM will recognize and implement it. Authentication policies, when bound, can each be associated with a "nextFactor" policyset.
The nextFactor policyset is evaluated if the policy to which it is associated succeeds. There is no upper limit to the number of policies that can be chained in this manner. All policies bound to a single authentication server must be either NetScaler default syntax policies or NetScaler classic syntax policies. You cannot mix both types of policy on a single authentication server. AAA-TM now prompts for the client certificate only when it requires the certificate to authenticate a user, not every time that a protected application requests authentication.
It retrieves the certificate only if two-factor authentication is not enabled, or if it is configured to extract the user name from the certificate. If the system administrator has restricted the use of weak encryption algorithms on the Kerberos server, the Kerberos server responds with an error instead of the requested ticket, causing KCD to fail. AAA now uses aessha1 to encrypt timestamps for delegated user credentials.
AAA-TM is now able to authenticate a user to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful. To set up web-based authentication with a specific web server, first you create a web authentication action. Since authentication to web servers does not use a rigid format, you must specify exactly which information the web server requires and in which format when creating the action.
To do this, you create an expression in NetScaler default syntax. Next you create a policy associated with that action. You can now unlock a user account that was locked out after too many failed logon attempts or after repeated violations of logon attempt time slice limits.
In the data pane, select the user account to unlock, and then in the Actions drop-down list, choose Unlock. To unlock a locked-out user account from the command line, type the following command: The NetScaler implementation of SAML allows signing certificates of less than bits, but displays a warning message.
It also supports the SHA hash algorithm for signatures and digests. Citrix recommends that all signing certificates be of at least bits, and that you use SHA, as SHA-1 is no longer considered secure for signatures. When sending a SAML authentication request to an external identity provider, the NetScaler ADC now offers an option to send the thumbprint of the certificate that was used to sign the message instead of the complete certificate.
The "sendThumbprint" option is off by default. The Responder feature is flexible: you can create as many error responses as you wish, and respond to as many different error conditions.
For example, if your users log on to different authentication servers in different geographic areas, you can customize responses to each region.
A user in the United States can receive an error message that is appropriate to his or her authentication server, and be directed to a customer service telephone number in the United States. A user in Japan can receive the same for his or her different authentication server and customer service telephone number. Briefly, to create a Responder configuration for this scenario, first create each error message and place that error message on a web server.
The web server should not be located on the same physical server as the authentication server, and preferably not on the same subnet. If you have multiple regional data centers that host separate authentication servers, locate each error response in a different data center from the one that hosts the authentication server it is used for, so that local power outages or Internet connectivity problems do not affect the web server that hosts the error messages.
Then, on the ADC, do the following steps: You must craft a rule for the responder policy that selects connections meeting the appropriate criteria. For example, if you want connections that originate in the USA and fail authentication to receive this error message, the rule could identify the region by source IP address and the authentication failure by error message. For detailed instructions on how to set up a responder configuration of this type from the command line, see the following article on the Citrix Customer Support web site:
A transaction flag now indicates, to external collectors, whether the transaction was successfully completed or was aborted. This feature keeps sessions active even if network connectivity is interrupted, and to indicate that connectivity is lost, the user's device display freezes and the cursor changes to a spinning hourglass until connectivity resumes.
The user can resume interacting with the application once the network connection is restored. The process of collecting the load time and render time of web pages has been simplified by including the clientSideMeasurements parameter as part of the add appflow action command. For details about configuring an AppFlow action, see http: This combination offers layered network services, including robust application delivery capabilities that accelerate application performance for all users.
With a RISE based implementation, the NetScaler functionality is available as a centralized resource that can be leveraged across the application infrastructure supported by the Cisco Nexus series switch. The key functionalities of the RISE architecture include:. RISE provides a plug and play auto-provisioning feature. The NetScaler ADC uses its health monitoring feature to track and support server health by sending health probes to verify server responses.
The automatic policy based routes are defined on the Cisco Nexus series switch. When the return traffic from the server reaches the Cisco Nexus series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client. Global server load balancing can now be configured on a NetScaler cluster.
To do this, you must log on to the cluster IP address to define the GSLB entities and then bind these entities to a single-member cluster node group. For detailed information, see http: To do this, while creating a cluster instance, you must set the "quorumType" parameter to none, as shown here:
For more information, see http: Net profiles are now supported on a NetScaler cluster. You can bind spotted IP addresses to a net profile which can then be bound to spotted load balancing virtual server or service defined using a node group with the following recommendations:.
You must make sure that the cluster LA channel has a local interface as a member interface. You can now use Layer 2 mode in a NetScaler cluster. From NetScaler In earlier releases, the cluster feature was licensed by a separate cluster license file.
No changes are required. When using HTTP compression, you can explicitly specify a "vary" header value for compressed responses. Prior to this enhancement, the vary header was implied to be "Accept-Encoding, User-Agent". The NetScaler graphical user interface GUI has been enhanced to provide a better user interaction experience. It now provides you with a workflow-based experience, which guides you through the entire configuration. The configuration settings have been classified as basic and advanced for some features.
The NetScaler now keeps track of the interfaces through which operations are executed. This saves bandwidth and provides faster response times, because the NetScaler does not have to connect to the server for repeated requests of the same data. This feature is especially useful if you want to base a content switching decision on a part of the URL and other L7 parameters.
As a result, the configuration size is also reduced.
A number of expressions have been added, and you can use them to examine the header and the attribute-value pairs AVPs in a Diameter packet. On the basis of that information, you can forward the request to the selected load balancing virtual server.
The behavior has been enhanced in the current release. NetScaler now responds with the AA bit set for negatively cached responses, just as it does for positively cached responses. The option has a default value of NO. When you use the load balancing virtual server to load balance recursive resolvers, you can set this option to YES, which causes NetScaler to respond with the RA bit set on all responses. They therefore enable clients to discover which server a request should go to for a particular service and which protocol to use to connect to the server.
ADNS mode and proxy mode. A NetScaler ADC deployed in proxy mode does not always send the query for an address record to the back-end server. This happens when a partial CNAME chain for the queried name is present in the cache.
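The AA and RA behaviour described above, as an added example that is not NetScaler code. The header layout and flag positions come from RFC 1035 section 4.1.1; the query and the record counts are constructed. It shows the two cases in the text: a negative (NXDOMAIN) answer served from cache carries the AA bit just as a positive one does, and a front end for recursive resolvers sets RA on every response. Only the 12-byte header is modelled, not the question or record sections.

```python
"""Build and decode DNS response headers with the AA and RA flags."""
import struct

# Flag bits in the second 16-bit word of the header (RFC 1035 section 4.1.1)
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed header into named fields and individual flag booleans."""
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(pkt, 0)
    return {
        "id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
        "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
        "nscount": ns, "arcount": ar,
    }


def build_response_header(query: bytes, *, authoritative: bool, recursion_available: bool,
                          rcode: int, ancount: int = 0, nscount: int = 0) -> bytes:
    """Echo id, RD and QDCOUNT from the query; set QR plus the requested flags."""
    ident, qflags, qdcount, _, _, _ = HEADER.unpack_from(query, 0)
    flags = QR | (qflags & RD) | (rcode & 0xF)
    if authoritative:
        flags |= AA
    if recursion_available:
        flags |= RA
    return HEADER.pack(ident, flags, qdcount, ancount, nscount, 0)


def negative_cached_response(query: bytes, *, recursion_available: bool = False) -> bytes:
    """NXDOMAIN from the negative cache: AA set, one SOA in the authority section."""
    return build_response_header(query, authoritative=True,
                                 recursion_available=recursion_available,
                                 rcode=RCODE_NXDOMAIN, nscount=1)


def positive_cached_response(query: bytes, answers: int, *,
                             recursion_available: bool = False) -> bytes:
    """NOERROR from the cache with `answers` records in the answer section."""
    return build_response_header(query, authoritative=True,
                                 recursion_available=recursion_available,
                                 rcode=RCODE_NOERROR, ancount=answers)


# Constructed query header: id 0x1234, RD set, one question, no records
SAMPLE_QUERY = HEADER.pack(0x1234, RD, 1, 0, 0, 0)

if __name__ == "__main__":
    print(parse_header(negative_cached_response(SAMPLE_QUERY)))
    print(parse_header(positive_cached_response(SAMPLE_QUERY, 2, recursion_available=True)))
```

Setting AA on cached data is only honest when the appliance is the authority for the zone (ADNS mode); a proxy that stamps AA on answers it merely relays misrepresents the source of the data, so keep the RA option for the recursive-resolver deployment the text describes.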
You can now configure the NetScaler ADC to operate transparently between MySQL clients and servers, and to only log or analyze details of all client-server transactions. Transparent mode is designed so that the ADC only forwards MySQL requests to the server, and then relays the server's responses to the clients.
As the requests and responses pass through the ADC, the ADC logs information gathered from them, as specified by the audit logging or AppFlow configuration, or collects statistics, as specified by the Action Analytics configuration. You do not have to add database users to the ADC. Database specific load balancing is now supported for MySQL databases.
If a database is available on multiple servers but is online on only some of these servers, the client request is forwarded to the server on which the database is online.
When autosync is triggered on the master site, the static proximity database is synchronized first, followed by the configuration. For more information, see http: You can now view the configuration details of the entities bound to a GSLB domain.
The details include the configuration of the virtual servers, services, and the monitors bound to the GSLB domain. To view the details, you can use either the command line or the configuration utility. When integrated caching is used in a high availability setup, in addition to storing the cached objects on the primary appliance, the objects are also stored on the secondary appliance. This reduces bandwidth usage as cached objects are not lost during failover and the request can then be served directly from the cache of the secondary appliance.
You can now configure rate limiting for diameter messages. The citrix-xdm monitor is used to monitor the XDM server while the citrix-xnc-ecv monitor is used to monitor the XNC server. You can add these monitors by using the add lb monitor command from the command-line interface or by using the GUI. You can now configure up to 8K service groups on a NetScaler appliance. The earlier limit was 4K service groups. For more information on jumbo frames, see http: You can now view the statistics of services and service groups that are bound to a load balancing virtual server by using the following URL:.
You cannot view these details by using the "http: NetScaler operations such as configuring SSL certificates requires the input files to be available locally on the NetScaler appliance. NITRO allows you to perform file operations such as uploading file to the NetScaler, retrieving a list of files and the file content from the NetScaler, and also delete files from the NetScaler.
These operations can be performed for files of type: The SDKs can be downloaded from the Downloads page of the appliance's configuration utility. Additionally, the expression editor for advanced endpoint analysis has been implemented in HTML within the configuration utility. If you configure a SmartAccess virtual server, when users log on from multiple devices, you can transfer the ICA Proxy session to another device and restrict users to one Universal license.
For example, if users log on by using Citrix Receiver on their computer and then log on again from a mobile device, this consumes two NetScaler Gateway Universal licenses and creates two sessions for one user.
When you enable this setting, the user session transfers to the new device and uses one Universal license. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
NetScaler Gateway supports network traffic through a forward proxy between the appliance and servers in the internal network when users log on by using clientless access and when Secure Browse is enabled on the Security tab in a session profile. The Endpoint Analysis feature enables administrators to analyze and make client connection choices based on client endpoint settings for plug-in sessions connecting through the NetScaler Gateway. This task required administrators to manually extract the file on the NetScaler and then copy the extracted files to appropriate directories.
NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or split tunneling is enabled.
You can also schedule the export of the reports to specified email addresses at various intervals. The NetScaler Insight Center geo maps feature displays the usage of web applications across different geographical locations on a map. Administrators can use this. NetScaler Insight Center adaptive threshold functionality dynamically sets the threshold value for the maximum number of hits on each URL.
HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions. NetScaler Insight Center now saves the following data for a specific time period before it is purged:. NetScaler Insight Center now analyzes the traffic flowing through NetScaler ADC to cache servers and origin servers, and provides useful information about the cache performance, such as:.
For details on Cache Redirection Insight, see http: Authentication with the NetScaler Insight Center virtual appliance can be local or external. With external authentication, NetScaler Insight Center grants user access on the basis of the response from an external server. It supports the following external authentication protocols:.
Authorization through the NetScaler Insight Center virtual appliance is local. The virtual appliance supports two levels of authorization. Users with superuser privileges are allowed to perform any action. Users with readonly privileges are allowed to perform only read operations.
The authorization of SSH users requires superuser privileges. Users with readonly privileges cannot log on through SSH. On the dashboard, if you move the columns in a table and refresh the page, the column ordering is sometimes reset to default. The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.
In the dashboard, you can now select and rearrange the columns displayed in the tables. These changes persist across user sessions.
This counter indicates how many times the client advertised a zero TCP window. This counter indicates how many times the server advertised a zero TCP window. This counter indicates how many times the retransmit timeout was invoked on the client-side connection. This counter indicates how many times the retransmit timeout was invoked on the server-side connection. You can now customize NetScaler Insight Center reports to display the metrics that you want, and you can specify bar graphs or line graphs.
To make these changes, open the drop-down list next to the percentage icon in the top-right corner of the dashboard. NetScaler Insight Center now supports monitoring of CloudBridge , , , and appliances. For details, see http: You can now configure the timeout period for how long a user or a group can remain in an idle state before being terminated.
For more details on configuring a user account or a group account, see http: The database cache functionality of NetScaler Insight Center stores database content locally in the cache and serves the content to users without accessing the database server. For details about configuring this functionality, see http: For debugging an issue, the technical support bundle that you generate to send to the technical support team now automatically includes NetScaler ADC data along with the NetScaler Insight Center data.
All statistics that are maintained and reported for single-stream ICA connections are also displayed for multi-stream ICA connections. For details on enabling this functionality, see http: You can now enable NetScaler Insight Center to periodically remove the out-of-date content from its database.
The dashboard now displays the following user access types, depending on the NetScaler deployment:. User connected to XenApp or XenDesktop server directly, with no intervening virtual server. These values are displayed only if the session reliability feature is enabled on XenApp or XenDesktop.
You can now limit the number of days for which generated reports persist in the database, after which they are permanently deleted. To change the value, on the Configuration tab, click System, and in the right pane, under System Settings, click Limit Data Duration Persistency. This is particularly helpful in debugging and troubleshooting instances hosted on the NetScaler SDX appliance when an instance is not reachable over the network.
The Events feature lets you monitor and manage the events generated on the NetScaler instances. The Management Service identifies events in real time, helping you address issues immediately and keep the NetScaler instances running effectively. You can also configure event rules to filter the generated events and to be notified, so that you can act on the filtered list. You can monitor values such as the health of a virtual server and the time elapsed since the last state change of a service or service group.
This gives you real-time visibility into the status of these entities and simplifies their management when many entities are configured on your NetScaler devices.
You can now use the command-line interface to perform operations on the Management Service; the Add, Set, Delete, Do and Save commands are supported. The NetScaler SDX appliance now supports configuring a password policy and a user-lockout policy to resist password guessing and automated password-cracking tools.
The password policy enforces a user-specified minimum length and a minimum level of complexity: the password must contain at least one uppercase letter, one lowercase letter, one digit, and one special character.
The user-lockout policy disables a user account when an incorrect password is entered a specified number of times. You can specify a user lockout interval, the length of time the account stays disabled before it is re-enabled automatically. Note that a lockout policy also lets anyone who knows a user name lock that account for the interval, so pair a short interval with alerting rather than relying on an indefinite lock. The total number of instances that you can provision on an SDX appliance depends on the license installed on the appliance. You can use the Setup Wizard to complete all the first-time configuration in a single flow.
The wizard helps you configure network details and system settings, change the default administrative password, and manage and update licenses. There is also a new inline wizard for provisioning NetScaler instances from the Management Service, with simplified networking configuration steps: the networking portion of the provisioning workflow has been streamlined for ease of use.
With this release, the following authentication and authorization capabilities are supported for the Management Service on the NetScaler SDX appliance: You can now schedule the Management Service to compare a NetScaler instance's configuration against a template and report the differences. You can also use the report on the Change Management page of the Management Service to see whether the saved configuration and the running configuration of any instance differ.
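A minimal version of that comparison, as an added example rather than the Management Service's own implementation: it keys NetScaler-style command lines by verb, entity type and name, reports what was added, removed or changed between the saved and running configuration, and checks the running configuration against template rules. The configuration lines and the rules are constructed for illustration.

```python
from __future__ import annotations

import re

# Added example (not Citrix code). The configuration fragments below are
# constructed for illustration and are not from any real appliance.

SAVED = """\
add lb vserver web_vs HTTP 10.0.0.10 80
add lb vserver api_vs SSL 10.0.0.11 443
set ssl vserver api_vs -ssl3 DISABLED -tls1 DISABLED
set ns param -timeout 900
"""

RUNNING = """\
add lb vserver web_vs HTTP 10.0.0.10 80
add lb vserver api_vs SSL 10.0.0.11 443
set ssl vserver api_vs -ssl3 ENABLED -tls1 DISABLED
set ns param -timeout 900
add lb vserver debug_vs HTTP 10.0.0.99 8080
"""

# Template rules (assumed): (pattern selecting an entry by key,
#                            pattern its arguments must satisfy).
TEMPLATE_RULES = [
    (r"^set ssl vserver ", r"-ssl3 DISABLED"),  # SSLv3 must stay off
    (r"^add lb vserver ", r"^SSL "),            # every vserver must be SSL
]


def parse(config_text: str) -> dict[str, str]:
    """Map each command to its arguments, keyed by verb, entity type and name.
    'set ssl vserver api_vs -ssl3 DISABLED' -> {'set ssl vserver api_vs': '-ssl3 DISABLED'}
    Global parameters such as 'set ns param' have no name, so the key stops
    before the first '-option'."""
    entries: dict[str, str] = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        n = 4 if len(tokens) > 3 and not tokens[3].startswith("-") else 3
        entries[" ".join(tokens[:n])] = " ".join(tokens[n:])
    return entries


def diff(saved: str, running: str) -> dict[str, list]:
    """Entries present only in running, only in saved, or with different arguments."""
    s, r = parse(saved), parse(running)
    return {
        "added": sorted(k for k in r if k not in s),
        "removed": sorted(k for k in s if k not in r),
        "changed": sorted((k, s[k], r[k]) for k in s if k in r and s[k] != r[k]),
    }


def check_template(config: str, rules: list[tuple[str, str]]) -> list[str]:
    """Return every entry that a matching rule selects but whose arguments
    do not satisfy the rule's required pattern."""
    violations = []
    for key, args in parse(config).items():
        for key_re, args_re in rules:
            if re.search(key_re, key) and not re.search(args_re, args):
                violations.append(f"{key} {args}")
    return violations


if __name__ == "__main__":
    for kind, items in diff(SAVED, RUNNING).items():
        print(f"{kind}: {items}")
    print("template violations in running config:")
    for v in check_template(RUNNING, TEMPLATE_RULES):
        print("  " + v)
```

The interesting finding in this constructed data is the unsaved change that re-enables SSLv3 and the unsaved `debug_vs` virtual server: both are exactly the kind of drift that a saved-versus-running report surfaces and a reboot would silently revert.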