Publishing Citrix Applications on the Web


I want to look at a very interesting hardware solution from Citrix: NetScaler, a device with a huge range of features and capabilities. In this article I focus on publishing applications and VDI on the web.
Besides delivering the application securely, NetScaler also optimizes the traffic for faster and better transmission.

A brief description:

We assume that we already have a NetScaler MPX or VPX (MPX is a hardware appliance, VPX is a virtual appliance). For testing you can use NetScaler VPX Express, which is free and fully functional, limited only in bandwidth.
Before we get started, let's recall some terms. The main thing to know is the four different types of IP address that NetScaler uses:
NetScaler IP address (NSIP) - the management IP address used to access the system; it is also the heartbeat interface for HA, the syslog source, etc.;
Virtual IP address (VIP) - the IP address associated with a virtual server. It is often the public IP address that clients connect to;
Mapped IP address (MIP) - the address used to connect to the servers. It is often the address facing the servers for which you need to balance the load and/or provide access through the Access Gateway and/or protect applications using the Web Application Firewall;
Subnet IP address (SNIP) - when NetScaler is connected to several subnets, SNIPs can be configured to act as MIPs that provide access to those subnets. A SNIP can be bound to VLANs and interfaces.
We will also assume that the initial setup of the NS is done (IP addresses are configured and licenses are installed).


Connect to the NS web console:

Verify that the IP addresses are configured by clicking Network -> IPs in the console.

Now for the most interesting part:
Configuring the Web Interface ...

Now we finally get to the parts we care about: adding the Web Interface and XML to NetScaler. After this step, we will be able to reach the Web Interface page through the VIP that we create. We need to create 2 virtual servers.
But before creating the servers, I create the service groups needed for balancing.

Balancing Participants
Now, based on this group, we create the LB server. To create a virtual server, go to Load Balancing -> Virtual Servers and click the Add button at the bottom of the screen. Enter the name of the virtual server (I recommend naming the LB server after its task, in my case XenDesktop_WebInterface_serverIPaddress_port_LoadBalancingIP - XD_WI_192.168.x.x_xx_lbvip). Enter the IP address that will be used as the VIP for the two Web Interface servers. Select the HTTP protocol, port 80.
On the Services tab, select the check boxes for the two web services that were created earlier. On the Method and Persistence tab, select the Least Connection method. Save.

Now create an LB server for XML.

To make use of these functions, you need to create a new monitor. This monitor sends an XML request to the XenApp / XenDesktop farm. Note that this works only for XenApp and XenDesktop.
To create a monitor, go to Load Balancing -> Monitors and click Create. Enter a name for the new monitor and select CITRIX-XD-DDC and XD-WEB-INTERFACE. I suggest naming monitors the same way as the LB servers.

Brief summary: we set up 2 load-balancing servers and created monitors to check the end servers.
The certificates are easiest to configure using the web interface, by going to the NetScaler NSIP.
A full description of the process is here.
In short (if you have any questions, I'll answer them, but in my opinion generating the certificates should not raise questions if a certification authority is already deployed):
An RSA key is generated (Configuration > SSL > Create RSA key);
A CSR is created (Configuration > SSL > Create CSR);
The certificates are installed (Configuration > SSL > Certificates > Install);
The server certificate is linked with the CA and intermediate authority certificates, forming a chain (Configuration > SSL > Certificates > Link).
As a result, we should have 2 installed certificates: server and CA.

Only now do we create the Access Gateway virtual server. To do this, open Access Gateway -> Virtual Servers and click the Add button. Specify the server name. This name must match the name of the certificate that you registered earlier. Assign an IP address that will be used as the VIP for this connection. Finally, add the certificate created earlier.

Now you can check that the AG server works. Open a web browser and go to https://server name (of course, use the FQDN that we created). Make sure you are using HTTPS. The page should open without a certificate warning. If there are warnings, check the certificates.

The AG server is up, but not yet configured. Set up LDAP authentication.
To configure it, we need to create an LDAP server. Go to System -> Authentication -> Server -> Add ...

Name: AD (or whatever name you like)
Authentication type: LDAP
IP address: 192.168.x.x (the IP address of one of the domain controllers is used)
Base DN: DC=your,DC=domain (the DN of your domain)
Administrator Bind DN: CN=account,DC=your,DC=domain (the domain account used for access)
Administrator password: password (the password of the user specified above)
Click Create.

With the connection to AD in place, create an authentication policy on the NS: System -> Authentication -> Policies -> Add

Name: policy_AD (or any name)
Authentication Type: LDAP
Server: AD (this is the server created in the previous step)
Expression: Search for any expression -> General -> True value (click the Create button)
Now we bind the created LDAP policy to the AG virtual server created earlier.

Almost everything is ready.
Only now do we move on to the settings on the Citrix XenDesktop / XenApp web server.
To keep things clean, create a new site.
The settings here are self-explanatory (site name and file path).

In the next step, select the authentication point: choose Access Gateway.

For the authentication service URL, specify: your FQDN/CitrixAuthService/AuthService.asmx

After creating the site, open it for configuration. To configure XML, specify the IP address of the LB server that we created earlier. That is, the NS itself will manage the load on the web / XML servers.

Once the site is created, we need to set the access type to Access Gateway. Right-click the new site and select Secure Access.

Change the access method from Direct to Gateway direct and click Next. In the gateway settings, enter the FQDN in the Specify field. Click the button to continue.

On the Specify Secure Ticket Authority (STA) Settings screen, click Add. Enter the path to the STA as http://your citrix XD server/App/scripts/ctxsta.dll. Then click the wonderful Finish button. (A reminder for those who have an XD cluster: this must be done on all web nodes.)

Now we have to add the STA to the Access Gateway virtual server. Open Access Gateway -> Virtual Servers, open the Access Gateway server and go to the Published Applications tab. In the STA section, click Add. Enter the address in the format http://ip address (substitute the IP you specified in the previous step). Save by clicking OK.

It remains to configure the session policies. Create an Access Gateway session policy:
Name: cag_xd_vser_wi (again following the naming rule above: CitrixAccessGateway_XenDesktop_VirtualServer_WebInterface)

Expression: any expression -> General -> True value (click the Add Expression button). Click OK and go to the next step.
ICA Proxy: ON
Web Interface Address: http://192.168.xx/Citrix/AccessGateway/auth/login.aspx (specify the IP address of the LB server assigned for web balancing)
Single Sign-on Domain: your.domain (FQDN of your domain)

The final touch: on the Security tab, set Default Authorization Action to ALLOW.
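
The LDAP server, the STA address, the Web Interface address and the Default Authorization Action set in the steps above all end up as lines in the NetScaler saved configuration. As an added example (not part of the original article), this Python script audits such lines for back-end connections left in clear text; the configuration text is a constructed sample with placeholder names and addresses, and the rule names are hypothetical.

```python
import shlex

# Constructed sample in NetScaler saved-config (ns.conf) syntax. All names and
# addresses are placeholders, not values from the article.
AS_CONFIGURED = '''
add authentication ldapAction AD -serverIP 192.0.2.20 -ldapBase "DC=example,DC=test" -ldapBindDn "CN=svc_ns,DC=example,DC=test"
add vpn vserver ag.example.test SSL 192.0.2.30 443
bind vpn vserver ag.example.test -staServer "http://192.0.2.40"
add vpn sessionAction cag_xd_act -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "http://192.0.2.10/Citrix/AccessGateway/auth/login.aspx"
'''
# Constructed counterpart with the same objects reached over TLS.
HARDENED = '''
add authentication ldapAction AD -serverIP 192.0.2.20 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=test"
bind vpn vserver ag.example.test -staServer "https://sta.example.test"
add vpn sessionAction cag_xd_act -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://wi.example.test/Citrix/AccessGateway/auth/login.aspx"
'''

def options(tokens):
    """Collect '-name value' pairs; option names are compared case-insensitively."""
    return {t[1:].lower(): tokens[i + 1]
            for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def audit(conf):
    """Return (rule, object) findings for plaintext back-ends and broad default access."""
    findings = []
    for line in conf.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        kind, name, opt = " ".join(tok[:3]).lower(), tok[3], options(tok)
        if kind == "add authentication ldapaction":
            # secType defaults to PLAINTEXT, so a missing option is a finding too.
            if opt.get("sectype", "PLAINTEXT").upper() == "PLAINTEXT":
                findings.append(("ldap-plaintext", name))
        elif kind == "bind vpn vserver":
            if opt.get("staserver", "").lower().startswith("http://"):
                findings.append(("sta-http", name))
        elif kind == "add vpn sessionaction":
            if opt.get("wihome", "").lower().startswith("http://"):
                findings.append(("wihome-http", name))
            # Assumption: an unset icaProxy is treated as OFF by this check.
            if (opt.get("defaultauthorizationaction", "").upper() == "ALLOW"
                    and opt.get("icaproxy", "OFF").upper() != "ON"):
                findings.append(("allow-without-icaproxy", name))
    return findings

if __name__ == "__main__":
    for rule, obj in audit(AS_CONFIGURED):
        print(f"{rule:24} {obj}")
```

Each finding names the object to revisit in the console: the LDAP server's security type, the STA URL on the Access Gateway virtual server, or the session profile.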

Now you can safely connect from anywhere in the world to your published applications on Citrix XenDesktop / XenApp using the SSL VPN tunnel.

Thank you for your attention. If you have any questions, please ask in the comments. The topic is complex, but interesting and necessary.

Original article here
