2015-03-10

Section 1: Assessing infrastructure needs for the NetScaler implementation

1.1

Task Description: Verify the objectives of the NetScaler implementation

Testing Aspect: What

A Web Interface deployment involves the interaction of three network components:

One or more server farms

A web server hosting the Web Interface site

A user device with a web browser and a Citrix client (Receiver)

A group of servers that are managed as a single entity and operate together to serve resources to users is collectively known as a server farm.

A server farm is composed of servers all running either XenApp or XenDesktop, not a mixture of the two.

Using a Web Interface site, users can log on to a server farm and receive a customized list of the resources published for their user name.

To ensure that users are able to change passwords that have expired, configure the LDAP authentication policy as follows:

In Group Attribute, leave the default memberOf for Active Directory, or change it to the group attribute of the LDAP server type being used. This attribute enables NetScaler Gateway to obtain the groups associated with a user during authorization.

In Security Type, select SSL (LDAPS, normally port 636) or TLS (STARTTLS, normally port 389).

Click Create.

To allow users to change their LDAP password, select Allow Password Change.

Note: If PLAINTEXT is selected as the security type, allowing users to change their passwords is not supported. Active Directory refuses password modifications over an unencrypted connection, so password change requires SSL or TLS.
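The same LDAP policy expressed on the NetScaler CLI, as an added example (not from the page or from Citrix documentation). The server address, DNs, bind password, certificate file, host name and the gateway virtual server name gw_vs are assumed values:

```nscli
# Added example; IPs, DNs, file names and object names are assumed.
# CA that issued the domain controller's LDAPS certificate, so the appliance
# can verify the server before it sends the bind password.
add ssl certKey corp_root_ca -cert corp_root_ca.crt

# LDAPS (-secType SSL on 636). Use -secType TLS with port 389 for STARTTLS.
# -passwdChange ENABLED is what "Allow Password Change" sets; it is not
# supported with -secType PLAINTEXT because AD will not modify passwords
# over cleartext. The bind DN needs only read access to user objects; the
# password change itself is done with the user's own credentials.
add authentication ldapAction ldap_corp_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example,dc=com" -ldapBindDn "cn=svc-netscaler,ou=Service Accounts,dc=corp,dc=example,dc=com" -ldapBindDnPassword "REPLACE-ME" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName -passwdChange ENABLED -validateServerCert YES -ldapHostname dc01.corp.example.com -authTimeout 10

# Policy with the built-in rule ns_true, bound to the gateway vserver as the
# primary authentication at priority 100.
add authentication ldapPolicy ldap_corp_pol ns_true ldap_corp_act
bind vpn vserver gw_vs -policy ldap_corp_pol -priority 100

# Confirm the parameters were accepted as typed.
show authentication ldapAction ldap_corp_act
```

The group attribute and sub-attribute (memberOf / cn) are what the appliance uses to extract group names for authorization and session policies; -validateServerCert with -ldapHostname (available on recent 10.x builds) stops the bind credentials from being sent to an impostor directory server.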

1.2

Task Description: Determine the services to be provided including the resources to be accessed (i.e. XenDesktop, XenApp, custom websites, cover CAG, VIPs for web services, vpn, etc.)

Testing Aspect: What

In a XenDesktop or XenApp deployment, two of the settings configured in NetScaler Gateway for Web Interface are:

The FQDN of the Web Interface site.

The complete IP address or FQDN of the Secure Ticket Authority (STA), so that NetScaler Gateway can communicate with both.

To provide remote users with SSL VPN access:

Users access the Web Interface site by using the NetScaler Gateway URL.

SmartAccess mode is the default for a new NetScaler Gateway virtual server (Basic Mode, ICA only, is off), but the administrator should verify that it is enabled and that Universal licenses are available for it.

A Web Interface site is created and a farm is bound to it.

A NetScaler Gateway VPN virtual server (vServer) is also configured.

The client uses the URL of the NetScaler Gateway VPN vServer to access the Web Interface site.

In Web Interface, configure the gateway address and SSL settings while configuring Access Methods.

1.3

Task Description: Scope the user access needs

Testing Aspect: What

If users need to access resources in the internal network, such as Exchange, file shares, or internal web sites:

They can log on with the NetScaler Gateway Plug-in.

For example, if users want to connect to a Microsoft Exchange server in the network:

They start Microsoft Outlook on their computer.

A secure connection is made with the NetScaler Gateway Plug-in which connects to NetScaler Gateway.

An SSL VPN tunnel is created to the Exchange Server and users can access their email.

When NetScaler Gateway installs the Endpoint Analysis Plug-in on the user device, the plug-in scans the user device for the endpoint security requirements configured on NetScaler Gateway.

Security requirements include information, such as:

Operating system type

Antivirus installed

Web browser version

If a user does not install the Endpoint Analysis Plug-in on the user device or chooses to skip the scan:

The user cannot log on with the NetScaler Gateway Plug-in.

The user can access resources for which a scan is not required by using either clientless access or by using Receiver.

1.5

Task Description: Determine the type of user devices in the environment

Testing Aspect: Why

When Secure Browse is configured:

Clientless access must be enabled.

Clientless access does not require Secure Browse to be enabled.

When clientless access is configured, Clientless Access URL Encoding should be set to Clear.

The command-line interface (CLI) command add aaa preauthenticationpolicy <name> <rule> [<reqAction>] defines the expression evaluated by the endpoint analysis (EPA) scan before a user logs on. Its parameters are:

Name is the name for the preauthentication policy.

The name must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore characters.

It cannot be changed after the preauthentication policy is created.

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my policy" or 'my policy'). This quoting requirement applies only to the NetScaler CLI.

Rule is the name of the NetScaler named rule, or a default syntax expression.

Defines connections that match the policy.

reqAction is the name of the action that the policy is to invoke when a connection matches the policy.
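A worked preauthentication policy using those three parameters, as an added example that is not part of the page. The gateway virtual server name gw_vs and the antivirus process name are assumed:

```nscli
# Added example; vserver name and process name are assumed.
# Action applied when the rule matches: allow logon.
add aaa preauthenticationaction epa_av_allow_act -preauthenticationaction ALLOW

# Rule in the classic EPA expression syntax: the antivirus service process
# must be running on the user device. The policy name contains a space, so
# it is quoted as the naming rules above require. Devices that fail the
# scan, skip it, or never install the plug-in cannot log on with the
# NetScaler Gateway Plug-in; they fall back to clientless access or Receiver.
add aaa preauthenticationpolicy "epa av check" "CLIENT.APPLICATION.PROCESS(ccSvcHst.exe) EXISTS" epa_av_allow_act

# Preauthentication policies are bound to the gateway virtual server.
bind vpn vserver gw_vs -policy "epa av check" -priority 100

# The name cannot be changed after creation; to rename, unbind, remove and
# re-add:
#   unbind vpn vserver gw_vs -policy "epa av check"
#   rm aaa preauthenticationpolicy "epa av check"
```

A process-presence check only proves that something with that file name is running; treat EPA as a hygiene gate for the full VPN tunnel, not as proof that the device is trustworthy.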

1.6

Task Description: Identify connection types

Testing Aspect: How

In a NetScaler Gateway double-hop DMZ configuration, users access published applications and desktops through NetScaler Gateway with a web browser and Receiver.

The NetScaler rate limiting feature:

Allows a definable maximum load for a given network entity or virtual entity on a NetScaler appliance.

Enables configuration of the appliance to monitor the rate of traffic associated with the entity and take preventive action, in real time, based on the traffic rate.

Mitigates the risks that affect the availability of resources to clients and improves the reliability of the network and the resources that the appliance manages.
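A rate limiting configuration of the kind described, as an added example (not from the page). It limits each client IP address to 20 requests per 10 seconds on a load balancing virtual server named web_vs and drops the excess; all names are assumed:

```nscli
# Added example; object names are assumed. Rate limiting enforces through a
# responder policy, so that feature must be on.
enable ns feature RESPONDER

# Key on which the rate is counted: the client source IP.
add ns limitSelector per_client_ip CLIENT.IP.SRC

# 20 requests per 10 000 ms per client IP (timeSlice must be a multiple of
# 10 ms). BURSTY counts within the slice; SMOOTH spreads the allowance.
add ns limitIdentifier req_per_client -threshold 20 -timeSlice 10000 -mode REQUEST_RATE -limitType BURSTY -selectorName per_client_ip

# SYS.CHECK_LIMIT is true once the identifier's threshold is exceeded;
# the built-in DROP action discards the request silently.
add responder policy rl_drop_pol "SYS.CHECK_LIMIT(\"req_per_client\")" DROP

bind lb vserver web_vs -policyName rl_drop_pol -priority 100 -gotoPriorityExpression END -type REQUEST

# Watch the identifier's counters while generating test traffic.
show ns limitIdentifier req_per_client
```

Keying on CLIENT.IP.SRC is blind behind a NAT or a proxy that hides many users behind one address; in that case select on a header the proxy sets or on an authenticated user name instead.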

1.7

Task Description: Identify which servers/services require load balancing

Testing Aspect: What

A load balancing algorithm:

Defines the criteria that a NetScaler appliance uses to select a service to which to redirect each client request.

Different load balancing algorithms use different criteria.

One of the algorithms is ROUNDROBIN, which selects a server based on which service is at the top of a list of services.

After that service is selected for a connection, it moves to the bottom of the list.

SSL offload terminates SSL/TLS on the NetScaler: an SSL virtual server fronts plain HTTP services, and features that act on request content, such as compression policies, then operate on the decrypted traffic.

Before configuring SSL offload on a NetScaler:

An SSL certificate must be obtained for the virtual server.

The certificate's private key must be installed on the NetScaler together with the certificate (exported from the web server if the key pair was generated there). The back-end web server does not need the key when it serves plain HTTP.

Section 2: Designing the NetScaler implementation

2.1

Task Description: Develop the implementation plan

Testing Aspect: What (things to consider)

Syslog events generated by NetScaler appliances can be monitored in the NetScaler Insight Center inventory if the NetScaler Insight Center virtual appliance is configured to redirect all syslog messages to the syslog servers.

To monitor syslog events:

A dedicated syslog server must exist.

A syslog server is an external server that receives, stores and displays the log events forwarded by NetScaler Insight Center.

When designating a syslog server, the port on which the server listens and to which the system sends data is 514 by default (UDP).

Port 514 should be open on the firewall between the NetScaler appliance and the syslog server. Syslog over UDP is neither authenticated nor encrypted, so carry it over the management network rather than a user-facing one.
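The corresponding audit configuration on the appliance itself, as an added example that is not part of the page; the collector address and names are assumed:

```nscli
# Added example; collector IP and object names are assumed.
# Syslog target: UDP 514, all severities, ACL hits and user-defined audit
# messages included, timestamps in the appliance's local time zone.
add audit syslogAction corp_syslog_act 10.0.3.20 -serverPort 514 -logLevel ALL -dateFormat MMDDYYYY -logFacility LOCAL1 -timeZone LOCAL_TIME -acl ENABLED -userDefinedAuditlog YES

# Policy with the always-true rule, bound globally so every module logs.
add audit syslogPolicy corp_syslog_pol ns_true corp_syslog_act
bind system global corp_syslog_pol -priority 10

# Confirm the binding, then check the collector receives a test event, e.g.
# by logging in over SSH once: an AAA/ssh login line should arrive.
show system global
show audit syslogAction corp_syslog_act
```

The appliance also keeps /var/log/ns.log locally, but that is lost on a compromised or rebuilt box; the external collector is the copy you investigate from.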

When deploying NetScaler Gateway to provide secure remote access to XenApp or XenDesktop, NetScaler Gateway works with the Web Interface and the Secure Ticket Authority (STA) to provide access to published applications and desktops hosted in a server farm.

NetScaler Gateway, which is located in the DMZ, authenticates user requests before relaying them to the Web Interface in the secure network.

The Web Interface does not perform authentication. It interacts with the STA and generates an ICA file that ensures ICA traffic is routed through NetScaler Gateway to the server farm.

2.2

Task Description: Given the authentication methods you have, determine how to authenticate (authentication method) in that environment

Testing Aspect: What (method(s) to use)

To authenticate users against Windows Server 2012 R2 Active Directory through AD FS, part of the process is enabling support for the SAML 2.0 WebSSO protocol on the AD FS relying party trust.

The purpose of SAML is to enable single sign-on for web applications across domains.

LDAP (Active Directory) remains the underlying authentication store.

On AD FS, configure the values for LDAP attributes by using Issuance Transform Rules with the template Send LDAP Attributes as Claims.

Then configure the LDAP settings, which include the User Principal Name (UPN).

Many companies restrict web site access to valid users only and control the level of access permitted to each user.

The AAA feature allows a site administrator to manage access controls on the NetScaler appliance instead of managing these controls separately for each application.

Performing authentication on the appliance also permits sharing this information across all web sites within the same domain that are protected by the appliance.

NetScaler can act as a SAML service provider (SP) and, in recent releases, as a SAML identity provider (IdP).

When configuring SAML authentication with NetScaler as the SP:

In IdP Certificate Name, select a certificate or click Install. This is the signing certificate of the SAML IdP server; it is used to verify the signature on assertions.

In Redirect URL, enter the URL of the authentication Identity Provider (IdP). This is the URL for user logon on the SAML server, to which NetScaler Gateway redirects the initial request.
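The SP-side configuration on the CLI, as an added example that is not part of the page. The AD FS host, certificate files, issuer name, claim name and the gateway virtual server gw_vs are assumed:

```nscli
# Added example; host names, file names and object names are assumed.
# AD FS token-signing certificate (public part only) = "IdP Certificate Name".
add ssl certKey adfs_signing_cert -cert adfs_token_signing.crt

# Key pair the appliance uses to sign its own AuthnRequests.
add ssl certKey gw_saml_sp_cert -cert gw.example.com.crt -key gw.example.com.key

# -samlRedirectUrl = "Redirect URL": the AD FS passive endpoint.
# -samlUserField names the assertion attribute carrying the user name; here
# the UPN claim AD FS emits via "Send LDAP Attributes as Claims".
# Rejecting unsigned assertions is what makes the IdP certificate matter.
add authentication samlAction adfs_saml_act -samlIdPCertName adfs_signing_cert -samlSigningCertName gw_saml_sp_cert -samlRedirectUrl "https://adfs.corp.example.com/adfs/ls" -samlUserField "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -samlIssuerName "https://gw.example.com" -samlRejectUnsignedAssertion ON

add authentication samlPolicy adfs_saml_pol ns_true adfs_saml_act
bind vpn vserver gw_vs -policy adfs_saml_pol -priority 100

show authentication samlAction adfs_saml_act
```

Rotate adfs_signing_cert whenever AD FS rolls its token-signing certificate; with the old certificate still loaded, every assertion is rejected and logons fail closed.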

2.3

Task Description: Identify the access requirements for the environment that impact how NetScaler will get implemented

Testing Aspect: What (are the access requirements)

Two NetScaler appliances can be deployed in a High Availability (HA) configuration.

One unit actively accepts connections and manages servers.

The second unit monitors the first.

The NetScaler that is actively accepting connections and managing the servers is called the primary unit and the other one is called the secondary.

If there is a failure in the primary unit, the secondary unit becomes the primary and begins actively accepting connections.

A node is a logical representation of a peer NetScaler appliance.

It identifies the peer unit by ID and NSIP.

A NetScaler appliance uses these parameters to communicate with the peer and track its state.

When a node is added, the primary and secondary units exchange heartbeat messages periodically (UDP port 3003).

For initial configuration of NetScaler, use nsroot as both the administrative user name and the password. Change this password during initial configuration; the default is published and is the first credential an attacker tries.

For subsequent access, use the password assigned during initial configuration.

To access the NetScaler configuration utility, open the following TCP ports from the administrator's network to the NSIP:

Port 80 (HTTP) or 443 (HTTPS) for the GUI.

Ports 3010 (HTTP) and 3008 (HTTPS) for the configuration utility's Java applet.

Port 22 for SSH.
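An HA pair set up from the CLI together with the management hardening the text calls for, as an added example (not from the page). The NSIPs 10.0.0.1 (this node) and 10.0.0.2 (peer) and the passwords are assumed:

```nscli
# Added example; run on the first node (NSIP 10.0.0.1), peer NSIP 10.0.0.2.
# Replace the default nsroot/nsroot credentials first.
set system user nsroot -password "REPLACE-ME"

# Each node identifies its peer by node ID and NSIP.
add HA node 1 10.0.0.2

# Heartbeats, config sync and command propagation authenticate with the RPC
# node password, which also defaults to nsroot. Set the same new value for
# both NSIPs on both appliances and require the secure (SSL) channel.
set ns rpcNode 10.0.0.1 -password "REPLACE-RPC" -secure YES
set ns rpcNode 10.0.0.2 -password "REPLACE-RPC" -secure YES

# Management access on the NSIP: HTTPS-only GUI, SSH on, Telnet and FTP off.
set ns ip 10.0.0.1 -gui SECUREONLY -ssh ENABLED -telnet DISABLED -ftp DISABLED

save ns config

# On the peer, mirror the steps with its own NSIP:
#   add HA node 1 10.0.0.1
#   set ns rpcNode 10.0.0.1 -password "REPLACE-RPC" -secure YES
#   set ns rpcNode 10.0.0.2 -password "REPLACE-RPC" -secure YES
# Then confirm one Primary and one Secondary:
#   show HA node
```

With -gui SECUREONLY only 443 needs to be open to the NSIP for the GUI; 80 can stay closed on the firewall.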

2.4

Task Description: Identify pre-requisites for implementing certain features, such as global server load balancing, firewall port considerations (which TCP ports are used?), etc

Testing Aspect: What (to consider)

Every NetScaler appliance to be added to a cluster must:

Be a NetScaler nCore appliance (clustering of NetScaler Classic appliances is not supported).

Be of the same platform type: all physical appliances, all virtual appliances, or all SDX NetScaler instances.

Be of the same platform model type (for physical appliances).

Be on the same subnet.

Have the cluster license file.

Have the same licenses (a Platinum license is not required).

Be of the same software version and build.

Be initially configured and connected to a common client-side and server-side network.

NetScaler appliances configured for global server load balancing (GSLB):

Protect against points of failure in a wide area network (WAN) by providing disaster recovery and ensuring continuous availability of applications.

GSLB can balance the load across datacenters by directing client requests:

To the closest datacenter

To the best performing datacenter

To surviving datacenters in case of an outage.

An active-active datacenter setup consists of multiple active datacenters.

Client requests are load balanced across active datacenters.

One NetScaler located in each site fulfills the requirement of keeping the number of appliances to a minimum.
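A two-site active-active GSLB configuration of the kind described, as an added example (not from the page). Site names, site IPs, the public VIPs, the domain and the ADNS address are assumed; the same configuration is mirrored on the other site with LOCAL and REMOTE swapped:

```nscli
# Added example; IPs, names and domain are assumed. Run on the NYC appliance.
enable ns feature GSLB

# Sites exchange metrics over the RPC channel; protect it as for HA
# (set ns rpcNode <remote site IP> -password ... -secure YES).
add gslb site site_nyc LOCAL 10.10.0.5 -metricExchange ENABLED
add gslb site site_sfo REMOTE 10.20.0.5 -metricExchange ENABLED

# This appliance answers DNS for the GSLB domain on an IP it owns.
add service gslb_adns_svc 203.0.113.53 ADNS 53

# One GSLB service per site = that site's public VIP for the application.
add gslb service app_nyc_svc 203.0.113.20 SSL 443 -siteName site_nyc
add gslb service app_sfo_svc 198.51.100.20 SSL 443 -siteName site_sfo

# Closest datacenter first (needs the static proximity location DB loaded),
# best-performing (RTT) as backup; a DOWN site is skipped automatically.
add gslb vserver app_gslb_vs SSL -lbMethod STATICPROXIMITY -backupLBMethod RTT
bind gslb vserver app_gslb_vs -serviceName app_nyc_svc
bind gslb vserver app_gslb_vs -serviceName app_sfo_svc

# Short TTL so clients re-resolve quickly after a site failure.
bind gslb vserver app_gslb_vs -domainName app.example.com -TTL 30

show gslb vserver app_gslb_vs
```

Delegate app.example.com from the parent zone to the ADNS addresses of both sites so that either site can answer when the other is down.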

Section 3: Building the solution to enable remote access

3.1

Task Description: Obtain and install licenses

Testing Aspect: How

Obtain Platform or Universal license files from Citrix after installing NetScaler Gateway.

Log on to the Citrix web site to access available licenses and generate a license file.

After the license file is generated, download it to a computer.

When the license file is on the computer, upload it to NetScaler Gateway.

Note: Before obtaining license files, configure the host name of the appliance by using the Setup Wizard and then restart the appliance.

To install a license on a NetScaler appliance using the command line:

Open an SSH connection to the NetScaler by using an SSH client, such as PuTTY.

Log on to the NetScaler by using administrator credentials.

Switch to the shell prompt and create the directory: /nsconfig/license if it does not exist.

Copy the new license file(s) to /nsconfig/license and restart the appliance so that the licenses are read.

To install a license on a NetScaler appliance using the configuration utility:

In a web browser, type the IP address of the NetScaler.

In User Name and Password, type the administrator credentials.

In Start in, select Configuration and click Login.

In the navigation pane, expand System and click Licenses.

In the Licenses pane, click Manage Licenses.

If the /nsconfig/license directory does not exist, create it.

In the Manage Licenses dialog box, click Add.

In the Select License Files dialog box, navigate to the location of the license files and select the file to upload.

Click Select.

After the file is uploaded to the license directory, click OK.

Restart the NetScaler appliance for the new licenses to take effect.

3.3

Task Description: Determine when to use NetScaler IP (NSIP), Mapped IP (MIP) and Subnet IP (SNIP)

Testing Aspect: What/Which

A virtual IP address (VIP) is used to load balance a web site through a NetScaler appliance.

In most cases, virtual servers work in tandem with services.

Multiple services can be bound to a virtual server.

These services represent the applications running on physical servers in a server farm.

After the appliance processes requests received at a VIP address, it forwards them to the servers as determined by the load balancing algorithm configured on the virtual server.

For communication with physical servers or other peer devices, a NetScaler appliance uses an IP address owned by it as the source IP address.

NetScaler maintains a pool of subnet IP addresses (SNIPs).

NetScaler maintains a pool of mapped IP addresses (MIPs)

NetScaler dynamically selects an IP address while connecting with a server.

NetScaler prefers a SNIP on the same subnet as the physical server; if none exists, it falls back to a MIP (or, with USNIP mode, to a routable SNIP).

This address pool is used for sending traffic as well as monitor probes.

There are many situations to use a specific IP address on NetScaler for backend communication.

A few examples include:

A server can distinguish monitor probes from traffic if the source IP address used for monitor probes belongs to a specific set.

To improve server security, a server may be configured to respond to requests from a specific set of IP addresses or, sometimes, from a single specific IP address.

The NetScaler can manage its internal connections efficiently if it can distribute the MIPs or SNIPs into IP sets and use an address from a set only for connecting to a specific service.
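Those three cases expressed on the CLI, as an added example that is not part of the page. The addresses and the existing service group web_sg and monitor web_health_mon are assumed:

```nscli
# Added example; addresses and object names are assumed.
# Two SNIPs on the server subnet. SNIPs carry back-end traffic, so keep
# management access off them; administer through the NSIP only.
add ns ip 10.0.1.5 255.255.255.0 -type SNIP -mgmtAccess DISABLED
add ns ip 10.0.1.6 255.255.255.0 -type SNIP -mgmtAccess DISABLED
enable ns mode USNIP

# Pin one address to a service group through an IP set in a net profile,
# so the servers can restrict their firewall to 10.0.1.5 alone.
add ipset backend_src_ips
bind ipset backend_src_ips 10.0.1.5
add netProfile backend_np -srcIP backend_src_ips
set serviceGroup web_sg -netProfile backend_np

# Give monitor probes their own source so they can be told apart from user
# traffic in the server logs and in the servers' access rules.
add netProfile probe_np -srcIP 10.0.1.6
set lb monitor web_health_mon HTTP -netProfile probe_np

show netProfile
```

Without a net profile the appliance picks any SNIP/MIP on the subnet, which is why server-side allow-lists that name a single appliance address break intermittently.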

3.4

Task Description: Bind services/ service groups to Virtual Servers (vServers)

Testing Aspect: How

Adding servers as members of a service group enables the service group to manage them.

An administrator can add the servers to a service group by specifying the IP addresses or the names of the servers.

To add a member to a service group by using the configuration utility:

Navigate to Traffic Management > Load Balancing > Service Groups tab.

In the details pane, select the service group to which a member will be bound and click Open.

In the Configure Service Group dialog box, under Specify Member(s), do one of the following:

To add a new IP-based service group member, select IP Based.

To add a server-name-based service group member, select Server Based.

Before configuring a NetScaler load balancing setup:

Enable the load balancing feature.

Create at least one service for each server in the load balancing group.

With the services configured, create a load balancing virtual server (vServer) and bind each service to the vServer.

That completes the initial setup.

In most cases, services are bound to vServers of the same type, but certain types of services can be bound to different types of vServers, such as:

An SSL service to an HTTP vServer to do encryption.

OR

An HTTP service to an SSL vServer to do SSL offloading.
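A complete load balancing setup covering the steps in 3.4 and the round-robin and SSL offload points in 1.7, as an added example (not from the page). Servers, addresses, the certificate-key pair web_cert and all names are assumed:

```nscli
# Added example; IPs, names and the certkey web_cert are assumed.
enable ns feature LB SSL

# Servers and one HTTP service per server.
add server web1 10.0.1.11
add server web2 10.0.1.12
add service web1_svc web1 HTTP 80
add service web2_svc web2 HTTP 80

# SSL vserver with HTTP services behind it = SSL offload. Round robin
# rotates through the bound services; cookie persistence keeps a session
# on one server.
add lb vserver web_vs SSL 203.0.113.20 443 -lbMethod ROUNDROBIN -persistenceType COOKIEINSERT
bind lb vserver web_vs web1_svc
bind lb vserver web_vs web2_svc
bind ssl vserver web_vs -certkeyName web_cert
set ssl vserver web_vs -ssl3 DISABLED

# Same thing with a service group: members by server name or by IP.
add serviceGroup web_sg HTTP
bind serviceGroup web_sg web1 80
bind serviceGroup web_sg 10.0.1.13 80
bind lb vserver web_vs web_sg

# The other mixed case: an SSL service behind the SSL vserver re-encrypts
# to a back end that must not see plaintext on the wire.
add service app_ssl_svc 10.0.1.21 SSL 443
bind lb vserver web_vs app_ssl_svc

show lb vserver web_vs
```

Disabling SSLv3 on the vserver matters because offload moves the protocol negotiation from the web servers to the appliance; the servers' own TLS settings no longer apply to client connections.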

3.5

Task Description: Create custom monitors or modify existing monitors

Testing Aspect: How

NetScaler has a built-in monitor type, CITRIX-XML-SERVICE, with which monitors can be created to monitor the XML Broker services, such as STA.

The monitor opens a connection to the service and periodically probes the XML services to which it is bound.

If the server responds as expected within the configured time period, the monitor marks the service UP.

If the service does not respond, or responds incorrectly, the monitor marks the service DOWN.

NetScaler has one built-in monitor that can be used to monitor SNMP services: the SNMP monitor.

It periodically checks the SNMP agent on the service to which it is bound by sending a query for the object identifier (OID) that is configured for monitoring.

If the SNMP service finds the OID, the query succeeds and the SNMP monitor marks the service UP.

If it does not find the OID, the query fails and the SNMP monitor marks service DOWN.
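The three monitor types discussed, created and bound from the CLI, as an added example that is not part of the page. Service addresses, community string and names are assumed:

```nscli
# Added example; addresses, community and object names are assumed.
# STA / XML broker: CITRIX-XML-SERVICE probe every 10 s, 3 s to answer,
# DOWN after the configured retries, retried again after 30 s.
add lb monitor sta_xml_mon CITRIX-XML-SERVICE -interval 10 -resptimeout 3 -retries 3 -downTime 30
add service sta1_svc 10.0.2.5 HTTP 80
bind service sta1_svc -monitorName sta_xml_mon

# SNMP: query sysUpTime (1.3.6.1.2.1.1.3.0) on the server's agent at UDP
# 161. A response carrying the OID marks the service UP. Use a read-only,
# non-default community; it travels in cleartext with v1/v2c.
add lb monitor app_snmp_mon SNMP -SNMPOID 1.3.6.1.2.1.1.3.0 -SNMPCommunity "REPLACE-RO-COMMUNITY" -SNMPVersion V2 -destPort 161 -interval 30
add service app1_svc 10.0.2.9 HTTP 8080
bind service app1_svc -monitorName app_snmp_mon

# Custom HTTP monitor: request a health URL and require 200, which catches a
# hung application behind an open TCP port.
add lb monitor web_health_mon HTTP -httpRequest "GET /healthz" -respCode 200 -interval 5 -resptimeout 2 -downTime 30

# Binding a custom monitor replaces the default monitor on that service.
show service sta1_svc
```

Keep the monitor interval and response timeout within the bounds the service can sustain; an aggressive probe from several appliances is itself a load source.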

3.7

Task Description: Install SSL Certificates

Testing Aspect: How

When a server certificate and intermediate certificate are installed on a NetScaler, the intermediate certificate should be linked to the server certificate.

To link the certificates, on the SSL Certificates page of the configuration utility:

Select the server certificate to which the intermediate certificate will be linked.

Click Link.

On a NetScaler virtual appliance, a maximum of two certificates generated from a Trusted Certificate Authority can be bound to an SSL VIP or an SSL service.
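The install-and-link procedure on the CLI, as an added example (not from the page). File names, the virtual server web_vs and the object names are assumed; the files are copied to /nsconfig/ssl/ first:

```nscli
# Added example; file and object names are assumed. Copy the PEM files to
# /nsconfig/ssl/ (scp as nsroot to the NSIP) before running these.

# Server certificate with its private key; warn 30 days before expiry.
add ssl certKey web_cert -cert web.example.com.crt -key web.example.com.key -expiryMonitor ENABLED -notificationPeriod 30

# Intermediate CA certificate (no key).
add ssl certKey inter_ca -cert intermediate_ca.crt

# Link the intermediate to the server certificate so the appliance sends
# the chain; clients that lack the intermediate otherwise fail validation.
link ssl certKey web_cert inter_ca

bind ssl vserver web_vs -certkeyName web_cert

# Confirm the link and the days to expiry.
show ssl certKey web_cert
```

The private key file now sits on the appliance's flash; anyone with nsroot or shell access can read it, which is another reason the NSIP belongs on a management network with a changed default password.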

3.8

Task Description: Create policies by binding policies for services/service groups

Testing Aspect: How/What

Using HTTP profiles, specify HTTP parameters for services and virtual servers.

The first task is to define an HTTP profile (or use a built-in HTTP profile) and associate the profile with the appropriate service and virtual server.

An administrator can add servers to a service group by specifying the IP addresses or the names of the servers.

When the administrator creates a service group, the default monitor of the type appropriate for the group is automatically bound to it.

Monitors periodically probe the servers in the service group to which they are bound and update the state of the service groups.

A different monitor of the administrator's choice can be bound to the service group.

A net profile contains an IP address or an IP set.

A net profile can be bound to load balancing or content switching service groups and more.

A server can be bound to a service group.

Service groups are bound to virtual servers (vServers).

Note: vServers are not bound to service groups.
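An HTTP profile with conservative parsing settings, bound to a virtual server and a service group together with a monitor of the administrator's choice, as an added example that is not part of the page. The vserver web_vs, service group web_sg and monitor web_health_mon are assumed to exist:

```nscli
# Added example; object names are assumed to exist already.
# Strict HTTP handling: drop malformed requests, treat HTTP/0.9 and bare
# CONNECT requests as invalid, reuse back-end connections.
add ns httpProfile strict_http -dropInvalReqs ENABLED -markHttp09Inval ENABLED -markConnReqInval ENABLED -conMultiplex ENABLED

# The profile is associated with both the client-facing vserver and the
# server-facing service group.
set lb vserver web_vs -httpProfileName strict_http
set serviceGroup web_sg -httpProfileName strict_http

# Binding a monitor of your choice to the group replaces the default
# monitor that was bound when the group was created.
bind serviceGroup web_sg -monitorName web_health_mon

show serviceGroup web_sg
```

Binding direction matters when reading show output: services and service groups appear under the vserver they are bound to, never the other way round.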

3.9

Task Description: Configure LDAP or Smart Card

Testing Aspect: What

To configure a smart card to work with NetScaler Gateway:

Create a certificate authentication policy.

Bind the authentication policy to a virtual server.

Add the root certificate (and any intermediate CA certificates) of the Certificate Authority (CA) issuing the client certificates to NetScaler Gateway, and bind them to the virtual server as CA certificates.

When configuring LDAP to authenticate users on a NetScaler device, in the configuration utility, an administrator will need to enter, among other settings:

The server IP address

The port number

The base DN

The administrator bind DN
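The smart card steps above on the CLI, as an added example (not from the page). CA file names and the gateway virtual server gw_vs are assumed:

```nscli
# Added example; file and object names are assumed.
# CA chain that issues the smart-card certificates, bound as CA certs so the
# gateway can validate client certificates. ocspCheck Optional accepts the
# certificate when the OCSP responder is unreachable; Mandatory fails closed.
add ssl certKey corp_root_ca -cert corp_root_ca.crt
add ssl certKey corp_issuing_ca -cert corp_issuing_ca.crt
bind ssl vserver gw_vs -certkeyName corp_root_ca -CA -ocspCheck Optional
bind ssl vserver gw_vs -certkeyName corp_issuing_ca -CA -ocspCheck Optional

# Demand a client certificate in the TLS handshake.
set ssl vserver gw_vs -clientAuth ENABLED -clientCert Mandatory

# Certificate authentication policy: user name taken from the Subject CN,
# no second factor.
add authentication certAction smartcard_act -twoFactor OFF -userNameField Subject:CN
add authentication certPolicy smartcard_pol ns_true smartcard_act
bind vpn vserver gw_vs -policy smartcard_pol -priority 100

show ssl vserver gw_vs
```

Client certificate validation happens at the TLS layer before any policy runs, so the CA binding and -clientAuth must be on the same virtual server as the certificate policy.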

3.10

Task Description: Create Virtual Servers (vServers)

Testing Aspect: How

Content switching enables the NetScaler appliance to direct requests sent to the same Web host to different servers with different content.

For example, an administrator can configure the appliance to direct requests for dynamic content (such as URLs with a suffix of .asp, .dll, or .exe) to one server and requests for static content to another server.

To create a virtual server by using the configuration utility:

Navigate to Traffic Management > Load Balancing > Virtual Servers.

In the details pane, click Add.

In the Create Virtual Server (Load Balancing) dialog box, specify values for the following parameters:

Name—name

IP Address—IPAddress

Protocol—serviceType

Port—port

Click Create and click Close.
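The content switching example from the text (dynamic suffixes to one server, everything else to another), as an added example that is not part of the page. Addresses, the certkey web_cert and all names are assumed, and the back-end services of the two load balancing vservers are left out:

```nscli
# Added example; IPs, names and the certkey web_cert are assumed.
enable ns feature CS LB

# Target LB vservers are non-addressable (0.0.0.0:0); services are bound to
# them as in 3.4 (omitted here).
add lb vserver dyn_vs HTTP 0.0.0.0 0
add lb vserver static_vs HTTP 0.0.0.0 0

# Client-facing content switching vserver.
add cs vserver www_cs_vs SSL 203.0.113.30 443
bind ssl vserver www_cs_vs -certkeyName web_cert

# Requests whose URL suffix is asp, dll or exe go to the dynamic farm.
# IGNORECASE so that /page.ASP is not served by the static server as a
# plain file, which would disclose source.
add cs action to_dyn_act -targetLBVserver dyn_vs
add cs policy dyn_content_pol -rule "HTTP.REQ.URL.SUFFIX.SET_TEXT_MODE(IGNORECASE).EQ(\"asp\") || HTTP.REQ.URL.SUFFIX.SET_TEXT_MODE(IGNORECASE).EQ(\"dll\") || HTTP.REQ.URL.SUFFIX.SET_TEXT_MODE(IGNORECASE).EQ(\"exe\")" -action to_dyn_act
bind cs vserver www_cs_vs -policyName dyn_content_pol -priority 100

# Everything that matches no policy goes to the default LB vserver.
bind cs vserver www_cs_vs -lbvserver static_vs

show cs vserver www_cs_vs
```

Policies are evaluated in priority order and the first match wins; the default LB vserver is the fall-through, so give it the most restrictive farm.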

3.12

Task Description: Configure policies pre/post authentication as part of configuring NetScaler Gateway settings

Testing Aspect: When

To implement two-factor authentication using RSA and LDAP when RSA will be used first to log on to Access Gateway:

With the Access Gateway wizard, use the chosen authentication type (use a RADIUS server to configure RSA authentication) to configure authentication.

To configure additional authentication policies (LDAP, in this case) after running the wizard, use the Access Gateway Policy Manager.

When NetScaler Gateway is deployed in a double-hop DMZ:

Configure NetScaler Gateway in the first DMZ to handle communications with the Secure Ticket Authority (STA) and ICA traffic appropriately.

The server running the STA can be bound either globally or to a virtual server.

In the configuration utility, on the Configuration tab, expand NetScaler Gateway and click either Global Settings or Virtual Servers and configure STA.
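The RSA-then-LDAP two-factor binding on the CLI, as an added example (not from the page). It assumes an LDAP authentication policy named ldap_corp_pol and a session profile named gw_ica_prof already exist on the gateway virtual server gw_vs; the RADIUS server address and shared secret are assumed:

```nscli
# Added example; names, IP and secret are assumed.
# RADIUS to the RSA Authentication Manager. A longer auth timeout gives
# users time to read the token; NAS-IP lets RSA identify this agent.
add authentication radiusAction rsa_rad_act -serverIP 10.0.3.30 -serverPort 1812 -radKey "REPLACE-SHARED-SECRET" -radNASip ENABLED -authTimeout 30
add authentication radiusPolicy rsa_rad_pol ns_true rsa_rad_act

# RSA first (primary), LDAP second (secondary): both must succeed.
bind vpn vserver gw_vs -policy rsa_rad_pol -priority 100
bind vpn vserver gw_vs -policy ldap_corp_pol -priority 100 -secondary

# With the token in the primary slot, single sign-on to Web Interface must
# use the secondary (LDAP) credentials, otherwise WI receives the passcode.
set vpn sessionAction gw_ica_prof -ssoCredential SECONDARY

show vpn vserver gw_vs
```

The RADIUS shared secret is the only thing protecting token results in transit; keep the RADIUS path on the internal network and register the appliance's source address (NSIP or SNIP, depending on mode) on the RSA side.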

3.13

Task Description: Configure NetScaler Gateway settings including setting up ICA proxy, configuring smart access and NetScaler Gateway mode basic, or configuring max authentication users

Testing Aspect: How

To configure NetScaler Gateway to allow users to connect to XenDesktop only through ICA connections:

In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and click Virtual Servers.

In the details pane, click Add.

In Name, type a name for the virtual server.

In IP Address and Port, type the IP address and port number for the virtual server.

To allow ICA connections only, click Basic Mode.

Click Create and Close.

SSL Error 29 ("The proxy denied access to ... port 1494") is caused in Web Interface 5.2 when there is an STA mismatch between Access Gateway and Web Interface: the STA listed on the Web Interface site must be one that is also bound on the gateway.

If the XenApp farm also has XML Service DNS Resolution enabled, then the address returned in the ICA file contains a DNS name rather than an IP address. This is by design.

SSL Error 29 can also occur when Access Gateway (Standard or Advanced) has an ICA Access Control List (ACL) configured. An ICA ACL can only contain IP addresses, so when the ICA connection attempt is made the host name cannot be evaluated against an IP-based ACL and the connection attempt fails.
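A gateway virtual server configured for the scenarios in 1.2, 3.12 and 3.13 (STA binding, ICA proxy with SSO to Web Interface, clientless access, and Basic Mode), as an added example that is not part of the page. Addresses, host names, the certkey gw_cert, the domain and the object names are assumed:

```nscli
# Added example; IPs, host names, certkey and object names are assumed.
enable ns feature SSLVPN

# Gateway vserver. -icaOnly OFF = SmartAccess mode (the default);
# -icaOnly ON = Basic Mode, ICA proxy connections only, no plug-in tunnel.
add vpn vserver gw_vs SSL 203.0.113.10 443 -icaOnly OFF
bind ssl vserver gw_vs -certkeyName gw_cert
set ssl vserver gw_vs -ssl3 DISABLED

# STAs the gateway validates tickets against. Bind the same STAs that the
# Web Interface site lists; a mismatch produces SSL Error 29 at launch.
bind vpn vserver gw_vs -staServer "https://sta1.corp.example.com"
bind vpn vserver gw_vs -staServer "https://sta2.corp.example.com"

# Session profile: ICA proxy on, SSO to the Web Interface home page,
# clientless access on with URL encoding Clear (TRANSPARENT), no transparent
# interception (no full tunnel) for users who get this policy.
add vpn sessionAction gw_ica_prof -transparentInterception OFF -SSO ON -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "https://wi.corp.example.com/Citrix/XenApp" -ntDomain CORP -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT
add vpn sessionPolicy gw_ica_pol ns_true gw_ica_prof
bind vpn vserver gw_vs -policy gw_ica_pol -priority 100

# To allow ICA connections only, as in 3.13 ("Basic Mode"):
set vpn vserver gw_vs -icaOnly ON

# Both STAs should show UP; an STA marked DOWN means launches will fail.
show vpn vserver gw_vs
```

-defaultAuthorizationAction ALLOW is acceptable only when -icaOnly is ON or transparent interception is OFF; once a full tunnel is offered, switch it to DENY and grant the internal networks with explicit authorization policies.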

3.14

Task Description: Customizing the User Experience including deploying the client, client options, customizing the Portal Page, location of important files (ns.conf, SSL certs, Licensing, web pages).

Testing Aspect: How

When using NetScaler Gateway and Web Interface to securely access a XenApp or XenDesktop environment, customize the header image URL in Web Interface.

Rebrand the user interface with a customized look and feel by displaying different images and colors throughout the site.

Use customized site branding images for the full graphics and low graphics layouts and, optionally, hyperlink the images.

To prevent users from making changes to the Access Gateway plug-in, verify that Configuration is unchecked in Client Experience > Advanced > Client Options.
