Omnissa Horizon Clients 2412

Last Modified: Dec 24, 2024 @ 6:19 am

This article applies to all versions of Horizon Client for Windows.

Horizon Client Versions

Starting August 2020, the client versioning changed to a YYMM format. Horizon Client 2412 is the latest release.

  • Horizon 8.x no longer supports Horizon Client 5.x and older.
  • Features, like ThinPrint, were removed from Horizon Client 2006 and newer, so don’t use the 2xxx (8.x) clients with Horizon 7.13 and older.
  • Microsoft Teams optimization features depend on Horizon Client version and Horizon Agent version. See Omnissa Knowledgebase Article 86475 MS Teams Optimization Feature Compatibility Matrix for Horizon 7 and Horizon 8 Recent Releases.
  • Windows 10 21H2 and Windows 11 are supported with Horizon Client 2111 and newer.
  • Horizon Client 2006 and newer no longer support Windows 7, Windows 8.1, or Windows 10 1809.

Connection Server can be configured to prevent older clients from connecting. Find it in the Global Settings node in Horizon Console.

Windows 10 / Windows 11 Support

  • Windows 11 24H2 is supported with Horizon Client 2412 (8.14) and newer.
  • Windows 10 22H2 and Windows 11 22H2 are supported with Horizon Client 2209 (8.7) and newer.
  • Windows 10 21H2 and Windows 11 are supported with Horizon Client 2111 (8.4) and newer.
  • Windows 10 21H1 is supported with Horizon Client 2103 (8.2) and newer.
  • Windows 10 20H2 is supported with Horizon Client 2012 (8.1) and newer.
  • Windows 10 2004 is supported with Horizon Client 2006 (8.0) and newer.
  • Windows 10 1909 is supported with Horizon Client 5.3 and newer.
  • Windows 10 1803 is supported with Horizon Client 4.8 and newer.

Manual Installation of Horizon Client

The Horizon Clients can be downloaded from https://customerconnect.omnissa.com/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/horizon_8.

  1. Log on to the client machine as an administrator. Administrative rights are required for the Horizon Client installation. You can also push the client silently as described in the next section.
  2. Open a browser and enter the name of your Horizon Connection Server in the address bar (e.g. https://view.corp.local). Use https://.
  3. Click the Install VMware Horizon Client link. If the Horizon Clients are installed on the Connection Server, the client will download immediately. Or you’ll be taken to omnissa.com to download the client.
  4. If you are redirected to the Clients download page (https://customerconnect.omnissa.com/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/horizon_8), then find the VMware Horizon Client for Windows, and click Go to Downloads.

  5. Then click Download Now.
  6. On the client machine, run the downloaded VMware-Horizon-Client-2412-8.14.exe.

    • If you want to use the URL Content Redirection feature in Horizon 7 and newer, run the installer with the following switch: /v URL_FILTERING_ENABLED=1.
    • If you want the UNC Path Redirection feature in 2209 (8.7) and newer, run the Client installer with the following switch: /v ENABLE_UNC_REDIRECTION=1. You can combine the two switches.
  7. Click Agree & Install, or click Customize Installation. Horizon Client 2203 and newer have an Enable Keylogger Blocking option, but only in Customize Installation; Horizon Client 2309 and newer also let you enable Keylogger Blocking later in the Settings interface.

    1. If you selected Customize Installation, you can enter a Default connection server, install Teams Optimization, enable Keylogger Blocking (2203 and newer), etc.
    2. Click Agree & Install when done.
  8. In the Success page, click Finish.
  9. Click Restart Now when prompted to restart.
  10. Note: Horizon Client 2412 and newer have Omnissa branding.

Verify URL Redirection

  1. In 2412 and newer, verify the presence of the file C:\Program Files\Omnissa\Omnissa Horizon Client\omnissa-url-protocol-launch-helper.exe.

    1. In older than 2412, to verify that URL Content Redirection is installed, verify the presence of the file C:\Program Files\VMware\VMware Horizon View Client\vmware-url-protocol-launch-helper.exe.
  2. There’s also an IE add-on.
  3. URL Content Redirection is configured using group policy.

Software Updates

  1. In the Horizon Client, click the hamburger icon on the top right, and click Software Updates. It will be green if there is an update available. Note: Horizon Client 5.5 will not offer an upgrade to Horizon Client 2006 or newer.
  2. There is an option to Show pop-up message when there is an update.
  3. The Horizon GPO Templates for Horizon Client have GPO settings to control the pop-up message. The settings are Update message pop-up and Allow user to skip Horizon Client update.

Install – Horizon Client Silent

Installing Horizon Client From the Command Line at Omnissa Docs has instructions on how to install the Horizon Client silently. Common methods for installing the client silently include: SCCM and Active Directory Group Policy Computer Startup Script.
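The following script is an added example and is not the page's own or Omnissa's: it pushes the client silently (for example from an SCCM package or a computer startup script), but first refuses to run an installer whose Authenticode signature is not valid, and afterwards checks for the URL Content Redirection helper from the Verify URL Redirection section above. The installer file name and the server FQDN are placeholders; the /silent /install switches and the VDM_SERVER property are taken from my reading of Installing Horizon Client From the Command Line at Omnissa Docs, and URL_FILTERING_ENABLED and ENABLE_UNC_REDIRECTION are the switches named in this article, so confirm all of them against the docs for your release. The signer names to accept are an assumption; read the real subject with Get-AuthenticodeSignature on your copy of the installer and pin that.

```powershell
# Added example (not from the article or Omnissa): verified silent install of the
# Windows Horizon Client plus a post-install check for URL Content Redirection.
# Assumptions: installer path, server FQDN and accepted signer names are placeholders.
[CmdletBinding()]
param(
    [string]$Installer = "$PSScriptRoot\VMware-Horizon-Client-2412-8.14.exe",
    [string]$ConnectionServer = 'view.corp.local',
    # Substring(s) expected in the signing certificate Subject (assumption; pin your own).
    [string[]]$ExpectedSigner = @('Omnissa', 'VMware')
)

if (-not (Test-Path $Installer)) { throw "Installer not found: $Installer" }

# 1. Supply-chain check: refuse an unsigned, revoked or tampered installer.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)'; aborting." }
$subject = $sig.SignerCertificate.Subject
if (-not ($ExpectedSigner | Where-Object { $subject -like "*$_*" })) {
    throw "Unexpected signer: $subject"
}
Write-Verbose "Signer OK: $subject"

# 2. Silent install. VDM_SERVER pre-populates the default Connection Server;
#    the two feature switches are the ones this article documents.
$installArgs = @(
    '/silent', '/install',
    "VDM_SERVER=$ConnectionServer",
    'URL_FILTERING_ENABLED=1',
    'ENABLE_UNC_REDIRECTION=1'
)
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
# Standard Windows Installer codes: 0 = success, 3010 = success but reboot required.
if ($proc.ExitCode -notin 0, 3010) { throw "Installer failed with exit code $($proc.ExitCode)" }

# 3. Verify URL Content Redirection landed. 2412 and newer use the Omnissa path,
#    older clients the VMware path (both from the Verify URL Redirection section).
$helpers = @(
    'C:\Program Files\Omnissa\Omnissa Horizon Client\omnissa-url-protocol-launch-helper.exe',
    'C:\Program Files\VMware\VMware Horizon View Client\vmware-url-protocol-launch-helper.exe'
)
$found = $helpers | Where-Object { Test-Path $_ }
if ($found) { Write-Host "URL Content Redirection installed: $found" }
else        { Write-Warning 'URL Content Redirection helper not found; check URL_FILTERING_ENABLED=1.' }

if ($proc.ExitCode -eq 3010) { Write-Warning 'A reboot is required to finish the install.' }
```

Run it elevated (the article notes administrative rights are required). The signature check is the part worth keeping even if you change the rest: an installer fetched onto a client from a share or a download cache is exactly the artifact an attacker would swap.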

Keylogger Blocking

Horizon Client 2309 and newer let you enable Keylogger Blocking if you did not select it during installation.

  1. In Horizon Client, before you open a server, click the Settings button.
  2. On the Security page, set Keylogger Blocking to On. Then restart the Horizon Client.

Launch Horizon Client

To launch a View Desktop or application manually:

  1. From the Start Menu run VMware Horizon Client (Omnissa Horizon Client in 2412 and newer).

    1. Horizon Client 4.7 and newer have a GPO setting to prevent the Client from being launched multiple times.
    2. Install the Horizon GPO templates if you haven’t already.
    3. Create or edit a GPO that is linked to an OU containing the Horizon Client machines. These are the end-user PCs, not the virtual desktops.
    4. The Block multiple Horizon Client instances per Windows session setting is at Computer Configuration | Policies | Administrative Templates | VMware Horizon Client Configuration.

  2. To change SSL certificate verification:
    • In Horizon Clients version 2106 and newer, click the Settings button on the top right. Switch to the SSL Configuration page. Then make a selection. This is also configurable using Group Policy as detailed at Certificate Validation below.


    • In Horizon Clients older than version 2106, open the Options (hamburger) menu, and click Configure SSL. This is also configurable using Group Policy as detailed at Certificate Validation below.

  3. If there is no server in the list, then use the New Server button on the top left or click Add Server on the top right.

  4. Enter the load balanced FQDN for the Connection Server and click Connect.

  5. You can click the Options menu to Hide the selector after launching an item.

  6. If you want to perform pass-through authentication, click the hamburger icon, and select Log in as current user. This option is only available if selected during installation, the client machine was rebooted, and is not prohibited using group policy. Also, the Connection Server must allow Log on as current user.

  7. Horizon 7.2 and newer have Recursive Unlock, which is enabled by default. See Using the Log In as Current User Feature Available with Windows-Based Horizon Client at Omnissa Docs.
  8. If you have apps published to an Unauthenticated User, click the hamburger icon, and select Unauthenticated access or Log in anonymously using Unauthenticated Access.

  9. Before connecting to the server, click Settings and then switch to the VMware Blast page. Or click the hamburger icon and then click Configure VMware Blast.

  10. In Horizon Client 4.8 and newer, network condition is determined automatically and no longer configurable in the client.
    1. If your Horizon Client is older than 4.8, then adjust the network condition and click OK. This affects TCP vs UDP for Blast connectivity. Excellent = TCP only. Typical = UDP if the ports are open. Poor = UDP plus packet duplication, which is best for 20% packet loss networks. More info in Omnissa Tech Zone VMware Blast Extreme Display Protocol in Horizon.
  11. You can optionally enable Allow High Color Accuracy.

  12. In Horizon Client 2106 and Horizon Agent 2106 and newer, High Efficiency Video Coding (HEVC) decoding is enabled by default.
  13. Horizon Client 5.2 and newer have an option to Allow Blast connections to use operating system proxy settings, which is deselected by default. You can configure a client-side group policy to enable proxy. Or users can manually enable it.
  14. Double-click the server.

  15. If the certificate is not trusted, click Show Certificate, and then click Continue. To disable this prompt, see Certificate Validation below.

  16. Enter your username and password, and then click Login.

    • Horizon 7.8 and newer no longer send the domain list by default but you can enable it in Horizon Console. Or, instruct users to login using their userPrincipalNames.

  17. If you see too many domains in the Domain list:
    1. You can filter them by running the vdmadmin -N command. See Configuring Domain Filters Using the ‑N Option at Omnissa Docs.
    2. Horizon 7.1 and newer have an option to Hide domain list in client user interface. If you enable this in Global Settings, then users must enter UPN, or Domain\Username. This is the same place you can configure Horizon to send the Domain List to the client.

  18. If any of your published applications or desktops are configured with a Category Folder, click Yes when asked for shortcuts to appear in your Start Menu or desktop.


    • Horizon Client 5.1 and newer have an interesting command line switch -installShortcutsThenQuit that connects to a Connection Server, creates the shortcuts on Start Menu and Desktop, and then quits. Here is sample syntax:
      vmware-view.exe -serverURL serverurl -loginAsCurrentUser true -installShortcutsThenQuit
  19. If any of your published application icons have Pre-launch enabled, then a session will be started on one of the Horizon Agents that hosts the icon. All it does is create a session; the icon that Pre-launch was enabled on is not launched until the user double-clicks the icon. When the user launches any icon published from the Horizon Agent, it will launch quickly.

    • After the user closes the Horizon Client, the Pre-launch session remains disconnected for the duration specified in the RDS Farm.
  20. Horizon Client 2406 and newer let users organize icons into folders.

    • The Folders feature can be disabled in Horizon Console 2406 and newer at Settings > Global Settings. It’s enabled by default.
  21. If you have a bunch of icons, click one of the icons and then start typing in the name of the icon and it will highlight.
  22. If the pool settings allow it, you can right-click an icon and then select a protocol. VMware Blast is the recommended protocol.


    1. When editing a pool, you can force users to use a particular protocol by setting Allow Users to Choose Protocol = No.
    2. In Horizon Console, at Monitor > Sessions, if you scroll to the right, you can see which Protocol the clients are using.
  23. You can synchronize num lock and caps lock status.
    1. Right-click a desktop icon and click Settings.

    2. The left side of the screen shows all published desktops. On the right, enable the option to Automatically synchronize the keypad, scroll, and caps lock keys.

    3. You can also automatically enable this setting by configuring a client-side group policy setting.
  24. Either double-click an icon, or right-click an icon, and click Launch.

  25. When connecting, you might be prompted to access your local files.

    • You can change your file sharing options by clicking the Settings button (or gear icon) and switching to the Data Sharing (or Sharing) page.

  26. If you are connected to a remote desktop, you can use the menu at the top of the screen, click the three dots, and then click Settings. An interesting option is Autoconnect to this Desktop. This setting is stored on the Horizon Connection Server in LDAP and there doesn’t appear to be any way to automate enabling it.


  27. In Horizon Client 4.4 and newer, administrators can enable a Desktop Pool Setting that allows users to Restart the remote desktop gracefully.

  28. Horizon can show the client’s battery status in the remote desktop. The user will have to click the up arrow in the system tray to see the battery icon. The battery icon is shown in both single-user Virtual Desktops and multi-user RDS Desktops.
  29. There are client-side group policy settings to define a hotkey combination for grabbing and releasing input focus.
  30. The Horizon Client also has a taskbar jump list showing recently launched applications and desktops.
  31. Some of the menu items in Horizon Client can be hidden by configuring Group Policy using the Horizon GPO Templates.
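As an added example that is not part of the article, here is a small PowerShell wrapper around the -installShortcutsThenQuit command line shown above. It locates the client executable, forces an https:// server URL, and deliberately uses Log in as current user rather than the -userName/-password switches, because a password on a command line is readable by any process that can list processes, and the Allow command line credentials = disabled policy recommended later on this page blocks that path anyway. Assumptions: that the executable is still named vmware-view.exe under the 2412 Omnissa install folder (check your install), and the -desktopName switch, which the article does not mention.

```powershell
# Added example (not from the article or Omnissa): scripted launch / shortcut creation
# without credentials on the command line.
# Assumptions: executable name under the Omnissa path; -desktopName switch.
function Get-HorizonClientExe {
    $candidates = @(
        'C:\Program Files\Omnissa\Omnissa Horizon Client\vmware-view.exe',          # 2412+ (assumed name)
        'C:\Program Files\VMware\VMware Horizon View Client\vmware-view.exe',        # older 64-bit
        "${env:ProgramFiles(x86)}\VMware\VMware Horizon View Client\vmware-view.exe" # older 32-bit
    )
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) { throw 'Horizon Client executable not found.' }
    return $exe
}

function Start-HorizonClient {
    param(
        [Parameter(Mandatory)][string]$ServerUrl,
        [string]$DesktopName,
        [switch]$InstallShortcutsThenQuit
    )
    # The article says to use https://; refuse to silently downgrade.
    if ($ServerUrl -notmatch '^https://') { $ServerUrl = "https://$ServerUrl" }

    # Pass-through authentication instead of -userName/-password: no secret in the
    # process command line, and it matches "Allow command line credentials = disabled".
    $argList = @('-serverURL', $ServerUrl, '-loginAsCurrentUser', 'true')
    if ($DesktopName)              { $argList += @('-desktopName', $DesktopName) }
    if ($InstallShortcutsThenQuit) { $argList += '-installShortcutsThenQuit' }

    Start-Process -FilePath (Get-HorizonClientExe) -ArgumentList $argList
}

# Create Start Menu / Desktop shortcuts for Category Folder items, then exit.
Start-HorizonClient -ServerUrl 'view.corp.local' -InstallShortcutsThenQuit
```

Log in as current user only works when it was selected at install time, the machine has rebooted, group policy does not prohibit it, and the Connection Server allows it, as the steps above describe; when it is unavailable the client will prompt interactively instead.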

Shortcuts and Favorites

In the Horizon Client, once you are connected to a server, you can right-click an icon and click Create Shortcut to Desktop or Add to Start Menu.

In the Horizon Client, each desktop/app icon has a star icon you can click, or right-click an icon and Mark as Favorite. Favorites are stored in the LDAP database on the Horizon Connection Server.


  1. On the top right of the Horizon Client, you can switch to the Favorite view so that only icons selected as Favorites are displayed.

  2. Or switch back to the All View by deselecting the Favorite button.

Support information

  1. In Horizon Client 2106 and newer, the menu has an About VMware Horizon Client item.

    1. Alternatively, the Question Mark menu has Support Information.
  2. Users can click this to find the client name, client operating system, Horizon Client version, the Horizon Connection Server name, and entitled desktops.

Certificate Validation

When you connect to a Horizon Connection Server and the certificate is not trusted or is invalid, the user is prompted to accept the certificate. You can disable this prompt on any client machine that can be controlled using group policy.

  1. Copy the Horizon .admx files to PolicyDefinitions if you haven’t already.
  2. Create a GPO that is linked to an OU containing the Horizon Client machines. These are the end-user PCs, not the virtual desktops.
  3. Edit the GPO.
  4. Go to Computer Configuration | Policies | Administrative Templates | VMware Horizon Client Configuration | Scripting Definitions.
  5. On the right, double-click Server URL.
  6. Set the URL to your Horizon View URL and click OK.
  7. On the left, click Security Settings. On the right, open the setting Certificate verification mode.
  8. Enable the setting and make your choice. No Security disables the certificate prompt, but it does so by not verifying the server certificate at all, so the client will connect to anything answering on that name. The choice that removes the prompt without giving up verification is Full Security together with a Connection Server certificate that chains to a root the client trusts. Then click OK.

Horizon 2306 (8.10) and newer with Horizon Client 2306 (8.10) and newer can enforce certificate checking on the client.

  1. Go to Settings > Global Settings > Client Desired Configuration and click Edit.
  2. Make your choices and click OK.
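Before enforcing Full Security, either from the client GPO or from Client Desired Configuration, it is worth checking from a client that the Connection Server's certificate actually chains to a trusted root, because once the mode is enforced an untrusted chain stops users from connecting rather than just prompting them. The function below is an added example (not from the article or Omnissa) that opens a TLS connection with .NET's SslStream, records the chain validation result instead of aborting on it, and reports what Full Security would decide. The FQDN is a placeholder.

```powershell
# Added example (not from the article or Omnissa): dry-run the certificate check that
# "Certificate verification mode = Full Security" will enforce on the client.
# Assumption: the Connection Server (or load balancer) FQDN is a placeholder.
function Test-HorizonServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443
    )
    $script:tlsErrors = $null
    $script:tlsChain  = @()

    # Record the outcome of Windows chain building; return $true so the handshake
    # completes and we can still read the certificate details.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:tlsErrors = $errors
        $script:tlsChain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # SNI + hostname check against $Server
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }

    [pscustomobject]@{
        Server        = $Server
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Expires       = $cert.NotAfter
        PolicyErrors  = $script:tlsErrors          # None = Full Security would accept
        ChainStatus   = ($script:tlsChain -join ', ')
        FullSecurityOK = ($script:tlsErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
}

$check = Test-HorizonServerCertificate -Server 'view.corp.local'   # placeholder FQDN
$check | Format-List
if (-not $check.FullSecurityOK) {
    Write-Warning "Full Security would refuse this server: $($check.PolicyErrors) [$($check.ChainStatus)]"
}
```

Run it on a representative client, not on the Connection Server itself: the point is the trust store and name resolution that the end-user PC has, which is what the Horizon Client will use. Check the load-balanced name users actually type, since a certificate valid for the individual server name but not the VIP name fails the hostname check.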

Device Redirection

Client Drive Redirection

  1. When you connect to a Horizon Agent that has Client Drive Redirection enabled, you are prompted to allow file redirection.

  2. By default, only the user’s local profile is redirected.
  3. You can redirect more folders or drives by opening Settings, or by clicking the Options menu and then Share Folders.

  4. In the Drive & Folder Sharing tab (or Sharing tab), on the Global Sharing sub-tab, add drives or folders.

    • Horizon Client 2206 and newer with Horizon Agent 2206 and newer have an Exclusive Sharing tab that lets you share a client drive exclusively with the remote desktop for faster file transfer performance. The Storage Drive Redirection feature is installed by default on Horizon Agent 2206 and newer.
  5. The folders or drives you added are now visible within Explorer in the Horizon Desktop.
  6. Client Drive Redirection also works in published applications.
  7. Horizon Agent 7.7 and newer with Horizon Client 4.10 and newer let you drag files from the local machine into the remote machine. This is drag only. You can’t copy/paste. If you drag the file onto a remote application, then the application opens the file.

    1. This feature can be disabled and/or controlled in a GPO that applies to the Horizon Agent. Make sure the Horizon 7.7 or newer GPO templates are installed. In the Computer half of the GPO, go to Administrative Templates > VMware Blast and edit the setting Configure drag and drop direction.
    2. The Configure drag and drop direction setting is also configurable for PCoIP under the Computer-half node named PCoIP Session Variables > Overridable Administrative Defaults.
  8. The client drive redirection prompt configuration is stored in %appdata%\VMware\VMware Horizon View Client\prefs.txt. You can edit this file to disable the prompt.

  9. Horizon has some GPO settings for Client Drive Redirection that let you control drive letters for client drives in the remote session. Install the Horizon GPO Templates if you haven’t already. Edit a GPO that applies to the Horizon Agents. Then find the settings under VMware View Agent Configuration > VMware Horizon Client Drive Redirection.

Serial Port Redirection

  1. If you connect to a Horizon Agent that has Serial Port Redirection enabled, then a new icon will appear in the system tray.
  2. Right-click the icon to map the remote COM port to the local COM port.

Scanner Redirection

From VMware Blogs Scanner Redirection in Horizon with View: we have added scanner redirection to Horizon with View for use with both VDI desktops and Remote Desktop Session Host (RDSH) applications and desktops. The new scanner redirection functionality in View works by capturing the entire image at the client with the scanning device, compressing the image, and sending that compressed image to the guest in the data center, where the image is presented by a “virtual scanner device” to the application that requested the image capture. The scanner redirection functionality supports both TWAIN and WIA scanning modes and allows images to be captured from both scanners and other imaging devices (such as webcams).

The scanner redirection functionality requires the Horizon Agent version 6.0.2 or later, and the Windows Horizon Client 3.2 or later.

When you install the Horizon Agent component, be sure to select the scanner redirection feature if you want to use it; it is disabled by default. If you are installing the feature onto a server-based OS (Windows Server 2008 R2 or Windows Server 2012 R2) for either VDI desktops or RDSH desktops or applications, then be sure that the Desktop Experience feature (a Microsoft operating system feature) is installed on the server OS first. (This is a prerequisite for installing scanners in a server-based OS.)

After a user makes a connection from a compatible Windows Horizon Client to the new Horizon Agent, a new tool-tray application icon appears. The user clicks the icon to reveal the compatible image acquisition devices available for scanning.

The default mode of operation is, however, that “it should just work,” and the seamless hosted application should be able to acquire an image without needing manual intervention. The user may need to adjust the preferences if more than one imaging device is connected to the client machine, and the user wants to select a specific scanner, or if the user wants to adjust the scan resolution, and so on.

Scanner Redirection Preferences, available by clicking Preferences from the tool-tray icon, allows further configuration of the scanning process, for example, adjusting the default compression applied to the scanning. This can greatly reduce the bandwidth needed to transmit the image (the compression is applied on the client side before the image is transmitted to the guest), but, of course, the more an image is compressed, the lower the image quality. In addition, in the Scanner Redirection Preferences, options are available to adjust the default image capture device (for example, automatic mode, last-used, or an absolute specified device).

These preferences can also be adjusted by way of Group Policy options in the guest OS. A new GPO file (available in the Horizon with View GPO Bundle) allows this configuration. See Configuring Scanner Redirection in Setting Up Desktop and Application Pools in View for more information.

Scanner Redirection Caveats

From VMware Communities:

  • Scanner redirection does not create a device on your virtual desktop that matches the name of the actual scanner.  It creates a generic scanner in Device Manager called VMWare Virtual WIA Scanner (or VMWare Virtual TWAIN Scanner I am assuming).  For us this stinks because the image capture software our client uses (Vertex by Jack Henry), has a prepopulated list of scanners you can select.  So if we plug in a Canon-CR50 and select Canon CR50/80 in the application, it does not recognize that this scanner is attached to the virtual desktop.
    1. There is a tick box option in the scanner preferences dialog box titled “Use vendor defined names for TWAIN scanners”. This should solve the issue you mention, and we added it specifically to cover the problematic use case you mention.
    2. This only applies to TWAIN scans, WIA can’t use the vendor name.
  • You must install a TWAIN or WIA driver on your thin client.  If you can’t find a TWAIN or WIA driver, you are out of luck.  For teller check image scanners, we have found no TWAIN or WIA drivers for the TellerScan TS-230, TS-240, or the Canon CR-55.  We have found a TWAIN driver for the Canon CR-50 (from the Canon Europe site no less), but issue #1 above means we are out of luck.

Client Printers

Horizon 7.7 and newer with Horizon Client 4.10 and newer have a new VMware Integrated Printing (aka VMware Advanced Printing) feature that replaces the older ThinPrint technology. ThinPrint is no longer available in Horizon Agent 2006 and newer.

When printing from an application, if you highlight a printer and click Preferences, the VMware Horizon icon on the Layout tab shows you that this printer is using VMware Integrated Printing.

If you open the client printer Properties as an administrator, on the Advanced tab, you will see the VMware Universal EMF Driver.

If older ThinPrint:

  • Inside the virtual desktop, if you go to Devices and Printers, it will look a little weird. To see all of the client printers, right-click on a TP printer and use the expandable menus.
  • But when you print from an application, all printers appear normally.

File Type Association

Some published applications might have file types associated with them. When you double-click a file with the configured extension, you might be prompted to open the file using the remote application.

In Horizon Client, if you right-click an icon and click Settings:

  • On the Applications page (or Sharing page), you can disable this functionality.

It’s also configurable in the client-side registry at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client by creating a String value named AllowFileRedirection and setting it to false. See VMware Communities for more information.

Session Collaboration

Horizon 7.4 and newer have an Allow Session Collaboration checkbox in Pool Settings and RDS Farm Settings.

This setting enables a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.

The invite is a URL that you can run (or click) on the collaborator’s machine that has Horizon Client 4.7 or newer installed.

To give control to the collaborator, double-click the green icon to open the Session Collaboration window. Or open the icon in the system tray.

Performance Tracker

Horizon Agent 7.5 and newer have an optional component called Performance Tracker.

When installing Horizon Agent, the last option is Horizon Performance Tracker. It is deselected by default.

After it’s installed in an RDS farm, you can publish the Performance Tracker as an Application Pool.

Or connect to a Desktop and launch it from the Desktop icon.

It can display protocol performance information in graphical or tabular form. The overview UI also shows the name of the Horizon Agent machine.

There’s also a Floating Bar option.

Performance Tracker can be configured to launch automatically:

  1. Install the Horizon GPO templates if you haven’t already.
  2. Edit a GPO that applies to the Horizon Agents. These are Computer settings.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware Horizon Performance Tracker.
  4. On the right, you’ll see two options for auto starting the Performance Tracker.
  5. Both settings let you Show or Hide the overview UI.
  6. If Hide is selected, then users can open the Tracker from the systray icon.

HTML Blast

From the Horizon Connection Server webpage, you can click the VMware Horizon View HTML Access link to launch a desktop or application inside your browser. While Internet Explorer 9 is supported, some functionality, like clipboard and audio, is only available in Internet Explorer 10 and newer, Chrome and Firefox.

In Horizon 6.2 and later, you can launch applications as well as desktops from HTML Blast.

If you click the star icon then you can Mark the icon as a Favorite. Favorites are stored in the LDAP database on the Horizon Connection Server.

Applications and desktops are launched within the browser window. You can click the vertical lines on the left to switch to a different application or desktop.

You can open the Copy & Paste panel to copy between the local machine and the remote machine.

Thin Clients

Omnissa EUC Technology Partner Hub – Thin Client Device and Model Information. It shows thin client models and the version of Horizon that is supported with the model.

Repurposed PCs

From Chris Halstead VMware Horizon View AutoConnection Utility: I decided to write an app in .NET that is essentially a wrapper for the View Client.  It creates the command line variables based on what the user configures in the GUI and automatically connects to the specified desktop or application pool.  All of the user configured information is stored in the registry under the current user hive.

The application silently and automatically connects into either a desktop or application pool each time a user logs in by placing it in the startup folder.

Once you have tested your connection, you are ready to enable AutoConnection.  You enable AutoConnection by checking the “Enable AutoConnection” box.   A common use case would be to place the .exe in the Windows startup folder so that every time a user logs in it will automatically connect to the Virtual Desktop.

This will run the application with the GUI hidden and will automatically connect to the specified pool.   The application will minimize to the system tray and a balloon will indicate the connection process is occurring.

Horizon Client Group Policy – Security Settings

The Horizon GPO Bundle includes policy templates for the Horizon Client. See https://www.carlstalhood.com/horizon-group-policy-and-profiles/#viewtemplates to install the ADMX files.

Here are the client-side security GPO settings that VMware recommended in its Horizon with View Security Hardening Overview:

Computer Config | Policies | Administrative Templates | VMware Horizon Client Configuration | Scripting definitions:

  • Disable 3rd-party Terminal Server plugins = Enabled

Computer Config | Policies | Administrative Templates | VMware Horizon Client Configuration | Security Settings:

  • Allow command line credentials = Disabled
  • Certificate verification mode = Enabled, Full Security
  • Default value of the ‘Log in as current user’ checkbox = Disabled
  • Display option to Log in as current user = Disabled
  • Servers Trusted for Delegation = Enabled (list only the Connection Servers that may receive the user’s credentials)
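To confirm that these settings actually reached a client (a GPO linked to the wrong OU or blocked by inheritance is the usual reason they do not), the added script below reads the policy branch the Horizon Client ADMX writes to and compares the values it finds with the recommendations above. It is not from the article or Omnissa. The registry value names and the meaning of CertCheckMode (0 = no security, 1 = warn, 2 = full security) are as I recall them from vdm_client.admx; open that file in your GPO bundle and adjust the names if they differ, and note that this branch is where the 2412 client still reads policy only if Omnissa did not move it, which you should verify on one machine with gpresult.

```powershell
# Added example (not from the article or Omnissa): audit the client-side Horizon
# security policies that a GPO should have applied.
# Assumptions: policy key path and value names as recalled from vdm_client.admx.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client'

# Expected values, from the recommendations above (ADMX value names are assumptions).
$Expected = @{
    CertCheckMode                   = 2   # Full Security
    AllowCmdLineCredentials         = 0   # Disabled
    LogInAsCurrentUser_Display      = 0   # Display option ... = Disabled
    LogInAsCurrentUser_DefaultValue = 0   # Default value of checkbox = Disabled
}

function Get-HorizonClientPolicyValues {
    # Flatten every value under the policy branch (and its subkeys) into one table,
    # so the check does not depend on which subkey a given ADMX setting writes to.
    if (-not (Test-Path $PolicyRoot)) { return @{} }
    $values = @{}
    $keys = @(Get-Item $PolicyRoot) + @(Get-ChildItem $PolicyRoot -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.Property) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Test-HorizonClientHardening {
    $actual = Get-HorizonClientPolicyValues
    if ($actual.Count -eq 0) {
        Write-Warning "No Horizon Client policy found under $PolicyRoot (GPO not applied?)"
    }
    foreach ($name in $Expected.Keys) {
        $have = $actual[$name]
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $have) { '<not set>' } else { $have }
            Compliant = ($have -eq $Expected[$name])
        }
    }
    # Servers Trusted for Delegation: the recommendation is to enable it and list
    # only your Connection Servers; anything else is a credential-delegation target.
    $trusted = $actual['BrokersTrustedForDelegation']
    [pscustomobject]@{
        Setting   = 'BrokersTrustedForDelegation'
        Expected  = 'only your Connection Servers'
        Actual    = if ($null -eq $trusted) { '<not set>' } else { ($trusted -join ', ') }
        Compliant = ($null -ne $trusted)
    }
}

Test-HorizonClientHardening | Format-Table -AutoSize
```

Because the script walks the whole policy branch, it also surfaces any setting you did not expect to be there, which is useful when a client has been hardened by someone else's GPO or by a local admin editing the registry.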

VMware Horizon 6 – Master RDS Host

Last Modified: Sep 2, 2018 @ 7:52 am

Use this post to build a Windows Server Remote Desktop Session Host that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post.

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • For 2012 R2, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure ISO file is not configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine and click Edit Settings.
  4. On the VM Options tab, expand Advanced and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.
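The same change with PowerCLI, as an added example that is not part of the article: useful when you have more than one master to fix, and it refuses to touch a VM that is still powered on. It assumes the VMware.PowerCLI module and an existing Connect-VIServer session; the VM names are placeholders.

```powershell
# Added example (not from the article or VMware): set devices.hotplug=false on one or
# more VMs with PowerCLI instead of the vSphere Client. Assumes Connect-VIServer was run.
function Disable-VMDeviceHotplug {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$VMName)
    process {
        $vm = Get-VM -Name $VMName -ErrorAction Stop
        if ($vm.PowerState -ne 'PoweredOff') {
            Write-Warning "$VMName is $($vm.PowerState); power it off first, skipping."
            return
        }
        $setting = Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug'
        if ($setting) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value 'false' -Confirm:$false | Out-Null
        } else {
            New-AdvancedSetting -Entity $vm -Name 'devices.hotplug' -Value 'false' -Confirm:$false | Out-Null
        }
        # Read it back so the result is visible and scriptable.
        [pscustomobject]@{
            VM             = $vm.Name
            DevicesHotplug = (Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug').Value
        }
    }
}

'RDSH-MASTER-01', 'RDSH-MASTER-02' | Disable-VMDeviceHotplug   # placeholder VM names
```

Set this on the master before cloning: the advanced setting is part of the .vmx and is carried into the clones, so fixing it on the master is what stops users on every session host from ejecting the NIC.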

VMware Tools

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right and ensure that vmhgfs is not listed. If it is, remove it.
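The ProviderOrder value is a comma-separated list, so the check above is easy to script. The function below is an added example (not from the article or VMware): it removes vmhgfs from the list if present, supports -WhatIf so you can see the change before writing it, and returns the resulting order. It also touches the HwOrder value under the same NetworkProvider key, which Windows maintains alongside Order and which the article does not mention; that part is an addition of mine.

```powershell
# Added example (not from the article or VMware): remove the VMware Shared Folders
# provider (vmhgfs) from the network provider order after installing VMware Tools.
# Assumption: HwOrder is handled as well as Order (the article only names Order).
function Remove-VmhgfsNetworkProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$KeyPath = @(
            'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
            'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'
        )
    )
    foreach ($path in $KeyPath) {
        if (-not (Test-Path $path)) { continue }
        $current   = (Get-ItemProperty -Path $path -Name ProviderOrder).ProviderOrder
        $providers = $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

        # -notcontains is case-insensitive, so 'vmhgfs' and 'VMHGFS' are both caught.
        if ($providers -notcontains 'vmhgfs') {
            [pscustomobject]@{ Key = $path; Before = $current; After = $current; Changed = $false }
            continue
        }
        $new = ($providers | Where-Object { $_ -ne 'vmhgfs' }) -join ','
        if ($PSCmdlet.ShouldProcess($path, "ProviderOrder '$current' -> '$new'")) {
            Set-ItemProperty -Path $path -Name ProviderOrder -Value $new
        }
        [pscustomobject]@{ Key = $path; Before = $current; After = $new; Changed = $true }
    }
}

Remove-VmhgfsNetworkProvider -WhatIf      # preview
Remove-VmhgfsNetworkProvider | Format-Table -AutoSize
```

If vmhgfs keeps coming back, the Shared Folders component was installed after all; remove it through the VMware Tools setup rather than fighting the registry on every Tools upgrade.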

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

User Account Control and SmartScreen

This section is optional.

  1. Right-click the flag icon by the clock and click Open Action Center. Or launch it from the Start Menu.
  2. On the left click Change User Account Control settings.
  3. To disable UAC, move the slider down to Never Notify and click OK. Or you can leave it enabled if your security standards require it.
  4. Back in Action Center, on the left, click Change Windows SmartScreen settings.
  5. Make your selection regarding SmartScreen and click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right click the link for Last checked for updates.
  2. On the left, click Change settings.
  3. Check the box next to Give me updates for other Microsoft products when I update Windows and click OK.
  4. Windows Update will automatically start checking for updates.
  5. Install any updates it recommends.

Windows Server 2008 R2 Hotfixes

If this is a Windows Server 2008 R2 session host, at a minimum, request and install the Windows hotfixes listed at Citrix CTX129229 Recommended Hotfixes for XenApp 6.x on Windows Server 2008 R2. Scroll down to the Microsoft Hotfixes section.

Microsoft 2483177 You cannot play back an H.264 video file or an AAC audio file on a computer that is running Windows Server 2008 R2 with the Desktop Experience feature enabled. From the hotfix description: the Desktop Experience feature in Windows Server 2008 R2 does not include decoders for the H.264 and AAC formats.

The Desktop Experience Decoder Update for Windows Server 2008 R2 package is available from the Microsoft Download Center.

File Sharing

By default on Windows 2012, if Windows Firewall is enabled, then all file shares are blocked. You can’t even connect to C$ from a different machine. To facilitate remote management, consider enabling file sharing. Enabling it exposes the C$ and ADMIN$ admin shares to every host that can reach TCP 445, so scope the firewall rules to your management network rather than leaving them open to Any.

  1. To enable sharing, by the clock, right-click the network icon and click Open Network and Sharing Center.
  2. On the left, click Change advanced sharing settings.
  3. Select Turn on file and printer sharing.
  4. Select Turn on network discovery.

Windows Firewall – Remote Management

By default, Windows Server 2012 blocks remote management tools. For example, you can’t use Event Viewer on server 1 to access the event logs on server 2.

  1. Run Windows Firewall with Advanced Security.
  2. On the left, click Inbound Rules.
  3. On the right, right-click COM+ Network Access (DCOM-In) and click Enable Rule.
  4. Highlight all three Remote Event Log Management rules (NP-In, RPC, RPC-EPMAP), right-click, and click Enable Rule.
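The File Sharing and Windows Firewall steps above can be done from an elevated PowerShell prompt on the session host, which also lets you restrict the rules to a management subnet instead of opening SMB and DCOM to every client. This is an added example, not code from the original article; the subnet 10.20.30.0/24 is an assumption, replace it with wherever your admin workstations live. It uses the NetSecurity module that ships with Windows Server 2012 and newer.

```powershell
# Added example (not from the original article): enable the same firewall rule
# groups the GUI steps turn on, then scope their inbound rules to a management
# subnet so C$/ADMIN$ (SMB) and RPC/DCOM are not reachable from every user client.
# Assumption: 10.20.30.0/24 is the admin workstation network. Run elevated.

$ManagementSubnet = '10.20.30.0/24'   # assumption: your management network

$Groups = @(
    'File and Printer Sharing',        # C$ / ADMIN$ and SMB in general (step 3 of File Sharing)
    'Network Discovery',               # step 4 of File Sharing; drop this line if you only need C$
    'COM+ Network Access',             # the COM+ Network Access (DCOM-In) rule
    'Remote Event Log Management'      # the three Remote Event Log rules (NP-In, RPC, RPC-EPMAP)
)

foreach ($Group in $Groups) {
    # Enable only the inbound rules of each group and, on those same rules,
    # replace the default remote address (Any / LocalSubnet) with the management subnet.
    Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound |
        Enable-NetFirewallRule -PassThru |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet
}

# Verification: every enabled inbound rule in those groups with its remote scope.
# Anything still reporting 'Any' is reachable from every network the host sits on.
Get-NetFirewallRule -DisplayGroup $Groups -Direction Inbound -Enabled True |
    ForEach-Object {
        $Addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($Addr -join ',')
        }
    } | Format-Table -AutoSize
```

Run the verification block again after group policy refreshes; a domain GPO that manages the firewall will overwrite the scope you set here, in which case the RemoteAddress restriction belongs in that GPO instead.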

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012

If this session host is Windows Server 2008 R2 then skip to the next section.

  1. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. Click Next until you get to the Server Roles page.
  3. Check the box next to Remote Desktop Services and click Next.
  4. Check the box next to Group Policy Management and scroll down.
  5. Expand User Interfaces and Infrastructure and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc.
  6. Check the box next to Telnet Client and scroll up.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to Active Directory Administrative Center.
  8. To verify Remote Desktop Services licensing, expand Remote Desktop Services Tools and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  9. In the Select role services page, check the box next to Remote Desktop Session Host and click Next.
  10. If desired, click the Restart box, then click Install. Restart is required.

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2 then the instructions are slightly different.

  1. In Server Manager, right-click Roles and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, choose an authentication method and click Next. Require Network Level Authentication is the safer choice because it makes RDP clients authenticate before a session is created; select Do not require Network Level Authentication only if you must support RDP clients that cannot do NLA (CredSSP).
  8. In the Specify Licensing Mode page, select Per User and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine) and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Login to the server. Then click Close.

Remote Desktop Licensing Configuration

Windows Server 2012 has no per-server GUI for RD Licensing settings on a standalone session host (the Server Manager RDS overview needs a full RDS deployment with a Connection Broker), so configure them with group policy (local or domain). The same policy settings work for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the RD Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.
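The two policy settings above map to registry values under the Terminal Services policy key, so the same configuration can be scripted and verified on each session host. This is an added example, not from the original article; the license server names are assumptions. Run it elevated on the session host; a domain GPO that configures the same settings will overwrite these values at the next policy refresh.

```powershell
# Added example (not from the original article): write the two policy values
# behind "Use the specified Remote Desktop license servers" and "Set the Remote
# Desktop licensing mode", then read back what the RD Session Host reports.
# Assumption: rdlic01/rdlic02.example.local are your RD Licensing servers.

$LicenseServers = @('rdlic01.example.local', 'rdlic02.example.local')  # assumed names
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# "Use the specified Remote Desktop license servers" -> REG_MULTI_SZ SpecifiedLicenseServers
New-Item -Path "$PolicyKey\LicenseServers" -Force | Out-Null
Set-ItemProperty -Path "$PolicyKey\LicenseServers" -Name SpecifiedLicenseServers `
    -Value $LicenseServers -Type MultiString

# "Set the Remote Desktop licensing mode" -> DWORD LicensingMode: 2 = Per Device, 4 = Per User
Set-ItemProperty -Path $PolicyKey -Name LicensingMode -Value 4 -Type DWord

# Verification through the Win32_TerminalServiceSetting WMI class, which reports
# the effective licensing mode and the license server list the host will use.
$ts = Get-CimInstance -Namespace root\cimv2\TerminalServices `
        -ClassName Win32_TerminalServiceSetting
$ModeName = @{ 0 = 'Personal'; 1 = 'Remote Admin'; 2 = 'Per Device'; 4 = 'Per User'; 5 = 'Not configured' }
$Effective = Invoke-CimMethod -InputObject $ts -MethodName GetSpecifiedLicenseServerList

[pscustomobject]@{
    LicensingMode          = $ModeName[[int]$ts.LicensingType]
    EffectiveLicenseServers = ($Effective.SpecifiedLSList -join ',')
    PolicyLicenseServers   = ((Get-ItemProperty "$PolicyKey\LicenseServers").SpecifiedLicenseServers -join ',')
}
```

If LicensingMode still reports Not configured, the TermService has not re-read policy yet; the RD Licensing Diagnoser from step 5 shows the same state and names the license server it discovered.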

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users and Create Folders and click Remove.
  4. Highlight the line containing Users and Special and click Remove. Click OK

  5. Click Yes to confirm the permissions change.
  6. If you see any of these Error Applying Security windows, click Continue.
  7. Click OK to close the C: drive properties.
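The two entries removed in steps 3 and 4 are the BUILTIN\Users ACEs on C:\ that grant Create Folders / Append Data and (the "Special", inherit-only one) Create Files. This added example, which is not from the original article, removes exactly those two entries and leaves the Users Read & Execute entry in place, so you can apply it to every session host and confirm the result instead of clicking through the dialog. Run it elevated.

```powershell
# Added example (not from the original article): remove the BUILTIN\Users ACEs on
# C:\ that allow ordinary users to create folders and files outside their profile,
# while keeping their Read & Execute entry. Idempotent: reports 0 on a second run.

$Path     = 'C:\'
$Identity = 'BUILTIN\Users'
[System.Security.AccessControl.FileSystemRights]$WriteBits =
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor   # "Create Folders / Append Data" entry
    [System.Security.AccessControl.FileSystemRights]::CreateFiles               # the "Special" (Create Files, subfolders only) entry

function Get-UsersWriteAces {
    param([string]$Path, [string]$Identity, [System.Security.AccessControl.FileSystemRights]$Bits)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        ([int]($_.FileSystemRights -band $Bits) -ne 0)
    }
}

$before = @(Get-UsersWriteAces -Path $Path -Identity $Identity -Bits $WriteBits)
"Before: $($before.Count) write ACE(s) for $Identity on $Path"
$before | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

if ($before.Count -gt 0) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $before) { $acl.RemoveAccessRuleSpecific($ace) }
    # Set-Acl rewrites only the DACL on C:\; Windows then re-propagates inherited
    # entries to children. Subfolders that deny Administrators produce the same
    # "Error Applying Security" messages the GUI shows in step 6; they can be ignored.
    Set-Acl -Path $Path -AclObject $acl
}

$after = @(Get-UsersWriteAces -Path $Path -Identity $Identity -Bits $WriteBits)
"After: $($after.Count) write ACE(s) for $Identity on $Path (expected 0)"
```

A quick functional check afterwards is to log on as a non-admin test user and try to create a folder in the root of C:\; it should be denied while C:\Users\<name> still works.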

Installs

VMware Horizon 6 Agent 6.2.2

View Agent for RDS Hosted Apps Desktops is missing a few features:

  • No Generic USB Redirection. USB Flash Drives and hard drives are supported.
  • No Real-Time Audio Video
  • No serial port redirection
  • No Persona. Instead use VMware User Environment Manager (Horizon Enterprise) or Microsoft’s roaming profiles

To install View Agent on Remote Desktop Services, do the following:

  1. Go to the downloaded Horizon 6 Agent x64 6.2.2 and run VMware-viewagent-x86_64-6.2.2.exe.
  2. In the Welcome to the Installation Wizard for VMware Horizon 6 Agent page, click Next.
  3. In the License Agreement page, select I accept the terms and click Next.
  4. If you see a message about Desktop OS Configuration then you need to cancel the installer and install the Remote Desktop Session Host role.
  5. In the Network protocol configuration page, select IPv4 and click Next.
  6. In the Custom Setup page, enable Scanner Redirection if desired. Same for USB Redirection.
  7. Client Drive Redirection is a new feature in Horizon 6 Agent 6.1. The description indicates that the file transfers are not encrypted.
  8. VMware Horizon View Composer Agent is a new feature of Horizon 6 Agent 6.2. If you are building a pool of Remote Desktop Session Hosts then install this feature. Note: if you are not building linked clones then don’t select this option or else you won’t be able to select the machine in a Manual RDS Farm in View Administrator.
  9. Click Next when done making selections.
  10. Click OK to acknowledge the USB redirection message.
  11. If you see the Register with Horizon 6 Connection Server page, enter the name of a Horizon 6 Connection Server and click Next. You only see this page if not installing the View Composer Agent.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes to restart the server.

User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. In Server Manager, open the Manage menu and click Add Roles and Features.
  3. In the Features page, select .NET Framework 3.5 and click Next.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server 2012 R2 ISO.
  6. Enter the path to the sources folder on the Windows Server 2012 R2 ISO and click OK. Then click Install.
  7. Go to the extracted User Environment Manager 9.0 files and run VMware User Environment Manager 9.0 x64.msi.
  8. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  9. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  10. In the Destination Folder page, click Next.
  11. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.

  12. In the Choose License File page, if installing on a View Agent then no license file is needed. Click Next.
  13. Otherwise, Browse to the license file and then click Next.
  14. In the Ready to install VMware User Environment Manager page, click Install.
  15. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm. You can change this to performance-based Load Balancing by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at pubs.vmware.com.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe “PathToScript”. For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to a farm, in View Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm and click the RDS Host.
  10. Make sure the Server load is reported.
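Steps 2 through 7 can be scripted so that every host in the farm is configured the same way. This is an added example, not from the original article or from VMware; it uses the cpuutilisation.vbs path the article shows and names the registry value after the script. Because the agent executes whatever command line these registry values contain, the example also warns if users can write to the scripts folder, since anyone who can drop a file there or edit this key gets code execution in the Script Host service's context.

```powershell
# Added example (not from the original article): register an RDSH load script
# from an elevated prompt on the RDS host. Path is the one from the article;
# the registry value name is a free choice (the script name is used here).

$ScriptPath = 'C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs'
$RegPath    = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad'

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Load script not found: $ScriptPath (it must exist on every host in the farm)"
}

# 1. Script Host service: Automatic start, then make sure it is running (steps 2-3).
$ScriptHost = Get-Service -DisplayName 'VMware Horizon View Script Host'
Set-Service -Name $ScriptHost.Name -StartupType Automatic
if ($ScriptHost.Status -ne 'Running') { Start-Service -Name $ScriptHost.Name }

# 2. Registry: one REG_SZ whose data is the command line the agent runs (steps 4-6).
if (-not (Test-Path -LiteralPath $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name (Split-Path $ScriptPath -Leaf) `
    -Value ('cscript.exe "{0}"' -f $ScriptPath) -PropertyType String -Force | Out-Null

# 3. Restart the agent so it picks up the new script (step 7).
Restart-Service -DisplayName 'VMware Horizon View Agent' -Force

# 4. Guard rail: the scripts folder must be writable by administrators only.
$ScriptDir = Split-Path $ScriptPath -Parent
(Get-Acl -LiteralPath $ScriptDir).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users') -and
        ([int]($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
    } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can write to $ScriptDir ($($_.FileSystemRights))" }

# Check: run the script exactly as the agent will and show the registered command line.
& cscript.exe //NoLogo $ScriptPath
Get-ItemProperty -LiteralPath $RegPath | Select-Object -Property * -ExcludeProperty PS*
```

The final Dashboard check in steps 8 through 10 still applies; the script's output only reaches View Administrator once the host is a member of a farm.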

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Symantec

Symantec has a document at http://www.symantec.com/business/support/index?page=content&id=TECH91070 detailing best practices when deploying Symantec Endpoint Protection to session hosts.

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1  – http://www.symantec.com/docs/TECH173650

Install Applications

Install applications that will be executed on these machines.

VMware OS Optimization Tool

  1. Download the VMware OS Optimization Tool VMware fling.
  2. Run the downloaded VMwareOSOptimizationTool_1050.msi.
  3. On the Analyze tab, on the bottom left, click Analyze.
  4. Check both boxes and click Continue to Analyze.
  5. Review the optimizations and make changes as desired. Then on the bottom left click Optimize.
  6. Click the FAILED links for more information.
  7. The History tab lets you rollback the optimizations.
  8. The Templates tab lets you edit the optimizations. You can create your own template or edit an existing template.

Citrix has published a document with several registry modifications that are supposed to improve server performance. You can access it at http://support.citrix.com/article/CTX131577.

Another list of optimizations can be found at http://www.citrixtools.net/Resources/Articles/articleType/ArticleView/articleId/5610/Windows-2008-R2-Remote-Desktop-and-XenApp-6-Tuning-Tips-Update.aspx.

Seal and Snapshot

  1. Go to the properties of the C: drive and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool –http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Shutdown the master session host.
  9. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  10. Take a snapshot of the master session host. View Composer requires a snapshot.

  11. You can now use Horizon View Administrator to create RDS Farms.
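Steps 3, 5 and 6 are the ones that silently break a farm later (a master that cannot re-activate, or a static address cloned into every member), so they are worth checking from a script before shutting the master down. This added example, which is not from the original article, reads the Windows licensing state the way slmgr.vbs /dlv does and checks that every connected IPv4 interface is on DHCP.

```powershell
# Added example (not from the original article): pre-seal checks for the master
# session host. Equivalent to "slmgr.vbs /dlv" for KMS status and rearm count,
# plus a DHCP check on every connected IPv4 interface. Run on the master.

function Get-SealReport {
    # The active Windows product: ApplicationID of Windows, with a key installed.
    $WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $prod = Get-CimInstance -ClassName SoftwareLicensingProduct `
              -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
            Select-Object -First 1
    $svc  = Get-CimInstance -ClassName SoftwareLicensingService

    # Connected IPv4 interfaces that are NOT DHCP-enabled (loopback excluded).
    $static = Get-NetIPInterface -AddressFamily IPv4 |
                Where-Object {
                    $_.ConnectionState -eq 'Connected' -and
                    $_.Dhcp -ne 'Enabled' -and
                    $_.InterfaceAlias -notlike 'Loopback*'
                } |
                Select-Object -ExpandProperty InterfaceAlias

    $isKms = ($prod.Description -like '*KMSCLIENT*')   # "VOLUME_KMSCLIENT channel"

    [pscustomobject]@{
        LicenseStatus      = $prod.LicenseStatus              # 1 = Licensed
        KmsClient          = $isKms
        KmsHost            = $svc.KeyManagementServiceMachine
        RemainingRearms    = $svc.RemainingWindowsReArmCount
        StaticIPv4Adapters = @($static)
        ReadyToSeal        = ($prod.LicenseStatus -eq 1) -and
                             $isKms -and
                             ($svc.RemainingWindowsReArmCount -ge 1) -and
                             (@($static).Count -eq 0)
    }
}

$report = Get-SealReport
$report | Format-List
if (-not $report.ReadyToSeal) {
    Write-Warning 'Master is not ready to seal; fix the items reported above before taking the snapshot.'
}
```

A zero rearm count is the usual reason a cloned farm member ends up unlicensed after SysPrep; rearm the master (slmgr.vbs /rearm) and reboot before sealing if the report shows 0.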

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon 6 Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon 6 Agent – uninstall the Horizon 6 Agent and reinstall it so it registers with a Horizon 6 Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon 6 Security Server and Horizon 6 Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.

 

VMware Horizon 6 – RDS Farms/Pools

Last Modified: Nov 6, 2020 @ 7:28 am


Overview

Before following this procedure, build a master RDS Session Host.

This post details VMware Horizon configuration for Remote Desktop Session Host Horizon View Agents. Virtual Desktops are detailed elsewhere.

Before you can publish applications or desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts then these are different RDS Farms.

Horizon 6 supports up to 200 RDS farms, each with up to 200 RDS hosts.

Once the RDS Farms are created, you publish resources from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

RDS Farms – Linked Clones

You can use View Composer to create RDS linked clones. Here are some missing features and other notes:

  • No QuickPrep. Uses SysPrep with Customization Specifications instead. SysPrep is slower than QuickPrep. SysPrep is also performed during Recompose operations.
  • No View Storage Accelerator.
  • No Rebalance.
  • No Refresh. The machines are persistent until you Recompose the farm.
    • The delta disks continue to grow until you Recompose the farm.
    • You can enable Space Reclamation to shrink the delta disks as files are deleted.
  • DHCP is required.

Customization Specification

If you want to use View Composer then SysPrep requires a Customization Specification in vCenter. QuickPrep is not supported with RDS farms.

  1. In vCenter, from the Home page, click Customization Specification Manager.
  2. Click the icon to create a new Customization Specification.
  3. In the Specify Properties page, give the spec a name and click Next.
  4. In the Set Registration Information page, enter your normal settings and click Next.
  5. In the Set Computer Name page, select Use the virtual machine name and click Next.
  6. In the Enter Windows License page, select Per seat and click Next.
  7. In the Set Administrator Password page, enter the local administrator password and click Next.
  8. In the Time Zone page, select the time zone and click Next.
  9. In the Run Once page, click Next.
  10. In the Configure Network page, leave it set to Use standard network settings. Horizon 6 requires the VMs to be configured for DHCP. Click Next.
  11. In the Set Workgroup or Domain page, enter credentials that can join the machines to the domain and click Next.
  12. In the Set Operating System Options page, leave the box checked and click Next.
  13. In the Ready to complete page, click Finish.

Create an Automatic Farm

To create a farm of linked clones, do the following:

  1. Make sure your RDS View Agents have the VMware Horizon View Composer Agent feature installed.
  2. In View Administrator, on the left, expand Resources and click Farms.
  3. On the right, click Add.
  4. In the Type page, select Automated Farm and click Next.
  5. In the vCenter Server page, select the vCenter Server and View Composer and click Next.
  6. In the Identification and Settings page, enter a name for the Farm. A folder with the same name will be created in vCenter.
  7. Allow users to choose protocol should be set to No.
  8. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  9. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  10. Check the box next to Allow HTML Access and click Next.
  11. In the Provisioning Settings page, enter a naming pattern. Include a number token such as {n:fixed=3} so that each machine gets a unique, zero-padded number (for example RDSH001, RDSH002).
  12. Enter the number of machines to create and click Next.
  13. In the Storage Optimization page, click Next.
  14. In the vCenter Settings page, click Browse next to each option and make a selection.
  15. When selecting a datastore, set the Storage Overcommit to Unbounded. Click OK and then click Next.
  16. In the Advanced Storage Options page, decide if you want space reclamation or not. Space reclamation does reduce disk space but increases IOPS while the operation is occurring. If space reclamation is enabled, also configure a Blackout window so the increased IOPS does not affect production usage. Scroll down.
  17. If you scroll down you’ll see an option for Transparent Page Sharing. By default it is disabled. Setting it to Global enables page sharing between the VMs in the farm, which should reduce some memory consumption. Keep in mind that VMware disabled inter-VM TPS by default after research showed that memory deduplication can be used as a side channel between VMs; for a farm of identical hosts serving the same user population the risk is usually acceptable, but make that decision explicitly. Click Next.
  18. In the Guest Customization page, select an OU.
  19. Select a customization specification and click Next.
  20. In the Ready to Complete page, click Finish.
  21. On the RDS Hosts tab you can see the progress of the farm creation operation.
  22. Since RDS Farms use SysPrep, it will take some time before they become available.
  23. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool or an Application Pool or both.

Add RDS Host to Automatic Farm

  1. On the left, expand Resources and click Farms.
  2. On the right, highlight an existing Farm and click Edit.
  3. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  4. Since this is based on SysPrep, it will take a while to add the virtual machine. The new VMs reboot several times during the provisioning and customization process.
  5. The farm now has new RDS host(s).

Update an Automatic Farm

  1. Power on the master session host.
  2. After making your changes, shut down the master session host.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. Name the snapshot and click OK.
  5. You’ll need to periodically delete the older snapshots. Right-click the master VM and click Manage Snapshots.
  6. Delete one or more of the snapshots.
  7. In View Administrator, go to Resources > Farms.
  8. Double-click a farm name.
  9. Before beginning the Recompose operation, edit the Farm and on the Provisioning Settings tab consider specifying a minimum number of ready machines during View Composer maintenance operations. If you leave this set to 0 then all machines will be in maintenance mode and nobody can connect until Recompose is complete.
  10. On the Summary tab, click Recompose.
  11. In the Image page, select the new snapshot and click Next.
  12. In the Scheduling page, decide when to apply this new image and then click Next.
  13. In the Ready to Complete page, click Finish.
  14. On the RDS Hosts tab, you can check on the status of the recompose task. Since RDS Farms use SysPrep, this will take a while.

RDS Farms – Manual

To create a manual RDS Farm, do the following:

  1. Make sure the View Composer Agent is not installed on your RDS servers and make sure you saw the screen to register the Agent with a Horizon 6 Connection Server.
  2. In View Administrator, expand View Configuration and click Registered Machines. Make sure your manually built RDS Host is registered and listed on the RDS Hosts tab.

  3. In View Administrator, on the left, expand Resources and click Farms.
  4. On the right, click Add.
  5. In the Identification and Settings page, enter a name for the Farm.
  6. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  7. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  8. Check the box next to Allow HTML Access and click Next.
  9. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  10. In the Ready to Complete page, click Finish.

Add RDS Host to Manual Farm

  1. On the left, expand Resources and click Farms.
  2. On the right, double-click an existing Farm.
  3. On the right, switch to the RDS Hosts tab and click Add.
  4. Select the new RDS host and click OK.
  5. The farm now has a new RDS host.

Published Desktop

To publish a desktop from an RDS farm, do the following:

  1. In View Administrator, on the left, expand Catalog and click Desktop Pools.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool and click Next.
  4. In the Desktop Pool Identification page, enter an ID and name. They can be different. Click Next.
  5. In the Desktop Pool Settings page, click Next.
  6. In the Select an RDS farm page, select a farm and click Next.
  7. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes and click Finish.
  8. In the Entitlements window, click Add.
  9. Browse to an Active Directory group and click OK.
  10. Then click Close.
  11. If you go to Resources > Farms, double-click your farm and switch to the RDS Pools tab, you can see which Desktop Pool is associated with this farm.

Published Applications

  1. In View Administrator, on the left, expand Catalog and click Application Pools.
  2. On the right, click Add.
  3. The purpose of this wizard is to publish applications from an RDS Farm and entitle them. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually. Click Next after selecting one or more applications.
  4. Or you can add an application manually by changing the radio button to Add application pool manually. Notice that Explorer is not one of the listed applications so that one will need to be done manually.
  5. Notice the Entitle users box is checked by default. All of the applications in this list will receive the same entitlements. Click Finish.
  6. Then click Add to select a group that can see these icons. Click OK when done.
  7. You can run the wizard again to publish more applications with different entitlements.
  8. If you double-click one of the application pools, on the Entitlements page you can change the entitlements.
  9. If you go to Resources > Farms, double-click your farm, and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. Notice you can’t really do anything from here.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool at pubs.vmware.com.

Do the following to configure Anti-Affinity:

  1. On the left, expand Catalog and click Application Pools.
  2. On the right, edit an existing app/pool.
  3. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of matches that can run on a single RDS Host.

NetScaler Gateway 11 – RDP Proxy

Last Modified: Nov 7, 2020 @ 6:35 am

RDP Proxy

NetScaler 10.5.e and NetScaler 11 support RDP Proxy through NetScaler Gateway. No VPN required. There are two ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

  • Bookmarks on the Clientless Access portal page.
  • After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.

You can have one Gateway vServer that authenticates the user and a different Gateway vServer to proxy the RDP connection. The Gateways use Secure Ticket Authority (STA) for mutual authentication. See Stateless RDP Proxy at docs.citrix.com for more information.  💡

Here are some requirements for RDP Proxy:

  • NetScaler Enterprise Edition or Platinum Edition.
  • NetScaler Gateway Universal Licenses for each user.
  • TCP 443 and TCP 3389 opened to the NetScaler Gateway Virtual Server.
  • TCP 3389 opened from the NetScaler SNIP to the RDP Servers.

Do the following to configure RDP Proxy:

  1. Expand NetScaler Gateway, expand Policies, right-click RDP and click Enable Feature.
  2. Click RDP on the left. On the right, switch to the Client Profiles tab and click Add.
  3. Give the Client Profile a name and configure it as desired. Scroll down.
  4. In the RDP Host field, enter the FQDN that resolves to the RDP Proxy listener, which is typically the same FQDN as NetScaler Gateway.
  5. Near the bottom is a Pre Shared Key. Enter a password and click OK. You’ll need this later.
  6. On the right, switch to the Server Profiles tab and click Add.
  7. Give the Server Profile a name.
  8. Enter the IP of the Gateway Virtual Server you’re going to bind this to.
  9. Enter the same Pre Shared Key you configured for the RDP Client Profile. Click Create.
  10. If you want to  put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
  11. Alternatively, Simon Gottschlag Publish RDP Proxy Link via StoreFront shows how NetScaler Rewrite can insert an RDP Proxy link into a StoreFront web page.  💡
  12. On the right, click Add.
  13. Give the Bookmark a name.
  14. For the URL, enter rdp://MyRDPServer using IP or DNS.
  15. Check the box next to Use NetScaler Gateway As a Reverse Proxy and click Create.
  16. Create more bookmarks as desired.
  17. Create or edit a session profile/policy.
  18. On the Security tab, set Default Authorization Action to ALLOW, or leave it at DENY and bind Authorization policies that permit only the RDP targets you intend to publish. With ALLOW, any authenticated user can type /rdpproxy/<any host> into the address bar and reach any RDP server the NetScaler SNIP can route to, whether or not you created a bookmark for it.
  19. On the Remote Desktop tab, select the RDP Client Profile you created earlier.
  20. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
  21. On the Published Applications tab, make sure ICA Proxy is OFF.
  22. Edit or Create your Gateway Virtual Server.
  23. In the Basic Settings section, click More.
  24. Use the RDP Server Profile drop-down to select the RDP Server Profile you created earlier.
  25. Scroll down. Make sure ICA Only is not checked.
  26. Bind a certificate.
  27. Bind authentication policies.
  28. Bind the session policy/profile that has the RDP Client Profile configured.
  29. You can bind Bookmarks to either the NetScaler Gateway Virtual Server or to a AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
  30. On the left, in the Published Applications section, click where it says No Url.
  31. Bind your Bookmarks.
  32. Since this NetScaler Gateway Virtual Server has ICA Only unchecked, make sure your NetScaler Gateway Universal licenses are configured correctly. On the left, expand NetScaler Gateway and click Global Settings.
  33. On the right, click Change authentication AAA settings.
  34. Change the Maximum Number of Users to your licensed limit.
  35. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
  36. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
  37. Connect to your Gateway and login.
  38. If you configured Bookmarks, simply click the Bookmark.
  39. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. /rdpproxy/192.168.1.50) or a DNS name (/rdpproxy/myserver).
  40. Then open the downloaded .rdp file.
  41. You can view the currently connected users by going to NetScaler Gateway > Policies > RDP and on the right is the Connections tab.

NetScaler SDX 11

Last Modified: Nov 7, 2020 @ 6:35 am


LOM IP Configuration

There are two ways to set the IP address of the Lights Out Module (LOM):

  • Crossover Ethernet cable from a laptop with an IP address in the 192.168.1.0 network.
  • ipmitool from the NetScaler SDX XenServer command line

Ipmitool Method:

  1. On NetScaler SDX appliance, SSH to the XenServer IP address (this is not the Service VM IP). On NetScaler MPX appliance, SSH to the NetScaler NSIP.
  2. Default XenServer credentials are root/nsroot. Default MPX credentials are nsroot/nsroot. Change these defaults before the appliance goes into production.
  3. If MPX, run shell. XenServer is already in the shell.
  4. Run the following:
    ipmitool lan set 1 ipaddr x.x.x.x
    ipmitool lan set 1 netmask 255.255.255.0
    ipmitool lan set 1 defgw ipaddr x.x.x.x

  5. You should now be able to connect to the LOM using a browser.

Laptop method:

  1. Configure a laptop with static IP address 192.168.1.10 and connect it to the Lights Out Module port.
  2. In a Web browser, type the IP address of the LOM port. For initial configuration, type the port’s default address: http://192.168.1.3
  3. In the User Name and Password boxes, type the administrator credentials. The default username and password are nsroot/nsroot. Change this password as soon as the LOM is reachable, and keep the LOM port on a management-only network; the LOM gives console-level access to the appliance.
  4. In the Menu bar, click Configuration and then click Network.
  5. Under Options, click Network and type values for the following parameters:
    1. IP Address—The IP address of the LOM port.
    2. Subnet Mask—The mask used to define the subnet of the LOM port.
    3. Default Gateway—The IP address of the router that connects the appliance to the network.
  6. Click Save.
  7. Disconnect the laptop and instead connect a cable from a switch to the Lights Out Module.

LOM Firmware Upgrade

The LOM firmware at https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade differs depending on the hardware platform. The LOM firmware for the 8000 series is different than the 11000 series. Do not mix them up.

Note: the SDX Update Bundle does not include a LOM firmware update, so you must update the LOM firmware separately.

  1. Determine which firmware level you are currently running. You can point your browser to the LOM and log in to see the firmware level. Or you can run ipmitool mc info from the XenServer shell.
  2. If your LOM firmware is older than 3.0.2, follow the instructions at http://support.citrix.com/article/CTX137970 to upgrade the firmware.
  3. If your LOM firmware is version 3.0.2 or later, follow the instructions at http://support.citrix.com/article/CTX140270 to upgrade the firmware. This procedure is shown below.
  4. Now that the firmware is version 3.0.2 or later, you can upgrade to 3.39. Click the Maintenance menu and then click Firmware Update.
  5. On the right, click Enter Update Mode.
  6. Click OK when prompted to enter update mode.
  7. Click Choose File and browse to the extracted bin file.
  8. After the file is uploaded, click Upload Firmware.
  9. Click Start Upgrade.
  10. The Upgrade progress will be displayed.
  11. After upgrade is complete, click OK to acknowledge the 1 minute message.
  12. The LOM will reboot.
  13. After the reboot, login and notice that the LOM firmware is now 3.39.

SDX IP Configuration

Default IP for Management Service is 192.168.100.1/16 bound to interface 0/1. Use a laptop with a crossover cable to reconfigure it. Point a browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Note: XenServer IP and Management Service IP must be on the same subnet.

There should be no need to connect to XenServer directly. Instead, all XenServer configuration (e.g. create new VM) is performed through the Management Service (SVM). To change the XenServer IP, make the change through the Management Service as detailed below:

  1. Point a browser to http://192.168.100.1 and log in as nsroot/nsroot.
  2. When you first log in to the SDX Management Service, the Welcome! Wizard appears. Click Management Network.
  3. Configure the IP addresses. Management Service IP Address and XenServer IP Address must be different but on the same subnet.
  4. You can change the password at this time or later. Click Done.
  5. Click the System Settings box.
  6. Enter a Host Name.
  7. Select the time zone and click Continue.
  8. Click the Licenses box.
  9. Click Add New License.
  10. In the Manage Licenses section, allocate licenses normally.
  11. Then click Continue.

Another way to log in to the Management Service virtual machine is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow the instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib/xen/bin/xenconsole <dom-id>

Or if 11.0 build 64 or newer, run /usr/lib64/xen/bin/xenconsole <dom-id>

Management Service Firmware – Upgrade to 11.0

NetScaler SDX 11.0 and newer now bundle all updates in a single package. To take advantage of this improved installation experience, you must first upgrade the Service VM to 11.0. Once it’s 11.0 you no longer need to upgrade the Service VM separately from the rest of the appliance.

  1. If your SDX SVM (Management Service) is running 10.5 build 57 or newer then you can skip this section and proceed with installing the SDX Bundle.
  2. NetScaler SDX 11.0 build 55 contains a separate installer for just the Management Service (SVM Upgrade Package).  The newer builds of NetScaler SDX 11.0 don’t seem to have a separate SVM Upgrade Package so you’ll need to upgrade SVM to 11.0 build 55 first. Then use the Software Bundle method to upgrade beyond build 55 as detailed in the next section.
  3. If the webpage says NetScaler SDX on top then you are connected to the Service VM.
  4. Switch to the Configuration tab.
  5. In the navigation pane, expand Management Service, and then click Software Images.
  6. In the right pane, click Upload.
  7. In the Upload Management Service Software Image dialog box, click Browse, navigate to the folder that contains the build-svm file, and then double-click the build file.
  8. Click Upload.

To upgrade the Management Service:

  1. In the navigation pane, click System.
  2. In the System pane, under System Administration, click Upgrade Management Service.
  3. In the Upgrade Management Service dialog box, in Build File, select the file of the build to which you want to upgrade the Management Service.
  4. If you see a Documentation File field, ignore it.
  5. Click OK.
  6. Click Yes if asked to continue.
  7. If desired, go back to the Software Images node and delete older firmware files.

SDX Platform Software Bundle

Starting with SDX 11.0, all updates are bundled together and installed at once.

  1. Make sure your Management Service (SVM) is running SDX 11.0 or newer. If not, see the separate SVM upgrade procedure in the previous section.
  2. Download the latest SDX Platform Software bundle from Downloads > NetScaler ADC > Service Delivery Appliances.
  3. Log in to the SDX Management Service and go to Configuration > System.
  4. On the right, click Upgrade Appliance.
  5. Browse to the build-sdx-11.0.tgz software bundle and click OK.
  6. It should show you the estimated installation time. Check the boxes next to the instances that need their configs saved. Click Upgrade.
  7. Click Yes to continue with the upgrade.
  8. The Management Service displays installation progress. Once the upgrade is complete, click Login.
  9. The Information page will be displayed showing the version of XenServer, Management Service (Build), etc.

Management Service NTP

  1. On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
  2. To add a new NTP server, in the right pane, click Add.
  3. In the Create NTP Server dialog box enter the NTP server name (e.g. pool.ntp.org) and click Create.
  4. In the right pane click NTP Synchronization.
  5. In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.

Management Service Alerting

Syslog

  1. On the Configuration tab, expand System > Auditing and click Syslog Servers.
  2. In the right pane click the Add button.
  3. Enter a name for the server.
  4. Enter the IP address of the Syslog server.
  5. Select log levels and click Create.
  6. On the right is Syslog Parameters.
  7. You can configure the Date Format and Time Zone. Click OK.

Mail Notification

  1. On the Configuration tab, expand System > Notifications and click Email.
  2. In the right pane, on the Email Servers tab, click Add.
  3. Enter the DNS name of the mail server and click Create.
  4. In the right pane, switch to the Email Distribution List tab and click Add.
  5. Enter a name for the mail profile.
  6. Enter the destination email address and click Create.

System SNMP

  1. Go to System > SNMP.
  2. On the right, click Configure SNMP MIB.
  3. Enter information as desired and click OK. Your SNMP management software will read this information.
  4. Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.
  5. MIBs can be downloaded from the Downloads tab.

Instance SNMP

  1. The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.
  2. On the right, click Add.
  3. Give the rule a name.
  4. Select the Major and Critical severities and move them to the right. Scroll down.
  5. For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them then only the configured entities will be alerted. Scroll down.
  6. Click Save.
  7. Select an Email Distribution List and click Done.
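As an added illustration of the wildcard behaviour in step 5 (this is not code from the SDX product), the following Python models an Event Rule: the severity list always filters, while each other section matches every trap when left empty and only the listed entities once configured. The trap records, instance IPs and mail addresses are constructed sample data.

```python
"""Model of how an SDX Management Service Event Rule selects instance SNMP traps.

Added example; this is not code from the NetScaler SDX product. It implements
the rule semantics the text describes: the severity list is always applied,
and each optional section (devices, categories, failure objects) matches every
trap when left empty but only the listed entities once configured. All trap
records, IPs and addresses below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trap:
    """One SNMP trap as forwarded by an instance to the Service VM."""
    device: str          # NSIP of the instance that sent the trap
    severity: str        # Critical, Major, Minor or Warning
    category: str        # trap category, e.g. entityDown
    failure_object: str  # entity the trap is about, e.g. a vserver name


@dataclass(frozen=True)
class EventRule:
    """An Event Rule as configured under NetScaler > Events > Event Rules."""
    name: str
    severities: frozenset
    distribution_list: str
    devices: frozenset = frozenset()          # empty = all devices
    categories: frozenset = frozenset()       # empty = all categories
    failure_objects: frozenset = frozenset()  # empty = all failure objects

    def matches(self, trap):
        """True when the trap would trigger this rule."""
        if trap.severity not in self.severities:
            return False
        # Each configured section restricts; an empty section is a wildcard.
        sections = (
            (self.devices, trap.device),
            (self.categories, trap.category),
            (self.failure_objects, trap.failure_object),
        )
        return all(not allowed or value in allowed for allowed, value in sections)


def select_alerts(rule, traps):
    """Return the traps that would be mailed to the rule's distribution list."""
    return [t for t in traps if rule.matches(t)]


def notify(rules, trap):
    """Distribution lists that receive a given trap, in rule order."""
    return [r.distribution_list for r in rules if r.matches(trap)]


# Constructed sample traps from three hypothetical instances.
SAMPLE_TRAPS = [
    Trap("10.0.0.11", "Critical", "haStateChange", "HA"),
    Trap("10.0.0.11", "Major", "entityDown", "lb_vsrv_web"),
    Trap("10.0.0.12", "Major", "entityDown", "lb_vsrv_api"),
    Trap("10.0.0.12", "Minor", "cpuUtilization", "CPU"),
    Trap("10.0.0.13", "Critical", "diskUsage", "/var"),
]

# Rule with only severities set: alerts for every device, category and object.
RULE_ALL = EventRule(
    name="all-major-critical",
    severities=frozenset({"Major", "Critical"}),
    distribution_list="noc@example.com",
)

# Rule with device and category sections configured: only those entities alert.
RULE_SCOPED = EventRule(
    name="web-tier-entity-down",
    severities=frozenset({"Major", "Critical"}),
    distribution_list="web-team@example.com",
    devices=frozenset({"10.0.0.11"}),
    categories=frozenset({"entityDown"}),
)

RULES = [RULE_ALL, RULE_SCOPED]

if __name__ == "__main__":
    for rule in RULES:
        hits = select_alerts(rule, SAMPLE_TRAPS)
        print(f"{rule.name}: {len(hits)} alert(s) -> {rule.distribution_list}")
        for t in hits:
            print(f"  {t.device} {t.severity} {t.category} {t.failure_object}")
```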

Management Service nsroot Password and AAA

To change the password of the default user account

  1. On the Configuration tab, in the navigation pane, expand System, and then click Users.
  2. In the Users pane, click the default user account, and then click Edit.
  3. In the Configure System User dialog box, in Password and Confirm Password, enter the password of your choice. Click OK.

To create a user account

  1. In the navigation pane, expand System, and then click Users. The Users pane displays a list of existing user accounts, with their permissions.
  2. To create a user account, click Add.
  3. In the Create System User or Modify System User dialog box, set the following parameters:
    • Name*—The user name of the account. The following characters are allowed in the name: letters a through z and A through Z, numbers 0 through 9, period (.), space, and underscore (_). Maximum length: 128. You cannot change the name.
    • Password*—The password for logging on to the appliance.
    • Confirm Password*—The password.
    • Session Timeout
    • Groups —The user’s privileges on the appliance. Possible values:
      • owner—The user can perform all administration tasks related to the Management Service.
      • readonly—The user can only monitor the system and change the password of the account.
  4. Click Create. The user that you created is listed in the Users pane.

AAA Authentication

  1. If you would like to enable LDAP authentication for the Service VM, do that under Configuration > System > Authentication > LDAP.
  2. In the right pane, click Add.
  3. This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP. Change the Security Type to SSL and Port to 636. Scroll down.
  4. Enter the Base DN in LDAP format.
  5. Enter the bind account.
  6. Check the box for Enable Change Password.
  7. Click Retrieve Attributes and scroll down.
  8. For Server Logon Attribute select sAMAccountName.
  9. For Group Attribute select memberOf.
  10. For Sub Attribute Name select cn.
  11. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
  12. If desired, configure Nested Group Extraction.
  13. Click Create.
  14. Expand System, expand User Administration and click Groups.
  15. Click Add.
  16. Enter the case-sensitive name of the Active Directory group.
  17. Select the admin permission.
  18. Configure the Session Timeout. Click Create.
  19. On the left, under System, click User Administration.
  20. On the right click User Lockout Configuration.
  21. If desired, check the box next to Enable User Lockout and configure the maximum logon attempts. Click OK.
  22. On the left, under System, click Authentication.
  23. On the right, click Authentication Configuration.
  24. Change the Server Type to LDAP.
  25. Select the LDAP server you created and click OK.

SSL Certificate and Encryption

Replace SDX Management Service Certificate

Before enabling secure access to the Management Service web console, you probably want to replace the Management Service certificate.

  1. PEM format: The certificate must be in PEM format. The Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.
  2. On the left, click System.
  3. On the right, click Install SSL Certificate.
  4. Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK. The Management Service will restart so there will be an interruption.
  5. After the Management Service restarts, connect to it using HTTPS. You can’t make this change if you are connected using HTTP.
  6. On the Configuration tab, click System.
  7. On the right, click Change System Settings.
  8. Check the box next to Secure Access Only and click OK. This forces you to use HTTPS to connect to the Management Service.

SSL Encrypt Management Service to NetScaler Communication

From http://support.citrix.com/article/CTX134973: Communication from the Management Service to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Management Service and NetScaler VPX instances. If you do not secure the network traffic from the Management Service configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

  1. Log on to the Management Service.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Change Communication with NetScaler Instance to https, as shown in the following screen shot:
  5. Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip ipaddress -netmask netmask -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui SECUREONLY -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting ENABLED -ospf DISABLED -bgp DISABLED -rip DISABLED -hostRoute DISABLED -vrID 0

Or in the NetScaler instance management GUI go to Network > IPs, open the NSIP and then check the box next to Secure access only.

SDX/XenServer LACP Channels

To use LACP, configure Channels in the Management Service, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel.

  1. In the Management Service, on the Configuration tab, expand System and click Channels.
  2. On the right, click Add.
  3. Select a Channel ID.
  4. For Type, select LACP or STATIC. If using Cisco vPC then LACP is required. The other two options are for switch independent load balancing.
  5. In the Interfaces tab, click Add.
  6. Move the Channel Member interfaces to the right by clicking the plus icon.
  7. On the Settings tab, for LACP you can select Long or Short, depending on switch configuration. Short is the default.
  8. Click Create when done.
  9. Click Yes when asked to proceed.
  10. The channel will then be created on XenServer.

VPX Instances – Provision

To create an admin profile

Admin profiles specify the user credentials that are used by the Management Service when provisioning the NetScaler instances, and later when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the NetScaler instances through the CLI or the configuration utility.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. This profile cannot be modified or deleted. However, you should override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any NetScaler instance.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.
  2. In the Admin Profiles pane, click Add.
  3. In the Create Admin Profile dialog box, set the following parameters:
    • Profile Name*—Name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
    • User Name—User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.
    • Password*—The password used to log on to the NetScaler instance. Maximum length: 31 characters.
    • Confirm Password*—The password used to log on to the NetScaler instance.
  4. Click Create. The admin profile you created appears in the Admin Profiles pane.

To upload a NetScaler VPX .xva file

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances.

  1. Download the Virtual Appliance XVA from the SDX Software Bundle Download Page.
  2. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Software Images.
  3. On the right, switch to the XVA Files tab and then click Upload.
  4. In the Upload NetScaler Instance XVA dialog box, click Browse and select the XVA image file that you want to upload. Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.

To provision a NetScaler instance

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Instances.
  2. In the NetScaler Instances pane, click Add.
  3. In the Provision NetScaler Wizard follow the instructions in the wizard.
  4. Click Create. The NetScaler instance you provisioned appears in the NetScaler Instances pane.

The wizard will ask for the following info:

  • Name* – The host name assigned to the NetScaler instance.
  • IP Address* – The NetScaler IP (NSIP) address at which you access a NetScaler instance for management purposes. A NetScaler instance can have only one NSIP. You cannot remove an NSIP address.
  • Netmask* – The subnet mask associated with the NSIP address.
  • Gateway* – The default gateway that you must add on the NetScaler instance if you want access through SSH or the configuration utility from an administrative workstation or laptop that is on a different network.
  • Nexthop to Management Service (11.0 build 64 and newer) – Adds a static route on the NSIP network so SDX Management Service can communicate with the instance NSIP. Only needed if instance default gateway and instance NSIP are on separate networks.  💡
  • XVA File* – The .xva image file that you need to provision. This file is required only when you add a NetScaler instance.
  • Feature License* – Specifies the license you have procured for the NetScaler. The license could be Standard, Enterprise, and Platinum.
  • Admin Profile* – The profile you want to attach to the NetScaler instance. This profile specifies the user credentials that are used by the Management Service to provision the NetScaler instance and later, to communicate with the instance to retrieve configuration data. The user credentials used in this profile are also used while logging on to the NetScaler instance by using the GUI or the CLI. It is recommended that you change the default password of the admin profile. This is done by creating a new profile with a user-defined password. For more information, see Configuring Admin Profiles.
  • Total Memory (MB)* – The total memory allocated to the NetScaler instance.
  • #SSL Cores* – Number of SSL cores assigned to the NetScaler instance. SSL cores cannot be shared. The instance is restarted if you modify this value.
  • Throughput (Mbps)* – The total throughput allocated to the NetScaler instance. The total used throughput should be less than or equal to the maximum throughput allocated in the SDX license. If the administrator has already allocated full throughput to multiple instances, no further throughput can be assigned to any new instance.
  • Packets per second* – The total number of packets received on the interface every second.
  • CPU – Assign a dedicated core or cores to the instance or the instance shares a core with other instance(s).
  • User Name* – The root user name for the NetScaler instance administrator. This user has superuser access, but does not have access to networking commands to configure VLANs and interfaces. (List of non-accessible commands will be listed here in later versions of this document)
  • Password* – The password for the root user.
  • Shell/Sftp/Scp Access* – The access allowed to the NetScaler instance administrator.
  • Interface Settings – This specifies the network interfaces assigned to a NetScaler instance. You can assign interfaces to an instance. For each interface, if you select Tagged, specify a VLAN ID.
    • Important:The interface ID numbers of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. For example, if the first interface that you associate with instance 1 is SDX interface 1/4, it appears as interface 1/1 when you log on to the instance and view the interface settings, because it is the first interface that you associated with instance 1.
    • If a non-zero VLAN ID is specified for a NetScaler instance interface, all the packets transmitted from the NetScaler instance through that interface will be tagged with the specified VLAN ID. If you want incoming packets meant for the NetScaler instance that you are configuring to be forwarded to the instance through a particular interface, you must tag that interface with the VLAN ID you want and ensure that the incoming packets specify the same VLAN ID.
    • For an interface to receive packets with several VLAN tags, you must specify a VLAN ID of 0 for the interface, and you must specify the required VLAN IDs for the NetScaler instance interface.
  • NSVLAN ID – An integer that uniquely identifies the NSVLAN. Minimum value: 2. Maximum value: 4095.
  • Tagged – Designate all interfaces associated with the NSVLAN as 802.1q tagged interfaces.
  • Interfaces – Bind the selected interfaces to the NSVLAN.

Here are screenshots from the wizard:

  1. In the Provision NetScaler section, enter a name for the instance.
  2. Enter the NSIP, mask, and Gateway.
  3. Nexthop to Management Service is new in 11.0 build 64 and newer. If the default gateway is on a different network than the NSIP, then enter a next hop router address on the NSIP network so the SDX Management Service can communicate with the NSIP.  💡
  4. In the XVA File field, you can Browse > Local to select an XVA file on your file system. Or you can Browse > Appliance and select an XVA file that has already been uploaded.

  5. Change the Feature License to Platinum.
  6. Select an Admin Profile created earlier.
  7. Enter a Description. Scroll down.
  8. In the Resource Allocation section, change the Total Memory to 4096.
  9. For SSL Chips, specify between 1 and 16.
  10. For Throughput, partition your licensed bandwidth. If you are licensed for 8 Gbps, make sure the total of all VPX instances does not exceed that number.
  11. Burstable is also an option. Fixed bandwidth can’t be shared with other instances. Burstable can be shared. See Bandwidth Metering in NetScaler SDX at docs.citrix.com
  12. For CPU, select one of the Dedicated options. Then scroll down.
  13. In the Instance Administration section, enter a new local account that will be created on the VPX. This is in addition to the nsroot user. Note, not all functionality is available to this account. Scroll down.
  14. In the Network Settings section, leave 0/1 selected and deselect 0/2.
  15. Click Add to connect the VPX to more interfaces.
  16. If you have Port Channels, select one of the LA interfaces.
  17. Try not to configure any VLAN settings here. If you do, XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add.
  18. In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN. Click Done.
  19. After a couple minutes the instance will be created. Click Close.
  20. In your Instances list, click the IP address to launch the VPX management console. Do the following at a minimum (instructions in the NetScaler System Configuration page):
    1. Enable MAC Based Forwarding – System > Settings > Configure Modes > MAC Based Forwarding
    2. Add SNIPs for each VLAN – System > Network > IPs
    3. Add VLANs and bind to SNIPs – System > Network > VLANs
    4. Change default gateway – System > Network > Routes > 0.0.0.0
    5. Create another instance on a different SDX and High Availability pair them together – System > High Availability

Applying the Administration Configuration

At the time of provisioning a NetScaler VPX instance, the Management Service creates some policies, instance administration (admin) profile, and other configuration on the VPX instance. If the Management Service fails to apply the admin configuration at this time due to any reason (for example, the Management Service and the NetScaler VPX instance are on different subnetworks and the router is down or if the Management Service and NetScaler VPX instance are on the same subnet but traffic has to pass through an external switch and one of the required links is down), you can explicitly push the admin configuration from the Management Service to the NetScaler VPX instance at any time.

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler Configuration pane, click Apply Admin Configuration.
  3. In the Apply Admin Configuration dialog box, in Instance IP Address, select the IP address of the NetScaler VPX instance on which you want to apply the admin configuration.
  4. Click OK.

VPX Instances – Manage

You may log in to the VPX instance and configure everything normally. SDX also offers the ability to manage IP addresses and SSL certificates from SDX rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates, so it’s probably best to do that from within the VPX instance.

To view the console of a NetScaler instance

  1. Connect to the Management Service using HTTPS.
  2. Viewing the console might not work unless you replace the Management Service certificate.
  3. In the Management Service, go to Configuration > NetScaler > Instances.
  4. On the right, right-click an instance and click Console.
  5. The instance console then appears.
  6. Another option is to use the Lights Out Module and the xl console command as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

To start, stop, delete, or restart a NetScaler instance

  1. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
  2. In the Instances pane, right-click the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
  3. In the Confirm message box, click Yes.

Creating a Subnet IP Address on a NetScaler Instance

You can create or delete a SNIP during runtime without restarting the NetScaler instance.

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler Configuration pane, click Create IP.
  3. In the Create NetScaler IP dialog box, specify values for the following parameters.
    • IP Address* – Specify the IP address assigned as the SNIP or the MIP address.
    • Netmask* – Specify the subnet mask associated with the SNIP or MIP address.
    • Type* – Specify the type of IP address. Possible values: SNIP.
    • Save Configuration* – Specify whether the configuration should be saved on the NetScaler. Default value is false.
    • Instance IP Address* – Specify the IP address of the NetScaler instance.
  4. Click Create.

Create a VLAN on a NetScaler instance

  1. Go to NetScaler > Instances.
  2. Right-click an instance and click VLAN Bindings.
  3. Click Add.
  4. Enter a VLAN ID and select an interface.
  5. Check the box for Tagged if needed.
  6. Notice there’s no way to bind a SNIP. You do that inside the instance. Click Create.

To save the configuration on a NetScaler instance

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler pane, click Save Configuration.
  3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.
  4. Click OK.

Change NSIP of VPX Instance

If you change NSIP inside of VPX instead of using the Modify Instance wizard in the Service VM, see article http://support.citrix.com/article/CTX139206 to adjust the XenServer settings.

Enable Call Home

  1. On the Configuration tab, in the navigation pane, click the NetScaler node.
  2. On the right, click Call Home.
  3. Enter an email address to receive communications regarding NetScaler Call Home.
  4. Check the box next to Enable Call Home.
  5. Select the instances to enable Call Home and click OK.
  6. You can view the status of Call Home by expanding NetScaler and clicking Call Home.
  7. The right pane indicates if it’s enabled or not. You can also configure Call Home from here.

VPX Instance – Firmware Upgrade

Upload NetScaler Firmware Build Files

To upgrade a VPX instance from the Management Service, first upload the firmware build file.

  1. Download the NetScaler firmware using the normal method.
  2. In the Configuration tab, on the left, expand NetScaler and click Software Images.
  3. On the right, in the Software Images tab click Upload.
  4. Browse to the build…tgz file and click Open.

Upgrading Multiple NetScaler VPX Instances

You can upgrade multiple instances at the same time.

  1. To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
  2. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
  3. Right-click an instance and click Upgrade.
  4. In the Upgrade NetScaler dialog box, in Build File, select the NetScaler upgrade build file of the version you want to upgrade to. Ignore the Documentation File. Click OK.

Management Service Monitoring

  1. To view syslog, in the navigation pane, expand System, click Auditing and then click Syslog Message in the right pane.
  2. To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
  3. To view Management Service events, on the Configuration tab, in the navigation pane, expand System and click Events.
  4. NetScaler > Entities lets you see the various Load Balancing entities configured on the instances.
  5. To view instance alerts, go to NetScaler > Events > All Events.
  6. There is also event reporting.

Management Service Backups

The SDX appliance automatically keeps three backups of the Service VM configuration that are taken daily at 12:30 am.

Backups in NetScaler SDX 11.0 contain the following:

  • Single bundle image
  • NetScaler XVA image
  • NetScaler upgrade image
  • Management Service image
  • Management Service configuration
  • NetScaler SDX configuration
  • NetScaler configuration

You can go to Management Service > Backup Files to back up or restore the appliance’s configuration. You can also download the backup files.

You can configure the number of retained backups by clicking System on the left and then clicking Backup Policy in the right pane.

Web Interface Load Balancing – NetScaler 11

Last Modified: Nov 6, 2020 @ 7:24 am

This procedure is only needed if you are running Web Interface instead of StoreFront.

Monitor

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it Web Interface or similar.
  4. Change the Type drop-down to CITRIX-WEB-INTERFACE.
  5. If you will use SSL to communicate with the Web Interface servers, then scroll down and check the box next to Secure.
  6. Switch to the Special Parameters tab.
  7. In the Site Path field, enter the path of a XenApp Web site (e.g. /Citrix/XenApp/).
    • Make sure you include the slash (/) on the end of the path or else the monitor won’t work.
    • The site path is also case sensitive.
  8. Click Create.

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name; usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding Web Interface servers.

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.

  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-WI-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure the Web Interface Monitor has Secure enabled.
  5. Scroll down and click OK.
  6. Click where it says No Service Group Member.
  7. If you did not create server objects then enter the IP address of a Web Interface Server. If you previously created a server object then change the selection to Server Based and select the server object.
  8. Enter 80 or 443 as the port. Then click Create.

  9. To add more members, click where it says 1 Service Group Member and then click Add. Click Close when done.

  10. On the right, under Advanced Settings, click Monitors.
  11. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
  12. Click the arrow next to Click to select.
  13. Select the Web Interface monitor and click Select.
  14. Then click Bind.
  15. To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.

  16. Highlight a member and click Monitor Details.
  17. The Last Response should indicate that Set-Cookie header was found. Click Close twice when done.
  18. Then click Done.

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the SSL Virtual Server. This certificate must match the DNS name for the load balanced Web Interface servers.
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  3. On the right, click Add.
  4. Name it Web Interface-SSL-LB or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  10. Click the arrow next to Click to select.
  11. Select your Web Interface Service Group and click Select.
  12. Click Bind.
  13. Click Continue.
  14. Click where it says No Server Certificate.
  15. Click the arrow next to Click to select.
  16. Select the certificate for this Web Interface Load Balancing Virtual Server and click Select.
  17. Click Bind.
  18. Click Continue.
  19. On the right, in the Advanced Settings column, click Persistence.
  20. Select SOURCEIP persistence. Note: COOKIEINSERT also works with Web Interface. However, it doesn’t work with StoreFront.
  21. Set the timeout to match the timeout of Web Interface.
  22. The IPv4 Netmask should default to 32 bits.
  23. Click OK.
  24. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
    bind ssl vserver MyvServer -certkeyName MyCert
    set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
    unbind ssl vserver MyvServer -cipherName ALL
    bind ssl vserver MyvServer -cipherName Modern
    bind ssl vserver MyvServer -eccCurveName ALL
    bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443. This section details the Down vServer method. Alternatively you can configure the Responder method.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right, find the SSL Virtual Server you’ve already created, right-click it and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Change the name to indicate that this new Virtual Server is an SSL Redirect.
  4. Change the Protocol to HTTP on Port 80.
  5. The IP Address should already be filled in. It must match the original SSL Virtual Server. Click OK.
  6. Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
  7. On the right, in the Advanced Settings column, click Protection.
  8. In the Redirect URL field, enter the full URL including https://. For example: https://citrix.company.com/Citrix/XenApp. Click OK.
  9. Click Done.
  10. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

Global Server Load Balancing (GSLB) – NetScaler 11

Last Modified: Nov 7, 2020 @ 6:34 am


GSLB Planning

GSLB is nothing more than DNS. GSLB is not in the data path. GSLB receives a DNS query and GSLB sends back an IP address, which is exactly how a DNS server works. However, GSLB can do some things that DNS servers can’t do:

  • Don’t give out an IP address unless it is UP (monitoring)
    • If active IP address is down, give out the passive IP address (active/passive)
  • Give out the IP address that is closest to the user (proximity load balancing)
  • Give out different IPs for internal vs external (DNS View)

GSLB is only useful if you have a single DNS name that could resolve to two or more IP addresses. If there’s only one IP address then use normal DNS instead.

Citrix Blog Post Global Server Load Balancing: Part 1 explains how DNS queries work and how GSLB fits in.

Citrix has a good DNS and GSLB Primer.

When configuring GSLB, don’t forget to ask “where is the data?”. For XenApp/XenDesktop, DFS multi-master replication of user profiles is not supported so configure “home” sites for users. More information at Citrix Blog Post XenDesktop, GSLB & DR – Everything you think you know is probably wrong!

GSLB can be enabled both externally and internally. For external GSLB, configure it on the DMZ NetScaler appliances and expose it to the Internet. For internal GSLB, configure it on internal NetScaler appliances. Note: Each NetScaler appliance only has one DNS table so if you try to use one NetScaler for both public and internal then be aware that external users can query for internal GSLB-enabled DNS names. As described by Phil Bossman in the comments, you can use a Responder policy to prevent external users from reading internal DNS names.  💡

add policy patset GSLB_INTERNAL
bind policy patset GSLB_INTERNAL internalHostname.gslb.domain.com -index 1
add responder action DNS_Empty_Response respondwith DNS.NEW_RESPONSE
add responder policy GSLB_DNS_Empty_Response "(!(CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)||CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/16)||CLIENT.IP.SRC.IN_SUBNET(172.16.0.0/12)) && DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY(\"GSLB_INTERNAL\"))" DNS_Empty_Response
bind responder global GSLB_DNS_Empty_Response 100 END -type DNS_REQ_DEFAULT
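Because the policy is the only thing standing between Internet clients and your internal GSLB names, the subnet list in it deserves a check before it is bound. The following is an added example (not code from the post, the commenter, or NetScaler): it models the policy's decision in plain Python and flags any candidate subnet list whose verdicts differ from the RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that the exclusion relies on. The client addresses, the patset entry and the mistyped list are constructed samples.

```python
"""Offline model of the GSLB 'empty DNS response' responder policy.

Added example, not code from the post or from NetScaler. It re-implements the
policy's decision in plain Python so that the subnet list can be checked
before the policy is bound: a query gets an empty answer when the client is
NOT inside any trusted (internal) subnet AND the question name contains one
of the patset entries. Every address and name below is a constructed sample.
"""
from ipaddress import ip_address, ip_network

# The RFC1918 ranges the policy is meant to treat as internal.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# A list with two mistyped prefixes, kept only to show what the audit catches.
MISTYPED = ("10.0.0.0/8", "172.0.0.0/12", "192.0.0.0/16")

# Contents of the GSLB_INTERNAL patset: name fragments that must not leak outside.
GSLB_INTERNAL = ("internalhostname.gslb.domain.com",)

# Constructed (client IP, question name) probes covering the interesting cases.
PROBES = (
    ("192.168.1.10", "internalhostname.gslb.domain.com"),  # internal client
    ("172.16.0.1", "INTERNALHOSTNAME.gslb.domain.com."),   # internal client, odd case
    ("192.0.2.5", "internalhostname.gslb.domain.com"),     # public client (TEST-NET-1)
    ("203.0.113.7", "internalhostname.gslb.domain.com"),   # public client (TEST-NET-3)
    ("203.0.113.7", "www.gslb.domain.com"),                # public client, public name
)


def client_is_internal(client_ip, internal_subnets):
    """Equivalent of CLIENT.IP.SRC.IN_SUBNET(...) OR-ed over every listed prefix."""
    addr = ip_address(client_ip)
    return any(addr in ip_network(net, strict=False) for net in internal_subnets)


def question_is_internal(qname, patset):
    """Equivalent of DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY(patset).

    DNS names are case-insensitive, so this model lower-cases both sides and
    drops a trailing dot; that normalisation is this example's choice.
    """
    q = qname.rstrip(".").lower()
    return any(p.lower() in q for p in patset)


def empty_response(client_ip, qname, internal_subnets=RFC1918, patset=GSLB_INTERNAL):
    """True when the policy would hit and DNS_Empty_Response would be sent."""
    return (not client_is_internal(client_ip, internal_subnets)) and question_is_internal(qname, patset)


def audit_subnet_list(internal_subnets, probes=PROBES):
    """Return the probes whose verdict under `internal_subnets` differs from the
    RFC1918 reference, as (ip, qname, expected, actual) tuples.
    An empty list means the candidate list behaves like the reference."""
    mismatches = []
    for ip, qname in probes:
        expected = empty_response(ip, qname, RFC1918)
        actual = empty_response(ip, qname, internal_subnets)
        if expected != actual:
            mismatches.append((ip, qname, expected, actual))
    return mismatches


if __name__ == "__main__":
    for ip, qname in PROBES:
        print(f"{ip:>14}  {qname:<40} empty={empty_response(ip, qname)}")
    # With the mistyped list, an internal 192.168.x client is refused its own
    # names while a public 192.0.x client is allowed to resolve them.
    for ip, qname, expected, actual in audit_subnet_list(MISTYPED):
        print(f"MISMATCH {ip} {qname}: expected empty={expected}, got empty={actual}")
```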

For internal and external GSLB of the same DNS name on the same appliance, you can use DNS Policies and DNS Views to return different IP addresses depending on where users are connecting from. Citrix CTX130163 How to Configure a GSLB Setup for Internal and External Users Using the Same Host Name.

However, GSLB monitoring applies to the entire GSLB Service so it would take down both internal and external GSLB. If you need different GSLB monitoring for internal and external of the same DNS name, try CNAME:

  • External citrix.company.com:
    • Configure NetScaler GSLB for citrix.company.com.
    • On public DNS, delegate citrix.company.com to the NetScaler DMZ ADNS services.
  • Internal citrix.company.com:
    • Configure NetScaler GSLB for citrixinternal.company.com or something like that.
    • On internal DNS, create CNAME for citrix.company.com to citrixinternal.company.com
    • On internal DNS, delegate citrixinternal.company.com to NetScaler internal ADNS services.


Some IP Addresses are needed on each NetScaler pair:

  • ADNS IP: An IP that will listen for ADNS queries. For external, create a public IP for the ADNS IP and open UDP 53 so Internet-based DNS servers can access it. This can be an existing SNIP on the appliance.
  • GSLB Site IP / MEP IP: A GSLB Site IP that will be used for NetScaler-to-NetScaler communication, which is called MEP or Metric Exchange Protocol. The IP for ADNS can also be used for MEP / GSLB Site.
    • RPC Source IP: If running NetScaler 11.0 build 64 or newer then the GSLB Site IP can be anything and RPC traffic (MEP) can be sourced from the GSLB IP. For older NetScaler builds, RPC traffic is sourced from a SNIP, even if this is different from the GSLB Site IP. In older builds, it’s less confusing if you use a SNIP as the GSLB Site IP.
    • Public IP: For external GSLB, create public IPs that are NAT’d to the GSLB Site IPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
    • MEP Port: Open port TCP 3009 between the two NetScaler GSLB Site IPs. Make sure only the NetScalers can access this port on the other NetScaler. Do not allow any other device on the Internet to access this port. This port is encrypted.
    • GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 from the NSIP (management IP) to the remote public IP that is NAT’d to the GSLB Site IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP.
  • DNS Queries: The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
  • IP Summary: In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
    • One public IP that is NAT’d to the IP that is used for ADNS and MEP (GSLB Site IP). You only need one IP for ADNS / MEP no matter how many GSLB names are configured. MEP (GSLB Site IP) can be a different IP, if desired.
    • One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
    • If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.

ADNS

  1. Identify a NetScaler-owned IP that you will use for ADNS. This is typically a SNIP.
  2. Configure a public IP for the ADNS Service IP and configure firewall rules.
  3. On the left, expand Load Balancing and click Services.
  4. On the right, click Add.
  5. Name the service ADNS or similar.
  6. In the IP Address field, enter an appliance SNIP.
  7. In the Protocol field, select ADNS. Then click OK.
  8. Scroll down and click Done.
  9. On the left of the console, expand System, expand Network and then click IPs.
  10. On the right, you’ll see the SNIP as now being marked as the ADNS svc IP. If you don’t see this yet, click the Refresh icon.
  11. Repeat on the other appliance in the other datacenter.

Metric Exchange Protocol

  1. Select an IP to be the GSLB Site IP. In NetScaler 11.0 build 64 and newer, this can be any IP. In older builds, you can use the same SNIP and same public IP used for ADNS.
  2. Open the firewall rules for Metric Exchange Protocol.
  3. On the left, expand Traffic Management, right-click GSLB and enable the feature.
  4. Expand GSLB and click Sites.
  5. On the right, click Add.
  6. Add the local site first. Enter a descriptive name and in the Site Type select LOCAL.
  7. In the Site IP Address field, enter an IP on which this appliance will listen for MEP traffic. This IP must be in the default Traffic Domain. (Note: NetScaler 11.0 build 64 supports GSLB in Admin Partitions).
  8. For external GSLB, in the Public IP Address field, enter the public IP that is NAT’d to the GSLB Site IP. For internal GSLB, there’s no need to enter anything in the Public IP field. Click Create.
  9. Go back to System > Network > IPs and verify that the IP is now marked as a GSLB site IP. If you don’t see it yet, click the Refresh button.
  10. If you want to use the GSLB Sync Config feature, then you’ll need to edit the GSLB site IP and enable Management Access.
  11. When you enable Management Access on a dedicated GSLB site IP, SSH is already selected by default. That’s all you need.
  12. Go to the other appliance and also create the local GSLB site using its GSLB site IP and its public IP that is NAT’d to the GSLB site IP.
  13. In System > Network > IPs on the remote appliance, there should now be a GSLB site IP. This could be a SNIP. If GSLB Sync is desired, enable management access on that IP and ensure SSH is enabled.
  14. Now on each appliance add another GSLB Site, which will be the remote GSLB site.
  15. Enter a descriptive name and select REMOTE as the Site Type.
  16. Enter the other appliance’s actual GSLB Site IP as configured on the appliance. This IP does not need to be reachable.
  17. In the Public IP field, enter the public IP that is NAT’d to the GSLB Site IP on the other appliance. For MEP, TCP 3009 must be open to this IP from the local GSLB Site IP. For GSLB sync, TCP 22, and TCP 3008 must be open to this IP from the local NSIP. Click Create.
  18. Repeat on the other appliance.
  19. MEP will not function yet since the NetScalers are currently configured to communicate unencrypted on TCP 3011. To fix that, on the left, expand System, expand Network and click RPC.
  20. On the right, edit the new RPC address (the other site’s GSLB Site IP) and click Open.
  21. On the bottom, check the box next to Secure.
  22. In NetScaler 11.0 build 64 or newer, if your GSLB Site IP is not a SNIP then you’ll need to change the RPC Node to use the local GSLB Site IP as the source IP. Uncheck IPv6 first. Then enter the local GSLB Site IP. Click OK when done.
  23. Do the same thing on the other appliance.
  24. If you go back to GSLB > Sites, you should see it as active.

GSLB Services

GSLB Services represent the IP addresses that are returned in DNS Responses. DNS Query = DNS name. DNS Response = IP address.

GSLB should be configured identically on both NetScalers. Since you have no control over which NetScaler will receive the DNS query, you must ensure that both NetScalers are giving out the same DNS responses.

Create the same GSLB Services on both NetScalers:

  1. Start on the appliance in the primary data center. This appliance should already have a traffic Virtual Server (NetScaler Gateway, Load Balancing, or Content Switching) for the DNS name that you are trying to GSLB enable.
  2. On the left, expand Traffic Management > GSLB and click Services.
  3. On the right, click Add.
  4. The service name should be similar to the DNS name that you are trying to GSLB. Include the site name in the service name.
  5. Select the LOCAL Site.
  6. On the bottom part, select Virtual Servers and then select a Virtual Server that is already defined on this appliance. It should automatically fill in the other fields. If you see a message asking if you wish to create a service object, click Yes.
  7. Scroll up and make sure the Service Type is SSL. It’s annoying that NetScaler doesn’t set this drop-down correctly.
  8. The Public IP field contains the actual IP Address that the GSLB ADNS service will hand out. Make sure this Public IP is user accessible. It doesn’t even need to be a NetScaler owned IP.
  9. Scroll down and click OK.
  10. If the GSLB Service IP is a VIP on the local appliance, then GSLB will simply use the state of the local traffic Virtual Server (Load Balancing, Content Switching, or Gateway). If the GSLB Service IP is a VIP on a remote appliance, then GSLB will use MEP to ask the other appliance for the state of the remote traffic Virtual Server. In both cases, there’s no need to bind a monitor to the GSLB Service.
  11. However, you can also bind monitors directly to the GSLB Service. Here are some reasons for doing so:
    • If the GSLB Service IP is a NetScaler-owned traffic VIP, but the monitors bound to the traffic Virtual Server are not the same ones you want to use for GSLB. When you bind monitors to the GSLB Services, the monitors bound to the traffic Virtual Server are ignored.
    • If the GSLB Service IP is in a non-default Traffic Domain, then you will need to attach a monitor since GSLB cannot determine the state of Virtual Servers in non-default Traffic Domains.
    • If the GSLB Service IP is not hosted on a NetScaler, then only GSLB Service monitors can determine if the Service IP is up or not.
  12. If you intend to do GSLB active/active and if you need site persistence then you can configure your GSLB Services to use Connection Proxy or HTTP Redirect. See Citrix Blog Post Troubleshooting GSLB Persistence with Fiddler for more details.
  13. Click Done.
  14. On the other datacenter NetScaler, create a GSLB Service.
  15. Select the REMOTE site that is hosting the service.
  16. Since the service is on a different appliance and not this one, you won’t be able to select it using the Virtual Servers option. Instead, select New Server.
  17. For the Server IP, enter the actual VIP configured on the other appliance. This local NetScaler will use GSLB MEP to communicate with the remote NetScaler to find a traffic Virtual Server with this VIP. The remote NetScaler responds with whether the remote traffic Virtual Server is up or not. The remote Server IP configured here does not need to be directly reachable by this local appliance. If the Server IP is not owned by either NetScaler, then you will need to bind monitors to your GSLB Service.
  18. In the Public IP field, enter the IP address that will be handed out to clients. This is the IP address that users will use to connect to the service. For Public DNS, you enter a Public IP that is usually NAT’d to the traffic VIP. For internal DNS, the Public IP and the Server IP are usually the same.
  19. Scroll up and change the Service Type to match the Virtual Server defined on the other appliance.
  20. Click OK.
  21. Just like the other appliance, you can also configure Site Persistence and GSLB Service Monitors. Click Done when done.
  22. Create more GSLB Services, one for each traffic VIP. GSLB is useless if there’s only one IP address to return. You should have multiple IP addresses (VIPs) through which a web service (e.g. NetScaler Gateway) can be accessed. Each of these VIPs is typically in different datacenters, or on different Internet circuits. The mapping between DNS name and IP addresses is configured in the GSLB vServer, as detailed in the next section.

GSLB Virtual Server

The GSLB Virtual Server is the entity that the DNS name is bound to. GSLB vServer then gives out the IP address of one of the GSLB Services that is bound to it.

Configure the GSLB vServer identically on both appliances:

  1. On the left, expand Traffic Management > GSLB, and click Virtual Servers.
  2. On the right, click Add.
  3. Give the GSLB vServer a descriptive name. For active/active, you can name it the same as your DNS name. For active/passive, you will create two GSLB Virtual Servers, one for each datacenter, so include Active or Passive in the Virtual Server name.
  4. Click OK.
  5. If you intend to bind multiple GSLB Services to this GSLB vServer, then you can optionally check the box for Send all “active” service IPs. By default, GSLB only gives out one IP per DNS query. This checkbox always returns all IPs, but the IPs are ordered based on the GSLB Load Balancing Method and/or GSLB Persistence.
  6. On the right, in the Advanced Settings column, click Service.
  7. On the left, click where it says No GSLB Virtual Server to GSLBService Binding.
  8. Click the arrow next to Click to select.
  9. Check the box next to an existing GSLB Service and click Select. If your GSLB is active/passive then only bind one service.
  10. If your GSLB is active/active then bind multiple GSLB Services. Also, you’d probably need to configure GSLB persistence (Source IP or cookies).
  11. Click Bind.
  12. On the right, in the Advanced Settings column, click Domains.
  13. On the left, click where it says No GSLB Virtual Server Domain Binding.
  14. Enter the FQDN that GSLB will resolve.
  15. If this GSLB is active/passive, there are two options:
    • Use the Backup IP field to specify the IP address that will be handed out if the primary NetScaler is inaccessible or if the VIP on the primary appliance is marked down for any reason.
    • Or, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
  16. Click Bind.
  17. If this is active/active GSLB, you can edit the Method section to enable Static Proximity. This assumes the Geo Location database has already been installed on the appliance.
  18. Also for active/active, if you don’t want to use Cookie-based persistence, then you can use the Persistence section to configure Source IP persistence.
  19. Click Done.
  20. If you are configuring active/passive using the backup GSLB Virtual Server method, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.

  21. On the left, if you expand Traffic Management > DNS, expand Records and click Address Records, you’ll see a new DNS record for the GSLB domain you just configured. Notice it is marked as GSLB DOMAIN.

  22. Configure identical GSLB Virtual Servers on the other NetScaler appliance. Both NetScalers must be configured identically.
  23. You can also synchronize the GSLB configuration with the remote appliance by going to Traffic Management > GSLB.
  24. On the right, click Synchronize configuration on remote sites.
  25. Use the check boxes on the top, if desired. It’s usually a good idea to Preview the changes before applying them. Then click OK to begin synchronization.

Some notes regarding GSLB Sync:

  • It’s probably more reliable to do it from the CLI by running sync gslb config and one of the config options (e.g. -preview).
  • GSLB Sync runs as a script on the BSD shell and thus always uses the NSIP as the source IP.
  • GSLB Sync connects to the remote GSLB Site IP on TCP 3008 (if RPC is Secure) and TCP 22.

Test GSLB

  1. To test GSLB, simply point nslookup to the ADNS services and submit a DNS query for one of the DNS names bound to a GSLB vServer. Run the query multiple times to make sure you’re getting the response you expect.
  2. Both NetScaler ADNS services should be giving the same response.
  3. To simulate a failure, disable the traffic Virtual Server.
  4. Then the responses should change. Verify on both ADNS services.

  5. Re-enable the traffic Virtual Server, and the responses should return to normal.


DNS Delegation

If you are enabling GSLB for the domain gateway.corp.com, you’ll need to create a delegation at the server that is hosting the corp.com DNS zone. For public GSLB, you need to edit the public DNS zone for corp.com.

DNS Delegation instructions will vary depending on what product hosts the public DNS zone. This section details Microsoft DNS, but it should be similar in BIND or web-based DNS products.

There are two ways to delegate GSLB-enabled DNS names to NetScaler ADNS:

  • Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).
  • Delegate an entire subzone. For example, delegate the subzone gslb.corp.com to the two NetScaler ADNS services. Then create a CNAME record in the parent DNS zone for gateway.corp.com that is aliased to gateway.gslb.corp.com. When DNS queries make it to NetScaler, they will be for gateway.gslb.corp.com and thus gateway.gslb.corp.com needs to be bound to the GSLB Virtual Server instead of gateway.corp.com. For additional delegations, simply create more CNAME records.

This section covers the first method – delegating an individual DNS record:

  1. Run DNS Manager.
  2. First, create Host Records pointing to the ADNS services running on the NetScalers in each data center. These host records for ADNS are used for all GSLB delegations no matter how many GSLB delegations you need to create.
  3. The first Host record is gslb1 (or similar) and should point to the ADNS service (Public IP) on one of the NetScaler appliances.
  4. The second Host record is gslb2 and should point to the ADNS Service (public IP) on the other NetScaler appliance.
  5. If you currently have a host record for the service that you are delegating to GSLB (gateway.corp.com), delete it.
  6. Right-click the parent DNS zone and click New Delegation.
  7. In the Welcome to the New Delegation Wizard page, click Next.
  8. In the Delegated Domain Name page, enter the left part of the DNS record that you are delegating (e.g. gateway). Click Next.
  9. In the Name Servers page, click Add.
  10. This is where you specify gslb1.corp.com and gslb2.corp.com. Enter gslb1.corp.com and click Resolve. Then click OK. If you see a message about the server not being authoritative for the zone, ignore the message.
  11. Then click Add to add the other GSLB ADNS server.
  12. Once both ADNS servers are added to the list, click Next.
  13. In the Completing the New Delegation Wizard page, click Finish.
  14. If you run nslookup against your Microsoft DNS server, it will respond with Non-authoritative answer. That’s because it got the response from NetScaler and not from itself.

That’s all there is to it. Your NetScalers are now DNS servers. For active/passive, the NetScalers will hand out the public IP address of the primary data center. When the primary data center is not accessible, GSLB will hand out the GSLB Service IP bound to the Backup GSLB vServer.

Geo Location Database

If you want to use DNS Policies or Static Proximity GSLB Load Balancing or Responders based on user’s location, import a geo location database.

NetScaler 11 has a built-in database at /var/netscaler/inbuilt_db/ that you can use. Or you can download a database. Common free databases are IP2Location and MaxMind GeoLite Legacy.

For IP2Location, see the blog post Add IP2Location Database as NetScaler’s Location File for instructions on how to import.

To Download GeoLite Legacy:

  1. Download the GeoLite Country database CSV from http://dev.maxmind.com/geoip/legacy/geolite/.
  2. Note: GeoLite City is actually two files that must be merged as detailed at Citrix Blog Post GeoLite City as NetScaler location database. GeoLite Country doesn’t need any preparation.
  3. Upload the extracted database (.csv file) to the NetScaler appliance at /var/netscaler/locdb.

To import the Geo database (including the built-in database):

  1. In the NetScaler GUI, on the left, expand AppExpert, expand Location and click Static Database (IPv4).
  2. On the right, click Add.
  3. Change the Import From selection to File.
  4. Click Browse.
  5. For the built-in database, browse to /var/netscaler/inbuilt_db/ and open Citrix_NetScaler_InBuild_GeoIP_DB.csv.
  6. Or browse to the Geo Location database file you uploaded and open it.
  7. In the Location Format field, if using the built-in database, select netscaler.
  8. If using GeoLite Country, select geoip-country.
  9. Click Create.
  10. When you open a GSLB Service, the public IP will be translated to a location.

You can use the Geo locations in a DNS Policy, static proximity GSLB Load Balancing, or Responders.

Horizon View Load Balancing – NetScaler 11

Last Modified: Sep 2, 2018 @ 7:52 am


Use this procedure to load balance Horizon View Connection Servers, Horizon View Security Servers, and/or VMware Access Points.

Overview

Servers/Appliances

There are two VMware-provided remote access solutions for Horizon: Security Servers and Access Points.

Access Points are preferred over Security Servers for the following reasons:

  • No need to pair with internal Connection Servers. This simplifies the configuration.
  • Linux appliance instead of Windows server.
  • Authentication can be offloaded to Access Point. This includes: Smart Cards, RSA, and RADIUS.

If you are using Access Points instead of Security Servers then you’ll have the following machines in a highly available Horizon infrastructure:

  • Two Internal Connection Servers – these need to be load balanced on an internal VIP. Internal users connect to the internal VIP.
  • Two DMZ Access Point appliances – these need to be load balanced on a DMZ VIP. External users connect to the DMZ VIP. Access Points connect to the internal VIP.

With Security Servers instead of Access Points, a typical Horizon Infrastructure will have at least six connection servers:

  • Two Internal Connection Servers – these need to be load balanced on an internal VIP. Internal users connect to the internal VIP.
  • Two DMZ Security Servers – these need to be load balanced on a DMZ VIP. External users connect to the DMZ VIP. Each Security Server connects directly to a “paired” Connection Server.
  • The DMZ Security Servers are paired with two additional internal “paired” Connection Servers. There is no need to load balance the internal Paired Connection Servers. However, we do need to monitor them.

Since Security Servers are paired with Connection Servers, you need to configure load balancing monitors to disable the Security Server if the paired Connection Server is not accessible. Since Access Points are not paired with Connection Servers, you don’t need this special monitoring configuration.

Protocols/Ports

Horizon 7 introduces a new Blast Extreme protocol. VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7.

For VMware Access Point, Blast Extreme needs only TCP and UDP 443. HTML Access in Horizon 7 also uses the Blast Extreme protocol (TCP/UDP 443). If you use VMware Access Point with Blast Extreme exclusively, then the number of ports is minimal, and load balancing configuration is simplified. Here are typical load balancing port requirements for Access Point with Blast Extreme only:

  • TCP 443
  • UDP 443

Note: UDP is disabled by default, but it can be enabled using a Blast GPO setting.

For View Security Servers with Blast Extreme only, the following load balancing ports are needed. Note: Access Point supports 443 port sharing, but Security Servers do not.

  • TCP 443
  • TCP 8443
  • UDP 8443

Note: UDP is disabled by default, but it can be enabled using a Blast GPO setting.

For all other configurations that don’t use Blast Extreme (PCoIP, HTML Blast), the following ports must be load balanced:

  • TCP 443
  • TCP 4172
  • UDP 4172
  • TCP 8443

If you are load balancing internal Connection Servers only, and if the Secure Gateways are disabled, then the only port you need to load balance is:

  • TCP 443

VMware requires server persistence to apply across multiple load balanced port numbers. If a user is load balanced to a particular View Connection Server on TCP 443, then the connection on UDP 4172 must go to the same View Connection Server. Normally load balancing persistence only applies to a single port number, so whatever server was selected on 443 won’t be considered for the 4172 connection. But in NetScaler, you can configure a Persistency Group to use a single persistency across multiple load balancing vServers (different port numbers). In F5, you configure Match Across.

Also see Load Balancing with Access Point by Mark Benson at VMware Communities  💡

This topic primarily focuses on NetScaler GUI configuration. Alternatively, you can skip directly to the CLI commands.

Horizon 7 Origin Check

Horizon 7 might not accept your load balanced DNS name unless it’s the same name configured in the Connection Server’s Secure Tunnel configuration. You can change this behavior by disabling Origin Check as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7. Note: this configuration is almost mandatory for Access Points since Secure Tunnel is disabled on the Connection Servers.

Load Balancing Monitors

Users connect to Connection Servers, Security Servers, and Access Point appliances on multiple ports: TCP 443, UDP 443, TCP 8443, UDP 8443, TCP 4172, and UDP 4172. Users initially connect to TCP port 443 and are then redirected to one of the other ports on the same server/appliance that was used for the TCP 443 connection. If TCP 443 is up but UDP 4172 is down on the same server/appliance, then you probably want to take TCP 443 down too. To facilitate this, create a monitor for each of the ports and bind all of the monitors to the TCP 443 service. Then if any of the monitors goes down, TCP 443 is also taken down.

Note: TLS 1.0 is disabled in Horizon View 6.2.1 and newer. If your NetScaler supports TLS 1.2 on the back end then this isn’t a problem. Back-end TLS 1.2 was added to NetScaler MPX/SDX in 10.5 build 58. And it was added to NetScaler VPX in 11.0 build 65. For older NetScaler builds, you’ll need to enable TLS 1.0 (and HTML Blast) in Horizon or else the monitors won’t work.

In NetScaler VPX 11.0 build 64, secure HTTP monitors attached to SSL_BRIDGE services try to use TLS 1.2 instead of TLS 1.0. To fix this problem, run set ssl parameter -svctls1112disable enable -montls1112disable enable as detailed at CTX205578 Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Servers Break.

SSL Monitor

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it Horizon-SSL or similar.
  4. Change the Type drop-down to HTTP-ECV.
  5. On the Standard Parameters tab, in the Destination Port field, enter 443.
  6. Scroll down and check the box next to Secure.
  7. On the Special Parameters tab, in the Send String section, enter GET /broker/xml
  8. In the Receive String section, enter clientlaunch-default
  9. Scroll down and click Create.

PCoIP Monitor

  1. On the right, click Add.
  2. Name it Horizon-PCoIP or similar.
  3. Change the Type drop-down to TCP.
  4. On the Standard Parameters tab, in the Destination Port field, enter 4172.
  5. Scroll down and click Create.

Blast Monitor

  1. On the right, click Add.
  2. Name it Horizon-Blast or similar.
  3. Change the Type drop-down to TCP.
  4. On the Standard Parameters tab, in the Destination Port field, enter 8443.
  5. Scroll down and click Create.

Paired Connection Server Monitor

Note: the steps in this section do not apply to Access Points or internal Connection Servers.

View Security Servers are paired with View Connection Servers. If the paired View Connection Server is down, then we should probably stop sending users to the corresponding View Security Server. Let’s create a monitor that has a specific IP address in it.

  1. Right-click the existing Horizon-SSL monitor and click Add.
  2. Normally a monitor does not have any Destination IP defined, which means it uses the IP address of the service that it is bound to. However, we intend to bind this monitor to the View Security Server but we need it to monitor the paired View Connection Server, which is a different IP address. Type in the IP address of the paired View Connection Server. Then rename the monitor so it includes the View Connection Server name. Click Create.
  3. Since we are embedding an IP address into the monitor, you have to create a separate monitor for each paired Connection Server IP. Create another monitor. Specify the IP of the other paired Connection Server. Click Create.

Load Balancing Servers

Create Server Objects for the DMZ Security Servers, DMZ Access Point appliances and the internal non-paired Connection Servers. Do not create Server Objects for the Paired Connection Servers.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name; usually it matches the actual server name.
  4. Enter the IP address of the Access Point, Horizon Connection Server, or Horizon Security Server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding Access Points, Horizon Connection Servers, and/or Horizon Security Servers.

Load Balancing Services

Overview

Services vs Service Groups:

  • For Security Servers, if the paired Connection Server is down, then we need the Security Server to go down too. One of the monitors bound to the Security Server contains the IP address of the paired Connection Server. Since each Security Server is paired with a different Connection Server, that means each Security Server will have a unique monitoring configuration. This precludes us from adding multiple Security Servers to a single Service Group since you can only have one monitor configuration for the entire Service Group. Instead, create separate Services (multiple port numbers) for each Security Server.
    • Individual services per server are only needed for TCP 443. The other ports can be service groups.
  • For Access Points, there is no special monitoring configuration and thus these appliances could be added to Service Groups (one for each port number).
  • For internal Connection Servers (non-paired), there is no special monitoring configuration and thus these appliances could be added to one Service Group. Internal Connection Servers usually only need TCP 443 load balanced.

For Internal Connection Servers (not the paired servers), load balancing monitoring is very simple:

  • Create a service group for SSL 443.
  • To verify server availability, monitor port TCP 443 on the same server.
  • If tunneling is disabled then internal users connect directly to View Agents and UDP/TCP 4172 and TCP 8443 are not used on Internal Connection Servers. There’s no need to create service groups and monitors for these ports.

Security Servers and Access Point appliances are more complex:

  • For Blast Extreme protocol through Access Points, if UDP is not enabled, then you only need services for TCP 443. If UDP is enabled, then you also need load balancing services for UDP 443.
  • For Blast Extreme protocol through View Security Servers, if UDP is not enabled, then you only need services for TCP 443 and TCP 8443. If UDP is enabled, then you also need load balancing services for UDP 8443.
  • For PCoIP protocol, all traffic initially connects on TCP 443. The Horizon clients then connect to UDP 4172 on the same Security Server or Access Point. If 4172 is down, then 443 should be taken down. Bind monitors for each port to the TCP 443 service. If any of the monitors fails (e.g. 4172 is down), then TCP 443 is taken down and NetScaler will no longer forward traffic to TCP 443 on that particular server/appliance.
  • Each Security Server is paired with an internal Connection Server. If the internal Connection Server is down then the Security Server should be taken down. This requires custom monitors for each Security Server. This is not a problem for Access Points.
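The monitor rules in the Load Balancing Monitors section and in the overview above can be rehearsed before you bind anything. The following is an added Python pre-flight script, not NetScaler, Omnissa or VMware code: it probes TCP 443 with the page's HTTP-ECV send/receive strings, probes 4172 and 8443, probes the paired Connection Server, and applies the all-monitors-must-succeed rule. The server names, the 10.0.0.x addresses and the local broker stub are constructed placeholders.

```python
"""Added example (not NetScaler/Omnissa/VMware code): pre-flight check of the Horizon monitors above."""
import socket
import ssl
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional

SEND_STRING = "GET /broker/xml"       # send string of the page's HTTP-ECV monitor
RECV_STRING = "clientlaunch-default"  # receive string the reply must contain

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP monitor (PCoIP 4172 / Blast 8443): succeed if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_http_ecv(host: str, port: int = 443, secure: bool = True, timeout: float = 3.0) -> bool:
    """HTTP-ECV monitor: send SEND_STRING, succeed only if RECV_STRING is in the reply."""
    request = f"{SEND_STRING} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if secure:
            # Reachability check, not a trust decision: like the NetScaler monitor, no cert validation.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        data = b""
        while chunk := sock.recv(4096):  # HTTP/1.0: the server closes after the reply
            data += chunk
        return RECV_STRING.encode() in data
    except OSError:  # includes ssl.SSLError and timeouts
        return False
    finally:
        if sock is not None:
            sock.close()

@dataclass
class HorizonServer:
    name: str
    ip: str
    role: str                           # "security-server", "access-point" or "connection-server"
    pcoip: bool = False                 # PCoIP in use: 4172 and 8443 must be up as well
    paired_cs_ip: Optional[str] = None  # Security Servers only

def monitors_for(server: HorizonServer):
    """Everything to bind to the server's TCP 443 service, as (name, kind, host, port)."""
    mons = [("Horizon-SSL", "http-ecv", server.ip, 443)]
    if server.pcoip and server.role in ("security-server", "access-point"):
        mons += [("Horizon-PCoIP", "tcp", server.ip, 4172), ("Horizon-Blast", "tcp", server.ip, 8443)]
    if server.role == "security-server":
        if not server.paired_cs_ip:
            raise ValueError(f"{server.name}: a Security Server needs its paired Connection Server IP")
        # Monitor with an embedded destination IP: it watches the paired Connection Server.
        mons.append((f"Horizon-SSL-{server.name}-paired", "http-ecv", server.paired_cs_ip, 443))
    return mons

def check_server(server: HorizonServer, probe: Optional[Callable[[str, str, int], bool]] = None):
    """Run every bound monitor; NetScaler marks the service UP only if all of them succeed."""
    probe = probe or (lambda kind, host, port: probe_tcp(host, port) if kind == "tcp"
                      else probe_http_ecv(host, port))
    results = {name: probe(kind, host, port) for name, kind, host, port in monitors_for(server)}
    return ("UP" if all(results.values()) else "DOWN"), results

class _BrokerStub(BaseHTTPRequestHandler):
    """Constructed stand-in for a Connection Server answering /broker/xml as the monitor expects."""
    def do_GET(self):
        body = (b"<broker><configuration>clientlaunch-default</configuration></broker>"
                if self.path == "/broker/xml" else b"<broker><error/></broker>")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass

def selfcheck() -> dict:
    """Exercise the probes on local listeners and the UP/DOWN rule on a constructed estate."""
    stub = HTTPServer(("127.0.0.1", 0), _BrokerStub)
    threading.Thread(target=stub.serve_forever, daemon=True).start()
    open_port = stub.server_address[1]
    with socket.socket() as s:  # take a free port and release it so it is closed
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    out = {"http_ecv_open": probe_http_ecv("127.0.0.1", open_port, secure=False),
           "tcp_closed": probe_tcp("127.0.0.1", closed_port)}
    # Constructed topology: VSS02's paired CS 10.0.0.22 is down, VAP01's 4172 is down -> both go DOWN.
    reachable = {("10.0.0.11", 443), ("10.0.0.11", 4172), ("10.0.0.11", 8443), ("10.0.0.21", 443),
                 ("10.0.0.12", 443), ("10.0.0.12", 4172), ("10.0.0.12", 8443), ("10.0.0.31", 443), ("10.0.0.31", 8443)}
    for name, ip, role, paired in (("VSS01", "10.0.0.11", "security-server", "10.0.0.21"),
                                   ("VSS02", "10.0.0.12", "security-server", "10.0.0.22"),
                                   ("VAP01", "10.0.0.31", "access-point", None)):
        srv = HorizonServer(name, ip, role, pcoip=True, paired_cs_ip=paired)
        out[name] = check_server(srv, lambda kind, host, port: (host, port) in reachable)[0]
    stub.shutdown()
    return out
```

Run `check_server(HorizonServer(...))` without a probe argument against real servers to see which monitor would pull a 443 service DOWN before you bind it on the NetScaler.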

Load Balancing Services Configuration Summary

The summaries are split into PCoIP vs Blast Extreme, and View Security Servers vs Access Points. If you are using both PCoIP and Blast Extreme, combine their configurations.

Two Access Points for Blast Extreme: if they are named VAP01 and VAP02, the load balancing service configuration for Blast Extreme in Horizon 7 (no PCoIP) is summarized as follows (scroll down for detailed configuration):

  • Service Group, Protocol = SSL_BRIDGE
    • Members = VAP01 and VAP02
    • Port = 443
    • Monitor = SSL (443)
  • Service Group, Protocol = UDP (this service group is only needed if Blast Extreme UDP is enabled)
    • Members = VAP01 and VAP02
    • Port = 443
    • Monitor = SSL (443) or ping

Two Access Points for PCoIP protocol: if they are named VAP01 and VAP02, the load balancing service configuration for PCoIP is summarized as follows (scroll down for detailed configuration):

  • Service Group, Protocol = SSL_BRIDGE
    • Members = VAP01 and VAP02
    • Port = 443
    • Monitor = SSL (443)
  • Service Group, Protocol = TCP
    • Members = VAP01 and VAP02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = UDP
    • Members = VAP01 and VAP02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = SSL_BRIDGE
    • Members = VAP01 and VAP02
    • Port = 8443
    • Monitor = Blast (8443)
  • Service Group, Protocol = UDP
    • Members = VAP01 and VAP02
    • Port = 8443
    • Monitor = Blast (8443)

Two Security Servers for Blast Extreme: if they are named VSS01 and VSS02, the load balancing service configuration for Blast Extreme in Horizon 7 (no PCoIP) is summarized as follows (scroll down for detailed configuration):

  • Service Group, Protocol = SSL_BRIDGE
    • Members = VSS01 and VSS02
    • Port = 443
    • Monitor = SSL (443)
  • Service Group, Protocol = SSL_BRIDGE
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = Blast (8443)
  • Service Group, Protocol = UDP (this service group is only needed if Blast Extreme UDP is enabled)
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = SSL (443) or ping

Two View Security Servers with PCoIP: If the View Security Servers are named VSS01 and VSS02, the load balancing service configuration for PCoIP is summarized as follows (scroll down for detailed configuration):

  • Server = VSS01, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) for paired View Connection Server VCS01.
  • Server = VSS02, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) for paired View Connection Server VCS02.
  • Service Group, Protocol = UDP
    • Members = VSS01 and VSS02
    • Port = 443
    • Monitor = SSL (443) or ping
  • Service Group, Protocol = TCP
    • Members = VSS01 and VSS02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = UDP
    • Members = VSS01 and VSS02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = SSL_BRIDGE
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = Blast (8443)
  • Service Group, Protocol = UDP
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = Blast (8443)

TCP 443 Load Balancing Services

Here are general instructions for the TCP 443 Horizon load balancing services. These instructions detail the more complicated Security Server configuration, since each Security Server needs to monitor its paired Connection Server. If you are load balancing Access Point or internal Connection Servers, you could configure a Service Group instead of individual services. See the above configuration summaries for your specific configuration.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  2. On the right, click Add.
  3. Give the Service a descriptive name (e.g. svc-VSS01-SSL).
  4. Change the selection to Existing Server and select the Access Point, Security Server or internal (non-paired) Connection Server you created earlier.
  5. Change the Protocol to SSL_BRIDGE, and click OK.
  6. On the left, in the Monitors section, click where it says 1 Service to Load Balancing Monitor Binding.
  7. Ignore the current monitor and click Add Binding.
  8. Click the arrow next to Click to select.
  9. Select the Horizon-SSL monitor and click Select.
  10. Then click Bind.
  11. If you are load balancing PCoIP through a View Security Server or Access Point, add monitors for PCoIP Secure Gateway (4172) and Blast Secure Gateway (8443) too. If 4172 or 8443 fails, then 443 needs to be marked DOWN.
  12. If this is a Security Server, also add a monitor that has the IP address of the paired Connection Server. If the paired Connection Server is down, the Security Server needs to be marked as DOWN so that NetScaler stops sending connections to it.
  13. The Last Response should indicate Success. If you bound multiple monitors to the Service, then the member will only be UP if all monitors succeed. There’s a refresh button on the top-right. Click Close when done.
  14. Then click Done.
  15. Right-click the first service and click Add.
  16. Change the name to match the second Horizon Server or Access Point.
  17. Select Existing Server and use the Server drop-down to select the second Horizon Server.
  18. The remaining configuration is identical to the first server. Click OK.
  19. You will need to configure the monitors again. They will be identical to the first server except for the monitoring of the paired View Connection Server. Click Done when done.

Other Ports Load Balancing Services

Here are general instructions for the remaining Horizon services. These instructions use Service Groups but you could just as easily add Services instead. See the above summaries for your specific configuration.

  1. On the left, go to Traffic Mgmt > Load Balancing > Service Groups.
  2. On the right, click Add.
  3. Name it svcgrp-Horizon-UDP443 or similar. UDP 443 is for Blast Extreme in Horizon 7 through Access Points. If View Security Servers, the name should be svcgrp-Horizon-UDP8443.
  4. Change the Protocol to UDP. Click OK.
  5. Click where it says No Service Group Member.
  6. Change the selection to Server Based and then click Click to select.
  7. Select your multiple Security Servers or multiple Access Points and click Select.
  8. If Access Points, enter 443 as the Port. If View Security Servers, enter 8443 as the port. Click Create.
  9. Click OK.
  10. On the right, in the Advanced Settings column, add the Monitors section.
  11. Click where it says No Service Group to Monitor Binding.
  12. Click to select.
  13. Select the Horizon-SSL monitor, click Select, and then click Bind.
  14. Click Done.
  15. Add another Service Group for PCoIP on TCP 4172.
    1. Name = svcgrp-Horizon-PCoIPTCP or similar.
    2. Protocol = TCP
    3. Members = multiple Security Servers or multiple Access Points.
    4. Port = 4172.
    5. Monitors = Horizon-PCoIP. You can add the other monitors if desired.
  16. Add another Service Group for PCoIP on UDP 4172.
    1. Name = svcgrp-Horizon-PCoIPUDP or similar.
    2. Protocol = UDP
    3. Members = multiple Security Servers or multiple Access Points
    4. Port = 4172.
    5. Monitors = Horizon-PCoIP. You can add the other monitors if desired.
  17. Add another Service Group for SSL_BRIDGE 8443.
    1. Name = svcgrp-Horizon-TCP8443 or similar.
    2. Protocol = SSL_BRIDGE
    3. Members = multiple Security Servers or multiple Access Points
    4. Port = 8443.
    5. Monitors = Horizon-Blast. You can add the other monitors if desired.
  18. If you haven’t done this already, add another Service Group for UDP 8443 (Blast Extreme in Horizon 7).
    1. Name = svcgrp-Horizon-UDP8443 or similar.
    2. Protocol = UDP
    3. Members = multiple Security Servers or multiple Access Points
    4. Port = 8443.
    5. Monitors = Horizon-Blast. You can add the other monitors if desired.
  19. The five service groups should look something like this:

Load Balancing Virtual Servers

Create separate load balancing vServers for internal and DMZ.

  • Internal VIP load balances the non-paired Internal Connection Servers. Access Point appliances also use this VIP to access the internal Connection Servers.
  • DMZ VIP load balances the Security Servers or Access Point appliances.

The paired View Connection Servers do not need to be load balanced.

For the internal Connection Servers you only need a load balancer for SSL_BRIDGE 443. If tunneling is disabled then you don’t need load balancers for the other ports (UDP/TCP 4172 and SSL_BRIDGE 8443).

However, Security Servers and Access Points listen on more ports so you will need separate load balancers for each port number. Here is a summary of their Virtual Servers, all listening on the same IP address. Depending on the configured protocol, you might not need all of these Virtual Servers.

  • Virtual Server on SSL_BRIDGE 443 – bind both Horizon SSL_BRIDGE 443 Services.
  • Virtual Server on UDP 443 (Horizon 7) – bind the UDP 443 service group.
  • Virtual Server on UDP 4172 – bind the PCoIPUDP service group.
  • Virtual Server on TCP 4172 – bind the PCoIPTCP service group.
  • Virtual Server on SSL_BRIDGE 8443 – bind the SSL_BRIDGE 8443 service group.
  • Virtual Server on UDP 8443 (Horizon 7) – bind the UDP 8443 service group.

Do the following to create the Virtual Servers:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right click Add.
  3. Name it Horizon-SSL-LB or similar.
  4. Change the Protocol to SSL_BRIDGE.
  5. Specify a new VIP. This one VIP will be used for all of the Virtual Servers.
  6. Enter 443 as the Port.
  7. Click OK.
  8. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
  9. Click the arrow next to Click to select.
  10. Select the two View-SSL Services and click Select.
  11. Click Bind.
  12. Click Continue.
  13. Then click Done. Persistency will be configured later.
  14. If this is Horizon 7, and if this is an Access Point, then create another Load Balancing Virtual Server for UDP 443:
    1. Same VIP as the TCP 443 Load Balancer.
    2. Protocol = UDP, Port = 443
    3. Service Group Binding = the UDP 443 Service Group
  15. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for PCoIP UDP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 4172
    3. Service Group Binding = the PCoIP UDP Service Group.
  16. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for PCoIP TCP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = TCP, Port = 4172
    3. Service Group Binding = the PCoIP TCP Service Group
  17. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for SSL_BRIDGE 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = SSL_BRIDGE, Port = 8443
    3. Service Group Binding = the TCP 8443 SSL_BRIDGE Service Group
  18. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for UDP 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 8443
    3. Service Group Binding = the UDP 8443 Service Group
  19. This gives you six Virtual Servers on the same VIP but different protocols and port numbers.

Persistency Group

For Security Servers and Access Points, users will first connect to SSL_BRIDGE 443 and be load balanced. Subsequent connections to the other port numbers must go to the same load balanced server. Create a Persistency Group to facilitate this.

For internal View Connection Servers, you probably only have one SSL_BRIDGE load balancer for those servers, and thus you could configure persistence directly on that one load balancing vServer instead of creating a Persistency Group. However, since the Security Servers and Access Points have multiple load balancing vServers on different ports, you need to bind them together into a Persistency Group.

  1. On the left, under Traffic Management, expand Load Balancing and click Persistency Groups.
  2. On the right, click Add.
  3. Give the Persistency Group a name (e.g. Horizon).
  4. Change the Persistence to SOURCEIP.
  5. Enter a timeout that is equal to or greater than the timeout in Horizon View Administrator, which defaults to 10 hours (600 minutes).
  6. In the Virtual Server Name section, click Add.
  7. Move all six Security Server / Access Point Load Balancing Virtual Servers to the right. Click Create.

CLI Commands

Here’s a list of CLI commands for the most basic configuration of two Access Points with Blast Extreme only (no PCoIP):

add server VAP01 10.2.2.187
add server VAP02 10.2.2.24
add lb monitor Horizon-SSL HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -secure YES
add serviceGroup svcgrp-Horizon-SSL SSL_BRIDGE
add serviceGroup svcgrp-Horizon-UDP443 UDP
bind serviceGroup svcgrp-Horizon-SSL VAP01 443
bind serviceGroup svcgrp-Horizon-SSL VAP02 443
bind serviceGroup svcgrp-Horizon-SSL -monitorName Horizon-SSL
bind serviceGroup svcgrp-Horizon-UDP443 VAP01 443
bind serviceGroup svcgrp-Horizon-UDP443 VAP02 443
bind serviceGroup svcgrp-Horizon-UDP443 -monitorName Horizon-SSL
add lb vserver Horizon-SSL-LB SSL_BRIDGE 10.2.2.204 443
add lb vserver Horizon-UDP443-LB UDP 10.2.2.204 443
bind lb vserver Horizon-SSL-LB svcgrp-Horizon-SSL
bind lb vserver Horizon-UDP443-LB svcgrp-Horizon-UDP443
bind lb group Horizon Horizon-SSL-LB
bind lb group Horizon Horizon-UDP443-LB
set lb group Horizon -persistenceType SOURCEIP -timeout 600

Here’s a list of CLI commands for the more complicated Security Server configuration:

add server VSS01 10.2.2.187
add server VSS02 10.2.2.24
add lb monitor Horizon-PCoIP TCP -destPort 4172
add lb monitor Horizon-Blast TCP -destPort 8443
add lb monitor Horizon-SSL HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -secure YES
add lb monitor Horizon-SSL-VCS01 HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -destIP 10.2.2.19 -destPort 443 -secure YES
add lb monitor Horizon-SSL-VCS02 HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -destIP 10.2.2.20 -destPort 443 -secure YES
add service svc-VSS01-SSL VSS01 SSL_BRIDGE 443
add service svc-VSS02-SSL VSS02 SSL_BRIDGE 443
bind service svc-VSS02-SSL -monitorName Horizon-SSL-VCS02
bind service svc-VSS02-SSL -monitorName Horizon-SSL
bind service svc-VSS02-SSL -monitorName Horizon-Blast
bind service svc-VSS02-SSL -monitorName Horizon-PCoIP
bind service svc-VSS01-SSL -monitorName Horizon-SSL-VCS01
bind service svc-VSS01-SSL -monitorName Horizon-Blast
bind service svc-VSS01-SSL -monitorName Horizon-PCoIP
bind service svc-VSS01-SSL -monitorName Horizon-SSL
add serviceGroup svcgrp-Horizon-UDP443 UDP
add serviceGroup svcgrp-Horizon-PCoIPTCP TCP
add serviceGroup svcgrp-Horizon-PCoIPUDP UDP
add serviceGroup svcgrp-Horizon-TCP8443 SSL_BRIDGE
add serviceGroup svcgrp-Horizon-UDP8443 UDP
bind serviceGroup svcgrp-Horizon-UDP443 VSS01 443
bind serviceGroup svcgrp-Horizon-UDP443 VSS02 443
bind serviceGroup svcgrp-Horizon-UDP443 -monitorName Horizon-SSL
bind serviceGroup svcgrp-Horizon-PCoIPTCP VSS01 4172
bind serviceGroup svcgrp-Horizon-PCoIPTCP VSS02 4172
bind serviceGroup svcgrp-Horizon-PCoIPTCP -monitorName Horizon-PCoIP
bind serviceGroup svcgrp-Horizon-PCoIPUDP VSS01 4172
bind serviceGroup svcgrp-Horizon-PCoIPUDP VSS02 4172
bind serviceGroup svcgrp-Horizon-PCoIPUDP -monitorName Horizon-PCoIP
bind serviceGroup svcgrp-Horizon-TCP8443 VSS01 8443
bind serviceGroup svcgrp-Horizon-TCP8443 VSS02 8443
bind serviceGroup svcgrp-Horizon-TCP8443 -monitorName Horizon-Blast
bind serviceGroup svcgrp-Horizon-UDP8443 VSS01 8443
bind serviceGroup svcgrp-Horizon-UDP8443 VSS02 8443
bind serviceGroup svcgrp-Horizon-UDP8443 -monitorName Horizon-Blast
add lb vserver Horizon-SSL-LB SSL_BRIDGE 10.2.2.204 443
add lb vserver Horizon-UDP443-LB UDP 10.2.2.204 443
add lb vserver Horizon-PCoIPUDP-LB UDP 10.2.2.204 4172
add lb vserver Horizon-PCoIPTCP-LB TCP 10.2.2.204 4172
add lb vserver Horizon-8443TCP-LB SSL_BRIDGE 10.2.2.204 8443
add lb vserver Horizon-8443UDP-LB UDP 10.2.2.204 8443
bind lb vserver Horizon-SSL-LB svc-VSS01-SSL
bind lb vserver Horizon-SSL-LB svc-VSS02-SSL
bind lb vserver Horizon-UDP443-LB svcgrp-Horizon-UDP443
bind lb vserver Horizon-PCoIPTCP-LB svcgrp-Horizon-PCoIPTCP
bind lb vserver Horizon-PCoIPUDP-LB svcgrp-Horizon-PCoIPUDP
bind lb vserver Horizon-8443TCP-LB svcgrp-Horizon-TCP8443
bind lb vserver Horizon-8443UDP-LB svcgrp-Horizon-UDP8443
bind lb group Horizon Horizon-SSL-LB
bind lb group Horizon Horizon-UDP443-LB
bind lb group Horizon Horizon-PCoIPUDP-LB
bind lb group Horizon Horizon-PCoIPTCP-LB
bind lb group Horizon Horizon-8443TCP-LB
bind lb group Horizon Horizon-8443UDP-LB
set lb group Horizon -persistenceType SOURCEIP -timeout 600

Horizon View Configuration – Security Servers

This section is not needed for Access Points. For Access Points, the secure gateways should be disabled, not enabled.

  1. On the Security Servers (or Connection Servers), request a certificate that matches the FQDN that resolves to the Load Balancing VIP.
  2. Make sure the private key is exportable.
  3. Set the Friendly Name to vdm and restart the View Security Server services.
  4. In View Administrator, go to View Configuration > Servers.
  5. On the right, switch to the Security Servers tab.
  6. Highlight a server and click Edit.
  7. Change the URLs to the FQDN that resolves to the load balancing VIP.
  8. Change the PCoIP URL to the VIP. For View Security Servers, this is typically a public IP that is NAT’d to the DMZ Load Balancing VIP.

NetScaler 11 System Configuration

Last Modified: Jan 15, 2021 @ 6:23 am

💡 = Recently Updated

VPX Hardware

NetScaler VPX Release 11.0 Build 65.72 and newer supports new VPX models on ESXi. These new models include: VPX 25, VPX 5G, VPX 25G, etc. See the NetScaler VPX datasheet for more info.  💡

11.0 build 65.72 and newer firmware also supports changing the NIC type to VMXNET3 or SR-IOV. The imported appliance comes with E1000 NICs so you’ll have to remove the existing virtual NICs and add new VMXNET3 NICs.

NetScaler for Azure can now be upgraded to 11.0 build 65.31 or newer. It will be possible to upgrade to future releases of NetScaler firmware. More details by Thomas Goodwin at Citrix Discussions.  💡

Customer User Experience Improvement Program

  1. You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable or click Skip.

  2. You can enable or disable Customer Experience Improvement Program by going to System > Settings.
  3. On the right is Change CUXIP Settings.
  4. Make your selection and click OK.
    set system parameter -doppler ENABLED

Welcome Wizard

NetScaler has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you log in.

  1. Click the Subnet IP Address box.
  2. You can either enter a SNIP for one of your interfaces or you can click Do it later.

    add ns ip 172.16.1.11 255.255.255.0 -type SNIP
  3. Click the Host Name, DNS IP Address, and Time Zone box.
  4. Enter a hostname. Your NetScaler Gateway Universal licenses are allocated to this hostname. In a High Availability pair each node can have a different hostname.
  5. Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
  6. Change the time zone to GMT-05:00-CDT-America/Chicago or similar.
  7. Click Done.

    set ns hostname ns02
    
    add dns nameServer 192.168.123.11
    
    set ns param -timezone "GMT-05:00-CDT-America/Chicago"
  8. Click Yes to save and reboot.
  9. Click the Licenses box.
  10. You can click Add New License to license the appliance now. Or do it later.

    The Host ID you need when allocating licenses is displayed on the far right side of the screen.
    License files are stored in /nsconfig/license.
  11. Then click Continue.

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

  1. One method is to look in the GUI.
  2. In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
  3. Or go to System > Licenses.

  4. On the right, click Manage Licenses.
  5. Click Add New License.
  6. On the far right side of the screen the Host ID is displayed.
  7. Another option is to SSH to the appliance and run shell.
  8. Then run lmutil lmhostid. The MAC address is returned.

Licensing – Citrix.com

  1. Log in to citrix.com.
  2. Click Activate and Allocate Licenses.
  3. Check the box next to a Citrix NetScaler license and click Continue.
  4. If this is a NetScaler MPX license then there is no need to enter a host ID for this license so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.

    For a VPX appliance, you can also get the Host ID by looking at the System Information page.
  5. Click Confirm.
  6. Click OK when asked to download the license file.
  7. Click Download.
  8. Click Save and put it somewhere where you can get to it later.
  9. If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
  10. Enter your appliance hostname as the Host ID for all licenses.
  11. Click Confirm.
  12. Click OK when prompted to download your license file.
  13. Click Download.
  14. Click Save.
  15. If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.

Install Licenses on Appliance

  1. In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
  2. On the right, click Manage Licenses.
  3. Click Add New License.
  4. If you have a license file, select Upload license files from a local computer and then click Browse.

    License files are stored in /nsconfig/license.
  5. Click Reboot when prompted. Log in after the reboot.
  6. After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
  7. Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or else packets will drop.

Upgrade Firmware

Citrix CTX127455 How to Upgrade Software of the NetScaler Appliances in a High Availability Setup

  1. Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts link on the top right.
  2. Make sure you Save the config before beginning the upgrade.
  3. Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
  4. When upgrading from 10.5 or older, make sure the NetScaler Gateway Theme is set to Default or Green Bubbles. After the upgrade, you’ll have to create a new Portal Theme and bind it to the Gateway vServers.
  5. Start with the Secondary appliance.
  6. Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
  7. In the NetScaler GUI, with the top left node (System) selected, click System Upgrade.
  8. Browse to the build…tgz file. If you haven’t downloaded firmware yet then you can click the Download Firmware link.
  9. Click Upgrade.
  10. The firmware will upload.
  11. You should eventually see a System Upgrade window with text in it. Click Yes when prompted to reboot.
  12. Once the Secondary is done, log in and fail over the pair.
  13. Then upgrade the firmware on the former Primary.


To install firmware by using the command-line interface

  1. To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
  2. Create a version directory under /var/nsinstall (e.g. /var/nsinstall/11.0.61).
  3. Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.0.61) directory on the appliance.
  4. Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
  5. At a command prompt, type shell.
  6. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
  7. To view the contents of the directory, type ls.
  8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
  9. To start the installation, at a command prompt, type ./installns.
  10. When the installation is complete, restart NetScaler.
  11. When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

  1. Prepare the secondary appliance:
    1. Configure a NSIP.
    2. Don’t configure a SNIP. You can click Do It Later to skip the wizard.
    3. Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.
    4. License the secondary appliance.
    5. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
  2. On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.


    set ha node -hastatus STAYSECONDARY
  3. On the primary appliance, on the left, expand System, expand Network and click Interfaces.
  4. On the right, look for any interface that is currently DOWN. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface and click Disable. Repeat for the remaining disconnected interfaces.

    show interface
    disable interface 1/1
  5. On the left, expand System and click High Availability.
  6. On the right, click Add.
  7. Enter the other NetScaler’s IP address.
  8. Enter the other NetScaler’s login credentials and click Create.

    add ha node 1 192.168.123.14
    Note: this command must be run separately on each appliance.
  9. If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.

    Eventually it will say SUCCESS.
  10. To enable Fail-safe mode, edit Node ID 0 (the local appliance).
  11. Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.
    set ha node -failSafe ON
  12. If you log in to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
  13. On the secondary appliance, go to System > High Availability, double-click the local node, and change it from STAY SECONDARY to ENABLED.
  14. From the CLI, run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
  15. You can force failover of the primary appliance by opening the Actions menu, and clicking Force Failover.

    force ha failover
    If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table.

Multiple Interfaces – VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.


Channels: You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Manual Channel, or the new Redundant Interface Set feature. See Webinar: Troubleshooting Common Network Related Issues with NetScaler.

NetScaler VPX defaults to two connected interfaces, so if you only have one subnet, disconnect one of those interfaces.

A Redundant Interface Set is configured almost identically to a Manual Channel except that the Channel ID starts with LR instead of LA.


Common interface configuration: Here is a common NetScaler networking configuration for a NetScaler that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

  • 0/1 connected to a dedicated management network. NSIP is on this network.
    • 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, etc.) and don’t connect any cables to 0/1.
    • To prevent NetScaler from using this interface for outbound data traffic, don’t put a SNIP on this network, and configure the default gateway to use a different data network. However, if there’s no SNIP, and if the default gateway is on a different network, then there will be asymmetric routing for management traffic since inbound is 0/1 but outbound is LA/1. To work around this problem, enable MAC Based Forwarding, or create a Policy Based Route.
    • It’s easiest if the switch port for this interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
  • 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
  • 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). Default gateway points to a router on a DMZ VLAN so replies can be sent to Internet clients.
    • If only one DMZ VLAN, configure the switch ports/channel as an Access Port.
    • If multiple DMZ VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.


SNIPs: You will need one SNIP for each connected subnet. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.


NSIP: The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any subnet that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).


To configure multiple connected subnets:

  1. On the left, expand System, and click Settings.
  2. On the right, in the left column, click Configure modes.
  3. Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).

    enable mode mbf
  4. Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
  5. On the right, click Add.
  6. Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
  7. Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
  8. Ensure the IP Type is set to Subnet IP. Scroll down.

    add ns ip 172.16.1.11 255.255.255.0 -type SNIP
  9. Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
  10. Click Create when done. Continue adding SNIPs for each connected network (VLAN).

    set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
  11. On the left, expand System, expand Network and click VLANs.
  12. On the right, click Add.
  13. Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
  14. Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
  15. If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
  16. If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1 and instead put in this VLAN ID.
  17. Switch to the IP Bindings tab.
  18. Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.

    add vlan 50
    bind vlan 50 -ifnum LA/1 -IPAddress 172.16.1.11 255.255.255.0
    
  19. The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network and click Routes.
  20. On the right, click Add.
  21. Internal networks are only accessible through an internal router. Add a static route to the internal networks and set the Gateway to an internal router. Then click Create.

    add route 192.168.0.0 255.255.0.0 192.168.123.1
  22. Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. To create a PBR, go to System > Network > PBRs.
  23. The source IP is the NSIP, and next hop is a router on the same network as the NSIP. Destination is not needed.
  24. Then open the Action menu, and click Apply.

    add ns pbr NSIP ALLOW -srcIP = 10.2.2.59 -nextHop 10.2.2.1
    apply ns pbrs
  25. Go back to System > Network > Routes. On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.

    rm route 0.0.0.0 0.0.0.0 192.168.123.1
  26. Then click Add.
  27. Set the Network to 0.0.0.0 and the Netmask to 0.0.0.0. Enter the IP address of the DMZ router and click Create.

    add route 0.0.0.0 0.0.0.0 172.16.1.1

DNS Servers

  1. To configure DNS servers, expand Traffic Management, expand DNS and click Name Servers.
  2. On the right, click Add.
  3. Enter the IP address of a DNS server and click Create.
  4. Note: The NetScaler must be able to ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP. If you are unwilling to enable Ping then you will need to load balance your DNS servers on the local NetScaler appliance.

    add dns nameServer 192.168.123.11

NTP Servers

  1. On the left, expand System, and click NTP Servers.
  2. On the right, click Add.
  3. Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.

    add ntp server pool.ntp.org
  4. Open the Action menu and click NTP Synchronization.
  5. Select ENABLED and click OK.

    enable ntp sync
  6. You can click the System node to view the System Time.
  7. If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date --help to see the syntax.
  8. ntpdate -u pool.ntp.org will cause an immediate NTP time update.


Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:

  1. Replace the following line in /etc/ntp.conf file, if it exists:
    restrict default ignore
  2. Add the following lines in file /etc/ntp.conf:
    # By default, exchange time with everybody, but don't allow configuration:
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery
    
    # Local users may interrogate the ntp server more closely:
    
    restrict 127.0.0.1
    restrict ::1
  3. Restart NTP using the following commands:
    > shell
    root@ns# ps -aux |grep "ntp"
    root@ns# kill <PID obtained from step above>
    root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf


Citrix Knowledgebase Article CTX200355 – Citrix Security Advisory for NTP Vulnerabilities:

By default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in deployments where customers have enabled NTP on the appliance, it is likely that these vulnerabilities will impact NetScaler.

We recommend that customers apply the following remediation:

Open the NetScaler’s ntp.conf file in /etc and add the following lines:

restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other 'restrict' directives should be reviewed to ensure that they contain both 'nomodify' and 'noquery' and that the file contains no 'crypto' directives.

When this editing is complete, save the file and copy it to the /nsconfig directory. The NTP service must then be restarted for the changes to take effect. As with all changes, Citrix recommends that this is evaluated in a test environment prior to releasing to production.
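The two KB articles above boil down to a handful of checks on /etc/ntp.conf. The following Python script is an added example, not from this article or from Citrix: it parses an ntp.conf and reports a leftover restrict default ignore, any restrict line that lacks nomodify and noquery, a missing restrict default for either address family, and any crypto directive. It assumes that loopback restrict lines may stay open, as the CTX200286 sample does, and both sample configurations are constructed here.

```python
"""Audit ntp.conf restrict/crypto directives against the KB guidance above.

Added example; the sample configurations below are constructed, not taken
from an appliance."""

REQUIRED_FLAGS = {"nomodify", "noquery"}
# Assumption: loopback may stay unrestricted, as the CTX200286 sample does.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ntp_conf(text):
    """Return [(directive, [args])] for each non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the file meets the guidance."""
    findings = []
    default_seen = {"-4": False, "-6": False}
    for directive, args in parse_ntp_conf(text):
        if directive == "crypto":
            findings.append("'crypto' directive present; CTX200355 says the file should contain none")
            continue
        if directive != "restrict" or not args:
            continue
        families = ["-4", "-6"]          # a bare 'restrict default' covers both families
        if args[0] in ("-4", "-6"):
            families, args = [args[0]], args[1:]
        if not args:
            continue
        target, rest = args[0], args[1:]
        if rest[:1] == ["mask"]:         # 'restrict <net> mask <mask> flags...'
            rest = rest[2:]
        flags = set(rest)
        if target == "default":
            for fam in families:
                default_seen[fam] = True
            if flags == {"ignore"}:
                findings.append("'restrict default ignore' present; CTX200286 says to replace it")
            elif not REQUIRED_FLAGS <= flags:
                findings.append(f"restrict {' '.join(families)} default lacks {sorted(REQUIRED_FLAGS - flags)}")
        elif target not in LOOPBACK and not REQUIRED_FLAGS <= flags:
            findings.append(f"restrict {target} lacks nomodify/noquery; review per CTX200355")
    for fam, seen in default_seen.items():
        if not seen:
            findings.append(f"no 'restrict {fam} default' line; queries from any host are unrestricted")
    return findings


# Constructed sample: the hardened lines from CTX200286 above.
HARDENED_CONF = """\
server pool.ntp.org
# By default, exchange time with everybody, but don't allow configuration:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely:
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample of a file the KB articles would reject.
WEAK_CONF = """\
server pool.ntp.org
restrict default ignore
restrict 10.0.0.0 mask 255.0.0.0 notrap
crypto pw secret
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, audit_ntp_conf(conf) or "OK")
```

Run it against a copy of /flash/nsconfig/ntp.conf pulled down with WinSCP before and after the edit; the hardened sample returns no findings, the weak one returns three.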

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

  1. On the left, expand System, expand Auditing, and click Syslog.
  2. On the right, switch to the Servers tab and click Add.
  3. Enter a name for the Syslog server.
  4. Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
  5. Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
  6. Select your desired Time Zone and then click Create.

    add audit syslogAction CommandCenter 192.168.123.12 -logLevel ALL -timeZone LOCAL_TIME
  7. On the right, switch to the Policies tab, and then click Add.
  8. Give the policy a descriptive name, select the Syslog server, and then click Create.

    add audit syslogPolicy CommandCenter ns_true CommandCenter
  9. While still on the Policies tab, open the Actions menu and click Global Bindings.
  10. Click the arrow next to Click to select.
  11. Select the Syslog policy you want to bind and click Select.
  12. Click Bind.
  13. Select the Syslog policy you want to bind and click Select.
  14. Then click Bind.
  15. Click Done.

    bind system global CommandCenter -priority 100

SNMP – MIB, Traps, and Alarms

  1. On the left, expand System, and click SNMP.
  2. On the right, click Change SNMP MIB.
  3. Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
  4. This configuration needs to be repeated on the other node.

    set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
  5. Expand System, expand SNMP, and click Community.
  6. On the right, click Add.
  7. Specify a community string and the Permission and click Create.

    add snmp community public GET
  8. On the left, under SNMP, click Traps.
  9. On the right, click Add.
  10. Specify a trap destination and Community Name and click Create.

    add snmp trap generic 192.168.123.12 -communityName public
    add snmp trap specific 192.168.123.12 -communityName public
  11. On the left, under SNMP, click Managers.
  12. On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
  13. Change the selection to Management Network.
  14. Specify the IP of the Management Host and click Create.

    add snmp manager 192.168.123.12
  15. The Alarms node allows you to enable SNMP Alarms and configure thresholds.
  16. You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.

    set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
  17. You can also configure the MEMORY alarm.

    set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

  • ifTotXoffSent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
  • ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
  • ifErrRxNoBufs – .1.3.6.1.4.1.5951.4.1.1.54.1.30
  • ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you may optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

  1. On the left, expand System and click Diagnostics.
  2. On the right, in the left column, in the Technical Support Tools section, click Call Home.
  3. Check the box next to Enable Call Home.
  4. Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
  5. If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

  1. Expand System, expand User Administration and click Users.
  2. On the right, right-click nsroot, and click Change Password.
  3. Specify a new password and click OK.

    set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix Knowledgebase articles:


  1. On the left, expand System and click Settings.
  2. On the right side of the right pane, click Change TCP parameters.
  3. Check the box for Window scaling (near the top).
  4. Scroll down and check the box for Selective Acknowledgement. Click OK.

    set ns tcpParam -WS ENABLED -SACK ENABLED
  5. On the right, click Change HTTP parameters.
  6. Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

    set ns param -cookieversion 1
  7. Check the box next to Drop invalid HTTP requests.
  8. Scroll down and click OK.

    set ns httpParam -dropInvalReqs ON
  9. You can run the following command to see statistics on the dropped packets:
    nsconmsg -g http_err_noreuse_ -d stats
  10. See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Then run kill -HUP `cat /var/run/sshd.pid` to restart SSHD.  💡
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160
  11. Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.
    add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES
    
    add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP -logAction ShellShock_Log
    
    bind responder global ShellShock_policy 10 END -type REQ_DEFAULT
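To see what the responder policy above actually drops, here is a Python model of its four sub-expressions run over constructed requests. This is an added example, not part of the article or of CTX200277; it assumes HTTP.REQ.FULL_HEADER is the header block, that BODY(1000) inspects only the first 1000 bytes, and that the query string is matched without URL decoding. The third sample shows why it is worth binding the policy with a NOOP action and the log action first, before switching to DROP: ordinary JavaScript in a POST body matches the same pattern, and the fourth sample shows the pattern escaping notice once it sits past the 1000-byte window.

```python
"""Model of the ShellShock_policy expression above, for testing against
sample requests. Added example, not from the article or Citrix; the
requests below are constructed."""
import re

# Python equivalents of the four sub-expressions in the responder policy.
FUNC_DEF = re.compile(r"\(\)\s*\{")               # HTTP.REQ.FULL_HEADER and HTTP.REQ.BODY(1000)
QUERY_FUNC_DEF = re.compile(r"\(\)(\s*|\++)\{")   # HTTP.REQ.URL.QUERY, '+' as an encoded space
ENCODED_FUNC_DEF = re.compile(r"%28%29[+]*%7B")   # HTTP.REQ.BODY(1000), URL-encoded form
BODY_WINDOW = 1000  # assumption: BODY(1000) inspects only the first 1000 bytes


def shellshock_hits(headers, query="", body=""):
    """Return the sub-expressions that match; an empty list means the policy would not fire."""
    hits = []
    full_header = "\r\n".join(f"{name}: {value}" for name, value in headers.items())
    if FUNC_DEF.search(full_header):
        hits.append("header")
    window = body[:BODY_WINDOW]
    if FUNC_DEF.search(window):
        hits.append("body")
    if QUERY_FUNC_DEF.search(query):
        hits.append("query")
    if ENCODED_FUNC_DEF.search(window):
        hits.append("body-urlencoded")
    return hits


# Constructed requests; the hostname is a placeholder.
SAMPLES = {
    "bash-function-in-user-agent": dict(headers={"Host": "www.corp.local", "User-Agent": "() { :; }; :"}),
    "plus-encoded-query": dict(headers={"Host": "www.corp.local"}, query="x=()+{"),
    "ordinary-javascript-post": dict(headers={"Host": "www.corp.local"}, body="var f = function() { return 1; };"),
    "pattern-past-1000-bytes": dict(headers={"Host": "www.corp.local"}, body="a" * 1000 + "() {"),
    "normal-browser": dict(headers={"Host": "www.corp.local", "User-Agent": "Mozilla/5.0"}, query="q=netscaler"),
}


def evaluate_samples():
    """Map each sample name to the list of matching sub-expressions."""
    return {name: shellshock_hits(**req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print(f"{name:28} -> {'DROP ' + ','.join(hits) if hits else 'pass'}")
```

The false positive on the JavaScript body is the one to weigh: if the back-end application accepts user-supplied script or code snippets, consider scoping the policy to the URLs that reach CGI handlers rather than binding it globally.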

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

  • Maximum logon attempts on NetScaler Gateway Virtual Server
  • Rate Limiting for IP.SRC and HTTP.REQ.URL.
  • nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
  • Syslog logging
  • External website monitoring
  • Obfuscate the Server header in the HTTP response
  • Disable management access on SNIPs
  • Change nsroot strong password, use LDAP authentication, audit local accounts
  • Don’t enable Enhanced Authentication Feedback
  • SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
  • 2-factor authentication
  • Command Center and Insight Center
  • Review IPS/IDS & Firewall logs

Management Authentication

Load balancing of authentication servers is strongly recommended since during an authentication attempt only one LDAP server is chosen. If you instead bind multiple LDAP servers, it would try all of them, and for incorrect passwords, it will lock out the user sooner than expected.

  1. Expand System, expand Authentication, and then click LDAP.
  2. On the right, switch to the Servers tab. Then click Add.
  3. Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
  4. Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
  5. Change the Security Type to SSL.
  6. Enter 636 as the Port. Scroll down.
  7. In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
  8. Enter the credentials of the LDAP bind account in userPrincipalName format.
  9. Check the box next to BindDN Password and enter the password. Scroll down.
  10. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  11. On the right, check the box next to Allow Password Change.
  12. It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

    An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
    Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

    Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  13. Scroll down and click Nested Group Extraction to expand it.
  14. If desired, change the selection to Enabled.
  15. Set the Group Name Identifier to samAccountName.
  16. Set Group Search Attribute to –<< New >>– and enter memberOf.
  17. Set Group Search Sub-Attribute to –<< New >>– and enter CN.
  18. Example of LDAP Nested Group Search Filter Syntax

  19. Scroll down and click Create.

    add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  20. Switch to the Policies tab and click Add.
  21. Enter the name LDAPS-Corp-Mgmt or similar.
  22. Select the previously created LDAPS-Corp-Mgmt server.
  23. On the bottom, in the Expressions area, type in ns_true.
  24. Click Create.

    add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt
  25. Click Global Bindings in the right pane.
  26. Click where it says Click to select.
  27. Select the newly created LDAP policy, and click Select.
  28. Click Bind.
  29. Click Done.

    bind system global Corp-Mgmt
  30. Under System, expand User Administration and click Groups.
  31. On the right, click Add.
  32. In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
  33. In the Command Policies section, click Insert.
  34. Select the superuser policy, and click Insert.
  35. Click Create.

    add system group "NetScaler Admins" -timeout 900
    bind system group "NetScaler Admins" -policyName superuser 100
  36. Now you should be able to log in to NetScaler using an Active Directory account.
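Step 12 above builds the memberOf Search Filter by hand. The following Python helper is an added example, not from the article or from Citrix: it assembles the same filter, adds the nested-group matching rule OID when asked, and goes one step beyond the article by escaping the group DN per RFC 4515, so a group name containing parentheses, asterisks or backslashes does not break the filter. It assumes NetScaler inserts the Search Filter text into the LDAP query unchanged.

```python
"""Build the memberOf Search Filter used in step 12 above.

Added example, not from the article or Citrix. Assumption: NetScaler inserts
the Search Filter text into the LDAP query as-is, so RFC 4515 escaping applies."""

# LDAP_MATCHING_RULE_IN_CHAIN: lets memberOf match through nested groups.
NESTED_GROUP_OID = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515).
    Spaces and commas in a DN need no escaping, as the article notes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn, nested=False):
    """Return the Search Filter that restricts logon to members of group_dn.

    nested=True adds the matching rule OID so users who are members through
    an intermediate group also pass the filter."""
    attr = f"memberOf:{NESTED_GROUP_OID}:" if nested else "memberOf"
    return f"{attr}={escape_filter_value(group_dn)}"


if __name__ == "__main__":
    dn = "CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local"
    print(member_of_filter(dn))
    print(member_of_filter(dn, nested=True))
    # A group name with parentheses (constructed) needs the escaping.
    print(member_of_filter("CN=Admins (NetScaler),OU=Citrix,DC=corp,DC=local"))
```

Paste the returned string into the Search Filter field, or into the -searchFilter argument of add authentication ldapAction, exactly as printed.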

CLI Prompt

  1. When you connect to the NetScaler CLI prompt, by default, the prompt is just a >.
  2. You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.

Backup and Restore

11.0 build 64 has an improved backup and restore mechanism.

  1. Go to System > Backup and Restore.

  2. On the right, click the Backup button.
  3. Give the backup file a name.
  4. For Level, select Full and click Backup.
  5. Once the backup is complete, you can download the file.

To restore:

  1. If you want to restore the system and if the backup file is not currently on the appliance, you click the Backup button. Yes, this seems backwards.
  2. Change the selection to Add.
  3. Browse Local to the previously downloaded backup file.
  4. Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
  5. Now you can right-click the backup and click Restore.

Next Steps

Return to NetScaler Procedures list

NetScaler Gateway 11 RADIUS Authentication

Last Modified: Nov 7, 2020 @ 6:35 am


RADIUS Overview

For two-factor authentication using Azure Multi-factor Authentication, see Jason Samuel How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway

Citrix CTX125364 How to Configure Dual Authentication on NetScaler Gateway Enterprise Edition for Use with iPhone and iPad.

Some two-factor products (e.g. SMS Passcode) require you to hide the 2nd password field. Receiver 4.4 and newer supports hiding the 2nd field if you configure a Meta tag in index.html. See CTX205907 Dual-Password Field Shows in First Authentication When Connecting to NetScaler Gateway from Windows Receiver for instructions. 💡

Two-factor authentication to NetScaler Gateway requires the RADIUS protocol to be enabled on the two-factor authentication product.

On your RADIUS servers you’ll need to add the NetScaler appliances as RADIUS Clients. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the appliances as RADIUS Clients. And adjust firewall rules accordingly.

For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.

Two-factor Policies Summary

When configuring the NetScaler Gateway Virtual Server, you can specify both a Primary authentication policy and a Secondary authentication policy. Users are required to successfully authenticate against both before being authorized for NetScaler Gateway.

For browser-based StoreFront, you need two authentication policies:

  • Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
  • Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Receiver Self-service (native Receiver on mobile, Windows, and Mac), the authentication policies are swapped:

  • Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
  • Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support two-factor authentication from both web browsers and Receiver Self-Service, then you’ll need at least four authentication policies as shown below.

Primary:

  • Priority 90 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Secondary:

  • Priority 90 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Create Two-factor Policies

Do the following to create the Two-factor policies:

  1. Create an LDAP server.
  2. For RADIUS, on the left, expand Authentication, and click Dashboard.
  3. On the right, click Add.
  4. Change Choose Server Type to RADIUS.
  5. Give the server a name.
  6. Specify the IP address of the RADIUS load balancing Virtual Server.
  7. Enter the secret key specified when you added the NetScalers as RADIUS clients on the RADIUS server. Click Create.

    add authentication radiusAction RSA -serverIP 10.2.2.210 -serverPort 1812 -radKey Passw0rd
  8. Since you can’t create authentication policies from the authentication dashboard, go to NetScaler Gateway > Policies > Authentication > RADIUS.
  9. On the right, in the Policies tab, click Add.
  10. Name it RSA-SelfService or similar.
  11. Select the RADIUS server created earlier.
  12. Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver; the browser policy uses the same expression with NOTCONTAINS.
  13. Click Create.

    add authentication radiusPolicy RSA-Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA
    
    add authentication radiusPolicy RSA-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA
    
    add authentication ldapPolicy Corp-Gateway-Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway
    
    add authentication ldapPolicy Corp-Gateway-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway
  14. Create another policy to match the ones shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS):
    Name               Expression                                              Server
    RSA-SelfService    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver      RSA
    RSA-Web            REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver   RSA

  15. Go to the NetScaler Gateway\Policies\Authentication\LDAP node.
     
  16. On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).
    Name                    Expression                                              Server
    LDAP-Corp-SelfService   REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver      LDAP-Corp
    LDAP-Corp-Web           REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver   LDAP-Corp

Bind Two-factor Policies to Gateway

  1. When you create the NetScaler Gateway Virtual Server, bind the policies as shown in the following table. Priority doesn’t matter because they are mutually exclusive.
    Policy Name             Type     Bind Point
    LDAP-Corp-Web           LDAP     Primary
    RSA-SelfService         RADIUS   Primary
    LDAP-Corp-SelfService   LDAP     Secondary
    RSA-Web                 RADIUS   Secondary

    bind vpn vserver gateway.corp.com -policy Corp-Gateway-Web -priority 100
    
    bind vpn vserver gateway.corp.com -policy RSA-SelfService -priority 110
    
    bind vpn vserver gateway.corp.com -policy RSA-Web -priority 100 -secondary
    
    bind vpn vserver gateway.corp.com -policy Corp-Gateway-SelfService -priority 110 -secondary
    
  2. The session policy/profile for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. In the Session Profile, the Client Experience tab has a Credential Index setting. For the Receiver Self-Service session profile, change it to SECONDARY, because the LDAP (Active Directory) policy is bound at the Secondary bind point for Receiver clients. Leave the session policy for Web Browsers set to Primary.

    set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
  3. On the StoreFront server, when creating the NetScaler Gateway object, change the Logon type to Domain and security token.