LDAP Authentication – Citrix Gateway

Last Modified: Nov 7, 2020 @ 6:34 am

This article applies to Citrix Gateway 13.0, Citrix Gateway 12.1, and NetScaler Gateway 12.0. Citrix ADC is the new name for NetScaler. Citrix Gateway is the new name for NetScaler Gateway.

Navigation

💡 = Recently Updated

Change Log

  • 2018 Dec 21 – updated screenshots for Citrix Gateway 12.1

LDAP Load Balancing

Before you create an LDAP authentication policy, load balance the Domain Controllers. If you don’t load balance your Domain Controllers, then when users enter an incorrect password, the user account will be prematurely locked out because it makes a failed login attempt against each Domain Controller.

If you have multiple domains, create different Load Balancing Virtual Servers for each domain. These multiple Load Balancing Virtual Servers can share the same VIP if their port numbers are different. Or you can use a different VIP for each domain.

Verify LDAPS

Use the tool ldp.exe to verify that the Domain Controllers have valid certificates installed, and the LDAP service account is able to bind to the LDAP tree.

  1. ldp.exe is included with the Remote Server Administration Tools (AD DS Snap-Ins and Command-Line Tools). On Windows Servers, install it from Server Manager > Add Roles and Features > Features > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools.
  2. Run ldp.exe.
  3. Open the Connection menu, and click Connect.
  4. In the Connect box:
    1. Enter the FQDN of a Domain Controller.
    2. Check the box next to SSL.
    3. Change the port to 636.
  5. Click OK.
  6. If it connected successfully, you can then attempt a bind. If the connection was unsuccessful, then there’s probably an issue with the certificate installed on the Domain Controller.
  7. Open the Connection menu, and click Bind.
  8. In the Bind box:
    1. Change the Bind type to Simple bind.
    2. Enter the service account credentials. You can enter DOMAIN\Username, or you can enter Username@Domain.com.
  9. Click OK.
  10. Look in the right pane to verify a successful bind. If not, fix the credentials and try again.
  11. Once you have successfully binded, you can view the directory tree by opening the View menu, and click Tree.
  12. Click the drop-down to view the directory partitions.
  13. Repeat these steps to verify each Domain Controller, and any load balanced LDAPS.

LDAP Authentication Server

You can configure StoreFrontAuth as an alternative to LDAP. StoreFrontAuth delegates authentication to StoreFront servers instead of performing authentication on Citrix ADC.

To create the LDAP Authentication Server, do the following:

  1. On the left, expand Authentication, and click Dashboard.
  2. On the right, click Add.
  3. Change the Choose Server Type drop-down to LDAP.
  4. In the Name field, enter LDAP-Corp or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain. so make sure you include the domain name.
  5. Change the selection to Server IP. Enter the VIP of the load balancing vServer for LDAP.
  6. Change the Security Type drop-down to SSL.
  7. Enter 636 as the Port. Scroll down.

  8. In the Connection Settings section, do the following:
    1. In the Base DN field, enter your Active Directory DNS domain name in LDAP format.
    2. In the Administrator Bind DN field, enter the credentials of the LDAP bind account in userPrincipalName format. Domain\Username also works.
    3. Enter the Administrator Password.
    4. Click Test Connection. Citrix ADC will attempt to login to the LDAP IP.
  9. Scroll down.
  10. In the Other Settings section, use the drop-downs next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  11. On the right side of the Other Settings section, check the box next to Allow Password Change.

  12. If you want to restrict Citrix Gateway access to only members of a specific AD group, in the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: to the Search Filter so it searches through nested groups. Without this, users will need to be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local

    1. An easy way to get the full distinguished name of the group is through Active Directory Users and Computers.
    2. Open the View menu, and enable Advanced Features. The Attribute Editor is only present if this feature is enabled.
    3. Browse to the group object, right-click it, and click Properties. Note: you cannot use Find. Instead, you must navigate through the tree to find the object.
    4. Switch to the Extensions page. On the right, switch to the Attribute Editor tab. This tab is only visible if Advanced Features are enabled, and you didn’t use the Find feature.
    5. Scroll down to distinguishedName, double-click it, and then copy it to the clipboard.
    6. Back on the Citrix ADC, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  13. For another LDAP Search Filter expression, see CTX226808 Expression to exclude multiple domains by using search filter in LDAP on NetScaler
    !(|(userprincipalname=*@aa.lab.com)(userprincipalname=*@ns.lab.com)
  14. Scroll down, and click More.
  15. For Nested Group Extraction, if desired, change the selection to Enabled. Configuring Nested Group Extraction allows the Nested Groups to be used for AAA Groups.
    1. Set Group Name Identifier to samAccountName.
    2. Set Group Search Attribute to memberOf. Select << New >> first.
    3. Set Group Search Sub-Attribute to CN. Select << New >> first.
    4. For the Group Search Filter field, see CTX123795 Example of LDAP Nested Group Search Filter Syntax.
  16. Scroll down, and click Create.

    add authentication ldapAction Corp-Gateway -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=Citrix Remote,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  17. The status of the LDAP Server should be Up.

LDAP Policy Expression

The Authentication Dashboard doesn’t allow you to create the LDAP Policy, so you must create it elsewhere.

You can create the LDAP policy now. Or you can wait and create it later when you bind the LDAP Server to the Citrix Gateway vServer.

To create it now:

  1. Enter LDAP in the menu Search box to find one of the nodes that lets you create Basic Authentication Policies.

    • Or, navigate to Citrix Gateway > Policies > Authentication > LDAP.
  2. On the right, in the Policies tab, click Add.
  3. Change the Server drop-down to the LDAP Server you created earlier.
  4. Give the LDAP Policy a name (one for each domain).
  5. In the Expression box, enter ns_true.
    • Citrix Gateway does not support Advanced Authentication policies bound directly to the Gateway Virtual Server. If you prefer Advanced Authentication Policies, then you’ll instead need to configure nFactor.
  6. Click Create.

     add authentication ldapPolicy LDAP-Corp ns_true LDAP-Corp
  7. If you see a message about classic authentication policies deprecation, click OK and ignore it.

Gateway Authentication Feedback

  1. On the left, under Citrix Gateway, click Global Settings.
  2. On the right, in the right column, click Change authentication AAA settings.
  3. Optionally, near the middle of the page, check the box for Enable Enhanced Authentication Feedback. This feature provides a message to users if authentication fails. The messages users receive include password errors, account disabled or locked, or the user is not found, to name a few. This setting might not be advisable in a secure environment.
  4. Click OK.

    set aaa parameter -enableEnhancedAuthFeedback YES

Next Step

Multiple Domains – UPN Method

Cascade – To support multiple Active Directory domains on a Citrix Gateway, you create multiple LDAP authentication policies, one for each Active Directory domain, and bind all of the LDAP policies to the Citrix Gateway Virtual Server. When the user logs into Citrix Gateway, only the username and password are entered. The Citrix ADC will then loop through each of the LDAP policies in priority order until it finds one that contains the entered username/password.

Same user/password in multiple domains – What if the same username is present in multiple domains? As Citrix ADC loops through the LDAP policies, as soon as it finds one with the specified username, it will try to authenticate with that particular LDAP policy. If the password doesn’t match the user account for the attempted domain, then a failed logon attempt will be logged in that domain and Citrix ADC will try the next domain.

Unfortunately, the only way to enter a realm/domain name during user authentication is to require users to login using userPrincipalNames. To use userPrincipalName, configure the LDAP Policy/Server with the Server Logon Name Attribute set to userPrincipalName.

You can even do a combination of policies: some with samAccountName, and some with userPrincipalName. Bind the userPrincipalName policies with higher priority (lower priority number) than the samAccountName policies so the UPN policies are tried first.

Citrix ADC supports adding a domain name drop-down list to the logon page. Then use Cookie expressions in the auth policies and session policies. However, this probably doesn’t work when authenticating through Workspace app or Receiver. See CTX203873 How to Add Drop-Down Menu with Domain Names on Logon Page for NetScaler Gateway 11.0 64.x and later releases for details.

Another option for a domain drop-down is nFactor Authentication for Citrix Gateway. The newest versions of Citrix ADC 12.1 are supposed to support nFactor authentication in the newest versions of Workspace app.

After authentication is complete, a Session Policy will be applied that has the StoreFront URL. The Citrix Gateway will attempt to Single Sign-on to StoreFront so the user doesn’t have to login again. When logging into Citrix Gateway, only two fields are required: username and password. However, when logging in to StoreFront, a third field is required: domain name. So how does Citrix ADC specify the domain name while logging in to StoreFront?

In a single domain configuration, you simply edit your Session Policy/Profile and on the Published Applications tab configure the Single Sign-on field with your domain name. However, this method won’t work if users are authenticating to multiple domains.

For authentication to multiple domains, Citrix Gateway has two methods of identifying the domain name based on which LDAP Policy/Server authenticated the user:

  • userPrincipalName – the easiest method is to configure the LDAP policy/server to extract the user’s UPN, and then Single Sign-on to StoreFront using UPN. This is the easiest method, but some domains don’t have userPrincipalNames configured correctly. StoreFront needs to accept the userPrincipalName suffixes.
  • AAA Group – as the Citrix ADC loops through the LDAP policies during authentication, once a successful LDAP policy is found, the LDAP Server can put the user in a domain-specific AAA Group. Then you can bind a Session Policy with domain name to the domain-specific AAA Group.
    • LDAP Servers have a field called Default Authentication Group. If the user successfully authenticates with this LDAP Server, then the user is placed in the AAA Group name specified here. Specify a unique Default Authentication Group per LDAP Server. Then create AAA Groups with the same names you specified in the LDAP Servers. Bind domain-specific Session Policies with domain name to each of the AAA Groups. See Multiple Domains – AAA Group Method for details.
    • Another option is to create a unique domain-specific group in each Active Directory domain and add users to these domain-specific groups. Each domain has a different name for this AD group. Citrix ADC will extract this group during the user’s login. Create AAA Groups on Citrix ADC that match these Active Directory group names and bind domain-specific Session Policies with domain name to each of the AAA Groups.

The userPrincipalName method is detailed below:

  1. In each of your Citrix ADC LDAP policies/servers, in the Other Settings section, in the SSO Name Attribute field, enter userPrincipalName (select –<< New >>– first). Make sure there are no spaces after this attribute name. Citrix ADC will pull this attribute from AD, and use it to Single Sign-on the user to StoreFront. Notice that Server Logon Name Attribute is still sAMAccountName.
  2. In StoreFront Console, in the middle, right-click your Store, and click Manage Authentication Methods.
  3. On the right, click the gear icon, and then click Configure Trusted Domains.
  4. In the Trusted domains box, select Any domain.
  5. Or add your UPN domain suffixes in DNS format. The advantage of entering domain names is that you can select a default domain. The DNS format is required for UPN logins (e.g. SSO from Citrix Gateway).
  6. On the Citrix Gateway Virtual Server, bind LDAP authentication polices in priority order. It will search them in order until it finds a match.
  7. In your Session Policies/Profiles, in the tab named Published Applications, make sure Single Sign-on Domain is not configured. Since Citrix ADC is using the userPrincipalName, which inherently contains a domain name, there’s no need for a Session Policy to specify a domain name. If the Single Sign-on Domain field is configured, then Single Sign-on authentication will fail.

Multiple Domains – AAA Groups Method

Another method of specifying the domain name when performing Single Sign-on to StoreFront is to use a unique session policy/profile for each domain. Use AAA Groups to distinguish one domain from another.

  1. Go to Citrix Gateway > Policies > Authentication > LDAP. The easiest way to get there is to enter LDAP in the search box at to the top of the menu.
  2. On the right, switch to the tab named Servers.
  3. Make sure all domains are in the list. Edit the LDAP Server for one of the domains.
  4. Scroll down to the Other Settings section,
  5. On the right, in the Default Authentication Group field, enter a new, unique group name. Each domain must a different group name. This group is only locally significant and does not need to be added to AD. Click OK.
  6. Edit the LDAP Server for another domain.
  7. Specify a new unique group name for this domain. Each domain has a different group name.
  8. In the menu, go to Citrix Gateway > User Administration > AAA Groups.
  9. On the right, click Add.
  10. Name the group so it exactly matches the group name you specified in the LDAP Server. Click OK.
  11. On the right, in the Advanced Settings section, click Policies to move it to the left.
  12. On the left, in the Policies section, click the Plus icon.

    1. In the Choose Type page, select Session, and click Continue.
    2. Click the Add button or plus icon to create a new Session policy.
    3. Give the Session Policy a name that indicates the domain. You will have a separate Session Policy for each domain.
    4. Click the Add button or plus icon to create a new Session Profile.
    5. Give the Session Profile a name that indicates the domain. You will have a separate profile for each domain.
    6. Switch to the tab named Published Applications.
    7. Scroll down and next to Single Sign-on Domain check the Override Global box .
    8. Enter the domain name that StoreFront is expecting for this LDAP Server. Click Create.
    9. If your other Session Policies are created using Advanced syntax, then leave this Session Policy as Advanced Policy and enter true as the Expression.
      • If your other Session Policies are created using Classic syntax, then change this Session Policy to Classic Policy and enter ns_true as the Expression.
    10. Click Create.
    11. In the Priority field, give it a number that is lower than any other Session Policy that has Single Sign-on Domain configured so that this Session Policy will override those other Session Policies. Then click Bind.
    12. Click Done.
  13. Create another AAA Group.
  14. Give it the AAA Group a name that matches the Default Authorization Group configured for the next domain.
  15. On the right, click Policies to move it to the left.
  16. On the left, click the Plus icon to add a policy binding.
  17. For Choose Type, select Session and click Continue.
  18. In the Policy Binding field, click Add to create another Session Policy.
  19. In the Profile drop-down, click Add to create another Session Profile.
  20. On the Published Applications tab, specify the domain name of the next domain.
  21. Set the Session Policy Expression to either true (Advanced) or ns_true (Classic).
  22. Bind the new policy with a low Priority number.
  23. When a user logs in, Citrix ADC loops through LDAP policies until one of them works. Citrix ADC adds the user to the Default Authentication Group specified in the LDAP Server. Citrix Gateway finds a matching AAA Group and applies the Session Policy that has SSON Domain configured. Since the policy is bound with a low priority number, it overrides any other Session Policy that also has SSON Domain configured.

Domain Controller (LDAPS) Load Balancing – Citrix ADC

Last Modified: Apr 12, 2023 @ 4:29 am

Navigation

💡 = Recently Updated

Changelog

  • 2017 Dec 25 – updated entire article for 12.0 build 56. Monitor section has new build 56 instructions.

Overview

If you plan to use LDAP (Active Directory) for Citrix Gateway, or Citrix ADC management authentication, then load balance the Domain Controllers that are used for authentication. A single LDAP Policy/Server points to the load balanced VIP.

Premature lockout – An alternative to load balancing is to bind multiple LDAP Policies, with each Policy pointing to a single Domain Controller in the same domain. However, Citrix ADC will try each authentication policy until it finds one that works. If the user enters a wrong password, and if you have three authentication policies pointing to different Domain Controllers in the same domain, then three different failure attempts will be recorded, thus causing premature account lockout. Use Load Balancing to avoid this behavior.

LDAPS and certificates – This page details LDAPS, aka Secure LDAP. This protocol requires certificates to be installed on the Domain Controllers. When a user’s password expires, Active Directory does not allow password changes over clear text LDAP, so LDAPS must be used instead. Make sure you have certificates installed on your Domain Controllers. The easiest way to accomplish that is to deploy a Microsoft Certificate Authority in Enterprise Mode, which allows the Domain Controllers to request certificates automatically.

Monitor -An ldaps monitor can be used to verify that the Domain Controller is functional.

  • The ldaps monitor will login as an account, perform an LDAP query, and look for a successful response. The ldaps monitor uses a service account to login. Make sure the service account’s password does not expire. Domain User permissions are sufficient.
  • Since this monitor is a Perl script, it uses NSIP as the source IP. You can use RNAT to override this as described in Configure to source Citrix ADC FreeBSD data traffic from a SNIP address at Citrix Docs.

Multiple datacenters – If you have Domain Controllers in multiple datacenters, you can create multiple load balancing Virtual Servers, and cascade them so that the local Domain Controllers are used first, and if they’re not available, then the Virtual Server fails over to Domain Controllers in remote datacenters.

Load Balancing Protocol – The Load Balancing Virtual Server for LDAPS can be TCP protocol or SSL_TCP protocol:

  • TCP – If the protocol is TCP, then SSL-encrypted LDAP traffic is not terminated on the Citrix ADC, and is simply forwarded to the LDAP servers. If your LDAP client (e.g. Linux machine) needs to verify the LDAP server certificate, then this Load Balancing configuration will not work, since each back-end LDAP server will have a different certificate.
  • SSL_TCP – If your Load Balancing Virtual Server is protocol SSL_TCP, then a certificate must be installed on the Citrix ADC and bound to the Load Balancing Virtual Server. SSL is terminated at the Citrix ADC and re-encrypted before sending it to the destination Domain Controller. The primary benefit of Citrix ADC SSL termination is that your LDAP clients can verify the Virtual Server SSL certificate.

Source IP – When Citrix ADC uses a local (same appliance) load balanced Virtual Server for LDAPS authentication, the traffic is sourced from the Citrix ADC SNIP (Subnet IP). When Citrix ADC uses a direct connection to a Domain Controller without going through a local Load Balancing Virtual Server, or if Citrix ADC uses a remote (different appliance) Load Balancing VIP, then the traffic is sourced from the Citrix ADC NSIP (NetScaler IP). Adjust firewall rules accordingly.

LDAPS Monitor

Note: Perl (scriptable) monitor uses NSIP as the source IP. You can use RNAT to override this as described in Configure to source Citrix ADC FreeBSD data traffic from a SNIP address at Citrix Docs.

12.0 build 56 and newer

Instructions for creating the monitor changed in 12.0 build 56 and newer. If your build is older, skip to the older instructions.

  1. In the Citrix ADC Configuration Utility, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name the monitor ldaps-Corp or similar. The ldaps monitor logs into Active Directory, performs an LDAP query, and looks for a successful response. The monitor configuration has domain-specific information, so if you have multiple Active Directory domains, then you will need a separate ldaps monitor for each domain. Include the domain name in the monitor name.
  4. In the Type field, click where it says Click to select.
  5. Scroll down and click the circle next to LDAP.
  6. At the top of the window, click the blue Select button.
  7. Scroll down the Basic  Parameters section, and check the box next to Secure. This checkbox instructs the monitor to connect to the Domain Controllers using LDAPS instead of LDAP.
  8. Scroll back up, and configure the following:
    • In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com).
    • In the Bind DN field, enter the UPN login (e.g. ctxsvc@company.com) of a service account in the domain that can browse all objects. Any normal Domain User should be sufficient. Just make sure the password doesn’t expire.
    • In the Filter field, enter cn=builtin. This limits the search results so it’s not returning the entire domain.
    • In the Password field (higher in the list), enter the password for the service account. Make sure there is no semicolon in the password or the Perl script will be unable to parse the parameters.
  9. Scroll down and click Create.

    add lb monitor LDAP-Corp LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -secure YES -baseDN "dc=corp,dc=local" -bindDN "corp\\ctxsvc" -filter cn=builtin
  10. If you have multiple domains, then create additional monitors: one for each domain.
  11. Jump to the Servers section.

12.0 older than build 56

  1. In the Citrix ADC Configuration Utility, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name the monitor ldaps-Corp or similar. The ldaps monitor logs into Active Directory, performs an LDAP query, and looks for a successful response. The monitor configuration has domain-specific information, so if you have multiple Active Directory domains, then you will need a separate ldaps monitor for each domain. Include the domain name in the monitor name.
  4. Change the Type drop-down to LDAP.
  5. Scroll down the Standard Parameters tab, and check the box next to Secure. This checkbox instructs the monitor to connect to the Domain Controllers using LDAPS instead of LDAP.
  6. Scroll back up, and switch to the Special Parameters tab.
  7. Configure the following on the Special Parameters tab:
    • Use the Script Name drop-down list to select the nsldap.pl file.
    • In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com).
    • In the Bind DN field, enter the UPN login (e.g. ctxsvc@company.com) of a service account in the domain that can browse all objects. Any normal Domain User should be sufficient. Just make sure the password doesn’t expire.
    • In the Filter field, enter cn=builtin. This limits the search results so it’s not returning the entire domain.
    • In the Password field, enter the password for the service account. Make sure there is no semicolon in the password or the script will be unable to parse the parameters.
  8. Click Create.

    add lb monitor LDAP-Corp LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -secure YES -baseDN "dc=corp,dc=local" -bindDN "corp\\ctxsvc" -filter cn=builtin
  9. If you have multiple domains, then create additional monitors: one for each domain.

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter the following in the Create Server section.
    • In the Name field, enter a descriptive server name. Usually it matches the actual server name.
    • In the IPAddress field, enter the IP address of the server. Note: you can alternatively change the selection to Domain Name and enter a FQDN. This requires the Citrix ADC the be able to resolve the FQDN.
    • Enter comments to describe the server.
  4. Click Create.

    add server AD01 10.2.2.11
    add server AD02 10.2.2.12
  5. Continue adding Domain Controllers. You usually want at least two per domain.

Service Groups

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add
    .
  3. In the Basic Settings section, do the following:
    • In the Name field: You will create one Service Group per datacenter. Enter a name reflecting the name of the data center. Also, you will create a set of service groups per Active Directory domain, so include the domain name.
    • Change the Protocol drop-down to SSL_TCP.
  4. Scroll down, and click OK to close the Basic Settings section.

  5. On the left, in the Service Group Members section, click where it says No Service Group Member.

    1. If you did not create server objects, then leave the selection set to IP Based, and enter the IP address of a Domain Controller in this datacenter.
    2. If you previously created server objects, then change the selection to Server Based, and select the server objects.
    3. In the Port field, enter 636 (LDAPS). This assumes the Domain Controllers have certificates installed.
    4. Click Create.
  6. Click OK to close the Service Group Members section.
  7. On the right, in the Advanced Settings column, click Monitors.
  8. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.

    1. In the Select Monitor field, click where it says Click to select.
    2. Click the circle next to the LDAPS monitor you created earlier. The monitor might be on Page 2.
      1. The circle must be clicked exactly (no room for error). If you click outside the circle, then the monitor will open for editing. If this happens, click Close to return to the selection screen.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.
  9. To verify the members are up, click in the Service Group Members section.

    1. Right-click a member, and click Monitor Details.
    2. The Last Response field should say Success – Probe succeeded. Click Close. It’s too bad you can’t edit the monitor from here.

      • If the monitor doesn’t work, use ldp.exe to verify the Domain Controller certificate.
  10. Click Close and Done to finish creating the Service Group.

    add serviceGroup svcgrp-LDAP-Corp SSL_TCP
    bind serviceGroup svcgrp-LDAP-Corp AD01 636
    bind serviceGroup svcgrp-LDAP-Corp AD02 636
    bind serviceGroup svcgrp-LDAP-Corp -monitorName LDAP-Corp
  11. Add additional service groups for Domain Controllers for each domain in each data center.

Load Balancing Virtual Server

  1. Create or import a certificate that matches the FQDN that resolves to the new Load Balancing VIP for LDAPS.
  2. On the left, expand Traffic Management, expand Load Balancing, and click Virtual Servers.
  3. On the right, click Add.
  4. In the Basic Settings section, do the following:
    • Name it LDAPS-Corp-HQ-LB or similar. You will create one Virtual Server per datacenter, so include the datacenter name. Also, each domain has a separate set of Virtual Servers, so include the domain name.
    • Change the Protocol drop-down to SSL_TCP.
    • Enter a Virtual IP. This VIP cannot conflict with any other IP + Port already being used. You can use an existing VIP that is not already listening on TCP 636.
    • Enter 636 as the Port.
  5. Click OK to close the Basic Settings section.
  6. On the left, in the Service Group section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    1. Click where it says Click to select.
    2. Click the circle next to a previously created Service Group. It might be on page 2.
      1. The circle must be clicked exactly (no room for error). If you click outside the circle, then the Service Group will open for editing. If this happens, click the x on the top right, or the Done button on the bottom, to return to the selection screen.
    3. At top of the screen, click the blue Select button.
    4. Click Bind.
  7. Click Continue to close the Services and Service Groups section.
  8. On the left, in the Certificates section, click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the circle next to a certificate that matches the FQDN that resolves to this VIP. It might be on page 2.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.
  9. Click Continue to close the Certificates section.

    add lb vserver lbvip-LDAP-Corp SSL_TCP 10.2.2.210 636 -persistenceType NONE -cltTimeout 9000
    
    bind lb vserver lbvip-LDAP-Corp svcgrp-LDAP-Corp
  10. There’s no need to configure Persistence for LDAP.
  11. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, and bind an A+ Cipher Group.
  12. Click Done to finish creating the Virtual Server.
  13. The new Virtual Server should show as UP.

Backup Virtual Server

You can optionally configure this Load Balancing Virtual Server to failover to a different Load Balancing Virtual Server. This allows you to load balance Domain Controllers in this datacenter, and if down, failover to the other datacenter.

  1. Create additional Load Balancing Virtual Servers for each datacenter.
    • These additional Virtual Servers do not need a VIP, so change the IP Address Type to Non Addressable. Only the first Virtual Server will be directly accessible.

      add lb vserver lbvip-LDAP-Corp-Backup SSL_TCP 0.0.0.0 0
    • Notice that the additional datacenter Virtual Servers show up with an IP Address of 0.0.0.0 and port of 0.
  2. After you are done creating a Virtual Server for each datacenter, right-click the primary datacenter’s Virtual Server, and click Edit.
  3. On the right, in the Advanced Settings column, click Protection.
  4. On the left, in the Protection section, change the Backup Virtual Server to one of the other datacenter Virtual Servers. If all of the services in this datacenter are DOWN, the backup Virtual Server will be used instead. You can cascade multiple Virtual Servers using this method. Click OK and Done.

    set lb vserver lbvip-LDAP-Corp -backupVServer lbvip-LDAP-Corp-Backup

CLI Commands

Here is a list of CLI Commands for Domain Controller Load Balancing.

# SSL Global Parameters
# ---------------------
set ssl parameter -denySSLReneg NONSECURE

# Certs
# -----
add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "Passw0rd"


# Load Balancing Global Parameters
# --------------------------------
enable ns mode FR L3 Edge USNIP PMTUD ULFD
set lb parameter -sessionsThreshold 150000
set ns param -cookieversion 1 -timezone "GMT-06:00-CST-America/Chicago"
set dns parameter -dns64Timeout 1000
set ns tcpParam -WS ENABLED -SACK ENABLED
set ns httpParam -dropInvalReqs ON
set ns tcpbufParam -memLimit 390

# Monitors
# --------
add lb monitor ldaps-Corp LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -secure YES -baseDN "dc=corp,dc=local" -bindDN admin@corp.local -filter cn=builtin


# Servers
# -------
add server AD01 10.2.2.11

add server AD03 10.2.2.115


# Service Groups
# --------------
add serviceGroup svcgrp-LDAPS-Corp-HQ SSL_TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svcgrp-LDAPS-Corp-HQ AD01 636
bind serviceGroup svcgrp-LDAPS-Corp-HQ AD03 636
bind serviceGroup svcgrp-LDAPS-Corp-HQ -monitorName ldaps-Corp
set ssl serviceGroup svcgrp-LDAPS-Corp-HQ -sslProfile ns_default_ssl_profile_backend


# Load Balancing Virtual Servers
# ------------------------------
add lb vserver LDAPS-Corp-DR-LB SSL_TCP 0.0.0.0 0 -persistenceType NONE -cltTimeout 9000
bind lb vserver LDAPS-Corp-DR-LB svcgrp-LDAPS-Corp-HQ

add lb vserver LDAPS-Corp-HQ-LB SSL_TCP 10.2.5.220 636 -persistenceType NONE -cltTimeout 9000 -backupVServer LDAPS-Corp-DR-LB
bind lb vserver LDAPS-Corp-HQ-LB svcgrp-LDAPS-Corp-HQ


# SSL Virtual Servers
# -------------------
set ssl vserver LDAPS-Corp-DR-LB -sslProfile ns_default_ssl_profile_frontend
bind ssl vserver LDAPS-Corp-DR-LB -certkeyName WildcardCorpCom
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_256
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_384
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_224
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_521

set ssl vserver LDAPS-Corp-HQ-LB -sslProfile ns_default_ssl_profile_frontend
bind ssl vserver LDAPS-Corp-HQ-LB -certkeyName WildcardCorpCom
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_256
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_384
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_224
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_521

Next Steps

You may now use this Virtual IP in your Citrix Gateway LDAP authentication policies, or Citrix ADC management login.

ICA Proxy (StoreFront) – Citrix Gateway

Last Modified: Apr 30, 2024 @ 10:22 am

This article applies to Citrix Gateway 13.x, Citrix Gateway 12.1, and NetScaler Gateway 12.0. Citrix ADC is the new name for NetScaler. Citrix Gateway is the new name for NetScaler Gateway.

Navigation

💡 = Recently Updated

Change Log

Overview

Here’s a high level overview of internal connectivity from client devices to Citrix Virtual Apps and Desktops (CVAD):

  1. HTTP connection to Citrix StoreFront:
    • Authentication to StoreFront
    • User interface that displays a list Citrix published icons
  2. ICA connection directly to a Citrix Virtual Delivery Agent (VDA)
    • ICA is a display protocol similar to RDP protocol

Citrix Gateway has an ICA Proxy feature that authenticates the user, proxies HTTP traffic to StoreFront, and then proxies ICA traffic to VDAs.

  • ICA Proxy is just one of the features that Citrix Gateway supports. Other Gateway features include: SSL VPN, Unified Gateway, RDP Proxy, PCoIP Proxy, etc.
  • ICA Proxy only exposes a single IP address to the user. All communication from all external Citrix clients to all internal StoreFront servers and all internal VDAs is proxied through the one IP address.
    • The “single IP address” feature is also sometimes useful internally, especially if there’s any Network Address Translation between internal subnets, or if the Citrix VDAs are protected behind an internal firewall.
  • Citrix Gateway supports many different authentication methods, including: LDAP, RADIUS, SAML, OpenID Connect, nFactor, Client Certificates (Smart Cards), etc.
    • Citrix Gateway has more authentication options than StoreFront. Sometimes Citrix Gateway is deployed in front of StoreFront just for the additional authentication options that Citrix Gateway provides.
  • Both HTTP and ICA are proxied through a single TLS-encrypted port 443. ICA Proxy decrypts the traffic and inspects it.
    • If the traffic is HTTP protocol, then ICA Proxy forwards it to Citrix StoreFront. The address of the StoreFront server is defined in a Session Policy/Profile on the Published Applications tab.
    • If the traffic is ICA protocol, then ICA Proxy uses a Secure Ticket Authority (STA) server to authenticate the connection, and then forwards the unencrypted ICA traffic to the VDA.
    • DTLS-encrypted (UDP) port 443 is also an option – UDP protocol for ICA traffic performs better than TCP on high latency links

There are two user interface options for connecting to Citrix Virtual Apps and Desktops (CVAD). Both user interface options rely on a connection to StoreFront. ICA Proxy is configured differently for each user interface.

  • Web Browser – Chrome, Safari, etc. connecting to the Receiver for Web website hosted on Citrix StoreFront.
  • Receiver Self-Service – native user interface built into Workspace app that connects to an XML-based API hosted on Citrix StoreFront.
    • In all operating systems, Receiver Self-Service is the user interface that opens when you launch Receiver or Workspace app from the app launcher.
    • In Windows, Receiver Self-Service is the user interface that you can open from the Receiver / Workspace app systray icon.
    • In Windows, Receiver Self-Service can download icons from StoreFront and put the icons on the client device’s app launcher (Start Menu and/or Desktop) without needing to actually open the Receiver Self-Service window.

Links:

Session Profiles

Partly based on Citrix Docs Configure Citrix Gateway Session Policies for StoreFront.

To create Session Profiles/Policies for ICA Proxy (StoreFront):

  1. On the left, expand Citrix Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.

    1. Name the first one Receiver Self Service or similar. This is for the Receiver Self-Service interface (not from a web browser).
    2. Switch to the Client Experience tab.
    3. On the Client Experience tab, check the Override Global box next to Clientless Access, and set it to Off. Scroll down.
    4. Check the Override Global box next to Plug-in Type, and set it to Java.
    5. Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.

      • If you need two-factor authentication (RADIUS) using classic Authentication Policies (not nFactor, not AAA vServer), the Session Policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Only change this in the Receiver Self-Service profile; leave the session profile for Web Browsers set to PRIMARY.
    6. Scroll up and switch to the Security tab.
    7. Check the Override Global box next to Default Authorization Action, and set it to Allow.
    8. Switch to the Published Applications tab.
    9. Check the Override Global box next to ICA Proxy, and set it to ON.
    10. Check the Override Global box next to Web Interface Address, and enter the load balanced URL (FQDN) to the StoreFront servers. You can use an IP address instead of FQDN. Don’t add any path to the end of the URL.
    11. If you only have one domain, then check the Override Global box next to Single Sign-on Domain, and enter the name of your Active Directory domain. Enter the same domain name that’s configured in StoreFront’s Configure Trusted Domains.

    12. For Account Services Address, enter the Base URL for StoreFront. Citrix Gateway needs to be able to resolve this FQDN’s DNS name.
    13. Click Create.
  3. Right-click the just-added session profile, and click Add. This copies the settings from the existing profile into the new one.

    1. Change the name of the second Session Profile to Receiver For Web or similar.
    2. Switch to the Client Experience tab.
    3. On the Client Experience tab, Clientless Access should be set to Off. Scroll down.
    4. Plug-in Type should still be set to Java.
    5. Single Sign-on to Web Applications should be enabled.

      • If you need two-factor authentication using Classic authentication policies (not nFactor, not AAA vServer), the session profile for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service policy needs SECONDARY as detailed earlier.
    6. Scroll up and switch to the Security tab.
    7. The Default Authorization Action should still be Allow.
    8. Switch to the Published Applications tab.
    9. For the Web Interface Address field, add the path to your Receiver for Web site (e.g. /Citrix/StoreWeb).
    10. Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
    11. Account Services Address is not needed in this profile but there’s no harm in leaving it.
    12. Click Create.
  4. On the right, switch to the Session Policies tab, and click Add.

    1. Name the Policy Receiver Self Service or similar.
    2. Change the Profile to Receiver Self Service.
    3. In the Expression box, type in the following expression:
      HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
    4. Then click Create.
  5. Right-click on the just-added Session Policy, and click Add.

    1. Change the name to Receiver For Web or similar.
    2. Change the Profile to Receiver For Web.
    3. In the Expression box, either type in the following, or use the Expression Editor. It’s the same as the Receiver Self-Service expression, except it has .NOT on the end.
      HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT
    4. Click Create.

The CLI commands for these Session Policies/Profiles are shown below:

add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp.local -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"

add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp.local -clientlessVpnMode OFF

add vpn sessionPolicy "Receiver Self-Service" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" "Receiver Self-Service"

add vpn sessionPolicy "Receiver for Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver for Web"

Traffic Policy

In Citrix ADC 13.0 build 64.35, the SSO option in Session Policy/Profile no longer sends credentials to StoreFront. To work around this issue, add a Traffic Policy that enables SSO. See Enable SSO for Basic, Digest, and NTLM authentication at Citrix Docs. Citrix says that this won’t be necessary for StoreFront on newer builds of ADC 13.0.

  1. On the left, expand Citrix Gateway, expand Policies and click Traffic.
  2. On the right, switch to the tab named Traffic Profiles.
  3. Click Add.
  4. Name it something similar to StoreFrontSSO.
  5. Change the setting for Single Sign-on to ON. This is the only setting we need.
  6. At the bottom, click Create.
  7. On the right, switch to the tab named Traffic Policies.
  8. Click Add.
  9. Name it something similar to StoreFrontSSO.
  10. Select the Request Profile (aka Traffic Profile) you created earlier.
  11. In the Expression box, enter true. This assumes you are doing Advanced (Default) syntax policies.
  12. Click Create.

  13. See the next section to bind the Traffic Policy to the Gateway Virtual Server.

The CLI commands to create the Traffic Policy for StoreFront Single Sign-on are shown below:

add vpn trafficAction StoreFrontSSO http -SSO ON
add vpn trafficPolicy StoreFrontSSO true StoreFrontSSO
# or for full VPN:
add vpn trafficPolicy StoreFrontSSO "HTTP.REQ.METHOD.EQ(post) || HTTP.REQ.METHOD.EQ(get) && false" StoreFrontSSO

Citrix Gateway Virtual Server

This section assumes LDAP authentication, with optional RADIUS for two-factor. Create the Authentication Policies before beginning this section.

  • You can configure StoreFrontAuth as an alternative to LDAP. StoreFrontAuth delegates authentication to StoreFront servers, instead of performing authentication on Citrix Gateway.
  • For other forms of authentication, see the Authentication section in the Citrix ADC menu page.

To create the Citrix Gateway Virtual Server for ICA Proxy and StoreFront:

  1. At Traffic Management > SSL > Certificates > Server Certificates, Create a Server Certificate for the Citrix Gateway Virtual Server. The certificate must match the DNS name users will enter to access the Citrix Gateway.

    • For email discovery in Citrix Receiver / Workspace app, the certificate must have subject alternative names (SAN) for discoverReceiver.email.suffix (use your email suffix domain name). If you have multiple email domains then you’ll need a Subject Alternative Name for each suffix.
  2. Link the certificate to the Intermediate CA certificate. Do not link the Intermediate CA certificate to the Root CA certificate.
  3. On the left, right-click the Citrix Gateway node, and click Enable Feature.
  4. On the left, expand Citrix Gateway, and click Virtual Servers.
  5. On the right, click Add.
  6. Name it gateway.corp.com or similar.
  7. Enter a new VIP that will be exposed to the Internet (typically through NAT).
  8. Click More.

    1. If you don’t have enough Citrix Gateway Universal licenses installed for all of your Gateway users, then check the box next to ICA Only. This option disables SmartAccess and VPN features but does not require any additional licenses.  Note: most Citrix ADC Editions come with built-in Gateway Universal Licenses.
    2. Note: it’s also possible to disable authentication on Gateway and make StoreFront do it instead as described in Configure StoreFront Log On when authentication is disabled on Citrix Gateway VIP at Citrix Docs. However, it’s more secure to require Gateway to authenticate the users before the user can communicate with StoreFront.
    3. On the right, check the box next to DTLS.
      • DTLS enables EDT protocol, and UDP Audio.
      • EDT requires UDP 443 on client side, and UDP 1494/2598 on the server side.
      • VDAs support MTU Discovery for EDT traffic since UDP cannot be fragmented. ADC 13.1 build 17 and newer can enforce the Don’t Fragment bit when VDAs perform EDT MTU Discovery. See PMTUD discovery and DF bit propagation for EDT over Citrix Gateway at Citrix Docs for details. The setting can be enabled on the ADC at System > Settings > Change ICA Parameters.

    4. Click OK to close the Basic Settings section.
  9. In the Certificate section, click where it says No Server Certificate.

    1. In the Server Certificate Binding section, click where it says Click to select.
    2. Click the radio button next to a previously created certificate that matches the Citrix Gateway DNS name, and then click the blue Select button at the top of the window.
    3. Click Bind.
  10. Click Continue to close the Certificate section.
  11. In the Basic Authentication section, click the plus icon in the top right. Note: Citrix Gateway only seem to only support Basic Authentication policies, and not Advanced Authentication policies. For Advanced Authentication Policies, you’ll instead need to configure nFactor.

    1. Change the Choose Policy drop-down to LDAP,
    2. Leave the Choose Type drop-down set to  Primary, and click Continue.
    3. If you’ve already created an LDAP Policy, then click where it says Click to select, and select the policy.

    4. If you used the Authentication Dashboard to create an LDAP Server, then you probably haven’t created the corresponding LDAP Policy yet. Click the plus icon (Add button) to create a new policy.

      1. Use the Server drop-down to select the previously created LDAP Server.
      2. Give the policy a name. The Policy name can match the Server name.
      3. In the Expression box, enter ns_true (a Basic or Classic expression), or select it from the Saved Policy Expressions drop-down. Click Create.
    5. Click Bind.
    6. Or for two-factor authentication, bind two Basic authentication policies to Primary and two Basic authentication polices to Secondary. Note: if you instead do nFactor authentication, then you don’t need to swap the fields for Workspace app.
      • Primary = LDAP for Browsers (User-Agent does not contain CitrixReceiver)
      • Primary = RADIUS for Receiver Self-Service (User-Agent contains CitrixReceiver)
      • Secondary = RADIUS for Browsers (User-Agent does not contain CitrixReceiver)
      • Secondary = LDAP for Receiver Self-Service (User-Agent contains CitrixReceiver)
  12. Click Continue to close the Basic Authentication section.
  13. In the Advanced Authentication section, click Continue.
  14. Scroll down to the Profiles section, and click the pencil icon.
  15. In the TCP Profile drop-down, do one of the following:
    1. Follow the instructions at Citrix CTX232321 Recommended TCP Profile Settings for Full Tunnel VPN/ICAProxy from NetScaler Gateway 11.1 Onwards. In this case, there’s no need to change the TCP Profile.
    2. Or, select nstcp_default_XA_XD_profile, and click OK to close the Profiles section.
  16. To bind the Session Policies, scroll down to the Policies section, and click the plus icon near the top right.

    1. Select Session, select Request, and click Continue.
    2. Click where it says Click to select.
    3. Click the radio button next to one of the Receiver Session Policies, and click the blue Select at the top of the window. It doesn’t matter in which order you bind them.
    4. There’s no need to change the priority number. Click Bind.
  17. Repeat these steps to bind the second policy. In the Policies section, click the plus icon near the top right.

    1. Select Session, select Request, and click Continue.
    2. Click Add Binding.
    3. Click where it says Click to select.
    4. Click the radio button next to the other Receiver session policy, and click Select.
    5. There’s no need to change the priority number. Click Bind.
    6. The two policies are mutually exclusive so there’s no need to adjust priority. Click Close.
  18. In ADC 13.0 build 64.35, bind a Traffic Policy that enables Single Sign-on. Citrix says that this won’t be necessary on newer builds of ADC 13.0.
    1. Click the plus icon near the top right.
    2. Select Traffic, select Request, and click Continue.
    3. Click where it says Click to select.
    4. Click the radio button next to the Traffic Policy you created earlier and click Select at the top of the window.
    5. There’s no need to change the priority number. Click Bind.
  19. To bind Secure Ticket Authorities (STAs), on the right, in the Advanced Settings section, click Published Applications.
  20. On the left, in the Published Applications section, click where it says No STA Server.

    1. Enter a Delivery Controller in the https://<Controller_FQDN> or http://<Controller_FQDN> format, depending on if SSL is enabled on the Delivery Controller or not. This must be a FQDN or IP address. Short names don’t work.
    2. Click Bind.
  21. To bind another Secure Ticket Authority server, on the left, in the Published Applications section, click where it says 1 STA Server.

    1. In the VPN Virtual Server STA Server Binding section, click Add Binding.
    2. Enter the URL for the second Controller, and click Bind.
    3. This view shows if the STAs are reachable or not. To refresh the view, close the STA Server Bindings list, and reopen it.
    4. The list of Citrix Gateway Virtual Servers also shows you if the STAs (STA Status) are up or not.
    5. By default, STA server reachability is only checked every 2 minutes. You can change this at Traffic Management > Load Balancing > Monitors, and edit the sta and stasecure built-in monitors (source = CTX231916 NetScaler Takes 3-4 Minutes to Mark STA as DOWN)

  22. On the right, in the Advanced Settings column, click Portal Themes.
  23. On the left, in the Portal Theme section, change the drop-down to X1 or RfWebUI. You can also click the plus icon to create a theme. Note: many existing Portal Theme customizations are written for X1, but not for RfWebUI.
  24. Click OK to close the Portal Theme section.
  25. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind an A+ Cipher Group, and enable Strict Transport Security.
  26. Click Done when done.
  27. Configure SSL Redirect for the Citrix Gateway DNS name and VIP.
  28. Configure StoreFront to use Citrix Gateway.

The CLI commands to create a Citrix Gateway vServer for ICA Proxy are shown below:

add vpn vserver gateway.corp.com SSL 10.2.2.200 443 -icaOnly ON -dtls ON -tcpProfileName nstcp_default_XA_XD_profile
bind vpn vserver gateway.corp.com -policy "Receiver Self-Service" -priority 100
bind vpn vserver gateway.corp.com -policy "Receiver for Web" -priority 110
bind vpn vserver gateway.corp.com -policy StoreFrontSSO -priority 100
bind vpn vserver gateway.corp.com -policy Corp-Gateway -priority 100
bind vpn vserver gateway.corp.com -staServer "http://xdc01.corp.local"
bind vpn vserver gateway.corp.com -staServer "http://xdc02.corp.local"
bind vpn vserver gateway.corp.com -portaltheme RfWebUI
set aaa parameter -wafProtection AUTH VPN -securityInsights ENABLED

Verify SSL Settings

After you’ve created the Citrix Gateway Virtual Server, run the following tests to verify SSL:

  1. Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website. Citrix Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update.
  2. Citrix CTX200890 – Error: “Failed with status 1110” When Launching Desktops or Apps Through NetScaler Gateway: You can use OpenSSL to verify the certificate. Run the command: openssl s_client -connect gateway.corp.com:443. Replace the FQDN with your FQDN. OpenSSL is installed on the Citrix ADC, or you can download and install it on any machine.

WAF for Citrix Gateway

In NetScaler 14.1 build 21 and newer, you can enable Web App Firewall (WAF) on NetScaler Gateway. This feature is available in all editions of NetScaler.

  1. In the left menu, expand NetScaler Gateway and click Global Settings.
  2. On the right, in the right column, click Change authentication AAA settings.
  3. Find the WAF Protection drop-down and change it to AUTH and VPN. This enables the built-in WAF profiles globally.
  4. Change the Security Insights drop-down to ENABLED.

    set aaa parameter -wafProtection AUTH VPN -securityInsights ENABLED
  5. Scroll down and click OK.
  6. In NetScaler Console build 21 and newer, you can enable WAF Security Violations when enabling or editing Analytics on the Virtual Server.

  7. If you have NetScaler Premium Edition, then you can go to Security > NetScaler Web App Firewall > Profiles to see the WAF configuration.

    1. There are three built-in WAF profiles with names starting with ns-.
    2. If you edit one and click Security Checks, notice that only REST API Schema Validation is enabled. You can optionally enable the other security checks, but you will need a process to train/learn the config and correct issues. NetScaler Docs details some modifications you can make to the WAF profiles.

View ICA Connections

To view active ICA proxy sessions, click the Citrix Gateway node on the left, and then click ICA Connections on the right.

show vpn icaconnection

To view historical ICA sessions, search your Syslog server for ICASTART and/or LOGIN.

Or, if you don’t have Syslog server configured, then search /var/log/ns.log on the local appliance. Source = CTX232581 How to View Active Users Sessions Connected to Specific NetScaler Gateway vServers.

Logoff is Successful

With newer versions of StoreFront and Citrix Gateway, when you logoff StoreFront 3.15+ that is proxied through Citrix Gateway, all you see is a white page with the text “Logoff is successful”.

Alternatively, you can redirect to the Gateway logon page by creating and binding a Responder policy: (source = Storefront 3.15 “Logoff Is Successful” at Reddit)

  1. In the menu, go to AppExpert > Responder > Actions.
  2. Enable the Responder feature if it isn’t already enabled.
  3. On the right, click Add.
  4. In the Create Responder Action window:
    1. Give the Responder Action a name. The purpose of this Responder is to redirect to the Gateway logon page after StoreFront is logged off.
    2. Change the Type drop-down to Redirect. Note: it’s easy to miss this step.
    3. In the Expression box, you can enter "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE or you can enter the actual https:// URL to the Gateway Virtual Server. The first option uses the Gateway FQDN originally entered by the user.
  5. Click Create.
  6. On the left, in the menu, click the Policies node under Responder.
  7. On the right, click Add.
  8. In the Create Responder Policy window:
    1. Give the Responder Policy a name.
    2. Change the Action drop-down to the name of the Responder Action you just created.
    3. If and higher, in the Expression box enter HTTP.REQ.URL.CONTAINS("/vpn/logout") || HTTP.REQ.URL.CONTAINS("/cgi/logout"). ADC 13.0 build 13.0 76.x  changed the URL from /cgi/logout to /vpn/logout.
  9. Click Create.
  10. In the menu, go to Citrix Gateway > Virtual Servers.
  11. Edit your Citrix Gateway Virtual Server.
  12. Scroll down to the Policies section and click the plus icon.
  13. Change the Choose Policy drop-down to Responder and click Continue.
  14. In the Policy Binding section, click where it says Click to select.
  15. Click the radio button (circle) next to the Responder Policy you just created and then click the blue Select button at the top of the page.
  16. Click Bind.

Related Pages

Certificates – NetScaler 12 / Citrix ADC 12.1

Last Modified: Nov 7, 2020 @ 6:34 am

Navigation

💡 = Recently Updated

Change Log

Convert .PFX Certificate to PEM Format

You can export a certificate (with private key) from Windows, and import it to NetScaler.

To export a Windows certificate in .pfx format

  1. If Windows Server 2012 or newer, on the Windows server that has the certificate, you can run certlm.msc to open the Certificates console pointing at Local Computer.
    1. Or, run mmc.exe, manually add the Certificates snap-in, and point it to Local Computer.
  2. Go to Personal > Certificates.
  3. Right-click the certificate, expand All Tasks, and click Export.
  4. On the Welcome to the Certificate Export Wizard page, click Next.
  5. On the Export Private Key page, select Yes, export the private key, and click Next.
  6. On the Export File Format page, click Next.
  7. On the Security page, check the box next to Password, and enter a new temporary password. Click Next.
  8. On the File to Export page, specify a save location and name the .pfx file. Don’t put any spaces in the filename. Click Next.
  9. In the Completing the Certificate Export Wizard page, click Finish.
  10. Click OK when prompted that the export was successful.

To import a .pfx file

Newer builds of NetScaler ADC (e.g. 12.0 build 59 and 12.1 build 49) import .pfx files and use them in their native encrypted format.

  • NetScaler ADC 12.0 build 58 and NetScaler ADC 12.1 build 48 had bugs preventing PFX files from importing correctly. Upgrade to a newer build.

Older builds of NetScaler ADC convert the .pfx file to an unencrypted .pem file that is named the same as the original .pfx file but with an additional .ns extension.

To import the .pfx file:

  1. On the NetScaler, expand Traffic Management, and click SSL.
  2. If the SSL feature is disabled, right-click the SSL node, and click Enable Feature.
  3. Go to Traffic Management > SSL > Certificates > Server Certificates.
  4. There are four different certificate nodes:
    1. Server Certificates have private keys. These certificates are intended to be bound to SSL vServers.
    2. Client Certificates also have private keys, but they are intended to be bound to Services so NetScaler can perform client-certificate authentication against back-end web servers.
    3. CA Certificates don’t have private keys. The CA certificates node contains intermediate certificates that are linked to Server Certificates. CA certificates can also be used for SAML authentication, and to verify client certificates.
    4. Unknown Certificates list the certificates that don’t fall under the other categories. The Azure SAML certificate shows up here.
  5. On the left, click the Server Certificates node.
  6. On the right, click Install.
  7. Give the certificate (Certificate-Key Pair) a name.
  8. Click the drop-down next to Choose File, select Local, and browse to the .pfx file that you exported earlier.
  9. After browsing to the .pfx file, NetScaler ADC will prompt you to enter the password for the .pfx file.
  10. Then click Install.
  11. If you click the information icon next to the new certificate…

    • You’ll see that NetScaler ADC uses the file in native .pfx format. No PEM conversion.
  12. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
  13. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy NetScaler Management and Analytics System. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

To convert PFX to PEM (with Private Key encryption)

To convert PFX to PEM, do the following:

  1. In the NetScaler Configuration GUI, on the left, expand Traffic Management, and click SSL.
  2. In the right column of the right pane, in the Tools section, click Import PKCS#12.
  3. In the Import PKCS12 File dialog box:
    1. In the Output File Name field, enter a name for a new file where the converted PEM certificate and private key will be placed. This new file is created under /nsconfig/ssl on the NetScaler appliance.
    2. In the PKCS12 File field, click Choose File, and select the previously exported .pfx file.
    3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
    4. By default, the private key in the new PEM file is unencrypted. To encrypt the private key, change the Encoding Format selection to AES256 (if NetScaler 12.1 build 49 or newer) or DES3. This causes the new PEM file to be password protected, and encrypted.
    5. Enter a permanent password for the new PEM file, and click OK.
  4. You can use the Manage Certificates / Keys / CSRs link to view the new PEM file.

    1. Right-click the new file, and click View.
    2. Notice that the Private Key is encrypted.
    3. If you scroll down, notice that the file contains both the certificate, and the RSA Private key.
  5. Now that the PFX file has been converted to a PEM file, the PEM certificate file must be installed before it can be used.
    1. On the left side of the NetScaler Configuration GUI, go to Traffic Management > SSL > Certificates > Server Certificates.
    2. On the right, click Install.
    3. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    4. In the Certificate File Name field, click the drop-down next to Choose File, and select Appliance.
    5. Click the radio button next to the .cer file you just created, and click Open. The new file is probably at the bottom of the list.
    6. NetScaler will ask you to enter the password for the encrypted private key.
    7. Click Install.
  6. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
  7. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy NetScaler Management and Analytics System. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
  8. You can also export the certificate files and use them on a different NetScaler.

Create Key and Certificate Request

If you want to create free Let’s Encrypt certificates, see John Billekens’ PowerShell script detailed at Let’s Encrypt Certificates on a NetScaler.

You can create a key pair and Certificate Signing Request (CSR) directly on the NetScaler appliance. The CSR can then be signed by an internal, or public, Certificate Authority.

Most Certificate Authorities let you add Subject Alternative Names when creating (or purchasing) a signed certificate, and thus there’s no reason to include Subject Alternative Names in the CSR created on NetScaler. You typically create a CSR with a single DNS name. Then when submitting the CSR to the Certificate Authority, you type in additional DNS names.

  • For a Microsoft Certificate Authority, you can enter Subject Alternative Names in the Attributes box of the Web Enrollment wizard.
  • For public Certificate Authorities, you purchase a UCC certificate or purchase a certificate option, that lets you type in additional names.

To create a key pair on NetScaler

  1. On the left, expand Traffic Management, expand SSL, and click SSL Files.
  2. On the right, switch to the Keys tab.
  3. Click Create RSA Key.
  4. In the Key Filename box, enter a new filename (e.g. wildcard.key). Key pair files typically have a .key extension.
  5. In the Key Size field, enter 2048 bits.
  6. By default, the private key is unencrypted. To encrypt it, set the PEM Encoding Algorithm drop-down to AES256 (if NetScaler 12.1 build 49 or newer) or DES3.
  7. Enter a password to encrypt the private key.
  8. Click Create.
  9. To view the new file:
    1. Go to Traffic Management > SSL.
    2. On the right, in the right column, click Manage Certificates / Keys / CSRs.
    3. Scroll down to the new file, right-click it, and click View.
    4. The Private Key should be encrypted with your chosen encoding algorithm.

To create CSR file

  1. Back in the SSL Files page, on the right, switch to the CSRs tab.
  2. Click Create Certificate Signing Request (CSR).
  3. In the Request File Name field, enter the name of a new CSR file. CSR files typically have .csr or .txt extension.
  4. In the Key Filename field, click Choose File and select the previously created .key file. It’s probably at the bottom of the list.

  5. If the key file is encrypted, enter the password.
  6. You can optionally change the CSR Digest Method to SHA256. This only applies to the CSR and does not affect the CA-signed certificate.
  7. Newer builds of NetScaler let you specify up to three Subject Alternative Names in the CSR. Some Certificate Authorities ignore this field and instead require you to specify the Subject Alternative Names when purchasing the signed certificate. See CTX232305 How to create a SAN CSR in NetScaler 12.0 57.19.
  8. In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN. This is the field that normally must match what users enter into their browser address bars.
  9. In the Organization Name field, enter your official Organization Name.
  10. Enter IT, or similar, as the Organization Unit.
  11. Enter the City name.
  12. In the State field, enter your state name without abbreviating.
  13. Scroll down and click Create.
  14. Right-click the new .csr file, and click Download.

Get CSR signed by CA, and install certificate on NetScaler

  1. Open the downloaded .csr file with Notepad, and send the contents to your Certificate Authority.

    1. Chrome requires every certificate to have at least one Subject Alternative Name that matches the FQDN entered in Chrome’s address bar. Public CAs will handle this automatically. But for Internal CAs, you typically must specify the Subject Alternative Names manually when signing the certificate.

    2. If the CA asks you for the type of web server, select Apache, or save the CA response as a Base 64 file.
  2. After you get the signed certificate, on the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL > Certificates, and click Server Certificates.
  3. On the right, click Install.
  4. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
  5. In the Certificate File Name field, click the drop-down next to Choose File, and select Local.
  6. Browse to the Base64 (Apache) .cer file you received from the Certificate Authority.
  7. In the Key File Name field, click the drop-down next to Choose File, and select Appliance.
  8. Select the key file you created earlier, and click Open. It’s probably at the bottom of the list.
  9. If the key file is encrypted, enter the password.
  10. Click Install.
  11. The certificate is now added to the list.
  12. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
  13. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix NetScaler Management and Analytics. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
  14. You can also export the certificate files and use them on a different NetScaler.

Intermediate Certificate

If your Server Certificate is signed by an intermediate Certificate Authority, then you must install the intermediate Certificate Authority’s certificate on the NetScaler. This Intermediate Certificate then must be linked to the Server Certificate.

To get the correct intermediate certificate

  1. Log into Windows, and double-click the signed certificate file.
  2. On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
  3. On the Details tab, click Copy to File.
  4. In the Welcome to the Certificate Export Wizard page, click Next.
  5. In the Export File Format page, select Base-64 encoded, and click Next.
  6. Give it a file name, and click Next.
  7. In the Completing the Certificate Export Wizard page, click Finish.

To import the intermediate certificate

  1. In the NetScaler configuration GUI, expand Traffic Management, expand SSL, expand Certificates, and click CA Certificates.
  2. On the right, click Install.
  3. Name it Intermediate or similar.
  4. Click the arrow next to Choose File, select Local, and browse the Intermediate certificate file.
  5. Click Install.

Link Intermediate Certificate to Server Certificate

  1. Go back to Traffic Management > SSL > Certificates >Server Certificates.
  2. Right-click the server certificate, and click Link.
  3. The previously imported Intermediate certificate should already be selected. Click OK.
  4. You might be tempted to link the Intermediate certificate to a Root certificate. Don’t do this. Root certificates are installed on client machines, not on NetScaler. NetScaler must never send the root certificate to the client device.

Export Certificate Files from NetScaler

You can easily export certificate files from the NetScaler, and import them to a different NetScaler.

  1. Go to Traffic Management > SSL > Certificates > Server Certificates.
  2. Move your mouse over the certificate you want to export, and then click the information icon on the far left.
  3. Note the file names. There could be one or two file names.
  4. On the left, go to Traffic Management > SSL.
  5. On the right, in the right column, click Manage Certificates / Keys / CSRs.
  6. Find the file(s) in the list, right-click it, and click Download.
    1. While it seems like you can download multiple files, actually, it only downloads one at a time.
    2. You might have to increase the number of files shown per page, or go to a different page.
  7. Also download the files for any linked intermediate certificate.
  8. You can now use the downloaded files to install certificates on a different NetScaler.

Default Management Certificate Key Length

To see the key size for the management certificate, right-click the ns-server-certificate (Server Certificate), and then click Details.

If the management certificate key size is less than 2048 bits, simply delete the existing ns-server-certificate certificate files, and reboot. NetScaler will create a new management certificate with 2048-bit keys.

  1. Go to Traffic Management > SSL.
  2. On the right, in the right column, click Manage Certificates / Keys / CSRs.
  3. Highlight any file named ns-* and delete them. This takes several seconds.
  4. Then go to the System node, and reboot.
  5. After a reboot, if you view the Details on the ns-server-certificate, it will be recreated as self-signed, with 2048-bit key size.

Replace Management Certificate

You can replace the default management certificate with a new trusted management certificate.

High Availability – When a management certificate is installed on one node of a High Availability pair, the certificate is synchronized to the other node, and used for the other node’s NSIP. So make sure the management certificate matches the DNS names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some names the management certificate should match (note: a wildcard certificate won’t match all of these names):

  • The FQDN for each node’s NSIP. Example: ns01.corp.local and ns02.corp.local
  • The shortnames (left label) for each node’s NSIP. Example: ns01 and ns02
  • The NSIP IP address of each node. Example: 192.168.123.14 and 192.168.123.29
  • If you enabled management access on your SNIPs, add names for the SNIPs:
    • FQDN for the SNIP. Example: ns.corp.local
    • Shortname for the SNIP. Example: ns
    • SNIP IP address. Example: 192.168.123.30

If you prefer to create a separate management certificate for each HA node, then see CTP George Spiers How to secure management access to NetScaler and create unique certificates in a highly available setup.  💡

Request Management Certificate

If you are creating a Subject Alternative Name certificate, it’s probably easiest to request a SAN certificate from an internal CA using the MMC Certificates snap-in on a Windows box.:

  1. Open the MMC certificates snap-in by running certlm.msc on a Windows 2012 or newer machine.
  2. Go to Personal, right-click Certificate, expand All Tasks, and click Request New Certificate.
  3. A web server certificate template should let you specify subject information.
  4. In the top half, change the Subject name > Type drop-down to Common Name. Enter a DNS name, and click Add to move it to the right.
  5. In the bottom half, change the Alternative Name > Type drop-down to either DNS or IP address (v4). Type in different names or IPs as detailed earlier, and click Add to move them to the right.

  6. On the Private Key tab, expand Key Options, and make sure Mark private key as exportable is checked.
  7. Then finish Enrolling the certificate.
  8. Export the certificate and Private Key to a .pfx file.

  9. On the NetScaler, if you want to encrypt the private key, then use the Traffic Management > SSL > Import PKCS#12 tool to convert the .pfx to PEM format.

  10. Then follow one of the procedures below to replace the management certificate.

Methods of replacing the Management Certificate

There are two methods of replacing the management certificate:

  • In the NetScaler GUI, right-click ns-server-certificate, and click Update. This automatically updates all of the Internal Services bindings too. This method is intended for dedicated management certificates, not wildcard certificates. Notes:
    • You cannot rename the ns-server-certificate in the NetScaler GUI. It remains as ns-server-certificate.
    • ns-server-certificate cannot be bound to Virtual Servers. So make sure you are replacing it with a dedicated management certificate.
  • Or manually Bind a new management certificate to each of the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https, so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, expand Certificates, and click Server Certificates.
  3. On the right, right-click ns-server-certificate, and click Update.
  4. Check the box next to Click to update the certificate and key.
  5. Click Choose File, and browse to the new management certificate. It could be on the appliance, or it could be on your local machine.
  6. If the PEM private key is encrypted, enter the password.
  7. Check the box next to No Domain Check. Click OK.
  8. Click Yes to update the certificate.
  9. You can now connect to the NetScaler using https protocol. The certificate should be valid, and it should have a 2048 bit key.

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https, so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, expand Certificates, and click Server Certificates.
  3. On the right, use the Install button to install the new management certificate.

  4. Go to Traffic Management > Load Balancing > Services.
  5. On the right, switch to the Internal Services tab.
  6. Right-click one of the services, and click Edit.
  7. Scroll down, and click where it says 1 Server Certificate.
  8. Click Add Binding.
  9. Click where it says Click to select.
  10. Click the radio button next to the new management certificate, and click Select.
  11. Click Bind, and click Close.
  12. Click Close.
  13. If Default SSL Profile is not enabled, then you can modify the SSL Parameters and/or Ciphers on each of these Internal Services.
  14. Repeat for the rest of the internal services. There should be at least 6 services. Additional Internal Services are created for SNIPs with management access enabled, and High Availability.

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP.

  1. Connect to the NSIP using https.
  2. On the left, expand System, expand Network, and click IPs.
  3. On the right, right-click your NetScaler IP, and click Edit.
  4. Near the bottom, check the box next to Secure access only, and then click OK.
  5. If you are connected using http, the page will reload using https.

    set ns ip 10.2.2.126 -gui SECUREONLY
  6. Repeat this procedure on the secondary appliance.
  7. Repeat for any SNIPs that have management access enabled.

Also see:

SSL Certificate – Update

There are two options for updating a certificate:

  • Create or Import a new certificate to NetScaler > Traffic Management > SSL > Certificates > Server Certificates. Then find all of the places the original certificate is bound, and manually replace the original certificate binding with the new certificate. This method is obviously prone to errors.
  • On NetScaler, simply right-click the existing certificate, and click Update. This automatically updates all of the bindings. Much faster and easier.

To update a certificate using the Update method:

  1. Create an updated certificate, and export it as .pfx file (with private key). Don’t install the certificate onto NetScaler yet, but instead, simply have access to the .pfx file.
  2. In NetScaler, navigate to Traffic Management > SSL > Certificates > Server Certificates.
  3. On the right, right-click the certificate you intend to update, and click Update.
  4. Check the box next to Update the certificate and key.
  5. Click Choose File > Local, and browse to the updated .pfx file.
  6. NetScaler will prompt you to specify the .pfx file password.
  7. Click OK. This will automatically update every Virtual Server on which this certificate is bound.
  8. Intermediate certificate – After replacing the certificate, you might have to update the cert link to a new Intermediate certificate.
    1. Right-click the updated certificate, and click Cert Links, to see if it is currently linked to an intermediate certificate.
    2. If not, right-click the updated certificate, and click Link, to link it to an intermediate certificate. If it doesn’t give you an option to link it to, then you’ll first have to install the new intermediate certificate on the NetScaler.

Certificates can also be updated in NetScaler Management and Analytics System.

Certificates can be updated from the CLI by running update ssl certKey MyCert. However, the certificate files must be stored somewhere on the appliance, and already be in PEM format.

SSL Virtual Servers – NetScaler 12.0 / Citrix ADC 12.1

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

This page contains generic SSL instructions for all SSL-based Virtual Servers, including: Load Balancing, Citrix Gateway, Content Switching, and AAA.

💡 = Recently Updated

Change Log

Custom Cipher Group

NetScaler 12.0 build 59 and newer have TLS 1.2 ciphers in the DEFAULT_BACKEND cipher group. Prior builds of NetScaler 12.0 do not include these ciphers.

References:

To get an A+ at SSL Labs, create a custom secure cipher group:

  1. Enable SSL Secure Renegotiation.
    1. On the left, go to Traffic Management > SSL.
    2. On the right, in the right column, click Change advanced SSL settings.
    3. Find Deny SSL Renegotiation, and set the drop-down to NONSECURE.
    4. Scroll down and click OK.

      set ssl parameter -denySSLReneg NONSECURE
  2. The easiest way to create a cipher group is from the CLI. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update for cipher group CLI commands. Putty (SSH) to the NetScaler and paste the following commands.
    Note: The TLS 1.3 ciphers are not in the Citrix Blog Post. If your NetScaler build supports TLS 1.3, then you can add TLS 1.3 ciphers to the cipher group. Make sure the TLS 1.3 ciphers listed first (top of the list).
    add ssl cipher ssllabs-smw-q2-2018
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES128-SHA
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES256-SHA
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-128-CBC-SHA
    bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-256-CBC-SHA
  3. Or you can create the cipher group using the GUI.
    1. Go to Traffic Management > SSL > Cipher Groups.

      1. On the right, click Add.
      2. Name it SSL Labs or similar.
      3. In the middle, click Add.
      4. Use the search box to find a particular cipher.
      5. Check the box next to one of the results, and click the arrow to move it to the right.
      6. For TLS 1.3 support, add the TLS 1.3 ciphers first.
      7. Then add the ciphers from Citrix Blog Post Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update.
      8. Use the up and down arrows to order the ciphers. NetScaler prefers the ciphers on top of the list, so the ciphers at the top of the list should be the most secure ciphers (TLS 1.3).
    2. Click Create when done.

Strict Transport Security – Rewrite Policy Method

To get an A+ at SSLLabs.com, you need to insert the Strict-Transport-Security HTTP header in the responses. NetScaler Rewrite Policy is one method of doing this. Another method is to enable HSTS in an SSL Profile, or enable it in SSL Parameters on a SSL vServer.

To create a Rewrite Policy that inserts the Strict-Transport-Security HTTP header:

  1. On the left, expand AppExpert, right-click Rewrite, and click Enable Feature.
  2. Create the Rewrite Action:
    1. Go to AppExpert > Rewrite > Actions.
    2. On the right, click Add.
    3. Name the action insert_STS_header or similar.
    4. The Type should be INSERT_HTTP_HEADER.
    5. The Header Name should be Strict-Transport-Security.
    6. The Expression should be the following:
      "max-age=157680000"

    7. Click Create.
  3. Create the Rewrite Policy:
    1. On the left, go to AppExpert > Rewrite > Policies.
    2. On the right, click Add.
    3. Name it insert_STS_header or similar.
    4. Select the previously created Action.
    5. In the Expression box, enter HTTP.REQ.IS_VALID.
    6. Click Create.
  4. Now you can bind this Rewrite Response policy to HTTP-based SSL vServers.
    1. When editing an SSL vServer (Gateway vServer, Load Balancing vServer, etc.), if the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
    2. On the left, in the Policies section, click the plus icon.
    3. Change the Choose Policy drop-down to Rewrite.
    4. Change the Choose Type drop-down to Response, and click Continue.
    5. Click where it says Click to select.
    6. Click the radio button next to insert_STS_header, and click Select.
    7. Click Bind.
enable ns feature rewrite

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite policy insert_STS_header true insert_STS_header

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Profiles – Custom and Default

You can use SSL Profiles to package several SSL settings together, and apply the settings package (Profile) to SSL-based Virtual Servers and SSL-based Services. These SSL settings include:

  • Disable SSLv3
  • Bind secure ciphers
  • Bind ECC curves
  • Enable HSTS (Strict Transport Security), etc.

There are default SSL Profiles, and there are custom SSL Profiles. The default SSL Profiles are disabled by default, because they would impact every SSL-based Virtual Server and Service on the appliance. Once default SSL Profiles are enabled, you cannot disable the default SSL Profiles.

  • Some features of custom SSL Profiles require default SSL Profiles to be enabled. For example, you cannot configure ciphers in a custom SSL Profile unless the default SSL Profiles are enabled.

Default SSL Profiles are intended to provide a baseline SSL configuration for all newly created SSL Virtual Servers and SSL Services. You can still create Custom SSL Profiles to override the Default SSL Profiles.

Enabling the default SSL profile will wipe out any SSL configuration on SSL entities (e.g. SSL Virtual Servers) that do not have a custom SSL profile bound. Citrix offers a script that can read your existing SSL entity SSL configuration and convert them to custom SSL Profiles. See Enabling the Default Profiles at Citrix Docs. The default_profile_script can be downloaded from an individual NetScaler ADC firmware download page under Additional Components. The commands output by the script won’t work until the default SSL Profile is enabled.  💡

To enable Default SSL profiles

Enabling Default SSL Profiles is irreversible.

  1. Make sure you are connected to the appliance NSIP using http, and not https.
  2. Go to Traffic Management > SSL.
  3. On the right, in the right column, click Change advanced SSL settings.
  4. Near the bottom, check the box next to Enable Default Profile. Note: this will change SSL settings on all SSL Virtual Servers to match the default SSL profile. You might want to do this during a maintenance window.

  5. Click OK to close Change Advanced SSL Settings.
  6. If you go back into Change Advanced SSL Settings, notice that the Default Profile is enabled, and there’s no way to disable it.

To create a custom SSL Profile

  1. On the left, expand System, and click Profiles.
  2. On the right, switch to the SSL Profile tab.

    1. Click Add.
    2. Enter a name.
    3. Change the SSL Profile Type to FrontEnd or BackEnd.
    4. Configure SSL Profile settings as desired (see below for some recommendations).
  3. After the SSL Profile is created, edit any SSL-based Virtual Server.

    1. On the right, in the Advanced Settings column, click SSL Profile to add the section.
    2. On the left, scroll down to the SSL Profile section, and select an SSL Profile. Click OK to close the SSL Profile section.

Recommended SSL Profile Settings

  1. On the left, expand System, and click Profiles.
  2. On the right, switch to the SSL Profile tab.
  3. Either create a new SSL Profile, or edit the default frontend or backend profile. This section focuses on a FrontEnd profile.
    1. Frontend = client-side connections to SSL Virtual Servers.
    2. Backend = server-side connections (SSL Services and Service Groups).
  4. Click the pencil icon in the Basic Settings section.

    1. Scroll all the way down to the Protocol section.
    2. Notice that SSLv3 is already unchecked.
    3. You can optionally uncheck TLSv1 and TLSv11.
    4. TLSv13 is an option in NetScaler 12.1 build 49 and later. If you enable this, then make sure your cipher group includes TLS 1.3 ciphers.

    5. To enable Strict Transport Security (HSTS), scroll up a little, and check the box next to HSTS.
    6. Enter 157680000 in the Max Age box.
    7. Note: enabling HSTS in the Default SSL Profile seems to break Native OTP. Enabling HSTS in a Rewrite policy works fine.
    8. If you do any SSL Offload (SSL on the client side, HTTP on the server side), then you’ll need to enable SSL Redirect. It’s above HSTS. With this option enabled, any 301/302 redirects from the server with HTTP Location headers are rewritten to HTTPS Location headers. You might need this option for StoreFront load balancing if doing SSL Offload (port 80 to the StoreFront servers). Note: this setting might be more appropriate in a custom SSL Profile instead of the default SSL Profile.
    9. Click OK when done modifying the Basic Settings section.
  5. Scroll down to the SSL Ciphers section, and click the pencil icon.

    1. Click Remove All, and click OK. You must click OK before binding the custom cipher group.

    2. Click the pencil icon again.
    3. Click Add.
    4. Scroll down, and select your custom cipher group (e.g. SSL Labs). Click the arrow to move it to the right.
      If you enabled TLS 1.3, then make sure your cipher group includes TLS 1.3 ciphers.

    5. Click OK to close the Custom Ciphers section.
    6. If you make changes to the Custom Cipher Group, then you might have to edit the SSL Profile, remove the Custom Cipher Group, and rebind it.

SSL vServers – Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

If you enabled the Default SSL Profiles feature, you can either leave the vServer configured with the Default SSL Profile; or you can change the vServer to use a Custom SSL Profile.

If you don’t use the Default SSL Profiles feature, then you’ll need to manually configure ciphers and SSL settings on every SSL vServer.

Do the following on every SSL vServer:

  1. When creating an SSL Virtual Server (e.g. SSL Load Balancing vServer), on the left, in the Certificates section, click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the radio button next to a certificate ,and click Select.
    3. Click Bind.

      bind ssl vserver MyvServer -certkeyName MyCert
  2. You can bind a Custom SSL Profile:
    1. Find the SSL Profile section on the left, and click the pencil icon.

      1. If you don’t see the SSL Profile section on the left, then add the SSL Profile section from the Advanced Settings column on the right.
    2. Select a Custom SSL Profile, and click OK.
  3. If default SSL Profiles are not enabled:
    1. On the left, in the SSL Parameters section, click the pencil icon.
    2. Uncheck the box next to SSLv3.
    3. Make sure TLSv12 is checked.
    4. TLSv13 is an option in NetScaler 12.1 build 49 and higher. If you enable this, then make sure your cipher group includes TLS 1.3 ciphers.
    5. You can optionally uncheck TLSv1 and TLSv11.
    6. Click OK.

      set ssl vserver MyvServer -ssl3 DISABLED -tls12 ENABLED
    7. If you didn’t bind an SSL Profile, scroll down to the SSL Ciphers section, and click the pencil icon.
    8. Click Remove All, and click OK. You must click OK before binding the custom cipher group. In other words, you will need to click OK at least twice during the procedure.
    9. Click the pencil icon again.
    10. Change the selection to Cipher Groups.
    11. Select your custom cipher group. It’s probably at the bottom of the list. If you enabled TLS 1.3, then make sure your cipher group includes TLS 1.3 ciphers. Then click OK.

      unbind ssl vserver MyvServer -cipherName ALL
      bind ssl vserver MyvServer -cipherName ssllabs-smw-q2-2018
  4. SSL Virtual Servers created on newer versions of NetScaler will automatically have ECC Curves bound to them. However, if this appliance was upgraded from an older version, then the ECC Curves might not be bound. If you are not using SSL Profile, then on the right, in the Advanced Settings column, click ECC Curve.

    1. On the left, in the ECC Curve section, click where it says No ECC Curve.
    2. Click where it says Click to select.
    3. Click the radio button next to ALL, and click Select.
    4. Click Bind.

      bind ssl vserver MyvServer -eccCurveName ALL
  5. If HSTS is not enabled in a bound SSL Profile, you can enable it in SSL Parameters, or you can enable it by binding a Rewrite policy.
  6. To enable HSTS by configuring SSL Parameters:
    1. On the left, find the SSL Parameters section, and click the pencil icon. This section is only present if Default SSL Profiles are not enabled. Don’t configure this if you bound a Custom SSL Profile.
    2. In the right column, check the box next to HSTS.
    3. Enter 157680000 in the Max Age box.
    4. Note: enabling HSTS in the Default SSL Profile seems to break Native OTP. Enabling HSTS in a Rewrite policy works fine.
    5. Click OK to close SSL Parameters.
  7. If enabling HSTS in an SSL Profile or SSL Parameters causes technical issues, then bind a Rewrite policy instead:
    1. If the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
    2. On the left, find the Policies section, and click the plus icon.
    3. Change the Choose Policy drop-down to Rewrite.
    4. Change the Choose Type drop-down to Response, and click Continue.
    5. Click where it says Click to select.
    6. Click the radio button next to the insert_STS_header policy, and click Select.
    7. Click Bind.

      bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

If you experience SSL performance problems on a NetScaler MPX, Citrix CTX207005 Performance Issues with NetScaler MPX SSL recommends creating and binding the following TCP Profile:

add ns tcpProfile tcp_test -WS ENABLED -SACK ENABLED -maxBurst 20 -initialCwnd 8 -bufferSize 4096000 -flavor BIC -dynamicReceiveBuffering DISABLED -sendBuffsize 4096000

SSL Tests

After you’ve created an SSL Virtual Server and configured SSL settings, run the following test:

SSL Redirect – Methods

There are typically three methods of performing SSL Redirect (http to https) in NetScaler:

  • Load Balancing Virtual Server Method – enable SSL Redirect directly on the Load Balancing Virtual Server. This is the easiest method.
    • This option is not available for Gateway Virtual Servers and Content Switching Virtual Servers.
    • There’s nothing in the GUI to indicate that the SSL Virtual Server is also listening on port 80.
  • Down vServer Method – create a new Load Balancing Virtual Server on Port 80, and configure the Redirect URL for when it is down.
    • The Virtual Server must be DOWN for the Redirect to occur. These Virtual Servers are shown as Red instead of Green.
  • Responder Method – create a new Load Balancing Virtual Server on Port 80, and bind a Responder policy that redirects to https.
    • The Responder policy only works if the Virtual Server is UP, which means it is shown as Green.
    • Some setup tasks are required – create the AlwaysUP service, and create the Responder Policy. But once setup is complete, it only requires slightly more steps than the Down vServer method.

SSL Redirect – SSL Load Balancing vServer Method

You can configure SSL Redirect directly in an SSL Load Balancing vServer (port 443) instead of creating a separate HTTP (port 80) Load Balancing vServer.

Limitations:

  • This is only an option for SSL Load Balancing vServers; it’s not configurable in Gateway vServers or Content Switching vServers.
  • Only one Redirect URL can be specified. Alternatively, the Responder method can handle multiple FQDNs to one VIP (e.g. wildcard certificate) and/or IP address URLs.

To configure an SSL Load Balancing vServer to redirect from HTTP to HTTPS:

  1. Edit the SSL Load Balancing vServer (port 443).
  2. In the Basic Settings section, click the pencil icon.
  3. Click More.
  4. In the Redirect from Port field, enter 80.
  5. In the HTTPS Redirect URL field, enter https://MyFQDN.
  6. Click Continue twice.
  7. When you view the list of Load Balancing Virtual Servers, there’s no indication that it’s listening on port 80.

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, then users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP, but listens on HTTP 80, and then redirects the user’s browser to reconnect on SSL 443.

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect.

To create the down Redirect Virtual Server:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right, right-click an SSL Virtual Server you’ve already created, and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Or, if you are redirecting NetScaler Gateway, create a new Load Balancing vServer with the same VIP as the Gateway.
  4. Change the name of the Virtual Server to indicate that this new Virtual Server is an SSL Redirect.
  5. Change the Protocol to HTTP on Port 80.
  6. The IP Address should already be filled in. It must match the original SSL Virtual Server (or Gateway vServer). Click OK.
  7. Don’t bind any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
  8. On the right, in the Advanced Settings column, click Protection.
  9. On the left, in the Protection section, in the Redirect URL field, enter the full URL including https://. For example: https://storefront.corp.com/Citrix/StoreWeb.
  10. Click OK to close the Protection section.
  11. Click Done.
  12. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s expected. The Port 80 Virtual Server must be DOWN for this redirect method to work.

SSL Redirect – Responder Method

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect. This method requires the Redirect Virtual Server to be UP.

Responder Method Setup Tasks

  1. Create a dummy Load Balancing service. This dummy service can be bound to multiple Redirect Virtual Servers.
    1. Go to Traffic Management > Load Balancing > Services.
    2. On the right, click Add.
    3. Name the service AlwaysUp or similar.
    4. Enter a fake IP address. Try not to use any IP address owned by the Citrix ADC to avoid being able to access the ADC management web page.
    5. Click the More link.
    6. This dummy service must always be UP, so uncheck the box next to Health Monitoring.
    7. Click OK, and then click Done to close the Load Balancing Service.

      add server 1.1.1.1 1.1.1.1
      add service AlwaysUp 1.1.1.1 HTTP 80 -healthMonitor NO
  2. Create the Responder Action:
    1. On the left, expand AppExpert, and click Responder.
    2. If Responder feature is not enabled, right-click Responder, and click Enable Feature.

      enable ns feature RESPONDER
    3. Under Responder, click Actions.
    4. On the right, click Add.
    5. Give the action a name.
    6. Change the Type to Redirect. If you leave this set to Respond With then it won’t work.
    7. Enter an expression. The following expression redirects to https on the same URL the user entered in the browser. Or you can create a Responder Action with a more specific Target. Click Create.
      "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE

      add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
  3. Create the Responder Policy:
    1. On the left, under Responder, click Policies.
    2. On the right, click Add.
    3. Give the policy a name.
    4. Select the previously created Responder action.
    5. For the expression, enter the following. Then click Create.
      HTTP.REQ.IS_VALID

      add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact

Enable Redirect using Responder Policy

  1. Create a Load Balancing Virtual Server with Protocol HTTP, and Port 80. The VIP should match an existing SSL Virtual Server or NetScaler Gateway Virtual Server.

  2. Bind the AlwaysUp service.
    1. In the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
    2. Click where it says Click to select.
    3. Check the box next to AlwaysUp, and click Select.
    4. Click Bind.
    5. Click Continue to close Services and Service Groups.
  3. Bind the Responder Policy:
    1. On the right, in the Advanced Settings column, click Policies.
    2. On the left, scroll down to the Policies section, and click the plus icon in the top right of the Policies box.
    3. Change the Choose Policy drop-down to Responder. Click Continue.
    4. Click where it says Click to select.
    5. Click the radio button next to the redirect Responder policy, and click Select.
    6. Click Bind.
    7. Then click Done to close the Load Balancing Virtual Server.

      add lb vserver MyvServer-HTTP-SSLRedirect HTTP 10.2.2.201 80
      
      bind lb vserver storefront.corp.com-HTTP-SSLRedirect AlwaysUp
      
      bind lb vserver storefront.corp.com-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
  4. The primary advantage of this method is that the Redirect Virtual Server is UP.

Related Pages

StoreFront Load Balancing – Citrix ADC

Last Modified: Mar 9, 2022 @ 2:17 pm

This article applies to Citrix ADC 13.1, Citrix ADC 13.0, Citrix ADC 12.1, and NetScaler 12.0. Citrix ADC is the new name for NetScaler. Citrix Gateway is the new name for NetScaler Gateway.

Navigation

Change Log

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP. To use SNIP, see Configure to source Citrix ADC FreeBSD data traffic from a SNIP address at Citrix Docs. Alternatively, you can create custom monitors not based on Perl as detailed in Citrix Blog Post Load Balancing Citrix StoreFront LTSR with NetScaler and DISA STIGs.

12.0 build 56 and newer

If your NetScaler 12.0 is older than build 56, jump to the older monitor instructions.

If your Citrix ADC is 12.1 or newer, or your NetScaler 12.0 is build 56 or newer, then do the following:

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it StoreFront or similar.
  4. In the Type field, click where it says Click to select.
  5. Scroll down and click the circle next to STOREFRONT.
  6. Scroll up to the top of the page and click the blue Select button.
  7. If you will use SSL/TLS/https to communicate with the StoreFront servers, in the Basic Parameters section, check the box next to Secure.

    • If you wish to enable the Check Backend Services checkbox, then see Citrix Service Monitor at Citrix Docs for the service that must be installed on the StoreFront Servers.
      Install-DSServiceMonitorFeature -ServiceUrl "https://localhost:443/StorefrontMonitor"
  8. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
  9. Scroll down and click Create.

    add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store
  10. Jump to the Servers section.

12.0 older than build 56

If your NetScaler 12.0 is not yet build 56 or newer:

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it StoreFront or similar.
  4. Change the Type drop-down to STOREFRONT.
  5. If you will use SSL/https to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
  6. Scroll up, and switch to the Special Parameters tab.
  7. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
  8. Click Create.

    add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. In the Name field, enter a descriptive server name. Usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding StoreFront servers.

    add server SF01 10.2.2.57
    add server SF02 10.2.2.58

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
  5. Scroll down, and click OK.
  6. Click where it says No Service Group Member.

    1. If you previously created server objects, then change the selection to Server Based, and select the server objects.
      • If you did not create server objects, then enter the IP address of a StoreFront Server.
    2. Enter 80 or 443 as the port. Then click Create.
    3. In the Service Group Members section, click OK.
  7. On the right, under Advanced Settings, click Monitors.
  8. On the left, scroll down to the Monitors section, and click where it says says No Service Group to Monitor Binding.

    1. In the Select Monitor field, click where it says Click to select.
    2. Find your StoreFront monitor. It might be on Page 2.
    3. Click the circle next to your StoreFront monitor.
      • You must click exactly in the circle (there’s no room for error). If you click outside the circle, then the monitor will open for editing instead of being selected. If you accidentally open a monitor, click Close to return to the selection screen.
    4. After the monitor is selected, scroll to the top of the window and click the blue Select button.
    5. Then click Bind.
  9. To verify that the monitor is working, on the left, scroll up to the  Service Group Members section, and click the Service Group Members line.

    1. Right-click a member, and click Monitor Details.
    2. The Last Response should be Success – Probe succeeded. Click Close twice. It’s too bad you can’t edit the monitor from here.
  10. On the left, if you see a Settings section, then click the pencil icon.

    • If you don’t see the Settings section, then on the right, under Advanced Settings, click Settings.
  11. On the left, in the Settings section, check the box for Client IP, and enter X-Forwarded-For as the Header.
  12. Then click OK in the Settings section. Make sure you click OK or your change won’t be saved.
  13. Scroll down, and click Done to finish creating the Service Group.

    add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
    
    bind serviceGroup svcgrp-StoreFront-SSL SF01 443
    bind serviceGroup svcgrp-StoreFront-SSL SF02 443
    bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
  14. If the Service Group is http, and if you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to enable loopback in StoreFront.
    1. In StoreFront 3.5 and newer, you enable it in the GUI console.
    2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.
      & "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
      
      Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the StoreFront SSL Load Balancing Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers.

    • For email discovery in Citrix Receiver, the certificate must match discoverReceiver.email.suffix for each email suffix, which can be accomplished by configuring Subject Alternative Names.
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  3. On the right, click Add.
  4. Name it lbvip-StoreFront-SSL or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.

    add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    1. Click where it says Click to select.
    2. Click the circle next to your StoreFront Service Group.
      • You must click the circle exactly (no room for error). If you click outside the circle, then the Service Group will open for editing. If that happens, click the x on the top right, or click the Done button on the bottom, to return to the selection screen.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.

      bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL
  10. In the Services and Service Groups section, click Continue.
  11. Click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the circle next to the certificate for this StoreFront Load Balancing Virtual Server.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.

      bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom
  12. In the Certificates section, click Continue.
  13. On the right, in the Advanced Settings column, click Persistence.
  14. On the left, in the Persistence section, select SOURCEIP.
    Note: With SOURCEIP, all Citrix Gateway connections to StoreFront will go to the same StoreFront server because Gateway uses SNIP as the Source IP. COOKIEINSERT allows Citrix Gateway connections to be spread across multiple StoreFront servers but COOKIEINSERT might not work with Android clients.

  15. Set the Persistence timeout to match the timeout of Receiver for Web.
  16. Click OK to close the Persistence section. If you don’t click OK then you will lose the change that you made.
  17. If the Citrix ADC communicates with the StoreFront servers using HTTP (aka SSL Offload, which means SSL 443 on the client-side, and HTTP 80 on the server-side):
    1. If the default SSL Profile is not enabled, then you’ll need to edit the SSL Parameters section on the vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.

      set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED
    2. If you have enabled the Default SSL Profile, then you’ll either need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
  18. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, disable TLS v1.0, disable TLS v1.1,, bind an A+ Cipher Group, and enable Strict Transport Security.
    bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert
    
    set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
    
    unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
    
    bind ssl vserver lbvip-StoreFront-SSL -cipherName custom-ssl-labs
    
    bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL
    
    bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.
Server name is displayed

SSL Redirect – SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users, enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative is to use the Responder method.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right, find the SSL Virtual Server you’ve already created, right-click it, and click Edit.
  3. In the Basic Settings section, click the pencil icon.
  4. Click the More link.
  5. In the Redirect from Port field, enter 80.
  6. In the HTTPS Redirect URL field, enter your StoreFront Load Balancing URL (e.g. https://storefront.corp.com).
  7. Scroll down, and click Continue twice.

    set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront.corp.com
  8. Note: this method does not show you that the Virtual Server is listening on both port 80 and 443. If you look in the Virtual Servers list, you only see port 443, when actually it’s also listening on port 80.

StoreFront Base URL

  1. Create a DNS Host record that resolves to the new StoreFront Load Balancing VIP.
  2. The DNS name for StoreFront load balancing must be different than the DNS name for Citrix Gateway. Unless you are following the Single FQDN procedure.

  3. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  4. Enter the new Base URL in https://storefront.corp.com format. This URL must match the certificate that is installed on the load balancer. Click OK.
  5. Right-click your store, and click Manage Receiver for Web Sites.
  6. Click Configure.
  7. On the Advanced Settings page, in the third row, change Enable loopback communication to OnUsingHttp. This tells StoreFront to not use the load balancer for inter-server communication.

Subscription Replication Load Balancing

If you have multiple StoreFront Server Groups (usually in separate datacenters), you might want to replicate subscriptions (favorites) between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this port number, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, right-click your existing StoreFront service group, and click Add.

    1. Change the Service Group name to indicate that it’s for Favorites (aka Subscriptions) Replication on TCP port 808.
    2. Change the Protocol to TCP.
    3. Scroll down, and click OK.
    4. In the Service Group Members section, click where it says No Service Group Member.
    5. Change the selection to Server Based, and select the StoreFront servers.
    6. Enter 808 as the port. Then click Create.
    7. Click OK to close the Service Group Members section.
    8. On the right, under Advanced Settings, click Monitors.
    9. On the left, scroll down, and in the Monitors section, click where it says No Service Group to Monitor Binding.
    10. Click where it says Click to select.
    11. Click the circle next to the tcp monitor.
      • You must click the circle exactly (no room for error). If you click outside the circle, then the monitor will open for editing. If this happens, click the Close button to return to the selection screen.
    12. At the top of the window, click the blue Select button.
    13. Click Bind.
    14. Click Done to close the Service Group.

      add serviceGroup svcgrp-StoreFront-FavRepl TCP
      bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
      bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808
  3. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  4. On the right, right-click the existing StoreFront Load Balancing vServer, and click Add.

    1. Change the name to indicate that this Virtual Server is for Favorites (aka Subscriptions) replication.
    2. Change the Protocol to TCP.
    3. Specify the same VIP that you used for SSL Load Balancing of StoreFront.
    4. Enter 808 as the Port.
    5. Click OK.
    6. In the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    7. Click where it says Click to select.
    8. Click the circle next to your StoreFront Subscription Replication Service Group.
      1. You must click the circle exactly (no room for error). If you click outside the circle, then the Service Group will open for editing. If this happens, click the x on the top right, or click the Done button on the bottom, to return to the selection screen.
    9. After selecting the Service Group, at the top of the window, click the blue Select button.
    10. Click Bind.
    11. In the Services and Service Groups section, click Continue to close the section.
    12. Scroll down, and click Done to close the Virtual Server. There’s no need for persistence or redirects.

      add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.201 808 -persistenceType NONE
      
      bind lb vserver lbvip-StoreFront-FavRepl svcgrp-SF-FavRepl

CLI Commands

Here is a list of Citrix ADC CLI commands for StoreFront Load Balancing:

# SSL Global Parameters
# ---------------------
set ssl parameter -denySSLReneg NONSECURE

# SSL Cipher Group
# ----------------
add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 3
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 5
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 6
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 7
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 8
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 9
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 10
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 11
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 12


# Cert
# -----
add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "Passw0rd"

# Load Balancing Global Parameters
# --------------------------------
enable ns mode FR L3 Edge USNIP PMTUD ULFD
set ns param -cookieversion 1 -timezone
set ns tcpParam -WS ENABLED -SACK ENABLED
set ns httpParam -dropInvalReqs ON

# Servers
# -------
add server SF01 10.2.2.17
add server SF02 10.2.2.18

# Service Groups
# --------------
add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_256
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_384
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_224
bind ssl serviceGroup svcgrp-StoreFront-SSL -eccCurveName P_521

add serviceGroup svcgrp-StoreFront-SubRepl TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svcgrp-StoreFront-SubRepl SF01 808
bind serviceGroup svcgrp-StoreFront-SubRepl SF02 808
bind serviceGroup svcgrp-StoreFront-SubRepl -monitorName tcp


# Load Balancing Virtual Servers
# ------------------------------
add lb vserver lbvip-StoreFront-SSL SSL 10.2.5.221 443 -persistenceType SOURCEIP -timeout 60 -cltTimeout 180 -redirectFromPort 80 -httpsRedirectUrl "https://storefront5.corp.com"
bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL

add lb vserver lbvip-StoreFront-SubRepl TCP 10.2.5.221 808 -persistenceType NONE -cltTimeout 9000
bind lb vserver lbvip-StoreFront-SubRepl svcgrp-StoreFront-SubRepl


# SSL Virtual Servers
# -------------------
set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -HSTS ENABLED -maxage 1576800000
unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
bind ssl vserver lbvip-StoreFront-SSL -cipherName custom-ssllabs-cipher
bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildcardCorpCom
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_256
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_384
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_224
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName P_521

Related Posts

System Configuration – NetScaler 12 / Citrix ADC 12.1

Last Modified: Jan 15, 2021 @ 6:23 am

Navigation

💡 = Recently Updated

Change Log

VPX Virtual Hardware

CTX267027 CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance

Magnus Andersson Deploy Citrix ADC VPX On Nutanix AHV

VMware Compatibility (source = Support matrix for 12.1 and Support matrix for 12.0 at Citrix Docs)

  • Citrix ADC 12.1 build 49 and newer are supported on ESXi 6.7. NetScaler VPX 12.0 is not supported on ESXi 6.7.
  • NetScaler VPX 12 is not supported on ESXi 5.5.
  • NetScaler VPX 12 is the first version to support ESXi 6.5.

Citrix ADC 12.1 with E1000 or VMXNET3 supports vMotion. NetScaler 12.0 does not support any form of vMotion.

NetScaler ADC VPX supports changing the NIC type to VMXNET3 or SR-IOV. The imported appliance comes with E1000 NICs, so you’ll have to remove all of the existing virtual NICs, and add new VMXNET3 NICs.

Auto-Provision IP Address

When importing VPX into a hypervisor, you can use VM advanced configuration parameters to set the NSIP. See CTX128250 How to Auto-Provision NetScaler VPX Appliance on a VMware ESX or ESXi Host, and CTX128236 How To Auto-Provision NetScaler VPX on XenServer.

Power On VPX and configure NSIP

  1. After swapping out the NICs to VMXNET3, power on the NetScaler ADC VPX appliance.
  2. Configure the management IP from the VM’s console.
  3. Then point your browser to the management IP using either http or https and login as nsroot with password nsroot.

Customer User Experience Improvement Program

  1. You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable, or click Skip.

  2. You can also enable or disable the Customer Experience Improvement Program by going to System > Settings.
  3. On the right is Change CUXIP Settings.
  4. Make your selection and click OK.
  5. See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
set system parameter -doppler ENABLED

Welcome Wizard

NetScaler ADC has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you login.

  1. Click the Subnet IP Address box.
  2. You can either enter a SNIP for one of your production interfaces, or you can click Do it later and add SNIPs later after you configure Port Channels and VLANs. Note: If you have a dedicated management network, to prevent it from being used for outgoing traffic, don’t put a SNIP on it.

    add ns ip 10.2.2.60 255.255.255.0 -type SNIP
  3. Click the Host Name, DNS IP Address, and Time Zone box.
  4. Enter a hostname. In a High Availability pair each node can have a different hostname. You typically create a DNS record that resolves the hostname to the NSIP (management IP).
  5. Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
  6. Change the time zone to GMT-06:00-CST-America/Chicago or similar.
  7. Click Done.

    set ns hostname ns02
    
    add dns nameServer 10.2.2.11
    
    set ns param -timezone "GMT-06:00-CST-America/Chicago"
  8. Click Yes to save and reboot.
  9. Click the Licenses box.
  10. On the far right side of the screen, you’ll see the Host ID. You’ll need this to allocate your licenses at citrix.com. See below for detailed instructions on how to allocate the license to this Host ID.
  11. On the left, select Upload license files, and click Browse.
  12. Browse to the license file, open it, and click Reboot when prompted.

    • License files are stored in /nsconfig/license.
  13. After the reboot and logging in, a box will pop up showing you the installed license, including Days to Expiration (12.0 build 59 and newer).
  14. Also look in the top left corner to make sure it doesn’t say NetScaler VPX (1) or ADC VPX (Freemium). The number in the parentheses should match the MPX or VPX model number.

Licensing – VPX Mac Address

To license a NetScaler ADC VPX appliance, you will need its MAC address.

  1. Go to the Configuration tab.
  2. In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
  3. Another option is to SSH to the appliance and run shell.
  4. Then run lmutil lmhostid. The MAC address is returned.

Licensing – Citrix.com

  1. Login to http://mycitrix.com.
  2. On the left, click All Licensing Tools.
  3. On the top right, in the horizontal menu, click Activate and Allocate Licenses.
  4. If you are activating an eval license, click Don’t see your product near the top, and enter the eval license key.

  5. Otherwise, check the box next to a Citrix NetScaler VPX or MPX license, and click Continue.
  6. If this is a NetScaler ADC MPX license then there is no need to enter a host ID for this license. so just click Continue.
  7. If this is a NetScaler ADC VPX license, enter the VPX MAC address into the Host ID field. It’s not obvious, but you can enter text in this drop-down field.
  8. If you have more than one VPX license, change the Quantity field to 1, and then click Continue.

    1. For a VPX appliance, you can get the Host ID by looking at the System Information page. Click the System node to see this page.
  9. Click Confirm.
  10. Click OK when asked to download the license file.
  11. Click Download.
  12. Click Save and put it somewhere where you can get to it later.
  13. For NetScaler Standard Edition or higher, at least 500 NetScaler Gateway Universal Licenses are already included in your NetScaler platform license. NetScaler Standard comes with 500 Gateway Universal, NetScaler Enterprise comes with 1,000 Gateway Universal, and NetScaler Platinum comes with unlimited Gateway Universal.
    • Note: NetScaler Gateway Enterprise Edition VPX does not come with any Gateway Universal Licenses.
  14. If you need more Gateway Universal licenses on your NetScaler, you can allocate them now. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
  15. Enter your appliance hostname (not Mac address) as the Host ID for all licenses. If you have two appliances in a HA pair, allocate these licenses to the first appliance hostname, then reallocate them to the second appliance hostname.
  16. Click Confirm.
  17. Click OK when prompted to download your license file.
  18. Click Download.
  19. Click Save.
  20. If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses, and reallocate them to the other hostname. The top right horizontal menu bar has a Reallocate option.

Install Licenses on Appliance

If you haven’t already installed licenses on your appliance, then do the following:

  1. In the NetScaler Configuration GUI, on the left, expand System, and click Licenses.
  2. On the top right, click Manage Licenses.
  3. Click Add New License.
  4. If you have a license file, select Upload license files, and then click Browse. Select the license file, and click Open.

    • License files are stored in /nsconfig/license.
  5. Click Reboot when prompted. Login after the reboot.
  6. After rebooting and logging in, a window will appear showing the installed license.

    1. Notice that Maximum ICA Users Allowed is set to Unlimited.
    2. Maximum NetScaler Gateway Users Allowed will vary depending on your NetScaler Edition.
    3. Days to Expiration is shown in 12.0 build 59 and newer.
  7. Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or packets will drop.

VPX 100% CPU

NetScaler 12 packet engine consumes 100% of the hypervisor CPU. VPX 200 and lower only have one packet engine, so it’s probably consuming around 50% CPU.

You can change this behavior by doing the following:

  1. On the left, go to System > Settings.
  2. On the right, in the bottom of the second column, click Change VPX Configuration Settings.
  3. Change the CPU Yield drop-down to YES, and click OK.
  4. After making this change, you can see an immediate drop-off in CPU consumption.

Upgrade Firmware

Citrix CTX241500 Citrix ADC Firmware Release Cycle:

  • Versions that end in x.1 (e.g 11.1, 12.1, 13.1, 14.1 etc.) get three years of maintenance releases after one year of feature releases (new features).
  • Versions that end in x.0 (e.g 12.0, 13.0, 14.0, etc.) get one year of maintenance releases after one year of feature releases (new features).

CTX267027 CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance

CTX261055 Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway

Citrix CTX220371 Must Read Articles Before and After Upgrading NetScaler

NetScaler MAS can upgrade firmware. With MAS, the firmware upgrade can be scheduled. For more details, see Creating Maintenance Tasks at Citrix Docs. MAS does a precheck to make sure there are no upgrade issues.


To upgrade firmware using the NetScaler management utility (source = Citrix CTX127455 How to Upgrade Software of the NetScaler Appliances in a High Availability Setup):

  1. Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. 12.0 is End of Maintenance soon so you’ll want 12.1 instead. You want the Build, not the VPX. Note: Firmware for Citrix Gateway is identical to firmware for Citrix ADC.

  2. Make sure you Save the config before beginning the upgrade. Doing the save on the primary will cause both nodes to save their configs.
  3. Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
  4. When upgrading from 10.5 or older, make sure the NetScaler Gateway Theme is set to Default or Green Bubbles. After the upgrade, you’ll have to create a new Portal Theme and bind it to the Gateway vServers.
  5. Start with the Secondary appliance.
  6. Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
  7. Disk Cleanup – VPXs usually don’t have enough free space to perform the upgrade.

    • If you SSH to the appliance, run shell, run cd /var, then you can run the following command to see disk space consumption sorted by highest:
      du -d 1 | sort -n -r

    • /var/nsinstall has old firmware upgrades that can be deleted.
    • A common consumer of disk disk is the counter files located in /var/nslog.
    • Check /var/netscaler/nsbackup for old backup files.
  8. In the NetScaler GUI, with the top left node System selected, on the right, click System Upgrade.
  9. Click Choose File, and browse to the build…tgz file. If you haven’t downloaded firmware yet, then you can click the Download Firmware link.
  10. Click Upgrade.
  11. The firmware will upload.
  12. You should eventually see a System Upgrade window with text in it. Click Close when you see the line indicating that a reboot is required.
  13. Go back to the System node. On the right, click the Reboot button.
  14. Click OK to reboot.
  15. After the reboot, after you login, you can see the firmware version by clicking your name on the top right of the browser window.
  16. Once the Secondary is done, failover the pair.
  17. Then upgrade the firmware on the former Primary.

To install firmware by using the command-line interface

  1. To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
  2. Create a version directory under /var/nsinstall (e.g. /var/nsinstall/12.0.51.24).
  3. Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/12.0.51.24) directory on the appliance.
  4. Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
  5. At a command prompt, type shell.
  6. At a command prompt, type cd /var/nsinstall/<version> to change to the nsinstall directory.
  7. To view the contents of the directory, type ls.
  8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
  9. To start the installation, at a command prompt, type ./installns.
  10. When the installation is complete, restart NetScaler.
  11. When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The synchronization exceptions are mainly network interface configurations (e.g. LACP).

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

  1. Prepare the secondary appliance:
    1. Configure a NSIP.
    2. Don’t configure a SNIP. In Step 2, Subnet IP Address, you can click Do It Later to skip the wizard. You’ll get the SNIP later when you pair it.
    3. Configure Hostname and Time Zone.
    4. Don’t configure DNS since you’ll get those addresses when you pair it.

    5. License the secondary appliance.
    6. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
  2. On the secondary appliance, go to System > High Availability > Nodes. Your build might not have the Nodes node.

    1. On the right, edit the local node.
    2. Change High Availability Status to STAY SECONDARY. If you don’t do this then you run the risk of losing your config when you pair the appliances.

      set ha node -hastatus STAYSECONDARY
  3. On the primary appliance, on the left, expand System, expand Network, and click Interfaces.

    1. On the right, look for any interface that is currently DOWN.
    2. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface, and click Disable. Repeat for the remaining disconnected interfaces.

      show interface
      disable interface 1/1
  4. On the left, expand System, expand High Availability, and click Nodes. Your build of NetScaler might not have a Nodes node.
  5. On the right, edit node 0.

    1. Change the High Availability Status to STAY PRIMARY, and click OK.
  6. On the right, click Add.

    1. Enter the other NetScaler’s IP address.
    2. Enter the other NetScaler’s login credentials, and click Create.

      add ha node 1 192.168.123.14
      Note: this CLI command must be run separately on each appliance.
  7. If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.

    • Eventually it will say SUCCESS.
  8. Edit Node ID 0 (the local appliance).

    1. Change High Availability State back to ENABLED.
    2. Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down, and click OK.

      set ha node -failSafe ON
  9. If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
  10. On the secondary appliance, go to System > High Availability > Nodes and edit the local node 0.
  11. Change it from STAY SECONDARY to ENABLED. Also enable Fail-safe Mode. Click OK.
  12. On the new secondary appliance, go to System > Network > Routes, and make sure you don’t have two 0.0.0.0/0.0.0.0 routes. Joining an appliance to an HA pair causes the default route on the primary appliance to sync to the secondary appliance. But, it doesn’t delete the default gateway that was formerly configured on the secondary appliance.
  13. From the NetScaler CLI (SSH), run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed later..
  14. You can also disable HA heartbeats on specific network interfaces (System > Network > Interfaces).
    1. Note: Make sure HA heartbeats are enabled on at least one interface/channel.
    2. Note: this is an interface configuration, so this configuration change is not propagated to the other node.
  15. You can force failover of the primary appliance by going to System > High Availability > Nodes, opening the Actions menu, and clicking Force Failover.

    force ha failover
  16. If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Port Channels on Physical NetScaler MPX

If you are configuring a NetScaler MPX (physical appliance), and if you plugged in multiple cables, and if more than one of those cables is configured on the switch for the same VLAN(s), then you must bond the interfaces together by configuring a Port Channel.

  • On the switch, create a Port Channel, preferably with LACP enabled.
  • The Port Channel can be an Access Port (one VLAN), or a Trunk Port (multiple VLANs).
  • On the NetScaler, configure LACP on the network interfaces, or create a Channel manually. Both are detailed below.

Also see Webinar: Troubleshooting Common Network Related Issues with NetScaler.

LACP Port Channel

To configure Port Channels on a NetScaler, you can either enable LACP, or you can configure a Channel manually. If your switch is configured for LACP, do the following on NetScaler to enable LACP on the member interfaces.

  1. Go to System > Network > Interfaces.
  2. On the right, edit one of the Port Channel member interfaces.
  3. Scroll down.
  4. Check the box next to Enable LACP.
  5. In the LACP Key field, enter a number. The number you enter here becomes the channel number. For example, if you enter 1, NetScaler creates a Channel named LA/1. All member interfaces of the same Port Channel must have the same LACP Key. Click OK when done.
  6. Continue enabling LACP on member interfaces and specifying the key (channel number). If you are connected to two port channels, one set of member interfaces should have LACP Key 1, while the other set of member interfaces should have LACP Key 2.
  7. Note: in an HA pair, you must perform this interface configuration on both nodes. The LACP commands are not propagated across the HA pair.
  8. If you go to System > Network > Channels.
  9. You’ll see the LACP Channels on the right. These were created automatically.
  10. If you edit a Channel, there’s a LACP Details tab that shows you the member interfaces.

Manual Channel

If your switch ports are not configured for LACP, then you can instead create a Channel manually.

  1. Go to System > Network > Channels.
  2. On the right, click Add.
  3. At the top, choose an unused Channel ID (e.g. LA/1).
  4. On the bottom, click Add.
  5. Click the plus icon next to each member interface to move it to the right. Then click Create.

Redundant Interface Set

You can also configure the NetScaler for switch-independent teaming. Create a Channel manually, but select a Channel ID starts with LR instead of LA. This is called Link Redundancy or Redundant Interface Set.

Channel Minimum Throughput

Channels can be configured so that a High Availability failover occurs when the Channel throughput drops below a configured value. For example, if you have four members in a Channel, you might want a High Availability failover to occur when two of the member interfaces fail.

  1. Go to System > Network > Channels, and edit a Channel.
  2. Near the top, enter a minimum threshold value in the Throughput field. If the total bonded throughput drops below this level, a High Availability failover will occur.

Trunk Port and High Availability

If you are trunking multiple VLANs across the channel, and if every VLAN is tagged (no native VLAN), then a special configuration is needed to allow High Availability heartbeats across the channel.

  1. Go to System > Network > VLAN.
  2. Add a VLAN object.
  3. Bind the VLAN to a channel or interface. To bind multiple VLANs to a single interface/channel, the VLANs must be tagged.
  4. Configure one of the VLANs as untagged. Only untag one of them. Which one you untag doesn’t matter, except that the same VLAN should be untagged on the other HA node. If your switch doesn’t allow untagged packets, don’t worry, we’ll fix that soon.
  5. If your switch doesn’t allow untagged packets, go to System > Network > Channels, and edit the channel.
  6. Scroll down. On the Settings tab, set Tag all VLANs to ON. This causes NetScaler to tag all packets, including the VLAN you formerly marked as untagged. This special configuration is necessary to also tag High Availability heartbeat packets.
  7. Note: in an HA pair, you must perform this Tagall configuration on both nodes. The Tagall command is not propagated across the HA pair.

Common physical interface configuration

Here is a common NetScaler networking configuration for a physical NetScaler MPX that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal, then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server: in other words, traffic comes into a DMZ VLAN, but goes out an internal VLAN. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

  • 0/1 connected to a dedicated management network. NSIP is on this network.
    • 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, LA/1, etc.) and don’t connect any cables to 0/1.
    • To prevent NetScaler from using this dedicated management interface for outbound data traffic, don’t put a SNIP on this management network, and configure the default gateway (route 0.0.0.0) to use a router on a different data network (typically the DMZ VLAN). However, if there’s no SNIP on this VLAN, and if the default gateway is on a different network, then there will be asymmetric routing for management traffic, since inbound management traffic goes in 0/1, but reply traffic goes out LA/1 or LA/2. To work around this problem, enable Mac Based Forwarding, or configure Policy Based Routing. Both of these options are detailed in the next section.
    • It’s easiest if the switch port for this dedicated management interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
  • 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
  • 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). The default gateway (route 0.0.0.0) points to a router on a DMZ VLAN so replies can be sent to Internet clients.
    • If only one DMZ VLAN, configure the switch ports/channel as an Access Port.
    • If multiple DMZ VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.

Dedicated Management Subnet

Dedicated Management Subnet implies that your NetScaler is connected to multiple VLANs. If you have a subnet that is for NSIP only, and don’t want to use the NSIP subnet for data traffic, then you’ll want to move the default route to a different subnet, which breaks the NSIP. To work around this problem, create a PBR for the NSIP to handle replies from NSIP, and to handle traffic sourced by the NSIP.

Citrix Blog Post Separating NetScaler Management and Data Traffic for DISA STIGs also uses PBRs.

  1. Go to System > Network > PBRs.
  2. On the right, click Add.
  3. Give the PBR a name (e.g. NSIP)
  4. Set the Next Hop Type drop-down to New.
  5. In the Next Hop field, enter the router IP address that is on the same network as the NSIP.
  6. In the Configure IP section, set the first Operation drop-down to =.
  7. In the Source IP Low field, enter the NSIP. This causes the PBR to match all traffic with NSIP as the Source IP address.
    • In an HA pair, the PBR command applies to both nodes in the pair. To accommodate this, in the Source IP Low field, enter the lower NSIP address. Then in the Source IP High field, enter the higher NSIP address.
  8. You don’t need anything else.
  9. Scroll down, and click Create.
  10. To handle DNS traffic sourced by the NSIP, create another PBR by right-clicking the existing one, and clicking Add.
  11. Change the name to NSIP-DNS or similar.
  12. Change the Action drop-down to DENY. This prevents the PBR from overriding normal DNS behavior.
  13. Change the Priority to a lower number than the original PBR. Scroll down.
  14. In the Configure Protocol section, click the Protocol drop-down, and select UDP (17).
  15. In the Destination section, change the Operation to =.
  16. In the Destination port Low field, enter 53.
  17. Scroll down, and click Create.
  18. Make sure the DENY PBR is higher in the list (lower priority number) than the ALLOW PBR.
  19. Then open the Action menu, and click Apply.

    add ns pbr NSIP-DNS DENY -srcIP = 10.2.2.126-10.2.2.127 -destPort = 53 -nextHop 10.2.2.1 -protocol UDP -priority 5
    add ns pbr NSIP ALLOW -srcIP = 10.2.2.126-10.2.2.127 -nextHop 10.2.2.1
    apply ns pbrs

If you want a floating management IP that is always on the Primary appliance, here’s a method of granting management access without adding a SNIP to the management subnet:

  1. Create a Load Balancing Service on HTTP 80 on IP address 127.0.0.1. You might already have one called AlwaysUp that is used with SSL Redirects. Note: NetScaler doesn’t allow creating a Load Balancing service on IP address 127.0.0.1 and port 443 (SSL).
    1. The IP address you enter is 127.0.0.1. When you view the Load Balancing Service, it shows the local NSIP. After a HA failover, the IP Address will change to the other NSIP.
  2. Create a Load Balancing Virtual Server using a VIP on the management subnet. Protocol = SSL. Port number = 443.

    1. Bind the AlwaysUp:80 or loopback:80 service to the Load Balancing Virtual Server. In summary: the front end is 443 SSL, while the LB Service is 80 HTTP.
  3. Add the new VIP to the PBRs so the replies go out the correct interface.
  4. You should then be able to point your browser to https://Step2VIP to manage the appliance.
  5. You can perform the same loopback trick for 22 SSH. Create a Load Balancing Service on TCP 22 on IP address 127.0.0.1.
  6. Create a Load Balancing Virtual Server using the management VIP specified earlier. Protocol = TCP. Port number = 22.

    1. Bind the loopback:TCP:22 service to the Load Balancing Virtual Server.
  7. You should then be able to point your SSH Client to <Step2VIP> to manage the appliance.
  8. CLI Commands for the floating management VIP:
    add service AlwaysUp 127.0.0.1 HTTP 80
    add service mgmt-SSH 127.0.0.1 TCP 22
    add lb vserver mgmt-SSL SSL 10.2.2.128 443
    add lb vserver mgmt-SSH TCP 10.2.2.128 22
    bind lb vserver mgmt-SSL AlwaysUp
    bind lb vserver mgmt-SSH mgmt-SSH
    set ns pbr NSIP-DNS DENY -srcIP = 10.2.2.126-10.2.2.128 -destPort = 53 -nextHop 10.2.2.1 -protocol UDP -priority 5
    set ns pbr NSIP ALLOW -srcIP = 10.2.2.126-10.2.2.128 -nextHop 10.2.2.1
    apply ns pbrs

Multiple Subnets / Multiple VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.

If this is a physical MPX appliance, see the previous Port Channel section first.

If you only connected NetScaler to one subnet (one VLAN) then skip ahead to DNS servers.

Configuration Overview

The general configuration process for multiple subnets is this:

  1. Create a SNIP for each subnet/VLAN.
  2. Create a VLAN object for each subnet/VLAN.
    1. Bind the VLAN object to the SNIP for the subnet.
    2. Bind the VLAN object to the Port Channel or single interface that is configured for the VLAN/subnet.

SNIPs for each VLAN

You will need one SNIP for each connected subnet/VLAN. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.

NSIP Subnet

The NSIP subnet is special, so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any network that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as an access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).

Configure Subnets/VLANs

To configure NetScaler with multiple connected subnets:

  1. Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
  2. On the right, click Add.

    1. Enter the Subnet IP Address for this network/subnet. The SNIP will be the source IP address the NetScaler will use when communicating with any other service/server on this network. The Subnet IP is also known as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
    2. Enter the netmask for this network.
    3. Ensure the IP Type is set to Subnet IP. Scroll down.

      add ns ip 172.16.1.11 255.255.255.0 -type SNIP
    4. Under Application Access Controls, decide if you want to enable GUI management on this SNIP. This feature can be particularly useful for High Availability pairs, because when you point your browser to the SNIP, only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for a DMZ network.
    5. Click Create when done. Continue adding SNIPs for each connected network (VLAN).

      set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
  3. On the left, expand System, expand Network, and click VLANs.
  4. On the right, click Add.

    1. Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged, then any ID (except 1) will work.
    2. Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
    3. If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
    4. If your switches do not allow untagged packets, then you will need to use the tagall interface option to tag NetScaler High Availability heartbeat packets. See CTX122921 Citrix NetScaler Interface Tagging and Flow of High Availability Packets
    5. If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1, and instead put in this VLAN ID.
    6. Switch to the IP Bindings tab.
    7. Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.

      add vlan 50
      bind vlan 50 -ifnum LA/1 -IPAddress 172.16.1.11 255.255.255.0
  5. On the left, expand System, expand Network, and click Routes.
  6. On the right, click Add.

    1. Internal networks are usually only accessible through an internal router. Add a static routes to the internal networks
    2. Make sure NULL Route is set to No.
    3. Set the Gateway (next hop) to an internal router.
    4. Then click Create.

      add route 10.2.0.0 255.255.0.0 10.2.2.1
  7. The default route should be changed to use a router on the DMZ network (towards the Internet). Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. You usually only need to do this for dedicated management networks.
    1. Note: PBR is recommended over MBF, because PBR can handle traffic sourced by NSIP (e.g Syslog traffic), while MBF cannot.
    2. Mac Based Forwarding sends replies out the same interface they came in on. However, MBF ignores the routing table, and doesn’t handle traffic sourced by the NSIP (e.g. LDAP traffic). To enable MBF:
      1. On the left, expand System, and click Settings.
      2. On the right, in the left column, click Configure modes.
      3. Check the box next to MAC Based Forwarding (MBF), and click OK. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).

        enable mode mbf
  8. Go back to System > Network > Routes.
    1. On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route, PBR, or MBF to the IP address of the machine you are running the browser on.

      rm route 0.0.0.0 0.0.0.0 10.2.2.1
    2. Then click Add.
    3. Set the Network to 0.0.0.0, and the Netmask to 0.0.0.0.
    4. Make sure NULL Route is set to No.
    5. Enter the IP address of the DMZ (or data) router, and click Create.

      add route 0.0.0.0 0.0.0.0 172.16.1.1

DNS Servers

  1. To configure DNS servers, expand Traffic Management, expand DNS, and click Name Servers.
  2. On the right, click Add.

    1. Enter the IP address of a DNS server, and click Create.
    2. Note: The NetScaler must be able ping each of the DNS servers, or they will not be marked as UP. The ping originates from the SNIP.

      add dns nameServer 10.2.2.11
  3. NetScaler 12 includes DNS Security Options, which are useful if you use this NetScaler to provide DNS services to clients (e.g. DNS Proxy/Load Balancing, GSLB, etc.). You can configure them at Security > DNS Security.

  4. Additional DNS Security Options are detailed at Mitigating DNS DDoS attacks at Citrix Docs.

NTP Servers

  1. On the left, expand System, and click NTP Servers.
  2. On the right, click Add.
  3. Enter the IP Address of your NTP Server (or pool.ntp.org), and click Create.

    add ntp server pool.ntp.org
  4. On the right, open the Action menu, and click NTP Synchronization.
  5. Select ENABLED, and click OK.

    enable ntp sync
  6. You can click the System node to view the System Time.
  7. If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date –help to see the syntax.
  8. Ntpdate –u pool.ntp.org will cause an immediate NTP time update.

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will, by default, store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like NetScaler Management and Analytics System.

  1. On the left, expand System, expand Auditing, and click Syslog.
  2. On the right, switch to the Servers tab, and click Add.

    1. Enter a name for the Syslog server.
    2. You can change Server Type to Server Domain Name, and enter a FQDN.
    3. Enter the IP Address or FQDN of the SYSLOG server, and 514 as the port.
    4. Configure the Log Levels you’d like to send to it by clicking CUSTOM – typically select everything except DEBUG.
    5. Select your desired Time Zone.
    6. You can optionally enable other logging features.
    7. Then click Create.

      add audit syslogAction MySyslogServer 10.2.2.12 -logLevel ALL -timeZone LOCAL_TIME
      add audit syslogAction MySyslogServer syslog.corp.local -logLevel ALL -timeZone LOCAL_TIME
  3. On the right, switch to the Policies tab, and then click Add.

    1. Give the policy a descriptive name,
    2. Change the Expression Type selection to Advanced Policy.
    3. Select the previously created Syslog server.
    4. And then click Create.

      add audit syslogPolicy MySyslogServer ns_true MySyslogServer
  4. While still on the Policies tab, open the Actions menu, and click Classic Policy Global Bindings or Advanced Policy Global Bindings, depending on which one you chose when creating the Syslog policy.

    1. Click Add Binding.
    2. Click where it says Click to select.
    3. Click the radio button next to the Syslog policy you want to bind, and click Select.
    4. If you don’t select anything in Global Bind Type, then it defaults to SYSTEM_GLOBAL.
    5. Click Bind.
    6. Click Close.
    7. If you see a blank screen, click the back button.

      bind audit syslogGlobal -policyName MySyslogServer -priority 100
      bind system global MySyslogServer -priority 100

SNMP – MIB, Traps, and Alarms

  1. On the left, expand System, and click SNMP.
  2. On the right, click Change SNMP MIB.

    1. Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
    2. This configuration needs to be repeated on the other node.

      set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
  3. Expand System, expand SNMP, and click Community.

    1. On the right, click Add.
    2. Specify a community string, and the Permission, and click Create.

      add snmp community public GET
  4. On the left, under SNMP, click Traps.

    1. On the right, click Add.
    2. Specify a trap destination. The fields will vary for V2 vs V3. Click Create.

      add snmp trap generic 10.2.2.12 -communityName public
      add snmp trap specific 10.2.2.12 -communityName public
  5. On the left, under SNMP, click Managers.

    1. On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
    2. Change the selection to Management Network.
    3. Specify the IP of the Management Host, and click Create.

      add snmp manager 10.2.2.12
  6. The Alarms node allows you to enable SNMP Alarms and configure thresholds.

    1. You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm, and 50% normal, with a Critical severity.

      set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
    2. You can also configure the MEMORY alarm.

      set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

  • ifTotXoffSent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
  • ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
  • ifErrRxNoBuffs – .1.3.6.1.4.1.5951.4.1.1.54.1.30
  • ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you many optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

Call Home at Citrix Docs has information on how it work.

From the Citrix ADC 12.1 build 49 release notes: CallHome is now enhanced to send Citrix ADC usage metrics to Citrix Insight Services (CIS) periodically. Citrix collects the data to understand how the appliance works and how to improve the product. By default, CallHome sends the metrics once in every 7 days. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/configuring-call-home.html.

To enable Call Home:

  1. On the left, expand System, and click Diagnostics.
  2. On the right, in the left column, in the Technical Support Tools section, click Call Home.
  3. Check the box next to Enable Call Home.
  4. Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
  5. If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

  1. If you want to force strong passwords for local accounts, go to System > Settings, and on the right, click Change Global System Settings

    1. Scroll down to the Password section.
    2. You can change Strong Password to Enable Local, and also specify a Min Password Length. Click OK.
  2. Expand System, expand User Administration, and click Users.
  3. On the right, right-click nsroot, and click Change Password.
  4. Specify a new password, and click OK.

    set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix Docs Introduction to best practices for Citrix ADC MPX, VPX, and SDX security

Best practice settings:

  1. On the left, expand System, and click Settings.
  2. On the right, in the right column, click Change TCP parameters.

    1. Check the box for Window scaling (near the top).
    2. Scroll down, and check the box for Selective Acknowledgement. Click OK.

      set ns tcpParam -WS ENABLED -SACK ENABLED
  3. On the right, click Change HTTP parameters.

    1. Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

      set ns param -cookieversion 1
    2. Check the box next to Drop invalid HTTP requests.
    3. Scroll down, and click OK.

      set ns httpParam -dropInvalReqs ON
  4. From Citrix CTX232321 Recommended TCP Profile Settings for Full Tunnel VPN/ICAProxy from NetScaler Gateway 11.1 Onwards:
    1. Expand System, and click Profiles.
    2. On the right, on the TCP Profiles tab, edit the nstcp_default_profile.
    3. Enable Window Scaling with a factor of 8.
    4. Set Minimum RTO (in millisec)600.
    5. Set TCP Buffer Size (bytes)600000
    6. Set TCP Send Buffer Size (bytes)600000
    7. Change TCP Flavor = BIC.
    8. Enable Use Nagle’s algorithm.
    9. Click OK when done.
  5. You can run the following command to see statistics on the dropped packets:
    nsconmsg -g http_err_noreuse_ -d stats
  6. See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Then run kill -HUP `cat /var/run/sshd.pid` to restart SSHD.
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160

Citrix Knowledgebase articles:

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

  • Maximum logon attempts on NetScaler Gateway Virtual Server
  • Rate Limiting for IP.SRC and HTTP.REQ.URL.
  • nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
  • Syslog logging
  • External website monitoring
  • Obfuscate the Server header in the HTTP response
  • Disable management access on SNIPs
  • Change nsroot strong password, use LDAP authentication, audit local accounts
  • Don’t enable Enhanced Authentication Feedback
  • SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers.
  • 2-factor authentication
  • NetScaler Management & Analytics System
  • Review IPS/IDS & Firewall logs

Management Authentication – LDAP

Load balancing of LDAP servers is strongly recommended. If you bound multiple LDAP servers instead of load balancing them, NetScaler ADC would try each of the LDAP servers, and for incorrect passwords, will lock out the user sooner than expected. But if you instead load balance your LDAP servers, the authentication attempt will only be sent to one of them.

  1. Expand System, expand Authentication, expand Basic Policies, and then click LDAP.
  2. On the right, switch to the Servers tab. Then click Add.

    1. Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
    2. Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
    3. Change the Security Type to SSL.
    4. Enter 636 as the Port. Scroll down.
    5. In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
    6. Enter the credentials of the LDAP bind account in userPrincipalName format.
    7. Check the box next to BindDN Password and enter the password. Click Test Connection. Scroll down.
    8. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
    9. On the right, check the box next to Allow Password Change.
    10. It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
      memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
      You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this, users will need to be direct members of the filtered group.
      memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

      An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object, and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
      Scroll down to distinguishedName, double-click it, and then copy it to the clipboard.

      Back on the NetScaler, in the Search Filter field, type in memberOf=, and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
    11. Scroll down and click More to expand it.
    12. For Nested Group Extraction, if desired, change the selection to Enabled.
    13. Set the Group Name Identifier to samAccountName.
    14. Set Group Search Attribute to –<< New >>–, and enter memberOf.
    15. Set Group Search Sub-Attribute to –<< New >>–, and enter CN.
    16. Example of LDAP Nested Group Search Filter Syntax

    17. Scroll down, and click Create.

      add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  3. On the left, go to System > Authentication > Advanced Policies > Policy.
  4. On the right, click Add.

    1. Enter the name LDAPS-Corp-Mgmt or similar.
    2. Change the Action Type drop-down to LDAP.
    3. Select the previously created LDAPS-Corp-Mgmt server.
    4. On the bottom, in the Expression area, type in true.
    5. Click Create.

      add authentication Policy LDAPS-Corp-Mgmt -rule true -action LDAPS-Corp-Mgmt
  5. Click Global Bindings in the right pane.

    1. Click where it says Click to select.
    2. Click the radio button next to the newly created LDAP policy, and click Select.
    3. Click Bind.
    4. Click Done.

      bind system global LDAPS-Corp-Mgmt -priority 100 -gotoPriorityExpression NEXT
  6. Under System, expand User Administration, and click Groups.

    1. On the right, click Add.
    2. In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
    3. In the Command Policies section, click Bind.
    4. Select the superuser policy, and click Insert.
    5. Scroll down, and click Create.

      add system group "NetScaler Admins" -timeout 900
      bind system group "NetScaler Admins" -policyName superuser 100
  7. To prevent somebody from creating an nsroot account in LDAP (Active Directory) and then using that external nsroot account to login to ADC, disable external authentication on the local nsroot account.
    1. On the left, go to System > User Administration > Users.
    2. On the right, edit the nsroot user.
    3. At the top of the page, in the System User section, click the pencil icon.
    4. Uncheck the box next to Enable External Authentication and then click Continue.
    5. Click Save and then click Done.
  8. If you logout:
  9. You should be able to login to NetScaler ADC using an Active Directory account.

Management Authentication – Two Factor

Citrix ADC 12.1 build 51 and newer support two factor authentication for management access. The technology is based on nFactor but works in all editions of ADC (no licensing restrictions). Here’s a summary of the configuration steps with more detail coming later:

  1. The first authentication factor must be an Advanced Authentication Policy that is bound globally. Classic Authentication Policies will not work.
  2. Create a Login Schema to ask for the second factor password (i.e. passcode).
    • This Login Schema is for second factor only and has no effect on the first factor. The second factor Login Schema should only ask for a single password prompt. It doesn’t appear to be possible to ask for both factors using the same Login Schema.
    • Login Schema for the second factor does not use the normal nFactor language files and you instead must hard code the password prompt label for the second factor logon field directly in the Login Schema .xml file.

  3. Create an Advanced Authentication Server and Policy for the second factor (e.g. RADIUS).
  4. Create an Authentication Policy Label with Feature Type set to RBA_REQ. This is not the default so make sure you change the Feature Type drop-down field.

    1. When creating the Policy Label, select the Login Schema for the second factor.
    2. Bind the second factor Advanced Authentication Policy to the Policy Label.
  5. Go to Global Bindings for Authentication, edit the existing authentication binding, click Next Factor, and select your new Policy Label. That’s it.

Here are detailed configuration instructions for adding a second authentication factor to the management logon page.

  1. Login Schema XML File:
    1. Point WinSCP to your ADC appliance.
    2. Navigate to /nsconfig/loginschema/LoginSchema and download the SingleAuth.xml file.
    3. Rename the file to MgmtNextFactor.xml or something like that.
    4. Edit the file.
    5. Look for the <Requirement> element with ID of passwd. Then look for the Label and set the Text field to whatever you want displayed on the second password page. Save the file when done.
    6. The Label Text you enter will be shown on the second factor logon page.
    7. In WinSCP, change the directory to /nsconfig/loginschema, which is one directory up from where you downloaded the file.
    8. Upload your modified file.
  2. RADIUS Authentication Server:
    1. Follow the link for instructions to create a RADIUS Server. Only create the Server object. The Policy object will be created later when creating the Authentication Policy Label.
      add authentication radiusAction RADIUSMgmt -serverName 10.2.2.42 -serverPort 1812 -radKey b746744 -encrypted -encryptmethod ENCMTHD_3
  3. On the left, go to System > Authentication > Advanced Policies > Policy Label.
  4. On the right, click Add.
  5. Name the Policy Label MgmtNextFactor or similar.
  6. In the Login Schema field, click Add.

    1. Name the Login Schema MgmtNextFactor or similar.
    2. In the Authentication Schema field, click the pencil icon.
    3. On the left, select the Login Schema .xml file you uploaded earlier.
    4. On the top right, click the blue Select button. Do NOT click Create on the bottom left until you’ve clicked this Select button.
    5. The window collapses showing you the Login Schema file that you selected. Now you can click Create.

      add authentication loginSchema MgmtNextFactor -authenticationSchema "/nsconfig/loginschema/MgmtNextFactor.xml"
  7. Back in the Authentication Policy Label screen, notice that you can edit the Login Schema object from here.
  8. Change the Feature Type drop-down to RBA_REQ. If you don’t do this, then you won’t be able to bind this later.
  9. Click Continue.

    add authentication policylabel MgmtNextFactor -type RBA_REQ -loginSchema MgmtNextFactor
  10. In the Policy Label Policy Binding field, click Add.

    1. Name the Authentication Policy RADIUSMgmt or similar.
    2. Change the Action Type drop-down to RADIUS.
    3. Select the RADIUS server that you created earlier. Or you can Add one from here.
    4. In the Expression box, enter the word true and then click Create.

      add authentication Policy RADIUSMgmt -rule true -action RADIUSMgmt
  11. Back in the Policy Label Policy Binding screen, click Bind.

    bind authentication policylabel MgmtNextFactor -policyName RADIUSMgmt -priority 100 -gotoPriorityExpression NEXT
  12. The Authentication Policy Label configuration is complete so click Done.
  13. On the left, go to System > Authentication > Advanced Policies > Policy.
  14. On the right, click the Global Bindings button.
  15. You should already have an Advanced Authentication Policy bound globally.
    add authentication ldapAction LDAPS-Corp-Mgmt -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword 5054fc33f673bf4c5c6 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
    
    add authentication Policy LDAPS-Corp-Mgmt -rule true -action LDAPS-Corp-Mgmt
    
    bind system global LDAPS-Corp-Mgmt -priority 100 -gotoPriorityExpression END
  16. Right-click your existing global binding and click Edit Binding.
  17. In the Next Factor field, click where it says Click to select.
  18. Click the small circle next to your Management Next Factor Policy Label and then click the blue Select button at the top of the page.
  19. Back in the Policy Binding screen, click Bind.

    bind system global LDAPS-Corp-Mgmt -priority 100 -nextFactor RADIUSMgmt -gotoPriorityExpression END
  20. Click Done to close the Global Authentication Policy Binding screen.

CLI Prompt

  1. When you connect to the NetScaler CLI prompt, by default, the prompt is just a >.
  2. You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.

Backup and Restore

  1. On the left, expand System, and click Backup and Restore.
  2. On the right, click Backup/Import.
  3. Give the backup file a name.
  4. For Level, select Full, and click Backup.
  5. Once the backup is complete, you can download the file.

For a PowerShell script, see John Billekens Create offline backups of the NetScaler config

To restore:

  1. If you want to restore the system, and if the backup file is not currently on the appliance, you click the Backup button. Yes, this seems backwards.
  2. Change the selection to Add.
  3. Browse Local to the previously downloaded backup file.
  4. Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
  5. Now you can select the backup, and click Restore.

Next Steps

StoreFrontAuth and XenDesktop Wizard – Citrix Gateway

Last Modified: Jun 22, 2020 @ 7:09 pm

Navigation

Change Log

  • 2018 Dec 22 – updated screenshots for Citrix Gateway 12.1

Overview

NetScaler Gateway 12 and Citrix Gateway 12.1 and newer support a new form of authentication called StoreFrontAuth, which delegates Active Directory authentication to a StoreFront server. StoreFrontAuth replaces LDAP on Citrix Gateway. You usually don’t need both.

  • StoreFrontAuth uses nFactor, which means Citrix ADC must be licensed for Advanced Edition (formerly known as Enterprise Edition) or Premium Edition (formerly known as Platinum Edition).

The easiest method of enabling StoreFrontAuth is to use the XenApp and XenDesktop Wizard. The Wizard lets you select from several different authentication methods, including multi-factor.

Prerequisites

License – make sure the appliance is licensed for Advanced Edition (formerly known as Enterprise Edition) or Premium Edition (formerly known as Platinum Edition).

DNS Servers – make sure DNS Servers are configured on the Citrix ADC.

The Wizard creates a whole new Gateway Virtual Server. You’ll need the following:

  • DNS name for the Gateway
  • VIP for the Gateway
  • Certificate for the Gateway

URL to the StoreFront servers – StoreFront must be reachable from Citrix ADC SNIP and NSIP

  • To retrieve the list of stores, NSIP must be able to reach the StoreFront URL
  • StoreFront must be version 3.11 or newer

RADIUS – If you are doing multi-factor authentication, then you’ll need RADIUS information, including adding Citrix ADC NSIP and/or SNIP as RADIUS Clients.

Also see Citrix CTX223882 FAQ – Configuring Authentication at StoreFront using NetScaler Gateway

XenApp and XenDesktop Wizard

  1. In Citrix ADC, click XenApp and XenDesktop on the bottom left.
  2. On the right, click Get Started.
  3. Select StoreFront and then configure Continue
  4. In the Citrix Gateway section, enter the FQDN for the new Gateway.
  5. Enter the VIP for the new Gateway.
  6. Check the box next to Redirect requests from port 80 to secure port, and click Continue.
  7. In the Server Certificate section, if you already have a certificate on this appliance that matches the new Gateway FQDN, then select it. Or, change the selection to Install Certificate, and import a .pfx file. Click Continue when done.
  8. In the StoreFront section, enter the URL to StoreFront, and click Retrieve Stores.
  9. In the Receiver for Web Path drop-down, select a Receiver for Web Path.
  10. In the Default Active Directory Domain field, enter a domain name that your StoreFront server will accept.
  11. Enter a Secure Ticket Authority URL, including http:// or https://. Use the plus icon to add more than one STA server. STAs are usually your XenDesktop Controllers. Then click Test STA Connectivity.
  12. Check the box next to Use this StoreFront for Authentication and click Continue.
  13. In the Authentication section, in the Choose Authentication Type drop-down, notice that there are several options. Multi-factor will be detailed later. Leave it set to StoreFront Auth.
  14. Click the button to Retrieve Auth Enabled Stores.
  15. Use the Authentication Service URI drop-down to select a store.
  16. The Domain field can be used to enter a default domain. Note: the domain name entered here must match one of the domain names permitted by StoreFront. This will be explained below in the Multiple Domains section.
  17. Click Continue
  18. Review the summary screen, and click Done.
  19. If Default SSL Profiles are not enabled, then go to Citrix Gateway > Virtual Servers, edit the Gateway Virtual Server, and configure standard SSL vServer Settings.

Portal Theme and Login Schema

  1. If you point your browser to the Gateway URL, notice it’s an old theme.
  2. On the left, go to Citrix Gateway > Virtual Servers.
  3. On the right, edit the Gateway Virtual Server that was created by the wizard.
  4. On the right, in the Advanced Settings column, click Portal Themes.
  5. On the left, scroll down, and change the Portal Theme selection to RfWebUI, or one of its derivatives. Click OK.
  6. Now when you visit the Gateway URL, it’s shown using a newer theme. However, there’s a “First Factor” text in the middle of the page. We can fix that.
  7. Back in your Citrix Gateway, near the middle of the page, find the Authentication Profile section. Click the pencil icon. This object enables nFactor.
  8. Click the Edit button to edit the Authentication Profile.
  9. Note the name of the AAA vServer. Unfortunately, this Edit button doesn’t take us to a place where we can make the edit we need.
  10. Go back to the main Citrix ADC navigation menu, and go to Security > AAA – Application Traffic > Virtual Servers.
  11. You’ll see a new AAA vServer in the list. It’s down because there’s no certificate bound to it, but it still works. If the red icon bothers you, you’re welcome to bind a certificate to it.
  12. Edit the AAA vServer.
  13. Scroll down, and click where it says 1 Login Schema.
  14. Right-click the Login Schema, and click Edit.
  15. Click the Edit button next to the Profile field.
  16. Click the pencil in the Authentication Schema field.
  17. On the left, click the LoginSchema folder to open it.
  18. Move your mouse over the SingleAuth.xml file and click the download icon. Save it somewhere.
  19. Edit the downloaded .xml file.
  20. Find the line containing the First factor text and delete the line. Save the file with a new name.
  21. Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the edited file to upload it.
  22. Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
  23. On the left, click the new file to highlight it.
  24. On the right, click the blue Select icon.
  25. Notice that the file name has now changed to the new file. Click OK.
  26. Click OK again.
  27. Click Close.
  28. If you point your browser to the Gateway FQDN again, the extra text is gone. You’re welcome to make additional changes to the .xml file.

StoreFront Configuration for Gateway

  1. In Citrix ADC, on the bottom left, click XenApp and XenDesktop.
  2. On the top right, click Download file.
  3. In the Download StoreFront Settings page, you can either export all virtual servers, or just one of them. Click OK.
  4. Save the GatewayConfig.zip file somewhere.
  5. In StoreFront console, on the left, right-click the Stores node, and click Manage Citrix Gateways.
  6. At the top of the window, click the blue link imported from file.
  7. Click the Browse button, and select the GatewayConfig.zip file you saved earlier.
  8. Click the Import button next to the Gateway vServer you want to import.
  9. In the Select Logon Type page, you can optionally enter a SmartAccess Callback URL that resolves to any Citrix Gateway on the same appliance that authenticated the user. Click Verify.
  10. Click Next.
  11. In the Secure Ticket Authorities page, review the list of STAs, and click Next.
  12. In the Review Changes page, click Import.
  13. In the Summary page, click Finish.
  14. Click Close.
  15. The new Gateway is shown in the list. Notice that the new Gateway is already Used by Store, so there’s no need to enable Remote Access on the Store yourself. Click Close.
  16. Edit the newly imported Gateway object.
  17. On the Secure Ticket Authority page, check the box next to Enable session reliability. EDT protocol will not work unless you check this box. Click OK.

StoreFrontAuth and Multiple Domains

The wizard configures Session Profiles with a default domain name. Multiple domains won’t work until you remove this SSON Domain.

  1. At Citrix Gateway > Virtual Servers, edit the Gateway Virtual Server created by the wizard.
  2. Scroll down, and click where it says 2 Session Policies.
  3. Right-click each Session Policy, and click Edit Profile.
  4. On the tab named Published Applications, uncheck the box next to Single Sign-on Domain. Click OK.
  5. Repeat for the other Session Profile.

StoreFrontAuth authenticates users to StoreFront using normal StoreFront username syntax:

  • username only
  • Domain\username
  • username@domain.suffix (aka userPrincipalName)

If no domain name is specified, StoreFrontAuth can be configured with a default domain name.

  1. Go to Security > AAA > Virtual Servers, right-click the AAA vServer that has StoreFrontAuth enabled, and click Edit.

  2. Scroll down, and click where it says 1 Authentication Policy.
  3. Right-click the StoreFrontAuth policy, and click Edit Policy. Unfortunately, Edit Action doesn’t seem to work.
  4. Click the Edit button next to the Action.
  5. In the Domain field, enter a default domain name that will be used if the user does not specify a domain. Click OK.

Notes on domain names:

  • The domain names entered by users (domain\username, or username@domain.suffix), must be accepted by StoreFront.
  • The default domain name entered in the StoreFront Authentication Action must be accepted by StoreFront.
  • After StoreFront Authentication authenticates the user, it sends back the user’s UPN. Citrix Gateway then uses the UPN to Single Sign-on to StoreFront. Thus, the UPN suffixes must be accepted by StoreFront.

To configure the domain names accepted by StoreFront:

  1. In StoreFront Console, right-click your store, and click Manage Authentication Methods.
  2. Click the top gear icon, and click Configure Trusted Domains.
  3. If the selection is Any domain, then you’re good, and you don’t need to change anything.
  4. If it’s set to Trusted domains only, then make sure that UPN domain suffixes are in the list.
  5. To make it easier for users, add the NetBIOS domain names too. However, if you checked the box for Show domains list in logon page, then internal users will see both the NetBIOS domain names, and the UPN domain suffixes.
  6. Notice that there’s a drop-down to select the Default domain. This default domain is only used if the user does not specify a domain name, and if no domain name is configured in the StoreFrontAuth action.

Depending on how you configured the StoreFront trusted domains, users have several options for logging into Citrix Gateway:

  • Username only – the default domain name configured in the StoreFrontAuth action is used. If StoreFrontAuth default domain is not configured, then it uses the default domain name configured in StoreFront.
  • Domain\username – requires the short domain name (NetBIOS) to be included in StoreFront’s list of trusted domains.
  • UPN.suffix\username – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
  • username@UPN.suffix – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.

Multi-factor authentication

The XenApp and XenDesktop Wizard supports several authentication configurations:

  1. On the bottom left, click XenApp and XenDesktop.
  2. On the top right, move your cursor over the existing Gateway, and click click the pencil icon to edit it.
  3. If you earlier removed the Single Sign-On Domain to support multiple AD domains, then the wizard will prompt you to re-enter a Default Active Directory Domain. Unfortunately, this field is not optional. After entering a domain name, and completing the steps shown in this section, you can follow the above instructions to remove it again.
  4. In the Authentication section, click the pencil icon.
  5. At the top of the Authentication section, there’s a drop-down for Choose Authentication Type. There are several options. Since this article is focused on StoreFront Auth, only RSA + StoreFront Auth will be detailed below.

    • The RSA + Domain option is equivalent to Citrix Gateway RADIUS + LDAP. The RADIUS + LDAP authentication is performed directly by Citrix Gateway, which means it doesn’t use nFactor or a AAA vServer. Unfortunately, the wizard does not configure Citrix Gateway correctly. See my Citrix Gateway RADIUS Authentication article to fix the authentication policies and Gateway binding configuration.

The RSA + StoreFront Auth option will ask you for RADIUS authentication information.

  1. Change the Choose Authentication Type drop-down to RSA + StoreFront Auth.
  2. Enter the RADIUS information, and click Test Connection. Citrix ADC will use its SNIP to verify the connection.
  3. Increase the RADIUS Time-out if your multi-factor is phone-based.
  4. StoreFront Auth should already be configured, so just click Continue.
  5. Note, if you see any error messages, you might have to completely delete the Gateway, and run the wizard from scratch. Unfortunately, the XenApp and XenDesktop wizard seems to be quite buggy.
  6. Click Done to close the Citrix Gateway Settings page.
  7. After changing the Gateway authentication, on the top right, download the configuration file again, and import to StoreFront.
  8. When you import to StoreFront, you can select an existing Gateway to overwrite.
  9. The Gateway that it imports to StoreFront is automatically configured with Domain and security token so you don’t have to configure this yourself.

If you point your browser to the Gateway URL, you will see two password fields. You would think that the first password field is where you enter the AD Password, but that’s incorrect. Actually, it wants Passcode in the first field, and AD Password in the second field.

To swap the fields, do the following:

  1. Go to Security > AAA – Application Traffic > Virtual Servers.
  2. Edit the AAA vServer that is linked to the Gateway vServer.
  3. Scroll down, and click where it says 1 Login Schema.
  4. Right-click the Login Schema, and click Edit.
  5. Click the Edit button next to the Profile field.
  6. Notice the DualAuth.xml file selection. Click the pencil in the Authentication Schema field.
  7. On the left, click the LoginSchema folder to open it.
  8. Move your mouse over the DualAuth.xml file, and click the download icon. Save it somewhere.
  9. Edit the downloaded .xml file.
  10. Look for the two lines containing passwd. Swap the passwd1 and passwd IDs. In other words, remove the 1 from passwd in line 27, and add it to the passwd in line 22. There are two ID tags in each line. Save the file with a new name.
  11. Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the new file to upload it.
  12. Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
  13. On the left, click the new file to highlight it.
  14. On the top right, click the blue Select icon.
  15. Notice that the file name has now changed to the new file. Click OK.
  16. Click OK again.
  17. Click Close.
  18. Now when you go to the Gateway URL, the fields should work as expected.

PCoIP Proxy – NetScaler Gateway 12 / Citrix Gateway 12.1

Last Modified: Dec 22, 2018 @ 8:47 am

Navigation

Change Log

  • 2018 Dec 22 – renamed NetScaler Gateway to Citrix Gateway
  • 2018 Oct 7 – updated screenshots for Citrix Gateway 12.1

Overview

NetScaler Gateway 12.0 and Citrix Gateway 12.1 and newer support the PC-over-IP (PCoIP) protocol, which is the remote display protocol for several non-Citrix VDI solutions, including VMware Horizon. PCoIP is analogous to Citrix HDX/ICA protocol, and Microsoft RDP protocol. PCoIP uses UDP port 4172.

  • VMware Blast is currently not supported

When PCoIP is proxied through Citrix Gateway, Citrix Gateway can replace the traditional PCoIP remote access solutions, like Horizon Security Server, or VMware Unified Access Gateway.

Prerequisites

  • NetScaler Version – NetScaler 12.0 or newer.
    • Build 51 and newer for NAT
  • NetScaler Edition – PCoIP Proxy is available in all NetScaler Editions
  • Universal Licenses – PCoIP Proxy uses the Clientless Access feature of Citrix Gateway, which means every Citrix Gateway connection must be licensed for Citrix Gateway Universal. On the Citrix Gateway Virtual Server, ensure ICA Only is unchecked.
  • Horizon infrastructure – A functioning internal Horizon infrastructure. Ensure you can connect to Horizon Agents internally without Citrix Gateway.
    • Ensure that the Horizon HTTP(S) Secure Tunnel and PCoIP Secure Gateway are not enabled on the Horizon Connection Servers that NetScaler will proxy connections to.
    • Configure Desktop Pools and RDS Farms to use PCoIP as the default protocol.
  • Firewall Ports:
    • TCP 4172, UDP 4172, and TCP 443 open from Horizon Clients to the Citrix Gateway VIP.
    • TCP 4172, and UDP 4172 open from the NetScaler SNIP to all internal Horizon Agents.
  • Certificate – A valid certificate for the Citrix Gateway Virtual Server.
  • Authentication – An LDAP authentication policy/server.
  • Unified Gateway (optional) – If Unified Gateway, create the Unified Gateway before adding PCoIP functionality.
  • RfWebUI Portal Theme – For web browser access to Horizon, the Citrix Gateway Virtual Server must be configured with the RfWebUI theme.
  • Horizon Client – The Horizon Client must be installed on the client device, even if accessing Horizon published icons using the NetScaler RfWebUI portal.

PCoIP Profile

To create the PCoIP Profile:

  1. In the NetScaler management GUI, navigate to Citrix Gateway > Policies> PCoIP.
  2. On the right, in the PCoIP Profiles and Connections pane, you will create a VServer profile and a PCoIP profile.
  3. To create a VServer profile, on the VServer Profiles tab, click Add.

    1. Enter a name for the VServer profile. The only purpose of the VServer Profile is to specify the Active Directory domain name so name it accordingly.
    2. Enter an Active Directory Domain Name that will be used for Single Sign-on to Horizon Connection Server, and then click Create.
    3. Note: only a single Active Directory domain is supported per NetScaler Gateway Virtual Server. Also, the domain name specified here is displayed in the Horizon Client.
  4. To create a PCoIP profile, on the Profiles tab, click Add.

    1. Enter a name for the PCoIP Profile. The PCoIP Profile specifies the internal DNS name for Horizon so name it accordingly.
    2. Enter the internal connection URL for the internal VMware Horizon View Connection Servers, and then click Create. NetScaler SNIP needs to be able to connect to this URL.

Session Policy/Profile

To create or edit a Session Policy/Profile that has PCoIP Proxy enabled:

  1. Navigate to  Citrix Gateway > Policies> Session.
  2. On the right, select the Session Profiles tab.
  3. On the NetScaler Gateway Session Policies and Profiles page, create or edit a NetScaler Gateway Session Profile.
    1. To create a NetScaler Gateway session profile, click Add, and provide a name.
    2. To edit a NetScaler Gateway session profile, select the profile, and click Edit.
  4. On the Client Experience tab, ensure that the Clientless Access value is set to On.
  5. On the Security tab, ensure that the Default Authorization Action value is set to ALLOW.
  6. On the PCoIP tab, select the required PCoIP profile. Note: you can also create or edit PCoIP Profiles from this tab.
  7. Click Create or OK to finish creating or editing the Session Profile.
  8. If you created a new Session Profile, then you must also create a corresponding Session Policy.
    1. Navigate to Configuration > Citrix Gateway > Policies > Session.
    2. On the right, select the Session Policies tab.
    3. Click Add.
    4. Provide a name for the Session Policy, and select the required session profile name from the Profile drop-down.
    5. In the Expression area, type true (Default Syntax, or Advanced Policy), and then click Create.

Gateway Virtual Server

Bind the created PCoIP VServer profile and Session Policy to a Citrix Gateway Virtual Server:

  1. Go to Citrix Gateway > Virtual Servers.
  2. On the right, either Add a new Citrix Gateway Virtual Server, or Edit an existing Citrix Gateway Virtual Server.
  3. If you are editing an existing Citrix Gateway Virtual Server, in the Basic Settings section, click the pencil icon.
  4. For both adding and editing, in the Basic Settings section, click More.
  5. Use the PCoIP VServer Profile drop-down to select the required PCoIP VServer Profile.
  6. Scroll down and ensure that ICA Only is unchecked. Then click OK to close the Basic Settings section.
  7. If you are creating a new Citrix Gateway Virtual Server, bind a certificate, and bind an LDAP authentication policy.
  8. Then scroll down to the Policies section and click the plus icon.
  9. The Choose Type page defaults to Session and Request. Click Continue.
  10. In the Policy Binding section, click on Click to select.
  11. Click the radio button next to the required Session Policy that has the PCoIP Profile configured, and then click the blue Select button at the top of the window.
  12. Back in the Policy Binding page, click Bind.
  13. If you want to use a web browser to connect to VMware Horizon, then on the right, under Advanced Settings, add the Portal Themes section. If you are only using Horizon Client to connect to Citrix Gateway, then you don’t need to perform this step.

    1. Use the Portal Theme drop-down to select RfWebUI, and click OK.
    2. Horizon published icons are added to the RfWebUI portal.
  14. To enable support for NAT, SSH to the NetScaler to access the CLI.
    1. Run the command set vpn vserver MyVserverName -vserverFqdn MyFQDN. This causes NetScaler to send the FQDN back to the Horizon Client, which enables it to connect to the public IP instead of the DMZ private IP address. Unfortunately, this setting is not available in the NetScaler GUI.

Horizon Configuration

  1. In Horizon Administrator, go to View Configuration > Servers. Edit the Horizon Connection Server that Citrix Gateway connects to.

    1. On the General tab, uncheck PCoIP Secure Gateway.
    2. In Citrix Gateway 12.1 build 49 and newer, to enable USB Redirection, enable the HTTP(S) Secure Tunnel and enter the external FQDN for Citrix Gateway.
    3. Click OK when done.
  2. At Resources > Farms, edit your RDS Farms.

    1. Set the Default display protocol to PCoIP.

Update Content Switching Expression for Unified Gateway

If your Citrix Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the PCoIP URL paths.

  1. In the NetScaler GUI, navigate to Configuration> Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || http.req.url.path.eq("/broker/xml") || http.req.url.path.eq("/broker/resources") || http.req.url.path.eq("/pcoip-client")

Use Citrix Gateway PCoIP Proxy

  1. To connect, you must have Horizon View Client installed on the client device. Once installed, you can either use the Horizon View Client’s User Interface to connect to Citrix Gateway, or you can use the Citrix Gateway RfWebUI portal page to view the icons published from Horizon.
  2. To view the active PCoIP connections, in NetScaler, go to Citrix Gateway > Policies > PCoIP.
  3. On the right, switch to the Connections tab. The active sessions are displayed with the following data: user name, Horizon View Client IP, and Horizon View Agent Destination IP.
  4. To terminate a connection, right-click the connection, and click Kill Connection. Or click Kill All Connnections to terminate all PCoIP connections.

CLI Commands

Here are CLI Commands for the configuration shown above.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"

add authentication ldapAction AD01 -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication ldapPolicy AD01 ns_true AD01

add vpn pcoipVserverProfile corp -loginDomain corp
add vpn pcoipProfile vcs01 -conServerUrl "https://vcs01.corp.local"

add vpn sessionAction VPN -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -pcoipProfileName vcs01
add vpn sessionPolicy VPN true VPN

add vpn vserver VPN SSL 10.3.3.13 443 -downStateFlush DISABLED -Listenpolicy NONE -vserverFqdn vpn.corp.com -pcoipVserverProfileName corp

bind vpn vserver VPN -portaltheme RfWebUI
bind vpn vserver VPN -policy AD01 -priority 100
bind vpn vserver VPN -policy VPN -priority 100 -gotoPriorityExpression NEXT -type REQUEST -urlName RDP
bind ssl vserver VPN -certkeyName WildcardCorpCom

Native One Time Passwords (OTP) – NetScaler Gateway 12 / Citrix Gateway 12.1

Last Modified: Oct 17, 2024 @ 12:50 pm

Navigation

Change Log

Overview

NetScaler Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses Google Authenticator to generate Passcodes. See the following for an overview:

Here are some notes:

  • NetScaler Native OTP is part of nFactor, and thus requires Citrix ADC Advanced Edition (aka NetScaler Enterprise Edition) or Citrix ADC Premium Edition (aka NetScaler Platinum Edition) licensing. NetScaler ADC Standard Edition licensing is not sufficient.
  • Workspace app 1809 and newer with Citrix Gateway (NetScaler) 12.1 build 49 and newer support nFactor authentication. Older Receivers and older NetScalers don’t support it, so you’ll instead have to use a web browser.  💡
  • Citrix Gateway VPN Plug-in 12.1 build 49 and later support nFactor when authenticating using the VPN Plug-in.  💡
  • nFactor requires a AAA vServer, which can be non-addressable – you don’t need any additional public IPs.
  • OTP stores device enrollment secrets in an Active Directory attribute that accepts Strings. Citrix’s documentation uses the userParameters Active Directory attribute.
    • The LDAP bind account must have permission to modify this attribute on every user.
  • Users can enroll multiple devices. There’s no way to prevent this.
  • The manageotp website is usually only protected by single factor authentication. Since users can add multiple devices, the manageotp website must be protected from external access.
  • Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).

Here are the OTP configuration objects:

  • Make sure NTP is configured on the NetScaler. Accurate time is required.
  • An LDAP Policy/Server with authentication disabled and OTP Secret configured. This one OTP-specific LDAP Policy/Server can be used for two scenarios:
    • manageotp device enrollment
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled. This LDAP Policy/Server verifies the entered passcode.
  • An LDAP Policy/Server with authentication enabled. This one policy is used for two scenarios:
    • Single-factor authentication to the manageotp authenticator/device enrollment website.
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled.
  • A single non-addressable AAA vServer with two Login Schemas for the following scenarios:
    • A single-factor Login Schema for manageotp.
    • A dual-factor Login Schema for NetScaler Gateway authentication.
  • An Authentication Profile to link the AAA vServer to the NetScaler Gateway vServer.

LDAP Policies/Actions

  1. Go to Security > AAA – Application Traffic > Polices > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.

    1. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. This LDAP Policy/Server will be used for single-factor authentication to the manageotp website, and for first factor of dual-factor authentication to NetScaler Gateway (second factor is OTP). There are no special instructions for this LDAP Server.
  3. Create another LDAP Action.

    1. This one is used by the manageotp site to set the OTP authenticator in Active Directory, so name it accordingly.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work. Then click Test LDAP Reachability.
    5. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where NetScaler will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
    7. Thomas Rolfs in the comments advises not to enable Nested Group Extraction in this LDAP Action.
    8. Click Create when done.
  4. Create another LDAP Action.
    1. This one will verify the OTP code entered by the user, so name it accordingly. The only difference from the prior one is the addition of an LDAP Search Filter.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Search Filter field, enter the text userParameters>=#@. This syntax ensures that only users with enrolled authenticators can login. See George Spiers NetScaler native OTP for more info.
    7. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
    8. Click Create when done.
  5. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy.
  6. On the right, click Add.

    1. You probably don’t already have an Advanced Authentication Policy for your normal LDAP server.
    2. Change the Action Type to LDAP.
    3. Select your normal LDAP server, which is the one that has Authentication enabled.
    4. Enter true as the expression. This uses Default Syntax instead of Classic Syntax.
    5. Click Create.
  7. Create another Authentication Policy.

    1. This policy is for OTP management so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the Set OTP LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should not have the Search Filter configured.
    4. Enter HTTP.REQ.COOKIE.VALUE(“NSC_TASS”).EQ(“manageotp”) in the Expression box, and click Create.
  8. Create another Authentication Policy.

    1. This policy is for OTP verification so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the OTP Verification LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should have the Search Filter configured to prevent unenrolled users from authenticating.
    4. Enter true in the Expression box, and click Create.

Login Schemas

  1. Go to Security > AAA – Application Traffic > Login Schema.
  2. On the right, switch to the Profiles tab, and click Add.

    1. This is the single factor Login Schema for manageotp so name the Schema accordingly.
    2. Click the Edit icon.
    3. On the left, click the LoginSchema folder to open it.
    4. Scroll down, and click SingleAuthManageOTP.xml to highlight it.
    5. On the top right, click Select.
    6. Click Create.
  3. Add another Login Schema profile.

    1. This Login Schema is for two-factor authentication to NetScaler Gateway so name it accordingly.
    2. Click the edit icon. Follow the same procedure as above, but this time select /LoginSchema/DualAuth.xml.
    3. Click More to reveal more options.
    4. Scroll down. In the Password Credential Index field, enter 1. This causes nFactor to save the user’s password into AAA Attribute #1, which we’ll use later in a Traffic Policy to Single Sign-on to StoreFront. If you don’t do this, then NetScaler Gateway will try to use the Passcode to authenticate to StoreFront, which obviously won’t work.
    5. Check the box next to Enable Single Sign On Credentials. Mark in the comments indicates that this checkbox is needed to Single Sign On to RDP Hosts.
    6. Click Create.
  4. On the right, switch to the Policies tab.
  5. Click Add to add a Login Schema policy.
    1. In the Profile field, select the Single Factor Manage OTP Login Schema Profile.
    2. Name the Login Schema Policy for OTP management.
    3. In the Rule field, enter the following. This ensures that this single factor Login Schema is only used if the user enters /manageotp, and if the user is on the internal network. You don’t want manageotp to be accessible externally, because it’s only protected by single factor authentication, and it’s too easy to add multiple devices.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
    4. Click Create.
  6. Create another Login Schema Policy.

    1. In the Profile field, select the dual factor Login Schema.
    2. Name the Login Schema to indicate dual factor authentication.
    3. In the Rule box, enter true.
    4. Click Create.

Authentication PolicyLabel

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel.
  2. On the right, click Add.
  3. This PolicyLabel is for OTP management, and OTP verification, so name it accordingly.
  4. In the Login Schema field, select LSCHEMA_INT, which means noschema.
  5. Click Continue.
  6. In the Policy Binding section, Click to select.
  7. Click the radio button button next to the Manage OTP LDAP Policy that has authentication disabled, and OTP Secret configured. This one should have a policy expression that limits it to manageotp only. Click Select.
  8. Click Bind.
  9. Click Add Binding to add another one.
  10. Click to select.
  11. Click the radio button next to the LDAP Policy that verifies OTP. Click Select.
  12. Click Bind.
  13. Make sure the manageotp policy is higher in the list than the OTP Verification policy. To adjust priorities, right-click on the policies, and click Edit Binding. Click Done.

AAA vServer

  1. Go to Security > AAA – Application Traffic.
    1. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  2. Go to Security > AAA – Application Traffic > Virtual Servers.
  3. On the right, click Add.
  4. This AAA vServer is for OTP so name it accordingly.
  5. Change the IP Address Type to Non Addressable.
  6. Click OK.
  7. Click where it says No Server Certificate.

    1. In the Server Certificate Binding section, click Click to select.
    2. Click the radio button next to a certificate, and click Select. You can use the same certificate as NetScaler Gateway.
    3. Click Bind.
  8. Click Continue to close the Certificate section.
  9. In the Advanced Authentication Policies section, click where it says No Authentication Policy.

    1. Click where it says Click to select.
    2. Click the radio button next to the normal LDAP Policy that has authentication enabled. Then click the blue Select button.
    3. In the Select Next Factor field, click where it says Click to select.
    4. Click the radio button next to the OTP PolicyLabel, and click Select.
    5. Click Bind.
  10. In the Advanced Authentication Policies section, click Continue.
  11. On the right, in the Advanced Settings column, click Login Schemas.
  12. On the left, scroll down, and click where it says No Login Schema.

    1. Click where it says Click to select.
    2. Click the radio button next to the Manage OTP Login Schema, and click Select.
    3. Click Bind.
  13. Click where it says 1 Login Schema.

    1. Click Add Binding.
    2. Click where it says Click to select.
    3. Click the radio button next to the dual factor Login Schema, and click Select.
    4. Click Bind.
    5. Make sure the single factor Manage OTP Login Schema is higher in the list (lower priority number) than the dual factor Login Schema. Click Close.
  14. On the right, in the Advanced Settings column, click Portal Themes.
  15. On the left, scroll down, select RfWebUI as the Portal Theme, and click OK.
  16. Click Done.

Traffic Policy for Single Sign-on

  1. On the left, go to NetScaler Gateway > Policies > Traffic.
  2. On the right, switch to the Traffic Profiles tab, and click Add.
  3. This Traffic Profile is for OTP and/or nFactor. Name it accordingly.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following. This is where we use the Login Schema Password Attribute specified earlier.
    http.REQ.USER.ATTRIBUTE(1)
  6. Click Create.
  7. On the right, switch to the Traffic Policies tab, and click Add.
  8. In the Request Profile field, select the Traffic Profile you just created.
  9. Name the Traffic Policy.
  10. In the Expression box, enter true (Default Syntax).
    • If your NetScaler Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.
      http.req.method.eq(post)||http.req.method.eq(get) && false
  11. Click Create.

NetScaler Gateway and Authentication Profile

  1. Go to NetScaler Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don’t have one, see the other NetScaler Gateway topics on this site.
  3. Scroll down to the Policies section, and click the plus icon.
  4. Change the Choose Policy drop-down to Traffic, and click Continue.
  5. Click to select.
  6. Click the radio button next to the Traffic Policy you created earlier, and click Select.
  7. Click Bind.
  8. On the right, in the Advanced Settings column, click Authentication Profile.
  9. On the left, scroll down to the Authentication Profile section.
  10. Click Add to create one.
  11. Authentication Profile links the NetScaler Gateway vServer with the OTP AAA vServer, so name it accordingly.
  12. In the Authentication Virtual Server section, Click to select.
  13. Click the radio button next to the OTP AAA vServer, and click Select.
  14. Click Create.
  15. Scroll down again to the Authentication Profile section, and click OK.
  16. The Portal Theme bound to the Gateway vServer should be RfWebUI, or a derivative.
  17. Go to System > Profiles.
  18. On the right, switch to the SSL Profile tab.
  19. Edit the ns_default_ssl_profile_frontend profile.
  20. Make sure HSTS is not enabled in the profile, or RfWebUI, and manageotp won’t work correctly. This is probably a bug. Note: the Rewrite method of enabling HSTS should work.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the NetScaler GUI, navigate to ConfigurationTraffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Simply add /manageotp to the end of your Gateway URL.
  2. Notice it’s only single-factor authentication. Login using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. Launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QRCode that is shown on the screen.
  6. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  7. Click Test.
  8. Enter the passcode shown in your Authenticator, and click Go.
  9. If you logoff of manageotp, and access your Gateway URL normally, you’ll be prompted for two-factor authentication. Use the passcodes shown in your Google Authenticator application.
  10. It should Single Sign-on into StoreFront.

CLI Commands

Here’s a complete CLI configuration.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
add authentication ldapAction LDAP_OTP_set_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication ldapAction LDAP_OTP_verify_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication Policy Corp-Adv -rule true -action LDAP-Corp
add authentication Policy LDAP_Manage_OTP-pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_set_no_auth
add authentication Policy LDAP_Confirm_OTP-pol -rule true -action LDAP_OTP_verify_no_auth

add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.3.0.0/16)" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_Manage_OTP-pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_Confirm_OTP-pol -priority 110 -gotoPriorityExpression NEXT 

add authentication vserver OTP-AAA SSL 0.0.0.0
bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom

bind authentication vserver OTP-AAA -portaltheme RfWebUI
bind authentication vserver OTP-AAA -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Corp-Adv -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

add vpn trafficAction OTP-trafficprofile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile

add authentication authnProfile OTP-authnprofile -authnVsName OTP-AAA

add vpn vserver Gateway.corp.com SSL 10.2.5.220 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
set ssl vserver Gateway.corp.com -sslProfile ns_default_ssl_profile_frontend
add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront2.corp.com/Citrix/StoreWeb" -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://storefront2.corp.com"
add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver Gateway.corp.com -portaltheme RfWebUI
bind vpn vserver Gateway.corp.com -policy "Receiver For Web" -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver Gateway.corp.com -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver Gateway.corp.com -certkeyName WildcardCorpCom