Web Interface Load Balancing – NetScaler 10.5

Last Modified: Nov 6, 2020 @ 6:56 am

Navigation

This procedure is only needed if you are running Web Interface instead of StoreFront.

Monitor

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it Web Interface or similar.
  4. Change the Type drop-down to CITRIX-WEB-INTERFACE.
  5. If you will use SSL to communicate with the Web Interface servers, then scroll down and check the box next to Secure.
  6. Switch to the Special Parameters tab.
  7. In the Site Path field, enter the path of a XenApp Web site (e.g. /Citrix/XenApp/).
    • Make sure you include the slash (/) on the end of the path or else the monitor won’t work.
    • The site path is also case sensitive.
  8. Click Create.

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding Web Interface servers.

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.

  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-WI-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure the Web Interface Monitor has Secure enabled.
  5. Scroll down and click OK.
  6. On the right, under Advanced, click Members.
  7. Click where it says No Service Group Member.
  8. If you did not create server objects then enter the IP address of a Web Interface Server. If you previously created a server object then change the selection to Server Based and select the server object.
  9. Enter 80 or 443 as the port. Then click Create.

  10. To add more members, click where it says 1 Service Group Member and then click Add. Click Close when done.

  11. On the right, under Advanced, click Monitors.
  12. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
  13. Click the arrow next to Click to select.
  14. Select the Web Interface monitor and click OK.
  15. Then click Bind.
  16. To verify if the monitor is working or not, on the left, in the Service Group Members section, click the Service Group Members line.
  17. Highlight a member and click Monitor Details.
  18. The Last Reponse should indicate that Set-Cookie header was found. Click Close twice when done.
  19. Then click Done.

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the SSL Virtual Server. This certificate must match the DNS name for the load balanced Web Interface servers.
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  3. On the right click Add.
  4. Name it Web Interface-SSL-LB or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  10. Click the arrow next to Click to select.
  11. Select your Web Interface Service Group and click OK.
  12. Click Bind.
  13. Click OK.
  14. Click where it says No Server Certificate.
  15. Click the arrow next to Click to select.
  16. Select the certificate for this Web Interface Load Balancing Virtual Server and click OK.
  17. Click Bind.
  18. Click OK.
  19. On the right, in the Advanced column, click Persistence.
  20. Select SOURCEIP persistence. Note: COOKIEINSERT also works with Web Interface. However, it doesn’t work with StoreFront.
  21. Set the timeout to match the timeout of Web Interface.
  22. The IPv4 Netmask should default to 32 bits.
  23. Click OK.
  24. On the right, in the Advanced column, click SSL Parameters.
  25. If the NetScaler communicates with the Web Interface servers using HTTP (aka SSL Offload), at the top right, check the box next to SSL Redirect. Otherwise the Web Interface page will never display.
  26. Uncheck the box next to SSLv3 and click OK. This removes a security vulnerability.
  27. NetScaler VPX 10.5 build 57 and newer lets you enable TLSv11 and TLSv12. See Citrix Blog – Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update. Click OK.
  28. On the right, in the Advanced column, click SSL Ciphers.
  29. On the left, in the SSL Ciphers section, remove all RC4 ciphers. See Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) for recommended ciphers.

    You can also run the following from the command line as described by Heikki Harsunen in Citrix Discussions:
    unbind ssl vserver <oursslvservername> -cipherName DEFAULTbind ssl vserver <oursslvservername> -cipherName TLS1-ECDHE-RSA-AES256-SHAbind ssl vserver <oursslvservername> -cipherName TLS1-ECDHE-RSA-AES128-SHAbind ssl vserver <oursslvservername> -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHAbind ssl vserver <oursslvservername> -cipherName TLS1-AES-256-CBC-SHAbind ssl vserver <oursslvservername> -cipherName TLS1-AES-128-CBC-SHAbind ssl vserver <oursslvservername> -cipherName TLS1-DHE-RSA-AES-256-CBC-SHAbind ssl vserver <oursslvservername> -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
    
  30. Click OK.
  31. Then click Done.
  32. Consider enabling Strict Transport Security by creating a rewrite policy and binding it to this SSL Virtual Server. See Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated).

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right, find the SSL Virtual Server you’ve already created, right-click it and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Change the name to indicate that this new Virtual Server is an SSL Redirect.
  4. Change the Protocol to HTTP on Port 80.
  5. The IP Address should already be filled in. It must match the original SSL Virtual Server. Click OK.
  6. Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click OK.
  7. On the right, in the Advanced column, click Protection.
  8. In the Redirect URL field, enter the full URL including https://. For example: https://citrix.company.com/Citrix/XenApp. Click OK.
  9. Click Done.
  10. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

NetScaler Insight Center

Last Modified: Nov 6, 2020 @ 7:12 am

This article is for Insight Center 11.0 and older. Consider Insight Center 11.1, which works with older NetScaler appliances.

Navigation

💡 = Recently Updated

Planning

Note: HDX Insight only works with Session Reliability on NetScaler 10.5 build 54 or newer. Older builds, including NetScaler 10.1, do not support Session Reliability with HDX Insight. Read the release notes for your NetScaler firmware build to see the latest known issues with AppFlow, Session Reliability, and High Availability.

Requirements for HDX Insight:

  • Your NetScaler appliance must be running Enterprise Edition or Platinum Edition.
  • NetScaler must be 10.1 or newer. Insight Center 11 does work with NetScaler 10.5.
  • HDX Insight works with the following Receivers:
    • Receiver for Windows must be 3.4 or newer.
    • Receiver for Mac must be 11.8 or newer.
    • Receiver for Linux must be 13 or newer.
    • Notice no mobile Receivers. See the Citrix Receiver Feature Matrix for the latest details.
  • ICA traffic must flow through a NetScaler appliance:

 

For ICA round trip time calculations, in a Citrix Policy, enable the following settings:

  • ICA > End User Monitoring > ICA Round Trip Calculation
  • ICA > End User Monitoring > ICA Round Trip Calculation Interval
  • ICA > End User Monitoring > ICA Round Trip Calculation for Idle Connections

Citrix CTX204274 How ICA RTT is calculated on NetScaler Insight: ICA RTT constitutes the actual application delay. ICA_RTT = 1 + 2 + 3 + 4 +5 +6:  💡

  1. Client OS introduced delay
  2. Client to NS introduced network delay (Wan Latency)
  3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)
  4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)
  5. NS to Server network delay (DC Latency)
  6. Server (XA/XD) OS introduced delay (Host Delay)

 

For Web Insight, HTML Injection for NetScaler 10.0 is only available in Platinum Edition. In NetScaler 10.1, HTML Injection is available in all editions.

The version/build of Insight Center must be the same or newer than the version/build of the NetScaler appliances.

Insight Center 11 lets you scale the deployment by building multiple nodes. After building the first Insight Center Server, you can go to Configuration > NetScaler Insight Center > Insight Deployment Method to enter some planning data (e.g. # of concurrent ICA connections) and it will tell you the number of Insight Center nodes you should build. The number of nodes is based on the VM specs shown at the top of the page.

In this example, it recommends two Database Nodes and two Connectors. Agents are only used for HTTP traffic. There’s more information at NetScaler Insight Center Deployment Management at docs.citrix.com.

Import Appliance

You can use either the vSphere Client or the vSphere Web Client to import the appliance. In vSphere Client, open the File menu and click Deploy OVF Template. vSphere Web Client instructions are shown below.

You might see this operating system error when not using the vSphere Web Client. Click Yes and proceed. It seems to work.

  1. Download Insight Center for ESX and then extract the .zip file.
  2. In vSphere Web Client, navigate to the vCenter object. Open the Actions menu and click Deploy OVF Template.
  3. In the Select source page, if you see a message regarding the Client Integration Plug-in, download the installer, run it, and then return to this wizard.
  4. In the Select source page, select Local file and browse to the NetScaler Insight .ovf file. Click Next.
  5. In the Review details page, click Next.
  6. In the Select name and folder page, enter a name for the virtual machine and select an inventory folder. Then click Next.
  7. In the Select a resource page, select a cluster or resource pool and click Next.
  8. In the Select storage page, change it to Thin Provision.
  9. Select a datastore and click Next.
  10. In the Setup networks page, choose a valid port group and click Finish.
  11. In the Ready to Complete page, click Finish.
  12. View the progress of the import in the Recent Tasks pane at the top-right of the window.
  13. After the appliance is imported, power it on.

IP Configuration and Multi-Node

  1. Open the console of the virtual machine and configure an IP address.
  2. Insight Center 11 lets you configure a DNS server.
  3. Enter 6 when done.
  4. When prompted for Insight Deployment Type, enter 1 for NetScaler Insight Server. The first appliance must always be NetScaler Insight Server.
  5. Enter Yes to reboot.
  6. Subsequent nodes can be Database Node, Connector node, etc. If you choose one of the other node types it asks you for the IP address of the NetScaler Insight Server node.
  7. Once you’ve built all of the nodes, in the NetScaler Insight Server webpage, go to NetScaler Insight Center > Insight Deployment Management.
  8. Scroll down and click Get.
  9. It should show you the nodes. Then click Deploy.

  10. After it reboots you’ll see the performance of each node.
  11. Since the database is on a separate node, you might want to enable database caching. Go to System > Change Database Cache Settings.
  12. Check the box next to Enable Database Cache.

Initial Web Configuration

  1. Point your browser to the Insight IP address and login as nsroot/nsroot.
  2. Click Get Started

  3. Enter the IP address and credentials of a NetScaler appliance and click Add.

    Note: if your NetScaler appliances require https for management communication then this won’t work. Click Cancel. On the Configuration tab, click System. On the right, in the left column, click Change System Settings.
    Change the drop-down to https and click OK.
    On the left, click Inventory. On the right, click Add.
    Enter the NSIP and nsroot credentials again. This time it should work.
  4. At the top of the page, if desired, check the box next to Enable Geo data collection for Web and HDX Insight.
  5. With Load Balancing selected in the View list, right-click your StoreFront load balancer and click Enable AppFlow.

  6. Type in true and click OK.
  7. Note: if your StoreFront Load Balancing vServer uses Service Groups, you might need to enable AppFlow logging on the Service Group. In the NetScaler GUI, edit the Service Group. In the Basic Settings section, check the box next to AppFlow Logging.
  8. Back in Insight Center, use the View drop-down to select VPN.
  9. Right-click a NetScaler Gateway Virtual Server and click Enable AppFlow.
  10. In the Select Expression drop-down, select true.
  11. For Export Option select ICA and HTTP and click OK. The HTTP option is for Gateway Insight.
  12. The TCP option is for the second appliance in double-hop ICA. If you need double-hop then you’ll also need to run set appflow param -connectionChaining ENABLED on both appliances. See Enabling Data Collection for NetScaler Gateway Appliances Deployed in Double-Hop Mode at docs.citrix.com for more information.
  13. New in NetScaler 11 is the ability to use SOCKS proxy (Cache Redirection) for ICA traffic without requiring users to use NetScaler Gateway and without making any routing changes. You configure this on the NetScaler appliance. See Enabling Data Collection for Monitoring NetScaler ADCs Deployed in LAN User Mode at docs.citrix.com for more information.
  14. If you want to add more appliances, click the Configuration tab. The Inventory node will be selected by default.
  15. On the right, click Add.

Citrix Blog PostNetScaler Insight Center – Tips, Troubleshooting and Upgrade

Nsroot Password

  1. On the Configuration tab, expand System, expand User Administration and click Users.
  2. On the right, highlight the nsroot account and click Edit.
  3. Enter a new password.
  4. You can also specify a session timeout. Click OK.

Management Certificate

The certificate to upload must already be in PEM format. If you have a .pfx, you must convert it to PEM (separate certificate and key files). You can use NetScaler to convert the .pfx and then download the converted certificate from the appliance.

  1. On the left, switch to the System node.
  2. In the right pane, in the left column, click Install SSL Certificate.
  3. Browse to the PEM format certificate and key files. If the keyfile is encyrpted, enter the password. Click OK.
  4. Click Yes to reboot the system.

System Configuration

  1. Click the Configuration tab on the top of the page.
  2. On the left, click the System node.
  3. On the right, modify settings (e.g.Time Zone) as desired.

  4. To set the hostname, click Change Host name.

  5. To change the Session Timeout, click Change System Settings.

  6. The ICA Session Timeout can be configured by clicking the link. Two minutes of non-existent traffic must occur before the session is considered idle. Then this idle timer starts. See Managing ICA Sessions at docs.citrix.com for more information

  7. On the left, expand System and click NTP Servers.
  8. On the right, click Add.

  9. After adding NTP servers, click NTP Synchronization.
  10. Check the box next to Enable NTP Sync and click OK.
  11. On the left, expand Auditing and click Syslog Servers.

  12. On the right, click Add.
  13. Enter the syslog server IP address and select Log Levels. Click Create.
  14. In the Action menu you can click Syslog Parameters to change the timezone and date format.

Email Notifications

  1. On the left, expand System, expand Notifications and click Email.
  2. On the right, on the Email Servers tab, click Add.
  3. Enter the SMTP server address and click Create.
  4. On the right, switch to the Email Distribution List tab and click Add.
  5. Enter an address for a destination distribution list and click Create.

Authentication

  1. On the left, expand System¸ expand Authentication and click LDAP.
  2. On the right, click Add.
  3. This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP. Change the Security Type to SSL and Port to 636. Scroll down.
  4. Enter the bind account.
  5. Check the box for Enable Change Password.
  6. Click Retrieve Attributes and scroll down.
  7. For Server Logon Attribute select sAMAccountName.
  8. For Group Attribute select memberOf.
  9. For Sub Attribute Name select cn.
  10. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
  11. If desired configure Nested Group Extraction.
  12. Click Create.
  13. On the left, expand User Administration and click Groups.
  14. On the right, click Add.
  15. Enter the case sensitive name of your NetScaler Admins group.
  16. Select the admin Permission.
  17. If desired, configure a Session Timeout. Click Create.

  18. On the left, under System, click User Administration.
  19. On the right click User Lockout Configuration.
  20. If desired, check the box next to Enable User Lockout and configure the maximum logon attempts. Click OK.
  21. On the left, under System, click Authentication.
  22. On the right, click Authentication Configuration.
  23. Change the Server Type to LDAP.
  24. Select the LDAP server you created and click OK.

Thresholds

  1. Go to NetScaler Insight Center > Thresholds.
  2. On the right, click Add.
  3. Enter a name.
  4. In the Entity field select a category of alerts. What you choose here determines what’s available in the Rule section.
  5. Check the box to Notify through Email.
  6. In the Rule section, select a rule and enter threshold values. Click Create.

Geo Map

  1. Download the Maxmind database from http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz.
  2. Extract the .gz file.
  3. On the Configuration tab, expand NetScaler Insight Center and click Geo Database Files.
  4. On the right, click the Action drop-down and click Upload.
  5. Browse to the extracted GeoLiteCity.dat file and click Upload.
  6. Click the Inventory node.
  7. Click the IP address for a device in the inventory.
  8. Check the box to Enable Geo data collection for Web and HDX Insight.
  9. You can define Geo locations for internal subnets. Go to NetScaler Insight Center > Private IP Block.
  10. On the right, click Add.
  11. Enter a name.
  12. Enter the starting and ending IP address.
  13. Select a Geo Location. Note that these are not necessarily alphabetical.
  14. Click Create.

Director Integration

Integrating Insight Center with Director requires XenApp/XenDesktop to be licensed for Platinum Edition. The integration adds Network tabs to the Trends and Machine Details views.

If using HTTPS to connect to Insight Center then the Insight Center certificate must be valid and trusted by both the Director Server and the Director user’s browser.

To link Citrix Director with NetScaler HDX Insight, on the Director server run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler. Do this on both Director servers.

Use Insight Center

HDX Insight

HDX Insight Dashboard displays ICA session details including the following:

  • WAN Latency
  • DC Latency
  • RTT (round trip time)
  • Retransmits
  • Application Launch Duration
  • Client Type/Version
  • Bandwidth
  • Licenses in use

HDX Insight can also display Geo Maps. Configure Insight Center with Private IP Blocks.

More info at HDX Insight Reports and Use Cases: HDX Insight at docs.citrix.com

Gateway Insight

Insight Center 11.0 build 65 adds a new Gateway Insight dashboard.

This feature displays the following details:

  • Gateway connection failures due to failed EPA scans, failed authentication, failed SSON, or failed application launches.
  • Bandwidth and Bytes Consumed for ICA and other applications accessed through Gateway.
  • # of users
  • Session Modes (clientless, VPN, ICA)
  • Client Operating Systems
  • Client Browsers

More details at Gateway Insight at docs.citrix.com.

Security Insight

The new Security Insight dashboard in 11.0 build 65 and newer uses data from Application Firewall to display Threat Index (criticality of attack), Safety Index (how securely NetScaler is configured), and Actionable Information. More info at Security Insight at docs.citrix.com.
localized image

Troubleshooting

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide: Syslog messages; Error counters; Troubleshooting checklist, Logs

Citrix Blog PostNetScaler Insight Center – Tips, Troubleshooting and Upgrade

See docs.citrix.com Troubleshooting Tips. Here are sample issues covered in docs.citrix.com:

  • Can’t see records on Insight Center dashboard
  • ICA RTT metrics are incorrect
  • Can’t add NetScaler appliance to inventory
  • Geo maps not displaying

Upgrade Insight Center

  1. Download the latest Upgrade Pack for Insight Center.
  2. Login to Insight Center.
  3. If you are running Insight Center 10.5 or older, on the Configuration tab, go to NetScaler Insight Center > Software Images and upload the file. If running Insight Center 11.0 or newer, you can skip this step.
  4. On the Configuration tab, on the left, click the System node.
  5. On the right, in the right pane, click Upgrade NetScaler Insight Center.
  6. Browse to the build-analytics-11.0.tgz Software Image Upgrade Pack and click OK.
  7. Click Yes to reboot the appliance.

  8. After it reboots, login. The new firmware version will be displayed in the top right corner.

Citrix Command Center

Last Modified: Nov 6, 2020 @ 7:12 am

Navigation

This page contains the following topics:

💡 = Recently Updated

Command Center Overview

Command Center can be used to monitor, alert, and report on the following devices:

  • NetScaler
  • NetScaler VPX
  • NetScaler SDX
  • NetScaler Gateway Enterprise Edition
  • CloudBridge
  • CloudBridge VPX
  • Citrix Repeater

Command Center is free for all editions of NetScaler so there’s no excuse to not install it.

Citrix whitepaper – Citrix Command Center – Deployment Sizing Guide: database sizing for scalar counters, vector counters, and Syslog.

SQL Express

If using SQL Express to store the Command Center database, do the following to enable TCP/IP:

  1. When downloading SQL Server 2012 Express, either select the option With Tools or download SQL Server Management Studio and install it separately.
  2. When installing SQL Express, feel free to use the default instance instead of a named instance.
  3. In SQL Server Configuration Manager, expand SQL Server Network Configuration and click the Protocols node.
  4. On the right, right-click TCP/IP and enable it. Then double-click TCP/IP.
  5. On the IP Addresses tab, scroll all the way down and in the IPAll section, remove any TCP Dynamic Ports and instead enter a static TCP Port. 1433 is the typical default port.
  6. On the left, click SQL Server Services.
  7. On the right, right-click SQL Server and click Restart.

Create SQL Database and SQL Account

SQL 2005, SQL 2008, and SQL 2012 are supported.

  1. In SQL Server Management Studio, go to the Properties of the SQL server and ensure that SQL authentication is enabled.

  2. Create a database and call it CitrixCommandCenter or similar. Configure the Recovery model as desired.


  3. Create a SQL Login (SQL Server authentication) for Command Center. Set the default database to the Command Center database.

  4. Add the SQL account to the db_owner database role in the Command Center database.

Install Command Center

  1. Command Center is supported on Windows Server 2008 R2, and Windows Server 2012 R2.
  2. On the Command Center server, run the downloaded Command Center 5.2.46.7 CC_Setup_5.2_46_7.exe.  💡
  3. If the installer refuses to launch without error then you’ll need to uninstall all previously installed Java. Command Center comes with its own Java.
  4. In the Introduction page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Choose Install Folder page, click Next.
  7. In the Choose Installation Type page, select Typical and click Next.
  8. In the Database Settings page, change the selection to MSSQL and fill in the details. Notice that SQL 2012 and SQL 2014 are now supported. Then click Test Connection.
  9. Click OK to acknowledge that the connection is successful and then click Next.
  10. In the Security Settings page, make your selection and click Next.
  11. In the Pre-Installation Summary page, click Install.
  12. In the Install Complete page, notice the URL. Click Done.

Windows Firewall

Windows Firewall must be configured to allow UDP 162 for SNMP Traps, UDP 514 for SYSLOG, and 8443 for the Command Center management console.


Weak Ciphers

  1. Point your browser to https://<Server_Name>:8443. If you see a message about weak ephemeral Diffie-Hellman then you’ll need to follow Citrix CTX202036 Error:”ssl_error_weak_server_ephemeral_dh_key” When Launching Citrix Command Center Website.
  2. Go to C:\Program Files (x86)\Citrix\Citrix Command Center\apache\tomcat\conf\backup and edit the file server.xml. You want the one in the backup folder.
  3. Near line 102, change the ciphers to the ones listed in the article.
  4. Go to C:\Program Files (x86)\Citrix\Citrix Command Center\conf and edit the file transportProvider.conf.
  5. Near line 45, change the ciphers to the ones listed in the article.
  6. Go to Services and restart the Citrix Command Center service.

Welcome Wizard

  1. Go to https://<Server_Name>:8443 and login as root and public.
  2. In the Change Command Center User Password section, enter a new root password and click Save.
  3. In the Add Device section, enter the NSIP of a NetScaler device. For a High Availability pair, only enter the NSIP of the primary device.
  4. Click the plus icon next to Device Profile.
  5. Give the Device Profile a name. The device profile contains the nsroot password so name the profile something that reflects the team that manages the devices.
  6. In the Device Login section, enter nsroot as the User Name and the password configured on the NetScaler appliances. Scroll down.
  7. In the SNMP section, enter a SNMP community name. Command Center will configure this on the appliances. Click Create.
  8. Back in the Add Device section, click Continue.
  9. Command Center will then begin discovery for the device. If Discovery fails, see CTX200377 – Command Center is Unable to Discover NetScaler
  10. After discovery is complete, click Continue.
  11. Don’t click Done yet.
  12. On the right, in the Advanced column, click Mail Server Settings.
  13. Enter the mail server information and click Save.
  14. On the right, in the Advanced column, click Disk Management.
  15. Adjust the grooming settings as desired and click Save.
  16. Then click Done.

Administration Configuration

  1. Switch to the Administration tab.
  2. Click Settings on the left. On the right, click Inventory Settings.
  3. In the Configure Inventory Settings window, decide if you want to Archive on “Save Config” trap. Click OK when done.
  4. Click Server Settings.
  5. Command Center defaults to displaying devices based on their IP address. This can be changed to Host Name. Click OK when done.
  6. In the Settings node, click Email Server Settings.
  7. Fill out the mail server information so you can receive email alerts and click OK.
  8. In the Settings section is Access Settings.
  9. You can change the Session Timeout.
  10. On the left, click Database Management. On the right, notice the Purge Settings links. Use those links to control the size of the database.
  11. In the Database Management node, click Database Monitor Settings.
  12. Specify a database size threshold. If your database automatically grows, then it’s probably best to configure an absolute database size instead of a size percentage.
  13. When the Threshold is reached, you can configure it to automatically purge data.
  14. You can also receive an email notification when the size limit is reached. Click OK when done.
  15. On the left, expand Authentication and click LDAP.
  16. On the right, click Add.
  17. Enter the IP Address of load balanced LDAP (or one Domain Controller).
  18. Change the Security Type to SSL.
  19. To support SSL and/or TLS, you need to install the LDAP root certificate on Command Center. Copy the root cert to C:\Program Files (x86)\Citrix\Citrix Command Center\Certs.
  20. Open an elevated command prompt and cd to C:\Program Files (x86)\Citrix\Citrix Command Center\bin.
  21. Run importLDAPSCertificate.bat. The first parameter is the name of the root certificate file. The second parameter is commandcenter, which is the password to the trust store.
  22. After importing the root cert, restart the Citrix Command Center service.
  23. Back in Command Center adding an LDAP server, enter a Base DN and Bind DN.
  24. Check the box next to Enable Group Extraction. This will cause more fields to appear.
  25. Enter the fields shown below. Use the question mark to see examples. Click Create.
  26. On the left, click the Authentication node. On the right, click Authentication Settings.
  27. Change the Authentication Server to External.
  28. Move your LDAP server to the right by clicking the plus icon or the right-arrow icon.
  29. Ensure Enable fallback local authentication is enabled and click OK..
  30. On the left, expand Security, and click Groups. On the right, click Add.
  31. Type in the case sensitive group name.
  32. Use the checkboxes to grant your desired permissions and click OK.
  33. Once the group is added to Command Center, you can right-click it and click Advanced Settings to restrict the entities that are accessible to the user.

  34. The Apply on bound entities also checkbox lets the group see the entities that are bound to the restricted object (e.g. services bound to a Virtual Server).
  35. On the left, expand Security and click Syslog Servers. On the right, click Add.
  36. Enter information for your syslog server and click Add.
  37. On the right, click Syslog Parameters.
  38. Set your desired parameters and click Modify.
  39. On the left, under Security, cilck SNMP Agent Configuration. On the right, click Add.
  40. Enter your SNMP information and click Create.

Command Center Certificate

  1. Use IIS or the certificates snap-in to create a certificate that matches the FQDN of the Command Center server.
  2. Export the certificate including private key to a .pfx file.
  3. In the Command Center console, on the Administration tab, click Tools on the left.
  4. On the right, click Install Certificate.
  5. Click Choose File to and browse to the PFX file.
  6. Enter the PFX password and click OK.
  7. Click OK

  8. Restart the Citrix Command Center service.

Discover Devices

Command Center to/from appliance communication:

  • Command Center uses SNMP and SSH to communicate with an appliance.
  • Appliances use SNMP traps to communicate with Command Center.
  • After Command Center discovers an appliance, it will configure the appliance with the correct SNMP settings. You can also configure the SNMP Traps on the appliance manually.
  • SFTP is used for file transfer.
  • Devices can be configured to send Syslog to Command Center.

The Command Center server supports two types of devices:

  • Standalone: A standalone device functions independently and is not configured in an HA setup.
  • HA pair: This represents a pair of devices configured in an HA setup. The primary device in an HA setup processes the traffic. The secondary device monitors the primary and takes over the functions of the primary device if that device is unable to continue processing traffic.

You can add devices by specifying the host names of the devices, the IP addresses of each device, a range of IP addresses, and NAT HA devices. You can also add devices by importing the device names from a file. Note that when you specify a range, the first three octets of the low and high addresses must be the same. Command Center can discover only 254 devices in an IP address range.

The Command Center discovery process involves the following steps:

  1. SNMP ping:The Command Center server sends a Simple Network Management Protocol (SNMP) GET request to a Citrix system-specific object identifier (OID) (for example, 1.3.6.1.4.1.5951.1.1). If the server successfully pings the device, it sets the status of step 2 to SUCCESS and proceeds to step 3. If the GET request fails, the device is not a Citrix device, or it is a Citrix device but SNMP is disabled on it. In either fail case, the Command Center server proceeds to step 2.
  2. Find Citrix device: The Command Center server attempts to open an SSH session to the device based on the user credentials configured when adding a map. If the SSH session fails, the device is discarded as a non-Citrix device. If the SSH session succeeds, the server issues a CLI command to check whether the device is a Citrix device. A positive result moves the device to the next step. Otherwise, Command Center discards the device as a non-Citrix device. To check the cause of failure of this step, on the Citrix Networktab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page.
  3. Enable SNMP:On the discovered Citrix device, Command Center executes a command to configure an SNMP community based on the details entered when configuring the map or when adding a device. This step may fail for various reasons, such as network issues or if another SNMP manager is already configured on the device. To check the cause of failure, on the Citrix Network tab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page.
  4. Add trap destination: Devices communicate with Command Center by sending trap notifications. The Command Center server adds its IP address to the list of trap destinations on the discovered device. This allows Command Center to receive all events/traps generated on the Citrix device. However, this step may fail if the number of trap destinations exceeds the maximum limit of trap destinations on the Citrix device. The limit on Citrix NetScaler devices is 10. If an error occurs you must take corrective measures before you initiate rediscovery of this device. To check the cause of failure, on the Citrix Networktab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page.
  5. Collect inventory:The Command Center server collects the basic system information for the discovered devices using SNMP. You can view this information on the Device Properties page. For more information, see “Viewing Device Properties” in the Citrix Command Center Online Help. This step may fail if the SNMP manager configured on the Citrix device is not that of the server. It may also fail because of network issues or because the SNMP ports are not configured properly on the firewall. To check the cause of failure, on the Citrix Network tab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page. If an error occurs you must take corrective measures, and then initiate rediscovery of the device.
  6. Download files: The Command Center server initiates a Secure File Transfer Protocol (SFTP) session based on the user credentials defined while configuring the map. Then, it downloads the configuration and license files of the device. For Repeater devices, it downloads only the configuration files. The Command Center server stores these files in the database. This step may fail because of the following reasons:
    • Incorrectly specified user credentials
    • Incorrectly configured SFTP ports in the firewall
    • Network issues

To check the cause of failure, on the Citrix Network tab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page. If an error occurs, you must take corrective measures, and then initiate rediscovery of this device.

Upon successful discovery, the devices appear on the corresponding maps as icons with their IP addresses or device names. If the server is unable to successfully discover the devices, it marks the devices as inaccessible, generates an event, and groups the devices under the Inaccessible Systems node.

To add more devices to Command Center:

  1. Click the Citrix Network
  2. Under Device Inventory, click NetScaler and on the right click Add.
  3. Enter the NSIP of the NetScalers, select a device profile and click Continue.
  4. You can click Discovery Status on the left of the page to check the status of the discovery.
  5. Click the Refresh button on the top right to update the display. If Discovery fails, see CTX200377 – Command Center is Unable to Discover NetScaler
  6. Once discovery is complete, you’ll see the devices on the Citrix Network tab in the Device Inventory node. Consult docs.citrix.com (http://docs.citrix.com/en-us/command-center/5-2.html) for more info on what you can do in Command Center.

Configure Device Syslog

By default, a discovered device is only configured for SNMP. Additional reporting can be enabled by configuring the devices to send Syslog to Command Center.

  1. In Command Center, switch to the Configuration
  2. On the left, under Configuration, click Built-in Tasks.
  3. On the right, select the NSConfigureSyslogServer task and click Execute.
  4. In the Devices page, move the devices to the right and click Next.
  5. In the User Input page, enter the IP address of the Command Center server and enter an Annotation. Click Next.
  6. In the Summary page, click Finish.
  7. Click OK to acknowledge that Task execution in progress.
  8. Review the Execution Log to ensure configuration was completed successfully.
  9. Or you can configure Syslog directly on the NetScaler appliance. Configure a Syslog action, a Syslog policy, and bind the Syslog policy globally. The Syslog action should point to the Command Center IP address on port UDP 514.

Alerts

  1. Switch to the Fault tab.
  2. On the left, expand SNMP, expand Alarms, and click Triggers. On the right, click Add.
  3. Give the filter a name. Indicate the alarms for which you wish to receive an email. For example, check the boxes next to Critical and Major. You can restrict the alarms to specific devices.
  4. Click Add Action.
  5. Enter a name for the action.
  6. Enter the email information including From and To addresses and the mail server name. You can click Test Email. Click OK when done.
  7. Click OK when done adding actions.
  8. If you have scheduled maintenance, you can schedule the triggers to disable and re-enable. Select the trigger and then click Schedule a Filter.  💡
  9. Uncheck the Enable Filter box and set the time you want the trigger to be disabled.
  10. Create another trigger schedule to re-enable the filter.
  11. Click the Scheduled Filters button to view the schedules. For more info see CTX211879 How Do I Suppress Command Center Alarm Related Actions For a Particular Time Period?

Use Command Center

See the release notes for new features in Command Center 5.2 build 46.7.  💡

See CTX211875 How Do I Monitor and Manage Changes on NetScaler Using Command Center? for an overview of Audit Templates and Audit Policies.

See docs.citrix.com for information on how to use Command Center to monitor and configure your appliances.

RADIUS Authentication – NetScaler Gateway 10.5

Last Modified: Nov 6, 2020 @ 7:08 am

Navigation

RADIUS Overview

For two-factor authentication using Azure Multi-factor Authentication, see Jason Samuel How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway

Citrix CTX125364 How to Configure Dual Authentication on NetScaler Gateway Enterprise Edition for Use with iPhone and iPad

Some two-factor products (e.g. SMS Passcode) require you to hide the 2nd password field. Receiver 4.4 and newer supports hiding the 2nd field if you configure a Meta tag in index.html. See CTX205907 Dual-Password Field Shows in First Authentication When Connecting to NetScaler Gateway from Windows Receiver for instructions.

Two-factor authentication to NetScaler Gateway requires the RADIUS protocol to be enabled on the two-factor authentication product.

On your RADIUS servers, you’ll need to add the NetScaler appliances as RADIUS Clients. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the appliances as RADIUS Clients. And adjust firewall rules accordingly.

For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS, then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.

Two-factor Policies Summary

When configuring the NetScaler Gateway Virtual Server, you can specify both a Primary authentication policy and a Secondary authentication policy. Users are required to successfully authenticate against both before being authorized for NetScaler Gateway.

For browser-based StoreFront, you need two authentication policies:

  • Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
  • Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Receiver Self-service (native Receiver on mobile, Windows, and Mac), the authentication policies are swapped:

  • Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
  • Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support two-factor authentication from both web browsers and Receiver Self-Service, then you’ll need at least four authentication policies as shown below.

Primary:

  • Priority 90 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Secondary:

  • Priority 90 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Create Two-factor Policies

Do the following to create the Two-factor policies:

  1. Create an LDAP policy/server.
  2. For RADIUS, on the left, expand NetScaler Gateway, expand Policies, expand Authentication, and click Radius.
  3. On the right, switch to the Servers tab. Click Add.
  4. Give the RADIUS server a name.
  5. Specify the IP address of the RADIUS load balancing Virtual Server.
  6. Enter the secret key specified when you added the NetScalers as RADIUS clients on the RADIUS server. Click Create.

    add authentication radiusAction RSA -serverIP 10.2.2.210 -serverPort 1812 -radKey Passw0rd
  7. On the right, switch to the Policies tab, and click Add.
  8. Name it RSA-SelfService or similar.
  9. Select the RADIUS server created earlier.
  10. Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is HTTP.HEADER User-Agent CONTAINS CitrixReceiver.
  11. Click Create.

    add authentication radiusPolicy RSA-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA
    
    add authentication radiusPolicy RSA-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA
    
    add authentication ldapPolicy Corp-Gateway-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway
    
    add authentication ldapPolicy Corp-Gateway-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway
  12. Create another policy to match the ones shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS)
    Name Expression Server
    RSA-SelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver RSA
    RSA-Web REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver RSA

  13. Go to NetScaler Gateway\Policies\Authentication\LDAP. On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).
    Name Expression Server
    LDAP-Corp-SelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver LDAP-Corp
    LDAP-Corp-Web REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver LDAP-Corp

Bind Two-factor Policies to Gateway

  1. When you create the NetScaler Gateway Virtual Server, bind the policies as shown in the following table. Priority doesn’t matter because they are mutually exclusive.
    Policy Name Type Bind Point
    LDAP-Corp-Web LDAP Primary
    RSA-SelfService RADIUS Primary
    LDAP-Corp-SelfService LDAP Secondary
    RSA-Web RADIUS Secondary

    bind vpn vserver gateway.corp.com -policy Corp-Gateway-ReceiverForWeb -priority 100
    
    bind vpn vserver gateway.corp.com -policy RSA-ReceiverSelfService -priority 110
    
    bind vpn vserver gateway.corp.com -policy RSA-ReceiverForWeb -priority 100 -secondary
    
    bind vpn vserver gateway.corp.com -policy Corp-Gateway-ReceiverSelfService -priority 110 -secondary
  2. The session policy/profile for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab or the Session Profile is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to Primary.

    set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
  3. On the StoreFront server, when creating the NetScaler Gateway object, change the Logon type to Domain and security token.

RADIUS Load Balancing – NetScaler 10.5

Last Modified: Nov 6, 2020 @ 6:54 am

Navigation

RADIUS Load Balancing Overview

Two-factor authentication to NetScaler Gateway requires the RADIUS protocol to be enabled on the two-factor authentication product.

On your RADIUS servers you’ll need to add the NetScaler appliances as RADIUS Clients. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the NetScaler appliances as RADIUS Clients. And adjust firewall rules accordingly.

For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS, then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.

When load balancing RADIUS, you’ll want a monitor that verifies that the RADIUS server is functional. The RADIUS monitor will login to the RADIUS server and look for a response. You will need static credentials that the RADIUS monitor can use to login to the RADIUS server.

If you don’t want your monitor to login to RADIUS, then the only other monitoring option is Ping. Adjust the firewall accordingly.

If you have RADIUS Servers in multiple datacenters, you can create multiple load balancing Virtual Servers and cascade them so that the local RADIUS Servers are used first and if they’re not available then the Virtual Server fails over to RADIUS Servers in remote datacenters.

RADIUS Monitor

The RADIUS Monitor attempts to successfully log into the RADIUS server. For RSA, create an account on RSA with the following parameters as mentioned by Jonathan Pitre:

  • Setup a user with a fixed passcode in your RSA console.
  • Ensure you login with that user at least once to the RSA console because you’ll be asked to change it the first time.
  • There is no need to assign a token to your monitor user as long as you are using a fixed passcode. You don’t want to waste a token on a user just for monitoring.

Henny Louwers – Configure RSA RADIUS monitoring on NetScaler:

  1. In the NetScaler Configuration Utility, on the left under Traffic ManagementLoad Balancing, click Monitors.
  2. On the right, click Add.
  3. Name the monitor RSA or similar. Change the Type drop-down to RADIUS.
  4. On the Standard Parameters tab, you might have to increase the Response Time-out to 4.
  5. On the Special Parameters tab, enter valid RADIUS credentials. Make sure these credentials do not change or expire. For RSA, in the Password field, enter the fixed passcode.
  6. Also enter the RADIUS key configured on the RADIUS server for the NetScaler as RADIUS client.
  7. For Response Codes, add both 2 or 3means success while 3 indicates some kind of failure. Either result means that the RADIUS server is responding and thus is probably functional. But 2 is the ideal response.
  8. Click Create when done.
    add lb monitor RSA RADIUS -respCode 2-3 -userName ctxsvc -password Passw0rd -radKey Passw0rd -resptimeout 4

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name; usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.

    add server RSA01 192.168.123.13
    add server RSA02 192.168.123.14
  6. Continue adding RADIUS servers.

Service Groups

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right click Add.
  3. You will create one Service Group per datacenter. Enter a name reflecting the name of the datacenter.
  4. Change the Protocol to RADIUS.
  5. Click OK.
  6. On the right, in the Advanced column, click Members.
  7. On the left, in the Service Group Members section, click where it says No Service Group Member.
  8. If you did not create server objects then enter the IP address of a RADIUS Server in this datacenter. If you previously created a server object, then change the selection to Server Based, and select the server object.
  9. In the Port field, enter 1812 (RADIUS).
  10. Click Create.

  11. To add more members, in the Service Group Members section, click where it says 1 Service Group Member.
  12. Click Add to add another member. Click Close when done.
  13. On the right, in the Advanced column, click Monitors.
  14. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
  15. Click the arrow next to Click  to select.
  16. Select your new RADIUS monitor, and click OK.
  17. Click Bind.
  18. To verify the member is up, click in the Service Group Members section.
  19. Highlight a member and click Monitor Details.
  20. It should say Radius response code 2 (or 3) received. Click OK.
  21. Click Done to finish creating the Service Group.

    add serviceGroup svcgrp-RSA RADIUS
    bind serviceGroup svcgrp-RSA RSA01 1812
    bind serviceGroup svcgrp-RSA -monitorName RSA
  22. The Service Group is displayed as UP.
  23. Add additional service groups for Radius servers in each data center.

Virtual Server

  1. On the left, expand Traffic Management, expand Load Balancing, and click Virtual Servers.

  2. On the right, click Add.
  3. Name it lbvip-RADIUS-HQ or similar. You will create one Virtual Server per datacenter so include the datacenter name.
  4. Change the Protocol drop-down to RADIUS.
  5. Enter a Virtual IP. This VIP cannot conflict with any other IP + Port already being used. You can use an existing VIP if the VIP is not already listening on UDP 1812.
  6. Enter 1812 as the Port. Click OK.
  7. In the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  8. Click the arrow next to Click to select.
  9. Select a previously created Service Group and click OK.
  10. Click Bind.
  11. Click OK.
  12. Configuring RADIUS Load Balancing with Persistence at Citrix Docs recommends Rule Based Load Balancing. On the right, in the Advanced Settings column, add the Method section.
  13. Change the Load Balancing Method to TOKEN.
  14. In the Expression field, enter UDP.RADIUS.USERNAME and click OK.
  15. Click Done to finish creating the Virtual Server.
  16. If you are configuring this RADIUS Load Balancer for more than just NetScaler Gateway, you can add another Load Balancer on port 1813 for RADIUS Accounting. Then you need a Persistency Group to tie the two load balancers together. See Configuring RADIUS Load Balancing with Persistence at Citrix Docs.
    add lb vserver lbvip-RSA RADIUS 10.2.2.210 1812 -persistenceType RULE -lbMethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME
    bind lb vserver lbvip-RSA svcgrp-RSA
  17. The new Virtual Server should show as Up.
  18. Create additional Virtual Servers for each datacenter. These additional Virtual Servers do not need a VIP so change the IP Address Type to Non Addressable. Only the first Virtual Server will be directly accessible.

    add lb vserver lbvip-RSA-Backup RADIUS 0.0.0.0 0 -persistenceType NONE -cltTimeout 120
  19. Notice that the additional datacenter Virtual Servers show up with an IP Address of 0.0.0.0 and port of 0.
  20. After you are done creating a Virtual Server for each datacenter, right-click the primary datacenter’s Virtual Server, and click Edit.
  21. On the right, in the Advanced column, click Protection.
  22. On the left, in the Protection section, change the Backup Virtual Server to one of the other datacenter Virtual Servers. If all of the services in this datacenter are DOWN, the backup Virtual Server will be used instead. You can cascade multiple Virtual Servers using this method. Click OK and Done.

    set lb vserver lbvip-RSA -backupVServer lbvip-RSA-Backup
  23. You may now use this Virtual IP in your RADIUS authentication policies for NetScaler Gateway or NetScaler management login.

NetScaler 10.5 Certificates

Last Modified: Nov 6, 2020 @ 7:04 am

Navigation

Convert .PFX Certificate to PEM Format

You can export a certificate from Windows and import it to NetScaler. However, Windows certificates can’t be imported on NetScaler in their native PFX format and must first be converted to PEM as detailed below:

  1. On the Windows server that has the certificate, run mmc.exe, and add the certificates snap-in.
  2. Right-click the certificate and click Export.
  3. On the Export Private Key page, select Yes, export the private key and click Next.
  4. On the Export File Format page, ensure Personal Information Exchange is selected and click Next.
  5. Save it as a .pfx file. Don’t put any spaces in the filename.

    1. Back in the NetScaler Configuration GUI, on the left expand Traffic Management and click SSL. If the SSL feature is disabled, right-click it and click Enable Feature.
  6. On the right pane, click Import PKCS#12 in the Tools section.
  7. In the Import PKCS12 File dialog box:
    1. In the Output File Name field, enter a name (e.g. Wildcard.cer) for a new file where the PEM certificate and key will be placed.
    2. In the PKCS12 File field, click Browse and select the previously exported .pfx file.
    3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
    4. Change the Encoding Format selection to DES3. This causes the new Output file to be encrypted.
    5. Enter a password for the Output file and click OK.
  8. If you browse to the /nsconfig/ssl directory on the NetScaler and view the new .cer file you just created, you’ll see both the certificate and the private key in the same file. You can use the Manage Certificates / Keys / CSRs link to view the files.

  9. Notice that the file contains both the certificate and the RSA Private key.
  10. On the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
  11. On the right, click Install.
  12. In the Install Certificate dialog box:
    1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    2. In the Certificate File Name field, browse the appliance and select the .cer file you just created.
    3. In the Key File Name field, browse the appliance and select the same .cer file you just created. Both the certificate and the private key are in the same file.
    4. If the private key is encrypted, enter the password.
    5. Click Install. You can now link an intermediate certificate to this SSL certificate and then bind this SSL certificate to SSL Offload and/or NetScaler Gateway Virtual Servers.
  13. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center or NetScaler Management and Analytics System. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

Create Key and Certificate Request

You can create a key pair and Certificate Signing Request directly on the NetScaler appliance. The Certificate Signing Request can then be signed by an internal or public Certificate Authority.

Most Certificate Authorities let you add Subject Alternative Names when submitting the Certificate Signing Request to the Certificate Authority and thus there’s no reason to include Subject Alternative Names in the Certificate Signing Request. You typically create a Certificate Signing Request with a single DNS name. Then when submitting the Certificate Signing Request to the Certificate Authority you type in additional DNS names. For a Microsoft Certificate Authority, you can enter Subject Alternative Names in the Attributes box of the Web Enrollment wizard. For public Certificate Authorities, you purchase a UCC certificate or purchase a certificate option that lets you type in additional names.

If you instead want to create a Certificate Signing Request on NetScaler that has Subject Alternative Names embedded in it as request attributes, see Citrix Blog Post How to Create a CSR for a SAN Certificate Using OpenSSL on a NetScaler Appliance. These instructions are performed on the NetScaler command line using OpenSSL. Or you can instead create a Subject Alternative Name certificate on Windows.

  1. On the left, expand Traffic Management, and click SSL.
  2. On the right, in the left column, click Create RSA Key.
  3. Give the new .key file a descriptive name.
  4. Set the Key Size to 2048 bits
  5. Set the PEM Encoding Algorithm to DES3 and enter a password. This encrypts the key file.
  6. Click OK. You will soon create a certificate using the keys in this file.
  7. On the right, in the right column, click Create CSR (Certificate Signing Request).
  8. In the Request File Name field, enter the name of a new .csr file.
  9. In the Key Filename field, browse to the previously created .key file.
  10. If the key file is encrypted, enter the password.
  11. In the State field, enter your state name without abbreviating.
  12. In the Organization Name field, enter your official Organization Name.
  13. Enter the City name.
  14. Enter IT or similar as the Organization Unit.
  15. In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN.
  16. Scroll down, and click OK.
  17. On the right side of the right pane, click Manage Certificates / Keys / CSRs.
  18. Find the .csr file you just created, and View it.
  19. Copy the contents of the file, and send it to the certificate administrator. Request the signed certificate to be returned in Apache or Base64 format.
  20. After you get the signed certificate, on the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
  21. On the right, click Install.
  22. In the Install Certificate dialog box:
    1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    2. In the Certificate File Name field, browse Local and select the Base64 (Apache) .cer (or .crt, or .cert) file you received from the Certificate Authority.
    3. In the Private Key File Name field, browse the appliance and select the key file you created earlier.
    4. If the key file is encrypted, enter the password.
    5. If desired, check the box next to Notify when expires.
    6. Click Install.
  23. The certificate is now added to the list. Notice the Days to Expire. You can now bind this certificate to any SSL Load Balancing, NetScaler Gateway, or SSL Content Switching Virtual Server.
  24. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center or Citrix NetScaler Management and Analytics. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

Intermediate Certificate

If your Server Certificate is signed by an intermediate Certificate Authority, then you must install the intermediate Certificate Authority’s certificate on the NetScaler. This Intermediate Certificate then must be linked to the Server Certificate.

  1. Sometimes the public Certificate Authority will give you the Intermediate certificate as one of the files in a bundle. If not, log into Windows and double-click the signed certificate.
  2. On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
  3. On the Details tab, click Copy to File.
  4. In the Welcome to the Certificate Export Wizard page, click Next.
  5. In the Export File Format page, select Base-64 encoded and click Next.
  6. Give it a file name and click Next.
  7. In the Completing the Certificate Export Wizard page, click Finish.
  8. In the NetScaler configuration GUI, expand Traffic Management, expand SSL, and click Certificates.
  9. On the right, click Install.
  10. Name it Intermediate or similar.
  11. Browse locally for the Intermediate certificate file.
  12. Click Install. You don’t need a key file.
  13. Highlight the server certificate, open the Action menu, and click Link.
  14. The previously imported Intermediate certificate should already be selected. Click OK.

Create Certificate with NetScaler as Certificate Authority

If you don’t have an internal Certificate Authority, you can use NetScaler as a Certificate Authority. The NetScaler Certificate Authority can then be used to sign Server Certificates. This is a simple method for creating a new management certificate. The main problem with this method is that the NetScaler root certificate must be manually installed on any machine that connects to the NetScaler.

  1. On the left, expand Traffic Management, and click SSL.
  2. On the right, in the left column, click Root-CA Certificate Wizard.
  3. In the Key Filename field, enter root.key or similar. This is a new file.
  4. In the Key Size field, enter at least 2048.
  5. Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
  6. Click Create.
  7. In the Request File Name field, enter root.csr or similar. This is a new file.
  8. If the key file is encrypted, enter the password.
  9. Scroll down.
  10. In the State field, enter the non-abbreviated state name.
  11. In the Organization Name field, enter the name of your organization.
  12. Fill in other fields as desired.
  13. In the Common Name field, enter a descriptive name for this Certificate Authority.
  14. Click Create .
  15. In the Certificate File Name field, enter root.cer or similar. This is a new file.
  16. Change the Validity Period to 3650 (10 years) or similar.
  17. If the key file is encrypted, enter the password in the PEM Passphrase field.
  18. Click Create.
  19. In the Certificate-Key Pair Name field, enter a friendly name for this Certificate Authority certificate.
  20. If the key file is encrypted, enter the password in the Password field.
  21. Click Create.
  22. Click Done.
  23. In the right pane, in the left column, click Server Certificate Wizard.
  24. In the Key Filename field, enter mgmt.key or similar. This is a new file.
  25. In the Key Size field, enter at least 2048.
  26. Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
  27. Click Create.
  28. In the Request File Name field, enter mgmt.csr or similar. This is a new file.
  29. If the key file is encrypted, enter the password.
  30. Scroll down.
  31. In the State field, enter the non-abbreviated state name.
  32. In the Organization Name field, enter the name of your organization.
  33. Fill in other fields as desired.
  34. In the Common Name field, enter the hostname (FQDN) of the appliance.
  35. Click Create.
  36. In the Certificate File Name field, enter mgmt.cer or similar. This is a new file.
  37. Change the Validity Period to 3650 (10 years) or similar.
  38. Scroll down.
  39. In the CA Certificate File Name field, browse to the root.cer file.
  40. In the CA Key File Name field, browse to the root.key file.
  41. If the key file is encrypted, enter the password.
  42. In the CA Serial File Number field, enter the name of a new file that will contain serial numbers.
  43. Click Create.
  44. In the Certificate-Key Pair Name field, enter a friendly name for this management certificate.
  45. If the key file is encrypted, enter the password in the Password field.
  46. Click Create.
  47.  Click Done.

Default Management Certificate Key Length

In older NetScaler builds, the default management certificate (ns-server-certificate) key size is only 512 bits. To see the key size, right-click ns-server-certificate, and then click Details.


If you try to use Internet Explorer to connect to the NSIP using SSL, Internet Explorer will consider 512 bits to be unsafe and probably won’t let you connect. Notice there’s no option to proceed.

You can configure Internet Explorer to accept the 512-bit certificate by running Certutil ?setreg chain\minRSAPubKeyBitLength 512 on the same machine where Internet Explorer is running.

When you upgrade NetScaler, the management certificate remains at whatever was installed previously. If it was never replaced, then the management certificate is still only 512 bits. To replace the certificate with a new 2048-bit self-signed certificate, simply delete the existing ns-server-certificate certificate files and reboot.

  1. Go to Traffic Management > SSL.
  2. On the right, in the right column, click Manage Certificates / Keys / CSRs.
  3. Highlight any file named ns-* and delete them. This takes several seconds.
  4. Then go to System and reboot.
  5. After a reboot, if you view the Details on the ns-server-certificate, it will be recreated as self-signed with 2048-bit key size.

Replace Management Certificate

You can replace the default management certificate with a new trusted management certificate.

Only one certificate will be loaded on both nodes in a High Availability pair so make sure the management certificate matches the names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some names the management certificate should match (note: a wildcard certificate won’t match all of these names):

  • The FQDN for each node NSIP in a High Availability pair. Example: ns01.corp.local and ns02.corp.local
  • The shortnames (left label) for each node NSIP in a High Availability pair. Example: ns01 and ns02
  • The NSIP IP address for each node in a High Availability pair. Example: 192.168.123.14 and 192.168.123.29
  • If you enabled management access on your SNIPs, add names for the SNIPs:
    • FQDN for the SNIP. Example: ns.corp.local
    • Shortname for the SNIP. Example: ns
    • SNIP IP address. Example: 192.168.123.30

If you are creating a Subject Alternative Name certificate, it’s probably easiest to do the following:

  1. Create the certificate using the Certificates snap-in on a Windows box. You can add the Subject Alternative Names in the certificate request wizard. The Subject Alternative Names for the IP addresses must be added as IP address (v4). The other Subject Alternative Names are added as DNS.
  2. Export the certificate and Private Key to a .pfx file.
  3. On the NetScaler, use the Import PKCS#12 tool to convert the .pfx to PEM format. Then follow one of the procedures below to replace the management certificate.

There are two methods of replacing the management certificate:

  • Use the Update Certificate button for ns-server-certificate in the NetScaler GUI. This automatically updates all of the Internal Services bindings too.
    • You cannot rename the certificate in the NetScaler GUI. It remains as ns-server-certificate.
    • If your new management certificate is a wildcard that you need to use for other SSL entities, then you will bind ns-server-certificate to those entities instead of a more descriptive name. You can’t re-upload the wildcard certificate again with a different GUI name.
  • Or manually Bind the new certificate to the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, and click Certificates.
  3. On the right, highlight ns-server-certificate, and click Update.
  4. Check the box next to Click to update the Certificate/Key.
  5. Browse to the new management certificate. It could be on the appliance or it could be on your local machine.
  6. Click Yes when asked to update the existing certificate.
  7. If the PEM certificate is encrypted, enter the password.
  8. Check the box next to No Domain Check. Click OK.
  9. You can now connect to the NetScaler using https protocol. The certificate should be valid and it should have a 2048 bit key.
  10. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  11. On the right, switch to the Internal Services tab.
  12. You will see multiple services. Edit one of them.
  13. On the right, in the Advanced column, click SSL Ciphers.
  14. On the left, in the SSL Ciphers section, bind a custom cipher group that has RC4 ciphers removed. Click OK.
  15. Scroll down to the SSL Parameters section, and click the pencil icon.
  16. Uncheck the box next to SSLv3. NetScaler VPX 10.5 build 57 and newer lets you enable TLSv11 and TLSv12. Click OK.
  17. Repeat for the rest of the internal services.

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, and click Certificates.
  3. On the right, use the Install button to install the certificate if you haven’t already done so.
  4. On the right, highlight the new management certificate, open the Action menu, and click Details.
  5. Verify that the Public Key Size is 2048. Click OK.
  6. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  7. On the right, switch to the Internal Services tab.
  8. You will see multiple services. Edit one of them.
  9. Scroll down and click where it says 1 Client Certificate.
  10. Highlight the existing management certificate, and click Unbind.
  11. Click Yes to remove the selected entity.
  12. Click Add Binding.
  13. Click where it says Click to select.
  14. Select the new management certificate, and click OK.
  15. Click Bind.
  16. Click OK.
  17. On the right, in the Advanced column, click SSL Ciphers.
  18. On the left, in the SSL Ciphers section, bind a custom cipher group that has RC4 ciphers removed. Click OK.
  19. Scroll down to the SSL Parameters section, and click the pencil icon.
  20. Uncheck the box next to SSLv3. NetScaler VPX 10.5 build 57 and newer lets you enable TLSv11 and TLSv12. Click OK.
  21. Repeat for the rest of the internal services.

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP. Connecting to the NSIP using SSL also causes Java communication to use SSL (TCP 3008).

  1. Connect to the NSIP using https.
  2. On the left, expand System, expand Network, and click IPs.
  3. On the right, highlight your NetScaler IP, and click Edit.
  4. Near the bottom, check the box next to Secure access only, and then click OK.
  5. Repeat this on the secondary appliance.
  6. Repeat for any SNIPs that have management access enabled.

SSL Certificate – Update

If your certificate is about to expire, do the following:

  1. Create updated certificate files in PEM format. One option is to create a key file and Certificate Signing Request directly on the NetScaler. Another option is to convert a PFX file to a PEM file. Don’t install the certificate yet, but instead, simply have access to the key file and certificate file in PEM format.
  2. In NetScaler, navigate to Traffic Management > SSL > Certificates.
  3. On the right, highlight the certificate you intend to update, and click Update.
  4. Check the box next to Click to update the Certificate/Key.
  5. Browse to the updated certificate file.
  6. Click Yes when asked to update the existing certificate.
  7. Browse to the updated key file.
  8. If the key file is encrypted, enter the password.
  9. Check the box next to No Domain Check.
  10. Click OK. This will automatically update every Virtual Server on which this certificate is bound.
  11. Certificates can also be updated in Citrix Command Center or NetScaler Management and Analytics System.

NetScaler 10.5 System Configuration

Last Modified: Jan 15, 2021 @ 6:23 am

Navigation

This page contains the following topics:

Java Security

Citrix docs.citrix.com has information on configuring browsers for Java

When performing operations on NetScaler that require Java, you might see the message “Java Applet could not be loaded”. To fix it, do the following:

  1. Java uses TCP 3008 and TCP 3010 to communicate with the NetScaler NSIP (and/or SNIP). Make sure these ports are open on any firewall between the administrator workstations and the NetScaler management IPS.
  2. Go to Control Panel and open the Java applet.
  3. Switch to the Security
  4. Click Edit Site List.
  5. Click Add.
  6. Type in a URL to a NetScaler management IP. You must prepend http and/or https. The management IP is NSIP and/or SNIP.
  7. If you enter an http URL then you will see a warning message. Click Continue.
  8. Continue adding NetScaler management URLs to the list. Add both http and https so you can use either. Click OK when done.
  9. Then click OK to close the Java Control Panel applet.
  10. The Java site exception list is stored in %userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites and can be transferred to other users.

VPX – vSphere 5.1 and 5.5 issue

If you are licensed for VPX-1000 or higher, see Citrix Knowledgebase Article CTX139485 (Resource Requirements for Optional Multi-PE Configuration for NetScaler VPX) for correct vCPU and Memory configuration.

From VMware knowledgebase article 2092809: After applying patches to an ESXi 5.1/5.5 host, Citrix NetScaler virtual machine with e1000 vNIC loses network connectivity: After patching your ESXi host to version 5.5 Update 2 (build 2143827) or 5.1 Patch 6 (build 2191751), you experience these symptoms:

  • Some Citrix NetScaler virtual machine appliance running the guest Operating System with e1000 vNIC driver loses network connectivity
  • Cannot access the console after applying the patches

See VMware’s article for their workaround.

From Citrix Knowledgebase article CTX200278 – NetScaler VPX Loses Network Connectivity on VMware ESXi 5.1.0 2191751 and VMware ESXi 5.5 2143827:

  1. Log in to the Citrix NetScaler virtual machine appliance as nsroot
  2. Type shell.
  3. Type the following command:
    cd /flash/boot
  4. Type the following command:
    touch /flash/boot/loader.conf.local
  5. Edit (vi) the file conf.local and add the following line to the end of it:
    hw.em.txd=512
  6. Save the changes
  7. Restart the NetScaler virtual machine appliance

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

  • One method is to look in the GUI.

    • In the right pane, look down for the Host Id This is the MAC address you need for license allocation.
  • Another option is to SSH to the appliance and run shell.
    • Then run lmutil lmhostid. The MAC address is returned.

Licensing – Citrix.com

  1. Login to citrix.com.
  2. Click Activate and Allocate Licenses.
  3. Check the box next to a Citrix NetScaler license and click Continue.
  4. If this is a NetScaler MPX license then there is no need to enter a host ID for this license so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.

    For a VPX appliance, you can also get the Host ID by looking at the System Information page.
  5. Click Confirm.
  6. Click OK when asked to download the license file.
  7. Click Download.
  8. Click Save and put it somewhere where you can get to it later.
  9. If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
  10. Enter your appliance hostname as the Host ID for all licenses.
  11. Click Confirm.
  12. Click OK when prompted to download your license file.
  13. Click Download.
  14. Click Save.
  15. If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.

Install Licenses on Appliance

  1. In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
  2. On the right, click Manage Licenses.
  3. Click Add New License.

    License files are stored in /nsconfig/license.
  4. If you have a license file, select Upload license files from a local computer, and then click Browse.
  5. Click Reboot when prompted. Login after the reboot.
  6. After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
  7. Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or packets will drop.

Upgrade Firmware

Citrix CTX127455How to Upgrade Software of the NetScaler Appliances in a High Availability Setup:

  1. Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts link on the top right.
    Note: Citrix sometimes refreshes firmware builds (e.g 10.1 build 130.13 replaces 10.1 build 130.10). If this happens, make sure you install the refreshed version since the original version can no longer be downloaded. If you have an HA pair running 130.10, and if one of the appliances needs to be replaced, you can’t download 130.10 and thus can’t install it on the new secondary, and thus the config won’t replicate when you join the HA pair since the node firmware versions will be different. If you don’t have access to the 130.10 firmware, your only option is to upgrade the primary to 130.13 before joining the new secondary running 130.13.
  2. Make sure you Save the config before beginning the upgrade.
  3. If you configured NetScaler Gateway to use a Custom theme, change the theme back to Default (or Green Bubble). You will have to re-create the customtheme.tar.gz file after you upgrade.
  4. Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
  5. Start with the Secondary appliance.
  6. Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
  7. In the NetScaler GUI, with the top left node (System) selected, click System Upgrade.
  8. Browse to the build…tgz file. If you haven’t downloaded firmware yet, then you can click the Download Firmware link.
  9. Click More and then check the box next to Automatically move files to create space. Click Yes to acknowledge the prompt.
  10. Click Upgrade.

  11. The firmware will upload.
  12. You should eventually see a System Upgrade window with text in it. It will reboot automatically.
  13. Or if older than 10.5 build 56, click Upgrade Wizard
  14. In the Introduction page, click Next.
  15. In the Upload Software page, browse to the build…tgz file and click Next.
  16. In the Manage Licenses page, click Next.
  17. In the Clean Up / Reboot page, check both boxes and then click Next.
  18. If you select the option to automatically move files, you will be asked to delete unused kernels. Click Yes.
  19. In the Summary page, click Finish. The upgrade will begin. Do not disturb your browser session until you see that it is rebooting. It will run several commands after uploading the files.
  20. If you are asked to enable Call Home, select Yes, and click Go.
  21. When you see the message Rebooting… it is then safe to close the window.
  22. Once the Secondary is done, login and failover the pair.
  23. Then upgrade the firmware on the former Primary.

 

To install firmware by using the command-line interface

  1. To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
  2. Create a version directory under /var/nsinstall (e.g. /var/nsinstall/10.5.63).
  3. Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.5.63) directory on the appliance.
  4. Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
  5. At a command prompt, type shell.
  6. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
  7. To view the contents of the directory, type ls.
  8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
  9. To start the installation, at a command prompt, type ./installns.
  10. When the installation is complete, restart NetScaler.
  11. When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

  1. Prepare the secondary appliance:
    1. Configure a NSIP.
    2. Don’t configure a SNIP. You can click Do It Later to skip the wizard.
    3. Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.
    4. License the secondary appliance.
    5. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
  2. On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this, then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.


    set ha node -hastatus STAYSECONDARY
  3. On the primary appliance, on the left, expand System, expand Network and click Interfaces.
  4. On the right, look for any interface that is currently DOWN. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface, and click Disable. Repeat for the remaining disconnected interfaces.

    show interface
    disable interface 1/1
  5. On the left, expand System, and click High Availability.
  6. On the right, click Add.
  7. Enter the other NetScaler’s IP address.
  8. Enter the other NetScaler’s login credentials, and click Create.

    add ha node 1 192.168.123.14
    Note: this command must be run separately on each appliance.
  9. If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.
  10. Eventually it will say SUCCESS.
  11. To enable Fail-safe mode, on the right, edit Node ID 0 (the local appliance).
  12. Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.

    set ha node -failSafe ON
  13. If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
  14. On the secondary appliance, go to System > High Availability, edit the local node, and change it from STAY SECONDARY to ENABLED.
  15. From the CLI, run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
  16. You can Force Failover of the primary appliance by opening the Actions menu, and clicking Force Failover.

    force ha failover
    If your firewall (e.g. Cisco ASA) doesn’t like the Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Multiple Interfaces – VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.

 

You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Channel, or the new Redundant Interface Set feature in 10.5.e. See Webinar: Troubleshooting Common Network Related Issues with NetScaler

NetScaler VPX defaults to two connected interfaces, so if you only have one subnet, disconnect one of those interfaces.

 

Common interface configuration: Here is a common NetScaler networking configuration for a NetScaler that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

  • 0/1 connected to a dedicated management network. NSIP is on this network.
    • 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, etc.) and don’t connect any cables to 0/1.
    • To prevent NetScaler from using this interface for outbound data traffic, don’t put a SNIP on this network, and configure the default gateway to use a different data network. However, if there’s no SNIP, and if default gateway is on a different network,  then there will be asymmetric routing for management traffic since inbound is 0/1 but outbound is LA/1. To work around this problem, enable Mac Based Forwarding. Or create a Policy Based Route.
    • It’s easiest if the switch port for this interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
  • 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
  • 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). Default gateway points to a router on a DMZ VLAN so replies can be sent to Internet clients.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.

 

SNIPs: You will need one SNIP for each connected subnet. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.

 

NSIP: The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any subnet that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).

 

To configure multiple connected subnets:

  1. On the left, expand System, and click Settings.
  2. On the right, in the left column, click Configure modes.
  3. Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).

    enable mode mbf
  4. Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
  5. On the right, click Add.
  6. Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
  7. Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
  8. Ensure the IP Type is set to Subnet IP. Scroll down.

    add ns ip 172.16.1.11 255.255.255.0 -type SNIP
  9. Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
  10. Click Create when done. Continue adding SNIPs for each connected network (VLAN).

    set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
  11. On the left, expand System, expand Network and click VLANs.
  12. On the right, click Add.
  13. Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
  14. Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
  15. If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
  16. If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1 and instead put in this VLAN ID.
  17. Switch to the IP Bindings tab.
  18. Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.

    add vlan 50
    bind vlan 50 -ifnum 1/1 -IPAddress 172.16.1.11 255.255.255.0
    
  19. The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network, and click Routes.
  20. On the right, click Add.
  21. Internal networks are only accessible through an internal router. Add a static route to the internal networks, and set the Gateway to an internal router. Then click Create.

    add route 192.168.0.0 255.255.0.0 192.168.123.1
  22. Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. To create a PBR, go to System > Network > PBRs.
  23. The source IP is the NSIP, and next hop is a router on the same network as the NSIP. Destination is not needed.
  24. Then open the Action menu, and click Apply.

    add ns pbr NSIP ALLOW -srcIP = 10.2.2.59 -nextHop 10.2.2.1
    apply ns pbrs
  25. Go back to System > Network > Routes. On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.

    rm route 0.0.0.0 0.0.0.0 192.168.123.1
  26. Then click Add.
  27. Set the Network to 0.0.0.0, and the Netmask to 0.0.0.0.
  28. Make sure NULL Route is set to No.
  29. Enter the IP address of the DMZ (or data) router, and click Create.

    add route 0.0.0.0 0.0.0.0 172.16.1.1

DNS Servers

  1. To configure DNS servers, expand Traffic Management, expand DNS, and click Name Servers.
  2. On the right, click Add.
  3. Enter the IP address of a DNS server and click Create.
  4. Note: The NetScaler must be able ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP.
    add dns nameServer 192.168.123.11

NTP Servers

  1. On the left, expand System, and click NTP Servers.
  2. On the right, click Add.
  3. Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.

    add ntp server pool.ntp.org
  4. Open the Action menu and click NTP Synchronization.
  5. Select ENABLED and click OK.

    enable ntp sync
  6. You can click the System node to view the System Time.
  7. If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date –help to see the syntax.
  8. Ntpdate –u pool.ntp.org will cause an immediate NTP time update.

 

Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:

  1. Replace the following line in /etc/ntp.conf file, if it exists:
    >  restrict default ignore
  2. Add the following lines in file /etc/ntp.conf:
    # By default, exchange time with everybody, but don't allow configuration:
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery
    
    # Local users may interrogate the ntp server more closely:
    
    restrict 127.0.0.1
    restrict ::1
  3. Restart NTP using the following commands:
    > shell
    root@ns# ps -aux |grep "ntp"
    root@ns# kill <PID obtained from step above>
    root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf

 

Citrix Knowledgebase Article CTX200355 – Citrix Security Advisory for NTP VulnerabilitiesBy default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in deployments where customers have enabled NTP on the appliance, it is likely that these vulnerabilities will impact NetScaler.

We recommend that customers apply the following remediation:

Open the NetScaler’s ntp.conf file in /etc and add the following lines:

restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other ‘restrict‘ directives should be reviewed to ensure that they contain both ‘nomodify‘ and ‘noquery‘ and that the file contains no ‘crypto‘ directives.

When this editing is complete, save the file and copy it to the /nsconfig directory. The NTP service must then be restarted for the changes to take effect. As with all changes, Citrix recommends that this is evaluated in a test environment prior to releasing to production.

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

  1. On the left, expand System, expand Auditing, and click Syslog.
  2. On the right, switch to the Servers tab and click Add.
  3. Enter a name for the Syslog server.
  4. Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
  5. Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
  6. Select your desired Time Zone and then click Create.

    add audit syslogAction CommandCenter 192.168.123.12 -logLevel ALL -timeZone LOCAL_TIME
  7. On the right, switch to the Policies tab, and then click Add.
  8. Give the policy a descriptive name, select the Syslog server, and then click Create.

    add audit syslogPolicy CommandCenter ns_true CommandCenter
  9. While still on the Policies tab, open the Actions menu and click Global Bindings.
  10. Click Bind.
  11. Check the box next to the Syslog policy you want to bind and click Insert.
  12. Then click OK.

    bind system global CommandCenter -priority 100

SNMP – MIB, Traps, and Alarms

  1. On the left, expand System, and click SNMP.
  2. On the right, click Change SNMP MIB.
  3. Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
  4. This configuration needs to be repeated on the other node.

    set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
  5. Expand System, expand SNMP, and click Community.
  6. On the right, click Add.
  7. Specify a community string and the Permission and click Create.

    add snmp community public GET
  8. On the left, under SNMP, click Traps.
  9. On the right, click Add.
  10. Specify a trap destination and Community Name and click Create.

    add snmp trap generic 192.168.123.12 -communityName public
    add snmp trap specific 192.168.123.12 -communityName public
  11. On the left, under SNMP, click Managers.
  12. On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
  13. Change the selection to Management Network.
  14. Specify the IP of the Management Host and click Create.

    add snmp manager 192.168.123.12
  15. The Alarms node allows you to enable SNMP Alarms and configure thresholds.
  16. You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.

    set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
  17. You can also configure the MEMORY alarm.

    set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

  • ifTotXo?Sent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
  • ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
  • ifErrRxNoBu?s – .1.3.6.1.4.1.5951.4.1.1.54.1.30
  • ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you many optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

  1. On the left, expand System and click Diagnostics.
  2. On the right, in the left column, in the Technical Support Tools section, click Call Home.
  3. Check the box next to Enable Call Home.
  4. Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
  5. If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

  1. Expand System, expand User Administration and click Users.
  2. On the right, select nsroot, and click Change Password.
  3. Specify a new password and click OK.

    set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix Knowledgebase articles:

 

  1. On the left, expand System and click Settings.
  2. On the right side of the right pane, click Change TCP parameters.
  3. Check the box for Window scaling (near the top).
  4. Scroll down and check the box for Selective Acknowledgement. Click OK.

    set ns tcpParam -WS ENABLED -SACK ENABLED
  5. On the right, click Change HTTP parameters.
  6. Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

    set ns param -cookieversion 1
  7. Check the box next to Drop invalid HTTP requests and click OK.

    set ns httpParam -dropInvalReqs ON
  8. You can run the following command to see statistics on the dropped packets:
    nsconmsg -g http_err_noreuse_ -d stats
  9. On the left, under Traffic Management, click SSL.
  10. On the right, in the right column, click Change advanced SSL settings.
  11. Change the Deny SSL Renegotiation selection to NONSECURE. Click OK.

    set ssl parameter -denySSLReneg NONSECURE
  12. See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Then run kill -HUP `cat /var/run/sshd.pid` to restart SSHD.
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160
  13. Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.
    add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES
    
    add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP ?logAction ShellShock_Log
    
    bind responder global ShellShock_policy 10 END -type REQ_DEFAULT

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

  • Maximum logon attempts on NetScaler Gateway Virtual Server
  • Rate Limiting for IP.SRC and HTTP.REQ.URL.
  • nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
  • Syslog logging
  • External website monitoring
  • Obfuscate the Server header in the HTTP response
  • Disable management access on SNIPs
  • Change nsroot strong password, use LDAP authentication, audit local accounts
  • Don’t enable Enhanced Authentication Feedback
  • SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
  • 2-factor authentication
  • Command Center and Insight Center
  • Review IPS/IDS & Firewall logs

Management Authentication

Load balancing of authentication servers is strongly recommended since during an authentication attempt only one LDAP server is chosen. If you instead bound multiple LDAP servers it would try all of them and for incorrect passwords will lock out the user sooner than expected.

  1. Expand System, expand Authentication, and then click LDAP.
  2. On the right, switch to the Servers tab. Then click Add.
  3. Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
  4. Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
  5. Change the Security Type to SSL.
  6. Enter 636 as the Port. Scroll down.
  7. In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
  8. Enter the credentials of the LDAP bind account in userPrincipalName format.
  9. Check the box next to BindDN Password and enter the password. Scroll down.
  10. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  11. On the right, check the box next to Allow Password Change.
  12. It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
    Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

    Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  13. Scroll down and click Nested Group Extraction to expand it.
  14. If desired, change the selection to Enabled.
  15. Set the Group Name Identifier to samAccountName.
  16. Set the Group Search Attribute to memberOf.
  17. Set the Group Search Sub-Attribute to CN.
  18. Example of LDAP Nested Group Search Filter Syntax

  19. Scroll down and click Create.

    add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  20. Switch to the Policies tab and click Add.
  21. Enter the name LDAPS-Corp-Mgmt or similar.
  22. Select the previously created LDAPS-Corp-Mgmt server.
  23. On the bottom, in the Expressions area, type in ns_true.
  24. Click Create.

    add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt
  25. Click Global Bindings in the right pane.
  26. Click where it says Click to select.
  27. Select the newly created LDAP policy, and click OK.
  28. Enter 100 for the priority, and click Bind.
  29. Click Done.

    bind system global Corp-Mgmt
  30. Under System, expand User Administration and click Groups.
  31. On the right, click Add.
  32. In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
  33. In the Command Policies section, click Insert.
  34. Select the superuser policy, and click Insert.
  35. Click Create.

    add system group "NetScaler Admins" -timeout 900
    bind system group "NetScaler Admins" -policyName superuser 100
  36. If you logout:
  37. You should be able to login to NetScaler using an Active Directory account.

CLI Prompt

  1. When you connect to the NetScaler CLI prompt, by default, the prompt is just a >.
  2. You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.

Next Steps

Return to NetScaler Procedures list

Citrix ADC and CVAD Firewall Rules

Last Modified: Jul 8, 2021 @ 6:45 am

Navigation

See CTX101810 Communication Ports Used by Citrix Technologies

💡 = Recently Updated

Change Log

Citrix ADC Firewall Rules

From To Protocol / Port Purpose
Administrator machines NSIPs (and/or SNIPs) TCP 22
TCP 80
TCP 443
TCP 3010
TCP 3008
SSH and HTTP/SSL access to NetScaler configuration GUI. TCP 3008/3010 is Java and 3008 is used if traffic is encrypted. Java not needed in 10.5 build 57 and newer.
Administrator machines NetScaler SDX SVM, XenServer TCP 22
TCP 80
TCP 443
To administer NetScaler SDX
Administrator machines NetScaler Lights Out Module TCP 443
TCP 623
TCP 5900
CTX200367
NSIP
SNIP
DNS servers Ping
UDP 53
TCP 53
Ping is used for monitoring. Can be turned off by load balancing on the same appliance.
NSIPs
SNIP
NetScaler MAS TCP 27000
TCP 7279
Pooled Licensing
NSIPs
SNIP
NTP servers UDP 123 NTP
NSIPs
SNIP
Syslog server UDP 514 Syslog
NSIPs callhome.citrix.com
cis.citrix.com
taas.citrix.com
TCP 443 Call Home
NSIPs (default)
SNIP
LDAP Servers(Domain Controllers) TCP 389 (Start TLS)
TCP 636 (Secure LDAP)
Secure LDAP requires certificates on the Domain Controllers. Secure LDAP enables password changes when they expire.SNIP if Load Balanced on same appliance
NSIPs LDAP Servers TCP 389
TCP 636
Monitor Domain Controllers
NSIPs (default)
SNIP
RADIUS servers UDP 1812 RADIUS is used for two-factor authentication. SNIP if Load Balanced on same appliance
SNIP RADIUS servers UDP 1812
Ping
Monitor RADIUS servers
NetScaler SDX Service virtual machine NSIPs Ping
TCP 22
TCP 80
TCP 443
Only if NetScaler VPX runs as a virtual machine on top of NetScaler SDX
Local GSLB Site IP
SNIP
GSLB Site IP (public IP) in other datacenter TCP 3009
TCP 3011
GSLB Metric Exchange Protocol between appliance pairs
NSIPs GSLB Site IP (public IP) in other datacenter TCP 22
TCP 3008
TCP 3010
GSLB Configuration Sync
Local GSLB Site IP
SNIP
All Internet Ping
UDP 53
TCP (high ports)
RTT to DNS Servers for Dynamic Proximity determination
SNIP StoreFront Load Balancing VIP TCP 443 NetScaler Gateway communicates with StoreFront
SNIP StoreFront servers TCP 80
TCP 443
TCP 808
StoreFront Load Balancing
NSIPs StoreFront servers TCP 80
TCP 443
Monitor StoreFront servers
StoreFront servers NetScaler Gateway VIP (DMZ IP) TCP 443 Authentication callback from StoreFront server to NetScaler Gateway.
SNIP Each individual Delivery Controller in every datacenter TCP 80
TCP 443
Secure Ticket Authorities. This cannot be load balanced.
TCP 443 only if certificates are installed on the Delivery Controllers.
SNIP All internal virtual desktops and session hosts (subnet rule?) TCP 1494
TCP 2598
UDP 1494
UDP 2598
UDP 16500-16509
HDX ICA
Enlightened Data Transport
Session Reliability
UDP Audio
All Internet
All internal users
NetScaler Gateway VIP (public IP) TCP 80
TCP 443
UDP 443
Connections from browsers and native Receivers
DTLS for UDP Audio
All Internet
All internal DNS servers
SNIP ADNS Listener (Public IP) UDP 53
TCP 53
ADNS (for GSLB)
Web logging server NSIPs TCP 3010 Web logging polls the NetScalers.
NSIPs NetScaler MAS or other SNMP Trap Destination UDP 161
UDP 162
SNMP Traps
NSIPs
SNIP
NetScaler MAS or other AppFlow Collector UDP 4739
TCP 5557, 5558
TCP 5563
AppFlow (IPFIX, Logstream, and Metrics)
NSIP mfa.cloud.com
trust.citrixworkspacesapi.net
TCP 443 Native OTP Push (DNS required)
  • Authentication traffic uses NSIPs by default. This can be changed by creating a local Load Balancing Virtual Server on the same appliance and sending authentication traffic through the Load Balancing VIP.
  • Several of the Load Balancing monitors run as Perl scripts, which are sourced from the NSIPs, not SNIP. But actual load balancing traffic uses SNIP as the source IP.
  • DNS Name Servers use ping for monitoring. This can be disabled by creating a local Load Balancing Virtual Server on the same appliance and sending DNS traffic through the load balancer.
  • In a ADC with a dedicated management network and default route on a different data network, configure Policy Based Routes (PBRs) to send NSIP-sourced traffic through a router on the NSIP subnet.
  • Logstream defaults to SNIP as source but can be changed to NSIP. See CTX286215.

Citrix ADM Firewall Rules

Citrix Application Delivery Management (ADM) monitors and manages the ADC appliances.

From To Protocol / Port Purpose
ADM Floating IP
ADM Agent
NSIPs Ping
TCP 22
TCP 80
TCP 443
Discovery and configuration of ADC devices
NSIPs ADM Floating IP
ADM Agent
TCP 80
TCP 443
Nitro
ADM (Primary, Secondary) NSIPs UDP 161 SNMP
ADM Agents ADM Floating IP TCP 443
TCP 7443
TCP 8443
Agent Communication
NSIPs ADM Floating IP
ADM Agent
UDP 4739 AppFlow
SNIP ADM Floating IP
ADM Agent
TCP 5563 Metrics Collector
NSIPs
SNIP
ADM Floating IP
ADM Agent
TCP 5557, 5558 Logstream (ULFD)
NSIPs ADM Floating IP
ADM Agent
UDP 161
UDP 162
SNMP Traps
NSIPs ADM Floating IP
ADM Agent
UDP 514 Syslog
CPX NSIPs
VPX NSIPs
ADM Floating IP
ADM Agent
TCP 27000
TCP 7279
Pooled Licensing
Administrator Machines ADM Floating IP
ADM Agent
TCP 22
TCP 80
TCP 443
Web-based GUI
Director Servers ADM Floating IP TCP 80
TCP 443
Insight Integration with Director
ADM LDAP(S)
LDAP(S) VIP
TCP 389
TCP 636
LDAP authentication
ADM Mail Server TCP 25 Email alerts
ADM NTP Server UDP 123 NTP
ADM Syslog Server UDP 514 Syslog

Citrix Virtual Apps and Desktops Firewall Rules

From To Protocol / Port Purpose
Administrator machines Delivery Controllers TCP 80/443
TCP 3389
PowerShell
RDP
Delivery Controllers SQL Server TCP 1433
UDP 1434
Other static port
SQL database
Delivery Controllers vCenter TCP 443 vCenter
Delivery Controllers SCVMM (Hyper-V) TCP 8100 SCVMM
Delivery Controllers Citrix Licensing TCP 27000
TCP 7279
TCP 8082-8083
Citrix Licensing
StoreFront servers Delivery Controllers TCP 80
TCP 443
XML
Secure Ticket Authority
StoreFront servers StoreFront servers TCP 808 Subscription Replication
StoreFront servers Domain Controllers in Trusted Domains TCP 88
TCP 135
TCP 445
TCP 389/636
TCP 49151-65535
RPC
Discussions
Administrator machines StoreFront servers TCP 3389 RDP
Administrator machines Citrix Licensing TCP 8082-8083
TCP 3389
Web-based administration GUI
RDP
Delivery Controllers All VDAs TCP 80 Brokering
All VDAs Delivery Controllers TCP 80 Registration
All VDAs Global Catalogs
(Domain Controllers)
TCP 3268 Registration
All Server OS VDAs Remote Desktop Licensing Server RPC and SMB Remote Desktop Licensing
All Workspace apps
(Internal)
StoreFront SSL Load Balancing VIP TCP 80
TCP 443
Internal access to StoreFront
All Workspace apps Citrix Gateway VIP TCP 80
TCP 443
External (or internal) access to Citrix Gateway
All Workspace apps
(Internal)
All VDAs TCP 1494
UDP 1494
TCP 2598
UDP 2598
UDP 16500-16509
ICA/HDX
EDT
Session Reliability
UDP Audio
Administrator machines Director TCP 3389 RDP
Administrator machines
Help Desk machines
Director TCP 80
TCP 443
Web-based GUI
Director Delivery Controllers TCP 80
TCP 443
Director
Administrator machines
Help Desk machines
All VDAs TCP 135
TCP 3389
Remote Assistance

Also see Microsoft Technet Which ports are used by a RDS 2012 deployment?

Citrix Provisioning Firewall Rules

From To Protocol / Port Purpose
Provisioning Servers SQL Server TCP 1433
UDP 1434
Other static port
SQL database for Provisioning Services
Provisioning Servers Provisioning Servers SMB File copy of vDisk files
Provisioning Servers Provisioning Servers UDP 6890-6909 Inter-server communication
Provisioning Servers Citrix Licensing TCP 27000
TCP 7279
TCP 8082-8083
TCP 80
Citrix Licensing
Provisioning Servers Controllers TCP 80
TCP 443
Setup Wizards to create machines
Provisioning Servers vCenter TCP 443 Setup Wizards to create machines
Provisioning Servers Target Devices UDP 6901
UDP 6902
UDP 6905
Provisioning Services Console Target Device power actions (e.g. Restart)
Administrator machines Provisioning Servers TCP 3389
TCP 54321
TCP 54322
TCP 54323
RDP
SOAP
Controllers Provisioning Servers TCP 54321
TCP 54322
TCP 54323
Add machines to Catalog
Target Devices DHCP Servers UDP 67 DHCP
Target Devices KMS Server TCP 1688 KMS Licensing
Target Devices Provisioning Servers UDP 69
UDP 67/4011
UDP 6910-6969
TFTP
PXE
Streaming (expanded port range)
Target Devices Provisioning Servers UDP 6969
UDP 2071
Two-stage boot (BDM)
Target Devices Provisioning Servers TCP 54321
TCP 54322
TCP 54323
Imaging Wizard to SOAP Service

Citrix Workspace app 2311.1

Last Modified: Mar 6, 2024 @ 8:00 am

Navigation

Workspace app is the new name for Receiver. This post applies to all Workspace app versions, including the Current Release version 2311.1 and the LTSR version 2203.6001.

💡 = Recently Updated

Change Log

Workspace app Versions

Citrix Workspace app uses a YYMM (year/month) versioning format, of which version 2311.1 (23.11.1.140) is the newest. See Citrix Docs for the list of new features, some of which only apply to Citrix Cloud.

Workspace app 2311 and newer have a new installer interface. 

Workspace app 2009 and newer have the new Citrix logo.

Workspace app 1912 and newer support App Protection. It’s available in LTSR version 2203 and the Current Release 2311.1 version. Workspace app 2303 and newer automatically install the App protection components with an option to start them after installation. Older Workspace apps have an option to install App protection and if you don’t select this and later want App protection then you must uninstall Workspace app and reinstall it.


  • See App Protection at Citrix Docs to enable App protection for the authentication screen. Workspace app 2305.1 and newer automatically start it for authentication if you have selected the Start App Protection check box during installation.

The only supported LTSR (Long Term Service Release) version of Workspace app is version 2203. Its latest cumulative update is 6 Update 1

  • The newest Workspace app versions contain many Teams optimization enhancements.
  • The LTSR versions of Workspace app do not support Browser Content Redirection (BCR) because the embedded browser is not included in the LTSR Workspace app.
  • Download LTSR version 22.03.6001,

Workspace app Modules

The Workspace app installer deploys multiple modules. Here are the important ones:

  • ICA Engine (wfica.exe) – process that uses the ICA protocol to connect to published apps and desktops.
  • Self-Service (selfservice.exe) – gets icons from StoreFront and displays them in a Window. When an icon is clicked, Self-service passes the ICA file to the ICA Engine to establish a connection.
  • Single Sign-on (SSON) for ICA (ssonsvr.exe) – captures user credentials and submits them to VDAs after an ICA connection is established
  • Workspace Auto-Update (CitrixReceiverUpdater.exe) – Notifies users of Workspace app updates. The most recent name for this component is Citrix Workspace Update.

Custom ICA files are no longer supported. However, Ryan Butler has created a script that asks StoreFront for an ICA file. Explicit credentials are supported. Find the script at Github.

Workspace app Discovery and Beacon Process

If you are using Workspace app’s built-in user interface (instead of a web browser), then Workspace app first prompts you to perform discovery, which is also called Add Account.

The Citrix logo changed in Workspace app 2009 and newer.

The Add Account wizard changed in Workspace app 2108 and newer. Enter a StoreFront FQDN, a Citrix Gateway FQDN, or Citrix Cloud Workspace FQDN. Just enter the FQDN. There’s no need to enter https or a path.

Workspace app will contact the FQDN and request download of the StoreFront Provisioning File.

  • If you entered a StoreFront FQDN, then Workspace app will download the Provisioning File directly from the StoreFront server.
  • If you entered a Gateway FQDN, then Gateway will first prompt the user to authenticate. After authentication, Gateway will connect to its configured Account Services address, and download the Provisioning File from StoreFront. The Account Services address is configured in the NetScaler Gateway Session Profile on the Published Applications tab.

If your StoreFront server is configured with multiple stores, then the user will be prompted to select a store. Unfortunately, there’s no configuration option in NetScaler Gateway to force a particular store.

The Provisioning File downloaded from StoreFront is an XML document containing values for several items configured in the StoreFront console. You can export the Provisioning File from the StoreFront console by right-clicking a Store.

The ReceiverConfig.cr Provisioning File looks something like this:

Here are the values in the Provisioning File:

  • Address – the Base URL configured in StoreFront Console
  • Internal Beacon – as configured in StoreFront Console. This can be the Base URL, or a manually specified URL.
  • External Beacons – as configured in StoreFront Console
  • Gateways – as configured in StoreFront Console. If there are multiple Gateways, when enabling Remote Access on the Store, then only one Gateway is selected as Default
  • SRID – Store ID. An important value to consider for multi-datacenter configurations. The SRID is set when the Store is created. It can also be changed by editing C:\inetpub\wwwroot\Citrix\Roaming\web.config.

Workspace app reads the Provisioning File, and configures itself by inserting the file’s contents into the user’s registry. The values are located under HKCU\Software\Citrix\Dazzle\Sites and HKCU\Software\Citrix\Receiver\SR. If you performed discovery through NetScaler Gateway, notice that the internal Base URL is added to the user’s registry.

Once Workspace app is configured, it then performs the following steps:

  1. Attempt to connect to the Internal Beacon.
  2. If the Internal Beacon is reachable, connect directly to the StoreFront Base URL (Address).
  3. If the Internal Beacon is not reachable:
    1. Attempt to connect to the External Beacons. If the External Beacons are not reachable, then stop attempting to connect.
    2. Connect to the Gateway address configured in the Provisioning File. If there is more than one Gateway, connect to the Gateway that is marked as the Default.

Here are some interesting notes on this connection process:

  • The FQDN you entered during Discovery has absolutely nothing to do with how Workspace app connects to StoreFront or Gateway. The actual connection process is controlled by the contents of the Provisioning File, not the Discovery address.
  • If the Provisioning File has multiple Gateways defined, Workspace app uses whichever Gateway is marked as Default. Workspace app completely ignores whatever Gateway FQDN you entered during Discovery. To use a non-default Gateway, the user must manually select the other Gateway in Workspace app’s Advanced Preferences.

In StoreFront Console, if any configuration changes are performed that affect the Provisioning File, it takes an hour for Workspace apps to reconfigure themselves automatically. Or users can remove Accounts and re-add (or Reset Citrix Workspace) so that the updated Provisioning File is imported.

Here are some additional methods of performing Workspace app Discovery:

  • After exporting the Provisioning File from StoreFront Console, distribute it to users, and ask them to double-click it.


  • After logging in to Receiver for Web (StoreFront), at the top right, click the username, and click Activate. This downloads the receiverconfig.cr file, which is identical to the one you can export from StoreFront Console. The user then must run the downloaded file.

Virtual Monitors

In Workspace app 1812 and newer, when connected to a published desktop on a single monitor, you can split the screen into virtual monitors. This feature is intended for large 4K monitors.

  • In the desktop toolbar at the top of the screen, click Preferences.
  • Switch to the Monitor Layout tab.
  • On the bottom, select Horizontal or Vertical, then click somewhere in the blue box to draw a line. The single monitor will be split along this line. You can set different DPI for each portion of the virtual display.
  • Right-clicking one of the split sections changes that section to the primary display.
  • Click OK when done.
  • In the toolbar, click Window to resize it to a window, and then click Full Screen to cause your virtual monitor configuration to take effect.

Uninstall Old Clients

Workspace app installer can do a force uninstall of old clients before installing the new version:

  • In Workspace app 2309 and newer, run CitrixWorkspaceApp.exe /CleanInstall /Silent
  • In Workspace app 1909 and newer, run CitrixWorkspaceApp.exe /ForceInstall /Silent.
  • In Workspace app 1908 and older (including Receiver), run CitrixWorkspaceApp.exe /RCU /Silent or CitrixReceiver.exe /RCU /Silent.

Citrix CTX325140: How to Remove Client Files Remaining on System after Uninstalling Receiver for Windows.

Installation and Configuration

Administrator privileges – Administrator privileges are required to install any missing prerequisites.

Internet required – Recent versions of Workspace app (e.g., 2311.1) download and install Microsoft Edge WebView2 Runtime, .NET Desktop Runtime 6.0.20, .NET Framework 4.8, and Visual C++. Internet access is required for the Workspace app installer to download these install files. Or there’s also an Offline Installer for Workspace app 2309 and newer.

.NET Desktop Runtime 6.0.20 – Workspace app 2309 and newer will install x86 .NET Desktop Runtime 6.0.20 if it’s not already installed.

This section contains a summary of all common command line switches, registry keys, and policy settings for Workspace app.

Links:

Workspace app 2203 LTSR CU2 and Workspace app 2212 and newer fix security vulnerabilities.

CitrixWorkspaceApp.exe current release version 2311.1 or LTSR version 2203 CU6 Update 1 (aka 22.03.6001) can be installed by simply double-clicking it.

  • LTSR Workspace app does not support Browser Content Redirection.
  • Workspace app 2006 and newer do not support Windows 7.
  • Workspace app 2206 and newer enable DPI Matching by default. DPI Matching can be disabled through client-side group policy, or in the Advanced Preferences in Workspace app 2212 and newer. DPI Matching prevents connections to CVAD 7.15. Multi-session VDAs with version 1912, by default, have DPI Matching disabled, but can be enabled in the VDA’s registry. See CTX460068 for details.

  • Workspace app 2311 and newer have a new interface for installation.


Administrator vs non-administrator

  • Non-administrator – If a non-administrator installs Workspace app, then each non-administrator that logs in to the same workstation will have to reinstall Workspace app.
    • Non-administrator installations are installed to %USERPROFILE%\AppData\Local\Citrix\ICA Client for each user.
  • Administrator – If CitrixWorkspaceApp.exe is installed using an administrator account. then the Workspace app only needs to be installed once.
    • Administrator installations are installed to C:\Program Files (x86)\Citrix\ICA Client.
    • Administrator installations of Workspace app 1912 and newer can be manually upgraded by non-administrators by clicking Check for Updates. Older versions cannot be upgraded by non-administrators.
  • Conflicts – If an administrator install of Workspace app is performed on a machine that has non-administrator installs of Workspace app, then the two installations will conflict. Best option is to uninstall non-admin Workspace app and Receiver before installing admin Workspace app. Otherwise, the user’s profile probably has to be reset before Workspace app is functional again.

Global App Configuration Service

Global App Configuration Service (GACS) is a Citrix Cloud service that can push configurations to Workspace app clients. This Citrix Cloud service is now available to all on-premises customers even if you don’t own any Citrix Cloud entitlements.

  1. Login to https://citrix.cloud.com. If you don’t have a Citrix Cloud account, then login using your Citrix.com account credentials and it will create a Citrix Cloud account.
  2. Use the top left hamburger menu to go to Workspace Configuration.
  3. Switch to the tab named App Configuration.
  4. Click Switch URL.
  5. Near the bottom, click Claim URL.
  6. Click Add URL to add your on-premises StoreFront/Gateway URL. See Citrix Docs for details. GACS uses this URL to determine which Workspace app clients should receive the settings that you configure.
  7. Back in the App Configuration page, you can now configure Workspace app settings as desired. Workspace apps that have stores under the claimed URL will then receive these settings.

Auto-Update

Workspace app supports auto-update.

Some notes:

  • If Workspace app 1912 or newer is installed as administrator, then non-administrators can click Check for Updates to manually update Workspace app. To prevent this, use group policy to disable Citrix Workspace Updates.

    • Older versions of Workspace app cannot be upgraded by non-administrators.
  • If Workspace app is installed on a VDA, auto-update is automatically disabled. This includes Remote PC.
  • Auto-update can be limited to LTSR updates only.
  • Auto-update is configurable through several mechanisms: group policy, StoreFront, Workspace app GUI, installer command line. See Configuring Citrix Workspace Updates at Citrix Docs.
  • Workspace app 2107 and later let users select an Update channel.

  • See George Spiers Citrix Receiver for Windows Auto-Update.

Auto-update is configured using Workspace app group policy under the Citrix Workspace Updates, or Auto-Update node.


Or use Global App Configuration Service.

Workspace app Splash Screen

Workspace app shows a Splash Screen on first launch with the text “Citrix Workspace app extends the capabilities of Citrix Receiver”.

To prevent this splash screen, set the following registry value: (source = Dennis Span on Twitter)

  • Key = HKEY_CURRENT_USER\SOFTWARE\Citrix\Splashscreen
    • Value (REG_SZ) = SplashscreenShown = 1

Add Account Wizard

After installation, Workspace app will launch and ask you to add an account. If Workspace app, notice the checkbox Do not show this window automatically at logon.

FTU (First Time Use aka Add Account Wizard) will be displayed only if a store is not configured. If a store is already configured via command line, GPO, or Citrix Studio, then FTU screen will not be available after installation. Otherwise, FTU can be suppressed by doing one of the following:

  • Rename CitrixWorkspaceApp.exe to CitrixWorkspaceAppWeb.exe.
  • Install using a command line switch:
    • CitrixWorkspaceApp.exe /ALLOWADDSTORE=N
  • Set the registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\EnableFTU=dword:00000000 (or EnableX1FTU =dword:0)
  • Disable the EnableFTU policy setting in Receiver.admx.
  • Change Registry values post installation to suppress the Add Account window. Under HKLM\Software\Wow6432Node\Citrix\Dazzle, set AllowAddStore value to N.
  • Set the registry value: HKEY_LOCAL_MACHINE\Software\Citrix\Receiver\NeverShowConfigurationWizard (REG_SZ) = true
  • Also see Suppressing Add Account dialog at Citrix Docs.

Discover Hidden Stores

When Workspace app is first launched, it must perform Discovery, which is the process of downloading the .xml provisioning file from StoreFront. Discovery is performed by entering a StoreFront FQDN or Gateway FQDN. To discover a hidden store (a store that’s not advertised), add ?StoreName to the end of the FQDN. CTX214819 How to configure Receiver to a Store that is not advertised.

CitrixWorkspaceApp.exe Command line switches

CTX227370 Citrix Workspace app Commandline Tool contains a GUI tool to build your installer command line.
image.png

For unattended installation of Workspace app, see CTA Dennis Span Citrix Workspace App unattended installation with PowerShell or Citrix Receiver unattended installation with PowerShell.

Installer Command Line Switches are detailed at Configure and install Receiver for Windows using command-line parameters at Citrix Docs. Common Command line switches include the following:

  • /silent
  • /includeSSON – enables pass-through authentication. GPO configuration is also required as detailed below.
    CitrixWorkspaceApp.exe /includeSSON
  • /ALLOWADDSTORE=A – by default, only SSL (HTTPS) stores are accepted. To allow non-SSL stores:
    CitrixWorkspaceApp.exe /ALLOWADDSTORE=A
  • /STORE0 – To add a store from the installation command line:
    CitrixWorkspaceApp.exe STORE0="AppStore;https://Citrix.corp.com/Citrix/MyStore/discovery;on;App Store"
    • Workspace App can discover the Store through NetScaler Gateway.
      CitrixWorkspaceApp.exe STORE0="AppStore;https://gateway.corp.com#MyStore;On;App Store"
  • /SELFSERVICEMODE=False – disables the Self-Service interface and enables shortcut-only mode:
    CitrixWorkspaceApp.exe /SELFSERVICEMODE=False
  • /AutoUpdateCheck=auto /AutoUpdateStream=LTSR – enables Citrix Workspace Update notifications and sets it to LTSR Branch only. AutoUpdateCheck can also be set to manual or disabled. AutoUpdateStream can also be set to Current. See Configuring Citrix Workspace Updates at Citrix Docs.
    CitrixWorkspaceApp.exe /AutoUpdateCheck=auto /AutoUpdateStream=LTSR
  • /ENABLEPRELAUNCH=True – enables prelaunch:
    CitrixWorkspaceApp.exe /ENABLEPRELAUNCH=True
  • /ALLOW_CLIENTHOSTEDAPPSURL=1 – enables Local App Access:
    CitrixWorkspaceApp.exe /ALLOW_CLIENTHOSTEDAPPSURL=1

Registry values

HKLM\Software\Wow6432Node\Citrix\Dazzle on the Workspace app machine. All are of type REG_SZ (string) unless specified. Note: several of these are configurable using the Reciever.admx group policy template.

  • SelfServiceMode (REG_SZ) = False – Turns off Workspace app’s Self-Service interface.
  • PutShortcutsOnDesktop (REG_SZ) = True – If Self-Service interface is disabled, places all shortcuts on desktop.
  • UseDifferentPathsforStartmenuAndDesktop (REG_SZ) = True
    • UseCategoryAsStartMenuPath (REG_SZ) = True or False
    • UseCategoryAsDesktopPath (REG_SZ) = True or False
  • StartMenuDir (REG_SZ) = name of folder on Start Menu where shortcuts are placed.
  • DesktopDir (REG_SZ) = name of folder on Desktop where shortcuts are placed
  • EnablePreLaunch (REG_SZ) = True – If SSON is enabled then PreLaunch is already enabled by default.
  • AllowAddStore (REG_SZ) = A – Only if using http (instead of https) to connect to StoreFront.
  • AllowSavePwd (REG_SZ) = A – Only if using http (instead of https) to connect to StoreFront.
  • UserDomainName (REG_SZ) = pre-filled domain name
  • InitialRefreshMinMs (REG_SZ) = 1 – minimizes the launch delay before contacting store
  • InitialRefreshMaxMs (REG_SZ) = 1 – minimizes the launch delay before contacting store
  • RefreshMs (REG_SZ) = 3600000 (1 hour) – interval for Receiver icon refreshes. 1 hour is the default value.
  • MaxSimultaneousFetches (REG_DWORD) = 6  – improves the time of loading icons in Start Menu
  • MaxSimultaneousSubscribes (REG_DWORD) = 6 – improves the time of loading icons in Start Menu
  • DontWarnOfRemovedResources (REG_SZ) = True – prevents dialog boxes when resources are removed from the server. (or False)
  • SilentlyUninstallRemovedResources (REG_SZ) = True – prevents dialog boxes when resources are removed from the server
  • PreferTemplateDirectory (REG_SZ) = UNC path or local path containing shortcuts copied by the prefer keyword. Give the shortcuts a short name.
  • PnaSSONEnabled (REG_SZ) = True – Enables Single Sign-on for PNAgent (Web Interface).
  • WSCReconnectMode (REG_SZ) = 3 (default) – If this Workspace app is running inside a VDA published desktop, set it to 0.
  • AlwaysUseStubs (REG_SZ) = True. Workspace app and Receiver 4.3.100 and newer don’t create .exe stubs by default. Set this to create .exe stubs. Also see Citrix CTX211893 Controlling Shortcut behavior in Receiver 4.3.100.
  • DontCreateAddRemoveEntry (REG_SZ) = True – don’t create “Delivered by Citrix” entries in Programs and Features
  • DesktopNameFormatString = format string for shortcut names – For example “{0}_{1}_{2}_{3}”. See the link for details.
  • SelfServiceFlags (REG_DWORD) = 4 – prevents duplicate shortcuts when roaming and Desktop is redirected.
  • ReEvaluateNetwork (REG_SZ) = true – for Beacon detection with Single FQDN

To prevent the Win+G popup on Windows 10 machines:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR
    • AllowGameDVR (REG_DWORD) = 0

To allow adding non-HTTPS stores to Workspace app:

  • HKLM\Software\Wow6432Node\Citrix\AuthManager
    • ConnectionSecurityMode (REG_SZ) = Any

To increase ICA bandwidth consumption over high latency links, set:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\TCP/IP

To prevent beacon probing from using proxy, set:

  • HKEY_LOCAL_MACHINE\Software\WOW6432Node\Citrix\Receiver\inventory
    • BeaconProxyEnabled (REG_DWORD) = 0

To enable foreground progress bar, set:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client
    • ForegroundProgressBar (REG_DWORD) = 1

For client-to-server file type redirection, set:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\ClientDrive
    • NativeDriveMapping=”TRUE”

To fix USB devices that emulate a keyboard, set:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Keyboard
    • KeyboardTimer=”10”

To prevent “USB Hub Power Exceeded” message, set (not needed in 4.2.100 and newer):

  • HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB (same path for 32-bit and 64-bit, create the keys)
    • DisableInternalDeviceCtlDispatchHook (DWORD) = 0x1

To override the devices that are mapped using optimized channels instead of generic USB, see Citrix CTX123015 How to Configure Automatic Redirection of USB Devices

Group Policy Settings

Copy the Workspace app ADMX template (C:\Program Files (x86)\Citrix\ICA Client\Configuration\receiver.admx) to C:\Windows\PolicyDefinitions (or Sysvol). Also copy receiver.adml to C:\Windows\PolicyDefinitions\en-us (or Sysvol).

Edit a GPO that applies to client machines, go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Workspace and configure the following:

  • To enable pass-through authentication: go to | User Authentication |.
  • To add a store, go to | StoreFront |
    • StoreFront Accounts List – see the help text
  • To enable Auto-Update, go to |AutoUpdate| or |Citrix Workspace Updates|. (the node was renamed in 4.11 and Workspace app)
    • Enable or Disable AutoUpdate or
    • Citrix Workspace Updates
  • To enable Local App Access, go to | User Experience |
    • Local App Access Settings
  • To configure the Self-Service interface, go to | SelfService |
    • Set Manage SelfServiceMode to Disabled to completely disable the Self-Service window. This causes all icons to be placed on the Start Menu.
    • Enable Manage App Shortcut and configure it as desired.
      • To allow the Self-Service window, but prevent it from automatically opening (reside in systray), tick Prevent Citrix Workspace performing a refresh of the application list when opened. Source
    • Enable Control when Workspace attempts to reconnect to existing sessions. If this is a VDA published desktop, set it to Disabled. Otherwise configure it as desired.
    • Set Enable FTU to Disabled  to prevent the Add Account wizard from displaying.
    • Enable Allow/Prevent users to publish unsafe content if publishing content that’s opens a file or file share.

Enable automatic client drive and client microphone mapping.

  • In a client-side GPO, add the GPO ADM template from http://support.citrix.com/article/CTX133565.
  • Enable the setting Create Client Selective Trust Keys. See Below for details.
  • Configure the FileSecurityPermission setting in one or more of the regions.
  • Configure the MicrophoneAndWebcamSecurityPermission setting in one or more of the regions.

Citrix CTX203658 Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100 – Windows 8 and newer

  • Computer Configuration | Policies | Administrative Templates | Windows Components | File Explorer
    • Allow the use of remote paths in file shortcut icons = enabled

Deploy Workspace app using Active Directory

To deploy Workspace app using Active Directory, configure a GPO with a computer startup script that runs the Workspace app installer executable. Citrix provides sample scripts that can be downloaded from one of the Workspace app download pages (Workspace app current release version 2311.1, or LTSR version 2203 CU6 Update 1 (aka 22.03.6001)), by expanding Downloads for Admins (Deployment Tools).

Also see CTA Dennis Span Citrix Receiver unattended installation with PowerShell.

Change Workspace App’s Store Configuration, including Reset Citrix Workspace

You can change Workspace app’s configured Store/Account with a couple command lines:

"C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe" -deleteproviderbyname Corporate 
"C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe" -init -createprovider Corporate https://storefront.corp.com/Citrix/Store/discovery

 

It is sometimes necessary to Reset Citrix Workspace by right-clicking the Workspace app systray icon, clicking Advanced Preferences, and clicking the Reset link. You can do this from the command line by running "C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\CleanUp.exe" -cleanUser -silent. See CTX140149 How to Reset Receiver Using the Command Line.

Workspace app Group Policy ADMX Template

Many of the Workspace app configuration settings must be configured in group policy. These Workspace app settings are only available after installing the GPO templates.

Alternatively, Citrix Cloud customers can use Global App Configuration Service to configure Workspace app. Today it’s a REST API, but Citrix has started adding a GUI at Workspace Configuration > App Configuration.

For GPO configuration:

  1. From a machine that has Workspace app installed, find the .admx and .adml files in the C:\Program Files (x86)\Citrix\ICA Client\Configuration.
    • You can also download the ADMX files from one of the Workspace app download pages (Workspace app current release version 2311.1, LTSR version 2203 CU6 Update 1 (22.03.6001)), by expanding Downloads for Admins (Deployment Tools).
  2. Copy the CitrixBase.admx and receiver.admx files. Also copy the en-US folder. In Workspace app, the files are still named receiver.admx.
  3. Go to your domain’s SYSVOL share and in the Policies folder look for a PolicyDefinitions folder. If one exists, paste the .admx file directly into the PolicyDefinitions folder. If this folder doesn’t exist in SYSVOL, instead copy the .admx file to C:\Windows\PolicyDefinitions. Overwrite any existing Receiver ADMX files.
  4. The GPO settings can then be found at one of the following:
    • Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Workspace
    • Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver
  5. For example, you can disable Customer Experience Improvement Program (CEIP) from here.
  6. See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
  7. Workspace app 1905 and newer has a setting to Disable sending data to 3rd party (e.g., Google Analytics).
  8. Workspace app 1905 and newer let you disable embedded browser caching.
  9. Workspace app 1905 and newer have NetScaler LAN Proxy under Network routing > Proxy.
  10. Workspace app 1808 and newer have User authenticationSingle Sign-on for NetScaler Gateway.
  11. Citrix Workspace Updates, (aka AutoUpdate) can be configured using group policy. See Configuring Citrix Workspace Updates at Citrix Docs.
  12. Workspace app 1912 and newer can be configured to require in-memory ICA files only. The setting called Secure ICA file session launch is under the Client Engine node. See Citrix Docs for details on in-memory ICA files instead of writing ICA files to disk.
  13. The DPI node has a setting called High DPI that lets you disable DPI matching, which is enabled by default in Workspace App 2206 and newer.

    • Workspace app 2210 and newer let you use the GUI to re-enable High DPI.
    • Native resolution means DPI matching, whereas Yes means force high DPI.
  14. Workspace app has settings to hide Advanced Preferences, enable/disable showing the DPI option, and enable/disable H265.
  15. Workspace app 4.8 and newer have SplitDevices GPO setting under Citrix Workspace | Remoting client devices | Generic USB Remoting. See Configuring composite USB device redirection at Citrix Docs.
  16. Workspace app 2212 and newer by default disable App Protection for the authentication screen and icons list. To enable them, configure User authenticationManage App Protection and SelfServiceManage App Protection.

  17. Workspace app 2303 and newer have Anti-DLL Injection for App Protection. It is disabled by default. Enable it in a GPO at Citrix Components | Citrix Workspace | App Protection | Anti-DLL Injection. See Citrix Docs for details.
    App running

Pass-through Authentication

Citrix blog post – A Comprehensive Guide to Enabling Pass-Through Authentication with XenDesktop 7.5

  1. Run the command
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt on a Delivery Controller.

  2. Login to the PC as an administrator.
  3. If installing Workspace app, as an administrator, during installation, on the Enable Single Sign-on page, check the box next to Enable Single Sign-on. Then finish the installation.

  4. To verify that SSON is installed, go to C:\Program Files (x86)\Citrix\ICA Client and look for the file ssonsvr.exe.
  5. And if you open regedit and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order, you should see PnSson in the ProviderOrder.
  6. Install the receiver.admx (and .adml) template into PolicyDefinitions if you haven’t already.
  7. Edit a GPO that is applied to the client PCs where the Workspace app is installed.
  8. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Workspace.
  9. Expand Citrix Workspace and click User authentication.
  10. On the right, double-click Local user name and password.
  11. Select Enabled and then check the box next to Allow pass-through authentication for all ICA connections. Click OK.
  12. In Workspace app 1808 and newer, you can enable Single Sign-on for NetScaler Gateway.
  13. Ensure that the internal StoreFront FQDN is in the Local Intranet zone in Internet Explorer. You can use a GPO to configure this on the client side.
  14. Local Intranet zone should have Automatic logon only in Intranet zone enabled.
  15. For Windows 11 and newer, make sure the GPO setting Enable MPR notifications for the System is not enabled at Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Logon Options. Make sure HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableMPRNotifications is not set to 0 on the Workspace app machine.
  16. Logoff Windows and log back on. In Task Manager you should now see ssonsvr.exe. This won’t appear unless you logoff and log back on.
  17. If Workspace app won’t connect or is slow to enumerate icons, then you might have to disable Automatically detect settings in IE.
  18. Right-click the Workspace app icon and click Advanced Preferences.
  19. Click Configuration Checker.
  20. Check the box next to SSONChecker and click Run.
  21. The lines with red x will indicate the issue and corrective action.

StoreFront Accounts

You can use a client-side GPO to add a store (Account) to Workspace app Self-Service.

  1. Install the receiver.admx (and .adml) template into PolicyDefinitions if you haven’t already.
  2. Edit a GPO that applies to endpoint devices that have Citrix Workspace app installed.
  3. Go to Computer Configuration > Administrative Templates > Policies > Citrix Components > Citrix Workspace > StoreFront.
  4. On the right, double-click NetScaler Gateway URL/StoreFront Accounts List.
  5. Select Enabled, and then click Show.
  6. Enter a store path based on the example shown in the Help box. Workspace app lets you enter a Gateway path. Then click OK.
  7. Note: Gateway paths work in GPO, but might not work when specified in the CitrixWorkspaceApp.exe installation command line.

Published Shortcuts and Reconnect

Citrix CTX200924 How to Customize App Shortcuts with Receiver for Windows

Workspace app has a user interface for setting Shortcut Paths. Right-click the Workspace app systray icon, click Advanced Preferences, and then click Shortcuts and Reconnect, or Settings Option.


From Citrix Docs Configuring application delivery: There are several methods of controlling how Workspace app displays shortcuts on the Start Menu and Desktop as detailed below:

  • Workspace app Registry values
  • receiver.admx GPO Template
  • From StoreFront in C:\inetpub\wwwroot\Citrix\Roaming\web.config
  • Published App Keywords (e.g. prefer).
  • Workspace app and Receiver 4.2.100 and newer supports published app Delivery configuration for adding the shortcut to the desktop. This only works if the app is a Favorite, or if Favorites are disabled, or Mandatory Store.

Under HKLM\Software\Wow6432Node\Citrix\Dazzle (or HKCU\Software\Wow6432Node\Citrix\Dazzle) are several registry values related to shortcuts. Some of the settings only apply if SelfServiceMode is set to False. Here are some common options:

  • SelfServiceMode – set to False so Receiver disables the Self-Service interface and automatically places all published shortcuts on the Start Menu and/or Desktop. More details in Configuring application delivery at Citrix Docs.
  • PutShortcutsOnDesktop – set to True to place every app on the desktop
  • DesktopDir – Workspace app places every shortcut on the desktop so it’s probably best to place them in a folder.
  • StartMenuDir – If there is potentially a conflict between local apps and remote apps, then you should place the Start Menu shortcuts in a folder.
  • PreferTemplateDirectory (with KEYWORDS:prefer=shortcutname) – copies the shortcutname from the template directory to the Start Menu and/or Desktop.

If you import the receiver.admx (and .adml) into the PolicyDefinitions folder, under Computer Configuration > Administrative Templates > Citrix Components > Citrix Workspace (or Receiver) is a node called SelfService.

Disable the Manage SelfServiceMode setting to hide the Workspace app Window.

Enable the Manage App shortcut setting to control placement of shortcuts.

Workspace app and Receiver 4.2.100 and newer have the ability to configure (or disable) Workspace Control using group policy. Enable the setting Control when Citrix Workspace attempts to reconnect to existing sessions and configure it as desired.

Prelaunch

Staring with Receiver 4.2, prelaunch is automatically enabled if Workspace app is installed with SSON enabled. Otherwise, set registry values to enable prelaunch. Receiver 4.2.100 prevents the prelaunch icon from appearing on the Start Menu.

  • HKLM\Software\[Wow6432Node\]Citrix\Dazzle
    • EnablePreLaunch (REG_SZ) = true or false

Additional customizations can be configured at:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch

  • Name: State
    • REG_SZ: 0 = disable, 1 = just-in-time pre-launch, 2 = scheduled pre-launch
  • Name: Schedule
    • REG_SZ: HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The session actually launches between 1:15 p.m. and 1:45 p.m.
  • Name: UserOverride
    • REG_SZ: 0  = HKLM overrides HKCU, 1 = HKCU overrides HKLM

Device Access Behavior (Client Selective Trust)

When connecting to a XenApp/XenDesktop session, you might see the following:

To configure the default behavior, see the Citrix Knowledgebase article How to Configure Default Device Access Behavior of Receiver, XenDesktop and XenApp. Note: there is a bug fixed in Receiver 4.2.100 and newer.

  1. Download the ADMX file from http://support.citrix.com/article/CTX133565.
  2. Copy the .admx and .adml files to PolicyDefinitions (Sysvol, or C:\Windows).
  3. The .adml file goes in the en-US folder.
  4. Edit a GPO that applies to the endpoint devices that are running Receiver.
  5. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Workspace (or Receiver) |  Citrix Client Selective Trust (x64).
  6. Enable the setting Create Client Selective Trust Keys.

  7. Then expand the regions, and configure the permission settings as desired.

Desktop Lock

As an alternative to Workspace app Desktop Lock, see Transformer in Citrix Workspace Environment Manager.

External links:

Use Studio to configure Workspace app Accounts in Published Desktop

In published desktops, Workspace app can be used for placement of shortcuts on the user’s Start Menu and Desktop. Use group policy to hide the common program groups and then use Workspace app to place published applications back on the Start Menu and Desktop based on user’s group membership and subscription preference.

  1. In Citrix Studio, on the left, expand the Configuration node, right-click StoreFront and click Add StoreFront.
  2. Enter a descriptive name for the StoreFront server.
  3. Enter the internal https URL of the load balanced StoreFront servers. Add the path to your store (e.g. /Citrix/Store) and then /discovery on the end of the URL. The full URL would be similar to https://citrix.corp.com/Citrix/Store/discovery. Click OK.
  4. Edit a Delivery Group that has a published desktop and Citrix Workspace app installed.
  5. On the StoreFront page, change the selection to Automatically, using the StoreFront servers selected below, and then check the box next to the StoreFront URL. Click OK. Now when users launch the published desktop, Workspace app will be automatically configured with this URL.

Published Desktop – use Workspace app to control Shortcuts

If you install Workspace app inside a published desktop (Workspace app on a VDA), then Workspace app can get icons from StoreFront and put those icons on the user’s published desktop Start Menu and Desktop. This is an alternative to using a User Experience Management product to control shortcut placement.

Note: Workspace app tends to be slow to create Start Menu shortcuts, so make sure you perform a Proof of Concept to determine how this functionality impacts logon times.

Configuration of Workspace app inside a published desktop is simplified if you have the following minimum versions:

  • Workspace app installed inside the VDA
  • VDA 7.17 or newer
  • StoreFront 3.14 or newer

If you meet these minimum version requirements, then Workspace app installed in the VDA automatically tries to launch published applications on the same local VDA rather than trying to launch them from a different VDA (aka double-hop). This feature is called vPrefer.

Do the following for all versions of Workspace app, VDA, and StoreFront, whether using the Prefer keyword or not:

  1. Make sure Workspace app or Receiver version 4.11 or newer is installed on the VDA.
  2. Install the Workspace app ADMX files if you haven’t already. For vPrefer, make sure they are the ADMX files from Workspace app.
  3. Enable the Group Policy setting Remove common program groups from Start Menu and apply it to non-administrators.
    • This removes all Public (aka All Users) Start Menu shortcuts. Workspace app will re-add the shortcuts based on user group membership.
  4. On the VDA, configure the following Workspace app Registry keys (or corresponding settings in the receiver.admx GPO template):
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle\WSCReconnectMode=”0″ so Workspace app doesn’t try to reconnect to the published desktop you’re already running.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle\SelfServiceMode to False. This turns off the Workspace app Self-Service GUI and acts like all icons are subscribed. Otherwise, only subscribed (favorited) icons would be placed on the Start Menu and Desktop.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle\UseCategoryAsStartMenuPath = True. This creates a Start Menu folder based on the published app’s configured Category.
  5. Configure each desired published app to Add shortcut to user’s desktop.

    • Or, configure HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle\PutShortcutsOnDesktop = True to place all icons on the desktop.
  6. To control icon placement, configure the following registry values:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle\StartMenuDir to place published applications in a sub-folder. Note: Windows Server 2012 and Windows 10 and newer only supports a single level of Start Menu folders, so setting this effectively turns off published app categories.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle\DesktopDir to place published applications in a sub-folder on the desktop.
  7. Pass-through authentication:
    1. In a GPO that applies to the VDA, import the receiver.admx file, and set Local user name and password to Enabled. Check the box next to Allow pass-through authentication for all ICA connections.
    2. If you’re using Gateway internally, and if Workspace app 1808 or newer, then also enable Single Sign-on for NetScaler Gateway.
    3. In a user-level GPO that applies to the VDA, add the StoreFront FQDN to the Local Intranet zone. Make sure it is not in the Trusted Sites zone, or enable Automatic logon with current user name and password for the Trusted Sites zone.
    4. Make sure ssonsvr.exe is running after you login to the VDA. If not, troubleshoot it.
  8. When configuring Citrix Profile Management, make sure !ctx_startmenu! is not excluded from roaming.
  9. In Citrix Studio, configure a Delivery Group with delivery type = Desktop and Applications. Assign users to the delivery group, and the individual published applications (if visibility is limited).
    1. In Citrix Studio, edit each published application, and on the Delivery tab, specify a category. This will become the Start Menu folder name.
    2. If Workspace app Self Service Mode (GUI) is enabled, in Studio, edit each application, and add KEYWORDS:Auto and/or KEYWORDS:Mandatory to the published application description. This forces the applications to be subscribed/favorited. Only subscribed (or Favorite) apps are displayed in the Start Menu and Desktop. Unless you disable Workspace app’s SelfService interface as described earlier.
    3. Another option is to go to the StoreFront Console, click Stores on the left, and on the right, click Configure Store Settings, and click Disable User Subscriptions. This causes all apps to appear on the Start Menu and/or Desktop depending on Workspace app configuration.
  10. Create a group policy that applies to VDAs, and configure the group policy to define the Store URL for Workspace app similar to https://citrix.corp.com/Citrix/Store/discovery. Replace the FQDN with your load balanced StoreFront FQDN. Also replace the path to the store with your store path. Make sure there is /discovery on the end. By default, Workspace app and Receiver only support https.
    1. Your StoreFront store probably delivers both application and desktop icons. If you want to filter out the desktop icons, then create a new StoreFront store, and configure the Workspace app on the VDA to connect to the new Store.
    2. In StoreFront Console, click the store for VDAs, and click Configure Store Settings. On the Advanced Settings page, in the Filter resources by type row, choose Citrix.MPS.Desktop.
  11. For vPrefer in Workspace app, VDA 7.17 (or newer), and StoreFront 3.14 (or newer), edit a GPO that applies to the VDAs.
    1. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Workspace (or Receiver) | SelfService.
    2. Edit the setting vPrefer. This setting is only in Workspace app ADMX templates from Workspace app.
    3. Set it to Allow all apps. Source = 7.17 vPrefer – not working with 32Bit Apps at Citrix Discussions.
  12. On your Delivery Controller, in PowerShell, run set-brokersite -TrustRequestsSentToTheXmlServicePort $true
    • This is required for Pass-through Authentication from Workspace app.
  13. Configure your client devices to connect to the published desktop.
    1. When users connect to the published desktop, Workspace app will auto-launch and hopefully auto-login.
    2. If Workspace app Self-Service Mode is disabled, all published applications should automatically appear in the Start Menu and Desktop.
    3. If Workspace app Self-Service Mode is enabled, then only applications with KEYWORDS:Auto and/or KEYWORDS:Mandatory in the published application description will be displayed. Users can open the systray icon to subscribe to more applications.
    4. Users can copy icons from the Start Menu to the desktop. Make sure the user Copies the icon and doesn’t Move it.
    5. Users can then launch applications directly from the Start Menu, from the Desktop, or from the Workspace app (if the Self-Service interface is enabled).
    6. If Workspace app 4.11 (or newer), VDA 7.17 (or newer), and StoreFront 3.14 (or newer), then vPrefer is enabled by default. When launching an app icon that came from Workspace app, Workspace app checks the local VDA machine to see if the application can be launched on the local VDA instead of by creating a new Citrix double-hop session.
    7. If the application is installed locally on the VDA then the local application shortcut should launch quickly. If the application is on a different delivery group then a second (double-hop) Citrix HDX/ICA connection will be established.
    8. If the user deletes Workspace app shortcuts from the Start Menu, you can get them back by going to the systray icon and refreshing the applications. Or sometimes you have to reset Workspace app.

If you are running components older than Receiver 4.11, VDA 7.17, and StoreFront 3.14, then you’ll need to configure the prefer keyword to get Receiver delivered icons to launch on the local VDA instead of in a new double-hop Citrix connection.

  1. Enable the Group Policy setting Remove common program groups from Start Menu and apply it to non-administrators.
    1. For applications that are installed on the same VDA that is publishing the desktop, configure Group Policy Preferences to recreate the application shortcuts based on Active Directory group membership. Applications on other delivery groups are handled by Receiver.
    2. Or use the prefer keyword to copy shortcuts from the PreferTemplateDirectory.
  2. On the VDA, configure the following Receiver Registry keys (or corresponding settings in the receiver.admx GPO template):
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle\PreferTemplateDirectory = a UNC path or local path containing shortcuts to be copied by the prefer keyword. This can point to C:\ProgramData\Microsoft\Windows\Start Menu.
  3. In Citrix Studio, configure a Delivery Group with delivery type = Desktop and Applications. Assign users to the Delivery Group and the applications (if visibility is limited).
    1. In Studio, edit each application and change KEYWORDS:Prefer to KEYWORDS:prefer. Notice the lower case p. It doesn’t work with uppercase P.
      • With the prefer keyword, if you publish an application that is also created using Group Policy Preferences, the Group Policy Preferences icon will take precedence. This is good. Otherwise the Receiver published application icon would result in a new Citrix double-hop session.
      • See Ralph Jansen Citrix Receiver 4.1 Prefer keyword examples
    2. If using the prefer keyword with the PreferTemplateDirectory, enter it as KEYWORDS:prefer=shortcutname where shortcutname is the name of the shortcut that is copied from the Template directory.
  4. Configure your client devices to connect to the published desktop.
    1. When users connect to the published desktop, Group Policy Preferences will create shortcuts to local applications.
    2. Receiver will auto-launch and hopefully auto-login.
    3. If Receiver Self-Service Mode is disabled, all published applications should automatically appear in the Start Menu and Desktop.
    4. If Receiver Self-Service Mode is enabled then only applications with KEYWORDS:Auto and/or KEYWORDS:Mandatory in the published application description will be displayed. Users can open the systray icon to subscribe to more applications.
    5. For published applications with KEYWORDS:prefer=shortcutname, Receiver should copy icons from the template directory to the Start Menu and/or Desktop. See below for considerations.
    6. Users can copy icons from the Start Menu to the desktop. Make sure the user Copies the icon and doesn’t Move it.
    7. Users can then launch applications directly from the Start Menu, from the Desktop, or from the Receiver (if Self-Service interface is enabled).
    8. If a local shortcut (e.g. Group Policy Preferences shortcut, or copied from template directory) matches a published application with KEYWORDS:prefer then the local shortcut will override the published application icon.
    9. If the application is installed locally on the VDA then the local application shortcut should launch quickly. If the application is on a different delivery group then a second (double-hop) Citrix HDX/ICA connection will be established.
    10. If the user deletes Receiver shortcuts from the Start Menu, you can get them back by going to the systray icon and refreshing the applications. Or sometimes you have to reset Receiver.

Notes regarding Prefer Template Directory

  • Prefer Template Directory can point to C:\ProgramData\Microsoft\Windows\Start Menu, which is the All Users Start Menu.
  • The shortcuts copied from the Prefer Template Directory are renamed to match the published app name.
  • For prefer local apps, any command line parameters specified in the published app are ignored. If you need these command line parameters, add them to the shortcut in the Prefer Template Directory.
  • If you have multiple published apps pointing to the same prefer local shortcut, then only one copy will be made, and it will have the name of only one of the published apps. To workaround this, in the Prefer Template Directory, create separate shortcuts for each published app, and adjust the published app prefer keyword accordingly.
  • Jan Hendrik Meier Automatic Shortcut generation for local installed applications in a Citrix XenDesktop / XenApp 7.x environment has a script that can create shortcuts based on the published apps with prefer keyword. These shortcuts can then be copied to your Prefer Template Directory.

How to Script/Automate Workspace app and Receiver Self-Service

From Citrix Knowledgebase article Driving the Citrix Receiver Self-Service Plug-in Programmatically: by default, Workspace app Self-Service (SSP) activities are driven by user interaction. However, SSP exposes sufficient information for its activities to be scripted.

When SSP builds a shortcut, it builds it to a small stub application in a file %appdata%\Citrix\SelfService\app-name-with-spaces-removed.exe for each resource. These files allow SSP to create a fake ‘install’ record for Add/Remove Software. Running these .exe files causes the application to launch. Note: Workspace app and Receiver 4.3.100 and newer don’t create stubs by default. To enable, set HKLM\Software\Wow6432Node\Citrix\Dazzle\AlwaysUseStubs (REG_SZ) = true.

If you want to drive SSP directly for launch instead of through an .exe stub, look at the keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall. There will be keys in there named farm-name@@server-farm-name.app-friendly-name. In these keys you’ll find a LaunchString value that shows the relevant parameters. These parameters are user-independent and can therefore be cloned from a reference user to a general case. You can copy and reuse these parameters without interpretation.

Running the command selfservice.exe –init –ipoll –exit starts SSP, performs a refresh (interactive poll) from the current provider, and forces a clean exit.

Additional command line parameters are detailed at Driving the Citrix Receiver Self-Service Plug-in Programmatically.

 

Citrix Workspace app come with a .dll file that implements the Citrix Common Connection Manager SDK. You can use the CCM SDK to do the following:

  • Launch Sessions
  • Disconnect Sessions
  • Logoff Sessions
  • Get Session Information

Citrix was kind enough to develop a PowerShell module that calls functions from the .dll. Get the CCMPowershellModule from Github. The PowerShell module contains functions like the following:

  • CCMTerminateApplication
  • CCMLaunchApplication
  • CCMGetActiveSessionCount
  • CCMDisconnectAllSessions

Launcher Scripts

Ryan C Butler Storefront ICA file creator at Github. See Create an ICA File from Storefront using PowerShell or JavaScript for more info.

Stan Czerno – Powershell Script to launch one or more Published Applications from Citrix Storefront 2.x through 3.11: the script launches a browser, connects to StoreFront (or NetScaler Gateway), logs in, and launches an icon. This is a very well-written script that uses a .dll file from Citrix Workspace app to display session information.

Citrix Solutions Lab StoreFront Launcher Script at Github. It attempts to closely resemble what an actual user would do by:

  1. Opening Internet Explorer.
  2. Navigating directly to the Receiver for Web site or NetScaler Gateway portal.
  3. Completing the fields.
  4. Logging in.
  5. Clicking on the resource.
  6. Logging off the StoreFront site.

David Ott StoreFront App/Desktop Launch Testing Script uses Internet Explorer to login to StoreFront and launch a resource. Sends email with the result. Uses wficalib.dll to get session information.

Microsoft Teams

Citrix and Microsoft jointly support the delivery of Microsoft Teams from Citrix Virtual Apps and Desktops using optimization for Microsoft Teams. The Teams optimization components are built into VDA and Workspace app. There is no need to install anything separately. The feature is based on Browser Content Redirection so don’t exclude that feature when installing the VDA.

Microsoft Teams optimization/offloading requires the following:

  • Newest version of Microsoft Teams machine-wide installation (ALLUSER=1)
  • Newest version of Citrix VDA
  • Newest version of Citrix Workspace app.

Feature matrix and version support at Citrix Docs shows the required versions of Teams, Citrix VDA, and Citrix Workspace app for various Teams features.

See Citrix Docs Optimization for Microsoft Teams.

Skype for Business

Citrix has a HDX RealTime Optimization Pack for Workspace app that enables offloading of Skype for Business media protocols to the client device. Here are the available versions:

The HDX RealTime Optimization Pack comes in two pieces: the Connector (on the VDA), and the Media Engine (on the Workspace app machine). Usually both pieces must be the same version, but versions 2.3 and higher now allow version mixing.

24-page Citrix PDF Delivering Microsoft Skype for Business to XenApp and XenDesktop Users.

For Skype for Business Location Based Routing, you’ll need the following: (Source = Citrix Derek Thorslund at Location based routing at Citrix Discussions)

  • Microsoft added support for Location Based Routing (LBR) with the virtualized Skype for Business 2016 client (and HDX RTOP 2.1 and above) in the Click-to-Run (C2R) download quite a long time ago, but it hasn’t yet been introduced in the MSI package.
  • It requires setting IsLBRInVDIEnabled on the Skype for Business Server to True:
    $x = New-CsClientPolicyEntry -Name "IsLBRInVDIEnabled" -Value "true"
    Set-CsClientPolicy -Identity "<ClientPolicyName>” -PolicyEntry @{Add=$x}

When offloading voice and video to Workspace app machines, don’t forget to configure QoS on the client machines. See Citrix Blog Post Implementing the Citrix HDX RealTime Optimization Pack: Don’t Forget About QoS/DSCP.

Citrix CTX222459 RealTime Optimization Pack Capability Checker: It will list out endpoint hardware/software information which will be used to process audio and video. The tool is independent of RealTime Optimization Pack version and runs any Windows machine.

Citrix CTX214237 LOPper – Lync Optimization Pack Log Parser: parses log files generated by Citrix HDX RealTime Optimization Pack (HROP) when an audio/video call is made using Lync 2013/Skype for Business (SfB) and shows relevant information in a UI.

Troubleshooting – Citrix QuickLaunch

Citrix CTX219718 QuickLaunch Tool (Testing Application and Desktop Launch) lets you launch Citrix sessions directly from a Controller without needing StoreFront.

You enter a Controller address, credentials, and then it shows you the published resources. You can pick a resource, edit properties on the other tabs, and then Connect. This allows you to easily try different connection properties.

If you run into problems launching a session, use Sysinternals DebugView while running CQL in Debug mode (/debug switch).

Troubleshooting – Workspace app Logging

In Workspace app 2309 and newer, if you right-click the Workspace app icon in the system tray, there’s a Troubleshooting menu with a Collect Logs option.

You can also access Log Collection from Advanced Preferences.

There are a couple methods of logging Workspace app for Windows operations. One method is CTX141751 Citrix Receiver Diagnostics Tool – For Windows, which creates a CDF trace that can be parsed by CDFControl.

Another method is CTX132883 How to Enable Logging on Receiver for Windows Using Registry Entries. The logfiles in %USERPROFILE%\Appdata\Local\Citrix\ are human readable. And CTX206102 Enable SSON Logging Using Registry Key.

Instead of creating the registry keys manually, you can use the following .reg file provided by Wolfgang Thürr:

Windows Registry Editor Version 5.00

;only for x64 windows os
;import with admin rights
;restart your computer to activate the logging and tracing settings
;create C:\TEMP for the launch ICA log and SSON logn (no environment variables can be used)

;general Workspace app and Receiver logging
;************************
;logpath: %USERPROFILE%\Appdata\Local\Citrix\Receiver
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix]
"ReceiverVerboseTracingEnabled"=dword:00000001

;Authentication Manager logging
;******************************
;logpath: %USERPROFILE%\Appdata\Local\Citrix\AuthManager
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\AuthManager]
"LoggingMode"="verbose"
"TracingEnabled"="True"
"SDKTracingEnabled"="True"

;Self Service logging
;********************
;logpath: %USERPROFILE%\Appdata\Local\Citrix\SelfService
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle]
"Tracing"="True"
"AuxTracing"="True"
"DefaultTracingConfiguration"="global all –detail"

;save launch ICA
;***************
;logpath: C:\TEMP\ica.log (no environemnt variables allowed)
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging]
"LogConfigurationAccess"="true"
"LogConnectionAuthorisation"="true"
"LogEvidence"="true"
"LogICAFile"="true"
"LogFile"="C:\\TEMP\\ica.log"
"LogStartup"="true"

;Receiver Always On Tracing
;**************************
;generates ETL Files for analyzing with CDFControl see CTX111961 for details
;can be configured or overruled by GPOs (icaclient.admx)
;path %USERPROFILE%\AppData\Local\Temp\CTXReceiverLogs
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\AoLog]
"EnableTracing"=dword:00000001

;Single Sign-on Logging
;**************************
;https://support.citrix.com/article/CTX206102
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Install\SSON]
"DebugEnabled"="true"
"LogPath"="C:\\Temp"

Troubleshooting – Duplicate Stores

Stores are sometimes duplicated in Workspace app, especially if you are running Workspace app inside a VDA. (h/t Dan High)

StoreFront URLs can be defined in several places:

  1. In Studio, go to Configuration > StoreFront and delete all URLs configured here.
  2. Look in GPOs for Computer Configuration > Administrative Templates > Policies > Citrix Components > Citrix Workspace > StoreFront > NetScaler Gateway URL/StoreFront Accounts List. Remove any URLs configured here.
  3. In the client-side registry, at HKLM\Software\Wow6432Node\Citrix\Dazzle\Sites, you might see store addresses that were specified during a command line installation of Workspace app.
  4. When Citrix Workspace app switches between StoreFront servers in multiple datacenters, it’s possible for each datacenter to be treated as a separate Workspace app site. This can be prevented by doing the following. From Juan Zevallos at Citrix Discussions:
    1. Match the Base URL in all datacenters.
    2. Match the SRID in all datacenters – The SRID can be safely edited in the C:\inetpub\wwwroot\Citrix\Roaming\web.config. Make sure to propagate changes to other servers in the group.
    3. Match the Delivery Controller names under “Manage Delivery Controllers” – The XML brokers can be different, but the actual name of the Delivery Controller/Farm must be identical.

If you are running Workspace app on a VDA, once you’ve removed the configured URLs shown above, do the following to clean up the VDAs:

  1. On the VDA, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix – Delete the number folders representing policy entries.
  2. On session host VDAs, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Citrix – Remove the entries for storefront in the following folders.
    1. Under \receiver\ctxaccount delete all entries.
    2. Under \SR\Store delete the entries.
  3. On the VDA, C:\ProgramData\CitrixCseCache – Delete all files
  4. On the VDA, C:\ProgramData\Citrix\GroupPolicy – Delete all folders and files.
  5. Run gpupdate and logoff.
  6. In the user’s registry, HKEY_CURRENT_USER or the profile registry hive. Possible profile reset.
    1. Under Software\Citrix\Dazzle\Sites – Delete all entries.
    2. Under Software\Citrix\Receiver\ctxaccount – delete all entries.
    3. Under Software\Citrix\SR\Store – delete the entries.
  7. Verify no cached profile folders for user on server.

StoreFront 3.0 and older Config for NetScaler Gateway

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

Contained on this page are the following topics:

StoreFront Config

  1. See the NetScaler 10.5 page or NetScaler 11 page for instructions on configuring NetScaler Gateway for StoreFront.
  2. In the StoreFront Console, click Authentication on the left. On the right, click Add/Remove Methods.
  3. Check the box next to Pass-through from NetScaler Gateway and click OK.
  4. If you can’t resolve the NetScaler Gateway FQDN from the StoreFront server, edit the C:\Windows\System32\drivers\etc\hosts file and add an entry for the NetScaler Gateway FQDN.

    After configuring the HOSTS file, on the StoreFront server, open a browser and navigate to the DNS name. Make sure the Gateway vServer logon page appears.
  5. In the StoreFront Console, right-click NetScaler Gateway and click Add NetScaler Gateway Appliance.
  6. In the Gateway Settings page, enter a display name. This name appears in Citrix Receiver to make it descriptive. If you have multiple sites, include a geographical name.
  7. Enter the NetScaler Gateway Public URL. The NetScaler Gateway FQDN must be different than the FQDN used for load balancing of StoreFront (unless you are configuring single FQDN). This can be a GSLB-enabled DNS name.
  8. A Subnet IP address is not needed for NetScaler Gateway 10 and newer. However, if the NetScaler Gateway URL is GSLB-enabled then you’ll need to enter the VIP of the NetScaler Gateway Virtual Server so StoreFront can differentiate one NetScaler Gateway from another.
  9. Enter the Callback URL.
    1. In StoreFront 2.6 and newer, the Callback URL is optional. However, SmartAccess requires the Callback URL to be configured.
    2. The callback URL must resolve to any NetScaler Gateway VIP on the same appliance that authenticated the user. For multi-datacenter, edit the HOSTS file on the StoreFront server so it resolves to NetScaler appliances in the same datacenter.
    3. The Callback URL must have a trusted and valid (matches the FQDN) certificate.
    4. The Callback URL must not have client certificates set to Mandatory.
  10. If you have two-factor authentication (LDAP and RADIUS), change the Logon type to Domain and security token. Otherwise leave it set to Domain only.
  11. Click Next.
  12. In the Secure Ticket Authority page, click Add.
  13. Add both of your Controllers. Use http:// or https:// depending on the certificates installed on the Controllers. You can also enter a Load Balancing VIP here. However, you cannot use a Load Balancing VIP when configuring Secure Ticket Authorities on your NetScaler Gateway Virtual Server.
  14. Click Create when done.
  15. Then click Finish.
  16. Click Stores on the left. On the right, click Enable Remote Access.
  17. Select No VPN tunnel.
  18. Check the box next to the NetScaler Gateway object you just created and then click OK.
  19. Then in the StoreFront console, right-click Server Group and click Propagate Changes.

Single FQDN

Docs.citrix.com – Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally

Traditionally Receiver required separate FQDNs for StoreFront Load Balancing (internal) and NetScaler Gateway (external). Recently Citrix made some code changes to accept a single FQDN for both. This assumes that external users resolve the single FQDN to NetScaler Gateway and internal users resolve the same FQDN to StoreFront Load Balancing.

Single FQDN is fairly new and thus has the following requirements:

  • Receiver for Windows 4.2 or newer
  • Receiver for Mac 11.9 or newer
  • StoreFront 2.6 or newer
  • Split DNS – different DNS resolution for internal vs external
  • NetScaler 10.1 or newer

This section assumes NetScaler Gateway is in ICA Proxy mode. Different instructions are needed for when ICA Proxy is off. See docs.citrix.com for more information.

If you don’t care about email-based discovery then the configuration of Single FQDN is fairly simple. Sample DNS names are used below. Make sure the certificates match the DNS names.

  1. Internal DNS name = the Single FQDN (e.g. storefront.corp.com). Resolves to internal Load Balancing VIP for StoreFront. Set the StoreFront Base URL to this address.
  2. External DNS name = the Single FQDN (e.g. storefront.corp.com). Resolves to public IP, which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler. Set the NetScaler Gateway object in StoreFront to this FQDN.
  3. Auth Callback = any internal DNS name (e.g. storefrontcb.corp.com) that resolves to a NetScaler Gateway VIP on the same DMZ NetScaler appliance that authenticated the user.

    • Auth callback is optional if you don’t need SmartAccess features.
    • The callback DNS name must be different than the Single FQDN.
    • Your external NetScaler Gateway certificate could match both the Single FQDN and the Callback FQDN. Or you can create separate NetScaler Gateway Virtual Servers on the same appliance with separate certificates that match these FQDNs.
  4. Internal Beacon = any internal website URL that is not externally accessible. You can’t use the Single FQDN as the Internal Beacon. Ideally, the Internal Beacon should be a new DNS name that resolves to the StoreFront Load Balancing VIP. However, this requires the StoreFront Load Balancing Virtual Server to have a certificate that matches both the Single FQDN and the Internal Beacon. See CTX218708 How to Configure Internal Beacon for Single FQDN on StoreFront.  💡

    • If are using Receiver for iOS internally then be aware that Receiver for iOS handles the Internal Beacon differently than Receiver for Windows. Receiver for iOS will append /Citrix/Store/discovery to the Internal Beacon and thus it only works if the Internal Beacon DNS name resolves to the StoreFront server. Since you can’t use the StoreFront Base URL as the Internal Beacon you’ll need a different DNS name that resolves to the StoreFront servers and matches the StoreFront certificate. Note: if you are not allowing internal iOS devices then this isn’t needed.
  5. Make sure the DMZ NetScaler resolves the Single FQDN to the internal StoreFront Load Balancing VIP. You typically add internal DNS servers to the NetScaler. Or you can create a local address record for the Single FQDN.
  6. In the NetScaler Gateway Session Profile, set the Web Interface Address and the Account Services Address to the Single FQDN.

If you need email-based discovery then here’s an example configuration for ICA Proxy NetScaler Gateway:

  • External DNS:
    • Storefront.corp.com resolves to public IP, which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler.
    • If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to StoreFront.corp.com.
  • External publicly-signed certificate for NetScaler Gateway:
    • One option is wildcard for *.corp.com. Assumes email suffix is also corp.com.
    • Another option is the following Subject Alternative Names:
      • Storefront.corp.com
      • StorefrontCB.corp.com – for callback URL. Only accessed from internal.
        • Or you can create a separate Gateway vServer for callback with a separate certificate.
      • If email-based discovery, discoverReceiver.email.suffix
  • Internal DNS:
    • Storefront.corp.com resolves to Load Balancing VIP for StoreFront
    • StoreFrontCB.corp.com – resolves to NetScaler Gateway VIP on DMZ NetScaler. For authentication callback.
    • For the internal beacon, FQDN of any internal web server. Make sure this name is not resolvable externally.
    • If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to StoreFront.corp.com.
  • Internal certificate for StoreFront Load Balancing: publicly-signed recommended, especially for mobile devices and thin clients. Also can use the external certificate.
    • One option is wildcard for *.corp.com. Assumes email suffix is also corp.com.
    • Another option is the following Subject Alternative Names:
      • Storefront.corp.com
      • If email-based discovery, discoverReceiver.email.suffix

StoreFront Configuration:

  • Base URL = https://storefront.corp.com
  • Internal beacon = FQDN of internal web server. Make sure it’s not resolvable externally.
  • Gateway object:
    • Gateway URL = https://storefront.corp.com
    • Callback URL = https://storefrontcb.corp.com

Receiver for Web session policy (basic mode or ICA Only is checked):

  • Policy expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  • Client Experience tab:
    • Home page = https://storefront.corp.com/Citrix/StoreWeb
    • Session Timeout = 60 minutes
    • Clientless Access = Off
    • Clientless Access URL Encoding = Clear
    • Clientless Access Persistent Cookie = Deny
    • Plug-in Type = Windows/Mac OS X
    • Single Sign-on to Web Applications = checked
  • Security tab:
    • Default authorization = ALLOW
  • Published Applications tab:
    • ICA Proxy = On
    • Web Interface address = https://storefront.corp.com/Citrix/StoreWeb
    • Web Interface Portal Mode = Normal
    • Single Sign-on Domain = Corp

Receiver Self-Service session policy (basic mode or ICA Only is checked):

      • Policy expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
      • Client Experience tab:
        • Session Timeout = 60 minutes
        • Clientless Access = Off
        • Clientless Access URL Encoding = Clear
        • Clientless Access Persistent Cookie = Deny
        • Plug-in Type = Java
      • Security tab:
        • Default authorization = ALLOW
      • Published Applications tab:
        • ICA Proxy = On
        • Web Interface address = https://storefront.corp.com
        • Web Interface Portal Mode = Normal
        • Single Sign-on Domain = Corp
        • Account Services address = https://storefront.corp.com

Multiple Datacenters / Farms

If you have StoreFront (and NetScaler Gateway) in multiple datacenters, GSLB is typically used for the initial user connection but GSLB doesn’t provide much control over which datacenter a user initially reaches. So the ultimate datacenter routing logic must be performed by StoreFront. Once the user is connected to StoreFront in any datacenter, StoreFront looks up the user’s Active Directory group membership and gives the user icons from multiple farms in multiple datacenters and can aggregate identical icons based on farm priority order. When the user clicks on one of the icons, Optimal Gateway directs the ICA connection through the NetScaler Gateway that is closest to the destination VDA. Optimal Gateway requires datacenter-specific DNS names for NetScaler Gateway.

Docs.citrix.com Set up highly available multi-site store configurations explains configuring XML files on StoreFront to aggregate identical icons from multiple farms/sites. Identical Icons are aggregated in farm priority order or load balanced across multiple farms. To specify a user’s “home” datacenter, configure different farm priority orders for different Active Directory user groups.

Shaun Ritchie Citrix StoreFront High Availability and Aggregation – A dual site Active Active design has a sample multi-site configuration using XML Notepad and explains how to use the Primary and Secondary keywords to override farm priority order.

Citrix Blogs StoreFront Multi-Site Settings: Some Examples has example XML configurations for various multi-datacenter Load Balancing and failover scenarios.

When Citrix Receiver switches between StoreFront servers in multiple datacenters, it’s possible for each datacenter to be treated as a separate Receiver site. This can be prevented by doing the following. From Juan Zevallos at Citrix Discussions: To have multiple StoreFront deployments across a GSLB deployment, here are the StoreFront requirements:

  • Match the SRID – in StoreFront, if you use the same BaseURL in the 2 separate installations, then the SRID should end up being identical. If the BaseURL is changed after the initial setup, the SRID doesn’t change. The SRID can be safely edited in the \inetpub\wwwroot\Citrix\Roaming\web.config file. It will be replicated into the discovery servicerecord entry in the Store web.config which can be edited as well or refreshed from the admin console by going into Remote Access setup for the store and hitting OK. Make sure to propagate changes to other servers in the group.
  • Match the BaseURL
  • Match the Delivery Controller names under “Manage Delivery Controllers” – The XML brokers can be different, but the actual name of the Delivery Controller/Farm must be identical. Here’s the exact setting I’m referring to: https://citrix.sharefile.com/d/sa562ba140be4462b

If you are running XenApp / XenDesktop in multiple datacenters, you must design roaming profiles and home directories correctly.

Optimal Gateway

The Optimal Gateway feature lets you override the NetScaler Gateway used for ICA connections. Here are some scenarios where this would be useful:

  • The NetScaler Gateway Virtual Server requires user certificates. If ICA traffic goes through this Virtual Server then each application launch will result in a certificate prompt. Use Optimal Gateway to force ICA connections through a different NetScaler Gateway Virtual Server that doesn’t have certificate authentication enabled. Note: Callback URL also cannot use a NetScaler Gateway Virtual Server where client certificates are set to Mandatory.
  • Multi-site Load Balancing. If the icon selected by the user is published from XenApp/XenDesktop in Datacenter A, then you probably want the ICA connection to go through a NetScaler Gateway Virtual Server in Datacenter A. This requires separate NetScaler Gateway DNS names for each datacenter. Also, Optimal Gateway is applied at the farm/site level so if you are stretching a farm across datacenters then Optimal Gateway won’t help you.
  • NetScaler Gateway for internal connections (AppFlow). If you want to force internal users to go through NetScaler Gateway so AppFlow data can be sent to Citrix Insight Center then you can do that using Optimal Gateway even if the user originally connected directly to the StoreFront server. See How to Force Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront for more information.

Optimal Gateway is configured by editing the StoreFront Store’s web.config file. See Docs.citrix.com: To configure optimal NetScaler Gateway routing for a store. For an example configuration see Docs.citrix.com: Examples of highly available multi-site store configurations.

Optimal Gateway works great if you have separate XenDesktop sites/farms in each datacenter. However, for those of you with a central XenDesktop site running globally dispersed VDAs and a NetScaler Gateway in each location, or a single globally distributed XenApp farm (which I know an awful lot of you still have), see the Citrix blog post – How to direct remote XenApp/XenDesktop users based on active directory group membership:

    1. On a Load Balancing NetScaler, create multiple StoreFront load balancers. Each has a unique Net Profile with a unique SNIP.
    2. On StoreFront, create multiple Gateway objects, each with a SNIP that matches the Net Profiles created on the load balancer. Each Gateway object has a datacenter-specific Gateway FQDN.
    3. On each NetScaler Gateway:
      1. Configuration LDAP group extraction.
      2. Create a session policy for each datacenter pointing to the one of the StoreFront Load Balancers.
      3. Create AAA groups and bind the session policies.

Gateway in Closest Datacenter

Citrix Blog post ‘Accurately’ Direct XenApp/XenDesktop Users to a Correct Location Based Datacenter:

  • An unsupported extension to StoreFront
  • Read’s the client’s IP and looks it up in a location database (GeoLite2) to determine the user’s closest datacenter
  • Adjusts the Gateway FQDN in the rendered .ica file to direct users to the closest datacenter.
  • Requires datacenter-specific or region-specific Gateway DNS names.
  • Every NetScaler Gateway should know about every potential Secure Ticket Authority server.

Multiple Gateways to One StoreFront

If you have multiple NetScaler Gateways connecting to one StoreFront Server Group, and if each of the NetScaler Gateways uses the same DNS name (GSLB), then you will need some other method of distinguishing one appliance from the other so the callback goes to the correct appliance.

  • In the StoreFront console, create multiple NetScaler Gateway appliances, one for each datacenter. Give each of them unique names.
  • Enter the same NetScaler Gateway URL in all of the gateway appliances. Since all of the appliances use the same DNS name, you cannot use the DNS name to distinguish them.
  • Each appliance has a different NetScaler Gateway VIP. This VIP can be entered in the Subnet IP field. StoreFront will use this VIP to distinguish one appliance from another. The field label is SNIP but we actually need to enter a VIP.
  • The callback URL must be unique for each Gateway appliance. The callback URL must resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. Create new datacenter-specific DNS names. For example: gateway-prod.corp.com and gateway-dr.corp.com.
  • The datacenter-specific DNS name must match the certificate on the NetScaler Gateway Virtual Server. Here are some options to handle the certificate requirement:
    • On the main NetScaler Gateway Virtual Server, assign a wildcard certificate that matches both the GSLB name and the datacenter-specific name.
    • On the main NetScaler Gateway Virtual Server, assign an SSL certificate with Subject Alternative Names for both the GSLB name and the datacenter-specific name.
    • Create an additional NetScaler Gateway Virtual Server on the appliance. Bind a certificate that matches the datacenter-specific name.
  • Configure name resolution for the datacenter-specific NetScaler Gateway DNS names. Either edit the HOSTS file on the StoreFront servers or add DNS records to your DNS servers.
  • When enabling Remote Access on the store, select both Gateway appliances. Select one as the default appliance.

Related Pages

Additional StoreFront Configuration

NetScaler 10.5