NetScaler VPX in Azure Deployment Guide - Citrix Docs [PDF]

Creating a NetScaler VPX Deployment in Microsoft Azure Reference Architecture

Produced by Citrix Solutions Lab This guide will walk you through an example of how to manually install a NetScaler VPX instance into Microsoft Azure and then configure NetScaler for external Citrix Workspace Cloud – Apps and Desktops Service connections through StoreFront. Updated October 2015

© 1999-2015 Citrix Systems, Inc. All Rights Reserved. ards or Solutions Lab Team

Table of contents Section 1: Executive summary .................................................................... 4 Audience .................................................................................................................... 4 Project Overview........................................................................................................ 4 Disclaimer .................................................................................................................. 4

Section 2: Pre-Installation Requirements .................................................... 5 Section 3: How to manually add a NetScaler VPX in Azure ........................ 6 Objective .................................................................................................................... 6 Addendum .................................................................................................................. 25

Section 4: How to obtain and license a NetScaler VPX system ................ 25 Section 5: NetScaler VPX SSL\Certificate configuration ........................... 34 Section 6: Configure NetScaler DNS settings ........................................... 41 Section 7: Enable the NetScaler Modes and Features.............................. 43 Section 8: How to integrate with XenApp and XenDesktop....................... 45 Section 9: Configuration of the Citrix Workspace Cloud – Apps and Desktops environment ............................................................................... 58 Section 10: External Client Connections .................................................. 60 Section 11: References ............................................................................ 61


Section 1: Executive summary Citrix Workspace Cloud simplifies the management of virtual applications, desktops, mobile devices, and data sharing with its cloud-based management platform. You can choose whether you put your resources (hypervisors, VDAs, and StoreFront servers, for example) on premises or in a private or public cloud.

This document will examine the placement of a single NetScaler VPX instance residing in the Microsoft Azure isolated cloud resource and leveraging the broker from Citrix Workspace Cloud and StoreFront from either the Azure Cloud or from the Citrix Workspace Cloud broker for external connections. The use of an existing VDA resource will not be covered within this document. This document works from the assumption that the reader has an existing Azure account, and at a minimum has configured an Active Directory/DNS server within the Azure environment.

For additional Workspace Cloud information, visit: www.citrix.com/WorkspaceCloud

Audience This document is intended for IT decision makers, architects, and partners who are new or first-‐time users to NetScaler VPX and the configuration of the XenApp/XenDesktop deployment through StoreFront for external connections.

Project Overview This project deploys and manages systems from a single cloud source – Azure. New customers can then use the Workspace Cloud Apps and Desktops Service for further management and control. This document covers the NetScaler VPX installation and configuration, and StoreFront connections for external users. Visit http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud.html for Workspace Cloud documentation.

Disclaimer This guide is not intended to constitute legal advice. Customers should consult with their legal counsel regarding compliance with laws and regulations applicable to their particular industry and intended use of Citrix products and services. Citrix makes no warranties, express, implied, or statutory, as to the information in this document.


4

Section 2: Pre-Installation Requirements The following check list of requirements should be completed before additional configuration: • • • •

• • • • •

A Microsoft Azure account and access to the Azure portal console. Configuration of an Azure Cloud Service. The use of an existing Azure Region/Affinity Group/Virtual Network. Azure Virtual Machine running instances of the following systems: Microsoft domain controller with DNS configured, 2x Citrix Workspace Cloud Connector systems, one or more shared hosted desktop systems with the Citrix VDA installed, and a NetScaler 10.5 or 11.x system. An account on MyCitrix.com with access to obtaining Citrix licenses. A valid third party server and root PEM certificates to be placed on the NetScaler system. An external FQDN -‐ DNS A record or CANME record; this will be used by the NetScaler system and ties in with the above third party certificate. A Citrix Workspace Cloud Apps and Desktops environment with the StoreFront -‐ NetScaler Gateway setting configured. One or more external client systems with Citrix Receiver installed with Internet access.


5

Section 3: How to manually add a NetScaler VPX in Azure Objective The NetScaler VPX deployment in Azure will provide external access to resources placed into an Azure environment, allowing the Workspace Cloud resources to leverage the environment. A single NetScaler VPX instance was used for this configuration and can offer 1,500 external user connections. This document will not go into details on how to create and configure an Azure resource zone, configuration of security groups and general networking and the Workspace Cloud Apps and Desktops Service configuration specifics.

The following links provide guidelines for deploying a NetScaler VPX in Azure: Microsoft Azure Documentation: http://azure.microsoft.com/en-‐us/marketplace/partners/sharefile/netscaler-‐vpx-‐bring/ Citrix Product Documentation: http://docs.citrix.com/en-‐us/netscaler/10-‐5/vpx/deploy-‐vpx-‐on-‐azure/vpx-‐azure-‐release-‐notes.html http://docs.citrix.com/en-‐us/netscaler/10-‐5/vpx/deploy-‐vpx-‐on-‐azure/configure-‐vpx-‐on-‐azure.html Citrix Deployment Guidelines: http://docs.citrix.com/en-‐us/netscaler/10-‐5/vpx/deploy-‐vpx-‐on-‐azure.html https://www.citrix.com/content/dam/citrix/en_us/documents/products-‐solutions/netscaler-‐vpx-‐deployment-‐with-‐ xendesktop-‐and-‐xenapp-‐on-‐microsoft-‐azure.pdf https://www.citrix.com/content/dam/citrix/en_us/documents/products-‐solutions/netscaler-‐on-‐microsoft-‐azure-‐solution-‐ brief.pdf Misc Info: http://blogs.citrix.com/2015/05/28/citrix-‐netscaler-‐vpx-‐on-‐microsoft-‐azure-‐accelerates-‐your-‐applications-‐in-‐the-‐cloud/


6

Navigate to https://portal.azure.com and log on using your Microsoft Azure credentials.


7

From the Azure portal site, select the Marketplace tile.


8

Search for Citrix NetScaler, then select the BYOL option and select Create.

Note: For this configuration example, the Classic deployment model will be used.


9

Provide the host name, user name and password.


10

Select the Pricing option and choose a selection. The recommended base option is the A2 Standard.


11

Select the Optional Configuration for Network. Within this section, we need to verify the correct IP subnet that will be used along with adding some additional endpoints. Within this configuration, only a single virtual network will be used. The virtual network should be the same as where your Microsoft Domain Controller resides. Verify the virtual network and subnet then select the OK button under Network settings.


12

We now need to configure some additional endpoints for connectivity. Add in endpoints for both HTTP and HTTPS, as seen here, then click the OK button for the Endpoint configuration section. Endpoint mappings are done on a per-‐VM basis. Azure performs port address translation for mapping public ports to private ports for requests.

Note: Both the SSH and HTTP endpoints are added to access and manage the initial NetScaler configuration. Once you have confirmed and completed your configuration, the best practice will be to remove both SSH and HTTP. Then all further NetScaler management will be done from within a VM hosted in the Azure resource zone using the Private IP address. Refer to the Port Usage Guidelines section for additional details: http://docs.citrix.com/en-‐us/netscaler/10-‐5/vpx/deploy-‐vpx-‐on-‐azure.html The following ports are reserved by the NetScaler virtual machine. You cannot define these as private ports when using the cloud service IP address for requests from the Internet. Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000.


13

This completes the Optional config section. Click the OK button.


14

The resource group placement of the NetScaler VPX needs to reside in the same group that your Microsoft domain controller\DNS server resides. Verify the correct resource group is selected and click OK to continue. First, obtain the resource group and virtual network/subnet settings from your domain controller.


15

Now, when selecting the resource group, ensure it's the same as above.


16

Once you have verified all sections for this VM, click the Create button.


17

Review the Offer details and click Create.

During the NetScaler deployment, you should see this within your Azure portal. This process can take 10-‐20 minutes to complete.


18

Upon completion, the following will be displayed.


19

You now need to set both the private IP address to static assigned to the NetScaler VPX.

Note: Citrix recommends setting the private IP address to static. For additional details, refer here: http://docs.citrix.com/en-‐us/netscaler/10-‐5/vpx/deploy-‐vpx-‐on-‐azure/configure-‐vpx-‐on-‐azure.html


20

From a VM system part of the same resource group that the NetScaler VPX was added to, using an internet browser, connect to the private IP obtained in the previous step. Log on using the username and password defined during the creation process. Once you have logged on, select the "2" option for subnet IP address.


21

The NetScaler Subnet IP (SNIP) is not an item that needs to be configured in Azure; select the option Do It Later to skip this.


22

Now select the "4" option for licenses.

For now, click Do It Later as this will be covered in a later section within this document.


23

Finally, click the Continue button to finish the Welcome process.


24

Addendum

Section 4: How to obtain and license a NetScaler VPX system Customers new to NetScaler will need to obtain a NetScaler VPX Express license. The below steps will guide you through this process. Allocate a license from the My Account Portal as detailed below: http://support.citrix.com/article/CTX131387 For adding a NetScaler license, first you need to obtain your NetScaler Host ID. This will be used in the Citrix -‐ My Account license allocation process.


25

To obtain a NetScaler VPX Express license, first create or login to your account at mycitrix.com.

Once you have logged in, proceed to the Downloads area.


26

Search for “NetScaler VPX Express License”.

Select the option for NetScaler VPX Express License.


27

From the information page for NetScaler VPX Express, scroll to the very bottom of the page.

Expand the License option down arrow and select Get License.


28

Please read and accept the End-‐User License Agreement.

Click on the Serial Number shown.


29

By clicking on the Serial Number link, you will be redirected to the Activate and Allocate License area within your account.

Enter the NetScaler Host ID and click Continue.

Verify the information shown is correct and click Confirm.


30

The following dialog box will appear, click OK to download the license file.

Click the Download button.

Once the .lic file has been downloaded, you can log out of the Citrix -‐ My Account portal. You will then need to log on to the NetScaler management console to proceed further.


31

Select System, Licenses, Manage Licenses from your NetScaler console.

Click the Add New License button.


32

Browse to the .lic file to upload and then click to Reboot once complete.

Upon reboot, your NetScaler system should display the following licensed features.


33

Section 5: NetScaler VPX SSL\Certificate configuration For security concerns, external connections to a NetScaler system will require the use of SSL and certificates. For this configuration, the use of a third party SSL server and intermediate\Root Wildcard PEM certificates will be used. For additional details, please refer to Citrix online documentation. http://docs.citrix.com/en-‐us/netscaler-‐gateway/10-‐5/ng-‐configuration-‐mgmt-‐wrapper-‐con/ng-‐certificate-‐ wrapper-‐con.html

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificatewrapper-con/ng-install-signed-cert-on-ng-tsk.html http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificatewrapper-con/ng-create-csr-tsk.html

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificatewrapper-con/ng-install-signed-cert-on-ng-tsk.html http://support.citrix.com/article/CTX109260

SSL v3 security info:

http://support.citrix.com/article/CTX200238


34

Right click the "!" option to enable the SSL Feature.


35

Select the option to Manage Certificates.

Select the option to Upload your certificates. You will also need to upload the .key file associated with this certificate. In the case below, a third party wildcard certificate was used along with the intermediate and RootCA certificate.


36

Once you have added all the certificates, click the Close button.

Install the uploaded certificates.


37

Fill in the details as needed, then click the Install button.

You also need to install the intermediate and/or root certificate as in the above case since a third party wildcard certificate was used.


38

Once complete, you should now see the following certificates installed.


39

Link the wildcard certificate to the intermediate\root certificate.


40

Section 6: Configure NetScaler DNS settings The configuration of the DNS settings within NetScaler are needed in order for later connectivity for STA server connections.

http://support.citrix.com/article/CTX109556 It is not required to configure DNS suffix addresses.

Click the Add button from DNS/Name servers.

Fill in the IP Address of your DNS name server, leaving UDP for the Protocol type, then click Create.


41

Ensure that both states are "Enabled" and "Up".


42

Section 7: Enable the NetScaler Modes and Features The following specific NetScaler modes and features have been enabled for this use case configuration based on the basic (ICA Proxy) connectivity.


43

Modes:

Basic Features:


44

Section 8: How to integrate with XenApp and XenDesktop For this NetScaler configuration the basic (ICA Proxy) mode will be utilized. https://www.citrix.com/content/dam/citrix/en_us/documents/products-‐solutions/citrix-‐netscaler-‐gateway-‐secure-‐remote-‐ access-‐from-‐anywhere-‐on-‐any-‐device.pdf •

Basic Mode, also known as ICA Proxy mode, is licensed (unlimited) by your NetScaler Gateway Platform license. The ICA Proxy session mode means basic ICA connections only for launching of a Citrix XenApp or XenDesktop session.

From the NetScaler Configuration menu, select NetScaler Gateway -‐ Virtual Servers and click the Add button.


45

Provide a Virtual Server Name and IP address based on the NetScaler private IP address within Azure; for the port setting, this is based on the Azure endpoint that is configured for HTTPS. Click the More option.


46

From the drop down, select "ICA Only" and click OK to complete the Basic Settings section.

Now, select the Server Certificate option.


47

Select the arrow to expand the menu.

Select your existing wildcard certificate and click OK.


48

Once you certificate is selected, click Bind.

Click OK to complete the certificates section.


49

Click Continue to skip the Authentication section.

For security best practices, it's suggested to remove the check box for SSLv3.

http://support.citrix.com/article/CTX200238 Select to add the SSL Parameters option.


50

Uncheck the SSLv3 option and click OK.


51

We now need to add a section for the published applications; this is used to configure the STA (Secure Ticket Authority) server settings.

Click to expand the STA Server settings option.


52

For this configuration, the STA server settings will be the Citrix Workspace Cloud Connector systems; these need to pre-‐exist in your resource zone. Click Bind to complete the add process. Repeat this step if any additional STA servers need to be added. If the Cloud Connectors reside in an Azure resource zone, these would be the Private IP addresses.

Verify the STA servers are in the Up state then click Close to complete the process.


53

Once you have completed the Published Application section click Done at the very bottom to finalize the Virtual Server configuration.


54

At this point you will need to save your NetScaler configuration.

Once the save is complete, click the Refresh option.


55

Verify the Virtual Server is now shown in the Up state.

NetScaler CLI verification of "ICA Only" mode:

The NetScaler CLI equivalent of the above would be the following: "set vpn vserver -icaonly on" (for Basic mode)


56


57

Section 9: Configuration of the Citrix Workspace Cloud – Apps and Desktops environment Consult with your domain name internet provider to configure and obtain a CNAME record for the external NetScaler connection. First, determine your Azure portal NetScaler computer name. See the screenshot below for reference; this will be the host that your CNAME record points too.


58

For this example, using a popular domain name provider, the following CNAME Record was configured.

For access to cloud-‐hosted Storefront connections to the Citrix Workspace Cloud, you need to configure the Storefront\NetScaler Gateway connection info. Note: this is the Host name from your CNAME Record, configured to use port 443 shown in the example below. For additional details see the Use Case #1: Cloud-‐hosted Storefront section: http://docs.citrix.com/en-‐us/workspace-‐cloud/apps-‐desktops-‐service/setting-‐up-‐storefront.html


59

Section 10: External Client Connections External Receiver users can now connect using the Citrix Workspace Cloud -‐ Storefront site. From an internet browser, connect to your Citrix Workspace Cloud -‐ Customer site and append the /Citrix/StoreWeb/ Example: https://.xendesktop.net/Citrix/StoreWeb/


60

Section 11: References Citrix Workspace Cloud -‐ Apps and Desktops Info: http://docs.citrix.com/content/dam/docs/en-‐us/workspace-‐cloud/downloads/workspace-‐cloud-‐apps-‐desktop-‐ services-‐for-‐new-‐customers-‐reference-‐architecture.pdf http://docs.citrix.com/content/dam/docs/en-‐us/workspace-‐cloud/downloads/workspace-‐cloud-‐apps-‐desktop-‐ service-‐on-‐premises-‐resource-‐reference-‐architecture.pdf


61

Corporate Headquarters Fort Lauderdale, FL, USA

India Development Center Bangalore, India

Latin America Headquarters Coral Gables, FL, USA

Silicon Valley Headquarters Santa Clara, CA, USA

Online Division Headquarters Santa Barbara, CA, USA

UK Development Center Chalfont, United Kingdom

EMEA Headquarters Schaffhausen, Switzerland

Pacific Headquarters Hong Kong, China

About Citrix Citrix (NASDAQ:CTXS) is leading the transition to software-defining the workplace, uniting virtualization, mobility management, networking and SaaS solutions to enable new ways for businesses and people to work better. Citrix solutions power business mobility through secure, mobile workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. With annual revenue in 2014 of $3.14 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com Copyright © 2015 Citrix Systems, Inc. All rights reserved. NetScaler and Workspace Cloud are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.


62