Creating a NetScaler VPX Deployment in Microsoft Azure Reference Architecture
Produced by Citrix Solutions Lab
This guide will walk you through an example of how to manually install a NetScaler VPX instance into Microsoft Azure and then configure NetScaler for external Citrix Workspace Cloud – Apps and Desktops Service connections through StoreFront.
Updated October 2015
© 1999-2015 Citrix Systems, Inc. All Rights Reserved. ards or Solutions Lab Team
Table of contents
Section 1: Executive summary
    Audience
    Project Overview
    Disclaimer
Section 2: Pre-Installation Requirements
Section 3: How to manually add a NetScaler VPX in Azure
    Objective
    Addendum
Section 4: How to obtain and license a NetScaler VPX system
Section 5: NetScaler VPX SSL\Certificate configuration
Section 6: Configure NetScaler DNS settings
Section 7: Enable the NetScaler Modes and Features
Section 8: How to integrate with XenApp and XenDesktop
Section 9: Configuration of the Citrix Workspace Cloud – Apps and Desktops environment
Section 10: External Client Connections
Section 11: References
Section 1: Executive summary
Citrix Workspace Cloud simplifies the management of virtual applications, desktops, mobile devices, and data sharing with its cloud-based management platform. You can choose whether you put your resources (hypervisors, VDAs, and StoreFront servers, for example) on premises or in a private or public cloud.
This document will examine the placement of a single NetScaler VPX instance residing in the Microsoft Azure isolated cloud resource and leveraging the broker from Citrix Workspace Cloud and StoreFront from either the Azure Cloud or from the Citrix Workspace Cloud broker for external connections. The use of an existing VDA resource will not be covered within this document. This document works from the assumption that the reader has an existing Azure account, and at a minimum has configured an Active Directory/DNS server within the Azure environment.
For additional Workspace Cloud information, visit: www.citrix.com/WorkspaceCloud
Audience
This document is intended for IT decision makers, architects, and partners who are new or first-time users of NetScaler VPX and of the configuration of a XenApp/XenDesktop deployment through StoreFront for external connections.
Project Overview
This project deploys and manages systems from a single cloud source – Azure. New customers can then use the Workspace Cloud Apps and Desktops Service for further management and control. This document covers the NetScaler VPX installation and configuration, and StoreFront connections for external users. Visit http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud.html for Workspace Cloud documentation.
Disclaimer
This guide is not intended to constitute legal advice. Customers should consult with their legal counsel regarding compliance with laws and regulations applicable to their particular industry and intended use of Citrix products and services. Citrix makes no warranties, express, implied, or statutory, as to the information in this document.
Section 2: Pre-Installation Requirements
The following checklist of requirements should be completed before additional configuration:
• A Microsoft Azure account and access to the Azure portal console.
• Configuration of an Azure Cloud Service.
• The use of an existing Azure Region/Affinity Group/Virtual Network.
• Azure Virtual Machine running instances of the following systems: Microsoft domain controller with DNS configured, 2x Citrix Workspace Cloud Connector systems, one or more shared hosted desktop systems with the Citrix VDA installed, and a NetScaler 10.5 or 11.x system.
• An account on MyCitrix.com with access to obtaining Citrix licenses.
• A valid third party server and root PEM certificates to be placed on the NetScaler system.
• An external FQDN - DNS A record or CNAME record; this will be used by the NetScaler system and ties in with the above third party certificate.
• A Citrix Workspace Cloud Apps and Desktops environment with the StoreFront - NetScaler Gateway setting configured.
• One or more external client systems with Citrix Receiver installed with Internet access.
Section 3: How to manually add a NetScaler VPX in Azure
Objective
The NetScaler VPX deployment in Azure will provide external access to resources placed into an Azure environment, allowing the Workspace Cloud resources to leverage the environment. A single NetScaler VPX instance was used for this configuration and can offer 1,500 external user connections. This document will not go into detail on how to create and configure an Azure resource zone, on the configuration of security groups and general networking, or on the specifics of the Workspace Cloud Apps and Desktops Service configuration.
The following links provide guidelines for deploying a NetScaler VPX in Azure:
Microsoft Azure Documentation:
http://azure.microsoft.com/en-us/marketplace/partners/sharefile/netscaler-vpx-bring/
Citrix Product Documentation:
http://docs.citrix.com/en-us/netscaler/10-5/vpx/deploy-vpx-on-azure/vpx-azure-release-notes.html
http://docs.citrix.com/en-us/netscaler/10-5/vpx/deploy-vpx-on-azure/configure-vpx-on-azure.html
Citrix Deployment Guidelines:
http://docs.citrix.com/en-us/netscaler/10-5/vpx/deploy-vpx-on-azure.html
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-vpx-deployment-with-xendesktop-and-xenapp-on-microsoft-azure.pdf
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-on-microsoft-azure-solution-brief.pdf
Misc Info:
http://blogs.citrix.com/2015/05/28/citrix-netscaler-vpx-on-microsoft-azure-accelerates-your-applications-in-the-cloud/
Navigate to https://portal.azure.com and log on using your Microsoft Azure credentials.
From the Azure portal site, select the Marketplace tile.
Search for Citrix NetScaler, then select the BYOL option and select Create.
Note: For this configuration example, the Classic deployment model will be used.
Provide the host name, user name and password.
Select the Pricing option and choose a selection. The recommended base option is the A2 Standard.
Select the Optional Configuration for Network. Within this section, we need to verify the correct IP subnet that will be used along with adding some additional endpoints. Within this configuration, only a single virtual network will be used. The virtual network should be the same as where your Microsoft Domain Controller resides. Verify the virtual network and subnet then select the OK button under Network settings.
We now need to configure some additional endpoints for connectivity. Add in endpoints for both HTTP and HTTPS, as seen here, then click the OK button for the Endpoint configuration section. Endpoint mappings are done on a per-VM basis. Azure performs port address translation for mapping public ports to private ports for requests.
Note: Both the SSH and HTTP endpoints are added to access and manage the initial NetScaler configuration. Once you have confirmed and completed your configuration, the best practice is to remove both the SSH and HTTP endpoints. All further NetScaler management is then done from within a VM hosted in the Azure resource zone, using the private IP address. Refer to the Port Usage Guidelines section for additional details: http://docs.citrix.com/en-us/netscaler/10-5/vpx/deploy-vpx-on-azure.html
The following ports are reserved by the NetScaler virtual machine. You cannot define these as private ports when using the cloud service IP address for requests from the Internet:
21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000.
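A way to check an endpoint list against the note above, as an added example that is not part of the Citrix guide: it flags private ports that collide with the reserved list and, once setup is complete, any SSH or HTTP management endpoint that is still published. The endpoint names, the sample mappings, and the assumption that the management endpoints forward to private ports 22 and 80 are constructed for illustration.

```python
from dataclasses import dataclass

# Ports the guide lists as reserved by the NetScaler virtual machine.
RESERVED_PRIVATE_PORTS = frozenset({
    21, 22, 80, 443, 8080, 67, 161, 179, 500, 520,
    3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000,
})

# Assumption: the temporary management endpoints forward to the NetScaler's
# own SSH and HTTP management services on private ports 22 and 80.
MANAGEMENT_PRIVATE_PORTS = {22: "SSH", 80: "HTTP"}


@dataclass(frozen=True)
class Endpoint:
    name: str
    public_port: int
    private_port: int


def audit_endpoints(endpoints, setup_complete):
    """Return (endpoint name, finding) tuples for one VM's endpoint list.

    setup_complete=False is the initial-configuration phase, when the SSH and
    HTTP management endpoints are expected; True means they should be gone.
    """
    findings = []
    for ep in endpoints:
        for label, port in (("public", ep.public_port),
                            ("private", ep.private_port)):
            if not 1 <= port <= 65535:
                findings.append((ep.name, f"{label} port {port} is out of range"))

        service = MANAGEMENT_PRIVATE_PORTS.get(ep.private_port)
        if service is not None:
            # Management access is tolerated only while setup is in progress.
            if setup_complete:
                findings.append((
                    ep.name,
                    f"{service} management endpoint still published on "
                    f"public port {ep.public_port}; remove it",
                ))
        elif ep.private_port in RESERVED_PRIVATE_PORTS:
            findings.append((
                ep.name,
                f"private port {ep.private_port} is reserved by the "
                "NetScaler VM; choose a different private port",
            ))
    return findings


# Constructed sample: two management endpoints, one traffic endpoint on a
# free private port, and one traffic endpoint on a reserved private port.
SAMPLE_ENDPOINTS = [
    Endpoint("mgmt-ssh", 22, 22),
    Endpoint("mgmt-http", 80, 80),
    Endpoint("gateway-https", 443, 4443),
    Endpoint("extra-lb", 8080, 8080),
]

if __name__ == "__main__":
    for phase in (False, True):
        print("setup complete:", phase)
        for name, finding in audit_endpoints(SAMPLE_ENDPOINTS, phase):
            print(f"  {name}: {finding}")
```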
This completes the Optional config section. Click the OK button.
The NetScaler VPX needs to be placed in the same resource group in which your Microsoft domain controller\DNS server resides. Verify the correct resource group is selected and click OK to continue. First, obtain the resource group and virtual network/subnet settings from your domain controller.
Now, when selecting the resource group, ensure it's the same as above.
Once you have verified all sections for this VM, click the Create button.
Review the Offer details and click Create.
During the NetScaler deployment, you should see this within your Azure portal. This process can take 10-20 minutes to complete.
Upon completion, the following will be displayed.
You now need to set the private IP address assigned to the NetScaler VPX to static.
Note: Citrix recommends setting the private IP address to static. For additional details, refer here: http://docs.citrix.com/en-us/netscaler/10-5/vpx/deploy-vpx-on-azure/configure-vpx-on-azure.html
From a VM that is part of the same resource group that the NetScaler VPX was added to, use an internet browser to connect to the private IP obtained in the previous step. Log on using the username and password defined during the creation process. Once you have logged on, select the "2" option for subnet IP address.
The NetScaler Subnet IP (SNIP) is not an item that needs to be configured in Azure; select the option Do It Later to skip this.
Now select the "4" option for licenses.
For now, click Do It Later as this will be covered in a later section within this document.
Finally, click the Continue button to finish the Welcome process.
Addendum
Section 4: How to obtain and license a NetScaler VPX system
Customers new to NetScaler will need to obtain a NetScaler VPX Express license. The below steps will guide you through this process. Allocate a license from the My Account Portal as detailed below:
http://support.citrix.com/article/CTX131387
For adding a NetScaler license, first you need to obtain your NetScaler Host ID. This will be used in the Citrix - My Account license allocation process.
To obtain a NetScaler VPX Express license, first create or login to your account at mycitrix.com.
Once you have logged in, proceed to the Downloads area.
Search for “NetScaler VPX Express License”.
Select the option for NetScaler VPX Express License.
From the information page for NetScaler VPX Express, scroll to the very bottom of the page.
Expand the License option down arrow and select Get License.
Please read and accept the End-User License Agreement.
Click on the Serial Number shown.
By clicking on the Serial Number link, you will be redirected to the Activate and Allocate License area within your account.
Enter the NetScaler Host ID and click Continue.
Verify the information shown is correct and click Confirm.
The following dialog box will appear; click OK to download the license file.
Click the Download button.
Once the .lic file has been downloaded, you can log out of the Citrix - My Account portal. You will then need to log on to the NetScaler management console to proceed further.
Select System, Licenses, Manage Licenses from your NetScaler console.
Click the Add New License button.
Browse to the .lic file to upload and then click to Reboot once complete.
Upon reboot, your NetScaler system should display the following licensed features.
Section 5: NetScaler VPX SSL\Certificate configuration
For security, external connections to a NetScaler system require the use of SSL and certificates. This configuration uses third party SSL server and intermediate\root wildcard PEM certificates. For additional details, please refer to Citrix online documentation.
http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificate-wrapper-con.html
http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificate-wrapper-con/ng-install-signed-cert-on-ng-tsk.html
http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificate-wrapper-con/ng-create-csr-tsk.html
http://support.citrix.com/article/CTX109260
SSL v3 security info:
http://support.citrix.com/article/CTX200238
Right click the "!" option to enable the SSL Feature.
Select the option to Manage Certificates.
Select the option to Upload your certificates. You will also need to upload the .key file associated with this certificate. In the case below, a third party wildcard certificate was used along with the intermediate and RootCA certificate.
Once you have added all the certificates, click the Close button.
Install the uploaded certificates.
Fill in the details as needed, then click the Install button.
You also need to install the intermediate and/or root certificate as in the above case since a third party wildcard certificate was used.
Once complete, you should now see the following certificates installed.
Link the wildcard certificate to the intermediate\root certificate.
Section 6: Configure NetScaler DNS settings
DNS settings must be configured within NetScaler for later connectivity to the STA servers.
http://support.citrix.com/article/CTX109556
It is not required to configure DNS suffix addresses.
Click the Add button from DNS/Name servers.
Fill in the IP Address of your DNS name server, leaving UDP for the Protocol type, then click Create.
Ensure that both states are "Enabled" and "Up".
Section 7: Enable the NetScaler Modes and Features
The following specific NetScaler modes and features have been enabled for this use case configuration based on the basic (ICA Proxy) connectivity.
Modes:
Basic Features:
Section 8: How to integrate with XenApp and XenDesktop
For this NetScaler configuration the basic (ICA Proxy) mode will be utilized.
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-gateway-secure-remote-access-from-anywhere-on-any-device.pdf
• Basic Mode, also known as ICA Proxy mode, is licensed (unlimited) by your NetScaler Gateway Platform license. The ICA Proxy session mode means basic ICA connections only for launching of a Citrix XenApp or XenDesktop session.
From the NetScaler Configuration menu, select NetScaler Gateway - Virtual Servers and click the Add button.
Provide a Virtual Server Name and IP address based on the NetScaler private IP address within Azure; for the port setting, this is based on the Azure endpoint that is configured for HTTPS. Click the More option.
From the drop down, select "ICA Only" and click OK to complete the Basic Settings section.
Now, select the Server Certificate option.
Select the arrow to expand the menu.
Select your existing wildcard certificate and click OK.
Once your certificate is selected, click Bind.
Click OK to complete the certificates section.
Click Continue to skip the Authentication section.
For security best practices, it's suggested to remove the check box for SSLv3.
http://support.citrix.com/article/CTX200238
Select to add the SSL Parameters option.
Uncheck the SSLv3 option and click OK.
We now need to add a section for the published applications; this is used to configure the STA (Secure Ticket Authority) server settings.
Click to expand the STA Server settings option.
For this configuration, the STA server settings will be the Citrix Workspace Cloud Connector systems; these need to pre-exist in your resource zone. Click Bind to complete the add process. Repeat this step if any additional STA servers need to be added. If the Cloud Connectors reside in an Azure resource zone, these would be the Private IP addresses.
Verify the STA servers are in the Up state then click Close to complete the process.
Once you have completed the Published Application section click Done at the very bottom to finalize the Virtual Server configuration.
At this point you will need to save your NetScaler configuration.
Once the save is complete, click the Refresh option.
Verify the Virtual Server is now shown in the Up state.
NetScaler CLI verification of "ICA Only" mode:
The NetScaler CLI equivalent of the above would be the following: "set vpn vserver -icaonly on" (for Basic mode)
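The two hardening steps in this section (selecting "ICA Only" and unchecking SSLv3) can be checked against a saved configuration. The following is an added example, not Citrix code: it assumes the saved configuration records these settings as `add`/`set vpn vserver ... -icaOnly ON` and `set ssl vserver ... -ssl3 DISABLED` lines, and that SSLv3 stays enabled unless such a line is present. The virtual server names, addresses, and ports in the sample are constructed.

```python
import shlex


def _options(tokens):
    """Collect '-flag value' pairs from the tail of a config line."""
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-"):
            opts[tok.lower()] = tokens[i + 1]
    return opts


def audit_gateway_config(config_text):
    """Map each vpn vserver name to its findings (empty list means it passes)."""
    ica_only = {}   # vpn vserver name -> True when -icaOnly ON was seen
    ssl3_off = {}   # ssl vserver name -> True when -ssl3 DISABLED was seen
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)   # handles quoted names with spaces
        except ValueError:
            continue                  # unbalanced quotes: skip the line
        if len(tok) < 4 or tok[2].lower() != "vserver":
            continue
        verb, kind, name = tok[0].lower(), tok[1].lower(), tok[3]
        if verb not in ("add", "set"):
            continue
        opts = _options(tok[4:])
        if kind == "vpn":
            ica_only.setdefault(name, False)
            if "-icaonly" in opts:
                ica_only[name] = opts["-icaonly"].upper() == "ON"
        elif kind == "ssl" and "-ssl3" in opts:
            ssl3_off[name] = opts["-ssl3"].upper() == "DISABLED"

    report = {}
    for name, enabled in ica_only.items():
        findings = []
        if not enabled:
            findings.append("ICA Only (Basic mode) is not enabled")
        # Assumption: no '-ssl3 DISABLED' line means SSLv3 is still accepted.
        if not ssl3_off.get(name, False):
            findings.append("SSLv3 is not disabled")
        report[name] = findings
    return report


# Constructed sample configuration, not taken from the guide.
SAMPLE_CONFIG = """\
#NS10.5 constructed sample
add vpn vserver gw-azure SSL 10.0.0.5 4443 -icaOnly ON
set ssl vserver gw-azure -ssl3 DISABLED
bind vpn vserver gw-azure -staServer "http://10.0.0.10"
add vpn vserver "gw test" SSL 10.0.0.6 4444
set vpn vserver "gw test" -icaOnly ON
add vpn vserver gw-old SSL 10.0.0.7 4445
set ssl vserver gw-old -ssl3 ENABLED
"""

if __name__ == "__main__":
    for vserver, findings in audit_gateway_config(SAMPLE_CONFIG).items():
        print(vserver, "->", findings or "OK")
```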
Section 9: Configuration of the Citrix Workspace Cloud – Apps and Desktops environment
Consult with your domain name internet provider to configure and obtain a CNAME record for the external NetScaler connection. First, determine your Azure portal NetScaler computer name. See the screenshot below for reference; this will be the host that your CNAME record points to.
For this example, using a popular domain name provider, the following CNAME Record was configured.
For access to cloud-hosted Storefront connections to the Citrix Workspace Cloud, you need to configure the Storefront\NetScaler Gateway connection info. Note: this is the Host name from your CNAME Record, configured to use port 443 shown in the example below. For additional details see the Use Case #1: Cloud-hosted Storefront section: http://docs.citrix.com/en-us/workspace-cloud/apps-desktops-service/setting-up-storefront.html
Section 10: External Client Connections
External Receiver users can now connect using the Citrix Workspace Cloud - Storefront site. From an internet browser, connect to your Citrix Workspace Cloud - Customer site and append /Citrix/StoreWeb/
Example: https://.xendesktop.net/Citrix/StoreWeb/
Section 11: References
Citrix Workspace Cloud - Apps and Desktops Info:
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/workspace-cloud-apps-desktop-services-for-new-customers-reference-architecture.pdf
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/workspace-cloud-apps-desktop-service-on-premises-resource-reference-architecture.pdf