Robin Hobo

Configure Citrix NetScaler 10.5 including Gateway and Citrix StoreFront 2.5.2

Citrix has released NetScaler 10.5. In this blog I will show you how to set up this new NetScaler, including creating and installing an SSL certificate and creating and configuring the Gateway feature. I will also show you the steps that need to be taken in the Citrix StoreFront 2.5.2 configuration.

Before starting with the installation and configuration, make sure there is a license file for the NetScaler and that at least three IP addresses are available for the configuration. The Access Gateway function needs an SSL certificate, so make sure you can have an SSL certificate issued by a Certificate Authority (CA) and that an external DNS record is in place.

For this blog I used NetScaler VPX for XenServer 10.5 Build 50.9 as the source. The steps for downloading and uploading the NetScaler to the hypervisor are not covered in this blog; for these steps see my previous NetScaler blog. The steps to install Citrix StoreFront are also not covered; you can find them in my StoreFront blog.

Good news: with NetScaler 10.5 you no longer need Java, which is a really big improvement! There are many more improvements, such as an SSL certificate chain check (see later in this blog) and a much improved setup wizard. Let’s get started…

Configuring NetScaler 10.5

After downloading the NetScaler sources from the Citrix site and uploading them to the hypervisor, it’s time to walk through the console configuration wizard.

Turn on the NetScaler and open the NetScaler console on the hypervisor. Fill in the following information:

– IPv4 address
– Netmask
– Gateway IPv4 address

Choose option 4 to Save and quit. After that the NetScaler will reboot.

After rebooting the NetScaler, open a browser and browse to the NSIP address (management interface IP address) you entered in the previous step. Log in with User Name: nsroot and Password: nsroot

Citrix NetScaler 10.5 has a much improved First-time Setup Wizard, making it possible to set up the NetScaler in a few clicks. Click on step 2, Subnet IP Address

The wizard gives a good explanation of the subnet IP address and even displays an infographic, nice! Fill in the Subnet IP Address and click Done

Click on Step 3 to configure Host Name, DNS IP Address, and Time Zone

Fill in the NetScaler Host Name, the DNS IP Address and the correct Time Zone. Click Done

If you have a license file, select Upload license files from a local computer and click Browse

After uploading the license file, click Reboot

Create a SSL certificate

The next step is to install the SSL certificate. Browse to Traffic Management > SSL and click on Create RSA Key

Fill in the following information:

Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above

Click on OK

Click on Create CSR (Certificate Signing Request)

Fill in the following information:

Request File Name: anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step

Scroll to the bottom of the page and fill in the following information:

Country: Your Country
State or Province: Your State or Province
Organization Name: The name of your organization
City: Name your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: This is the address the users will type in their browsers
Challenge Password: A password you like
Company Name: Your Company Name

Click OK

To download the request file click on Manage Certificates / Keys / CSRs

Select the request file (in my case this is robinhobocom.txt) and click Download

Open the request file with Notepad and copy all the text. Go to your Certificate Authority (in my case this is Go Daddy) to create the key or re-key an existing certificate by pasting the text from the request file.
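The key and request dialogs above, reproduced with OpenSSL as an added example that is not part of the original post, followed by checks worth running on a request before it is pasted into the CA form. The file names, passphrase, subject fields and `gateway.example.com` are constructed sample values.

```shell
#!/bin/sh
# Added example: OpenSSL equivalent of the Create RSA Key and Create CSR
# dialogs, plus checks to run on the request before it goes to the CA.
# File names, passphrase, subject fields and FQDN are constructed values.
set -e

WORK=$(mktemp -d)
KEY="$WORK/gateway.key"
CSR="$WORK/gateway.csr"
PASS='constructed-sample-passphrase'
FQDN='gateway.example.com'   # Common Name: what users type in the browser

make_request() {
    # 2048-bit RSA, public exponent F4 (65537), PEM encrypted with DES3
    openssl genrsa -F4 -des3 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
    openssl req -new -key "$KEY" -passin "pass:$PASS" -out "$CSR" \
        -subj "/C=NL/ST=Constructed/L=Constructed/O=Example Org/OU=IT/CN=$FQDN"
}

csr_signature_ok() {   # the request must be signed by the key it carries
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_common_name() {
    openssl req -in "$CSR" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

csr_key_bits() {
    openssl req -in "$CSR" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Request and private key must share one modulus. The same comparison works
# for the issued certificate (openssl x509 -noout -modulus) before install.
csr_matches_key() {
    a=$(openssl req -in "$CSR" -noout -modulus)
    b=$(openssl rsa -in "$KEY" -passin "pass:$PASS" -noout -modulus)
    [ "$a" = "$b" ]
}

make_request
csr_signature_ok
csr_matches_key
echo "CN=$(csr_common_name) bits=$(csr_key_bits)"
```

A Common Name that differs from the external DNS record, or a modulus mismatch between key and certificate, is much cheaper to catch here than after the certificate has been issued.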

After creating the certificate, download it. Select IIS7 as server type

Browse to Traffic Management > SSL > Certificates and click on Install

Fill in a Certificate-Key Pair Name (anything you like). On the right side of the Certificate File Name click the arrow down button and select Local to browse to the downloaded certificate

Browse to the Key File Name (on the appliance), select PEM as Certificate Format. Fill in the password entered when creating the request file and click on Install

After the installation you can see the status and the number of days until the certificate expires

Configuring the NetScaler 10.5 Gateway

Under Integrate with Citrix Products, click on XenApp and XenDesktop

The Before you Begin checklist is presented. We already have a server certificate installed, and the LDAP authentication server details will be configured during this wizard. Click Get Started

An infographic is displayed with your deployment options; at this point the Single Hop deployment is my only option. Select StoreFront as integration point and click Continue

Fill in the Virtual Server Name (anything you like) and the NetScaler Gateway IP Address; this is the IP address that the outside IP address must point to. Fill in port number 443; optionally you can enable redirecting requests from port 80 to a secure port. Fill in the address without “https”. Click Continue

Select Use existing certificate, select the certificate that was installed in the previous steps and click Continue

Citrix NetScaler checks whether the certificate chain of the SSL certificate is complete, a really great new feature. In my case the certificate chain is incomplete. NetScaler displays the missing parts of the chain that are needed and where to find them!

After installing all the certificates NetScaler displays the Server Certificate including the complete chain.
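What an incomplete chain means for a client that only trusts the root CA, shown with OpenSSL as an added example that is not part of the original post. The root, intermediate and leaf certificates are constructed throwaway certificates, and `gateway.example.com` is an assumed name.

```shell
#!/bin/sh
# Added example: why a leaf certificate alone is not enough for clients.
# Builds a constructed root -> intermediate -> leaf chain and validates the
# leaf with and without the intermediate, trusting only the root.
set -e

D=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"

new_csr() {   # new_csr <name> <CN>: unencrypted throwaway key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$D/$1.key" \
        -out "$D/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
    new_csr root 'Constructed Root CA'
    openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" \
        -extfile "$D/ca.ext" -days 2 -out "$D/root.pem" 2>/dev/null
    new_csr inter 'Constructed Intermediate CA'
    openssl x509 -req -in "$D/inter.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
        -set_serial 1 -extfile "$D/ca.ext" -days 2 -out "$D/inter.pem" 2>/dev/null
    new_csr leaf 'gateway.example.com'
    openssl x509 -req -in "$D/leaf.csr" -CA "$D/inter.pem" -CAkey "$D/inter.key" \
        -set_serial 2 -days 2 -out "$D/leaf.pem" 2>/dev/null
}

# Succeeds only if a path from leaf.pem to the trusted root can be built.
# Extra arguments are certificates the server sends alongside the leaf.
chain_ok() {
    openssl verify -CAfile "$D/root.pem" "$@" "$D/leaf.pem" >/dev/null 2>&1
}

build_chain
if chain_ok; then echo "leaf only: OK"; else echo "leaf only: incomplete chain"; fi
if chain_ok -untrusted "$D/inter.pem"; then echo "leaf + intermediate: OK"; fi
```

Browsers that have cached the intermediate can hide this problem, so a check against a root-only trust store is the reliable way to confirm the gateway sends the full chain.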

Scroll down to the LDAP configuration. Select Add new server and fill in the following information:

IP Address: The IP Address of a Domain Controller
Port: 389
Base DN: For example DC=RobinHobo,DC=Com
Service account: An account with AD read rights
Server Logon Name Attribute: choose sAMAccountName for XenApp/XenDesktop deployments
Password: The service account password
Confirm Password: same as above

Click Continue

An LDAP authentication policy and server are now automatically created

Scroll down to configure the StoreFront server and fill in the following information:

StoreFront FQDN: The FQDN of the StoreFront server
Site Path: The site Path of the Receiver for Web Store URL. For me this is /Citrix/HoboWeb
Single Sign-On Domain: Your internal domain name
StoreName: Your StoreFront storename
Secure Ticket Authority Server: The STA address of your XenApp or XenDesktop controller
Protocol: Protocol used by the StoreFront server
StoreFront Server: IP address of the StoreFront server
Port: The port number used by StoreFront

Optionally you can enable Load Balancing and enter the IP address of the virtual load balancing server

Click on Continue

To configure your Xen Farm, select what you are using: XenApp, XenDesktop or both. Fill in the IP address of the XenApp / XenDesktop Controller server and the services port it uses. If you want to configure Load Balancing on your controllers, select Load Balancing and enter the IP address of the virtual LB server. Click Continue

To apply Optimize TCP Profile Settings, Optimize SSL Quantum Settings, HTTP Caching and HTTP Compression, click Apply

Click OK

To Apply AppFW policies and profiles, click Apply

To apply HDX Insight AppFlow policies, click Apply

Click Done

Optionally you can change the default theme of the NetScaler web interface. To do so, browse to NetScaler Gateway > Global Settings and click Change Global Settings

Open the Client Experience tab

Browse to the bottom and select the UI Theme you want. I select the Green Bubble theme because I have the same theme with Storefront. Click OK

Save the configuration and reboot the NetScaler

Configure StoreFront 2.5.2 for Remote Access

The final step is to configure Citrix StoreFront 2.5.2 for remote access with Citrix NetScaler 10.5. Log on to the StoreFront server and open the console.

Browse to Authentication and click on Add/Remove Methods. Make sure you enable Pass-through from NetScaler Gateway and click OK

Go to NetScaler Gateway and click on Add NetScaler Gateway Appliance

Fill in the following information:

Display name: Any name you like
NetScaler Gateway URL: The external URL of the Gateway
Version: 10.0 (Build 69.4) or later
Logon type: Domain
Callback URL: The external URL of the Gateway

Click Next

Click Add to add a Secure Ticket Authority (STA)

Add http://<FQDN of XenApp/XenDesktop controller> and click OK

Click Create

Click Finish

Open the Stores page and click on Enable Remote Access

Select No VPN tunnel, select the just created NetScaler Gateway appliance and click OK

At this point everything should be working fine. If you open a browser and browse to the external URL you will see that HTTPS is used and that the certificate icon is displayed

After logon you will see the published Applications and Desktops in the StoreFront interface with the same theme as the NetScaler Gateway
