NOTE: An up-to-date blog with NetScaler 10.5 and StoreFront 2.5.2 can be found here!
In this blog I will describe step by step how to configure the Citrix NetScaler Access Gateway VPX with Citrix StoreFront: uploading the VPX to XenServer, configuring the NetScaler, creating and installing the SSL certificate, creating and configuring the Access Gateway, the redirection to the Citrix StoreFront server, and finally the configuration of the Citrix StoreFront server itself.
Before you begin make sure you have the Java Runtime installed (the NetScaler GUI of this build needs it) and that you have a license file for the NetScaler. The NetScaler Access Gateway needs an SSL certificate, so make sure you can have a certificate signing request signed by a CA; the private key itself is generated on the NetScaler. For this blog I will use Go Daddy and describe the steps for getting the certificate issued there.
To install and configure Citrix StoreFront 1.2 see my previous blog here.
Downloading and Uploading the NetScaler Access Gateway VPX to the XenServer
For this installation I will download “Access Gateway VPX for XenServer Build 10.0.73.5002e Enterprise Edition” from the Citrix website.
After downloading the VPX, open XenCenter, open the File menu and choose the option Import…
Browse to the VPX file and click Next
Select your XenServer and click Next
Select the storage you want to place the NetScaler on and click Import
Select the network interface you want to connect the NetScaler to and click Next
Click Finish
Configuring the Netscaler Access Gateway VPX
Start the NetScaler and go to the Console tab of the virtual machine (XenCenter). Enter the desired IP Address (this will be the management interface IP address, a.k.a. NSIP), Netmask and Gateway address. The NSIP is the management plane of the appliance: put it on an internal or management network and never expose it to the internet.
After entering the network information a menu should appear, but in this version of the NetScaler it does not. From earlier versions I know option 4 is “Save and Quit”, so type 4 and press Enter
After the NetScaler has rebooted, open Internet Explorer and enter the NSIP address (management interface IP address). Log in with user name nsroot and password nsroot. These are the factory default credentials, and they are the same on every NetScaler: change the nsroot password (Configuration tab, System > Users) before the appliance is reachable from anything but the management network.
In the Configuration page, click Setup Wizard..
Click Next
Enter the Host Name (the license file is tied to this name, and it is case sensitive). In my case the resource servers are on the same subnet, so I choose the option Mapped IP and fill in the IP Address and Netmask.
Click on Manage Licenses
Click on Add to browse to your license file.
Click OK
Click on No (!!)
Click on Next
Click Finish
Optionally click on Configure Time Zone
Select the correct time zone and press OK
Click Exit
Click on Reboot
Select Save configuration and press OK
Installing the SSL Certificate
On the Configuration tab go to the SSL menu; on the right side of the screen click Create RSA Key
Fill in the following information;
Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4 (65537)
Key Format: PEM
PEM Encoding Algorithm: DES3 (this only encrypts the key file at rest with the passphrase below)
PEM Passphrase: A strong passphrase; you need it again when installing the certificate
Verify Passphrase: Same as above
Click on Create and then Close
The next step is to create a certificate signing request to send to the CA. On the right side of the screen click Create CSR (Certificate Signing Request)
Fill in the following information;
Request File Name: “name”.req, anything you like
Key File Name: Browse to the .key file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The passphrase you specified in the previous step
Common Name: The fully qualified external host name users will type in their browsers; it must match the Gateway URL you later configure in StoreFront
Organization Name: The name of your organization
Country: Your country
State or Province: Your state or province
Challenge Password: A password you like (optional; most public CAs ignore it, and it is not the password you need at install time)
Click on Create and then Close
The .req file needs to be downloaded so its contents can be pasted into the CA’s request form. Go to “Manage Certificates / Keys / CSRs”
Select the .req file and click Download. Click Browse to choose a “Save in” location, click Download and then Close.
Open the .req file in Notepad and copy all the text. Go to your CA (in my/this case Go Daddy) to request a new certificate or re-key an existing one by pasting the text from the .req file.
After the certificate has been issued, download it. Select IIS7 as the server type; this gives a Base64 (PEM) encoded .crt that the NetScaler accepts.
After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and upload the .crt file.
Go to the menu SSL > Certificates. At the bottom of the screen click Install...
Fill in the following information;
Certificate-Key Pair Name: Any name you want
Certificate File Name: Browse to the .crt file you just uploaded
Private Key File Name: Browse to the .key file created earlier
Password: The PEM passphrase you set when creating the RSA key (not the challenge password from the request)
Certificate Format: PEM
Click Install and then Close
After the installation you can see the status and the number of days until the certificate expires. Go Daddy certificates chain through an intermediate CA, and the download includes its bundle: upload and install that bundle as its own certificate-key pair (certificate only, no key) and link it to the server certificate, otherwise clients that do not already have the intermediate will show a certificate error.
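The same key, CSR and certificate steps done with openssl on an admin workstation, as an added example that is not part of the original post, together with the two checks worth running on the downloaded .crt before you click Install: that the certificate really belongs to the key you generated, and how long it is valid. The host name, passphrase, working directory and the self-signed stand-in for the CA-issued certificate are assumptions of this example; in real use the .crt comes back from the CA and is uploaded as described above.

```shell
#!/bin/sh
# Added example (not from the original post): the key, CSR and install-time
# checks from the SSL section, done with openssl on an admin workstation
# instead of the NetScaler GUI. Host name, passphrase, working directory and
# the self-signed stand-in for the CA-issued .crt are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
CN=${CN:-citrix.example.com}                 # the name users type in the browser
PASS=${PASS:-use-a-long-random-passphrase}   # PEM passphrase, needed again at Install

# RSA 2048 with exponent F4 (65537, openssl's default), PEM, DES3-protected
# as this NetScaler build's GUI offers. Newer tooling should prefer -aes256.
gen_key_and_csr() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/ag.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ag.key" -passin "pass:$PASS" \
        -subj "/C=NL/ST=State/O=Example Org/CN=$CN" -out "$WORK/ag.req"
    # A CSR whose self-signature does not verify is not worth sending to the CA.
    openssl req -in "$WORK/ag.req" -noout -verify >/dev/null 2>&1
}

# Common Name as the CA will see it; compare it with the Gateway URL.
csr_cn() {
    openssl req -in "$WORK/ag.req" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Stand-in for the CA step so the checks below run offline (constructed;
# a real deployment must not serve a self-signed certificate).
fake_ca_sign() {
    openssl x509 -req -in "$WORK/ag.req" -signkey "$WORK/ag.key" \
        -passin "pass:$PASS" -days 365 -out "$WORK/ag.crt" 2>/dev/null
}

# 0 when the certificate's public key belongs to the private key. Run this on
# the downloaded .crt before Install; a certificate re-keyed at the CA with a
# different CSR will not match and the install would fail or mislead.
key_matches_cert() {
    k=$(openssl rsa -in "${1:-$WORK/ag.key}" -passin "pass:$PASS" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "${2:-$WORK/ag.crt}" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the certificate is still valid $1 days from now (openssl -checkend),
# the same figure the NetScaler shows after Install.
valid_for_days() {
    openssl x509 -in "$WORK/ag.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

gen_key_and_csr
fake_ca_sign
echo "CSR CN: $(csr_cn)"
key_matches_cert && echo "key and certificate match"
valid_for_days 30 && echo "certificate valid for at least 30 more days"
echo "files in $WORK"
```

Upload ag.key and the CA-issued .crt to the NetScaler as in the steps above and use the same passphrase in the Password field; the modulus comparison is the quickest way to tell a re-keyed certificate from the one that belongs to your key.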
Create the Access Gateway Virtual Server
On the Configuration tab go to VPN and on the right side click Access Gateway wizard
Click Next
Fill in the IP Address: this is the internal virtual IP (VIP) that your public IP address will be forwarded to. Fill in port 443 and a Virtual Server Name (anything you like). After this wizard, configure your router and/or firewall to forward port 443 (and optionally port 80, for the redirect) from outside to this address, and only to this address: the NSIP must stay unreachable from the internet.
Under Certificate Options choose Use an installed certificate and private key pair. Under Server Certificate choose the certificate installed in the previous step.
Fill in the IP address of your DNS server and leave WINS IP Address blank. Choose DNS as Name Lookup Priority and click Next.
Choose LDAP as the authentication type. Under Connection Settings fill in the requested information as shown in the screenshot above and click Retrieve Attributes
Click OK
Set Configure Authorization to Allow. With a full VPN tunnel this lets every authenticated user reach any internal resource, so it is only appropriate for an ICA Proxy-only setup such as this one; otherwise add authorization policies. Optionally you can enable Port 80 redirection. Click Next
Select what is applicable and click Next
Click Finish
Click Exit
The next step is to configure the LDAP server and LDAP policy and assign them to the Access Gateway. Go to menu VPN > Policies > Authentication/Authorization > Authentication > LDAP. On the right side of the screen select the Servers tab, and at the bottom of the screen click Add
Fill in the following information;
Name: Any name you want
IP Address: The IP address of your AD Domain Controller. Set Security Type to SSL and the port to 636 (LDAPS) so that neither the bind password nor the users’ passwords cross the network in clear text; the default of plaintext LDAP on 389 exposes both.
Base DN (location of users): The distinguished name of the domain or of the OU that holds the users, e.g. DC=domain,DC=local
Administrator Bind DN: The account the NetScaler binds with. This does not need to be a domain administrator: a dedicated, least-privilege service account that can read user objects is enough. Its password is stored in the NetScaler configuration, so do not reuse a privileged account here.
Administrator Password: The password of the bind account
Confirm Administrator Pass: Same as above
Click on Retrieve Attributes
Click OK
Click on Create and Close
Go to the Policies tab and click Add
Fill in the following information;
Name: Any name you want
Server: The LDAP server created in the previous step
Under Expression select the True value (ns_true), click Add Expression, then click Create and Close
Go to menu VPN > Virtual Servers; on the right side of the screen right-click the server and click Open
Go to the Authentication tab and click Insert Policy to apply the policy created in the previous step. Click OK
At this point you can already log on to the NetScaler via the external URL (you must have configured the router to forward 443 traffic to the Access Gateway VIP).
Configure Access Gateway to redirect to Citrix StoreFront
Go to menu VPN and on the right side of the screen click Published application wizard
Click Next
Select the Virtual Server Name created in the previous steps and click Next
In “Web Interface Address” enter the internal web address of the Citrix StoreFront server. In “Single Sign-on Domain” enter your domain name. Click Add to add the STAs of your XenApp and/or XenDesktop server(s) in this format: “http(s)://<servername>”. In previous versions it was necessary to append “/scripts/ctxsta.dll” to this path, but with this version of the NetScaler it is not needed (in my case).
Click Next
Select “SETVPNPARAMS_POL” and click Next
Click Finish
Click Exit
Citrix StoreFront has a “Green Bubble” theme by default. This theme is also available on the NetScaler Access Gateway. To configure the same theme on the NetScaler go to menu VPN > Global Settings and on the right side of the screen click Change global settings.
Open the Client Experience tab and select the GREENBUBBLE UI Theme. Click OK
Go to the Published Applications tab and set ICA Proxy to ON. Click OK
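Everything the Access Gateway wizard, the LDAP dialogs and the Published application wizard above configure can also be applied as a NetScaler CLI batch file, which is easier to review and to reproduce on a second appliance. The script below is an added example, not the post’s or Citrix’s own code: it writes such a batch file and lints it for the two settings the GUI walk-through leaves weak (LDAP in clear text on 389 instead of LDAPS on 636, and a domain administrator as bind account instead of a least-privilege service account). The command syntax is the classic NetScaler 10.x CLI as I know it; the IPs, names, DNs, URLs and the passphrase placeholder are assumptions to replace, and each option should be checked against `help <command>` on your build before running the file.

```shell
#!/bin/sh
# Added example (not from the original post): the wizards above as a NetScaler
# CLI batch file, plus a lint that refuses the weak LDAP settings. Placeholder
# values are assumptions; verify option names with `help` on your build.
set -eu

VIP=${VIP:-192.168.1.5}                      # Access Gateway VIP (internal, NATted from outside)
DC=${DC:-192.168.1.10}                       # domain controller offering LDAPS
NT_DOMAIN=${NT_DOMAIN:-EXAMPLE}              # "Single Sign-on Domain" from the wizard
BASE_DN=${BASE_DN:-DC=example,DC=local}
BIND_DN=${BIND_DN:-CN=svc-ns-ldap,OU=Service Accounts,DC=example,DC=local}
BIND_PW=${BIND_PW:-REPLACE_ME}               # read-only service account, not a domain admin
SF_URL=${SF_URL:-https://storefront.example.local/Citrix/StoreWeb}
STA=${STA:-https://xenapp01.example.local}

# Writes the batch file to $1. Review it, copy it to /nsconfig on the
# NetScaler, run `batch -fileName /nsconfig/ag.conf`, then delete it: it
# contains the LDAP bind password and the key passphrase in clear text.
write_ns_batch() {
    cat >"$1" <<EOF
# SSL: the certificate-key pair from the SSL section, bound to the VIP
add ssl certKey AG_CERT -cert ag.crt -key ag.key -inform PEM -passplain <key passphrase>
add vpn vserver AG_VS SSL $VIP 443
bind ssl vserver AG_VS -certkeyName AG_CERT
# LDAP, WEAK (what you get by accepting the wizard defaults), kept here only for comparison:
#   add authentication ldapAction LDAP_AD -serverIP $DC -serverPort 389 -secType PLAINTEXT -ldapBase "$BASE_DN" -ldapBindDn "CN=Administrator,CN=Users,$BASE_DN" -ldapBindDnPassword ... -ldapLoginName sAMAccountName
# LDAP, corrected: LDAPS on 636 and a least-privilege bind account
add authentication ldapAction LDAP_AD -serverIP $DC -serverPort 636 -secType SSL -ldapBase "$BASE_DN" -ldapBindDn "$BIND_DN" -ldapBindDnPassword $BIND_PW -ldapLoginName sAMAccountName
add authentication ldapPolicy LDAP_POL ns_true LDAP_AD
bind vpn vserver AG_VS -policy LDAP_POL -priority 100
# Session profile: ICA proxy to StoreFront, single sign-on with the NT domain
add vpn sessionAction SF_ACT -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "$SF_URL" -ntDomain $NT_DOMAIN -ClientChoices OFF -clientlessVpnMode OFF
add vpn sessionPolicy SF_POL ns_true SF_ACT
bind vpn vserver AG_VS -policy SF_POL -priority 100
bind vpn vserver AG_VS -staServer $STA
# Theme to match StoreFront, and a resolver so the NetScaler can find the StoreFront host
set vpn parameter -UITHEME GREENBUBBLE
add dns nameServer $DC
save ns config
EOF
}

# Pre-flight lint: returns 1 if any live (non-comment) line still binds LDAP
# in clear text or with the built-in Administrator account, 0 otherwise.
lint_ns_batch() {
    live=$(grep -v '^#' "$1")
    if printf '%s\n' "$live" | grep -q -- '-secType PLAINTEXT'; then
        echo "lint: LDAP in clear text, use -secType SSL with port 636" >&2
        return 1
    fi
    if printf '%s\n' "$live" | grep -qi -- '-ldapBindDn "CN=Administrator'; then
        echo "lint: LDAP bind uses a domain admin account" >&2
        return 1
    fi
    return 0
}

OUT=${OUT:-ag.conf}
write_ns_batch "$OUT"
lint_ns_batch "$OUT" && echo "wrote $OUT (review, then batch -fileName on the NetScaler)"
```

The `add dns nameServer` line is what the troubleshooting note further down is about: the NetScaler itself has to resolve the StoreFront host name in `-wihome`, and if it cannot, an address record on the NetScaler is the fallback.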
Configure Citrix StoreFront
The final step is to configure the Citrix StoreFront server to work with the NetScaler Access Gateway.
Go to the StoreFront server, open the Authentication node and on the right side click Add/Remove Methods
Select all the options and click OK
Go to the Gateways node and on the right side of the screen click Add Gateway Server
Fill in the Display name (any name you like). In the Gateway URL field fill in the external NetScaler address users will enter in their browsers (https://...) and append “/Citrix/<storename>Web” to it (see screenshot). Click Next.
Fill in the Callback URL; this is the external NetScaler address (https://...). StoreFront itself connects to this URL to validate the session, so the StoreFront server must be able to resolve that name to the gateway VIP and must trust the gateway’s certificate. Click Next.
Click Add and enter the STA’s of your XenApp and/or XenDesktop servers and click OK
Click Create
Click Finish
Go to the Stores tab and click Enable Remote Access
Select Full VPN tunnel and click OK
At this point everything should work. If the NetScaler does not forward to the StoreFront website successfully, make sure the NetScaler can resolve the host name of the Citrix StoreFront server (or its alias). If it cannot, add a DNS address record for the StoreFront server (or alias) under DNS on the NetScaler.
You can now access the Citrix NetScaler Access Gateway at https://<server address>
After logging on you are redirected to the Citrix StoreFront server with the same UI theme.
Troubleshooting
Cannot complete your request
When you receive this error, make sure you have applied the following:
Edit the Windows hosts file on the StoreFront server and add an entry that maps the external gateway name to the internal Gateway VIP address, for example: 192.168.1.5 citrix.robinhobo.com. This makes the callback from StoreFront to the gateway work when the external name does not resolve internally or the firewall does not hairpin traffic back to the VIP.
Alternatively, create an internal DNS record for the external name pointing to the VIP (split DNS).