Robin Hobo

Configuring NetScaler Access Gateway VPX and Citrix StoreFront

NOTE: An up-to-date blog with NetScaler 10.5 and Storefront 2.5.2 can be found here!

In this blog I will describe step by step how to configure the Citrix NetScaler Access Gateway VPX with Citrix StoreFront. This includes uploading the VPX to the XenServer, configuring the NetScaler, creating and installing the SSL certificate, creating and configuring the Access Gateway, the redirection to the Citrix StoreFront server and finally the configuration of the Citrix StoreFront server itself.

Before you begin, make sure you have Java Runtime installed and that you have a license file for the NetScaler. The Citrix NetScaler Access Gateway needs an SSL certificate, so make sure you can have one created by a CA. For this blog I will use Go Daddy and describe the steps for creating the certificate there.

To install and configure Citrix StoreFront 1.2 see my previous blog here.

Downloading and Uploading the NetScaler Access Gateway VPX to the XenServer

For this installation I will download “Access Gateway VPX for XenServer Build Enterprise Edition” from the Citrix website.

After downloading the VPX, open XenCenter, open the File menu and choose the option Import…

Browse to the VPX and click on Next

Select your XenServer and click on Next

Select the storage you want to upload the NetScaler to and click Import

Select the network interface you want to connect the NetScaler to and click Next

Click Finish

Configuring the NetScaler Access Gateway VPX

Start the NetScaler and go to the Console tab of the virtual machine (XenCenter). Enter the desired IP Address (this will be the management interface IP address, a.k.a. NSIP), Netmask and Gateway address.

After entering all the network information a menu should appear, but in this version of the NetScaler that is not the case. From earlier versions I know option 4 is “Save and Quit”, so type in number 4 and hit Enter

After rebooting the NetScaler, open Internet Explorer and enter the NSIP address (management interface IP address). Log in with User Name: nsroot and Password: nsroot

In the Configuration page, click Setup Wizard..

Click Next

Enter the Host Name (keep in mind that the name in the license file is case sensitive). In my case the resource servers are on the same subnet, so I choose the option Mapped IP and fill in the IP Address and Netmask.

Click on Manage Licenses

Click on Add to browse to your license file.

Click OK

Click on No (!!)

Click on Next

Click Finish

Optionally click on Configure Time Zone

Select the correct time zone and press OK

Click Exit

Click on Reboot

Select Save configuration and press OK

Installing the SSL Certificate

On the Configuration tab go to the SSL menu. On the right side of the screen click on Create RSA Key

Fill in the following information:

Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above

Click on Create and then Close

The next step is to create a request that needs to be sent to the CA. On the right side of the screen click on Create CSR (Certificate Signing Request)

Fill in the following information:

Request File Name: “name”.REQ, anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Common Name: This is the address the users will type in their browsers
Organization Name: The name of your organization
Country: Your Country
State or Province: Your State or Province
Challenge Password: A password you like

Click on Create and then Close

The .REQ file needs to be downloaded so that it can be imported at the CA. Go to “Manage Certificates / Keys / CSRs”

Select the .REQ file and click Download. Click on Browse to give a “Save in” location, click on Download and then Close.

Open the .REQ file in Notepad and copy all the text. Go to your CA (in my case Go Daddy) to create the certificate, or re-key an existing certificate, by pasting the text from the .REQ file.

After creating the certificate, download it. Select IIS7 as server type.

After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and Upload the .crt file.

Go to the menu SSL > Certificates. On the lower side of the screen click on Install..

Fill in the following information:

Certificate-Key Pair Name: Any name you want
Certificate File Name: Browse to the .crt file you just uploaded
Private Key File Name: Browse to the .KEY file created earlier
Password: The password entered when creating the request
Certificate Format: PEM

Click on Install and Close

After the installation you can see the status and the number of days until the certificate expires.
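A way to check the key, the CSR and the returned certificate against each other before installing the pair, as an added example that is not part of the original blog. It uses the OpenSSL command line on an admin workstation rather than the NetScaler GUI; the file names, passphrase, FQDN and the self-signed certificate standing in for the CA-issued one are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example: pre-install checks on a key / CSR / certificate set with OpenSSL.
# File names, passphrase and FQDN are constructed sample values.
set -eu

# SHA-256 of the RSA modulus: identical for a key, its CSR and its certificate.
modulus_digest() {  # $1 = rsa|req|x509, $2 = file, $3 = key passphrase (rsa only)
  if [ "$1" = rsa ]; then
    openssl rsa -in "$2" -passin "pass:${3:-}" -noout -modulus
  else
    openssl "$1" -in "$2" -noout -modulus
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints "<key bits> <public exponent>"; the page's settings give "2048 65537" (F4).
key_params() {  # $1 = key file, $2 = passphrase
  text=$(openssl rsa -in "$1" -passin "pass:$2" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1)
  exp=$(printf '%s\n' "$text" | sed -n 's/^publicExponent: \([0-9]*\).*/\1/p')
  echo "$bits $exp"
}

# Common Name requested in the CSR.
csr_cn() { openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }

# Prints "ok" or the first failed check: key $1, passphrase $2, CSR $3, cert $4, FQDN $5.
check_set() {
  k=$(modulus_digest rsa "$1" "$2")
  [ "$(key_params "$1" "$2")" = "2048 65537" ] || { echo "key-params"; return 1; }
  [ "$(csr_cn "$3")" = "$5" ] || { echo "csr-cn-mismatch"; return 1; }
  [ "$(modulus_digest req "$3")" = "$k" ] || { echo "csr-key-mismatch"; return 1; }
  [ "$(modulus_digest x509 "$4")" = "$k" ] || { echo "cert-key-mismatch"; return 1; }
  echo "ok"
}

# Constructed sample set; a self-signed certificate stands in for the CA-issued one.
make_sample() {  # $1 = output directory, $2 = passphrase, $3 = FQDN
  openssl genrsa -des3 -passout "pass:$2" -out "$1/gw.key" 2048 2>/dev/null
  openssl req -new -key "$1/gw.key" -passin "pass:$2" -subj "/C=NL/O=Example/CN=$3" -out "$1/gw.req"
  openssl x509 -req -in "$1/gw.req" -signkey "$1/gw.key" -passin "pass:$2" -days 30 -out "$1/gw.crt" 2>/dev/null
  # Certificate for an unrelated key, to exercise the mismatch case.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" -subj "/CN=$3" -days 30 -out "$1/other.crt" 2>/dev/null
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_sample "$dir" 'sample-pass' gateway.example.com
check_set "$dir/gw.key" 'sample-pass' "$dir/gw.req" "$dir/gw.crt" gateway.example.com
check_set "$dir/gw.key" 'sample-pass' "$dir/gw.req" "$dir/other.crt" gateway.example.com || true
```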

Create the Access Gateway Virtual Server

On the Configuration tab go to VPN and then on the right side click on Access Gateway wizard

Click on Next

Fill in the IP Address; this is the IP address the outside IP address must point to. Fill in port number 443 and the Virtual Server Name (anything you like). After this wizard, configure your router and/or firewall to redirect port 443 (and optionally port 80) from outside to this IP address.

Under Certificate Options choose Use an installed certificate and private key pair. Under Server Certificate choose the certificate installed in the previous step.

Fill in the DNS Server IP Address of your DNS server and leave WINS IP Address blank. Choose DNS as Name Lookup Priority and click Next.

Choose LDAP as authentication type. Under Connection Settings fill in the requested information as shown in the screenshot above and click on Retrieve Attributes

Click OK

Set Configure Authorization to Allow. Optionally you can enable Port 80 redirection. Click Next

Select what is applicable and click Next

Click Finish

Click Exit

The next step is to configure the LDAP server and LDAP policy and assign it to the Access Gateway. Go to menu VPN > Policies > Authentication/Authorization > Authentication > LDAP. On the right side of the screen select the Servers tab, on the lower side of the screen click Add

Fill in the following information:

Name: Any name you want
IP Address: The IP address of your AD Domain Controller
Base DN (location of users): Distinguished Name of the domain
Administrator Bind DN: A domain administrator account name
Administrator Password: The password of the domain administrator account
Confirm Administrator Pass: Same as above

Click on Retrieve Attributes

Click OK

Click on Create and Close

Go to the Policies tab and click Add

Fill in the following information:

Name: Any name you want
Server: The LDAP server created in the previous step

Select True value and click Add Expression, then click Create and Close

Go to menu VPN > Virtual Servers on the right side of the screen, right click the server and click Open

Go to the Authentication tab and click on Insert Policy to apply the policy created in the previous step. Click OK

At this point you can already log on to the NetScaler with the external URL (you must have configured the router to allow the 443 traffic to the Access Gateway IP Address).

Configure Access Gateway to redirect to Citrix StoreFront

Go to menu VPN and on the right side of the screen click Published application wizard

Click Next

Select the Virtual Server Name created in previous steps and click Next

Under “Web Interface Address” enter the internal web address of the Citrix StoreFront server. Under “Single Sign-on Domain” enter your domain name. Click Add to add the STAs of your XenApp server(s) and/or XenDesktop server(s) in this format: “http(s)://<servername>”. In previous versions it was necessary to add “/scripts/ctxsta.dll” to this path, but with this version of the NetScaler it is not needed (in my case).

Click Next

Select “SETVPNPARAMS_POL” and click Next

Click Finish

Click Exit

Citrix StoreFront has a “Green Bubble” theme by default. This theme is also available in the NetScaler Access Gateway. To configure the same theme on the NetScaler go to menu VPN > Global Settings and on the right side of the screen click Change global settings.

Open the Client Experience tab and select the GREENBUBBLE UI Theme. Click OK

Go to the Published Applications tab and set ICA Proxy ON. Click OK

Configure Citrix StoreFront

The final step is to configure the Citrix StoreFront server to work with the NetScaler Access Gateway.

Go to the StoreFront server and open the Authentication tab, on the right side, click on Add/Remove Methods

Select all the options and click OK

Go to the Gateways tab, on the right side of the screen click Add Gateway Server

Fill in the Display name (any name you like). In the Gateway URL field fill in the external NetScaler address users will enter in their browsers (https://..) and add “/Citrix/<storename>Web” to the end of it (see screenshot). Click Next.

Fill in the Callback URL; this is the external NetScaler address (https://..). Click Next.

Click Add and enter the STAs of your XenApp and/or XenDesktop servers and click OK

Click Create

Click Finish

Go to the Stores tab and click Enable Remote Access

Select Full VPN tunnel and click OK

At this point everything should be working fine. If the NetScaler does not successfully forward to the StoreFront website, make sure the NetScaler can find the NetBIOS name of the Citrix StoreFront server (or alias). If this is not the case, add the DNS Address record of the StoreFront server (or alias) to the DNS of the NetScaler.

You can now access the Citrix NetScaler Access Gateway at https://<server address>

After the logon you will be redirected to the Citrix StoreFront server with the same UI Theme.


Cannot Complete your Request

When receiving this error, make sure you applied the following:

Edit the Windows hosts file and add a new entry that maps the external address to the IP address of your (internal) Gateway VIP. For example:

As an alternative you can create a DNS record.
