A few weeks ago I wrote a blog about Configuring NetScaler Access Gateway VPX and Citrix StoreFront. This blog was based on the NetScaler Access Gateway Enterprise Edition 10.0 with Citrix StoreFront 1.2. Last week Citrix released NetScaler ADC VPX 10.1 at Synergy 2013. Of course I want to look at it right away. The first thing I noticed is the improved interface and the new welcome wizard (see screenshots below).
I know you can do a lot with the NetScaler, but this blog is limited to uploading the NetScaler VPX to a Citrix XenServer, configuring the NetScaler VPX, installing the SSL certificate, setting up the NetScaler Gateway and, finally, installing and configuring the Web Interface on NetScaler.
Before you begin, make sure you have the Java Runtime installed and that you have a license file for the NetScaler. The NetScaler needs an SSL certificate, so make sure you can have one created by a CA. For this blog I will use Go Daddy and describe the steps for creating it there.
Downloading the NetScaler VPX and the Web Interface Components
For this installation I will download “NetScaler ADC VPX for XenServer 10.1 Build 112.13” from the Citrix website.
For the “Web Interface on NetScaler 10” I will download the “Web Interface on NetScaler Installation Package” and for the Java part I will use the “Open JDK6 Package”.
Uploading the NetScaler VPX to the XenServer
In Citrix XenCenter, open the File menu and choose the option Import…
Browse to the NetScaler VPX and click Next
Select your XenServer and click on Next
Select the storage you want to upload the NetScaler to and click Import
Select the network interface you want to connect the NetScaler to and click Next
Click Finish
Configuring the Netscaler ADC VPX
Start the NetScaler and go to the Console tab of the virtual machine (XenCenter). Enter the desired IP Address (this will be the management interface IP address, a.k.a. NSIP), Netmask and Gateway address.
After entering all the network information a menu should appear, but in this version of the NetScaler that is not the case. From earlier versions I know option 4 is “Save and Quit”, so type 4 and press Enter.
After the NetScaler has rebooted, open Internet Explorer and enter the NSIP address (management interface IP address). Log in with User Name: nsroot and Password: nsroot
The new Welcome screen appears. Fill in the Subnet IP Address (will be used to connect to the resource servers), the Hostname and the DNS server. Select the correct time zone and optionally change the administrator password. Click Continue.
Click Browse to select your license file.
Select the license file uploaded in the previous step and click Continue
Click Yes to reboot the NetScaler
Installing the SSL Certificate
On the Configuration tab go to the Traffic Management > SSL menu, on the right side of the screen click on Create RSA Key
Fill in the following information:
Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above
Click OK and then Close
The next step is to create a request that needs to be sent to the CA. On the right side of the screen click Create CSR (Certificate Signing Request)
Fill in the following information:
Request File Name: “name”.REQ, anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Country: Your Country
Organization Name: The name of your organization
State or Province: Your State or Province
Common Name: This is the address the users will type in their browsers
Challenge Password: A password you like
Click OK and then Close
The .REQ file needs to be downloaded so it can be imported at the CA. Go to “Manage Certificates / Keys / CSRs”
Select the .REQ file and click Download. Click on Browse to give a “Save in” location, click on Download and then Close.
Open the .REQ file in Notepad and copy all the text. Go to your CA (in my case Go Daddy) to create the certificate or re-key an existing certificate by pasting the text from the .REQ file.
After creating the certificate, download it. Select IIS7 as server type.
After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and Upload the .crt file.
Go to the menu Traffic Management > SSL > Certificates. On the upper right side of the screen click on Install…
Fill in the following information:
Certificate-Key Pair Name: Any name you want
Certificate File Name: Browse to the .crt file you just uploaded
Key File Name: Browse to the .KEY file created earlier
Password: The password entered when creating the request
Certificate Format: PEM
Click on Create and Close
After the installation you can see the status and the number of days until the certificate expires.
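A check worth running before the Install step above, added here as an example (it is not part of the original post or of Citrix tooling): using OpenSSL, it confirms that the .crt returned by the CA carries the same RSA modulus as the .key and .REQ created earlier. File names, passphrase and subject are constructed placeholders, and a self-signed certificate stands in for the CA reply so the script runs offline.

```shell
#!/bin/sh
# Added example: file names, passphrase and subject are constructed placeholders.

# Print a SHA-256 digest of the RSA modulus held in a key, CSR or certificate.
# $1 = key|csr|crt, $2 = file, $3 = PEM passphrase (key only)
modulus_hash() {
    case "$1" in
        key) m=$(openssl rsa  -in "$2" -passin "pass:$3" -noout -modulus 2>/dev/null) || return 1 ;;
        csr) m=$(openssl req  -in "$2" -noout -modulus 2>/dev/null) || return 1 ;;
        crt) m=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$m" ] || return 1
    printf '%s' "$m" | openssl dgst -sha256 | awk '{print $NF}'
}

# Print "match" only when key, CSR and certificate share one modulus.
# $1 = key file, $2 = passphrase, $3 = CSR file, $4 = certificate file
check_pair() {
    k=$(modulus_hash key "$1" "$2") || { echo "unreadable key"; return 1; }
    r=$(modulus_hash csr "$3")      || { echo "unreadable csr"; return 1; }
    c=$(modulus_hash crt "$4")      || { echo "unreadable crt"; return 1; }
    if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then echo match
    else echo mismatch; return 1; fi
}

# Build constructed test material in directory $1, mirroring the GUI choices
# (2048-bit RSA, PEM, DES3-encrypted key; exponent F4 is the OpenSSL default).
make_demo() {
    openssl genrsa -des3 -passout pass:demo-pass -out "$1/gw.key" 2048 2>/dev/null
    openssl req -new -key "$1/gw.key" -passin pass:demo-pass \
        -subj "/C=NL/ST=Example/O=Example Org/CN=gateway.example.com" -out "$1/gw.req"
    # Self-signing stands in for the CA so the example runs offline.
    openssl x509 -req -in "$1/gw.req" -signkey "$1/gw.key" -passin pass:demo-pass \
        -days 30 -out "$1/gw.crt" 2>/dev/null
    # Unrelated certificate, as if the wrong download had been uploaded.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -subj "/CN=other.example.com" -days 30 -out "$1/other.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
check_pair "$demo_dir/gw.key" demo-pass "$demo_dir/gw.req" "$demo_dir/gw.crt"
check_pair "$demo_dir/gw.key" demo-pass "$demo_dir/gw.req" "$demo_dir/other.crt" || true
```

Comparing only `modulus_hash csr` with `modulus_hash crt` needs no private key, so that part can run on the workstation where the .crt was downloaded without copying the .key off the appliance.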
Create the NetScaler Gateway Virtual Server
On the Configuration tab go to NetScaler Gateway and then on the right side click on NetScaler Gateway wizard
Click on Next
Fill in the IP Address; this is the address that the outside IP address must point to. Fill in port number 443 and the Virtual Server Name (anything you like). After this wizard, configure your router and/or firewall to redirect port 443 (and optionally port 80) from outside to this IP address.
Under Certificate Options choose Use an installed certificate and private key pair. Under Server Certificate choose the certificate installed in the previous step.
Fill in the DNS Server IP Address of your DNS server and leave WINS IP Address blank. Choose DNS as Name Lookup Priority and click Next
Choose LDAP as authentication type. Under Connection Settings fill in the requested information as shown in the screenshot above and click on Retrieve Attributes.
Click OK
Set Configure Authorization to Allow. Optionally you can enable Port 80 redirection. Click Next
Select what is applicable and click Next
Click Finish
Click Exit
The next step is to configure the LDAP server and LDAP policy and assign it to the NetScaler Gateway. Go to menu NetScaler Gateway > Policies > Authentication > LDAP. On the right side of the screen select the Servers tab, and then click Add.
Fill in the following information:
Name: Any name you want
IP Address: The IP address of your AD Domain Controller
Base DN (location of users): Distinguished Name of the domain
Administrator Bind DN: A domain administrator account name
Administrator Password: The password of the domain administrator account
Confirm Administrator Pass: Same as above
Click on Retrieve Attributes
Click OK
Click on Create and Close
Go to the Policies tab and click Add
Fill in the following information:
Name: Any name you want
Server: The LDAP server created in the previous step
Select True value and click Add Expression, then click Create and Close
Go to menu NetScaler Gateway > Virtual Servers, select the server created in the previous steps and click Open…
Go to the Authentication tab and click on Insert Policy to apply the policy created in the previous step. Click OK
At this point you can already log on to the NetScaler with the external URL (you must have configured the router to allow the 443 traffic to the Access Gateway IP address).
Installing the Web Interface on NetScaler
Go to menu System > Web interface, on the right side of the screen click on Web Interface Wizard
Click Next
Browse locally to the downloaded Web Interface and Java Runtime tar files. Set Maximum number of sites to 3 and click Next.
Click OK
Select GatewayDirect as Default Access Method, select the NetScaler Gateway Vserver and enter the STAs of your XenApp and/or XenDesktop controllers/brokers. Click Next.
You now have the option to customize the Web Interface Site Appearance; fill in what you want to customize and click Next
Click Next
Click Add
Enter the information of your XenApp Controller or XenDesktop Broker and click Create and Close (repeat this step if you want to add more XenApp / XenDesktop farms)
Click Next
Click Finish
Click Exit
Configure the NetScaler to redirect to the Web Interface
Go to menu NetScaler Gateway and on the right side of the screen click Published application wizard
Click Next
Select the Virtual Server Name created in previous steps and click Next.
Enter the Web Interface Address “http://127.0.0.1:8080/Citrix/XenApp” and fill in the Single Sign-on Domain. Click Add to add the STAs of your XenApp server(s) and/or XenDesktop server(s) in this format: “http(s)://<servername>.<domainname>”. In previous versions you had to add “/scripts/ctxsta.dll” to this path, but with this version of the NetScaler it is not needed (in my case).
Click Next
Select “SETVPNPARAMS_POL” and click Next
Click Finish
Click Exit
At this point everything should be working fine and you can now access the NetScaler Gateway at https://<server address>
After the logon you will be redirected to the Web Interface with the customizations you specified during the wizard.
Great blog post man, just got a tip from one of my readers. The Netscaler wizard now seems to work much better than the earlier versions. I did a lot of hands-on with this version at Citrix Synergy.
Thanks Eric. The wizard is indeed a big improvement but also the complete interface.
Gr8 blog.
Thanks for the run down on 10.1. Would you by any chance know or have tested if the EPA scanner in 10.1 has improved functionality for Windows Security / Antivirus detection?
This is a great blog! I have not had the opportunity to setup the new version; however, this will assist in getting it configured correctly when I do.
Andre
Robin, great log. I’m not up to date on NetScaler so this is a great stepping stone. Keep up the good work.
Dave
Great post Robin. I had my first look at the 10.1 last week at a customer site and liked the new “neo”. I’ve never completely trusted “wizard” installs. During my install I chose not to use the wizard and elected to use the old guia. Maybe as I have time to try your steps in our lab and then I might trust the wizard.
I cannot thank you enough..lol
firewall/netscaler novice here,
On the physical Netscaler device, how many network interfaces do I need, is one DMZ cable/port enough to carry all traffic from web and to internal network for MIP, SNIP, VIP and public traffic?
Hi Team,
I have one question. Where you mentioned the steps to go to Go Daddy or another CA provider, paste the text from our downloaded certificate and create a new certificate… there I have a question.
Can’t we use the same downloaded certificate? Because we don’t have any Go Daddy or other CA provider and also we don’t like to purchase that, as I am just doing this exercise for POC purposes.
So, can anyone suggest an alternative way, or a way of skipping the certificate? I would like to use NetScaler VPX.
Superb.. Really Gr8… Thanks
You are my hero … great job on the blog. Nice screenshots and concise instructions…
I can assure you, after spending quite some time working on the not very intuitive netscaler, Robin’s how to is simply the best on the Internet. An amazingly accurate and informative article, that will get you through the configuration, with zero difficulty. Thank you Robin, for your efforts in helping us, the Netscaler Challenged!!
Thanks!
Awesome and complete! Saved me hours of ripping my hair out. Thanks Robin
Hi Robin, extremely nice post.
I have one question:
Is the WI installed in the NetScaler a better choice than using an (or two) external (Windows) WI 5.4?
The vendor who installed my NS tells me that the “future” of the WI in the NS is not “confirmed”.
I’m lost with the different solutions available to load balance users on WI (for redundancy and to unload the WI).
1) simple VIP to LB on the WI (on windows servers)
2) using the Netscaler access gateway as an ICA proxy
3) using the WI provided by the Netscaler
My NS handles more than 200 simultaneous connections; I prefer having 2 Windows WI, so each handles 100 connections.
Thx
Hello Nicolas, WI is officially EOL in 2015. There are “rumors” that StoreFront is coming to the NetScaler. Till then I always install StoreFront servers on external Windows Server systems.
Hi Robin, Thank you for your informative guides. Using a combination of three of them I’ve configured Storefront 2.0, with Netscaler VPX 10.1 – This is working great internally and externally for Windows clients with the latest Windows Receiver and after downloading the IOS Receiver I’m able to use the same external URL for iPads to connect to, which prompts to download the ICA file and then launches the published app with Receiver – Is there a way though that I can login just using the IOS Receiver app rather than browsing with Safari first?
Thanks,
David
Hello David, maybe this link will help you config the NetScaler for access with Receiver: http://support.citrix.com/article/CTX124937
Best step-by-step on the web right here. Exactly what I was needing.. Cheers and thank you Robin!
Hi Robin,
I am using IE10, can you suggest a tool for capturing screenshot sequences including the java applets when you are doing a config for NS10.1?
cheers
Andrew
You can use Snagit for that.
thanks Robin!
Superb and Really Great. Thanks.
Fantastic blog.
The only thing I had to do was add an A record to my local DNS so I could resolve the public DNS of my NetScaler to its internal port from the XenDesktop server. Other than that worked a dream.
Thanks
good article