NetScaler Gateway with Citrix Desktops & Apps: The Ultimate How-To Guide for Successful Deployments
Lucas Araujo, Readiness Specialist
May 2015
© 2015 Citrix (v2, March)
Agenda
• Traffic flow for NetScaler Gateway deployment scenarios
• How policies and Smart Access filters operate, and the configuration considerations for StoreFront
• Troubleshooting tips to identify common issues in NetScaler Gateway deployments
Physical Deployment Modes: One-Arm
[Diagram: public and private sides of a one-arm NetScaler; flow 1. User Request, 2. User Request, 3. Response, 4. Response]
Physical Deployment Modes: Two-Arm
[Diagram: public and private sides of a two-arm NetScaler; flow 1. User Request, 2. User Request, 3. Response, 4. Response]
Published Application Enumeration Workflow
[Diagram: External / DMZ / Internal zones; NetScaler, StoreFront, XenApp/XenDesktop and LDAP; links labelled 443, 80/443, STA/XML and LDAP 389/636]
Published Application Launch Workflow
[Diagram: External / DMZ / Internal zones; NetScaler, StoreFront, XenApp/XenDesktop; links labelled 443, 80/443, STA/XML and ICA/CGP 1494/2598]
Policies & Configuration: How Policies and Smart Access Filters operate & configuration considerations
Session Policies
• Receiver Session Policy
• Receiver for Web Session Policy
What Gets Created?
Troubleshooting: Potential Issue Areas
[Diagram: External / DMZ / Internal; NetScaler (VIP, NSIP, SNIP or MIP), StoreFront, XenApp/XenDesktop, LDAP; check ports and IP rules at every hop]
Problem Types:
• Authentication: LDAP/LDAPS (TCP) - 389/636; 1- Auth Svr Settings, 2- NS Trace, 3- aaad.debug; Security Event Log on DC (LDAP or IAS)
• Authorization: 1- Auth Settings, 2- NS.log; nssslvpn.txt
• App Enumeration: StoreFront/Web Interface: 1- SF/WI Site Settings, 2- SF/WI Trace, 3- Event Log; NetScaler: 1- Profile Settings, 2- NetScaler Trace, 3- Certificate; XenApp/XenDesktop: 1- XML Settings, 2- STA Logging, 3- CDF Tracing; nssslvpn.txt
• App Launch: ICA file - ID; STA path on SF/WI; 1- NS Trace, 2- STA Monitor (newnslog), 3- Licensing; CDF Tracing
Troubleshooting: Potential Issue Areas (Authentication)
[Diagram: External / DMZ / Internal; NetScaler (VIP, NSIP, SNIP or MIP), StoreFront, XenApp/XenDesktop, LDAP; the authentication arrow runs from the NSIP to LDAP]
Problem Type: Authentication
• LDAP/LDAPS (TCP) - 389/636
• 1- Auth Svr Settings, 2- NS Trace, 3- aaad.debug
• Security Event Log on DC (LDAP or IAS)
aaad.debug: successful authentication (send_accept)
root@ns# cat /tmp/aaad.debug
Wed Aug 6 16:07:47 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[359]: process_kernel_socket call to authenticate user :ica, vsid :716
Wed Aug 6 16:07:47 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth ica @ 172.16.1.27
Wed Aug 6 16:07:47 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291]: receive_ldap_bind_event receive ldap bind event
Wed Aug 6 16:07:47 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[551]: receive_ldap_user_search_event built group string for ica of: notepad
Wed Aug 6 16:07:47 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1142]: send_accept sending accept to kernel for : ica
aaad.debug: rejected authentication (send_reject)
root@ns# cat /tmp/aaad.debug
Wed Aug 6 16:03:49 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[359]: process_kernel_socket call to authenticate user :ica, vsid :716
Wed Aug 6 16:03:49 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth ica @ 172.16.1.27
Wed Aug 6 16:03:49 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291]: receive_ldap_bind_event receive ldap bind event
Wed Aug 6 16:03:49 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[551]: receive_ldap_user_search_event built group string for ica of: notepad
Wed Aug 6 16:03:49 2008
/home/build/rs_81_58_1/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1198]: send_reject sending reject to kernel for : ica
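Reading aaad.debug by hand works for one login; the parser below (an added example, not part of the deck or of any Citrix tool) folds the nsaaad entries into one record per request so accept/reject verdicts, the LDAP server tried and the extracted group string can be compared across many logins. The sample is constructed from the two excerpts above (build paths shortened, second request changed to a constructed user "bob").

```python
import re

# Constructed sample in the layout nsaaad writes (timestamp line, then "<source>[line]:
# <function> <message>"), build paths shortened to "...". Request 1 mirrors the accepted
# "ica" login shown above; request 2 is a constructed rejected login for user "bob".
SAMPLE = """\
Wed Aug 6 16:07:47 2008
.../netscaler/aaad/naaad.c[359]: process_kernel_socket call to authenticate user :ica, vsid :716
Wed Aug 6 16:07:47 2008
.../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth ica @ 172.16.1.27
Wed Aug 6 16:07:47 2008
.../netscaler/aaad/ldap_drv.c[551]: receive_ldap_user_search_event built group string for ica of: notepad
Wed Aug 6 16:07:47 2008
.../netscaler/aaad/naaad.c[1142]: send_accept sending accept to kernel for : ica
Wed Aug 6 16:03:49 2008
.../netscaler/aaad/naaad.c[359]: process_kernel_socket call to authenticate user :bob, vsid :716
Wed Aug 6 16:03:49 2008
.../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth bob @ 172.16.1.27
Wed Aug 6 16:03:49 2008
.../netscaler/aaad/naaad.c[1198]: send_reject sending reject to kernel for : bob
"""

TS = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}"
# One entry = timestamp, source file and line, function, message up to the next timestamp.
ENTRY = re.compile(rf"({TS})\s*(\S+?\.c)\[(\d+)\]:\s*(\w+)\s+(.*?)(?={TS}|$)", re.S)

def parse_aaad(text):
    """One record per auth request; entries are found by timestamp, so flattened copies parse too."""
    requests, current = [], None
    for m in ENTRY.finditer(text):
        ts, _src, _line, func, msg = m.groups()
        msg = " ".join(msg.split())
        if func == "process_kernel_socket":  # kernel hands nsaaad a new request
            u = re.search(r"user :(\S+?), vsid :(\d+)", msg)
            current = {"time": ts, "user": u.group(1), "vsid": int(u.group(2)),
                       "ldap_server": None, "groups": None, "outcome": "pending"}
            requests.append(current)
        elif current is None:
            continue
        elif func == "start_ldap_auth":      # LDAP server the bind was attempted against
            current["ldap_server"] = msg.rsplit("@", 1)[1].strip()
        elif "built group string" in msg:    # group extraction result for the user
            current["groups"] = msg.split("of:", 1)[1].strip()
        elif func in ("send_accept", "send_reject"):  # verdict returned to the kernel
            current["outcome"] = func.split("_")[1]
            current = None
    return requests
```

A request that never reaches send_accept or send_reject stays "pending", which is itself a useful signal (the LDAP server did not answer in time).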
Troubleshooting: Potential Issue Areas (Authorization)
[Diagram: External / DMZ / Internal; NetScaler (VIP, SNIP or MIP), StoreFront, XenApp/XenDesktop, LDAP; check ports and IP rules]
Problem Type: Authorization
• 1- Auth Settings, 2- NS.log
• nssslvpn.txt
Grep ns.log
• # grep sac /var/log/ns.log
• Aug 1 16:00:37 <local0.alert> 10.217.140.160 08/01/2008:23:00:37 GMT ns 1958 : SSLVPN HTTP_RESOURCEACCESS_DENIED : Context [email protected] - User sac - Total_bytes_send 642 - Remote_host www.slashdot.org - Denied_url GET / - Denied_by_policy "SAC" - Group(s) "N/A"
• Aug 1 16:01:33 <local0.alert> 10.217.140.160 08/01/2008:23:01:33 GMT ns 2018 : SSLVPN HTTP_RESOURCEACCESS_DENIED : Context [email protected] - User sac - Total_bytes_send 484 - Remote_host 172.16.1.28 - Denied_url GET /cvpn/hHBFHmhttp://172.16.1.28/citrix/NSG - Denied_by_policy "SAC" - Group(s) "N/A"
• Aug 1 16:01:34 <local0.alert> 10.217.145.160 08/01/2008:23:01:34 GMT ns 2019 : SSLVPN NONHTTP_RESOURCEACCESS_DENIED : Context [email protected] - User sac - Client_ip 10.216.106.63 - Nat_ip "Mapped Ip" - Vserver 10.217.140.162:443 - Source 10.216.106.63:1888 - Destination 172.16.1.27:139 - Total_bytes_send 293 - Total_bytes_recv 0 - Denied_by_policy "SAC" - Group(s) "N/A"
• Aug 1 16:07:07 <local0.alert> 10.217.140.160 08/01/2008:23:07:07 GMT ns 2077 : SSLVPN HTTP_RESOURCEACCESS_DENIED : Context [email protected] - User sac - Total_bytes_send 484 - Remote_host 172.16.1.28 - Denied_url GET /cvpn/9nVti7http://172.16.1.28/citrix/NSG - Denied_by_policy "SAC" - Group(s) "N/A"
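The grep above returns the raw lines; the parser below (an added example, not from the deck or any Citrix tool) turns the SSLVPN *_RESOURCEACCESS_DENIED entries into records and groups the blocked targets by the denying policy, which is the quickest way to see which authorization policy is in the way. The sample lines are constructed from the format shown, with the masked Context value replaced by a constructed user@client_ip.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ns.log entries shown above. The Context field,
# masked on the slide, is filled with a constructed user@client_ip; the last line is junk.
NS_LOG = """\
Aug 1 16:00:37 <local0.alert> 10.217.140.160 08/01/2008:23:00:37 GMT ns 1958 : SSLVPN HTTP_RESOURCEACCESS_DENIED : Context sac@10.216.106.63 - User sac - Total_bytes_send 642 - Remote_host www.slashdot.org - Denied_url GET / - Denied_by_policy "SAC" - Group(s) "N/A"
Aug 1 16:01:33 <local0.alert> 10.217.140.160 08/01/2008:23:01:33 GMT ns 2018 : SSLVPN HTTP_RESOURCEACCESS_DENIED : Context sac@10.216.106.63 - User sac - Total_bytes_send 484 - Remote_host 172.16.1.28 - Denied_url GET /cvpn/hHBFHmhttp://172.16.1.28/citrix/NSG - Denied_by_policy "SAC" - Group(s) "N/A"
Aug 1 16:01:34 <local0.alert> 10.217.140.160 08/01/2008:23:01:34 GMT ns 2019 : SSLVPN NONHTTP_RESOURCEACCESS_DENIED : Context sac@10.216.106.63 - User sac - Client_ip 10.216.106.63 - Nat_ip "Mapped Ip" - Vserver 10.217.140.162:443 - Source 10.216.106.63:1888 - Destination 172.16.1.27:139 - Total_bytes_send 293 - Total_bytes_recv 0 - Denied_by_policy "SAC" - Group(s) "N/A"
this line is not a NetScaler syslog entry and must be skipped
"""

# syslog prefix, NSIP, NetScaler timestamp, sequence number, then "SSLVPN <event> : <fields>"
HEADER = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d <[^>]+> (?P<nsip>\S+) (?P<time>\S+ GMT) ns (?P<seq>\d+) : "
    r"SSLVPN (?P<event>\S+) : (?P<body>.*)$")

def parse_denials(text):
    """Records for HTTP_ and NONHTTP_RESOURCEACCESS_DENIED lines; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m or not m["event"].endswith("_RESOURCEACCESS_DENIED"):
            continue
        rec = {"time": m["time"], "nsip": m["nsip"], "event": m["event"]}
        for field in m["body"].split(" - "):     # fields are "Key value", " - " separated
            key, _, value = field.partition(" ")  # value may contain spaces or be quoted
            rec[key] = value.strip('"')
        records.append(rec)
    return records

def denied_targets(records):
    """Map each denying policy to the sorted targets it blocked (HTTP host or ip:port)."""
    by_policy = defaultdict(set)
    for r in records:
        by_policy[r["Denied_by_policy"]].add(r.get("Remote_host") or r.get("Destination"))
    return {policy: sorted(targets) for policy, targets in by_policy.items()}
```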
Troubleshooting: Potential Issue Areas (App Enumeration)
[Diagram: External / DMZ / Internal; NetScaler (VIP, SNIP or MIP), StoreFront, XenApp/XenDesktop, LDAP; check ports and IP rules]
Problem Type: App Enumeration
• StoreFront/Web Interface: 1- SF/WI Site Settings, 2- SF/WI Trace, 3- Event Log
• NetScaler: 1- Profile Settings, 2- NetScaler Trace, 3- Certificate
• XenApp/XenDesktop: 1- XML Settings, 2- STA Logging, 3- CDF Tracing
• nssslvpn.txt
Verify private key
openssl x509 -noout -modulus -in certificate.crt
openssl rsa -noout -modulus -in privateKey.key
openssl req -noout -modulus -in CSR.csr
Each command prints the RSA modulus of its file; the certificate, private key and CSR belong together only if all three print the same modulus.
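Comparing three long hex moduli by eye is error-prone, so the helper below (an added example, not Citrix's tooling) runs the slide's three openssl commands and compares a digest of each modulus. It assumes the openssl binary is on PATH; make_sample_pair() generates a throwaway key, self-signed certificate and CSR purely as constructed test material, using the slide's file names.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

# The slide's three commands; each prints "Modulus=<hex>" for its file type.
MODULUS_CMD = {
    "cert": ["openssl", "x509", "-noout", "-modulus", "-in"],
    "key": ["openssl", "rsa", "-noout", "-modulus", "-in"],
    "csr": ["openssl", "req", "-noout", "-modulus", "-in"],
}

def modulus_digest(kind, path):
    """Short SHA-256 of the RSA modulus openssl reports; easier to compare than the raw hex."""
    out = subprocess.run(MODULUS_CMD[kind] + [str(path)], capture_output=True, text=True, check=True).stdout
    return hashlib.sha256(out.strip().split("=", 1)[-1].upper().encode()).hexdigest()[:16]

def key_matches(cert, key, csr=None):
    """True only if the certificate, private key (and CSR, if given) share one modulus."""
    digests = {modulus_digest("cert", cert), modulus_digest("key", key)}
    if csr is not None:
        digests.add(modulus_digest("csr", csr))
    return len(digests) == 1

def make_sample_pair(cn="gateway.example.test"):
    """Constructed test material only: a fresh key, self-signed cert and CSR in a temp dir."""
    d = Path(tempfile.mkdtemp())
    key, cert, csr = d / "privateKey.key", d / "certificate.crt", d / "CSR.csr"
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", f"/CN={cn}", "-keyout", str(key), "-out", str(cert)],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "req", "-new", "-key", str(key), "-out", str(csr),
                    "-subj", f"/CN={cn}"], check=True, capture_output=True)
    return cert, key, csr
```

On the appliance the same comparison is the first thing to do when a certificate-key pair fails to bind to the Gateway vserver.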
Priority of Policies
Priority Order (by binding point):
• User (highest priority)
• Group
• Virtual Server
• Global (lowest priority)
Priority Number: the numerical priority takes precedence regardless of where the policy is bound.
How To See Policy Hits (http://support.citrix.com/article/CTX138840)
1 7001 30 1 0 pol_hits Policy(LDAP)
3 0 28 1 0 pol_hits Policy(PL_WB_10.25.223.119)
Troubleshooting: Potential Issue Areas (App Launch)
[Diagram: External / DMZ / Internal; NetScaler (VIP, SNIP or MIP), StoreFront, XenApp/XenDesktop, LDAP; check ports and IP rules]
Problem Type: App Launch
• ICA file - ID
• STA path on SF/WI
• 1- NS Trace, 2- STA Monitor (newnslog), 3- Licensing
• CDF Tracing
license.log
1:47:12 (CITRIX) SERVER line says HOSTNAME=cag, hostid is HOSTNAME=ns
1:47:12 (CITRIX) Invalid hostid on SERVER line
Users of CAG_SSLVPN_CCU: (Error: 2 licenses, unsupported by licensed serv
Resources
• How To Configure NetScaler Gateway with StoreFront – Deployment Guide
• How To Troubleshoot Authentication on NetScaler - CTX114999
• How To Troubleshoot License Issues – CTX11644
• How To Verify Policy Hits on NetScaler - CTX138840
• How To Enable STA Logging on XenApp - CTX120589
• How To Capture nstrace from NetScaler CLI - CTX120941
• NetScaler + Wireshark – Citrix Blog
Before you leave…
• Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 14 at 9:00 a.m.
– Those who provide feedback by 6pm, Friday, May 15th will receive:
– $20 Amazon e-gift card
– Name entered in a drawing for a free trip to Synergy 2016 (5 chances)
• Download presentations starting Monday, May 18th from the My Event Planning tool