Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetScaler Gateway
How To Troubleshoot Deployments of StoreFront and NetScaler Gateway
Citrix Synergy, May 2014
Juan Zevallos, Escalation Engineer
Tweet about this session with hashtag #SYN401 and #citrixsynergy
© 2014 Citrix. Confidential.

Agenda
Prevent issues during configuration
Narrow down the issue
Tools to troubleshoot the issue
DISCLAIMER: Examples used in this presentation are from an internal test lab environment and are not affiliated with any outside entities.

“Before anything else, preparation is the key to success.” Alexander Graham Bell

StoreFront Configuration: 3 steps
Step 1: Enable Pass-through from NetScaler Gateway
Step 2: Add the Gateway
Step 3: Enable Remote Access

What is the Discovery file?
Automatically configures the Store account in Receiver – receiverconfig.cr

How Do I Access the Discovery file?
Receiver for Web site
StoreFront management console

What’s in a Discovery file?

StoreFront’s BaseURL

NetScaler Gateway Configuration: Quick Configuration Wizard
How To Access the Wizard?
Create the Gateway
Bind SSL Certificate
Select the Authentication Settings
Configure StoreFront Settings

“Success is often achieved by those who don’t know that failure is inevitable.” Coco Chanel

Understanding the Flow
[Diagram: INTERNET, DMZ and INTERNAL NETWORK zones with NetScaler, StoreFront, Active Directory and XenApp/XenDesktop. Port labels: 443, 443/80, 389/636 (Active Directory), STA 80/8080, ICA 1494/2598, ICA 443.]

Authenticating the End User
[Diagram: INTERNET, DMZ and INTERNAL NETWORK zones. Labels: NetScaler 443, Active Directory 389/636.]

Failed to Authenticate

Common Reasons for Authentication to Fail
Communication issue from NSIP or SNIP to the Domain Controller
Bad Service Account used for LDAP Bind
Misconfigured Base DN
Invalid credentials

Troubleshoot Authentication with aaad.debug
http://support.citrix.com/article/CTX114999
> shell
Run the following command to change to the /tmp directory:
cd /tmp
Run the following command to start the debugging process:
cat aaad.debug
start_ldap_auth attempting to auth juanz @ 10.12.33.216
recieve_ldap_bind_event receive ldap bind event
recieve_ldap_user_search_event built group string for juanz of:Domain Admins
send_reject sending reject to kernel for : juanz
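Added example, not part of the original slides or Citrix tooling: a Python triage script that groups aaad.debug lines like the ones above into one record per logon attempt, so a reject can be read next to the LDAP server and group string that preceded it. The `send_accept` line and the user `alice` are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the four lines from the slide, then a made-up successful
# logon for "alice" (the send_accept line format is an assumption).
SAMPLE = """\
start_ldap_auth attempting to auth juanz @ 10.12.33.216
recieve_ldap_bind_event receive ldap bind event
recieve_ldap_user_search_event built group string for juanz of:Domain Admins
send_reject sending reject to kernel for : juanz
start_ldap_auth attempting to auth alice @ 10.12.33.216
recieve_ldap_bind_event receive ldap bind event
recieve_ldap_user_search_event built group string for alice of:VPN Users
send_accept sending accept to kernel for : alice
"""

# Patterns tolerate extra text (source file, session id) between the function
# name and the message, and both spellings of "receive".
START = re.compile(r"start_ldap_auth\b.*attempting to auth (\S+) @ (\S+)")
BIND = re.compile(r"rec(?:ie|ei)ve_ldap_bind_event\b")
GROUPS = re.compile(r"built group string for (\S+) of:\s*(.*)")
VERDICT = re.compile(r"send_(accept|reject)\b.*for : (\S+)")


def summarize(log_text):
    """Group aaad.debug lines into one record per logon attempt.

    Assumes attempts are not interleaved, as in a single-user repro.
    """
    attempts, current = [], None
    for line in log_text.splitlines():
        if m := START.search(line):
            current = {"user": m.group(1), "ldap_server": m.group(2),
                       "bind_seen": False, "groups": None, "verdict": None}
            attempts.append(current)
        elif current is None:
            continue  # capture began mid-attempt; nothing to attach to
        elif BIND.search(line):
            current["bind_seen"] = True
        elif (m := GROUPS.search(line)) and m.group(1) == current["user"]:
            current["groups"] = m.group(2).strip()
        elif (m := VERDICT.search(line)) and m.group(2) == current["user"]:
            current["verdict"] = m.group(1)
    return attempts


def rejected(log_text):
    """Attempts that ended in a reject, with how far the LDAP exchange got."""
    return [a for a in summarize(log_text) if a["verdict"] == "reject"]
```

A record with `bind_seen` false or `groups` empty shows where the exchange stopped before the verdict was sent.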

Internal Server Error 29

Accessing StoreFront After Authentication
[Diagram: INTERNET, DMZ and INTERNAL NETWORK zones. Labels: NetScaler 443, Active Directory 389/636, StoreFront 443/80.]

Receiver for Web vs Receiver Session Policy
Receiver Session Policy
Receiver for Web Session Policy

How To See Policy Hits
http://support.citrix.com/article/CTX138840
> shell
Run the following command to start viewing policy hits:
nsconmsg -d current -g pol_hits
1 7001 30 1 0 pol_hits Policy(192.168.2.10_LDAP_pol)
3 0 28 1 0 pol_hits Policy(PL_WB_192.168.200.10)

Priority of Policies
The numerical priority takes precedence regardless of where the policy is bound.
Priority Order
User (highest priority)
Group
Virtual Server
Global (lowest priority)
Priority Number

Policy for the Web Browser

Accessing StoreFront After Authentication
[Diagram: INTERNET, DMZ and INTERNAL NETWORK zones. Labels: NetScaler 443, Active Directory 389/636, StoreFront 443/80, 443.]

Gateway logon page
StoreFront logon page

Remote Access is NOT Enabled

How Single Sign-On is Invoked on StoreFront

HTTP Header X-Citrix-Via
Enable StoreFront Verbose Logging - CTX139592

Cannot Complete Your Request

How Callback Can Fail
StoreFront cannot resolve the Callback FQDN
StoreFront does not have network connectivity to the Gateway virtual server Port or IP
StoreFront does not trust the Gateway virtual server SSL Certificate
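Added example, not Citrix tooling: the three failure modes above checked in order with Python on the StoreFront server. `check_callback` and its parameters are hypothetical names, and Python's default trust store (loaded from the system certificate stores on Windows) stands in for what StoreFront itself trusts.

```python
import socket
import ssl


def check_callback(fqdn, port=443, timeout=5.0, cafile=None):
    """Walk the three callback failure modes in order; return (stage, detail).

    stage is "dns", "tcp", "tls" or "ok". cafile optionally points at a PEM
    bundle to trust instead of the interpreter's default store.
    """
    # 1. Can this host resolve the Callback FQDN?
    try:
        infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError) as exc:  # UnicodeError: malformed name
        return "dns", f"cannot resolve {fqdn}: {exc}"
    address = infos[0][4][0]

    # 2. Is the Gateway virtual server IP and port reachable?
    try:
        sock = socket.create_connection((address, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot connect to {address}:{port}: {exc}"

    # 3. Does this host trust the certificate presented for that name?
    context = ssl.create_default_context(cafile=cafile)
    try:
        with context.wrap_socket(sock, server_hostname=fqdn) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return "tls", f"handshake with {fqdn} failed: {exc}"
    return "ok", f"{fqdn} -> {address}, certificate CN={subject.get('commonName')}"
```

Pass the host name from the Callback URL exactly as StoreFront has it configured, since both resolution and certificate name matching depend on that name.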

Verify the Certificate Chain
http://digicert.com/help

StoreFront Callback URL Dilemma
[Diagram: NetScaler 1 (ag1.webteam.com), NetScaler 2 (ag1.webteam.com), StoreFront, "? ?"]

Configuring StoreFront with Multiple Gateways
An example of two Gateways configured with the same URL but unique Callback URLs
NetScaler 1: 192.168.200.10, https://callback1.webteam.com
NetScaler 2: 192.168.200.11, https://callback2.webteam.com

DebugView and HTTP Headers

A New Header: X-Citrix-Via-VIP
[Diagram: NetScaler 1 (ag1.webteam.com): X-Citrix-Via-VIP 192.168.200.10, https://callback1.webteam.com. NetScaler 2 (ag1.webteam.com): X-Citrix-Via-VIP 192.168.200.11, https://callback2.webteam.com. StoreFront.]

DebugView and Callback Service

Apps Enumerated

Accessing StoreFront After Authentication
[Diagram: INTERNET, DMZ and INTERNAL NETWORK zones. Labels: NetScaler 443, Active Directory 389/636, StoreFront 443/80, 443, STA 80/8080, ICA 443, XenApp/XenDesktop.]

DebugView and STA Ticket Request

DebugView and STA Ticket Response
STA ID
STA Ticket

Analyze the Default.ica Values
40 = Port 2598
10 = Port 1494
STA ID
STA Ticket

NetScaler Gateway and STA
STA ID
UP State
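Added example, not from the original deck: the Default.ica legend and the Gateway's STA list from the two slides above, checked against each other in Python. It parses the ticketed `Address=` value and reports STA IDs that the Gateway does not have bound or that are not UP. The `Address=;version;STA ID;ticket` layout with repeated ID/ticket pairs, the sample STA ID and the function names are assumptions.

```python
import configparser

# The slide's legend for the first field of Address=: ticket version -> port.
VERSION_PORT = {"40": 2598, "10": 1494}

# Constructed sample launch file; the STA ID is made up, the ticket value is
# the one shown in the RequestData slide.
SAMPLE_ICA = """\
[ApplicationServers]
Calculator=

[Calculator]
Address=;40;STA0123456789AB;5F9EC00DA0ED19CCA447DEFDA802765A
SSLProxyHost=ag1.webteam.com:443
"""


def parse_sta_address(ica_text):
    """Return {app: (port, [(sta_id, ticket), ...])} for each app section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ica_text)
    result = {}
    for section in cp.sections():
        address = cp[section].get("Address")
        if address is None:
            continue
        fields = address.split(";")
        # A ticketed address starts with ';', so fields[0] is empty.
        if len(fields) < 4 or fields[0] != "" or fields[1] not in VERSION_PORT:
            raise ValueError(f"[{section}] Address is not an STA ticket: {address!r}")
        pairs = fields[2:]
        if len(pairs) % 2:
            raise ValueError(f"[{section}] STA ID without a ticket")
        result[section] = (VERSION_PORT[fields[1]], list(zip(pairs[0::2], pairs[1::2])))
    return result


def check_against_gateway(parsed, gateway_stas):
    """gateway_stas: {sta_id: state} as read from the Gateway's STA list."""
    problems = []
    for app, (_port, tickets) in parsed.items():
        for sta_id, _ticket in tickets:
            state = gateway_stas.get(sta_id)
            if state is None:
                problems.append(f"{app}: {sta_id} is not bound on the Gateway")
            elif state != "UP":
                problems.append(f"{app}: {sta_id} is bound but {state}")
    return problems
```

An `Address=` that holds a plain host and port instead of a ticket raises `ValueError`, which is the case to look for when the launch did not go through the Gateway.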

NetScaler Trace and STA
> shell
nstcpdump.sh -A host <IP address or FQDN> and port <port number>

NetScaler Request STA Ticket
<RequestData>
<Ticket ticketType="STAv4">
5F9EC00DA0ED19CCA447DEFDA802765A
</Ticket>
<TicketVersion>40</TicketVersion>
</RequestData>

NetScaler Response STA Ticket
<TicketData>
<Value name="Refreshable">false</Value>
<Value name=… ServerAddress;192.168.2.28:1494…;UserName;juanz;… UserDomain;webteam;…ApplicationName;Calculater…</Value>
<Value name="CGPAddress">192.168.2.28:2598:localhost:1494</Value>
<Value name="ICAAddress">192.168.2.28:1494</Value>
</TicketData>

Accessing StoreFront After Authentication
[Diagram: INTERNET, DMZ and INTERNAL NETWORK zones. Labels: NetScaler 443, Active Directory 389/636, StoreFront 443/80, 443, ICA 1494/2598, ICA 443, XenApp/XenDesktop.]

Communication from NetScaler to 1494/2598

What About Receiver?
Supported Platforms
Windows 7/8/RT/Phone
Mac
Linux
Blackberry
Android
iOS

Common issues for Receiver
The StoreFront Store is inaccessible (internally)
Misconfigured StoreFront BaseURL in Session Profile for Receiver
Internal Beacon is reachable externally
Customizations on the Gateway logon page
iOS Receiver does not support SHA256 SSL Certificates
Android does not support SAN SSL Certificates
Enable Windows Receiver logging – CTX134101

Resources
How To Configure NetScaler Gateway with StoreFront – CTX139963
SSL Certificate Tester – Digicert Tool
How To Troubleshoot Authentication on NetScaler - CTX114999
How To Verify Policy Hits on NetScaler - CTX138840
How To Enable Verbose Tracing/DebugView on StoreFront - CTX139592
How To Enable STA Logging on XenApp - CTX120589
How To Capture nstrace from NetScaler CLI - CTX120941