Creating a NetScaler VPX Amazon Elastic Compute … a NetScaler VPX Amazon Elastic Compute Cloud...

Creating a NetScaler VPX Amazon Elastic Compute Cloud (Amazon EC2) Deployment Reference Architecture

Produced by Citrix Solutions Lab This guide will walk you through an example of how to manually install a NetScaler VPX Amazon EC2 instance and then configure NetScaler for external Citrix Workspace Cloud Apps and Desktops Service connections through StoreFront. Updated October 2015

Citrix.com 2

Table of contents

Section 1: Executive summary ..................................................................... 3 Audience .................................................................................................................... 3 Project Overview ........................................................................................................ 3 Disclaimer ................................................................................................................... 3

Section 2: Pre-Installation Requirements ..................................................... 4

Section 3: How to manually add a NetScaler VPX in AWS ......................... 5 Objective .................................................................................................................... 5

Section 4: Add additional network interfaces into AWS for use by NetScaler 15

Section 5: Obtain an external FQDN\DNS A or CNAME record ................ 25

Section 6: Configure AWS security groups for NetScaler connectivity ...... 28

Addendum ........................................................................................................ 29

Section 7: How to obtain and license a NetScaler VPX system ................ 29

Section 8: NetScaler VPX SSL\certificate configuration ............................ 39

Section 9: Configure NetScaler DNS settings ............................................ 45

Section 10: Enable the NetScaler modes and features ............................ 47

Section 11: How to integrate with XenApp and XenDesktop .................... 49

Section 12: Configuration of the Citrix Workspace Cloud Apps and Desktops environment ................................................................................ 61

Section 13: External client connections .................................................... 62

Section 14: References ............................................................................. 63

3 © 1999-2015 Citrix Systems, Inc. All Rights Reserved.

ards or Solutions Lab Team

Section 1: Executive summary Citrix Workspace Cloud simplifies the management of virtual applications, desktops, mobile devices, and data sharing with its cloud-‐based management platform. You can choose whether you put your resources (hypervisors, VDAs, and StoreFront servers, for example) on premises or in a private or public cloud.

This document will examine the placement of a single NetScaler VPX instance residing in the Amazon Virtual Private Cloud resource and leveraging the broker from Citrix Workspace Cloud and StoreFront from either the Amazon VPC or from the Citrix Workspace Cloud broker for external connections. The use of an existing VDA resource will not be covered within this document.

This document works from the assumption that the reader has an existing AWS account and at a minimum has configured an Active Directory/DNS server within the Amazon EC2 VPC environment. It also assumes you have an understanding of VPC network configuration, security groups, and Route 53 configuration.

For additional Workspace Cloud information, visit www.citrix.com/WorkspaceCloud.

Audience This document is intended for IT decision makers, architects, and partners who are new or first-‐time users to NetScaler VPX and the configuration of the XenApp/XenDesktop deployment through StoreFront for external connections.

Project Overview This project deploys and manages systems from a single cloud source, Amazon. New customers can then use the Workspace Cloud Apps and Desktops Service for further management and control. This document covers the NetScaler VPX installation and configuration and StoreFront connections for external users. Visit http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud.html for Workspace Cloud documentation.

Disclaimer This guide is not intended to constitute legal advice. Customers should consult with their legal counsel regarding compliance with laws and regulations applicable to their particular industry and intended use of Citrix products and services. Citrix makes no warranties, express, implied, or statutory, as to the information in this document.



Section 2: Pre-Installation Requirements

The following checklist of requirements should be completed before additional configuration:

• An Amazon Web Services account and access to the AWS console • Configuration of an Amazon VPC public subnet • Amazon EC2 running instances of the following systems: Microsoft domain controller with

DNS configured, 2x Citrix Workspace Cloud Connector systems, one or more shared hosted desktop systems with the Citrix VDA installed, and a NetScaler 10.5 or 11.x system

• An account on MyCitrix.com with access to obtaining Citrix licenses • A valid thirrd-party server and root PEM certificates to be placed on the NetScaler system • An external FQDN - DNS A record or CNAME record; this will be used by the NetScaler

system and ties in with the above third-party certificate • A Citrix Workspace Cloud Apps and Desktops environment with the StoreFront -

NetScaler Gateway setting configured • One or more external client systems with Citrix Receiver installed with Internet access



Section 3: How to manually add a NetScaler VPX in AWS

Objective The NetScaler VPX deployment in AWS will provide external access to resources placed into an Amazon EC2 VPC environment, allowing the Workspace Cloud resources to leverage the environment. A single NetScaler VPX instance was used for this configuration and can offer 1,500 external user connections.

This document will not go into details on how to create and configure an Amazon VPC, configuration of security groups and general networking, and the Workspace Cloud Apps and Desktops Service configuration specifics.

The following links provide guidelines for deploying a NetScaler VPX in AWS:

Citrix Product Documentation:

http://docs.citrix.com/en-‐us/netscaler/11/getting-‐started-‐with-‐vpx/install-‐vpx-‐on-‐aws.html

Citrix Deployment Guidelines:

NetScaler 10.1:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-‐solutions/deployment-‐practices-‐and-‐guidelines-‐for-‐netscaler-‐101-‐on-‐amazon-‐web-‐services.pdf

NetScaler 10.5:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-‐solutions/deployment-‐practices-‐and-‐guidelines-‐for-‐netscaler-‐105-‐on-‐amazon-‐web-‐services.pdf



Select the EC2 option from the AWS management console.

Click the Launch Instance button.



Select AWS Marketplace in the left menu. Then select the Amazon Machine Image (AMI), and search for Citrix NetScaler. (The suggested option is the “Customer Licensed” edition to allow the customer to license based on their specific needs and also to save on running hourly costs from Amazon.)

Choose an Instance Type based on your needs. Citrix recommends a starting\basic m3.large instance or higher. For this configuration, the below options were utilized.



Configure the Instance Details. For this configuration, an existing VPC network and subnet will be selected. Change the value of Auto-‐assign Public IP to Enabled.

For adding storage, the default will be utilized for this case.



Tag the instance. Although not a requirement, this is useful for tracking AWS instances.

Configure the security group.



Note: These are the default examples used by Amazon. In some cases, these will need to be modified based on your security requirements or specific connection port needs.

Here is a subset of a custom list of inbound AWS security group rules for basic NetScaler connectivity.

Review your instance launch details.



After you click Launch, you will need to provide a new or existing key pair.

Note: For this example, an existing key pair will be selected that is being used for an active region.

It could take a few minutes for the creation of the instance.



Once the instance is in the running state and all status checks have passed, you need to obtain the network interface ID for your NetScaler management interface, as this will be assigned to a public elastic IP address. To obtain the network interface ID, choose the NetScaler instance and click on the network interface in the description tab. Copy the interface ID and save for reference or paste into Notepad.

Click on the elastic IPs on the left, and click the Allocate New Address button. Select the option to View Elastic IP.



Note: you will want to document this IP address for future reference.

Select Associate Address from the Action menu.

Fill in either the Instance or Network Interface ID (this was saved or copied into Notepad earlier for reference), and select the Reassociation option, and then click Associate.

Your NetScaler should now be accessible and ready to be configured. You can connect to it using the AWS elastic public IP address you assigned to the network interface. The default user name will be “nsroot” and the password is the AWS instance ID of the NetScaler AMI instance.



Note: As a security best practice, Citrix does not recommend keeping the External AWS Elastic IP open. Once you have confirmed and completed your configuration, the best practice will be to remove or disable the External AWS Elastic IP and or SSH access. Then all further NetScaler management will be done from within a VM hosted in the AWS resource zone.



Section 4: Add additional network interfaces into AWS for use by NetScaler

The manual process of adding a NetScaler VPX AMI instance gives you a single network interface card (NIC) to be used as the NetsScaler IP address (NSIP) for management connectivity. The administrator will then need to add additional NetScaler NICs to be used for the subnet IP address (SNIP) and the virtual IP address (VIP).

You can have only one NSIP, which is used for management purposes. The SNIP is used for server-‐side connections to back-‐end infrastructure. The VIP is where external users will be authenticated.

Refer to the following articles for additional information on each type of NetScaler IP address:

• http://docs.citrix.com/en-‐us/netscaler/10-‐5/vpx/ns-‐gen-‐hw-‐com-‐clt-‐ser-‐con.html

• http://support.citrix.com/article/CTX120318?_ga=1.239141699.1129360064.1401459981

You now need to add additional network interfaces to your NetScaler VPX. This configuration only has added and configured the Eth0 -‐ NetScaler NSIP.

For specific AWS networking details, refer to the Citrix Deployment Guidelines listed above for the types and amount of network instances to be configured. The below guidelines will show how to add two additional network interfaces for Eth1, connected to subnet IP, and Eth2, connected to virtual IP.

Select Network Interfaces from the left menu of your NetScaler AMI instance, and then select the Create Network Interface button.



The following additional NIC will be configured for the NetScaler SNIP.

In the UI, enter the following:

Description: NetScaler VPX BYOL Eth1 -‐ SNIP

Subnet: Choose the subnet you created for your VPC.

Security groups: Select the one that has NetScaler VPX -‐ Customer Licensed in the name.

The following additional NIC will be configured for the NetScaler VIP.

In the UI, enter the following:

Description: NetScaler VPX BYOL Eth2 -‐ VIP

Subnet: Choose the subnet you created for your VPC.

Security groups: Select the one that has NetScaler VPX -‐ Customer Licensed in the name.

The NetScaler VIP will need to be part of the subnet that can also bind to an elastic IP for external access.

Make note of the network interface ID of the Eth2 VIP because this will be used in the next steps.



Now select Elastic IPs in the navigation pane, click Allocate New Address, and associate this with the above Eth2 -‐ VIP network interface ID.



Attaching Network Interfaces to NetScaler VPX It's recommended to stop the running NetScaler instance before attaching the additional network interfaces. You can do this from the Instances section of the navigation pane. Select the instance, go to Actions -‐> Instance State and click Stop. This can take a few minutes to completely stop.

After the instance has stopped, select the instance and go to the navigation pane and select Network Interfaces. Select the NSIP network interface and click Attach. In the pop-‐up, select the instance ID of the NetScaler. Repeat the same steps for the VIP network interface.

Start the NetScaler VPX AMI instance.

Note: it should show the additional network interfaces: Eth1, Eth2.



Note the private IPs for your NetScaler AMI instance. These will be used to further configure your NetScaler below.

Log into the NetScaler management configuration console using the user name “nsroot.” The password is your NetScaler AWS instance ID.

This will be the AWS elastic public IP address configured earlier. You will now need to add the two additional network interfaces from the above steps.

Ensure that you add the correct IP, netmask and IP types for the SNIP and VIP.

Go to the Configuration tab, click on Network and then IPs, and then click the Add button.



For SNIP, enter the following:

• IP address: the primary private IP address (you will find it in the AWS console) for your SNIP interface.

• IP Type: Subnet IP

Leave other settings at the default.

For VIP, enter the following:

• IP address: the primary private IP address (you will find it in the AWS console) for your VIP interface.

• IP Type: Virtual IP

Leave other settings at the default.



The two IPs will now show up as enabled in the IP section.



Section 5: Obtain an external FQDN\DNS A or CNAME record

Customers will need to obtain and use an external FQDN CNAME or DNS A record. You can get these by various third parties, such as GoDaddy.com.

For this configuration, the use of an AWS Route 53 Hosted Zone will be used for external DNS queries. However, the details of the configuration of an AWS Route 53 Hosted Zone will not be covered here. Only the connection to an existing Hosted Zone will be used.

The AWS Route 53 Hosted Zone creates a DNS name, which is also used when obtaining a third-‐party server certificate for external address connectivity that will be configured in your NetScaler system.



Select the pre-‐existing AWS Route 53 Hosted Zone.

Click the Create Record Set option below.

Enter an external name you want to use for the NetScaler Gateway, along with the value for the NetScaler VIP IP address.



Once you select Create, it can take 10 to 15 minutes to resolve. You can then attempt an external connection to the FQDN address created above.



Section 6: Configure AWS security groups for NetScaler connectivity

Before you configure NetScaler specifics, you will need to ensure the AWS security groups have been properly configured. In this use case configuration, your domain controller\DNS server is part of a different AWS security group than that of the NetScaler instance. For this case, we need to ensure the following inbound rules have been added for the domain controller\DNS server security group.

Once you have added the below rules, click Save to complete the process.



Addendum

Section 7: How to obtain and license a NetScaler VPX system

Customers new to NetScaler will need to obtain a NetScaler VPX Express license. The steps below will guide you through this process.

Allocate a license from the My Account Portal, as detailed here: http://support.citrix.com/article/CTX131387.

To add a NetScaler license, first you need to obtain your NetScaler Host ID. This will be used in the Citrix license allocation process.



To obtain a NetScaler VPX Express license, first create or log in to your account at www.mycitrix.com.

Once you have logged in, proceed to the Downloads area.



Search for NetScaler VPX Express License.

Select the option for NetScaler VPX Express License.

From the information page for NetScaler VPX Express, scroll to the very bottom of the page.



Expand the License optionm and select Get License.



Please read and accept the end-user license agreement.

Click on the Serial Number shown.



By clicking on the serial number link, you will be redirected to the Activate and Allocate Licenses area within your account.

Enter the NetScaler Host ID, and click Continue.

Verify the information shown is correct, and click Confirm.



The following dialog box will appear. Click OK to download the license file.

Proceed and click the Download button.

Once the .lic file has been downloaded, you can log out. Then you need to log on to the NetScaler management console to proceed further.



Select System -‐> Licenses -‐> Manage Licenses from your NetScaler AMI console.

Click the Add New License button.



Browse to the .lic file to upload, and then click Reboot.

Upon reboot, your NetScaler system should display the following licensed features.



Section 8: NetScaler VPX SSL\certificate configuration

For security concerns, external connections to a NetScaler system will require the use of SSL and certificates. For this configuration, the use of a third-party SSL server and intermediate\root wildcard PEM certificates will be used. For more information, refer to Citrix product documentation:

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificate-wrapper-con.html

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificate-wrapper-con/ng-install-signed-cert-on-ng-tsk.html

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificate-wrapper-con/ng-create-csr-tsk.html

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-configuration-mgmt-wrapper-con/ng-certificate-wrapper-con/ng-install-signed-cert-on-ng-tsk.html

http://support.citrix.com/article/CTX109260

SSLv3 security info: http://support.citrix.com/article/CTX200238



Enable the SSL feature.



Select the option to Manage Certificates.

Select the option to upload your certificate. You will also need to upload the .key file associated with this certificate. In the case below, a third-party certificate was used.



Install the uploaded certificates.



Fill in the details as needed, and then select the Install button.

You also need to install the intermediate and/or root certificate as in the above case because a third-party wildcard certificate was used.



Once complete, you should now see the following certificates installed.

Link the wildcard certificate to the intermediate\root certificate.



Section 9: Configure NetScaler DNS settings

You will need to configure the DNS settings within NetScaler for future STA server connections. For more information, see http://support.citrix.com/article/CTX109556.

Configuring DNS suffix addresses is not required.

Select DNS -> Name Servers, and click Add.

Fill in the IP Address of your DNS name server, leave UDP for the Protocol type, and then click Create.



Ensure both states are Enabled and Up.



Section 10: Enable the NetScaler modes and features

The following specific NetScaler modes and features have been enabled for this use case configuration based on the basic (ICA proxy) connectivity.



Modes:

Basic Features:



Section 11: How to integrate with XenApp and XenDesktop

For this NetScaler configuration, the basic (ICA proxy) mode will be utilized. For more information, see:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-gateway-secure-remote-access-from-anywhere-on-any-device.pdf.

Basic mode, also known as ICA proxy mode, is licensed (unlimited) by your NetScaler Gateway Platform license.

The ICA proxy session mode means basic ICA connections only for launching of a Citrix XenApp or XenDesktop session.

From the NetScaler Configuration tab, select NetScaler Gateway -> Virtual Servers and click Add.



For the VPN virtual server, provide a name and IP address based on the NetScaler VIP that will be used (this ties in with the AWS elastic IP). Then click the More option.

From the drop-down, select the ICA Only option, and click OK to complete the Basic Settings section.



Now select the No Server Certificate option.

Select the arrow to expand the menu.



Select your existing wildcard certificate, and click OK.

Once your certificate is selected, click Bind.



Click OK to complete the Certificates section.

Click Continue to skip the Authentication section.



Expand the options for SSL Parameters.

For security, clear the check box for SSLv3. For more information, see http://support.citrix.com/article/CTX200238.



Now select Published Applications to configure the STA (Secure Ticket Authority) server settings.

Click to expand the STA Server settings option.



For this configuration, the STA server settings are the Workspace Cloud Connector systems (these need to pre-exist in your resource location). Click Bind to complete the add process. Repeat this step if any additional STA servers need to be added.



Once you have completed the Published Applications section, click the Done to finalize the virtual server configuration.



At this point, you need to save your NetScaler configuration.

Once the save is complete, select the refresh icon.



Verify the virtual server is now shown in the Up state.

NetScaler CLI verification of ICA Only mode:

The NetScaler CLI equivalent of the above would be the following: “set vpn vserver <name> -icaonly on” (for Basic mode).



Section 12: Configuration of the Citrix Workspace Cloud Apps and Desktops environment

For access to cloud-hosted StoreFront connections to Workspace Cloud, you need to configure the NetScaler Gateway connection information.

Note: this is the Host name from your CNAME or DNS A record, configured to use port 443.

For more details see the Use Case #1: Cloud-hosted StoreFront section:

http://docs.citrix.com/en-us/workspace-cloud/apps-desktops-service/setting-up-storefront.html



Section 13: External client connections

External Receiver users can now connect using the Workspace Cloud StoreFront site. From an Internet browser, connect to your FQDN site and append the /Citrix/StoreWeb/.

Example: https://<customername>.xendesktop.net/Citrix/StoreWeb/



Section 14: References

Citrix Workspace Cloud Apps and Desktops Service:

http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/workspace-cloud-apps-desktop-services-for-new-customers-reference-architecture.pdf

http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/workspace-cloud-apps-desktop-service-on-premises-resource-reference-architecture.pdf



Corporate Headquarters Fort Lauderdale, FL, USA

Silicon Valley Headquarters Santa Clara, CA, USA

EMEA Headquarters Schaffhausen, Switzerland

India Development Center Bangalore, India Online Division Headquarters Santa Barbara, CA, USA Pacific Headquarters Hong Kong, China

Latin America Headquarters Coral Gables, FL, USA UK Development Center Chalfont, United Kingdom

About Citrix

Citrix (NASDAQ:CTXS) is leading the transition to software-defining the workplace, uniting virtualization, mobility management, networking and SaaS solutions to enable new ways for businesses and people to work better. Citrix solutions power business mobility through secure, mobile workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. With annual revenue in 2014 of $3.14 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com

Copyright © 2015 Citrix Systems, Inc. All rights reserved. NetScaler and Workspace Cloud are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.

Creating a NetScaler VPX Amazon Elastic Compute … a NetScaler VPX Amazon Elastic Compute Cloud...

Documents

Transcript of Creating a NetScaler VPX Amazon Elastic Compute … a NetScaler VPX Amazon Elastic Compute Cloud...