Out with the old, in with … AGEE VPX (part 2)

In part 1 of this series on the new Access Gateway Enterprise Edition VPX appliance I explained the steps to configure the basis settings to set up the AGEE VPX. In order to use the AGEE VPX in a two-legged implementation I needed to implement some additional settings to make it work in the customer’s production environment and in my homelab as well with the right certificate settings (using self-signed certificates).

 

I like to implement the Access Gateway with a least two network interfaces so I can separate the internal and external network traffic and apply different firewall rules if required. You can read more on the different options and motivations in this blog from The Generation V.
 

 

So let’s further explain the configuration I used to have my AGEE VPX fully functional, serving both external and internal requests.

A simple representation of my network configuration is shown by the following drawing:

 

AGEE VPX xIPs

Different IP address types for the AGEE VPX



 

Checking the setup wizards configuration

I for one like to know what settings are made by setup wizards and where I need to add some additional settings to ensure a working configuration. So let’s start by checking the current settings on the appliance and see if more settings are required.

 
Checking the basic settings

screendump explanation
AG VPX Setup

Network - IPs

Expand Network in the menu on the left and click on IPs.
Check if all required IPs (especially the required SNIP IPs) are created and if not, use the [Add] button to add additional IP-addresses.

 
For my homelab I needed to add the SNIP to ensure routing is in place to the external network.

 

To ensure all components of the XenApp infrastructure can communicate with the Access Gateway, you’ll need to ensure you have at least one IP-address (SNIP or MIP) configured per subnet so all network traffic is routed through the right interface and both the external clients and the internal XenApp servers can communicate with the Access Gateway.

Keep in mind that the second VIP will be created later on when we configure our internal VIP and can be ignored for now. So all you need right now is:

  • The NetScaler IP (NSIP) – 192.168.2.1 in our example (mgmt communication).
  • The Mapped IP (MIP) – 192.168.2.2 (internal network/server communication).
  • The Subnet IP (SNIP) – 192.168.1.1 (supports external network routing)
  • The virtual IP (VIP) – 192.168.1.100 (external IP for client connections)

 

screendump explanation
AG VPX Setup

DNS - Name Servers

Expand DNS in the menu on the left and click on Name Servers.
Check if all required Name Servers are created and if not, use the [Add] button to add additional Name Servers.

 
You can click on [Test] to check if the AGEE VPX can communicate with the Name Server.
AG VPX Setup

SSL - Certificates

Expand SSL in the menu on the left and click on Certificates.
Check if the required certificates are available and if not, use the [Install] button to add additional certificates.

 
You can check CTX109260 for instructions on on how to add certificates to your NetScaler and ensure they are linked in the right way.

 

When you want to use a self-signed certificate, created by the NetScaler itself, you need to ensure that the certificate is created as a self-signed certificate during the setup of the Access Gateway Wizard (AG Setup = Config part 2 from part 1). This way your certificate is signed by itself and not by www.ns.com (all other created self-signed certificates on the NetScaler 10.0 build 71.6.nc), which was not recognized as a Trusted Root Certificate Authority on my Windows 2008 R2 servers in my homelab.
 
Also keep in mind that the full certificate chain must be installed and correctly linked in the NetScaler when adding purchased certificates.

 

screendump explanation
AG VPX Setup

Configure AG VPN - Authentication - LDAP

Expand VPN in the left menu and navigate to Policies – Authentication/Authorization – Authentication – LDAP.
Check the configured LDAP settings.

 
You can use the Retrieve Attributes link to check if the AGEE VPX can communicate with the configured LDAP server.

 

Now that we have checked some of the basic settings that were created by the wizard setups from part 1, we can continue with adding extra settings for our two-legged configuration of the AGEE VPX.
The following extra steps explain how we configure access for different Receiver clients to StoreFront and how we create a second VIP for internal communications and authentication.

 

Adding additional features to the configuration

In order to differentiate between the StoreFront services that are available, we need to create Session policies that redirects the Citrix Receiver to the right StoreFront service. The NetScaler uses so called session policies that can link to different URLs, depending on the HTTP requests that are made by the Receiver clients.

 

Information on how to Configure Session Profiles for CloudGateway Express can be found here on Citrix edocs.
 

 

Add VPN Policies Session settings

screendump explanation
AG VPX Setup

Configure AG VPN - Policies - Session

Expand VPN in the left menu and navigate to Policies – Session.
Click on [Add] to add a new policy for the Citrix Receiver Web.
Fill out the following information:

  • Name: Receiver_web_pol
  • Expression (using Advanced Free-Form): REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS

Click on [New] to add a new profile, with the name Receiver_web_prof.
Add the following settings to the Client Experience tab:

  • Clientless Access: Allow
  • Plug-in Type: Java
  • Single Sign-on to Web applications: selected

Add the following settings to the Published Applications tab:

  • ICA Proxy: ON
  • Web Interface Address: [StoreFront-ReceiverForWeb-WebsiteURL]
  • Single Sign-on Domain: [Windows-Domain]
Expand VPN in the left menu and navigate to Policies – Session.
Click on [Add] to add a new policy for the StoreFront services.
Fill out the following information:

  • Name: StoreFront_services_pol
  • Expression (using Advanced Free-Form): REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS

Click on [New] to add a new profile, with the name StoreFront_services_prof.
Add the following settings to the Client Experience tab:

  • Clientless Access: Allow
  • Single Sign-on to Web applications: selected

Add the following settings to the Published Applications tab:

  • ICA Proxy: ON
  • Web Interface Address: [StoreFront-Stores-URL]
  • Single Sign-on Domain: [Windows-Domain]
Expand VPN in the left menu and navigate to Policies – Session.
Click on [Add] to add a new policy for the (legacy) PNA Services.
Fill out the following information:

  • Name: PNA_services_pol
  • Expression (using Advanced Free-Form): REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS

Click on [New] to add a new profile, with the name PNA_services_prof.
Add the following settings to the Client Experience tab:

  • Clientless Access: Allow
  • Single Sign-on to Web applications: selected

Add the following settings to the Published Applications tab:

  • ICA Proxy: ON
  • Web Interface Address: [StoreFront-Stores-LegacySupport-URL]
  • Single Sign-on Domain: [Windows-Domain]

 

And with these additional settings I’m concluding part 2 of this series as we are almost done with the configuration of our AGEE VPX.
The last steps of my configuration will be addressed in the next part of this blog series, which will look at the configuration of the internal VIP to finish the configuration for our AGEE VPX and be able to start using it.
So bare with me and stay tuned for part 3.
 

 

This post is part of a serie of multiple posts to fully cover the configuration of the AGEE VPX:
Out with the old, in with … AGEE VPX (part 1)
Out with the old, in with … AGEE VPX (part 2)
Out with the old, in with … AGEE VPX (part 3)

 

Esther Barthel
Senior Consultant at PepperByte

Esther has been working in different roles and functions as an IT consultant ever since she finished her Masters degree in Computer Science in 1997. She has worked as a web developer, database administrator, and server administrator until she discovered how Server-Based Computing ( SBC ) combined servers, desktops, and user experience in one solution. Esther has been specializing in virtualization solutions such as SBC, VDI, application, and server virtualization for over eight years now and is currently working as a Senior Consultant at PepperByte, where she designs and implements Citrix® solutions for both small-business and large-enterprise infrastructures scaling from 100 to 15,000 users.
In january 2014 her first book Citrix XenApp 6.5 Expert Cookbook was published by Packt Publishing.

Esther is awarded as a Citrix Technology Professional (CTP) from 2015 - 2017.
Esther is awarded as a Microsoft Most Valuable Professional (MVP) in 2017.

Esther is a Citrix Certified Expert – Virtualization (CCE-V), Citrix Certified Professional – Mobility (CCP-M), Citrix Certified Professional – Networking (CCP-N) and RES Software Certified Professional (RCP).

2 thoughts on “Out with the old, in with … AGEE VPX (part 2)

  1. Pingback: Out with the old, in with … AGEE VPX (part 1) « virtuEs.IT

  2. Pingback: Out with the old, in with … AGEE VPX (part 3) « virtuEs.IT