Citrix AGE 9

  • 8/11/2019 Citrix AGE 9

    Worldwide Consulting Solutions

    Securing XenDesktop Environments

    Introduction

    This document guides the user through hands-on setup and details how to create a complete lab-based Virtual Desktop Infrastructure using the Citrix XenDesktop, Citrix XenServer, and Citrix Access Gateway Enterprise Edition products. This guide is divided into four main sections:

    The first section details the steps required to build and load the server and workstation environment.

    The second section provides details pertaining to the configuration of the component services. These include the Citrix Desktop Delivery Controller, the Citrix Provisioning Server, and the Citrix Licensing Server.

    The third section provides details pertaining to the configuration of the XenDesktop environment and all the required steps to make it accessible directly from the corporate LAN.

    The fourth section provides details pertaining to a configuration that allows the VDI infrastructure to be accessed securely across an SSL VPN using the Citrix NetScaler Access Gateway product.

    Each of the sections is summarized in the table that follows. The Citrix Delivery Center products and third party products that architects typically leverage to provide this access include:

    VDI Configuration Overview

    Section      Activity Summary                                                 Products Used
    Section I    Virtual Machine Hosting Infrastructure (assumed to exist)        Citrix XenServer Version 5.0
                                                                                  Citrix XenCenter Version 5.0
                 Creating the environment and domain of servers and workstations  Microsoft Windows Server 2003 32-bit (3 VM Instances)
                                                                                  Windows XP Professional (Several Instances)
    Section II   Installing the XenDesktop Environment                            Citrix XenDesktop Version 3.0 32-bit
                                                                                  Citrix Provisioning Server Version 5.0
                                                                                  Citrix Licensing Server
    Section III  Configuring local access                                         Citrix Receiver Version 1.0
    Section IV   Configuring Secure Remote Access                                 Citrix NetScaler Access Gateway Version 9.0

    All information in the above sections is presented in a concise run-book format.

    This document provides information pertaining only to configuring the Virtual Desktop Infrastructure, and configuring accessibility to it. Configuring access to applications from the VDI is not within the scope of this document, however.

    This document discusses and guides the configuration required to have the various components interact with each other. It should also be noted that the network design and associated configurations are suitable for lab purposes only. Configuration considerations pertaining to production network designs are not discussed in this document.

    This guide includes steps that install and configure commercially available products.

    In addition to requiring licenses (minimally evaluation licenses) for the Citrix NetScaler and Access Gateway (NetScaler Platinum Edition), Citrix XenDesktop, and XenServer, licenses for the following systems are required:

    Three instances of the Microsoft Windows Server 2003.

    Several instances of the Windows XP Professional edition.

    Without the appropriate licensing, the functionality of some components discussed in this document may be reduced.

    Contents

    Introduction
    Virtual Desktop Infrastructure
        Configuration Overview
            Hardware Components
            Endpoint User Workstations
            Virtual Desktops
            Servers
            The Corporate Domain
            Network Addressing
            Lab Environment Expedience Considerations
        Section I - Creating the Network
            Part 1 - Creating the servers and the network
            Part 2 - Configuring the Domain Controller
            Part 3 - Finalizing the Server Configurations
            Part 4 - Creating the Workstations
        Section II - Creating the XenDesktop Environment
            Part 1 - Preparing the XenDesktop Master Image and Template
            Part 2 - Installing the Citrix Desktop Delivery Controller Software
            Part 3 - Loading the Citrix Provisioning Server Software
            Part 4 - Finalizing the XenDesktop Image
        Section III - Configuring Local Access
            Part 1 - Endpoint Configuration for Full-Screen-Only Mode Access
            Part 2 - Endpoint Configuration for Window-View Mode Access
            Local Access Summary
    Remote User Access
        Section IV - Configuring Secure Remote Access
            Part 1 - Perform the Basic NetScaler Configuration
            Part 2 - Install the Certificate
            Part 3 - Create the VIP Entry Point to the Access Gateway entry point in the NetScaler System

    Configuration Overview

    The configuration planning consists of identifying the components required, and their connectivity.

    Hardware Components

    A XenServer system will host all virtual machines. These include servers, virtual desktops, and user workstations. An overview of their allocation follows the graphic.

    Endpoint User Workstations

    This environment contains two different user workstations to demonstrate the user experience. Both are hosted on the XenServer as virtual machines with the following characteristics:

    EP-Full-01 - this user workstation will be configured to access the XenDesktop environment in Full-Screen-Only Mode.

    EP-Win-01 - this user workstation will be configured to access the XenDesktop environment in a Window-View Mode.

    Each of the above systems will be assigned static IP addresses.

    Virtual Desktops

    XenDesktop Virtual Systems will be created and hosted on the XenServer infrastructure.

    This document will provision five Virtual Desktops from a single Windows XP image. In this lab environment, this will be sufficient to host the anticipated maximum number of workstations while maintaining a pool of idle systems.

    The operating system will be Windows XP, licensed as per above (User Workstations).

    The names will be defined as vDesktopX, where X is a number ranging from 1 through 5.

    A base or model system, vBaseDesktop1, will be created. This provides the XenDesktop base image.

    Figure 1 - XenServer Overview

    These systems will receive IP addresses via DHCP.

    Servers

    Servers will be based upon Windows Server 2003 R2 32-bit edition. These servers are hosted on a XenServer and include the following:

    vDesktopDmC - this is the Domain Controller that hosts required services such as DNS, Active Directory, DHCP, and Certificate Server.

    vDesktopDDC - this is the Citrix Desktop Delivery Controller. It hosts the DDC and the Citrix Licensing Server.

    vDesktopPvS - this is the Citrix Provisioning Server. It also hosts the Microsoft SQL Express server. This server also has an additional large disk partition to accommodate the XenDesktop systems.

    The Corporate Domain

    The domain used in this document is XenDT.net. All systems will be joined into this domain. Root certificates from this domain controller are installed on all participating servers, user workstations, and XenDesktop systems.

    Network Addressing

    IPv4 is used in this configuration. See Table 1 - VDI Addressing Chart (below) for details.

    Instructional steps in the following sections pertaining to the XenDesktop VDI environment refer to this centralized table. As such, all addresses required for all sections of this document are contained in this table.

    Most readers will define their own naming conventions, domains, and IP addressing schemes and are encouraged to keep track of them in a chart similar to Table 1.

    Addressing Chart

    Runbook Name    Runbook IP Address  Function
    Network Router  172.18.2.1          Default Route
    XenServer       172.18.2.151        Physical host for virtual machines. The XenCenter Management Console connects to it.
    vDesktopDmC     172.18.2.191        Domain Controller
    vDesktopDmC     172.18.2.161-174    DHCP Range
    vDesktopPvS     172.18.2.192        Provisioning Server
    vDesktopDDC     172.18.2.193        Desktop Delivery Controller
    vBaseDesktop1   Via DHCP            Model system for all virtual systems
    vDesktopX       Via DHCP            Virtual Systems
    EP-Full-01      172.18.2.195        Full Screen User Workstation
    EP-Win-01       172.18.2.196        Windowed User Workstation

    Table 1 - VDI Addressing Chart
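
    A check for an addressing chart like Table 1, as an added example that is not part of the original runbook: it confirms that every static address sits in the lab subnet, that none collides with another or falls inside the DHCP scope served by vDesktopDmC, and that the scope is large enough for the DHCP clients. The /24 prefix and the function name audit_plan are assumptions; the runbook states no subnet mask.

```python
import ipaddress

# Values copied from Table 1 (VDI Addressing Chart).
# Assumption: the runbook gives no subnet mask, so a /24 is assumed here.
LAB_NETWORK = "172.18.2.0/24"
STATIC_HOSTS = {
    "Network Router": "172.18.2.1",
    "XenServer": "172.18.2.151",
    "vDesktopDmC": "172.18.2.191",
    "vDesktopPvS": "172.18.2.192",
    "vDesktopDDC": "172.18.2.193",
    "EP-Full-01": "172.18.2.195",
    "EP-Win-01": "172.18.2.196",
}
DHCP_SCOPE = ("172.18.2.161", "172.18.2.174")
# Systems the runbook addresses "Via DHCP": the model system plus vDesktop1..5.
DHCP_CLIENTS = ["vBaseDesktop1"] + [f"vDesktop{n}" for n in range(1, 6)]


def audit_plan(network, static_hosts, dhcp_scope, dhcp_clients):
    """Return (findings, pool_size); an empty findings list means no conflict."""
    net = ipaddress.ip_network(network)
    first, last = (ipaddress.ip_address(a) for a in dhcp_scope)
    findings = []

    if first > last:
        findings.append(f"DHCP scope {first}-{last} is reversed")
    for edge in (first, last):
        if edge not in net:
            findings.append(f"DHCP scope boundary {edge} is outside {net}")

    owners = {}
    for name, text in static_hosts.items():
        addr = ipaddress.ip_address(text)
        if addr not in net:
            findings.append(f"{name}: {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {addr} is a reserved address of {net}")
        if first <= addr <= last:
            # A lease could later be handed out for an address a server owns.
            findings.append(f"{name}: static address {addr} is inside the DHCP scope")
        if addr in owners:
            findings.append(f"{name}: {addr} is already assigned to {owners[addr]}")
        owners.setdefault(addr, name)

    pool_size = max(int(last) - int(first) + 1, 0)
    if len(dhcp_clients) > pool_size:
        findings.append(
            f"DHCP scope too small: {pool_size} addresses for {len(dhcp_clients)} clients"
        )
    return findings, pool_size


if __name__ == "__main__":
    problems, pool = audit_plan(LAB_NETWORK, STATIC_HOSTS, DHCP_SCOPE, DHCP_CLIENTS)
    print(f"DHCP pool size: {pool}")
    for line in problems or ["no conflicts found"]:
        print(line)
```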

    Lab Environment Expedience Considerations

    In the interest of expediency in lab activities, the following configurations can be set. These are not recommended for production environments.

    Local firewall services have been turned off on all systems.

    Privately Generated Root Certificate - a root certificate from the Domain Controller is used and installed in all systems.

    SQL Express will be installed on the server running the Citrix Provisioning Server.

    Section I - Creating the Network

    Part 1 - Creating the servers and the network

    This section contains the steps required to create the network of servers, services, and user systems for the XenDesktop environment.

    The run-book begins by using an existing XenServer environment to create and host all systems.

    An independent workstation is used to run the XenCenter dialog to connect to and manage the XenServer environment.

    Creating the Windows Server 2003 Virtual Systems

    Step Description Caption

    1. Connect to your XenServer using the Citrix XenCenter software.
       Right click the XenServer object in the left panel and click New VM to install a model Windows 2003 Server on the XenServer.
       Set the Name to Windows Server 2003 Model Server.
       All other servers will be based upon this configuration. Specify the following options when prompted.
       Memory: 1024MB
       Disk: 8.0GB
       IP address: 172.18.2.189
       Install the Windows Server 2003 operating system.
       Right click the Windows Server 2003 Model Server object in the left panel.
       Select Install XenServer Tools in the pop-up dialog.

    2. Select the Console tab in the right panel.
       Log in as the local Administrator.
       Click the Windows Start button.
       Right click My Computer.
       In the Remote tab, enable RDP access.
       In the Windows Network Connections dialog, disable the local firewall services.
       Restart the server.
       Establish a connection and use the Windows Update utility to add the .NET 3.5 Framework and other appropriate updates.

    3. This document references both the use of RDP and the XenCenter Console tab to access the workstation or server console. Although both are usable, connections via the Windows RDP facility require that this function be allowed. As such, steps in this runbook are included to update the My Computer properties on each system to enable RDP connectivity. This is not required if the XenCenter Console tab access method is used.

    4. From the Windows Start menu, click Run. In the pop-up enter mmc.exe and click OK to start the Management Console.
       From the File menu, click Add/Remove Snap-in.
       In the pop-up dialog, click Add.
       Click Certificates. Click Add.
       Click the Computer Account radio button.
       Click Next.
       Click Finish.
       Click Close.
       Click OK.
       Close the Management Console and Save it to a temporary directory at the root of the C:\ drive when prompted.

    5. Prepare to run the Windows sysprep process by performing the following steps.
       Insert the Windows installation media into the DVD drive on the XenServer.
       On the Windows 2003 server, use Windows Explorer to navigate to the \Support\Tools directory.
       Click the Deploy.cab file.
       Copy the setupcl.exe and the sysprep.exe to a temporary directory at the root of the C:\ drive on the server.

    6. Navigate to the temporary directory created in the previous step.
       Run the sysprep.exe utility.
       Select Shut Down from the drop down list in the Shutdown Mode field.
       Click Reseal and allow the server to shut down.
       Click OK to acknowledge the dialog box pertaining to regeneration of Security IDs.
       Do not restart the server.

    7. Wait until the server has been shut down.
       In the left panel of the XenCenter console, right click the Windows Server 2003 Model Server object.
       Click Convert to Template.
       Acknowledge the warning message and wait until the process has been completed.

    8. Right click the newly created Windows Server 2003 Model Server template in the left panel.
       Select New VM from the pop-up menu.
       Follow the dialogs to create three new Windows Server 2003 systems from this XenServer template.
       To reflect references within this guide, the virtual machines should be named:
       vDesktopDmC
       vDesktopPvS
       vDesktopDDC
       Use default values as prompted through the VM creation wizard.

    Part 2 - Configuring the Domain Controller

    This section contains the steps required to set up the first server as the Domain Controller. As such, it will host the Active Directory, DHCP, and DNS services.

    Setting up The Domain Controller

    Step Description Caption

    1. In the XenCenter Console tab, click the vDesktopDmC server object in the left panel.
       Click the Console tab in the right panel.
       Log in as the local Administrator in the right panel.
       Follow the steps to complete the sysprep process on the server.
       Set the server name, IP address, and default gateway as per Table 1 - Addressing Chart, above.
       Specify Workgroup membership.
       Upon reboot, log in as the local administrator using the XenCenter console.
       Validate the settings for the local firewall and Remote Access as per above.

    2. Establish an RDP connection or use the XenCenter console tab to connect to the vDesktopDmC server. Log in as the local administrator.
       If not already running, start the Manage Your Server utility from Windows Start > All Programs.
       Select Add or Remove a Role.
       Click Next in the Preliminary Steps dialog.
       Select Domain Controller.
       Click Next.
       Follow the wizard and select Domain controller for new domain name.
       Throughout this run-book, XenDT.net is used as the domain name.
       Continue using default values in all prompts.

    3. On the vDesktopDmC server, click Windows Start > Administrative Tools > DNS.
       In the left panel, expand the DNS tree fully.
       In the left panel, under VDESKTOPDMC, right click Reverse Lookup Zones.
       Select New Zone.
       Follow the wizard for a Primary Zone using defaults.
       Add the Network ID when prompted.
       Click Next until the wizard finishes.

    4. If the process prompts for the Windows 2003 Installation media, mount it from the XenCenter management dialog:
       Click vDesktopDmC in the left panel.
       In the right panel, click the Storage tab.
       Select the Windows Server 2003 installation media from the drop down list.
       Select the appropriate DVD image from the XenCenter Menu.
       Return to the RDP session and click OK.
       Allow the server to restart after Active Directory and DNS installation processes complete.

    5. Log in to vDesktopDmC as the domain administrator.
       Restart the Manage Your Server utility if necessary.
       Select Add or Remove a Role.
       Select DHCP Server and click Next.
       Create a Scope Name called XenDesktop with a suitable description.
       Specify 172.18.2.161 - .174 as per Table 1 - Addressing Chart (above).
       Continue to configure the Default Gateway by specifying the IP address of the router as per Table 1 - Addressing Chart (above).
       Click Next.

    6. In the Domain Name and Servers menu, set the parent domain field to XenDT.net.
       Set the Server name field to vDesktopDmC.
       Click Resolve.
       Click Add. The resolved IP address appears in the list.
       Click Next.
       Click Next to bypass the WINS Servers menu.
       Click Next to Activate this scope now.
       Click Finish.

    7. Click Windows Start > Administrative Tools > DHCP. This opens the DHCP Management Console.
       Check that the DHCP service is Authorized.
       If it is not, the following steps will Authorize it:
       Right click vDesktopDmC in the right panel.
       Select Authorize.
       In the top menu bar, click Action.
       Click Refresh from the drop down list.
       Ensure that the service is running.

    10. Click Windows Start > Administrative Tools > Active Directory Users and Computers. This opens the Active Directory Management Console.
        Create five user accounts:
        User_1
        User_2
        User_3
        User_4
        User_5

    11. In the left panel, right click XenDT.net.
        Select New in the pop-up dialog.
        Select Organizational Unit.
        Set the Name field to XenDesktop.
        Close the Active Directory Management dialog.

    12. Reboot the Server.

    13. To install Certificate Services on the vDesktopDmC, start the Control Panel.
        Select Add or Remove Programs.
        Select Windows Components.
        Select Certificate Services.
        Select Enterprise CA.
        Click Next.
        Set the Common Name for this CA field to XenDT.
        Click Next and accept all defaults.
        The Windows Server installation media may be required. If so, mount it using the XenCenter Storage tab for this virtual machine.

    Part 3 - Finalizing the Server Configurations

    This section contains the steps required to finalize the basic server configurations. The servers will be added to the domain, and the Domain Controller's root certificate will be added to each of the servers.

    Finalizing the Server Configurations

    Step Description Caption

    1. Connect to your XenServer using the Citrix XenCenter software.
       Click vDesktopDDC in the left panel.
       In the right panel, click the Console tab.
       Click Next to continue the Windows Setup Wizard.
       Set the computer name to vDesktopDDC.
       In the Network settings dialog, select Custom Settings and set the Network IP address to 172.18.2.193 as per Table 1 - Addressing Chart (above).
       Set the DNS address to that assigned to 172.18.2.191.

    2. When prompted, select Yes, make this computer part of the following domain.
       Enter XenDT.net into the Domain Name field.
       Authenticate to the domain as the domain administrator.
       Click Finish and let the system reboot.
       Using the XenCenter console, log in as the domain administrator.
       Ensure that the local firewall is off.

    3. Establish an RDP connection or use the XenCenter console tab to connect to vDesktopDDC.
       Log in as Domain Administrator.
       To install the Domain Controller's Root certificate, perform the following:
       Set the browser to http://vdesktopdmc/certsrv
       When prompted, supply the domain administrator credentials.
       Click Download CA certificate, certificate chain, or CRL.

    4. Click the Base 64 radio button.
       Click Download CA certificate.
       Click Save, and save the certificate to a temporary directory at the root of the C:\ drive.
       Complete the dialog.
       Close the browser.

    5. On VDesktopDDC, click Windows Start Logo > Run.
       Enter mmc.exe in the dialog box.
       From File, click Add Remove Snap-in.
       Click Add.
       Select Certificates from the pop-up dialog.
       Click Add.
       Select Computer Account.
       Click Next.
       Click Local Computer.
       Click Finish.
       Click Close.
       Click OK.

    6. Expand the Console Root tree in the left panel.
       Click Certificates under Trusted Root Certificates in the left panel.
       Right click and select All Tasks.
       Click Import.
       Follow the wizard to navigate to the downloaded certificate's location.
       Follow the prompts to complete the import process.

    7. Repeat steps 1 through 6 on the vDesktopPvS server.

    Creating the Workstations

    Step Description Caption

    3. Select the Console tab in the right panel.
       Log in as the local Administrator.
       Click the Windows Start button.
       Right click My Computer.
       In the Remote tab, enable RDP access.
       In the Windows Network Connections dialog, disable the local Firewall service.
       Restart the Windows XP system.
       Establish an RDP connection or use the XenCenter Console tab to start the Windows Update utility to add the .NET 3.5 Framework and other appropriate updates.

    4. From the Windows Start menu, click Run. In the pop-up enter mmc.exe and click OK to start the Management Console.
       From the File menu in the new window, click Add/Remove Snap-in.
       In the pop-up dialog, click Add.
       Click Certificates. Click Add.
       Click the Computer Account radio button.
       Click Next.
       Click Finish.
       Click Close.
       Click OK.
       Close the Management Console and click Save when prompted.
       Hint: Save this to a location in a new directory at the root of the C:\ drive to avoid deletion during sysprep processing.

    5. Install the Domain Controller's Root certificate.
       Set the browser to http://vdesktopdmc/certsrv
       When prompted, supply the Domain Administrator credentials.
       Select Download CA certificate, certificate chain, or CRL.

    6. Click the Base 64 radio button.
       Click Download CA certificate.
       Select Save, and save the certificate to a convenient location.
       Hint: Save this in the same location as the Management Console plug-in.
       Complete the dialog.
       Close the browser.

    7. Browse to the location of the saved Management Console Snap-in and click it to start the dialog.
       Expand the Certificates folder under the Trusted Certificates folder in the left panel.
       Right click and select All Tasks.
       Select Import.
       Follow the wizard to navigate to the downloaded certificate's location.
       Follow the prompts to complete the import process.

    8. Insert the Windows installation media into the DVD drive on the XenServer.
       On the server, navigate to the \Support\Tools directory on the DVD.
       Click the Deploy.cab file.
       Copy the setupcl.exe and the sysprep.exe to a temporary directory at the root of the C:\ drive of the workstation.

    9. Navigate to the temporary directory created in the previous step.
       Run the sysprep.exe utility.
       Select Use Mini-Setup.
       Select Shutdown from the Shutdown mode drop down list.
       Click Reseal and allow the server to shut down.
       Click OK to acknowledge the dialog box pertaining to regeneration of Security IDs.
       Do not restart the workstation.

    10. In the left panel of the XenCenter console, click Windows XP Model Workstation.
        Click Convert to Template.
        Acknowledge the warning message.
        Wait until the process has been completed.
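
    Both Part 3 (steps 3 to 6) and Part 4 (steps 5 to 7) fetch the Domain Controller's root certificate over plain HTTP from http://vdesktopdmc/certsrv and then import it as a trusted root. As an added example that is not part of the original runbook, the check below compares the saved Base 64 file with a fingerprint read on vDesktopDmC itself (the Thumbprint field of the Windows certificate dialog is a SHA-1 value) before the import. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample: placeholder bytes standing in for the DER encoding of the
# CA certificate. They are not a real certificate.
SAMPLE_DER = b"constructed placeholder for the XenDT root CA certificate (DER)"


def to_pem(der):
    """Wrap DER bytes in a PEM block, the shape of a 'Base 64' download."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Extract the single certificate from a Base 64 file, or raise ValueError."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # A chain or an empty file is not what the runbook step saves.
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    try:
        return base64.b64decode("".join(blocks[0].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base 64") from exc


def fingerprint(der, algorithm="sha1"):
    """Hex digest of the DER bytes; 'sha1' matches the Windows Thumbprint field."""
    return hashlib.new(algorithm, der).hexdigest()


def normalise(reference):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' as copied from a dialog."""
    return re.sub(r"[\s:]", "", reference).lower()


def matches_reference(pem_text, reference, algorithm="sha1"):
    """True only if the file's fingerprint equals the out-of-band reference."""
    actual = fingerprint(pem_to_der(pem_text), algorithm)
    expected = normalise(reference)
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("utf-8"))


if __name__ == "__main__":
    downloaded = to_pem(SAMPLE_DER)            # stands in for the saved .cer file
    reference = fingerprint(SAMPLE_DER)        # stands in for the value read on the CA
    tampered = to_pem(SAMPLE_DER + b"x")       # a file altered in transit
    print("genuine file accepted:", matches_reference(downloaded, reference))
    print("altered file accepted:", matches_reference(tampered, reference))
```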

    Section II - Creating the XenDesktop Environment

    The previous section led the user through setting up the servers, user workstation, and network. The steps in this section pertain to installing and configuring Citrix components that will deliver the XenDesktop VDI.

    Part 1 - Preparing the XenDesktop Master Image and Template

    The activities in this section pertain to creating the master image that will be used to create the virtual systems in the XenDesktop VDI.

    Creating the XenDesktop Master Image

    Step Description Caption

    1. To create the XenDesktop base virtual system image on the XenServer, perform the following:
       In the left panel of the XenCenter console, right click Windows XP Model Workstation template.
       Select New VM from the pop-up menu.
       Set the Name to vBaseDesktop1.
       Follow the prompts using the following overrides.
       RAM: 1024MB
       Disk: 8GB/Windows XP
       Disk: 16GB/Vista
       Follow the Windows sysprep installation prompts.
       Set the System Name to vBaseDesktop1.
       In the Network Settings dialog, click Typical Settings to use DHCP.
       Join the XenDT.net domain.

    2. Create a new Virtual Machine template on the XenServer host. This template will be used by the Provisioning Server.
       In the left panel of the XenCenter console, right click the XenServer object.
       Click New VM.
       Set the name to PvS VM Template.
       In the wizard, select Other Install Media.
       Click the Physical DVD drive radio button.
       Set the RAM to 1024MB.
       When the Virtual Disks panel is presented (as shown at the right), leave the Disk Allocation blank.
       Select other defaults until Finish.

    3. In the XenCenter left panel, right click PvS VM Template.
       Select Force Shutdown.
       Wait until the system is down.
       Right click PvS VM Template, click Convert to Template.

    Part 2 - Installing the Citrix Desktop Delivery Controller Software

    The activities in this section focus on creating the XenDesktop Delivery Controller (DDC) on vDesktopDDC. The Citrix licensing server component is installed on vDesktopDDC and loaded with XenDesktop licenses.

    Installing the Citrix Desktop Delivery Controller Software

    Step Description Caption

    1. Establish an RDP session or use the XenCenter Console tab to connect to the vDesktopDDC server.
       Log in as the domain administrator.
       Place the Desktop Delivery Controller installation media into the DVD drive via the XenCenter console.
       In the Welcome page, select Install Server Components.
       Scroll through the licensing agreement and click the I accept radio button.
       Click Next.
       On the next page, select all components.
       Click Next.

    4. Upon restart, log in with the

    same domain administrator

    account.

    The installation will continue.

    It may be necessary to restart

    the installation process to

    complete the installation.

    Hint: To restart the installation

    process, perform these steps:

    Click My Computer.

    Click the DVD drive object in the

    menu that is opened.

    5. The installation continues after

    the reboot.

    Select Continue Anyway to

    ignore error messages pertaining

    to printer drivers.

    Upon completion of the install

    process, the server will prompt to

    restart. Allow the system to do

    so.


    6. When the Setup Complete

    message appears, leave both

    options checked.

    Click Finish.

    7. The Active Directory

    Configuration Wizard begins.

    Click Next.

    In the Select an existing Active

    Directory OU panel, click

    Browse.

    In this example, the XenDesktop

    OU was selected.

    Click OK.

    This field is set to

    OU=XenDesktop,DC=XenDT,DC=net

    Click Next.

    Click Finish.

    Click Close.


    8. When prompted, click Yes to

    start the Citrix Access

    Management Console.

    Click Next to start the Discovery

    wizard.

    Click Add Local Computer.

    Click Next.

    Click Next.

    When the Discovery Completed

    message is displayed, click

    Finish.

    9. Note the presence of this server

    (VDESKTOPDDC) under

    XenDesktop > Controllers.

    Close the Access Management

    Console.


    10. To prepare for licensing, it is

    critical to have the correct

    hostname of the license server.

    Administrators can check by following these steps:

    On the vDesktopDDC server,

    click on Windows Start > Run

    Type cmd.

    Click OK.

    Type hostname and press

    Enter. The hostname is

    displayed.

    It is critical to specify the case

    sensitive hostname when activating the licenses and

    downloading the license file from

    MyCitrix.com

    11. It is assumed that the license has

    been pre-arranged and retrieved.

    If not, download an evaluation

    license using your account from

    MyCitrix.

    The license file may be

    compressed. If so, extract it.

    On the vDesktopDDC server, the Citrix License Manager

    should be active from the

    previous steps.

    In the License Management

    dialog, click Copy license file to

    this license server.

    Browse to the location of the

    stored license, and select the

    license file.

    Click Upload.


    12. The license upload process

    completes quickly.

    Check that the license has been

    uploaded.

    Close the License Management

    Console.
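The hostname check from step 10 can be automated before the file is uploaded. The following is an added example, not part of the original guide or of any Citrix tooling; it assumes the license file carries a line of the form "SERVER this_host HOSTNAME=<name>", and the sample file content is constructed for illustration.

```python
import re

# Constructed sample, not a real license. The "SERVER this_host HOSTNAME=<name>"
# line layout is an assumption about the license file format.
SAMPLE_LICENSE = (
    "# constructed sample license file\r\n"
    "SERVER this_host HOSTNAME=vdesktopddc\r\n"
    "VENDOR CITRIX\r\n"
)

# \S+ stops at whitespace, so a trailing CR from Windows line endings is ignored.
SERVER_LINE = re.compile(r"^\s*SERVER\s+\S+\s+HOSTNAME=(\S+)", re.MULTILINE)


def license_hostnames(text):
    """Return every hostname bound by a SERVER line, in file order."""
    return SERVER_LINE.findall(text)


def check_license(text, server_hostname):
    """Compare the license file against the output of the `hostname` command.

    Returns (status, hostname_found_in_file) where status is one of:
      "match"         exact, case-sensitive match
      "case-mismatch" same name, different letter case (the step 10 pitfall)
      "mismatch"      the file is bound to a different host
      "no-hostname"   no SERVER ... HOSTNAME= line was found
    """
    names = license_hostnames(text)
    if not names:
        return ("no-hostname", None)
    for name in names:
        if name == server_hostname:
            return ("match", name)
    for name in names:
        if name.lower() == server_hostname.lower():
            return ("case-mismatch", name)
    return ("mismatch", names[0])


if __name__ == "__main__":
    # "vDesktopDDC" stands in for what `hostname` prints on the license server.
    status, found = check_license(SAMPLE_LICENSE, "vDesktopDDC")
    print(f"license bound to {found!r}: {status}")
```

A "case-mismatch" result means the license was generated with the right name in the wrong letter case, which is the situation step 10 warns about.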


    Part 3 Loading the Citrix Provisioning Server Software

    The activities in this section focus on creating the Provisioning Server (PvS) on vDesktopPvS.

    Installing the Citrix Desktop Delivery Controller Software

    Step Description Caption

    1. Additional disk storage must be

    allocated to the Provisioning

    Server (vDesktopPvS).

    For these lab activities, 50GB of

    storage is sufficient to host the

    file systems for 5 virtual desktop

    systems based upon Windows

    XP operating system.

    Formalized sizing procedure

    outside the scope of this

    document would be used to

    determine storage requirements for production environments.

    In the left panel of the XenCenter

    console, click vDesktopPvS.

    Select the Storage tab in the

    right panel.

    Set the Size field to 16GB.

    Click Add to create a new 50GB

    volume to vDesktopPvS.

    2. Establish an RDP connection or

    use the XenCenter console tab to connect to the vDesktopPvS

    server.

    Log in using the credentials of

    the domain system administrator.

    From the Control Panel >

    Administrative Tools, start the

    Computer Management dialog.

    Click Disk Management.

    Initialize the new 16GB volume.

    Click Create a new partition.

    Select Primary Partition.

    Format the new volume.


    7. Click the Complete radio button.

    Click Next.

    In the next menu, click Install.

    Allow the installation process to

    complete.

    Click Finish.

    The Server Configuration

    wizard begins.

    Click Next.

    8. In the DHCP Services panel,

    select The Service that runs

    on another computer radio

    button.

    Click Next.


    9. Select the default setting in the

    PXE Services panel by selecting

    The service that runs on this

    computer radio button.

    Click Next.

    In the next menu, select Create

    Farm.

    Click Next.

    10. In the Database Server panel,

    click Browse.

    Select VDESKTOPPVS from the

    Server name drop down list.

    Click OK.

    The Server name and the

    Instance name fields are now populated properly.

    Click Next.


    11. In the next menu, accept the

    defaults.

    Note that this is a different FARM

    entity than the one configured on

    the Desktop Delivery Controller

    and, as such, has its own name.

    This can be a source of

    confusion and error.

    Click Next.

    12. Important:

    Change the name of the License

    server in this menu.

    Change the License Server

    name to vDesktopDDC.

    Do not change the License

    server port assignment.

    Click Next.


    16. Using the XenCenter console,

    click vDesktopPvS in the left

    panel.

    In the right panel, click the

    Storage tab.

    From the drop down list, select

    the XenDesktop Delivery

    Controller installation media.

    This assigns that volume to the

    DVD drive of the vDesktopPvS

    server.

    Navigate to the three

    executables under

    w2k3\en\XenDesktop Setup

    Tool (since this is a 32-bit

    operating system).

    Copy these files to a convenient

    location on the server.

    On the vDesktopPvS server, run

    the Setup.exe file to start the

    XenDesktop Setup Wizard.

    Click Next.

    Scroll through, read, and accept

    the License Agreement.

    Click Next.


    17. In the Destination Folder panel,

    accept the defaults.

    Click Next.

    Click Install.

    Click Finish when the installation

    completes.

    18. On the vDesktopPvS server,

    create a new subdirectory called

    XDStore.

    It is recommended to create this

    on a non-system volume so that

    it can be expanded if required.

    In this example, E:\XDStore is created.


    19. On the vDesktopPvS server,

    select Windows Start > All

    Programs > Citrix > Provisioning

    Server > Provisioning Server Console.

    In the left panel, right click

    Provisioning Server Console and

    click Connect to Farm.

    Specify the FQDN of the PVS

    server.

    The field is set to

    vDesktopPvS.XenDT.net in this

    example.

    Click Connect.

    20. Expand the tree in the left panel.

    Right click Stores.

    Select Create Store.

    In the pop up dialog, set the

    Name field to XDStore.

    In the Paths tab, specify the path

    and directory name created above.


    23. In the right panel, right click the

    newly created vDisk.

    Click Properties.

    In the pop up dialog, click Edit

    File Properties

    Click the Options tab.

    Click the option Active Directory

    machine account password

    management.

    Click OK.

    Click OK.

    24. In the left panel, expand Sites.

    Click the Servers object.

    In the right panel, right click

    VDESKTOPPVS.

    Click Properties.

    In the pop-up, click the Options

    tab.

    Click the option Enable

    automatic password support.

    Leave the number of

    days set to its default.

    Click OK.

    Acknowledge the Service

    Restart message.


    25. In the left panel of the

    Provisioning Server Console,

    click XDStore.

    In the right panel of the console,

    right click vDisk1.

    Click Mount vDisk.

    26. From the vDesktopPvS

    Windows Start menu, click My

    Computer.

    Note the new removable disk.

    Right click the new Removable

    Disk and Format it.

    Close the explorer menu.

    In the left panel of the

    Provisioning Server Console,

    select XDStore.

    In the right panel, right click

    vDisk1.

    Click Unmount Disk.


    Creating the XenDesktop System Image

    Step Description Caption

    2. In the XenCenter left panel, click

    vBaseDesktop1.

    Click the Storage tab in the right

    panel.

    Select the XenDesktop Delivery

    Controller installation media from

    the drop down list.

    Connect to the console of

    vBaseDesktop1.

    The installation menu should be

    up.

    Click Install Virtual Desktop

    Components.

    Scroll through and read the

    License Agreement and click I

    accept.

    Click Next.

    Accept default PORT and

    Firewall setting adjustment

    options.

    3. Click the Select the farm now

    radio button.

    Select the XenDTFarm from the

    drop down list. This is the name

    of the farm in the Citrix

    XenDesktop Delivery Controller

    installation.

    Click Next.

    Click Install.

    Click Continue Anyway on

    printer warning messages if they

    are presented.

    Click Finish.

    Click Yes when prompted to

    restart the system.


    4. Connect to the XenCenter

    console. Right click

    vBaseDesktop1 in the left panel.

    Click Properties.

    In the pop up window, click

    Startup Options.

    Move Network to the top of the

    Boot Order list.

    Click OK.

    Click the Network tab in the right

    panel.

    Record the MAC Address

    shown.

    This will be used in the next step.

    5. Establish an RDP connection or

    use the XenCenter console tab

    to connect to vDesktopPvS.

    Log in as the domain

    administrator.

    Start the Provisioning Server

    Console.

    In the left panel expand the

    entire tree and right click

    Collection.

    Click Create Device.

    Enter the Name and the

    recorded MAC Address from the

    previous step. Do not be

    concerned about the case

    change.

    Click OK.


    6. In the right panel, right click the

    new device and click Properties.

    In the pop-up panel, select Hard

    Disk in the Boot From drop

    down list.

    Click the vDisks tab.

    Click Add.

    In the window under Select

    Desired vDisks, click

    XDStore\vDisk1.

    Click OK.

    Click OK again to close the

    dialog.

    Restart vBaseDesktop1.

    7. In the XenCenter left panel, click

    vBaseDesktop1.

    Click the Storage tab in the right

    panel.

    Select the Citrix Provisioning

    Server installation media.

    Connect to the vBaseDesktop1

    console and log in as the domain

    administrator.

    From the main menu of the

    installation dialog, click Install

    Target Device for 32 bit

    Platform.

    Scroll through and accept the

    License Agreement.

    Click Next.


    8. Enter your user and

    organizational information.

    Be sure to click Anyone who

    uses this computer.

    Click Next.

    Accept the default Destination

    Folder.

    Click Next.

    Click Install.

    When the installation wizard

    completes, click Finish.

    Restart the system.

    9. Log in as the domain

    administrator when

    vBaseDesktop1 restarts.

    Click the vDisk icon in the tray to

    show status and statistics.

    Check that the vDisk is active.

    Close the dialog.

    Use Windows explorer to

    determine which drive letter

    Windows has assigned to this

    device.

    The drive letter assignment is

    typically E:\.

    Make a note of this drive letter

    assignment.


    10. To clone the vBaseDesktop1

    system image to the vDisk, click

    Windows Start > All Programs > Citrix > Citrix Provisioning

    Server Image Builder from the

    vBaseDesktop1 system.

    This utility is found under All

    Programs > Citrix > Provisioning

    Server > Provisioning Server

    Image Builder.

    Make certain that the destination

    drive is correct.

    Click Build.

    Click Yes to confirm the build

    action.

    This process will take some time.

    Upon completion, shut down

    vBaseDesktop1.

    11. Establish an RDP connection or

    use the XenCenter console tab

    to connect to vDesktopPvS.

    Log in as Domain Administrator.

    If not running, start the

    Provisioning Server Console.

    Click XDStore in the left panel.

    If a lock icon appears next to

    vDisk1 in the right panel, ensure

    that vBaseDesktop1 has been

    shut down fully.

    Right click the vDisk1 object in

    the right panel and click

    Properties.

    Click Edit File Properties.

    Click the Mode tab.

    Select Standard Image from the

    Access Mode drop down list.

    Click OK.

    Click OK again to exit.


    14. In the Virtual Machine Template

    menu, select PvS VM Template

    from the list.

    Ignore all other templates that

    might exist.

    Click Next.

    15. In the Virtual Disk menu, select

    vDisk1.

    Click Next.


    16. In the Virtual Desktops menu,

    specify the number of virtual

    desktops, and the Virtual Desktop systems naming

    structure.

    The configuration specified in all

    previous setup steps was set

    with values that support 5

    systems.

    The complete name cannot

    exceed 16 characters, including

    the sequence numbers that are

    appended to the Common

    Name.

    Click Next.

    17. In the Organizational Unit menu,

    click Use Default

    Organizational Unit.

    Click Next.

    In the next menu, click Create a

    new desktop group called

    XDGroup.

    Leave the Allow Immediate

    Access option checked.

    Click Next.

    Review the summary information

    in the Desktop Creation menu.

    Click Next.


    Section III Configuring Local Access

    Part 1 - Endpoint Configuration for Full-Screen-Only Mode Access

    Full-Screen-Only Mode is one in which a user can access only the XenDesktop environment. No access to the local (end-point) system resources is allowed. XenDesktop access mode is configured on the user's endpoint system.

    Upon login to the endpoint system, the connection is made to the back end XenDesktop virtual machine. The credentials are passed back to the virtual machine, and its desktop is displayed on the endpoint system.

    Only the user that installed the client software can access local system resources.

    The alternate connectivity mode (Window-View Mode) is discussed in the section that follows these Full Screen configuration steps.

    To configure the endpoint system to allow only Full-Screen-Only Mode, follow the steps below.

    Endpoint Configuration Full-Screen-Only Mode

    Step Description Caption

    1. If using RDP to access the

    endpoint systems in the lab,

    make sure that the appropriate user names are authorized on

    the target systems.

    Note that this authorization is

    required only in a lab/RDP

    environment, and is not required

    in a production deployment.

    This is not required on the

    XenDesktop virtual desktop

    systems.


    2. Click EP-Full-01 in the left panel

    of the XenCenter menu.

    Click the Storage tab in the right

    panel.

    Select the Citrix Desktop

    Delivery Controller installation

    media.

    Establish an RDP connection or

    use the XenCenter console tab

    to connect to EP-Full-01.

    Log in as Domain Administrator.

    On the EP-Full-01 system,

    browse the DVD to the

    w2k3\en\Clients\ica32 directory.

    Click to run

    DeskTopReceiverFull.msi.

    Select your language.

    Click Next.

    Accept the license agreement.

    Click Next.

    3. Set the Server Address field to

    vDesktopDDC.XenDT.net.

    Click Next.

    In the next menu, select the

    default Destination Folder.

    Click Next.

    Click Use machine name as

    client name in the following

    panel.

    Click Next.


    4. Click the YES radio button to use

    the local user name and

    password.

    Click Next.

    In the next menu, click YES for

    installing USB support.

    Click Next.

    At the summary page, click Next

    to begin the installation process.

    After the installation completes,

    click Finish.

    Do not reboot when prompted.


    5. Click to run

    DeskTopApplianceLock_en.msi in the same directory

    used in the above installation.

    Accept the License Agreement

    and click Install.

    Allow installation to complete.

    Click Close.

    Restart the system.

    Installation of these two

    components will force

    XenDesktop Full-Screen-Only

    Mode for all users except the

    user that installed these components.

    No other user will have access to

    the local system resources.

    6. Allow the EP-Full-01 system to

    restart.

    Log in as XenDT domain user User_1.


    7. One of the vDesktopX systems

    is connected to this session.

    The login credentials are passed

    through to one of the idle

    vDesktopX systems, which has

    been allocated to this session.

    Note: As this system is allocated,

    background processes bring up

    another idle XenDesktop system

    as per the Idle Pool count

    parameter.

    8. Connect to the vDesktopDDC

    server and launch the Access

    Management Console.

    Click Action > Refresh.

    The console now shows that one

    of the virtual systems is in use.


    Part 2 - Endpoint Configuration for Window-View Mode Access

    Window-View Mode is an endpoint system configuration in which users can access the XenDesktop virtual machine desktop through a window on their own endpoint workstation.

    This will be the default configuration for users with personal PCs, or those connecting through a remote connection.

    Upon login to the endpoint system, the user opens a browser and points to the Web Interface (running on vDesktopDDC in this lab configuration). This triggers the allocation of a back end XenDesktop system from the idle pool, and presents a login dialog.

    To configure the endpoint system to allow only Windowed Access Mode, follow the steps below.

    Endpoint Configuration Window-View Mode

    Step Description Caption

    1. Establish an RDP session or use

    the XenCenter console tab to

    connect to the EP-Win-01 system.

    Log in as Domain Administrator.

    Download the Citrix Receiver,

    and install it on this workstation.

    The Citrix Receiver can be found

    at www.Citrix.com.

    Log out from the system.


    2. Connect to EP-Win-01 again.

    Log in as the local Administrator

    or another user to simulate

    logging in to a multi-purpose

    workstation.

    Using this username parallels

    using a shared/guest system to

    access the remote desktop

    services.

    This will show that the user will

    be required to provide an

    authorized XenDesktop user

    name for access to be granted.

    3. Open an internet browser.

    Set the address bar to

    http://vDesktopDDC/

    The FQDN may also be used in the browser address bar.

    The login page appears.

    Enter the login credentials:

    Name: User_4

    Password:

    Domain: XenDT

    Click Log On.


    4. Acknowledge the licensing

    agreement.

    Click Download.

    Click Run when prompted.

    Acknowledge the publisher

    warnings and continue the

    installation.

    5. Click Tools in Internet Explorer

    menu bar.

    Click Internet options from the

    drop down menu.

    In the Security tab, add the

    current site to the trusted sites list.

    Restart the browser.

    Access http://vDesktopDDC/

    Log in again:

    Name: User_5

    Password:

    Domain: XenDT


    6. You will now be connected

    automatically to the Virtual

    Desktop.

    Unlike Full-Screen-Only Mode,

    the Citrix Receiver prompts the

    user to specify local resource

    access preferences.

    Local Access Summary

    This concludes the setup of Local Access to the XenDesktop VDI environment. This configuration demonstrates the methodology used to configure access to the environment by local LAN based user communities.

    Many default configuration options were set in the interest of simplifying the lab environment. For additional configuration options, consult the Citrix XenDesktop product documentation.


    Remote User Access

    Secure remote access to the existing XenDesktop environment will be provided and managed by the Citrix Access Gateway SSL VPN product. In this configuration, the Access Gateway Enterprise Edition resident within the Platinum Edition Citrix NetScaler will be superimposed atop the existing XenDesktop infrastructure.

    As shown above, requests from remote users are simply routed through the Access Gateway while local LAN based users continue to access the services through their existing LAN services.

    Figure 2 - SSL VPN Overview


    Additional addresses will be required to introduce the NetScaler Access Gateway into the traffic flow. These are summarized in Table 2, below.

    Most readers will define their own naming conventions, domains, and IP addressing schemes and are encouraged to keep track of them in a chart similar to Table 2.

    SSLVPN Access Addressing Chart

    Runbook Name          Runbook IP Address    Function
    Network Router        172.18.2.1            Default Route
    NetScaler NSIP        172.18.2.150          NetScaler Management Dialog
    NetScaler MIP         172.18.2.190          NetScaler egress port
    NetScaler AGEE VIP    172.18.2.175          SSL VPN Address

    Table 2 - SSLVPN Access IP Addresses


    Section IV Configuring Secure Remote Access

    Part 1 - Perform the Basic NetScaler Configuration

    An SSH client can be used to connect directly to the NetScaler through the appliance's default IP address of 192.168.100.1 with a netmask of 255.255.0.0. Best practices, however, have the user perform the initial NetScaler configuration via a serial connection when the appliance is not connected to the network.

    With either method, the NetScaler command line interface is used initially. As such, screenshots are not provided. The results of these initial configuration steps, however, do facilitate the connection to the NetScaler appliance via the web based administrative Graphical User Interface (GUI).

    Use the following procedure inserting the addresses in the SSLVPN Access Addressing Chart (Table 2).

    NetScaler Initial Configuration Steps

    1. Connect a serial cable from your computer to the NetScaler and power on the NetScaler Access Gateway.

    2. Use HyperTerminal (or any other terminal emulation software) to connect to the serial port: 8 bits, no parity, 1 stop bit.

    3. Log on using the default administrator account and password, nsroot/nsroot.

    4. At the > prompt, type config ns and then type 1 to set the NSIP address to 172.18.2.150 and subnet mask to 255.255.255.0.

    5. After setting the above IP address, type 6 to apply changes and exit.

    6. Answer yes to save the configuration and reboot.

    7. After the NetScaler reboots, log in and confirm that the new NSIP has been applied by typing show IP

    8. To access the NetScaler Access Gateway from a different network segment, a default route must be set.

    At the prompt, type add route 0.0.0.0 0.0.0.0 172.18.2.1

    Use the Network Router address in the Addressing Chart, above.

    9. Save the configuration changes:

    At the prompt, type save ns config

    10. Connect one of the NetScaler Access Gateway Ethernet interfaces to the network.

    11. Verify connectivity to the network.

    At the prompt, type ping 172.18.2.1

    At the prompt, type ping 172.18.2.191

    12. From a Command Prompt on vDesktopDmC:

    Type ping 172.18.2.150

    Table 3 - NetScaler Initialization
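Before the addresses are typed into the appliance, the addressing chart can be checked against the steps that use it. The following is an added example, not part of the original guide; the function names are hypothetical, and the addresses are copied from Table 2 and from steps 4, 8, 11 and 12 above. On the page's values it reports that the address pinged in step 11 (172.18.2.191) has no entry in Table 2, and that the factory default address is outside the lab subnet.

```python
import ipaddress

# Values copied from the page's SSLVPN Access Addressing Chart (Table 2).
CHART = {
    "Network Router": "172.18.2.1",
    "NetScaler NSIP": "172.18.2.150",
    "NetScaler MIP": "172.18.2.190",
    "NetScaler AGEE VIP": "172.18.2.175",
}
NETMASK = "255.255.255.0"                       # subnet mask set in step 4
FACTORY_DEFAULT = ("192.168.100.1", "255.255.0.0")  # appliance default address

# Addresses typed during the CLI procedure: (step, command, address).
STEP_ADDRESSES = [
    (4, "config ns", "172.18.2.150"),
    (8, "add route", "172.18.2.1"),
    (11, "ping", "172.18.2.1"),
    (11, "ping", "172.18.2.191"),
    (12, "ping", "172.18.2.150"),
]


def audit_plan(chart, netmask, step_addresses):
    """Return (subnet, findings) for an addressing chart.

    Each finding is a tuple (kind, where, address) with kind one of:
      "off-subnet"   chart entry is outside the NSIP's subnet
      "reserved"     chart entry is the network or broadcast address
      "duplicate"    chart entry reuses an address already assigned
      "not-in-chart" a procedure step uses an address the chart does not list
    """
    subnet = ipaddress.ip_network(
        f"{chart['NetScaler NSIP']}/{netmask}", strict=False
    )
    findings = []
    seen = {}
    for name, addr in chart.items():
        ip = ipaddress.ip_address(addr)
        if ip not in subnet:
            findings.append(("off-subnet", name, addr))
        elif ip in (subnet.network_address, subnet.broadcast_address):
            findings.append(("reserved", name, addr))
        if addr in seen:
            findings.append(("duplicate", name, addr))
        seen.setdefault(addr, name)
    for step, command, addr in step_addresses:
        if addr not in seen:
            findings.append(("not-in-chart", f"step {step} {command}", addr))
    return subnet, findings


def default_overlaps_lab(subnet, default_addr, default_mask):
    """True if the factory default network overlaps the lab subnet.

    When this is False, a workstation addressed for the lab cannot reach the
    appliance on its default address without being readdressed, which is one
    reason the initial configuration is done over the serial console.
    """
    default_net = ipaddress.ip_network(
        f"{default_addr}/{default_mask}", strict=False
    )
    return subnet.overlaps(default_net)


if __name__ == "__main__":
    lab_subnet, problems = audit_plan(CHART, NETMASK, STEP_ADDRESSES)
    print("lab subnet:", lab_subnet)
    for kind, where, addr in problems:
        print(f"{kind}: {where} uses {addr}")
    print("factory default reachable from lab subnet:",
          default_overlaps_lab(lab_subnet, *FACTORY_DEFAULT))
```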


    After cabling has been completed, complete the basic configuration of the NetScaler by executing the following steps.

    Initializing the NetScaler/Access Gateway

    Step Description Caption

    11. From a client device, connect to

    the Access Gateway

    Configuration Utility by

    browsing to the NSIP address

    http://172.18.2.150

    Login as the NetScaler

    administrator using the

    nsroot/nsroot credentials.

    Select Configuration from the

    Start in drop down list.

    Set the timeout value to the

    desired interval. Since this is a lab

    environment, the default can be

    increased for convenience.

    Click Login.

    12. The Access Gateway

    Configuration Utility starts.

    A Java Runtime Environment will

    be retrieved and installed if it

    does not exist.

    Use this NetScaler Configuration

    Utility (NetScaler Management GUI) to perform all subsequent

    configuration steps.

    Click the Setup Wizard button to

    complete the initial configuration.


    13. Click Next to begin the Setup

    Configuration Wizard.

    Validate the pre-populated IP

    Address, Mask, and Host

    Name.

    Set the Mapped IP (MIP) and

    Netmask as per Table 1 -

    Addressing Chart.

    Click Next.

    The default Gateway cannot be

    modified from this panel.

    Click Next.

    14. Set the Time Zone.

    Click Next.

    In the next panel, ensure that the

    appropriate licenses have been

    installed.

    The Citrix NetScaler Platinum

    Edition shown at the right

    includes the Access Gateway

    functionality.

    An additional SSLVPN

    Concurrent User License

    (shown to the right) is not

    required for limited Lab activities.

    Click Next.


    15. Provide the root user password

    and confirm.

    Keep a record of the password

    assigned to nsroot, the default

    system user.

    Click Next.

    16. Check the summary page.

    Click Back to correct any

    parameters if necessary.

    Click Finish.

    Click Exit.

    17. Click the Save button in the

    upper left part of the summary

    panel.

    Then click Reboot in the bottom

    of the summary panel.


    Part 2 - Install the Certificate

    The NetScaler is used to generate a Certificate Signing Request (CSR) that is passed to the domain controller. Once the signing process has been completed by the domain controller, the resultant certificate is installed into the NetScaler system.

    Installing the Certificate

    Step Description Caption

    1. When the NetScaler has

    restarted, log in again by setting

    the browser address bar to:

    http://172.18.2.150

    Select Configuration from the

    drop down list in login panel.

    2. In the left panel, expand the tree

    and click SSL.

    In the right panel, click Create

    RSA Key.

    Set the Key Filename to SSL-VPN-Key.

    Set the Key Size to 1024.

    Click DES3 (aka Triple DES)

    for PEM Encoding Algorithm.

    Enter a password into the PEM

    Passphrase field. In this

    example, pempassphrase was

    used.

    Click Create.

    Click Close.


    3. In the right panel, click Create

    Certificate Request.

    Set the Request File Name field to SSL-VPN.csr.

    Click Browse, and click SSL-VPN-Key.

    Supply the PEM Pass Phrase

    from the previous step.

    Set the Common Name field to

    access.XenDT.net

    Be sure to set the field

    accurately. It must match the

    FQDN of the Access Gateway

    VIP exactly as it will be

    registered in DNS.

    Fill in the other fields as

    appropriate.

    Click Create

    Click Close.

    4. Note: The next steps require an

    SFTP client.

    The screenshots in this

    document depict the freely

    available WinSCPclient.

    Start a WinSCP session into the

    NetScaler.

    Use the management dialog

    address (NSIP in the Addressing

    Chart) and credentials from

    above to login to the NetScaler.


    5. In the right panel of the WinSCP dialog, navigate to the NetScaler /nsconfig/ssl directory.

    Copy the SSL-VPN.csr file to the local computer.

    Minimize the WinSCP session. This session will be used again in Step 10.

    6. On your local machine, open a browser to the Domain Controller's certificate authority.

    http://vDesktopDmc.Xendt.net/certsrv

    You should always use the DNS registered FQDN.

    Authenticate using the domain administrator credentials when prompted.

    Click Request a Certificate.


    7. Click Advanced Certificate Request.

    In the following panel, click Submit a certificate request using base 64-encoded...

    8. On the local machine, use Notepad to edit the SSL-VPN.csr exported and saved from the NetScaler.

    From within Notepad, issue a Select All and then a Copy command.

    In the browser window, issue a paste command into the Saved Request window.

    It is very important to remove the trailing CR (Carriage Return) if one exists.

    From the drop down list under Certificate Template, select Web Server.

    Click Submit.


    9. In the next panel, click the Base 64 Encoded radio button.

    Click Download Certificate.

    Save the certificate as SSL-VPN.cer on the local computer.

    Hint: Save the file with a meaningful name. SSL-VPN.cer was used in this example.

    Close the download dialog.

    Close this browser window.

    10. Use WinSCP to copy the signed certificate (SSL-VPN.cer) to the NetScaler.

    The certificate should be copied to the /nsconfig/ssl directory on the NetScaler.

    When the copy completes, close the WinSCP session.


    11. In the NetScaler GUI, expand SSL in the left panel.

    Select Certificates.

    Click Add at the bottom of the right panel.

    Set the Certificate-Key Pair Name field to SSL-VPN-Cert_Key-Pair.

    Click Browse (Appliance) opposite Certificate File Name.

    Locate the signed certificate uploaded in step 10.

    Click Browse (Appliance) opposite Private Key File Name.

    Locate the Private Key SSL-VPN-Key created in step 2.

    Use the PEM Passphrase that was defined for the key. (pempassphrase was used earlier in this document.)

    Click Install.

    Click Close.

    12. The certificate signed by the XenDT domain controller's Root CA has now been installed on the NetScaler.


    Part 3 - Create the VIP Entry Point to the Access Gateway in the NetScaler System

    The Access Gateway Virtual Server provides the entry point for the SSL VPN connection. The following group of steps details the creation of the Access Gateway Virtual IP and the definition of DNS and other connectivity, authentication parameters and some system-wide parameters.

    Follow the next group of steps below.

    Creating the Access Gateway Path in the NetScaler

    Step Description Caption

    1. In the NetScaler configuration GUI, expand the tree in the left panel.

    Click Access Gateway.

    In the right panel, click the Access Gateway Wizard link.

    Click Next in the introductory panel.

    2. Set the IP address for the Access Gateway VIP according to the Addressing Chart. In this example the IP address is 172.18.2.175

    Use the standard Port 443.

    Provide a virtual server name.

    Note: The virtual server name can be different from the FQDN but should have a related naming convention. Syntax rules disallow a name containing embedded dots, however.

    Click Next.


    3. In the Certificate Options panel, select Use an existing certificate and key pair from the drop down list.

    Select the certificate just installed from the Server Certificate drop down list.

    Click Next.

    4. Set the Configured DNS Server field value to 172.18.2.191, the IP address of vDesktopDmC, the domain controller.

    Click the DNS radio button for Name Lookup Priority.

    Click Next.


    5. Select LDAP from the Select an authentication type drop down list. Set the values as follows:

    IP Address: 172.18.2.191 (vDesktopDmC IP)

    Base DN: DC=XenDT,DC=net

    Administrator Bind DN: Administ [email protected]

    Password:

    Server Logon Name Attribute: samAccountName

    Search Filter: (blank)

    Group Attribute: memberOf

    Sub Attribute Name: CN

    Security Type: PlainText

    Click Next.

    6. Leave the Configure Authorization defaults set.

    Click Redirect to secure Web address.

    Add a URL that specifies https://access.XenDT.net

    Note: This automatically redirects http requests to https. It is considered a Best Practice for ease of use.

    Click Next.


    Part 4 - Set the Access Parameters within the NetScaler Access Gateway

    In the next set of activities, the access parameters are set. Some activities have co-requisite activities on the other systems in the network. These include creating a new Active Directory group for use by Access Gateway processing, adding the Access Gateway host and address to DNS, and updating the Access Gateway with a list of addresses it should process.

    Follow the next group of steps below.

    Setting Access Parameters

    Step Description Caption

    1. Establish an RDP connection or use the XenCenter console tab to connect to vDesktopDmC.

    Log in as Domain Administrator.

    For Access Gateway policies, an Active Directory group selection process will be implemented.

    To add User_1 through User_5 to the Active Directory group XDUsers, perform the following:

    Click Windows Start > Administrative Tools > Active Directory Users and Computers.

    Right click the XenDT.net domain object and click New > Group.

    2. Create the group XDUsers.

    Click OK.

    Right click the XDUsers group in the right panel.

    Click Properties.

    Click the Members tab.

    Add XenDT\User_1 through XenDT\User_5 to the group.

    Click OK.

    These users are now members of the XDUsers group.

    Close this dialog.


    3. To create a DNS host entry for the SSL VPN system follow these steps.

    On the Domain Controller (vDesktopDmC) click Windows Start > Administrative Tools > DNS.

    Expand the tree in the left panel.

    Right click XenDT.net

    Click New Host (A).

    4. In the pop up specify the details:

    Name: access

    Address: 172.18.2.175 as per Table 1 - Addressing Chart.

    Click Add Host.

    Acknowledge the completion dialog.

    Click Done.

    Close the DNS administration window.


    7. Set the Name field to DefaultAccessPolicy.

    In the Named Expressions drop down list, select True Value.

    Click Add Expression. This will add ns_true into the window above.

    Click New, opposite Request Profile.


    8. Set the Name field to DefaultAccessProfile.


    9. Click the Client Experience tab.

    Click Override Global for Windows Plugin Type.

    Select Access Gateway from the drop down list.

    Click Override Global for Split Tunnel.

    Select ON from the drop down list.


    10. Click the Security tab.

    Click Override Global for Default Authorization Action.

    Select DENY from the drop down list.

    Click Create.

    11. Click Create.

    Click Close.


    12. Select Virtual Servers under the Access Gateway tree in the left panel.

    Click Access in the right panel.

    Click Open in the lower left section of the right panel.

    Click the Policies tab.

    Select DefaultAccessPolicy in the Policy Name column.

    Click the Intranet Applications tab.


    14. Validate the creation of the configured application.

    Click OK.

    The user's Access Gateway Plug-in will be instructed to send all traffic destined for the 172.18.2.0 network to the Access Gateway VIP.

    15. To configure an authorization policy, click Authorization under Policies under Access Gateway in the left panel.

    Click Add in the right panel.

    Set the Name field to XD-Access-Policy.

    Click Add below the Expressions window.

    Select REQ, IP, DestIP, and == from the drop down lists.

    Set the Value field to 172.18.2.0

    Set the Netmask field to 255.255.255.0.

    Click OK.


    18. To enforce this policy, click Groups under Access Gateway in the left panel.

    Double-click (to open) XDUsers in the right panel.

    Click the Authorization tab.

    Click the boxes in the Active column for XD-Access-Policy created in the previous steps.

    Click OK.

    19. To test the implementation, set your browser to http://access.XenDT.net.

    Note the automatic redirection to https://access.XenDT.net.

    Install the client software when prompted.

    Log in as User_1, a user in the XDGroup.

    Issue a PING against 172.18.2.191.
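
    The following is an added example, not part of the original guide and not NetScaler code. It models how the three settings from this part combine: Split Tunnel ON with the 172.18.2.0 intranet application, the Default Authorization Action of DENY, and XD-Access-Policy bound to XDUsers. The ALLOW action of the policy, the BYPASS label and the sample flows are assumptions made for the illustration.

```python
"""Added model of the lab's access decision; an illustration, not NetScaler code."""
from ipaddress import ip_address, ip_network
from typing import Iterable

# Split Tunnel ON (step 9): the plug-in tunnels only intranet-application traffic.
INTRANET_APPS = [ip_network("172.18.2.0/255.255.255.0")]         # step 14

# Authorization policies as (name, destination network, action, bound group).
# The ALLOW action is an assumption; the expression and binding are steps 15 and 18.
POLICIES = [
    ("XD-Access-Policy", ip_network("172.18.2.0/255.255.255.0"), "ALLOW", "XDUsers"),
]
DEFAULT_AUTHORIZATION = "DENY"                                    # step 10


def is_tunneled(dest: str) -> bool:
    """True when the plug-in would send this destination to the gateway VIP."""
    addr = ip_address(dest)
    return any(addr in net for net in INTRANET_APPS)


def authorize(groups: Iterable[str], dest: str) -> str:
    """Return the action of the first matching bound policy, else the default."""
    addr = ip_address(dest)
    member_of = set(groups)
    for _name, net, action, group in POLICIES:
        if group in member_of and addr in net:
            return action
    return DEFAULT_AUTHORIZATION


def decide(groups: Iterable[str], dest: str) -> str:
    """BYPASS means the packet leaves the client directly, outside the tunnel."""
    if not is_tunneled(dest):
        return "BYPASS"
    return authorize(groups, dest)


# Constructed sample flows: (user, AD groups, destination).
SAMPLE_FLOWS = [
    ("User_1", ["XDUsers"], "172.18.2.191"),            # the ping from step 19
    ("User_1", ["XDUsers"], "192.0.2.10"),              # not an intranet application
    ("Contractor", ["Domain Users"], "172.18.2.191"),   # authenticated, not in XDUsers
]

if __name__ == "__main__":
    for user, groups, dest in SAMPLE_FLOWS:
        print(f"{user:<11} -> {dest:<13} {decide(groups, dest)}")
```

    A user who authenticates but is not in XDUsers still gets a tunnel to the 172.18.2.0 network and is then refused by the default action, which is the behaviour to confirm when testing with an account outside the group.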


    Part 5 - Adjusting the XenDesktop Environment to Accept Requests from the Access Gateway

    The last steps include adjusting the back end XenDesktop environment to accept requests from the NetScaler Access Gateway. In this guide, the XenDesktop environment configuration will be augmented to accept requests from both local LAN based users and those forwarded by the NetScaler Access Gateway.

    The steps include defining an additional Web Interface site, and adjusting its control parameters to communicate with the NetScaler Access Gateway.

    To complete this configuration, perform the following steps:

    Setting XenDesktop Access Parameters

    Step Description Caption

    1. The first step is to install the Web Interface Management Console.

    Establish an RDP connection or use the XenCenter console tab to connect to vDesktopDDC and log in as Domain Administrator.

    In the XenCenter left panel, click vDesktopDDC.

    Select the Storage tab and select the Citrix Desktop Delivery Controller installation media.

    Browse the DVD to w2k3\en\Administration\Access Management Console\Setup

    Run the ASC_WebInterface.msi object. This installs the Web Interface management plug-in.

    2. Click Next at the Welcome screen.

    Accept the license agreement and click Next until completion.

    Restart the Citrix Access Management Console.

    Note the presence of the Internal Site under Web Interface in the Configuration tools section of the tree.


    3. Right click Web Interface in the left panel.

    Click All Tasks in the pop up list.

    Click Create Site.

    Select XenApp Web (Default).

    Click Next.

    4. Set the Path field to an appropriate value.

    The path is set to /Citrix/XenDesktop/ in this example.

    Record this path information for later use.

    Leave the Set as the default page for the IIS site unchecked.

    Click Next.


    5. The Point of Authentication dialog is presented.

    Select At Access Gateway from the drop-down list.

    Click Next.

    6. Enter the authorization service URL.

    https://access.XenDT.net/CitrixAuthService/AuthService.asmx

    This must be https.

    The fully qualified host name references the DNS registered fully qualified domain name that corresponds to the Access Gateway VIP.

    Be sure to enter the URL information accurately. This is a common source of errors.

    Click Next.


    7. The summary follows.

    Check all values for accuracy.

    Correct as necessary.

    Click Next when done.

    8. Look for the Site Successfully Created message.

    Ensure that Configure the site now is selected.

    Click Next.


    9. In the next menu, set the Farm Name field to XenDTFarm.

    Hint: Although a match is unnecessary, use the name that is displayed in the background pane of the Citrix Access Management Console.

    Click Add to create a server.

    Enter the fully qualified name of the server running the Desktop Delivery Controller processes.

    In this example, this field has been set to vDesktopDDC.XenDT.net.

    Click OK.

    Click Next.

    10. In the Specify Logon Screen Appearance menu, click the Minimal radio button.

    Click Next.


    11. Click the Hosted radio button.

    Click Next.

    12. Review the summary.

    Click Back to correct errors.

    Click Finish when complete.


    13. In the Citrix Access Management Console, select the newly created Web Interface site.

    In the Center Panel, click Manage secure access.

    Then click Edit secure access settings.

    14. In the pop-up panel, click Default.

    Click Edit.

    Select Gateway Direct from the drop down list.

    Click OK.

    Click Next.


    15. Enter the DNS registered FQDN of the access gateway VIP.

    In this example the value access.XenDT.net is entered into this field.

    Click Enable session reliability.

    Click Next.

    16. In the Secure Ticket Authority Settings panel, click Add.

    In the popup, enter the string as displayed, using the STA server's FQDN or IP address:

    http://vDesktopDDC.XenDT.net/scripts/ctxsta.dll

    In this configuration this is the XenDesktop DDC which has been DNS registered as vDesktopDDC.XenDT.net

    Ensure that this URL is typed correctly. This is a common source of error.

    Click OK.

    Click Finish.


    17. To finalize the Access Gateway configuration for XenDesktop, log in to the NetScaler Access Gateway configuration GUI.

    In the left panel, expand Access Gateway and the Policies tree.

    Under Policies, select Session.

    Click Add in the right panel.

    Set the Name field to XenDesktopPolicy.

    Under the Expression window, select True Value from the drop down list.

    Click Add Expression. Note the appearance of ns_true in the expression window.


    21. In the same panel, click the Published Applications tab.

    Click Add in the Secure Ticket Authority section in the lower half of the panel.

    Specify http:// /scripts/ctxsta.dll

    In this example, the string entered is http://vdesktopddc.xendt.net/scripts/ctxsta.dll

    Be sure to enter this URL information accurately. This is a common source of error.

    Click Create.

    Click OK.
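
    The guide flags the authorization service URL (step 6) and the Secure Ticket Authority URL (steps 16 and 21) as common sources of error, and Part 2 requires the certificate Common Name to match the gateway FQDN. The following added example, which is not part of the original guide or of any Citrix tool, lints those values before they are typed into the wizards. The function names, the case-insensitive comparisons and the mistyped sample are assumptions of the illustration.

```python
"""Added lint for the URL fields typed into the wizards; not Citrix code."""
from urllib.parse import urlsplit

AUTH_PATH = "/CitrixAuthService/AuthService.asmx"   # step 6
STA_PATH = "/scripts/ctxsta.dll"                    # steps 16 and 21


def parse(url):
    """Return (problems, parts); whitespace is reported, then ignored."""
    problems = []
    if any(ch.isspace() for ch in url):
        problems.append("contains whitespace")
    parts = urlsplit("".join(url.split()))
    if not parts.hostname:
        problems.append("missing host name")
    return problems, parts


def check_auth_service(url, gateway_fqdn):
    """The authorization service URL must be https on the gateway FQDN."""
    problems, parts = parse(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.hostname and parts.hostname != gateway_fqdn.lower():
        problems.append("host is not the gateway FQDN")
    # Assumption: paths are compared without regard to case.
    if parts.path.lower() != AUTH_PATH.lower():
        problems.append("path is not " + AUTH_PATH)
    return problems


def check_sta(url):
    """The STA URL must end in the ctxsta.dll path shown in the guide."""
    problems, parts = parse(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if parts.path.lower() != STA_PATH.lower():
        problems.append("path is not " + STA_PATH)
    return problems


def sta_key(url):
    """Normalised form used to compare the two places the STA is entered."""
    parts = urlsplit("".join(url.split()))
    return (parts.scheme, parts.hostname, parts.port, parts.path.lower())


def lint_site(cert_cn, gateway_fqdn, auth_url, web_interface_sta, gateway_sta):
    """Collect every finding for one Web Interface site and its gateway."""
    findings = []
    if cert_cn.lower() != gateway_fqdn.lower():
        findings.append("certificate CN differs from gateway FQDN")
    findings += ["auth service: " + p
                 for p in check_auth_service(auth_url, gateway_fqdn)]
    for label, url in (("Web Interface STA", web_interface_sta),
                       ("gateway STA", gateway_sta)):
        findings += [f"{label}: {p}" for p in check_sta(url)]
    if sta_key(web_interface_sta) != sta_key(gateway_sta):
        findings.append("STA differs between Web Interface and gateway")
    return findings


if __name__ == "__main__":
    # Values from the guide, with one constructed typo in the gateway STA path.
    for finding in lint_site(
            "access.XenDT.net", "access.XenDT.net",
            "https://access.XenDT.net/CitrixAuthService/AuthService.asmx",
            "http://vDesktopDDC.XenDT.net/scripts/ctxsta.dll",
            "http://vdesktopddc.xendt.net/script/ctxsta.dll"):
        print(finding)
```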


    Testing the Configuration

    Step Description Caption

    5. Start the Citrix Access Management Console on the vDesktopDDC server.

    Right click Citrix Access Management Console in the left panel.

    Click Run discovery to pick up the change to the configuration.

    6. On the user's endpoint add the site http://access.xendt.net to the trusted Internet Sites on the workstation.

    Restart the browser.

    Set the address bar to http://access.Xendt.net


    Summary

    In this document, the administrator has been guided through the configuration of Citrix XenDesktop and the Citrix NetScaler Access Gateway to provide the following services:

    Creating the XenDesktop environment to offer virtual machines as user workstations. This includes keeping a number of spare systems ready in anticipation of user connections according to time of day.

    Providing access in Full-Screen-Only and Window-View modes.

    Providing single sign-on, pass through Active Directory authentication for all end users.

    Providing a fresh system image for every user connection.

    Configuring the NetScaler Access Gateway to provide SSL VPN services for remote users that wish to access the XenDesktop environment.

    The activities in this document were intended to introduce the Citrix XenDesktop and NetScaler Access Gateway interoperability. As such, a very basic configuration for the above XenDesktop access scenarios was created. Architects designing production environments must also consider adding the following production level configuration elements that can be superimposed upon this basic design:

    Install firewalls. Configure these as appropriate to manage traffic to and between servers.

    Separate the Networks. In the lab configuration, one flat network was used for simplicity. Configure separate subnets for production environments.

    Create LDAP-specific users. Use these in your configurations rather than specifying the Domain Administrator account.

    Configure the XenDesktop virtual machines to access the corporate XenApp environment. These connections will typically be simple LAN based connections.

    Configure multiple Desktop Delivery Controllers and Web Interface instances. The NetScaler can then be configured to provide load-balancing services between these multiple environments. Additionally, XenDesktop- and XenApp-specific load balancing wizards configure the NetScaler to issue explicit health monitor probes that validate the correct operation of Web Interface and Secure Ticket Authority service. The NetScaler thus understands the status of each XenDesktop environment, and will not send user requests to environments that may not be fully functional.

    Configure SSL VPN Access Gateway High Availability. Install the NetScaler systems in pairs using the NetScaler HA facility. This ensures that an Access Gateway is always up and providing the SSL VPN services needed by the users.

    Configure DMZ bridging. The NetScaler Access Gateway can easily be configured in a double hop configuration in which multiple pairs of NetScaler systems are installed to prevent any single system from bridging the DMZ.

    Configure Global Server Load Balancing (GSLB) services. These can be configured to provide multi-datacenter load balancing or provide Disaster Recovery redirection.