8/11/2019 Citrix AGE 9
1/122
Worldwide Consulting Solutions
Securing XenDesktop Environments
Introduction

This document guides the user through a hands-on set up and details how to create a complete lab-based Virtual Desktop Infrastructure using the Citrix XenDesktop, Citrix XenServer, and Citrix Access Gateway Enterprise Edition products. This guide is divided into four main sections:

The first section details the steps required to build and load the server and workstation environment.
The second section provides details pertaining to the configuration of the component services. These include the Citrix Desktop Delivery Controller, the Citrix Provisioning Server, and the Citrix Licensing Server.
The third section provides details pertaining to the configuration of the XenDesktop environment and all the required steps to make it accessible directly from the corporate LAN.
The fourth section provides details pertaining to a configuration that allows the VDI infrastructure to be accessed securely across an SSL VPN using the Citrix NetScaler Access Gateway product.

Each of the sections is summarized in the table that follows. The Citrix Delivery Center products and third-party products that architects typically leverage to provide this access include:
VDI Configuration Overview

Section      Activity Summary                                  Products Used
Section I    Virtual Machine Hosting Infrastructure            Citrix XenServer Version 5.0
             (assumed to exist)                                Citrix XenCenter Version 5.0
Section I    Creating the environment and domain of            Microsoft Windows Server 2003 32-bit (3 VM instances)
             servers and workstations                          Windows XP Professional (several instances)
Section II   Installing the XenDesktop Environment             Citrix XenDesktop Version 3.0 32-bit
                                                               Citrix Provisioning Server Version 5.0
                                                               Citrix Licensing Server
Section III  Configuring local access                          Citrix Receiver Version 1.0
Section IV   Configuring Secure Remote Access                  Citrix NetScaler Access Gateway Version 9.0
All information in the above sections is presented in a concise run-book format.

This document provides information pertaining only to configuring the Virtual Desktop Infrastructure, and configuring accessibility to it. Configuring access to applications from the VDI is not within the scope of this document, however.

This document discusses and guides the configuration required to have the various components interact with each other. It should also be noted that the network design and associated configurations are suitable for lab purposes only. Configuration considerations pertaining to production network designs are not discussed in this document.

This guide includes steps that install and configure commercially available products.

In addition to requiring licenses (minimally evaluation licenses) for the Citrix NetScaler and Access Gateway (NetScaler Platinum Edition), Citrix XenDesktop, and XenServer, licenses for the following systems are required:

Three instances of Microsoft Windows Server 2003.
Several instances of Windows XP Professional edition.

Without the appropriate licensing, the functionality of some components discussed in this document may be reduced.
Contents

Introduction
Virtual Desktop Infrastructure
  Configuration Overview
    Hardware Components
    Endpoint User Workstations
    Virtual Desktops
    Servers
    The Corporate Domain
    Network Addressing
    Lab Environment Expedience Considerations
  Section I - Creating the Network
    Part 1 - Creating the servers and the network
    Part 2 - Configuring the Domain Controller
    Part 3 - Finalizing the Server Configurations
    Part 4 - Creating the Workstations
  Section II - Creating the XenDesktop Environment
    Part 1 - Preparing the XenDesktop Master Image and Template
    Part 2 - Installing the Citrix Desktop Delivery Controller Software
    Part 3 - Loading the Citrix Provisioning Server Software
    Part 4 - Finalizing the XenDesktop Image
  Section III - Configuring Local Access
    Part 1 - Endpoint Configuration for Full-Screen-Only Mode Access
    Part 2 - Endpoint Configuration for Window-View Mode Access
    Local Access Summary
Remote User Access
  Section IV - Configuring Secure Remote Access
    Part 1 - Perform the Basic NetScaler Configuration
    Part 2 - Install the Certificate
    Part 3 - Create the VIP Entry Point to the Access Gateway in the NetScaler System
Configuration Overview

The configuration planning consists of identifying the components required, and their connectivity.

Hardware Components

A XenServer system will host all virtual machines. These include servers, virtual desktops, and user workstations. An overview of their allocation follows the graphic.

Endpoint User Workstations

This environment contains two different user workstations to demonstrate the user experience. Both are hosted on the XenServer as virtual machines with the following characteristics:

EP-Full-01: this user workstation will be configured to access the XenDesktop environment in Full-Screen-Only Mode.
EP-Win-01: this user workstation will be configured to access the XenDesktop environment in Window-View Mode.

Each of the above systems will be assigned a static IP address.

Virtual Desktops

XenDesktop virtual systems will be created and hosted on the XenServer infrastructure.

This document will provision five virtual desktops from a single Windows XP image. In this lab environment, this will be sufficient to host the anticipated maximum number of workstations while maintaining a pool of idle systems.

The operating system will be Windows XP, licensed as per above (User Workstations).

The names will be defined as vDesktopX, where X is a number ranging from 1 through 5.

A base or model system, vBaseDesktop1, will be created. This provides the XenDesktop base image.
Figure 1 - XenServer Overview
These systems will receive IP addresses via DHCP.

Servers

Servers will be based upon the Windows Server 2003 R2 32-bit edition. These servers are hosted on the XenServer and include the following:

vDesktopDmC: this is the Domain Controller that hosts required services such as DNS, Active Directory, DHCP, and Certificate Services.
vDesktopDDC: this is the Citrix Desktop Delivery Controller. It hosts the DDC and the Citrix Licensing Server.
vDesktopPvS: this is the Citrix Provisioning Server. It also hosts Microsoft SQL Server Express. This server also has an additional large disk partition to accommodate the XenDesktop systems.

The Corporate Domain

The domain used in this document is XenDT.net. All systems will be joined to this domain. The root certificate from the certificate authority on this Domain Controller is installed on all participating servers, user workstations, and XenDesktop systems.

Network Addressing

IPv4 is used in this configuration. See Table 1 - VDI Addressing Chart (below) for details.

Instructional steps in the following sections pertaining to the XenDesktop VDI environment refer to this centralized table. As such, all addresses required for all sections of this document are contained in this table.

Most readers will define their own naming conventions, domains, and IP addressing schemes, and are encouraged to keep track of them in a chart similar to Table 1.
Addressing Chart

Runbook Name     Runbook IP Address    Function
Network Router   172.18.2.1            Default route
XenServer        172.18.2.151          Physical host for virtual machines; the XenCenter Management Console connects to it
vDesktopDmC      172.18.2.191          Domain Controller
vDesktopDmC      172.18.2.161-174      DHCP range
vDesktopPvS      172.18.2.192          Provisioning Server
vDesktopDDC      172.18.2.193          Desktop Delivery Controller
vBaseDesktop1    Via DHCP              Model system for all virtual systems
vDesktopX        Via DHCP              Virtual systems
EP-Full-01       172.18.2.195          Full-screen user workstation
EP-Win-01        172.18.2.196          Windowed user workstation

Table 1 - VDI Addressing Chart
Lab Environment Expedience Considerations

In the interest of expediency in lab activities, the following configurations can be set. These are not recommended for production environments:

Local firewall services have been turned off on all systems.
Privately generated root certificate: a root certificate from the Domain Controller's certificate authority is used and installed in all systems. Every system that trusts this root will accept any certificate the CA issues, so the CA and its private key must be protected accordingly.
SQL Server Express will be installed on the server running the Citrix Provisioning Server.
Section I - Creating the Network

Part 1 - Creating the servers and the network

This section contains the steps required to create the network of servers, services, and user systems for the XenDesktop environment.

The run-book begins by using an existing XenServer environment to create and host all systems.

An independent workstation is used to run the XenCenter console to connect to and manage the XenServer environment.

Creating the Windows Server 2003 Virtual Systems

Step  Description  Caption

1. Connect to your XenServer using the Citrix XenCenter software. Right-click the XenServer object in the left panel and click New VM to install a model Windows Server 2003 system on the XenServer. Set the Name to "Windows Server 2003 Model Server". All other servers will be based upon this configuration. Specify the following options when prompted: Memory: 1024MB; Disk: 8.0GB; IP address: 172.18.2.189. Install the Windows Server 2003 operating system. Right-click the "Windows Server 2003 Model Server" object in the left panel and select Install XenServer Tools in the pop-up dialog.
2. Select the Console tab in the right panel. Log in as the local Administrator. Click the Windows Start button, right-click My Computer and, in the Remote tab, enable RDP access. In the Windows Network Connections dialog, disable the local firewall service. Restart the server. Establish a connection and use the Windows Update utility to add the .NET 3.5 Framework and other appropriate updates.

3. This document references both the use of RDP and the XenCenter Console tab to access the workstation or server console. Although both are usable, connections via the Windows RDP facility require that this function be allowed. As such, steps in this run-book are included to update the My Computer properties on each system to enable RDP connectivity. This is not required if the XenCenter Console tab access method is used.
4. From the Windows Start menu, click Run. In the pop-up, enter mmc.exe and click OK to start the Management Console. From the File menu, click Add/Remove Snap-in. In the pop-up dialog, click Add. Click Certificates, then click Add. Click the Computer Account radio button. Click Next, Finish, Close, and OK. Close the Management Console and, when prompted, save it to a temporary directory at the root of the C:\ drive.

5. Prepare to run the Windows sysprep process by performing the following steps. Insert the Windows installation media into the DVD drive on the XenServer. On the Windows 2003 server, use Windows Explorer to navigate to the \Support\Tools directory on the media. Open the Deploy.cab file. Copy setupcl.exe and sysprep.exe to a temporary directory at the root of the C:\ drive on the server.
6. Navigate to the temporary directory created in the previous step. Run the sysprep.exe utility. Select Shut Down from the drop-down list in the Shutdown Mode field. Click Reseal and allow the server to shut down. Click OK to acknowledge the dialog box pertaining to regeneration of Security IDs. Do not restart the server.

7. Wait until the server has been shut down. In the left panel of the XenCenter console, right-click the "Windows Server 2003 Model Server" object. Click Convert to Template. Acknowledge the warning message and wait until the process has been completed.
8. Right-click the newly created "Windows Server 2003 Model Server" template in the left panel. Select New VM from the pop-up menu. Follow the dialogs to create three new Windows Server 2003 systems from this XenServer template. To reflect references within this guide, the virtual machines should be named vDesktopDmC, vDesktopPvS, and vDesktopDDC. Use default values as prompted through the VM creation wizard.
Part 2 - Configuring the Domain Controller

This section contains the steps required to set up the first server as the Domain Controller. As such, it will host the Active Directory, DHCP, and DNS services.

Setting up the Domain Controller

Step  Description  Caption

1. In the XenCenter console, click the vDesktopDmC server object in the left panel. Click the Console tab in the right panel. Log in as the local Administrator. Follow the steps to complete the sysprep process on the server. Set the server name, IP address, and default gateway as per Table 1 - VDI Addressing Chart, above. Specify Workgroup membership. Upon reboot, log in as the local administrator using the XenCenter console. Validate the settings for the local firewall and Remote Access as per above.
2. Establish an RDP connection or use the XenCenter Console tab to connect to the vDesktopDmC server. Log in as the local administrator. If not already running, start the Manage Your Server utility from Windows Start > All Programs. Select Add or Remove a Role. Click Next in the Preliminary Steps dialog. Select Domain Controller and click Next. Follow the wizard and select Domain controller for a new domain. Throughout this run-book, XenDT.net is used as the domain name. Continue using default values in all prompts.

3. On the vDesktopDmC server, click Windows Start > Administrative Tools > DNS. In the left panel, expand the DNS tree fully. In the left panel, under VDESKTOPDMC, right-click Reverse Lookup Zones and select New Zone. Follow the wizard for a Primary Zone using defaults. Add the Network ID when prompted. Click Next until the wizard finishes.
4. If the process prompts for the Windows 2003 installation media, mount it from the XenCenter management dialog: click vDesktopDmC in the left panel; in the right panel, click the Storage tab; select the Windows Server 2003 installation media (the appropriate DVD image) from the drop-down list. Return to the RDP session and click OK. Allow the server to restart after the Active Directory and DNS installation processes complete.

5. Log in to vDesktopDmC as the domain administrator. Restart the Manage Your Server utility if necessary. Select Add or Remove a Role. Select DHCP Server and click Next. Create a Scope Name called XenDesktop with a suitable description. Specify 172.18.2.161 - .174 as per Table 1 - VDI Addressing Chart (above). Continue to configure the Default Gateway by specifying the IP address of the router as per Table 1 (above). Click Next.
6. In the Domain Name and DNS Servers menu, set the Parent domain field to XenDT.net. Set the Server name field to vDesktopDmC. Click Resolve, then click Add; the resolved IP address appears in the list. Click Next. Click Next to bypass the WINS Servers menu. Click Next to activate this scope now. Click Finish.

7. Click Windows Start > Administrative Tools > DHCP. This opens the DHCP Management Console. Check that the DHCP service is Authorized. If it is not, the following steps will authorize it: right-click vDesktopDmC in the right panel and select Authorize. In the top menu bar, click Action, then click Refresh from the drop-down list. Ensure that the service is running.
10. Click Windows Start > Administrative Tools > Active Directory Users and Computers. This opens the Active Directory Management Console. Create five user accounts: User_1, User_2, User_3, User_4, User_5.

11. In the left panel, right-click XenDT.net. Select New in the pop-up dialog, then select Organizational Unit. Set the Name field to XenDesktop. Close the Active Directory Management dialog.

12. Reboot the server.
13. To install Certificate Services on vDesktopDmC, start the Control Panel. Select Add or Remove Programs, then Windows Components. Select Certificate Services. Select Enterprise CA and click Next. Set the Common Name for this CA field to XenDT. Click Next and accept all defaults. The Windows Server installation media may be required. If so, mount it using the XenCenter Storage tab for this virtual machine.
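The DNS, DHCP and Active Directory work in steps 3, 5 to 7, 10 and 11 above can also be done from a command prompt on vDesktopDmC, which makes the lab repeatable and leaves a record of exactly what was configured. The batch script below is an added example and is not part of the Citrix run-book. It uses the Windows Server 2003 tools netsh and dsadd, plus dnscmd, which ships in the Support Tools under \Support\Tools on the installation media rather than with the base operating system. The addresses and names come from Table 1; the scope comment, the CN=Users container for the test accounts and the password flags are assumptions.

```batch
@echo off
rem Added example, not from the Citrix run-book. Run on vDesktopDmC as a domain
rem administrator after the domain controller promotion (Part 2, step 2).
rem Requires dnscmd.exe from the Windows Server 2003 Support Tools.
setlocal
set DC=vDesktopDmC
set SUBNET=172.18.2.0
set MASK=255.255.255.0
set DOMAINDN=DC=XenDT,DC=net

rem Step 3: AD-integrated reverse lookup zone for 172.18.2.0/24.
dnscmd %DC% /ZoneAdd 2.18.172.in-addr.arpa /DsPrimary || goto :fail

rem Steps 5-6: DHCP scope with the lease range from Table 1 and the options the wizard
rem asks for: 003 router, 006 DNS server, 015 DNS domain name. The static hosts
rem (.189 to .196) sit outside the .161-.174 range, so no exclusion is needed.
netsh dhcp server \\%DC% add scope %SUBNET% %MASK% XenDesktop "XenDesktop lab scope" || goto :fail
netsh dhcp server \\%DC% scope %SUBNET% add iprange 172.18.2.161 172.18.2.174 || goto :fail
netsh dhcp server \\%DC% scope %SUBNET% set optionvalue 003 IPADDRESS 172.18.2.1 || goto :fail
netsh dhcp server \\%DC% scope %SUBNET% set optionvalue 006 IPADDRESS 172.18.2.191 || goto :fail
netsh dhcp server \\%DC% scope %SUBNET% set optionvalue 015 STRING XenDT.net || goto :fail
netsh dhcp server \\%DC% scope %SUBNET% set state 1 || goto :fail

rem Step 7: authorize this DHCP server in Active Directory (a domain-joined DHCP server
rem that is not authorized will not hand out leases), then list the authorized servers.
netsh dhcp add server %DC%.XenDT.net 172.18.2.191
netsh dhcp show server

rem Step 11: the OU that the Desktop Delivery Controller is pointed at in Section II.
dsadd ou "OU=XenDesktop,%DOMAINDN%" || goto :fail

rem Step 10: five test users. "-pwd *" prompts for each password so none is stored in
rem this file, and -mustchpwd yes forces a change at first logon.
for %%U in (User_1 User_2 User_3 User_4 User_5) do (
    dsadd user "CN=%%U,CN=Users,%DOMAINDN%" -samid %%U -upn %%U@XenDT.net -pwd * -mustchpwd yes || goto :fail
)

rem Show the result: the scope options as the DHCP console would display them, and the OU.
netsh dhcp server \\%DC% scope %SUBNET% show optionvalue
dsquery ou -name XenDesktop
goto :eof

:fail
echo Configuration step failed; correct it before continuing with the run-book.
exit /b 1
```

Each command stops the script on failure, so a half-built scope is not left activated. Step 12 (reboot) and step 13 (Certificate Services) are still done through the GUI as described.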
Part 3 - Finalizing the Server Configurations

This section contains the steps required to finalize the basic server configurations. The servers will be added to the domain, and the Domain Controller's root certificate will be added to each of the servers.

Finalizing the Server Configurations

Step  Description  Caption

1. Connect to your XenServer using the Citrix XenCenter software. Click vDesktopDDC in the left panel. In the right panel, click the Console tab. Click Next to continue the Windows Setup Wizard. Set the computer name to vDesktopDDC. In the Network settings dialog, select Custom Settings and set the network IP address to 172.18.2.193 as per Table 1 - VDI Addressing Chart (above). Set the DNS address to 172.18.2.191, the address assigned to vDesktopDmC.

2. When prompted, select "Yes, make this computer part of the following domain". Enter XenDT.net into the Domain Name field. Authenticate to the domain as the domain administrator. Click Finish and let the system reboot. Using the XenCenter console, log in as the domain administrator. Ensure that the local firewall is off.
3. Establish an RDP connection or use the XenCenter Console tab to connect to vDesktopDDC. Log in as the domain administrator. To install the Domain Controller's root certificate, perform the following: set the browser to http://vdesktopdmc/certsrv. When prompted, supply the domain administrator credentials. Click "Download CA certificate, certificate chain, or CRL".

4. Click the Base 64 radio button. Click Download CA certificate. Click Save, and save the certificate to the temporary directory at the root of the C:\ drive. Complete the dialog. Close the browser.
5. On vDesktopDDC, click Windows Start > Run. Enter mmc.exe in the dialog box. From File, click Add/Remove Snap-in. Click Add. Select Certificates from the pop-up dialog and click Add. Select Computer Account and click Next. Click Local Computer, then Finish. Click Close, then OK.

6. Expand the Console Root tree in the left panel. Click Certificates under Trusted Root Certification Authorities in the left panel. Right-click and select All Tasks, then click Import. Follow the wizard to navigate to the downloaded certificate's location. Follow the prompts to complete the import process.

7. Repeat steps 1 through 6 on the vDesktopPvS server, using the computer name vDesktopPvS and the IP address 172.18.2.192 from Table 1.
Creating the Workstations
Step Description Caption
3. Select the Console tab in the right panel. Log in as the local Administrator. Click the Windows Start button, right-click My Computer and, in the Remote tab, enable RDP access. In the Windows Network Connections dialog, disable the local firewall service. Restart the Windows XP system. Establish an RDP connection or use the XenCenter Console tab to start the Windows Update utility to add the .NET 3.5 Framework and other appropriate updates.

4. From the Windows Start menu, click Run. In the pop-up, enter mmc.exe and click OK to start the Management Console. From the File menu in the new window, click Add/Remove Snap-in. In the pop-up dialog, click Add. Click Certificates, then click Add. Click the Computer Account radio button. Click Next, Finish, Close, and OK. Close the Management Console and click Save when prompted. Hint: save this to a new directory at the root of the C:\ drive to avoid its deletion during sysprep processing.
5. Install the Domain Controller's root certificate. Set the browser to http://vdesktopdmc/certsrv. When prompted, supply the domain administrator credentials. Select "Download CA certificate, certificate chain, or CRL".

6. Click the Base 64 radio button. Click Download CA certificate. Select Save, and save the certificate to a convenient location. Hint: save this in the same location as the Management Console snap-in. Complete the dialog. Close the browser.
7. Browse to the location of the saved Management Console snap-in and click it to start the dialog. Expand the Certificates folder under the Trusted Root Certification Authorities folder in the left panel. Right-click and select All Tasks, then Import. Follow the wizard to navigate to the downloaded certificate's location. Follow the prompts to complete the import process.

8. Insert the Windows installation media into the DVD drive on the XenServer. On the workstation, navigate to the \Support\Tools directory on the DVD. Open the Deploy.cab file. Copy setupcl.exe and sysprep.exe to a temporary directory at the root of the C:\ drive of the workstation.
9. Navigate to the temporary directory created in the previous step. Run the sysprep.exe utility. Select Use Mini-Setup. Select Shutdown from the Shutdown mode drop-down list. Click Reseal and allow the workstation to shut down. Click OK to acknowledge the dialog box pertaining to regeneration of Security IDs. Do not restart the workstation.

10. In the left panel of the XenCenter console, click "Windows XP Model Workstation". Click Convert to Template. Acknowledge the warning message. Wait until the process has been completed.
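Part 3 (steps 3 to 6) and Part 4 (steps 5 to 9) repeat the same two tasks on every model system: trust the XenDT root certificate, then reseal with sysprep. The batch script below is an added example, not part of the Citrix run-book, that does both from a command prompt with certutil, expand and sysprep, and adds the check the GUI steps skip: it prints the subject and SHA-1 thumbprint of the certificate and waits for confirmation before anything is placed in the Trusted Root store, because every certificate that root signs becomes trusted by the machine. It assumes the installation media is mounted as D:, that C:\sysprep is the working directory, and that the CA is the Enterprise CA named XenDT on vDesktopDmC from Part 2 step 13; the certificate is fetched from the CA over RPC (certutil -config) instead of through the certsrv web page. Drop the -mini switch to match Part 1 step 6, where the server model is resealed without Mini-Setup.

```batch
@echo off
rem Added example, not from the Citrix run-book. Run as the domain administrator on the
rem model system (server or workstation). Assumes D: is the mounted Windows media,
rem C:\sysprep is the working directory, and the CA is vDesktopDmC\XenDT (Part 2, step 13).
setlocal
set CA=vDesktopDmC\XenDT
set WORK=C:\sysprep
set ROOTCER=%WORK%\XenDT-root.cer
if not exist "%WORK%" mkdir "%WORK%"

rem Part 3 steps 3-4: fetch the CA certificate from the CA itself, authenticated as the
rem logged-on domain user, rather than through the certsrv web page.
certutil -config "%CA%" -ca.cert "%ROOTCER%" || goto :fail

rem Show who this certificate claims to be and its SHA-1 thumbprint. Compare the thumbprint
rem with the one shown on the CA before trusting it: anything this root signs will be trusted.
certutil -dump "%ROOTCER%" | findstr /C:"CN=" /C:"Cert Hash(sha1)"
set /p ANSWER=Install this certificate into the Trusted Root store (y/N)? 
if /i not "%ANSWER%"=="y" goto :fail

rem Part 3 steps 5-6: import into the machine store, the same store the MMC snap-in uses.
certutil -addstore -f Root "%ROOTCER%" || goto :fail
certutil -store Root | findstr /C:"CN=XenDT" >nul || goto :fail
echo Root certificate installed.

rem Part 1 step 5 / Part 4 step 8: pull sysprep.exe and setupcl.exe out of Deploy.cab.
expand D:\Support\Tools\Deploy.cab -F:sysprep.exe "%WORK%" || goto :fail
expand D:\Support\Tools\Deploy.cab -F:setupcl.exe "%WORK%" || goto :fail

rem Part 4 step 9: reseal with Mini-Setup. New SIDs are generated on the next boot and the
rem system shuts down (the default reseal action), ready for Convert to Template. Do not
rem start it again before converting.
"%WORK%\sysprep.exe" -reseal -mini -quiet
goto :eof

:fail
echo Stopping: the image must not be resealed without a verified root certificate.
exit /b 1
```

The thumbprint prompt is the one step worth keeping even in a lab: a root certificate imported on every system is exactly what an attacker who controlled vDesktopDmC would want, so confirm what is being trusted. Because the CA is an Enterprise CA in the same domain, domain members will in any case receive its root through Active Directory once Group Policy applies; the manual import only avoids waiting for that.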
Section II - Creating the XenDesktop Environment

The previous section led the user through setting up the servers, user workstations, and network. The steps in this section pertain to installing and configuring the Citrix components that will deliver the XenDesktop VDI.

Part 1 - Preparing the XenDesktop Master Image and Template

The activities in this section pertain to creating the master image that will be used to create the virtual systems in the XenDesktop VDI.

Creating the XenDesktop Master Image

Step  Description  Caption

1. To create the XenDesktop base virtual system image on the XenServer, perform the following: in the left panel of the XenCenter console, right-click the "Windows XP Model Workstation" template. Select New VM from the pop-up menu. Set the Name to vBaseDesktop1. Follow the prompts using the following overrides: RAM: 1024MB; Disk: 8GB for Windows XP (16GB for Vista). Follow the Windows sysprep installation prompts. Set the System Name to vBaseDesktop1. In the Network Settings dialog, click Typical Settings to use DHCP. Join the XenDT.net domain.
2. Create a new virtual machine template on the XenServer host. This template will be used by the Provisioning Server. In the left panel of the XenCenter console, right-click the XenServer object. Click New VM. Set the name to "PvS VM Template". In the wizard, select Other Install Media. Click the Physical DVD drive radio button. Set the RAM to 1024MB. When the Virtual Disks panel is presented, leave the disk allocation blank. Select other defaults until Finish.

3. In the XenCenter left panel, right-click "PvS VM Template". Select Force Shutdown. Wait until the system is down. Right-click "PvS VM Template" and click Convert to Template.
Part 2 - Installing the Citrix Desktop Delivery Controller Software

The activities in this section focus on creating the XenDesktop Delivery Controller (DDC) on vDesktopDDC. The Citrix licensing server component is installed on vDesktopDDC and loaded with XenDesktop licenses.

Installing the Citrix Desktop Delivery Controller Software

Step  Description  Caption

1. Establish an RDP session or use the XenCenter Console tab to connect to the vDesktopDDC server. Log in as the domain administrator. Place the Desktop Delivery Controller installation media into the DVD drive via the XenCenter console. In the Welcome page, select Install Server Components. Scroll through the licensing agreement and click the I accept radio button. Click Next. On the next page, select all components. Click Next.
4. Upon restart, log in with the same domain administrator account. The installation will continue. It may be necessary to restart the installation process to complete the installation. Hint: to restart the installation process, click My Computer, then click the DVD drive object in the window that opens.

5. The installation continues after the reboot. Select Continue Anyway to ignore error messages pertaining to printer drivers. Upon completion of the install process, the server will prompt to restart. Allow the system to do so.
6. When the Setup Complete message appears, leave both options checked. Click Finish.

7. The Active Directory Configuration Wizard begins. Click Next. In the Select an existing Active Directory OU panel, click Browse. In this example, the XenDesktop OU was selected. Click OK. The field is set to OU=XenDesktop,DC=XenDT,DC=net. Click Next, then Finish, then Close.
8. When prompted, click Yes to start the Citrix Access Management Console. Click Next to start the Discovery wizard. Click Add Local Computer. Click Next twice. When the Discovery Completed message is displayed, click Finish.

9. Note the presence of this server (VDESKTOPDDC) under XenDesktop > Controllers. Close the Access Management Console.
10. To prepare for licensing, it is critical to have the correct hostname of the license server. Administrators can check by following these steps: on the vDesktopDDC server, click Windows Start > Run, type cmd and click OK. Type hostname and press Enter; the hostname is displayed. It is critical to specify the case-sensitive hostname when activating the licenses and downloading the license file from MyCitrix.com.

11. It is assumed that the license has been pre-arranged and retrieved. If not, download an evaluation license using your account from MyCitrix. The license file may be compressed; if so, extract it. On the vDesktopDDC server, the Citrix License Manager should be active from the previous steps. In the License Management dialog, click Copy license file to this license server. Browse to the location of the stored license and select the license file. Click Upload.
12. The license upload process completes quickly. Check that the license has been uploaded. Close the License Management Console.
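Steps 10 to 12 hinge on the license having been allocated to the exact, case-sensitive hostname of vDesktopDDC; a mismatch only shows up later as desktops that will not license. The batch script below is an added example, not from the Citrix run-book, that compares the hostname bound into the downloaded license file with the output of the hostname command before the file is uploaded. A Citrix license file names its server on a line of the form "SERVER this_host HOSTNAME=<name>"; the path of the license file is an assumption.

```batch
@echo off
rem Added example, not from the Citrix run-book. Run on vDesktopDDC before step 11.
rem LICFILE is an assumed location; point it at the extracted .lic file from MyCitrix.
setlocal
set LICFILE=C:\licenses\XenDesktop.lic
if not exist "%LICFILE%" (echo License file not found: %LICFILE% & exit /b 2)

rem Pull the name out of the "SERVER this_host HOSTNAME=<name>" line. The first loop splits
rem on "=", the second drops anything after the name (such as a port number).
set LICHOST=
for /f "tokens=2 delims==" %%H in ('findstr /B /C:"SERVER this_host HOSTNAME=" "%LICFILE%"') do (
    for /f "tokens=1" %%P in ("%%H") do set LICHOST=%%P
)
if not defined LICHOST (echo No SERVER this_host HOSTNAME line in %LICFILE% & exit /b 2)

for /f "delims=" %%N in ('hostname') do set MYHOST=%%N

rem A batch string comparison without /I is case-sensitive, which is the whole point here.
if "%LICHOST%"=="%MYHOST%" (
    echo OK: license is bound to %MYHOST%; upload it in the License Management Console.
    exit /b 0
)
echo MISMATCH: the license file names "%LICHOST%" but this server is "%MYHOST%".
echo Reallocate the license on MyCitrix.com using the name printed by the hostname command.
exit /b 1
```

Run it again after any rename of the server; the uploaded file is not rewritten by the licensing service, so the check is valid for the file on disk only.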
Part 3 - Loading the Citrix Provisioning Server Software

The activities in this section focus on creating the Provisioning Server (PvS) on vDesktopPvS.

Installing the Citrix Provisioning Server Software

Step  Description  Caption

1. Additional disk storage must be allocated to the Provisioning Server (vDesktopPvS). For these lab activities, 50GB of storage is sufficient to host the file systems for 5 virtual desktop systems based upon the Windows XP operating system. A formalized sizing procedure, outside the scope of this document, would be used to determine storage requirements for production environments. In the left panel of the XenCenter console, click vDesktopPvS. Select the Storage tab in the right panel. Set the Size field (the run-book gives 16GB here and 50GB above; use the figure from your own sizing) and click Add to create the new volume on vDesktopPvS.

2. Establish an RDP connection or use the XenCenter Console tab to connect to the vDesktopPvS server. Log in using the credentials of the domain administrator. From Control Panel > Administrative Tools, start the Computer Management dialog. Click Disk Management. Initialize the new volume. Click Create a new partition and select Primary Partition. Format the new volume.
7. Click the Complete radio button.
Click Next.
In the next menu, click Install.
Allow the installation process to complete.
Click Finish.
The Server Configuration wizard begins.
Click Next.
8. In the DHCP Services panel, select the The service that runs on another computer radio button.
Click Next.
9. Select the default setting in the PXE Services panel by selecting The service that runs on this computer radio button. Click Next.
In the next menu, select Create Farm.
Click Next.
10. In the Database Server panel, click Browse.
Select VDESKTOPPVS from the Server name drop down list.
Click OK.
The Server name and the Instance name fields are now populated properly.
Click Next.
11. In the next menu, accept the
defaults.
Note that this is a different FARM
entity than the one configured on
the Desktop Delivery Controller
and, as such, has its own name.
This can be a source of
confusion and error.
Click Next.
12. Important:
Change the name of the License
server in this menu.
Change the License Server
name to vDesktopDDC.
Do not change the License
server port assignment.
Click Next.
16. Using the XenCenter console, click vDesktopPvS in the left panel.
In the right panel, click the Storage tab.
From the drop down list, select the XenDesktop Delivery Controller installation media.
This assigns that volume to the DVD drive of the vDesktopPvS server.
Navigate to the three executables under w2k3\en\XenDesktop Setup Tool (since this is a 32-bit operating system).
Copy these files to a convenient location on the server.
On the vDesktopPvS server, run the Setup.exe file to start the XenDesktop Setup Wizard.
Click Next.
Scroll through, read, and accept the License Agreement.
Click Next.
17. In the Destination Folder panel, accept the defaults.
Click Next.
Click Install.
Click Finish when the installation completes.
18. On the vDesktopPvS server, create a new subdirectory called XDStore.
It is recommended to create this on a non-system volume so that it can be expanded if required.
In this example, E:\XDStore is created.
19. On the vDesktopPvS server, select Windows Start > All Programs > Citrix > Provisioning Server > Provisioning Server Console.
In the left panel, right click Provisioning Server Console and click Connect to Farm.
Specify the FQDN of the PVS server.
The field is set to vDesktopPvS.XenDT.net in this example.
Click Connect.
20. Expand the tree in the left panel.
Right click Stores.
Select Create Store.
In the pop up dialog, set the Name field to XDStore.
In the Paths tab, specify the path and directory name created above.
23. In the right panel, right click the newly created vDisk.
Click Properties.
In the pop up dialog, click Edit File Properties.
Click the Options tab.
Click the option Active Directory machine account password management.
Click OK.
Click OK.
24. In the left panel, expand Sites.
Click the Servers object.
In the right panel, right click VDESKTOPPVS.
Click Properties.
In the pop-up, click the Options tab.
Click the option Enable automatic password support.
Leave the number of days at its default.
Click OK.
Acknowledge the Service Restart message.
25. In the left panel of the
Provisioning Server Console,
click XDStore.
In the right panel of the console,
right click vDisk1.
Click Mount vDisk.
26. From the vDesktopPvS
Windows Start menu, click My
Computer.
Note the new removable disk.
Right click the new Removable
Disk and Format it.
Close the explorer menu.
In the left panel of the
Provisioning Server Console,
select XDStore.
In the right panel, right click
vDisk1.
Click Unmount Disk.
Creating the XenDesktop System Image
Step Description Caption
2. In the XenCenter left panel, click vBaseDesktop1.
Click the Storage tab in the right panel.
Select the XenDesktop Delivery Controller installation media from the drop down list.
Connect to the console of vBaseDesktop1.
The installation menu should be up.
Click Install Virtual Desktop Components.
Scroll through and read the License Agreement and click I accept.
Click Next.
Accept the default PORT and Firewall setting adjustment options.
3. Click the Select the farm now radio button.
Select the XenDTFarm from the drop down list. This is the farm name from the Citrix XenDesktop Delivery Controller installation.
Click Next.
Click Install.
Click Continue Anyway in response to printer warning messages if they are presented.
Click Finish.
Click Yes when prompted to restart the system.
4. Connect to the XenCenter console. Right click vBaseDesktop1 in the left panel.
Click Properties.
In the pop up window, click Startup Options.
Move Network to the top of the Boot Order list.
Click OK.
Click the Network tab in the right panel.
Record the MAC Address shown.
This will be used in the next step.
5. Establish an RDP connection or use the XenCenter console tab to connect to vDesktopPvS.
Log in as the domain administrator.
Start the Provisioning Server Console.
In the left panel expand the entire tree and right click Collection.
Click Create Device.
Enter the Name and the recorded MAC Address from the previous step. Do not be concerned about the case change.
Click OK.
6. In the right panel, right click the new device and click Properties.
In the pop-up panel, select Hard Disk in the Boot From drop down list.
Click the vDisks tab.
Click Add.
In the window under Select Desired vDisks, click XDStore\vDisk1.
Click OK.
Click OK again to close the dialog.
Restart vBaseDesktop1.
7. In the XenCenter left panel, click vBaseDesktop1.
Click the Storage tab in the right panel.
Select the Citrix Provisioning Server installation media.
Connect to the vBaseDesktop1 console and log in as the domain administrator.
From the main menu of the installation dialog, click Install Target Device for 32 bit Platform.
Scroll through and accept the License Agreement.
Click Next.
8. Enter your user and organizational information.
Be sure to click Anyone who uses this computer.
Click Next.
Accept the default Destination Folder.
Click Next.
Click Install.
When the installation wizard completes, click Finish.
Restart the system.
9. Log in as the domain administrator when vBaseDesktop1 restarts.
Click the vDisk icon in the tray to show status and statistics.
Check that the vDisk is active.
Close the dialog.
Use Windows explorer to determine which drive letter Windows has assigned to this device.
The drive letter assignment is typically E:\.
Make a note of this drive letter assignment.
10. To clone the vBaseDesktop1 system image to the vDisk, click Windows Start > All Programs > Citrix > Citrix Provisioning Server Image Builder from the vBaseDesktop1 system.
This utility is found under All Programs > Citrix > Provisioning Server > Provisioning Server Image Builder.
Make certain that the destination drive is correct.
Click Build.
Click Yes to confirm the build action.
This process will take some time.
Upon completion, shut down vBaseDesktop1.
11. Establish an RDP connection or use the XenCenter console tab to connect to vDesktopPvS.
Log in as Domain Administrator.
If not running, start the Provisioning Server Console.
Click XDStore in the left panel.
If a lock icon appears next to vDisk1 in the right panel, ensure that vBaseDesktop1 has been shut down fully.
Right click the vDisk1 object in the right panel and click Properties.
Click Edit File Properties.
Click the Mode tab.
Select Standard Image from the Access Mode drop down list.
Click OK.
Click OK again to exit.
14. In the Virtual Machine Template menu, select PvS VM Template from the list.
Ignore all other templates that might exist.
Click Next.
15. In the Virtual Disk menu, select vDisk1.
Click Next.
16. In the Virtual Desktops menu, specify the number of virtual desktops, and the Virtual Desktop systems naming structure.
The configuration specified in all previous setup steps was set with values that support 5 systems.
The complete name cannot exceed 16 characters, including the sequence numbers that are appended to the Common Name.
Click Next.
17. In the Organizational Unit menu, click Use Default Organizational Unit.
Click Next.
In the next menu, click Create a new desktop group called XDGroup.
Leave the Allow Immediate Access option checked.
Click Next.
Review the summary information in the Desktop Creation menu.
Click Next.
Section III - Configuring Local Access
Part 1 - Endpoint Configuration for Full-Screen-Only Mode Access
Full-Screen-Only Mode is one in which a user can access only the XenDesktop environment. No access to the local (endpoint) system resources is allowed. The XenDesktop access mode is configured on the user's endpoint system.
Upon login to the endpoint system, the connection is made to the back end XenDesktop virtual machine. The credentials are passed back to the virtual machine, and its desktop is displayed on the endpoint system.
Only the user that installed the client software can access local system resources.
The alternate connectivity mode (Window-View Mode) is discussed in the section that follows these Full-Screen configuration steps.
To configure the endpoint system to allow only Full-Screen-Only Mode, follow the steps below.
Endpoint Configuration Full-Screen-Only Mode
Step Description Caption
1. If using RDP to access the endpoint systems in the lab, make sure that the appropriate user names are authorized on the target systems.
Note that this authorization is required only in a lab/RDP environment, and is not required in a production deployment.
This is not required on the XenDesktop virtual desktop systems.
2. Click EP-Full-01 in the left panel of the XenCenter menu.
Click the Storage tab in the right panel.
Select the Citrix Desktop Delivery Controller installation media.
Establish an RDP connection or use the XenCenter console tab to connect to EP-Full-01.
Log in as Domain Administrator.
On the EP-Full-01 system, browse the DVD to the w2k3\en\Clients\ica32 directory.
Click to run DeskTopReceiverFull.msi.
Select your language.
Click Next.
Accept the license agreement.
Click Next.
3. Set the Server Address field to vDesktopDDC.XenDT.net.
Click Next.
In the next menu, select the default Destination Folder.
Click Next.
Click Use machine name as client name in the following panel.
Click Next.
4. Click the YES radio button to use the local user name and password.
Click Next.
In the next menu, click YES for installing USB support.
Click Next.
At the summary page, click Next to begin the installation process.
After the installation completes, click Finish.
Do not reboot when prompted.
5. Click to run DeskTopApplianceLock_en.msi in the same directory used in the above installation. Accept the License Agreement and click Install.
Allow installation to complete.
Click Close.
Restart the system.
Installation of these two components will force XenDesktop Full-Screen-Only Mode for all users except the user that installed these components.
No other user will have access to the local system resources.
6. Allow the EP-Full-01 system to restart.
Log in as XenDT domain user User_1.
7. One of the vDesktopX systems is connected to this session.
The login credentials are passed through to one of the idle vDesktopX systems, which has been allocated to this session.
Note: As this system is allocated, background processes bring up another idle XenDesktop system as per the Idle Pool count parameter.
8. Connect to the vDesktopDDC server and launch the Access Management Console.
Click Action > Refresh.
The console now shows that one of the virtual systems is in use.
Part 2 - Endpoint Configuration for Window-View Mode Access
Window-View Mode is an endpoint system configuration in which users can access the XenDesktop virtual machine desktop through a window on their own endpoint workstation.
This will be the default configuration for users with personal PCs, or those connecting through a remote connection.
Upon login to the endpoint system, the user opens a browser and points to the Web Interface (running on vDesktopDDC in this lab configuration). This triggers the allocation of a back end XenDesktop system from the idle pool, and presents the login dialog.
To configure the endpoint system to allow only Window-View Mode, follow the steps below.
Endpoint Configuration Window-View Mode
Step Description Caption
1. Establish an RDP session or use the XenCenter console tab to connect to the EP-Win-01 system.
Log in as Domain Administrator.
Download the Citrix Receiver, and install it on this workstation.
The Citrix Receiver can be found at www.Citrix.com.
Log out from the system.
2. Connect to EP-Win-01 again.
Log in as the local Administrator or another user to simulate logging in to a multi-purpose workstation.
Using this username parallels using a shared/guest system to access the remote desktop services.
This will show that the user will be required to provide an authorized XenDesktop user name for access to be granted.
3. Open an internet browser.
Set the address bar to http://vDesktopDDC/
The FQDN may also be used in the browser address bar.
The login page appears.
Enter the login credentials:
Name: User_4
Password:
Domain: XenDT
Click Log On.
4. Acknowledge the licensing agreement.
Click Download.
Click Run when prompted.
Acknowledge the publisher warnings and continue the installation.
5. Click Tools in the Internet Explorer menu bar.
Click Internet Options from the drop down menu.
In the Security tab, add the current site to the trusted sites list.
Restart the browser.
Access http://vDesktopDDC/
Log in again:
Name: User_5
Password:
Domain: XenDT
6. You will now be connected automatically to the Virtual Desktop.
Unlike Full-Screen-Only Mode, the Citrix Receiver prompts the user to specify local resource access preferences.
Local Access Summary
This concludes the setup of Local Access to the XenDesktop VDI environment. This configuration demonstrates the methodology used to configure access to the environment by local LAN based user communities.
Many default configuration options were set in the interest of simplifying the lab environment. For additional configuration options, consult the Citrix XenDesktop product documentation.
Remote User Access
Secure remote access to the existing XenDesktop environment will be provided and managed by the Citrix Access Gateway SSL VPN product. In this configuration, the Access Gateway Enterprise Edition resident within the Platinum Edition Citrix NetScaler will be superimposed atop the existing XenDesktop infrastructure.
As shown in Figure 2, requests from remote users are simply routed through the Access Gateway while local LAN based users continue to access the services through their existing LAN services.
Figure 2 - SSL VPN Overview
Additional addresses will be required to introduce the NetScaler Access Gateway into the traffic flow. These are summarized in Table 2, below.
Most readers will define their own naming conventions, domains, and IP addressing schemes and are encouraged to keep track of them in a chart similar to Table 2.
SSLVPN Access Addressing Chart

Runbook Name          Runbook IP Address   Function
Network Router        172.18.2.1           Default Route
NetScaler NSIP        172.18.2.150         NetScaler Management Dialog
NetScaler MIP         172.18.2.190         NetScaler egress port
NetScaler AGEE VIP    172.18.2.175         SSL VPN Address

Table 2 - SSLVPN Access IP Addresses
Section IV - Configuring Secure Remote Access
Part 1 - Perform the Basic NetScaler Configuration
An SSH client can be used to connect directly to the NetScaler through the appliance's default IP address of 192.168.100.1 with a netmask of 255.255.0.0. Best practice, however, is to perform the initial NetScaler configuration via a serial connection while the appliance is not connected to the network.
In either methodology, the NetScaler command line interface is used initially. As such, screenshots are not provided. The results of these initial configuration steps, however, do facilitate the connection to the NetScaler appliance via the web-based administrative Graphical User Interface (GUI).
Use the following procedure, inserting the addresses from the SSLVPN Access Addressing Chart (Table 2).
NetScaler Initial Configuration Steps
1. Connect a serial cable from your computer to the NetScaler and power on the NetScaler Access Gateway.
2. Use HyperTerminal (or any other terminal emulation software) to connect to the serial port: 8 bits, no parity, 1 stop bit.
3. Log on using the default administrator account and password, nsroot/nsroot.
4. At the > prompt, type config ns and then type 1 to set the NSIP address to 172.18.2.150 and the subnet mask to 255.255.255.0.
5. After setting the above IP address, type 6 to apply changes and exit.
6. Answer yes to save the configuration and reboot.
7. After the NetScaler reboots, log in and confirm that the new NSIP has been applied by typing show IP.
8. To access the NetScaler Access Gateway from a different network segment, a default route must be set. At the prompt, type add route 0.0.0.0 0.0.0.0 172.18.2.1
Use the Network Router address in the Addressing Chart, above.
9. Save the configuration changes:
At the prompt, type save ns config
10. Connect one of the NetScaler Access Gateway Ethernet interfaces to the network.
11. Verify connectivity to the network.
At the prompt, type ping 172.18.2.1
At the prompt, type ping 172.18.2.191
12. From a Command Prompt on vDesktopDmC:
Type ping 172.18.2.150
Table 3 - NetScaler Initialization
After cabling has been completed, complete the basic configuration of the NetScaler by executing the following steps.
Initializing the NetScaler/Access Gateway
Step Description Caption
11. From a client device, connect to the Access Gateway Configuration Utility by browsing to the NSIP address http://172.18.2.150
Log in as the NetScaler administrator using the nsroot/nsroot credentials.
Select Configuration from the Start in drop down list.
Set the timeout value to the desired interval. Since this is a lab environment, the default can be increased for convenience.
Click Login.
12. The Access Gateway Configuration Utility starts.
A Java Runtime Environment will be retrieved and installed if it does not exist.
Use this NetScaler Configuration Utility (NetScaler Management GUI) to perform all subsequent configuration steps.
Click the Setup Wizard button to complete the initial configuration.
13. Click Next to begin the Setup Configuration Wizard.
Validate the pre-populated IP Address, Mask, and Host Name.
Set the Mapped IP (MIP) and Netmask as per Table 1 - Addressing Chart.
Click Next.
The default Gateway cannot be modified from this panel.
Click Next.
14. Set the Time Zone.
Click Next.
In the next panel, ensure that the appropriate licenses have been installed.
The Citrix NetScaler Platinum Edition shown at the right includes the Access Gateway functionality.
An additional SSLVPN Concurrent User License (shown to the right) is not required for limited Lab activities.
Click Next.
15. Provide the root user password and confirm.
Keep a record of the password assigned to nsroot, the default system user.
Click Next.
16. Check the summary page.
Click Back to correct any parameters if necessary.
Click Finish.
Click Exit.
17. Click the Save button in the upper left part of the summary panel.
Then click Reboot in the bottom of the summary panel.
Part 2 - Install the Certificate
The NetScaler is used to generate a Certificate Signing Request (CSR) that is passed to the domain controller. Once the signing process has been completed by the domain controller, the resultant certificate is installed into the NetScaler system.
Installing the Certificate
Step Description Caption
1. When the NetScaler has restarted, log in again by setting the browser address bar to: http://172.18.2.150
Select Configuration from the drop down list in the login panel.
2. In the left panel, expand the tree and click SSL.
In the right panel, click Create RSA Key.
Set the Key Filename to SSL-VPN-Key.
Set the Key Size to 1024.
Click DES3 (aka Triple DES) for PEM Encoding Algorithm.
Enter a password into the PEM Passphrase field. In this example, pempassphrase was used.
Click Create.
Click Close.
3. In the right panel, click Create Certificate Request.
Set the Request File Name field to SSL-VPN.csr.
Click Browse, and click SSL-VPN-Key.
Supply the PEM Pass Phrase from the previous step.
Set the Common Name field to access.XenDT.net.
Be sure to set the field accurately. It must match the FQDN of the Access Gateway VIP exactly as it will be registered in DNS.
Fill in the other fields as appropriate.
Click Create.
Click Close.
4. Note: The next steps require an SFTP client.
The screenshots in this document depict the freely available WinSCP client.
Start a WinSCP session into the NetScaler.
Use the management dialog address (NSIP in the Addressing Chart) and credentials from above to log in to the NetScaler.
5. In the right panel of the WinSCP dialog, navigate to the NetScaler /nsconfig/ssl directory. Copy the SSL-VPN.csr file to the local computer.
Minimize the WinSCP session.
This session will be used again in Step 10.
6. On your local machine, open a browser to the Domain Controller's certificate authority: http://vDesktopDmc.Xendt.net/certsrv
You should always use the DNS registered FQDN.
Authenticate using the domain administrator credentials when prompted.
Click Request a Certificate.
7. Click Advanced Certificate Request.
In the following panel, click Submit a certificate request using base 64-encoded...
8. On the local machine, use Notepad to edit the SSL-VPN.csr exported and saved from the NetScaler.
From within Notepad, issue a Select All and then a Copy command.
In the browser window, issue a paste command into the Saved Request window.
It is very important to remove the trailing CR (Carriage Return) if one exists.
From the drop down list under Certificate Template, select Web Server.
Click Submit.
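The text pasted into the Saved Request window must be exactly the PEM block the NetScaler wrote, and the trailing carriage return mentioned above is the usual way a paste gets damaged. The following Python script is an added example, not part of the original runbook or of any Citrix software; it normalizes the exported SSL-VPN.csr (CRLF to LF, 64-column body lines, no trailing blank line) and rejects text whose PEM framing or base64 body is broken, so the file is checked before it reaches the CA form. The sample CSR is constructed placeholder data, not a real PKCS#10 request.

```python
import base64
import binascii
import re

# Both header spellings occur in practice: OpenSSL-style tools write
# "CERTIFICATE REQUEST", others write "NEW CERTIFICATE REQUEST".
BEGIN_MARKER = re.compile(r"^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$")
END_MARKER = re.compile(r"^-----END (NEW )?CERTIFICATE REQUEST-----$")

# Constructed sample with CRLF line endings and a trailing blank line, as a
# file saved on a Windows client might have. The body is base64 of placeholder
# bytes, not a real DER-encoded PKCS#10 request.
SAMPLE_CSR = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
    + base64.b64encode(b"constructed placeholder, not a real PKCS#10 request").decode()
    + "\r\n-----END NEW CERTIFICATE REQUEST-----\r\n\r\n"
)


def normalize_csr(text: str) -> str:
    """Return the CSR with LF line endings, a 64-column body and no trailing
    newline. Raises ValueError when the PEM framing is wrong or the body is not
    valid base64, so a damaged copy/paste is caught before submission."""
    # splitlines() handles CR, LF and CRLF; stripping removes stray whitespace.
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # drops the trailing blank line
    if len(lines) < 3 or not BEGIN_MARKER.match(lines[0]) or not END_MARKER.match(lines[-1]):
        raise ValueError("missing PEM BEGIN/END CERTIFICATE REQUEST markers")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)  # strict alphabet check
    except binascii.Error as exc:
        raise ValueError(f"CSR body is not valid base64: {exc}") from exc
    if not der:
        raise ValueError("CSR body is empty")
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([lines[0], *wrapped, lines[-1]])


def is_well_formed_csr(text: str) -> bool:
    """True when normalize_csr() accepts the text."""
    try:
        normalize_csr(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(normalize_csr(SAMPLE_CSR))
```

Run normalize_csr on the contents of SSL-VPN.csr and paste its return value; a ValueError means the file should be copied again from /nsconfig/ssl rather than submitted. The check does not parse the request itself, so the Common Name from step 3 still has to be verified on the issued certificate.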
9. In the next panel, click the Base 64 Encoded radio button.
Click Download Certificate.
Save the certificate as SSL-VPN.cer on the local computer.
Hint: Save the file with a meaningful name. SSL-VPN.cer was used in this example.
Close the download dialog.
Close this browser window.
10. Use WinSCP to copy the signed certificate (SSL-VPN.cer) to the NetScaler.
The certificate should be copied to the /nsconfig/ssl directory on the NetScaler.
When the copy completes, close the WinSCP session.
11. In the NetScaler GUI, expand SSL in the left panel.
Select Certificates.
Click Add at the bottom of the right panel.
Set the Certificate-Key Pair Name field to SSL-VPN-Cert_Key-Pair.
Click Browse (Appliance) opposite Certificate File Name.
Locate the signed certificate uploaded in step 10.
Click Browse (Appliance) opposite Private Key File Name.
Locate the Private Key SSL-VPN-Key created in step 2.
Use the PEM Passphrase that was defined for the key. (pempassphrase was used earlier in this document.)
Click Install.
Click Close.
12. The certificate signed by the XenDT domain controller's Root CA has now been installed on the NetScaler.
Part 3 - Create the VIP Entry Point to the Access Gateway in the NetScaler System
The Access Gateway Virtual Server provides the entry point for the SSL VPN connection. The following group of steps details the creation of the Access Gateway Virtual IP, and defines DNS and other connectivity settings, authentication parameters, and some system-wide parameters.
Follow the next group of steps below.
Creating the Access Gateway Path in the NetScaler
Step Description Caption
1. In the left panel of the NetScaler configuration GUI, expand the tree.
Click Access Gateway.
In the right panel, click the Access Gateway Wizard link.
Click Next in the introductory panel.
2. Set the IP address for the Access Gateway VIP according to the Addressing Chart. In this example the IP address is 172.18.2.175.
Use the standard Port 443.
Provide a virtual server name.
Note: The virtual server name can be different from the FQDN but should have a related naming convention. Syntax rules disallow a name containing embedded dots, however.
Click Next.
3. In the Certificate Options panel, select Use an existing certificate and key pair from the drop down list.
Select the certificate just installed from the Server Certificate drop down list.
Click Next.
4. Set the Configured DNS Server field value to 172.18.2.191, the IP address of vDesktopDmC, the domain controller.
Click the DNS radio button for Name Lookup Priority.
Click Next.
5. Select LDAP from the Select an authentication type drop down list. Set the values as follows:
IP Address: 172.18.2.191 (vDesktopDmC IP)
Base DN: DC=XenDT,DC=net
Administrator Bind DN:
Administ [email protected]
Password:
Server Logon Name Attribute: samAccountName
Search Filter: (blank)
Group Attribute: memberOf
Sub Attribute Name: CN
Security Type: PlainText
Click Next.
6. Leave the Configure Authorization defaults set.
Click Redirect to secure Web address.
Add a URL that specifies https://access.XenDT.net
Note: This automatically redirects http requests to https. It is considered a Best Practice for ease of use.
Click Next.
Part 4 - Set the Access Parameters within the NetScaler Access Gateway
In the next set of activities, the access parameters are set. Some activities have co-requisite activities on the other systems in the network. These include creating a new Active Directory group for use by Access Gateway processing, adding the Access Gateway host and address to DNS, and updating the Access Gateway with a list of addresses it should process.
Follow the next group of steps below.
Setting Access Parameters
Step Description Caption
1. Establish an RDP connection or use the XenCenter console tab to connect to vDesktopDmC.
Log in as Domain Administrator.
For Access Gateway policies, an Active Directory group selection process will be implemented.
To add User_1 through User_5 to the Active Directory group XDUsers, perform the following:
Click Windows Start > Administrative Tools > Active Directory Users and Computers.
Right click the XenDT.net domain object and click New > Group.
2. Create the group XDUsers. Click OK.
Right click the XDUsers group in the right panel.
Click Properties.
Click the Members tab.
Add XenDT\User_1 through XenDT\User_5 to the group.
Click OK.
These users are now members of the XDUsers group.
Close this dialog.
3. To create a DNS host entry for the SSL VPN system, follow these steps.
On the Domain Controller (vDesktopDmC) click Windows Start > Administrative Tools > DNS.
Expand the tree in the left panel.
Right click XenDT.net.
Click New Host (A).
4. In the pop up specify the details:
Name: access
Address: 172.18.2.175 as per Table 1 - Addressing Chart.
Click Add Host.
Acknowledge the completion dialog.
Click Done.
Close the DNS administration window.
7. Set the Name field to DefaultAccessPolicy.
In the Named Expressions drop down list, select True Value.
Click Add Expression. This will add ns_true into the window above.
Click New, opposite Request Profile.
8. Set the Name field to DefaultAccessProfile.
9. Click the Client Experience tab.
Click Override Global for Windows Plugin Type.
Select Access Gateway from the drop down list.
Click Override Global for Split Tunnel.
Select ON from the drop down list.
10. Click the Security tab.
Click Override Global for Default Authorization Action.
Select DENY from the drop down list.
Click Create.
11. Click Create.
Click Close.
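Several settings chosen in this runbook for lab convenience would not be acceptable in production: the 1024-bit RSA key created in Part 2 step 2, and the PlainText LDAP security type in Part 3 step 5, which sends the bind password and every user's logon password to the domain controller unencrypted. The Default Authorization Action DENY set in step 10 above and the http-to-https redirect from Part 3 step 6 are the choices to keep. The following Python script is an added example, not part of the original runbook or of any Citrix software; it encodes those checks as a review over a dictionary of the values entered above (constructed here, with the Administrator Bind DN left out) and over a hardened variant. TLS and SSL are the other security types the NetScaler LDAP configuration offers.

```python
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Finding:
    """One setting that should be changed before the gateway faces the Internet."""
    setting: str
    value: Any
    message: str


# Values as entered in this runbook (constructed from the steps above).
RUNBOOK_SETTINGS: Dict[str, Any] = {
    "rsa_key_bits": 1024,                    # Part 2, step 2
    "ldap_security_type": "PlainText",       # Part 3, step 5
    "http_to_https_redirect": True,          # Part 3, step 6
    "default_authorization_action": "DENY",  # Part 4, step 10
}

# The same settings with the weak choices replaced.
HARDENED_SETTINGS: Dict[str, Any] = dict(
    RUNBOOK_SETTINGS, rsa_key_bits=2048, ldap_security_type="TLS")

MIN_RSA_BITS = 2048                 # CA/Browser Forum and NIST minimum
ENCRYPTED_LDAP_TYPES = {"TLS", "SSL"}


def review_settings(settings: Dict[str, Any]) -> List[Finding]:
    """Return a Finding for each setting that should not go to production."""
    findings: List[Finding] = []

    bits = int(settings.get("rsa_key_bits", 0))
    if bits < MIN_RSA_BITS:
        findings.append(Finding(
            "rsa_key_bits", bits,
            f"RSA keys shorter than {MIN_RSA_BITS} bits are below current minimums; "
            "regenerate the key and CSR before installing the certificate."))

    sec = str(settings.get("ldap_security_type", ""))
    if sec.upper() not in ENCRYPTED_LDAP_TYPES:
        findings.append(Finding(
            "ldap_security_type", sec,
            "LDAP bind and user passwords cross the network unencrypted; "
            "select TLS or SSL and bind with a dedicated, low-privilege account."))

    if not settings.get("http_to_https_redirect", False):
        findings.append(Finding(
            "http_to_https_redirect", False,
            "Without the redirect, http:// requests to the gateway name fail "
            "instead of being sent to https."))

    action = str(settings.get("default_authorization_action", "")).upper()
    if action != "DENY":
        findings.append(Finding(
            "default_authorization_action", action,
            "Default Authorization Action must be DENY so that only the bound "
            "authorization policies grant access."))
    return findings


def is_production_ready(settings: Dict[str, Any]) -> bool:
    """True when review_settings() raises no findings."""
    return not review_settings(settings)


if __name__ == "__main__":
    for finding in review_settings(RUNBOOK_SETTINGS):
        print(f"{finding.setting} = {finding.value!r}: {finding.message}")
```

The review is a static checklist, not a scan of the appliance; the values have to be read from the configuration screens (or a saved ns.conf) and filled in by hand.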
12. Select Virtual Servers under the Access Gateway tree in the left panel. Click Access in the right panel.
Click Open in the lower left section of the right panel.
Click the Policies tab.
Select DefaultAccessPolicy in the Policy Name column.
Click the Intranet Applications tab.
14. Validate the creation of the configured application.
Click OK.
The user's Access Gateway Plug-in will be instructed to send all traffic destined for the 172.18.2.0 network to the Access Gateway VIP.
15. To configure an authorization policy, click Authorization under Policies under Access Gateway in the left panel.
Click Add in the right panel.
Set the Name field to XD-Access-Policy.
Click Add below the Expressions window.
Select REQ, IP, DestIP, and == from the drop down lists.
Set the Value field to 172.18.2.0.
Set the Netmask field to 255.255.255.0.
Click OK.
18. To enforce this policy, click Groups under Access Gateway in the left panel.
Double-click (to open) XDUsers in the right panel.
Click the Authorization tab.
Click the boxes in the Active column for XD-Access-Policy, created in the previous steps.
Click OK.
19. To test the implementation, set your browser to http://access.XenDT.net.
Note the automatic redirection to https://access.XenDT.net.
Install the client software when prompted.
Log in as User_1, a user in the XDGroup.
Issue a PING against 172.18.2.191.
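Steps 9 to 19 set four controls that together decide what a remote user can reach through the gateway: Split Tunnel ON, the 172.18.2.0 intranet application, a Default Authorization Action of DENY, and XD-Access-Policy bound to the XDUsers group. The Python below is an added example, not part of this run-book or of any Citrix software; it models how those controls combine so that the effect of each one can be checked against sample destinations, including the 172.18.2.191 host pinged in step 19. The class and function names are this example's own, and the ALLOW action on XD-Access-Policy is an assumption, since the run-book does not state the policy's action.

```python
"""Model of the Access Gateway decisions configured in steps 9 to 19.

Added example (not from the run-book or any Citrix product): it reproduces in
plain Python how split tunnelling, the intranet application, the default
authorization action and the group-bound authorization policy combine, so each
setting can be checked against sample destinations. Addresses are the
run-book's lab values; ALLOW on XD-Access-Policy is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class AuthorizationPolicy:
    """An authorization policy with expression REQ.IP.DESTIP == network/netmask (step 15)."""
    name: str
    network: str
    netmask: str
    action: str            # "ALLOW" or "DENY" (ALLOW assumed for XD-Access-Policy)
    active: bool = True    # the Active box on the group's Authorization tab (step 18)

    def matches(self, dest_ip: str) -> bool:
        # DESTIP == 172.18.2.0 with netmask 255.255.255.0 is a subnet test, not an exact compare.
        subnet = ipaddress.ip_network(f"{self.network}/{self.netmask}", strict=False)
        return ipaddress.ip_address(dest_ip) in subnet


@dataclass
class SessionProfile:
    """DefaultAccessProfile settings (steps 9 and 10) plus the group's policy bindings."""
    split_tunnel: bool = True                      # Split Tunnel = ON
    intranet_apps: List[str] = field(default_factory=lambda: ["172.18.2.0/24"])  # step 14
    default_authorization: str = "DENY"            # Default Authorization Action = DENY
    group_policies: List[AuthorizationPolicy] = field(default_factory=list)

    def routed_via_gateway(self, dest_ip: str) -> bool:
        """Split tunnel ON: only intranet-application traffic enters the tunnel; OFF: everything does."""
        if not self.split_tunnel:
            return True
        addr = ipaddress.ip_address(dest_ip)
        return any(addr in ipaddress.ip_network(app) for app in self.intranet_apps)

    def authorize(self, dest_ip: str) -> str:
        """The first active policy whose expression matches decides; otherwise the default applies."""
        for policy in self.group_policies:
            if policy.active and policy.matches(dest_ip):
                return policy.action
        return self.default_authorization

    def decide(self, dest_ip: str) -> str:
        """What happens to one destination from the plug-in user's point of view."""
        if not self.routed_via_gateway(dest_ip):
            return "LOCAL"   # leaves the endpoint directly; the gateway never evaluates it
        return self.authorize(dest_ip)


def lab_profile(policy_active: bool = True) -> SessionProfile:
    """The XDUsers configuration as entered in steps 15 and 18."""
    xd_policy = AuthorizationPolicy(name="XD-Access-Policy", network="172.18.2.0",
                                    netmask="255.255.255.0", action="ALLOW",
                                    active=policy_active)
    return SessionProfile(group_policies=[xd_policy])


if __name__ == "__main__":
    profile = lab_profile()
    # Step 19's check: the ping to 172.18.2.191 is tunnelled and allowed.
    for dest in ("172.18.2.191", "172.18.3.7", "8.8.8.8"):
        print(f"{dest}: tunnelled={profile.routed_via_gateway(dest)} result={profile.decide(dest)}")
    # Leaving the Active box unticked in step 18 falls back to the default DENY.
    print("policy inactive:", lab_profile(policy_active=False).decide("172.18.2.191"))
    # With split tunnel OFF everything is tunnelled, and default DENY then blocks non-matching hosts.
    everything = lab_profile()
    everything.split_tunnel = False
    print("split tunnel off, 8.8.8.8:", everything.decide("8.8.8.8"))
```

The model makes two points of the run-book's design visible: with the default action set to DENY, a user reaches the 172.18.2.0 network only because XD-Access-Policy is both present and ticked Active for the group, and with Split Tunnel ON the gateway only ever sees traffic for the intranet application, so a destination outside 172.18.2.0/24 is neither tunnelled nor authorized.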
Part 5 - Adjusting the XenDesktop Environment to Accept Requests from the Access Gateway
The last steps include adjusting the back-end XenDesktop environment to accept requests from the NetScaler Access Gateway. In this guide, the XenDesktop environment configuration will be augmented to accept requests from both local LAN-based users and those forwarded by the NetScaler Access Gateway.
The steps include defining an additional Web Interface site and adjusting its control parameters to communicate with the NetScaler Access Gateway. To complete this configuration, perform the following steps:
Setting XenDesktop Access Parameters
Step Description Caption
1. The first step is to install the Web Interface Management Console.
Establish an RDP connection or use the XenCenter console tab to connect to vDesktopDDC and log in as Domain Administrator.
In the XenCenter left panel, click vDesktopDDC.
Select the Storage tab.
Select the Citrix Desktop Delivery Controller installation media.
Browse the DVD to w2k3\en\Administration\Access Management Console\Setup.
Run the ASC_WebInterface.msi object. This installs the Web Interface management plug-in.
2. Click Next at the Welcome screen.
Accept the license agreement and click Next until completion.
Restart the Citrix Access Management Console.
Note the presence of the Internal Site under Web Interface in the Configuration tools section of the tree.
3. Right-click Web Interface in the left panel.
Click All Tasks in the pop-up list.
Click Create Site.
Select XenApp Web (Default).
Click Next.
4. Set the Path field to an appropriate value.
The path is set to /Citrix/XenDesktop/ in this example.
Record this path information for later use.
Leave Set as the default page for the IIS site unchecked.
Click Next.
5. The Point of Authentication dialog is presented.
Select At Access Gateway from the drop-down list.
Click Next.
6. Enter the authorization service URL:
https://access.XenDT.net/CitrixAuthService/AuthService.asmx
This must be https.
The fully qualified host name references the DNS-registered fully qualified domain name that corresponds to the Access Gateway VIP.
Be sure to enter the URL information accurately. This is a common source of errors.
Click Next.
7. The summary follows.
Check all values for accuracy. Correct as necessary.
Click Next when done.
8. Look for the Site Successfully Created message.
Ensure that Configure the site now is selected.
Click Next.
9. In the next menu, set the Farm Name field to XenDTFarm.
Hint: Although a match is unnecessary, use the name that is displayed in the background pane of the Citrix Access Management Console.
Click Add to create a server.
Enter the fully qualified name of the server running the Desktop Delivery Controller processes.
In this example, this field has been set to vDesktopDDC.XenDT.net.
Click OK.
Click Next.
10. In the Specify Logon Screen Appearance menu, click the Minimal radio button.
Click Next.
11. Click the Hosted radio button.
Click Next.
12. Review the summary.
Click Back to correct errors.
Click Finish when complete.
13. In the Citrix Access Management Console, select the newly created Web Interface site.
In the center panel, click Manage secure access.
Then click Edit secure access settings.
14. In the pop-up panel, click Default.
Click Edit.
Select Gateway Direct from the drop-down list.
Click OK.
Click Next.
15. Enter the DNS-registered FQDN of the Access Gateway VIP.
In this example the value access.XenDT.net is entered into this field.
Click Enable session reliability.
Click Next.
16. In the Secure Ticket Authority Settings panel, click Add.
In the pop-up, enter the string as displayed, using the STA server's FQDN or IP address:
http://vDesktopDDC.XenDT.net/scripts/ctxsta.dll
In this configuration this is the XenDesktop DDC, which has been DNS-registered as vDesktopDDC.XenDT.net.
Ensure that this URL is typed correctly. This is a common source of error.
Click OK.
Click Finish.
17. To finalize the Access Gateway configuration for XenDesktop, log in to the NetScaler Access Gateway configuration GUI.
In the left panel, expand Access Gateway and the Policies tree.
Under Policies, select Session.
Click Add in the right panel.
Set the Name field to XenDesktopPolicy.
Under the Expression window, select True Value from the drop-down list.
Click Add Expression. Note the appearance of ns_true in the expression window.
21. In the same panel, click the Published Applications tab.
Click Add in the Secure Ticket Authority section in the lower half of the panel.
Specify http://<STA server FQDN or IP address>/scripts/ctxsta.dll.
In this example, the string entered is http://vdesktopddc.xendt.net/scripts/ctxsta.dll.
Be sure to enter this URL information accurately. This is a common source of error.
Click Create.
Click OK.
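Steps 6, 16 and 21 each warn that a mistyped URL is a common source of error, and the STA URL is entered twice, once in Web Interface and once in the Access Gateway session policy, in two different spellings of the same host name. The Python below is an added example, not part of the run-book or of any Citrix tool: it checks the AuthService URL from step 6 and both STA entries for the properties the run-book requires (https for the AuthService URL, a host that is the Access Gateway VIP name, an FQDN or IP address as the STA host, and the /scripts/ctxsta.dll path), and confirms that the two STA entries name the same service. The host names and paths are the run-book's lab values; the function names are this example's own.

```python
"""Checks for the URLs that steps 6, 16 and 21 flag as common sources of error.

Added example, not part of the run-book or of any Citrix tool. Host names and
paths are the run-book's lab values; the function names are this example's own.
"""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

AUTH_SERVICE_PATH = "/CitrixAuthService/AuthService.asmx"   # step 6
STA_PATH = "/scripts/ctxsta.dll"                            # steps 16 and 21


def _is_fqdn_or_ip(host: str) -> bool:
    """Accept an IP literal or a host name with at least two labels; a bare NetBIOS name fails."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        labels = host.split(".")
        return len(labels) >= 2 and all(lbl and lbl.replace("-", "").isalnum() for lbl in labels)


def check_auth_service_url(url: str, gateway_fqdn: str) -> List[str]:
    """Problems with the AuthService URL entered in step 6; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        problems.append("must use https")
    if (parts.hostname or "") != gateway_fqdn.lower():   # urlsplit lower-cases the hostname
        problems.append(f"host must be the Access Gateway VIP name {gateway_fqdn}")
    if parts.path.lower() != AUTH_SERVICE_PATH.lower():
        problems.append(f"path must be {AUTH_SERVICE_PATH}")
    return problems


def check_sta_url(url: str) -> List[str]:
    """Problems with an STA URL as entered in step 16 or 21; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        problems.append("must start with http:// or https://")
    if not _is_fqdn_or_ip(parts.hostname or ""):
        problems.append("host must be the STA server's FQDN or IP address")
    if parts.path.lower() != STA_PATH:
        problems.append(f"path must be {STA_PATH}")
    return problems


def sta_identity(url: str) -> Tuple[str, str, int, str]:
    """Scheme, host, port and path with case folded, so spelling differences in the host are ignored."""
    parts = urlsplit(url.strip())
    default_port = 443 if parts.scheme.lower() == "https" else 80
    return (parts.scheme.lower(), (parts.hostname or "").lower(),
            parts.port or default_port, parts.path.lower())


def sta_entries_consistent(web_interface_sta: str, gateway_sta: str) -> bool:
    """Web Interface (step 16) and the session policy (step 21) must point at the same STA."""
    return sta_identity(web_interface_sta) == sta_identity(gateway_sta)


if __name__ == "__main__":
    gateway = "access.XenDT.net"
    wi_sta = "http://vDesktopDDC.XenDT.net/scripts/ctxsta.dll"    # step 16 spelling
    ag_sta = "http://vdesktopddc.xendt.net/scripts/ctxsta.dll"    # step 21 spelling
    print(check_auth_service_url("https://access.XenDT.net" + AUTH_SERVICE_PATH, gateway))
    print(check_auth_service_url("http://access.XenDT.net" + AUTH_SERVICE_PATH, gateway))
    print(check_sta_url(wi_sta), check_sta_url("http://vDesktopDDC/scripts/ctxsta.dll"))
    print(sta_entries_consistent(wi_sta, ag_sta))
```

The identity comparison folds case on the host name because DNS names are case-insensitive, which is why the mixed-case entry in step 16 and the lower-case entry in step 21 resolve to the same STA; a difference in scheme, port or path, on the other hand, is reported as an inconsistency, since the Access Gateway and Web Interface would then be validating tickets against different endpoints.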
Testing the Configuration
Step Description Caption
5. Start the Citrix Access Management Console on the vDesktopDDC server.
Right-click Citrix Access Management Console in the left panel.
Click Run discovery to pick up the change to the configuration.
6. On the user's endpoint, add the site http://access.xendt.net to the trusted Internet sites on the workstation.
Restart the browser.
Set the address bar to http://access.Xendt.net.
Summary
In this document, the administrator has been guided through the configuration of the Citrix XenDesktop and the Citrix NetScaler Access Gateway to provide the following services:
Creating the XenDesktop environment to offer virtual machines as user workstations. This includes keeping a number of spare systems ready in anticipation of user connections according to time of day.
Providing access in Full-Screen-Only and Window-View modes.
Providing single sign-on, pass-through Active Directory authentication for all end users.
Providing a fresh system image for every user connection.
Configuring the NetScaler Access Gateway to provide SSL VPN services for remote users that wish to access the XenDesktop environment.
The activities in this document were intended to introduce Citrix XenDesktop and NetScaler Access Gateway interoperability. As such, a very basic configuration for the above XenDesktop access scenarios was created. Architects designing production environments must also consider adding the following production-level configuration elements that can be superimposed upon this basic design:
Install firewalls. Configure these as appropriate to manage traffic to and between servers.
Separate the networks. In the lab configuration, one flat network was used for simplicity. Configure separate subnets for production environments.
Create LDAP-specific users. Use these in your configurations rather than specifying the Domain Administrator account.
Configure the XenDesktop virtual machines to access the corporate XenApp environment. These connections will typically be simple LAN-based connections.
Configure multiple Desktop Delivery Controllers and Web Interface instances. The NetScaler can then be configured to provide load-balancing services between these multiple environments. Additionally, XenDesktop- and XenApp-specific load balancing wizards configure the NetScaler to issue explicit health monitor probes that validate the correct operation of the Web Interface and Secure Ticket Authority services. The NetScaler thus understands the status of each XenDesktop environment, and will not send user requests to environments that may not be fully functional.
Configure SSL VPN Access Gateway high availability. Install the NetScaler systems in pairs using the NetScaler HA facility. This ensures that an Access Gateway is always up and providing the SSL VPN services needed by the users.
Configure DMZ bridging. The NetScaler Access Gateway can easily be configured in a double-hop configuration in which multiple pairs of NetScaler systems are installed to prevent any single system from bridging the DMZ.
Configure Global Server Load Balancing (GSLB) services. These can be configured to provide multi-datacenter load balancing or provide Disaster Recovery redirection.