NetScaler Gateway and StoreFront Deployment Guide

Tying it all together

Designing and building a new Citrix environment involves a lot of moving pieces.  For example, you cannot fully build StoreFront without XenApp servers to connect to for XML services, and you cannot launch applications until you build your XenApp servers and publish those applications.  On the other hand, you cannot effectively test XenApp until you have StoreFront built and can validate your applications.  The same goes for NetScaler: do you define your load balanced servers first, or do you build your individual components first and then define your load balanced servers?

This creates a lot of chicken-and-egg problems.  That is why planning is so important.  At this point, refer back to your reference architecture and the virtual machine planning sheets.  Ideally, you have laid out what you are going to do long before you do it.  Since we know what will be defined where, we can build elements and define references to objects that might not be built yet.  Once all of the individual components are built, we can then tie them together and complete our testing.

You may find the following guides useful:

Because there are many parts to integrating StoreFront and NetScaler, it is easy to get lost.  To make that process easier, you can follow this handy cheat sheet when building new environments:

Identify the base requirements

Gather your design principles and basic settings, such as:

  • NetScaler Gateway
  • Load Balancing Features
  • SSL Offload
  • High Availability
  • Other

Gather all prerequisites

Based on your design elements, document the following key decisions:

  • Identify target URLs for internal and external access
    • Request SSL certificates for each address
  • Determine deployment mode (one-arm or two-arm)
  • Reserve IP addresses for the NetScaler appliances
    • 1 Address per Appliance (NSIP)
    • 1 Address per Subnet (SNIP)
    • 1 Address per Virtual Server (VIP)
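
The address rules above (one NSIP per appliance, one SNIP per subnet, one VIP per virtual server) can be checked against the planning sheet before any appliance is installed. The following is an added example, not part of the original guide; the plan layout, names and addresses are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample plan; every name and address here is a placeholder.
PLAN = {
    "subnets": {"dmz": "192.0.2.0/24", "internal": "198.51.100.0/24"},
    "nsip": {"ns01": "198.51.100.10", "ns02": "198.51.100.11"},
    "snip": {"dmz": "192.0.2.5", "internal": "198.51.100.12"},
    "vip": {"gateway": "192.0.2.20", "lb-storefront": "198.51.100.20",
            "lb-ldap": "198.51.100.21"},
}
APPLIANCES = ["ns01", "ns02"]
VSERVERS = ["gateway", "lb-storefront", "lb-ldap"]


def check_plan(plan, appliances, vservers):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {n: ipaddress.ip_network(c) for n, c in plan["subnets"].items()}

    # One NSIP per appliance, one SNIP per subnet, one VIP per virtual server.
    for kind, expected in (("nsip", appliances), ("snip", nets), ("vip", vservers)):
        for name in expected:
            if name not in plan[kind]:
                problems.append(f"missing {kind.upper()} for {name}")

    seen = Counter()
    for kind in ("nsip", "snip", "vip"):
        for name, addr in plan[kind].items():
            ip = ipaddress.ip_address(addr)
            seen[ip] += 1
            if not any(ip in net for net in nets.values()):
                problems.append(f"{kind.upper()} {name} {ip} is outside every planned subnet")
            # A SNIP must live in the subnet it is planned for.
            if kind == "snip" and name in nets and ip not in nets[name]:
                problems.append(f"SNIP {ip} is not inside subnet {name}")

    # No address may be used for two different roles or objects.
    problems += [f"address {ip} assigned {n} times" for ip, n in seen.items() if n > 1]
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN, APPLIANCES, VSERVERS) or ["plan is consistent"]:
        print(line)
```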

Install the NetScaler Appliances

Install physical appliances or import virtual appliances, then configure your appliances.

  • Assign management IP address, subnet mask, default gateway & reboot
  • Connect via web browser to management IP address, complete configuration
    • Change the default nsroot password
    • Install license files (based on MAC address of appliance)
    • Configure SNIP
    • Install certificate(s)
  • Configure second appliance
    • Enable HA mode

Install and configure the StoreFront servers

Deploy your virtual servers for StoreFront, using your standards, and then perform the following tasks:

  • Modify hosts file
    • Create entry for base URL using local host address
    • Create entry for Gateway call back (if necessary)
  • Install StoreFront 2.5 on two (or more) servers
    • IIS will be installed if it is not already
  • Create a new deployment
    • Assign Base URL
    • Assign Store Name
    • Add Delivery Controllers
    • Select Remote Access (No VPN Tunnel)
      • Enter NetScaler Gateway information
      • Enter STA server address
      • Enable/Disable Session Reliability
    • Create Deployment
  • Configure StoreFront
    • Update Authentication Methods
      • Add Domain pass-through for local Receivers
      • Configure trusted domains
      • Modify password options (optional)
    • Review Store Settings
    • Review NetScaler Gateway Settings
    • Review/manage Beacons
  • Install StoreFront on second server
    • Modify hosts file
    • Install StoreFront
    • Join existing server group
      • Click Add Server on StoreFront #1
      • Enter Authorization code in StoreFront #2
    • Verify all settings copied properly

Configure the load balance virtual servers on NetScaler

Once your StoreFront (or Web Interface) servers are configured, you can create the load balancing configuration on NetScaler:

  • Sign in to NetScaler Web Console, select Load Balancing under Traffic Management
    • Enable feature, if necessary
  • Select Servers, add Server for each target
    • Enter Name and IP address for each server
  • Select Monitors, add specialty monitors as necessary
    • Create StoreFront Monitor using the custom type STOREFRONT
      • Use Store Name but keep Host name blank
      • This allows one monitor to be reused
    • Create LDAP Monitor using custom type LDAP
    • If using Web Interface, create monitor using CITRIX-WEB-INTERFACE type
      • Use URL of the Web Site logon page
    • If using XML load balancers, select CITRIX-XML-SERVICE
  • Select Services, add services for monitoring servers
    • Alternatively, you can use service groups instead of individual servers
    • Name services by the monitor and server in use, such as LDAP-AD01
  • Select Virtual Servers, create the load balance groups
    • Enter Name and IP of the LB VIP
    • Select the protocol and port
    • Select the Services (or service groups) to balance
    • Select the Method and Persistence
    • Apply the SSL Binding, if necessary
    • Suggested Load Balanced Servers
      • LDAP
      • StoreFront
      • WebInterface
      • XML
  • Verify load balancers are operating correctly

Configure the NetScaler Gateway virtual server

Finally, once all other components are completed, you can configure the Gateway virtual server:

  • Sign in to NetScaler Web Console, select NetScaler Gateway
    • Enable feature, if necessary
  • Select Policies, Authentication, LDAP
    • Create LDAP Authentication Policy
    • Assign Name, Add Server
      • Define Authentication Server, use IP for the LDAP LB VIP
      • Use service account name with rights to read the directory
      • Click Retrieve Attributes to verify
    • Add TRUE expression
  • Select Policies, Session
    • Create Session Policy
    • Assign Name, Create New Profile
      • Name Policy
      • Configure Client Experience, Security, Published Applications tabs
    • Create Expressions
      • REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
      • REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
    • Create a second policy for Web Only
      • Used as fallback/failsafe policy
  • Select Virtual Servers, add a new Virtual Server
    • Assign Name, IP address, and Certificate
    • Assign Authentication Policy
    • Assign Session Policies
    • Insert a Clientless Policy
      • Create new cvpn policy for URL rewrite
    • Published Apps, add Secure Ticket Authorities
  • Validate remote access through NetScaler Gateway
  • Add additional Pre-Authorization and Session Policies as required
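
To see how the two session policies in the checklist divide traffic, the added example below (not part of the original guide) evaluates the two listed expressions against constructed request headers. It assumes the two expressions are combined with `&&` on the Receiver policy, that the Web Only fallback uses `ns_true`, and that the lower priority number takes precedence; the policy names and priorities are hypothetical.

```python
import re

# Subset of the classic expression syntax that appears in the checklist:
#   REQ.HTTP.HEADER <name> CONTAINS <text>
#   REQ.HTTP.HEADER <name> EXISTS
TERM = re.compile(r"REQ\.HTTP\.HEADER\s+(\S+)\s+(CONTAINS|EXISTS)(?:\s+(\S+))?\s*$")


def eval_term(term, headers):
    """Evaluate one header term against a dict of request headers."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported expression: {term!r}")
    name, op, arg = m.groups()
    # HTTP header names are case-insensitive.
    value = {k.lower(): v for k, v in headers.items()}.get(name.lower())
    if op == "EXISTS":
        return value is not None
    if arg is None:
        raise ValueError(f"CONTAINS needs a value: {term!r}")
    # Assumption of this sketch: the substring comparison is case-sensitive.
    return value is not None and arg in value


def matches(expression, headers):
    """True if every &&-joined term holds; ns_true always matches."""
    if expression.strip() == "ns_true":
        return True
    return all(eval_term(t, headers) for t in expression.split("&&"))


# Hypothetical names and priorities; the AND and ns_true are assumptions.
POLICIES = [
    (100, "pol-receiver", "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"
                          " && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS"),
    (200, "pol-web-only", "ns_true"),
]


def winning_policy(headers, policies=POLICIES):
    """Name of the matching policy with the lowest priority number."""
    for _prio, name, expr in sorted(policies):
        if matches(expr, headers):
            return name
    return None


# Constructed sample requests.
RECEIVER = {"User-Agent": "CitrixReceiver/4.2 Windows", "X-Citrix-Gateway": "gw.example.com"}
BROWSER = {"User-Agent": "Mozilla/5.0"}
RECEIVER_NO_GW = {"User-Agent": "CitrixReceiver/4.2 Windows"}
```

A request that carries the Receiver User-Agent but no X-Citrix-Gateway header falls through to the Web Only policy, which is why the fallback policy has to be safe for any client.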

Last Updated: 9/15/2015