
Licensing your NetScaler AGEE nCore

Environment

  • MPX 7500 NetScaler 9.3 52.3nc
  • AGEE

Goal:

Apply a new AGEE license on your NetScaler without the need to modify your NetScaler’s host name.

Configuration:

First, let's understand the AGEE licensing feature, and assume that you have downloaded the Access Gateway platform license from your MyCitrix.com portal.

AGEE can run in two modes: “Basic Mode” and “SmartAccess Mode”.

Basic Mode:

In this mode, several Access Gateway features, such as full VPN functionality, EPA, Clientless Access, and SmartAccess, are unavailable. You can use this configuration if you only need to reach a Citrix Web Interface once you authenticate to your AGEE portal. Your AGEE Authentication and Session Policies must then point to a Citrix Web Interface server, which pretty much makes AGEE act as your good old Citrix Secure Gateway.

If you go this route and don’t need any of the advanced features, make sure your AG Platform license contains the entries below. You can read more about it in this article, which shows how to configure an Access Gateway Enterprise Edition Appliance with Unlimited ICA Connections.

INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \

INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

SmartAccess Mode:

This gives you features such as VPN functionality, EPA, Clientless Access, and SmartAccess control.

For example, in the environment I am working on now, I created two session policies, where I can filter specific AD groups and assign them to specific session policies.

AD-GroupVPN, which contains the VPN SSL users, sees both the Network Access icon for VPN SSL sessions and the Citrix XenApp icon, which redirects users to a Citrix Web Interface. In addition, I set up another group, let's call it AD-GroupWI, which only redirects users to a Citrix Web Interface page once they authenticate.

Below is a screenshot where the modes are configured under your AGEE virtual server

License installation:

Let's license AGEE with a license file that contains a name other than the host name of the NetScaler.

The traditional setup would look like this: you set your host name and the host name in the license file to be the same.

  • Connect to the Access Gateway Enterprise Edition appliance by using the serial cable or a Secure Shell (SSH) utility.
  • Log in to the appliance by using the nsroot credentials.
  • Run the following commands to set the Fully Qualified Domain Name (FQDN) for the appliance:
  • set ns hostName access.example.com
  • save config
  • shell
  • echo hostname=\"access.example.com\" > /nsconfig/rc.conf
  • Restart the appliance.

Now let's assume your license file is similar to the one below, and the hostname of your NetScaler is NS.

License File:

SERVER this_host HOSTNAME=anotherhost

VENDOR CITRIX
USE_SERVER
INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \

INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

When you access the GUI or CLI (sh license), you will notice that the total number of Access Gateway Users Allowed has the default value of 5. This means you can have no more than 5 SSL connections to your AGEE site; user number six will get an SSL Error 38 when launching applications.
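
A read-only check for the mismatch described above, as an added example that is not part of the original post. The function names and sample files are hypothetical, and it assumes the license HOSTNAME= value and the rc.conf hostname= value must match exactly:

```shell
#!/bin/sh
# Added example: read-only comparison of a license file's HOSTNAME= value
# with the hostname= entry in rc.conf. Sample files below are constructed.

# Print the HOSTNAME= value from the first SERVER line of a license file.
license_hostname() {
    sed -n 's/^SERVER[[:space:]].*HOSTNAME=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the last hostname= value in an rc.conf-style file, quotes stripped.
rcconf_hostname() {
    sed -n 's/^hostname=//p' "$1" | tail -n 1 | tr -d '"'
}

# Return 0 on match, 1 on mismatch, 2 when either value is missing.
# Assumption: the comparison is an exact, case-sensitive string match.
check_license_host() {
    lic=$(license_hostname "$1")
    rc=$(rcconf_hostname "$2")
    if [ -z "$lic" ] || [ -z "$rc" ]; then
        echo "cannot determine hostname (license='$lic', rc.conf='$rc')"
        return 2
    fi
    if [ "$lic" = "$rc" ]; then
        echo "match: $lic"
        return 0
    fi
    echo "mismatch: license expects '$lic', rc.conf has '$rc'"
    return 1
}

# Constructed sample input mirroring the license header shown in the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sample.lic" <<'EOF'
SERVER this_host HOSTNAME=anotherhost
VENDOR CITRIX
USE_SERVER
EOF
printf 'hostname="NS"\n' > "$demo_dir/rc.conf"
check_license_host "$demo_dir/sample.lic" "$demo_dir/rc.conf" || echo "exit status: $?"
rm -rf "$demo_dir"
```

On the appliance, pass your license file and /nsconfig/rc.conf as the two arguments; the script changes nothing, so it can be run before and after the fix.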

Fix:

Edit the rc.conf file located under the /nsconfig/nsconf 

  • shell
  • echo hostname=\"anotherhost\" > /nsconfig/rc.conf

This will overwrite the rc.conf file with the hostname you have embedded in your license file.

You can also do this with a program like FileZilla and edit the file directly over port 22

Once you are done, reboot the appliance. If you are running nCore, you can do a warm reboot instead of a standard reboot.

This new option, “-warm,” has been introduced for the “reboot” command. This option can be used only on NetScaler nCore appliances. When the “-warm” option is specified, the NetScaler restarts NetScaler specific functionality without restarting the appliance, reducing the time required to implement changes that would otherwise require a complete reboot of the NetScaler appliance.


About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4 MCSE – Microsoft Certified Systems Engineer

2 Responses to Licensing your NetScaler AGEE nCore

  1. Kevin says:

    Great post Daniel! Can you post examples of the policies and priorities you used to have two different AD groups have different access on a single VIP? one has full client choices and the other has just WI/ICA proxy. thanks!!!

  2. Robert says:

    yes, I’d really like to see the session examples too.
