
NetScaler Unified Gateway / SSO with Citrix StoreFront 3.9 and Client Access Mode

I have been working on deploying the NetScaler Unified Gateway for the last few weeks. Our goal is simply to create a unified page to access internal resources such as Outlook Web Access, the intranet, ShareFile, and XenApp/XenDesktop resources running on the new version of Citrix StoreFront 3.9. As a side note, I will be posting my customization code for StoreFront 3.9 in the coming weeks.

First, let me discuss (again) an issue I noticed with NetScaler NS11.0 build 63.16.nc when working with Content Switches and ZeroIP NetScaler Gateways.

I ran into a bug that crashed at a content switch bind (cs_state_bind), which our friends at Citrix confirmed they had seen in earlier builds while binding a CS action to a VPN vServer (ZeroIP). In other words, I was binding a profile policy/action to a NetScaler Gateway with a ZeroIP, which is exactly what a content-switched NetScaler Gateway actually is.

This bug has been fixed in 11.0 Build 64.x and later, and in 11.1. In my case I upgraded to the now latest version, 11.0 Build 70.12.nc.

Let's get started:

On your StoreFront server, make sure that the Enable Remote Access setting for the store is set to No VPN or Full VPN tunnel.

sf_remote_enable.png

In the web.config file, located in drive:/inetpub/wwwroot/citrix/storeweb, set X-Frame-Options to allow and Content-Security-Policy to frame-ancestors 'self'. You will see three entries for these; make sure you change them all. This allows the page to come up in all browsers, including IE. Once the changes are made, simply reset IIS or reboot your StoreFront server(s).

01-sf_webconf.png
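Both headers above are clickjacking protections, so it helps to know exactly which parent origins each value lets through. The following is an added Python example (not code from the post or from Citrix) that applies X-Frame-Options and CSP frame-ancestors the way a browser does and reports whether a given parent origin may frame the StoreFront page; the hostnames (sf.example.com, gateway.example.com) and header sets are constructed, and 'self' only admits a parent on the same origin as the framed page, so an explicit-origin variant is included as the tighter alternative when StoreFront is framed from a different host.

```python
"""Evaluate the anti-framing headers the post relaxes on StoreFront.
Added example (not code from the post): applies X-Frame-Options and CSP
frame-ancestors the way a browser does (CSP wins when both are present;
ports and paths are ignored). Hostnames and headers below are constructed."""
from urllib.parse import urlsplit

STOREFRONT_DEFAULT = {"X-Frame-Options": "deny",
                      "Content-Security-Policy": "frame-ancestors 'none'"}
POST_SETTING = {"X-Frame-Options": "allow",
                "Content-Security-Policy": "frame-ancestors 'self'"}
EXPLICIT_GATEWAY = {"X-Frame-Options": "allow",
                    "Content-Security-Policy":
                    "frame-ancestors 'self' https://gateway.example.com"}
XFO_ONLY = {"X-Frame-Options": "allow"}   # CSP entry left out entirely

def origin(url):   # lower-cased scheme://host[:port]
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def _header(headers, name):   # case-insensitive lookup
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _source_matches(src, page, parent):
    """Simplified CSP source-expression match against the parent origin."""
    if src == "'none'":
        return False
    if src == "'self'":
        return parent == page
    if src == "*":
        return True
    p_scheme, _, p_host = parent.partition("://")
    if src.endswith(":"):                       # scheme-source such as https:
        return p_scheme == src[:-1]
    s_scheme, sep, s_host = src.partition("://")
    if not sep:                                 # bare host: inherit the parent's scheme
        s_scheme, s_host = p_scheme, src
    s_host, p_host = s_host.split("/")[0].split(":")[0], p_host.split(":")[0]
    if s_scheme != p_scheme:
        return False
    return p_host.endswith(s_host[1:]) if s_host.startswith("*.") else p_host == s_host

def can_be_framed(headers, page_url, parent_url):
    """Return (allowed, reason) for page_url loaded in a frame hosted on parent_url."""
    page, parent = origin(page_url), origin(parent_url)
    sources = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    if sources is not None:                     # frame-ancestors overrides X-Frame-Options
        allowed = any(_source_matches(s, page, parent) for s in sources)
        return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no anti-framing headers at all"
    value = xfo.strip().lower()
    if value == "deny":
        return False, "X-Frame-Options: DENY"
    if value == "sameorigin":
        return parent == page, "X-Frame-Options: SAMEORIGIN"
    if value.startswith("allow-from "):
        return parent == origin(value[11:]), "X-Frame-Options: ALLOW-FROM"
    # "allow" is not a defined value: browsers discard the header, so any site may frame the page
    return True, f"X-Frame-Options value {xfo!r} is not recognised and is ignored"
```

Run it against the headers your StoreFront actually returns (curl -I on the store URL) with the Gateway FQDN as the parent to confirm the frame will load, and with an unrelated origin to confirm it will not.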

On the NetScaler Session Profile the following settings are required:

ns_session_profile.png

  • On the Client Experience tab:
    Clientless Access = ON
    Single Sign-on to Web Applications = Checked
    Credentials Index = Primary

  • On the Security tab:
    Default Authorization Action = Allow

  • On the Published Applications tab:
    ICA Proxy = OFF
    Web Interface Address = https://serverFQDN/Citrix/StoreWeb (StoreWeb is the actual store name).
    Single Sign-on Domain = Configured

ns_session_profile_sso.png

Make sure you use the FQDN link to your StoreFront server. You can run into an issue with Clientless Access mode not displaying the StoreFront page if you configure it with an IP address.

ns_frame_issue.png

Once changed to the FQDN, the page displayed successfully (e.g. https://server.domain.com/Citrix/meWeb/).

ns_frame_working.png

This is a sample of the session profile I manually created and bound to the session policy the UG Wizard created.

add vpn sessionAction UG_VPN_SAct_dmz -defaultAuthorizationAction ALLOW -SSO ON -windowsAutoLogon ON -wihome "https://server.domain.com/Citrix/meWeb/" -wiPortalMode COMPACT -ClientChoices ON -ntDomain name_of_domain -clientlessVpnMode ON -emailHome "https://mail.domain.com/owa/"

Optionally, you can bypass the Client Choices page on NetScaler Unified Gateway with a Responder policy. This way users won't have to click on the Client Access option, but will instead be redirected to it after logging on.

02_user_choices.png

To do this:

Create a Responder action based on the URL your users will be connecting to:

add responder action ug_redirect_ac redirect "\"https://name.domain.com/cgi/setclient?cvpn\"" -responseStatusCode 302

Create a Responder policy; notice that it matches requests for the choices.html page:


add responder policy ug_redirect_pol "HTTP.REQ.HOSTNAME.EQ(\"name.domain.com\") && HTTP.REQ.URL.CONTAINS(\"vpns/choices.html\")" ug_redirect_ac

Bind the Responder policy to the NetScaler Gateway the UG configuration creates. In my case it is called UG_VPN_ug_gtw_dmz:


bind vpn vserver UG_VPN_ug_gtw_dmz -policy ug_redirect_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Once the policy is bound, users will simply be redirected to the “Clientless Access” portion of the site without being prompted to select VPN, Clientless Access, or good old StoreFront/Web Interface.

That is it! Hope this helps!  Cheers :)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.


NetScaler Gateway 11 footer customization

I ran into difficulties customizing a new NetScaler 11 Gateway. Although I was happy to finally be able to apply themes per NetScaler Gateway vServer, I quickly saw that this new option presents new challenges if you are looking to customize beyond what the themes allow.

Our goal was to add footer information on the front page in order to provide Help Desk contact info, a Citrix Receiver download link and a link to the RSA Self Service portal. With NS 11, the problem is that the index.html file is no longer constructed the same way it was in 10.x.

Let's understand this a bit more.

With NetScaler Gateway 11, the logon form, and pretty much the entire index.html body, is generated by two JavaScript files (gateway_login_view.js and gateway_login_form_view.js):

  1. gateway_login_view.js – creates the body and tables for the actual form
  2. gateway_login_form_view.js – creates the form itself, username and password fields, domain dropdown box, etc.

This naturally creates a headache if you are used to working with the 10.x firmware. With 10.x you could accomplish most of the customization by directly modifying the index.html file and creating a custom global user interface policy. On the other hand, this presented a challenge if you had to run multiple Gateway vServers with a custom UI; you had to get pretty creative to overcome it.

For NS 11, I read a post where someone was struggling with a similar situation; luckily it pointed me in the right direction. The post suggested modifying or creating a new gateway_login_view.js and/or gateway_login_form_view.js (you can read the post here).

Rather than modifying existing code or creating new files and then having to deal with responder policies, etc., I figured I would try to do this via NetScaler Rewrite Policies and Actions to make it look something like the picture below.

ns11_rw_final

Environment:

  • Citrix NetScaler 11.0 Build 63.16.nc
  • StoreFront 3.0
  • RSA 8.1

Let’s get started.

1. Add links at the bottom of the authentication page. Unfortunately, rewrite actions have a 255-character limit, which you can easily bypass by adding “+” to the expression to concatenate shorter strings. Click here to view/download the syntax, as WordPress messes with it.

2. Enable the EULA box by default:

add rewrite action ns_gtw_eula_checked_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"type=\'checkbox\' checked\"" -pattern "type=\'checkbox\'"
add rewrite policy ns_gtw_eula_checked_pol "HTTP.REQ.URL.CONTAINS(\"gateway_login_form_view.js\")" ns_gtw_eula_checked_action
bind vpn vserver portal_netscaler -policy ns_gtw_eula_checked_pol -priority 110 -gotoPriorityExpression NEXT -type RESPONSE

3. Enable the Logon Button by default:

add rewrite action ns_gtw_LogonAutoEnable_rw_act replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"\'disabled\':\'\'\"" -pattern "\'disabled\':\'disabled\'"
add rewrite policy ns_gtw_LogonAutoEnable_rw_pol "HTTP.REQ.URL.CONTAINS(\"gateway_login_form_view.js\")" ns_gtw_LogonAutoEnable_rw_act
bind vpn vserver portal_netscaler -policy ns_gtw_LogonAutoEnable_rw_pol -priority 120 -gotoPriorityExpression END -type RESPONSE

Hope this helps 🙂


Customizing Citrix NetScaler Gateway 10.5 logon page with Dual Factor Authentication

Following up on my instructions on how to customize the new version of Citrix StoreFront 2.6, below is how you can create your own Citrix NetScaler Gateway customization package and ensure your changes are not lost when the appliance is rebooted.

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.6
  • Citrix NetScaler 10.5: Build 53.9.nc
  • RSA for dual factor

Now, in my case, we are utilizing RADIUS for secondary authentication. After creating the AGEE site, make sure the site is set to “Green Bubble”: under “NetScaler Gateway”, “Global Settings”, “Change Global Settings”, head over to the “Client Experience” tab and select “Green Bubble” under “UI Theme”.

Once complete, your site will look something similar to the picture below.

01_green_bubble

01_logon_page

Now let's customize the following:

  • Logo
  • First Authentication box
  • Second Authentication box
  • Fix Compatibility issues with Internet Explorer 11

Solution: (Connect to your NetScaler via WinSCP)

1. Copy the vpn folder from /var/netscaler/gui/ to your local desktop

2.  Edit “login.js” under /var/netscaler/gui/vpn to fix the “Password 1” entry

Around line 93

Replace

if ( pwc == 2 ) { document.write('&nbsp;1'); }

With

if ( pwc == 2 ) { document.write('&nbsp;'); }

3. Upload your company logo under /var/netscaler/gui/vpn/media

4. Update “ctxs.authentication.css” under /var/netscaler/gui/vpn/css to point to your logo and to set the height and width of the area where the logo will be placed.

In my case, our company logo was bigger than the logo provided by Citrix. So I needed to modify the height and the width.

Around line 210

#logonbox-logoimage
{
background-image: url("../media/company_logo.png");
border: 0 none;
float: right;
height: 48px;
position: absolute;
right: 71%;
top: 80px;
width: 273px;
}

5. Update “en.xml” under /var/netscaler/gui/vpn/resources  to change “Password 2:” for the secondary authentication box

Around line 83:

Replace

<String id="Password2">Password 2:</String>

With

<String id="Password2">RSA Code:</String>

6. Fix the Internet Explorer 11 compatibility issue. The quick fix is to tell IE11 to use compatibility mode; however, you can also force the NetScaler page to emulate IE 9. You can read more about this at http://stackoverflow.com/questions/6771258/whats-the-difference-if-meta-http-equiv-x-ua-compatible-content-ie-edge-e

01_logon_page_ie11

Edit index.html under /var/netscaler/gui/vpn

Under line 4 place

<META http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />

01_logon_page_ie11_fix

7. Upload your modified files and logo

01_upload

8. Head over to your site and make any corrections. Once you are happy with the results, create your custom package.

Open PuTTY and log in as nsroot, then type the following (note the name of the compressed file; it needs to match “customtheme.tar.gz”):

  • shell
  • mkdir /var/ns_gui_custom
  • cd /netscaler
  • tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

9. Now apply the package to your AGEE sites

  • In the configuration utility, under the Configuration tab, expand “NetScaler Gateway” and then click “Global Settings“.
  • In the details pane, under Settings, click Change global settings.
  • In Global NetScaler Gateway Settings, click the Client Experience tab.
  • Next to UI theme, click Custom and then click OK.

01_custom_agee


10. Reboot the NetScaler and you will notice your changes are intact.

01_fina_agee


Customize AGEE logon page for NetScaler 10.1 via Rewrite policies

While migrating to Access Gateway on NetScaler 10.1, I noticed that the rewrite policies I implemented on 9.3 did not work.

While this can be done with some HTML customization and/or by creating your own NetScaler theme, I just wanted to change the logon page with NetScaler Rewrite Policies.

Below are the policies that will allow you to do this.

Environment

  • MPX 8200 NetScaler 10.1: Build 122.17.nc
  • Web Interface 5.3 (Can’t deploy StoreFront here due to custom code we use)

Issue:

When two factor authentication is configured on Access Gateway Enterprise Edition, the user is prompted for User name, Password 1, and Password 2

agee_no_active_pol

The issue seems to be due to a change in the ‘ns_showpwd’ function in login.js under /var/netscaler/gui/vpn/, as it has been updated since 9.3.

ns_showpwd function in login.js

Solution:

1. Create the following actions under “Rewrite/Actions” with PuTTY (no need to go into shell mode)

Rewrite Actions:

add rewrite action AD_agee_delete_rewrite_action delete_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" -pattern "document.write(\'&nbsp;1\');" -bypassSafetyCheck YES

add rewrite action AD_agee_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"AD Password\'\"" -pattern "\"Password\"" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password\"\)[ ]*!)/

add rewrite action RSA_agee_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"RSA Code:\'\"" -pattern "\"Password2\"" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password2\"\)[ ]*!)/

Rewrite Policies:

add rewrite policy AD_agee_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_agee_replace_rewrite_action

add rewrite policy RSA_agee_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" RSA_agee_replace_rewrite_action

add rewrite policy AD_agee_delete_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_agee_delete_rewrite_action

Bind the policies:

bind rewrite global AD_agee_rewrite_pol 100 NEXT -type RES_OVERRIDE

bind rewrite global RSA_agee_rewrite_pol 110 NEXT -type RES_OVERRIDE

bind rewrite global AD_agee_delete_pol 120 NEXT -type RES_OVERRIDE

Result:

Responder Policy AGEE 10.1

Licensing your NetScaler AGEE nCore

Environment

  • MPX 7500 NetScaler 9.3 52.3nc
  • AGEE

Goal:

Apply a new AGEE license on your NetScaler without the need to modify your NetScaler’s host name.

Configuration:

First, let's understand the AGEE licensing feature, and assume that you have downloaded the Access Gateway platform license from your MyCitrix.com portal.

AGEE can run in two modes: “Basic Mode” and “SmartAccess Mode”.

Basic Mode:

Several Access Gateway features, such as full VPN functionality, EPA, Clientless Access and SmartAccess, are unavailable. You can use this configuration if you only use a Citrix Web Interface once you authenticate to your AGEE portal; that is, your AGEE authentication and session policies must point to a Citrix Web Interface server, which pretty much makes AGEE act as your good old Citrix Secure Gateway.

If you go this route and don't need any of the advanced features, you will need to make sure your AG Platform license contains the entries below. You can read more about it in this article, which shows you how to configure an Access Gateway Enterprise Edition appliance with unlimited ICA connections:

INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \

INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

SmartAccess Mode:

This gives you features such as VPN functionality, EPA, Clientless Access, and SmartAccess control.

For example, in the environment I am working on now, I created two session policies, where I can filter specific AD groups and assign them to specific session policies.

Users in AD-GroupVPN, which contains SSL VPN users, see both the Network Access icon for SSL VPN sessions and the Citrix XenApp icon, which redirects them to a Citrix Web Interface. In addition, I set up another group, let's call it AD-GroupWI, which only redirects users to a Citrix Web Interface page once they authenticate.

vpn_users

Below is a screenshot of where the modes are configured under your AGEE virtual server.

License installation:

Let's license AGEE with a license file that contains a name other than the host name of the NetScaler.

The traditional setup looks like this: you set your host name and the license file to match.

  • Connect to the Access Gateway Enterprise Edition appliance by using the serial cable or a Secure Shell (SSH) utility.
  • Log in to the appliance by using the nsroot credentials.
  • Run the following commands to set the Fully Qualified Domain Name (FQDN) for the appliance:
  • set ns hostName access.example.com
  • save config
  • shell
  • echo hostname=\"access.example.com\" > /nsconfig/rc.conf
  • Restart the appliance.

Now let's assume your license file is similar to the one below, and the hostname of your NetScaler is NS.

License File:

SERVER this_host HOSTNAME=anotherhost
VENDOR CITRIX
USE_SERVER
INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \
INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

When you access the GUI or CLI (sh license), you will notice that the total number of Access Gateway Users Allowed has the default value of 5, meaning you can have no more than 5 SSL connections to your AGEE site; user number six will get an SSL Error 38 when launching applications.


Fix:

Edit the rc.conf file located under /nsconfig/nsconf:

  • shell
  • echo hostname=\"anotherhost\" > /nsconfig/rc.conf

This will overwrite the rc.conf file with the hostname embedded in your license file.
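To make the hostname requirement checkable before you reboot, here is an added Python example (not from the post and not a Citrix tool): it reads the SERVER line of the license file and the hostname line of rc.conf, reports whether they agree, and gives the concurrent-user count the appliance will actually apply, the licensed CAG_ICA_CCU value or the default of 5 described above. The license text and rc.conf content are constructed to mirror the post; the INCREMENT continuation lines are assumed, since the post truncates them.

```python
"""Predict whether the AGEE platform license will be honoured on this appliance.
Added example, not part of the original post. Inputs are constructed to mirror
the post's license file; the continuation lines after each backslash are assumed."""
import re

DEFAULT_CCU = 5   # what the appliance falls back to when the license is not applied (per the post)

LICENSE_FILE = """\
SERVER this_host HOSTNAME=anotherhost
VENDOR CITRIX
USE_SERVER
INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \\
        HOSTID=ANY
INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \\
        HOSTID=ANY
"""
RC_CONF_BEFORE = 'hostname="NS"\n'   # the NetScaler's own name, as in the post's scenario

def license_hostname(text):
    """Host name the license is bound to, from the SERVER line."""
    m = re.search(r'^SERVER\s+\S+\s+HOSTNAME=(\S+)', text, re.M)
    return m.group(1) if m else None

def rc_conf_hostname(text):
    """Host name the appliance will adopt at boot, from rc.conf."""
    m = re.search(r'^hostname="?([^"\n]+)"?', text, re.M)
    return m.group(1).strip() if m else None

def _joined_lines(text):
    """Fold backslash continuations so each INCREMENT is one logical line."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    if buf:
        out.append(buf)
    return out

def increment_count(text, feature):
    """Licensed count for a feature (sixth field of its INCREMENT line), or None."""
    for line in _joined_lines(text):
        f = line.split()
        if len(f) >= 6 and f[0] == "INCREMENT" and f[1] == feature:
            return int(f[5])
    return None

def effective_ccu(license_text, rc_conf_text):
    """Return (honoured, ccu, reason); names must match exactly (conservative assumption)."""
    lic, rc = license_hostname(license_text), rc_conf_hostname(rc_conf_text)
    if lic is None or rc is None:
        return False, DEFAULT_CCU, "could not read a hostname from the license or rc.conf"
    if lic != rc:
        return False, DEFAULT_CCU, f"license is for '{lic}' but rc.conf sets '{rc}'"
    return True, increment_count(license_text, "CAG_ICA_CCU") or DEFAULT_CCU, "hostnames match"

def fixed_rc_conf(license_text):
    """rc.conf content equivalent to the post's echo command: the license's hostname."""
    return f'hostname="{license_hostname(license_text)}"\n'

if __name__ == "__main__":
    print("before:", effective_ccu(LICENSE_FILE, RC_CONF_BEFORE))
    print("after: ", effective_ccu(LICENSE_FILE, fixed_rc_conf(LICENSE_FILE)))
```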

You can also do this with a program like FileZilla and edit the file directly over port 22

filezilla_edit

filezilla_edit2

Once you are done, reboot the appliance. If you are running nCore, you can do a warm reboot instead of a standard reboot.

This new option, “-warm,” has been introduced for the “reboot” command. This option can be used only on NetScaler nCore appliances. When the “-warm” option is specified, the NetScaler restarts NetScaler specific functionality without restarting the appliance, reducing the time required to implement changes that would otherwise require a complete reboot of the NetScaler appliance.

Redirecting AGEE URL – NetScaler 9.3 52.3nc

While working on a new AGEE site for a client (test2.mydomain.com), I was given the challenge of ensuring that only a specific subnet is redirected to the new site while still connecting to the original URL (test.mydomain.com), and that no one else is impacted by the redirect.

Luckily, this can be achieved by setting up Responder policies on the NetScaler.

Environment

  • MPX 7500 NetScaler 9.3 52.3nc
  • AGEE

Goal:

Redirect an AGEE site based on a specific client subnet:

1. All users that go to AGEE1 http://test.mydomain.com site simply get redirected to AGEE1 site with SSL https://test.mydomain.com

2. All users from the 10.10.20.0/24 subnet that go to AGEE1 site http://test.mydomain.com get redirected to AGEE2 site https://test2.mydomain.com

Configuration:

1. First, make sure the Responder feature is turned on by right-clicking “Responder” and selecting “Enable Responder feature”.

Once it is enabled, it will look like this:

responder_enable

2. Now let's create Actions. These tell the policies what to do.

Let's create a redirect action for ALL users to be redirected to the AGEE1 SSL site https://test.mydomain.com

01_all_users_action

Now let's create a redirect action for a specific subnet, redirecting to the AGEE2 SSL site https://test2.mydomain.com

02_subnet_users_action

Now that we have the actions defined, let's create the policies that will be assigned to your VIP.

3. Create Responder policies. The actions you created above will need to be bound to your Responder policies.

Create a policy to match the URL (in this case http://test.mydomain.com), then bind your previous action to redirect users to https://test.mydomain.com

Expression:

HTTP.REQ.IS_VALID

03_all_users_redirect_policy

Now create a policy that will match the URL test.mydomain.com and redirect users from 10.10.20.0/24 to test2.mydomain.com

Expression:

HTTP.REQ.HOSTNAME.EQ("test.mydomain.com") && CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)

04_all_users_redirect_policy

4. Now let's assign these Responder policies to your AGEE1 site http://test.mydomain.com

Notice in the screenshot below that I simply created a service named “Dummy” and gave it the NetScaler's localhost IP 127.0.0.1. This is only to make sure the TCP 80 VIP is able to come up on the AGEE IP (since AGEE ONLY runs on TCP 443). Note that Responder actions will not work on VIPs that are down.

05_responder_apply

Head over to the “Policies” tab, then click on “Responder” and assign the policies you previously created. A reminder that the lower the priority number, the higher the priority actually is. In the case below, “subnet_users_pol” wins.

06_responder_apply
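Because the catch-all policy matches every request, the priority order decides whether the subnet rule can ever fire. The following is an added Python example (not NetScaler code and not from the post) that models the two policies bound to the TCP 80 VIP, evaluates them in priority order with a redirect ending the chain, and flags a policy that is shadowed when the numbers are swapped; the priority numbers (90 and 100) and the client addresses are assumptions, since the post shows them only in screenshots.

```python
"""Simulate the post's two Responder policies and their priority order.
Added example; not NetScaler code and not from the post. Lower priority number
is evaluated first and a redirect action ends evaluation, so the subnet rule only
works when it sits ahead of the catch-all. Priority numbers and client addresses
below are constructed assumptions."""
import ipaddress

SUBNET = ipaddress.ip_network("10.10.20.0/24")      # from the post

def all_users_pol(host, client_ip):
    """HTTP.REQ.IS_VALID: any well-formed request matches."""
    return True

def subnet_users_pol(host, client_ip):
    """HTTP.REQ.HOSTNAME.EQ("test.mydomain.com") && CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)"""
    return host == "test.mydomain.com" and ipaddress.ip_address(client_ip) in SUBNET

# (priority, policy, redirect target); assumed numbers, subnet rule bound with the lower one
POLICIES = [
    (90, subnet_users_pol, "https://test2.mydomain.com"),
    (100, all_users_pol, "https://test.mydomain.com"),
]
# The same policies with the priorities swapped: the catch-all now always runs first
MISORDERED = [(100, pol, target) if prio == 90 else (90, pol, target)
              for prio, pol, target in POLICIES]

def evaluate(policies, host, client_ip):
    """Return the redirect Location the client receives, or None if nothing matches."""
    for _prio, rule, target in sorted(policies, key=lambda p: p[0]):
        if rule(host, client_ip):
            return target          # redirect action: the chain stops here
    return None

def unreachable_policies(policies, sample_requests):
    """Policies that never fire for any sample request, i.e. shadowed by an earlier rule."""
    fired = set()
    for host, ip in sample_requests:
        for _prio, rule, _target in sorted(policies, key=lambda p: p[0]):
            if rule(host, ip):
                fired.add(rule.__name__)
                break
    return [rule.__name__ for _, rule, _ in policies if rule.__name__ not in fired]

# Constructed sample requests: one client inside the subnet, one outside it
SAMPLES = [("test.mydomain.com", "10.10.20.15"), ("test.mydomain.com", "10.10.30.15")]

if __name__ == "__main__":
    for host, ip in SAMPLES:
        print(host, ip, "->", evaluate(POLICIES, host, ip))
    print("shadowed when misordered:", unreachable_policies(MISORDERED, SAMPLES))
```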

Hope this helps! 🙂


NetScaler AGEE 9.3 – Customize logon page via NetScaler rewrite policies

While working on a new project at a new company, we made the decision to utilize the Access Gateway on the NetScaler to host a new client's site as the XenApp entry point. Although the benefits that AGEE brings are clear, we can agree that it also brings a bit of complexity when customizing the logon page.

While this can be done with some HTML customization, Citrix does not provide support for a customized AGEE site, so I figured this time I would look into NetScaler rewrite policies to accomplish the same.

Environment

  • MPX 7500 NetScaler 9.3 52.3nc
  • Web Interface 5.3 (I know :P)

Issue:

When two factor authentication is configured on Access Gateway Enterprise Edition, the user is prompted for User name, Password 1, and Password 2.

agee_no_active_pol

Solution:

1. Create the following actions under “Rewrite/Actions”

add rewrite action AD_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"AD Password\'\"" -pattern "\"Password\"" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password\"\)[ ]*!)/

01_AD_replace_rewrite_action

add rewrite action RSA_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"RSA Password:\"" -pattern "\"Password2\"" -bypassSafetyCheck YES -refineSearch q/extend(20,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*\_\(\"Password2\"\)[ ]*\+[ ]*\'!)/

02_RSA_replace_rewrite_action

add rewrite action AD_delete_rewrite_action delete_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" -pattern "document.write(\'&nbsp;1\');" -bypassSafetyCheck YES

03_AD_delete_rewrite_action

2. Create the following policies under “Rewrite/Policies”

add rewrite policy AD_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_replace_rewrite_action

01_AD_rewrite_pol

add rewrite policy RSA_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" RSA_replace_rewrite_action

02_RSA_rewrite_pol

add rewrite policy AD_delete_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_delete_rewrite_action

03_AD_delete_pol

3. Enable/Bind the policies

bind rewrite global AD_rewrite_pol 80 NEXT -type RES_OVERRIDE

bind rewrite global RSA_rewrite_pol 90 NEXT -type RES_OVERRIDE

bind rewrite global AD_delete_pol 100 NEXT -type RES_OVERRIDE

enable_pol

Result?

agee_with_active_pol

For the logo, head over to this CTX article. Note that you can copy the customized version of the logon page to a new directory on the appliance; however, you will need to edit the rc.netscaler script to copy the required files to the /netscaler/ns_gui/vpn/ directory every time the appliance restarts, otherwise the changes are gone.

The rc.netscaler script would look something like this. A reminder, however, that Citrix does not support this with version 9.3, and with version 10 71.6014.e they added templates:

cp /flash/nsconfig/mod_cag/index.html /netscaler/ns_gui/vpn/index.html
cp /flash/nsconfig/mod_cag/login.js /netscaler/ns_gui/vpn/login.js
cp /flash/nsconfig/mod_cag/images/ctxHeader01.gif /netscaler/ns_gui/vpn/images/ctxHeader01.gif