cloud gateway v1.6


Upload: sivakumaroduru

Post on 25-Jun-2015


www.citrix.com

Citrix Systems, Inc. © 2012 Confidential Page i of 126

Proof of Concept Guide | Citrix CG Marketing

CloudGateway Enterprise PoC Best Practice Guide

Citrix CloudGateway & Receiver Group


Citrix CloudGateway Proof of Concept Guide

Contents

CloudGateway Enterprise PoC Best Practice Guide
Purpose and Scope
CloudGateway Components
  Recommended Product Versions
Integrating CloudGateway with XenDesktop/XenApp
  Leveraging Existing WI/PNA Infrastructure
  Deploying StoreFront
  Recommended Product Versions
3 Phases to a successful PoC
  Phase 1: Deploying AppController and Receiver
  Phase 2: Deploying Access Gateway
  Phase 3: Integrating with XD / XA
  Best practice Deployment flowchart
Phase 1: Deploying AppController and Receiver
  Downloading, Importing and Configuring Citrix AppController
  Basic Configuration of the Web Admin Console
  Adding Categories, Configuring Roles, and Assigning Applications
  Configuring Data
  Endpoint Configuration
Phase 2: Deploying Access Gateway
  Authentication Server Configuration
  Authentication Policy Configuration
  Virtual Server – Basic Configuration
  Virtual Server – Authentication Configuration
  Access Gateway Session and Access Policy & Profile Configuration
  AppController Configuration
  Endpoint Configuration
Phase 3: Integrating StoreFront
  AppController Configuration
  StoreFront Configuration
  AccessGateway Configuration
  Endpoint Configuration
Deploying through Web Interface
  Endpoint Configuration
Appendix
  PNA Session Policy and Profile:
  Clientless Access Policy and Profile:
  Receiver for Web Session Policy and Profile:
  Native Receiver Session Policy and Profile:
  ChromeOS Session Policy and Profile:
  Access Gateway Plugin Policy and Profile:


Purpose and Scope

The purpose of this document is to help Citrix sales, partners and customers recommend a staged approach to CloudGateway Proof of Concept deployments. It provides a high-level view of the product versions required and a detailed list of prerequisites to get the best user experience across different Receivers all while reducing the complexity of the deployment. Each PoC is unique and requires careful assessment of the current environment and in some cases hands-on consulting engagement. As such, this document should be used in conjunction with other admin and deployment guides. As a level set, it is important to recognize the features that CloudGateway offers, distinct from XenDesktop and XenApp. Generally, customers are interested in CloudGateway because they want to leverage Enterprise Mobility features, specifically, the product features listed below:

MDX App Vault - Mobile App Management

MDX Web Connect – Secure Browser for Intranet Resources

Secure Mobile Mail

Web & SaaS applications – Single Sign On and Provisioning

ShareFile – Corporate Directory Integration & Data Security

CloudGateway Components

CloudGateway is comprised of three key technology components:

1. Citrix Receivers are used to deliver CloudGateway enabled applications to the end users

2. AppController is the key infrastructure component in CloudGateway that integrates with Active Directory, ShareFile, Web/SaaS applications and native mobile apps to deliver enterprise mobility features

3. Access Gateway allows secure access to enterprise resources from outside of the corporate network and is an integral part of the CloudGateway solution suite

The following diagram illustrates CloudGateway deployment at a high level.

Figure 1 CloudGateway Deployment Diagram


In this deployment, users will need to download the latest Receiver on the device and create an account that points to AppController or Access Gateway to access CloudGateway delivered applications. See the CloudGateway Deployment guide for further instructions on setting up infrastructure components.

Recommended Product Versions

Infrastructure

AppController 2.0 or latest

Access Gateway 10.0.70 or latest

Receivers

Customers should use the latest versions of Citrix Receivers to get the best user experience. More specifically, the following Receiver versions are recommended for CloudGateway deployments.

iOS 5.6

Android 3.1

Windows 3.3

Mac 11.6

Integrating CloudGateway with XenDesktop/XenApp

CloudGateway can easily fit into an existing XenDesktop and XenApp deployment to deliver unified application experience for Windows applications, desktops, Web & SaaS applications and native mobile apps through Citrix Receivers. The following sections describe two separate approaches to accomplish this integration.

Leveraging Existing WI/PNA Infrastructure

A large majority of the existing XenDesktop/XenApp install base will have a Web Interface or PNA Site, optionally fronted by Access Gateway for the remote worker use case. In this scenario, adding AppController atop the current environment will allow customers to leverage CloudGateway features. Receivers can continue to talk to Web Interface or PNA Site (standalone or NetScaler) for Windows applications and can now integrate with AppController (optionally through Access Gateway) for Web, SaaS and Mobile apps.


The following diagram illustrates the recommended deployment architecture at a high-level:

Figure 2 CloudGateway with WI/PNA Infrastructure

The benefit with this approach is that it minimizes the number of moving parts and allows customers to easily augment their current environment with CloudGateway components. With this approach, users will need to configure Receiver to create separate connections - one to their existing WI/PNA site and another to AppController (or Access Gateway for remote use cases) for CloudGateway delivered apps.

Deploying StoreFront

In this deployment, StoreFront replaces or deploys in parallel with the WI/PNA Site for new Receivers. Legacy Receivers can continue to connect to the existing WI server. StoreFront is used to aggregate Windows applications & desktops through XenDesktop/XenApp and Web, SaaS, Mobile and ShareFile data through CloudGateway for new Receivers. StoreFront allows single sign-on capabilities across the delivery controllers (XenDesktop, XenApp Farms, CloudGateway) and provides a unified view of the applications to the end user. For large scale deployments it is recommended to phase out WI in stages.


The following diagram illustrates the recommended deployment model

Figure 3 CloudGateway with StoreFront

Recommended Product Versions

Infrastructure

AppController 2.0

StoreFront 1.2

Access Gateway 10.0.70

XenApp & XenDesktop – See StoreFront and CloudGateway Admin guide for recommended versions

Receivers

Customers should use the latest versions of Citrix Receivers to get the best user experience. More specifically, the following Receiver versions are recommended for CloudGateway deployments.

iOS 5.6

Android 3.1

Windows 3.3

Mac 11.6


Known StoreFront Limitations Relative to Web Interface

The limitations listed below apply to StoreFront and are relative to the alternative, which is to leverage Web Interface or PNA Site for Windows applications and desktops.

Multi-Site support: StoreFront doesn’t support redundancy across multiple sites and disaster recovery yet.

Advanced Authentication Methods: StoreFront currently supports AD & OTP authentication methods only. Advanced methods such as SmartCard, Proximity Cards, ADFS, SAML are not yet supported.

Advanced Features:
  o Desktop appliance site
  o Elective AD password change

In the next major release of StoreFront, we intend to bridge some of the critical feature gaps relative to StoreFront. Customers who deem these features as critical to their deployment can continue to use Web Interface for delivering Windows applications and desktops.

3 Phases to a successful PoC

Breaking down the PoC deployment into 3 phases will make the configuration process easy. Each phase presents its own unique set of challenges, so completing all 3 phases at the same time will cause the entire PoC to be delayed or fail. Each phase in this deployment guide builds upon the previous one so that issues are isolated to a single phase, creating a path of least resistance.

Phase 1: Deploying AppController and Receiver

Phase 1 deploys AppController and Receiver in a controlled environment that is only accessible on the internal network. Deployment on an internal network allows us to focus on the success of application delivery without the distraction of dealing with DMZ firewalls or XenApp or XenDesktop integration.

Phase 2: Deploying Access Gateway

Phase 2 adds Access Gateway to the successfully deployed AppController and Receiver. This allows access from the internet to all the applications already tested internally. Access Gateway deployments have their own set of challenges, which are different from those of deploying AppController. It is suggested that users approach this as a separate project altogether. Deploying Access Gateway in the DMZ will most likely involve other individuals and/or departments within an Enterprise.


Phase 3: Integrating with XD / XA

The last phase is to include already existing XenDesktop or XenApp into the deployment. There are two possible approaches:

First, the easier approach, is to configure the Receiver on the endpoint to connect to the existing Web Interface server. In this case the Receiver has two stores configured. The user is required to switch between stores depending on what application he or she would like to access.


The second approach requires the deployment of StoreFront. With StoreFront, all application delivery services are aggregated through a single StoreFront service. In this case users will have all their applications available through a single store; no switching is required.

Best practice Deployment flowchart


Phase 1: Deploying AppController and Receiver

Downloading, Importing and Configuring Citrix AppController

Before proceeding, the virtual image containing the package you need to install AppController must be downloaded.

To install AppController on the XenServer platform, the VM file with the .xva extension must be downloaded.

To install AppController on the VMware platform, the VM file with the .ova extension must be downloaded.

Download the AppController Virtual Image Here

Step Action

1. Log on to www.mycitrix.com using your MyCitrix ID. Click Downloads.

2. Select CloudGateway from the Select Product drop-down menu.

3. Select Product Software from the Select Download Type drop-down menu.

4. Click Find.

5. Click the + sign.

6. Click CloudGateway Enterprise.

7. Click the Download button that corresponds to the type of virtual appliance you need.

8. Click Yes, I accept.

9. Check the download agreement box and click Accept.

10. Click Download your file manually and save the file.

11. Open XenCenter. Right click the name of the XenServer and click Import.

12. Click Browse and select the .xva image file from Step 10. Click Next.

13. Select the Home Server you want to import the image on. Click Next.

14. Select a Storage repository. Click Import.

15. Click Add to add the Network Interface. Click Next.

16. Click Finish to import the VM.

17. Click the Logs tab to view the status of the import process. Once complete, click the Console tab.

18. The login prompt for AppController will show up once the import process is complete.

19. Log in to the AppController CLI.
Username: admin
Password: password

20. The Main Menu is displayed. Enter 0 to perform Express Setup.

21. Enter 1 to configure the IP Address, Subnet Mask. Configure AppController with the following:
IP Address: <AppController IP address>
Subnet Mask: 255.255.255.0

22. Enter 2 to configure the Default Gateway. Enter Default Gateway address.

23. Enter 5 to Commit Changes. Enter Y to restart AppController.


Basic Configuration of the Web Admin Console

Here, administrators will perform basic configurations with the Web Admin Console. The basic configurations include changing the administrator password, configuring the Active Directory settings, and configuring the DNS and NTP server information.

Step Action

1. Open a browser and navigate to https://<AppController IP Address>:4443 to access the Web Admin Console.
NOTE: You are taken to the /ControlPoint/index.html site. You can type the full path if you would like. However, the URL is not case sensitive.
Ignore the certificate warning and continue to the site.
Log on with
Username: Administrator
Password: password

NOTE: This is not the same password you changed from the XenServer console. The previous password was for account ‘admin’. This ‘Administrator’ account is used to configure the AppController via the web console. However, both administrator and admin accounts use the same password.

2. You will be presented with the following screen. First we are going to run through the Configure Network wizard. Click Configure to continue.

3. You will be prompted to change the Administrator password. Type
Current password: password
New password: <Type in a unique password>
Administrator email: <Type in an Administrator email in UPN format>
Click Next

4. Enter the following parameters for the System settings:
Hostname: <Type in your Hostname>
DNS suffixes: <Type in your DNS suffixes>
Primary IP Address: <Enter your DNS server’s IP address>

5. Enter the following parameters for the Active Directory configuration:
Server: <Enter the Active Directory IP address> (this is the IP address of your Domain Controller)
Domain name: <Type in a Domain name>
Service account: <Type in a Service account in UPN format>
Base DN: Point to the user DN
Password: <Type in the password created in step 3>

6. Enter the following parameters for the NTP Server Configuration:
NTP server: <Enter NTP server’s IP address> (general best practice is to use the DC as time server)
Time Zone: US/Eastern
Enter the following information for your Workflow Email Settings:
Email Server: <Enter your mail server’s IP address>
Port: 25
Email: <Type in an Email in UPN format> (the sending account for the workflow)

7. A summary of all your defined settings is displayed. Click Save

8. When the Configure dialog pop up is displayed, click Yes to continue

The AppController logs off when settings are saved and users are retrieved from Active Directory

9. Log back into the AppController Web Admin UI

10. Click on the sprocket symbol in the upper right

11. Select Certificates from the left menu

12. Create a PKCS#12 certificate on your certificate authority. Once created, select Server (.pfx) from the Import drop-down menu on the right and select the certificate

For more information on AppController certificates, please refer to the following link: http://support.citrix.com/proddocs/topic/appcontroller-20/clg-appc-config-certs-wrapper-c-con.html

13. Enter the certificate associated with the certificate when prompted

14. Select the newly imported certificate and click Make Active on the right side and confirm the Activation when prompted
NOTE: You will be logged out. Simply log back into the AppController ControlPoint UI to continue
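One way to prepare and check the server certificate bundle for steps 12 to 14, as an added example that is not part of the Citrix guide. It assumes the CA returned the certificate in PEM form and that you hold the matching private key; the file names, the host name appcontroller.example.test and the PFX_PASS variable are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example (not from the Citrix guide): build the PKCS#12 (.pfx) bundle
# for the "Server (.pfx)" import and verify it before and after activation.
set -eu

# SHA-256 fingerprint of a PEM certificate file ($1).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the private key ($1) belongs to the certificate ($2).
# Compares the public key derived from each; empty output counts as failure.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Bundle key ($1) and certificate ($2) into a PKCS#12 file ($3).
# The export passphrase is read from the PFX_PASS environment variable so
# that it never appears on the command line or in the process list.
make_pfx() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# Fingerprint of the leaf certificate stored inside a PKCS#12 file ($1).
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a TLS server presents (host $1, port $2).
# Needs network access to the console, so the self-check does not call it.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample input: a throwaway self-signed key/certificate pair
# written to $1.key and $1.crt. A real import uses the CA-issued certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=appcontroller.example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Offline self-check: bundle the constructed pair and confirm the .pfx
# contains exactly the certificate that was put in. Prints match/mismatch.
selfcheck() {
    dir=$(mktemp -d)
    PFX_PASS="constructed-passphrase"; export PFX_PASS
    make_test_cert "$dir/server"
    make_pfx "$dir/server.key" "$dir/server.crt" "$dir/server.pfx"
    if [ "$(pfx_fingerprint "$dir/server.pfx")" = \
         "$(cert_fingerprint "$dir/server.crt")" ]; then
        result=match
    else
        result=mismatch
    fi
    rm -rf "$dir"
    echo "$result"
}

selfcheck

# After "Make Active" in step 14, the console on port 4443 should present the
# imported certificate instead of triggering the warning seen in step 1:
#   [ "$(served_fingerprint appcontroller.example.test 4443)" = \
#     "$(cert_fingerprint server.crt)" ] && echo "console serves imported cert"
```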


Adding Categories, Configuring Roles, and Assigning Applications

Here, administrators will create categories, configure roles, and assign applications that are specific to those roles. Roles are a primary way for administrators to deploy, provision and control applications.

Step Action

1. Click on the Apps tab

2. Click on + next to the All categories drop-down
Enter the following parameters for Add Category:
Name: <Type in a unique category name>
Description: <Type in a unique description>
Repeat the above steps to create more categories as required

3. Click Roles in the top menu

4. At the bottom left hand corner of the screen, click Add role

5. In the Add Role dialog enter the following information
Role name: <Type in a unique role name>
Move the required group from Available groups to Role members. Then click Add
NOTE: In the current version of AppController, only a single group can be assigned to a role

6. Repeat steps 3 and 4 to create new roles and assign groups to them

7. Click Apps in the top menu

8. Click Web and SaaS App at the left hand panel

9. Search for an application from the available catalog
Click on Add to configure the connector

10. From the Category drop-down menu select a category
From the Assigned Role drop-down menu select one or more roles
Click Save

11. Repeat steps 9-10 to add more applications to the Store.

12. Click Mobile App at the top left hand panel

13. Click Browse… and select the wrapped .cma file
Click Next

14. Enter the following parameters for Mobile App Details:
Minimum OS version: <Type appropriate version>
Maximum OS version: <Type appropriate version>
Excluded devices: <Type list (comma separated) of devices to exclude>
Category: <Select a category>
Assigned role: <Assign one or more roles>
Click Next

15. Review and assign the appropriate policies you would like to apply to the application
Click Finish

16. Repeat steps 13 – 16 to add more applications to the Store

17. Click Add Web Link at the top left pane
Web links enable users to browse your enterprise’s internal websites from their mobile devices without needing full VPN connectivity

18. Enter the following details:
App Name: <Provide a unique name>
Description: <Enter a description for this web link>
URL: <Enter the URL used to reach this application internally>
Assign a Category and Role, and then click Save

Configuring Data

ShareFile enables users to securely share data with anyone, and sync files across all of their devices. Unlike consumer file sync and sharing tools, ShareFile enables IT to deliver an enterprise-class file sharing service that secures intellectual property while delivering the service users expect. CloudGateway delivers transparent single sign-on access to apps and the ability to view or edit, sync and share files as users roam between devices.

This document will help you understand how to configure Follow Me Data from the AppController ControlPoint portal, so that apps and data are seamlessly available everywhere, across every type of device including tablets, smartphones, PCs, Macs, and thin clients allowing you to access your data anywhere.

Before you begin this step-by-step process, you will need the following:

1. A ShareFile service account

2. A .pem certificate for SAML

If you already have a ShareFile account with your own subdomain, go to step 4.

Step Action

1. Open a browser and navigate to http://www.citrix.com/lang/English/lp/lp_2324434.asp

2. Click on Sign-up free and create a test account

3. Complete the required information

4. After the account is created, log in to the newly created account. Select the Admin link located at the top right side of the page

5. The Admin page comes up. Select Edit Subdomains

6. Configure a subdomain (your last name, for example) and click Save

7. Log out of ShareFile

8. Open a browser and navigate to https://<AppController FQDN>:4443

9. Log in with the administrator username and password

10. Select the sprocket symbol on the top right side of the screen

11. The System Configuration is shown. Click Certificates

12. Click New in the right pane and follow the wizard to create a new private key and CSR (Certificate Signing Request). Submit the CSR to your certificate authority and request a certificate in the PEM format.

13. Once you receive the certificate, click the Import drop-down menu and select the Saml (.pem) option
Browse and select the PEM certificate

14. You are prompted to input the certificate credentials. Enter and confirm the password and click Ok

15. Select the Docs tab

16. Click Edit

17. Enter the following settings:
Domain: <Subdomain configured when account was created>
Assigned Role: <Select a role>
Service Account: <username and password used to create your ShareFile account> (Format: e-mail address)
Click Save

18. Once complete, you should see SAML Configuration with your SAML certificate’s FQDN

19. Select the sprocket symbol on the top right hand side of the screen

20. Log out of the AppController

21. In Internet Explorer, navigate to http://www.sharefile.com

22. Log in with your account credentials

23. Select your Subdomain. If you have more than one subdomain, please select the one you configured with AppController

24. Click on Admin and then Configure Single Sign-on

25. Notice that the SAML configuration has automatically been configured

Endpoint Configuration

Here, administrators will learn how to configure Receiver for iOS on their iPad.

Step Action

1. Open Safari on an iPad that’s connected to the same network as the AppController and navigate to https://<AppController FQDN>

You are automatically redirected to the AppController Receiver for Web.

Enter an Active Directory account username and password and click Log On

2. Tap on the user’s name at the upper right corner and tap Activate…

3. Tap on Open in “Receiver” and when prompted log in with your Active Directory credentials

4. When prompted, enter your Active Directory username, password and domain

5. Click the large green plus sign on the left to slide out the blade. Go to the category containing your mobile applications and tap the + sign corresponding to one of them to install on your iPad. Once installed, launch the application.

NOTE: The app will be installed on your springboard as well

6. Tap on Log Off at the top left corner of the Store

7. If you log in as a user that belongs to a different role on AppController, the applications associated with that role will show up

Phase 2: Deploying Access Gateway

Complete the basic NetScaler configuration and then use the following Access Gateway configurations:

1. Create an Authentication Server and corresponding Authentication policy

2. Create and configure an Access Gateway virtual server

Authentication Server Configuration

The Authentication Server is where you configure Access Gateway to communicate with your authentication server. This is typically Active Directory, but since Access Gateway is not a trusted domain member, you must use LDAP as the communication protocol.

Step Action

1. To configure a new Authentication Server or modify an existing one:

Expand the Access Gateway node

Expand the Policies node

Click Authentication

Click LDAP

In the right pane click Servers

Click Add to create a new Authentication Server

Select LDAP as the authentication type

Give the Authentication Server a unique name

Fill in the LDAP bind information highlighted above

NOTE: The Administrator account specified in the “Administrator Bind DN” field does not need to be a domain or forest administrator. It needs to be a user account with directory read privileges. It’s advisable to use a service account with a non-expiring password.

Click Retrieve Attributes to test connection settings.

Authentication Policy Configuration

After creating an Authentication Server, you must configure an Authentication Policy that determines when that authentication server will be used for authentication requests.

Step Action

1. To create a new Authentication Policy or modify an existing one:

Expand the Access Gateway node

Expand the Policies node

Click Authentication

Click the Policies tab

Click Add to create a new Authentication Policy

Type the following in the Create Authentication Policy window:

Name: <Give the Authentication Server a unique name>

Authentication type: LDAP

Server: <Select the Authentication Server created in “Authentication Server Configuration”>

Client is from different geographical reg…drop-down menu: True Value

Click Add Expression

Click Create

Virtual Server – Basic Configuration

The Access Gateway Virtual Server is the primary configuration point for remote access. It is where you configure IP Address, Certificate, and Authentication and where you bind access policies.

Step Action

1. To configure a new Virtual Server or modify an existing one:

Expand the Access Gateway node

Click Virtual Servers

Click Add

2. Type the following for each category:

Give the Virtual Server a unique name

IP address: use an IP address that is externally accessible or is mapped to an externally accessible IP address

Protocol: <Leave as is>

Port: <Leave as is>

Select the radio button for SmartAccess Mode

Available certificates: Select the appropriate server certificate

Click Add >

Virtual Server – Authentication Configuration

The authentication server created is bound to the newly created virtual server by way of the authentication policy.

Step Action

1. To associate an Authentication Server with an Access Gateway virtual server:

Expand the Access Gateway node

Click Virtual Servers

Click the Virtual Server created in the previous section

Click Open

Click the Authentication tab

Check Enable Authentication

Click Primary

Click Insert Policy

Authentication Policy: <Select the Authentication Policy created in Authentication Policy Configuration>

Priority: <Leave as is>

Click OK

Access Gateway Session and Access Policy & Profile Configuration

The steps below create and bind the required session and access policies to the Access Gateway virtual server. These policies enable the various Citrix Receivers to connect to CloudGateway.

1. Navigate to Access Gateway->Policies->Clientless Access

2. In the right panel on the lower left click Add

3. In the Create Clientless Access Policy window click New

4. In the Create Clientless Access Profile configure the following settings:

Name: <Provide a unique name> Example: SF_cvpn

URL Rewrite: ns_cvpn_default_inet_url_label

Click the Client Cookies tab

5. Click New

6. Enter the following:

Name: <Enter a unique name with no white spaces> Example: StoreFront_cookies

(Enter the Pattern and Index, and then click Add one at a time for the following):

Pattern=CsrfToken, Index=1

Pattern=ASP.NET_SessionId, Index=2

Pattern=CtxsPluginAssistantState, Index=3

Pattern=CtxsAuthId, Index=4

Click Create twice to create the pattern set

7. Back in the Configure Clientless Access Policy window configure

Name: <Enter a unique name with no white spaces> Example: SF_cvpn_pol

Expression: true (Simply type within the Expression window)

Click Create to create the policy

Click Close

8. Go to Access Gateway->Policies->Session

In the right panel click Add

9. Click New in the Create Access Gateway Session Policy window

10. Select the Client Experience tab and configure the following settings:

Name: <Enter a unique name> Example: prof_cvpn

Home Page: <Enter the AppController Receiver for Web URL> Example: https://ac.training.lab/Citrix/StoreWeb

Clientless Access: On (Default is Allow, change to On)

Clientless Access URL Encoding: Clear

Check the Single Sign-on to Web Applications check-box

11. Select the Security tab and ensure the Default Authorization Action is set to Allow

12. Click the Published Applications tab and configure the following profile options:

Ensure that ICAProxy is set to OFF

Web Interface Address: <Enter the AppController Receiver for Web URL> Example: https://ac.training.lab/Citrix/StoreWeb

Single Sign-on Domain: <Enter the Active Directory domain name>

Click Create

13. Configure the following settings in the Create Access Gateway Session Policy window:

Name: <Enter a unique name> Example: pol_cvpn

Request Profile: <Select the profile created in the previous step> Example: prof_cvpn

Click Add under the Expression box

14. Configure the following settings:

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: EXISTS

Header Name: Referer

Click OK

15. Click Create and then click Close

16. Make sure you are still at the following location: Access Gateway->Policies->Session

Click Add in the right panel

17. Click New in the Create Access Gateway Session Policy window

18. Select the Client Experience tab and configure the following settings:

Name: <Enter a unique name> Example: prof_native

Clientless Access: On (Default is Allow, change to On)

Clientless Access URL Encoding: Clear

Check the Single Sign-on to Web Applications check-box

19. Select the Security tab and ensure the Default Authorization Action is set to Allow and the Secure Browse check-box is checked

20. Click the Published Applications tab and configure the following profile options:

Single Sign-on Domain: training

Ensure that ICAProxy is set to OFF

Click Create

21. Configure the following settings in the Create Access Gateway Session Policy window:

Name: <Enter a unique name> Example: pol_native

Request Profile: <Select the profile created in the previous step> Example: prof_native

Click Add under the Expression box

22. Configure the following settings:

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: CONTAINS

Value: CitrixReceiver

Header Name: User-Agent

Click OK and then click Add under the Expression box once again

23. Configure the following settings:

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: EXISTS

Header Name: X-Citrix-Gateway

Click OK

24. Set the drop-down to Match All Expressions. Click Create and then click Close

25. Go to Access Gateway->Virtual Servers and double-click the Access Gateway vserver

26. Click the Policies tab and then do the following to bind the policies to the vserver: Click Insert Policy and select the first of the two session policies created in the previous section from the Policy Name drop-down menu. Repeat this step to add the second policy as well.

27. Select Clientless under the Policies tab and click Insert Policy. Choose the Access Policy created in this document to bind the policy to the vserver. Click Ok and close the vserver configuration window

28. Close the vserver configuration window and go to Access Gateway->Global Settings

Click Configure Domains for Clientless Access

29. The Configure Domains for Clientless Access window is shown

Select the radio button for Allow domains. Add the StoreFront server FQDN and the AppController FQDN to this list. Example: receiverstorefront.training.lab and ac.training.lab

Click OK and close the configuration window

30. Log out of the NetScaler Configuration Utility. Click OK to save the configuration

AppController Configuration

This step-by-step guide will demonstrate how to configure AppController with Access Gateway.

Step Action

1. Access the ControlPoint portal using the URL: https://<AppController FQDN>:4443

Log in to the ControlPoint portal as administrator

2. Click system settings

3. Click Trust Settings

Click Edit

4. Select Netscaler Access Gateway

In the Trust Settings window, enter the following:

Display Name: <Enter a unique “Display name”>

Callback URL: <Enter the Access gateway URL>

External URL: <Enter the externally accessible, fully qualified, URL of your Access Gateway>

Select authentication type from the Log on type drop-down menu

Click Save

Endpoint Configuration

So far, we have configured Receiver to communicate with AppController directly. At this point, remove the previously configured store from your Receiver for iOS. This step-by-step guide will demonstrate how to configure Receiver for iOS on an iPad to connect through Access Gateway.

Step Action

1. Open Safari on the iPad and navigate to https://<Access Gateway URL>

Log in using a set of Active Directory credentials

2. Tap on the account name at the upper right corner and tap Activate…

3. Tap on Open in “Receiver”

4. Log in to Receiver using your Active Directory credentials

5. Go to the category that contains your mobile applications and tap the + sign corresponding to one of the mobile applications to install on your iPad

NOTE: The app will be installed on your springboard as well.

6. Click on one of your published web links to test the web connect microvpn as well

Tap Log Off at the top right corner of the Store when complete

Phase 3: Integrating StoreFront

AppController Configuration

This step-by-step guide assumes that the basic AppController configuration has been completed. The guide below will demonstrate how to configure AppController so that users can deploy CloudGateway through StoreFront.

Step Action

1. Access the AppController ControlPoint portal using the following URL: https://<AppController’s FQDN>:4443

Login with the following credentials:

User name: Administrator

Password: <Enter the password>

2. Click the sprocket symbol

3. Click Trust settings under System Configuration

Click Edit

4. Select StoreFront

5. Enter the StoreFront’s FQDN prefixed with https in the web address field provided. Click Save

StoreFront Configuration

This step-by-step guide will demonstrate how to configure StoreFront and integrate it with Access Gateway.

Step Action

1. Connect to your StoreFront server.

2. Log on to StoreFront using your local administrator credentials.

3. Copy the StoreFront installer to your StoreFront server. Double click the CitrixStoreFront-x64 installer.

4. Check the I accept the terms of this license agreement check-box and click Next

5. Click Install

6. Once the installation completes, click Finish

7. In the Citrix StoreFront snap-in console click Deploy Single Server

8. Open IIS manager

Expand the server node

Expand Sites

Expand Default Web Site

Click Bindings in the right pane

Click Add in the Site Bindings window

9. Select https from the Type drop-down in the Add Site Binding window. Click the associated certificate from the SSL certificate drop-down and click OK

10. Since the certificate has already been applied to your StoreFront server, the Server address field will auto populate with the correct URL. Example: https://receiverstorefront.training.lab

Click Create

11. Type the Store name of your choice and click Next

12. Click Add in the Create Store window

13. Configure the following settings in the Add Delivery Controller window:

Display Name: <Name of your choice>

Type: CloudGateway Enterprise

Server: <AppController FQDN>

Port: 443

Click OK

14. If you would like to add additional delivery controllers such as XenDesktop and XenApp, click Add in the Create Store window

15. Configure the following settings in the Add Delivery Controller window:

Display Name: <Display name of your choice>

Type: XenApp

Click Add from just below the Servers section

16. Type the XenApp server FQDN in the Server name field and click OK

17. Assign the appropriate transport type (HTTP/HTTPS) and the port number will automatically change. Repeat steps 14-16 to add additional delivery controllers. Click OK

18. Click Next

19. Select the Full VPN tunnel radio button from the Remote access section and then click Add

20. Configure the following details in the Add Gateway Server window:

Display name: <Enter a unique display name>

Gateway URL: <Enter the externally accessible, fully qualified, URL of your Access Gateway>

Deployment mode: Appliance

Check the Set server as Access Gateway Enterprise Edition check-box

Subnet IP address: <Enter the NetScaler subnet IP address>

Logon type: Domain only

Click Next

21. In the Callback URL field type

URL: <Enter the externally accessible, fully qualified, URL of your Access Gateway>

Click Next

22. Click Add

23. Type the STA server URL in the STA URL field and click OK

24. Repeat steps 22-23 to add more STA servers if required.

Click Create

25. Click Create

26. Click Finish

AccessGateway Configuration

Now that we have integrated StoreFront in the CloudGateway environment, this guide provides the steps to change the session policies to point to StoreFront instead of AppController.

Step Action

1. Log in to NetScaler and navigate to Access Gateway->Policies->Session

Click the Profiles tab in the right pane, highlight the Receiver for Web profile created previously and then click Open

2. Select the Client Experience tab and configure the following settings:

Name: prof_cvpn

Home Page: <Change the home address from the AppController Receiver for Web URL to the StoreFront Receiver for Web URL> Example: https://receiverstorefront.training.lab/Citrix/StoreWeb

3. Click the Published Applications tab and configure the following profile options:

Uncheck the Override Global check-box for Web Interface Address

Click OK

Endpoint Configuration

This step-by-step guide will demonstrate how to configure Receiver for iOS on an iPad.

Step Action

1. Open Safari on the iPad and navigate to https://<Access Gateway URL>

Log in using your Access Gateway credentials

2. Tap on username at the upper right corner and tap Activate…

3. Tap on Open in “Receiver”

4. Log in to Receiver using your Active Directory credentials

5. You can now see the apps delivered from all your delivery controllers in a single Store.

6. Tap on one of the categories containing the applications delivered from XenApp. Click the + sign corresponding to the application to add it to your home screen and launch it

7. Go to the category containing your mobile applications and tap on the + sign corresponding to one of the apps

NOTE: The app will be installed on your springboard as well

8. Click on one of your published web links to test the web connect microvpn as well. Tap Log Off at the top left corner of the Store when done.

Deploying through Web Interface

This section assumes that you already have configured Access Gateway to communicate with Web Interface in order to deliver XenDesktop/XenApp applications to Receiver. This guide walks you through the process to connect Receiver to a PNAgent/Legacy site.

Endpoint Configuration

Step Action

1. Open Receiver on your iPad and click Add Account

2. When prompted, enter the Access Gateway URL in the format below and click Next

https://<Access Gateway URL>

3. Once Receiver verifies the Access Gateway URL, you’re prompted for details

Description: <Enter an appropriate description>

Enter your Active Directory Username, Password and Domain

Click Save

4. The apps and desktops from your PNAgent/Legacy appear

Appendix

The steps below provide the procedure used to create session and access policies for the Access Gateway virtual server. These policies enable the various Citrix Receivers to connect to CloudGateway.

PNA Session Policy and Profile:

The session policy and profile described below is applicable to CloudGateway Express and is related to configuring remote access to PNA/legacy sites only. This policy does not have to be configured when setting up CloudGateway Enterprise.

1. Navigate to: Access Gateway->Policies->Session

Click Add in the right pane

2. Click New in the Create Access Gateway Session Policy window

3. Select the Client Experience tab and configure the following settings:

Name: <Provide a unique name> Example: prof_PNA

4. Select the Security tab and ensure the Default Authorization Action is set to Allow

5. Click the Published Applications tab and configure the following profile options:

ICA Proxy: ON

Web Interface Address: <Provide the PNA site address> Example: https://store.training.lab/Citrix/Store/PNAgent/config.xml

Click Create

6. Configure the following settings in the Create Access Gateway Session Policy window:

Name: <Provide a unique name> Example: pol_PNA

Request Profile: <Select the profile created above> In this example: prof_PNA

Click Add under the Expression box

7. Configure the following settings:

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: CONTAINS

Value: CitrixReceiver

Header Name: User-Agent

Click OK and then click Add under the Expression box once again

8. Configure the following settings:

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: NOTEXISTS

Header Name: X-Citrix-Gateway

Click OK

9. Set the drop-down to Match All Expressions. Click Create and then click Close

Clientless Access Policy and Profile:

The access policy and profile described below is applicable to CloudGateway Enterprise and is related to configuring remote access to CloudGateway stores only. This policy is used in conjunction with the Receiver for Web, Native Receiver, ChromeOS and Access Gateway Plugin policies and profiles described later in this appendix.

Step Action

1. Navigate to Access Gateway->Policies->Clientless Access

Click Add in the right pane

2. The Create Clientless Access Policy window is shown. Click New, next to the Profile drop-down menu

3. The Create Clientless Access Profile opens. Configure the following settings:

Name: <Provide a unique name> Example: SF_cvpn

URL Rewrite: ns_cvpn_default_inet_url_label

Click the Client Cookies tab

4. Click New

5. Name the Pattern Set something unique (Example: StoreFront_cookies) and configure the following cookies

(Enter the Pattern and Index, and then click Add one at a time for the following):

Pattern=CsrfToken, Index=1

Pattern=ASP.NET_SessionId, Index=2

Pattern=CtxsPluginAssistantState, Index=3

Pattern=CtxsAuthId, Index=4

Click Create to create the pattern set

6. Configure the following settings in the Configure Clientless Access Policy window:

Name: <Provide a unique name> Example: SF_cvpn_pol

Expression: true

Click Create to create the policy

Receiver for Web Session Policy and Profile:

The access policy and profile described below is applicable to CloudGateway Enterprise and is related to configuring remote access to CloudGateway stores via web browsers. This policy is used in conjunction with the Clientless Access policy and profile described in this appendix.

1. Navigate to Access Gateway->Policies->Session

Click Add in the right pane

2. Click New in the Create Access Gateway Session Policy window

3. Select the Client Experience tab and configure the following settings:

Name: <Provide a unique name> Example: prof_cvpn

Home Page: <Provide the Receiver for Web Address> Example: https://receiverstorefront.training.lab/Citrix/StoreWeb

Clientless Access: On

Clientless Access URL Encoding: Clear

Check the Single Sign-on to Web Applications check-box

4. Select the Security tab and ensure the Default Authorization Action is set to Allow

5. Click the Published Applications tab and configure the following profile options:

Single Sign-on Domain: <Provide your Active Directory domain name> Example: training

Ensure that ICAProxy is set to OFF

Click Create

6. Configure the following settings in the Create Access Gateway Session Policy window:

Name: <Provide a unique name> Example: pol_cvpn

Request Profile: <Select the profile created above> In this example: prof_cvpn

Click Add under the Expression box

7. Configure the following settings:

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: NOTCONTAINS

Value: CitrixReceiver

Header Name: User-Agent

Click OK and then click Add under the Expression box once again

8. Configure the following settings:

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: EXISTS

Header Name: Referer

Click OK

9. Click Create and then click Close

Native Receiver Session Policy and Profile:

The access policy and profile described below is applicable to CloudGateway Enterprise and is related to configuring remote access to CloudGateway stores via native Receivers installed on desktops and mobile devices. This policy is used in conjunction with the Clientless Access policy and profile described in this appendix.

1. Navigate to: Access Gateway->Policies->Session

Click Add in the right pane

2. Click New in the Create Access Gateway Session Policy window

3. Select the Client Experience tab and configure the following settings:

Name: <Provide a unique name> Example: prof_native

Clientless Access: On

Clientless Access URL Encoding: Clear

Check the Single Sign-on to Web Applications check-box

4. Select the Security tab and ensure the Default Authorization Action is set to Allow and the Secure Browse check-box is checked

5. Click the Published Applications tab and configure the following profile options:

Ensure that ICAProxy is set to OFF

Single Sign-on Domain: <Provide your Active Directory domain name> Example: training

Click Create

6. Configure the following settings in the Create Access Gateway Session Policy window:

Name: <Provide a unique name> Example: pol_native

Request Profile: <Select the profile created above> In this example: prof_native

Click Add under the Expression box

7. Configure the following settings: Flow Type: REQ Protocol: HTTP Qualifier: HEADER Operator: CONTAINS Value: CitrixReceiver Header Name: User-Agent Click OK and then click Add under the Expression box, once again

8. Configure the following settings:
   Flow Type: REQ
   Protocol: HTTP
   Qualifier: HEADER
   Operator: EXISTS
   Header Name: X-Citrix-Gateway
   Click OK

9. Set the drop-down to Match All Expressions, click Create and then click Close

ChromeOS Session Policy and Profile:

The access policy and profile described below apply to CloudGateway Enterprise and configure remote access to CloudGateway stores via devices that run the Chrome Operating System. This policy is used in conjunction with the Clientless Access policy and profile described in this appendix.

1. Go to Access Gateway->Policies->Session and click Add in the right pane

2. Click New in the Create Access Gateway Session Policy window

3. Select the Client Experience tab and configure the following settings:
   Name: <Provide a unique name> (Example: prof_ChromeOS)
   Home Page: <Provide the Receiver for Web Address> (Example: https://receiverstorefront.training.lab/Citrix/StoreWeb)
   Clientless Access: On
   Clientless Access URL Encoding: Clear
   Check the Single Sign-on to Web Applications check-box

4. Select the Security tab and ensure the Default Authorization Action is set to Allow

5. Click the Published Applications tab and configure the following profile options:
   Ensure that ICAProxy is set to OFF
   Click Create

6. Configure the following settings in the Create Access Gateway Session Policy window:
   Name: <Provide a unique name> (Example: pol_ChromeOS)
   Request Profile: <Select the profile created above> (In this example: prof_ChromeOS)
   Click Add under the Expression box

7. Configure the following settings:
   Flow Type: REQ
   Protocol: HTTP
   Qualifier: HEADER
   Operator: CONTAINS
   Value: crOS
   Header Name: User-Agent
   Click OK and then click Add under the Expression box once again

8. Click Create and then click Close

Access Gateway Plugin Policy and Profile:

The access policy and profile described below apply to CloudGateway Enterprise and configure remote access to CloudGateway stores via desktop Receivers that run the Access Gateway plugin. With this session policy and profile, desktop Receivers are prompted to establish a full VPN connection when trying to access enterprise intranet applications published as Web Links on CloudGateway.

1. Navigate to Access Gateway->Policies->Session and click Add in the right pane

2. Click New in the Create Access Gateway Session Policy window

3. Select the Client Experience tab and configure the following settings:
   Name: <Provide a unique name> (Example: prof_AGPlugin)
   Split Tunnel: On

4. Select the Security tab and ensure the Default Authorization Action is set to Allow

5. Click the Published Applications tab and configure the following profile options:
   Ensure that ICAProxy is set to OFF
   Web Interface Address: <Provide the Receiver for Web Address> (Example: https://receiverstorefront.training.lab/Citrix/StoreWeb)
   Click Create

6. Configure the following settings in the Create Access Gateway Session Policy window:
   Name: <Provide a unique name> (Example: pol_AGPlugin)
   Request Profile: <Select the profile created above> (In this example: prof_AGPlugin)
   Click Add under the Expression box

7. Configure the following settings:
   Flow Type: REQ
   Protocol: HTTP
   Qualifier: HEADER
   Operator: NOTEXISTS
   Header Name: Referer
   Click OK and then click Add under the Expression box once again

8. Configure the following settings:
   Flow Type: REQ
   Protocol: HTTP
   Qualifier: HEADER
   Operator: NOTCONTAINS
   Value: CitrixReceiver
   Header Name: User-Agent
   Click OK

9. Click Create and then click Close
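
The request expressions configured in the three procedures above decide which profile a connection receives, and all of them test headers supplied by the client. The following Python model is an added example, not part of the Citrix guide or of any gateway code; it evaluates the three expressions against constructed requests to show where they overlap, assuming case-insensitive matching and that every policy combines its expressions with AND.

```python
# Added example: a model of the three session-policy expressions, not gateway code.
# Assumptions: header names and CONTAINS are matched case-insensitively, and every
# policy ANDs its expressions (the guide states Match All only for pol_native).

def header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def contains(headers, name, needle):
    value = header(headers, name)
    return value is not None and needle.lower() in value.lower()

def exists(headers, name):
    return header(headers, name) is not None

# Policy name -> expressions, using the values from the steps above.
POLICIES = {
    "pol_native": [lambda h: contains(h, "User-Agent", "CitrixReceiver"),
                   lambda h: exists(h, "X-Citrix-Gateway")],
    "pol_ChromeOS": [lambda h: contains(h, "User-Agent", "crOS")],
    "pol_AGPlugin": [lambda h: not exists(h, "Referer"),
                     lambda h: not contains(h, "User-Agent", "CitrixReceiver")],
}

def matching_policies(headers):
    """Names of every policy whose expressions are all true for this request."""
    return [name for name, rules in POLICIES.items()
            if all(rule(headers) for rule in rules)]

# Constructed requests: header values are illustrative, not captured traffic.
REFERER = "https://gw.example.test/"
SAMPLES = {
    "native Receiver": {"User-Agent": "CitrixReceiver/1.0", "X-Citrix-Gateway": "gw.example.test"},
    "Receiver UA, no gateway header": {"User-Agent": "CitrixReceiver/1.0"},
    "ChromeOS, no Referer": {"User-Agent": "Mozilla/5.0 (X11; CrOS x86_64)"},
    "ChromeOS, with Referer": {"User-Agent": "Mozilla/5.0 (X11; CrOS x86_64)", "Referer": REFERER},
    "desktop, no Referer": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
    "desktop, with Referer": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)", "Referer": REFERER},
}

def overlaps():
    """Sample labels for which more than one policy's expressions are true."""
    return sorted(k for k, h in SAMPLES.items() if len(matching_policies(h)) > 1)

if __name__ == "__main__":
    for label, h in SAMPLES.items():
        print(f"{label:32} -> {matching_policies(h) or ['no match among the three']}")
```

In this model a ChromeOS request without a Referer satisfies both pol_ChromeOS and pol_AGPlugin, so the bind priority of the policies determines which profile applies. Because the matched headers come from the client, the selected profile is a routing choice; authentication and authorization policies remain the access control.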

Notice

The information in this publication is subject to change without notice.

THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix.

The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.

Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

Copyright © 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.