Netscaler

Finetuning a Citrix StoreFront deployment

/ Bram Wolfs / 10 Comments

Finetuning a Citrix StoreFront deploymentFinetune

In this short blogpost I gathered some fine tuning tips I came across with when migrating a Webinterface deployment to Storefront with Netscaler Gateway. The deployment had the following main goals :

  1. Access from Receiver for Web and all the Native Receiver versions (Windows, IOS, Android, etc)
  2. Security on the client side is important, access takes place from unmanaged and public devices
  3. Performance needs to be comparable with the Webinterface deployment
  4. Customized branding for each Netscaler VIP

In this blogpost I will cover the following :

  • Prevent users from saving passwords
  • Shorten the login token lifetime
  • Increase performance (page load times, etc)
  • Modified homepage for different VIPs on the Netscaler
  • Workspace Control in combination with XenApp published desktops

Prevent users from saving passwords
Saved passwords may give users easy access to the environment, but it decreases the security of the environment, especially on unmanaged and public devices where it’s unknown how the devices are used and by who. To turn password saving off :

For Receiver for Web :
This is done automatically by the login page from Netscaler by telling the browser not to use the autocomplete feature. Most browsers respect this setting but IE 11 ignores it, you can read more about this here. It is recommended to always use 2-Factor authentication for external access when possible. To expensive? Take a look at SMS2, it’s free and the RADIUS extension works pretty neat in combination with Netscaler Gateway.

For Native Receivers :
Open the Authenticate.aspx file (default location : C:\inetpub\wwwroot\Citrix\Authentication\Views\ExplicitForms) and comment the SaveCredentialsRequirement statement like this :

SaveCredentialsRequirementThis will prevent the save password option from showing in the Native Receivers.

Shorten the login token lifetime
When a user logs on through the Native Receiver, the credential wallet service of Storefront will keep your token alive for 20 hours by default. When a user closes his application or desktop but doesn’t logoff the Receiver, it’s possible that someone else can click on the icon to log back on within this time period. This is not really secure when users are sharing devices or leave them unattendant. Receiver for Web is somewhat resticter, by default the page will timeout after 20 minutes idle time.
If you only publish a desktop and your users doesn’t need to click on published application icons the whole day, you can make the life time as short as possible without affecting the user experience. In the following example I will change the token life time to 5 minutes for both Native Receiver and Receiver for Web.

For Receiver for Web :
Open the web.config file in the Receiver for Web site folder (default location : C:\inetpub\wwwroot\Citrix\yourwebstore) and search for the session state timeout.
The value is in minutes :

Receiverforweb_Timeout

For Native Receivers :
Open the web.config file in the authentication folder (default location : C:\inetpub\wwwroot\Citrix\Authentication) and search the maxLifetime values till you found the correct one, see this example :

NativeReceiver_tokenlifetime

After making this changes, users have to authenticate again after 5 minutes idle time.

Increase performance (page load times, etc) 
After some tweaking the Storefront performance is good and acceptable, but it will not be as quick as Webinterface. I also think this isn’t possible because of the design differences. I changed 2 things to speed up Storefront : Enable socketpooling and disable signature verification (the latter will lower the security a bit).
On Marius Sandbu’s and Richard Egenas blog you can read more Storefront performance tips.

Modified homepage for different VIPs on the Netscaler
This deployment needed a customized branding for each Netscaler VIP, I will not go into detail how to configure this because there is already a very detailed article from Citrix here. It comes down to redirecting users based on the entered FQDN with Responder policies, while this works great the article doesn’t mention that it will break the access from the Native Receivers to the VIP where the responder policy is active. To prevent this change the responder policy expression to include :

Responder_Policy

When you create this exclusion, the Responder policy will not kick in when the User-Agent contains CitrixReceiver, allowing the Native Receivers to successfully connect.

Workspace Control for XenApp published desktops
When you publish a desktop through XenApp you will notice that Workspace Control isn’t working like expected in Storefront. This is because the desktop is shown on the Desktop tab and Workspace Control isn’t enabled there. Instead autolaunch is enabled which is also killing for single session control. If you want to use Workspace Control you need to treat the desktop as application by using the TreatAsApp keyword. You can read more about Workspace Control in combination with Storefront in great detail in a previous blog post : Deeper look into Workspace Control and it’s challenges.

Conclusion
I must say I like Storefront, it’s stable (talking about the latest versions of course), looks good and gives users an unified login experience, but I have some wishes left so in case someone from Citrix read this, here are my feature requests for Storefront :

  • More options in the GUI, manual editing the web.config files feels a little silly and can be error prone. If the goal is to keep the console simple, then I would suggest an option to switch to advanced view
  • More informative messages for the users, for example Webinterface shows when a Desktop is (re)starting and cleaner messages when applications are disabled etc
  • Redirect users to a specific Store (when using Native Receiver), now the user gets a popup to select a store but it will be nice to control this in a session policy or directly in Storefront

Please note that the information in this blog is provided as is without warranty of any kind.

IE11 ignores Autocomplete=Off setting used by Netscaler Gateway and put users at risk

/ Bram Wolfs / 8 Comments

IE-Red-smallSince Microsoft is pushing Internet Explorer 11 through Windows Update as an important update for Windows 7, a lot of users are starting to use it as their default browser. Also users on Windows 8.1 are already using Internet Explorer 11 by default.

Internet Explorer 11 brought some issues for customers using Netscaler Gateway, for example the login fields in combination with the Green Bubble theme weren’t displayed correctly and this prevented users from logging in correctly. Citrix released new maintenance releases for Netscaler Gateway which will fix this layout issues.

But there is more : Microsoft decided to ignore the Autocomplete=Off setting used by Netscaler Gateway (and a lot of other login pages), this setting tells the browser not to use the store password option and will protect the user from accidently saving their username and password on their machine (or worse a public machine!). Below a screenshot from the login.js file where you can find the autocomplete=off setting on the Netscaler :

Autocomplete

Up till Internet Explorer 10 and every other major browser like Chrome and Firefox respect this setting and will not bother the user to store the credentials, but Microsoft decided to ignore this setting (by default!) in IE11 because they want to give this control back to the user, you can read more about it here and here. Below a screenshot of the message users get when logging in through IE11 on Netscaler Gateway :

StorePassword

I think it’s a wrong choice of Microsoft to ignore the autocomplete=off setting, but even more wrong to ignore it by default, because they forget that a lot of people don’t know how to use a password manager wisely and just click OK on every message they see without thinking about the risks. When users click on Yes, everyone with access to their computer can simple hit the first letter of their username and the rest is auto filled so it’s very easy to make abuse of this :

Autocomplete2

Of course users can always bypass the autocomplete=off setting by installing\enabling a password manager themselves (also in other browsers) but in this way, they are conscious what they are doing. This default setting will put a lot of users (the ones we all know and hit Yes on everything on their way) at risk, without they even know it.

Possible workarounds when using Internet Explorer 11 :

  • When machines are managed (through GPO or tools like Thinkiosk) disable Autocomplete in the browser completely or only for certain websites
  • Change the password field on the Netscaler Gateway from type Password to type Text, this will prevent autocomplete from kicking in but will lower the security when people are typing in their password
  • Don’t allow IE11 : Block the login page from showing (through EPA scan or some code in the index page) and notify the users to use another browser
  • Don’t use Receiver for Web \ Netscaler Gateway Portal and only use the native Citrix Receivers

Of course 2-way factor authentication is a life saver here, but the security is already lowered when username and passwords are already stored on the machine. People with bad intentions only need the phone or token as an extra step to get access from a machine with prefilled username and password.
Please let me know if you have other ways to work around this default behaviour of Internet Explorer 11.

The future of Access Gateway

/ Bram Wolfs / 3 Comments

The future of Access Gateway

5 June was the second Citrix CiTIE 2012 event in the Benelux, I wasn’t able to join the event but I would like to thanks everybody on twitter for the live updates and Wilco van Bragt for the summary of the event.

One of the announcements I noticed was the retirement of the Access Gateway Standard edition.
I was surprised about this retirement at first, because of the effort Citrix put into the new 5.x version (new flash based GUI, more advanced HA options, etc) but second I thought why would Citrix support 2 products with almost exactly the same set of features?
Below I have summarized a quick list of features, between the Netscaler CAGEE and CAG Standard in combination with the advanced access control software. Of course Netscaler can do a lot more other things, but we will concentrate on the Access Gateway functionality here.

Netscaler (CAGEE) CAG Standard + AAC*
ICA Proxy Yes Yes
SSL VPN Yes Yes
Multiple Logon points (Basic + Smart access) Yes Yes
Clientless Access Yes Yes
Endpoint Analysis Yes Yes
High Availability Yes Yes
LDAP \ Radius authentication Yes Yes
Simultaneous user sessions 5,000 and up** 500

* Advanced Access Control software
** Depends on the model

As you can see a lot of the same features are present on both products, a big difference is the scalability and concurrent user limits.
But although a lot of the features are the same, they are working in very different ways for example :

They use a different SSL VPN plugin
Imagine the following scenario:
One day you will install the Access Gateway Enterprise plugin to access customer A through SSL VPN, then you need remote access to customer B which uses Access Gateway Standard.
The plugins cannot co-exist so you will have to remove the Enterprise plugin, install the Standard plugin and vice versa…

They use different types of logon points
Netscaler uses virtual IP’s (VIPs) that can be configured in Basic mode or Smart Access mode (see my previous blog post for more details about this modes), more VIPs can be created depending on the use case. Each VIP can be accessed through its own FQDN.

CAG Standard has one public facing FQDN, logon points are created after this FQDN like https:\\my.cag.com\lp\xenapp, this logon points can be in Basic mode or Smart Access mode, only one Logon Point can be set as the default.

They use different clientless access methods and have a different policy structure
Netscaler is very flexible when it comes to profiles and policies, you can manage policies on almost every level (Global, VIP, Groups\Users) and apply them based on different expression filters, this is why CAGEE really fits like a glove in a lot of different access scenarios.  There is no extra software needed to enable advanced functionality like clientless access.

CAG Standard in Smart Access Mode has some advanced features like Smart groups and SSL VPN. But if you really want all the advanced features (clientless access etc) you need to connect the appliance to the Advanced Controller software, which then synchronizes with the appliance. This software runs on a windows server which can be a security concern (not because it’s windows but you would need to update and secure 2 components in this setup)

They are different in architecture and hardware
Netscaler software runs on top of FreeBSD and has a large range of appliances you can choose from depending on your needs, this are the Netscaler models available today :

Physical Appliance (MPX) Virtual Appliance (Netscaler VPX)
MPX 5500 Licensed based on bandwidth (10,200,1000,3000)
MPX 7500/9500
MPX 9700/10500/12500/15500

The higher the range the more performance you get, physical appliances can have more concurrent connections because they have SSL offloading capabilities and because there is no Hypervisor layer. Physical appliances in higher ranges also have redundant components, like power supplies.

The Access Gateway Standard appliance runs on a stripped Red Hat kernel and comes in 2 flavors :

Physical Appliance (2010) Virtual Appliance (Access Gateway VPX)

The hardware of the 2010 appliance is really low level, it’s nothing more than hardware you find in a cheap PC.
I was a little bit ashamed when i opend this appliance on a customer site a while ago because of a bad harddrive, there is no way you can explain the amount of money paid for this appliance.

Conclusion : 
So Citrix have 2 products that have very similar features, because of the difference in architecture of this products, Citrix needs to update both to support new receivers and to provide new functionality (think of Cloud Gateway functionality for example). This may be one of the core reasons why Citrix will retire one of them.
I think CAGEE (Netscaler) is the best Access Gateway edition there is, it’s far more flexible and fits in a lot more different scenarios and use cases.  Access Gateway on Netscaler is also future prove because of :

– Access Gateway is lifting on Netscalers success (build on good hardware and install base)
– All Smart Access functionality is on board of the appliance no need for external software
– Fits in a lot of different scenarios based on the modular design of Netscaler
– Can be used for more functionality then Access Gateway only, Load balancing of services for example

Ok so what will be the future of Access Gateway?
If Citrix will retire CAG Standard + Advanced and Citrix makes some changes in the licensing model of Enterprise edition to replace the other editions, then we are done right?

Not really,  I think Access Gateway VPX is a good replacement for the Secure Gateway software, a Netscaler can be a bridge to far for some customers. Also if a customer is already using a competitor of Netscaler (like F5), there may be some friction with adapting Netscaler to enable Access Gateway functionality.

The perfect future if you ask me, is that Citrix will strip the Access Gateway VPX to provide standard functionality (providing access to XenApp and XenDesktop) and give it to customers for free as a replacement of the Secure Gateway software.
Then they should retire the Advanced Controller software and ditch the 2010 appliance.
So at the end there will be 2 editions of Access Gateway left :

– Access Gateway VPX for providing basic functionality to access XA/XD
– Netscaler with Access Gateway Platform license for providing basic functionality to access XA/XD, which can be extended with Access Gateway Universal licenses (also included in Cloud Gateway Enterprise) to provide Smart Access functionality.

Please note that the information in this blog is provided as is without warranty of any kind, some information is based on speculations and predictions.

Citrix Cloud Gateway, a wrap-up so far

/ Bram Wolfs / 1 Comment

Citrix Cloud Gateway, a wrap-up so far

Table of contents :

1 : Introduction
2 : Cloud Gateway Editions
3 : Storefront services
4 : Access Gateway services
5 : Cloud Gateway Enterprise and the Access Gateway Universal License
6 : Cloud Gateway Express and the Platform License
7 : Webinterface V.S. Receiver for Web
8 : Conclusion

1 : Introduction

In this blog post I wanted to talk about Citrix Cloud Gateway, as you may already know, Cloud Gateway will replace Citrix Webinterface and Webinterface will go end of live in 2015. Webinterface has grown into a key component in almost every Citrix environment, and it is a so called “proven technology” product. Webinterface is great in providing access to XenApp and XenDesktop environments in many different ways and  different scenarios, but that is also its limitation, there is no possibility to integrate it with Cloud services like follow-me-data or SaaS applications. This is why Citrix made a new product from scratch, called Cloud Gateway. This blog post is a wrap-up so far about Cloud Gateway, because Citrix is working hard on the product things in this blog post may be very soon changed or outdated.

2 : Cloud Gateway Editions

There are currently 2 editions of Cloud Gateway :

Cloud Gateway Enterprise

Cloud Gateway Enterprise is the paid version and provides the following features :

– Access to XenApp and XenDesktop (through Storefront)
– ShareFile integration (new in version 2.0)
– Single Sign On (SSO) and account provisioning for Web and SaaS applications through AppController
– Mobile (native) app management + remote wipe (new in version 2.0)
– Access Gateway Universal License included

Cloud Gateway Express

Cloud Gateway Express is free for XenApp and XenDesktop customers and provides access to XenApp and XenDesktop and Merchandising services only.This version will be the direct replacement of Webinterface.
With Merchandising services you can manage the complete Citrix Receiver (and other plugins) life cycle.

3 : Storefront Services

As you can see in the above pictures Storefront is one of the key components in Cloud Gateway, it’s the broker for all the services behind it and provides a SSO experience for the users.
Storefront provides access to XenApp and XenDesktop in the following 3 ways :

1 : Access through the Native Receiver (Self Service plugin)
2:  Access through StoreWeb (Receiver for Web)
3:  Access through Legacy mode (PNAgent)

The native receiver can be configured with a provisioning file (.cr file which is XML based) downloaded from the Receiver for Web or distributed by Email or something like that.
To make the internal access to Storefront more clear I made the following drawing :

Every login point is used by different type of client devices, some Receivers (older Thinclients, Android devices and Iphones) still uses the legacy mode (PNAgent). But newer Receivers will talk to Storefront directly and not using Legacy mode anymore.

4 : Access Gateway Services

Another key component in Cloud Gateway is the Access Gateway, there are 2 types of Access Gateways that can be used with Cloud Gateway:

1: Access Gateway VPX (with or without advanced controller software)
2: Access Gateway Enterprise (Netscaler VPX\MPX)

Whether you go for Cloud Gateway Express or Enterprise you need to buy a Access Gateway Platform license for one of this Access Gateways. The platform license will give you unlimited access to XenApp and XenDesktop, this is called ICA proxy. With ICA proxy you are allowed to land on the Webinterface and launch a XenApp and/or a XenDesktop session but you cannot use any advanced features of the Access Gateway (for example Clientless Access, VPN plugin, EPA scans, etc), if you want to use this features you need to purchase a Access Gateway Universal License per concurrent user (included with Cloud Gateway Enterprise license).
In Access Gateway you can choose between the following logon point\virtual server modes :

1: Basic Mode (ICA Proxy only) (Platform license needed)
2: Smart Access Mode (Advanced Features) (Platform license + Universal License needed)

To make this more clear I made a drawing how the access to storefront looks like with the Access Gateway Enterprise edition :

As you can see the Netscaler will check, if it is correctly configured, the type of Receiver based on expression filters and HTTP headers. Netscaler will then contact Storefront the right way depending on the Receiver type. With Access Gateway VPX you cannot configure this expression filters, Access Gateway VPX works with Receiver for Web, but I have not yet seen this working with the native receiver from the outside.
My guess is that Citrix will enable this in a feature release of Access Gateway VPX.

5: Cloud Gateway Enterprise and the Access Gateway Universal License

If you purchase Cloud Gateway Enterprise you are also entitled to use the Access Gateway Universal License, i think this is a logical step because Cloud Gateway Enterprise leverages the clientless access and VPN features of the Access Gateway, for example Appcontroller can be configured with keywords to start the VPN plugin and for access to Storefront clientless access is used.

6: Cloud Gateway Express and the Platform License (ICA Proxy)

As you may have noticed you need clientless access when you want to use the Native Receiver through Access Gateway, though it works on a VIP in basic mode the documentation says that you need a VIP in Smart Access mode to make this work. I can imagine that Citrix is going to allow one of the following when using Cloud Gateway Express with the platform license only :

1: Only allow landing on the Receiver for Website (same as ICA proxy using Webinterface)
2: Allow access for all type of Receivers, but only for use with XenApp and XenDesktop

Option 2 is most preferred imho! 😉

6 : Webinterface V.S. Receiver for Web

First : Webinterface cannot be directly compared to Storefront, because Storefront enables a lot more other features then Webinterface (SSO to other services, Application subscription, more advanced HA, etc.) But if we compare Webinterface with the Receiver for Website, it is safe to say that Webinterface has still a lot more features. Thomas Koetzing made a list of missing features here, but I am certain that Citrix is working hard on this feature list, remember that they are only at version 1.1 so there is a lot more to come.

The total redesign has also some very positive points, for example a big plus of Storefront is that it includes a new user authentication method which directly queries Active Directory rather than the existing double-hop Web Interface process where user credentials are sent from the Web Interface server to the XML broker who then negotiates authentication with the Domain Controller.

7: Conclusion

I think Cloud Gateway and Storefront have a lot of potential, it gives the user a true single logon experience with all of the applications and data they need in one place on almost every device. Integration is the key here as more and more companies are starting to use Cloud services,  Cloud Gateway aggregates and secures this services into one logical logon point with the same look and feel on every device.

On the down side, Storefront is still missing a lot of features compared to Webinterface, if you already installed Storefront and walked through the console you were probably done in 30 seconds 😉 not much to customize there. This is why Storefront is not yet a tight fit in scenarios with special needs and requirements. I hope Citrix will make it as flexible and customizable as Webinterface is today in feature releases!

If you want to know more about Fine-tuning Adaptive Display, please read my previous blog post and follow me on twitter or subscribe on this blogsite if you want to be notified when a new blog post is available! thanks!

Please note that the information in this blog is provided as is without warranty of any kind, it is a mix of own research and information provided by Citrix.