7/24/2019 Setup and configure a NetScaler 11.1 VPX in ... · HOME » CITRIX » NETSCALER-AZURE » Setup and congure a NetScaler 11.1 VPX in Microsoft Azure, including NetScaler Gateway

7/24/2019 Setup and configure a NetScaler 11.1 VPX in Microsoft Azure, including NetScaler Gateway (ICA Proxy) configuration | christiaanbri…

https://christiaanbrinkhoff.com/2017/01/17/how-to-setup-a-netscaler-vpx-in-microsoft-azure-including-ica-configuration/ 1/40

HOME » CITRIX » NETSCALER - AZURE »

Setup and con�gure aNetScaler 11.1 VPX inMicrosoft Azure, includingNetScaler Gateway (ICAProxy) con�gurationBy Christiaan Brinkho�. Published on January 17, 2017.

In addition to my previous blogpost, How to Build your Citrix DisasterRecovery environment in Microsoft Azure, and of course, when you need toproceed the NetScaler setup in Azure for your own Citrix (hybrid)environment, I created this blog article, to show you how to get familiarwith the con�guration steps that must be done, to con�gure NetScaler 11.1VPX in the Microsoft Azure Cloud and con�gure the NetScaler Gatewaysteps for ICA Proxy – remote access.

One major con�guration limitation, that you de�nitely need to be knownwith, is that the default ports, 443 and 80 are in use for managementusage, and cannot be changed or used for other virtual servers (VIPs). Towork around this limitation, you need to NAT/reverse proxy ports from theinternet to the VM’s network interface, I will con�gure this by making use ofthe Azure Load Balancer functionality, the outside port 443 listens to port4443 on the inside (like picture below).

Another option I would like to mention is the SSL VPN – NetScaler gatewayfeature. You can use this to replace the Azure point-to-site vpn option, to

2

https://twitter.com/Brinkhoff_C

https://www.linkedin.com/in/christiaan-brinkhoff-18298740

https://www.youtube.com/channel/UCc5uZhbxExXq1wnQIICnxMw/videos

https://christiaanbrinkhoff.com/

https://www.christiaanbrinkhoff.com/feed/

mailto:[email protected]

https://christiaanbrinkhoff.com/

https://christiaanbrinkhoff.com/category/citrix/

https://christiaanbrinkhoff.com/category/citrix/netscaler/

https://christiaanbrinkhoff.com/category/microsoft/azure/

https://christiaanbrinkhoff.com/author/admin-cbrinkhoff/

https://www.christiaanbrinkhoff.com/2016/12/27/how-to-build-your-citrix-disaster-recovery-environment-in-microsoft-azure/



provide users a more simple way to connect to the Azure vNet network, bya uniform (custom) web portal.

Limitations you need to be known of

The NetScaler VPX 11.1 in Microsoft Azure did get an update last month,most of the limitations are now gone! Please check one of my new blogs – How to setup NetScaler Gateway SSL VPN in Azure as Point-to-Site VPNreplacement, using multiple network interfaces

The following ports cannot be use for vServer (VIP) con�guration; 21, 22,80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011,4001, 5061, 9000, 7000, they are reserved for internal usage;The order of the NICs inside the virtual machine (VM) will be random;No support for the following features; IPv6, Gratuitous ARP (GARP), L2Mode, Tagged VLAN, Dynamic Routing, Virtual MAC (VMAC), USIP, GSLB,CloudBridge Connector;The Intranet IP (IIP) feature is not supported;

All the supported features

Web LoggingContent SwitchingLoad BalancingSSL O�oadingContent FilteringSSL VPN – NetScaler GatewayRewriteResponderHTML InjectionWeb Interface on NSApp�owvPathStrong encryption

Requirements

NetScaler license (If you haven’t got any, please use a 90 day trial);Azure subscription;

We are using cookies to give you the best experience on our website.You can �nd out more about which cookies we are using or switch them off in settings.

Accept

https://www.christiaanbrinkhoff.com/wp-content/uploads/2017/01/1.png

https://www.christiaanbrinkhoff.com/2017/04/10/how-to-setup-netscaler-gateway-ssl-vpn-in-azure-using-multiple-network-interfaces/

https://support.citrix.com/article/CTX130498



IPsec or ExpressRoute tunnel (if your Citrix environment must becon�gured hybrid);Citrix XenApp/XenDesktop (at least 7.6);StoreFront (at least 3.0);

Deploy the NetScaler VPX from theMarketplace

Step 1: First go to the market place in the Azure Portal, search forNetScaler 11.1 VPX Bring Your Own License, select the name and click onCreate

Step 2: Fill in all the Basic server information, give in a random servername, disk type SSD (preferred), username, password, Azure subscription,select the Resource Group and the datacenter location. Click on ok


Accept

https://www.christiaanbrinkhoff.com/wp-content/uploads/2017/01/1484690403_image2.png



Step 3: Choose the VM size (sku), for this article I choose for the DS2_V2server, click on select

PS: Depending on the workload of your environment, you need to increasethe sizing


Accept




Step 4: In the next con�g screen; Change all the requested information:


Accept




Storage account: The storage account that you want to use

Virtual Network: The vNet of your Company (If you have: with the IPsecor ExpressRoute activated on)

Subnet: The subnet you want to place your NetScaler in


Accept




Public IP: Create a new “Static” Public IP, when you want to con�guredirectly from the internet into Azure

Network Security Group: To open the management portal fromexternal; Follow the next steps: (this is only

needed when you have no IPsec / ExpressRoutehybrid network to Microsoft Azure)

Step 5: The Network Security Group must be con�gured with at least thefollowing ports to accept; port 80, port 443. Add them as inbound securityrule.

Note: These steps are only needed when you haven’t got any IPsec VPN orExpressRoute connection to Azure.

First, create a rule for HTTP (management) access – with these settingsapplied, con�gure a CIDR block to provide access to your network only, tolimit the external access to the management portal.


Accept





Step 6: Afterwards create a rule for HTTPS (management) access – withthese settings applied, and the same CIDR setting from the previous step

Step 7: Create a rule for HTTPS-4443-External (external vServer – VIP)access – with these settings applied


Accept




All these NSG-inbound rules must listed to guarantee (external) access tothe management portal

Step 8:If you do not have any storage accounts created yet, create one andselect none in the availability set option.

PS: When you need to con�guring 2 NetScalers in Azure as HA-pair, thenalways make sure that they are in the same availability group!

NetScaler con�guration overview


Accept





Step 9: Validate the entire con�guration before deployment, click on Ok


Accept




Step 10: The license purchase screen, because you bring your own license,only the Virtual Machine usage costs will be charged. Click on Purchase tostart the deployment


Accept




The deployment is started…

Setup the Azure Load Balancer

To provide external access over the ports 80 (HTTP) and 443 (HTTPS), areverse proxy con�guration must be created, by using the load balancerservice in Azure.

Step 11: Create the Load Balancer, open the service – Load balancers –Click on + Add


Accept




Step 12: Fill in a random name, that �ts in your naming convention, I willname it NetScaler-LB, and select Public as type and click on the Public IPaddress option

Step 13: Create a new Public IP, select Static Assignment and click on Ok

Step 14: Select your Azure subscription, Resource Group, DC location andclick on Create to �nish the setup


Accept





Deployment is in progress…

Step 15: Name the new back-end pool for HTTPS tra�c and click on + Adda virtual machine to connect to the NetScaler Virtual Machine


Accept





Step 16: Select None in the availability set option, select the NetScalerVirtual Machine in the Virtual Machines section and click on Ok and Ok inthe previous screen


Accept




The backend pool is saving…

Step 17: Once the back-end pool is created, open the inbound NAT rulesand click on the + Add button


Accept




Step 18: Give in a name for the NAT rule, select the service HTTPS,protocol TCP, Port 443 (external), Target: NetScaler Virtual Machine |Availability Group None, Port mapping: Custom, target port 4443. Click onOk to save the new inbound rule


Accept




The rule in being created…

Step 19: The following rule is added, at this moment, all the external tra�cthat goes to 52.174.196.141:443 – redirect to the NetScaler Virtual


Accept




Machine, port 4443. Pretty awesome and e�ective, in just a few steps!

Step 20: Now we can add an external DNS record that point to thisexternal “destination” IP address, so I created citrix-azure.infrashare.net Arecord already in my hosting providers DNS portal.

Proceed the NetScaler – ICA Proxycon�guration

Step 21: When the deployment is �nished, please open an internetbrowser to check the availability by entering the internal IP (if you have aIPsec VPN or ExpressRoute) or by entering the “static” public IP address orDNS A record name.

You can �nd these, by opening the Virtual Machine, and going toNetwork interfaces


Accept






Step 22: Log in with the earlier de�ned account and password

Step 23: Skip the – Citrix User Experience Improvement Program opening– screen by clicking on Skip

Step 24: Choose for the Subnet IP Address option


Accept






Step 25: The SNIP is not required for this article, so click on the button –Do it later

Step 26: Click on the Host Name, DNS IP Address button

Step 27: Give in the IP Address of your Azure or on-premises (hybrid vNetrequired) domain controller, select your time zone, click on Done

Step 28: Ignore the Con�rm screen to upload the License �le �rst, beforewe reboot, click on NO


Accept






Step 29: Upload your NetScaler license �le and reboot the server

Click on Yes

Step 30: Clickon the Continue button to proceed the reboot

Step 31: After the reboot, please check if all the checkmarks are set, soyou know that the license �le is applied correctly


Accept






Upload the SSL Certi�cate

Step 32: Now we can start with the con�guration of the NetScaler, at �rstwe need to add the SSL certi�cate. I will use a .pfx �le, of my own wildcardcerti�cate. Go to Tra�c Management -> SSL -> Server certi�cates and clickon Install

PS:if you do not have a certi�cate yet, please check one my previous blogstep 19 – 34!


Accept


https://www.christiaanbrinkhoff.com/2016/11/07/how-to-install-and-configure-netscaler-11-1-unified-gateway/




Step 33: Give in a name for the certi�cate and click on – Choose File –Click on the Upload button to browse your computer and open thecerti�cate pfx �le

Step 34: Select the certi�cate �le and click on Open

Step 35: Enter the certi�cate private key and click on the Install button


Accept





Step 36: When the certi�cate is added successful, it must be listed in theCerti�cates screen. You can now add the RootCA and intermediatecerti�cates, and link them to create a valid keychain!

Setup the Storefront – ICA Proxyconnection

Step 37: Click on XenApp and XenDesktop at the end of the left menu


Accept





Step 38: Click on the get started button

Step 39: Let the Storefront option default and click on Continue


Accept





Step 40: Give in the external FQDN DNS name in the Gateway text �eld,enter the Gateway IP Address (the private IP of your NetScaler VM), give inthe port 4443 and click on Continue

PS: You can check the internal address at the Network Interfaces optionscreen of the NetScaler VM


Accept





Step 41: Select your Certi�cate, click Continue

Step 42: Create a Domain Authentication policy, �ll in all the correctinformation and click on Test Connection to check if the Account canconnect to your Domain Server, when the green border pops up, then clickon the Continue button

IP: The IP of the domain controller in Azure (or on-premises, if hybrid)Port: Default 389

Base DN: The DN name to search in for authenticate usersServiceaccount: Serviceaccount for connecting to AD

Password: Password of the accountTime-out: 3 (default)

Server Logon Name: sAMAccountName (default)


Accept





Step 43: Fill in your internal StoreFront URL and press – Retrieve Stores –to automatically �ll in the Web Path, set the default domain and enteryour STA URL address (default:http://DesktopDeliveryFQDN/scripts/ctxsta.dll), click on Continue

Step 44: The overview page shows all the con�guration steps, Click on theDone button to save all the settings and �nish the NetScalercon�guration part to proceed the next step


Accept


http://desktopdeliveryfqdn/scripts/ctxsta.dll




Con�gure StoreFront for Remote Access

Step 45: Log in to your StoreFront Server, open the Citrix StoreFrontConsole and click on the – Con�gure Remote Access Settings – option

Step 46: Check the box next to – Enable Remote Access – and click on theAddbutton


Accept





Step 47: Fill in the Displayname and the external FQDN DNS name ofyour NetScaler, click Next


Accept





Step 48: Add the STA url, click on Add and enter the HTTP url of yourDesktop Controller like the picture below, click on Ok and Next afterwards

Step 49: This option can be left empty, click on Create

PS: When you con�gure options like SmartAccess, the Callback URL optionis required


Accept





Step 50: The NetScaler gateway is successfully added, click on Finish

Step 51: Make sure the NetScaler Gateway is listed in the – NetScalerGateway Appliances – screen and as Default appliance, click on Ok


Accept




Change the Default NetScaler Theme

Step 52: Open the NetScaler Gateway – Virtual Servers menu option andEdit the just created VPN vServer

Step 53: Click on – Portal Themes – in the Advanced Settings menu


Accept





Step 54: Select the X1 theme and click on the Ok button to save thetheme

Test Remote Access

Step 55: Open an internet browser and go to the External DNS name, forme this will be https://citrix-azure.infrashare.net/

Step 55: Enter your credentials and click on Log On


Accept


https://citrix-azure.infrashare.net/



And yes, we are now logged on the NetScaler in Azure successfully!

And the Desktop also works!


Accept





About Latest Posts

Christiaan Brinkho�Christiaan Brinkho� works as Cloud Architect and TechnologyEvangelist for the Windows Virtual Desktop (WVD) and FSLogixteam within Microsoft (ExtOps) and is the owner ofchristiaanbrinkho�.com IT Consulting. In addition to his work,he shares his passion for Cloud innovation by speaking atlarge international conferences, writing articles for vendorsand external community programs, such as VDILIKEAPRO,WhatMatrix, as well as on his website. This community-relatedwork got him the privilege to achieve the following three -Microsoft Valuable Professional (MVP) for Microsoft Azure,Citrix Technology Professional (CTP), VMware vExpert - vendorawards. There are currently only �ve people in the world thathave all these titles combined.


Accept






LATEST AZURENEWS

Always-on, real-

time threat

protection with

Azure Cosmos DB

- part two

July 23, 2019

The Azure

Advanced Threat

Protection team’s

decision to use

Azure Cosmos DB

for its cloud-based

security service has

enabled the team

to meet all key

RECENTCOMMENTS

CHRISTIAAN

BRINKHOFF on

The little-(un)known S

Thanks for sharing,Konstantin.

KONSTANTIN

VORONOV on

The little-(un)known S

Thanks. Similarproblem wasresolved (activationrequest wasperiodicallyrepeated every 2-3time in environment

MOST VIEWEDPOSTS (LAST 3DAYS)

The little-

(un)known

Secrets of

using O�ce

365 ProPlus

and O�ce

2019 on a

Virtual

Desktop

environment

- survival

guide

Windows

Virtual

Configure Azure ActiveDirectory Domain Services …1 comment • 2 years ago

AvatarJohnS — delete

The future of Roaming Profiles– Add fast logon …8 comments • 4 months ago

Avatarfbifido — thanks

Lift-and-Shift On-Premises Configure Citrix Cloud App

ALSO ON CHRISTIAANBRINKHOFF.COM - SHARING CLOUD AND VIRTUALIZATION

1 Comment

christiaanbrinkhoff.com - Sharing Cloud and Virtualization

Ava

t Tweet f Share Sort by Newest

Join the discussion…

• Reply •

Wayrma New York • 25 days ago

The products consist of NetScaler ADC, an application deliverycontroller (ADC), NetScaler AppFirewall, an application firewall,NetScaler Unified Gateway, NetScaler Management & AnalyticsSystem, and NetScaler SD-WAN, which provides software-defined wide-area networking management△ ▽

Recommend

Share ›


Accept

https://azure.microsoft.com/en-us/blog/feed/

https://azure.microsoft.com/blog/

https://azure.microsoft.com/blog/always-on-real-time-threat-protection-with-azure-cosmos-db-part-two/

https://christiaanbrinkhoff.com/2017/01/17/how-to-setup-a-netscaler-vpx-in-microsoft-azure-including-ica-configuration/

https://christiaanbrinkhoff.com/?p=52339





https://christiaanbrinkhoff.com/2019/04/27/the-little-unknown-secrets-of-using-office-365-proplus-and-office-2019-on-a-virtual-desktop-environment-survival-guide/

https://christiaanbrinkhoff.com/2019/05/03/windows-virtual-desktop-technical-walkthrough-including-other-unknown-secrets-you-did-not-know-about-the-new-microsoft-managed-azure-service/

https://disq.us/?url=https%3A%2F%2Fchristiaanbrinkhoff.com%2F2017%2F11%2F16%2Fhow-to-configure-azure-active-directory-domain-services-for-citrix-cloud-workspaces-with-the-lowest-total-cost-of-ownership-in-azure-iaas%2F&key=KG4_2RRg--y5X8QmFx76NA

https://disq.us/?url=https%3A%2F%2Fchristiaanbrinkhoff.com%2F2017%2F11%2F16%2Fhow-to-configure-azure-active-directory-domain-services-for-citrix-cloud-workspaces-with-the-lowest-total-cost-of-ownership-in-azure-iaas%2F&key=KG4_2RRg--y5X8QmFx76NA

https://disq.us/?url=https%3A%2F%2Fchristiaanbrinkhoff.com%2F2019%2F03%2F21%2Fthe-future-of-roaming-profiles-add-fast-logon-performance-and-office-365-support-to-your-virtual-desktop-vdi-daas-environment-with-microsoft-fslogix-profile-container-including-existing-uem-sol%2F&key=ibhKrpv02q8cmTTIdl03tg

https://disq.us/?url=https%3A%2F%2Fchristiaanbrinkhoff.com%2F2019%2F03%2F21%2Fthe-future-of-roaming-profiles-add-fast-logon-performance-and-office-365-support-to-your-virtual-desktop-vdi-daas-environment-with-microsoft-fslogix-profile-container-including-existing-uem-sol%2F&key=ibhKrpv02q8cmTTIdl03tg

https://disq.us/?url=https%3A%2F%2Fwww.christiaanbrinkhoff.com%2F2017%2F12%2F01%2Fhow-to-lift-and-shift-on-premise-vmware-workloads-to-the-microsoft-azure-cloud-with-the-new-azure-migrate-service%2F&key=iTPh7gIuOlKc-6n0pcPIHg

https://disq.us/?url=https%3A%2F%2Fchristiaanbrinkhoff.com%2F2018%2F01%2F19%2Fhow-to-configure-citrix-cloud-app-layering-4-8-to-deliver-virtualized-apps-and-office-365-caching-user-layers-for-xenapp-and-xendesktop-service-cloud-workspaces-in-microsoft-azure%2F&key=1MQ1hIN7OIHXteNZKYDucA

https://disqus.com/home/forums/infrashare/

https://disqus.com/home/inbox/

https://disqus.com/by/wayrmaserg/

https://christiaanbrinkhoff.com/2017/01/17/how-to-setup-a-netscaler-vpx-in-microsoft-azure-including-ica-configuration/#comment-4520229927

https://disqus.com/by/wayrmaserg/



to meet all key

requirements,

including zero

database

maintenance,

uncompromised

real-time

performance,

elastic scalability,

high availability,

and strong security

and compliance.

Always-on, real-

time threat

protection with

Azure Cosmos DB

- part one

July 23, 2019

Microsoft Azure

Advanced Threat

Protection is a

cloud-based

security service

that uses

customers’ on-

premises Azure

Active Directory

signals to identify,

detect, and

investigate

advanced threats,

compromised

identities, and

malicious insider

actions.

CVAD 7 1811 non-persistent VDIWindows 10 Ent withO�ce 365 […]

JOHNS on

Con�gure Azure Activ

In DNS con�gurationit says "A host namemay contain lettersand numbers, andcan contain but notstart or end with adot or

Virtual

Desktop

technical

walkthrough,

including

other

(un)known

secrets you

did not

know about

the new

Microsoft-

Managed

Azure

Service

The future

of Roaming

Pro�les -

Add fast

logon

performance

and O�ce

365

support to

your virtual

desktop

(VDI) - DaaS

environment

with

Microsoft/FSLogix

Pro�le

Container,

including

existing

UEM

solutions

Use Azure

File Sync to

bridge your

storage

SMBs and

NFS needs

with Azure

Files Cloud


Accept

https://azure.microsoft.com/blog/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one/





https://christiaanbrinkhoff.com/2019/05/03/windows-virtual-desktop-technical-walkthrough-including-other-unknown-secrets-you-did-not-know-about-the-new-microsoft-managed-azure-service/

https://christiaanbrinkhoff.com/2019/03/21/the-future-of-roaming-profiles-add-fast-logon-performance-and-office-365-support-to-your-virtual-desktop-vdi-daas-environment-with-microsoft-fslogix-profile-container-including-existing-uem-sol/

https://christiaanbrinkhoff.com/2019/02/22/use-azure-file-sync-to-bridge-your-storage-smbs-and-nfs-needs-with-azure-files-cloud-storage-for-windows-virtual-desktop-citrix-virtual-desktops-and-other-daas-workloads-on-azure/



Storage for

Windows

Virtual

Desktop,

Citrix

Virtual

Desktops

and other

DaaS

workloads

on Azure

Using Azure

MFA as

Citrix ADC -

NetScaler

RADIUS

using the

new NPS

Extension

Copyright 2016 - 2019 © christiaanbrinkho�.com


Accept

https://christiaanbrinkhoff.com/2019/02/22/use-azure-file-sync-to-bridge-your-storage-smbs-and-nfs-needs-with-azure-files-cloud-storage-for-windows-virtual-desktop-citrix-virtual-desktops-and-other-daas-workloads-on-azure/

https://christiaanbrinkhoff.com/2017/02/17/how-to-configure-azure-mfa-for-citrix-netscaler-gateway-radius-by-using-the-new-nps-extension/

Documents

7/24/2019 Setup and configure a NetScaler 11.1 VPX in ... · HOME » CITRIX » NETSCALER-AZURE » Setup and congure a NetScaler 11.1 VPX in Microsoft Azure, including NetScaler Gateway