White Paper | Citrix CloudGateway Express 1.

Citrix CloudGateway Express 1.2

Proof of Concept Implementation Guide

www.citrix.com

Contents
Contents .............................................................................................................................................................. 2 Introduction ........................................................................................................................................................ 3 Architecture ........................................................................................................................................................ 4 Installation and Configuration ......................................................................................................................... 5 Section 1: Receiver Storefront Server Initial Deployment ....................................................................... 6 Receiver Storefront Initial Server Configuration ................................................................................... 9 Create Authentication Service ................................................................................................................14 Create Store ...............................................................................................................................................15 Section 2: Configure Second Receiver StoreFront Server .....................................................................20 Section 3: Accessing Applications through Receiver ..............................................................................24 Receiver for Web ......................................................................................................................................27 Section 4: Configure Citrix Access Gateway Authentication ................................................................29 Section 5: NetScaler Load Balancing Configuration ...............................................................................36 Design Considerations ....................................................................................................................................41 Remote Users ...................................................................................................................................................41 Conclusion ........................................................................................................................................................41 Acknowledgments............................................................................................................................................42 References .........................................................................................................................................................42 Revision History ...............................................................................................................................................42

Page 2

Introduction
Citrix CloudGateway Express provides users with a common access experience across devices. Each CloudGateway Express user is able to subscribe to their favorite application and desktop resources, these favorite resources then automatically follow the user between devices. With Citrix Web Interface reaching end-of-life in 2015, it is important that administrators become familiar with CloudGateway Express to facilitate a successful transition between products. CloudGateway Expresss new modular architecture improves upon the existing design of Web Interface. It includes a new user authentication method which directly queries Active Directory rather than the existing double-hop Web Interface process where user credentials are sent from the Web Interface server to the XML broker who then negotiates authentication with the Domain Controller. CloudGateway Express also makes the process of deploying multiple servers easier through its configuration synchronization feature. Customers that require a single point of access and self-service for Windows, Web, and SaaS applications should utilize the Enterprise version of CloudGateway. CloudGateway Enterprise is a premium product that must be purchased. CloudGateway Express is a no-cost product that is freely available for download for Citrix XenDesktop and XenApp customers. For a complete list of both CloudGateway Express and Enterprise features, please reference the CloudGateway section of Citrix.com. This document will guide the reader through the steps required to create a successful CloudGateway Express proof of concept environment. To allow users and administrators transition time to become familiar with CloudGateway Express as compared to the well-known Web Interface, Citrix Consulting recommends that a small subset of Windows users should be selected for the CloudGateway Express proof of concept in parallel to an existing Web Interface environment. To experience the full self-service ability of CloudGateway Express this user group should primarily access XenApp published applications from multiple locations both inside and outside the corporate network.

Page 3

Architecture
CloudGateway Express consists of the Citrix Receiver Storefront and Citrix Merchandising Server components. Receiver Storefront is a server component which resides on Windows 2008 R2 server while Merchandising Server is a virtual appliance. This document only focuses on Receiver Storefront which performs the authentication and enumerating of applications and desktops. Receiver Storefront integrates seamlessly with an existing XenDesktop and XenApp infrastructure which allows users to have a consistent experience from multiple devices. Receiver StoreFront employs a modular architecture, as shown in the following diagram:

Figure 1: Citrix Storefront Receiver Architecture Authentication Service. Authenticates users to XenDesktop sites, XenApp farms, and AppController, handling all interactions to ensure that users only need to log on once. Store Services. Retrieves user credentials from the authentication service to authenticate users to the XenApp and XenDesktop servers providing the application and desktop resources. Enumerates the resources currently available from the servers and sends the details to Citrix Receiver. Receiver for Web. Enables users to access applications and desktop resources through a web page providing the same user experience as accessing those resources through Citrix Receiver.

Page 4

Resource Subscription Database. Stores details of individualized user subscriptions plus associated shortcut names and locations. Beacon. Citrix Receiver uses beacon points to determine whether users are connected to internal or public networks and then selects the appropriate access method.

Hardware and Software Requirements

In preparation for executing all the steps outlined in this Proof of Concept (PoC) Implementation Guide, the following components will be required: Windows Server 2008 R2 SP1: Receiver Storefront is only available for installation on this version of Windows Server. Citrix Receiver 3.1 Windows (Standard): This is the only version of Citrix Receiver that supports direct connection to Receiver Storefront Stores. Previous versions of Receiver can be used, but applications and desktops will only be available from the Receiver for Web site. Citrix Access Gateway 9.3, Enterprise Edition or Citrix Access Gateway 5.0.4: While not required for internal access to resources, Access Gateway is a key feature to enable secure remote access. Microsoft SQL Server 2008 R2 Enterprise or Microsoft SQL Server 2008 R2 Express: The application subscription feature of CloudGateway Express requires a central database. It is recommended that Microsoft SQL 2008 R2 Enterprise be used so that high availability can be configured. Please note that this information will be updated frequently, so please reference Citrix eDocs for the latest server and receiver requirements

Installation and Configuration

The purpose of this document is to provide step-by-step instructions for the implementation of each component within the Proof of Concept environment. Each step is broken down into the following individual sections: Section 1: Receiver Storefront Initial Deployment Section 2: Configure Second Receiver StoreFront Server Section3: Accessing Applications through Receiver Section 4: Configure Citrix Access Gateway Authentication Section4: NetScaler Load Balancing Configuration

Page 5

Section 1: Receiver Storefront Server Initial Deployment

Receiver Storefront can be setup in a single or multi-server deployment. For simple Proof of Concept environments a single-server deployment should be used and SQL Server must be installed locally on the Receiver Storefront server. In the case of a multi-server deployment for evaluating HA and the configuration synchronization feature, SQL Server can either be installed on one of the Receiver Storefront servers or on another server in the same Active Directory forest. Citrix Consulting recommends that Receiver StoreFront be deployed in a multi-server configuration to ensure high availability. The following steps detail acquiring the installation media and initial database configuration on the Windows 2008 R2 SP1 server and database server.
1 The first step is to download the install media from Citrix.com Select Downloads from the top menu

Select CloudGateway from the drop down menu

Select CloudGateway Express

Page 6

Select Receiver StoreFront 1.2 and download the executable

Before the Receiver StoreFront installation can begin, the SQL database must be manually created To create the Receiver Storefront database, use SQL Server Management Studio to run the commands located on this page Three variables must be changed before the script is run:

%%DATABASE_NAME%% %%MDF_FILE%% %%LOG_FILE%%

Page 7

Once the database is created, begin the Receiver StoreFront installation by double clicking on the installation media previously downloaded

Check the accept terms of license box Select Next

Select Install Any pre-requisites missing such as the Web Server will be installed automatically by Receiver StoreFront installer.

Page 8

The installation has now been completed Select Finish The StoreFront Receiver administration console will automatically appear

Receiver Storefront Initial Server Configuration The first setup in configuring Receiver StoreFront is binding a SSL certificate (self-signed or procured through an internal certificate authority), defining a load balancing hostname, and specifying the database. The following section walks through the steps needed to complete these tasks.
Initial Server Configuration Screenshot 1

Description Before beginning the configuration, a SSL certificate matching the hostname chosen must be imported and bound to the default IIS Web Site This is accomplished in IIS Manager Select the local Server from the left menu Select Server Certificates from the features menu

Page 9

Select Import on the Actions menu

Select the certificate file to import Select OK

The certificate is now imported

Page 10

Select Default Web Site Select Bindings

Select Add

Select https as the Type Select the SSL Certificate from the dropdown menu Select OK

Page 11

The https binding is now listed Return to the Receiver Storefront console

When deploying a multiserver configuration, only the bottom two options are available The Deploy a Single Server option is greyed out because SQL Server is not installed locally Select Deploy a multiple server group

Page 12

10

Since a SSL certificate has already been bound, the hostname will automatically be filled in This is the Hostname of the load balancing vServer on the NetScaler for the Storefront servers If the hostname is blank, go back to the SSL certification installation steps Enter the SQL Database server Enter the Database name chosen Choose Test Connection

11

Select OK

12

Select Create

Page 13

13

Once the server group has been created, the initial screen will be returned

Create Authentication Service Before any Citrix resources can be configured, an authentication service must be created. This process defines the access method allowed for the environment.
Initial Server Configuration Screenshot 1

Description Select Create Service

Page 14

Choose which authentication methods to enable Select Create

The Authentication Service has been configured

Create Store Use the Store menu to add the XenApp farms and XenDesktop sites that will be made available to users. Administrators can create as many stores as needed; for example, the administrator may want to create a store for a particular group of users or to aggregate a specific set of resources. While all the stores in a Receiver Storefront deployment use the same authentication service, they each require their own database. A Store is created using the following instructions:

Page 15

Store Configuration Screenshot 1

Description Select Create Store under the Actions menu

Choose a name for the Store Recommend choosing a name that matches the XenApp farm so that it is easily identifiable Select Next

Page 16

This is the screen where the address of the XML server for XenApp or XenDesktop is entered Enter the Server address and choose the Transport Type and Port number Select Create

Select Finish

Page 17

The newly created Store will now be listed Additional XML servers can now be added to the Store by selecting Manage Server Farms

A generic farm name and the XenApp XML server entered in the previous screen are listed Select Edit

Page 18

Enter in the desired new Farm name Select Add to have an additional XML server listed to this farm

Enter the Server name for the additional XML server Select OK

Page 19

Once completed, select OK

Section 2: Configure Second Receiver StoreFront Server

Once the first server has been configured, a second server should be added to the multi-server deployment.
1 On the first server deployed select Add Server from the Server Group menu

Page 20

This server will now show an Authorization code that must be entered on the next server joined to the deployment Make a note of this information

On the second Storefront server select Join Existing Deployment

Enter the hostname of the primary Storefront server Enter the Authorization code presented earlier (Step 1) Select Join

Page 21

Once successfully joined select OK

On the primary Storefront server (cloudgateway2), the following dialog box appears indicating that the secondary server (cloudgateway3) was added. Select OK Switch back to the primary Storefront server Click Refresh to now see two servers listed Select Propagate Changes

Select OK

Page 22

Once the propagation has completed, select OK

10

Back on the administration panel, the Synchronization Status has been updated

Page 23

Section 3: Accessing Applications through Receiver

Once a Store has been configured inside Receiver Storefront it will be accessible to Citrix Receiver. The following steps require that Receiver 3.1 be installed on a Windows device.
1 Double Click the Citrix Receiver Icon from the system tray Click on the settings icon and choose Edit Accounts

On the Edit Accounts Menu, select Add

Page 24

Enter a Name for the account Enter in the URL of your Storefront listed in the Stores menu.

The newly added Storefront Account is now listed

Page 25

If Pass-Through is not enabled, the end user will need to login with their domain credentials

Published applications and desktops are now available to be launched

Page 26

Receiver for Web In addition to accessing Receiver Storefront stores within Citrix Receiver, users can also access Stores through a web page. This Proof of Concept guide focuses on Windows users because they are able to access Storefront via both Receiver and Receiver for Web (via website). If users of any other operating systems such as Mac, iOS, or Linux require access, either the PNAgent URL enabled via legacy support or the Receiver for Web site must be used. A website is created using the following instructions:
Receiver for Web Configuration Screenshot 1

Description Select Create Website under the Actions menu

Select the Store that the Website will serve Choose a Website path Select Create when finished

Page 27

The following screen will appear when the Website has been created successfully The URL for the Website is also displayed

The newly created Website is now listed

Page 28

At this point, Citrix Receiver Storefront can be accessed via the Website URL. As long as the User name and Password authentication method was selected earlier, a user can logon and access their applications or desktops The Storefront is not ready at this point to be accessed from Citrix Access Gateway

Section 4: Configure Citrix Access Gateway Authentication

To enable connections through Access Gateway, the Receiver Storefront configuration must be updated with URLs outside of the corporate network to be used as Beacon points. Citrix Receiver uses Beacon points to determine whether users are connected to internal or public networks and then selects the appropriate access method. If the internal Beacon, which is the internal hostname (cloudgateway.ccslab.net) can be resolved, Receiver connects locally and not through Access Gateway. The following steps include configuring Beacons & enabling remote access through Access Gateway:
Remote Access Configuration Screenshot 1

Description Select Add Gateway Server

Page 29

Enter a Display name for the Gateway server Enter the Gateway URL for the Access Gateway server. This is the address from which users will be accessing the environment Choose the deployment mode: Appliance Select Set server as Access Gateway Enterprise Edition Enter in the SNIP or MIP address configured on your NetScaler Select Next

Enter the FQDN of the Access Gateway server Select Next

Page 30

Choose to enable Session reliability or the ability to request tickets from two STAs Select Add to enter in a STA server

Enter in the STA URL Select OK

Page 31

Select Finish

The newly created Gateway is now shown Before a Store can be assigned to the Gateway, two Beacons must be configured To do this, select Beacons from the left menu

Page 32

Select Manage Beacons

Select Add

The internal beacon is automatically configured to be the internal hostname

10

Enter in any URL that can be resolved on the public Internet Select OK

Page 33

11

Repeat Step 10 again so that there are two Beacon URLs listed Select OK

12

The two Beacon URLs are now listed Now remote access must be enabled for the Store Select Stores from the left menu

13

Select Enable Remote Access

Page 34

14

Click the Gateway created earlier Select OK

15

Back on the Gateways menu, Used By Stores is now set to Yes

Page 35

Section 5: NetScaler Load Balancing Configuration

This section will give an overview of the steps necessary to configure a NetScaler to load balance a CloudGateway Express deployment. 1
Select Service Groups from the Load Balancing feature menu Select Add from the bottom menu

First, select a name for the Service Group Change the Protocol from HTTP to SSL Under Specify Members, enter the IP address, port number, and weight for one of the Receiver StoreFront servers Select Add when all the information has been entered

Page 36

Once the second Receiver StoreFront server has been added, select Monitors

Select a monitor such as https Select the Advanced tab

In the Settings box, select Override Global Check Client IP Header Type in X-Forward-For Select the SSL Settings tab

Page 37

Select the appropriate SSL certificate that corresponds to your load balancing hostname Select Create when all the steps have been completed

Select Virtual Servers under the Load Balancing feature menu Select Add

Page 38

Select the Service Groups tab Enter in a Name for the Load Balancing vServer Select the Service Group created earlier In the Protocol dropdown box, select SSL Choose an IP address for the vServer Select the Method and Persistence tab

At the bottom under Persistence, choose SourceIP Choose None under Backup Persistence Select the SSL Settings tab

Page 39

10

Select the corresponding SSL certificate and click Add Select Create

11

The newly created vServer is now able to be used

Page 40

Design Considerations
As discussed earlier, while CloudGateway Express offers new functionality such as application subscriptions, it does have some additional considerations that need to be taken into account. For these reasons, it is important to properly choose the users who should be a part of the proof of concept. Since Windows and Mac are the only operating systems that currently support direct access to stores through Citrix Access Gateway, it is recommended that the proof of concept be limited primarily to these users in an effort to showcase the consistent user experience across access methods. Other operating systems and earlier Receiver clients require legacy support to be enabled for users to access applications remotely. Direct access to stores through mobile devices on iOS and Android is supported when connecting from the internal network. It is recommended that the user base be restricted primarily to XenApp users since Receiver Storefront currently is limited in some of XenDesktop features such as desktops restarts, Desktop Group, and visual separation of desktops and applications, but it should be noted that these features will be incorporated in the future.

Remote Users
Users can access their resources from either their locally installed Citrix Receiver or via the Receiver for Web site. For an optimal deployment that allows users to easily connect from inside and outside the organization, it is recommended that a Receiver Provisioning file be used. This file can either be distributed by the administrator or manually downloaded by the end user. This file contains information that allows Citrix Receiver to determine if the user is located on the corporate network or if a remote connection should be made through Access Gateway. This decision is made using the beacon addresses specified during the Gateway configuration on the Receiver Storefront panel. If the internal beacon can be resolved, Receiver will connect using the local address. If the internal address cannot be resolved, Receiver will instead make a connection through the Access Gateway URL specified during the setup of Gateways inside the Receiver Storefront console. For more information on configuring the Receiver Provisioning file, please reference Citrix eDocs.

Conclusion
CloudGateway Express should be piloted to users that are constantly switching between multiple devices and would like to have a consistent access experience. Citrix Consulting currently recommends installing CloudGateway Express for the aforementioned user group in parallel to the existing Web Interface environment to ensure that administrators start to become familiar with the new technology and features. Citrix Consulting strongly recommends a full analysis of user needs and CloudGateway Express 1.2 version functionality before migrating users away from Web Interface. By developing an understanding the CloudGateway Express now in a proof of concept

Page 41

capacity, administrators will be better prepared for the Web Interface migration process they will be facing in the future.

Acknowledgments
Citrix Consulting Solutions would like to thank all of the individuals that offered guidance and technical assistance during the course of this project - Carisa Stringer, Ray De Varona, Peter Schulz, and Adolfo Montoya. Additionally, thanks go to Peter Smeryage who helped with the build out of the environment.

References
How to Configure Access to Citrix Receiver StoreFront 1.0 through Access Gateway Enterprise Edition: http://support.citrix.com/article/CTX131908

Revision History
Revision 1.0 1.2 Change Description Initial Document Document Update Updated By Citrix Consulting Solutions Citrix Consulting Solutions Date March 27, 2012 April 12, 2012

About Citrix Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on-demand service to any user, in any location on any device. Citrix customers include the worlds largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2009 was $1.61 billion. 2012 Citrix Systems, Inc. All rights reserved. Citrix, Access Gateway, Branch Repeater, Citrix Repeater, Citrix Receiver, HDX, XenServer, XenApp, XenDesktop, XenClient and Citrix Delivery Center are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners. Page 42