Tutorial: Implementing a secure StoreFront Website on server 2012R2 behind NetScaler

3 Jun

At the moment I’m preparing for my CCE exam and one of the things I like to do is perform several setups. For this tutorial I implemented a XenDesktop & XenApp 7.5 server, a StoreFront server and a virtual NetScaler with a developer license. I already have a CA in place for my self-signed certs, the domain-joined machines automatically trust the Root CA cert, and a Domain Controller is in place.

The goal of the tutorial is to get the StoreFront websites running on SSL. The XML traffic should be encrypted and the NetScaler has to connect to the StoreFront servers through SSL. Let’s start!

ENROLLING MACHINE CERTIFICATES

First you need computer certificates on your Delivery Controllers. Assuming your Certificate Authority is online and configured properly, this isn’t a hard job. Fire up the Microsoft Management Console (mmc), select the option to add a snap-in and add the Certificates snap-in.

Choose to manage the certificates of the computer account. Next select the local computer.

Unfold the Personal store and right-click Certificates. Select Request a new certificate.

Select your AD Enrollment Policy and choose to enroll for a Computer certificate (this template is configured for Server Authentication and Client Authentication).

You have to repeat these steps for all your StoreFront and Delivery Controller servers.

ENABLING HTTPS ON STOREFRONT

To enable SSL (HTTPS) on your StoreFront website you need to fire up IIS and edit the bindings of the StoreFront site. In my case the StoreFront site is part of the Default Web Site. Open the bindings of the default website and add or edit the 443 (https) binding. Make sure to select the correct SSL certificate.

Now that your IIS website is configured you need to configure the Base URL of your StoreFront. Right-click Server Group and select Change Base URL. Then configure the correct URL (it must correspond to the Common Name of the certificate).

You can verify that the service uses SSL by selecting the Stores section.

ERRORS ENCRYPTING STOREFRONT

Failed to run discovery
Citrix.Web.DeliveryServicesProxy.ConfigLoader.DiscoveryServiceException, ReceiverWebConfigLoader, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null
An error occured while contacting the Discovery Service
at Citrix.Web.DeliveryServicesProxy.ConfigLoader.Discovery.AppendConfigurationFromDiscoveryService(WebReceiverConfigSection section)
at Citrix.Web.DeliveryServicesProxy.ConfigLoader.Discovery.RunDiscovery(WebReceiverConfigSection configSection)
at Citrix.Web.Proxy.Filters.DiscoveryComplete.OnAuthorization(AuthorizationContext filterContext)

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Url: https://<>/Citrix/<>
ExceptionStatus: TrustFailure
at System.Net.HttpWebRequest.GetResponse()
at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(String url, String token, HttpRequestParameters options, Object requestData, CookieContainer cookieContainer)
at Citrix.DeliveryServicesClients.Discovery.RequestHandler.DiscoveryHttpRequestHandler.GetDocument(String url)
at Citrix.Web.DeliveryServicesProxy.ConfigLoader.Discovery.AppendConfigurationFromDiscoveryService(WebReceiverConfigSection section)

Solution: This was a bit of a stupid mistake. I did not use the FQDN in the Base URL: I used https://server instead of https://server.domain.local and got this big red event in the event log. Changing the Base URL so that it corresponds to the common name on the certificate fixed this error.

ENCRYPTING TRAFFIC BETWEEN STOREFRONT AND THE DELIVERY CONTROLLERS

Well, this isn’t as simple as just selecting HTTPS when configuring your Delivery Controllers. I got several errors trying to get this to work. You will get a message after authenticating on your StoreFront site telling you that ‘There are no desktops or applications available’.

The errors I ran into:

An SSL connection could not be established: The server sent a security certificate identifying external.domain.name, external.domain.name, external.domain.name, but the SSL connection was to pc1.domain.local.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Solution: In this case another IIS website was listening on port 443 and had a different SSL certificate bound to it. Remove the binding or configure the website on a different IP address (not * or 0.0.0.0).
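A check for both of the certificate errors above (the Base URL not matching the certificate, and a second site on the same IP:443 with a different certificate), added here as an example and not part of the original post. It lists every HTTPS binding in IIS with the certificate it uses; $BaseUrl is an assumed value that you replace with your own Base URL.

```powershell
# Added check, not from the original post: inspect every HTTPS binding in IIS.
# Assumption: $BaseUrl is the value configured under Server Group > Change Base URL.
Import-Module WebAdministration

$BaseUrl  = 'https://server.domain.local'   # replace with your own Base URL
$hostName = ([uri]$BaseUrl).Host

$bindings = foreach ($site in Get-Website) {
    foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
        $ip, $port, $hostHeader = $b.bindingInformation -split ':'
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object Thumbprint -eq $b.certificateHash
        # DnsNameList holds the CN plus every SAN dNSName entry of the certificate
        $names = @($cert.DnsNameList | ForEach-Object Unicode)
        [pscustomobject]@{
            Site        = $site.Name
            IPPort      = "${ip}:${port}"
            Thumbprint  = $b.certificateHash
            Subject     = $cert.Subject
            DnsNames    = $names -join ', '
            MatchesBase = ($names -contains $hostName)
        }
    }
}
$bindings | Format-Table -AutoSize

# Error 1 (TrustFailure): no binding's certificate names cover the Base URL host
if (-not ($bindings | Where-Object MatchesBase)) {
    Write-Warning "No HTTPS binding has a certificate for $hostName; fix the Base URL or the certificate"
}

# Error 2 (certificate identifying another name): two sites share an IP:port with
# different certificates, so http.sys may present the wrong one to the XML client
$bindings | Group-Object IPPort | Where-Object {
    ($_.Group.Thumbprint | Select-Object -Unique).Count -gt 1
} | ForEach-Object {
    Write-Warning "$($_.Name) is shared by $($_.Group.Site -join ', ') with different certificates"
}
```

Run it on the StoreFront server and on each Delivery Controller that hosts an IIS site; a binding with MatchesBase False on the StoreFront server reproduces the first error, a warning from the second check reproduces the "identifying external.domain.name" error.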

An SSL connection could not be established: None of the SSL cipher suites offered TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA were accepted by the server.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Solution: I only found a way to work around this, but I think it should be fixed by Citrix. I applied a GPO to my Delivery Controllers that enabled SSL Cipher Suite Order. Just enable it (no modifications) and reboot the servers. In my case that fixed it.

All the Citrix XML Services configured for farm XenApp 7.5 failed to respond to this XML Service transaction.

Solution: This was the most complicated one to fix. Although my Broker Service was listening on port 443 I still got this error. To fix it you need a few things. First you need the GUID of the Broker Service. Fire up a command prompt and run the command wmic product list. You will see something like:

Citrix Broker Service {06CA1147-C38E-4196-8F96-6813444B60C9}. You need the GUID in curly braces.

Next you need the thumbprint of your machine certificate. Use the same procedure to fire up the Certificates MMC and open the machine certificate. On the Details tab you will find the thumbprint. Copy/paste it to Notepad and remove the spaces. Beware of a question mark when pasting the thumbprint into the command prompt: the MMC copies an invisible character along with the thumbprint, and it has to be removed as well or netsh will reject the hash.

Fire up an administrative prompt and run the following commands. Replace 192.168.1.10 with your own IP address. The 0.0.0.0 entry binds all 443 traffic to the Broker Service.

netsh http add sslcert ipport=0.0.0.0:443 certhash=0038eb3cbb2f82a02846c95bc4afa9ea3f8bf742 appid={06CA1147-C38E-4196-8F96-6813444B60C9}
netsh http add sslcert ipport=192.168.1.10:443 certhash=0038eb3cbb2f82a02846c95bc4afa9ea3f8bf742 appid={06CA1147-C38E-4196-8F96-6813444B60C9}
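The same three steps scripted in PowerShell, as an added example that is not part of the original post: it looks up the Broker Service product GUID, picks the machine certificate for this host's FQDN straight from the store (so the invisible character that causes the question mark never reaches netsh) and binds it on both ipport values. $BrokerIp, the FQDN lookup and selecting the certificate by FQDN are assumptions.

```powershell
# Added example, not from the original post: bind the machine certificate to
# port 443 for the Citrix Broker Service without copy/pasting GUID or thumbprint.
# Assumptions: the certificate's CN/SAN contains this host's FQDN and $BrokerIp is
# the address the second netsh command should bind.
$BrokerIp = '192.168.1.10'   # replace with your own IP address
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Product GUID of the Broker Service (the same data 'wmic product list' prints).
#    Win32_Product is slow and triggers an installer consistency check; acceptable here.
$product = Get-WmiObject -Class Win32_Product -Filter "Name='Citrix Broker Service'"
if (-not $product) { throw 'Citrix Broker Service is not installed on this host' }
$appId = $product.IdentifyingNumber          # GUID including the curly braces

# 2. Machine certificate for this FQDN, taken from the store so no invisible
#    characters (the 'question mark' seen when pasting) can creep into the hash.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { ($_.DnsNameList | ForEach-Object Unicode) -contains $fqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn in LocalMachine\My" }
$thumb = $cert.Thumbprint -replace '[^0-9A-Fa-f]', ''   # defensive: hex digits only

# 3. Do not overwrite an existing binding silently; show what is already there.
foreach ($ipport in "0.0.0.0:443", "${BrokerIp}:443") {
    $existing = netsh http show sslcert "ipport=$ipport" 2>&1
    if ($existing -match 'Certificate Hash') {
        Write-Warning "$ipport already has an SSL binding:`n$($existing -join "`n")"
        continue
    }
    netsh http add sslcert "ipport=$ipport" "certhash=$thumb" "appid=$appId"
}

# Verify: both ipport entries should now list the thumbprint and the Broker appid
netsh http show sslcert
```

Run it in an elevated PowerShell on each Delivery Controller; if IIS already owns 0.0.0.0:443 on that box the script warns instead of replacing the binding, which is the situation the previous error describes.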

To finish up you need to add a StoreFront server in Citrix Studio for XenApp or XenDesktop. Don’t forget to use https 🙂

That’s it. You should have a working encrypted internal environment. Now for the External Part!

CONFIGURING STOREFRONT

Publishing StoreFront externally via NetScaler requires some configuration in StoreFront and on the NetScaler. First StoreFront:

In the NetScaler Gateway section of StoreFront configure a new NetScaler. Make sure the NetScaler Gateway URL (which is the URL you’ll use to connect to the NS externally) matches the common name of the certificate you’re using on your NetScaler. This can of course be self-signed, but it’s easier to purchase one from a commercial CA. Configure the NS version and the logon type. Now the important part is the callback URL. This can be the same URL you are using as the NetScaler Gateway URL, as long as the StoreFront server can reach that IP address to complete authentication.

If you are in a setup where your NetScaler is in the DMZ and your SF server cannot reach the NetScaler, your authentication will fail. What you can do to work around this (there might be other options) is create an additional NetScaler Gateway vServer for local use. For instance, if your public NetScaler is reached as netscaler.domain.com on public IP 123.456.789.123 and has the certificate netscaler.domain.com, create an additional NetScaler Gateway vServer with a private IP, e.g. 10.20.30.40, and assign the same name. Make sure 443 is allowed through your internal firewall and make sure the routing is in place so your StoreFront knows the route to your NetScaler. On this additional vServer you assign the same certificate as you use externally. On your StoreFront server you can then add an entry to the hosts file mapping netscaler.domain.com to IP 10.20.30.40. Now you can use netscaler.domain.com as the callback URL, the SF can reach the NetScaler and your authentication will succeed.

Next configure your STA. Make sure you use the same STA on your NetScaler and of course https 🙂

Finally, configure authentication in the Authentication section of StoreFront.

And last but not least….

CONFIGURING THE NETSCALER

I will only cover the NetScaler Gateway configuration in this section. Your NetScaler needs to be up and running and have DNS configured. It should be able to reach your domain controller and your StoreFront server over https. You have a (self-signed or commercial) certificate in place and have reserved a public IP address for the NSGW, or configured e.g. port forwarding (like I did in my case: just forward 443 to a private IP). And of course the NetScaler should be licensed.

OK, first configure an LDAPS authentication server. Configure the Base DN to the OU where your users reside. Configure a read-only account to read AD. Configure port 636 and do not forget to select SSL.

Create the authentication policy for the LDAPS server with the expression ns_true (authentication must pass).

Next navigate to Session Policies and add a Session Profile. In the security section select Secure Browse (not strictly necessary, but hey, it’s secure). Also set the default authorization action to ALLOW.

In the Published Applications tab set ICA Proxy to ON and enter the https address of your StoreFront web server. Also configure a Single Sign-on Domain, e.g. if your domain is domain.local just enter DOMAIN.

And again add a Session Policy with the expression ns_true (applies to all sessions).

Now it is time to add the NetScaler Gateway vServer. Add the vServer, configure the IP, use protocol SSL and select the certificate.

On the authentication tab insert your authentication policies and don’t forget to enable authentication.

On the Policies tab insert your session policy.

On the Published Applications tab add your STA.

And there you go. You should now have a working StoreFront environment that you can externally reach through your NetScaler!