Home » WALK THROUGH » Page 2


Citrix NetScaler Certificates – Submit to 3rd Party CA

Submitting the CSR to a 3rd party CA – Comodo Free SSL

We now need to take our CSR created in the previous section and submit that to a 3rd Party Certificate Authority or CA to verify our CSR and provide us with a certificate response we can combine with our CSR and generate the SSL certificate. For the purposes of this demonstration we will use Comodo as our 3rd Party CA, however there are many vendors you can choose from some are free (with restictions) others you must pay for your certificate(s).

Step Description Screenshot
 1 First we need to download our CSR for easy access from the NetScaler

Expand Traffic Management > SSL > SSL Files > CSRs tab

Tick the newly created .csr file and click Download

 2 We are going to browse to comodo and apply for a FREE SSL Certificate https://ssl.comodo.com/free-ssl-certificate.php
 3 Click the big Free Trial SSL button
4 Open the downloaded CSR file from step 1 and copy and paste the entire contents into the Comodo SSL site

Select Citrix as the Server software

Click Next

5 Comodo will then perform a domain ownership verification

In the example shown to keep it simple I will select the registered email address for jsconsulting.services from (WHOIS)

6 Enter your details for registration of the Certificate and for access to the COMODO SSL Site

7 Read the terms thoroughly and Accept if you are ready to continue
 8 Validate the email sent to your WHOIS registered email

 9 Download the CSR Files as a zip


If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Citrix NetScaler Certificates – Install your CA Response Cert

We will now take the Certificate response file (CRT file) from our 3rd party Certificate Authority (CA) and install it onto the NetScaler device, then using both the CRT and Private key to combine and finally create a fully functional NetScaler certificate.

Step Description Screenshot
 1 Expand Traffic Management > SSL > SSL Files

Click Upload

2 Browse for your Certificate file (provided by your 3rd Party CA)

Click Open

Note: The file is uploaded to the NetScaler but not yet usable!

3 Browse to Traffic Management > SSL > Server Certificates

Click Install

4 Give the new ‘Server Certificate’ a unique easily identifiable name

Certificate File: Choose the Certificate you just uploaded in step 2

Key File Name: select your private key file that is on the NetScaler

Provide the private key password

Click Install

5 Your certificate is now installed and ready to be used on NetScaler services, VIPs, NetScaler gateway etc.

Enabling SAML Authentication for AWS AppStream 2.0 with OKTA

OKTA – Create Application

Step Description Screenshot
PRQ Generate metadata from Okta
 1 Be sure to be accessing the ‘Classic UI’ and not the developer console

2 Click Add Applications
3 Search for ‘appstream’

Click Add

4 Provide Application label

Click Done

 5 Click Sign On tab
6 Click Identity Provider metadata

Save the metadata file locally (you will upload this to AWS configuration)

AWS – Create SAML Provider

Step Description Screenshot
PRQ Generate metadata from Okta (above steps)
 1 Open AWS Console

Click IAM

2 Click Identity Providers

Click Create Provider

 3 Choose Provider Type: SAML

Give Provider a Name: <Name>

Upload your okta_metadata.xml file

4 Click Create

Note your ProviderARN

5 You will be taken back to the identity providers screen
6 Click on the provider name ‘Okta’

Take note of your Provider ARN

AWS – Create Policy and Role

Step Description Screenshot
7 In IAM Click Policies

Click Create Policy

8 Click Create Your Own Policy
 9 Give your policy a recognisable Name, Description and paste the policy details as provided

This will give users access to all published stacks

You can change the resource from* to your specific stacks like this:

“Resource”: “arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME“,

10 Policy Details:

This gives users access to stream AppStream apps and to access all Stacks and resources within.

“Version”: “2012-10-17”,
“Statement”: [
“Effect”: “Allow”,
“Action”: “appstream:Stream”,
“Resource”: “*”,
“Condition”: {
“StringEquals”: {
“appstream:userId”: “${saml:sub}”,
“saml:sub_type”: “persistent”
11 Click Roles

Click Create Role

 12 Click Saml 2.0 federation
13 Select your SAML Provider created previously

Tick ‘Allow programmatic access only’

Type in Attribute ‘SAML:aud’

Value: https://signin.aws.amazon.com/saml

Click Next: Permissions

 14 Select the Previously created AppStream Policy

Click Next: Review

 15 Click Create Role
16 Click onto the Role Name and take note of the ARN


OKTA – Configure Application

Step Description Screenshot
17 Take your ARN from both steps 12 and 22

And combine them separated with a comma

I.e. roleARN,providerARN


For example if your Role ARN is:

arn:aws:iam::123456789012:role/OktaAppStreamUsers and your IDP ARN is arn:aws:iam::123456789012:saml-provider/OKTA, enter (no white spaces):


18 In the Okta Console under your Application

Click the Sign On tab

19 Click Edit
20 Provide the Default Relay State for your appstream sessions


Appstream infrastructure is based in Ireland eu-west-1

AppStream stack is called Appstream

Account id is 123456789123

Our Relay State URL example


See AWS Documentation

21 Provide the Role ARN and Idp ARN


Select Application username format: Okta username

 22 Click Save
 23 Assign this application to your Okta users

Click Assignments Tab

Click Assign to People/groups

Click Assign button against each Okta user you want to have access to this new app.


Okta Guide –


AWS Guide – http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms

Firmware Upgrade a Citrix NetScaler High Availability Pair

In this section we will walk through how to perform a simple firmware upgrade of the our Production NetScalers which are in a HA availability pair.

Upgrading the Passive node first, disabling HA sync, rebooting then confirm the device is OK before forcing a HA failover and repeating the upgrade steps on the other NetScaler.

Step Description Screenshot
 1 Download the latest firmware for Citrix NetScaler VPX
2 Open a PuTTy session and SSH to the Passive NetScaler and login as nsroot

Type ‘shell’

3 browse to /var/nsinstall by typing

‘cd /var/nsinstall’

 4 Create a new directory called 12nsinstall


‘mkdir 12nsinstall’

 5 Open WinSCP
6 Browse to the newly created directory in the WinSCP console /var/nsinstall/12nsinstall

Upload the NetScaler firmware downloaded in step 1

7 When copying completes

extract the tar file


‘tar -zxvf ./build-12.0-41.22_ns_32.tgz’

8 Stop the replication between the NetScalers set ha node -hasync disabled

Note: newer versions of NetScaler will do this automatically when they detect a Version mismatch.

 9 Once extraction is complete run the upgrade script

type ‘./installns’

10 Reboot the NetScaler

Type ‘y’ and press enter / return key

11 Ensure the NetScaler has rebooted without errors or issues and then failover the NetScalers.

From the NetScaler shell type ‘force HA failover’

12 Repeat all the above steps on the other NetScaler (the now passive server)


If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Configure NetScaler Gateway SAML to Google with Citrix Federated Authentication


 * Citrix FAS Service installation
 * XA/XD 7.6 or newer
 * StoreFront 3.6 or newer (I’ve tested with 3.9)
 * SAML Provider acting as the iDP (Google in this instance)
 * NetScaler Gateway configured as the SAML Service Provider (SP)
 * Active Directory Certificate Services
 * Access to edit Windows GPOS and OUs to assign the CFAS service its service location

Install The Citrix Federated Authentication Service (CFAS)

Step Description Screenshot
Mount the XA/XD ISO on your server and select the Federated Authentication Service
Read the license agreement and make your choice
Click Next
Click Next
Click Install
Click Finish
Create the GPO to point the FAS server to itself (see step 9)

When the GPO exists the ‘address’ field will be filled in for you automatically

Copy the Citrix ADMX files from C:\Program Files\Citrix\Federated Authentication to Active Directory

c:\windows\policydefinitions Service\PolicyDefinitions


Edit group policy to have the server point to itself for FAS

open gpmc.msc

browse to Computer > Administrative Templates: Policy> Citrix Components > Authentication

Enter the DNS server address of the server hosting the FAS service (as per screenshot)

Note: the VDA(s), the StoreFront and the FAS server all need to have this policy applied

run gpupdate /force
Right click the CFAS Administration console and always Run As Administrator
You should now have the CFAS server listed

Click OK

Click on Step 1 – Start Button
Click OK
You can verify the creation of the templates in ADCS
Once this is completed without errors click Start on Step 2
Click OK
Finally click Start on Step 3
Click OK
The console is waiting for the request to be approved (issued) from the AD Certificate Services
Log into the ADCS and Approve the pending Certificate request

Right click the Pending request

Select All Tasks

Select Issue

Step 3 will go green
Click the User Rules tab and configure CA, CT and Access Control Lists if appropriate
Click Edit and Add the StoreFront Server to be able to use the ‘rule’

Remove domain computers as they will be set to ‘deny’

Click Apply

Create NetScaler SAML Policy to 3rd Party iDP (Google)

In this section we will create a new SAML Policy for the NetScaler to use Google as the SAML iDP.

Note: this cannot currently be bound to a Gateway when using the NetScaler RFWebUI ‘theme’.

Step Description Screenshot
Connect to admin.google.com
Click Apps
Click SAML Apps
Click the + to add a new SAML Application
Select Setup my own custom app
Take note of the IDP data you are provided and copy and paste your URL

Be sure to DOWNLOAD the Certificate and save this for uploading to the NetScaler later.

Describe your new app
Note: the default ACS URL for the NetScalers must have a trailing /cgi/samlauth
Click Finish

Summary of the App SSO Setup in the Google admin panel
Be sure to enable the new Application

click the three dots


ON for everyone

Note: this new configuration will take up to 24 hours to be available. Prior to this being ready you may get a ‘user not found’ message.

Note: users will have access to a shortcut to this new app in their Google Console
Upload the Google IDP Certificate to the NetScaler
Install the CA Certificate
Here you can see the certificate installed as another CA Certificate
Expand NetScaler > Security>AAA – Application Traffic>Policies>Authentication>Basic Policies>SAML>Policies>Servers

Enter appropriate details for your new SAML profile

Note: the redirect URL and Single Logout URL will be unique to your Google account

Create a new SAML Authentication Policy

set the expression of this policy to ns_true

Link that to the newly created Google SAML Server

Bind this policy to your NetScaler Gateway

Click the + against Basic Authentication

Note: You may need to remove other Authentication policies (like LDAP) from the bound authentication before adding the SAML policy as the Primary method.

Choose SAML

Choose Primary

Click Continue

Select the SAML binding
Edit the NetScaler Gateway Session Profile (Session Server) and blank the Single Sign On Domain field

NetScaler Gateway > Click Session Policies

Select the policy and edit the profile
Ensure Single Sign-on Domain is empty
Ensure your google email matches your AD User Logon Name
If not you can add a new UPN for the domain from Active Directory Domains and Trusts
Add any Additional UPN suffix you may require to match your google email sign-in

Configure StoreFront to Delegate Authentication to NetScaler

Step Description Screenshot
Open Citrix Studio or StoreFront management
Select your Store and left click Manage Authentication Methods
Click Passthrough from NetScaler Gateway > Configure Delegated Authentication
Click OK
Note: You will need to trust requests sent to the DDC XML Ports for all DDC Servers.


RDP to each Delivery Controller as a Citrix or local administrator

Open Powershell

type ‘asnp Citrix*’

type ‘Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Note: You can verify if this was successful by running get-brokersite

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Setup NetScaler Gateway VPN to use an LDAP Authentication Policy

Step Description Screenshot
 1 Let’s Bind the LDAP_NetScaler_Users policy now to this VPN / Gateway

(see previous posts on the creation of a LDAP policy, the one listed above is an example name based on our other posts)

2 Browse to the gateway and click Edit
3 Click the + on Basic Authentication

Choose LDAP as policy

Choose Primary Authentication

Click Continue

4 Select the LDAP policy you have created for NetScaler Users (and not administrators)
 5 Click Done
 6 Test and confirm
7 We must create an AAA Group and bind an authorisation policy to this group

Expand NetScaler Gateway > User Administration > AAA Groups

Click Add

8 Create a group name that MATCHES (Case sensitive) the AD group specified in the LDAP Policy/Profile

Click OK

 9 Attach the Authorization Policy to this group

Click + Authorization Policies on the right

10 Click the > to bring up the policy selection window
 11 Select the Authorization Policy previously created
12 Click Bind
13 Click Done

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Configure NetScaler Gateway with Split Tunnelling

Step Description Screenshot
 1 In order that our users devices know which network is ‘local’ and which network is remote we need to define our remote network resources
2 First we ensure that split tunnelling is enabled

NetScaler gateway > Global Settings > Change Global Settings

Click the Client experience tab

Change Split Tunnel* to ON

Click OK

3 Expand NetScaler gateway > Resources > Intranet Applications

Click Add

4 Here we add the remote networks we want the users / VPN tunnel to have access to when the Gateway client is logged on

In this example we will use the full home.local network

Click Create

5 Browse back to NetScaler gateway > Global Settings tab

Click Define intranet applications…

6 Click Add
 7 Click the Right Arrow (or the + symbol next to the Resource) to include the new Intranet Resources for our Split Tunnel
8 Click OK
 9 Save your NetScaler configuration
 10 Test your VPN connectivity

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]


Install the NetScaler Gateway Plugin for Microsoft Windows


Item Description
 * You should be a local administrator of the device where you are install the gateway plug-in

Step Description Screenshot
1 Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from)

Open a web browser to the NetScaler VIP


2 Select Network Access
3 Click Download
4 Click Run
5 Click Install

Note: You must be a local administrator to install this Software

6 Click Yes to any Windows UAC prompts
7 Click Finish
 8 The Gateway VPN will connect automatically and the web page will display the NetScaler VPN Home Page.

Configure Citrix NetScaler Unified Gateway – ICA Proxy


Item Description
 * DNS is configured on the NetScaler correctly
 * The internal or private IP Address of the VIP assigned to the NetScaler Gateway *
* Know the details of your Citrix Server STA (our Citrix DDC(s))
 * Firewall ports are open between the NetScaler and the StoreFront server
 * StoreFront already configured and setup (otherwise retrieve attributes doesn’t work)

In this section of the course we will connect the NetScaler Unified Gateway to our Citrix XA/XD Environment for ICA Proxy (Citrix sessions, no VPN).

Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Unified Gateway.

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps

Create the NetScaler Unified Gateway – Wizard

Step Description Screenshot
1 Log into NetScaler

Click Unified Gateway in the Left Pane under ‘Integrate with Citrix Products’

2 Click Get Started
3 Click Continue
 4 Enter the following details as appropriate for your configuration
Use the existing certificate already installed

Click Continue

 5 Select the appropriate LDAP server

Click Continue

6 Change Portal Theme to the New RFWebUI

(note RFWebUI does not currently work with SAML)

7 Click the + Icon
8 Select XenApp & XenDesktop

Select Integration point as StoreFront

 9 Enter the Details of your XA&XD STA and StoreFront server URLs then click Retrieve Stores

Receiver for Web Path will appear and be validated providing it can contact your Storefront server

Click Continue

Click Done
 10 You will be returned to the Applications Page and a StoreFront application will appear
11 Click Continue
12 On the summary page click Done
 13 Access the Unified Gateway Page and check you can log into the NetScaler page
14 Select Clientless Access

Click Desktops and ensure you can see your XA&XD Desktops

Load the desktop to ensure a full end to end test is performed


If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Deploy a Citrix StoreFront Server for Citrix NetScaler Access

In the following steps we will detail how to configure a stand alone installation of Citrix Storefront and give examples of how to connect this to your Citrix NetScaler

Step Description Screenshot
1 Open the Citrix StoreFront Console

Expand Citrix StoreFront

Click Stores

Click Create Store

2 Click Next
3 Give the store a name

Select Set this receiver for Web site as IIS Default

Click Next

4 Click Add

On the Add Delivery Controller screen click Add

Add Delivery Controllers FQDN

Untick Servers are load balanced

Select Transport type as HTTP

(you should use HTTPS if the SF server is in a DMZ or for extra security)

Click OK

 5 Click Next
 6 Enable Remote Access

Ensure Allow Users to access resources only delivered through StoreFront (No VPN Tunnel) is selected

Click Add

7 Enter details for the new gateway

Example: my gateway is called gateway.jsconsulting.services and the URL is https://gateway.jsconsulting.services

Click Next

 8 On the STA Screen

Click Add

Enter the FQDN of the Citrix XA/XD server

 9 Enter the FQDN of the STA server

Click OK

10 Untick Load balance multiple sta servers

Tick Enable session reliability

Untick request tickets from two stas, where available

Click Next

 11 Enter the NetScaler details – Leave logon type as domain

Enter Callback URL as the same entered in step 6 https://gateway.jsconsulting.services

Click Create

12 Click Finish
 13 Ensure default appliance is the NetScaler appliance created / added in steps 1 through 12

Click Next

 14 Ensure that both methods of Authentication are selected – Username and password and Pass through from NetScaler Gateway

Click Next

15 Leave both options ticked

Click Create

16 Click Finish
 17 Back in the StoreFront console click Receiver for Web Sites tab and copy your StoreFront URL

Open your internet browser and test this URL




If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]