NetScaler SSL VPN & Citrix Presentation Server
Deployment Guide
NetScaler SSL VPN front-ending ICA Proxy
A Technical Guide for Secure Multiuser Portal Traffic

Notice:
The information in this publication is subject to change without notice.
THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (CITRIX), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.
Copyright 2007 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.

Table of Contents

Introduction
Prerequisites
Network Diagram
NetScaler Configuration
  Deployment Model: Netscaler Two-Arm Mode
  Important NetScaler IP Addresses
  IP Addresses, Interfaces and VLANs
  Configuring NetScaler SSL VPN
  Creating the SSL VPN Policy
  Installing the NetScaler Root Certificate
Citrix Presentation Server Configuration
  Setting up the backend applications
  Publish the Application on Citrix Presentation Server
  Add Users and Groups to Presentation Server
  CPS Host VLAN Tagging compatibility
  Connecting a second Citrix Presentation Server
  Routing users based on authentication credentials
  Securing Traffic Flows between portals/users
  Save your configurations
Appendix A - NetScaler Application Switch Configuration
Appendix B - Layer 2 Switch Configuration

Introduction
Citrix Presentation Server is the de facto standard for delivering Windows applications at the lowest
cost, anywhere. It offers both application virtualization and application streaming delivery methods
to enable the best access experience for any user, with any device, working over any network. By
centralizing applications and data in secure data centers, IT can reduce costs of management and
support, increase data security, and facilitate business continuity. Presentation Server allows IT to deliver
applications as a service, providing on-demand access to users, while affording IT the flexibility to
leverage future application architectures.
Citrix NetScaler optimizes the delivery of web applications, increasing security and improving
performance and Web server capacity. This approach ensures the best total cost of ownership (TCO),
security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive
network system that combines high-speed load balancing and content switching with state-of-the-art
application acceleration, layer 4-7 traffic management, data compression, dynamic content caching,
SSL acceleration, network optimization, and robust application security into a single, tightly integrated
solution. Deployed in front of application servers, the system significantly reduces processing overhead
on application and database servers, reducing hardware and bandwidth costs.
As enterprises and service providers move toward the path of consolidation, they will continue to look
for ways to do more with less. The most efficient piece of equipment in the datacenter to perform this
task is the Citrix NetScaler. The Citrix NetScaler acts as a secure portal that directs traffic, based on users'
authentication credentials, into specific Citrix Presentation Server farms on the backend, all coming out
of the same physical NetScaler port. Adding Citrix Presentation Server to the backend not only
extends the value of both products, but increases the capability for cost savings exponentially. While the
SSL VPN provides front end security and serves as an access gateway into the server farms, it continues
to provide multi-scalable capabilities in a single, tightly integrated solution because it sends all backend
traffic out one port on the back of the NetScaler. On the backend, we can have a myriad of CPS farms
installed on either physical or virtual machines, ready to accept the traffic coming from the
NetScaler. This deployment guide walks through the configuration details of how to configure the Citrix
NetScaler and Citrix Presentation Server to provide this type of integration and scalability, while keeping
the traffic separate and secure.

Prerequisites
NetScaler running version 8.0+. (Qty 1 for single deployment, Qty 2 for HA deployment).
Citrix Presentation Server, version 4.5+.
Windows Server 2003, SP2, NIC w/ VLAN Tag Support.
Windows Domain Controller, Active Directory (optional).
Client laptop/workstation running Internet Explorer 6.0+.
Layer 2 switch w/VLAN support.

Network Diagram
The following network was used to develop this deployment guide, and is representative of a solution
implemented at a customer site.

[Figure: network diagram. The labels recoverable from the figure are listed below.]

Primary NetScaler IP Addresses:
NSIP 10.217.104.100
SNIP 10.217.104.103
SNIP 169.145.91.239
SNIP 169.145.92.239

Secondary NetScaler IP Addresses:
NSIP 10.217.104.105
SNIP 10.217.104.105
SNIP 169.145.91.241
SNIP 169.145.92.241

Shared IP Addresses (Primary/Secondary NetScaler):
VIP 10.217.104.102

VLAN Legend:
VLAN 1: Interface 1/2, No Tag (10.217.104.0)
VLAN 4: Interface 1/4, Untagged
VLAN 91: Interface 1/4, Tagged, IP: 169.145.91.240
VLAN 92: Interface 1/4, Tagged, IP: 169.145.92.240

Topology labels: user1, user2 and Admin; Citrix NetScaler at https://10.217.104.102; VLAN trunk on
Interface 1/4; Citrix Presentation Servers srv1.citrixlabs.com (169.145.91.151, 0x91) on VLAN 91 and
srv2.citrixlabs.com (169.145.92.152, 0x92) on VLAN 92.

NetScaler Configuration
Deployment Model: Netscaler Two-Arm Mode
NetScalers can be deployed alone or as a pair to provide high availability. Always start with the first
NetScaler. The NetScalers in Two-Arm mode provide the utmost in site security, as they provide a full
reverse-proxy gateway to intercept incoming traffic before it is sent to the Application servers (CPS). The
NetScaler acts as an authentication point and an enforcement point using its own internal database, but
can also be integrated with third party authentication/authorization systems for highly granular security.
The sample deployment in this guide will make use of the NetScaler's own internal authentication database
combined with Session Policies for authorization and portal traffic direction.
There are three main components that require installation in this environment: the Citrix NetScaler(s), the
Layer 2 switch with VLAN trunking and tagging, and the Citrix Presentation Servers on the backend. We
will start with the NetScaler configuration, step-by-step.

1) Configure NSIP. Connect via serial port (Serial: 9600, n, 8, 1). Default login nsroot, nsroot.
Run the configns command (nsconfig if at a shell prompt), and set the NetScaler IP (NSIP).
In this example: 10.217.104.100.
Note: Changing the NSIP requires a reboot.

2) Connect to the NetScaler via the NSIP (Ethernet) using a web browser.
In this example: http://10.217.104.100
Default login is: nsroot, nsroot.
Note: Java will be installed.

3) Confirm licenses are installed. Navigate to NetScaler > System > Licenses.

4) Enable SSL VPN. Navigate to NetScaler > System > Settings > Basic Features > SSL VPN.

5a) Add IP Addresses that will be used on this NetScaler device. NetScaler > Network > IPs > Add.

5b) When finished, all Network IP Addresses should be visible.

Important NetScaler IP Addresses

Acronym: NSIP
Description: NetScaler IP Address
Usage: The NetScaler IP (NSIP) is the management IP address for the appliance, and is used for all
management related access to the appliance. There can only be one NSIP.

Acronym: MIP
Description: Mapped IP Address
Usage: The mapped IP address (MIP) is used by the Application Switch to represent the client when
communicating with the backend managed server. Mapped IP addresses (MIP) are used for server-side
connections and Reverse NAT. Think of this as the client's source address on the server-side of the
Application Switch, assuming a two-arm proxy deployment. In this example you can think of it as the
Tagged VLAN IP.

Acronym: SNIP
Description: Subnet IP Address
Usage: The Subnet IP address (SNIP) allows the user to access an Application Switch from an external
host that is residing on another subnet. When a subnet IP address is added, a corresponding route entry
is made in the route table. Only one such entry is made per subnet. The route entry corresponds to the
first IP address added in the subnet.

Acronym: VIP
Description: Virtual IP Address
Usage: The Virtual Server IP address (VIP) is used by the Application Switch to represent the public
facing IP address of the managed services. ARP and ICMP attributes on this IP address allow users to
host the same vserver on multiple Application Switches residing on the same broadcast domain.

Acronym: DFG
Description: Default Gateway
Usage: IP Address of the router that forwards traffic outside of the subnet where the appliance is
installed.

Note: NSIP is Mandatory and requires a reboot.

6) Assign a default route. NetScaler > Network > Routing > Routes > Add.

IP Addresses, Interfaces and VLANs

Assigning IP Addresses to Interfaces is done virtually through the use of port based VLANs.
By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces.
This VLAN is the default VLAN with a VID equal to 1.
When an interface is added to a new VLAN as an untagged member, the interface is automatically
removed from the default VLAN and placed in the new VLAN. This is a convenient feature:
when we plug the Netscaler into a Switch that is using VLANs with tagging, we only need to
check the box to turn on tagging. VLANs are typically used to separate subnet traffic.
In this example we will leave the default VLAN ID 1 for subnet 10.217.104.0. Here we create VLAN ID
91 for subnet 169.145.91.0. While we are there, it is easy to assign VLAN 91 to interface 1/4, and
assign the Mapped IP Address 169.145.91.240 by checking the "make Active" boxes. Since we are
connected to a switch that is using VLAN tagging, we turn on tagging.

7) Create VLANs and Assign Mapped IP Addresses to them. NetScaler > Network > VLANs > Add.
Note: For this example, we create VLANs 4, 91, and 92 - all are tagged, but only VLANs 91 and 92 have
MIPs associated with them. Interface 1/4 will be used as our 802.1q VLAN Trunk to the Layer 2 Switch.
The corresponding port on the Layer 2 switch will be configured for 802.1q Trunking as well.

8) Disable unused interfaces, and HA monitoring.

TIP: Disabling the blinking LCD Panel
The LCD panel on the front of the NetScaler will flash intermittently until the unused interfaces are disabled
and HA monitoring is turned off on them. In the GUI, navigate to NetScaler > Network > Interfaces.
Select an interface, right-click to disable. Right-click to Open, and disable HA monitoring.

Configuring NetScaler SSL VPN

9a) To configure the SSL VPN, navigate to NetScaler > SSL VPN. In the right-hand frame, select the
link <SSL VPN Wizard>.

9b) Next.

9c) Virtual Server IP (VIP). Here is where the public facing Virtual IP (VIP), SSL Port# and FQDN are
configured.

9d) To create an SSL Certificate, select the second button.

9e) Add the DNS Server IP Address.

9f) Create a user in the Local authentication database. The local database is used for our example.
Other authentication methods include RADIUS, LDAP, Active Directory, User Certificates and TACACS.

9g) View the summary screen and finish.

Creating the SSL VPN Policy

10) Creating the SSL VPN Policy. Navigate to NetScaler > SSL VPN. In the right-hand frame, select
<SSL VPN Policy Manager>.

10a) Under Available Policies / Resources, select Session Policies > right-click > Add.

10b) Create Session Policy by typing in the name of the new session policy.

10c) After typing in the Name, select New to add a new Request Profile. Type in a Session Profile name.
Select the Override Global check box next to Home Page, ICA Proxy and SmartAccess NT Domain.

Note:
In this example, we are using the SSL VPN to Proxy ICA connections, that is, stop the user, authenticate
them with the NetScaler web interface, then pass their sessions on to the backend Citrix Presentation
Server. This adds an extra level of security at the perimeter of the Citrix Presentation Server (CPS) farm.

Note:
i. We point the Client to the backend Citrix Presentation Server home page at
http://Srv1.citrixlabs.com/Citrix/AccessPlatform/.
ii. ICA Proxy is set to ON, because this SSL VPN is proxying ICA connections before they reach the CPS
on the backend.
iii. The Windows Domain is set to Srv1, because we are using local authentication on the CPS Windows
Server. To use Active Directory, insert the name of the Windows Domain Controller.

10d) After selecting Create, Close in Session Profile, you will return to Create Session Policy. Change
the named expressions to General, ns_true. Select Add Expression. Select Create, and Close.

10e) After the Policy is created, it must be enabled, and bound to the VPN Global, Configured Policies.
In the SSL VPN Policy Manager, in the left-hand frame, under Configured Policies / Resources, expand
the VPN Global tree. From the Available Policies / Resources, click-and-drag the new session policy to
the Configured Policies.

11a) Bind the Session Policy to the user created in the previous step. Navigate to Netscaler > SSL VPN >
Users. In the right-hand frame, select the user created in the previous step, and open the configuration.
Select New and create a group to place the user into. Add the user to the configured group.

11b) Select the Policies Tab and place a check next to the policy created earlier in the SSL VPN Policy
Manager. This will bind the Session Policy and Session Profile to the User when they authenticate on
the Netscaler.

11c) Open the SSL VPN Groups and assign the Session Policy to the group that the user belongs to.

Installing the NetScaler Root Certificate

In order for the client connection to work, the root certificate from the Netscaler must be installed in
the Trusted Root folder of the client's browser.

12) Installing the NetScaler Root Certificate in the client's browser.
a. Use WinSCP to connect securely to the Netscaler and download the root certificate you created in the
earlier step. The root cert is stored in /nsconfig/ssl with a filename of <filename>.cer-root.cert.
b. Launch Internet Explorer. Tools > Internet Options > Content > Certificates. Select the tab labeled
Trusted Root Certification Authorities. Select Import and import the certificate.

Citrix Presentation Server Configuration
Setting up the backend applications
It is assumed that installation has already been completed for CPS licensing, CPS Server, CPS Access
Management Console and CPS Web Interface. The CPS will need to be configured with an active
license file.

13a) To configure CPS, launch the Citrix Access Management Console and navigate to Citrix
Resources > Web Interface > right-click > Create site.

Note:
Before beginning this step, it is advisable to find out what port the Citrix XML service is running on. To
do this, from the Access Management Console, navigate to Citrix Resources > Presentation Server >
<server name> > Servers > <server name>.
Right click on the server name, and select Properties.
At the bottom is XML service.

13b) Select the type of site to create. For this example, we are creating an Access Platform site,
accessible through a Web Interface.

13c) Specify the IIS Location. For this example, we use the default. Notice the default directory
/Citrix/AccessPlatform matches the Session Profile in the NetScaler configuration.

13d) Specify Configuration Source. For this example, we use local files.

13e) Specify Authentication Settings. For this example we use the built-in authentication and access
control.

13f) Confirm Settings.

13g) Finish.

13h) Specify Initial Configuration.

13i) Specify Server Farm. Add the Server farm name, and the server to the farm.

13j) Select Application Type.

13k) Specify Access Method.

13l) Confirm Settings and Finish.

13m) Because NetScaler is configured to Proxy ICA Connections, we must change the Secure Client
Access method. From the Access Management Console, navigate to Citrix Resources > Configuration
Tools > Web Interface > http://<sitename>/Citrix/AccessPlatform. Perform a right-click > Manage
Secure Client Access > Edit DMZ Settings.

13n) Edit the default access method and change it from Direct to Gateway Direct.

13o) Set the Fully Qualified Domain Name (FQDN) on the Citrix Presentation Server. Navigate to Citrix
Resources > Configuration Tools > Web Interface > http://<sitename>/Citrix/AccessPlatform. Perform a
right-click > Manage Secure Client Access > Edit Gateway Settings.

13p) Add the FQDN and Secure Ticket Authority to the local Citrix Presentation Server. The FQDN
should point back to the NetScaler SSL VPN Gateway. The Secure Ticket Authority (STA) is configured
locally on CPS.
Note: Take notice of the use of port 8080 for XML in the URL.

13q) The STA must also be configured in the NetScaler SSL VPN Gateway. On the NetScaler GUI:
Navigate to NetScaler > SSL VPN. In the right frame select <SSL VPN Policy Manager>. In the left side
frame, navigate to Configured Policies / Resource > Virtual Servers > <access gateway name> > STA
Servers. Right click on STA Servers and Add the URL of the Citrix Presentation Server STA.
In this example, http://169.145.91.151:8080.
Note: The use of port 8080 for XML.

13r) On the local CPS machine, add entries into the /etc/hosts file for the local CPS. In this example,
169.145.91.151 equates to srv1.citrixlabs.com. Also, add entries into the NetScaler DNS table for the
backend CPS. Navigate to NetScaler > DNS > Records > Address Records > Add.

Publish the Application on Citrix Presentation Server

14) Publish the Application on the Citrix Presentation Server. From the Access Management Console,
navigate to Citrix Resources > Presentation Server > Servers > right-click > All tasks > Publish
Application on server. In this example, we published the server desktop.

Add Users and Groups to Presentation Server

On the CPS machine or Active Directory Domain Controller, add users and a group that will be given
access to this Citrix Presentation Server. In this example, we created a group named cps1, and
added users cps1user1, and cps1user2 to that group. These users will only have access to Citrix
Presentation Server Srv1. (For testing we used a password of netscaler1!).

Tip:
For a Local Authentication implementation on the Local Citrix Presentation Server, as we did in this
example, you do not need to add users and a group to the Domain Controller, but will add the users
and group to the local CPS. When logging into the Web Interface, instead of typing in a Domain, you
will type in the Server name. In this example, it would be Srv1 instead of Citrixlabs.

Note:
Be sure to add the cps1 group as a member of the Remote Desktop Users group, otherwise the
Application will not launch from CPS. The Terminal Services right is automatically a part of the Remote
Desktop Users group, which is necessary to launch CPS.

15) Add users and a group that will be given access to this Citrix Presentation Server. On the local
CPS1 machine we created local users local000srv1 and local001srv1 and added them to the
RemoteDesktopUsers group. If we were going to use the Active Directory Domain Controller, we would
have created a group named cps1, and added users cps1user1, and cps1user2 to that group. All of
these users, local or domain, will only have access to Citrix Presentation Server Srv1.

16) On the local Citrix Presentation Server, open the Group Remote Desktop Users and add the same
group. In this example, we added group cps1. If we were using Active Directory, we would have to
authenticate to the Domain Controller.

Note:
By default on Windows Server 2003, members of the Administrators and Remote Desktop Users
groups can connect using Windows Terminal Services. The Remote Desktop Users group contains
no users when it is initially created; you must manually add any users or groups who require Windows
Terminal Services access. If the users are not already members of the computer's local group,
you must also add them. Unlike Windows 2000 Server policies, the "Allow log on locally" policy (a
Computer local policy under User rights) no longer provides access to Terminal Service connections.
For additional information, see the Windows Server 2003 online documentation.

17a) Add the cps1 group (& users) to the Application in Citrix Presentation Server. From the Access
Management Console, navigate to Citrix Resources > Presentation Server > <servername> >
Applications > <servername> right-click > Modify Application Properties > Modify Users.

17b) Select Allow only configured users and click Add. Then double-click the domain to add users
from. In this example SRV1, the local machine. Double-click on Users and select the check box Show
Users. Double-click on the group to add it to this CPS Application, giving access to the users in that
group. In this example, we added Remote Desktop Group, which gives local users local000srv1 and
local001srv1 access to this CPS Application.

Note:
If we were using Active Directory, we would use the domain Citrixlabs, and add users from the Domain
Controller.

18a) To test the Citrix Presentation Server installation locally, change the Secure Client Access method
from Gateway Direct back to Direct and then launch the web interface
http://localhost/Citrix/AccessPlatform on the CPS server locally. Use the login credentials for the local
user, in this example, user: local000srv1, pass: local000srv1, domain: srv1. If we were using a Domain
Controller, we would login using domain credentials, user: cps1user1, pass: netscaler1!,
domain: citrixlabs.

18b) Successful login.

18c) Now, to run the Citrix Presentation Server through the NetScaler SSL VPN Gateway, change the
Secure Client Access method from Direct back to Gateway Direct and then launch a web interface
remotely from a client machine to the NetScaler virtual server. In this example https://10.217.104.102.
(This is our public facing VIP). In this example, the credentials to authenticate with the NetScaler SSL
VPN Local Db are u: user1, p: user1. Upon successful authentication the user is passed through to the
Citrix Presentation Server web interface for authentication on the local domain, where we again use the
login credentials for the user added to the domain controller. In this example, user: local000srv1,
pass: local000srv1, domain: srv1.
A successful logon will look something like this:

CPS Host VLAN Tagging compatibility

Make sure the server that CPS is installed on has a NIC that supports VLAN tagging if you are going
to plug it into an 802.1q tagged switchport. To simplify troubleshooting, it helps to change the MAC
address on the CPS host to contain the VLAN ID.
In this example, on our first CPS host we turned on VLAN Tagging support, and set the MAC address to
000000000091 to match the VID. When it shows up in the arp & bridge table in the NetScaler, we
know we are routing/bridging traffic correctly.

Connecting a second Citrix Presentation Server

Providing connectivity to a second Citrix Presentation Server farm through the NetScaler SSL VPN
Gateway, based on authentication credentials, requires the following:
a. Add another user and group to the NetScaler SSL VPN. In this example we used user2 and
partner2.
b. Add another SessionPolicy and SessionProfile on the NetScaler SSL VPN that points to the second
Citrix Presentation Server farm. In this example, we used SessionPolicySrv2 & SessionProfileSrv2.
The difference this time is we pointed the Client to the backend Citrix Presentation Server home page
at http://Srv2.citrixlabs.com/Citrix/AccessPlatform/.
c. Install and Configure the second CPS on a different server. In this example, the Second CPS resides
on a different server at IP Address 169.145.92.152, and on VLAN 92. We followed the same installation
steps as for CPS Srv1, only substituting Srv2, and IP Address 169.145.92.152.

Routing users based on authentication credentials

When completely finished, and accessing the NetScaler SSL VPN Gateway at https://10.217.104.102,
user1 will be directed to CPS Srv1 upon authentication. Additional authentication into the Srv1
domain will be required at Srv1 through the CPS Web Interface.
In addition, a user who launches another browser at https://10.217.104.102 and logs in as user2 will be
directed to CPS Srv2 upon authentication at the NetScaler SSL VPN Gateway. Here again, this user will
have to authenticate into the Srv2 domain through the CPS Web Interface.

Securing Traffic Flows between portals/users

To keep users on CPS farm1 from peeking into what is going on in CPS farm2, this is an important step.
It is also important to make sure VLANs are set up correctly on the Layer 2 switch, along with Trunking
on the Layer 2 switch port that connects to the NetScaler backend interface.

19) On the NetScaler GUI, backend interface 1/4, Trunking must be enabled. Navigate to NetScaler >
Network > Interfaces. Right-click on interface 1/4 > Open. Select Trunk, and Ok.

20) Layer 2 Mode and Layer 3 Mode (IP Forwarding) must be disabled on the NetScaler, otherwise
traffic from VLAN 91 can be forwarded to VLAN 92. On the NetScaler GUI, navigate to NetScaler >
System > Settings > Modes. Disable Layer 2 Mode and Layer 3 Mode.

The effect of this is to prevent users/partners from portal1, or CPS farm1, from roaming or hacking over
into other portals or CPS farms, such as CPS farm2. In this example, user1 cannot access any server
resources on the CPS farm in user2's portal.
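
The settings from steps 19 and 20 can be checked against a saved configuration. The following Python script is an added example, not part of the original guide or of any Citrix tooling: it parses NetScaler CLI lines of the kind listed in Appendix A and reports where Layer 2/Layer 3 mode, the trunk setting, the tagged VLAN bindings or the VLAN subnets would let farm traffic mix. The function names are hypothetical, the first sample is an abridged excerpt of Appendix A, the second sample is constructed, and the script assumes enabled modes appear on "enable ns mode" lines as they do in Appendix A.

```python
import ipaddress
from itertools import combinations

# Abridged excerpt of lines this guide lists in Appendix A.
PAGE_CONFIG = """\
enable ns mode FR MBF Edge USNIP PMTUD
set interface 1/4 -speed AUTO -duplex AUTO -haMonitor ON -trunk ON -lacpMode DISABLED
add vlan 91
add vlan 92
bind vlan 91 -ifnum 1/4 -tagged
bind vlan 91 -IPAddress 169.145.91.240 255.255.255.0
bind vlan 92 -ifnum 1/4 -tagged
bind vlan 92 -IPAddress 169.145.92.240 255.255.255.0
"""

# Constructed counter-example: L3 forwarding on, trunk off, VLAN 92 bound
# untagged and addressed inside VLAN 91's subnet.
DRIFTED_CONFIG = """\
enable ns mode FR L3 MBF Edge USNIP PMTUD
set interface 1/4 -speed AUTO -duplex AUTO -haMonitor ON -trunk OFF -lacpMode DISABLED
add vlan 91
add vlan 92
bind vlan 91 -ifnum 1/4 -tagged
bind vlan 91 -IPAddress 169.145.91.240 255.255.255.0
bind vlan 92 -ifnum 1/4
bind vlan 92 -IPAddress 169.145.91.250 255.255.255.0
"""


def _arg(tokens, flag):
    """Return the tokens that follow a flag (case-insensitive), or None."""
    lowered = [t.lower() for t in tokens]
    if flag.lower() not in lowered:
        return None
    return tokens[lowered.index(flag.lower()) + 1:]


def parse(config_text):
    """Collect enabled modes, trunk state per interface and VLAN bindings."""
    state = {"modes": set(), "trunk": {}, "ports": {}, "nets": {}}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0].startswith("#"):
            continue
        verb = " ".join(tok[:2]).lower()
        if verb in ("enable ns", "disable ns") and tok[2].lower() == "mode":
            names = {t.upper() for t in tok[3:]}
            if verb == "enable ns":
                state["modes"] |= names
            else:
                state["modes"] -= names
        elif verb == "set interface":
            rest = _arg(tok, "-trunk")
            if rest:
                state["trunk"][tok[2]] = rest[0].upper() == "ON"
        elif verb == "bind vlan":
            vid = int(tok[2])
            ifnum, addr = _arg(tok, "-ifnum"), _arg(tok, "-IPAddress")
            if ifnum:
                tagged = _arg(tok, "-tagged") is not None
                state["ports"].setdefault(vid, set()).add((ifnum[0], tagged))
            if addr and len(addr) >= 2:
                # Address plus dotted netmask, reduced to its network.
                net = ipaddress.ip_network(f"{addr[0]}/{addr[1]}", strict=False)
                state["nets"].setdefault(vid, []).append(net)
    return state


def audit(config_text, farm_vlans, trunk_if):
    """Return findings; an empty list means the separation checks pass."""
    s = parse(config_text)
    findings = []
    for mode in ("L2", "L3"):  # step 20: both modes must be off
        if mode in s["modes"]:
            findings.append(f"mode {mode} is enabled; traffic can be forwarded between farm VLANs")
    if not s["trunk"].get(trunk_if, False):  # step 19: trunk on the backend port
        findings.append(f"interface {trunk_if}: trunk is not ON")
    for vid in farm_vlans:
        if (trunk_if, True) not in s["ports"].get(vid, set()):
            findings.append(f"vlan {vid}: not bound as tagged on {trunk_if}")
        if not s["nets"].get(vid):
            findings.append(f"vlan {vid}: no IP address bound")
    for a, b in combinations(sorted(farm_vlans), 2):
        for na in s["nets"].get(a, []):
            for nb in s["nets"].get(b, []):
                if na.overlaps(nb):
                    findings.append(f"vlan {a} ({na}) and vlan {b} ({nb}) share address space")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(name, audit(text, [91, 92], "1/4") or "OK")
```

The Layer 2 switch still has to carry VLANs 91 and 92 separately on its trunk port; this check only covers the NetScaler side.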

[Figure: the network diagram with traffic separation in effect. user1 reaches srv1.citrixlabs.com
(169.145.91.151, 0x91) on VLAN 91 and user2 reaches srv2.citrixlabs.com (169.145.92.152, 0x92) on
VLAN 92, both through the Citrix NetScaler at https://10.217.104.102 and the VLAN trunk; user1 is
blocked from VLAN 92.]

Save your configurations

On the NetScaler, in the GUI select the Save button. It is a good idea to navigate to NetScaler >
System > Diagnostics, and view the running configuration. You can select the save button to save a
copy to your local machine.
Switch vendors allow the use of tftp to upload configuration files, and it's a good idea to create a
backup.

Appendix A - NetScaler Application Switch Configuration
> #NS8.0 Build 49.2
set ns config -IPAddress 10.217.104.100 -netmask 255.255.255.0
enable ns feature LB CMP SSLVPN SSL
enable ns mode FR MBF Edge USNIP PMTUD
set lacp -sysPriority 32768
set system user nsroot 1026cbfab43a92237d72589b731c0550f12e58620767770af -encrypted
add system user partner1 12b38e42ad995b82900545e47a8f058e0e880422896dc3843 -encrypted
add system user sap1 10f68ca83f0b251be45f9c06292285974a68a86fb07dc5832 -encrypted
add system group partner1
add system group sap1
set interface 0/1 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/1 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/2 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/3 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/4 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor ON -trunk ON -lacpMode DISABLED -throughput 0
add ns ip 10.217.104.101 255.255.255.0 -type MIP -vServer DISABLED
add ns ip 169.145.91.240 255.255.255.0 -type MIP -vServer DISABLED
add ns ip 169.145.91.239 255.255.255.0 -vServer DISABLED
add ns ip 10.217.104.103 255.255.255.0 -vServer DISABLED
add ns ip 10.217.104.102 255.255.255.255 -type VIP -snmp DISABLED
add ns ip 169.145.92.240 255.255.255.0 -type MIP -vServer DISABLED
add ns ip 169.145.92.239 255.255.255.0 -vServer DISABLED
add vlan 2
add vlan 4
add vlan 91
add vlan 92
bind vlan 4 -ifnum 1/4 -tagged
bind vlan 91 -ifnum 1/4 -tagged
bind vlan 91 -IPAddress 169.145.91.240 255.255.255.0
bind vlan 92 -ifnum 1/4 -tagged
bind vlan 92 -IPAddress 169.145.92.240 255.255.255.0
add route 0.0.0.0 0.0.0.0 10.217.104.1 65535
set locationParameter -context geographic -q1label Continent -q2label Country -q3label Region -q4label City -q5label ISP -q6label Organization
add cr policy sessionID -rule REQ.HTTP.HEADER Cookie CONTAINS sessionid=11*
add aaa user sslvpn -password cd3c1c5667c9 -encrypted
add aaa user user2 -password cb3c155225 -encrypted
add aaa user user_vpn -password cb3c155248d1322d -encrypted
add aaa user user11 -password cb3c15522696 -encrypted
add aaa user user12 -password cb3c15522695 -encrypted
add aaa user user1 -password cb3c155226 -encrypted
add aaa group partner1
add aaa group partner2
add aaa group grp3
add vpn trafficAction test1 tcp
add vpn trafficAction Flowprofile91 tcp
add vpn intranetApplication route_migrate_1 ANY 192.168.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
add authorization policy sfg ns_true ALLOW
add authorization policy v91 REQ.VLANID == 91 ALLOW
add authorization policy v92 REQ.VLANID == 92 ALLOW
add authorization policy v92not REQ.VLANID != 92 DENY
add vpn trafficPolicy block-IP-10 REQ.IP.SOURCEIP == 10.1.0.0 -netmask 255.255.0.0 test1
add vpn trafficPolicy Flow91 REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0 && REQ.IP.DESTIP == 169.145.91.0 -netmask 255.255.255.0 Flowprofile91
add vpn vserver coilgw.citrixlabs.com SSL 10.217.104.102 443 -maxAAAUsers 30 -downStateFlush DISABLED
set ns rpcNode 10.217.104.100 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP 10.217.104.100
set responder param -undefAction NOOP
set rewrite param -undefAction NOREWRITE
add dns nameServer 10.217.120.2 -state DISABLED
add dns nameServer 10.217.104.10 -state DISABLED
set dns parameter -nameLookupPriority DNS
add dns addRec srv2.citrixlabs.com 169.145.92.152 -TTL 3600
add dns addRec srv1.citrixlabs.com 169.145.91.151 -TTL 3600
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey citrix -cert /nsconfig/ssl/citrix.cert -key /nsconfig/ssl/citrix.key
add ssl certKey ssltest -cert /nsconfig/ssl/ssltest.cert -key /nsconfig/ssl/ssltest.key
add ssl certKey coilgw_citrixlabs_com.cer -cert /nsconfig/ssl/coilgw_citrixlabs_com.cer.cert -key /nsconfig/ssl/coilgw_citrixlabs_com.cer.key
set ssl service nshttps-169.145.92.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.92.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.92.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.92.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-10.217.104.103-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-10.217.104.103-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.91.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.91.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.91.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.91.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-10.217.104.101-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-10.217.104.101-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nskrpcs-127.0.0.1-3009 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-127.0.0.1-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set cache parameter -memLimit 0 -via NS-CACHE-8.0: 100 -verifyUsing HOSTNAME_AND_IP -maxPostLen 0 -prefetchMaxPending 4294967294 -enableBypass YES
set cache contentGroup BASEFILE -relExpiry 86000 -maxResSize 256 -memLimit 2
set cache contentGroup DELTAJS -relExpiry 86000 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES
set aaa parameter -maxAAAUsers 25
add vpn sessionAction nssessionprofile1 -defaultAuthorizationAction ALLOW -homePage Citrix001 -icaProxy ON -ntDomain DEMO
add vpn sessionAction nssessionprofile2 -defaultAuthorizationAction ALLOW -homePage Citrix002 -icaProxy ON -ntDomain DEMO
add vpn sessionAction SGProfile1 -homePage Citrix001 -icaProxy ON -ntDomain DEMO
add vpn sessionAction SessionProfileSrv1 -homePage http://srv1.citrixlabs.com/Citrix/AccessPlatform -icaProxy ON -ntDomain Srv1
add vpn sessionAction SessionProfileSrv2 -homePage http://Srv2.citrixlabs.com/Citrix/AccessPlatform -icaProxy ON -ntDomain Srv2
add vpn sessionPolicy name1 ns_true nssessionprofile1
add vpn sessionPolicy SessionPolicy1 ns_true SGProfile1
add vpn sessionPolicy SessionPolicySrv1 ns_true SessionProfileSrv1
add vpn sessionPolicy SessionPolicySrv2 ns_true SessionProfileSrv2
set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true
set vpn parameter -splitDns BOTH -proxyLocalBypass DISABLED -forceCleanup none -clientOptions all -clientConfiguration all -SSO OFF -windowsAutoLogon OFF -clientDebug OFF -icaProxy OFF -epaClientType PLUGIN
set audit syslogParams -serverIP 10.210.100.151 -logLevel ALL
bind aaa user user2 -policy SessionPolicySrv2
bind aaa user user_vpn -policy SessionPolicySrv1
bind aaa user user1 -policy SessionPolicySrv1
bind aaa group partner2 -userName user2
bind aaa group partner1 -userName user1
bind aaa group partner1 -policy Flow91 -priority 1
bind aaa group partner1 -policy SessionPolicySrv1 -priority 2
bind aaa group partner2 -policy v92
bind aaa group partner2 -policy v92not
bind aaa group partner2 -policy SessionPolicySrv2
bind system user partner1 network 0
bind system user sap1 network 0
bind system group partner1 -userName partner1
bind system group sap1 -userName sap1
bind system group sap1 -policyName network 0
bind tunnel global ns_tunnel_cmpall_gzip
bind vpn global -policyName name1
bind vpn global -policyName SessionPolicy1
bind vpn global -policyName SessionPolicySrv1
bind vpn global -policyName SessionPolicySrv2
bind vpn global -intranetApplication route_migrate_1
bind vpn vserver coilgw.citrixlabs.com -staServer http://169.145.92.152:8080
bind vpn vserver coilgw.citrixlabs.com -staServer http://169.145.91.151:8080
add ns acl Access91 ALLOW -destIP = 169.145.91.0-255.255.255.0 -vlan 91 -priority 10 -kernelstate SFAPPLIED61
apply ns acls
set rnat 10.251.31.0 255.255.255.0 -natIP 10.217.104.101
set lb sipParameters -addRportVip ENABLED
set bridgetable -bridgeAge 60
bind ssl service nshttps-169.145.92.239-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.92.239-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.92.240-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.92.240-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-10.217.104.103-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-10.217.104.103-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.91.239-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.91.239-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.91.240-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.91.240-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-10.217.104.101-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-10.217.104.101-3008 -certkeyName ns-server-certificate
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
bind ssl vserver coilgw.citrixlabs.com -certkeyName coilgw_citrixlabs_com.cer
add appfw profile Basic
add appfw profile Advanced
set appfw profile Advanced -startURLAction block learn log stats -startURLClosure ON -cookieConsistencyAction block learn log stats -fieldConsistencyAction block learn log stats -crossSiteScriptingAction block learn log stats -SQLInjectionAction block learn log stats -fieldFormatAction block learn log stats
bind appfw profile Basic -startURL ^[^?]+[.](html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)$
bind appfw profile Basic -startURL ^[^?]+[.](cgi|aspx?|jsp|php|pl)([?].*)?$
bind appfw profile Basic -denyURL /core(/.*)?$ -comment Unix core file attacks -state DISABLED
bind appfw profile Basic -denyURL [\/]etc[\/](passwd|group|hosts) -comment Unix file attacks -state DISABLED
bind appfw profile Basic -denyURL ([ /=]|\t|\n)(ls|rm|cat)([ ;\\\\&].*)?$ -comment Command injection attack -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*[+][.]htr -comment HTR source disclosure -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/[?][SM]=[AD] -comment Apache possible directory index disclosure vulnerability -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/[?]wp- -comment Netscape enterprise server directory indexing vulnerability -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/NULL[.]printer -comment Printer buffer overflow -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/default[.]ida[?]N+ -comment CodeRed -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/publisher -comment Netscape enterprise server web publishing vulnerability -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*Admin[.]dll -comment Nimbda-3 -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/winnt/ -comment Nimbda-4 -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*[+]dir -comment IIS executable file parsing vulnerability-1 -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/georgi[.]asp -comment IIS executable file parsing vulnerability-2 -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*[.](bat|ini|exe)(|[?].*)$ -comment IIS executable file parsing vulnerability-3 -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|] -comment Script exploit -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*[.]asp\.* -comment Microsoft IIS UNC mapped virtual host vulnerability -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*[.]htx -comment Microsoft IIS UNC path disclosure vulnerability -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*[.]id[aq] -comment Index server buffer overflow -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$ -comment Access attacks -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$ -comment Password file attacks -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*dvwssr[.]dll -comment Front Page server extensions buffer overflow-1 -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*fp30reg[.]dll -comment Front Page server extensions buffer overflow-2 -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*null[.]htw -comment Webhits source disclosure -state DISABLED
bind appfw profile Basic -denyURL debug[.][^/?]*(|[?].*)$ -comment Debug attacks -state DISABLED
bind appfw profile Basic -denyURL system( |\t|\n)*[(] -comment System command attacks -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/_vti_bin/shtml[.] -comment Front Page server extensions path disclosure vulnerability -state DISABLED
bind appfw profile Advanced -denyURL /core(/.*)?$ -comment Unix core file attacks -state DISABLED
bind appfw profile Advanced -denyURL [\/]etc[\/](passwd|group|hosts) -comment Unix file attacks -state DISABLED
bind appfw profile Advanced -denyURL ([ /=]|\t|\n)(ls|rm|cat)([ ;\\\\&].*)?$ -comment Command injection attack -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[+][.]htr -comment HTR source disclosure -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/[?][SM]=[AD] -comment Apache possible directory index disclosure vulnerability -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/[?]wp- -comment Netscape enterprise server directory indexing vulnerability -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/NULL[.]printer -comment Printer buffer overflow -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/default[.]ida[?]N+ -comment CodeRed -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/publisher -comment Netscape enterprise server web publishing vulnerability -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*Admin[.]dll -comment Nimbda-3 -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/winnt/ -comment Nimbda-4 -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[+]dir -comment IIS executable file parsing vulnerability-1 -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/georgi[.]asp -comment IIS executable file parsing vulnerability-2 -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[.](bat|ini|exe)(|[?].*)$ -comment IIS executable file parsing vulnerability-3 -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|] -comment Script exploit -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[.]asp\.* -comment Microsoft IIS UNC mapped virtual host vulnerability -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[.]htx -comment Microsoft IIS UNC path disclosure vulnerability -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[.]id[aq] -comment Index server buffer overflow -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$ -comment Access attacks -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$ -comment Password file attacks -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*dvwssr[.]dll -comment Front Page server extensions buffer overflow-1 -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*fp30reg[.]dll -comment Front Page server extensions buffer overflow-2 -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*null[.]htw -comment Webhits source disclosure -state DISABLED
bind appfw profile Advanced -denyURL debug[.][^/?]*(|[?].*)$ -comment Debug attacks -state DISABLED
bind appfw profile Advanced -denyURL system( |\t|\n)*[(] -comment System command attacks -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/_vti_bin/shtml[.] -comment Front Page server extensions path disclosure vulnerability -state DISABLED
set ns hostName ns
Done
>
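
Added example (not part of the Citrix guide): a short Python audit for a saved running configuration like the listing above. It counts Application Firewall -denyURL bindings per profile by their -state and lists the VPN session profiles that set -defaultAuthorizationAction ALLOW. The sample lines are copied from the listing, including one wrapped line; the function names are this example's own, and treating a binding without -state as ENABLED is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from the running configuration above (a small subset).
# The last "Advanced" binding keeps the line wrap seen in the listing.
SAMPLE_CONFIG = r"""
add vpn sessionAction nssessionprofile1 -defaultAuthorizationAction ALLOW -homePage Citrix001 -icaProxy ON -ntDomain DEMO
add vpn sessionAction SGProfile1 -homePage Citrix001 -icaProxy ON -ntDomain DEMO
bind appfw profile Basic -startURL ^[^?]+[.](cgi|aspx?|jsp|php|pl)([?].*)?$
bind appfw profile Basic -denyURL /core(/.*)?$ -comment Unix core file attacks -state DISABLED
bind appfw profile Basic -denyURL ^[^?]*/default[.]ida[?]N+ -comment CodeRed -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*[.]id[aq] -comment Index server buffer overflow -state DISABLED
bind appfw profile Advanced -denyURL ^[^?]*/publisher -comment Netscape enterprise server web publishing vulnerability -state
DISABLED
"""

# Command verbs that start a new logical line in the listing.
VERBS = ("add ", "set ", "bind ", "enable ", "apply ", "#")
DENY_RE = re.compile(
    r"^bind appfw profile (\S+) -denyURL (.+?)"
    r"(?: -comment (.+?))?(?: -state (\w+))?\s*$")
SESSION_RE = re.compile(r"^add vpn sessionAction (\S+)\s")

def logical_lines(text):
    """Join wrapped continuation lines onto the command they belong to."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(VERBS) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def deny_url_states(text):
    """Return {profile: {state: [comment or pattern, ...]}} for -denyURL bindings."""
    result = defaultdict(lambda: defaultdict(list))
    for line in logical_lines(text):
        m = DENY_RE.match(line)
        if m:
            profile, pattern, comment, state = m.groups()
            # Assumption: a binding with no -state is treated as ENABLED.
            result[profile][state or "ENABLED"].append(comment or pattern)
    return {p: dict(s) for p, s in result.items()}

def default_allow_profiles(text):
    """Names of session profiles that set -defaultAuthorizationAction ALLOW."""
    return [m.group(1) for line in logical_lines(text)
            if (m := SESSION_RE.match(line))
            and re.search(r"-defaultAuthorizationAction ALLOW\b", line)]

if __name__ == "__main__":
    for profile, states in deny_url_states(SAMPLE_CONFIG).items():
        for state, rules in states.items():
            print(f"appfw {profile}: {len(rules)} denyURL rule(s) {state}")
    print("default ALLOW session profiles:", default_allow_profiles(SAMPLE_CONFIG))
```

Run against the full listing, this reports every denyURL binding in both profiles as DISABLED, which is worth confirming as intended before reusing the configuration.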

Appendix B - Layer 2 Switch Configuration

Switch Configuration
! Any Layer 2 switch will work as long as it supports 802.1Q VLANs and Trunking.
! The following is the configuration used on our switch in the lab.
! Trunk port connecting to NetScaler interface 1/4
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
! Port connecting to NetScaler Public VIP
interface FastEthernet0/15
! VLAN 91 interface connecting to CPS farm 1
interface FastEthernet0/21
 switchport access vlan 91
! VLAN 92 interface connecting to CPS farm 2
interface FastEthernet0/23
 switchport access vlan 92

Port VLAN Memberships

VLAN    Name                     Ports
        default                  Fa0/1...Fa0/10, Fa0/12...Fa0/14, Fa0/15, Fa0/16
91      VLAN91-to-CPSSrvFarm1    Fa0/21
92      VLAN92-to-CPSSrvFarm2    Fa0/23

Note: Port Fa0/11 is not listed because it is a Trunk port

Citrix Worldwide
Worldwide headquarters
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
USA
T +1 800 393 1888
T +1 954 267 3000
Regional headquarters
Americas
Citrix Silicon Valley
4988 Great America Parkway
Santa Clara, CA 95054
USA
T +1 408 790 8000
Europe
Citrix Systems International GmbH
Rheinweg 9
8200 Schaffhausen
Switzerland
T +41 52 635 7700
Asia Pacific
Citrix Systems Hong Kong Ltd.
Suite 3201, 32nd Floor
One International Finance Centre
1 Harbour View Street
Central
Hong Kong
T +852 2100 5000
Citrix Online division
5385 Hollister Avenue
Santa Barbara, CA 93111
USA
T +1 805 690 6400
www.citrix.com

About Citrix
Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than
200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest
security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well
as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more
than 100 countries. Annual revenue in 2006 was $1.1 billion.
Citrix, NetScaler, GoToMyPC, GoToMeeting, GoToAssist, Citrix Presentation Server, Citrix Password Manager, Citrix Access Gateway, Citrix Access
Essentials, Citrix Access Suite, Citrix SmoothRoaming and Citrix Subscription Advantage are trademarks of Citrix Systems, Inc. and/or one or more of its
subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX is a registered trademark of The Open Group in the U.S.
and other countries. Microsoft, Windows and Windows Server are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other
trademarks and registered trademarks are property of their respective owners.
