CAG and Storefront Setup 2

  • 格式:pdf
  • 大小:888.59 KB
  • 文档页数:14

Citrix CloudGateway with Access Gateway 5 Express Setup
Index
Index (2)
Overview (3)
Issues I had (4)
Citrix CloudGateway Server (Receiver StoreFront 1.1) (5)
StoreFront Configuration (5)
Server Groups (5)
Authentication (5)
Trusted Domain (6)
Stores (6)
Enable Remote Access (6)
Manage Server Farms (7)
Receiver for Web (7)
Gateways (8)
Enable Silent Authentication (8)
Secure Ticket Authority (8)
Beacons (9)
Certificate (9)
IIS (9)
Citrix Access Gateway 5.0 VPX (10)
Network Interfaces (10)
Name Service Providers (10)
Authentication Profiles (11)
Network Resources (11)
Logon Points (12)
SmartGroups (12)
XenApp or Desktop (13)
Secure Ticket Authority (13)
Certificates (13)
Firewall Rules (14)
From Outside to CAG (14)
From CAG to StoreFront (14)
From StoreFront to CAG (14)
From CAG to XenApp (14)
From CAG to DC (14)
Overview
Issues I had…
∙When I logon to Storefront from the LAN everything works fine. I can logon, and apps start.
When I logon to the AG, I can logon, I see the apps, but the apps don’t start.
∙How does the traffic go? When looking at the above picture it looks like the CAG is firewalling between the outside world and the Citrix Storefront/XenApp. Is this normal? Do the Citrix Storefront and XenApp servers need to have their DG set to the normal firewall?
∙When logging of from the ‘Storefront site within the CAG’ I get this error:
Solution (or part of / pointing me in the right direction)
http://www.jeroentielen.nl/self-service-plugin-storefront-merchandising-server-citrix-access-gateway-part3 /thread.jspa?threadID=307700
/thread.jspa?threadID=294793
/thread.jspa?threadID=299681
/thread.jspa?threadID=300714
TIP: Check the Citrix Delivery Services event log!
Citrix CloudGateway Server (Receiver StoreFront 1.1)
StoreFront Configuration
Server Groups
Authentication
Trusted Domain
Configured the internal domain name. Stores
Enable Remote Access
Manage Server Farms
Current setup was done just with one XenApp server.
Receiver for Web
Enable Silent Authentication
Secure Ticket Authority
Certificate
For this StoreFront server I have requested a certificate from a known CA, in this case Comodo.
I have exported the base64 version of this certificate for later use on the CAG.
IIS
Installed the certificate and bound to the Default Web Site where StoreFront is running.
Citrix Access Gateway 5.0 VPX
Network Interfaces
Eth0 and 1 are both connected to the DMZ network.
Eth0 and 1 are used to communicate internal and external.
Eth1 is used for accessing the CAG for management.
TODO: try to see if the internal and external role can be split. This also reflects the configuration of the firewall.
Name Service Providers
Since DNS is not used (otherwise port 53 needed to be opened up from DMZ to DC) the two hostnames (XenApp Server and StoreFront Server) used in the CAG are put in the hosts file.
Authentication Profiles
Network Resources
Logon Points
First I tried to set it up using a basic logon point. Later I tried using SmartAccess. This is the current working scenario.
TODO: try to see if basic also works.
SmartGroups
XenApp or Desktop
Secure Ticket Authority
Certificates
10.20.30.40 is default and not used.
Thawte Primary Root CA and Thawte SSL CA are CA trusted certificates chained to the wildcard certificate. The wildcard certificate is the server certificate set as default and used by the CAG to identify itself. vminfcsf1is the base64 public certificate to make the CAG trust the StoreFront’s IIS server.
The PositiveSSL CA 2 and AddTrust External CA Root certificates are chained to the vminfcsf1 certificate.
Firewall Rules From Outside to CAG
443 (HTTPS)
From CAG to StoreFront
443 (HTTPS)
From StoreFront to CAG
443 (HTTPS)
From CAG to XenApp
8080 (Citrix XML)
1494 (Citrix ICA)
2598 (Citrix SR)
7279 (Citrix Licensing) 27000 (Citrix Licensing) From CAG to DC
389 (LDAP)。