Gateway Integration with storefront Lessons Learned

3:35 PM

The purpose of this post is to dive a little deeper into the NetScaler Gateway settings in StoreFront, since this is one more component that changed a lot from the Web Interface world. As a reminder, with Web Interface you could define only a single NetScaler Gateway (URL + callback pair) per site under "Secure Access", and you had the option to either authenticate at the NetScaler Gateway or authenticate at Web Interface and pass only ICA proxy traffic through the defined NetScaler Gateway. With StoreFront, two things changed radically:

  • It is possible to define multiple NetScaler Gateways per store (IIS web site). Gateways are defined and listed independently of the store configuration.
  • By default, StoreFront requires that authentication occurs at the gateway for any ICA traffic arriving from that gateway. If you define a NetScaler Gateway in the StoreFront console, "Pass-through from NetScaler Gateway" authentication is enabled automatically.

The fact that these two things are technically possible does not mean they should, or must, be done in all cases, and some of the finer technical details behind these settings are what we keep encountering in the field; those details are the focus of this article.

Let's start with the number of NetScaler Gateways per StoreFront store. With Web Interface, each gateway + callback combination required a new site, so it was not possible to route users entering through different NetScaler Gateways through the same site. It was possible to route internal and external users through a single gateway address on the same site, with the client IP in Web Interface being sufficient to distinguish external users from internal ones, but that was it. Incidentally, StoreFront can do this too, but differently: it uses "beacons", defined in the console, to determine how users connect through a Receiver client (Receiver tries to contact the "internal beacon" and, if that fails, assumes it is connecting externally via a NetScaler Gateway).

Back to the gateways: for our larger customers with multiple NetScaler appliances for high availability and scale, and/or multiple NetScaler Gateway URLs for different business units, this could easily result in a lot of Web Interface sites to manage. StoreFront's ability to aggregate potentially all of these gateway definitions into a single site sounds almost too good to be true, so let's dive a little deeper into how StoreFront accomplishes this.

If we define multiple NetScaler Gateways per site, StoreFront must have a way to correctly identify the traffic from each gateway so that it can route traffic to/from that gateway (e.g., for the callback) correctly. If you look at the gateway settings screen in StoreFront (below), the options for this are the URL and the "SNIP" field. StoreFront is passed several IP addresses and the gateway FQDN as HTTP headers (X-Citrix-Gateway, X-Citrix-Via, X-Citrix-Via-VIP and X-Forwarded-For) and uses this information to identify which gateway the user came from. If you have problems with StoreFront and gateway integration, a great first step is to turn on trace logging on StoreFront, log in through NetScaler Gateway, and look at the authentication log on the StoreFront server. You will see the values of these headers and which gateway StoreFront selected based on that information.

1. NetScaler Gateways behind transparent GSLB: If multiple gateways sit behind transparent GSLB, the URL is the same for all of them and is not a good differentiator, so we have to rely on an IP address. Putting the actual SNIP in the "SNIP" field will only work if the NetScaler appliance hosting the gateway vServer communicates directly with the StoreFront servers. If there is another load balancing tier between the gateway vServer and the StoreFront server (either NetScaler or third party), as is the case in most of our larger environments, then the StoreFront server will not see the SNIP. In this case, the gateway vServer VIP should be entered in this field. The need to enter the VIP is documented on our eDocs page, but it is tucked away and we still see a lot of confusion in the field about what the "SNIP" field means, so I am trying to properly close the case here. The gateway vServer VIP is passed to StoreFront in the X-Citrix-Via-VIP header, which was an extension to the NetScaler code and, based on testing, appears to be included as standard in every 10.1 or later build. In earlier NetScaler builds, you need to bind a custom rewrite policy to the gateway vServer that adds this header, using an action like the following (action name and VIP value are placeholders to fill in); after that, you can specify the VIP in the SNIP field and everything works.

add rewrite action <action_name> insert_http_header X-Citrix-Via-VIP "\"<gateway_vServer_VIP>\"" -bypassSafetyCheck YES

2. "Default appliance" setting for Receiver: Although NetScaler Gateways are defined separately from the store configuration in the StoreFront console, for a user to successfully log in to the store through one of these gateways, the gateway must be enabled inside the store (simple enough: if you want users to be able to log in to the store through all gateways, enable all of them) and a "default appliance" must be defined, which is the tricky part, as shown in the screenshot below.

For web browser-based access, the "Default appliance" setting has no effect. For native Receiver access, this setting is saved as part of the configuration that Receiver downloads when it connects to the store, and Receiver then uses that gateway by default. If all defined gateways share the same URL via GSLB, then again this has no effect (Receiver only uses the gateway definition to see which URL to query). If the gateways have different FQDNs and you allow all of them to be used for one store, then all Receiver clients connect through whichever gateway is defined as the default. This is problematic when you have two different user communities with different FQDNs that you want to aggregate in the same store (for easy management) and they use Receiver clients. For example, if you have https://myapps.company.com and https://myvdi.company.com and the gateway selected as the default for the store is "myapps", any user who enters "myvdi" in Receiver during first-time setup will be redirected to "myapps" as soon as they hit StoreFront and will be prompted to authenticate again. The cleanest approach is therefore to handle multiple gateway FQDNs with native Receiver clients through different stores and via different StoreFront server groups. Again, a fairly specific scenario, but it is another setting we find is not very well understood in the field.

3. Gateway authentication requirement: We have some customers who implemented NetScaler Gateway purely as an ICA proxy to simplify firewall rules, but do authentication at Web Interface. Recently, we have also had customers interested in collecting HDX Insight data (which means the ICA traffic has to pass through a NetScaler) for internal users, without forcing those internal users to explicitly authenticate at a gateway. By default, StoreFront assumes that only external users come in through a gateway and that authentication occurs there; it is not possible to define a gateway without enabling "Pass-through from NetScaler Gateway" authentication.

Enter Optimal Gateway Routing, which is a separate, config-file-based setting loosely grouped with the multi-site settings. Optimal Gateway Routing settings assign a gateway per XenApp/XenDesktop farm/site, override anything defined in the console, and are described in detail in eDocs. There is an optional "enabledOnDirectAccess" parameter for a farm/site (or a set of farms/sites) which forces every user session destined for that farm/site to be routed back out through a particular gateway, whether or not the user came in through that gateway. There are two possible uses for these settings: (1) to direct users to the gateway closest to the backend XenApp/XenDesktop farm/site they are connecting to, essentially a preferred gateway mapping for each farm/site that StoreFront enumerates, regardless of the user's entry point, and (2) to achieve the HDX Insight data collection goal without enforcing gateway authentication (users can still use domain pass-through authentication at StoreFront but are routed back out through a specified gateway, which sends the ICA metrics to HDX Insight for monitoring). It does not apply to every deployment, as there are some inherent assumptions about the relative locations of XenApp/XenDesktop sites and your NetScaler Gateways, and it should not be configured so that it forces all users through a single gateway. But we have recently seen some of our customers use it as a creative solution for collecting HDX Insight metrics for internal users.

To summarize the lessons learned regarding gateway integration with StoreFront:
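The two mechanisms above, identifying which gateway a request came through (URL first, then the address in the "SNIP" field, which must be the VIP when a load balancing tier hides the SNIP) and the per-farm Optimal Gateway Routing override with enabledOnDirectAccess, are easier to reason about with a small model. The following is an added example written for this article; it is not StoreFront's own code, and its gateway names, addresses and farm names are constructed. The matching rule it implements is a deliberate simplification of what StoreFront does with the X-Citrix-Gateway and X-Citrix-Via-VIP headers.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Gateway:
    name: str
    url: str      # FQDN users connect to (the console's URL field)
    address: str  # what goes in the console's "SNIP" field: the SNIP, or the gateway vServer VIP


def _host(url: str) -> str:
    """Host part of a URL, lower-cased, so 'https://GW.example.com/' and 'gw.example.com' compare equal."""
    return (urlsplit(url).hostname or url).lower()


def identify_gateway(gateways: Iterable[Gateway], headers: Dict[str, str],
                     peer_ip: str) -> Optional[Gateway]:
    """Return the one gateway definition a proxied request came through, or None when no
    definition (or more than one) matches. Simplified model, not StoreFront's real logic."""
    h = {k.lower(): v for k, v in headers.items()}
    advertised_host = h.get("x-citrix-gateway", "").lower()
    # Step 1: the FQDN the gateway advertises narrows the candidates.
    candidates = [g for g in gateways if _host(g.url) == advertised_host]
    if len(candidates) == 1:
        return candidates[0]
    # Step 2: several definitions share one FQDN (transparent GSLB), so fall back to an IP
    # the gateway is known by: the VIP header, or the TCP peer address. The peer address is
    # the SNIP only when the gateway talks to StoreFront directly; behind a load balancing
    # tier it is the load balancer's address and matches nothing.
    known_ips = {ip for ip in (h.get("x-citrix-via-vip", ""), peer_ip) if ip}
    by_ip = [g for g in candidates if g.address in known_ips]
    return by_ip[0] if len(by_ip) == 1 else None


@dataclass(frozen=True)
class OptimalGatewayRule:
    farms: FrozenSet[str]
    gateway: Gateway
    enabled_on_direct_access: bool = False  # models the enabledOnDirectAccess parameter


def route_launch(farm: str, entry_gateway: Optional[Gateway],
                 rules: Iterable[OptimalGatewayRule]) -> Optional[Gateway]:
    """Which gateway carries the ICA session for a launch on `farm`; None means a direct
    connection. entry_gateway is the gateway the user logged on through (None = direct)."""
    for rule in rules:
        if farm in rule.farms:
            if entry_gateway is not None or rule.enabled_on_direct_access:
                return rule.gateway  # mapping overrides whichever gateway the user came through
            return None  # direct logon and the mapping is not enabled for direct access
    return entry_gateway  # no mapping for this farm: keep the user's entry point


# Constructed sample definitions (hostnames and addresses are not real).
GW_DC1 = Gateway("gw-dc1", "https://myapps.example.com", "10.1.1.10")  # VIP in the SNIP field
GW_DC2 = Gateway("gw-dc2", "https://myapps.example.com", "10.2.2.10")  # same URL via GSLB
GW_VDI = Gateway("gw-vdi", "https://myvdi.example.com", "10.3.3.10")
GATEWAYS = (GW_DC1, GW_DC2, GW_VDI)
LB_SNIP = "10.0.0.5"  # address of the load balancing tier, all StoreFront sees as the peer

RULES = (
    OptimalGatewayRule(frozenset({"VDI-Site"}), GW_VDI, enabled_on_direct_access=True),
    OptimalGatewayRule(frozenset({"Apps-Site"}), GW_DC1),
)


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios discussed in the post; returns gateway names (None = unidentified/direct)."""
    base = {"X-Citrix-Gateway": "myapps.example.com", "X-Forwarded-For": "203.0.113.7"}
    with_vip = {**base, "X-Citrix-Via-VIP": "10.2.2.10"}  # header a 10.1+ build (or the rewrite) adds
    vdi = {"X-Citrix-Gateway": "myvdi.example.com", "X-Forwarded-For": "203.0.113.8"}

    def name(g: Optional[Gateway]) -> Optional[str]:
        return g.name if g else None

    return {
        "gslb_with_vip_header": name(identify_gateway(GATEWAYS, with_vip, LB_SNIP)),
        "gslb_without_vip_header": name(identify_gateway(GATEWAYS, base, LB_SNIP)),
        "unique_url": name(identify_gateway(GATEWAYS, vdi, LB_SNIP)),
        "internal_user_vdi": name(route_launch("VDI-Site", None, RULES)),
        "internal_user_apps": name(route_launch("Apps-Site", None, RULES)),
        "external_via_dc2_to_apps": name(route_launch("Apps-Site", GW_DC2, RULES)),
        "external_via_dc2_unmapped": name(route_launch("Other-Farm", GW_DC2, RULES)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:28s} -> {result}")
```

The "gslb_without_vip_header" scenario is the field problem from point 1: two definitions share the URL, the peer address is the load balancer's, and without the VIP header there is nothing left to disambiguate on. The "internal_user_vdi" scenario is the HDX Insight use from point 3: a direct (pass-through) logon is still sent back out through gw-vdi because the rule is enabled for direct access, while a direct logon to Apps-Site stays direct.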

  • StoreFront typically requires fewer sites than Web Interface, due to the consolidation of gateway definitions.
  • Any IP address that uniquely identifies a gateway can be specified in the "SNIP" field (not only the SNIP). When the StoreFront servers sit behind a separate load balancing tier from the gateways, and multiple gateways share a URL due to GSLB, specifying the gateway vServer IP (VIP) usually works best.
  • Define one store or server group per unique gateway URL when Receiver clients will be used to connect externally, so that the correct gateway can be set as the default appliance for the store.
  • Optimal Gateway Routing settings can be used to run gateways as ICA proxy only, without (explicit) gateway-based authentication. Some customers have used this to let their internal users use pass-through authentication directly at StoreFront while still routing traffic back through a gateway and collecting HDX Insight metrics.