Out with the old, in with … AGEE VPX (part 3)

In the previous parts of this series I showed you the basic configurations of the new Access Gateway Enterprise Edition VPX (AGEE VPX) based upon the NetScaler code.
In the first part I explained the initial network configuration, the installation of the license and the automatic Access Gateway Setup Wizard that is run after the licenses are loaded.
In the second part I continued with some configuration checks, as I don’t want to blindly trust that setup wizard.

And now we are ready for the real fun part of the configuration … so let’s continu the saga with the configuration of the required Virtual Servers for our setup and deliver a working implementation for our two-legged design.

As a reminder I’ll show you my network drawing once more:

Different IP address types for the AGEE VPX

There are two VIPs mentioned in the drawing, one for the external connection, where our remote users log onto to connect to the published applications and desktops and another VIP for the internal network, which is used for the internal communications with the XenApp and StoreFront servers. Both VIPs are configured almost identical, except for the ip addresses used. And both require a different DNS entry for the same FQDN as both VIPs will be using the same certificate for SSL communications. So one entry on the external DNS service, linking to the external VIP and one entry on the internal DNS service, linking to the internal VIP. I’ll start this post with the setup wizard for the internal VIP, as we already created the external VIP in the previous parts. And we’ll run through all the settings to check for both VIPs afterwards to ensure everything is set up in the right manner.

Creating the internal VIP

We’ll be using the Access Gateway wizard to create the internal VIP

 
Access Gateway setup wizard

screendump	explanation
Access Gateway Wizard	Select VPN in the menu on the left. Click on Access Gateway wizard in the right pane to start the wizard.
Access Gateway Wizard - Introduction	AG Setup – Introduction Click [Next]
Access Gateway Wizard - Virtual Server	AG Setup – Create or choose a virtual server Select New and enter the IP-address of the internal VIP and use port 443. Enter a distinctive name for the Virtual Server to quickly identify both the external VIP and the internal VIP. (You can use something like “internal VIP”). Click [Next]
Access Gateway Wizard - Server Certificate	AG Setup – Specify a server certificate Use the following settings: Certificate Options: Use an installed certificate and private key pair Server Certificate: [certificate] (use the same certificate for both VIPs) Click [Next]
We need to use the same certificate on both virtual servers to ensure authentication is processed correctly. If you are gonna use test certificate in a lab environment, this step is the only step that creates a true independent/stand-alone test certificate that is self-signed. You can always use this step to create one and abort the setup wizard after the creation.
Access Gateway Wizard - Name Service	AG Setup – Configure Name Service Use the following settings: Configured DNS Server: [selection] WINS Server IP Address: [none] Name Lookup Priority: DNS Retry: 5 Click [Next]
Access Gateway Wizard - Authentication	AG Setup – Configure authentication Use the following settings: Authentication Type: LDAP IP address: [ip-address] Port: 389 Time out (seconds): 3 Base DN: [base-DN] Admin Base DN: [admin-base-DN] Logon Name: sAMAccountName Password: [admin-password] Click [Next]
More information on how to use a Distinguished Name (DN) or which name conventions to follow can be found at MSDN or in this Tech Blog or by using PowerShell. I for one use the Active Directory Users & Computers mmc with Advanced Features view on and check the distinguishedName on the Attribute Editor tab of the object properties.
Access Gateway Wizard - Additional Settings	AG Setup – Configure additional settings Use the following settings: Configure Authorization: Allow Redirect to secure web address: [not-selected] Click [Next].
Access Gateway Wizard - Clientless Access	AG Setup – Configure clientless access Use the following settings: Clientless Access: Use the AG plugin and allow access scenario fallback Clientless Access Persistent Cookie: Allow Click [Next]
Access Gateway Wizard - Summary	AG Setup – Summary Check the configured settings and click [Finish]

So after we’ve run the wizard, let’s check those settings one more time for both VIPs to ensure we have configured and linked all settings in the right manner.

Check VPN – Virtual Servers settings

Select VPN in the left menu and click on Virtual Servers after the menu expanded. You’ll see two entries for the virtual servers. Select the external VIP entry and click [Open] to check it’s configuration. The settings that are important are listed in the table below.

 

screendump	explanation
Configure AG VIP - Certificates	AG Virtual Server – Certificates Check if the right certificate is configured for the the Virtual Server. Keep in mind that both Virtual Servers need to use the same certificate for authentication purposes.
Configure AG VIP - Authentication	AG Virtual Server – Authentication Click on the Authentication tab and check whether authentication is enabled and if the right LDAP policy is selected. If not add the right LDAP policy (a LDAP policy is automatically created as part of the AG setup wizard procedure).
Configure AG VIP - Policies - Session	AG Virtual Server – Policies Select the Policies tab and check if the created Session Policies from part 2 are added to the list with the right priority: 100 – Receiver_Web_pol 90 – StoreFront_Services_pol 80 – PNA_Services_pol Other policies that may have been binded need to be removed by selecting them and clicking on [Unbind Policy]
Configure AG VIP - Published Applications	AG Virtual Server – Published Applications And finally select the Published Applications tab to add the required Secure Ticket Authority (STA) servers to communicate with the Citrix XenApp or XenDesktop infrastructure.
Keep in mind that you’ll need to enter exactly the same STA entries on this tab as you do when configuring the farm settings for the Citrix Web Interface or StoreFront server.

Make sure you check the same settings for the second Virtual Server as well.

And with these settings you should have yourself a nicely configured Access Gateway Enterprise Edition VPX.
As I’m having alot of fun writing this series, I’ll write up another part to explain my StoreFront configuration and even add another part explaining the steps I took to implement the Citrix theme to the Access Gateway. So more will follow!
 

Esther Barthel

Solutions Architect at cognition IT

Esther has been working in different roles and functions as an IT consultant ever since she finished her Masters degree in Computer Science in 1997. She has worked as a web developer, database administrator, and server administrator until she discovered how Server-Based Computing ( SBC ) combined servers, desktops, and user experience in one solution. Esther has been specializing in virtualization solutions such as SBC, VDI, application, and server virtualization for over eight years now and is currently working as a Senior Consultant at PepperByte, where she designs and implements Citrix® solutions for both small-business and large-enterprise infrastructures scaling from 100 to 15,000 users.
In january 2014 her first book Citrix XenApp 6.5 Expert Cookbook was published by Packt Publishing.

Esther is awarded as a Citrix Technology Professional (CTP) from 2015 - 2017.
Esther is awarded as a Microsoft Most Valuable Professional (MVP) in 2017.

Esther is a Citrix Certified Expert – Virtualization (CCE-V), Citrix Certified Professional – Mobility (CCP-M), Citrix Certified Professional – Networking (CCP-N) and RES Software Certified Professional (RCP).