NetScaler VPX monitor error – Timeout during SSL handshake stage


I came across this by accident while setting up NetScaler GSLB for a Citrix solution for one of my customers. The service groups in NetScaler were giving an error message for the monitoring probes – https and CITRIX-XD-DDC (both secure). The NetScaler was VPX running 11.1.63.9nc firmware.

Last response: failure – Time out during SSL handshake stage

How do you troubleshoot such issues? There are a couple of options.

Wireshark can be a good tool or you could use the built-in nstrace utility in NetScalers. Additionally, you will also need to make sure that the required ports are open between your NetScaler and the backend servers/services.

If you run a trace and look at it, you can see the below:

TLSv1 Record Layer: Alert (Level: Fatal, Description: Unsupported Certificate)
Content Type: Alert (21)

The certificate that was installed on the DDCs and StoreFront servers was created with a key size of 4096, and that was the issue.

The fix was to generate a fresh certificate with a 2048-bit key, after which the issue goes away. Also note that this issue is only prevalent in VPX versions of NetScaler. NetScaler MPXs will NOT exhibit this issue due to their built-in SSL chips.
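The quickest way to tell whether this is your problem is to look at the RSA key size the monitor actually sees. The following PowerShell is an added example (not part of the original post) that reports key sizes in a server's Local Computer store and on the wire through a TLS handshake to each backend, flagging anything over 2048 bits; it also covers the P.S. in the SAN certificate post below. The hostnames and ports are placeholders.

```powershell
# Added example: audit RSA key sizes as the VPX monitor would see them.
# Hostnames/ports below are placeholders, not values from the post.

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetRSAPublicKey handles both CSP and CNG keys on Windows PowerShell 5.1 and
    # PowerShell 7; it returns $null for non-RSA (e.g. ECDSA) certificates.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { $rsa.KeySize } else { $null }
}

function Get-LocalCertKeyReport {
    # Run on a DDC or StoreFront server: every cert in the Local Computer personal store.
    param([int]$MaxKeyBits = 2048)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $bits = Get-RsaKeySize $_
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            KeyBits    = $bits
            NotAfter   = $_.NotAfter
            VpxRisk    = ($null -ne $bits -and $bits -gt $MaxKeyBits)   # would trip the VPX monitor
        }
    }
}

function Get-RemoteCertKeySize {
    # Probe a backend the way the https / CITRIX-XD-DDC (secure) monitor does and read the leaf cert.
    param([string]$HostName, [int]$Port = 443, [int]$MaxKeyBits = 2048)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Inspection only: accept whatever the server presents so the handshake completes
        # and the certificate can be read. This does not validate the chain.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $bits = Get-RsaKeySize $leaf
        [pscustomobject]@{
            Host     = "$HostName`:$Port"
            Subject  = $leaf.Subject
            KeyBits  = $bits
            Protocol = $ssl.SslProtocol
            VpxRisk  = ($null -ne $bits -and $bits -gt $MaxKeyBits)
        }
    } finally {
        $client.Dispose()
    }
}

# Usage (placeholder names): local store first, then each backend the monitor targets.
Get-LocalCertKeyReport | Where-Object VpxRisk | Format-Table -AutoSize
'ddc01.corp.example', 'storefront01.corp.example' |
    ForEach-Object { Get-RemoteCertKeySize -HostName $_ } | Format-Table -AutoSize
```

The remote check is the more useful of the two, because it shows the certificate the service actually serves (IIS bindings can point at a different cert than the one you expect) and the negotiated protocol, which is also worth comparing against what the NetScaler monitor is configured to use.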

Hope, this helps somebody out there.

Create and Install a SAN certificate (Subject Alternative Name) in Windows without third-party tools


There are times when you would want to create a SAN (Subject Alternative Name) certificate for your deployments in the organization. This is a more secure approach than using a wildcard certificate, as it only covers the limited set of servers named in it. Unless you specifically compromise one of the machines named in the certificate, it is hard to impersonate a host and do any real harm.

In this blog post, I will show you how to create a CSR (Certificate Signing Request) using any Windows machine in the organization that’s domain joined and subsequently, use the request file to issue a certificate using the internal Certification Authority (CA) server.

Create a Certificate Signing Request (CSR)

The first step is to create a CSR file and you can use any domain joined Windows server in the organization. I have used the Citrix Storefront server in this example.

Open the MMC console and add the Certificates snap-in for the Local Computer. Right-click the Personal node on the left and select All Tasks –> Advanced Operations –> Create Custom Request.

Choose Proceed without enrollment policy and click Next. Choose No Template (Legacy Key) for compatibility reasons, and use PKCS#10 as the request format.

Click Next and click Properties

Give a friendly name for the certificate and a description. Ensure that you hit Apply as soon as you are done with the tab.

Click on the Subject tab and add all the hostnames under “Alternative Name”.

Under Subject Name, enter the Common Name (CN), Organizational Unit (OU), Organization (O), State (S) and Country (C) values. Click Apply

Under the Extensions tab, expand Extended Key Usage (application policies) and select Server Authentication and Client Authentication

Click Apply

Under the Private Key tab, set the Key size to 2048 under Key options

P.S – Using a key size of 4096 or above will cause issues with NetScaler monitors failing if VPXs are used. MPXs don’t have this issue.

Tick Make Private Key exportable

Select Exchange as the Key type

Click Apply. Click OK

Select a location to save the file. Choose the file format as Base 64

Click Finish

Send the Certificate Request

Now navigate to the URL of the internal Certificate Authority (CA) server, replacing <certauthority> with your CA server name.

https://<certauthority>/certsrv
  • Click the Request a Certificate link.
  • Click the Advanced certificate request link.
  • Click Submit a certificate.
  • Paste the contents of your CSR file into the Saved Request text box. (Open the CSR file (with a .req extension) in Notepad and copy the contents without any leading or trailing spaces.)
  • For the Certificate Template drop-down list, select Web Server.
  • Click Submit.

You get the below once you click submit.

Issue the Certificate

  • Connect to the server where the Certification Authority is installed, if necessary.
  • Select Start > Control Panel > Administrative Tools > Certification Authority.
  • In the Certification Authority (Local) tree, select Your Domain Name > Pending Requests.
  • Select the CSR in the right navigation pane.
  • In the Action menu, select the ID number of the request > Issue.
  • Close the Certification Authority window.

Download the Certificate

  • In your web browser address bar, type the IP address of the server where the Certification Authority is installed, followed by /certsrv.
  • Click the View the status of a pending certificate request link.
  • Select the certificate request with the time and date you submitted.
  • Select the encoding format for the downloaded certificate, such as Base 64 for a PEM certificate.
  • Click Download CA certificate to save the certificate. The certificate will have a .CER extension.

Install the Certificate

  • Navigate to the server where the certificate needs to be installed.
  • Open a MMC console as Administrator and add Certificate snap-in under Local Computer
  • Expand Personal node and right click the Certificates node.
  • Select All Tasks –> Import
  • Click Next
  • Locate the downloaded certificate file
  • Click Next
  • Place it under Personal node
  • Click Next
  • Click Finish

Note – The installed certificate in the Certificates MMC shows a small key symbol and a badge. You need to see both of these for the certificate to work and to show up in IIS Manager in the later steps.

Export the certificate as a .PFX file

Now, you need to export the certificate as a PFX file so that it can be installed on all the other servers, which don’t have the private key that was generated when the CSR was requested. If you recall, we created the CSR on one of the StoreFront servers. The PFX file contains the private key, which is paramount for SSL deployments.

  • Navigate to the server where the certificate has been already installed.
  • Open a MMC console as Administrator and add Certificate snap-in under Local Computer
  • Expand Personal node and right click the Certificates node.
  • Select All Tasks –> Export
  • Click Next
  • Export the private key
  • Click Next
  • Under the Personal Interchange Format, PKCS#12, Tick all except for “delete the private key after successful export”
  • Click Next
  • Give it a password of your choice (make sure that you remember this; This is required for installing the certs on other servers)
  • Specify a file name to save it in a location
  • Click Next
  • Click Finish

Bind the website in IIS

  • Open IIS Manager and expand the Server name and choose the Default Web Site
  • Under Actions, select Bindings
  • Add the https and select the newly installed certificate
  • Click OK

Install the exported PFX certificate on the other servers and change the binding to https following the steps above. That’s all there is to it, folks.
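The whole procedure above (SAN request with a 2048-bit exchange key, submission to the internal CA, PFX export and the IIS binding) can also be done without leaving PowerShell, using the built-in certreq.exe and an INF file instead of the MMC wizard. The script below is an added example, not part of the original post: the hostnames, CA config string ("CA host\CA name"), paths and friendly name are placeholders, it assumes the CA publishes the Web Server template (internal name WebServer), and it assumes the WebAdministration module is present for the IIS step.

```powershell
# Added example: SAN CSR -> enterprise CA -> PFX -> IIS binding with certreq.exe and PowerShell.
# All names and paths below are placeholders.
param(
    [string]$CommonName   = 'storefront.corp.example',
    [string[]]$SanNames   = @('storefront.corp.example', 'ddc01.corp.example', 'ddc02.corp.example'),
    [string]$CAConfig     = 'ca01.corp.example\Corp-Issuing-CA',   # "host\CA name"; certutil -config - -ping lists it
    [string]$WorkDir      = 'C:\Temp\san-cert',
    [string]$FriendlyName = 'StoreFront SAN certificate'
)
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'san.inf'
$req = Join-Path $WorkDir 'san.req'
$cer = Join-Path $WorkDir 'san.cer'

function New-SanRequestInf {
    # Builds the certreq INF. Each wizard setting from the post maps to a key below.
    param([string]$Cn, [string[]]$Sans, [string]$Friendly)
    # SAN extension (OID 2.5.29.17) in certreq's {text} syntax: one dns= entry per hostname.
    $sanLines = ($Sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Cn, OU=IT, O=Example Org, S=Wellington, C=NZ"
FriendlyName = "$Friendly"
; 2048 bits: 4096 breaks NetScaler VPX monitors (see the P.S. above)
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type in the wizard
KeySpec = 1
KeyAlgorithm = RSA
; "Make private key exportable" and the Local Computer store
Exportable = TRUE
MachineKeySet = TRUE
; A legacy CSP provider, matching "Legacy Key" in the wizard
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication and Client Authentication
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
}

Set-Content -Path $inf -Encoding ASCII -Value (New-SanRequestInf -Cn $CommonName -Sans $SanNames -Friendly $FriendlyName)

# 1. Create the CSR; the private key is generated in the Local Computer store, marked exportable.
certreq.exe -f -new $inf $req

# 2. Submit to the CA with the Web Server template and 3. accept the issued certificate so it is
#    paired with the private key (the key symbol you look for in MMC). If the template requires
#    CA manager approval, the request is left pending: issue it in the CA console as in the post,
#    then run  certreq.exe -retrieve <RequestId> $cer  before the -accept step.
certreq.exe -f -submit -config $CAConfig -attrib 'CertificateTemplate:WebServer' $req $cer
certreq.exe -accept $cer

# 4. Export as PKCS#12 (PFX) with the private key for the other servers.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CommonName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $WorkDir 'san.pfx') -Password $pfxPassword -ChainOption BuildChain | Out-Null
# On each other server: Import-PfxCertificate -FilePath san.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 5. Bind HTTPS on the Default Web Site to the new certificate.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
```

Keeping the INF in version control is the main practical gain over the wizard: the SAN list, key size and key type are written down, so the next renewal cannot quietly come back as a 4096-bit CNG key that the NetScaler VPX monitors reject.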

If there is anything that’s unclear, please feel free to comment or provide feedback in the comment section below.

How to find list of applications published on individual Citrix / VDA servers?


Ever wondered how to list all the published applications on individual Citrix servers? Below is a script that queries all the applications and lists them by the delivery group and the servers they are published on. Just copy the code below and save it as a PowerShell file. I ran the script in a XenApp 7.16 farm and it worked like a charm. It should work on other XenApp/CVAD 7.x versions too.

Add-PSSnapin Citrix*   # load the Citrix Broker cmdlets (asnp is the alias for Add-PSSnapin)
$apps = Get-BrokerApplication
foreach ($app in $apps) {
    Write-Output ""   # blank line between applications
    Write-Output "Application name: $($app.Name)"
    $dgUIDs = $app.AssociatedDesktopGroupUids
    foreach ($dgUID in $dgUIDs) {
        # look the delivery group up by Uid so its name is known before the VDA loop runs
        $dg = Get-BrokerDesktopGroup -Uid $dgUID
        Write-Output "`tDeliveryGroup: $($dg.Name)"
        $VDAs = Get-BrokerDesktop -DesktopGroupUid $dgUID
        foreach ($VDA in $VDAs) {
            Write-Output "`t`tVDA: $($VDA.DNSName) Machine Catalog: $($VDA.CatalogName)"
        }
    }
}

The result will look like the following. The below is a sample of just a single application. The script lists all the applications published in the farm. So there you go!

Configure RDP Proxy in NetScaler


The RDP Proxy functionality is provided as part of the Citrix Gateway and currently is available to all NetScaler Enterprise and Platinum customers.

The following RDP Proxy features provide access to a remote desktop farm or an RDSH session host server through Citrix Gateway:

  • Secure RDP traffic through CVPN or ICAProxy mode (without Full Tunnel).
  • Single sign-on (SSO) to RDP servers through Citrix Gateway (with an option to disable SSO if needed).
  • Enforcement (SmartAccess) feature, where Citrix ADC administrators can disable certain RDP capabilities through Citrix Gateway configuration.
  • Single/Stateless (Dual) Gateway solution for all needs (VPN/ICA/RDP/Citrix Endpoint Management).
  • Compatibility with native Windows MSTSC client for RDP without the need for any custom clients.
  • Use of existing Microsoft-provided RDP client on MACOSX, iOS, and Android.

Firewall Ports

RDP Proxy requires port 3389 to be opened from the internet. You could also choose another port number if you don’t want to use 3389. In a nutshell, just opening port 443 isn’t enough to get this to work.

Initial Configuration

Now to get started, we will need to enable the RDP Proxy feature if it isn’t turned ON. For that, navigate to System – Settings – Configure Advanced Features and ensure that RDP Proxy is turned ON. If not, tick the box to turn ON the RDP Proxy feature. You will need NetScaler Enterprise or above for this feature to work.

Create LDAP Profile and Policy

Create an LDAP profile for authentication. Navigate to NetScaler Gateway – Policies – Authentication – LDAP

Click on the Servers tab and click Add. Enter the required details such as AD server IP address, port details and a service account. For those who haven’t done this before, here is a helpful link from Citrix. It’s dead easy to set this up. https://docs.citrix.com/en-us/citrix-gateway/12-1/authentication-authorization/configure-ldap/ng-ldap-authen-configure-tsk.html If you have any questions, just pop it in the comments window and I will respond when I see them.

Now create the LDAP policy. Click on the Policies tab, click Add. Enter the entries as shown in the picture below. Ensure that the correct LDAP profile is selected.

Create the RDP Client Profile

Navigate to NetScaler Gateway – Policies – RDP Profiles and Connections – Client Profiles

Click Add

Give it a name such as RDProxy_Profile and leave the rest of the values default if you would like. I changed the RDP Cookie Validity from 60 sec to 120 seconds

Click OK

Create an RDP Server Profile

Create an RDP Server Profile. Click on the first tab that says Server Profile

Click Add and enter a name for the server profile. Enter the IP address (this is the IP address of the RDP Proxy Virtual Server that you will configure under the NetScaler Gateway). Enter the port number – You can choose to go with the default RDP port if you wish to or choose another one

Click OK

Create a Session Profile

Now, go to NetScaler Gateway – Policies – Session – Session Profiles. Click Add

Give the profile a Name

No changes under the Network Configuration tab. Leave everything as default there

Under the Client Experience tab, change Clientless Access to ON, tick Single Sign-on to Web Applications and set Credential Index to Primary. The last setting is turning ON Single Sign-on with Windows.

Under the Security Tab, select Default Authorization to ALLOW and Secure Browse to ENABLED

Under Published Applications, set ICA PROXY to OFF

Under the Remote Desktop tab, pick the RDP Client profile that was created in the previous step

Click Create

Create a Session Policy

Now create a Session Policy that will be bound to the NetScaler Virtual Server. Remember that we haven’t created the virtual server yet.

Switch to Session Policies tab and click Add. Give the session policy a Name and pick the session profile that we just created in the previous step.

Create a Bookmark

Now create a Bookmark and this is what will appear to the users in the form of an application icon to click on.

Give the bookmark a Name and enter the text that you want displayed in the portal. Enter the Bookmark link in the format rdp://IPaddressOfTheBackendRDSServer

Click Create

Create the Gateway Virtual Server

Let’s create the Gateway Virtual server next. Navigate to NetScaler Gateway node, expand that and under Virtual Servers, click Add

Under Basic Settings, configure the below items

  • Name – RDPProxy_rdpproxy.fqdn.co.nz
  • IP Address type – IP Address
  • IP Address – X.X.X.X
  • Port – 443
  • Pick the RDP Server Profile – RDP Server Profile
  • Ensure that Enable Authentication, AppFlow Logging and State is turned ON
  • Disable ICA Only

Click OK

Attach a Server Certificate. The certificate can be a wild card cert or you could choose to get a named certificate that matches the external RDP proxy FQDN

Now bind the Primary authentication policy. We are going to use LDAP and hence I will use LDAP policy that we created in the steps above.

Under SSL Parameters, ensure that only TLS1.2 is turned ON, to harden client connections.

You can choose to go with the default SSL ciphers or modify the ciphers according to the company requirements.

Under Portal theme, I went with RfWebUI which I think is one of the cleanest UIs. You could choose to create a custom one and use that instead.

Under Published Applications, choose the URL Name and select RDP Link (this is the bookmark link that was created)

Under Policies, attach the Session Policy named RDP Session Policy

Click Create
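The same objects can be created from PowerShell through the NetScaler NITRO REST API, which is handy when you need to repeat this on a second appliance or keep the configuration in source control. The script below is an added example, not part of the original post or Citrix's own tooling. Everything in it is an assumption to check before use: the NSIP, credentials, VIP, FQDN, backend IP and object names are placeholders; the LDAP policy and the certificate key pair are assumed to exist already (created as in the LDAP and certificate steps above); and the NITRO resource and attribute names are assumed to follow the NetScaler CLI object names (for example "add rdp clientprofile" becomes the rdpclientprofile resource), so verify them against the NITRO reference for your firmware.

```powershell
# Added example: RDP Proxy configuration from the walkthrough, pushed through the NITRO API.
# All values below are placeholders; NITRO names are assumed from the CLI object names.
param(
    [string]$Nsip        = '192.0.2.10',              # placeholder NSIP
    [string]$User        = 'apiadmin',                # placeholder; use a dedicated API account, not nsroot
    [string]$Password    = 'CHANGE-ME',               # placeholder
    [string]$VipAddress  = '203.0.113.5',             # placeholder external VIP ("X.X.X.X" in the post)
    [string]$Fqdn        = 'rdpproxy.example.test',   # placeholder external FQDN
    [string]$RdsServerIp = '10.0.0.25',               # placeholder backend RDS host for the bookmark
    [string]$LdapPolicy  = 'LDAP_Policy',             # assumed existing LDAP policy name
    [string]$CertKeyName = 'rdpproxy_cert'            # assumed existing certkey name on the appliance
)
$vserver = "RDPProxy_$Fqdn"

function Invoke-Nitro {
    # One NITRO call: POST adds, PUT updates/binds. NITRO errors come back as HTTP 4xx and throw.
    param([string]$Method, [string]$Resource, [hashtable]$Body = $null)
    $headers = @{ 'X-NITRO-USER' = $User; 'X-NITRO-PASS' = $Password }
    $json = if ($Body) { $Body | ConvertTo-Json -Depth 5 -Compress } else { $null }
    # A self-signed NSIP certificate needs -SkipCertificateCheck (PowerShell 7) or a trusted management cert.
    Invoke-RestMethod -Method $Method -Uri "https://$Nsip/nitro/v1/config/$Resource" `
        -Headers $headers -ContentType 'application/json' -Body $json
}

# 1. Enable the RDP Proxy feature (System – Settings – Configure Advanced Features).
Invoke-Nitro POST 'nsfeature?action=enable' @{ nsfeature = @{ feature = @('RDPProxy') } }

# 2. RDP client profile; cookie validity raised from the 60 s default to 120 s as in the post.
Invoke-Nitro POST 'rdpclientprofile' @{ rdpclientprofile = @{ name = 'RDProxy_Profile'; rdpcookievalidity = 120 } }

# 3. RDP server profile: the IP is the Gateway VIP, the port is what clients connect to
#    (3389 here, which is why that port must be open from the internet as well as 443).
Invoke-Nitro POST 'rdpserverprofile' @{ rdpserverprofile = @{ name = 'RDP_Server_Profile'; rdpip = $VipAddress; rdpport = 3389 } }

# 4. Session profile (vpn sessionAction), one attribute per tab setting in the walkthrough.
Invoke-Nitro POST 'vpnsessionaction' @{ vpnsessionaction = @{
    name                       = 'RDP_Session_Profile'
    clientlessvpnmode          = 'ON'                # Client Experience: Clientless Access ON
    sso                        = 'ON'                # Single Sign-on to Web Applications
    ssocredential              = 'PRIMARY'           # Credential Index: Primary
    windowsautologon           = 'ON'                # Single Sign-on with Windows
    defaultauthorizationaction = 'ALLOW'             # Security: Default Authorization ALLOW
    securebrowse               = 'ENABLED'           # Security: Secure Browse ENABLED
    icaproxy                   = 'OFF'               # Published Applications: ICA Proxy OFF
    rdpclientprofilename       = 'RDProxy_Profile'   # Remote Desktop: client profile from step 2
} }

# 5. Session policy that applies the profile to every session (classic ns_true rule).
Invoke-Nitro POST 'vpnsessionpolicy' @{ vpnsessionpolicy = @{ name = 'RDP_Session_Policy'; rule = 'ns_true'; action = 'RDP_Session_Profile' } }

# 6. Bookmark (vpn url) in the rdp://<backend> form.
Invoke-Nitro POST 'vpnurl' @{ vpnurl = @{ urlname = 'RDP_Link'; linkname = 'RDP Link'; actualurl = "rdp://$RdsServerIp" } }

# 7. Gateway virtual server on 443 with the RDP server profile, authentication ON, ICA Only OFF.
Invoke-Nitro POST 'vpnvserver' @{ vpnvserver = @{
    name = $vserver; servicetype = 'SSL'; ipv46 = $VipAddress; port = 443
    rdpserverprofilename = 'RDP_Server_Profile'; authentication = 'ON'; icaonly = 'OFF'; appflowlog = 'ENABLED'
} }

# 8. Bindings: server certificate, LDAP as primary authentication, session policy, bookmark, portal theme.
Invoke-Nitro PUT 'sslvserver_sslcertkey_binding' @{ sslvserver_sslcertkey_binding = @{ vservername = $vserver; certkeyname = $CertKeyName } }
Invoke-Nitro PUT 'vpnvserver_authenticationldappolicy_binding' @{ vpnvserver_authenticationldappolicy_binding = @{ name = $vserver; policy = $LdapPolicy; priority = 100 } }
Invoke-Nitro PUT 'vpnvserver_vpnsessionpolicy_binding' @{ vpnvserver_vpnsessionpolicy_binding = @{ name = $vserver; policy = 'RDP_Session_Policy'; priority = 100 } }
Invoke-Nitro PUT 'vpnvserver_vpnurl_binding' @{ vpnvserver_vpnurl_binding = @{ name = $vserver; urlname = 'RDP_Link' } }
Invoke-Nitro PUT 'vpnvserver_vpnportaltheme_binding' @{ vpnvserver_vpnportaltheme_binding = @{ name = $vserver; portaltheme = 'RfWebUI' } }

# 9. SSL parameters: TLS 1.2 only, as in the post's hardening step (SSLv3, TLS 1.0 and 1.1 off).
Invoke-Nitro PUT 'sslvserver' @{ sslvserver = @{ vservername = $vserver; ssl3 = 'DISABLED'; tls1 = 'DISABLED'; tls11 = 'DISABLED'; tls12 = 'ENABLED' } }

# 10. Persist the running configuration.
Invoke-Nitro POST 'nsconfig?action=save' @{ nsconfig = @{} }
```

Run it once against a lab appliance and compare the resulting "show vpn vserver" and "show ssl vserver" output with a GUI-built server before trusting it in production; the step 9 protocol settings in particular are easy to leave at the firmware defaults, which still allow TLS 1.0 on older builds.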

Testing the Setup

Selecting the RfWebUI gives the below logon page and users could simply use their domain user name and password to log in. They don’t need to enter the domain name.

Upon login, you will be shown the Favorites page where you could add links for quick access. This is very similar to the subscriptions in Storefront.

Click on the Desktops tab and you will be able to see all the published Bookmarks there. I have one in there, you can choose to have any number of bookmarks.

Click on the RDP link to launch the application. It will first download the app.rdp file which could be used to launch the application. You will just need to give the users access to the servers locally by adding them to the Remote Desktop Users group or you could choose to do this via AD domain groups to manage it centrally.