Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetScaler Gateway

This session will cover common deployment methods for StoreFront using NetScaler Gateway as well as review troubleshooting techniques to isolate deployment issues.

What you will learn
- Configuration steps for deploying StoreFront server with NetScaler Gateway
- Design considerations when preparing for deployment
- Tools for troubleshooting to isolate issues

Published in: Technology

  1. How To Troubleshoot Deployments of StoreFront and NetScaler Gateway. Citrix Synergy, May 2014. Juan Zevallos, Escalation Engineer. Tweet about this session with hashtag #SYN401 and #citrixsynergy
  2. © 2014 Citrix. Confidential. Agenda: Prevent issues during configuration; Narrow down the issue; Tools to troubleshoot the issue. DISCLAIMER: Examples used in this presentation are from a test internal lab environment and are not affiliated with any outside entities
  3. “Before anything else, preparation is the key to success.” Alexander Graham Bell
  4. StoreFront Configuration: 3 steps
  5. Step 1: Enable Pass-through from NetScaler Gateway
  6. Step 2: Add the Gateway
  7. Step 2: Add the Gateway
  8. Step 3: Enable Remote Access
  9. What is the Discovery file? Automatically configure the Store Account into Receiver – receiverconfig.cr
  10. How Do I Access the Discovery file? Receiver for Web site; StoreFront management console
  11. What’s in a Discovery file?
  12. StoreFront’s BaseURL
  13. NetScaler Gateway Configuration: Quick Configuration Wizard
  14. How To Access the Wizard?
  15. Create the Gateway
  16. Bind SSL Certificate
  17. Select the Authentication Settings
  18. Configure StoreFront Settings
  19. “Success is often achieved by those who don’t know that failure is inevitable.” Coco Chanel
  20. Understanding the Flow (diagram labels: INTERNET, DMZ, INTERNAL NETWORK; NetScaler; StoreFront; XenApp, XenDesktop; Active Directory 389/636; ICA 1494/2598; STA 80/8080; ICA 443; 443, 443/80, 443)
  21. Authenticating the End User (diagram labels: INTERNET, DMZ, INTERNAL NETWORK; NetScaler 443; Active Directory 389/636)
  22. Failed to Authenticate
  23. Common Reasons for Authentication to Fail
     - Communication issue from NSIP or SNIP to the Domain Controller
     - Bad Service Account used for LDAP Bind
     - Misconfigured Base DN
     - Invalid credentials
  24. Troubleshoot Authentication with Aaad.debug (http://support.citrix.com/article/CTX114999)
     - > shell
     - Run the following command to change to the /tmp directory: cd /tmp
     - Run the following command to start the debugging process: cat aaad.debug
  25. Troubleshoot Authentication with Aaad.debug (http://support.citrix.com/article/CTX114999), sample output:
     - start_ldap_auth attempting to auth juanz @ 10.12.33.216
     - recieve_ldap_bind_event receive ldap bind event
     - recieve_ldap_user_search_event built group string for juanz of:Domain Admins
     - send_reject sending reject to kernel for : juanz
  26. Internal Server Error 29
  27. Accessing StoreFront After Authentication (diagram labels: INTERNET, DMZ, INTERNAL NETWORK; NetScaler 443; Active Directory 389/636; StoreFront 443/80)
  28. Receiver for Web vs Receiver Session Policy (screenshot labels: Receiver Session Policy; Receiver for Web Session Policy)
  29. How To See Policy Hits (http://support.citrix.com/article/CTX138840)
     - > shell
     - Run the following command to start viewing Policy hits: nsconmsg -d current -g pol_hits
  30. How To See Policy Hits (http://support.citrix.com/article/CTX138840), sample output:
     - 1 7001 30 1 0 pol_hits Policy(192.168.2.10_LDAP_pol)
     - 3 0 28 1 0 pol_hits Policy(PL_WB_192.168.200.10)
  31. Priority of Policies
     - The numerical priority takes precedence regardless of where the policy is bound.
     - Priority Order: User (highest priority), Group, Virtual Server, Global (lowest priority)
     - Priority Number
  32. Policy for the Web Browser
  33. Accessing StoreFront After Authentication (diagram labels: INTERNET, DMZ, INTERNAL NETWORK; NetScaler 443; Active Directory 389/636; StoreFront 443/80; 443)
  34. Gateway logon page; StoreFront logon page
  35. Remote Access is NOT Enabled
  36. How Single Sign-On is Invoked on StoreFront
  37. HTTP Header X-Citrix-Via. Enable StoreFront Verbose Logging - CTX139592
  38. Cannot Complete Your Request
  39. How Callback Can Fail
     - StoreFront cannot resolve the Callback FQDN
     - StoreFront does not have network connectivity to the Gateway virtual server Port or IP
     - StoreFront does not trust the Gateway virtual server SSL Certificate
  40. Verify the Certificate Chain: http://digicert.com/help
  41. StoreFront Callback URL Dilemma (diagram labels: NetScaler 1 ag1.webteam.com; NetScaler 2 ag1.webteam.com; StoreFront; ? ?)
  42. Configuring StoreFront with Multiple Gateways: An example of two Gateways configured with the same URL but unique Callback URLs (screenshot labels: NetScaler 1; NetScaler 2)
  43. DebugView and HTTP Headers
  44. A New Header: X-Citrix-Via-VIP (diagram labels: https://callback1.webteam.com; X-Citrix-Via-VIP 192.168.200.10; X-Citrix-Via-VIP 192.168.200.11; https://callback2.webteam.com; NetScaler 1 ag1.webteam.com; NetScaler 2 ag1.webteam.com; StoreFront)
  45. DebugView and Callback Service
  46. Apps Enumerated
  47. Accessing StoreFront After Authentication (diagram labels: INTERNET, DMZ, INTERNAL NETWORK; NetScaler 443; Active Directory 389/636; StoreFront 443/80; 443; STA 80/8080; 443 ICA; XenApp, XenDesktop)
  48. DebugView and STA Ticket Request
  49. DebugView and STA Ticket Response (screenshot callouts: STA ID; STA Ticket)
  50. Analyze the Default.ica Values: 40 = Port 2598; 10 = Port 1494 (screenshot callouts: STA ID; STA Ticket)
  51. NetScaler Gateway and STA (screenshot callouts: STA ID; UP State)
  52. NetScaler Trace and STA
     - > shell
     - nstcpdump.sh -A host <IP address or FQDN> and port <port number>
  53. NetScaler Request STA Ticket: <RequestData> <Ticket ticketType="STAv4"> 5F9EC00DA0ED19CCA447DEFDA802765A </Ticket> <TicketVersion>40</TicketVersion> </RequestData>
  54. NetScaler Response STA Ticket: <TicketData> <Value name="Refreshable">false</Value> <Value name=… ServerAddress;192.168.2.28:1494…;UserName;juanz;… UserDomain;webteam;…ApplicationName;Calculater…</Value> <Value name="CGPAddress">192.168.2.28:2598:localhost:1494</Value> <Value name="ICAAddress">192.168.2.28:1494</Value> </TicketData>
  55. Accessing StoreFront After Authentication (diagram labels: INTERNET, DMZ, INTERNAL NETWORK; NetScaler 443; Active Directory 389/636; StoreFront 443/80; 443; ICA 1494/2598; 443 ICA; XenApp, XenDesktop)
  56. Communication from NetScaler to 1494/2598
  57. What About Receiver? Supported Platforms: Windows 7/8/RT/Phone, Mac, Linux, Blackberry, Android, iOS
  58. Common issues for Receiver
     - The StoreFront Store is inaccessible (internally)
     - Misconfigured StoreFront BaseURL in Session Profile for Receiver
     - Internal Beacon is reachable externally
     - Customizations on the Gateway logon page
     - iOS Receiver does not support SHA256 SSL Certificates
     - Android does not support SAN SSL Certificates
     - Enable Windows Receiver logging – CTX134101
  59. Resources
     - How To Configure NetScaler Gateway with StoreFront – CTX139963
     - SSL Certificate Tester – Digicert Tool
     - How To Troubleshoot Authentication on NetScaler - CTX114999
     - How To Verify Policy Hits on NetScaler - CTX138840
     - How To Enable Verbose Tracing/DebugView on StoreFront - CTX139592
     - How To Enable STA Logging on XenApp - CTX120589
     - How To Capture nstrace from NetScaler CLI - CTX120941
  60. Before you leave… Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 8 at 9:00 a.m. Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes. Download presentations starting Monday, May 19 from the My Event Planning tool
  61. WORK BETTER. LIVE BETTER.
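
For the aaad.debug output on slide 25, a small filter that lists each rejected logon with the client address and the last LDAP event logged before the reject, which shows how far the attempt got. This is an added example, not part of the presentation and not Citrix code; the function names aaad_rejects and sample_log, the second sample user and its address are made up for illustration, and the sample lines are constructed from the fragments on the slide.

```shell
#!/bin/sh
# Added example, not from the slides. Sample lines are constructed from the
# fragments shown on slide 25; real aaad.debug lines may carry extra prefixes.

# aaad_rejects: read aaad.debug text on stdin and print one line per rejected
# logon: "<user> <client-ip> <last event seen before the reject>".
aaad_rejects() {
  awk '
    # An attempt opens with: start_ldap_auth attempting to auth <user> @ <ip>
    /start_ldap_auth attempting to auth/ {
      for (i = 1; i + 3 <= NF; i++)
        if ($i == "auth" && $(i + 2) == "@") {
          cur = $(i + 1); ip[cur] = $(i + 3); last[cur] = "start_ldap_auth"
        }
      next
    }
    # The bind event line carries no user name, so LDAP events are credited
    # to the most recent attempt (interleaved logons can blur this).
    match($0, /rec(ie|ei)ve_ldap_[a-z_]+_event/) {
      if (cur != "") last[cur] = substr($0, RSTART, RLENGTH)
      next
    }
    # The verdict line ends with the user name.
    /send_reject sending reject to kernel for/ {
      u = $NF
      printf "%s %s %s\n", u, (u in ip ? ip[u] : "-"), (u in last ? last[u] : "-")
      delete ip[u]; delete last[u]
      if (u == cur) cur = ""
    }
  '
}

# Constructed sample: one attempt that reaches the group search and one that
# is rejected right after the bind event (second user and IP are invented).
sample_log() {
  cat <<'EOF'
start_ldap_auth attempting to auth juanz @ 10.12.33.216
recieve_ldap_bind_event receive ldap bind event
recieve_ldap_user_search_event built group string for juanz of:Domain Admins
send_reject sending reject to kernel for : juanz
start_ldap_auth attempting to auth testuser @ 192.0.2.15
recieve_ldap_bind_event receive ldap bind event
send_reject sending reject to kernel for : testuser
EOF
}

sample_log | aaad_rejects
```

To use it on real data, feed the output of the cat aaad.debug step from slide 24 to aaad_rejects in place of sample_log.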
