
How can you get the Wizard to recognize the current setup? Integrate with Citrix Products :: XenApp and XenDesktop :: Wizard :: Get Started



Recently, I inherited a Citrix ADC VPX 13.0-58.32.nc when a Citrix Admin walked out the door. The ADC had been set up with a large number of issues, and when I reviewed it with a Regional Citrix Representative he felt starting from a fresh ADC VPX would be wise, where I could set up the ADC fresh but use the old one as an example for configuration settings. I set up the new ADC VPX on 13.1-17.42.nc and used an "nFactor Flow" along with the Load Balancing Virtual Servers for LDAPS, DNS, etc. for all the various domains. I set up the Citrix Gateway Virtual Server and everything with a customized nFactorPortalTheme for handling Native OTP, reCAPTCHA and a Domain SELECT Input field. Things were running fine for testing with a HOSTS file to resolve the IP for the Public Certificate. I ended up migrating over from the old ADC 13.0 to the new ADC 13.1 and afterwards noticed something I missed...

 

On the new ADC 13.1-17.42.nc I did NOT use the "Integrate with Citrix Products" > "XenApp and XenDesktop" > "Get Started" Wizard to set up the Citrix Gateway Virtual Server, as I was following the existing Configuration on the ADC 13.0 and other guides online. Now that I'm running this new ADC, if I go to "Integrate with Citrix Products" > "XenApp and XenDesktop" it still thinks this has not been set up even though a Citrix Gateway Virtual Server is actively being used and integrated with Citrix StoreFront. So the "XenApp and XenDesktop" Dashboard is not loading as it still thinks the "Citrix Gateway" needs to be created. If I try to use the "Get Started" it will not allow me to use the existing Citrix Gateway Virtual Server IP address as it recognizes it is already in use. Sadly, it's not detecting that the reason it is in use is because there already is a Citrix Gateway Virtual Server with StoreFront settings in the Citrix Gateway Session Profile(s).

 

Reviewing the "Integrate Citrix Gateway with StoreFront" ( https://docs.citrix.com/en-us/citrix-gateway/current-release/integrate-citrix-gateway-with-citrix-products/integrate-with-storefront.html ) I'm not seeing any way of using the CLI or some other option for it to assess your currently configured Citrix Gateway and then continue verifying and/or configuring using that Citrix Gateway Virtual Server IP.

 

Does anybody have any idea how to re-use the Citrix Gateway Virtual IP without destroying everything I already set up?

Edited by Jeffrey Faulstich
grammar
Link to comment
Share on other sites

If you use the wizard to create the vpn vserver, then you can use the wizard to edit its primary settings or go straight to the vpn server and session policies and make changes there. Some things are not editable if the wizard was used to create them - like changing the vpn vserver name or VIP, which you could change if it was built manually.

 

You cannot take an existing manually created vserver and add it to the wizard interface for management. It's one or the other. If you wanted to make a test vpx and use the wizard there to build the settings you missed and then manually port them over, you might. But on your current system, if you wanted to use the wizard you would either have to use a NEW VIP and new entity names OR remove your existing config and use the wizard to make new. Usually though, you just need to identify the session policy differences and you can close the gap.

 

 

Link to comment
Share on other sites

Rhonda, well that isn't exactly what I was hoping to hear. I'm trying to set up another VServer using the "Integrate with Citrix Products" :: "XenApp and XenDesktop" to see if there is something missed that then would allow it to recognize the existing Citrix Gateway VServer that is already set up with all of its settings. We'll see if I can find the specific issue of what was missing.

Link to comment
Share on other sites

I know it's not what you wanted. But the "wizard" interface only shows vpn vservers in the Integrate dashboard created by the wizard; it does not show manually created vpn vservers at all.

 

You could run the wizard for a NEW VIP to compare its session policies and authentication settings with your current config on a new parallel gateway instance so it does not conflict with your existing configuration.    Or run it on a test vpx with identical information that is not going to conflict with the IP in use.  

 

You can also get a copy of your previous config file and do a diff on the previous config file prev.ns.conf and your new.ns.conf and see what other differences show up. It may help you find the missing setting or the settings discrepancy.

 

But the wizard is just a script that runs commands and it doesn't usually handle existing conflicts.  

 

Link to comment
Share on other sites

I went through as much of the "Integrate Citrix Products" :: "XenApp and XenDesktop" as I could  but the Authentication is an issue.  We use an "nFactor Flow" which is associated with the "Authentication Profile"  :: "Authentication Virtual server" without any "Basic Authentication" or "Advanced Authentication" policies defined. 

 

This is apparently not normal (or Best Practices) as the Wizard doesn't have that as an option right away. I went ahead and it created the XenApp and XenDesktop VServer as much as it could without Authentication. Then I went into the Configuration > Citrix Gateway > Virtual Servers and edited the _XD* VServer that it created to have matching Session Policies, Authentication Profile, Portal Theme, etc. After all this fun I have a quasi-functioning Citrix Gateway and can see some Dashboard graphs in the "XenApp and XenDesktop" display. However, the "Edit" (pencil icon) no longer functions. When I try to use the "Download file" option I receive the following Error:

 

Cannot Download File. Operation not permitted [No StoreFront gateway authentication type configured for _XD_{%IP_ADDRESS_OF_VSERVER%}_443]

Where {%IP_ADDRESS_OF_VSERVER%} is the IP Address of the Citrix Gateway Virtual Server created by the "XenApp and XenDesktop" Wizard.

 

Coming from a web developer background, I'd think anonymous access to the login form would be logical and then the nFactor Flow Authentication Profile with related Session Policies would make sense.  I'm definitely not thinking in the way the Citrix NetScaler/ADC developers designed this to function.

Link to comment
Share on other sites

Hi Jeffrey,

 

Best not to use the wizards ... Like Rhonda said, it's basically just a bunch of scripts, it has terrible naming conventions and I'm afraid it just isn't suited for the type of config you're trying to do here. I would also suggest to ditch the nFactor stuff and rebuild your flow by hand. nFactor is again some scripts that create policies, policylabels, ... with terrible names and strings those together. It is much more clean, and easier in my opinion, to create all of this manually. You'll lose the nFactor Visualizer yes, but that's not a big loss to be honest.

 

To iron out the issues in your current config, I again must concur with Rhonda and suggest to compare ns.conf files. If you're not familiar with the CLI this can seem a daunting task, but it's really the only way to be absolutely sure not to miss anything. Keeping the CLI reference (https://developer-docs.citrix.com/projects/citrix-adc-command-reference/en/latest/) and the policy expression reference (https://developer-docs.citrix.com/projects/citrix-adc-advanced-policy-expression-reference/en/latest) guides close by would be my best tip here.

 

If you're looking for fancy graphs & statistics, you could look at ADM(Service) or extract the data via SNMP/API/... to the data processing solution of your choice. 

 

I know this is probably again not what you wanted to hear/read, but nonetheless I hope this helps somehow.


Cheers,

G.

Link to comment
Share on other sites
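The ns.conf comparison suggested in the two replies above, sketched as an added example that is not part of the original posts and is not Citrix tooling. It compares only `vpn` and `authentication` commands, ignores line order, and reports per-option differences; all entity names, addresses and URLs in the sample configs are constructed.

```python
import shlex
GROUPS = {"vpn", "authentication"}  # gateway and nFactor commands only

def parse_conf(text):
    """Index vpn/authentication commands: add/set by entity, bind by whole line."""
    entries = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[1] not in GROUPS:
            continue
        tokens = shlex.split(line)  # keeps quoted URLs and expressions whole
        if tokens[0] == "bind":     # one entity carries many bindings
            entries[tuple(tokens)] = {}
            continue
        start = next((i for i, t in enumerate(tokens) if t.startswith("-")), len(tokens))
        opts = {"(positional)": " ".join(tokens[4:start])}
        for tok in tokens[start:]:
            if tok.startswith("-"):
                name, opts[tok] = tok, ""
            else:
                opts[name] = (opts[name] + " " + tok).strip()
        entries[tuple(tokens[:min(4, start)])] = opts
    return entries

def diff_conf(old_text, new_text):
    """Return commands present on one side only, plus per-option changes."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    changed = {}
    for key in old.keys() & new.keys():
        delta = {o: (old[key].get(o), new[key].get(o))
                 for o in old[key].keys() | new[key].keys() if old[key].get(o) != new[key].get(o)}
        if delta:
            changed[" ".join(key)] = delta
    only = lambda a, b: sorted(" ".join(k) for k in a.keys() - b.keys())
    return {"only_old": only(old, new), "only_new": only(new, old), "changed": changed}

# Constructed sample configs: names, addresses and URLs are made up.
OLD = r'''
add vpn vserver gw_prod SSL 192.0.2.10 443 -icaOnly ON
add vpn sessionAction act_rcv -icaProxy ON -wihome "https://sf.example.test/Citrix/StoreWeb" -ntDomain corp -ssoCredential PRIMARY
bind vpn vserver gw_prod -policy pol_rcv -priority 100
'''
NEW = r'''
add vpn vserver gw_prod SSL 192.0.2.10 443 -icaOnly ON
add vpn sessionAction act_rcv -icaProxy ON -wihome "https://sf.example.test/Citrix/StoreWeb" -ssoCredential SECONDARY
add authentication authnProfile prof_nf -authnVsName aaa_nf
set vpn vserver gw_prod -authnProfile prof_nf
'''
if __name__ == "__main__":
    print(diff_conf(OLD, NEW))
```

Entities are matched by name, so a wizard-created vserver or session action with a different name shows up under `only_old` or `only_new` rather than under `changed`.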

On 5/24/2022 at 11:14 AM, Gunther De Poortere said:

Hi Jeffrey,

 

Best not to use the wizards ... Like Rhonda said, it's basically just a bunch of scripts, it has terrible naming conventions and I'm afraid it just isn't suited for the type of config you're trying to do here. I would also suggest to ditch the nFactor stuff and rebuild your flow by hand. nFactor is again some scripts that create policies, policylabels, ... with terrible names and strings those together. It is much more clean, and easier in my opinion, to create all of this manually. You'll lose the nFactor Visualizer yes, but that's not a big loss to be honest.

 

To iron out the issues in your current config, I again must concur with Rhonda and suggest to compare ns.conf files. If you're not familiar with the CLI this can seem a daunting task, but it's really the only way to be absolutely sure not to miss anything. Keeping the CLI reference (https://developer-docs.citrix.com/projects/citrix-adc-command-reference/en/latest/) and the policy expression reference (https://developer-docs.citrix.com/projects/citrix-adc-advanced-policy-expression-reference/en/latest) guides close by would be my best tip here.

 

If you're looking for fancy graphs & statistics, you could look at ADM(Service) or extract the data via SNMP/API/... to the data processing solution of your choice. 

 

I know this is probably again not what you wanted to hear/read, but nonetheless I hope this helps somehow.


Cheers,

G.

Gunther,

 

You and Rhonda are right that the Wizards are definitely limited in their usage. I'm actually supposed to be a Developer more than a Systems Administrator, so it's a bit surprising to me that the GUI for the ADC is not nearly polished given the potential it has. I've had to resort to using the CLI for some things for sure so far. The "nFactor Flow" visualizer is far from polished with its auto-arrangement and lack of detecting the client window size to use your vertical resolution. Some minor CSS changes would fix the display (which I'm tempted to do to the GUI resource files), but the auto-arrangement is pretty insane. I have a Visio diagram to actually have something reasonable to follow for the Inbound IP Switching, reCAPTCHA w/ NativeOTP, ManageOTP, Multi-Domain Custom Logins. With some work the Citrix Development team could definitely disable the auto-arrangement and save some position data of the factors to clear up a lot of confusion.

 

Thanks for your input and suggestions. I'll have to get more comfortable with the CLI for sure. The trick about CLI is the documentation and inline help is always only as good as the time someone put into it. I was just recently trying to redo the STATIC Routes using the CLI and was a little frustrated that the documentation lacked some option explanations that I really wanted to know.

 

Jeff

Link to comment
Share on other sites

Hi Jeff,

 

Honestly the GUI has been terrible the last couple of releases. In fact I have multiple support cases open regarding issues on basic stuff no longer working/displaying/... in GUI, but working and showing up fine in CLI. 

 

I'd advise against modifying system files, even if it's only CSS. If you ever need help from Citrix Support and they find out, you'll be immediately slapped with the fact that they will not want to support it since you modified the system. Even if you do manage to change some things, a reboot would most likely revert those changes anyway (there are ways around that of course as well ...).

 

I feel your pain with the documentation remark. Personally I hardly refer to the regular docs anymore as on most parts it's either too vague or just incomplete. Developer docs are somewhat more reliable, but there's still plenty of things not properly explained there either. In such cases it's usually trial and error to find whatever you're looking for.

Link to comment
Share on other sites
