Jens Ostkamp

Members
  • Posts

    84
  • Joined

  • Last visited

  • Days Won

    1

Posts posted by Jens Ostkamp

  1. 54 minutes ago, Sergiu-Konrad Kork said:

    what are you using the RDP server profile for ?

    in my deployment, i have it like this:

    - LB vServers for the backend RDS services. the bookmarks point to these

    - NSAG virtual server that does auth and has the bookmarks added; no RDS server profile configured

    - session profile bound to the NSAG vServer, which contains the RDS client profile (among other stuff irrelevant here)

     

    The rest is just cosmetics.

    Hey, thanks for your response!

    I use the server profile to configure RDP redirection. I have read in several other posts that this is mandatory if NSGW should be able to work as an RDP proxy when there is an RDS broker in the backend farm.

    So do you have applications and desktops as bookmarks? How do you separate them? From my understanding I have to add these mentioned parameters after my bookmark link so it is clear which application/desktop a user is trying to connect to.

    But I don't use LB vServers; I basically point my gateway directly to the RDS Broker server (configured within the client profile).

  2. On 9.10.2018 at 1:21 AM, Sergiu-Konrad Kork said:

    I can, I've just set up one with several backend RDS SH, works like a charm. Even with RDS farms, using the connection broker as target.

     

    what i can't get to work is with using client certificate authorization...

     

    Can you give some details about the configuration? I am currently stuck trying to set it up correctly:

    https://discussions.citrix.com/topic/404362-netscaler-gateway-for-rds-farm/

    As far as I understood, the NetScaler RDP Proxy does support connections to an RDS Broker, but I guess I did something wrong in my configuration.

  3. On 14.6.2018 at 11:38 AM, Roberto Pereira said:

    It seems that NetScaler can handle now RDP Connections in a RDS Farm with Connection broker: https://docs.citrix.com/en-us/netscaler-gateway/12-1/rdp-proxy/rdp-redirection.html and https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-common-protocols/lb-rdp-servers.html

     

    I did the following now:

    - In the RDP Server Profile I activated RDP Redirection

    - I created a RDP Protocol Load Balancing vServer containing all 5 RDS Servers with Method Leastconnection with IP 1.1.1.1

    - I created a Bookmark with the address rdp://1.1.1.1

     

    When I click the bookmark, I am connected to one of the RDP Servers in the Load Balancing Group. This works only the first time; when I log off or disconnect, I can't reconnect anymore.

    In the article above there is a link to http://www.jasonfilley.com/rdpcookies.html regarding RDP Cookies. If I understand correctly, I have to disable "Use IP Address Redirection" in the GPOs for all RDS Servers. I could not test this setting until now; I have to wait until a maintenance window. I am also not sure if the internal users can still connect and reconnect without problems over the connection broker with this GPO.

    Has somebody already tested this? Any help would be appreciated. Thanks.

    Did you ever get this to work? I have a similar problem, but I used some other workaround; unfortunately it still doesn't really click:

    https://discussions.citrix.com/topic/404362-netscaler-gateway-for-rds-farm/

  4. Hello everyone,

     

    So I have come across an interesting setup that I have been trying to test for some time now. The idea is that I want to use NetScaler Gateway as a gateway for an RDS Farm.

    Basically I want to add Bookmarks as RDP Connections which connect to the RDS Broker Server.

    I have found some small posts about this; I know that the RDP Proxy feature is in general working for an RDP Session to a computer, but of course I want to achieve the same with RDS Apps.

    The obvious problem has always been that specific connection parameters aren't present in the RDP File the NetScaler will deliver to the Client.

    Researching the internet, I have found an interesting comment on a blog post by JG Spiers: https://www.jgspiers.com/rdp-proxy-netscaler-gateway/

    "Lafrance
    July 27, 2018
    Hi,
    you can add those special parameters to the bookmark. This allows you to publish multiple RemoteApp + RDP desktops to your users.
    Here's an example:
    add vpn url RemoteApp RemoteApp "rdp://10.10.10.10?alternate shell:s:||ServiceCenter&remoteapplicationprogram:s:||ServiceCenter&remoteapplicationname:s:ServiceCenter&remoteapplicationcmdline:s:&remoteapplicationmode:i:1" -clientlessAccess ON
    All you have to do is to open the RDP RemoteApp file within a notepad and then extract those parameters and use & to append them after the ? in the bookmark.
    I used those 5 parameters to make it work. Nothing to change in the RDP ClientProfile. I had RDP Redirection = Enabled in the RDP ServerProfile on NS 12.1"

     

    One user explains that adding the specific connection information after the Bookmark URL itself will store it in the RDP File, which then "should" work correctly as a whole.

    Adding the bookmark with the specific parameters worked perfectly; when I download the RDP file I can see those parameters added successfully, but I can't establish a connection as I get the error "Connection for this computer cannot be established, because the information provided in the RDP file couldn't get validated by the connection broker" (roughly translated from German).

    Within the Eventviewer of the Connection Broker Server I found the following entry:

     

    RD Connection Broker failed to process the connection request for user domain\user.
    User's RDP file has invalid hint format.
    Error: The request is not supported.

     

    Since my understanding of RDS isn't the best, I am not sure if there are some configurations missing (it sounds to me like the broker doesn't "accept" the connection since the request comes from an "invalid" gateway, as if I forgot to add the appliance to some kind of "allowed" relays, similar to Citrix publishing where you have to add the Gateway which has to be used for this Store), but if anyone got this configuration working I'd highly appreciate any support regarding this.

    My NetScaler configuration is basically the same as JG Spiers describes in his blog post:

    - RDP Server and Client profile (same shared secret, RDP redirection enabled)

    - VPN vServer with ICA only unchecked

    - correct certificates on both sides

     

    Thanks a lot in advance and best regards!
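    As an added illustration of the bookmark technique quoted above (example code written for this page, not from the thread or from Citrix), the following parses the `key:type:value` lines of a RemoteApp .rdp file, builds the `rdp://host?...` bookmark with the five parameters the comment names, and checks a delivered .rdp file for those parameters so a bookmark that lost them can be spotted before the broker rejects it. The host name and the sample .rdp contents are constructed.

```python
# Added example, not from the thread: build a NetScaler Gateway RDP-proxy
# bookmark from the RemoteApp settings of a .rdp file, and check a delivered
# .rdp file for the five settings the quoted blog comment appends after "?".
# Host name and sample .rdp contents are constructed.

# The five settings the quoted comment appends to the bookmark, in its order.
REMOTEAPP_KEYS = ("alternate shell", "remoteapplicationprogram",
                  "remoteapplicationname", "remoteapplicationcmdline",
                  "remoteapplicationmode")

def parse_rdp(text):
    """Parse .rdp lines 'key:type:value' into {key: (type, value)}.
    A value may contain ':' (e.g. host:port), so split at most twice;
    lines without an s/i/b type field are skipped."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0]] = (parts[1], parts[2])
    return settings

def build_bookmark(host, settings):
    """Return rdp://host?k:t:v&k:t:v... with the RemoteApp settings kept in
    .rdp syntax; refuse to build a bookmark that lacks one of them."""
    missing = [k for k in REMOTEAPP_KEYS if k not in settings]
    if missing:
        raise ValueError("RemoteApp settings missing: " + ", ".join(missing))
    params = "&".join("%s:%s:%s" % (k, *settings[k]) for k in REMOTEAPP_KEYS)
    return "rdp://%s?%s" % (host, params)

def check_delivered_rdp(text):
    """Return the RemoteApp keys absent from an .rdp file the gateway handed
    out, to spot a bookmark that lost parameters before the broker rejects it."""
    return [k for k in REMOTEAPP_KEYS if k not in parse_rdp(text)]

# Constructed sample of a RemoteApp .rdp file exported from RDS.
SAMPLE_RDP = """\
full address:s:rds-broker.example.test:3389
alternate shell:s:||ServiceCenter
remoteapplicationprogram:s:||ServiceCenter
remoteapplicationname:s:ServiceCenter
remoteapplicationcmdline:s:
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    print(build_bookmark("10.10.10.10", parse_rdp(SAMPLE_RDP)))
```

    With the sample above, `build_bookmark("10.10.10.10", ...)` reproduces exactly the URL quoted in the blog comment.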

  5. On 27.6.2019 at 2:16 PM, Gregor Blaj said:

    Have you tried using the CLI? Wouldn’t be the first time I’ve seen the GUI do odd things. 

     

    I would go with this too. Adding ciphers to a user-defined group has always been a struggle and contained various GUI bugs.

    When you did the config re-import, did you just copy-paste the config into the NetScaler (or just copy the ns.conf into the NetScaler directory)? I've had various problems when I tried to just copy-paste the CLI commands into NetScaler. I think the backup/restore function is better for these cases, as you usually have to alter the old ns.conf quite a bit to not run into weird issues after executing the old ns.conf on a new NetScaler.

  6. Hello all,

     

    I've come across an issue that is more and more present for my clients, regarding Microsoft Online/On-Premise hybrid configurations.

    So, I have a pretty much basic Exchange 2013 publishing (Content Switching, Pre-Authentication, Load Balancing) with an ADC 10.5 (yes, I know it should get updated, but this one particular client is a bit "stubborn" regarding firmware updates...).

    Everything works fine and as expected; now we have the issue that the Microsoft Exchange Online configuration permanently needs to access the /ews directory (and autodiscover as well, I think) and its subdirectories to exchange free/busy information and so on. Until now I have solved this by just adding these EWS paths alongside the public IPs of Azure for Exchange Online into a separate Content Switching Policy which forwards the traffic to an additional load balancing server where no Pre-Authentication is configured.

    Apparently the paths/IPs have changed over time, because it doesn't work anymore (the policy is still getting hits, but I assume that there is just some other subdirectory or another public IP which causes this).

    So my question is: how do you guys solve this issue in general? I really don't want to keep adding stuff to a policy or pattern set because I think that it's an endless thing, since Microsoft will surely change or add public IPs etc. etc., so is it better to just fully deactivate Pre-Authentication on the /ews subdirectory? This would cause some "minor" (depends how you see it) security issues, as of course all external clients which use /ews services will be able to get through to Exchange without any authentication at NetScaler.

     

    I am not completely sure how to solve this, because deactivating pre-authentication is like "too easy" regarding the fact that I basically just want to exempt one specific service (Microsoft Online) from pre-authentication.

     

    Any help or ideas are greatly appreciated. Thanks a lot!

     

    Best regards

    Jens

    I have the official statement of the support technician that this is a known bug/issue which is being worked upon. There is a possible solution to this which I was unable to test yet: removing the "Group Attributes" field within the LDAP Actions. However, this is not possible as NetScaler will automatically re-fill the Group Attribute to memberOf, regardless of the change you make to this field (probably another bug). So you basically will have to enter some dummy group attribute to get rid of the memberOf attribute. If someone has the same issue currently and is able to test this, please let me know, as I am currently not able to do this kind of test.

    But basically the problem persists: it is a known bug and it's being worked upon, so there is probably no way at the moment to work around this, especially if you need the Group Attribute "memberOf" for further configuration/authorization requirements.

  8. Hey :)

     

    I have recently set up the OTP feature within a customer's environment. I followed this guide by Carl Stalhood:

    http://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/

     

    So, the initial Setup worked pretty well, we have used a fresh test user and everything went fine. 

     

    Users can log in through their manageotp -> set up their devices -> test OTP -> log in with the otp.

     

    Now, when we tried it with a regular user, the OTP verification fails. It basically looks like this: the user can log in through manageotp. The user can add their device (QR code shown); as soon as the user tries to verify/test the OTP, NetScaler throws an error. The device is then automatically deleted again (when trying to log in to manageotp again).

    I verified that NetScaler is able to write the seed into the AD attribute and retrieves the seed, but then somehow it just breaks down.

     

    So I started to check other possibilities and recognized that the usual user of my client is a member of ~100 AD groups. After doing some testing I could verify that as soon as your user is in more than 36 groups, the failing behaviour is shown. Everything up to 36 works fine. Whenever you add a 37th group, OTP verification fails. It doesn't matter what group it is, it doesn't matter what user it is. We tested it with a fresh user and added him to one group after another, we tested it with a duplicate of a regular user and removed one group after another. The breaking point seems to be 36/37 groups. Anyone ever encountered similar things? I know that there are issues with many AD groups and NetScaler somehow getting a timeout if one user is in too many groups, but from what I have researched so far, the limitation shouldn't be like 36 groups.

     

    OTP is used for MFA with LDAP for NetScaler Gateway to StoreFront

     

    Thank you very much in advance
