In a perfect world it would be possible to run lots of services behind a single IP address going through the NetScaler Content Switch. Unfortunately we don’t live in a perfect world, and this post is NOT going to give the solution.
Now, there are no problems running RDS Gateway and Horizon View on a dedicated IP address with an SSL Bridge, but my current Mission Impossible is to get them all running on a single IP address. At the moment I have a Unified Gateway and ADFS running on 443, which is a great victory for a NetScaler newbie like myself.
The purpose of this blog post is to show the community what I have achieved so far and a reasonable workaround for the problem in question. I’m pretty confident that we as a community will figure this out together, some day. There’s clearly a big interest in this topic.
Below is the configuration for my RDS Gateway and VMware Horizon View Security Server. I did have some problems in the beginning getting the web pages to display, but got some help from my NetScaler mentor Dave Brett figuring that out. It seems the NetScaler VIP gets confused when the external certificate is bound to both the VIP and IIS.
add server view 192.168.86.14
add serviceGroup svcgrp_view_https SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver vip_view_https SSL 0.0.0.0 0 -persistenceType SOURCEIP -timeout 5 -cltTimeout 180
add cs action act_view -targetLBVserver vip_view_https
add cs policy view -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"HOSTNAME.xenapptraining.com\")" -action act_view
bind lb vserver vip_view_https svcgrp_view_https
bind cs vserver UG -policyName view -priority 65
bind serviceGroup svcgrp_view_https view 443
bind ssl serviceGroup svcgrp_view_https -certkeyName DigiCertCA -CA -ocspCheck Optional
bind ssl vserver vip_view_https -certkeyName Wildcard-External
bind ssl vserver vip_view_https -certkeyName DigiCertCA -CA -ocspCheck Optional
bind ssl vserver vip_view_https -certkeyName TrustedRoot -CA -ocspCheck Optional
add server rdgw 192.168.1.173
add serviceGroup svcgrp_rdgw_https SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver vip_rdgw_https SSL 0.0.0.0 443 -persistenceType SOURCEIP -timeout 5 -cltTimeout 180
add cs action act_rdgw -targetLBVserver vip_rdgw_https
add cs policy rdgw -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"HOSTNAME.xenapptraining.com\")" -action act_rdgw
bind lb vserver vip_rdgw_https svcgrp_rdgw_https
bind cs vserver UG -policyName rdgw -priority 80
bind serviceGroup svcgrp_rdgw_https rdgw 443
set ssl vserver vip_rdgw_https -SNIEnable ENABLED
bind ssl serviceGroup svcgrp_rdgw_https -certkeyName DigiCertCA -CA -ocspCheck Optional
bind ssl vserver vip_rdgw_https -certkeyName Wildcard-External
bind ssl vserver vip_rdgw_https -certkeyName DigiCertCA -CA -ocspCheck Optional
bind ssl vserver vip_rdgw_https -certkeyName TrustedRoot -CA -ocspCheck Optional
I have configured VMware Horizon View Security Server and RDS Gateway as we’re supposed to, with my external wildcard.xenapptraining.com certificate. Well, with that config the web page never shows up when connecting. To fix the problem, you simply add the internal certificate instead.
Doing so, the web pages show up correctly and I’m able to log into the various services. Now the problem occurs when I try to connect, because it’s linked to an internal certificate that’s not recognized on the internet.
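To see which certificate the content-switched VIP actually presents for each SNI hostname, and why a client rejects the internal one, here is an added check script (not part of the original post, not a Citrix tool). It assumes you pass the VIP address, the SHA-256 fingerprint of the external wildcard certificate (as printed by `openssl x509 -noout -fingerprint -sha256`) and the service hostnames on the command line.

```python
import hashlib
import socket
import ssl


def probe(vip, hostname, port=443, timeout=5.0):
    """Handshake with the VIP using SNI = hostname, the way a browser would.
    First with full verification (to capture the error a client would see),
    then without verification so the presented leaf certificate can still be
    fingerprinted even when it is the internal, untrusted one."""
    result = {"hostname": hostname, "trusted": False, "error": None, "sha256": None}
    strict = ssl.create_default_context()
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    for ctx in (strict, lax):
        try:
            with socket.create_connection((vip, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                    der = tls.getpeercert(binary_form=True)
                    result["sha256"] = hashlib.sha256(der).hexdigest()
                    if ctx is strict:
                        result["trusted"] = True
                        break
        except ssl.SSLCertVerificationError as exc:
            # e.g. "unable to get local issuer certificate" for the internal cert
            result["error"] = exc.verify_message
        except (ssl.SSLError, OSError) as exc:
            # handshake failed outright: the "web page never shows up" case
            result["error"] = str(exc)
            break
    return result


def mismatches(results, expected_sha256):
    """Offline check over probe results: which hostnames did NOT get the expected
    external wildcard certificate, or got one a client would not trust.
    Returns a list of (hostname, reason)."""
    expected = expected_sha256.replace(":", "").lower()   # accept openssl's AA:BB:... form
    bad = []
    for r in results:
        if r["sha256"] is None:
            bad.append((r["hostname"], r["error"] or "no certificate received"))
        elif r["sha256"].lower() != expected:
            bad.append((r["hostname"], "unexpected certificate " + r["sha256"][:16]))
        elif not r["trusted"]:
            bad.append((r["hostname"], r["error"] or "not trusted"))
    return bad


if __name__ == "__main__":
    import sys
    vip, expected, *hosts = sys.argv[1:]   # e.g. 203.0.113.10 AA:BB:... view.example.com rdgw.example.com
    for host, reason in mismatches([probe(vip, h) for h in hosts], expected):
        print(f"{host}: {reason}")
```

An empty output means every hostname was served the expected external certificate and a default client trust store accepted it.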
Jake Rutski did get this working on a different setup with NetScaler 10.5, but I’m running the latest release, and there are also some reports in the Citrix Support forum that RDS Gateway doesn’t work anymore on 65.35 but did on 64.x.
Now what I’ve found as a reasonable workaround for me is to use the VPN function of the Unified Gateway. When connecting through VPN you get access to all SNIP networks, so it’s easy to connect to your internal services, though you get tons of SSL errors.
So until Citrix or the community figures this out, that’s the best workaround for home labs running on a single IP address. The only thing I want for Christmas is Citrix support for XenMobile behind a Content Switch (something the rumors say Citrix is working on).