Mar 202015
 

EDIT:  People have been requesting a tool to deploy SMS2 secret keys en mass, and the developer hasn’t implemented it yet.  Until he does I wrote a powershell script that will remotely connect to the sql database and inject the information needed for each user you select (http://pastebin.com/NBJHJPsX).  I have it setup for TOTP keys… which I think is what most people will use.
EDIT2:  I created a new script that does basically the same thing as the script posted above, but you can direct it against a specific AD group (http://pastebin.com/L9D8Jwaf).  Also, if you haven’t yet – upgrade your netscalers to version 11 – much easier to control the portal themes.

Get SMS2

Go to http://www.wrightccs.com/ and register for your free copy – an email will be sent to you with a download link and your xml based license.

Prepare your environment

You will need SQL/SQLExpress if you don’t already have it (will assume you do). You also need .NET 4 on the RADIUS server (will assume you have that too).

1. On the server you wish to use for RADIUS authentication open server management and click Add Roles and Features

2. Install the Network Policy and Access Services role and add any features that go along with that role – accept all the defaults.
clip_image001
clip_image002

3. Open the Network Policy Server Console

a. Expand Policies and select Network Policies

b. Right click Connections to other access servers and select properties

c. Change it from Deny access to Grant access and hit ok
clip_image003

d. Expand RADIUS Clients and Servers

e. Right click RADIUS Clients and select New

f. Create a connection for the local computer (so you can test connections).
Friendly name – whatever you want to name it
Address – the IP address of the RADIUS server you are creating
Shared secret – type something in that you will remember (will need it later)
Hit OK
clip_image004

g. Do the same thing for your Netscaler(s) using the NSIP(s) – again remember your shared secret – if you have more than one Netscaler use the same shared secret.
Should look something like this when you are done
clip_image005

4. Install SMS2

a. Next

b. For my purposes I select Custom (I don’t want SMS based authentication – just token)

i. Services I set CloudSMS to not install

ii. Under Clients I set all to install but the Citrix Web Interface Customization and SMS2…

c. Configure AuthEngine – enter the license text from the email you received and hit Check License (should pop up when it expires) – click ok and then Next

d. Leave the account as Local System and hit Next

e. On the next screen change the AuthEngine Address to 0.0.0.0 (will reply on all IP addresses of the server)
Type in your domain controller name/address and fill in user account credentials of a user with access to AD
optionally you can change the BaseDN, but I’ll leave it as the root of my test domain
test your config and hit Next if successful
clip_image006

f. Enter your SQL server information
If the SQL instance is on the RADIUS server itself (as it is in my case) check the box to “Use named pipes (local)”
Click Test Connection – I get an error about how it could not use the database… it wasn’t there yet. I hit test connection again and it is successful.
clip_image007

g. Enter your email information – uncheck SSL and Use Auth if you don’t need them (straight smtp for me) – Finish
clip_image008

h. Configure OATHCalc – Next – Finish

i. Configure AdminGUI/Clients – Set the AuthEngine Address to the IP of the RADIUS server, and hit Finish

j. Next – install – Finish

Configure SMS2 for Token

1. Browse to C:\Program Files\WrightCCS2\Settings (assuming you installed the 64bit version… if not the Settings directory will be in x86)

2. Open Configuration.xml in notepad and change these settings (by default they are True, which will mess things up)
<AuthEnginePinCode>False</AuthEnginePinCode>
<AuthEngineChallengeResponse>False</AuthEngineChallengeResponse>

3. Find the <AuthProviders> line

a. Under CloudSMS – disable it (we didn’t install it anyways)
<Enabled>false</Enabled>
<Default>false</Default>

b. Under OATHCalc set it as default
<Default>true</Default>

c. Under PINTAN – disable
<Enabled>false</Enabled>

d. Under Email – disable
<Enabled>false</Enabled>

4. Save the .xml file and restart the WrightAuthEngine service (if they are not started – start them)

Setup all users for token (this could potentially take a long time)

1. Launch the SMS2 Admin Console

2. Select the user on the right hand side to select, and hit Configuration Menu at the top.

3. Go to the Auth Options tab (don’t need the others)
clip_image009

4. Click TOTP (time-based) and click Generate Shared Secret – record the shared secret if you want
clip_image010

5. Click Save configuration and you will see a popup – click OK and then you will see a QR code – copy it to the clipboard and send it to the user (also keep a record of it if you want)
clip_image011

6. Click Close

7. Do that again and again until you have a token for every user who needs to connect to XenApp/XenDesktop through the gateway

At this point users would download Google Authenticator or Microsoft Authenticator (probably others) to their smartphone and add the account using that QR code. Let’s assume everyone has done that.

TEST!!!

1. Download NTRadPing (https://thwack.solarwinds.com/thread/14486) – google it if that link doesn’t work… you will find it

2. From your RADIUS server unzip it and run it (remember we created a client connection for the local computer earlier)
Type the IP of your radius server (port is 1812 if it isn’t there by default)
Leave the reply/retries set to default
Type in your secure string that you associated with the local computer RADIUS client
Type in the domain\username of a user you have configured to use one of the authenticator apps
Type in the password followed immediately with whatever code is showing in your authenticator app. If the password is “P@ssword!” then the password would be P@ssword!456123 (where 456123) is the number generated.
Click Send – If you see Reply-Message=Message accepted then you are good to go. If not then something is wrong.
clip_image012

Configure Netscaler

GUI 10.5

1. Logon your netscaler and browse to Netscaler Gateway\Policies\Authentication\RADIUS

2. Click the Servers tab and click Add
Give it a name
Select Server IP and punch in the IP of the RADIUS server
Port will be 1812
Type in the secret key you used to create the Netscaler RADIUS clients on the RADIUS server
clip_image013
Click Details and set Accounting* to OFF
Click Create

3. Click the Policies tab and click Add
Name the policy
Select the Server you just created (if it isn’t pre-selected)
Type in “ns_true” into the Expression field and hit Create
clip_image014

4. Bind the policy to your Netscaler Gateway virtual server(s) (NetScaler Gateway\Virtual Servers)
Select the virtual server and hit edit
Click the + on Authentication
clip_image016
Choose RADIUS and Secondary from the drop downs and hit Continue
clip_image017
Click to select the policy
clip_image018
Tick the policy you just created and hit ok
clip_image019
Click Bind
clip_image020
Click done and save

At this point you should be ready to test logging onto the gateway page

Testing the gateway

1. Hit your gateway address you will probably notice it has changed and looks something like this:
Password1 is your password
Password2 is your token pin
clip_image021

2. Logon using your credentials and the token generated by Google Authenticator (or whatever app you are using).

a. If it works then you are good to go and can move onto customizing the web interface

b. If it does not work unbind the policy and test to figure out where things are going wrong

i. Could be the wrong IP entered in for the Netscaler on the RADIUS server or wrong security string

Fixing the gateway appearance

1. Download Notepad++ and install (http://notepad-plus-plus.org/download/v6.7.5.html)

2. Download Tunnelier (http://www.bitvise.com/ssh-client-download)

3. Install and run Tunnelier (Bitvise SSH Client)

4. Connect to your netscaler using the password method
clip_image022

5. A command window and a SFTP window will open – select the SFTP window and on the right hand side browse to: /var/netscaler/gui/vpn

6. Select login.js and click the download button at the bottom (will download to your local desktop by default unless you change it on the left side… should be ok).
clip_image023

7. On the right side go into the resources folder and download en.xml

8. Make a backup copy of the files just in case

9. Open login.js using Notepad++
Find this line: if ( pwc == 2 ) { document.write(‘&nbsp;1’); }
and change it to:
if ( pwc == 2 ) { document.write(‘&nbsp;’); }
Just remove the 1 basically
Find the line that starts with: document.write(‘<TR><TD align=right style=”padding-top:
and change right to left

10. Save login.js

11. Open en.xml in Notepad++
Find this line: <String id=”Password2″>Password 2:</String>
Change it to: <String id=”Password2″>Token:</String>
You can name it whatever you want… I’m just using Token:

12. In Tunnelier upload the files to their respective directories overwriting them

13. Refresh your browser and your changes should be reflected.
clip_image024

The only problem now is that this change will not survive a reboot. In older versions of netscaler you could use a rewrite policy to rewrite the page and that would persist. In 10.1+ you have to use a custom theme.

 

Set a custom theme so the gateway appearance persists a reboot

NOTE: Linux is case sensitive… type things exactly as I have them.

1. Using Tunnelier switch to your terminal window
Commands:
shell
cp /nsconfig/ns.conf /nsconfig/ns.conf.save
mkdir /var/ns_gui_custom
cd /netscaler
tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

What we did there was make a backup of ns.conf (in case something goes awry – reverse the “cp” command to restore it), created a folder, and zipped the contents of /netscaler/ns_gui to /var/ns_gui_custom/customtheme.tar.gz ß that is the file and location that netscaler knows to use for a custom theme.

2. Open your netscaler in your browser, logon and navigate to NetScaler Gateway\Global Settings

3. Click the Change Global Settings link on the right side

4. Click the Client Experience tab and scroll to the bottom

5. Switch the UI Theme to Custom and hit OK
clip_image025

6. TEST the gateway page (I use a chrome incognito window when I make a change as it doesn’t use the cached website)

7. If the test is successful save your netscaler configuration

a. If you have a HA pair I am pretty sure you have to mirror all the steps on the secondary except for setting the UI Theme to Custom. On your secondary:

i. Copy the files to the correct locations on the secondary netscaler

ii. Run the commands from the terminal window

iii. Force a sync from the gui (System\High Availability à Actions)

Mar 162015
 

UPDATE:  I found trying to run this script through the Netscaler Gateway failed due to differences in the web pages.  I re-wrote the script so it will work internal directly to StoreFront, and externally with Netscaler Gateway.  The main caveat is that the wficalib.dll doesn’t allow you to logoff the session when going through the gateway.  I simply set it to look for any wfica32 processes prior to launching the application/desktop, compare that to the processes after launch, and kill the new process (disconnecting the session).  The script identifies the webpage as a gateway if */vpn/* is in the path.  I also set it to logoff of the Storefront/Gateway page when it ends the script.  If you were to run it back to back without logging off of the page it wouldn’t find what it is looking for initially and fail (because you’d probably already be logged on).  I may re-write this in the future with more functions to make it a bit shorter/cleaner, but as is it should work.
NOTE: I tested this with Netscaler 10.5… it may not work with previous versions as is, but if you read the script you should be able to figure out what needs to be changed.

I need to give credit to this Citrix blog post for getting me started.  This script will launch an application or desktop as a user you specify from the StoreFront web page, then send you an email to let you know if it was successful or not.

Variables you should edit:

In the send-results function
$smtpserver (line 19)
$msg.From (line 28)
$msg.to.Add (line 29)

In the main script (be sure to read the comments)
$username (line 84)
$passstring (line 86)
$resource (line 92)
$mask (line 94)
$wait (line 96)
$internetexplorer.visible (line 98)
$internetexplorer.navigate2 (line 99)

Requirements:
Powershell (x86)! – otherwise you cannot tie into the x86 dll for Receiver
(If you are going to the Netscaler Gateway it doesn’t matter which version as we won’t tie into the dll in that case)

Add the following to the registry if you are pointing to the internal StoreFront url – if you are pointing to the Netscaler Gateway it won’t matter
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\CCM]
“AllowLiveMonitoring”=dword:00000001
“AllowSimulationAPI”=dword:00000001

If you are running on an x86 machine change the registry path to exclude Wow6432Node, and change the path of the .dll on line 156 of the script to the correct path of the wficalib.dll.

Here is the script!

Contact me in in the channel David62277

Mar 052015
 

CitrixIRC is pleased to announce the first of hopefully many Citrix focused community driven Webinars! For those of you that don’t know, CitrixIRC is a community driven real time support channel which exists on the Freenode IRC server. YES… IRC is still around, and not just used for world domination! Freenode is actually the home of hundreds of technical IT channels. Wither it’s technical question, shooting the breeze, or just looking for some career advice CitrixIRC is the place to be.

 

Webinars topics will consist of debates, How To’s, tips from the field, and open discussions to name a few. The goal with the community driven focus is to have these conversations open up to the community, allowing everyone to learn from each others experiences. Panelists and presenters will consist of various industry professionals from the community and will constantly be switched up to always ensure new and exciting content.  Real time chat options during the webinar will be either audio, or chat using the CitrixIRC WebChat client . This is a first run, if we get some good feedback we’ll look to host these on a regular basis. We forward to your feedback and contributions!

Signup for this webinar at the following link: CitrixIRC Community Webinar 3/9/2015 

 

If you are unable to attend due to the time zone differences, please still register as you will receive a link to the recorded webinar!

If this is your first time here  click the “Web IRC Client” link to enter into the real time support channel! Or you can hit it directly by going to join.citrixirc.com

– CitrixIRC Team