NetScaler VPX for XenApp with CLI

Steps to provision Citrix NetScaler VPX for XenApp with CLI

Information of VPX

Information Description
NS IP 192.168.1.176
Subnet IP 192.168.1.177
Virtual IP 192.168.1.178
Version NS12.0 Build 57.19 – Platinum / Developer License
SSL Cert Lets Encrypt Wild card – *.aventislab.com
vNIC Single Only
  1. Import the downloaded VPX (NS12.0 Build 57.19) to vSphere 6.7
  2. Change the MAC Address to match the license file for VPX

However, we do encounter the following error message in vSphere Web Client

Impermissible static Ethernet address: ’00:0c:29:3b:5c:be’. It conflicts with VMware reserved MACs.

Solution: Login to vSphere Host, and

[root@nuc1:/vmfs/volumes/5a641927-8bab2d50-1b2f-f44d306f60a1/NS1] ls -l *.vmx
-rwxr-xr-x    1 root     root          2829 Oct 12 09:11 NS1.vmx

vi NS1.vmx

#Enter the following 
ethernet0.checkMACAddress = "false"
ethernet0.address = "00:0c:29:xx:xx:xx"

#Check the ID of the VPX and power it on
vim-cmd vmsvc/getallvms 
vim-cmd vmsvc/power.on 79
  1. Initial configuration of NetScaler VPX after NS IP is configured in console
#Verify NS IP is configured 
sh ns ip

#verify Default Route is configured
sh ns runningConfig | grep route

#Host Name
set ns hostName ns1.aventislab.com

#Subnet IP
add ns ip 192.168.1.177 255.255.255.0 -vServer DISABLED

#Set DNS Server
add dns nameServer 192.168.1.200

#Add NTP Server
add ntp server my.pool.ntp.org
enable ntp sync

#Upload and install License
shell
cd /nsconfig/license 

#SCP the license from workstation to VPX
scp VPX-xx.lic nsroot@192.168.1.176:/nsconfig/license

#verify license is installed and updated successfully
sh ns license

#Set Timezone - Required to reboot
set ns param -timezone "GMT+08:00-MYT-Asia/Kuala_Lumpur"

#save configuration and reboot
save ns config 
reboot 

Enable the following features
* WL – Web Logging
* LB – Load Balancing
* SSL – SSL Offload
* SSLVPN – SSL VPN
* AAA –
* CH – Call Home

enable ns feature WL SP LB SSL SSLVPN AAA CH

Import the Lets Encrypt Certificate following the link below
Import PFX to NetScaler VPX

If you had performed factory reset of VPX with

clear ns config full
save ns config
reboot

The imported SSL Certificate will still remained and you can import it with

add ssl certKey AventisLab.com -cert "/nsconfig/ssl/AventisLab.pem" -key "/nsconfig/ssl/AventisLabKey.pem"
add ssl certKey LetsEncryptIntermediate -cert LetsEncryptIntermediate.cer
add ssl certKey LetsEncryptRoot -cert LetsEncryptRoot.cer
link ssl certKey AventisLab.com LetsEncryptIntermediate
link ssl certKey LetsEncryptIntermediate LetsEncryptRoot

Point the public URL (https://citrix.aventislab.com) to internal Store Front

#Add DNS A Record to point URL to Internal Store Front Server
add dns addRec citrix.aventislab.com 192.168.1.171

Configure the LDAP Authentication via AD Server
* LDAP Name = 192.168.1.200_LDAP
* LDAP Policy = 192.168.1.200_LDAP_pol

#LDAP Authentication 
add authentication ldapAction 192.168.1.200_LDAP -serverIP 192.168.1.200 -ldapBase "dc=UAT,dc=aventislab,dc=com" -ldapBindDn administrator@uat.aventislab.com -ldapBindDnPassword XXXXXXX -ldapLoginName sAMAcoountName -authentication DISABLED -requireUser NO

add authentication ldapPolicy 192.168.1.200_LDAP_pol NS_TRUE 192.168.1.200_LDAP

#Verify LDAP Authentication is working
shell
ldapsearch -b "dc=uat,dc=aventislab,dc=com" -D "administrator@uat.aventislab.com" -h 192.168.1.200 -p 389 -w 'XXXXXXXX'

Add the following Policies – Based on the Policies generated by using the Wizard

add vpn sessionAction AC_OS_192.168.1.178 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://citrix.aventislab.com/Citrix/StoreWeb" -ClientChoices OFF -ntDomain uat.aventislab.com -clientlessVpnMode OFF -storefronturl "https://citrix.aventislab.com" -sfGatewayAuthType domain
add vpn sessionAction AC_WB_192.168.1.178 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://citrix.aventislab.com/Citrix/StoreWeb" -ClientChoices OFF -ntDomain uat.aventislab.com -clientlessVpnMode OFF -sfGatewayAuthType domain
add vpn sessionPolicy PL_OS_192.168.1.178 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_192.168.1.178
add vpn sessionPolicy PL_WB_192.168.1.178 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_192.168.1.178

Add the VPN Server with Virtual IP = 192.168.1.178

#VPN Server
add vpn vserver _XD_192.168.1.178_443 SSL 192.168.1.178 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn citrix.aventislab.com

#HTTP to HTTPS redirect
add lb vserver 192.168.1.178http_redirect HTTP 192.168.1.178 80 -persistenceType NONE -redirectURL "https://citrix.aventislab.com" -cltTimeout 180

Bind the AAA, Portal Theme, staServer and policies to VPN Server – _XD_192.168.1.178_443

bind vpn vserver _XD_192.168.1.178_443 -staServer "http://citrix.aventislab.com"
bind vpn vserver _XD_192.168.1.178_443 -portaltheme X1
bind vpn vserver _XD_192.168.1.178_443 -policy 192.168.1.200_LDAP_pol

bind vpn vserver _XD_192.168.1.178_443 -policy PL_OS_192.168.1.178 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_192.168.1.178_443 -policy PL_WB_192.168.1.178 -priority 110 -gotoPriorityExpression NEXT -type REQUEST

Bind the Lets Encrypt Wild Card SSL Cert to _XD_192.168.1.178_443

bind ssl vserver _XD_192.168.1.178_443 -certkeyName AventisLab.com

#Save ns config
save ns config

Open Edge and login to https://citrix.aventislab.com
CitrixVPX-XenApp-01

Launch the App
CitrixVPX-XenApp-02

App successfully launched in HTML5
CitrixVPX-XenApp-03

Leave a Comment