Professional Documents
Culture Documents
Contents
Prerequisites ......................................................................................
Configuring a Web Interface Site for LAN Users Using HTTP .........................
Configuring a Web Interface Site for LAN Users Using HTTPS .......................
16
Configuring a Web Interface Site for Remote Users Using NetScaler Gateway ...
27
Using Smart Card Authentication for Web Interface through NetScaler Gateway
33
39
40
Web Interface
The Web Interface on Citrix NetScaler appliances is based on Java Server Pages (JSP)
technology and provides access to Citrix XenApp and Citrix XenDesktop applications. Users
access resources through a standard Web browser or by using the Citrix XenApp plug-in.
The Web Interface runs as a service on port 8080 on the NetScaler appliance. To create
Web Interface sites, Java is executed on Apache Tomcat Web server version 6.0.35 on the
NetScaler appliance. The Web Interface sites provide user access to the XenApp and
XenDesktop resources, which include applications, content, and desktops.
The Web Interface installation includes installing the Web Interface tar file and JRE tar file
on the NetScaler appliance. To configure the Web Interface, you create a Web Interface
site and bind one or more XenApp or XenDesktop farms to it.
Following is a typical set of interactions among a user device, a NetScaler running the Web
interface, and a server farm.
1. A user authenticates to the Web interface through a Web browser or by using the
XenApp plug-in.
2. The Web interface reads the user's credentials and forwards the information to the
Citrix XML Service running on servers in the server farm.
3. The Citrix XML Service on the designated server retrieves from the servers a list of
resources that the user can access. These resources constitute the user's resource set
and are retrieved from the Independent Management Architecture (IMA) system.
4. The Citrix XML Service then returns the user's resource set to the Web interface running
on the NetScaler.
5. The user clicks an icon that represents a resource on the HTML page.
6. The Web interface queries the Citrix XML Service for the least busy server.
7. The Citrix XML Service returns the address of this server to the Web interface.
8. The Web interface sends the connection information to the Web browser.
9. The Web browser initiates a session with the server.
Prerequisites
The following prerequisites are required before you begin installing and configuring the
Web interface.
XenApp or XenDesktop farms are set up and running in your environment. For more
information about XenApp, see the XenApp documentation at http://edocs.citrix.com/.
For more information about XenDesktop, see the XenDesktop farms documentation at
http://edocs.citrix.com/.
Conceptual knowledge of the Web interface. For more information about Web interface
running on a server, see the Web interface documentation at http://edocs.citrix.com/.
Web interface tar file. The setup file for installing the Web interface on the NetScaler
appliance. This tar file also includes Apache Tomcat Web server version 6.0.35. The file
name has the following format: nswi-<version number>.tgz (for example, nswi-1.5.tgz).
JRE tar file. The JRE tarball. You must use the OpenJDK7 package for FreeBSD
8.x/amd64. The package named openjdk-7.17.02_2.tbz can be downloaded from http:/
/ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/8.4-RELEASE/packages/java/op
enjdk-7.17.02_2.tbz or from ftp://mirror.is.co.za/FreeBSD/ports/amd64/packages-8.4release/devel/openjdk-7.17.02_2.tbz.
Note: On a high availability setup, when installing the web interface with tar files (web
interface and JRE) that are already available on the appliance, ensure that the files are
available in the same location on both the primary and secondary appliances; otherwise,
the web interface will not be installed on the secondary appliance.
Copy the tar files to a local workstation or to the /var directory of the appliance.
These files install all the Web interface components and JRE on the hard drive and
configure automatic startup of the Tomcat Web server with Web interface at appliance
startup time. Both tar files are internally expanded in the /var/wi directory on the hard
drive.
Note: After installing web interface on the appliance and before creating a web interface
site, you must place the client plugin in the appliance by using the appropriate Upload
Plugins utility provided on the web interface details pane.
Using an HTTP or an HTTPS virtual server. You create an HTTP or an HTTPS virtual
server on the NetScaler appliance and bind the web interface service, running on port
8080 of the NetScaler appliance, to the virtual server. Clients on the LAN use the virtual
server IP address to access the web interface. When using this access method, the URL
format for the web interface site is as follows:
<HTTP or HTTPS>://<HTTP or HTTPS vserver IP address>:<vserver port
number>/<web interface site path>
The following access methods are available for clients accessing the web interface site
when it is configured using an HTTP or an HTTPS virtual server:
Figure 1. A Web Interface Site Configured for LAN Users Using HTTP
10
> add wi site WINS1 -siteType XenAppWeb -publishedResourceType Online -kioskMode ON -defaultAccessM
2. (Optional) Set an access method for a Client's IP address or network. At the command
prompt, type:
bind wi site <sitePath> -accessMethod <accessMethod> -clientIpAddress <ip_addr>
-clientNetMask <netmask>
3. If you have set the Translated access method for a Client's IP address or network then
provide Internal IP and external IP address mappings. At the command prompt, type:
bind wi site <sitePath> -translationInternalIp <ip_addr> -translationInternalPort
<port|*> -translationExternalIp <ip_addr> -translationExternalPort <port|*>
[-accessType <accessType>]
4. Bind XenApp or XenDesktop farms to the Web interface site. At the command prompt,
type:
bind wi site <sitePath> <farmName> <xmlServerAddresses> -xmlPort <value> -transport
( HTTP | HTTPS) -loadBalance ( ON | OFF )
Example
> bind wi site WINS1 XA1 10.102.46.6 -xmlPort 80 -transport HTTP -LoadBalance OFF
> bind wi site WINS1 XD1 10.102.46.50 -xmlPort 80 -transport HTTP -LoadBalance OFF
5. Create a service that is a logical representation of the Web interface service running on
the NetScaler appliance. At the command prompt, type:
add service <name> <IP address> <serviceType> <port>
Example
> add service WI_Loopback_Service 127.0.0.1 HTTP 8080
6. Add an HTTP vserver. At the command prompt, type:
add lb vserver <virtualServerName> <protocol> <IPAddress> <port>
Example
11
12
bind wi site
sitePath
13
add service
name
Name for the service. Must begin with an ASCII alphabetic or underscore (_) character,
and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon
(:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the service
has been created.
IP
IP to assign to the service.
serviceType
Protocol in which data is exchanged with the service.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, DTLS, NNTP, RPCSVR,
DNS, ADNS, SNMP, RTSP, DHCPRA, ANY, SIP_UDP, DNS_TCP, ADNS_TCP, MYSQL, MSSQL,
ORACLE, RADIUS, RDP, DIAMETER, SSL_DIAMETER, TFTP
port
14
add lb vserver
IPAddress
IPv4 or IPv6 address to assign to the virtual server.
port
Port number for the virtual server.
View description(s) in command reference Top
bind lb vserver
serviceName
Name of the service.
View description(s) in command reference Top
15
Figure 1. A Web Interface Site Configured for LAN Users Using HTTPS
16
17
> add wi site WINS1 -siteType XenAppWeb -publishedResourceType Online -kioskMode ON -defaultAccessM
2. (Optional) Set an access method for a Client's IP address or network. At the command
prompt, type:
bind wi site <sitePath> -accessMethod <accessMethod> -clientIpAddress <ip_addr>
-clientNetMask <netmask>
3. If you have set the Translated access method for a Client's IP address or network then
provide Internal IP and external IP address mappings. At the command prompt, type:
bind wi site <sitePath> -translationInternalIp <ip_addr> -translationInternalPort
<port|*> -translationExternalIp <ip_addr> -translationExternalPort <port|*>
[-accessType <accessType>]
4. Bind XenApp or XenDesktop farms to the Web interface site. At the command prompt,
type:
bind wi site <sitePath> <farmName> <xmlServerAddresses> -xmlPort <value> -transport
( HTTP | HTTPS) -loadBalance ( ON | OFF )
Example
> bind wi site WINS1 XA1 10.102.46.6 -xmlPort 80 -transport HTTP -LoadBalance OFF
> bind wi site WINS1 XD1 10.102.46.50 -xmlPort 80 -transport HTTP -LoadBalance OFF
5. Create a service that is a logical representation of the Web interface service running on
the NetScaler appliance. At the command prompt, type:
add service <name> <IPAddress> <serviceType> <port>
Example
> add service WI_Loopback_Service 127.0.0.1 HTTP 8080
6. Add an HTTPS vserver. At the command prompt, type:
add lb vserver <name>@ <protocol> <IPAddress> <port>
Example
18
19
20
bind wi site
sitePath
Path to the Web Interface site.
farmName
Name for the logical representation of a XenApp or XenDesktop farm to be bound to the
Web Interface site. Must begin with an ASCII alphabetic or underscore (_) character, and
must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:),
at (@), equals (=), and hyphen (-) characters.
accessMethod
21
add service
name
Name for the service. Must begin with an ASCII alphabetic or underscore (_) character,
and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon
(:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the service
has been created.
serviceType
Protocol in which data is exchanged with the service.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, DTLS, NNTP, RPCSVR,
DNS, ADNS, SNMP, RTSP, DHCPRA, ANY, SIP_UDP, DNS_TCP, ADNS_TCP, MYSQL, MSSQL,
ORACLE, RADIUS, RDP, DIAMETER, SSL_DIAMETER, TFTP
port
Port number of the service.
View description(s) in command reference Top
add lb vserver
No parameters provided in this topic or the command has no parameters. View
description(s) in command reference Top
bind lb vserver
policyname
22
23
24
26
Figure 1. A Web Interface Site Configured for Remote Users Using NetScaler Gateway
27
Configuring a Web Interface Site for Remote Users Using NetScaler Gateway
28
Configuring a Web Interface Site for Remote Users Using NetScaler Gateway
29
Configuring a Web Interface Site for Remote Users Using NetScaler Gateway
Path to the Web Interface site being created on the NetScaler appliance.
agURL
URL of the Access Gateway.
siteType
Type of access to the Web Interface site. Available settings function as follows:
* XenApp/XenDesktop web site - Configures the Web Interface site for access by a web
browser.
* XenApp/XenDesktop services site - Configures the Web Interface site for access by the
XenApp plug-in.
Possible values: XenAppWeb, XenAppServices
Default value: WI_XENAPPWEB
publishedResourceType
Method for accessing the published XenApp and XenDesktop resources.
Available settings function as follows:
* Online - Allows applications to be launched on the XenApp and XenDesktop servers.
* Offline - Allows streaming of applications to the client.
* DualMode - Allows both online and offline modes.
Possible values: Online, Offline, DualMode
Default value: WI_ONLINE
kioskMode
User settings do not persist from one session to another.
Possible values: ON, OFF
Default value: OFF
wiAuthenticationMethods
The method of authentication to be used at Web Interface
Default value: WI_EXPLICIT
webSessionTimeout
Time-out, in minutes, for idle Web Interface browser sessions. If a client's session is idle
for a time that exceeds the time-out value, the NetScaler appliance terminates the
connection.
30
Configuring a Web Interface Site for Remote Users Using NetScaler Gateway
Default value: 20
Minimum value: 1
Maximum value: 1440
defaultAccessMethod
Default access method for clients accessing the Web Interface site.
Note: Before you configure an access method based on the client IP address, you must
enable USIP mode on the Web Interface service to make the client's IP address available
with the Web Interface.
Depending on whether the Web Interface site is configured to use an HTTP or HTTPS
virtual server or to use access gateway, you can send clients or access gateway the IP
address, or the alternate address, of a XenApp or XenDesktop server. Or, you can send
the IP address translated from a mapping entry, which defines mapping of an internal
address and port to an external address and port.
Note: In the NetScaler command line, mapping entries can be created by using the bind
wi site command.
Possible values: Direct, Alternate, Translated, GatewayDirect, GatewayAlternate,
GatewayTranslated
loginTitle
A custom login page title for the Web Interface site.
Default value: "Welcome to Web Interface on NetScaler"
View description(s) in command reference Top
bind wi site
sitePath
Path to the Web Interface site.
farmName
Name for the logical representation of a XenApp or XenDesktop farm to be bound to the
Web Interface site. Must begin with an ASCII alphabetic or underscore (_) character, and
must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:),
at (@), equals (=), and hyphen (-) characters.
accessMethod
Secure access method to be applied to the IPv4 or network address of the client
specified by the Client IP Address parameter.
Depending on whether the Web Interface site is configured to use an HTTP or HTTPS
virtual server or to use access gateway, you can send clients or access gateway the IP
address, or the alternate address, of a XenApp or XenDesktop server. Or, you can send
31
Configuring a Web Interface Site for Remote Users Using NetScaler Gateway
the IP address translated from a mapping entry, which defines mapping of an internal
address and port to an external address and port.
Possible values: Direct, Alternate, Translated, GatewayDirect, GatewayAlternate,
GatewayTranslated
translationInternalIp
IP address of the server for which you want to associate an external IP address. (Clients
access the server through the associated external address and port.)
Default value: 0
View description(s) in command reference Top
32
33
Make sure that you install the latest web interface tar file (nswi-1.5.tgz). This tar file
provides support for smart card authentication.
You must configure Delegation on the Active Directory. Follow the Active Directory
Configuration section under Procedure, as described in the article at
http://support.citrix.com/article/CTX124603.
Using Smart Card Authentication for Web Interface through NetScaler Gateway
Using Smart Card Authentication for Web Interface through NetScaler Gateway
Additionally, smart card support on web interface requires certificate-based authentication
on the NetScaler GatewayAdditionally, smart card support on web interface requires
certificate-based authentication on the Access Gateway. If you do not have
certificate-based authentication already configured on the NetScaler Gateway vserver, do
the following:
1. Configure an NetScaler Gateway vserver and bind the server and CA certificate to it.
add vpn vserver <vpnvserver_name> SSL <AccessGateway_VIP> <port>
bind ssl vserver <vpnvserver_name> -certkeyName <Server_Cert_Key_Pair>
bind ssl vserver <vpnvserver_name> -certkeyName <Root_Cert_as_CKP> -CA
set ssl vserver <vpnvserver_name> -clientAuth ENABLED -clientCert Optional
add dns nameserver <dns_server_ip>
2. Configure a certificate-based authentication policy and bind itcertAction_name to the
NetScaler Gateway vserver.
add authentication certAction <certAction_name> -userNameField <string>
add authentication certPolicy <certPolicy_name> <rule> <certAction_name>
bind vpn vserver <vserver_name> -policy <certPolicy_name>
3. Configure the web interface site in ICA proxy mode through a session policy and then
bind it to NetScaler Gateway vserver.
add vpn sessionAction <sessionAction_name> -defaultAuthorizationAction ALLOW -SSO
ON -wihome "<WI_URL>" -wiPortalMode NORMAL -icaproxy ON
add vpn sessionPolicy <sessionPolicy_name> <rule> <sessionAction_name>
bind vpn vserver <vpnvserver_name> -policyName <sessionPolicy_name>
bind vpn vserver <vpnvserver_name> -staServer "<sta_server_url>"
35
Using Smart Card Authentication for Web Interface through NetScaler Gateway
defaultAccessMethod
Default access method for clients accessing the Web Interface site.
Note: Before you configure an access method based on the client IP address, you must
enable USIP mode on the Web Interface service to make the client's IP address available
with the Web Interface.
Depending on whether the Web Interface site is configured to use an HTTP or HTTPS
virtual server or to use access gateway, you can send clients or access gateway the IP
address, or the alternate address, of a XenApp or XenDesktop server. Or, you can send
the IP address translated from a mapping entry, which defines mapping of an internal
address and port to an external address and port.
Note: In the NetScaler command line, mapping entries can be created by using the bind
wi site command.
Possible values: Direct, Alternate, Translated, GatewayDirect, GatewayAlternate,
GatewayTranslated
View description(s) in command reference Top
36
Using Smart Card Authentication for Web Interface through NetScaler Gateway
37
Using Smart Card Authentication for Web Interface through NetScaler Gateway
Web address of the Web Interface server, such as http://<ipAddress>/Citrix/XenApp, or
Receiver for Web, which enumerates the virtualized resources, such as XenApp,
XenDesktop, and cloud applications. This web address is used as the home page in ICA
proxy mode.
If Client Choices is ON, you must configure this setting. Because the user can choose
between FullClient and ICAProxy, the user may see a different home page. An Internet
web site may appear if the user gets the FullClient option, or a Web Interface site if the
user gets the ICAProxy option. If the setting is not configured, the XenApp option does
not appear as a client choice.
wiPortalMode
Layout on the Access Interface. The COMPACT value indicates the use of small icons.
Possible values: NORMAL, COMPACT
icaproxy
Enable ICA proxy to configure secure Internet access to servers running Citrix XenApp or
XenDesktop by using Citrix Receiver instead of the NetScaler Gateway Plug-in.
Possible values: ON, OFF
View description(s) in command reference Top
38
Find. Displays the following search options that you can use to find one or more
instances of a text string in a configuration:
Look for. Provides a space for you to type the text string that you want to
locate in the configuration. As you type the text, the first instance is displayed.
If the word you are looking for is not in the file, the Look for text box will
change color.
Next. Finds and highlights the next occurrence of the text string you typed in
Look for.
Previous. Finds and highlights the previous occurrence of the text string you
typed in Look for.
Mark All. Highlights all instances of the text string at one time you typed in
Look for. Scroll to review each highlighted instance.
39
Find. Displays the following search options that you can use to find one or more
instances of a text string in a configuration:
Look for. Provides a space for you to type the text string that you want to
locate in the configuration. As you type the text, the first instance is displayed.
If the word you are looking for is not in the file, the Look for text box will
change color.
Next. Finds and highlights the next occurrence of the text string you typed in
Look for.
Previous. Finds and highlights the previous occurrence of the text string you
typed in Look for.
Mark All. Highlights all instances of the text string at one time you typed in
Look for. Scroll to review each highlighted instance.
40