Friday, April 14, 2017

Vikash Kumar Roy Resume

Seven years back I posted this blog. Now it is time to move forward and explore new opportunities. I am all set with my new resume. Let me know if you have any suitable opening that you would like to discuss.

Monday, December 26, 2016

Restrict AGEE users from specific IP

Writing again after February 2016. What am I going to write about? Today I am going to show how to restrict a set of Internet users accessing the AGEE URL.
Here is the use case behind it. A set of users needs to be restricted when accessing the AGEE URL over the Internet, so that they can only reach it from a specific subnet. At the same time, other users should be allowed to access it from anywhere. How can we achieve this?
We thought of using AAA groups and restricting them with a session policy. We created two AAA groups matching AD groups: one that needs to be restricted and one that is unrestricted.
image
Now we created two session policies. One allows the restricted AD group only from a specific set of IP addresses. So what does its expression look like?
image
And if you look at the session profile, we have bound this AD group under Gateway session profile –> Security –> Advanced –>
image
For the other set of users we mapped the other profile, in which no IP is defined, and that profile is tagged to a different session policy.
image
Once this is created we have to check that the policy is getting hit when a user tries to access the URL. We will use the following command: "nsconmsg -g pol_hits -d current"
image
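To make the evaluation order concrete, here is an added Python model of the two AAA groups and their session policies (this is illustration code written for this post, not NetScaler configuration or output; the group names, the 10.10.20.0/24 subnet and the policy names are constructed assumptions). It evaluates a session the way the bound policies are expected to: the restricted group only hits when the client address is inside the allowed subnet, the unrestricted group hits from anywhere, and a per-policy counter stands in for what nsconmsg -g pol_hits reports. The last constructed session shows the caveat to check for: a user who is a member of both AD groups falls through to the unrestricted policy, so the two groups must be kept mutually exclusive.

```python
import ipaddress
from collections import Counter

# Constructed example: AD group names, subnet and policy names are assumptions,
# not values from the blog post.
RESTRICTED_GROUP = "DOMAIN\\AGEE-Restricted"
UNRESTRICTED_GROUP = "DOMAIN\\AGEE-Unrestricted"

# Each entry models one AAA group with its bound session policy. "subnets" of
# None models a session policy whose expression has no source-IP condition.
# List order models the bind priority: lower index is evaluated first.
SESSION_POLICIES = [
    {
        "name": "pol_restricted",
        "group": RESTRICTED_GROUP,
        "subnets": [ipaddress.ip_network("10.10.20.0/24")],  # constructed corporate subnet
    },
    {
        "name": "pol_unrestricted",
        "group": UNRESTRICTED_GROUP,
        "subnets": None,
    },
]

# Per-policy hit counter, the kind of figure "nsconmsg -g pol_hits" reports.
pol_hits = Counter()


def policy_matches(policy, user_groups, client_ip):
    """True when the user is in the policy's AAA group and, if the policy
    carries a source-IP condition, the client address is inside one of the
    allowed subnets."""
    if policy["group"] not in user_groups:
        return False
    if policy["subnets"] is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in policy["subnets"])


def evaluate_session(user_groups, client_ip):
    """Return the name of the first policy that hits, or None when no policy
    matches (no session is established)."""
    for policy in SESSION_POLICIES:
        if policy_matches(policy, user_groups, client_ip):
            pol_hits[policy["name"]] += 1
            return policy["name"]
    return None


def hit_report():
    """Snapshot of the per-policy hit counts as a plain dict."""
    return dict(pol_hits)


if __name__ == "__main__":
    # Constructed sessions: (AD groups of the user, client source address)
    sessions = [
        ({RESTRICTED_GROUP}, "10.10.20.15"),     # restricted user, inside subnet
        ({RESTRICTED_GROUP}, "203.0.113.9"),     # restricted user, from the Internet
        ({UNRESTRICTED_GROUP}, "203.0.113.9"),   # unrestricted user, from anywhere
        ({RESTRICTED_GROUP, UNRESTRICTED_GROUP}, "203.0.113.9"),  # member of both groups
    ]
    for groups, ip in sessions:
        print(f"{sorted(groups)} from {ip}: {evaluate_session(groups, ip)}")
    print("pol_hits:", hit_report())
```

Run it as a script and the restricted user from 203.0.113.9 gets None while the dual-member user gets pol_unrestricted; that second line is the one to watch for in the real pol_hits counters when a "restricted" user is unexpectedly getting in.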
Please provide feedback so that we can improve where needed.

Tuesday, February 16, 2016

StoreFront High Availability and Application Aggregation

Warning: hold your breath and read this maxi post. I am planning to go a little bit into the design as well. Let's start with the requirement and how to achieve it.

Requirement: I wanted to aggregate resources from two sites and show a single icon to the users. I started with the KEYWORD option that was suggested, but it only makes the published application primary and secondary; it does not aggregate the application into a single icon. To get applications aggregated we have to follow the steps below.

We have two sites, one in Mumbai and the other in Chennai. Both sites have their own farm, but high availability (not load balancing) is required between the two sites. It would have been easier if we had a single farm set up across the sites, as explained in my previous blog. To get that we have to create two resource groups or delivery groups at both sites and map users to those two delivery groups.

What is the problem in doing it ?

If we map the same set of users to both sites, then users will see two icons for the same resource and will be unsure which one to click for Mumbai or Chennai.

What is the plan? The plan is to get HSD/Paint/Calculator/Notepad published for both Mumbai and Chennai users. The diagram below represents two separate farms with two separate SF server groups.

Figure: TCS aggregation for blog

Plan A: To make it simpler for the users, show one icon from both sites (HSD) and only the icons from the respective site. The figure above shows that for Plan A a user in Mumbai sees the icon of Paint and a user in Chennai sees the icon of Calculator, though the user has access to both apps. When users hit https://mumbai.company.com they will land on the StoreFront of Mumbai and will get aggregated resources from Mumbai/Chennai. When the XDC of Mumbai is down, they will fail over to Chennai.

Prerequisite: Citrix suggests making the changes in the web.config file located under the store directory C:\inetpub\wwwroot\Citrix\storename\, where storename (not the storeweb) is the name specified for the store when it was created. Within web.config, find the following section

image

Now the content which needs to be included between the above section should look like this. But how do I get all these details?

Make sure you gather them beforehand and then start making changes.

image

To get the values for name="domain\usergroup" and sid="SecurityIdentifier", use AD PowerShell. I would suggest mapping "Everyone" or "Domain Users" so that later you don't have to make changes every now and then.

image

equivalentFarmSet name="setname" : This can be Mumbai or Chennai, based on which location I am specifying.

loadBalanceMode="{LoadBalanced | Failover}" : I have chosen Failover mode as I want users to fail over to the other site.

aggregationGroup="aggregationgroupname" : You can provide any name for convenience. This can be the same for both sites.

farm name="primaryfarmname" : Most of the time people misunderstand what exactly this is and how to get it. If you check the StoreFront configuration for delivery controllers, it is the name of that set, and this is how it looks. For Mumbai the name is "MumbaiController" and for Chennai it is "ChennaiController"; note that this is case sensitive.

Note: StoreFront at both sites will have entries for all the XDCs as shown below. MumbaiController will have the XDC entry for Mumbai and ChennaiController will have the XDC entry for Chennai.

image

So which editor should I use to edit web.config? I have tried many other editors like XML Notepad but found the oXygen XML editor very helpful.

image

The other reason I would suggest oXygen is that it helps you with tagging.

image

Wrong tagging

image

So here is the config file for Plan 1. Changes need to be made on the StoreFront at both sites, flipping the order so that the first site is the local site and the second site is the remote site. Also note the change in this line

<resourcesWingConfigurations>
  <resourcesWingConfiguration name="Default" wingName="Default">

VS

<resourcesWingConfigurations>
  <resourcesWingConfiguration name="Default" wingName="Default" />

While making changes make sure you remove the "/".

For Mumbai                                                                                              For Chennai

image

Plan B: To make it simpler for the users, show one icon from both sites and all the published applications for the users. When users hit https://mumbai.company.com they will land on the StoreFront of Mumbai and will get aggregated resources from Mumbai/Chennai plus all the other resources the user has been assigned. Referring to the figure above, users at both sites can see all the applications (HSD/Notepad/Paint/Calculator) irrespective of the site he/she belongs to.

  For Mumbai                                                                                                 For Chennai

image

Once the configuration is completed, StoreFront will point to both XDCs and changes cannot be made. So it is important to make the necessary changes prior to editing web.config.

image
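Because the same block has to be written twice with the farm order flipped, and because the self-closing "/" trap above silently leaves the mapping outside the wing configuration, here is an added Python helper that generates the fragment for a given local/remote pair and checks both points. This is my illustration code, not anything shipped by Citrix: the element names userFarmMappings, equivalentFarmSets, primaryFarmRefs and backupFarmRefs follow the StoreFront multi-site web.config schema as I understand it, and the farm names, group name and SID are constructed placeholders you replace with the values gathered from the StoreFront console and AD PowerShell.

```python
import xml.etree.ElementTree as ET

# Element names (userFarmMappings, equivalentFarmSets, primaryFarmRefs,
# backupFarmRefs) are assumed from StoreFront's multi-site web.config schema;
# farm names, group name and SID used below are constructed.


def build_user_farm_mapping(local_farm, remote_farm, group_name, group_sid,
                            aggregation_group="CompanyApps", mode="Failover"):
    """Build the <resourcesWingConfigurations> fragment for one site.

    local_farm becomes the primary farm and remote_farm the backup, which is
    exactly the order that has to be flipped on the other site's StoreFront.
    """
    wing = ET.Element("resourcesWingConfigurations")
    cfg = ET.SubElement(wing, "resourcesWingConfiguration",
                        name="Default", wingName="Default")
    mappings = ET.SubElement(cfg, "userFarmMappings")
    ET.SubElement(mappings, "clear")
    mapping = ET.SubElement(mappings, "userFarmMapping", name="AllUsers")
    groups = ET.SubElement(mapping, "groups")
    ET.SubElement(groups, "group", name=group_name, sid=group_sid)
    sets = ET.SubElement(mapping, "equivalentFarmSets")
    farm_set = ET.SubElement(sets, "equivalentFarmSet",
                             name=local_farm.replace("Controller", ""),
                             loadBalanceMode=mode,
                             aggregationGroup=aggregation_group)
    primary = ET.SubElement(farm_set, "primaryFarmRefs")
    ET.SubElement(primary, "farm", name=local_farm)      # case sensitive!
    backup = ET.SubElement(farm_set, "backupFarmRefs")
    ET.SubElement(backup, "farm", name=remote_farm)
    if hasattr(ET, "indent"):          # pretty-print on Python 3.9+
        ET.indent(wing)
    return ET.tostring(wing, encoding="unicode")


def farm_refs(xml_text):
    """Return (primary farm names, backup farm names) found in the fragment."""
    root = ET.fromstring(xml_text)
    primary = [f.get("name") for ref in root.iter("primaryFarmRefs") for f in ref.iter("farm")]
    backup = [f.get("name") for ref in root.iter("backupFarmRefs") for f in ref.iter("farm")]
    return primary, backup


def wing_has_mappings(xml_text):
    """False when <resourcesWingConfiguration ... /> is still self-closing,
    i.e. the userFarmMappings block never ended up inside it."""
    root = ET.fromstring(xml_text)
    cfg = root.find("resourcesWingConfiguration")
    return cfg is not None and cfg.find("userFarmMappings") is not None


def is_flipped(local_xml, remote_xml):
    """True when the two sites' fragments are mirror images of each other."""
    p1, b1 = farm_refs(local_xml)
    p2, b2 = farm_refs(remote_xml)
    return p1 == b2 and b1 == p2


if __name__ == "__main__":
    group, sid = "DOMAIN\\Domain Users", "S-1-5-21-0-0-0-513"   # constructed
    mumbai = build_user_farm_mapping("MumbaiController", "ChennaiController", group, sid)
    chennai = build_user_farm_mapping("ChennaiController", "MumbaiController", group, sid)
    print("--- Mumbai StoreFront ---\n" + mumbai)
    print("--- Chennai StoreFront ---\n" + chennai)
    print("mirror images:", is_flipped(mumbai, chennai))
```

Paste each generated fragment in place of the self-closing resourcesWingConfiguration line on the respective site, then run wing_has_mappings on the saved web.config section to confirm the "/" really went away.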

To achieve this I referred to various blogs and articles, to name a few:

1. Citrix Blog and here

2. euc.consulting

3. LalMohan

4. vhorizon.co.uk

Meanwhile vhorizon.co.uk has published a newer blog for StoreFront 3.1. Currently SF 3.1 is a TP (tech preview) and is not supported under the LTSR release.

Wednesday, December 23, 2015

Preparing Lotus Notes for Hosted Shared Desktop (XenApp)

To start with the Lotus Notes installation, use the following command:
D:\Lotus\setup.exe /v"SETMULTIUSER=1 MULTIUSERBASEDIR=H:\notes\data MULTIUSERCOMMONDIR=C:\SharedNotesData CITRIX=1"
image
Choose Next
image
image
image
image
After installation, right-click on the Lotus Notes shortcut and add "=H:\Notes\Data\notes.ini" to it.
image
  • After this, the user's NSF file needs to be copied to the <<MultiUserBaseDir>> path given during installation.
  • All the content in <<MultiUserCommonDir>> also needs to be copied to <<MultiUserBaseDir>>.
  • There is a logon script which we can use to simplify the last step.
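As an added example of that last step (my own illustration, not Vipul's or the original logon script), here is a small Python routine that seeds the user's <<MultiUserBaseDir>> from <<MultiUserCommonDir>> on logon. The two paths mirror the installer switches above but are assumptions to adjust, the ".seeded" marker file is my own convention, and the demo_in_tempdir helper builds a constructed directory tree so the routine can be exercised without a Notes install. The point it makes beyond "copy the folder" is idempotency: it never overwrites a file the user already owns (their notes.ini, user.id or NSF), and it copies only once.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed paths mirroring the installer switches; adjust to your
# MULTIUSERCOMMONDIR / MULTIUSERBASEDIR values.
COMMON_DIR = Path(r"C:\SharedNotesData")
BASE_DIR = Path(r"H:\notes\data")
MARKER = ".seeded"   # assumed marker file, not part of the Lotus Notes product


def seed_user_data(common_dir=COMMON_DIR, base_dir=BASE_DIR, marker=MARKER):
    """Copy MultiUserCommonDir into the user's MultiUserBaseDir.

    Meant to run as a logon script: copies once, never overwrites files that
    already exist in the user's directory, and returns the relative paths
    copied on this run (empty when nothing was done).
    """
    common_dir, base_dir = Path(common_dir), Path(base_dir)
    base_dir.mkdir(parents=True, exist_ok=True)
    if (base_dir / marker).exists():
        return []                      # already seeded on an earlier logon
    copied = []
    for src in sorted(common_dir.rglob("*")):
        rel = src.relative_to(common_dir)
        dst = base_dir / rel
        if src.is_dir():
            dst.mkdir(exist_ok=True)
            continue
        if dst.exists():
            continue                   # keep whatever the user already has
        shutil.copy2(src, dst)
        copied.append(rel.as_posix())
    (base_dir / marker).write_text("seeded\n")
    return copied


def demo_in_tempdir():
    """Self-contained check: a constructed common dir, seeded twice, with a
    pre-existing user file that must survive untouched."""
    root = Path(tempfile.mkdtemp())
    common, base = root / "SharedNotesData", root / "notes" / "data"
    (common / "templates").mkdir(parents=True)
    (common / "notes.ini").write_text("Directory=H:\\notes\\data\n")
    (common / "templates" / "mail.ntf").write_bytes(b"constructed template")
    base.mkdir(parents=True)
    (base / "notes.ini").write_text("user copy\n")   # the user's own file
    first = seed_user_data(common, base)
    second = seed_user_data(common, base)
    return {"first": first, "second": second,
            "ini": (base / "notes.ini").read_text()}


if __name__ == "__main__":
    print(demo_in_tempdir())
```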
Inputs for this blog are from Vipul Tripathi

Sunday, September 27, 2015

CA issued Client cert based authentication via NetScaler

Where we use this: Let's say I am publishing my resources via NetScaler AGEE and would like to ensure that a user is bound to the PC when accessing resources externally from a non-corporate device. For my use case, it was external users who use a dealer management system to update inventories. We chose this method over all the available options like

a) Symantec MPKI b) Two-factor authentication c) Smart card

One of the reasons we chose the method below was simple: it doesn't involve extra cost.

To start with, we set up an enterprise CA on an MS Windows 2012 R2 server. You will find enough documentation on how to install a CA, but I will cover what we needed for this specific use case. We wanted to ensure that the user certificate generated is in PFX format. We also had a challenge with the given name in AD. When the certificate is generated based on the given-name CN it looks like this

image

When the CN is checked for the certificate via the NS profile

image

it used to put + in place of the space, like this

image

So it is important that the certificate is generated with the UPN name

image

By default the CA doesn't generate certificates using the UPN; the attribute must be given as input. So let's discuss how we set up the CA to generate users' certificates with the attribute. To generate CA certificates for users, the information must be filled in manually. The CA doesn't allow the certificate to be generated manually as is, hence the template properties need to be set properly. To create a certificate template, select Certificate Templates and choose Manage under the certificate manager.

image

This will open the certificate templates container, which has a list of certificates that can be duplicated. Here we have to choose the "User" certificate and duplicate it. Remember while doing this to ensure that you have logged in with an appropriate ID, since these changes are at domain level. I chose Domain Admin to make the changes.

image

Once the certificate is duplicated, it needs to be enrolled for all certificate holders. Here I have chosen the enrolled certificate, hence the option is "Reenroll All Certificate Holders".

image

Set the template property for Subject Name to manual so it allows certificates to be generated for multiple users. Here we can also define the certificate validity period.

image

Under "Request Handling", set the certificate template to "Allow private key to be exported".

image

Now browse to the certificate manager URL and choose "Request a Certificate"

image

Then choose "Advanced Certificate Request"

image

Then choose “Create and Submit a request to this CA”

image

Choose the correct template in the drop-down

image

Under Attributes, supply the SAN as SAN:UPN=Username@domain.com, which matches the user's logon name in the users manager

image

Once the certificate is created it will be present under the certificate manager, which provides the option to export it in PFX format

image

Choose the private key and then a password to export the certificate. The same password will be used to import it.

image

Once the certificate is installed on the client machine it will appear under Personal, which can be viewed via IE – Internet Options – Content – Certificates. If it doesn't appear there, it will not work. In the next section we will discuss what settings are required on the NetScaler.

image
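To show what the CA steps above actually put into the certificate, and why the UPN in the SAN is what the gateway should read rather than the CN, here is an added Python example using the cryptography library (my own illustration, not the Windows CA, the blog's setup or any NetScaler code). It issues a client-auth certificate from a constructed CA with the display name as CN and the UPN as the Microsoft otherName SAN entry (OID 1.3.6.1.4.1.311.20.2.3, which is what the SAN:UPN= attribute produces), exports and re-imports it as a password-protected PFX the way the export wizard does, and then extracts the UPN from the SAN the way a "User Name Field = UPN" lookup would. The CN "Sample User One", the UPN user1@domain.com and the password are constructed values.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft UPN otherName OID (szOID_NT_PRINCIPAL_NAME), the SAN entry type
# that the "SAN:UPN=..." request attribute creates.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def der_utf8string(text):
    """DER-encode a UTF8String (tag 0x0C); otherName values must be DER."""
    body = text.encode("utf-8")
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return b"\x0c" + length + body


def der_utf8string_decode(der):
    """Inverse of der_utf8string; rejects anything that is not a UTF8String."""
    if not der or der[0] != 0x0C:
        raise ValueError("otherName value is not a UTF8String")
    first = der[1]
    if first < 0x80:
        start, n = 2, first
    else:
        num = first & 0x7F
        start, n = 2 + num, int.from_bytes(der[2:2 + num], "big")
    return der[start:start + n].decode("utf-8")


def make_ca(name="Constructed Enterprise CA"):
    """Self-signed CA standing in for the Windows enterprise CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_user_cert(ca_key, ca_cert, common_name, upn, days=365):
    """Client-auth cert: AD display name (spaces and all) as CN, UPN in the SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.SubjectAlternativeName(
                [x509.OtherName(UPN_OID, der_utf8string(upn))]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def export_pfx(key, cert, ca_cert, password):
    """Key + cert + issuing CA, password protected, as the export wizard does."""
    return pkcs12.serialize_key_and_certificates(
        b"user", key, cert, [ca_cert], serialization.BestAvailableEncryption(password))


def load_pfx(data, password):
    """Import with the same password; returns the end-entity certificate."""
    _key, cert, _chain = pkcs12.load_key_and_certificates(data, password)
    return cert


def extract_upn(cert):
    """The UPN otherName from the SAN, or None when the certificate has none."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return der_utf8string_decode(other.value)
    return None


def subject_cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def demo():
    """Constructed end-to-end run: CA, user cert, PFX round trip, UPN lookup."""
    ca_key, ca_cert = make_ca()
    key, cert = issue_user_cert(ca_key, ca_cert, "Sample User One", "user1@domain.com")
    pfx = export_pfx(key, cert, ca_cert, b"export-password")
    imported = load_pfx(pfx, b"export-password")
    return {"cn": subject_cn(imported), "upn": extract_upn(imported)}


if __name__ == "__main__":
    print(demo())
```

The CN that comes back still contains spaces (the value that got form-encoded with "+" earlier in the post), while the UPN is a single token that matches the AD userPrincipalName exactly, which is why the LDAP side is later told to look up userPrincipalName.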

In this case I was using NetScaler build 11.0 55.23. So we will start with the creation of a certificate policy. For that we will create a certificate profile with Two Factor ON and the User Name Field set to UPN, followed by a policy with the expression set to ns_true.

image

Once the policy is ready it needs to be bound to the AGEE vServer as the primary authentication (Cert policy).

image

Now the SSL parameter for the client certificate needs to be set to "Mandatory".

image

Since we are using the client UPN for the login, the LDAP policy must be set to use "userPrincipalName".

image

Now when the client types the AGEE URL for access, it will prompt to select a client certificate, and if the machine has multiple client certificates it will provide the option to choose. The example below shows a machine that had multiple certificates and prompted the user to choose.

image

Once the user chooses the certificate, the user name will be populated and the user then types the password.

image

After login, when an application is launched it will prompt to choose the certificate. In the example below the user tries to launch Notepad and it prompts the user to choose the certificate. This is known behaviour, and anyone who would like to fix it can follow CTX200193. There are other ways which I am yet to test.

image

NOTE of caution: At the time of writing this blog, it was found that the client certificate doesn't work with the native Receiver. So if you have a use case where the customer would like to use both the native Receiver and the browser, then avoid choosing this option.