Web Interface on NetScaler nCore – first impression
November 5, 2010
I have been waiting anxiously for this feature for a while, since Citrix has delayed it a number of times; it was already announced at Citrix Synergy (SF 2010) back in May. Now I had the chance to install it at a customer who was also very interested in decommissioning his (Microsoft Windows) Citrix Web Interface servers and replacing them with Web Interface on Citrix NetScaler. For me it is a chance to find out what the pros and cons of this feature are.
Installation was OK. If it were up to me, the Citrix Web Interface would, just like other components such as Access Gateway, simply be enabled within a build. Maybe we can expect this in future releases. I installed the Web Interface on a more recent build of the nCore version (Build 98.6), so I had to downgrade to get this working. Good to know is that the Access Gateway customizations were retained, which I was very happy about. Because you are downgrading, Citrix NetScaler asks you if you would like to import a different nsconfig file.
There are very few settings possible when working within the NetScaler GUI. There is a wizard which lets you create the websites.
I thought the documentation was not very complete. The first thing you want to do is customize the Citrix Web Interface, and you can find nothing about that in the Admin Guide. The files you need to customize are in /var/wi/tomcat/webapps/Citrix/<web interface name>
You have to customize Citrix Web Interface in WebInterface.conf, which is located in /var/wi/tomcat/webapps/Citrix/<web interface name>/WEB-INF/. This file has the same format as the one used on regular Citrix Web Interface servers installed on Windows.
There is an issue when importing the certificate for Access Gateway Web Interface. The certificate used for Citrix Access Gateway needs to be imported in the Java Diablo Latte JRE Webserver. At first I got “Import SSL certificate failed. Following command execution failed: ./export_cert.sh /nsconfig/ssl/<certname.pem>”, so I executed this command at the CLI and got the following output: “keytool error: java.lang.Exception: Input not an X.509 certificate”. On opening export_cert.sh, it seems to be a script built around the Java keytool executable which doesn’t quite work just yet. I imported the original .pfx certificate in Windows and exported it as an X.509 certificate, uploaded it to the Citrix NetScaler and executed “keytool -import -trustcacerts -file /nsconfig/ssl/<certname.cer> -alias <alias> -keystore $JAVA_HOME/jre/lib/security/cacerts”, which successfully imported the certificate in the Java keystore. It could be just coincidence that this happens when using Thawte certificates, which I used in this environment; when I googled, I found more folks with this problem with Thawte certificates.
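One way to check what a PEM file contains before passing it to keytool, as an added example that is not from the original post or from Citrix. It assumes the failure comes from extra content in the file (attribute text or a private key left over from a PFX conversion); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a PEM file before importing it with keytool.
# Assumption: the file may hold more than a bare certificate, e.g.
# "Bag Attributes" text or a private key left over from a PFX conversion.

# List the type of every PEM block in the file, one per line.
pem_kinds() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Print only the first CERTIFICATE block, dropping all text around it.
pem_first_cert() {
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF files
        /^-----BEGIN CERTIFICATE-----$/ { if (!done) inside = 1 }
        inside { print }
        /^-----END CERTIFICATE-----$/ { if (inside) { inside = 0; done = 1 } }
    ' "$1"
}

# Succeed if the file contains private key material, which does not
# belong in a trust store such as cacerts.
pem_has_private_key() {
    pem_kinds "$1" | grep -q 'PRIVATE KEY'
}

# Constructed sample: layout of a PEM converted from a PFX (dummy bodies).
make_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: constructed-example
-----BEGIN PRIVATE KEY-----
RFVNTVktS0VZLUJPRFk=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: constructed-example
-----BEGIN CERTIFICATE-----
RFVNTVktQ0VSVC1CT0RZ
-----END CERTIFICATE-----
EOF
}

sample=${TMPDIR:-/tmp}/pem_example.$$
make_sample "$sample"
pem_kinds "$sample"
if pem_has_private_key "$sample"; then
    echo "private key present: import only the extracted certificate"
fi
pem_first_cert "$sample" > "$sample.cer"   # clean file to give to keytool -file
rm -f "$sample" "$sample.cer"
```

The extracted file contains only the certificate block, so the private key never reaches the trust store and any leading attribute text is gone before the import.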
The Citrix Web Interface servers worked like a charm. I will update this post (or write a new one) with results when it is put into production.
Many customers use a Citrix NetScaler MPX 5500 series. Citrix has limited the number of Web Interfaces on this particular series to 3, which I think is too bad, especially because of the enormous gap with the MPX 7500 series, which supports 25. In a standard Citrix infrastructure environment I would like at least 4 Web Interfaces to get everything going:
– Citrix Web Interface site / HTTP (inside);
– Citrix XenApp Services site / HTTP (inside);
– Citrix Web Interface for Access Gateway / SSL (outside);
– Citrix XenApp Services site for Citrix Receiver / SSL (outside).
The supported numbers by platform:
Another limitation is the fact that it can only be used on Citrix NetScaler. I would like to see this feature released on the Citrix Access Gateway Enterprise, which would make it a more complete (Enterprise) product.
At the top of the Web Interface on NetScaler nCore download page it states “The solution requires the use of NetScaler MPX or VPX models with nCore”. As you may or may not know, there is no nCore version for the VPX platform (only Classic), but there will be an nCore version for the VPX platform released within the next 2 months. So as of then it will be possible to install Web Interface on the VPX platform, and I for one will be very curious about the limitations that will be built in.