Re: Security settings (TLS & Certificates)

Whilst it is possible, we don’t recommend disabling TLSv1.0/1.1 on ESRS-VE gateways at this stage. The reason being there are still a few products which can only support TLSv1.0 for HTTPS call-home.

Note that ESRS-VE always uses TLSv1.2 secured connections across the Internet to the ESRS backend. Any TLSv1.0 connections are on the customer internal network between the Dell EMC product and the ESRS gateway.

Regarding your other question, to change the ESRS WebUI certificate see the following KB article:

https://support.emc.com/kb/485953

Kind Regards,

Marc

Related:

Some IP address or Domain are bypassing WSS

I need a solution

Hi,

Sometimes I see some IP address or domain access going direct to the network gateway where it should go to Web Security Services through the Unified Agent or the explicit method.

When I search that IP and Domain in WSS portal Bypass List, they are not there.

Does anyone know why this is happening?

As a sample, some Akamai http/https destinations are going direct where the main URL goes to WSS.

I want all 80/443 traffic going to WSS.

I appreciate any help.

Related:

Re: One question regarding VPLEX witness deployment.

Hello experts,

We have a question regarding VPLEX witness deployment.

Our witness virtual server is on a third site, but it reaches the 2nd site via the gateway (firewall) in the 1st site, unless the firewall in the 1st site fails; in that situation the gateway will switch to the firewall in the 2nd site, and the gateway switch delay time is about 5 seconds.

Now suppose the 1st site fails totally (loses power, for example), so both VPLEX and the network are down in this site. When this happens, the witness will not reach the VPLEX management server in the 2nd site in the first 5 seconds, because of the gateway switch delay, and in such a situation the distributed volumes will probably also be suspended in the 2nd site.

Is there a perfect network connection solution, so the witness can communicate with both sites symmetrically (without any path and gateway switch …)?

Related:

ECS: Unable to connect to hosts on a subnet with 172.17.x.x

Article Number: 479579 Article Version: 2 Article Type: Break Fix



ECS Appliance,ECS Appliance Software with Encryption,ECS Appliance Software without Encryption,ECS Appliance Software with Encryption 2.2,ECS Appliance Software without Encryption 2.2

The ECS nodes are using an internal docker bridge interface of 172.17.42.1 with an interface name of docker0. This interface has a subnet mask of 255.255.0.0. This subnet mask means that if a customer attempts to access a host in their environment on the subnet 172.17.x.x, the ECS will not be able to route to the host by default.

ecs1-n1:~ # ifconfig docker0

docker0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX

inet addr:172.17.42.1 Bcast:0.0.0.0 Mask:255.255.0.0

UP BROADCAST MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

To work around this issue, a static route will need to be added for the host on the ECS nodes to allow the ECS to route to the host.

Edit the following file on all ECS nodes.

vi /etc/sysconfig/network/routes

Under the default route, add the IP address of the host in question, followed by the IP of the default gateway of the public interface, followed by the subnet mask 255.255.255.255, with a - at the end of the line.

Example:

<HOST IP> <PUBLIC DEFAULT GATEWAY> 255.255.255.255 -

172.17.10.5 10.213.1.1 255.255.255.255 -

In the example above, the host IP is 172.17.10.5 and the public default gateway is 10.213.1.1. If you are not sure of the public interface default gateway, run netstat -rn and identify the gateway with the flag UG on the public interface.

ecs1-n1:~ # netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

0.0.0.0 10.213.1.1 0.0.0.0 UG 0 0 0 public

10.213.1.0 0.0.0.0 255.255.255.0 U 0 0 0 public

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 private.4

172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0

192.168.219.0 0.0.0.0 255.255.255.0 U 0 0 0 private

After the /etc/sysconfig/network/routes file has been edited on all nodes, reload the network configuration on all nodes with the command service network reload.

Attempt to ping the host to confirm you are now able to route to the host.
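As an added example (not part of the Dell EMC article), the following POSIX shell functions carry out the procedure above with the checks a practitioner would want before editing the file: they pick the public default gateway out of netstat -rn output (a constructed copy of the article's table), decide whether a host address actually falls into the 172.17.0.0/16 range that docker0 claims with its 255.255.0.0 mask, build the route line in /etc/sysconfig/network/routes format, and append it only if it is not already present. The file path, the mask and the service network reload command are the article's; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the KB article: helpers for the static-route workaround.

# Constructed sample of `netstat -rn` output, copied from the article's listing.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.213.1.1 0.0.0.0 UG 0 0 0 public
10.213.1.0 0.0.0.0 255.255.255.0 U 0 0 0 public
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 private.4
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.219.0 0.0.0.0 255.255.255.0 U 0 0 0 private'

# The default gateway is the row whose destination is 0.0.0.0 and whose flags
# contain UG (up, gateway). On a live node: default_gateway "$(netstat -rn)".
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /UG/ { print $2; exit }'
}

# Exit 0 when the host sits in the 172.17.0.0/16 range that docker0 covers with
# its 255.255.0.0 mask; only such hosts need the workaround.
needs_host_route() {
    case "$1" in
        172.17.*) return 0 ;;
        *) return 1 ;;
    esac
}

# One line in /etc/sysconfig/network/routes format:
# destination gateway netmask interface, where "-" means no specific interface.
route_line() {
    printf '%s %s 255.255.255.255 -\n' "$1" "$2"
}

# Append the host route once; calling it again with the same arguments is a
# no-op, so it can be run on every node without producing duplicate lines.
# The third argument exists so a test can point at a temporary file instead.
add_host_route() {
    host="$1"; gw="$2"; file="${3:-/etc/sysconfig/network/routes}"
    line=$(route_line "$host" "$gw")
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Typical use on an ECS node (commented out because it edits the live file):
#   gw=$(default_gateway "$(netstat -rn)")
#   needs_host_route 172.17.10.5 && add_host_route 172.17.10.5 "$gw"
#   service network reload
```

Run the three commented lines as root on every node, then ping the host as the article says; because add_host_route is idempotent, re-running it on a node that already has the line changes nothing.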

Related:

Error: “Your apps are not available at this time. Please try again” When Receiver Connects Through NetScaler Gateway

Solution 1

To resolve this issue, change the beacon entries in StoreFront: add the NetScaler Gateway addresses to the external beacons.

Reference: https://docs.citrix.com/en-us/storefront/3-11/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html

External Beacon

If you want to use ICA proxy for both internal and external connections (all clients should only go through NetScaler), then add a fake address as the internal beacon in StoreFront.

Note: The internal beacon should only be resolvable inside the network; if the beacon is resolvable externally, Citrix Receiver will not be able to add the account.

Solution 2

The issue relates to compatibility between Receiver 4.x and the Web Interface XenApp Services site. Receiver 4.x supports services sites, but when connecting through NetScaler, users may experience issues as described in CTX136828 – Error When Using Windows Receiver PNAgent through Access Gateway Enterprise Edition Appliance.

Also note, per Citrix documentation, that NetScaler to a Web Interface XenApp Services site is not supported.

Related:

Re: SNMP Trap when failure recovered

Hello guys,

I'm testing the SNMP function of the ScaleIO Gateway software (v2.0.0.2) with a 3-node cluster.

According to the User Guide document (p.530), the ScaleIO gateway sends an SNMP trap when a system failure has been fixed.

>Open and closing alerts will consist of the same code and issue number, with the

>exception of the first digit (0 or 1) in the <ISSUE> section. For example:

> SIOXX.XX.0XXXXXX indicates that the alert is active

> SIOXX.XX.1XXXXXX indicates that the alert has been closed

I’ve rebooted Secondary MDM to test the function above.

I had expected that a trap containing "SIO02.01.1000001" would be sent by the gateway after the cluster recovered, but it wasn't.

Is this normal behavior? If so, do I have to do any setting or configuration to activate the function that sends a trap after a failure is recovered?

#please see packet capture log below:

————————————

tcpdump -i eth0 -T snmp -s 0 "(dst port 162) or (src port 161) or (dst port 161)"

[Before reboot MDM2]

10:41:23.734093 IP [SIO-GATEWAY].38650 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222765000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=3 E:1139.101.1.2="System.License.Trial_License_Used" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO01.02.0000003"

[After MDM2 shutdown]

10:41:53.734020 IP [SIO-GATEWAY].36025 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222768000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=3 E:1139.101.1.2="System.License.Trial_License_Used" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO01.02.0000003"

10:41:53.734251 IP [SIO-GATEWAY].36025 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222768000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=5 E:1139.101.1.2="MDM.MDM_Cluster.MDM_Not_Clustered" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO02.01.0000001"

[During MDM2 rebooting]

10:45:23.733943 IP [SIO-GATEWAY].59254 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222789000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=3 E:1139.101.1.2="System.License.Trial_License_Used" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO01.02.0000003"

10:45:23.734308 IP [SIO-GATEWAY].59254 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222789000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=5 E:1139.101.1.2="MDM.MDM_Cluster.MDM_Not_Clustered" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO02.01.0000001"

[After MDM2 rebooted]

10:45:53.734101 IP [SIO-GATEWAY].57034 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222792000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=3 E:1139.101.1.2="System.License.Trial_License_Used" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO01.02.0000003"

10:46:23.734032 IP [SIO-GATEWAY].52960 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222795000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=3 E:1139.101.1.2="System.License.Trial_License_Used" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO01.02.0000003"

————————————

*: “…” means repeating.

Regards,

Ichiro
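Added example, not from the post or from the ScaleIO documentation: shell helpers that decode the alert code format quoted from the user guide above and, run over a tcpdump trap capture, list the alerts that were seen active (first digit of the ISSUE field 0) and never closed (first digit 1), which is exactly the condition Ichiro is checking for. The sample lines are constructed from the capture in the post, the position of the code in varbind E:1139.101.1.4 is taken from that capture, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: decode ScaleIO gateway trap
# codes from a tcpdump capture and report alerts that were never closed.
# Per the user guide excerpt quoted in the post, open and closing alerts share
# the same code except for the first digit of <ISSUE>: 0 = active, 1 = closed.

# Constructed sample: three lines modelled on the capture in the post.
SAMPLE_TRAPS='10:41:53.734020 IP [SIO-GATEWAY].36025 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222768000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=3 E:1139.101.1.2="System.License.Trial_License_Used" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO01.02.0000003"
10:41:53.734251 IP [SIO-GATEWAY].36025 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222768000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=5 E:1139.101.1.2="MDM.MDM_Cluster.MDM_Not_Clustered" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO02.01.0000001"
10:45:53.734101 IP [SIO-GATEWAY].57034 > [SNMP-RCV].snmptrap: V2Trap(188) system.sysUpTime.0=222792000 S:1.1.4.1.0=E:1139.101.1 E:1139.101.1.1=3 E:1139.101.1.2="System.License.Trial_License_Used" E:1139.101.1.3="[MDM1-id]" E:1139.101.1.4="SIO01.02.0000003"'

# Alert code carried in varbind E:1139.101.1.4 of one trap line (empty if none).
alert_code() {
    printf '%s\n' "$1" |
        sed -n 's/.*E:1139\.101\.1\.4="\(SIO[0-9][0-9]\.[0-9][0-9]\.[0-9]*\)".*/\1/p'
}

# active / closed / unknown, decided by the first digit of the <ISSUE> field.
alert_state() {
    case "$1" in
        SIO[0-9][0-9].[0-9][0-9].0*) echo active ;;
        SIO[0-9][0-9].[0-9][0-9].1*) echo closed ;;
        *) echo unknown ;;
    esac
}

# Read trap lines on stdin and print, sorted, the codes of alerts that were
# seen active and for which no closing alert arrived. A repeated active trap for
# the same code (the gateway re-sends them in the capture) counts once, and a
# closing trap removes the matching active entry.
open_alerts() {
    awk '
        match($0, /E:1139\.101\.1\.4="SIO[0-9][0-9]\.[0-9][0-9]\.[0-9]+"/) {
            code  = substr($0, RSTART + 16, RLENGTH - 17)   # drop prefix and quotes
            issue = substr(code, 10)                        # text after "SIOxx.xx."
            key   = substr(code, 1, 9) substr(issue, 2)     # code minus the state digit
            if (substr(issue, 1, 1) == "0") open[key] = code
            else if (substr(issue, 1, 1) == "1") delete open[key]
        }
        END { for (k in open) print open[k] }' | sort
}

# Example run against the constructed capture:
#   printf '%s\n' "$SAMPLE_TRAPS" | open_alerts
```

Fed the capture from the post, open_alerts prints both SIO01.02.0000003 and SIO02.01.0000001, because no trap with a leading 1 in the ISSUE field ever appears; feeding it a constructed SIO02.01.1000001 line makes the MDM_Not_Clustered entry disappear, which is the behaviour the user guide describes. The same pipeline works on a live capture with tcpdump -l piped into it.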

Related:

How to Deploy XenApp 7.11 Hybrid Cloud in Azure Resource Manager Using Site-to-Site VPN

Step 1 – Connecting the On-Premises Network to Azure using a site-to-site VPN

The objective of a site-to-site VPN is to connect two different sites: a specific virtual network on Azure and the on-premises network.

In this test deployment, Windows Server 2012 R2 RRAS has been used for the site-to-site VPN.

To create a site-to-site VPN, perform the following steps:

Create a Resource Group

  1. Log in to the Azure portal https://portal.azure.com, click on Resource Groups and then the + Add button.

  2. Give it the name "S2SVPN-ResGroup". You will put all of your resources for the site-to-site VPN in here for easier tracking and management.

    User-added image

Create a Virtual Network

  1. Go to Virtual networks -> Create virtual network and click on Add. Give it the name "S2SVPN-vNet". Enter "10.1.0.0/24" for the address space. For the first subnet, make the subnet name "Backend" and the subnet address range "10.1.0.0/24". Assign it to the resource group you created in the previous step.

    User-added image

  2. Now create a virtual network gateway. This network gateway will contain the second subnet. Go to Virtual networks > S2SVPN-vNet > Settings > Subnets.

  3. Click on + Gateway subnet. For the address range use "10.1.1.0/24". This is the IP range your RRAS server will use. Your virtual network should now have the following two subnets:

    "Backend" with an address range of 10.1.0.0/24

    "GatewaySubnet" with an address range of 10.1.1.0/24

    User-added image

Create a Virtual Network Gateway

  1. Next we will create the virtual network gateway. The virtual network gateway is responsible for sending and receiving data; it is the bridge between Azure and the on-premises RRAS server.

  2. Navigate to Virtual network gateways and click on Add. Name the gateway "S2SVPN-vNetGW". For the virtual network, select the existing S2SVPN-vNet; select the gateway type VPN and leave the VPN type as Route-based. A public IP needs to be created here: click on Choose a public IP address and then Create New.

    User-added image

  3. After the virtual network gateway is created, note down the public IP address. It is required for configuring the RRAS server later. You can find it under Virtual network gateways > S2SVPN-vNetGW > S2SVPN-vNetGW-IP > Settings.

It will take approximately 30 to 45 minutes to provision the public IP address.

Create a Local Network Gateway

  1. Now we need to create the local network gateway; this gateway is configured with the details of your on-premises network.

  2. Go to Local network gateways and click on + Add. Give it a name, "S2SVPN-LocalNWGW", enter the public IP of your RRAS server, enter the IP range of your on-premises network in the address space, and select your resource group.

    User-added image

Create the VPN connection

Now we need to create a connection in our local gateway. To do this, navigate to Settings > Connections and click on + Add. Name it "S2SVPN-vNetGW-Connection".

The connection type will default to Site-to-site (IPsec). Set the virtual network gateway to "S2SVPN-vNetGW". Set a shared key (PSK) and note it down somewhere; it is required to configure the RRAS server.

User-added image

The RRAS server configuration:

  1. Configure the Windows Server 2012 R2 machine with two networks, internal and external. Configure the public IP address on the external adapter and the internal address on the internal adapter, as shown in the figure.

  2. Install the RRAS Windows Role.

    User-added image

Configuring the VPN in RRAS server

  1. Right-click on Network Interfaces and select New Demand-dial Interface.

    User-added image

  2. Give it any name and click Next.

    User-added image

  3. Choose VPN and click Next.

    User-added image

  4. Select IKEv2 for the VPN type and click Next.

    User-added image

  5. Enter the Azure public IP and click Next. If you don't know your Azure public IP, go to your Virtual LAN Gateway and look in the Essentials properties.

    User-added image

  6. Enable Route IP packets on this interface and click Next.

    User-added image

  7. Enter any user name, leave the rest blank, and click Next.

    User-added image

  8. Add the Static Route for your local network, 10.1.0.0/24, 255.255.255.0.

    User-added image

  9. Right-click on the interface just created and go to the Security settings. Select the Use preshared key for authentication option, enter the PSK we used in the Azure portal, and click OK.

    User-added image

  10. Now right-click on the AzureARM-STSVPN connection and select Connect. It will then show as connected in RRAS, as shown in the figure.

    User-added image

  11. In the Azure portal you should also see the connection status as Connected, and you should see data flowing in and out of your connection.

    User-added image

  12. Set up a static route on the RRAS server, as shown in the following figure, before it can communicate from on-premises to Azure.

    User-added image

Enable NAT on RRAS server

Without NAT enabled, none of the servers can reach the internet. The basic steps for enabling NAT on RRAS are as follows:

  1. Right-click NAT, and then click New Interface.
  2. Select the interface that connects to your private intranet, and then click OK.
  3. Select Private interface connected to private network, and then click OK.
  4. Right-click NAT, and then click New Interface again.
  5. Select the interface that connects to the public Internet, and then click OK.
  6. Select both Public interface connected to the Internet and Enable NAT on this interface, and then click OK.

Now spin up a new Azure VM in Azure Resource Manager and make sure you place it in the correct virtual network; the VM should then be able to communicate with your on-premises servers.

Step 2 – Create XenDesktop 7.11 Controller, VDA and StoreFront VMs in Azure

Provision three new VM instances in Azure Resource Manager for the Controller, VDA and StoreFront server. Make sure to select the virtual network created in Step 1 when creating the VMs.

Follow these instructions to create virtual machines in Azure portal. https://azure.microsoft.com/en-gb/documentation/articles/virtual-machines-windows-tutorial/

Step 3 – Install XenDesktop 7.11

  • Log in to the Controller VM and join it to the on-premises domain.
  • Install the XenDesktop Controller and Studio.
  • Add the Controller to the existing site by pointing it to the on-premises XenDesktop Controller.

Note: You will see an error when the Delivery Controller in Azure connects to an on-premises primary XenDesktop site. This is because the Microsoft Azure virtual machine's time is not synced with the on-premises Delivery Controller.

If you are using XenDesktop in a hybrid cloud scenario with an on-premises domain infrastructure, you need to sync your Azure VMs with the on-premises domain controller. This requires some manual configuration, since Microsoft Azure resides in a different time zone than your local domain.

Refer to the KB article XenDesktop Controller in Azure Fails to Connect to an On-Premises Site/ VDAs Fails to Register to learn more about fixing the time sync issue.

Step 4 – Install VDA and create Master Image in Azure Resource Manager

Step 5 – Create Azure ARM Host Connection

You will notice there are two hosting connections present in the Studio as shown in the figure.

User-added image

Step 6 – Configuring XenDesktop Zones

In XenApp 7.11 you can configure Zones, which allow you to run applications and desktops closer to user locations within a single XenApp site.

  1. Log in to your on-premises XenDesktop Controller machine and open Citrix Studio.

  2. Navigate to Configuration > Zones. You will see the Primary Zone with the resources already in the site, and the new Controller that you just built in Azure.

  3. Rename the Primary Zone by clicking the Edit button. Rename it to On-Premise Zone.

    User-added image

  4. Click Create Zone from the Actions menu.

  5. Enter the zone name and select the resources that you want to assign to the new zone.

    User-added image

  6. Now the Studio should display two Zones.

    User-added image

Step 7 – Machine Catalog creation

Follow the steps described in the Creating Machine Catalog using Machine Creation Services article and create MCS catalogs using Azure ARM.

Step 8 – Delivery Group Creation

  1. Right-click on the Delivery Group node and select Create Delivery Group.
  2. Choose the Machine Catalog you just created, enter the desired number of VMs to allocate to this Delivery Group, and click Next.
  3. Select Apps and Desktops and click Next.
  4. Add the users who will access the apps and desktops and click Next.
  5. Wait for the VMs to power on and register, select the applications you want to publish, and click Next.
  6. Enter a friendly name and display name for the delivery group and click Finish.

Step 9 – NetScaler and StoreFront configuration

NetScaler Configuration: Refer to the NetScaler VPX Deployment with XenDesktop and XenApp on Microsoft Azure to deploy and configure the NetScaler in Azure.

StoreFront Configuration

  1. Log in to the StoreFront server in Azure, launch StoreFront, and click Create a new deployment.

  2. Name the store and click Next.

    User-added image

  3. Enter both the on-premises and Azure delivery controllers and click Next.

    User-added image

  4. Check Enable Remote Access and click Add under NetScaler Gateway Appliances.

    User-added image

  5. Enter the display name and NetScaler Gateway URL, select Authentication and HDX routing from the drop-down list, and click Next.

    User-added image

  6. Enter the STA URL and click Next.

  7. Select the login type Domain, enter the NetScaler Gateway as the callback URL, and click Create.

    User-added image

  8. Repeat the same steps to add the on-premises NetScaler Gateway. Both NetScaler Gateways will appear in the list of appliances. Click Create.

    User-added image

  9. Check Username and password and click Next.

    User-added image

  10. Click Create and the store will be configured. Authentication, stores, Receiver for Web and NetScaler Gateways should all be configured and visible in the StoreFront UI.

Optimal Gateway Routing configuration

Optimal gateway routing enables you to route HDX connections to different XenDesktop zones via different NetScaler Gateways. This means all launches of resources in the Azure zone are performed through the Azure NetScaler Gateway, even if the request for the resource came from another gateway, such as the on-premises gateway.

  1. To configure optimal gateway routing, select the store and then select the Configure Store Settings action in the right pane. Select Optimal HDX Routing and configure the gateways, delivery controllers and zones as shown in the figure.

    User-added image

  2. Install Citrix Receiver on your external machine and navigate to the NetScaler Gateway in Azure. Log in as a user who has apps in both the on-premises and Azure zones.

    User-added image

  3. Two apps were created, Notepad and Command prompt. Notepad runs from the Azure zone and Command prompt from the on-premises zone.

    User-added image

  4. Launch Notepad; it should launch from the Azure zone. Launch Command prompt; it should launch from the on-premises zone. Verify using ipconfig: the IP address should be from the on-premises network.

User-added image

Related:

Avamar Gen4T >> How to reconfigure RMM4 root user to alternative user name (avoid Error message: Login failed. User does not have ‘Login to Embedded Management Software’ privilege.)

— All commands to be executed as root on the node where RMM4 user is being configured.

1 — Verify that RMM4 is configured for dedicated access (in case there is no valid IP address configured, replace "lan print 4" with "lan print 1" to check for shared access):

root@avamar:~/#: ipmitool lan print 4 | egrep "IP Address|Subnet Mask|Default Gateway" | egrep -v "Source|Header|Backup|MAC"

IP Address : 10.70.193.19

Subnet Mask : 255.255.255.128

Default Gateway IP : 10.70.193.126

2 — To list configured users (in case RMM access is configured as shared, replace "summary 4" with "summary 1" and "list 4" with "list 1"):

root@avamar:~/#: ipmitool user summary 4

Maximum IDs : 16

Enabled User Count : 1

Fixed Name Count : 1

root@avamar:~/#: ipmitool user list 4

ID Name Callin Link Auth IPMI Msg Channel Priv Limit

2 root true true true ADMINISTRATOR

3 — To rename user ID #2 (root), where "NewName" shall be replaced with the desired username and "Password" with the desired password:

root@avamar:~/#: ipmitool user set name 2 NewName

root@avamar:~/#: ipmitool user set password 2 Password

root@avamar:~/#: ipmitool user enable 2

root@avamar:~/#: ipmitool channel setaccess 4 2 link=on ipmi=on callin=on privilege=4

root@avamar:~/#: ipmitool channel getaccess 4 2

Maximum User IDs : 16

Enabled User IDs : 1

User ID : 2

User Name : NewName

Fixed Name : No

Access Available : call-in / callback

Link Authentication : enabled

IPMI Messaging : enabled

Privilege Level : ADMINISTRATOR

5 — List users again:

root@avamar:~/#: ipmitool user list 4

ID Name Callin Link Auth IPMI Msg Channel Priv Limit

2 NewName true true true ADMINISTRATOR
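As an added check (not part of the Dell EMC KB article), the following POSIX shell functions parse ipmitool user list output such as the listings above and confirm that, after the rename, the new name holds ADMINISTRATOR (the level that privilege=4 sets in the channel setaccess step) and that no account named root remains on the channel. The listings are constructed copies of the article's output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the KB: verify an RMM4 user rename from the
# `ipmitool user list <channel>` listing.

# Constructed copies of the listings shown in the article (before and after).
SAMPLE_BEFORE='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   root             true    true       true       ADMINISTRATOR'
SAMPLE_AFTER='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
2   NewName          true    true       true       ADMINISTRATOR'

# Print "<id> <name> <privilege limit>" for each named account. Rows for empty
# user slots carry no name, so their second field is the Callin flag and they
# are skipped. The privilege limit may be two words ("NO ACCESS"), so every
# field from the sixth onward is joined back together.
user_rows() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 ~ /^[0-9]+$/ && $2 != "true" && $2 != "false" {
            priv = $6
            for (i = 7; i <= NF; i++) priv = priv " " $i
            print $1, $2, priv
        }'
}

# Exit 0 if account NAME has privilege limit PRIV in LISTING.
has_user_with_priv() {
    user_rows "$1" | awk -v n="$2" -v p="$3" '
        {
            pv = $3
            for (i = 4; i <= NF; i++) pv = pv " " $i
            if ($2 == n && pv == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Exit 0 if no account named NAME remains in LISTING.
no_user_named() {
    user_rows "$1" | awk -v n="$2" '$2 == n { found = 1 } END { if (found) exit 1; exit 0 }'
}

# The post-rename state the article expects: NEWNAME is an ADMINISTRATOR and
# root is gone. On a live node: rename_ok "$(ipmitool user list 4)" NewName
rename_ok() {
    has_user_with_priv "$1" "$2" ADMINISTRATOR && no_user_named "$1" root
}
```

Run rename_ok against the live listing right after step 5; it fails on the pre-rename listing and succeeds on the post-rename one. For the password step itself, ipmitool prompts for the password when the argument is left off (ipmitool user set password 2), which keeps it out of the shell history that a command-line argument would land in.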

Related:

Connect your Docker container to enterprise services with the IBM Cloud Secure Gateway

The IBM Cloud Secure Gateway service offers a flexible means to
securely expose back-end enterprise services to your IBM Cloud applications.
Creating the Secure Gateway is relatively straightforward through the IBM Cloud
user interface. Ensuring that the gateway is secure and then leveraging the
gateway require some additional steps. This tutorial shows you how to
configure the gateway, how to add destinations to local enterprise services,
how to leverage a Docker container to establish the connection from your
enterprise, and how to access the service from your applications.
