Moved from pfBlockerNG to Pi-Hole

Reading Time: 6 minutes

The ad-free internet can exist!

For a while now I have had a pfSense firewall running at home. I really love the performance, stability and security pfSense provides. It is just rock-solid! But let me tell you why I moved from pfBlockerNG to Pi-Hole. What I also love about pfSense is the ability to install packages and add even more useful features to the platform. So I went ahead and installed the pfBlockerNG-devel package. At the time of writing this blog post the latest version of pfBlockerNG-devel is 2.2.5_29. Note the “devel” in the name: this is the branch of pfBlockerNG which is actively being developed.

Ads in themselves can be OK, I think. It all depends on how ads are being used, and in the end you need to find funding. After all, this site is also using ads. Adding pfBlockerNG allows you to block not only ads but also web tracking and ransomware domains. That is the added security and privacy you get when using pfBlockerNG. It does this for your whole network using something called DNSBL (short for Domain Name System-based Blackhole List). Every device in your network benefits from this and is protected. But pfBlockerNG does so much more, like giving you the ability to block internet traffic coming from certain IP addresses. These IP addresses map to specific countries and regions, so it can be very handy in protecting your network from all those attackers trying to get into it.

I went ahead and set up both and for some time everything was working well. I enjoyed ad-free and tracking-free internet on all the devices in my LAN. But then something happened…

The internet broke down (well, a little bit)

I have several IoT devices at home, including Ikea Tradfri smart lights. Suddenly these lights became unreachable in the Apple HomeKit app on my iPhone. The rest of my HomeKit-enabled IoT devices were doing fine. The first time this happened I thought it was probably a bug, so let’s power cycle the Ikea Tradfri gateway. This was a success and the Ikea smart lights were available again. Nice!

Not so nice when I discovered an hour or so later that the Ikea Tradfri smart lights were unreachable again. So now I’m thinking that maybe pfBlockerNG is blocking some hostname (the DNSBL feature). This is possible because maybe one of the DNSBL feeds I am using has received an update and some hostname which the Ikea Tradfri gateway uses is now blacklisted. Luckily pfBlockerNG gives you the ability to whitelist hostnames.

I went into the management interface of my pfSense firewall and selected the Reports tab in the pfBlockerNG settings. The Reports tab shows a very nice list of hostnames which have been blocked by pfBlockerNG. There is a nice filtering option as well. See the screenshot below.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 01

My Ikea Tradfri gateway has 192.168.100.51 as its IP address. This is a static mapping in the DHCP server on my pfSense. So I entered this IP address in the Alert filter to see if pfBlockerNG was blocking DNS requests from my Ikea Tradfri gateway. The result was 0, so according to pfBlockerNG nothing from my Ikea Tradfri gateway was blocked. See the screenshot below.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 02

But still I had the same behavior. When I power cycle the Ikea Tradfri gateway all is well for a short time and then it just becomes unavailable. I continued my investigation and decided to replace the USB power adapter of the Tradfri gateway. That didn’t help. By now I was thinking that I had tried everything except replacing the unit. I went to Ikea and got a new Tradfri gateway. I set it up and went through the painful experience of connecting all my Tradfri lights and switches to the new gateway. I was just wrapping up when I saw that all my Ikea lights were unreachable again! Imagine my frustration.

Bring on Pi-Hole!

OK, now I was furious. Even after replacing the Ikea Tradfri gateway I had the same problem. I was getting more convinced that it had to be something in my network. The first step for me now was that I wanted to know all the DNS queries the Ikea Tradfri gateway was making. I tried debugging that in the Unbound resolver on my pfSense, but there were so many DNS requests flying by that it made troubleshooting nearly impossible.

I needed another DNS server, one specifically for my Ikea Tradfri gateway. And I needed it quick. Since I had a Raspberry Pi lying around I went the Pi-Hole route. Just download the correct image from the Pi-Hole website, write it to the SD card and start up your new DNS server. Within a couple of minutes I was up and running with Pi-Hole. I loaded the exact same DNSBL lists I was using on pfBlockerNG onto the Pi-Hole. Using a DHCP reservation I set Pi-Hole as the DNS server for the Tradfri gateway.

Pi-Hole showed me all the DNS queries the Tradfri gateway was making, which ones were allowed and which ones were blocked. I was specifically interested in the DNS queries being blocked. I saw immediately that a lot of DNS queries to webhook.logentries.com were being blocked. That DNS query did not come up when I was troubleshooting on pfBlockerNG to find the blocked queries. I added webhook.logentries.com to the Pi-Hole’s whitelist and waited a couple of hours. The Ikea smart lights were working fine now. Even after 24 hours all my Tradfri lights were still working fine.

Now let’s remove webhook.logentries.com from the Pi-Hole’s whitelist I thought and see what happens. Within the hour my Tradfri lights were offline again. Root cause found :).

Why I made the switch to Pi-Hole

I began to investigate why pfBlockerNG was not showing the blocked DNS queries. I discovered that when I did a DNS lookup on pfSense with pfBlockerNG enabled, the request for webhook.logentries.com was being “sink-holed” by pfBlockerNG, but it was not showing up in the Reports tab as blocked (or allowed). The screenshots below show what happens on pfSense.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 03

As you can see above the DNS request is blocked by pfBlockerNG because it is “sink-holed” to the DNSBL VIP pfBlockerNG is using (10.10.10.1). But when I check the Reports tab in pfBlockerNG, I don’t see the blocked DNS request.
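Because the Reports tab missed this entry, the only reliable signal was the answer itself: a lookup that comes back with the DNSBL VIP is sink-holed whether or not it is reported. The script below is an added example (not code from this post, pfBlockerNG or Pi-hole) that resolves the hostnames a device is known to query and flags any answer pointing at a sinkhole address; 10.10.10.1 is the DNSBL VIP from the post, 0.0.0.0 is the null answer Pi-hole returns in its default blocking mode, and the sample hostnames and answers are constructed so the check also runs offline.

```python
"""Spot DNSBL sink-holed answers without relying on a blocker's report view."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Addresses that mean "blocked": the pfBlockerNG DNSBL VIP from the post and
# the 0.0.0.0 null answer Pi-hole uses in its default blocking mode.
SINKHOLES = {"10.10.10.1", "0.0.0.0"}


def system_resolve(hostname: str) -> List[str]:
    """Ask the host's configured resolver (e.g. pfSense Unbound) for IPv4 answers."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(answers: List[str], sinkholes: Iterable[str] = SINKHOLES) -> str:
    """'sinkholed' if any answer is a sinkhole address, 'unresolved' if there is none."""
    if not answers:
        return "unresolved"
    if set(answers) & set(sinkholes):
        return "sinkholed"
    return "resolved"


def audit(hostnames: Iterable[str],
          resolve: Callable[[str], List[str]] = system_resolve,
          sinkholes: Iterable[str] = SINKHOLES) -> Dict[str, Tuple[str, List[str]]]:
    """Map each hostname to (verdict, answers) using the given resolver function."""
    report = {}
    for host in hostnames:
        answers = resolve(host)
        report[host] = (classify(answers, sinkholes), answers)
    return report


def sinkholed_hosts(report: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Just the hostnames that came back sink-holed, sorted for stable output."""
    return sorted(host for host, (verdict, _) in report.items() if verdict == "sinkholed")


# Constructed sample (assumption): hostnames a gateway might query, with answers
# as a sink-holing resolver would return them. 203.0.113.0/24 is documentation space.
SAMPLE_ANSWERS = {
    "webhook.logentries.com": ["10.10.10.1"],   # sink-holed to the DNSBL VIP, as in the post
    "ads.example.invalid": ["0.0.0.0"],         # Pi-hole style null answer
    "fw.example.invalid": ["203.0.113.7"],      # ordinary answer
    "gone.example.invalid": [],                 # NXDOMAIN / no answer at all
}


def sample_resolve(hostname: str) -> List[str]:
    """Offline resolver backed by the constructed sample above."""
    return SAMPLE_ANSWERS.get(hostname, [])


if __name__ == "__main__":
    import sys
    # With hostnames on the command line the real resolver is used; otherwise the sample.
    hosts = sys.argv[1:] or list(SAMPLE_ANSWERS)
    resolver = system_resolve if sys.argv[1:] else sample_resolve
    for host, (verdict, answers) in audit(hosts, resolver).items():
        print(f"{verdict:10} {host:30} {', '.join(answers) or '-'}")
```

Run it on the pfSense box (or any LAN host using pfSense as its resolver) with the hostnames from the device's Pi-Hole query log as arguments; anything printed as sinkholed is blocked regardless of what the Reports tab says.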

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 04

Now when I do the same DNS lookup against the Pi-Hole I can see the DNS lookup immediately in the Query Log tab:

vikash.nl - 05

The GUI on the Pi-Hole makes it really easy to troubleshoot, as it shows immediately which client is making which DNS queries and which ones are being blocked. The GUI also has very easy filtering options.

Moved from pfBlockerNG to Pi-Hole - vikash.nl

And you can easily find in which DNSBL feed a certain hostname appears, so you know which feed is blocking your internet traffic. It even tells you if the DNS name is whitelisted. This makes management so much easier.

This GUI compared to pfBlockerNG was refreshing to me. Amazing how much time I spent troubleshooting on pfBlockerNG while the Pi-Hole showed me within minutes what was happening and where the problem was! Great tech :).

In the end

I moved from pfBlockerNG to Pi-Hole. Don’t get me wrong, I still love and use pfBlockerNG. But I now only use it to block IP addresses from certain countries and regions. It is still very useful for that.

Moved from pfBlockerNG to Pi-Hole - vikash.nl

But I don’t use the DNSBL option anymore because I have no faith in its reporting capabilities. And that weighs very heavily when you are troubleshooting why something is not working in your network. Since I started using Pi-Hole I have found some other DNS hostnames which were also blocked and not reported by pfBlockerNG. One of them was Ubiquiti’s firmware download server. Pretty important to know that sort of stuff.

I just can’t be bothered to make tcpdump captures of my network traffic on pfSense and then use some kind of tool to analyze them and try to find the needle in the haystack. So I recommend you use Pi-Hole for the DNSBL part, as it is amazing at that. From a pragmatic perspective it is blazing fast and has great reporting options about what is happening in your network.


pfSense with routed IPTV and OpenVPN client for private internet access

Reading Time: 10 minutes

What I wanted was pfSense with routed IPTV and an OpenVPN client for private internet access. You know that there are a lot of prying eyes who are interested in your internet traffic. I think that what you do with your internet is your business only. So I use a VPN provider to route all my internet traffic. When you do that without taking a couple of rules into account, you will break IPTV. Recently I got fiber (Fiber to the Home – FTTH) internet at home with IPTV included. My ISP now is Xs4all (soon to be KPN). With that service comes a very nice Fritz!box and an IPTV set-top box. The Fritz!box takes care of everything. You just plug the box in, follow a few steps in the manual and you are online. Very nice :). The Fritz!box has 4 network ports. These ports can be used to connect your computer or the IPTV set-top box. The Fritz!box will configure the network ports automatically for internet access or TV functionality depending on what device you connect.

So I wanted to get rid of the Fritz!box for a couple of reasons:

  • use pfSense as my firewall
  • have my WAN IP address directly on pfSense (no double NAT!)
  • use OpenVPN client on pfSense to my VPN provider (for privacy reasons)
  • route all my internet traffic via my VPN provider (Mullvad)
  • be in complete control of my network at home

Getting internet to work with my fiber connection and pfSense was no issue. There is plenty of information on the internet about how to set up PPPoE and all the VLAN stuff. Maybe I will do a blog post about that some day. Routed IPTV however was a different story. I had done some research and quickly discovered that getting routed IPTV to work with pfSense was going to require more effort than the plug-and-play method the Fritz!box was using. Mullvad has a great guide on how to configure pfSense with their services here. But there are no guides out there (at least I could not find them) on how to route all your internet traffic through your VPN provider while at the same time routing your IPTV traffic outside the VPN tunnel. Note that this is not the same as making an exception for a device in your network to access the internet outside the VPN tunnel! There is routing, IGMP, firewall rules and DHCP options in play with different networks. I will show you how to set up pfSense to route all your internet traffic through your VPN provider and at the same time make IPTV work!

So I made a little diagram of the situation I had in mind. I decided to get a mini-PC with multiple network ports (6 in total) so I could dedicate network ports to IPTV traffic or internet traffic. There are other options you could use, like managed switches, but I wanted to keep things lean. The diagram below shows the setup I implemented:

pfSense with routed IPTV and OpenVPN client for private internet access - 01

So basically the layout for the network ports on my pfSense firewall is as follows:

  • NIC 0: WAN / Internet/ Xs4all
  • NIC 1: LAN – to my managed switch for all the devices in my LAN.
  • NIC 2: free (future use)
  • NIC 3: free (future use)
  • NIC 4: IPTV set-top box Bedroom
  • NIC 5: IPTV set-top box Living room

VLANs

As you can see in my diagram above, Xs4all is using VLANs. VLAN 4 is used for IPTV and VLAN 6 is used for internet access. That means that I need to have two VLANs coming in on my NIC 0 (WAN) on pfSense. In the pfSense management interface go to Interfaces -> Assignments and then click on the VLANs tab. When you add the VLANs here, make sure the correct VLAN tag is entered and choose the correct network interface. Create your VLANs here and make sure they look like the picture below:

pfSense with routed IPTV and OpenVPN client for private internet access creating_vlans

As you can see in the picture above, VLAN 4 and 6 are both configured to use interface igb0. igb0 is the name pfSense gave NIC 0 on the mini-PC I am using. Make sure to check the name pfSense assigns to the network interfaces on your hardware. The description is optional, so use it as you see fit. In the end your configuration should look something like my config below:

pfSense with routed IPTV and OpenVPN client for private internet access - 03

WAN configuration

WAN configuration consists of 2 parts. The first part is the internet access part and the second one is for IPTV.

Internet WAN side

I am not going to deep-dive into the WAN configuration part. Internet access lives in VLAN 6 and there is some PPPoE configuration involved. In the end the WAN interface will be using NIC 0 and VLAN 6. It looks like this:

pfSense with routed IPTV and OpenVPN client for private internet access - 04

As you can see, my WAN is coming in on igb0.6 with PPPoE. igb0.6 stands for NIC 0, VLAN 6. That is the way pfSense names interfaces combined with their VLAN tag.

IPTV WAN side

Let’s get the IPTV interface on pfSense up and running! I have named the IPTV WAN interface WAN_IPTV. This interface is on igb0 and has VLAN tag 4 assigned. You can see it in the picture above. The next step is to configure some DHCP options for this interface. If we don’t do this, pfSense will not be able to pick up a valid network configuration and won’t be able to receive the IPTV feed from the WAN side. Open the properties of the interface. In my case it is the interface with the name WAN_IPTV. In the first part of the properties make sure that the interface is enabled and IPv4 Configuration Type is set to DHCP:

pfSense with routed IPTV 06

Now scroll down on this page because we have to make sure that we set a couple of properties here.

pfSense with routed IPTV 07

As you can see in the picture above you have to enable the Advanced Configuration option here. This will enable some options in the Lease Requirements and Requests segment of this page:

  • Send options field: in this field enter dhcp-class-identifier “IPTV_RG”
  • Request options field: in this field enter subnet-mask, routers, broadcast-address, classless-routes

Check the image below:

pfSense with routed IPTV 08

After setting these options you will see that the WAN_IPTV interface gets an IP address from the ISP.

pfSense with routed IPTV 09

Set up the IPTV interfaces (for local set-top boxes)

So let’s move on to the IPTV interfaces. As I said before, I am using NIC 4 and NIC 5 for my IPTV set-top boxes. That means that those set-top boxes will be directly connected to those network ports. Select the interfaces you will use and assign them a static IP address. Each interface used for IPTV needs its own subnet. In my case I will be using the following subnets:

  • 192.168.100.0/24 for my LAN (NIC 1 – igb1)
  • 192.168.112.0/24 for the IPTV set-top box in my Bedroom (NIC 4 – igb4)
  • 192.168.111.0/24 for the IPTV set-top box in my Living room (NIC 5 – igb5)

I know that the subnet I use for IPTV is a little bit big, as I only have 1 set-top box on that interface :). Ah well, this works for me and maybe I will adjust it in the future to make it smaller or combine both my set-top boxes on one subnet. For now this works for me. The IPTV interface has to be assigned a static IP address. Make sure yours looks something like the picture below:

pfSense with routed IPTV 10

Double check the network ports you will use for your IPTV set-top boxes. Below is an overview of the IPTV interfaces I will use. As you can see, I have assigned dedicated network interfaces to my IPTV set-top boxes.

pfSense with routed IPTV 11

The next step is to make sure that those set-top boxes get an IP address when connected to those interfaces. For that to happen I will be running a dedicated DHCP server on each IPTV interface. I know that there are other options, but hey… this keeps it simple and pragmatic :). Luckily pfSense makes it easy to run multiple DHCP servers. After assigning a static IP address to a specific interface you will see that interface appear in the DHCP server configuration page. See the image below:

pfSense with routed IPTV 12

The screenshot below shows how I have set up DHCP on the interface where the IPTV set-top box for my Living room is connected. There is nothing special there. Just specify the DHCP range here.

pfSense with routed IPTV 13

The same goes for all the set-top boxes which have their own dedicated interface on pfSense.

IGMP Proxy

We have to set up IGMP Proxy because IPTV uses multicast. The multicast traffic needs to be received by the set-top box in order to function properly. The way to get the IGMP traffic from the WAN_IPTV interface (from your ISP) to the set-top box is to let pfSense proxy it. By using IGMP proxy we can also confine multicast traffic to only the set-top boxes instead of constantly flooding your whole LAN with it. This, in a nutshell, is why we use IGMP proxy.

Go to Services -> IGMP Proxy. Enable IGMP Proxy by clicking the checkbox. Then we have to add one upstream configuration for the WAN_IPTV network and a downstream configuration for every set-top box you have.

In my case the WAN upstream interface needs to have 3 networks:

  • 217.166.0.0/16
  • 213.75.0.0/16
  • 10.0.0.0/8

These networks are in use for IPTV by KPN/Xs4all. Check with your ISP which network ranges they use for upstream. See the image below:

pfSense with routed IPTV 14

We also have to tell the IGMP Proxy service where our IPTV set-top boxes live. So for each set-top box we need to configure a downstream interface. My Living room IPTV set-top box has the network:

  • 192.168.111.0/24

pfSense with routed IPTV 15

Make sure you select the correct interface. In the end the IGMP Proxy service settings should look like this:

pfSense with routed IPTV 16

Routing, firewall rules and NAT

Now we have to set up specific firewall rules, routing and also NAT. This blog post is about using IPTV while routing all your internet traffic through your VPN provider in order to hide it from prying eyes. But we don’t want to route IPTV traffic through the VPN tunnel, because that will break watching old-fashioned TV using your set-top box.

My pfSense firewall is running a full-blown OpenVPN tunnel (OpenVPN client) 24/7. When my VPN tunnel is down for some reason I want to block all internet-related traffic. This prevents accidentally leaking internet traffic when my VPN tunnel is down. This is also called a “kill switch”. To achieve this I have to set my pfSense Outbound NAT mode to Manual and configure additional NAT rules for my IPTV set-top boxes.

NAT Mode

I will not discuss in this blog post what the consequences are of changing the NAT mode to Manual. The network configuration in Manual NAT mode requires additional settings and these can differ depending on your VPN provider. If you are using Mullvad, they have a terrific guide here. Go to Firewall -> NAT and click on the Outbound tab.

pfSense with routed IPTV 17

For every local network used for the IPTV set-top boxes we have to add specific NAT rules. We have to tell pfSense to send all the traffic from those networks through the WAN_IPTV interface. This way the traffic will not go through the VPN tunnel.

For the IPTV set-top box in my Living room I have added a rule here with the following configuration:

  • Interface: WAN_IPTV
  • Address family: IPv4
  • Protocol: any
  • Source type: Network
  • Source network: 192.168.111.0/24 (the subnet for my IPTV in the Living room!)
  • Destination: Any

See screenshot below:

pfSense with routed IPTV 18

We have to add one very important rule here. The network 224.0.0.0/8 has to be added here and also routed through WAN_IPTV. Again, check with your ISP for details on the network. Add it using the following configuration:

  • Interface: WAN_IPTV
  • Address family: IPv4
  • Protocol: any
  • Source type: Network
  • Source network: 224.0.0.0/8 (the multicast network from the previous paragraph, not a set-top box subnet!)
  • Destination: Any

See the screenshot below:

pfSense with routed IPTV 19

After adding all the rules relevant for your IPTV set-top boxes, your configuration here should look something like this:

pfSense with routed IPTV 20

Routing and firewall rules

The next (and last) step is to add the correct routing and firewall rules. Per IPTV interface we have to add two rules. One is to pass the IGMP traffic and the other one is to pass the IP traffic. If you go to Firewall -> Rules you should see several tabs there, including the ones specifically for your set-top boxes. Select the tab for your set-top box and let’s add the IGMP rule first.

The IGMP rule should have the following configuration:

  • Action: Pass
  • Interface: IPTV_Livingroom (select your set-top box internal network here!)
  • Address Family: IPv4
  • Protocol: IGMP
  • Source: any
  • Destination: any
  • Advanced configuration: check Allow IP options

The Allow IP options setting is very important to allow multicast traffic. See the following screenshot:

pfSense with routed IPTV 21

The second rule must be configured with these options:

  • Action: Pass
  • Interface: IPTV_Livingroom (select your set-top box internal network here!)
  • Address Family: IPv4
  • Protocol: IGMP
  • Source: IPTVLIVINGROOM net (select the subnet where your set-top box lives!)
  • Destination: any
  • Advanced configuration: check Allow IP options

You should end up with these rules in the tab for your set-top box:

pfSense with routed IPTV 22

As you can see, I have also added some other rules. The one relevant here, I think, is to block all traffic from the IPTV subnet to your LAN. It’s up to you if you want this. I added that just because :).

So there you have it. You should now have a fully functional network where your IPTV traffic is routed to your ISP and all your internet traffic is separated and routed through your VPN provider. This setup also makes it so that when your VPN tunnel is offline your set-top boxes will still work, given that your WAN is of course fully up and running. Very nice!
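The property worth verifying before trusting this setup is the one just stated: set-top box traffic leaves via WAN_IPTV whether the tunnel is up or not, LAN traffic only ever leaves via the tunnel, and the optional rule keeps the set-top boxes out of the LAN. The script below is an added example (not part of the original post and not pfSense code) that models the manual outbound NAT rules and per-interface filter rules above as ordered, first-match lists and evaluates constructed sample flows with the tunnel up and down; the OpenVPN client interface name ovpnc1, the igb1/igb4/igb5 interface names and all sample addresses are assumptions.

```python
"""Policy check for the IPTV-bypass / VPN kill-switch setup described in the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Subnets and ranges taken from the post; VPN_IF is an assumed interface name.
LAN = "192.168.100.0/24"            # NIC 1 / igb1
IPTV_LIVING = "192.168.111.0/24"    # NIC 5 / igb5
IPTV_BEDROOM = "192.168.112.0/24"   # NIC 4 / igb4
MULTICAST = "224.0.0.0/8"
VPN_IF = "ovpnc1"                   # assumed name of the Mullvad OpenVPN client interface


@dataclass(frozen=True)
class Flow:
    in_if: str          # interface the packet arrives on
    src: str
    dst: str
    proto: str = "ip"   # "ip" for anything that gets NATed, or "igmp"


@dataclass(frozen=True)
class FilterRule:
    action: str         # "pass" or "block"
    in_if: str
    proto: str          # "any" or "igmp"
    src: str            # "any" or CIDR
    dst: str            # "any" or CIDR


@dataclass(frozen=True)
class NatRule:
    out_if: str         # interface the outbound NAT rule is bound to
    src: str            # source network it matches


def _match(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def iptv_rules(in_if: str, subnet: str) -> List[FilterRule]:
    """One set-top box tab from the post: IGMP pass, LAN isolation, IP pass.
    pf evaluates rules first-match, so the block must precede the broad pass."""
    return [
        FilterRule("pass", in_if, "igmp", "any", "any"),
        FilterRule("block", in_if, "any", subnet, LAN),
        FilterRule("pass", in_if, "any", subnet, "any"),
    ]


FILTER_RULES = (iptv_rules("igb5", IPTV_LIVING) + iptv_rules("igb4", IPTV_BEDROOM)
                + [FilterRule("pass", "igb1", "any", LAN, "any")])

# Manual outbound NAT: set-top box subnets and the multicast range leave via
# WAN_IPTV; the LAN only has a NAT rule on the VPN interface and none on WAN.
NAT_RULES = [
    NatRule("WAN_IPTV", IPTV_LIVING),
    NatRule("WAN_IPTV", IPTV_BEDROOM),
    NatRule("WAN_IPTV", MULTICAST),
    NatRule(VPN_IF, LAN),
]


def egress(flow: Flow, vpn_up: bool) -> str:
    """Return the egress interface for the flow, or a 'blocked:<reason>' string."""
    for rule in FILTER_RULES:
        if (rule.in_if == flow.in_if and rule.proto in ("any", flow.proto)
                and _match(rule.src, flow.src) and _match(rule.dst, flow.dst)):
            if rule.action == "block":
                return "blocked:filter"
            break
    else:
        return "blocked:default-deny"      # pfSense drops what no rule passes
    if flow.proto == "igmp":
        return "igmpproxy:WAN_IPTV"        # IGMP is relayed by igmpproxy, not NATed
    for nat in NAT_RULES:
        if _match(nat.src, flow.src):
            if nat.out_if == VPN_IF and not vpn_up:
                return "blocked:vpn-down"  # the kill switch the post describes
            return nat.out_if
    return "blocked:no-nat"


def check_policy() -> Dict[str, str]:
    """Evaluate constructed sample flows (assumed addresses) with the tunnel up and down."""
    stb = Flow("igb5", "192.168.111.10", "217.166.5.5")           # set-top box to ISP IPTV range
    lan = Flow("igb1", "192.168.100.20", "203.0.113.9")           # LAN client to the internet
    leak = Flow("igb5", "192.168.111.10", "192.168.100.20")       # set-top box into the LAN
    join = Flow("igb5", "192.168.111.10", "224.0.0.22", "igmp")   # multicast membership report
    return {
        "iptv_vpn_up": egress(stb, True),
        "iptv_vpn_down": egress(stb, False),
        "lan_vpn_up": egress(lan, True),
        "lan_vpn_down": egress(lan, False),
        "stb_to_lan": egress(leak, True),
        "igmp_join": egress(join, True),
    }


if __name__ == "__main__":
    for name, result in check_policy().items():
        print(f"{name:14} -> {result}")
```

Swapping the order of the block and pass rules in iptv_rules() makes stb_to_lan come back as WAN_IPTV, which is the first-match pitfall to watch for when adding the LAN isolation rule in the GUI.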

At the end I want to make clear that I am in no way connected or affiliated to the brands or services I named in my blog post.


Added value of Citrix Endpoint Management with Microsoft EMS/Intune

Reading Time: 4 minutes

What is going on?

As you know, if you do anything with Enterprise Mobility Management and Office 365 apps for Bring Your Own Devices (BYOD) or Company Owned Devices (COD), you can hardly do anything without Microsoft EMS/Intune these days. We all know the most popular Office 365 apps: Word, Excel, Outlook and PowerPoint. Other Office 365 apps like Microsoft SharePoint or Microsoft Dynamics 365 may be less popular but are still mission critical for organizations.

I have yet to encounter an organization that only uses Microsoft Office 365 apps on mobile devices. How about you? Mobile app deployment at most enterprise organizations these days looks like this:

  • Office 365 apps.
  • Other native mobile apps.
  • Custom-built apps.
  • Web and SaaS apps.
  • Virtualized apps.

So, all these corporate apps have to be delivered to the end user on their device. It also means that you, as the company, want to have insight into what is going on in these apps. The data in these corporate apps is yours, so you want to know how your data is being handled by the app on the user’s device. How is the user experience, regardless of the internet being slow or even unavailable? On what platform does my app run? Your IT department wants to be able to answer all these questions.

How do we do it?

This is where Citrix Endpoint Management comes in! It allows us as IT to protect and isolate corporate data and apps from personal apps and data. Do you worry about how to deliver your corporate apps to the user? Stop worrying, because Citrix Endpoint Management comes with an app store. This is a secure and private app store specifically designed for the enterprise. In this app store you can use corporate apps and public apps. You need a public app to stay on a specific version for, say, compliance reasons? No problemo with the app store integrated in Citrix Endpoint Management. The Citrix Endpoint Management app store allows you to use apps from public app stores with your corporate policy applied to them! How cool is that.

Citrix Endpoint Management also delivers functionality like exchanging data and documents between Office 365 apps and corporate apps. That is not all. Because Citrix Endpoint Management can deliver a per-app micro VPN, your IT department can guarantee how data in motion is being handled. This is where Citrix Application Delivery Controller (ADC) comes into play. Formerly known as NetScaler, ADC can provide per-app functionality for all the corporate mobile apps. See the diagram below.

Overview Citrix Gateway for micro VPN (Source Citrix)

Let’s say that your employee is on the other side of the world and needs access to that very important research document. No worries. ADC will make sure that the session delivering that document to the mobile device is fully secured and encrypted. Also, when the document is on the mobile device, Citrix Endpoint Management will secure that data at rest. How cool is that!

Micro-VPN to on-premise data (Source Citrix)

Security nirvana does exist!

It does when you use Citrix Endpoint Management with Microsoft EMS/Intune. I often get the question: Vikash, why do you need Citrix Endpoint Management when you have Intune? My answer is simple: do you want first-class security, an enhanced user experience and flexibility for apps and devices? Then you need Citrix Endpoint Management with EMS/Intune.

Let me explain. With Citrix Endpoint Management we can see what is going on in the communications layer for every user, every session and every app. That means we can deploy access policies based on app, user or device. And by device I mean not only mobile devices but also laptops and tablets. All these devices in the end-user space can now be made fully compliant with your corporate IT security policy! Amazing.

Interaction between Office 365 apps, ShareFile and Secure Mail (Citrix mobile apps) is seamless. Citrix makes that possible because they use the Microsoft EMS SDK. The data on the device stays in the secure enclave provided by Citrix Endpoint Management. While other vendors need to build a so-called bridge to exchange data between Office 365 apps and their corporate apps, Citrix mobile apps are “Intune-enlightened”. Below is an overview of the seamless interaction.

Secure Mail with Intune App Protection (Source Citrix)

I am convinced!

Let’s face it. If you have Office 365 apps running on mobile devices, then you need an EMS/Intune infrastructure! Because you want to know what happens with your corporate data on those devices, right? No question there, if you ask me. But nowadays, with security being more and more a critical aspect for enterprises, you want to be at your A-game. Citrix Endpoint Management enables you to do just that. Let’s talk bullet points here:

  • Do you have Exchange on-prem? Regardless, you want the higher level of security the per-app VPN option gives you.
  • Security for data in motion and data at rest.
  • Fine grained setup of policies for Mobile Device Management and Mobile Application Management.
  • Seamless integration of all Office 365 apps with Citrix Secure Mail. It just works.
  • Single pane of glass to manage different devices and platforms.
  • Wide range of supported devices (MacOS, ChromeOS, tvOS, Raspberry Pi, Android, iOS, Windows 10).
  • Enterprise app store for all your corporate apps.

Below is an architectural overview of how Office 365 apps can be integrated with Citrix Endpoint Management.

Architectural overview (Source Citrix)

Setup Citrix NetScaler Gateway for Citrix XenMobile Server 10.9

Reading Time: 9 minutes

In this blog post I will show you how to set up Citrix NetScaler Gateway for Citrix XenMobile Server 10.9. You need Citrix NetScaler for XenMobile Server if you have the following scenarios:

  • Micro VPN access for access to internal resources.
  • Use Citrix Endpoint Management with Microsoft Intune/ EMS.
  • Micro VPN access for business apps to internal application servers or data.
  • Use XenMobile Apps for iOS or Android.

In this blog I will go through all the steps needed to successfully implement Citrix NetScaler for XenMobile Server, starting with importing the NetScaler appliance on my hypervisor and ending with a completed setup on the NetScaler ready for production. Before you start you have to set up and configure Citrix XenMobile Server 10.9. Check my blog post here on setting up XenMobile Server 10.9.

Before we can start you have to make sure that you have the requirements in place. Nothing is more annoying than finding out that you forgot something during installation. This is the list of requirements:

  • Minimum NetScaler 10.5 build 66.9. I am using NetScaler 12.1 build 49.23.
  • Platform/Universal license.
  • Public SSL certificate.
  • Several IP addresses. I will make a list for you.
  • DNS host names (FQDNs) which are accessible from the internet.

Let’s make a list of the IP addresses we will need on the NetScaler. These IP addresses are all private IP addresses in my case, and also at the customers I visit. This is because the NetScaler is always placed behind a firewall, which does all the NAT work to map the external IP to the internal IP. So, in the end you will of course need a public IP which you then map on your firewall to the NetScaler. That goes beyond this post; check your firewall documentation on how to do this. Below is the IP address list I will use for my setup:

Function                               IP address
NetScaler IP                           192.168.1.21
Subnet IP                              192.168.1.22
XenMobile Gateway Virtual IP           192.168.1.23
XenMobile Gateway Virtual IP for MAM   192.168.1.24
XenMobile Gateway Virtual IP for MDM   192.168.1.25

Import Citrix NetScaler on Citrix XenServer

Make sure you download the correct NetScaler appliance (VPX) from Citrix. I have Citrix XenServer running, so I downloaded the appliance for XenServer. Let’s start by importing the virtual Citrix NetScaler on XenServer. Start Citrix XenCenter and click on File -> Import.

Locate the .xva file you downloaded from the Citrix website. Browse to it and select it. Then click on Next.

Select the XenServer host you will import the appliance to. I have only one XenServer host running in free mode, so I will use that. Click on Next.

Select the storage you will import the NetScaler onto. Then click on Import.

Select the network interface the NetScaler appliance will use to communicate on the network. Then click on Next.

Review your selections and if everything is OK you can start the actual import. Check Start VM after import to continue the setup. Click on Finish.

After the import is finished, go to the console using XenCenter. The appliance will boot and, on the command line, will ask you to configure network settings. The IP address here is the one we reserved for the NetScaler IP (NSIP). Enter the IP and hit Enter.

Enter all the network configuration information (like netmask and gateway) and choose option 4 to save. The NetScaler will now reboot. After the reboot we continue the initial configuration using a web browser.

Initial setup Citrix NetScaler

Open a web browser and go to http://<NSIP>. I am using 192.168.1.21 as my NSIP. Log in using nsroot as the username and nsroot as the password. Make a note for yourself to change this after you are done with the configuration. Click on Log On.

The initial configuration will automatically start, and you will be prompted to opt-in for the Citrix User Experience Improvement Program. I choose Enable but you can skip this of course.

Next step is to specify a Subnet IP. Click on Subnet IP Address.

Enter the IP you reserved to be your subnet IP. I will use 192.168.1.22. Enter the corresponding netmask and click on Done.

Next step is to configure DNS IP Address, host name and Time Zone.

Enter the information matching your environment. In my case my DNS server is 192.168.1.15. The Host Name can be anything you want; it does not matter because we are using a VPX. If you are using an MPX (physical NetScaler appliance) make sure to note the host name, because then your license file is linked to the host name. In the VPX the license file is linked to the MAC address of the virtual network interface. That’s why the Host Name can be anything here. Select the correct time zone and click on Done.

The NetScaler will reboot now to save the settings and let the changes take effect. Click on Yes.

Wait for it to reboot and leave the browser window open :).

Configure Licenses

The next step is to configure licenses. We need certain functions which are unlocked with the correct license for NetScaler. If you are only testing, you can go for an evaluation license for 90 days. During the evaluation period all the features of NetScaler are available to you. The features you need in NetScaler which require a special license are:

  • Load Balancing.
  • NetScaler Gateway for micro VPN and access to corporate resources.

After the NetScaler has rebooted, log in with the nsroot username and password. Go to System -> Licenses and click on Manage Licenses.

Click on the button Add New Licenses.

Choose the option Upload license file. You must allocate the license file first using the licensing tools on the Citrix website. Make sure that when you allocate the NetScaler license on the Citrix website, you enter the correct Host ID. The Host ID is displayed on the right side of the window. It is the MAC address of the virtual NIC. If you have multiple virtual NICs configured, it will be the MAC address of the NIC which is listed first in the properties view of the appliance. Click on Browse to locate the license file.

After the license file is uploaded the NetScaler needs to reboot to activate the license file and the corresponding features. Click on Reboot.

Click on Yes.

Wait for the reboot to finish. Leave your browser window open.

After you log in you will see an overview of the newly licensed features and the VPX version.

Import SSL certificate

Next step is to import your SSL certificate. I am using a wildcard SSL certificate. If you are not using a wildcard certificate, check my blog post about setup and configuration of XenMobile Server 10.9 here to see what hostnames (FQDNs) you need in your SSL certificate. In an earlier blog post I showed how to import an SSL certificate in .pfx format on the NetScaler. Check that blog post here.

After I imported my certificate this is my SSL overview on my NetScaler.

Setup NetScaler for XenMobile

Now it’s time to set up the NetScaler for XenMobile. I set up XenMobile Server 10.9 in a previous post here. In that blog post I showed you the ins and outs of the setup and configuration process of XenMobile Server. To make the XenMobile resources available to our end users we need to integrate NetScaler and XenMobile. NetScaler provides the authentication mechanism for remote devices to reach the internal network, as well as other MAM functionality.

For my blog I will use the XenMobile wizard which is supplied with NetScaler. This wizard is very good at getting the job done (pragmatic approach) and gets better with every new version of NetScaler. Log in to NetScaler using your browser, scroll down in the left column and click on XenMobile. Then click on Get Started.

Make sure that the options Access through Citrix Gateway and Load Balance XenMobile Servers are checked. Then click on Continue.

Enter the IP address you will use for the Virtual Server (VIP) for NetScaler Gateway. Leave the port on 443. Click on Continue.

Select the certificate you want to use for the NetScaler Gateway VIP. This is my wildcard SSL certificate which I previously imported. Click on Continue.

The next step is to add your Active Directory/LDAP configuration. This is used by NetScaler for user authentication against your Active Directory. Make sure that you have a service account configured in your Active Directory which you will use here. Enter the information and click on Test Connection to test the configuration. Everything should be green. Then click on Continue.

This next step will ask you for the FQDN for your MAM functions. Fill in the same FQDN here that you used when setting up XenMobile according to my post here. In my case that is xnmob01.vikash.nl. Also set the IP address you will be using for the Load Balancer. Then click on Continue.

Next, we must select the certificate for XenMobile. This has to be the same certificate you are using on your XenMobile server! In my case I have a wildcard certificate running on my XenMobile Server and the same one on my NetScaler.

Now we have to tell NetScaler where the XenMobile server is. Click on Add Server.

Specify the IP address for XenMobile Server. I have my XenMobile Server running on 192.168.1.19. Fill in the IP address and click on Add.

Now it will list the XenMobile Server. Click on Continue.

Click now on Load Balance XenMobile Servers.

This is the IP address you will use to Load Balance MDM. Specify a name and then click on Continue.

You will get an overview of the Load Balancing Virtual Server Configuration. Click on Continue.

Then click on Done and we are done!

You will be taken to the Dashboard and see the configuration you made using the wizard.


We can see the different components the wizard added. See below the screenshots to get an idea where they are in the NetScaler configuration.

This concludes this blog post. In following posts, I will show you how to enroll devices using XenMobile. Feel free to contact me if you have any questions or comments.

You can follow me on twitter or add the RSS feed from my blog and you will be notified when I add new posts.

Setup Citrix NetScaler Gateway for Citrix XenMobile Server 10.9

Setup Citrix Endpoint Management (Citrix XenMobile Server 10.9)

Reading Time: 14 minutes

In this blog I will show you how to setup Citrix Endpoint Management (Citrix XenMobile Server 10.9). The new name for Citrix XenMobile is Citrix Endpoint Management. This version was released by Citrix on the 13th of September 2018. A few things are new in this version:

  • Access to XenMobile Tools from the Console.
  • Add Google Play Store apps using a package ID.
  • New public REST APIs.

You can read all about what is new here. XenMobile Server is a complete Enterprise Mobility Management (EMM) solution that provides both Mobile Device Management (MDM) and Mobile Application Management (MAM) through a single virtual appliance. You can run the virtual appliance on XenServer, Hyper-V or VMware. It supports all the major hypervisors as you can see so you have no excuse there for not using it :). This version of XenMobile has a single management console for your devices, apps and data.

So before we can start the setup and configuration we have to make sure we meet the requirements:

  • One of the hypervisors I mentioned before.
  • 4x virtual CPUs.
  • 4GB RAM minimum. 8GB is recommended.
  • 50 GB disk space.
  • Citrix License Server 11.15.x or later.
  • MS SQL Server 2012 SP4 or higher (if you plan on using an external database).
  • SSL Certificate (with the hostnames we are going to use in this blog or you can just use a wildcard certificate).

So this will get your XenMobile server up and running. Depending on your needs you will need additional components like Citrix NetScaler or mobile applications. I will discuss this in upcoming blog posts.

Where am I running this setup? I have Citrix XenServer running in my test lab, so I downloaded the Citrix XenMobile virtual appliance for XenServer. In my test lab I have Active Directory running on Windows Server 2016. Nothing is redundant or highly available as this is just my test lab :). Let’s start.

Import the virtual appliance

Locate the virtual appliance file you just downloaded.

Open Citrix XenCenter and choose File -> Import.

Click on Browse to select the virtual appliance file. Click on Next.

Select the XenServer host on which you want to import the virtual appliance. In my case I have only one host, so this is automatically selected. You might notice that there is an orange triangle displayed in front of my XenServer host. That is because I am running the free version of Citrix XenServer. The orange triangle reminds me that Citrix XenServer is running in “free-mode”. After selecting your XenServer host click on Next.

Select the storage repository on which the virtual appliance will be stored. Click then on Import to start the import process.

After the import you will be asked to select the network interface the virtual appliance will use to communicate on the network. Use the drop down in the Network column to select the network and then click on Next.

Check the information in the review window and then click on Finish. Notice that the checkbox Start VM(s) after import is selected. So, when you click on Finish here XenServer will spin up the virtual appliance.

First-time use wizard Citrix XenMobile Server 10.9

So, after the import has completed and the virtual machine has booted it is time for the first-time setup. This will be done using the virtual machine console in Citrix XenCenter. We need to set up the IP address and subnet mask, default gateway, DNS servers, and other settings for XenMobile using the command-line console in XenCenter.

The wizard will start automatically, and you will be asked to enter a new password for the user “admin”. This is the default administrator user. Enter a password and hit enter. You will be asked twice to enter the same password. Hit enter after that and the wizard will continue.

Then you will be asked to enter the network configuration. After every entry hit enter. The IP address I will use in my test lab is 192.168.1.19. When you have entered all the network information you will be asked to commit the settings. Press y if you are sure and hit enter.

Then the wizard will ask you to generate a random passphrase to secure the server data. This passphrase is used to encrypt and decrypt part of the data stored on the appliance. Note that you cannot view the passphrase if it is automatically generated. So, if you are planning to extend your XenMobile environment in the future, make sure you enter your own passphrase! For now, I choose y because one XenMobile server is enough for a test lab. In my experience one XenMobile server is enough in production as well, but of course this depends on your specific situation.

The wizard will now ask you if you want to enable FIPS (Federal Information Processing Standard). You need this if you must comply with legal requirements for cryptographic modules used in security systems. Click here if you need more details on this. I don’t need this feature, so I select n and hit enter.

Next up the wizard will ask if you want to use a remote or a local database. I am using a remote database because I have a dedicated Microsoft SQL server running in my test lab. Choose r for remote database. Choose mi for Microsoft SQL. Using Microsoft SQL is recommended by Citrix in production environments. Enter your database connection information and then press y to commit the settings.

The wizard will ask you if you want to enable cluster setup. This is the case when you have multiple Citrix XenMobile servers in your environment. Choose the setting that applies to your situation and hit enter. In my test lab I have enabled this, but I won’t be using it here.

Next the wizard will ask you for the XenMobile Server host name. This is the host name all your users will connect to for enrollment. A common host name chosen here is “mdm.domain.name”. This is because this is the FQDN for Mobile Device Management (MDM) and it is easy to remember. In my case I am using xnmob01.vikash.nl. This name must be present in the SSL certificate you will use. If you are using a wildcard certificate you are fine. Press y and hit enter to commit the changes.

Next step is about the communication ports. I just leave this to the default ports and commit the changes by pressing y and hitting enter.

Enter the name you want to use for the device management instance. This is used to set up the XenMobile Autodiscovery Service. I will set this up in a later blog. For now, I choose the default instance name zdm. Enter the instance name you want, then press y and hit enter to commit your settings.

The wizard will now set up the internal Public Key Infrastructure (PKI). It will automatically generate the required certificates (how nice is that!). Later on, we will add our own certificate. For now, choose y to use the same password on all the certificates it generates. Enter the password and then press y and hit enter to commit the settings.

The wizard will now create an administrator account for logging on to the XenMobile console using your web browser. This is the account you will use to manage the XenMobile server from a web browser. I just choose the default username here (administrator) and entered the password I want twice. Once again press y to commit your settings.

The wizard will continue with the setup and all you must do is wait.

After the wizard completes the setup you will see a login prompt. This means that everything on the command line is set up and we can now continue the configuration using a web browser. This screen will also tell you what the URL is for the management console. In my case this is https://192.168.1.19:4443.

Continue setup of XenMobile Server 10.9 from web browser

Next step is entering License information and adding SSL certificates. Open a web browser and go to the management console URL. In my case that is https://192.168.1.19:4443. You may get a prompt telling you that the certificate for this website is not trusted. You can safely ignore this warning. We know that this is the certificate which the setup wizard automatically generated using the internal PKI. Enter your administrator account details here and click on Sign in.

Click on Start to continue.

Configure a License for XenMobile

We must start with the license configuration. If you don’t have a license XenMobile will have a trial license for 30 days. If you have a Citrix License server running with XenMobile licenses, then click on Configure License and then choose Remote license.

Enter the information of your license server and then click on Test Connection. If you have XenMobile licenses on your Citrix License server, they should appear here. Click on Next.

Install SSL certificate

You will now be asked to import certificates. In this screen I will import my own wildcard certificate. This is the certificate I will be using for the MDM and MAM services made available using XenMobile Server. Later on in the post we will request and import the APNs certificate which is used for Apple’s Push Notification service. For now, click on Import.

Now pay close attention here. The certificate you will be using for MDM and MAM (in my case my vikash.nl wildcard certificate) must be set as the SSL Listener certificate. Because I have my certificate in .pfx format I will choose the option KeyStore as import method. I suggest you also use the .pfx file format, as it makes life easy when dealing with SSL certificates. Set the KeyStore type to PKCS#12 and set Use as to SSL Listener. Then click on Browse.

Locate your .pfx file, enter the encryption password for the .pfx file and click on Import.

You will get a warning popup about replacing an existing SSL Listener certificate. Because we don’t have one in place yet, this warning can be dismissed. If you are renewing SSL certificates (like in a production environment) pay extra attention here. In that case make sure that the FQDN names are the same in the renewed SSL certificate! We can click on OK here. The Certificate window will now list your SSL certificate. In my case it is my wildcard certificate. You will see that XenMobile Server has also selected my SSL certificate as the SSL Listener and informs me that it has the private key as well. Very nice.
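A check for the two certificate rules from this post (the XenMobile host name must be covered by the certificate, wildcard or not, and a renewed certificate must still cover the same FQDNs), written as an added example that is not part of the original post. xnmob01.vikash.nl is the post's own MDM host name; gw.vikash.nl is a constructed stand-in for the NetScaler Gateway FQDN, which the post does not name, and the certificate name lists are constructed input.

```python
"""Check that a certificate's names (CN/SANs) cover the FQDNs XenMobile needs.

Added example, not part of the original post. Only xnmob01.vikash.nl comes
from the post; every other hostname and name list here is constructed.
"""

# FQDNs that the SSL Listener certificate must cover. xnmob01.vikash.nl is the
# MDM host name from the post; gw.vikash.nl is a constructed stand-in for the
# NetScaler Gateway external URL, which the post does not name.
REQUIRED_FQDNS = ["xnmob01.vikash.nl", "gw.vikash.nl"]


def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate name (CN or SAN entry) covers host.

    Uses the usual wildcard rule: '*' may only stand in for one whole
    left-most label. So '*.vikash.nl' covers 'xnmob01.vikash.nl' but neither
    'vikash.nl' itself nor 'a.b.vikash.nl'. Matching is case-insensitive and
    ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # '*.vikash.nl' -> '.vikash.nl'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # exactly one non-empty label may replace the '*'
    return bool(leftmost) and "." not in leftmost


def missing_names(cert_names, required):
    """FQDNs in required that no name in cert_names covers."""
    return [h for h in required
            if not any(name_matches(p, h) for p in cert_names)]


def renewal_report(old_names, new_names, required=REQUIRED_FQDNS):
    """Compare a renewed certificate against the one it replaces.

    'missing' lists required FQDNs the new certificate does not cover;
    'lost' is the subset of those that the old certificate did cover. A
    non-empty 'lost' list is the situation the post warns about: replacing
    the SSL Listener certificate would silently drop a name clients rely on.
    """
    missing_new = missing_names(new_names, required)
    missing_old = missing_names(old_names, required)
    lost = [h for h in missing_new if h not in missing_old]
    return {"missing": missing_new, "lost": lost}


if __name__ == "__main__":
    # Constructed scenario: the wildcard certificate from the post is renewed
    # with a certificate that only lists the MDM host name.
    old = ["*.vikash.nl"]
    new = ["xnmob01.vikash.nl"]
    print(renewal_report(old, new))
    # -> {'missing': ['gw.vikash.nl'], 'lost': ['gw.vikash.nl']}
```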

Install an APNs Certificate

Before we install the APNs certificate we need to request it. First, we need a Certificate Signing Request (CSR) file. I will do this using Microsoft IIS on a Windows Server 2016 webserver I have running here (named STF01). Open Internet Information Services (IIS) Manager and select Server Certificates.

Click on Create Certificate Request.

The Common name is important. You must be able to reach that later on from the internet. Fill in the information in the required fields and click on Next.

Select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic Service Provider and 2048 for bit length. Then click on Next.

Specify the location and filename to save the CSR file. Click Finish. Leave the IIS manager console open in this view. We will come back to this later.

Now we must upload the CSR to Apple. Go to https://tools.xm.cloud.com/ and log in with your Citrix account. Click on Request push notification certificate signature.

Before we upload the CSR make sure to change the file extension to .txt (or .pem) otherwise it will not sign. Then click on Upload the CSR to locate the CSR you generated in the above steps. Then click on Sign.

You will see a message that the CSR is successfully signed and you will be prompted to save the signed file (or it will be automatically saved in your browser download directory). This file will have the extension .plist.

Click on the bold and underlined text Apple Push Certificates Portal in the second column to head over to the Apple Push Certificates Portal. It will open in a new tab or window. Sign in using your Apple ID to continue.

Click on Create certificate to start.

Agree with the Terms of Use and click on Accept.

Next you will be asked to upload the signed CSR file (the .plist file). Browse to the file and then click on upload.

If everything goes well your push certificate should be created. Click Download to save it locally. The filename of the certificate you download here should be something like MDM_Zenprise_Certificate.pem.

Now we need this MDM_Zenprise_Certificate.pem file to complete the CSR we made earlier on the webserver. This must be the same webserver you generated the CSR on! So, head back to the webserver, in my case STF01, to complete the certificate request. IIS Manager should still be open from the previous steps in this blog, so now you have to choose Complete Certificate Request from the right column.

Locate the .pem file you downloaded from Apple and specify a friendly name. This name can be anything. Then click on OK.

Next step is to export the APNs certificate with the private key, so we can import it in XenMobile. Right click the APNs certificate from IIS Manager and click on Export.

Specify a location, a filename with the extension .pfx and a password. Then click on OK.

Now let’s head over to the XenMobile web console. The wizard will start automatically after logging in and will take you to the Certificates screen. Click on Import.

Select KeyStore in the Import box. The type should then be automatically set to PKCS#12. It is very important to select APNs in the Use as dropdown menu. Browse to the exported .pfx APNs file from a few steps above and also enter the same password for decryption. Then click on Import.

Click on OK in the dialog window to confirm.

The import will complete successfully, and you should now have all the appropriate certificates installed to continue the Initial Configuration. Click on Next.

XenMobile NetScaler Gateway Configuration

The next step will lead you to the configuration for NetScaler Gateway. This is of course optional. But while we are here we might as well do the configuration. The actual setup and configuration of NetScaler will be another blog post. Enter a name here for NetScaler. The External URL is important because this will be used for Mobile Application Management (MAM). Note also that this is https. I leave the logon type to Domain only for now. Click then on Next.

XenMobile LDAP Configuration

For this step to complete make sure you have a service account for XenMobile configured in your Active Directory. Make sure password expiration is disabled for this account. Also make sure that you have set up routers and firewalls correctly to allow LDAP (or Secure LDAP) communication to and from the NetScaler. There are also other ports which I will point out in my blog post about configuring the NetScaler, but for now we only need the LDAP port. Fill in the fields according to your environment. I only have one domain controller in my test lab, so I enter that in the Primary server field. Because my Active Directory is plain and simple I don’t have a complex User base DN or Group base DN. Check the advanced properties of the service account using the Active Directory Users and Computers management console to see what they are in your environment.

After entering all the required information, we can click on Next.

Notification Server Configuration

This is the part where you enter your mail server information so XenMobile Server can send notifications. I have Postfix running as my local mail server, so I will enter that information here. You need the IP address of the mail server and the correct port number. As in the previous step, make sure that XenMobile Server can communicate with the mail server on the specified port. Enter the required information and then click on Test Configuration.

A window will pop up and ask for the recipient email address. Enter a valid email address where the test mail will be delivered to. Then click on Send.

You will get a notification that the mail is sent successfully. Click OK.

You will be prompted with a summary screen. You can now click Finish in the bottom.

We will now be transported to the main XenMobile management console with a message that we now can start managing XenMobile! How cool is that :).

So now we are almost ready to enroll our devices. The next step is configuring Citrix NetScaler to make XenMobile available in a secure way to our end users. Check that blog post here, where I show you how to set up and configure Citrix NetScaler for XenMobile. This concludes this blog post. Feel free to contact me if you have any questions or comments.

You can follow me on twitter or add the RSS feed from my blog and you will be notified when I add new posts.


Upgrading Citrix StoreFront 3.15 to Citrix StoreFront 3.16

Reading Time: 4 minutes

In this blog post I will show you how to upgrade StoreFront 3.15 to version 3.16. There are a few things you need to do before upgrading Citrix StoreFront 3.15 to Citrix StoreFront 3.16:

  • Make a backup of your existing StoreFront before starting the upgrade.
  • Check the issues Citrix fixed in this new release here.
  • Check the known issues here and make sure you or your end-users will not be affected by them.
  • Do this upgrade in a test environment. This enables you to test your complete configuration and specific customizations you might have.

My 3.15 version of StoreFront is empty because I just started to rebuild my test-lab and then decided to upgrade to version 3.16. You of course may have a complete production environment running on version 3.15 so you have to make sure to test your upgrade before deploying it in production. Please note that StoreFront 3.16 is only supported on Windows Server 2012 R2 and Windows Server 2016. My StoreFront 3.15 is running on Windows Server 2016.

Citrix StoreFront 3.16 is now part of the brand new name Citrix is using: Citrix Virtual Apps and Desktops 7. The new name is part of their cloud strategy branding. You can download Citrix StoreFront version 3.16 as a separate component or download the full ISO of Citrix Virtual Apps and Desktops 7. Check the download section of their website here. Let’s get to it then.

Upgrading Citrix StoreFront 3.15 to Citrix StoreFront 3.16

If you have downloaded the ISO then start by mounting it using Windows Explorer. Right-click the ISO and then click on Mount.

Browse to the mounted ISO (the DVD drive in Windows Explorer) and double-click on AutoSelect.exe.

The installer will start and automatically detect that there are Citrix components running on the server. It will present you with the option to upgrade them. Click on Upgrade.

Accept the license agreement and click on Next.

Next you will be presented with a checklist for a successful upgrade. After upgrading StoreFront you have to upgrade other components in this list as well. If you are ready check the box I’m ready to continue. Click then on Next.

The setup wizard will automatically configure the Windows Firewall. Leave the option on Automatically. Click then on Next.

The summary window will be displayed. Click on Upgrade.

When the upgrade starts you cannot cancel it. If you do this you might end up with a broken StoreFront server. Only if you are sure you are ready to continue with the upgrade click OK.

The upgrade will now start. All you have to do now is wait.

After the upgrade is finished you will be presented with the upgrade results. Check the box Open the StoreFront Management Console to continue. Click on Finish.

You can now continue to check your configuration. Mine is empty. In upcoming posts I will show how to configure StoreFront to present desktops and applications to end-users.

This concludes this blog post. In following posts I will show you how to configure StoreFront to deliver desktops and applications. I will also show you how to connect it to Citrix NetScaler, so stay tuned. Feel free to contact me if you have any questions or comments.

You can follow me on twitter or add the RSS feed from my blog and you will be notified when I add new posts.
