NetScaler Gateway 12 – PCoIP Proxy

Last Modified: Aug 22, 2017 @ 5:49 pm

Navigation

Overview

NetScaler Gateway 12.0 supports the PC-over-IP (PCoIP) protocol, which is the remote display protocol for several non-Citrix VDI solutions, including VMware Horizon View. PCoIP is analogous to Citrix HDX/ICA protocol, and Microsoft RDP protocol. PCoIP uses UDP port 4172.

  • VMware Blast is currently not supported

When PCoIP is proxied through NetScaler Gateway, NetScaler Gateway can replace the traditional PCoIP remote access solutions, like View Security Server, or VMware Access Point.

Prerequisites

  • NetScaler Version – NetScaler 12.0 or newer.
    • Build 51 and newer for NAT
  • NetScaler Edition – PCoIP Proxy is available in all NetScaler Editions
  • Universal Licenses – PCoIP Proxy uses the Clientless Access feature of NetScaler Gateway, which means every NetScaler Gateway connection must be licensed for NetScaler Gateway Universal. On the NetScaler Gateway Virtual Server, ensure ICA Only is unchecked.
  • Horizon View infrastructure – A functioning internal Horizon View infrastructure. Ensure you can connect to Horizon View Agents internally without NetScaler Gateway.
    • Ensure that the Horizon View HTTP(S) Secure Tunnel and PCoIP Secure Gateway are not enabled on the Horizon View Connection Servers that NetScaler will proxy connections to.
    • Configure Desktop Pools and RDS Farms to use PCoIP as the default protocol.
  • Firewall Ports:
    • TCP 4172, UDP 4172, and TCP 443 open from Horizon View Clients to the NetScaler Gateway VIP.
    • TCP 4172, and UDP 4172 open from the NetScaler SNIP to all internal Horizon View Agents.
  • Certificate – A valid certificate for the NetScaler Gateway Virtual Server.
  • Authentication – An LDAP authentication policy/server.
  • Unified Gateway (optional) – If Unified Gateway, create the Unified Gateway before adding PCoIP functionality.
  • RfWebUI Portal Theme – For web browser access to Horizon View, the NetScaler Gateway Virtual Server must be configured with the RfWebUI theme.
  • Horizon View Client – The Horizon View Client must be installed on the client device, even if accessing Horizon published icons using the NetScaler RfWebUI portal.

PCoIP Profile

To create the PCoIP Profile:

  1. In the NetScaler management GUI, navigate to Configuration> NetScaler Gateway> Policies> PCoIP.
  2. On the right, in the PCoIP Profiles and Connections pane, you will create a VServer profile and a PCoIP profile.
  3. To create a VServer profile, on the VServer Profiles tab, click Add.

    1. Enter a name for the VServer profile. The only point of the VServer Profile is to specify the Active Directory domain name so name it accordingly.
    2. Enter an Active Directory Domain Name that will be used for Single Sign-on to Horizon View Connection Server, and then click on Create.
    3. Note: only a single Active Directory domain is supported per NetScaler Gateway Virtual Server. Also, the domain name specified here is displayed in the Horizon View Client.
  4. To create a PCoIP profile, on the Profiles tab, click Add.

    1. Enter a name for the PCoIP Profile. The PCoIP Profile specifies the internal DNS name for Horizon so name it accordingly.
    2. Enter the internal connection URL for the internal VMware Horizon View Connection Servers, and then click on Create. NetScaler SNIP needs to be able to connect to this URL.

Session Policy/Profile

To create or edit a Session Policy/Profile that has PCoIP Proxy enabled:

  1. Navigate to Configuration> NetScaler Gateway> Policies> Session.
  2. On the right, select the Session Profiles tab.
  3. On the NetScaler Gateway Session Policies and Profiles page, create or edit a NetScaler Gateway Session Profile.
    1. To create a NetScaler Gateway session profile, click Add, and provide a name.
    2. To edit a NetScaler Gateway session profile, select the profile, and click Edit.
  4. On the Client Experience tab, ensure that the Clientless Access value is set to On.
  5. On the Security tab, ensure that the Default Authorization Action value is set to ALLOW.
  6. On the PCoIP tab, select the required PCoIP profile. Note: you can also create or edit PCoIP Profiles from this tab.
  7. Click Create or OK to finish creating or editing the Session Profile.
  8. If you created a new Session Profile, then you must also create a corresponding Session Policy.
    1. Navigate to Configuration> NetScaler Gateway> Policies> Session.
    2. On the right, select the Session Policies tab.
    3. Click Add.
    4. Provide a name for the Session Policy, and select the required session profile name from the Profile drop-down.
    5. If you are creating the Session Policy using Default Syntax, first click Switch to Default Syntax, in the Expression area, type true, and then click on Create.

    6. If you are creating the Session Policy using Classic Syntax. Then in the Expression area, type ns_true, and then click on Create.

Gateway Virtual Server

Bind the created PCoIP VServer profile and Session Policy to a NetScaler Gateway Virtual Server:

  1. Go to NetScaler Gateway > Virtual Servers.
  2. On the right, either Add a new NetScaler Gateway Virtual Server, or Edit an existing NetScaler Gateway Virtual Server.
  3. If you are editing an existing NetScaler Gateway Virtual Server, in the Basic Settings section, click the pencil icon.
  4. For both adding and editing, in the Basic Settings section, click More.
  5. Use the PCoIP VServer Profile drop-down to select the required PCoIP VServer Profile.
  6. Scroll down and ensure that ICA Only is unchecked. Then click OK to close the Basic Settings section.
  7. If you are creating a new NetScaler Gateway Virtual Server, bind a certificate, and bind an LDAP authentication policy.
  8. Scroll down to the Policies section and click the plus icon.
  9. The Choose Type page defaults to Session and Request. Click Continue.
  10. In the Policy Binding section, click on Click to select.
  11. Click the radio button next to the required Session Policy that has the PCoIP Profile configured, and click on Select.
  12. Back in the Policy Binding page, click Bind.
  13. If you want to use a web browser to connect to VMware Horizon View, then on the right, under Advanced Settings, add the Portal Themes section. If you are only using Horizon View Client to connect to NetScaler Gateway, then you don’t need to perform this step.

    1. Use the Portal Theme drop-down to select RfWebUI, and click OK.
    2. Horizon View published icons are added to the RfWebUI portal.
  14. To enable support for NAT, SSH to the NetScaler to access the CLI.
    1. Run the command set vpn vserver MyVserverName -vserverFqdn MyFQDN. This causes NetScaler to send the FQDN back to the Horizon Client, which enables it to connect to the public IP instead of the DMZ private IP address. Unfortunately, this setting is not available in the NetScaler GUI.

Horizon Configuration

  1. In Horizon Administrator, go to View Configuration > Servers. Edit the Horizon View Connection Server that NetScaler Gateway connects to.

    1. On the General tab, uncheck the HTTP(S) Secure Tunnel and PCoIP Secure Gateway.
  2. At Resources > Farms, edit your RDS Farms.

    1. Set the Default display protocol to PCoIP.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the PCoIP URL paths.

  1. In the NetScaler GUI, navigate to Configuration> Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || http.req.url.path.eq("/broker/xml") || http.req.url.path.eq("/broker/resources") || http.req.url.path.eq("/pcoip-client")

Use NetScaler Gateway PCoIP Proxy

  1. To connect, you must have Horizon View Client installed on the client device. Once installed, you can either use the Horizon View Client’s User Interface to connect to NetScaler Gateway, or you can use the NetScaler Gateway RfWebUI portal page to view the icons published from Horizon.
  2. To view the active PCoIP connections, in NetScaler, go to NetScaler Gateway > Policies > PCoIP.
  3. On the right, switch to the Connections tab. The active sessions are displayed with the following data: user name, Horizon View Client IP, and Horizon View Agent Destination IP.
  4. To terminate a connection, right-click the connection, and click Kill Connection. Or click Kill All Connnections to terminate all PCoIP connections.

CLI Commands

Here are CLI Commands for the configuration shown above.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"

add authentication ldapAction AD01 -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication ldapPolicy AD01 ns_true AD01

add vpn pcoipVserverProfile corp -loginDomain corp
add vpn pcoipProfile vcs01 -conServerUrl "https://vcs01.corp.local"

add vpn sessionAction VPN -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -pcoipProfileName vcs01
add vpn sessionPolicy VPN true VPN

add vpn vserver VPN SSL 10.3.3.13 443 -downStateFlush DISABLED -Listenpolicy NONE -vserverFqdn vpn.corp.com -pcoipVserverProfileName corp

bind vpn vserver VPN -portaltheme RfWebUI
bind vpn vserver VPN -policy AD01 -priority 100
bind vpn vserver VPN -policy VPN -priority 100 -gotoPriorityExpression NEXT -type REQUEST -urlName RDP
bind ssl vserver VPN -certkeyName WildcardCorpCom

8 thoughts on “NetScaler Gateway 12 – PCoIP Proxy”

  1. Hi, Carl!

    So, I’m giving this another whirl using a sandbox SDX virtual instance running 12.0 51.24. I’ve followed the steps, both on the NS and on a test Horizon 7 server with some desktop and RDS pools on it. I’ve gotten it all built, I get to the NSG login, log in OK, and …am staring at a mostly blank page. 🙁

    Top-left is the “Unified Gateway” logo (which is weird, b/c I’m not using any CSW), and under it is “Please select from the following:” with a bit empty void underneath it. I’m not sure what I’m missing!

    Here’s my config:
    #Creating the PCoIP VServer profile and client profile
    add vpn pcoipVserverProfile gw_pcoip_prof_vsrvProfile -loginDomain domain.tld
    add vpn pcoipProfile vpn_client_prof_pcoip_test -conServerUrl “https://horizon7v1tst.domain.tld” -sessionIdleTimeout 121

    #Creating the session profile and policy
    add vpn sessionAction gw_session_prof_pcoipTesting -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -pcoipProfileName vpn_client_prof_pcoip_test
    add vpn sessionPolicy gw_session_pol_pcoipTesting ns_true gw_session_prof_pcoipTesting

    #Creating the NSG virtual server (just GW, no CSW/UG involved)
    add vpn vserver gw_vsrv_pcoipProxyTesting SSL X.X.X.X 443 -downStateFlush DISABLED -Listenpolicy NONE -pcoipVserverProfileName gw_pcoip_prof_vsrvProfile
    set ssl vserver gw_vsrv_pcoipProxyTesting -eRSA DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -HSTS ENABLED

    #Binding stuff to the NSG (excluding the default caching policies for brevity)
    bind vpn vserver gw_vsrv_pcoipProxyTesting -policy authe_pol_mgmtGuiAuth -priority 100
    bind vpn vserver gw_vsrv_pcoipProxyTesting -policy gw_session_pol_pcoipTesting -priority 100
    bind ssl vserver gw_vsrv_pcoipProxyTesting -certkeyName “DigiCert Wildcard (2017)”

    What am I missing? I’m stumped. :/

    Insights are, as always, appreciated!

      1. *bad German accent* Veeeeery interesting!

        That HSTS setting definitely jacks with it – I just confirmed in my own testing. Weird. Good call on that one! As soon as I disabled it and retried, I was getting automatically into the portal and seeing stuff.

        So here are a few follow-up questions about it, now that I’ve managed to successfully get into this thing:
        1. I’ve noticed that on a normal NSG (no UG), if I have both PCoIP config and Citrix config in the same session profile, I have to enable Client Choices in order to click “Clientless Access” and see both sets of resources. If I don’t, and I disable Client Choices, it logs me directly into only the Storefront side of things without showing any of the Horizon View resources. Is that expected, or did I derp something up?

        2. I’ve noticed when using a UG for this, I don’t have the Client Choices issue; however, none of the VMWare icons show. There are boxes for them, but they’re empty why squares with descriptions. They launch just fine – I just cant’ figure out why it is the actual icon previews don’t display.

        Thanks again for being a rockstar! 😀

        1. Clientless Access Portal is required for displaying of the Horizon PCoIP icons. StoreFront portal does not connect to Horizon and thus can’t show Horizon icons.

          1. That I understand, but I guess the question is whether or not you can define default post-logon behavior to go directly to the Clientless Access portal. Disabling the Client Choices sends you to the Receiver/Storefront portal, meaning you never see any of the other VMWare/Web/SaaS resources. My initial response to this was to change from a standard NSG to a UG, but that’s when I noticed the VMWare icon pictures don’t show up – just white squares.

  2. I’m really glad this is now a feature, and that you’ve covered it here. I’ve not been able to test my config yet because (I hope) of some missing configuration on the Connection Broker side of things. I’ll get to look at that in depth this week, though. I’m excited to see this work given all the problems we’ve had out of the IDM product. Presenting Horizon View resources through something not IDM has been a desire of ours almost since we implemented Horizon View. lol

Leave a Reply