One of the most prominent issues that I see in many environments is client version inconsistency.  The root causes vary from environment to environment, but at the end it all boils down to not being able to check on the client version on each and every workstation and ensuring everyone is running the same version.  This is why I’m a big fan of Citrix Merchandising Server (CMS); it allows organizations to do just that.  The best part is that it can be used for both internal and remote users.

Now, making CMS available from the internet is not always an option.  Some organizations don’t trust hypervisors on their DMZ and some others don’t like the fact that you could potentially access the management console from the outside.  So how do you address these concerns and still make the CMS available on the outside? If you have a NetScaler, there is no better option than using it to frontend the CMS.

This is what you would need:

  • Setup CMS in your internal network
  • Host a VIP for CMS on the NS
  • Set aside a public IP for the CMS and NAT it to the VIP on the NS
  • Create the appropriate firewall rules to allow traffic to that VIP on ports 80 and 443

       On the NetScaler:

  • Create an LB vserver with the VIP for the CMS listening on port 80, and bind a responder rule to it that redirects all requests on port 80 to “https://” + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY
    (Ideally, your users will never have to type the URL to get to the receiver download site, but if for some reason that happens and they don’t specify “https”, then you make sure you redirect them to the right place instead of showing  some “page not found” error.)
  • Create a second LB vserver with the VIP for the CMS listening on port 443, bind the appropriate certificates, and bind a responder rule that will prevent access to the management interface.
    This is the expression I used for my policy:  HTTP.REQ.URL.PATH.EQ(“/appliance”) || HTTP.REQ.URL.PATH.EQ(“/appliance/”) || HTTP.REQ.URL.PATH.EQ(“/appliance/loginAction.do”)
    The action redirects users to “https://” + HTTP.REQ.HOSTNAME + ”/appliance/download”

 

Hope you find this useful.

Until next time, Migs.

Miguel Contreras
Senior Consultant
Citrix Consulting