AppController is a component of the Citrix CloudGateway Enterprise suite that orchestrates access to Enterprise Cloud applications. Those applications may take many forms, including mobile applications, Software-as-a-Service hosted in public clouds, and web links. Below I provide some tips to help with the implementation of AppController 2.5 (which is the latest version as of the publishing of this blog).

System Related

Including settings such as the Hostname, SSL certificates, and Restore.

TIPs:

  • Take a hypervisor-level snapshot after the initial installation so that you can easily return to that base level if configuration or integration efforts go awry.
  • The hostname in the AppController certificate signing request cannot contain special characters.
  • The hostname must match the SSL certificate.
  • The system certificate must be chained to its CA(s).

Active Directory Related

Including settings such as the Server (Domain Controller), Base DN, and Service Account credentials.

TIPs:

  • The AppController only supports integration with a single domain. Multiple domains require multiple AppControllers. The NetScaler Access Gateway may be configured to allow users to access a single fully qualified domain name, yet be directed to their respective domain AppController through the use of Global Groups. See CTX116169 for more information: http://support.citrix.com/article/CTX116169
  • All user accounts must have a first name, last name, and email address configured, or they will receive an authorization error when attempting to launch applications. The bind Administrator account must also have an email address configured, or directory integration will fail.
  • Only LDAP (TCP 389) may be configured through the wizard that must be completed initially.  Thereafter LDAPS (TCP 636) may be configured through the full administration menu.
  • If the server's domain name is a load-balanced DNS entry, the initial import may work, yet subsequent bind attempts will fail. Alternatively, you may use the IP address of an LDAPS load balancer on a NetScaler with specific domain controllers configured as services. See CTX135092 for more information: http://support.citrix.com/article/CTX135092
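
A pre-flight check for the account attribute requirement in the tips above, added here as an example and not part of the original post or of any Citrix tooling: it parses an LDIF export of the accounts (bind account included) and lists those missing a first name, last name or email address. The mapping to the `givenName`, `sn` and `mail` attributes is an assumption, and the sample entries are constructed.

```python
import base64

# Assumption: first name, last name and email map to these AD attributes.
REQUIRED = {"givenname": "first name", "sn": "last name", "mail": "email address"}

# Constructed sample export; account names and domain are placeholders.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
givenName: Alice
sn: Example
mail: alice@example.test

dn: CN=svc-appc,OU=Service Accounts,DC=example,DC=test
givenName: AppController
sn: Bind

dn: CN=Bob,OU=Staff,DC=example,DC=test
givenName:: Qm9i
mail: bob@exam
 ple.test
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold; "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def audit(entries):
    """Return {dn: [missing required fields]} for accounts that need fixing."""
    findings = {}
    for entry in entries:
        missing = [label for attr, label in REQUIRED.items() if not any(entry.get(attr, []))]
        if "dn" in entry and missing:
            findings[entry["dn"][0]] = missing
    return findings

if __name__ == "__main__":
    for dn, missing in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: missing {', '.join(missing)}")
```

An attribute that is present but empty is reported as missing, the same as an absent one.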

Network Related

Including settings such as the IP address, @Workweb and NTP server.

TIPs:

  • Use private IP addresses as system addresses if possible. When Trust Settings are configured for NetScaler Access Gateway, it does not allow SSO to public addresses. If public addresses must be used, the NetScaler may be configured with an SSL Bridge to access the AppController. See the NetScaler Traffic Management document for more information.
  • NTP must be configured or SAML authentication may fail for SaaS sites if the time difference is significant.
  • When Trust Settings are configured for NetScaler Access Gateway, it must be able to route to all application sites. It acts as a proxy for the client once an application is launched.
  • After installing the @Workweb application, ensure that its network policy is set to “tunneled”; otherwise the application links that rely on access to the intranet, and that were able to launch in the device’s native browser, will fail.

 

Matt Brooks

Architect
Worldwide Consulting Solutions
tweetmattbrooks