
SUM304: Best practices for troubleshooting Branch Repeater deployments

SUM304: Best practices for troubleshooting Branch Repeater deployments. Shoaib Yusuf: Lead Escalation Engineer Scott Rosendahl: Lead Escalation Engineer May 24, 2011. Agenda. Product line Deployment modes XA/XD optimization Repeater and AG SSL optimization. Citrix Repeater Product Line.


Presentation Transcript


  1. SUM304: Best practices for troubleshooting Branch Repeater deployments Shoaib Yusuf: Lead Escalation Engineer Scott Rosendahl: Lead Escalation Engineer May 24, 2011

  2. Agenda • Product line • Deployment modes • XA/XD optimization • Repeater and AG • SSL optimization Citrix Confidential - Do Not Distribute

  3. Citrix Repeater Product Line

  4. Citrix Repeater Product Line • Branch Repeater VPX: virtual appliance; XenServer or VMware ESX/ESXi • Branch Repeater Appliance: CBR100, 200, 300, Linux & Windows; half-size 1U; link speeds up to 10 Mbps • Repeater Appliance: 8500-1U, 8800-2U; high-speed links (~500 Mbps) • Repeater Plug-in: software application; remote single client (Windows desktops and laptops); communicates only with 8800/8500 series • Version labels shown on the slide: 5.6.x; 2.0.x / 3.0.x; 5.5.x / 5.7.x (5.5.x = 2.0.x, 5.7.x = 3.0.x)

  5. Product Placement • Repeater Appliance 8800 (45-500 Mbps) • Repeater Appliance 8500 (5-45 Mbps) • Branch Repeater Appliance 100/200/300 (1-10 Mbps) * Does not support Plug-in • Branch Repeater w/ Windows Server Appliance 100/200/300 (1-10 Mbps) * Does not support Plug-in • Repeater VPX (1-45 Mbps) • Repeater Plug-in [Diagram scale labels: 10 Mbps, 45 Mbps, 500 Mbps]

  6. Deployment Modes

  7. Repeater Optimization w/ Inline Mode • Advanced TCP Flow Control • Multi-Level Compression • Protocol Optimization [Diagram labels: Site A, Site B, Datacenter; cables "X-over" and "Straight"; "SCP filter: Don’t accelerate Site B"; "By default accelerate Site A"; "SCP filter: Don’t accelerate Site A and Site B"; ping -t]

  8. Inline Deployment Common Issues (CTX125100 Quick Installation) • Cabling for proper bypass • BW send rate: 5-10% less than link (diagram labels: 45 Mbps, 42 Mbps) • Symmetric packet flow required

  9. Troubleshooting • Connection list • Compression ratio • Unaccelerated detail • Service Class Policies

  10. WCCP Mode

  11. WCCP Deployment • Understand deployment • Isolated WCCP devices • WCCP Router limitations

  12. HA Mode

  13. High Availability • Same subnet • Spanning Tree off • Bypass open state • TCP connections reset

  14. Inline HA Recommended Deployment Procedure [Diagram labels: 192.168.1.202; 192.168.1.203; VIP: 192.168.1.200; VRRP]

  15. Group Mode

  16. Group Mode • “Owning” unit - hash • Forwarding load on LAN interfaces • Use Aux1 or Primary • 4 port w/ 5.5.6 • Bypass open [Diagram labels: SYN, SYN+ACK, Active, Active]

  17. ICA XA/XD Optimization

  18. ICA XA/XD Optimization Requirements • At least BR 5.x/2.x • ICA SCP: disk compression, dynamic QoS • XenApp: P.S. 4.5 + HRP03 (5.0 w/out patch) • XenApp Client: 11 • XenDesktop 4

  19. ICA Troubleshooting • XenApp server registry (HKLM\System\CurrentControlSet\Control\Citrix\WanScaler) • EnableForSecureIca = 1 (default = 0 for XA; 1 for 128-bit advanced encryption) • EnableWanScalerOptimization = 1 • UchBehavior = 2 • ICA_Debug.php (hidden page) • Help link (ica_debug_help.htm) • Tables: *session protocol version*

  20. ICA Advanced Troubleshooting • Disable BR • Unaccelerated ICA via SCP • Bypass ICA Parser • Parameters.php hidden page (ICA.PassThrough on) • Test ICA vs. CGP (session reliability) [Screenshot: ICA_Debug.php]
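
The three registry values from the ICA Troubleshooting slide can be audited on a XenApp server with a read-only script. This is an added example, not part of the original presentation; the function name `Test-WanScalerRegistry` is hypothetical, and the key path and expected values are the ones listed on the slide.

```powershell
# Added example: read-only check of the WanScaler registry values named on
# the "ICA Troubleshooting" slide. Run locally on the XenApp server.
$KeyPath = 'HKLM:\System\CurrentControlSet\Control\Citrix\WanScaler'

# Expected values exactly as listed on the slide.
$Expected = [ordered]@{
    EnableForSecureIca          = 1   # slide: default is 0 on XA
    EnableWanScalerOptimization = 1
    UchBehavior                 = 2
}

# Hypothetical helper name; it reads the key and never writes to it.
function Test-WanScalerRegistry {
    param(
        [string]$Path = $KeyPath,
        [System.Collections.IDictionary]$Want = $Expected
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($name in $Want.Keys) {
        # A value that does not exist is reported as Missing, not as 0.
        $prop   = $props.PSObject.Properties[$name]
        $actual = if ($prop) { $prop.Value } else { $null }

        # The slide does not state the value type; -eq matches a DWORD 1
        # as well as a string "1".
        if ($null -eq $actual)            { $status = 'Missing' }
        elseif ($actual -eq $Want[$name]) { $status = 'OK' }
        else                              { $status = 'Mismatch' }

        [pscustomobject]@{
            Name     = $name
            Expected = $Want[$name]
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-WanScalerRegistry | Format-Table -AutoSize
```

A `Missing` row for `EnableForSecureIca` is worth separating from a `Mismatch`, since the slide gives 0 as the XenApp default.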

  21. Turbocharging Access Gateway

  22. What Is It • Accelerate Access Gateway traffic to data center resources • The Access Gateway and Repeater Plug-ins coexist on the user’s device [Diagram labels: Remote User with Access Gateway Plug-in and Repeater Plug-in; Wide Area Network; Firewall; Access Gateway; Repeater; Data Center with XenApp, XenDesktop, SharePoint Server, File Server]

  23. Accelerating ICA Proxy Mode in Access Gateway with a Citrix Branch Repeater Appliance

  24. What Is It • Optimize ICA across all users in a branch location • Repeaters establish SSL tunnel to secure ICA traffic • Repeater must be on the external facing side of the AG • NOTE: Repeater is not a hardened security device! [Diagram labels: User Devices; Repeater; Wide Area Network; Repeater; Firewall; Access Gateway; Firewall; Web Interface; Server Farm; "Installed Behind The Access Gateway"; "Connected Using Citrix online plug-ins"; Published Applications; XML Service; Secure Ticket Authority]

  25. Requirements • Access Gateway • Repeater 5.7 or later • Branch Repeater w/Windows 3.0 or later • Branch Repeater Crypto License • Repeater SSL features enabled and configured

  26. SSL Optimization

  27. What Is It • Compressed and optimized SSL traffic [Diagram labels: Accelerated SSL Connection; SSL Signaling Connection; SSL Data Connection; Client to Server Connection; WAN SSL Tunnel; Client Side SSL Connection; Server Side SSL Connection; XenApp, XenDesktop, SharePoint Server]

  28. BR SSL Modes • SSL Split Proxy Mode • SSL Transparent Proxy Mode [Diagram labels: Server’s Private Keys (Public and Private Keys); Servers’ Credential (Certificate and Public Keys); SSL Signaling Connection; SSL Data Connection; XenApp, XenDesktop, SharePoint Server] Notes shown on the slide, in slide order: * Supports true client auth. * Does not support Temp RSA and Diffie-Hellman * Supports Temp RSA and Diffie-Hellman * True client auth. not supported

  29. Basic Installation Steps • Install crypto license(s) • Enable SSL features • Acquire and install certs and keys • Configure and establish SSL Peer connectivity • Configure and enable SSL Profile • Configure SSL service class policy

  30. Verifying SSL Peer: SSL Peer/Tunneling Connection • SSL Peer must show Connected Available and Secure as True or Yes [Screenshots: Repeater (Linux); Citrix Branch Repeater with Windows Server]

  31. Verifying SSL Peer: Troubleshooting SSL Peer/Tunneling Connection • If Secure column is not “Yes” or “True”, change signature to “None” for testing only.

  32. Verifying SSL Connection: Acceleration/Compression of SSL connection • SSL connection must show SSL Proxy as Yes • Compression Ratio greater than 1:1 [Screenshots: Repeater (Linux); Citrix Branch Repeater with Windows Server]

  33. SSL Configuration Troubleshooting • Server certs on server-side Repeater (i.e. AG, servers...) • Service class policies (HTTPS / ICA) • Root and Intermediate CA certs: CA Root and Intermediates (for the corresponding server) must all be concatenated

  34. Important Points • SSL Key Store password required • SSL Compression: All Repeaters or none • Encrypted Disk • Plug-in’s compression history is not encrypted on the client

  35. KB References • SSL • CTX128877 - Branch Repeater Crypto License • CTX128920 - How to Configure and Enable the SSL Features and Set Up the SSL Peer Connection on the Citrix Repeater / Branch Repeater [Linux appliances] • CTX128919 - How to Configure and Enable the SSL Features and Set Up the SSL Peer Connection on the Citrix Branch Repeater with Windows Server • CTX127284 - How to Set up an SSL Peer Connection between a Repeater Appliance and a Repeater Plug-in • CTX128928 - How to Configure Repeater SSL for Accelerating and Compressing SSL Traffic • CTX126301 - How to Accelerate the ICA Proxy Mode in Access Gateway with a Citrix Branch Repeater Appliance • CTX128536 - SSL Peer Connection Issue between Two Linux Repeater Appliances - Status: Waiting to connect

  36. KB References Cont… • Turbocharging Access Gateway • CTX121035 - Turbocharge Access Gateway Deployment Guide and Reference Architecture • WCCP • CTX123466 - How to configure the Citrix Repeater Appliance to Work with various WCCP Routers • CTX128537 - FAQ: WCCP Configuration in Multi-Router WAN Networks • High Availability • CTX128774 - Repeater SSL Certificate - Certificate Common Name Invalid • Group Mode • CTX120397 - Repeater Group Mode and High Availability Mode support for 4-port appliances • ICA • CTX120484 - Repeater's ICA Connections did not Successfully Negotiate ICA Acceleration

  37. Before you leave… • Session surveys are available online at www.citrixsummit.com starting Thursday, May 26 • Provide your feedback and pick up a complimentary gift at the registration desk • Download presentations starting Friday, June 3, from your My Organizer Tool located in your My Synergy Microsite event account

  38. Questions?
