As users of Azure RemoteApp, we needed a replacement because the product is being retired, and I was tasked with finding one.

We used the service primarily as a remote access solution, allowing users to RDP to their desktops (assuming they were turned on).

The replacement recommended by Azure is Citrix XenApp Express, a cloud-only version of XenApp. We trialed it internally and vetoed it almost immediately after deployment because it lacked two-factor authentication, which I consider a huge oversight. Views on this will vary from company to company, but I believe ALL externally facing applications should be protected by two-factor authentication; relying on a username and password alone is simply not good enough.

I decided to take a look at the NetScaler VPX appliance. It is available in the Azure Marketplace and can be deployed to any ARM environment.

Pros

  • Clientless access (although you need the Microsoft Remote Desktop (terminal services) client installed: it is native on Windows, but you need to install it on Mac OS X, Android, etc.)
  • Works on every device I’ve tried, including iPhone, Android tablets and Mac OS X.
  • Much cheaper than RemoteApp. A NetScaler VPX Enterprise license (required for the RDP Proxy feature) with 200 Mbps throughput is roughly £8,000 per year plus Azure VM costs; we were spending circa £15,000 for 200 or so users.
  • Good user experience: the web portal is fairly straightforward.
  • Performant: test users report their desktops are much more responsive than when RDP was published over RemoteApp.
  • Feature rich: supports web bookmarks, load balancing and DDoS protection.

Cons

  • I wouldn’t say NetScaler VPX is very intuitive to administer or configure, and I think that is more than just a lack of familiarity with the system.
  • IaaS: you need to maintain the system yourself, patch it, and make sure it is configured correctly.
  • Supports any authentication method you can think of. We are using RADIUS in conjunction with the Microsoft Multi-Factor Authentication Server.

The system is still being trialed by our IT department, but so far it has proved very good.


I’ve spent a lot of time on F5s over the last few weeks as we’re implementing them in a new data center design. Route domain functionality is being used to provide load balancing services to both our Extranet/DMZ environments and the LAN. While good practice would usually dictate that these live on separate devices, route domains allow you to carve a single appliance into virtual areas whose traffic is completely isolated from one another. Bear in mind that the isolation is of forwarding and routing tables only: the management interface, administrator credentials and patch level are shared by every route domain on the box.

One aspect of this scenario that has troubled me a little has been getting dynamic routing working on each of these route domains: there isn’t a great deal of example configuration around, and F5’s own documentation doesn’t offer much on how you actually set it all up. Dynamic routing on multiple route domains is new as of LTM/TMOS 11.2.0.

In reality the config is very simple, but finding out where and what to add proved difficult.

Assuming you have a partition called LAN and within it a route domain with ID 1, the following is required.

VERY IMPORTANT: on the self IP of the VLAN/interface that you want to participate in OSPF, make sure the port lockdown setting allows OSPF (IP protocol 89). I ended up creating a custom (Allow Custom) list that permits OSPF; the ‘Allow All’ and ‘Allow Default’ settings will also permit it, but ‘Allow All’ exposes every service TMM listens on through that self IP, so a custom list containing only what you need is the least-privilege choice, particularly on a DMZ-facing VLAN. Weirdly, the default state of ‘Allow None’ will sometimes permit FULL OSPF adjacencies to form, but with odd behaviour: routes show up in the OSPF database but are never added to the route table of the route domain. On the Cisco end I frequently saw neighbors stuck in EXSTART or EXCHANGE state.

To edit route domain 1, from the CLI run “imish -r 1” (where 1 is the route domain ID).

Enter configuration mode by typing ‘conf t’.

The following is an example that will form an adjacency with a Cisco switch.

interface /LAN/LANTrunk
ip ospf priority 0
!
router ospf 1
redistribute kernel
network 192.168.0.0 0.0.0.255 area 10

A priority of 0 means your F5 is never eligible to become the DR or BDR; this may or may not be preferable on your network.

‘redistribute kernel’ will advertise any live VIPs from the active F5 node (if the F5s are in a cluster). Two caveats: a virtual address only becomes a kernel route when Route Advertisement is enabled on it, and ‘redistribute kernel’ also picks up any TMOS static routes in that route domain, so attach a route-map if you only want VIP host routes leaving the box.
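The whole procedure end to end, as an added example that is not from the original post: the tmsh commands that create the route domain, enable OSPF on it (the step that actually starts ospfd for that domain), lock the self IP down to OSPF only, and enable route advertisement on a virtual address, followed by the imish configuration from above extended with a route-map so that only VIP host routes are redistributed. The partition and VLAN names (/LAN/LAN, /LAN/LANTrunk, lan_self), the addresses (192.168.0.5, 10.200.0.0/24, 10.200.0.50) and the prefix-list/route-map names are assumptions for illustration; ‘ospf:any’ is the tmsh token for the OSPF entry of a port-lockdown list.

```tmsh
# --- TMOS side (tmsh). Assumed: partition LAN and VLAN /LAN/LANTrunk already exist.
# Route domain IDs are appended to addresses as %<id>.

# 1. Route domain 1 in partition LAN. 'routing-protocol add { OSPF }' is what
#    starts ospfd for this domain; without it 'imish -r 1' has no OSPF to configure.
create net route-domain /LAN/LAN id 1 vlans add { /LAN/LANTrunk } routing-protocol add { OSPF }

# 2. Non-floating self IP on the OSPF VLAN with port lockdown restricted to OSPF
#    (Allow Custom). Do not use 'allow-service all' on a DMZ-facing self IP: it
#    exposes every service TMM listens on. 'default' also includes ospf:any, but
#    adds SSH, HTTPS, SNMP, DNS and iQuery as well.
create net self /LAN/lan_self address 192.168.0.5%1/24 vlan /LAN/LANTrunk allow-service replace-all-with { ospf:any }

# 3. Once a virtual server using 10.200.0.50%1 exists, its virtual address only
#    appears as a kernel route (and so in 'redistribute kernel') with this enabled.
modify ltm virtual-address /LAN/10.200.0.50%1 route-advertisement enabled

save sys config

# --- ZebOS side: 'imish -r 1', then 'conf t' ---
! Interface name as given in the post; confirm with 'show interface' inside imish.
interface /LAN/LANTrunk
 ip ospf priority 0
!
! Only /32 host routes inside the VIP range (advertised virtual addresses) are
! redistributed. TMOS static routes in this domain are also kernel routes and
! would otherwise leak into OSPF too.
ip prefix-list VIPS seq 10 permit 10.200.0.0/24 ge 32
!
route-map KERNEL_TO_OSPF permit 10
 match ip address prefix-list VIPS
!
router ospf 1
 redistribute kernel route-map KERNEL_TO_OSPF
 network 192.168.0.0 0.0.0.255 area 10
!
end
write
```

To check the result from the BIG-IP shell, ‘imish -r 1 -e "show ip ospf neighbor"’ should list the Cisco neighbor in FULL state and ‘imish -r 1 -e "show ip route ospf"’ the routes learned into route domain 1; on the Cisco side, ‘show ip route ospf’ should contain the 10.200.0.x/32 entries and nothing else from the F5.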