Tuesday, September 20, 2022

How to Set up Citrix WEM (HA) with a SQL DAG Tied into a NetScaler

 

SUMMARY

This blog will go over the steps needed for setting up a Citrix WEM load-balancing setup. It will consist of NetScaler ADC, SQL DAG, 2 WEM servers.

In my opinion, WEM is a straightforward UEM tool to set up. There are some excellent blogs out there that will show you how to do this. In this blog, I wanted to list all the details around the NetScaler, Setting up a Windows Cluster for the SQL DAG/BAG. I am not a SQL guy, and I am following some links online to get me past the SQL part. My SQL setup, again, is based on what I read and understood. The concept here shows you how to do the WEM in an AG tied into a NetScaler for Load Balancing. I know that I may have some non-enterprise steps on the SQL part. Again, the point is to help show you how WEM can be deployed in an AG with a NetScaler.

Not to get off on a tangent on slow logins!!

But in every environment I work in, there is one thing I commonly see: tons of GPP with login scripts, drive mappings, item-level targeting, and WMI filters. The same question arises, “why are my logins slow?”

I tell them all the same thing, which is… the first problem is that you are using a legacy approach in a CVAD GPP space. To be honest, some don’t understand, and some do. But because they have years of GPP settings, it may present a risk of moving them, and some just close the door on the idea altogether, thinking there must be other ways. Some throw top-of-the-tier hardware into the environment, thinking it will solve the login problems, which does to a point, but not as they thought. Some will think moving to a Container Profile solution will solve the issues (and it helps…some). Some businesses see it as adding a more complex setup or another troubleshooting aspect, then just don’t want to deal with it. Yea, ok, I can understand that.

In 80% of the environments I have been in, most of the time, they have no UEM tools in place, or they have them and don’t know how to use them properly, or they have business cases around not using them in a complex environment as it never worked. I have been in many debates over this concept. Hours of conversations on why I would use WEM or AppSense (another example).

Now I know some will be reading this thinking…”Ray, you don’t need WEM or any UEM tool.” Yea, you are correct. You don’t need anything like this. But GPP, in my humble opinion, even with asynchronous logins, is a Virtual/Virtual Desktop login killer. Ok, enough said, you get the concept.

WEM Blogs on settings
Here are some great WEM blogs on the product to read. Both gentlemen are humble and will go out of their way to help you and provide valuable help.

Deyda

WEM Administration Console – Part 1 (Actions, Filters & Assignments) – Deyda.net

WEM Administration Console – Part 2 (System Optimization, Policies & Profiles and Security) – Deyda.net

James Kindon

The Evolution of Citrix Workspace Environment Management Service (jkindon.com)

WEM Advanced Guidance – Part 1 | BLOGS (mycugc.org)

WEM Advanced Guidance–Part 2: User Interaction | BLOGS (mycugc.org)

WEM Advanced Guidance Part 3-The Leftovers: Good, Bad, Ugly | BLOGS (mycugc.org)

SQL AG links
At the time of writing up this blog, to understand the AG setup, I used this as a reference for a SQL Always on Availability group. You will need to install Failover cluster manager on the SQL Nodes, SQL itself. This will require an IP address as well for each part.

SQL Server AlwaysOn Step by Step Setup – Introduction to SQL (peruzal.com)

I used parts of this as well:

Carl Webster | The Accidental Citrix Admin

I also used this to help me get the Basic AG setup for WEM:

Citrix Workspace Environment Management (WEM) 1906 and SQL BAG – (arnaudpain.com)

Steps for Installing SQL Server AlwaysOn Availability Groups – SQLRx

Architecture
The goal here is to have WEM setup in a SQL AG with NetScaler.

Inventory
My lab consists of the following servers.

  1. Nutanix AHV CE running on a Dell PowerEdge R630 with 28 Cores and 256GB of Ram. I have 6TB or SSD (Jbod) allow the Nutanix Distributed storage Fabric works its magic.
    1. SQL is running on this
    1. NetScaler VPX is running on this.
  2. VMware vCenter7 with ESXi 7 running on a SuperMicro E300-8D with 8 cores and 128GB or Ram. It has a two SSD drives total of 500GB of Storage.
    1. WEM servers is running on this
  3. Windows Server 2022 with SQL 2019 Developer mode
    • LABSQL02 – 10.1001.17
    • LABSQL03 – 10.100.1.18
  4. Cluster Manager Name
    • WEMLB for the MSCS name (The name can be anything you would like to help indefinitely your Microsoft Cluster name)
    • WEMLB – 10.100.1.15
  1. SQL Listener Name for the WEM connection DB String
    • SQLAG for the AG listener
    • SQLAG – 10.100.1.16
  2. Citrix WEM Servers Running on Server 2022
    • WEM01 – 10.100.1.13
    • WEM02 – 10.100.1.14
  3. NetScaler running on 13.0.85.19
    • NetScaler ADC VIP
    • Web Server name for DNS and ports
    • WEMVIP – 10.100.1.20

You will need a SPN.  A SPN is needed to do the load balancing that will take effect soon. When the Broker server boots, the Citrix WEM service will start and provide a computer Kerberos ticket, asking AD to validate this ticket. That’s why Citrix WEM SPN must be appropriately configured with a known AD account.

setspn -U -S Norskale/BrokerService "sawem"

Remember this is used for “Use Windows authentication for infrastructure service database connection” in an LB state.

The SA account will need to maintain DB connectivity in the screenshot above. SPN is needed to be set up for the SA account you used to maintain SQL connections.

To set up the Citrix WEM empty database, I followed this. Now, there may be better ways to achieve this. I am not a SQL guy by any means. So, I followed these to get it going:

Citrix Workspace Environment Management (WEM) 1906 and SQL BAG – (arnaudpain.com)

Citrix Workspace Environment Manager (WEM) and SQL Availability Groups – Database Master Key Issue | BLOGS (mycugc.org)

On my primary WEM01 Server, I needed the SQLAG to respond to I could input the information in SQLAG (listener name) when connecting/creating the DB that tI will make in SQL, then when I run through the WEM wizard (to create DB wizard in WEM) it will use the SQL AG Listener. After looking at the two links above. I decided to do the following:

  • On my WEM01, create a host file pointing to what will be the SQL Ag name.
  • The SQL AG name will be the SQLLAB02 server IP address
  • Go into WEM, setup the DB, and make the connection
  • Verify in SQL.
  • Setup the AG in SQL
  • Remove the Host FileUpdate DNS (that was the previous HOST File). That way, WEM would just see a DNS name and resume the connection from the DNS alias.

Now, install the WEM infrastructure setup, then open the “WEM database Management Utility.”

I opened the Host file and put a record on the WEM01 server to talk directly to the SQLDB02 server.

Note, for my lab. I left the defaults for the data and Log file. I would not do this in a live setup. Typically, you have SQL logs on a Drive and SQL Data on another drive. Depending on the SQL Administrator or the client/company polices.

C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\CitrixWEMLab

C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\CitrixWEMLAB_log

In this case, the Integration connection does not have access to SQL. I am simulating a setup that I am about to go through in an environment. The DBA will input a set of creds in instead.

I used the SA account, this is not required but is what I used during the time.

  1. Add the Citrix WEM Admin group.
  2. Add the SPN account we created either that will be used to serve the connection to the DB.
  3. Then set the vuemUser SQL account password. This is needed for a SQL AG setup
    1. You must set the vuemUser SQL user account password if you intend to deploy the Workspace Environment Management database in an SQL Server Always On availability group.
    1. If you set the password here, remember to specify the same password when you configure the infrastructure service.

Note: The service account must be in the local Administrators group on the Broker server(s). When the database security option is selected, the database expects the infrastructure service to connect to it using a Windows account. The Windows account you choose must not already have a login on the SQL instance. In other words, you cannot use the same Windows account to run the infrastructure service as you used to create the database.

Create DB:

Created.

Verified information on SQL Server.

Now we will need to create the Availability group and sync the DB to the second Server. This is where we will add the AG listener IP and then can do away with the host file created earlier as well.

You will need to perform A full backup first of the DB first to create the AG with the database.

I left the defaults, and you would want to put it on a SAN/NAS like a Exagrid or data domain. Depending on your SQL backup requirements.

Click ok to start the backup.

Now right click on Always On High availability option, and select “new Availability Group Wizard.”

Create a new AG.

Give it a name.

Select the “WEMLAB” name.  Click the password box and input the vuemuse password:
Database Master Keys and Availability Groups – Jonathan Kehayias (sqlskills.com)

Add the Replica.

Add the Listener.
(Note: I will add this to DNS now.)

For this, I was not 100% sure. So, I put it on a File Share. I would recommend you work with a DBA to determine what is the best option is on this. Or if you are the guy, research it and understand it a bit more.

I used a \\IP address, as it is my lab. I don’t do this in a prod setup. I had to add the SQL Servers for the NTFS share as well. Again, no SQL guy but this was something I did in my lab only.

Now as you can see the AG is setup for this test.

Event log on both servers.

  1. Always On Availability Groups connection with primary database established for secondary database ‘WEMDB’ on the availability replica ‘LABSQL02’ with Replica ID: {cc5a375a-60d3-4ed2-9bf1-a53eedc6b43b}. This is an informational message only. No user action is required.
  2. Always On Availability Groups connection with secondary database established for primary database ‘WEMDB’ on the availability replica ‘LABSQL03’ with Replica ID: {4e84754b-ea72-424c-85d3-a3424eb65f35}. This is an informational message only. No user action is required.

Now at this part I ran this to syn the permissions between the two servers. But first you will need to import the DBA Tools. I am sure there are other ways to do this. As in the links above I included from other folks.

  1. Open PowerShell Install-Module dbatools
    • After getting them installed run these commands
    • Copy-DbaLogin -source SQLServer -Destination SQLServer

Now let’s go back to the WEM01 Server and remove the Host file, along with Adding the SQLAG DNS name in DNS in order for the WEM01 server to pick backup on the connection.

Added in DNS:

Host file removed.

Bring up the WEM Infrastructure Service Config to check things.

Save Configuration and it will restart the Infrastructure Service.

Open the WEM Console and connect to make sure it will still connect to the Database.

Loading and connecting:

It’s connected.

The next test will be to make some configuration changes. Then Fail it over to LABSQL03 to make sure the AG is working like it should. Once we confirm that, we will move on to the NetScaler part.

I just set the basic things, such as Enable CPU spike protection, Fast log off, and Multi session optimization in the GUI.

Now let’s jump back on the Primary LABSQL02 server and fail it over.

Looks good so far.

Check WEM console and make sure the changes is there still. I closed the Console and will reconnect to show you.

Ok, all good. Now I will go to the Second WEM02 (Server) and add the connection details.

Bring up the WEM Infrastructure Service Config to check things:

Save Configuration and it will restart the Infrastructure Service.

That concludes the SQL AG part. Not too bad, huh? Now the NetScaler LB part.

I get lots of questions about NetScaler setup, around how well I know it, what can I do with it. I have worked with NetScaler for about seven years now. I have done some nice things with it. But let’s face it, I don’t know it all and I learn based on other Citrix/Network guys on blogs, Googling, or videos.

Most of my NetScaler work has been setting them up from scratch (on which I have notes-as I can’t remember all the details at times), locking them down, SSL profiles, cert configurations, networking aspect of it for the most part, Citrix Gateway side, responders, rewrites, load balancing types, AAA (nFactor with FAS) and upgrades with and without ADM. I feel like I have a lot more to learn in this space. But as times goes on, we develop more skills.

I am no master by any means, but I do ok in this space. Yes, I use Google as well. Nothing wrong with saying that. Better to be humble in my opinion and know what you can and can’t do. Google is no different than 20 years or more ago, by picking up books and looking for the answer. This is our book now, it’s just digital 😊

I will take the approach and do it via CLI instead of the GUI. I find it faster and easier at times. If you want to see the GUI parts I will leave some links on other blogs that will help you.

How to configure Citrix Workspace Environment Management 4.x for Virtual Apps and Desktops – XenApp or XenDesktop, including NetScaler Broker Load Balancing | christiaanbrinkhoff.com – Sharing Cloud and Virtualization Knowledge

Load balancing with Citrix ADC | Workspace Environment Management 2206

Load Balance Citrix Workspace Environment Manager (WEM) with Citrix ADC 11.x/12.x – David Wilkinson

Note: the WEM01 and WEM02 is a filler and the actual servers’ names need to be added for this.

  • Enable ns feature LB:
  • ## WEM Broker Servers###

Add server WEM01 10.100.1.13
Add server WEM02 10.100.1.14

## WEM Service Groups

  • Add serviceGroup “Name” TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
  • Add serviceGroup CTX-WEM-BrokerAdmin_WEM01_WEM02 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
  • Add serviceGroup CTX_WEM_Agent_Cache_Sync_WEM01_WEM02 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
  • Add serviceGroup CTX_WEM_Agent_Service_WEM01_WEM02 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
  • Add serviceGroup CTX_WEM_Agent_CacheData_Synchronization_WEM01_WEM02 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
  • Add serviceGroup CTX_WEM_Monitoring_Port_WEM01_WEM02 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO

## Bind Service Group Members to Service Groups

  • bind servicegroup “name” “server” “port
  • bind servicegroup CTX-WEM-BrokerAdmin_WEM01_WEM02 WEM01 8284
  • bind servicegroup CTX-WEM-BrokerAdmin_WEM01_WEM02 WEM02 8284
  • bind servicegroup CTX_WEM_Agent_Cache_Sync_WEM01_WEM02 WEM01 8285
  • bind servicegroup CTX_WEM_Agent_Cache_Sync_WEM01_WEM02 WEM02 8285
  • bind servicegroup CTX_WEM_Agent_CacheData_Synchronization_WEM01_WEM02 WEM01 8288
  • bind servicegroup CTX_WEM_Agent_CacheData_Synchronization_WEM01_WEM02 WEM02 8288
  • bind servicegroup CTX_WEM_Agent_Service_WEM01_WEM02 WEM01 8286
  • bind servicegroup CTX_WEM_Agent_Service_WEM01_WEM02 WEM02 8286
  • bind servicegroup CTX_WEM_Monitoring_Port_WEM01_WEM02 WEM01 8287
  • bind servicegroup CTX_WEM_Monitoring_Port_WEM01_WEM02 WEM02 8287

## Create WEM VIP

  • add lb vserver “name” “protcol” “IP” -persistenceType NONE -cltTimeout 9000
  • add lb vserver CTX-WEM-BrokerAdmin_WEM01_WEM02 TCP 10.100.1.20 8284 -persistenceType NONE -cltTimeout 9000
  • add lb vserver CTX_WEM_Agent_Cache_Sync_WEM01_WEM02 TCP 10.100.1.20 8285 -persistenceType NONE -cltTimeout 9000
  • add lb vserver CTX_WEM_Agent_CacheData_Synchronization_WEM01_WEM02 TCP 10.100.1.20 8288 -persistenceType NONE -cltTimeout 9000
  • add lb vserver CTX_WEM_Agent_Service_WEM01_WEM02 TCP 10.100.1.20 8286 -persistenceType NONE -cltTimeout 9000
  • add lb vserver CTX_WEM_Monitoring_Port_WEM01_WEM02 TCP 10.100.1.20 8287 -persistenceType NONE -cltTimeout 9000

## Bind Service Groups to VIP

  • bind lb vserver “LBVIP Name” “svcgrp name”
  • bind lb vserver CTX-WEM-BrokerAdmin_WEM01_WEM02 CTX-WEM-BrokerAdmin_WEM01_WEM02
  • bind lb vserver CTX_WEM_Agent_Cache_Sync_WEM01_WEM02 CTX_WEM_Agent_Cache_Sync_WEM01_WEM02
  • bind lb vserver CTX_WEM_Agent_Service_WEM01_WEM02 CTX_WEM_Agent_Service_WEM01_WEM02
  • bind lb vserver CTX_WEM_Agent_CacheData_Synchronization_WEM01_WEM02 CTX_WEM_Agent_CacheData_Synchronization_WEM01_WEM02
  • bind lb vserver CTX_WEM_Monitoring_Port_WEM01_WEM02 CTX_WEM_Monitoring_Port_WEM01_WEM02

Now we can login and check the GUI to see.

As I was checking things, I noticed 8285 was red. I had the older port added in and totally forgot Citrix did away with it now. Going back and looking at the port in the WEM DB connection details shows the port isn’t  needed.

8284“Administration port”. Port on which the administration console connects to the infrastructure service.
8286“Agent service port”. Port on which the agent connects to the infrastructure server.
8285 (NOT NEEDED)“Cache synchronization port”. Applicable to Workspace Environment Management 1909 and earlier; replaced by Cached data synchronization port in Workspace Environment Management 1912 and later. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server
8288“Cached data synchronization port”. Applicable to Workspace Environment Management 1912 and later; replaces Cache synchronization port of Workspace Environment Management 1909 and earlier. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server.
8287“WEM monitoring port”. Listening port on the infrastructure server used by the monitoring service.

I will remove that unused port being this setup is new and it’s on 2203 at this time of making the blog.

Next, I will add a DNS Load balancing name for the Agents to hit the VIP.

Now I will connect to the WEM02 Server and just make sure it connects to the DB.

Loaded and basic settings I set before are there.

Now I will check the WEMVIP and see if it can connect.

Connected.

At the time of writing this, I was using 2112 and I needed to upgrade to 2206. So, upgrading WEM isn’t hard, and I will take you through the quick steps here that has the AG and NetScaler part involved. More of a summary.

Infrastructure services

Database

The database upgrade process is not reversible. Ensure that you have a valid database backup before launching the upgrade process.

Reconfiguring the infrastructure services

Administration console

Now I go and do the same steps on the Second WEM server.

The only difference is the Database is upgrading already. If you try to run the “upgrade Database” again. You will get an upgrade error. Because it is already upgraded.

As a quick test I added another system Optimization to make sure the DB is in sync. On my wem02 server I added this:

Logged into the WEM01 server and connected to the WEMVIP DNS name.

Agent

Or GPO.

Leave on the C Drive.

Log back into the console. As you can see here, my PVS master image is reporting as it should.

To show the Load balance working we can view the LB virtual server statics in the NetScaler page. As you can see here the traffic is hitting the 8286 vServer and 10.100.1.14 is sending the request to the Agent. This is just a quick peek into 8286 port and to show a basic overview of the traffic pattern.

I will disable the Server, and then perform a WEM cache refresh to show the traffic go to the other server.

The WEM02 server is disabled.

After refreshing the WEM cache on the Agent, you can see there that the traffic hit the other node behind the vServer.

For now, that concludes the article and I hope it helps someone out. As always thank you.

No comments:

Post a Comment