For this I used both Merchandising server 2.0 and 2.1 along with Receiver 2.0 and 2.1.
Configure the Merchandising Server
- Download and import the Merchandising Server (8GB HD space required)
- Configure with IP, subnet, etc. and install the latest XenServer tools. Use receiver.yourfqdn as the hostname
- Open https://ipaddress/appliance
- Log in as root with the default password (found in the Citrix eDocs; note this is different from the Unix password you configured from the console)
- Configure Active Directory
- Source Name = your call
- Server Address = IP address to DC
- Server port = 389 or 3268
- Bind DN = user account to sync LDAP (e.g. ldap@here.contoso.com)
- Bind Password = the password to the LDAP account
- Base DN = your base DN (e.g. DC=here,DC=contoso,DC=com)
- Save (if it errors you did it wrong)
- Permissions
- In the search users box type your domain user first or last name (username will result in nothing)
- Select the radio button and click Edit
- Change to Admin
- Repeat for all other admins
- Log off
- Enter a DNS record for "receiver" pointing to the Merchandising Server IP address
- Point your browser to https://receiver/appliance
- Log on as your newly configured admin account. Note that you'll need to use domain\username for now
- Go to configurations - options
- Enter your support desk email, website, phone as desired. Ensure you select Token Expiration of Never (it is unknown to me at this time whether, if you set it to expire, the end clients will update automatically or whether it will just break).
- Enter the default domain name desired (note that this will fix the need for using the domain\username format)
- Save
- Go to configurations - Authentication
- Click Generate Token (needed for the anonymous access)
- Click Save
- Now we need to generate an SSL cert. Since most intermediaries now require all SSL certs to be generated with 2048-bit keys or higher, you won't be able to use the CMS built-in cert request, as it only generates at 1024. I used IIS7 for this.
- Open IIS manager
- On the server find Server Certificates
- Click Create Certificate Request
- Common name = receiver.ncgi.com
- Fill out the rest of the request and generate the CSR
- Copy the contents of the CSR and generate a cert (I used GoDaddy)
- Download the completed cert
- In IIS7 select the cert and click "Complete Certificate Request"
- Once finished select the cert and click export
- enter a location and password
- Download and install openssl http://www.openssl.org/related/binaries.html
- Convert the new cert from pfx format to pem using openssl
- open command prompt and navigate to where you installed openssl (default is C:\openssl\bin)
- openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\receiver.pem -nodes
- Enter the password you gave it when you exported it.
- Now that we have a cert in the proper format we can import it to the receiver. Go to configuration - SSL certificate management
- Change the drop down to "import certificate from a certificate authority"
- For "Public Certificate File" browse to the newly created pem file
- For "Private Key File" browse to the newly created pem file
- Enter the password
- Submit
- The CMS will reboot at this point. When it comes back up you'll notice that you don't get a cert warning anymore (provided everything was done right).
- Dedicate an external IP address and map the external address to your internal address at your firewall. You'll need port 443 open obviously.
- Get the A-records mapped externally for receiver.fqdn to point to your external address if you haven't already
- under plug-ins click Get new
- select a plug-in that you want and click Download to server
- under Deliveries click Create/Edit
- Create
- Delivery Name = Default
- Check mark default delivery
- enter how often to check for updates
- Add a plug-in to push as the default package
- Set the schedule for Deliver Now
- Click Schedule
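Before converting the IIS export with openssl in the certificate steps above, it is worth confirming that the PFX actually carries a private key, an RSA key of at least 2048 bits and the common name entered in the request. The PowerShell below is an added example, not part of the original post or of Citrix's tooling; the function name Test-ReceiverPfx is hypothetical, and the path and host name are the placeholders used in the steps above.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: Test-ReceiverPfx is a hypothetical helper, not a Citrix or IIS cmdlet.
function Test-ReceiverPfx {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $ExpectedHost,
        [int] $MinKeyBits = 2048
    )
    # Load the certificate from the file; it is not added to a certificate store.
    $cert = [X509Certificate2]::new($PfxPath, $Password)
    try {
        $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)   # $null when the key is not RSA
        $cn  = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
        $now = Get-Date
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'PFX holds no private key; export again with the key included' }
        if ($null -eq $rsa) { $problems += 'public key is not RSA' }
        elseif ($rsa.KeySize -lt $MinKeyBits) { $problems += "RSA key is $($rsa.KeySize) bits, below $MinKeyBits" }
        # -ne compares strings case-insensitively, which suits host names.
        if ($cn -ne $ExpectedHost) { $problems += "common name '$cn' does not match '$ExpectedHost'" }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            KeyBits    = if ($rsa) { $rsa.KeySize } else { $null }
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Problems   = $problems
            Ok         = ($problems.Count -eq 0)
        }
    }
    finally {
        if ($rsa) { $rsa.Dispose() }
        $cert.Dispose()
    }
}

# Placeholder path and host name; the password is prompted for, not stored in the script.
$result = Test-ReceiverPfx -PfxPath 'C:\certs\yourcert.pfx' `
    -Password (Read-Host 'PFX export password' -AsSecureString) `
    -ExpectedHost 'receiver.yourfqdn'
$result | Format-List
if (-not $result.Ok) { Write-Warning 'Fix the problems listed above before converting and importing.' }
```

Because the -nodes switch makes openssl write the private key unencrypted into receiver.pem, remove that file from the workstation once the import into the CMS has succeeded.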
Citrix has a tool available for packaging the receiver. It works very well. Unfortunately I don't like it because it forces you to package it alongside the Access Gateway client, which I don't necessarily want to push to all my workstations that will be using receiver. If you want to push that client as well then use this to package your receiver with the token.
Otherwise:
Here's an excellent tip on packaging the receiver. http://www.xenappblog.com/2010/receiver-asking-for-logon-information-after-msi-install/
Download the receiver msi from citrix.com. Then make your installation look like the below. Note that the token comes from the "Authentication" tab in the receiver. It's the token we generated way back on step 15.
start /wait msiexec /i "Receiver.msi" /qn ALLUSERS=1 REBOOT="ReallySuppress" SERVER_LOCATION=https://receiver.fqdn.com/appliance/services/applianceService VERBOSE=true AUTOUPDATE=true TOKEN=yourtoken
Alternatively you could use Orca to modify the msi.
New! Citrix has added a new page in their edocs regarding how to push the Citrix receiver and the switches available. You'll find it under Receiver for Windows - Installing Receiver for Windows.