NetScaler Gateway is the new name for the Citrix Access Gateway. Citrix changed the name because the access gateway is a feature of NetScaler. The NetScaler Gateway can be used for ICA Proxy. In NetScaler 11, Citrix also released the functionality to use the NetScaler as an RDP Proxy; the RDP Proxy is available with Enterprise and Platinum licensing. The NetScaler Gateway also supports secure browser-only access (CVPN). The NetScaler Gateway will most of the time be installed in the demilitarized zone, because its VIP will be reached from the Internet.
Session policies are applied after successful authentication. Based on the configuration in the session policy, the connected user gets to see the resources, for example, the StoreFront web page or a connection through VPN. A session policy always consists of two parts: the session policy and the session profile. The session profile defines what NetScaler needs to show; the session policy is the expression that needs to match in order to display what is configured in the session profile.
The session profile contains a lot of options and can handle multiple configurations, so we will explain the options based on screenshots.
The Citrix NetScaler Gateway session settings can be configured at the global level and in session policies. When settings are made at the global level, they apply to all available NetScaler Gateway virtual servers. Using session policies, we can define settings that differ per NetScaler Gateway virtual server. So, while creating a session profile / session policy, make sure that the Override Global option is selected for each setting you want to adjust for this particular policy.
The Network Configuration pane will not be used most of the time, so we will skip it here. Under the Client Experience pane, there are multiple settings that we can define; all of them are explained next. Some of these settings are necessary for ICA Proxy, and some are used for VPN. The available settings under the Client Experience pane are as follows:
OWA
In the Security pane, all that we need to do is make sure that the Default Authorization Action option is set to Allow. This ensures that the users are actually allowed to log in and access the resources. The Secure Browse option will be used in combination with Citrix XenMobile only. This option allows users to connect through NetScaler Gateway to network resources from iOS and Android mobile devices with Citrix Receiver. Users do not need to establish a full VPN tunnel to access the resources in the secure network. The Smartgroup option will be used for Endpoint Analysis (EPA). This option contains the group in which the user is placed when the session policy associated with this session action succeeds. The VPN session policy will do the post-auth EPA check, and if the check succeeds, the user will be placed in the group specified with Smartgroup.
Next, we have the Published Applications pane. This is where we enter the information needed to access our Citrix environment. The following are the settings:
https://<StoreFront/AppController URL>/Citrix/Roaming/Accounts
This requires that DNS be properly configured, because SRV DNS records need to be created, and it requires a wildcard certificate, or a certificate that contains discoverReceiver.domain in the Subject or Subject Alternative Name entry. For more information, refer to https://www.citrix.com/blogs/2013/04/01/configuring-email-based-account-discovery-for-citrix-receiver/.
After creating the session profiles, a session policy must also be created in order to bind the profile to a NetScaler Gateway virtual server. As we want all users to be bound to this policy, we use the ns_true general expression, as shown in the following screenshot:
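The certificate requirement above is easy to get wrong, so here is a small check for it. This is an added example and not code from the chapter or from Citrix: it computes the host name and SRV record that email-based account discovery relies on (discoverReceiver.<domain> and _citrixreceiver._tcp.<domain>, as described in the linked Citrix blog post) and tests whether a certificate's Subject CN or SAN entries cover that host, including the wildcard case. The certificate names are passed in as plain strings of constructed sample data rather than parsed from a real certificate.

```python
"""Check whether a certificate covers the host that Citrix Receiver email-based
account discovery resolves, and compute the matching SRV record name.
Added example with constructed sample data; not Citrix's own code."""

DISCOVERY_HOST_PREFIX = "discoverReceiver"   # host Receiver looks up for user@<domain>
SRV_SERVICE = "_citrixreceiver._tcp"         # SRV record Receiver queries first


def discovery_hostname(email_domain: str) -> str:
    """Host name Receiver resolves for an address in <email_domain>."""
    return f"{DISCOVERY_HOST_PREFIX}.{email_domain.lower()}"


def srv_record_name(email_domain: str) -> str:
    """SRV record name that must point at the NetScaler Gateway VIP."""
    return f"{SRV_SERVICE}.{email_domain.lower()}"


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact (case-insensitive) match, or a wildcard
    that covers exactly one leftmost label. '*.example.com' matches
    'discoverReceiver.example.com' but not 'discoverReceiver.corp.example.com'."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name == hostname:
        return True
    if cert_name.startswith("*."):
        first_label, _, parent = hostname.partition(".")
        return bool(first_label) and bool(parent) and parent == cert_name[2:]
    return False


def certificate_covers_discovery(subject_cn: str, sans: list, email_domain: str) -> bool:
    """True if the Subject CN or any SAN entry covers discoverReceiver.<domain>.
    Most current TLS clients ignore the CN once a SAN extension is present,
    so put the name in the SAN rather than relying on the CN."""
    host = discovery_hostname(email_domain)
    return any(name_matches(name, host) for name in [subject_cn, *sans])


# Constructed sample certificates (names only), not real certificates.
GATEWAY_CERT_OK = {"cn": "gateway.example.com",
                   "sans": ["gateway.example.com", "discoverReceiver.example.com"]}
GATEWAY_CERT_MISSING = {"cn": "gateway.example.com",
                        "sans": ["gateway.example.com"]}
WILDCARD_CERT = {"cn": "*.example.com", "sans": ["*.example.com"]}

if __name__ == "__main__":
    domain = "example.com"
    print("DNS SRV record to create:", srv_record_name(domain))
    print("host it must resolve  :", discovery_hostname(domain))
    for label, cert in [("ok", GATEWAY_CERT_OK), ("missing", GATEWAY_CERT_MISSING),
                        ("wildcard", WILDCARD_CERT)]:
        covered = certificate_covers_discovery(cert["cn"], cert["sans"], domain)
        print(f"{label:8s} certificate covers discovery host: {covered}")
```

Run it with the email domain your users sign in with; a sub-domain such as corp.example.com needs its own discoverReceiver.corp.example.com name, because a *.example.com wildcard does not span the extra label.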
After the session policies have been created, the NetScaler Gateway virtual server can be created. Follow these steps to create a NetScaler Gateway virtual server:
Fill in the correct information based on the following explanation:
VS_CAG_Server1
After these steps, we will have a fully configured NetScaler Gateway function on Citrix NetScaler. Citrix StoreFront needs to be configured as well in order to use pass-through authentication through the NetScaler Gateway.
Disable SSLv3 and enable TLS1.1 and TLS1.2 for security purposes. Also make sure that the RC4 SSL ciphers are removed. RC4 and SSLv3 are known to be insecure and need to be disabled right away.
If we wish to use the HTML5 Citrix Receiver, it's necessary to select the Enable WebSocket connections option in the HTTP profile in Citrix NetScaler.
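The protocol and cipher rule above is worth checking mechanically, both on the gateway's configuration and from the client side. The following is an added example, not code from the chapter or from Citrix: it audits a virtual server's settings against the rule (SSLv3 off, TLS1.1 and TLS1.2 on, no RC4) and builds a Python ssl client context that will refuse to negotiate anything weaker, which is handy when scripting checks against the gateway VIP. The dict layout and cipher names are constructed for this script; they are not the format of NetScaler's `show ssl vserver` output. The audit goes slightly beyond the text by also flagging NULL, export and MD5 ciphers.

```python
"""Audit SSL virtual server settings against the hardening rule in the text and
show the matching client-side policy with the ssl module.
Added example with a constructed configuration layout; not NetScaler's format."""

import ssl

REQUIRED_ON = ("TLSv1.1", "TLSv1.2")
REQUIRED_OFF = ("SSLv2", "SSLv3")
# RC4 is the cipher family named in the text; the others are well-known weak
# families added as a generalisation of the same rule.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXP", "MD5")


def audit_ssl_vserver(config: dict) -> list:
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    protocols = config.get("protocols", {})
    for proto in REQUIRED_OFF:
        if protocols.get(proto, False):
            findings.append(f"{config['name']}: {proto} is enabled; disable it")
    for proto in REQUIRED_ON:
        if not protocols.get(proto, False):
            findings.append(f"{config['name']}: {proto} is disabled; enable it")
    for cipher in config.get("ciphers", []):
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{config['name']}: weak cipher bound: {cipher}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that never offers RC4 and refuses servers below TLS1.2.
    The text enables TLS1.1 as well; a current client should still insist on 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("DEFAULT:!RC4:!MD5:!aNULL:!eNULL")
    return ctx


# Constructed sample virtual servers (vserver name taken from the chapter).
WEAK_VSERVER = {
    "name": "VS_CAG_Server1",
    "protocols": {"SSLv3": True, "TLSv1": True, "TLSv1.1": False, "TLSv1.2": False},
    "ciphers": ["RC4-SHA", "AES128-SHA"],
}
HARDENED_VSERVER = {
    "name": "VS_CAG_Server1",
    "protocols": {"SSLv3": False, "TLSv1": False, "TLSv1.1": True, "TLSv1.2": True},
    "ciphers": ["TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"],
}

if __name__ == "__main__":
    for cfg in (WEAK_VSERVER, HARDENED_VSERVER):
        findings = audit_ssl_vserver(cfg)
        print(cfg["name"], "->", findings or "compliant")
    offered = [c["name"] for c in hardened_client_context().get_ciphers()]
    print("client offers RC4:", any("RC4" in name for name in offered))
```

To use the client context against a live gateway, wrap a socket with `hardened_client_context().wrap_socket(sock, server_hostname=...)`; a handshake failure then tells you the VIP only speaks protocols or ciphers this policy rejects.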
To use Citrix StoreFront with the NetScaler Gateway, we need to create session policies on the NetScaler Gateway and configure Citrix StoreFront for pass-through authentication through it. We will start by creating session profiles / session policies on the NetScaler Gateway.
One of the benefits of the Citrix Receiver configuration with Citrix StoreFront is their integration with each other. The Citrix Receiver automatically detects whether the user is an internal or an external user. When it detects an external connection, it will connect through the NetScaler Gateway; otherwise, it will use the Citrix StoreFront authentication. This detection is done by the beacons configured in Citrix StoreFront; the beacons will be configured during the configuration of the Citrix Receiver.
Now it's time to configure the Citrix Receiver session policy and profile in the NetScaler Gateway.
Create a new session policy and go to the Client Experience pane. Change Clientless Access to Allow, change the Plug-in Type to Java, and enable Single Sign-on to Web Applications. If we are using two-factor authentication, we also need to change Credential Index to Secondary. As explained before, the Citrix Receiver authenticates in a different way; in order to support single sign-on, it's necessary to use the LDAP authentication for single sign-on.
Go to the Published Applications pane. Switch ICA Proxy to ON. Web Interface Address should be the StoreFront URL. Change Web Interface Address Type to IPv4, change Single Sign-on Domain to the AD or NDS domain name, and, at the least, fill in Account Services Address with the https://<StoreFront>/Citrix/Roaming/Accounts value.
After these settings, the session profile is done. Now it's time to create the session policy. The expression in this case is REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver.
The session policy is explained in this chapter, under the NetScaler Gateway section, Session policies.
Create a new session policy and go to the Client Experience pane. Change Clientless Access to ON and enable Single Sign-on to Web Applications.
Go to the Published Applications pane. Switch ICA Proxy to ON. Web Interface Address should be the StoreFront Receiver for Web URL. Change Web Interface Address Type to IPv4, and then change Single Sign-on Domain to the AD or NDS domain name.
After these settings, the session profile is done. Now it's time to create the session policy. The expression in this case is REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver.
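The three expressions used in this chapter (ns_true for the catch-all policy, and the CONTAINS / NOTCONTAINS User-Agent checks for the Receiver and Receiver for Web policies) decide which session profile a client ends up with, so it is worth seeing them evaluated side by side. The following is an added example and not NetScaler's policy engine or the chapter's own code: a minimal evaluator for just this subset of the classic expression syntax, run over constructed requests. Policy and profile names, the sample user-agent strings, and the assumption that a header name is looked up case-insensitively while the CONTAINS test is a plain substring match are all mine.

```python
"""Evaluate the classic session-policy expressions from this chapter against
sample requests to show which session profile each client would receive.
Added example; a toy evaluator, not NetScaler's implementation."""

import re

# Policies in bind (priority) order. Names and profiles are constructed.
POLICIES = [
    ("PL_Receiver", "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver", "profile_receiver"),
    ("PL_ReceiverForWeb", "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver", "profile_receiver_for_web"),
    ("PL_CatchAll", "ns_true", "profile_default"),
]

# Only the REQ.HTTP.HEADER <name> CONTAINS|NOTCONTAINS <value> form is supported here.
_HEADER_EXPR = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+(CONTAINS|NOTCONTAINS)\s+(\S+)$")


def evaluate(expression: str, headers: dict) -> bool:
    """Return True if the expression matches the request headers.
    Assumption: header names compare case-insensitively (as HTTP requires) and
    the CONTAINS test is a plain, case-sensitive substring match."""
    if expression == "ns_true":
        return True
    match = _HEADER_EXPR.match(expression)
    if not match:
        raise ValueError(f"unsupported expression: {expression}")
    name, op, needle = match.groups()
    value = next((v for k, v in headers.items() if k.lower() == name.lower()), "")
    found = needle in value
    return found if op == "CONTAINS" else not found


def select_profile(headers: dict, policies=POLICIES):
    """Return (policy name, profile) of the first policy that matches, in bind
    order, or (None, None) if nothing matches."""
    for name, expression, profile in policies:
        if evaluate(expression, headers):
            return name, profile
    return None, None


# Constructed sample requests; the user-agent strings are illustrative only.
RECEIVER_REQUEST = {"User-Agent": "CitrixReceiver/4.3 Windows"}
BROWSER_REQUEST = {"user-agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"}
NO_UA_REQUEST = {}  # a client that sends no User-Agent header at all

if __name__ == "__main__":
    for label, request in [("Receiver", RECEIVER_REQUEST),
                           ("Browser", BROWSER_REQUEST),
                           ("No User-Agent", NO_UA_REQUEST)]:
        print(f"{label:14s} -> {select_profile(request)}")
```

Note the third case: a request with no User-Agent header satisfies NOTCONTAINS and so lands on the Receiver for Web profile, not on the catch-all, which only matters if the two profiles grant different access.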
First, we need to add a gateway to StoreFront. This can be done from the GUI by navigating to StoreFront Administration Console | NetScaler Gateways. On the right-hand side here, click on Add NetScaler Gateway Appliance and then add the information as shown in the following screenshot:
Now for the final part in Citrix StoreFront: the configured NetScaler Gateway appliance needs to be connected to a particular Citrix StoreFront store for external authentication. Navigate to the Store menu and, on the right-hand side of the console, click on the Enable Remote Access button. Now, we have to specify whether the store will be available for external usage. The following are the settings:
As long as we don't need VPN tunnel support, we select No VPN Tunnel. We mark the Citrix NetScaler appliance that we added earlier. Propagate the changes to the other Citrix StoreFront servers if you have more than one.
Citrix NetScaler provides support to bind sessions, traffic, authorization, bookmarks, Intranet IP addresses, and Intranet applications based on groups. When the authentication policies are configured correctly, it's possible to extract Active Directory groups from the connecting users. If we want to bind an authorization policy to an Active Directory group, it's necessary to add the group in the NetScaler Gateway. This can be done in AAA Groups in the User Administration menu under the NetScaler Gateway pane. Please be aware that this group name must be exactly the same as the group name in Active Directory; it's case sensitive.
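Because the AAA group name has to match the Active Directory name exactly, a mismatch does not produce an error; the user simply never lands in the group and the bindings silently do not apply. The script below is an added example, not the chapter's or Citrix's code: it compares a list of AAA group names with a list of group names as extracted from Active Directory and separates exact matches from names that differ only in case or surrounding whitespace (the silent failures) and names with no counterpart at all. Both lists are constructed sample data; how the group names are obtained from AD (for instance from the group attribute of the LDAP authentication action) is outside this script.

```python
"""Compare AAA group names configured on NetScaler Gateway with the group names
extracted from Active Directory, reporting exact matches, case/whitespace-only
mismatches and unmatched names. Added example with constructed sample data."""


def compare_group_names(netscaler_groups, ad_groups):
    """Return a report dict with keys:
       'exact'         - names that match an AD group byte for byte
       'case_mismatch' - NetScaler name -> AD names that match only after
                         stripping whitespace and folding case (these fail on
                         the appliance because the comparison is case sensitive)
       'unmatched'     - NetScaler names with no AD counterpart at all"""
    ad_exact = set(ad_groups)
    ad_by_fold = {}
    for group in ad_groups:
        ad_by_fold.setdefault(group.strip().casefold(), []).append(group)

    report = {"exact": [], "case_mismatch": {}, "unmatched": []}
    for group in netscaler_groups:
        folded = group.strip().casefold()
        if group in ad_exact:
            report["exact"].append(group)
        elif folded in ad_by_fold:
            report["case_mismatch"][group] = ad_by_fold[folded]
        else:
            report["unmatched"].append(group)
    return report


# Constructed sample data: AAA groups on the appliance and groups seen in AD.
NETSCALER_AAA_GROUPS = ["Citrix_Users", "citrix_admins", "VPN Users ", "Contractors"]
AD_GROUPS = ["Citrix_Users", "Citrix_Admins", "VPN Users"]

if __name__ == "__main__":
    report = compare_group_names(NETSCALER_AAA_GROUPS, AD_GROUPS)
    for name in report["exact"]:
        print(f"OK       {name!r}")
    for name, candidates in report["case_mismatch"].items():
        print(f"MISMATCH {name!r} will never match; AD has {candidates}")
    for name in report["unmatched"]:
        print(f"MISSING  {name!r} has no Active Directory group")
```

The repr() in the output makes a trailing space visible, which is the kind of difference that is otherwise invisible in the NetScaler GUI.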