Mastering NetScaler VPX

By: Marius Sandbu, Andy Paul
Overview of this book

Citrix NetScaler is one of the best Application Delivery Controller products in the world. Application Delivery Controllers are commonly used for load balancing, to optimize traffic, and to apply additional security settings. This book will give you an insight into all the features that the Citrix NetScaler appliance has to offer. The book starts with the commonly used NetScaler VPX features, such as load balancing and NetScaler Gateway functionality. Next, we cover features such as Responder, Rewrite, and the AppExpert templates, and how to configure them. After that, you will learn more about the other Citrix technologies that can interact with Citrix NetScaler. We also cover troubleshooting, optimizing traffic, caching, protection using Application Firewall, and denying HTTP DDoS attacks against web services. Finally, we demonstrate the different configuration principles in real-world Citrix NetScaler deployment scenarios.

NetScaler Gateway™

NetScaler Gateway is the new name for the Citrix Access Gateway. Citrix changed the name because the Access Gateway is a feature of NetScaler. NetScaler Gateway can be used as an ICA Proxy. In NetScaler 11, Citrix also released the functionality to use NetScaler as an RDP Proxy; the RDP Proxy is available with Enterprise and Platinum licensing. NetScaler Gateway also supports secure browser-only access (clientless VPN, CVPN). NetScaler Gateway will most of the time be installed in the demilitarized zone, because its VIP will be reachable from the Internet.

Session policies

Session policies are applied after successful authentication. Based on the configuration in the session policy, the connected user gets to see the resources, for example, the StoreFront web page or a connection through VPN. A session policy always consists of two parts: the session policy and the session profile. The session profile defines what NetScaler presents to the user; the session policy contains the expression that must match for the settings in the session profile to be applied.

The session profile contains many options and can cover multiple configurations, so we will explain the options based on screenshots.

Tip

The Citrix NetScaler Gateway session settings can be configured on the global level and based on session policies. When settings are made on the global level, all configured settings will be set for all available NetScaler Gateway virtual servers. Using session policies, we can define settings that are different for every available NetScaler Gateway virtual server. So, while creating a session profile / session policy, make sure that the Override Global setting is selected to make adjustments for this particular setting.

The Network Configuration pane will not be used most of the time, so in this case, we will skip this part. Under the Client Experience pane, we have multiple settings that we can define. All of these settings will be explained next. Some of these settings are necessary for ICA Proxy, and some of them are used for VPN. The available settings under the Client Experience pane are as follows:

  • Home Page: This is used while connecting through a VPN setting. Configuring this setting will show the home page that is entered here.

  • URL for Web-Based Email: This setting is for users to log in to web-based e-mail solutions, for example, OWA.

  • Split Tunnel: With this setting, we can define whether all client traffic, or only the traffic destined for servers in the internal network, should go through the gateway in a VPN connection.

  • Session Time-out (mins): This configures how long Citrix NetScaler keeps the session active when there is no network traffic. This applies to ICA Proxy and VPN as well. Default time-out is 30 minutes.

  • Client Idle Time-out (mins): This defines how long NetScaler waits before it disconnects the session when there is no user activity. This only applies to NetScaler Gateway plugins.

  • Clientless Access: This defines whether the SSL-based VPN should be enabled or disabled.

  • Clientless Access URL Encoding: This setting allows us to change the visibility of the URL from internal web applications. The options are obscured, encrypted, or in clear text.

  • Clientless Access Persistent Cookie: This is needed for access to certain features when using clientless VPN.

  • Plug-in Type: This setting defines the kind of plugin offered to the user—whether it is Windows/Mac-based or Java-based. It is used for VPN connections.

  • Single Sign-on to Web Applications: This setting allows NetScaler Gateway to perform Single Sign-on to the configured web interface address.

  • Credential Index: This setting allows us to choose which authentication credentials are to be forwarded to the web application. Here, we can choose from the primary or the secondary authentication set.

  • Single Sign-on with Windows: This setting allows the NetScaler Gateway plug-in to authenticate using the Windows credentials.

  • Client Cleanup Prompt: This is a prompt for client-side cache cleanup when a client-initiated session closes. This feature is not available for mobile devices.

In the Security pane, all that we need to do is make sure that the Default Authorization Action option is set to Allow. This ensures that the users are actually allowed to log in and access the resources. The Secure Browse option will be used in combination with Citrix XenMobile only. This option allows users to connect through NetScaler Gateway to network resources from iOS and Android mobile devices with Citrix Receiver. Users do not need to establish a full VPN tunnel to access the resources in the secure network. The Smartgroup option will be used for Endpoint Analysis (EPA). This option contains the group in which the user is placed when the session policy associated with this session action succeeds. The VPN session policy will do the post-auth EPA check, and if the check succeeds, the user will be placed in the group specified with smartgroup.

Next, we have the Published Applications pane. This is where we enter the information needed to access our Citrix environment. The following are the settings:

  • ICA Proxy: This setting allows us to define whether the virtual server should be used as ICA Proxy through SSL or not.

  • Web Interface Address: This box contains the URL to the Citrix Web Interface or the Citrix StoreFront Receiver for Web URL.

  • Web Interface Portal Mode: This setting allows you to define whether the configured web interface should appear with full graphical experience or in compact view.

  • Single Sign-on Domain: This setting defines the AD or NDS domain that will be used for single sign-on.

  • Citrix Receiver Homepage: This setting is used for connections from a Citrix Receiver version that doesn't support Citrix StoreFront. This box contains an alternative URL for the client to connect to.

  • Account Services Address: This setting is used for e-mail-based account discovery for Citrix Receiver. The URL must be in the form of https://<StoreFront/AppController URL>/Citrix/Roaming/Accounts. This requires DNS to be properly configured, because SRV records need to be created, and it requires a wildcard certificate or a certificate that contains discoverReceiver.domain in the Subject or Subject Alternative Name entry. For more information, refer to https://www.citrix.com/blogs/2013/04/01/configuring-email-based-account-discovery-for-citrix-receiver/

After creating the session profile, a session policy must also be created in order to bind the profile to a NetScaler Gateway virtual server. As we want all users to be bound to this policy, we use the ns_true general expression, as shown in the following screenshot:

After the session policies have been created, the NetScaler Gateway virtual server can be created. Follow these steps to create a NetScaler Gateway virtual server:

  1. Go to NetScaler Gateway | Virtual Server, and click on Add.

    Fill in the correct information based on the following explanation:

    • Name: Select a descriptive name that corresponds to the NetScaler Gateway virtual server, for example, VS_CAG_Server1.

    • IP Address Type: Select the corresponding IP address.

    • Port: Select the proper port. The default is 443.

    • Select ICA Only if you're using only ICA traffic. Otherwise, leave it unselected. If you are not using the ICA Only mode, it's necessary to have the Citrix Universal Gateway license installed on Citrix NetScaler.

  2. Bind the proper certificate.

  3. Configure the proper authentication methods.

  4. Then bind the session policies.

  5. Configure the published application.

After these steps, we will have a fully configured NetScaler Gateway function on Citrix NetScaler. Citrix StoreFront needs to be configured as well in order to use pass-through authentication through the NetScaler Gateway.

Tip

Disable SSLv3 and enable TLS 1.1 and TLS 1.2 for security purposes. Also make sure that the RC4 SSL ciphers are removed. RC4 and SSLv3 are known security weaknesses and need to be disabled right away.

If we wish to use the HTML5 Citrix Receiver, it's necessary to enable the WebSocket connections option in the HTTP profile in Citrix NetScaler.
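The virtual server creation steps and the hardening tip above, expressed as NetScaler CLI commands (an added example, not from the book). The vserver name VS_CAG_Server1 follows the book's naming; the VIP 192.0.2.10, the certkey name, the cipher group name and the cipher list are assumptions to be adapted, and cipher names should be checked against the output of show ssl cipher on your firmware.

```text
# Gateway vserver on the DMZ VIP (192.0.2.10 is a placeholder), ICA-only mode
add vpn vserver VS_CAG_Server1 SSL 192.0.2.10 443 -icaOnly ON

# Bind the server certificate (certkey name gateway_cert is an assumption)
bind ssl vserver VS_CAG_Server1 -certkeyName gateway_cert

# Protocol hardening: SSLv3 off, TLS 1.1 and TLS 1.2 on
set ssl vserver VS_CAG_Server1 -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

# Custom cipher group without RC4 (names are assumptions; verify with: show ssl cipher)
add ssl cipher CG_Gateway_NoRC4
bind ssl cipher CG_Gateway_NoRC4 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher CG_Gateway_NoRC4 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher CG_Gateway_NoRC4 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher CG_Gateway_NoRC4 -cipherName TLS1-ECDHE-RSA-AES128-SHA

# Replace the DEFAULT group (which may still include RC4) with the custom group
unbind ssl vserver VS_CAG_Server1 -cipherName DEFAULT
bind ssl vserver VS_CAG_Server1 -cipherName CG_Gateway_NoRC4

# HTML5 Receiver needs WebSocket enabled on the HTTP profile used by the vserver
set ns httpProfile nshttp_default_profile -webSocket ENABLED

# Check the result: protocol flags and bound cipher group
show ssl vserver VS_CAG_Server1
```

Certificate binding, authentication policies and session policies (steps 2 to 4 in the text) are bound to the same vserver with bind ssl vserver, bind authentication vserver and bind vpn vserver respectively.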

Integration StoreFront™

To use Citrix StoreFront with the NetScaler Gateway, we need to create session policies on the NetScaler Gateway and configure Citrix StoreFront for pass-through authentication through it. We will start by creating session profiles / session policies on the NetScaler Gateway.

Tip

Citrix StoreFront always wants to use pass-through for Citrix NetScaler, even when the authentication method is disabled. To disable pass-through authentication in Citrix StoreFront, we need to disable requireTokenConsistency in inetpub\wwwroot\<storename>\web.config.

Citrix Receiver™

One of the benefits of using Citrix Receiver with Citrix StoreFront is their integration with each other. Citrix Receiver automatically detects whether the user is an internal or an external user. When it detects an external connection, it connects through the NetScaler Gateway; otherwise, it uses Citrix StoreFront authentication directly. This detection is done by the beacons configured in Citrix StoreFront; the beacons are set up during the Citrix Receiver configuration.

Now it's time to configure the Citrix Receiver session policy and profile in the NetScaler Gateway.

Create a new session policy and go to the Client Experience pane. Change Clientless Access to Allow, change the Plug-in Type to Java, and enable Single Sign-on to Web Applications. If we are using two-factor authentication, we also need to change Credential Index to Secondary. As explained before, Citrix Receiver authenticates in a different way; in order to support single sign-on, it's necessary to use LDAP authentication for single sign-on.

Go to the Published Applications pane. Switch ICA Proxy to ON. Web Interface Address should be the StoreFront URL. Change Web Interface Address Type to IPv4, change Single Sign-on Domain to the AD or NDS domain name, and finally fill in Account Services Address with the https://<StoreFront URL>/Citrix/Roaming/Accounts value.

After these settings, the session profile is done. Now it's time to create the session policy. The expression would be REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver in this case.

The session policy is explained in this chapter, under the NetScaler Gateway section, Session policies.

Receiver for Web

Create a new session policy and go to the Client Experience pane. Change Clientless Access to ON and enable Single Sign-on to Web Applications.

Go to the Published Applications pane. Switch ICA Proxy to ON. Web Interface Address should be the StoreFront Receiver for Web URL. Change Web Interface Address Type to IPv4, and then change Single Sign-on Domain to the AD or NDS domain name.

After these settings, the session profile is done. Now it's time to create the session policy. The expression would be REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver in this case.
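The two session profiles and the User-Agent based session policies described in the Citrix Receiver and Receiver for Web sections above, as NetScaler CLI commands (an added example, not from the book). Profile and policy names, the StoreFront host storefront.example.com, the store paths and the domain example.com are assumptions; the Plug-in Type setting is left at its default here because it is not needed for the policy match.

```text
# Profile for native Citrix Receiver: clientless access allowed, SSO to web apps,
# secondary credential set for two-factor, ICA Proxy to the StoreFront store URL,
# AD domain for SSO and the account services URL for e-mail-based discovery
add vpn sessionAction PRF_Receiver -clientlessVpnMode ON -SSO ON -ssoCredential SECONDARY -icaProxy ON -wihome "https://storefront.example.com/Citrix/Store" -wihomeAddressType IPV4 -ntDomain example.com -storefronturl "https://storefront.example.com/Citrix/Roaming/Accounts" -defaultAuthorizationAction ALLOW

# Profile for Receiver for Web: same, but pointing at the Receiver for Web site
# and using the primary credential set (the browser logs in with the LDAP password)
add vpn sessionAction PRF_ReceiverWeb -clientlessVpnMode ON -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.example.com/Citrix/StoreWeb" -wihomeAddressType IPV4 -ntDomain example.com -defaultAuthorizationAction ALLOW

# Policies use the classic expressions from the text; they are complementary,
# so exactly one of them matches any request
add vpn sessionPolicy POL_Receiver "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" PRF_Receiver
add vpn sessionPolicy POL_ReceiverWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" PRF_ReceiverWeb

# Bind both to the gateway vserver; the lower priority number is evaluated first
bind vpn vserver VS_CAG_Server1 -policy POL_Receiver -priority 100
bind vpn vserver VS_CAG_Server1 -policy POL_ReceiverWeb -priority 110

# Check the bindings
show vpn vserver VS_CAG_Server1
```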

Citrix® StoreFront™

First, we need to add a gateway to StoreFront. This can be done from the GUI by navigating to StoreFront Administration Console | NetScaler Gateways. On the right-hand side here, click on Add NetScaler Gateway Appliance and then add the information as shown in the following screenshot:

  • Display name: Use NetScaler Gateway.

  • NetScaler Gateway URL: Fill in the box with the proper NetScaler Gateway URL. Citrix StoreFront requires this URL to verify that this configuration matches the NetScaler Gateway URL.

  • Subnet IP address: This box is optional and should be left empty if possible. It can be filled in if we are using more than one Citrix NetScaler Gateway on one Citrix NetScaler pointing to the same Citrix StoreFront environment.

  • Logon type: Select the proper log-on type. Use Domain and security token if you are using two-factor authentication and Domain only if you are using single-factor authentication.

  • Callback URL: The Callback URL field needs to point to the VIP address of NetScaler Gateway. This is needed so that Citrix StoreFront can send the validation back to the NetScaler Gateway authentication service.

Now for the final part in Citrix StoreFront: the configured NetScaler Gateway appliance needs to be connected to a particular Citrix StoreFront store for external authentication. Navigate to the Store menu and, on the right-hand side of the console, click on the Enable Remote Access button. Now, we have to specify whether the store will be available for external use. The following are the settings:

  • None: This means that the store can't be used for external users.

  • No VPN Tunnel: This option makes the store available through Citrix NetScaler Gateway without the NetScaler Gateway plugin.

  • Full VPN Tunnel: This option makes the store available through an SSL VPN only. It requires the NetScaler Gateway plugin.

As long as we don't need VPN tunnel support, we select No VPN Tunnel. Then select the NetScaler Gateway appliance that we added earlier. Propagate the changes to the other Citrix StoreFront servers if you have more than one.

Group policies

Citrix NetScaler provides support to bind session, traffic and authorization policies, bookmarks, intranet IP addresses, and intranet applications based on groups. When the authentication policies are configured correctly, it's possible to extract the Active Directory groups of the connecting users. If we want to bind an authorization policy to an Active Directory group, it's necessary to add the group in the NetScaler Gateway. This can be done in AAA Groups in the User Administration menu under the NetScaler Gateway pane. Please be aware that this group name must be exactly the same as the group name in Active Directory; it is case sensitive.

SmartAccess filters

Citrix NetScaler 11 supports SmartAccess in NetScaler itself. Citrix calls this feature SmartAccess 2.0. These policies can be bound to the NetScaler Gateway virtual servers and allow you to disable or enable features. These features are called ICA Policies in NetScaler 11.