NetScaler Gateway 12 – SSL VPN

Last Modified: Apr 4, 2018 @ 1:48 pm

💡 = Recently Updated

Overview

Here’s an overview of the NetScaler Gateway connection process:

  1. Users use SSL/TLS to connect to a NetScaler Gateway Virtual Server (VIP).
  2. NetScaler Gateway prompts the user for authentication.
  3. Once the user is authenticated, NetScaler Gateway uses Session Policies/Profiles to determine what happens next.

NetScaler Gateway 12 supports six different connection methods:

  • ICA Proxy to XenApp/XenDesktop and StoreFront – the client is built into Citrix Receiver
  • SSL VPN – requires installation of NetScaler Gateway plug-in (VPN client)
  • Clientless – browser only, no VPN client, uses rewrite
  • Secure Browse – from MDX-wrapped mobile applications (XenMobile), uses rewrite
  • RDP Proxy – only RDP client is needed
  • PCoIP Proxy – only VMware Horizon Client is needed

You can configure NetScaler Gateway Session Policies/Profiles to only use one of the connection methods. Or NetScaler Gateway can be configured to let users choose between ICA Proxy, Clientless, and SSL VPN connection methods. Here’s a sample Client Choices screen using the RfWebUI theme:

  • The Clientless Access option opens a portal page that has icons from Citrix StoreFront (ICA Proxy), icons for RDP Proxy, icons for PCoIP Proxy, and links to websites.
    • The website links can be proxied through NetScaler. Proxy methods include: clientless rewrite, SSL VPN, and traditional load balancing.
    • NetScaler Gateway can optionally Single Sign-on to the websites.
  • The Virtual App and Desktop Access option only displays icons from Citrix StoreFront (ICA Proxy). For other types of icons, you’ll need Clientless Access.
  • The Connect with NetScaler Gateway Plug-in option launches the VPN tunnel. After the tunnel is established, a portal page is displayed. This can be the Clientless Access portal, or a user defined website URL (e.g. intranet).

Session Policies/Profiles have several settings that control the behavior seen after authentication:

  • ICA Proxy – ON or OFF
    • If ON, then ICA Proxy is the only connection method allowed, overriding the other connection methods.
    • ICA Proxy does not launch the VPN client. It only needs Citrix Receiver.
    • ICA Proxy shows the Webpage that’s configured in the Web Interface Address field of the Session Profile. This is typically the StoreFront Receiver for Web page, but technically it can be any internal website.
    • If OFF, that doesn’t mean ICA Proxy doesn’t work. You can still send ICA traffic to the NetScaler Gateway Virtual Server, and the NetScaler Gateway Virtual Server will still proxy it to internal VDAs.
    • Setting it to OFF allows the other connection methods to function. For example, Clientless Access can show both NetScaler Gateway Bookmarks and StoreFront published apps. If VPN is launched, then the portal page shown to the user after the tunnel is established can contain the StoreFront published applications.
  • Clientless Access – On, Off, Disabled
    • If On, then Clientless is the only connection method allowed, assuming ICA Proxy is not set to ON. After the user logs in, the user is presented with a portal page that contains a list of Gateway bookmarks and/or StoreFront published icons. The VPN Client is not launched.
    • The Home Page setting in the Session Profile allows you to display an internal website instead of displaying the NetScaler Gateway Portal Page.
    • Bookmarks are configured at NetScaler Gateway > Resources > Bookmarks. You can bind the Bookmarks (Urls) to the NetScaler Gateway Virtual Server, or to AAA Groups.
    • Only Bookmarks configured for Clientless Access will work without a VPN. The internal websites are rewritten so they are proxied through NetScaler Gateway. For example, if the internal website is http://intranet.corp.local, then Gateway rewrites it to https://gateway.corp.com/cvpn/http/intranet.corp.local. This causes the web browser to send the HTTP Request to NetScaler Gateway, which then forwards the HTTP Request to the internal web server. No VPN needed.
  • Plug-in Type – Windows/MAC OS X
    • If both Clientless and ICA Proxy are set to Off, then the VPN Client will be downloaded and launched.
    • Once the VPN tunnel is established, the webpage configured in the Home Page setting is displayed. Or the NetScaler Gateway Portal Page (Clientless Access) is displayed if no Home Page is configured. The Bookmarks in the Portal Page can link to internal websites that are only accessible through a VPN tunnel. Or Bookmarks can be configured for Clientless Access.
    • Additional Gateway objects control VPN behavior including: DNS Suffix, Intranet Applications, Intranet IPs, and Authorization Policies.
  • Client Choices – checked or unchecked
    • If Client Choices is checked, then it displays a page containing up to three buttons allowing the user to choose between VPN, Clientless, or StoreFront. The Network Access with the NetScaler Gateway Plug-in (VPN) button is always displayed. The Clientless Access button is displayed if Clientless Access is set to On or Off (not Disabled). The Virtual App and Desktop Access button is displayed if a Web Interface Address is configured.
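The Clientless Access rewrite described above turns an internal URL into a path under /cvpn/ on the Gateway. The following Python is an added example (not NetScaler code, and not from the original post) that builds that form and parses it back, using the `/cvpn/<scheme>/<host><path>` shape the text shows; `to_cvpn`, `from_cvpn` and the host names are assumptions for illustration, and the real rewrite engine handles more than this (links inside page bodies, for instance).

```python
from urllib.parse import urlsplit, urlunsplit

# Only web schemes are proxied clientlessly; anything else is rejected.
ALLOWED_SCHEMES = ("http", "https")


def to_cvpn(internal_url: str, gateway_fqdn: str) -> str:
    """Rewrite an internal URL into the Gateway's clientless form
    https://<gateway>/cvpn/<scheme>/<host><path>, as shown in the text."""
    parts = urlsplit(internal_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {internal_url!r}")
    cvpn_path = f"/cvpn/{parts.scheme}/{parts.netloc}{parts.path}"
    # The browser always talks TLS to the Gateway; query and fragment are carried over.
    return urlunsplit(("https", gateway_fqdn, cvpn_path, parts.query, parts.fragment))


def from_cvpn(gateway_url: str) -> str:
    """Recover the internal URL that a /cvpn/ request should be forwarded to."""
    parts = urlsplit(gateway_url)
    segments = parts.path.split("/", 4)          # ['', 'cvpn', scheme, host, rest?]
    if len(segments) < 4 or segments[1] != "cvpn" or segments[2] not in ALLOWED_SCHEMES:
        raise ValueError(f"not a clientless access path: {parts.path!r}")
    scheme, host = segments[2], segments[3]
    if not host:
        raise ValueError("missing internal host in clientless path")
    path = "/" + segments[4] if len(segments) == 5 else ""
    return urlunsplit((scheme, host, path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: the host names from the text plus one deeper link.
    proxied = to_cvpn("http://intranet.corp.local", "gateway.corp.com")
    print(proxied, "->", from_cvpn(proxied))
    deeper = to_cvpn("https://hr.corp.local/portal/index.html?x=1", "gateway.corp.com")
    print(deeper, "->", from_cvpn(deeper))
```

The parse side is where a proxy needs to be strict: a path that is not under /cvpn/, names a scheme other than http or https, or has no host is refused rather than guessed at, so the Gateway only forwards requests to destinations the rewrite itself produced.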

Here are some characteristics of Session Policies:

  • NetScaler Gateway > Global Settings > Change Global Settings has the same settings as a Session Profile. However, all Session Policies/Profiles override the settings configured in Global Settings. That’s the whole point of the Override Global checkboxes in the Session Profiles.
  • Session Policy Expression – If the Session Policy Expression is true, then the settings contained in the Session Profile are applied.
    • Action = Session Profile – The Session Profile is also sometimes called the Action. That’s because all NetScaler policies follow a standard structure – if the expression evaluates to True, then perform the Action. For Session Policies in particular, the policy Action = Session Profile.
    • EPA – The Session Policy Expression in Classic Syntax could include an Endpoint Analysis (EPA) expression.
  • Default Syntax Expressions vs Classic Syntax Policy Expressions – NetScaler 12 supports Default (Advanced) Syntax Expressions on Session Policies, in addition to the older Classic Syntax.
    • No syntax mixing – All Session Policies bound anywhere must be either Default or Classic. You cannot mix the two types.
    • EPA is Classic only – EPA Scans are only supported in Classic Expressions.
    • AD Group in Default Syntax – Default Syntax allows expressions for AD Group Membership like HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup"). This could eliminate AAA Groups in some circumstances.
  • Policy Bind Points – Session Policies can be bound to three different bind points – NetScaler Gateway Virtual Server, AAA Groups, and AAA User.
    • When bound to a NetScaler Gateway Virtual Server, the Session policy/profile applies to all users that log into that Virtual Server.
    • When bound to a AAA Group, the Session policy/profile only applies to members of the AAA group (Active Directory group or local group).
    • When bound to a AAA User, the Session policy/profile only applies to the AAA user (Active Directory user or local user).
  • Profile Conflicts – Multiple Session Policies/Profiles could apply to a single session. In this case, the Profile settings are merged. But if there’s a conflict (e.g. one Session Profile enables Clientless access, but another Session Profile disables Clientless access), then which one wins?
    • Priority number – When you bind a Session Policy to a bind point, you specify a priority number. This priority number usually defaults to 100.
    • Lowest priority number wins – The Session Policy binding that has the lowest priority number wins. Session Policies bound with a priority of 80 will win over Session Policies bound with a priority of 100. Remember, for settings that don’t conflict, the two Profiles merge, but for settings that do conflict, the lower priority number policy/profile settings win.
    • Priority and multiple bind points – the bind point location doesn’t matter. If you bind a Session Policy to a AAA Group with a priority of 100, and you also bind a Session Policy to the NetScaler Gateway Virtual Server with a priority of 80, then the conflicting settings in the Session Policy bound to the NetScaler Gateway Virtual Server will win because it has the lower priority number. You might think that AAA-bound policies always override Virtual Server-bound policies, but that is not the case.
  • Global Settings vs Virtual Server Settings – When you bind a Session Policy to a NetScaler Gateway Virtual Server, the settings in the Session Profile only apply to connections through that particular NetScaler Gateway Virtual Server.
    • Settings in NetScaler Gateway > Global Settings > Change Global Settings apply to every Gateway Virtual Server.
    • Settings in AAA Group > Policies > Session Policy/Profile apply to every Gateway Virtual Server.
    • If you want a particular Gateway Virtual Server to override AAA or Global, your only choice is to bind a Session Policy to the Gateway Virtual Server with a lower priority number than the AAA Bind Points.

AAA Groups are a critical component of NetScaler Gateway VPN configuration:

  • Group extraction – Make sure the LDAP Policy/Server is configured to extract to the user’s Active Directory Groups.
  • Create AAA Groups on the NetScaler that match exactly (case sensitive) with the user’s Active Directory Group Name.
    • Default Syntax and AD Groups – An alternative to AAA Groups is to use HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") Default Syntax expressions. However, Default Syntax does not support Endpoint Analysis. And Default Syntax only applies to Session Policies and Authorization Policies, so you might still need AAA Groups for Bookmarks, Intranet Applications, and Intranet IPs.
  • You can bind policies and other Gateway objects to the AAA Group, and these bindings only affect that particular AAA Group. These bindings include:
  • If the user belongs to multiple AAA Groups, then policies are applied as follows:
    • Session Policies – the settings are merged, unless there’s a conflict. If a conflict, then the policy with the lowest priority number wins.
    • Bookmarks, Intranet Applications, and Authorization Policies are merged.
    • Intranet IPs (IP Pool) are probably random allocation. It’s probably best to make sure a user only belongs to one AAA Group that assigns Intranet IPs.
  • You can also create local AAA Groups that are unrelated to Active Directory groups. There are several ways of getting users into these local AAA groups:
    • Create local AAA Users and assign them to the AAA Group
    • Configure Session Policy/Profile with a Client Security Check String (EPA Scan). If the scan succeeds, users are placed into local Authorization AAA Groups. If the scan fails, then users are placed into a local Quarantine AAA Group, and removed from all other AAA Groups.
    • When users are authenticated with a particular authentication server, the authentication server can be configured to place users into a Default Authentication Group. This lets you apply different Session Policy/Profiles (and other Gateway objects) depending on how the user authenticated.

NetScaler Gateway supports Client Security Expressions (Endpoint Analysis expressions) at three different locations:

  • Preauthentication Policy Expression
    • If the EPA Scan succeeds, then the user is allowed to login.
    • If the EPA Scan fails, then the user is not allowed to login.
    • Preauthentication Policies are bound to NetScaler Gateway Virtual Servers only, and thus apply to all users of that Virtual Server.
  • Session Policy Expression
    • This type of EPA Scan is configured in the Session Policy Expression, not the Session Profile.
    • If the EPA Scan succeeds, then the settings in the Session Profile are applied to the session.
    • If the EPA Scan fails, then the Session Profile is ignored. Other Session Policies expressions are still evaluated. Remember, Session Policy/Profiles merge, so all applicable Session Policies must be considered.
    • A limitation of this EPA method is that nothing negative happens. Instead, you typically design higher priority number (lower priority) Session Policies with restrictive settings so that if the EPA Scans fail, then users still get something. For example, you can configure your highest priority number Session Policy/Profile with StoreFront (ICA Proxy) only. In the lower priority number Session Policies/Profiles, VPN might be enabled, but only if the EPA scan succeeds. More restrictive Session Profiles usually uncheck Client Choices, and enable Clientless Access or ICA Proxy.
    • This method of EPA Scans is used in SmartAccess and SmartControl configurations.
    • EPA expressions are not supported in Default Syntax, so you’ll need to use Classic Syntax instead.
  • Session Profile > Security tab > Advanced Settings > Client Security Check String
    • If the EPA Scan succeeds, add the user to the listed Authorization AAA Groups.
    • If the EPA Scan fails, add the user to the selected Quarantine Group, and remove the user from all other AAA Groups.
    • If Quarantine Group is not defined, then prevent SSL VPN. Other methods of connecting (Clientless, StoreFront), still work.
  • Assigning EPA scans to Session Policies and Session Profiles is also known as Post-Authentication EPA Scans.
  • If Endpoint Analysis is configured anywhere, then an Endpoint Analysis plug-in is downloaded to the Windows or Mac client.

Prerequisites

Gateway Universal Licenses

Except for ICA Proxy, all NetScaler Gateway connection methods require a NetScaler Gateway Universal License for each concurrent session. Go to System > Licenses and make sure NetScaler Gateway User licenses are installed. Most NetScaler Editions come with built-in licenses.

DNS Name Servers

DNS usually needs to function across the VPN tunnel. Go to Traffic Management > DNS > Name Servers to add DNS servers.

AAA Groups

  1. Edit your LDAP Policy/Server, and make sure Group Extraction is configured. Configure the Group Attribute and the Sub Attribute Name. This causes NetScaler to extract the user’s AD groups when the user logs in using LDAP.
  2. Go to NetScaler Gateway > User Administration > AAA Groups.
  3. On the right, click Add.
  4. Enter a case sensitive group name that matches the group name in Active Directory. Click OK.
  5. On the right, in the Advanced Settings column, you can see the types of objects that can be bound to AAA Groups. These objects are detailed later in this post.

Create Session Profile

To enable SSL VPN: first create the Session Profile. Then create a Session Policy.

You can create multiple Session Policies/Profiles with different settings. Then you can bind these Session Policies to AAA groups and/or NetScaler Gateway Virtual Servers. The Session Profiles are merged, and if there are conflicting settings, the binding with the lower priority number wins.

To enable SSL VPN in a Session Profile:

  1. On the left, expand NetScaler Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.
  3. Name the profile VPN or similar.
  4. In Session Profiles, every field has an Override Global checkbox to the right of it. If you check this box next to a particular field, then you can configure that field, and the field in this session profile will override settings configured globally (NetScaler Gateway > Global Settings > Change Global Settings), or in a lower priority (higher priority number) session policy.

Network Configuration tab

  1. In the Session Profile, switch to the Network Configuration tab.
  2. You will find a setting that lets you select a DNS Virtual Server. Or if you don’t select anything, then the tunnel will use the DNS servers configured under Traffic Management > DNS > Name Servers.

Client Experience Tab

  1. In the Session Profile, switch to the Client Experience tab. This tab contains most of the NetScaler Gateway VPN settings.
  2. Override Plug-in Type, and set it to Windows/Mac OS X.
  3. On the Client Experience tab, override Split Tunnel and make your choice. Setting it to OFF will force all traffic to use the tunnel. Setting it to ON will require you to create Intranet Applications so the NetScaler Gateway Plug-in will know which traffic goes through the tunnel, and which traffic goes directly out the client NIC (e.g. to the Internet). REVERSE means all traffic goes through the tunnel except for the addresses defined in Intranet Applications.
  4. On the Client Experience tab, there are timers that can be configured. Global Settings contains default timers, so you might want to configure this Session Profile to override the defaults and increase the timeouts. See Configuring Time-Out Settings at Citrix Docs for details.
    1. Client Idle Time-out is a NetScaler Gateway Plug-in timer that disconnects the session if there is no user activity (mouse, keyboard) on the client machine.
    2. Session Time-out is a NetScaler timer that disconnects the session if there is no network activity for this duration.
    3. In addition to these two timers, on the Network Configuration tab, under Advanced Settings, there’s a Forced Timeout setting.
  5. By default, once the VPN tunnel is established, a portal page appears containing Gateway Bookmarks, and StoreFront published icons. An example of the portal page in the RfWebUI theme is shown below:

    1. The X1 theme is shown below:
  6. On the Client Experience tab, the Home Page field lets you override the default portal page, and instead display a different webpage (e.g. Intranet). This homepage is displayed after the VPN tunnel is established (or immediately if connecting using Clientless Access).
  7. NetScaler Gateway can automatically start the VPN tunnel whenever the user is remote. On the Client Experience tab, click the plus icon next to AlwaysON Profile Name.

    1. Give the profile name. Hover over the question marks to see what each of them does.
    2. Then click Create.
    3. More info at AlwaysON at Citrix Docs.
  8. Additional VPN settings can be found by clicking Advanced Settings near the bottom of the Client Experience tab.
  9. Under Client Experience > Advanced Settings, on the General tab, there are settings to run a login script at login, enable/disable Split DNS, and enable Local LAN Access. Use the question marks to see what they do.
  10. Note: if Split Tunnel is OFF, and if Split DNS is set to REMOTE, NetScaler only returns one IP address to DNS queries. This behavior can be changed by following Citrix CTX200243 DNS Query Responds with Only One IP to Client PC When Connected Through NetScaler Gateway Full VPN.
  11. Under Client Experience > Advanced Settings, on the General tab, is a checkbox for Client Choices. This lets the user decide if they want VPN, Clientless, or ICA Proxy (StoreFront). Without Client Choices, one of the connection methods will occur automatically, depending on what’s enabled.
  12. An example of Client Choices is shown below:

    • On the main Client Experience tab, if you enabled Client Choices, you can set Clientless Access to Off to add Clientless to the list of available connection methods in the Client Choices screen. Note: this used to be Allow in NetScaler 11.1 and older.
    • Clientless Access is difficult to remove from the Client Choices page since you need Clientless Access for StoreFront integration. The following removal instructions were confirmed on a custom Portal Theme based on RfWebUI: 💡
      1. WinSCP to the NetScaler.
      2. Navigate to /var/netscaler/logon/themes/<yourThemeName>/css.
      3. Edit the file theme.css.
      4. At the bottom of the file, add the following code (source = CTP Sam Jacobs at NetScaler Gateway Client Choices – hide/remove Virtual Apps and Desktops at Citrix Discussions):
        div.box:nth-child(2) {
         display:none;
        }
      5. When you refresh the Client Choices page, the Clientless box should be hidden.
  13. The Client Experience > Advanced Settings section has additional tabs. A commonly configured tab is Proxy, which allows you to enable a proxy server for VPN users.
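The Split Tunnel setting from step 3 decides, per destination, whether the NetScaler Gateway Plug-in sends traffic through the tunnel or straight out the client NIC. The Python below is an added example (not the plug-in's code and not from the original post) that models the three values OFF, ON and REVERSE against a constructed list of Intranet Applications; `via_tunnel`, `routing_table` and the subnets are assumptions for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed Intranet Applications (example only): the subnets the plug-in treats as intranet.
INTRANET_APPLICATIONS: List[str] = ["10.0.0.0/8", "192.168.10.0/24"]


def via_tunnel(dst_ip: str, split_tunnel: str, intranet_apps: Iterable[str]) -> bool:
    """Decide whether the plug-in sends a packet to dst_ip through the VPN tunnel.

    OFF     - everything goes through the tunnel; Intranet Applications are ignored.
    ON      - only destinations matching an Intranet Application go through the tunnel.
    REVERSE - everything goes through the tunnel except matching Intranet Applications.
    """
    dst = ipaddress.ip_address(dst_ip)
    matches = any(dst in ipaddress.ip_network(net, strict=False) for net in intranet_apps)
    mode = split_tunnel.upper()
    if mode == "OFF":
        return True
    if mode == "ON":
        return matches
    if mode == "REVERSE":
        return not matches
    raise ValueError(f"unknown Split Tunnel value: {split_tunnel!r}")


def routing_table(destinations: Iterable[str], split_tunnel: str,
                  intranet_apps: Iterable[str] = INTRANET_APPLICATIONS) -> Dict[str, str]:
    """Map each destination to 'tunnel' or 'direct' for the given Split Tunnel mode."""
    return {ip: ("tunnel" if via_tunnel(ip, split_tunnel, intranet_apps) else "direct")
            for ip in destinations}


if __name__ == "__main__":
    # Constructed sample: two intranet hosts and one Internet host.
    sample = ["10.20.30.40", "192.168.10.7", "203.0.113.9"]
    for mode in ("OFF", "ON", "REVERSE"):
        print(mode, routing_table(sample, mode))
    # Split Tunnel ON with no Intranet Applications defined sends nothing through the tunnel.
    print("ON, no Intranet Applications:", routing_table(sample, "ON", []))
```

The last line of the demo is the case worth checking on a real deployment: with Split Tunnel ON and no Intranet Applications bound, every destination is "direct", so the tunnel is up but carries no traffic.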

Security Tab

  1. Back in the main Session Profile, switch to the Security tab.
  2. Set the default authorization to Allow or Deny. If Deny (recommended), you will need to create authorization policies to allow traffic across the tunnel. You can later create different authorization policies for different groups of users.

Published Applications Tab

  1. On the Published Applications tab, set ICA Proxy to Off. This ensures VPN is used instead of ICA Proxy.
  2. Configure the Web Interface Address to embed StoreFront into the default Clientless Access portal page.
    • Note: for X1 theme,¬†additional iFrame configuration is required on the StoreFront side as detailed below. RfWebUI¬†theme does not need any StoreFront changes.
    • From Michael Krasnove: if you configured the Session Policy to direct users to StoreFront, but aren’t using RfWebUI, then placing the following code in c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js will cause StoreFront to end the VPN tunnel when the user logs off of StoreFront.
      var LOGOFF_REDIRECT_URL = 'https://YourGatewayFQDN.com/cgi/logout';

      // Prevent the default "logoff" screen from being displayed
      CTXS.Controllers.LogoffController.prototype._handleLogoffResult = $.noop;

      CTXS.Extensions.afterWebLogoffComplete = function () {
        window.location.href = LOGOFF_REDIRECT_URL;
      };
  3. See the ICA Proxy post for more information on integrating StoreFront with NetScaler Gateway.

Other Tabs

  1. The Remote Desktop tab is detailed in the RDP Proxy post.
  2. The PCoIP tab is detailed in the PCoIP Proxy post.
  3. Click Create when you’re done creating the Session Profile.

Create Session Policy

Once the Session Profile is created, you need a Session Policy linked to it. The Session Policy contains an expression, where if true, then the Session Profile is applied.

If multiple Session Policies apply to a particular connection, then the settings in the policies are merged. For conflicting settings, the Session Policy with the highest priority (lowest priority number) wins. Session Policies bound to AAA groups only override Session Policies bound to NetScaler Gateway Virtual Servers if the AAA group bind point has a lower priority number. In other words, priority numbers are evaluated globally no matter where the Session Policy is bound. You can run the command nsconmsg -d current -g pol_hits to see which Session Policies are applying to a particular connection. See CTX214588 Understanding Session Policy Priority on Different Bind Points.

You can also include Endpoint Analysis expressions in a Session Policy, so that the Session Policy only applies to machines that pass the Endpoint Analysis scan. However, EPA Scans are only supported with Classic Syntax policy expressions, and not with Default Syntax.

To create a Session Policy that is linked to a Session Profile:

  1. On the left, go to NetScaler Gateway > Policies > Session.
  2. In the right pane, switch to the Session Policies tab, and click Add.
  3. Give the policy a descriptive name.
  4. Change the Profile drop-down to the VPN Profile you just created.
  5. The Expression box has an option for switching to Default Syntax.

    1. If Default Syntax, enter true in the Expression box so it always evaluates to true. If Classic Syntax, it would be ns_true instead of true.
    2. If Default Syntax, you can enter HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") to restrict the Session Profile to members of a specific AD group. In Classic Syntax, this isn’t possible in an expression, and instead you must assign the Session Policy to a AAA Group.
  6. If Classic Syntax, you can add Endpoint Analysis scans to the Expression box. If the Endpoint Analysis scan succeeds, then the session policy is applied. If the Endpoint Analysis scan fails, then this session policy is skipped, and the next one is evaluated. This is how you can allow VPN if EPA scan succeeds, but all failed EPA scans will get a different session policy that only has ICA Proxy enabled.
    1. To add an Endpoint Analysis scan, use one of the Editor links on the right.
    2. Configure OPSWAT scans in the OPSWAT EPA Editor.
    3. Configure Client Security Expressions in the Expression Editor.
    4. You can combine multiple Endpoint Analysis scan expressions using Booleans (&&, ||, !).
  7. Click Create when done.
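The two rules that decide what a session ends up with are easy to misjudge by hand: profiles merge, conflicts go to the lowest priority number regardless of bind point, and a Session Policy whose expression (for example an EPA scan) is false is skipped entirely so a higher-numbered fallback fills the gap. The Python below is an added example (not NetScaler code and not from the original post) that models exactly that for the design described above: a StoreFront-only fallback at priority 120, a VPN policy at 100 that only applies when the EPA result is true, and a timeout policy bound to the Virtual Server at 80. The policy names, settings and the `ctx["epa_passed"]` flag are assumptions for illustration; a real Classic Syntax expression would carry the Endpoint Analysis scan itself.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A profile is the dict of fields whose "Override Global" box is checked; every
# other field is absent and falls back to Global Settings.
Profile = Dict[str, object]


@dataclass
class SessionPolicy:
    name: str
    bind_point: str                     # "vserver" or "group": kept only to show it does not matter
    priority: int                       # binding priority; lower number wins a conflict
    profile: Profile
    expression: Callable[[dict], bool]  # the policy expression, here a Python predicate


def effective_profile(policies: List[SessionPolicy], ctx: dict,
                      global_settings: Profile) -> Tuple[Profile, List[str]]:
    """Merge the profiles of every policy whose expression is true for this session.

    Fields that do not conflict merge; where two applicable profiles set the same
    field, the policy bound with the lowest priority number wins, whether it is
    bound to the Gateway Virtual Server or to an AAA Group.
    Returns the merged settings and the applicable policy names in priority order.
    """
    applicable = sorted((p for p in policies if p.expression(ctx)), key=lambda p: p.priority)
    merged: Profile = dict(global_settings)
    # Apply from the highest priority number down so that lower numbers overwrite.
    for policy in reversed(applicable):
        merged.update(policy.profile)
    return merged, [p.name for p in applicable]


# Constructed Global Settings: no VPN plug-in, no Clientless, ICA Proxy off.
GLOBAL_SETTINGS: Profile = {
    "icaProxy": "OFF",
    "clientlessAccess": "Disabled",
    "clientChoices": False,
    "sessionTimeoutMinutes": 30,
}

# Constructed bindings (example values, not a recommended configuration).
POLICIES = [
    # Fallback for everyone: StoreFront only. Highest number, so it only fills gaps.
    SessionPolicy("ICAProxyOnly", "vserver", 120, {"icaProxy": "ON"}, lambda ctx: True),
    # VPN for members of the AAA Group, and only when the EPA scan succeeded.
    SessionPolicy("VPN_if_EPA", "group", 100,
                  {"icaProxy": "OFF", "clientlessAccess": "Off",
                   "pluginType": "Windows/MAC OS X", "clientChoices": True,
                   "sessionTimeoutMinutes": 120},
                  lambda ctx: "VPNUsers" in ctx["groups"] and ctx["epa_passed"]),
    # Gateway-wide timeout bound to the Virtual Server with a LOWER number than the group policy.
    SessionPolicy("GatewayTimeout", "vserver", 80, {"sessionTimeoutMinutes": 60}, lambda ctx: True),
]


def resolve(groups: List[str], epa_passed: bool) -> Tuple[Profile, List[str]]:
    """Evaluate POLICIES for a session with these extracted groups and EPA result."""
    return effective_profile(POLICIES, {"groups": groups, "epa_passed": epa_passed}, GLOBAL_SETTINGS)


if __name__ == "__main__":
    for groups, epa in ((["VPNUsers"], True), (["VPNUsers"], False), ([], True)):
        settings, order = resolve(groups, epa)
        print(f"groups={groups} epa_passed={epa}: applied {order} -> {settings}")
```

Two things the run makes visible: when the EPA scan fails, the VPN policy simply drops out and the session gets ICA Proxy ON from the 120 fallback, and the 60-minute timeout bound to the Virtual Server at priority 80 beats the 120 minutes in the AAA Group policy at 100 even though the group binding "feels" more specific.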

Bind Session Policy

Most of the NetScaler Gateway configuration objects can be bound to a NetScaler Gateway Virtual Server, AAA Groups, or both. This section details binding of Session Policies, but the other NetScaler Gateway objects (e.g. Authorization Policies) can be bound using similar instructions.

  • Objects bound directly to the NetScaler Gateway Virtual Server are evaluated for every user of that Gateway Virtual Server.
  • Objects bound to a AAA Group are only evaluated for members of that AAA Group.
    • Policies bound to AAA Groups usually have lower priority numbers than policies bound to Gateway Virtual Servers, so the AAA binding can override the Gateway binding.
    • However, objects/policies bound to a AAA Group are applied to every Gateway Virtual Server on the same appliance. To override AAA bindings at a specific Gateway, you can bind lower priority number policies to the Gateway Virtual Server.

Bind the new Session Policy to a NetScaler Gateway Virtual Server, or a AAA group.

To bind to a NetScaler Gateway Virtual Server

  1. Edit a NetScaler Gateway Virtual Server (or create a new one).
  2. To make sure ICA Only is unchecked:
    1. Click the pencil icon for the Basic Settings section.
    2. Click More.
    3. Make sure ICA Only is unchecked, and click OK to close the Basic Settings section.
    4. Note: with this box unchecked, Gateway Universal licenses are now required for all users connecting through this Gateway Virtual Server.
  3. While editing the Gateway Virtual Server, consider changing the Portal Theme to RfWebUI. This changes the default portal page to look identical to StoreFront.
  4. Scroll down to the Policies section, and click the Plus icon.
  5. In the Choose Type page, ensure the Choose Policy drop-down is set to Session.
  6. Ensure the Choose Type drop-down is set to Request, and click Continue.
  7. Click where it says Click to select.

    1. If you already have Session Policies bound to this Gateway Virtual Server, then you might have to click Add Binding first.
  8. Click the radio button next to the previously created Session Policy, and click Select.
  9. Note: you cannot mix Classic Syntax Policies and Default Syntax Policies.
  10. In the Priority field, adjust the priority number. If you want this Session Policy to override other Session Policies, then set the priority number to a low value. See CTX214588 Understanding Session Policy Priority on Different Bind Points.
  11. Click Bind.
  12. If you already have Session Policies bound to the Gateway Virtual Server, then the list of Policies is displayed. If you don’t see this list, on the left, in the Policies section, click the line that says Session Policies.
  13. From this list, you can right-click the policies to Edit Binding (priority number), or Edit Profile.
  14. If your NetScaler Gateway Virtual Server is configured with a Traffic Policy for Native OTP (One Time Passwords), change the Traffic Policy expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN. 💡
    http.req.method.eq(post)||http.req.method.eq(get) && false

Bind to AAA Group

  1. To bind to a AAA Group, go to NetScaler Gateway > User Administration > AAA Groups.
  2. On the right, add a AAA group with the same name (case sensitive) as the Active Directory group name. This assumes your LDAP policies/server are configured for group extraction (Group Attribute, and Sub Attribute).
  3. Edit the AAA Group.
  4. On the right, in the Advanced Settings column, add the Policies section.
  5. Click the plus icon to bind one or more Session Policies.
  6. If you want these Session Policies to override the Session Policies bound to the NetScaler Gateway Virtual Server, then make sure the Session Policies bound to the AAA Group have lower priority numbers. See CTX214588 Understanding Session Policy Priority on Different Bind Points.


NetScaler Gateway Plug-in Installation

Here is what the user sees when launching the VPN session for the first time. This assumes the user is an administrator of the local machine.



And then the default portal page is displayed. If using the RfWebUI theme, it might prompt you to install Receiver.

Only administrators can install the NetScaler Gateway Plug-in. You can download the Gateway plug-in from the NetScaler appliance at /var/netscaler/gui/vpns/scripts/vista and push it to corporate-managed machines. Or you can download VPN clients from Citrix.com. The VPN client version must match the NetScaler firmware version.

To deploy the Gateway Plug-in using Group Policy, see CTX124649 How to Deploy NetScaler Gateway Plug-in and Endpoint Analysis Installer Packages for Windows by Using Active Directory Group Policy. 💡

While a VPN tunnel is established, you can open the Gateway Plug-in to see status. If the Gateway Plug-in is merged with Receiver, right-click Receiver, click Advanced Preferences, click NetScaler Gateway Settings, and click Open.

Or, if the Gateway Plug-in icon is separated from Receiver, then right-click the Gateway Plug-in icon, and click Open.

The hamburger menu on the left lets you see more info about the VPN tunnel.

If the Gateway VPN session isn’t established, you can open the Gateway plug-in, and login. No browser needed.

The Configuration page lets you enable Logging. Then the Logging page lets you collect the logs. See Citrix CTX138155 How to Collect Client VPN Logs for NetScaler Gateway.

VPN Client (NetScaler Gateway Plug-in) Session Profile Settings

Separate Icons for Receiver and Gateway

  1. By default, if Receiver and NetScaler Gateway Plug-in are installed on the same machine, then the icons are merged. To see the NetScaler Gateway Plug-in Settings, you right-click Receiver, open Advanced Preferences, and then click NetScaler Gateway Settings. This makes it difficult to log off.

  2. You can configure the Session Profile to prevent the NetScaler Gateway Plug-in from merging with Receiver. Edit your VPN Session Policy/Profile. On the Client Experience tab…
  3. Scroll down, and check the box next to Advanced Settings.
  4. At the bottom of the General tab, check the box next to Show VPN Plugin-in icon with Receiver.
  5. This setting causes the two icons to be displayed separately thus making it easier to access the NetScaler Gateway Plug-in settings, including Logoff.

Cleanup

  1. When the user logs off of VPN, a Cleanup page is displayed. This can be enabled or disabled in a Session Profile on the Client Experience tab.

  2. The cleanup options can be forced in a Session Profile on the Client Experience tab…
  3. Under Advanced Settings > Client Cleanup.

VPN Client Upgrades

  1. Whenever NetScaler firmware is upgraded, all users will be prompted to upgrade their VPN clients. You can edit a Session Policy/Profile, and on the Client Experience tab…
  2. Use the Upgrade drop-downs to disable the automatic upgrade.
  3. The Plugin Upgrade settings are also configurable in the Gateway Virtual Server…
  4. In the Basic Settings > More section.


Authorization Policies

If your Session Profile has Security tab > Default Authorization Action set to Deny (recommended), then create Authorization Policies to allow access across the tunnel.

  1. On the left, under NetScaler Gateway, expand Policies, and click Authorization.
  2. On the right, click Add.
  3. Name the Authorization Policy.
  4. Select Allow or Deny.
  5. For the Expression, NetScaler Gateway 12 supports both Classic Syntax and Default Syntax.
    • Default Syntax gives you much greater flexibility in matching the traffic that should be allowed or denied. Hit Control+Space on your keyboard to begin building a Default Syntax expression. You typically want to identify traffic based on Destination IP Address, Destination Port Number, HTTP Request URL, HTTP Host Header, etc. Common expressions include:
      • CLIENT.IP.DST.IN_SUBNET()
      • CLIENT.TCP.DSTPORT.EQ()
      • You can also use HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") in your expressions.
    • CTX232237 NetScaler Unified Gateway Advanced Authorization Policy Support for UDP/ICMP/DNS Traffic explains new types of Authorization Policies in NetScaler 12.0 build 56 and newer. 💡
      • CLIENT.UDP.DSTPORT.EQ(2080)
      • CLIENT.IP.PROTOCOL.EQ(ICMP)
      • CLIENT.UDP.DNS.DOMAIN.CONTAINS("citrix")
    • Note: you cannot mix both Classic Syntax and Default Syntax. You must unbind every Classic Syntax Authorization Policy before you can bind Default Syntax Authorization Policies.
  6. Click Create when done.
  7. Authorization Policies are usually bound to AAA groups. This allows different groups to have different access across the tunnel.
    1. Or, you can use HTTP.REQ.USER.IS_MEMBER_OF("MyADGroup") in your Default Syntax expressions.
  8. Edit a AAA Group at NetScaler Gateway > User Administration > AAA Groups.
  9. On the right, in the Advanced Settings column, add the Authorization Policies section.
  10. Then click where it says No Authorization Policy to bind policies.
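The same Authorization Policies built from the NetScaler command line, as an added example that is not from the original post. It assumes a Session Profile named VPN-Profile, an AAA group named VPN-Users, an Active Directory group named VPN-Admins, and 10.0.0.0/8 as the internal range; the UDP port match is the build 56 and newer syntax noted above, and the nested quotes are escaped with backslashes as in ns.conf.

```nscli
set vpn sessionAction VPN-Profile -defaultAuthorizationAction DENY
add authorization policy authz-intranet-web "CLIENT.IP.DST.IN_SUBNET(10.0.0.0/8) && (CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443))" ALLOW
add authorization policy authz-intranet-dns "CLIENT.IP.DST.IN_SUBNET(10.0.0.0/8) && CLIENT.UDP.DSTPORT.EQ(53)" ALLOW
add authorization policy authz-admins-rdp "HTTP.REQ.USER.IS_MEMBER_OF(\"VPN-Admins\") && CLIENT.IP.DST.IN_SUBNET(10.0.0.0/8) && CLIENT.TCP.DSTPORT.EQ(3389)" ALLOW
bind aaa group VPN-Users -policy authz-intranet-web -priority 100
bind aaa group VPN-Users -policy authz-intranet-dns -priority 110
bind aaa group VPN-Users -policy authz-admins-rdp -priority 120
show aaa group VPN-Users
```

The final show command lists what is bound to the group, which is where you would spot a leftover Classic Syntax Authorization Policy that has to be unbound before the Default Syntax ones will bind.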

Intranet Applications

If you enabled Split Tunnel, then you’ll need to create Intranet Applications to specify which traffic goes through the tunnel.

  1. On the left, under NetScaler Gateway, expand Resources, and click Intranet Applications.
  2. On the right, click Add.

    1. Enter a name for the Internal subnet.
    2. Change the Interception Mode to TRANSPARENT.
    3. Enter an IP subnet. Only packets destined for this network go across the tunnel.
      1. You typically specify a summary address for all internal subnets (e.g. 10.0.0.0/8).
      2. Alternatively, you can define minimal Intranet Application destinations as a security mechanism (assuming Split Tunnel is enabled), but Authorization Policies are more appropriate for that task.
  3. Click Create.
  4. Create additional Intranet applications for each internal subnet.
  5. Intranet Applications are usually bound to the Gateway Virtual Server, but you can also bind them to AAA Groups.
  6. On the right, in the Advanced Settings column, add the Intranet Applications section.
  7. On the left, click No Intranet Application to bind Intranet Applications.

DNS Suffix

Specify a DNS Suffix for Split DNS to function with single label DNS names. NetScaler Gateway adds these DNS suffixes to DNS queries across the VPN tunnel.

  1. On the left, under NetScaler Gateway, expand Resources, and click DNS Suffix.
  2. On the right, click Add.
  3. Enter the DNS Suffix, and click Create. You can add multiple suffixes.

Bookmarks

Bookmarks are the links that are displayed in the default portal interface. They can point to websites, or RDP addresses. PCoIP bookmarks come from VMware Horizon Connection Server. ICA bookmarks come from Citrix StoreFront.

  1. Under NetScaler Gateway, expand Resources, and click Bookmarks.
  2. On the right, click Add.

    1. Give the bookmark a name, and display text.
    2. Enter a website or RDP address.
    3. Optionally browse to an Icon file.
    4. You typically need to check Use NetScaler Gateway As a Reverse Proxy, especially for Clientless Access (rewrite without VPN) to an internal website.
    5. The other fields are for Single Sign-on through Unified Gateway.
  3. Click Create.
  4. Bookmarks (aka Published Applications > Url) are usually bound to AAA groups so different groups can have different bookmarks. But it’s also possible to bind Bookmarks to NetScaler Gateway Virtual Servers.
  5. For a NetScaler Gateway Virtual Server, add the Published Applications section to bind Bookmarks (Url).
  6. For an AAA Group, it’s the Bookmarks section.
  7. On the left, find the Published Applications section, and click No Url to bind Bookmarks.

VPN Client IP Pools (Intranet IPs)

By default, NetScaler Gateway VPN clients use NetScaler SNIP as their source IP when communicating with internal resources. To support IP Phones or endpoint management, you must instead assign IP addresses to VPN clients.

Any IP pool you add to NetScaler must be reachable from the internal network. Configure a static route on the upstream router. The reply traffic to VPN Client IPs should be routed through a NetScaler SNIP. Or the NetScaler can participate in OSPF.

When a client is assigned a client IP, this IP address persists across multiple sessions until the appliance reboots, or until the appliance runs out of IPs in the pool.

  1. Edit a NetScaler Gateway Virtual Server, or a AAA group.
  2. On the right, in the Advanced Settings section, click the plus icon next to Intranet IP Addresses.
  3. On the left, click where it says No Intranet IP.
  4. Enter a subnet and netmask. Click Bind.
  5. In a Session Profile, on the Network Configuration tab, check the box next to Advanced Settings.
  6. Use the Intranet IP drop-down to configure the behavior when there are more VPN clients than available IPs in the address pool.

    1. If you set it to NOSPILLOVER, then users can only have one VPN session, as described in CTX218066 How to Limit One Session Per User on NetScaler Gateway?


  7. To see the Client IP address, on the client side, after the tunnel is established, right-click the NetScaler Gateway Plug-in, and click Open.
  8. See the Internal network address.
  9. To see the client IP on the NetScaler, go to NetScaler Gateway, and on the right is Active user sessions.
  10. Select one of the views, and click Continue.
  11. The right column contains the Intranet IP.
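The split tunnel pieces from the Intranet Applications, DNS Suffix, and VPN Client IP Pools sections above, as CLI commands. This is an added example, not from the original post; the names VPN-Profile and VPN-GW, the suffix corp.example.com, and the 10.250.0.0/24 client pool are assumptions, and the upstream router still needs its own static route for 10.250.0.0/24 pointing at a NetScaler SNIP.

```nscli
set vpn sessionAction VPN-Profile -splitTunnel ON -splitDns BOTH
add vpn intranetApplication Intranet-10 ANY 10.0.0.0 -netmask 255.0.0.0 -destPort 1-65535 -interception TRANSPARENT
bind vpn vserver VPN-GW -intranetApplication Intranet-10
add dns suffix corp.example.com
bind vpn vserver VPN-GW -intranetIP 10.250.0.0 255.255.255.0
set vpn sessionAction VPN-Profile -iip NOSPILLOVER
show vpn vserver VPN-GW
```

With Split Tunnel ON, only 10.0.0.0/8 enters the tunnel, so anything the Authorization Policies are meant to protect must also fall inside an Intranet Application, otherwise the client simply sends it outside the tunnel.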

StoreFront in Gateway Clientless Access Portal

If you enabled the RfWebUI theme, then no StoreFront configuration is necessary.

But if you want to embed StoreFront in the other Gateway themes (X1, Default, Green Bubble), then follow these instructions.

  1. On StoreFront, edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\web.config.
    1. On the bottom, there are three sections containing X-Frame-Options. Change all three of them from deny to allow.
    2. Also change frame-ancestors from none to self.
  2. In NetScaler, go to NetScaler Gateway > Global Settings, and click Configure Domains for Clientless Access.
  3. Change the selection to Allow Domains, enter your StoreFront FQDN, and click the plus icon.
  4. Click OK.
  5. In a Session Policy/Profile:
    1. On the Client Experience tab, make sure Single Sign-on to Web Applications is enabled.
    2. On the Published Applications tab, configure the Web Interface Address to point to the StoreFront Receiver for Web page.
    3. Configure the Single Sign-on domain to match what’s configured in StoreFront.
    4. You might have to override the Web Interface Portal Mode. Source = NetScaler Gateway 11 and Clientless access at Citrix Discussions. 💡
  6. The Applications page of the 3-page portal (e.g. X1 theme) should automatically show the StoreFront published icons.

Quarantine Group

NetScaler Gateway can be configured so that if Endpoint Analysis scans fail, then the user is placed into a Quarantine Group. You can bind session policies, authorization policies, etc. to this quarantine group. Policies bound to other AAA groups are ignored.

  1. Go to NetScaler Gateway > User Administration > AAA Groups.
    1. Add a new local group for your Quarantined Users. This group is local, and does not need to exist in Active Directory.
    2. Bind session policies, authorization policies, etc. to your quarantine AAA group. These policies typically allow limited access to the internal network so users can remediate. Or, it might simply display a webpage telling users how to become compliant.
    3. The Session Policy bound to the Quarantine Group is usually different than the Session Policies bound to other AAA groups. You can use the variation in Session Policy names for SmartAccess.
      1. One option is to configure the Delivery Groups > Access Policy so that icons are shown for Session Policies bound to non-quarantine AAA Groups, but not for the Session Policy that is bound to the Quarantine Group.
      2. Another option is to configure Citrix Policies > Access Control to disable functionality for the Quarantine Group Session Policy, but not for other AAA Group Session Policies.
  2. Create or edit a Session Profile to include a Client Security Expression that checks for compliance.
    1. In the Session Profile, on the Security tab, check the box next to Advanced Settings.
    2. Scroll down, and check the box to the right of Client Security Check String.
    3. Use the Editor links to add an Endpoint Analysis expression.
    4. Just below the Client Security Check String, select the previously created Quarantine Group. If the Client Security Check String EPA Scan fails, then the failed users are added to the Quarantine Group and removed from all other AAA Groups.
  3. Click Create when done creating or editing the Session Profile.
  4. Create a Session Policy for the Session Profile that contains the Client Security Check String.
    1. Enter ns_true as the expression.
    2. Then click Create.
  5. Edit your Gateway Virtual Server, and bind the Session Policy/Profile that has the Client Security Check String configured.


  6. To troubleshoot Quarantine policies, use the command nsconmsg -d current -g pol_hits.
  7. NetScaler MAS Gateway Insight shows users that failed EPA scans, and their quarantine status.

NetScaler Gateway 12 – RDP Proxy

Last Modified: Mar 11, 2018 @ 10:32 am


RDP Proxy Overview

NetScaler supports RDP Proxy through NetScaler Gateway. No VPN required. RDP can connect through NetScaler Gateway on port 443.

There are several ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

  • Bookmarks on the Clientless Access portal page.
    • Bookmarks can be defined by the administrator.
    • Or users can add their own RDP bookmarks.
  • After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.
  • In the RfWebUI Portal Theme, the Bookmark link lets users enter an RDP address, and click Go.

Requirements

Here are some requirements for RDP Proxy:

  • NetScaler Enterprise Edition or Platinum Edition.
  • NetScaler Gateway Universal Licenses for each user.
    • Most NetScaler Editions come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler Platinum Edition = unlimited licenses. See Feature Licensing in the Gateway Tweaks post.
  • TCP 443 opened to the NetScaler Gateway Virtual Server.
  • TCP 3389 opened from the NetScaler SNIP to the RDP Servers.

Configuration

Enable RDP Proxy Feature

  1. Go to System > Settings, and click Configure Advanced Features.
  2. In the left column, near the bottom, check the box for RDP Proxy, and click OK.

Create RDP Proxy Profile

  1. Expand NetScaler Gateway, expand Policies, and click RDP.
  2. On the right, switch to the Client Profiles tab, and click Add.

    1. Give the RDP Client Profile a name, and configure it as desired. Scroll down.
    2. For the RDP Cookie Validity field, Citrix CTX233207 says that after an HA failover, the RDP Proxy session will not reconnect if the cookie has expired. 💡
    3. It is no longer necessary to configure a Pre shared key or RDP Host. Just click Create.
  3. It is no longer necessary to create a RDP Server Profile.

Create RDP Bookmarks

  1. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
  2. Alternatively, Simon Gottschlag Publish RDP Proxy Link via StoreFront shows how NetScaler Rewrite can insert an RDP Proxy link into a StoreFront web page.
  3. On the right, click Add.

    1. Give the Bookmark a name.
    2. For the URL, enter rdp://MyRDPServer using IP or DNS (FQDN).
    3. Check the box next to Use NetScaler Gateway As a Reverse Proxy.
  4. Click Create.
  5. Create more bookmarks as desired.

Edit a Session Profile

  1. Create or edit a Session Profile.
  2. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
  3. On the Remote Desktop tab, check Override Global, and select the RDP Client Profile you created earlier.
  4. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
  5. On the Published Applications tab, make sure ICA Proxy is OFF.
  6. Click OK when done.

Edit NetScaler Gateway Virtual Server

  1. Edit or Create your Gateway Virtual Server.
  2. In the Basic Settings section, click the pencil icon to edit it, and click More to show more settings.

    1. It is no longer necessary to bind a RDP Server Profile. Instead, RDP is proxied through 443 on the Gateway.
    2. Scroll down. Make sure ICA Only is not checked. This means you’ll need NetScaler Gateway Universal licenses for each user that connects through this Gateway.
    3. Click OK to close the Basic Settings section.
  3. Bind a certificate.
  4. Bind authentication policies.
  5. In the Policies section, bind the Session Policy that has the RDP Client Profile configured.


  6. You can bind RDP Bookmarks to either the NetScaler Gateway Virtual Server, or to a AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
  7. On the left, in the Published Applications section, click where it says No Url.
  8. Bind your Bookmarks.

  9. While editing your Gateway vServer, you can also enable the RfWebUI Portal Theme.

Configure DNS

  1. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
  2. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).

Use RDP Proxy

  1. Connect to your Gateway and login.
  2. If you configured Bookmarks and are using the RfWebUI theme, on the Apps tab, click Web and SaaS Apps.

    1. With the X1 theme, the bookmarks are on the Web Apps page.
  3. With the RfWebUI theme, you can click Details to mark the Bookmark as a Favorite.

  4. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. rdpproxy/192.168.1.50) or a DNS name (/rdpproxy/myserver).
  5. If you edit the downloaded .rdp file, notice that it’s connecting on port 443.
  6. Then open the downloaded .rdp file.
  7. You can view the currently connected RDP users by going to NetScaler Gateway > Policies > RDP, and on the right, is the Connections tab.

Personal Bookmarks

  1. If using the RfWebUI theme, another way to launch RDP sessions is to click the Bookmark link, enter a destination DNS/IP, check the box next to RDP Link, and click Go.
  2. You can also give the Bookmark a name and Save it.
  3. Then access the saved bookmark from Apps > Personal Bookmarks.

  4. Personal bookmarks are stored in /var/vpn/bookmark on the appliance. You might want to back these up and replicate them to other Gateway appliances participating in GSLB. See NetScaler 11.1 Personal Bookmarks at Citrix Discussions.
  5. The X1 theme has an Add button on the Web Apps page.
  6. But there is no Go button. Instead, you save the Bookmark and launch it from the list.

SmartAccess / SmartControl – NetScaler Gateway 12

Last Modified: Jun 4, 2018 @ 6:08 am


SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings, hide icons) based on how users connect to NetScaler Gateway. Decisions are based on NetScaler Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.

SmartAccess vs SmartControl:

  • SmartAccess lets you control visibility of published icons, while SmartControl does not.
  • SmartControl is configured exclusively on NetScaler, while SmartAccess requires configuration on both NetScaler, and inside Citrix Studio.
  • SmartControl requires NetScaler Platinum Edition licensing, while SmartAccess is available in all NetScaler Editions.
    • Both features require NetScaler Gateway Universal licenses for every concurrent connection.

Prerequisites

Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in XenApp/XenDesktop at any time, but it won’t work until you do the following:

  1. NetScaler appliance license: See Feature Licensing in the Gateway Tweaks post. In summary:
    • SmartAccess is available in all editions of NetScaler appliances.
    • SmartControl is available only in NetScaler Platinum Edition.
  2. NetScaler Gateway Universal Licenses – On the NetScaler, go to System > Licenses, and make sure you have NetScaler Gateway Universal Licenses allocated to the appliance.
    1. Most NetScaler Editions (except NetScaler Gateway Enterprise VPX) come with built-in Gateway Universal licenses: NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1,000 licenses, and NetScaler Platinum Edition = unlimited licenses.
    2. Additional NetScaler Gateway Universal licenses can be acquired through other means. See Feature Licensing in the Gateway Tweaks post for details.
    3. The Universal licenses are allocated to the hostname of the appliance (click the gear icon to change it), not the MAC address. In a High Availability pair, if each node has a different hostname, then you can allocate the licenses to one hostname, then reallocate to the other hostname. See Feature Licensing in the Gateway Tweaks post for details.

  3. NetScaler Gateway must have ICA Only unchecked.
    1. On the NetScaler, go to NetScaler Gateway > Virtual Servers, and edit your Gateway Virtual Server.
    2. In the Basic Settings section, click the pencil icon.
    3. Click More.
    4. Uncheck the box next to ICA Only, and click OK. This tells NetScaler Gateway to start using Universal licenses, and enables the SmartAccess and SmartControl features.
  4. Enable Trust XML on the XenDesktop Site/Farm:
    1. On a XenApp/XenDesktop Controller, run PowerShell as Administrator.
    2. Run asnp citrix.* to load the snapins.
    3. Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
  5. Configure Callback URL in StoreFront:
    1. In StoreFront Console, right-click the Stores node, and click Manage NetScaler Gateways.
    2. Edit a Gateway.
    3. On the Authentication Settings page, make sure a Callback URL is configured. The Callback URL must resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external, then the Callback FQDN must be different than the Single FQDN.

Once the prerequisites are in place, do the following as detailed below:

Endpoint Analysis

Endpoint Analysis (EPA) scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices, and only from a web browser (not from native Receiver). Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

EPA Policies

There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

  • With a Preauthentication Policy, if the Endpoint Analysis scan fails, then users can’t login.
  • With a Postauthentication Policy, Endpoint Analysis doesn’t run until after the user logs in. Typically, you create multiple Session Policies. One or more Session Policies have Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there’s a fallback in case the client device doesn’t support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.
    • Inside the Session Profile is a field for Client Security expression, which supports an EPA expression. This field is for VPN only, and does not affect SmartAccess.

Preauthentication Policies and Profiles are configured at NetScaler Gateway > Policies > Preauthentication.

  1. On the right, switch to the Preauthentication Profiles tab, and create a Preauthentication Profile to allow access.

  2. Switch to the Preauthentication Policies tab, and create a Preauthentication Policy with an EPA expression. Select the Request Action that allows access.

  3. The right side of the Expression box has links to create EPA expressions, as detailed below.

Post-authentication Policies and Profiles are configured at NetScaler Gateway > Policies > Session.

  1. When creating a Session Policy, the right side of the Expression box has links to create EPA expressions, as detailed below. Note: In NetScaler 12 build 51, the OPSWAT EPA Editor link does not work correctly. But you can use the OPSWAT EPA Editor on a Preauthentication Policy, and then copy the expression to a Session Policy.
  2. Classic Syntax vs Default Syntax – EPA expressions can only be added to Classic Syntax Policies. If you click Switch to Default Syntax, then the OPSWAT EPA Editor disappears.
  3. If you edit a Session Profile, on the Security tab…
  4. Under Advanced Settings, you will see a Client Security Check String box that lets you enter an EPA Expression. This field applies to VPN only, and does not affect SmartAccess.

EPA Expressions

NetScaler has two Endpoint Analysis engines: the original Client Security engine, and the newer OPSWAT EPA engine.

  • Both EPA expression types require the Session Policy to be Classic Syntax. If you see any messages about Classic Syntax being deprecated, ignore those messages.

OPSWAT EPA Expressions

To configure OPSWAT EPA expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
  2. Use the drop-down menus to select the scan criteria.
  3. You will see some fields with a plus icon that lets you configure more details for the scan.

    • Note: the text in these policy expressions is case sensitive.
  4. Then click Done.

Original Client Security Expressions

To configure the original Client Security expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
  2. Change the Expression Type to Client Security.
  3. Use the Component drop-down to select a component.
    1. A common configuration is to check for domain membership as detailed at Citrix CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.
    2. See also Citrix CTX128039 How to Configure a Registry-Based EPA Scan Expression on NetScaler to Look for the Active Device or Computer Name of an Explicit Workstation.

Once the Preauthentication and/or Session Policies are created, bind them to your NetScaler Gateway Virtual Server:

  1. Edit a NetScaler Gateway Virtual Server.
  2. Scroll down to the Policies section, and click the plus icon.
  3. Select either Preauthentication or Session, and select the policy you already created. Then click Bind.
  4. Session Policies with EPA Expressions are typically higher in the list (lower priority number) than non-EPA Session Policies.

EPA Libraries 💡

In NetScaler 12.0 build 57 and newer, the EPA Libraries are updated out-of-band.

  1. Download the latest EPA libraries.
  2. In the NetScaler menu, click NetScaler Gateway node.
  3. On the right, in the left column, click Upgrade EPA Libraries.
  4. Click Choose File.
  5. Browse to one of the .tgz library files, and click Open.
  6. Click Upgrade.
  7. Click OK when prompted that EPA Library upgraded successfully.
  8. Click Upgrade EPA Libraries again.
  9. Click Choose File.
  10. Browse to the other .tgz EPA library file, and click Open.
  11. Click Upgrade.
  12. Click OK when prompted that the EPA Library upgraded successfully.
  13. To see the versions, click Upgrade EPA Libraries.

EPA Plug-in

The EPA plug-in is automatically deployed when the user connects to NetScaler Gateway – either before the logon page, or after the logon page.

To pre-deploy EPA plug-in, see CTX124649 How to Deploy NetScaler Gateway Plug-in and Endpoint Analysis Installer Packages for Windows by Using Active Directory Group Policy. This article describes how to extract the plug-in .msi file, and deploy using Group Policy.

EPA and Portal Themes

The webpages displayed to the user when downloading the EPA plug-in and running the EPA plug-in can be customized by editing a Portal Theme.

Look in the Advanced Settings column on the right for the three EPA pages. See Citrix CTX222812 How to Customize Custom Error Messages for NetScaler Gateway EPA Scans.

EPA Troubleshooting

From Citrix CTX209148 Understanding/Configuring EPA Verbose Logging Feature:

  1. Go to NetScaler Gateway > Global Settings.
  2. On the right, click Change Global Settings.
  3. On the Security tab, click Advanced Settings.
  4. Scroll down, check the box next to Enable Client Security Logging, and click OK.
  5. When the scan fails, the user is presented with a Case ID.
  6. You can then grep /var/log/ns.log for the Case ID. Or search your syslog.

For client-side logging, on the client machine, go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

  • Make a DWORD value named "EnableEPALogging", and set the value to 1.
  • After attempting the scan again, you’ll find the file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.

NetscalerAssasin EPA OPSWAT Packet flow and Troubleshooting shows a Wireshark trace of an EPA scan.

SmartAccess

Make sure the prerequisites are completed. This includes:

  • ICA Only unchecked on NetScaler Gateway Virtual Server
  • Gateway Universal licenses installed
  • Callback URL configured at StoreFront
  • Trust XML enabled on Delivery Controllers

SmartAccess is configured in two places:

  • Delivery Group > Access Policy page
  • Citrix Policy (user half only) > filters > Access control

In both cases, you enter the name of a matching Gateway Virtual Server, and the name of a matching Session Policy (or Preauthentication Policy).

  • Set AG farm name or Site or Farm name to the name of the NetScaler Gateway Virtual Server.
  • Set Access condition or Filter to the name of the NetScaler Gateway Session Policy (or Preauthentication Policy).
  • You can use * as a wildcard in either field.
  • The matching NetScaler Gateway Session Policy typically has an EPA Expression configured in the Policy Rule. That way the Session Policy only applies to connections that match the EPA Expression.

Icon visibility – Access Control at the Delivery Group controls visibility of icons published from that Delivery Group.

  • Access Control on a Delivery Group is Allow only. Icons are hidden from non-matching connections.
  • You can uncheck Connections through NetScaler Gateway to hide the published icons from all NetScaler Gateway connections.
  • It’s not possible to hide individual published applications. You can hide all applications from a single Delivery Group, or none of them. If you need more granularity, then you’ll have to split the applications onto different Delivery Groups.
  • App Groups do not have an Access Control option. It’s Delivery Groups only.

Citrix Policy Settings – Access Control filter on a Citrix Policy determines if the Policy settings apply or not.

  • Access Control filter applies to User Settings only. It’s not configurable for Computer Settings.
  • You typically configure the Unfiltered Citrix Policy to block all client device mappings. Then you configure a higher priority Citrix Policy with Access Control filter to re-enable client device mappings for endpoint machines that match the Session Policy and EPA Expression.

When connected to a session, Director shows SmartAccess Filters on the Session Details page. Notice the Farm Name (Gateway Virtual Server name) and Filter Name (Session Policy name).

SmartControl

The SmartControl feature lets you configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at Citrix Docs for detailed instructions.

  • Note: SmartControl requires NetScaler Platinum Edition. If you don’t have Platinum Edition, you can instead configure SmartAccess.
  • SmartControl cannot hide published icons. If you need that functionality, configure SmartAccess, either as a replacement for SmartControl, or as an addition to SmartControl.

To configure SmartControl:

  1. Make sure the Prerequisites are completed. This includes: ICA Only unchecked, Gateway Universal licenses installed, Callback URL configured at StoreFront, and Trust XML enabled on Delivery Controllers.
  2. If you are using a Preauthentication Policy to run an Endpoint Analysis scan:
    1. Edit the Preauthentication Profile.
    2. Configure the Default EPA Group with a new group name. You’ll use this group name later.
  3. If you are instead using a Session Policy to run the post-authentication Endpoint Analysis scan:
    1. Edit the Session Profile
    2. On the Security tab, use the Smartgroup field to define a new group name for users that pass the scan. You’ll use this group name later.
  4. On the left, expand NetScaler Gateway, expand Policies, and click ICA.
  5. On the right, switch to the Access Profiles tab, and click Add.

    1. Configure the restrictions as desired, and click Create.
  6. Switch to the ICA Action tab, and click Add.

    1. Give the ICA Action a name.
    2. Select the ICA Access Profile.
    3. Click Create.
  7. Switch to the ICA Policies tab, and click Add.
  8. In the Create ICA Policy page, do the following:
    1. Give the ICA Policy a name.
    2. Select the previously created ICA Action.
    3. Enter an expression. You can use HTTP.REQ.USER.IS_MEMBER_OF("MyGroup").NOT where MyGroup is the name of the SmartGroup you configured in the session profile or preauth scan.
  9. Click Create when done.
  10. Edit your Gateway Virtual Server.
    1. Scroll down to the Policies section, and click the plus icon.
    2. Change the Choose Type drop-down to ICA, and click Continue.
    3. Select the SmartControl policy you created earlier, and click Bind.
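The SmartControl objects from the steps above as CLI commands, an added example that is not from Citrix’s documentation or the original post. VPN-Profile-EPA, the Smartgroup name EPA-Pass, the Gateway vServer VPN-GW, and the three redirection switches are assumptions; the policy rule applies the restricted ICA Access Profile only to users who did not land in EPA-Pass, that is, users whose post-authentication scan failed.

```nscli
set vpn sessionAction VPN-Profile-EPA -smartGroup EPA-Pass
add ica accessprofile ICA-Restricted -ClientDriveRedirection DISABLED -ClientClipboardRedirection DISABLED -ClientUSBDriveRedirection DISABLED
add ica action ICA-Restricted-Action -accessProfileName ICA-Restricted
add ica policy ICA-Restrict-NonCompliant -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"EPA-Pass\").NOT" -action ICA-Restricted-Action
bind vpn vserver VPN-GW -policy ICA-Restrict-NonCompliant -priority 100 -type ICA_REQUEST
show ica policy ICA-Restrict-NonCompliant
```

Run help add ica accessprofile on the appliance to see every redirection switch the access profile supports before deciding which ones the non-compliant group should lose.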

NetScaler Gateway 12 RADIUS Authentication

Last Modified: May 27, 2018 @ 5:50 pm


RADIUS Overview

One method of two-factor authentication to NetScaler Gateway is the RADIUS protocol with a two-factor authentication product (tokens) that has RADIUS enabled.

RADIUS Clients and Source IP – On your RADIUS servers, you’ll need to add the NetScaler appliances as RADIUS Clients. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the NetScaler appliances as RADIUS Clients. And adjust firewall rules accordingly.

  • For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client, since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS, then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.

Some two-factor products (e.g. SMS Passcode) require you to hide the 2nd password field. Receiver 4.4 and newer supports hiding the 2nd field if you configure a Meta tag in index.html.

Two-factor Policies Summary

NetScaler has two methods of multi-factor:

  • NetScaler Gateway Virtual Server has bind points for Primary and Secondary authentication. This functionality is available in all NetScaler Editions and is detailed in this post.
  • nFactor Authentication supports unlimited factors, but requires NetScaler Enterprise Edition or NetScaler Platinum Edition.

See the NetScaler 12 page for additional authentication mechanisms supported by NetScaler 12. Some require nFactor.

When configuring the NetScaler Gateway Virtual Server, you can specify both a Primary authentication policy, and a Secondary authentication policy. Users are required to successfully authenticate against both policies before being authorized for NetScaler Gateway.

For browser-based StoreFront, you need two authentication policies:

  • Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
  • Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Receiver Self-service (native Receiver on mobile, Windows, and Mac), the authentication policies are swapped:

  • Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
  • Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support two-factor authentication from both web browsers and Receiver Self-Service, then you’ll need at least four authentication policies as shown below.

Primary:

  • Priority 90 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Secondary:

  • Priority 90 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Create Two-factor Policies

Create an LDAP Server/Action

See the LDAP post for instructions. Only the server/action is needed. The Policies will be created later.

Create a RADIUS Server/Action

  1. On the left, expand Authentication, and click Dashboard.
  2. On the right, click Add.
  3. Change Choose Server Type to RADIUS.
  4. Give the server a name.
  5. Specify the IP address of the RADIUS load balancing Virtual Server.
  6. Enter the secret key specified when you added the NetScalers as RADIUS clients on the RADIUS server. Click Test Connection.
  7. If you want NetScaler to receive AAA Group information from RADIUS, see CTX222260 Radius Group Extraction from Windows Server 2008/2012 with NetScaler/CloudBridge. 💡
    • RADIUS attribute = 26 (Vendor-Specific)
    • Vendor Code = 3845 (Citrix)
    • Vendor-assigned attribute number = any number (e.g. 1). Configure RADIUS policy on NetScaler with same attribute number.
    • Attribute value = Group Name
  8. Scroll down, and click Create.

    add authentication radiusAction RSA -serverIP 10.2.2.210 -serverPort 1812 -radKey Passw0rd
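As an added example (not from the original page or from Citrix), this Python script encodes and parses RADIUS Vendor-Specific attributes (type 26, RFC 2865) carrying Citrix group names under Vendor-Id 3845, which is the format the group-extraction steps above depend on. The vendor-assigned attribute number 1, the sample attribute list and the one-group-per-VSA layout are assumptions.

```python
"""Added example, not from the original page: build and parse RADIUS
Vendor-Specific attributes (type 26) that carry Citrix group names.
Vendor-Id 3845 is Citrix; vendor-type 1 is the assumed attribute number
that must also be configured on the NetScaler RADIUS action."""
import struct

RADIUS_VENDOR_SPECIFIC = 26
CITRIX_VENDOR_ID = 3845
GROUP_VENDOR_TYPE = 1  # assumed; any number works as long as both sides agree


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one VSA: Type=26, Length, Vendor-Id, Vendor-Type, Vendor-Length, String.
    Both Length fields include their own header bytes (RFC 2865 section 5.26)."""
    if len(value) > 255 - 8:  # 2 outer header + 4 vendor id + 2 inner header
        raise ValueError("VSA value too long for a single attribute")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, len(body) + 2) + body


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting
    malformed lengths instead of reading past the end of the buffer."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        yield atype, blob[off + 2:off + alen]
        off += alen


def extract_groups(blob: bytes, vendor_type: int = GROUP_VENDOR_TYPE) -> list:
    """Return the group names found in Citrix VSAs with the configured
    vendor type; VSAs from other vendors or other sub-types are ignored."""
    groups = []
    for atype, value in parse_attributes(blob):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != CITRIX_VENDOR_ID:
            continue
        # The vendor string may hold several sub-attributes; walk them all.
        inner, pos = value[4:], 0
        while pos + 2 <= len(inner):
            vtype, vlen = inner[pos], inner[pos + 1]
            if vlen < 2 or pos + vlen > len(inner):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == vendor_type:
                groups.append(inner[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return groups


# Constructed Access-Accept attribute list: a Class attribute (type 25),
# two Citrix group VSAs (one group per VSA), and an unrelated vendor's VSA.
SAMPLE_ATTRIBUTES = (
    bytes([25, 6]) + b"\x00\x00\x00\x01"
    + build_vsa(CITRIX_VENDOR_ID, GROUP_VENDOR_TYPE, b"CitrixRemote")
    + build_vsa(CITRIX_VENDOR_ID, GROUP_VENDOR_TYPE, b"VPN-Users")
    + build_vsa(311, 1, b"ignored")  # vendor 311 is not Citrix
)

if __name__ == "__main__":
    print(extract_groups(SAMPLE_ATTRIBUTES))
```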

Create Authentication Policies for LDAP and RADIUS

  1. Since you can’t create authentication policies from the authentication dashboard, go to NetScaler Gateway > Policies > Authentication > RADIUS.
  2. On the right, in the Policies tab, click Add.
  3. Name it RSA-ReceiverSelfService or similar.
  4. Select the RADIUS server created earlier.
  5. Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver. Note: NetScaler 12 does not natively support Advanced Authentication Policies so you’ll have to create them as Basic Policies (classic expressions).
  6. Click Create.
  7. If you see a warning about deprecation, click OK, and ignore it.
  8. Create another RADIUS policy to match the ones shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS):
    Name                      Expression                                              Server
    RSA-ReceiverSelfService   REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver      RSA
    RSA-ReceiverForWeb        REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver   RSA

  9. Go to the NetScaler Gateway\Policies\Authentication\LDAP node.
  10. On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).
    Name                           Expression                                              Server
    LDAP-Corp-ReceiverSelfService  REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver      LDAP-Corp
    LDAP-Corp-ReceiverForWeb       REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver   LDAP-Corp

add authentication radiusPolicy RSA-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA

add authentication radiusPolicy RSA-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA

add authentication ldapPolicy Corp-Gateway-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway

add authentication ldapPolicy Corp-Gateway-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway

Bind Two-factor Policies to Gateway

  1. When you create or edit a NetScaler Gateway Virtual Server, bind the Basic Authentication Policies as shown in the following table. Priority doesn’t matter because they are mutually exclusive.
    Policy Name                    Type    Bind Point
    LDAP-Corp-ReceiverForWeb       LDAP    Primary
    RSA-ReceiverSelfService        RADIUS  Primary
    LDAP-Corp-ReceiverSelfService  LDAP    Secondary
    RSA-ReceiverForWeb             RADIUS  Secondary

    bind vpn vserver gateway.corp.com -policy Corp-Gateway-ReceiverForWeb -priority 100
    
    bind vpn vserver gateway.corp.com -policy RSA-ReceiverSelfService -priority 110
    
    bind vpn vserver gateway.corp.com -policy RSA-ReceiverForWeb -priority 100 -secondary
    
    bind vpn vserver gateway.corp.com -policy Corp-Gateway-ReceiverSelfService -priority 110 -secondary
    
  2. The Session Policy/Profile for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to Primary.

    set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
  3. On the StoreFront server, when creating the NetScaler Gateway object, on the Authentication Settings page, change the Logon type to Domain and security token. This instructs Receiver to properly handle two-factor authentication. If you change this setting after Receiver has already performed discovery, then users might have to remove the Account from Receiver and re-add it.
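As an added example (not part of the original page or of Citrix's own tooling), this Python script evaluates the classic User-Agent expressions from the Two-factor Policies Summary and the binding table above, checks that any request matches exactly one Primary and one Secondary policy, and reports which bind point receives the Active Directory password (the Credential Index). The sample User-Agent strings and the case-sensitive substring test are assumptions.

```python
"""Added example, not from the original page: evaluate the classic
User-Agent expressions used by the two-factor policy pairs and check that
any request matches exactly one Primary and one Secondary policy."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str         # "LDAP" or "RADIUS"
    expression: str   # classic syntax: REQ.HTTP.HEADER <name> CONTAINS|NOTCONTAINS <value>
    bind_point: str   # "Primary" or "Secondary"


# Constructed binding table using the policy names from this page.
BINDINGS = [
    Policy("LDAP-Corp-ReceiverForWeb", "LDAP",
           "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver", "Primary"),
    Policy("RSA-ReceiverSelfService", "RADIUS",
           "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver", "Primary"),
    Policy("LDAP-Corp-ReceiverSelfService", "LDAP",
           "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver", "Secondary"),
    Policy("RSA-ReceiverForWeb", "RADIUS",
           "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver", "Secondary"),
]

_CLASSIC = re.compile(
    r"^REQ\.HTTP\.HEADER\s+(?P<header>\S+)\s+(?P<op>CONTAINS|NOTCONTAINS)\s+(?P<value>\S+)$")


def classic_matches(expression: str, headers: dict) -> bool:
    """Evaluate one classic header expression against request headers.
    Header names are compared case-insensitively; the substring test is
    assumed to be a literal, case-sensitive match."""
    m = _CLASSIC.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported classic expression: {expression!r}")
    wanted = m["header"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    found = m["value"] in value
    return found if m["op"] == "CONTAINS" else not found


def select_policies(headers: dict, bindings=BINDINGS) -> dict:
    """Return {"Primary": Policy, "Secondary": Policy} for a request, or raise
    if the bindings are not mutually exclusive (zero or several matches)."""
    chosen = {}
    for bind_point in ("Primary", "Secondary"):
        hits = [p for p in bindings
                if p.bind_point == bind_point and classic_matches(p.expression, headers)]
        if len(hits) != 1:
            raise RuntimeError(
                f"{bind_point}: expected exactly one match, got {[p.name for p in hits]}")
        chosen[bind_point] = hits[0]
    return chosen


def ad_password_bind_point(chosen: dict) -> str:
    """Bind point whose policy is LDAP: that is where the AD password lands,
    so it is the Credential Index (ssoCredential) the session profile needs."""
    for bind_point, policy in chosen.items():
        if policy.kind == "LDAP":
            return bind_point.upper()
    raise RuntimeError("no LDAP policy selected; SSO to StoreFront cannot work")


# Constructed sample requests.
RECEIVER = {"User-Agent": "CitrixReceiver/4.9 Windows"}
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/59.0"}

if __name__ == "__main__":
    for label, req in (("Receiver", RECEIVER), ("Browser", BROWSER)):
        sel = select_policies(req)
        print(label, {k: v.name for k, v in sel.items()},
              "ssoCredential =", ad_password_bind_point(sel))
```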

NetScaler Gateway 12 Tweaks

Last Modified: Mar 21, 2018 @ 7:26 am

NetScaler Gateway Feature Licensing

Here is a listing of some NetScaler Gateway features and the licenses they require:

Feature                                  NetScaler Editions             Universal Licenses?
StoreFront Load Balancing                Standard/Enterprise/Platinum
Global Server Load Balancing (GSLB)      Enterprise/Platinum
ICA Proxy and StoreFront Proxy           All
Two-factor Auth (RADIUS)                 All
StoreFrontAuth (nFactor)                 Enterprise/Platinum
nFactor Authentication                   Enterprise/Platinum
Native OTP Authentication (nFactor)      Enterprise/Platinum
HDX Insight (AppFlow)                    Enterprise/Platinum
SmartAccess                              All                            Yes
SmartControl                             Platinum                       Yes
RDP Proxy                                Enterprise/Platinum            Yes
SSL VPN                                  All                            Yes
PCoIP Proxy                              Enterprise/Platinum            Yes
Unified Gateway                          Enterprise/Platinum            Yes
Citrix SCOM MP for NetScaler             Platinum

All Editions = NetScaler Gateway Enterprise VPX, NetScaler Standard, NetScaler Enterprise, and NetScaler Platinum.

  • NetScaler Gateway Enterprise VPX is the cheap VPX appliance that only does NetScaler Gateway. It doesn’t even do Load Balancing.
  • NetScaler Enterprise Edition is the minimum edition for many Gateway features, and thus is recommended for all Gateway purchases.

Gateway Universal Licenses – many NetScaler Gateway features require NetScaler Gateway Universal licenses for each concurrent connection to the NetScaler Gateway Virtual Server. See the above table for which features require these licenses.

When you create a NetScaler Gateway Virtual Server, in the Basic Settings section, the ICA Only setting determines whether you need NetScaler Gateway Universal licenses. If ICA Only is set to true, then the features that require Universal Licenses are disabled. If ICA Only is set to false, then you need a NetScaler Gateway Universal license for every user that connects to this NetScaler Gateway Virtual Server.

Most editions of NetScaler include Universal licenses:

  • NetScaler Gateway Enterprise VPX does not come with any Gateway Universal Licenses
  • NetScaler Standard Edition comes with 500 Gateway Universal Licenses
  • NetScaler Enterprise Edition comes with 1,000 Gateway Universal Licenses
  • NetScaler Platinum Edition comes with unlimited Gateway Universal Licenses

If your NetScaler Edition does not include a sufficient number of Universal Licenses for your user load, then you can acquire these licenses through other means:

  • XenApp/XenDesktop Platinum Edition includes Gateway Universal licenses for each licensed user
  • XenMobile App Edition and XenMobile Enterprise Edition include Gateway Universal licenses for each licensed user
  • “a la carte” NetScaler Gateway Universal Licenses – these are very inexpensive

You can install more Gateway Universal licenses on the NetScaler appliance. The Gateway Universal licenses are allocated to the case sensitive hostname of each appliance. If you have an HA pair, and if each node has a different hostname, then allocate the Gateway Universal licenses to the first hostname, and then reallocate the same licenses to the other hostname.

To see the hostname, click your username on the top right.

To change the hostname:

  1. Click the gear icon on the top right.
  2. Then click the third section.

Go to mycitrix.com, and allocate your purchased Gateway Universal licenses to the hostname of the appliance.

To upload the allocated Gateway Universal licenses to the appliance, go to System > Licenses > Manage Licenses. A reboot is required.

To see the number of installed Gateway Universal licenses:

  1. On the left, expand System, and click Licenses.
  2. On the right, in the Maximum NetScaler Gateway Users Allowed field is the number of licensed users for NetScaler Gateway Virtual Servers that are not set to ICA Only.

RFWebUI Portal Theme

Citrix Blog Post Branding your Deployment Part 2: Matching NetScaler to StoreFront explains NetScaler Gateway Portal Themes, how to edit the Portal Theme CSS, and warns about GUI changes overwriting CSS file changes.

If you want the logon page for NetScaler Gateway to look more like StoreFront 3.0 and newer, enable the built-in RfWebUI or X1 theme. RfWebUI is optimized for Unified Gateway (Clientless VPN) since it provides the exact same appearance and user experience as StoreFront 3.x. The Unified Gateway RfWebUI theme can display RDP Links, Web Links (bookmarks), PCoIP published icons, along with the familiar StoreFront apps and desktops. Note: RfWebUI requires StoreFront 3.6 or newer.

  1. Go to NetScaler Gateway > Virtual Servers, and edit an existing Virtual Server.
  2. If you see the Portal Themes section on the left:
    • Then click the pencil icon.
  3. If you don’t see Portal Themes on the left:
    • On the right, in the Advanced Settings section, click Portal Themes.
  4. On the left, change the Portal Theme drop-down to RfWebUI. Click OK.
  5. Click Done.

    bind vpn vserver gateway.corp.com -portaltheme RfWebUI
  6. When you access the NetScaler Gateway login page you’ll see the theme.
  7. If you want an idle timer for RfWebUI, see CTP Simon Gottschlag RfWebUI Idle Timeout. 💡
  8. If you have challenge-based RADIUS authentication, and if you need to remove the second password field from RfWebUI, see CTP Simon Gottschlag Remove “Password 2” from RfWebUI. 💡

Custom Portal Theme

You can create your own theme by starting from one of the built-in themes:

  1. Go to NetScaler Gateway > Portal Themes.
  2. On the right, click Add.
  3. Give the theme a name, select RfWebUI as the Template Theme, and click OK.
  4. In the Look and Feel section, there are two sub-sections: one for Home Page Attributes, and one for Common Attributes.
  5. The Home Page Attributes section is for Unified Gateway (aka VPN Clientless Access). Notice that the Websites Sections can be disabled.
  6. The Help Legend link at the top of the section shows you what the other fields modify.

  7. If you want to modify some attributes of the logon page, use the Common Attributes sub-section. The labels are changed later.
  8. The Help Legend link at the top of the Common Attributes section shows you what the fields modify.
  9. Make changes as desired, and click OK at the bottom of the page.
  10. After you click OK, the Language section appears.
  11. In the Language section, select a language, and click OK.
  12. On the right, in the Advanced Settings section, click Login Page.
  13. Make changes as desired (e.g. Password Field Titles), and click OK.
  14. At the top of the screen, click the link to Click to Bind and View Configured Theme.
  15. Select a Gateway Virtual Server, and click Bind and Preview. Notice that you can also bind Portal Themes to AAA vServers.
  16. The logon page is displayed.
  17. You could go to /var/netscaler/logon/themes/MyTheme/css and make more changes to custom.css, but this file gets overwritten any time you make a change in the Portal Themes section of the NetScaler GUI.
  18. Citrix CTX209526 NetScaler; How to Copy a Portal Theme from the Device running version 11.0 to another Device running 11.0.

Public DNS SRV Records

When a user launches Receiver, instead of typing in the Gateway FQDN, the user can enter an email address. Receiver uses the email suffix to lookup the Gateway FQDN. It does this by looking for an SRV record named _citrixreceiver._tcp in the email suffix’s domain (e.g. _citrixreceiver._tcp.corp.com). If you have multiple email suffixes, then you need to add the SRV record to each email suffix DNS zone.

Note: to eliminate certificate and/or trust prompts, the Gateway certificate must match discoverReceiver.email.suffix (e.g. discoverReceiver.corp.com). If you have multiple email suffixes, then you need the certificate to match every email suffix.

To enable email-based discovery, add a SRV record to each public email suffix DNS zone. Here are sample instructions for a Windows DNS server:

  1. In Server Manager, click Tools > DNS.
  2. In the left pane of DNS Manager, right-click your DNS domain, and click Other New Records.
  3. In the Resource Record Type dialog box, select Service Location (SRV), and then click Create Record.
  4. In the New Resource Record dialog box, do the following:
    1. In the Service box, enter the host value _citrixreceiver.
    2. In the Protocol box, enter the value _tcp.
    3. In the Port number box, enter 443.
    4. In the Host offering this service box, specify the fully qualified domain name (FQDN) for your NetScaler Gateway Virtual Server in the form servername.domain (e.g. gateway.company.com).
  5. Click OK to close the New Resource Record dialog box.
  6. Click Done to close the Resource Record Type dialog box.

Customize Logon Page

Logon Page Labels

When two factor authentication is configured on NetScaler Gateway, the user is prompted for User name, Password, and Password 2.

The Password field labels can be changed to something more descriptive, such as Active Directory or RSA:

To change the labels, edit a Portal Theme:

  1. Go to NetScaler Gateway > Portal Themes, and edit an existing theme. You can’t edit the built-in themes, so you’ll have to create one if you haven’t already.
  2. If you see the Login Page section on the left:
    • Click the pencil icon in the Login Page section.
  3. If you don’t see the Login Page section on the left:
    • On the right, in the Advanced Settings column, click Login Page to add it to the left.
  4. On the left, in the Login Page section, change the two Password fields to your desired text.
  5. Click OK to close the Login Page section.
  6. If you are using the RfWebUI theme, the default text size for the form field labels is 17px. However, the Portal Themes editor defaults to 12px. You can change it back to 16px or 18px by doing the following:
    1. In the Look and Feel section, click the pencil icon.
    2. Scroll down to the Common Attributes section.
    3. Change the Form Font Size drop-down to 16px or 18px.
    4. Click OK to close the Look and Feel section.
  7. In the Portal Theme section at the top of the page, you can Click to Bind and View Configured Theme to Preview your changes.
  8. You might have to invalidate the loginstaticobjects Integrated Caching Content Group (Optimization > Integrated Caching > Content Groups) before the changes appear. This seems to be true even if Integrated Caching is disabled.

Logon Security Message (Disclaimer, EULA)

You can force users to agree to a EULA before they are allowed to login.

Clicking the Terms & Conditions link allows the user to view the EULA text that you have entered.

Do the following to configure the EULA:

  1. Go to NetScaler Gateway > Resources > EULA.
  2. On the right, click Add.
  3. Give the EULA a name, and enter some text. You can even enter HTML code. See the example posted by Chris Doran at Citrix Discussions.
  4. Scroll down, and click Create.
  5. Edit a Gateway Virtual Server.
  6. On the right, in the Advanced Settings column, click EULA.
  7. On the left, in the EULA section, click where it says No EULA.
  8. Click where it says Click to select.
  9. Click the radio button next to the previously created EULA, and click Select.
  10. Click Bind.
  11. Mike Roselli at Automatic EULA Acceptance by Cookie Rewrite Guide at Citrix Discussions details Rewrite policies that change the behavior so that users only have to accept the EULA once. It records acceptance in a cookie.
  12. Sam Jacobs Adding an EULA for AAA Login at CUGC explains how to enable the EULA on the AAA logon page.

Theme File Customization

The original themes (Default, Green Bubble, and X1) use files from /netscaler/ns_gui/vpn/js and /var/netscaler/logon/themes. A commonly edited file is /netscaler/ns_gui/vpn/js/gateway_login_form_view.js since this file is responsible for rendering the logon form.

The new RfWebUI theme is different than the original themes, because it pulls files from /var/netscaler/logon/LogonPoint/receiver. This means the customizations for NetScaler 11.0 won’t work with the new RfWebUI theme. When reviewing customization guides for NetScaler 11, be aware that most of them won’t work for the RfWebUI theme.

Citrix CTX202444 How to Customize NetScaler Gateway 11 logon Page with Links shows how to add links to the NetScaler Gateway 11 logon page. This only works in the Default, Green Bubble, and X1 themes (no RfWebUI theme).

Other Customizations

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part 2 at CUGC explains how to add text to the RfWebUI theme logon page. The process for RfWebUI is quite different than the older themes:

  • Text is stored in /var/netscaler/logon/themes/<theme>/strings.<language code>.json
  • Custom CSS is stored in /var/netscaler/logon/themes/<theme>/css/theme.css

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part 1 at CUGC explains how to modify custom.css and en.xml to add text below the logon box on the Logon Page. No Rewrite policies or source code modifications needed.

Citrix CTX215817 NetScaler : How to Customize Footer of NetScaler Gateway Login Page. This article does not work with the RfWebUI theme, but it works with the X1 theme.

Mike Roselli at Netscaler 11 Theme Customization – How to Add Links and Verbiage at Citrix Discussions has sample rewrite policies to customize the NetScaler Gateway logon page with additional HTML.

 

Craig Tolley Customising the NetScaler 11 User Interface – Adding Extra Content: add new sections to login page. These sections pull content from local HTML files.

 

Daniel Ruiz Set up a maintenance page on NetScaler Gateway: configure a Responder policy (see the blog post for sample HTML code). During maintenance, manually bind the Responder policy to the Gateway. Manually remove the policy after maintenance is complete.

UDP Audio Through Gateway

From John Crawford at Citrix Discussions and Marius Sandbu Enabling Citrix Receiver audio over Netscaler Gateway with DTLS

Note: Enabling DTLS on the Gateway also enables the Gateway to support EDT (Adaptive Transport) and Framehawk.

Requirements for UDP Audio:

  • Citrix Receiver 4.2 or newer
  • UDP 443 allowed to NetScaler Gateway Virtual Server
  • UDP 16500-16509 allowed from NetScaler SNIP to the VDAs

To enable UDP Audio through Gateway, make changes on both the NetScaler Gateway Virtual Server, and in Receiver:

  1. Edit a NetScaler Gateway Virtual Server.
  2. In the Basic Settings section, click the pencil icon.
  3. Click More.
  4. Enable the DTLS option, and click OK.
  5. After enabling DTLS, it probably won’t work until you unbind the Gateway certificate, and rebind it.
    1. On the left, click where it says 1 Server Certificate.
    2. Click Add Binding.
    3. Click where it says Click to select.
    4. Click the radio button next to the same certificate that’s already bound. Click Select.
    5. Click Bind.
    6. Click Close.
    7. Click Continue to close the Certificate section.

Client-side configuration

There are two methods of enabling RTP on the client side:

  • Edit default.ica on the StoreFront server
  • Use GPO to modify the client-side config

To edit the default.ica file on the StoreFront server (h/t Vipin Borkar): Edit the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica and add the following lines to the [Application] section:

EnableRtpAudio=true
EnableUDPThroughGateway=true
AudioBandwidthLimit=1

To use GPO to modify the client-side config:

  1. Copy the receiver.admx (and .adml) policy template into PolicyDefinitions if you haven’t already.
  2. Edit a GPO that applies to Receiver machines. You can also edit the local GPO on a Receiver machine.
  3. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Receiver | User Experience.
  4. On the right, edit the setting Client audio settings.
  5. Do the following in the Client audio settings dialog box.
    1. Enable the setting.
    2. Set audio quality as desired. Higher quality = higher bandwidth.
    3. Check to Enable Real-Time Transport.
    4. Check to Allow Real-Time Transport through Gateway.
  6. Click OK to close the Client audio settings dialog box.
  7. Look in the client-side registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Audio to make sure the registry keys applied.
  8. When you launch the first session after enabling Real-Time Transport, you might be prompted to enable it through the client-side firewall.

To view the current UDP Audio sessions:

  1. In the NetScaler GUI, click the NetScaler Gateway node.
  2. On the right, click DTLS ICA Connections.
  3. This will show you all users that have UDP Audio connections through NetScaler Gateway. Note: this is different than EDT. To see EDT (UDP) HDX connections, click ICA Connections instead.

Citrix VPN from Mobile Devices

Citrix VPN Clients on Mobile Devices (Android, iOS) contain one of the following in their User-Agent strings. You can use this text in a Session Policy expression.

  • CitrixReceiver/NSGiOSplugin
  • CitrixReceiver/CitrixVPN

To block the Citrix VPN client connections from mobile devices, do one of the following:

  • Create an AppExpert > Responder > Policy with Action = DROP and Expression = HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin") || HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/CitrixVPN"). Either bind the Responder Policy Globally, or bind it to the Gateway vServers.
  • In your Gateway Session Policies, on the Client Experience tab, set the Plug-in Type to Java. If any of them are set to Windows/MAC OS X, then VPN for Mobile is allowed.

StoreFront – Rewrite X-Citrix-Via

When NetScaler Gateway communicates with StoreFront, it adds a header called X-Citrix-Via that contains the FQDN entered in the user’s address bar. StoreFront uses this header to find a matching Gateway object so StoreFront knows how to handle the authentication. In NetScaler 11.0 and newer, you can create a rewrite policy to change this header. This is useful when changing URLs or using DNS aliases for Gateways. See CTX202442 FAQ: Modify HTTP Header X-Citrix-Via on NetScaler for more details.

Here’s a sample rewrite policy for this header:

enable ns feature REWRITE

add rewrite action rwact_storefront replace "HTTP.REQ.HEADER(\"X-Citrix-Via\")" "\"mystorefront.mydomain.com\""

add rewrite policy rwpol_storefront "HTTP.REQ.HEADER(\"X-Citrix-Via\").NE(\"mystorefront.mydomain.com\")" rwact_storefront

bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST

Device Certificates

NetScaler Gateway can require Device Certificates (machine based) before a user can login. The Endpoint Analysis Plug-in reads the machine certificate, and compares it to a CA certificate that is bound to the NetScaler Gateway Virtual Server.

  • Device Certificates are different from User Certificates.
  • Administrator permissions are required to access the machine certificate’s private key. NetScaler Gateway Plug-in (VPN client) can workaround this requirement.
  • OCSP is required. You can use Microsoft Online Responder.

To enable Device Certificates

  1. Create an OCSP Responder on NetScaler, and bind it to the CA Certificate. See CTX200290 How to Configure Device Certificate on NetScaler Gateway for details. The Responder is created at Traffic Management > SSL > Certificates > OCSP Responder.

    1. The URL for Microsoft Online Responder is http://ocsp_server_FQDN:80/ocsp.
    2. Misja Geuskens at Netscaler Device certificate checks fails with W2K12R2 Online responder says don’t check the Nonce box.
  2. Import CA certificates for Root and Intermediate. At Traffic Management > SSL > Certificates > CA Certificates.
  3. Right-click each CA certificate, and click OCSP Bindings.

    1. Select the OCSP Responder you created earlier.
  4. Bind the CA certificates to the Gateway Virtual Server in the CA certificates section.

  5. Enable Device Certificates in the NetScaler Gateway Virtual Server > Basic Settings > More section. Move the same CA certificates to the right.

User Experience

Users will be prompted to install the Endpoint Analysis plugin.

Click Yes to run the scan. Note: if the user is not an administrator of the local machine, then you must also install the NetScaler Gateway Plug-in (VPN client) to handle the security restrictions.

If there are multiple certificates on the client machine, the user will be prompted to select one.

The chosen machine certificate is stored in %localappdata%\Citrix\AGEE\config.js. The user won’t be prompted for certificate selection again unless you delete this file.

This same folder contains nsepa.txt, which lets you troubleshoot device certificate checking. The most common issue is lack of permissions, which is handled by installing the NetScaler Gateway VPN Plug-in. The Gateway VPN Plug-in version must match the firmware version.

NetScaler Gateway 12 – LDAP Authentication

Last Modified: Oct 2, 2017 @ 7:03 am

LDAP Load Balancing

Before you create an LDAP authentication policy, load balance the Domain Controllers. If you don’t load balance your Domain Controllers, then when users enter an incorrect password, the user account will be prematurely locked out.

If you have multiple domains, create different Load Balancing Virtual Servers for each domain. These multiple Load Balancing Virtual Servers can share the same VIP if their port numbers are different. Or you can use a different VIP for each domain.

Verify LDAPS

Use the tool ldp.exe to verify that the Domain Controllers have valid certificates installed, and the LDAP service account is able to bind to the LDAP tree.

  1. ldp.exe is included with the Remote Server Administration Tools (AD DS Snap-Ins and Command-Line Tools). On Windows Servers, install it from Server Manager > Add Roles and Features > Features > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools.
  2. Run ldp.exe.
  3. Open the Connection menu, and click Connect.
  4. In the Connect box:
    1. Enter the FQDN of a Domain Controller.
    2. Check the box next to SSL.
    3. Change the port to 636.
  5. Click OK.
  6. If it connected successfully, you can then attempt a bind. If the connection was unsuccessful, then there’s probably an issue with the certificate installed on the Domain Controller.
  7. Open the Connection menu, and click Bind.
  8. In the Bind box:
    1. Change the Bind type to Simple bind.
    2. Enter the service account credentials. You can enter DOMAIN\Username, or you can enter Username@Domain.com.
  9. Click OK.
  10. Look in the right pane to verify a successful bind. If not, fix the credentials and try again.
  11. Once you have successfully bound, you can view the directory tree by opening the View menu, and clicking Tree.
  12. Click the drop-down to view the directory partitions.
  13. Repeat these steps to verify each Domain Controller, and any load balanced LDAPS.

LDAP Authentication Server

You can configure StoreFrontAuth as an alternative to LDAP. StoreFrontAuth delegates authentication to StoreFront servers, instead of performing authentication on NetScaler.

To create the LDAP Authentication Server, do the following:

  1. On the left, expand Authentication, and click Dashboard.
  2. On the right, click Add.
  3. Change the Choose Server Type drop-down to LDAP.
  4. In the Name field, enter LDAP-Corp or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain, so make sure you include the domain name.
  5. Change the selection to Server IP. Enter the VIP of the load balancing vServer for LDAP.
  6. Change the Security Type drop-down to SSL.
  7. Enter 636 as the Port. Scroll down.

  8. In the Connection Settings section, in the Base DN field, enter your Active Directory DNS domain name in LDAP format.
  9. In the Administrator Bind DN field, enter the credentials of the LDAP bind account in userPrincipalName format. Domain\Username also works.
  10. Enter the Administrator Password.
  11. Click Test Connection. NetScaler will attempt to login to the LDAP IP. Scroll down.
  12. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  13. On the right side of the Other Settings section, check the box next to Allow Password Change.

  14. If you want to restrict NetScaler Gateway access to only members of a specific AD group, in the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: to the Search Filter so it searches through nested groups. Without this, users will need to be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local

    1. An easy way to get the full distinguished name of the group is through Active Directory Users and Computers.
    2. Open the View menu, and enable Advanced Features. The Attribute Editor is only present if this feature is enabled.
    3. Browse to the group object, right-click it, and click Properties. Note: you cannot use Find. Instead, you must navigate through the tree to find the object.
    4. Switch to the Extensions page. On the right, switch to the Attribute Editor tab. This tab is only visible if Advanced Features are enabled, and you didn’t use the Find feature.
    5. Scroll down to distinguishedName, double-click it, and then copy it to the clipboard.
    6. Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  15. For another LDAP Search Filter expression, see CTX226808 Expression to exclude multiple domains by using search filter in LDAP on NetScaler 💡
    !(|(userprincipalname=*@aa.lab.com)(userprincipalname=*@ns.lab.com))
    The parentheses must balance. NetScaler wraps the Search Filter in its own parentheses and ANDs it with the logon-name lookup, so a malformed filter breaks the user search for everyone rather than excluding only the listed domains.
  16. Scroll down, and click More.
  17. For Nested Group Extraction, if desired, change the selection to Enabled. Configuring Nested Group Extraction allows the Nested Groups to be used for AAA Groups.
    1. Set Group Name Identifier to samAccountName.
    2. Set Group Search Attribute to memberOf. Select << New >> first.
    3. Set Group Search Sub-Attribute to CN. Select << New >> first.
    4. For the Group Search Filter field, see CTX123795 Example of LDAP Nested Group Search Filter Syntax.
  18. Scroll down, and click Create.

    add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=Citrix Remote,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  19. The status of the LDAP Server should be Up.
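
The Search Filter is the one place in this procedure where a typo silently changes who can log on, so here is an added Python example (not part of the original article and not Citrix code) that evaluates a filter offline the way the LDAP action applies it: wrapped in parentheses and ANDed with the Server Logon Name Attribute lookup. It shows why a plain memberOf= filter misses users who are only in nested groups while the :1.2.840.113556.1.4.1941: matching rule finds them, applies the domain-exclusion filter from CTX226808, and rejects a filter with unbalanced parentheses before it reaches the appliance. The directory, users and the corp.local domain are constructed sample data; the nested-group rule is simulated by walking memberOf transitively.

```python
"""Offline evaluator for NetScaler LDAP Search Filters.

Added example, not code from the article or from Citrix. It models what the
LDAP action sends to the domain controller: the Search Filter is wrapped in
parentheses and ANDed with the Server Logon Name Attribute lookup, i.e.
(&(sAMAccountName=<user>)(<Search Filter>)). The directory below is
constructed sample data for a fictional corp.local domain; the nested-group
matching rule (LDAP_MATCHING_RULE_IN_CHAIN) is simulated by following
memberOf transitively, which is what a domain controller does for it.
"""
import re

NESTED_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

GROUP_DN = "CN=CitrixRemote,OU=Citrix,DC=corp,DC=local"
SUBGROUP_DN = "CN=Helpdesk,OU=Citrix,DC=corp,DC=local"
ALICE, BOB, CAROL = (f"CN={n},CN=Users,DC=corp,DC=local" for n in ("alice", "bob", "carol"))

# Constructed directory: alice is a direct member of CitrixRemote, bob is a
# member only through the nested Helpdesk group, carol is in neither.
DIRECTORY = {
    GROUP_DN: {"objectClass": ["group"], "member": [ALICE, SUBGROUP_DN]},
    SUBGROUP_DN: {"objectClass": ["group"], "memberOf": [GROUP_DN], "member": [BOB]},
    ALICE: {"sAMAccountName": ["alice"], "userPrincipalName": ["alice@corp.local"], "memberOf": [GROUP_DN]},
    BOB: {"sAMAccountName": ["bob"], "userPrincipalName": ["bob@corp.local"], "memberOf": [SUBGROUP_DN]},
    CAROL: {"sAMAccountName": ["carol"], "userPrincipalName": ["carol@aa.lab.com"], "memberOf": []},
}
# LDAP attribute names and DNs are case-insensitive; index everything lowercased.
INDEX = {dn.lower(): {a.lower(): [v.lower() for v in vals] for a, vals in attrs.items()}
         for dn, attrs in DIRECTORY.items()}

# The three filters discussed above, exactly as typed into the Search Filter field.
FILTER_DIRECT = "memberOf=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local"
FILTER_NESTED = "memberOf:1.2.840.113556.1.4.1941:=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local"
FILTER_EXCLUDE = "!(|(userprincipalname=*@aa.lab.com)(userprincipalname=*@ns.lab.com))"


def parse(s, i=0):
    """Recursive-descent parser for RFC 4515 filters; returns (node, next_index).

    Nodes are ("&"|"|", [children]), ("!", [child]) or ("=", (attr, rule, value)).
    Values may contain '*' wildcards but not ')'. Unbalanced parentheses raise
    ValueError, the mistake most easily made when typing a filter into the GUI.
    """
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = parse(s, i)
            kids.append(child)
        node = (op, kids)
    elif i < len(s) and s[i] == "!":
        child, i = parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        if end < 0:
            raise ValueError("unbalanced parentheses")
        attr, _, value = s[i:end].partition("=")
        rule = None
        if attr.endswith(":"):  # extensible match such as memberOf:<OID>:
            attr, rule = attr.split(":")[0], attr.split(":")[1]
        node, i = ("=", (attr.lower(), rule, value.lower())), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("unbalanced parentheses")
    return node, i + 1


def _chain(attr, dn, seen=None):
    """Transitive closure of a DN-valued attribute (memberOf -> parent groups -> ...)."""
    seen = set() if seen is None else seen
    for parent in INDEX.get(dn, {}).get(attr, []):
        if parent not in seen:
            seen.add(parent)
            _chain(attr, parent, seen)
    return seen


def matches(node, dn):
    """Evaluate a parsed filter against the entry at (lowercased) dn."""
    op, payload = node
    if op == "&":
        return all(matches(k, dn) for k in payload)
    if op == "|":
        return any(matches(k, dn) for k in payload)
    if op == "!":
        return not matches(payload[0], dn)
    attr, rule, value = payload
    values = _chain(attr, dn) if rule == NESTED_OID else INDEX[dn].get(attr, [])
    pattern = re.escape(value).replace(r"\*", ".*")  # LDAP '*' substring wildcard
    return any(re.fullmatch(pattern, v) for v in values)


def netscaler_lookup(login, search_filter, login_attr="sAMAccountName"):
    """DNs the LDAP action would find for `login` with this Search Filter.

    An empty list means the user is refused before any password is checked:
    the filter, not the credentials, excluded them.
    """
    effective = f"(&({login_attr}={login})({search_filter}))"
    node, end = parse(effective)
    if end != len(effective):
        raise ValueError("trailing text after filter")
    return [dn for dn in DIRECTORY if matches(node, dn.lower())]


if __name__ == "__main__":
    for name, flt in (("direct", FILTER_DIRECT), ("nested", FILTER_NESTED), ("exclude", FILTER_EXCLUDE)):
        for user in ("alice", "bob", "carol"):
            print(f"{name:8} {user:6} -> {netscaler_lookup(user, flt)}")
```

Running it prints that alice matches both the direct and the nested filter, bob matches only the nested one, and carol is dropped by the exclusion filter; feeding it the unbalanced variant of the exclusion filter raises ValueError instead of quietly matching nothing. Swap the DIRECTORY for entries exported from your own domain to check a filter before binding the LDAP policy to a Gateway.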

LDAP Policy Expression

The Authentication Dashboard doesn’t allow you to create the LDAP Policy, so you must create it elsewhere.

You can create the LDAP policy now. Or you can wait and create it later when you bind the LDAP Server to the NetScaler Gateway vServer.

To create it now:

  1. You can use the menu Search box to find one of the nodes that lets you create Basic Authentication Policies.

    1. Or, navigate to NetScaler Gateway > Policies > Authentication > LDAP.
  2. On the right, in the Policies tab, click Add.
  3. Change the Server drop-down to the LDAP Server you created earlier.
  4. Give the LDAP Policy a name (one for each domain).
  5. In the Expression box, enter ns_true.
    • NetScaler Gateway 12 does not support Advanced Authentication policies directly on the Gateway vServer. If you prefer Advanced Authentication Policies, then you’ll instead need to configure nFactor.
  6. Click Create.

     add authentication ldapPolicy LDAP-Corp ns_true LDAP-Corp
  7. If you see a message about deprecation, click OK and ignore it.

Gateway Authentication Feedback

  1. On the left, under NetScaler Gateway, click Global Settings.
  2. On the right, in the right column, click Change authentication AAA settings.
  3. If desired, check the box for Enable Enhanced Authentication Feedback. This feature tells users why authentication failed: wrong password, account disabled or locked, user not found, and so on. Because it reveals to an unauthenticated client whether a username exists and whether the account is locked, it also helps an attacker enumerate accounts; leave it disabled on Internet-facing Gateways unless the help-desk benefit clearly outweighs that.
  4. Click OK.

    set aaa parameter -enableEnhancedAuthFeedback YES


Multiple Domains – UPN Method

Cascade – To support multiple Active Directory domains on a NetScaler Gateway, create multiple LDAP authentication policies, one for each Active Directory domain, and bind all of them to the NetScaler Gateway Virtual Server. When the user logs into NetScaler Gateway, only the username and password are entered. NetScaler then loops through the LDAP policies in priority order until one of them successfully authenticates the entered username and password.

Same user/password in multiple domains – What if the same username is present in multiple domains? As NetScaler loops through the LDAP policies, as soon as it finds one with the specified username, it tries to authenticate with that particular LDAP policy. If the password doesn’t match the user account in the attempted domain, a failed logon attempt is logged in that domain, and NetScaler tries the next domain. Each such failure counts against that account’s bad-password count, so a user who mistypes a password can lock out a same-named account in a domain they never meant to use; keep this in mind when choosing policy order and lockout thresholds.

Unfortunately, the only way to enter a realm/domain name during user authentication is to require users to log in using userPrincipalNames. To use userPrincipalName, set the LDAP Policy/Server’s Server Logon Name Attribute to userPrincipalName.

You can even do a combination of policies: some with samAccountName, and some with userPrincipalName. The samAccountName policies would be searched in priority order, and the userPrincipalName policies can be used to override the search order. Bind the userPrincipalName policies higher (lower priority number) than the samAccountName policies.

NetScaler supports adding a domain name drop-down list to the logon page. Then use Cookie expressions in the auth policies and session policies. However, this probably doesn’t work for Receivers. See CTX203873 How to Add Drop-Down Menu with Domain Names on Logon Page for NetScaler Gateway 11.0 64.x and later releases for details.

Another option for a domain drop-down is nFactor Authentication for Gateway. This also doesn’t fully work with Receiver Self-service.

After authentication is complete, a Session Policy will be applied that has the StoreFront URL. The NetScaler Gateway will attempt to log into StoreFront using Single Sign-on so the user doesn’t have to login again. When logging into NetScaler Gateway, only two fields are required: username and password. However, when logging in to StoreFront, a third field is required: domain name. So how does NetScaler specify the domain name while logging in to StoreFront?

There are two methods of specifying the domain:

  • AAA Group – Configure multiple session policies with unique Single Sign-on Domains. Inside the Session Policy is a field called Single Sign-on Domain for specifying the domain name. If there is only one Active Directory domain, then you can use the same Session Policy for all users. However, if there are multiple domains, then you would need multiple Session Policies, one for each Active Directory domain. But as the NetScaler loops through the LDAP policies during authentication, once a successful LDAP policy is found, you need a method of linking an LDAP policy with a Session Policy that has the corresponding SSO Domain. This is typically done using AAA groups. To use this method, see Multiple Domains – AAA Group Method.
  • userPrincipalName – Alternatively, configure the LDAP policy/server to extract the user’s UPN, and then authenticate to StoreFront using UPN. This is the easiest method, but some domains don’t have userPrincipalNames configured correctly.

The userPrincipalName method is detailed below:

  1. In each of your NetScaler LDAP policies/servers, in the Other Settings section, in the SSO Name Attribute field, enter userPrincipalName (select –<< New >>– first). Make sure there are no spaces after this attribute name. NetScaler will pull this attribute from AD, and use it to Single Sign-on the user to StoreFront.
  2. In StoreFront Console, in the middle, right-click your Store, and click Manage Authentication Methods.
  3. On the right, click the gear icon, and then click Configure Trusted Domains.
  4. In the Trusted domains box, select Any domain.
  5. Or add your UPN domain suffixes in DNS format. The advantage of entering domain names is that you can select a default domain. The DNS format is required for UPN logins (e.g. SSO from NetScaler Gateway).
  6. On the NetScaler Gateway Virtual Server, bind LDAP authentication polices in priority order. It will search them in order until it finds a match.
  7. In your Session Policies/Profiles, in the Published Applications tab, make sure Single Sign-on Domain is not configured. Since NetScaler is using the userPrincipalName, there’s no need to specify a domain. If the Single Sign-on Domain field is configured, then Single Sign-on authentication will fail.

Multiple Domains – AAA Groups Method

Another method of specifying the domain name when performing Single Sign-on to StoreFront is to use a unique session policy/profile for each domain. Use AAA Groups to distinguish one domain from another.

  1. Go to NetScaler Gateway > Policies > Authentication > LDAP.
  2. On the right, switch to the Servers tab.
  3. Make sure all domains are in the list. Edit one of the domains.
  4. Scroll down to the Other Settings section,
  5. In the Default Authentication Group field, enter a new, unique group name. Each domain must have a different group name. This group is only locally significant and does not need to exist in AD. Click OK.
  6. Edit another domain, and specify a new unique group name. Each domain has a different group name.
  7. Go to NetScaler Gateway > User Administration > AAA Groups.
  8. On the right, click Add.
  9. Name the group so it exactly matches the group name you specified in the LDAP server. Click OK.
  10. On the right, in the Advanced Settings section, add the Policies section.
  11. On the left, in the Policies section, click the Plus icon.

    1. Select Session, and click Continue.
    2. Click the plus icon to create a new policy.
    3. Give the Policy a name that indicates the domain. You will have a separate policy for each domain.
    4. Click the plus icon to create a new profile.
    5. Give the Profile a name that indicates the domain. You will have a separate profile for each domain.
    6. Switch to the Published Applications tab.
    7. Check the Override Global box next to Single Sign-on Domain. Enter the domain name that StoreFront is expecting. Click Create.
    8. Give the policy a ns_true expression, and click Create.
    9. In the Priority field, give it a number that is lower than any other Session Policy that has Single Sign-on Domain configured. Click OK.
    10. Click Done.
  12. Create another AAA Group.
  13. Give it a name that matches the Default Authentication Group configured for the next domain.
  14. Create another Session Policy for the next domain.
  15. Create another profile for the next domain. On the Published Applications tab, specify the domain name of the next domain.
  16. Bind the new policy with a low Priority number.
  17. When a user logs in, NetScaler loops through LDAP policies until one of them works. NetScaler adds the user to the Default Authentication Group specified in the LDAP Server. NetScaler finds a matching AAA Group and applies the Session Policy that has SSON Domain configured. Since the policy is bound with a low priority number, it overrides any other policy that also has SSON Domain configured.

NetScaler Gateway 12 – ICA Proxy (StoreFront)

Last Modified: May 19, 2018 @ 2:28 pm


💡 = Recently Updated


Overview

When you use a web browser and/or Receiver to connect to StoreFront and Published Applications or Published Desktops, there are always two connections:

  • HTTP – communication to Citrix StoreFront, from either a web browser, or from Receiver Self-Service (Receiver’s native user interface).
  • ICA – display protocol communication from Receiver to Citrix Virtual Delivery Agents (VDAs)

NetScaler Gateway can proxy both HTTP traffic and ICA connections.

  • When proxied through NetScaler Gateway, both HTTP and ICA are wrapped in SSL. Due to SSL, both protocols use the same port number (TCP 443). However, it’s two different protocols inside the SSL traffic.
  • HTTP (SSL-encrypted) handles authentication and icon enumeration from StoreFront. After authentication, NetScaler Gateway simply forwards the HTTP traffic to the StoreFront URL configured in a Session Profile > Published Applications > Web Interface Address.
    • The HTTP connection between NetScaler Gateway and StoreFront can be encrypted using SSL.
  • For ICA (SSL-encrypted) from Receiver to NetScaler Gateway, the SSL encryption is removed, and then the ICA traffic is forwarded to an internal VDA.
    • NetScaler Gateway validates each ICA session’s launch ticket with a Secure Ticket Authority (STA) server before it allows the ICA communication.
    • You can optionally enable internal SSL encryption of ICA traffic by installing certificates on each VDA machine.

In a standard ICA Proxy configuration, NetScaler Gateway essentially does the following:

  • Authenticates the user
  • After authentication, Session Policies/Profiles dictate what happens next:
    • Proxy HTTP to Citrix StoreFront
    • Proxy ICA to VDAs

CTX227054 NetScaler Gateway, StoreFront and XenDesktop Integration Communication Workflow contains packet traces of the ICA Proxy, StoreFront, and XenDesktop communication flows.

Session Profiles

Partly based on Citrix Knowledgebase Article CTX139963 – How to Configure NetScaler Gateway Session Policies for StoreFront

To create Session Profiles/Policies for ICA Proxy (StoreFront):

  1. On the left, expand NetScaler Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.

    1. Name the first one Receiver Self Service or similar. This is for Receiver Self-Service (not in a web browser).
    2. Switch to the Client Experience tab.
    3. On the Client Experience tab, check the Override Global box next to Clientless Access, and set it to Off. Scroll down.
    4. Check the Override Global box next to Plug-in Type, and set it to Java.
    5. Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.

      • If you need two-factor authentication (RADIUS), the Session Policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Only change this in the Receiver Self-Service profile; leave the session profile for Web Browsers set to PRIMARY.
    6. Scroll up. On the Security tab, check the Override Global box next to Default Authorization Action, and set it to Allow.
    7. On the Published Applications tab, check the Override Global box next to ICA Proxy, and set it to ON.
    8. Check the Override Global box next to Web Interface Address, and enter the load balanced URL (FQDN) to the StoreFront servers. You can use an IP address instead of FQDN. Don’t add any path to the end of the URL.
    9. If you only have one domain, then check the Override Global box next to Single Sign-on Domain, and enter the name of your Active Directory domain. Enter the same domain name that’s configured in StoreFront Configure Trusted Domains.

    10. For Account Services Address, enter the Base URL for StoreFront. NetScaler needs to be able to resolve this FQDN DNS name.
    11. Click Create.
  3. Right-click the just-added session profile, and click Add. This copies the settings from the existing profile into the new one.

    1. Change the name of the second Session Profile to Receiver For Web or similar.
    2. On the Client Experience tab, Clientless Access should be set to Off. Scroll down.
    3. Plug-in Type should still be set to Java.
    4. Single Sign-on to Web Applications should be enabled.

      • If you need two-factor authentication, the session profile for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service policy needs SECONDARY as detailed earlier.
    5. On the Security tab, the Default Authorization Action should still be Allow.
    6. On the Published Applications page, for the Web Interface Address field, add the path to your Receiver for Web site (e.g. /Citrix/StoreWeb).
    7. Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
    8. Account Services Address is not needed in this profile but there’s no harm in leaving it.
    9. Click Create.
  4. On the right, switch to the Session Policies tab, and click Add.

    1. Name the Policy Receiver Self Service or similar.
    2. Change the Profile to Receiver Self Service.
    3. Click the blue link to Switch to Default Syntax.
    4. In the Expression box, type in the following expression:
      HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
    5. Then click Create.
  5. Right-click on the just-added Session Policy, and click Add.

    1. Change the name to Receiver For Web or similar.
    2. Change the Action to Receiver For Web.
    3. In the Expression box, either type in the following, or use the Expression Editor. It’s the same as the Receiver Self-Service expression, except it has .NOT on the end.
      HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT
    4. Click Create.

The CLI commands for these Session Policies/Profiles are shown below:

add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp.local -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"

add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp.local -clientlessVpnMode OFF

add vpn sessionPolicy "Receiver Self-Service" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" "Receiver Self-Service"

add vpn sessionPolicy "Receiver for Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver for Web"

NetScaler Gateway Virtual Server

This section assumes LDAP authentication, with optional RADIUS for two-factor.

  • You can configure StoreFrontAuth as an alternative to LDAP. StoreFrontAuth delegates authentication to StoreFront servers, instead of performing authentication on NetScaler.
  • For other forms of authentication, see the NetScaler 12 Authentication section in the NetScaler 12 menu page.

To create the NetScaler Gateway Virtual Server for ICA Proxy and StoreFront:

  1. Create a Server Certificate for the NetScaler Gateway Virtual Server. The certificate must match the name users will enter to access the NetScaler Gateway.

    • For email discovery in Citrix Receiver, the certificate must have subject alternative names (SAN) for discoverReceiver.email.suffix (use your email suffix domain name). If you have multiple email domains then you’ll need a Subject Alternative Name for each suffix.
  2. On the left, right-click NetScaler Gateway, and click Enable Feature.
  3. On the left, expand NetScaler Gateway, and click Virtual Servers.
  4. On the right, click Add.
  5. Name it gateway.corp.com or similar.
  6. Enter a new VIP that will be exposed to the Internet (typically through NAT).
  7. Click More.

    1. If you don’t have enough NetScaler Gateway Universal licenses installed for all of your Gateway users, then check the box next to ICA Only. This option disables SmartAccess and VPN features but does not require any additional licenses. Note: most NetScaler Editions come with built-in Universal Licenses.
    2. Note: it’s also possible to disable authentication on Gateway and make StoreFront do it instead as described in Citrix CTX200066 How to Log On to StoreFront When Authentication is Disabled on NetScaler Gateway VIP. However, it’s more secure to require Gateway to authenticate the users before the user can communicate with StoreFront.
    3. Check the box next to DTLS.
      • DTLS enables EDT protocol, UDP Audio, and Framehawk.
      • EDT requires UDP 443 on the client side, and UDP 1494/2598 on the server side.
      • If this NetScaler is in Azure, then you might have to reduce the MTU/MSS. See EDT-Adaptive Transport with Azure Netscaler at Citrix Discussions. 💡
    4. Click OK to close the Basic Settings section.
  8. In the Certificates section, click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the radio button next to a previously created certificate that matches the NetScaler Gateway DNS name, and click Select.
    3. Click Bind.
  9. Click Continue to close the Certificates section.
  10. In the Basic Authentication section, click the plus icon in the top right. Note: NetScaler Gateway 12 seems to only support Basic Authentication policies, and not Advanced Authentication policies. For Advanced Authentication Policies, you’ll instead need to configure nFactor.

    1. Change the Choose Policy drop-down to LDAP,
    2. Leave the Choose Type drop-down set to  Primary, and click Continue.
    3. If you’ve already created an LDAP Policy, then click where it says Click to select, and select the policy.

    4. If you used the Authentication Dashboard to create an LDAP Server, then you probably haven’t created the corresponding LDAP Policy yet. Click the plus icon to create a new policy.

      1. Use the Server drop-down to select the previously created LDAP Server.
      2. Give the policy a name. The Policy name can match the Server name.
      3. In the Expression box, enter ns_true (a Basic or Classic expression), or select it from the Saved Policy Expressions drop-down. Click Create.
    5. Click Bind.
    6. Or for two-factor authentication, you will need to bind two Basic authentication policies to Primary and two Basic authentication polices to Secondary:
      • Primary = LDAP for Browsers (User-Agent does not contain CitrixReceiver)
      • Primary = RADIUS for Receiver Self-Service (User-Agent contains CitrixReceiver)
      • Secondary = RADIUS for Browsers (User-Agent does not contain CitrixReceiver)
      • Secondary = LDAP for Receiver Self-Service (User-Agent contains CitrixReceiver)
  11. Click Continue to close the Basic Authentication section.
  12. In the Advanced Authentication section, click Continue.
  13. Scroll down to the Profiles section, and click the pencil icon.
  14. In the TCP Profile drop-down, do one of the following:
    1. Follow the instructions at Citrix CTX232321 Recommended TCP Profile Settings for Full Tunnel VPN/ICAProxy from NetScaler Gateway 11.1 Onwards. In this case, there’s no need to change the TCP Profile. 💡
    2. Or, select nstcp_default_XA_XD_profile, and click OK to close the Profiles section.
  15. To bind the Session Policies, scroll down to the Policies section, and click the plus icon near the top right.

    1. Select Session, select Request, and click Continue.
    2. Click where it says Click to select.
    3. Click the radio button next to one of the Receiver Session Policies, and click Select. It doesn’t matter in which order you bind them.
    4. There’s no need to change the priority number. Click Bind.
  16. Repeat these steps to bind the second policy. In the Policies section, click the plus icon near the top right.

    1. Select Session, select Request, and click Continue.
    2. Click Add Binding.
    3. Click where it says Click to select.
    4. Click the radio button next to the other Receiver session policy, and click Select.
    5. There’s no need to change the priority number. Click Bind.
    6. The two policies are mutually exclusive so there’s no need to adjust priority. Click Close.
  17. To bind STAs, on the right, in the Advanced Settings section, click Published Applications.
  18. On the left, in the Published Applications section, click where it says No STA Server.

    1. Enter a Delivery Controller as https://<Controller_FQDN> or http://<Controller_FQDN>, depending on whether SSL is enabled on the Delivery Controller. This must be an FQDN or IP address; short names don’t work.
    2. Click Bind.
  19. To bind another Secure Ticket Authority server, on the left, in the Published Applications section, click where it says 1 STA Server.

    1. In the VPN Virtual Server STA Server Binding section, click Add Binding.
    2. Enter the URL for the second Controller, and click Bind.
    3. This view shows if the STAs are reachable or not. To refresh the view, close the STA Server Bindings list, and reopen it.
  20. On the right, in the Advanced Settings column, click Portal Themes.
  21. On the left, in the Portal Theme section, change the drop-down to RfWebUI. You can also click the plus icon to create a theme.
  22. Click OK to close the Portal Theme section.
  23. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind an A+ Cipher Group, and enable Strict Transport Security.
  24. Click Done when done.
  25. Configure SSL Redirect for the NetScaler Gateway DNS name and VIP.
  26. Configure StoreFront to use NetScaler Gateway.

The CLI commands to create a NetScaler Gateway vServer for ICA Proxy are shown below:

add vpn vserver gateway.corp.com SSL 10.2.2.200 443 -icaOnly ON -dtls ON -tcpProfileName nstcp_default_XA_XD_profile
bind vpn vserver gateway.corp.com -policy "Receiver Self-Service" -priority 100
bind vpn vserver gateway.corp.com -policy "Receiver for Web" -priority 110
bind vpn vserver gateway.corp.com -policy LDAP-Corp -priority 100
bind vpn vserver gateway.corp.com -staServer "http://xdc01.corp.local"
bind vpn vserver gateway.corp.com -staServer "http://xdc02.corp.local"
bind vpn vserver gateway.corp.com -portaltheme RfWebUI

Verify SSL Settings

After you’ve created the NetScaler Gateway Virtual Server, run the following tests to verify SSL:

  1. Citrix CTX200890 – Error: “Failed with status 1110” When Launching Desktops or Apps Through NetScaler Gateway: You can use OpenSSL to verify the certificate. Run the command: openssl s_client -connect gateway.corp.com:443. Replace the FQDN with your FQDN. OpenSSL is installed on the NetScaler, or you can download and install it on any machine.
  2. Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website. Citrix Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler – Q2 2018 update.

View ICA Connections

To view active ICA sessions, click the NetScaler Gateway node on the left, and then click ICA Connections on the right.

show vpn icaconnection

To view historical ICA sessions, search your Syslog server for ICASTART and/or LOGIN.

Or, if you don’t have a Syslog server configured, search /var/log/ns.log on the local appliance. Source = CTX232581 How to View Active Users Sessions Connected to Specific NetScaler Gateway vServers. 💡
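
Grepping for ICASTART and LOGIN answers the simple question, but the same lines also tell you which Gateway VIP a user came through, which VDA each launch went to, and who is piling up failed logons. As an added example (not from the article or from Citrix), the Python below parses the SSLVPN LOGIN, SSLVPN ICASTART and AAA LOGIN_FAILED messages out of ns.log or a syslog export and answers those questions, including the lockout pattern the multiple-domain cascade described earlier produces. The log lines, IP addresses, users and VDA address are constructed approximations of the real message format; field names can differ between builds, so compare one real line of each type against the regex before relying on it.

```python
"""Extract Gateway logon and ICA-launch events from ns.log or a syslog export.

Added example, not code from the article or from Citrix. The LOG text below
is a constructed approximation of the SSLVPN LOGIN, SSLVPN ICASTART and AAA
LOGIN_FAILED messages NetScaler writes (field names can differ between
builds, so check one real line of each type against the regex). IPs, users
and the VDA address are sample data.
"""
import re
from collections import Counter

LOG = """\
Nov 03 08:12:01 <local0.info> 10.2.2.5 11/03/2017:08:12:01 GMT ns 0-PPE-0 : default SSLVPN LOGIN 4711 0 :  Context alice@203.0.113.10 - SessionId: 5 - User alice - Client_ip 203.0.113.10 - Nat_ip "Mapped Ip" - Vserver 10.2.2.200:443 - Browser_type "Mozilla/5.0 CitrixReceiver/4.9" - SSLVPN_client_type ICA - Group(s) "N/A"
Nov 03 08:12:09 <local0.info> 10.2.2.5 11/03/2017:08:12:09 GMT ns 0-PPE-0 : default SSLVPN ICASTART 4712 0 : Source 203.0.113.10:51044 - Destination 10.2.3.21:2598 - username:domainname alice:corp - applicationName Win10 Desktop - startTime "11/03/2017:08:12:09 GMT" - connectionId 9f0c3a1b - SessionId 5
Nov 03 08:13:30 <local0.info> 10.2.2.5 11/03/2017:08:13:30 GMT ns 0-PPE-0 : default SSLVPN LOGIN 4715 0 :  Context dave@198.51.100.9 - SessionId: 6 - User dave - Client_ip 198.51.100.9 - Nat_ip "Mapped Ip" - Vserver 10.2.2.201:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"
Nov 03 08:15:44 <local0.info> 10.2.2.5 11/03/2017:08:15:44 GMT ns 0-PPE-0 : default AAA LOGIN_FAILED 4720 0 :  User bob - Client_ip 198.51.100.7 - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0
Nov 03 08:15:45 <local0.info> 10.2.2.5 11/03/2017:08:15:45 GMT ns 0-PPE-0 : default AAA LOGIN_FAILED 4721 0 :  User bob - Client_ip 198.51.100.7 - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0
Nov 03 08:16:00 <local0.info> 10.2.2.5 11/03/2017:08:16:00 GMT ns 0-PPE-0 : default CLI CMD_EXECUTED 4730 0 :  User nsroot - Remote_ip 10.2.2.9 - Command "show vpn icaconnection" - Status "Success"
"""

# Module and event name, then the " - " separated "Key value" pairs.
EVENT_RE = re.compile(r" : default (SSLVPN|AAA) (LOGIN_FAILED|LOGIN|LOGOUT|ICASTART|ICAEND) \d+ \d+ : +(.*)$")


def parse_line(line):
    """Return {"time", "module", "event", "fields"} for a Gateway event, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None  # other modules (CLI, SSLLOG, ...) are not our concern here
    fields = {}
    for chunk in m.group(3).split(" - "):
        key, _, value = chunk.strip().partition(" ")
        fields[key.rstrip(":")] = value.strip().strip('"')
    return {"time": line[:15], "module": m.group(1), "event": m.group(2), "fields": fields}


def events(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e]


def logins_on_vserver(log_text, vserver):
    """Users who logged on through one Gateway VIP:port, as in CTX232581."""
    return [e["fields"]["User"] for e in events(log_text)
            if e["event"] == "LOGIN" and e["fields"].get("Vserver") == vserver]


def ica_launches(log_text):
    """(user, domain, VDA ip:port, published resource) for every ICASTART."""
    out = []
    for e in events(log_text):
        if e["event"] == "ICASTART":
            user, _, domain = e["fields"]["username:domainname"].partition(":")
            out.append((user, domain, e["fields"]["Destination"], e["fields"]["applicationName"]))
    return out


def lockout_risk(log_text, threshold=2):
    """Users whose LOGIN_FAILED count reached threshold.

    With cascaded multi-domain LDAP policies one mistyped password is tried
    against every domain that has the same sAMAccountName, so failures
    accumulate faster than a single bad logon would suggest.
    """
    counts = Counter(e["fields"]["User"] for e in events(log_text) if e["event"] == "LOGIN_FAILED")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("logged on via 10.2.2.200:443:", logins_on_vserver(LOG, "10.2.2.200:443"))
    print("ICA launches:", ica_launches(LOG))
    print("lockout risk:", lockout_risk(LOG))
```

Replace LOG with the contents of /var/log/ns.log (or a grep of your syslog store) to run it against real data; the CLI CMD_EXECUTED line in the sample is there to show that unrelated modules are ignored rather than mis-parsed.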


NetScaler Gateway 12 – StoreFrontAuth, and XenDesktop Wizard

Last Modified: Oct 11, 2017 @ 5:57 am


Overview

NetScaler Gateway 12 supports a new form of authentication called StoreFrontAuth, which delegates Active Directory authentication to a StoreFront server. StoreFrontAuth replaces LDAP on NetScaler Gateway. You usually don’t need both.

  • StoreFrontAuth uses nFactor, which means NetScaler must be licensed for Enterprise Edition or Platinum Edition.

The easiest method of enabling StoreFrontAuth is to use the XenApp and XenDesktop Wizard. The Wizard lets you select from several different authentication methods, including multi-factor.

Prerequisites

License – make sure the appliance is licensed for Enterprise Edition or Platinum Edition.

DNS Servers – make sure DNS Servers are configured on the NetScaler.

The Wizard creates a whole new Gateway vServer. You’ll need the following:

  • DNS name for the Gateway
  • VIP for the Gateway
  • Certificate for the Gateway

URL to the StoreFront servers – must be reachable from NetScaler SNIP

  • To retrieve the list of stores, NSIP must be able to reach the StoreFront URL
  • StoreFront must be version 3.11 or newer

RADIUS – If you are doing multi-factor authentication, then you’ll need RADIUS information, including adding NetScaler NSIP and/or SNIP as RADIUS Clients.

Also see Citrix CTX223882 FAQ – Configuring Authentication at StoreFront using NetScaler Gateway 💡

XenApp and XenDesktop Wizard

  1. In NetScaler, click XenApp and XenDesktop on the bottom left.
  2. On the right, click Get Started.
  3. In the NetScaler Gateway section, enter the FQDN for the new Gateway.
  4. Enter the VIP for the new Gateway.
  5. Check the box next to Redirect requests from port 80 to secure port, and click Continue.
  6. In the Server Certificate section, if you already have a certificate on this appliance that matches the new Gateway FQDN, then select it. Or, change the selection to Install Certificate, and import a .pfx file. Click Continue when done.
  7. In the StoreFront section, enter the URL to StoreFront, and click Retrieve Stores.
  8. In the Receiver for Web Path drop-down, select a RfWeb Path.
  9. Enter a Secure Ticket Authority URL, including http:// or https://.
    1. Use the plus icon to add more than one STA server. STAs are usually your XenDesktop Controllers.
  10. Check the box next to Use this StoreFront for Authentication, and click Continue.
  11. In the Authentication section, in the Choose Authentication Type drop-down, notice that there are several options. Multi-factor will be detailed later.
  12. Click the button to Retrieve Auth Enabled Stores.
  13. Use the Authentication Service URI drop-down to select a store.
  14. The Domain field can be used to enter a default domain. Note: the domain name entered here must match one of the domain names permitted by StoreFront. This will be explained below in the Multiple Domains section.
  15. Click Continue
  16. Review the summary screen, and click Done.
  17. If Default SSL Profiles are not enabled, then edit the Gateway vServer, and configure standard SSL vServer Settings.

Portal Theme and Login Schema

  1. If you point your browser to the Gateway URL, notice it’s an old theme.
  2. On the left, go to NetScaler Gateway > Virtual Servers.
  3. On the right, edit the Gateway that was created by the wizard.
  4. On the right, in the Advanced Settings column, click Portal Themes.
  5. On the left, scroll down, and change the Portal Theme selection to RfWebUI, or one of its derivatives. Click OK.
  6. Now when you visit the Gateway URL, it’s shown using a newer theme. However, there’s a “First Factor” text in the middle of the page. We can fix that.
  7. Back in your NetScaler Gateway, scroll down and find the Authentication Profile section. Click the pencil icon. This object enables nFactor.
  8. Click the pencil icon to edit the Authentication Profile.
  9. Note the name of the AAA vServer.
  10. Go back to the main NetScaler navigation, and go to Security > AAA – Application Traffic > Virtual Servers.
  11. You’ll see a new AAA vServer in the list. It’s down because there’s no certificate bound to it, but it still works. If the red icon bothers you, you’re welcome to bind a certificate to it.
  12. Edit the AAA vServer.
  13. Scroll down, and click where it says 1 Login Schema.
  14. Right-click the Login Schema, and click Edit.
  15. Click the pencil next to the Profile field.
  16. Click the pencil in the Authentication Schema field.
  17. On the left, click the LoginSchema folder to open it.
  18. Move your mouse over the SingleAuth.xml file, and click the download icon. Save it somewhere.
  19. Edit the downloaded .xml file.
  20. Find the line containing the First factor text and delete the line. Save the file with a new name.
  21. Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the edited file to upload it.
  22. Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
  23. On the left, click the new file to highlight it. On the right, click the blue Select icon.
  24. Notice that the file name has now changed to the new file. Click OK.
  25. Click OK again.
  26. Click Close.
  27. If you point your browser to the Gateway FQDN again, the extra text is gone. You’re welcome to make additional changes to the .xml file.

StoreFront Configuration for Gateway

  1. In NetScaler, on the bottom left, click XenApp and XenDesktop.
  2. On the top right, click Download file.
  3. In the Download StoreFront Settings page, you can either export all virtual servers, or just one of them. Click OK.
  4. Save the GatewayConfig.zip file somewhere.
  5. In StoreFront console, on the left, right-click the Stores node, and click Manage NetScaler Gateways.
  6. At the top of the window, click the blue link imported from file.
  7. Click the Browse button, and select the GatewayConfig.zip file you saved earlier.
  8. Click the Import button next to the Gateway vServer you want to import.
  9. In the Select Logon Type page, you can optionally enter a SmartAccess Callback URL that resolves to any NetScaler Gateway on the same appliance that authenticated the user. Click Verify.
  10. Click Next.
  11. In the Secure Ticket Authorities page, review the list of STAs, and click Next.
  12. In the Review Changes page, click Import.
  13. In the Summary page, click Finish.
  14. Click Close.
  15. The new Gateway is shown in the list. Notice that the new Gateway is already Used by Store, so there’s no need to enable Remote Access on the Store yourself. Click Close.
  16. Edit the newly imported Gateway object.
  17. On the Secure Ticket Authority page, check the box next to Enable session reliability. EDT protocol will not work unless you check this box. Click OK.

StoreFrontAuth and Multiple Domains

The wizard configures Session Profiles with a default domain name. Multiple domains won’t work until you remove this SSON Domain.

  1. At NetScaler Gateway > Virtual Servers, edit the Gateway Virtual Server created by the wizard.
  2. Scroll down, and click where it says 2 Session Policies.
  3. Right-click each Session Policy, and click Edit Profile.
  4. On the Published Applications tab, uncheck the box next to Single Sign-on Domain. Click OK.
  5. Repeat for the other Session Profile.

StoreFrontAuth authenticates users to StoreFront using normal StoreFront username syntax:

  • username only
  • Domain\username
  • username@domain.suffix (aka userPrincipalName)

If no domain name is specified, StoreFrontAuth can be configured with a default domain name.

  1. Go to Security > AAA > Virtual Servers, right-click the AAA vServer that has StoreFrontAuth enabled, and click Edit.
  2. Scroll down, and click where it says 1 Authentication Policy.
  3. Right-click the StoreFrontAuth policy, and click Edit Policy. Unfortunately, Edit Action doesn’t seem to work.
  4. Click the pencil icon next to the Action.
  5. In the Domain field, enter a default domain name that will be used if the user does not specify a domain. Click OK.

Notes on domain names:

  • The domain names entered by users (domain\username, or username@domain.suffix) must be accepted by StoreFront.
  • The default domain name entered in the StoreFrontAuth Action must be accepted by StoreFront.
  • After StoreFrontAuth authenticates the user, it sends back the user’s UPN. NetScaler Gateway then uses the UPN to Single Sign-on to StoreFront. Thus, the UPN suffixes must be accepted by StoreFront.

To configure the domain names accepted by StoreFront:

  1. In StoreFront Console, right-click your store, and click Manage Authentication Methods.
  2. Click the top gear icon, and click Configure Trusted Domains.
  3. If the selection is Any domain, then you’re good, and you don’t need to change anything.
  4. If it’s set to Trusted domains only, then make sure that the UPN domain suffixes are in the list.
  5. To make it easier for users, add the NetBIOS domain names too. However, if you checked the box for Show domains list in logon page, then internal users will see both the NetBIOS domain names and the UPN domain suffixes.
  6. Notice that there’s a drop-down to select the Default domain. This default domain is only used if the user does not specify a domain name, and if no domain name is configured in the StoreFrontAuth action.

Depending on how you configured the StoreFront trusted domains, users have several options for logging into NetScaler Gateway:

  • Username only – the default domain name configured in the StoreFrontAuth action is used. If StoreFrontAuth default domain is not configured, then it uses the default domain name configured in StoreFront.
  • Domain\username – requires the short domain name (NetBIOS) to be included in StoreFront’s list of trusted domains.
  • UPN.suffix\username – this should always work, since you always need to add UPN suffixes to the StoreFront trusted domains list.
  • username@UPN.suffix – this should always work, for the same reason.
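To make the precedence described above concrete, here is an added Python sketch. It is not part of the original article and is not NetScaler or StoreFront code; it models the rules the article states: a domain given in the login string wins, then the StoreFrontAuth action’s Domain field, then StoreFront’s own default domain, and whatever domain results must be in StoreFront’s trusted list (or Any domain must be selected). The TrustedDomains model, the function names and the sample domains corp / corp.local are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TrustedDomains:
    """Constructed model of StoreFront's Configure Trusted Domains dialog (assumption)."""
    any_domain: bool               # "Any domain" selected
    trusted: FrozenSet[str]        # NetBIOS names and UPN suffixes, lower-case
    default_domain: Optional[str]  # StoreFront's own Default domain drop-down


def parse_login(login: str) -> Tuple[str, Optional[str]]:
    """Split a login string into (user, domain) using the three syntaxes StoreFront accepts.
    domain is None for 'username only'."""
    if "\\" in login:                       # DOMAIN\user or upn.suffix\user
        domain, user = login.split("\\", 1)
        return user, domain
    if "@" in login:                        # user@upn.suffix
        user, domain = login.rsplit("@", 1)
        return user, domain
    return login, None


def resolve_domain(login: str, sfauth_default: Optional[str],
                   sf: TrustedDomains) -> Tuple[Optional[str], str]:
    """Return (domain_used, reason). Precedence: domain in the login string,
    then the StoreFrontAuth action's Domain field, then StoreFront's default."""
    user, domain = parse_login(login)
    if not user:
        return None, "empty user name"
    source = "login string"
    if domain is None:
        if sfauth_default:
            domain, source = sfauth_default, "StoreFrontAuth action default"
        else:
            domain, source = sf.default_domain, "StoreFront default domain"
    if not domain:
        return None, "no domain in the login and no default configured anywhere"
    if not sf.any_domain and domain.lower() not in sf.trusted:
        return None, f"{domain!r} (from {source}) is not a StoreFront trusted domain"
    return domain, f"accepted ({source})"


def sso_upn_accepted(upn: str, sf: TrustedDomains) -> bool:
    """After StoreFrontAuth succeeds it returns the user's UPN and Gateway signs on to
    StoreFront with that UPN, so the UPN suffix must be trusted even when the user
    typed a NetBIOS name."""
    _, suffix = parse_login(upn)
    return sf.any_domain or (suffix is not None and suffix.lower() in sf.trusted)


# Constructed StoreFront settings for the walk-through below.
SF_BOTH = TrustedDomains(any_domain=False, trusted=frozenset({"corp", "corp.local"}),
                         default_domain="corp")
SF_NETBIOS_ONLY = TrustedDomains(any_domain=False, trusted=frozenset({"corp"}),
                                 default_domain="corp")
```

The SF_NETBIOS_ONLY case is the trap the notes above warn about: CORP\alice passes the login check, but the UPN alice@corp.local that StoreFrontAuth hands back is not trusted, so the Single Sign-on to StoreFront fails even though authentication succeeded.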

Multi-factor authentication

The XenApp and XenDesktop Wizard supports several authentication configurations:

  1. On the bottom left, click XenApp and XenDesktop.
  2. On the top right, move your cursor over the existing Gateway, and click the pencil icon to edit it.
  3. If you earlier removed the Single Sign-On Domain to support multiple AD domains, then the wizard will prompt you to re-enter a Default Active Directory Domain. Unfortunately, this field is not optional. After entering a domain name, and completing the steps shown in this section, you can follow the above instructions to remove it again.
  4. In the Authentication section, click the pencil icon.
  5. At the top of the Authentication section, there’s a drop-down for Choose Authentication Type. There are several options. Since this article is focused on StoreFront Auth, only RSA + StoreFront Auth will be detailed below.

    1. Note: the RSA + Domain option is equivalent to NetScaler Gateway RADIUS + LDAP. The RADIUS + LDAP authentication is performed directly by NetScaler Gateway, which means it doesn’t use nFactor or a AAA vServer. Unfortunately, the wizard does not configure NetScaler Gateway correctly. See my NetScaler Gateway RADIUS Authentication article to fix the authentication policies and Gateway binding configuration.

The RSA + StoreFront Auth option will ask you for RADIUS authentication information.

  1. Change the Choose Authentication Type drop-down to RSA + StoreFront Auth.
  2. Enter the RADIUS information, and click Test Connection.
  3. StoreFront Auth should already be configured, so just click Continue.
  4. Note, if you see any error messages, you might have to completely delete the Gateway, and run the wizard from scratch. Unfortunately, the XenApp and XenDesktop wizard seems to be quite buggy.
  5. After changing the Gateway authentication, download the configuration file again, and import to StoreFront.
  6. When you import to StoreFront, you can select an existing Gateway to overwrite.
  7. The Gateway that it imports to StoreFront is automatically configured with Domain and security token, so you don’t have to configure this yourself.

If you point your browser to the Gateway URL, you will see two password fields. You would think that the first password field is where you enter the AD Password, but that’s incorrect. Actually, it wants Passcode in the first field, and AD Password in the second field.

To swap the fields, do the following:

  1. Go to Security > AAA РApplication Traffic > Virtual Servers.
  2. Edit the AAA vServer that is linked to the Gateway vServer.
  3. Scroll down, and click where it says 1 Login Schema.
  4. Right-click the Login Schema, and click Edit.
  5. Click the pencil next to the Profile field.
  6. Notice the DualAuth.xml file selection. Click the pencil in the Authentication Schema field.
  7. On the left, click the LoginSchema folder to open it.
  8. Move your mouse over the DualAuth.xml file, and click the download icon. Save it somewhere.
  9. Edit the downloaded .xml file.
  10. Look for the two lines containing passwd. Swap the passwd1 and passwd IDs. In other words, remove the 1 from passwd in line 27, and add it to the passwd in line 22. There are two ID tags in each line. Save the file with a new name.
  11. Go back to the Login Schema dialog box. In the Authentication Schema field, click the upload icon. Select the new file to upload it.
  12. Unfortunately, uploading a new Login Schema .xml file does not actually select the uploaded file. Click the pencil icon.
  13. On the left, click the new file to highlight it. On the top right, click the blue Select icon.
  14. Notice that the file name has now changed to the new file. Click OK.
  15. Click OK again.
  16. Click Close.
  17. Now when you go to the Gateway URL, the fields should work as expected.
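Both login-schema edits in this article (deleting the First factor heading from SingleAuth.xml in the Portal Theme and Login Schema section, and swapping the passwd / passwd1 IDs in DualAuth.xml here) are the same kind of change, so here is one added Python script that makes them with an XML parser instead of by hand. It is not from the article and not Citrix code. The embedded schema is a constructed, trimmed stand-in for the shipped file: the namespace and the element names follow the Citrix login-schema format, but the exact SaveID values and the surrounding elements are assumptions, so compare against the real download before relying on it.

```python
import xml.etree.ElementTree as ET
from typing import List

NS = "http://citrix.com/authentication/response/1"  # namespace of the LoginSchema files
ET.register_namespace("", NS)                       # serialize with a default namespace


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"


# Constructed, trimmed stand-in for DualAuth.xml: heading, user name, two password boxes, button.
SAMPLE_SCHEMA = """<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <Requirements>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>First factor</Text><Type>heading</Type></Label>
        <Input/>
      </Requirement>
      <Requirement>
        <Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
        <Label><Text>User name</Text><Type>plain</Type></Label>
        <Input><Text><Secret>false</Secret><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement>
        <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement>
        <Credential><ID>passwd1</ID><SaveID>ExplicitForms-Password1</SaveID><Type>password</Type></Credential>
        <Label><Text>Password 2:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement>
        <Credential><ID>loginBtn</ID><Type>none</Type></Credential>
        <Label><Type>none</Type></Label>
        <Input><Button>Log On</Button></Input>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
"""


def drop_heading(root: ET.Element, text: str = "First factor") -> int:
    """Remove every <Requirement> whose <Label><Text> equals `text`; returns how many were removed."""
    removed = 0
    for reqs in root.iter(q("Requirements")):
        for req in list(reqs):
            label = req.find(f"{q('Label')}/{q('Text')}")
            if label is not None and (label.text or "").strip() == text:
                reqs.remove(req)
                removed += 1
    return removed


def swap_password_ids(root: ET.Element, first: str = "passwd", second: str = "passwd1") -> bool:
    """Swap <ID> and <SaveID> between the two password credentials, so the first box on the
    page posts as `second` (the AD password field) and the second box posts as `first`."""
    creds = {}
    for cred in root.iter(q("Credential")):
        cid = cred.find(q("ID"))
        if cid is not None and cid.text in (first, second):
            creds[cid.text] = cred
    if set(creds) != {first, second}:
        return False  # schema does not contain both fields; leave it untouched
    a, b = creds[first], creds[second]
    for tag in ("ID", "SaveID"):
        ea, eb = a.find(q(tag)), b.find(q(tag))
        if ea is not None and eb is not None:
            ea.text, eb.text = eb.text, ea.text
    return True


def transform(xml_text: str, remove_heading: bool = True, swap_passwords: bool = False) -> str:
    """Apply the article's two edits to a login schema and return the new XML text."""
    root = ET.fromstring(xml_text)
    if remove_heading:
        drop_heading(root)
    if swap_passwords:
        swap_password_ids(root)
    return ET.tostring(root, encoding="unicode")


def password_ids(xml_text: str) -> List[str]:
    """Ordered <ID> values of the password-type credentials, for checking a result."""
    root = ET.fromstring(xml_text)
    return [c.findtext(q("ID")) for c in root.iter(q("Credential"))
            if c.findtext(q("Type")) == "password"]


def heading_texts(xml_text: str) -> List[str]:
    root = ET.fromstring(xml_text)
    return [l.findtext(q("Text")) for l in root.iter(q("Label"))
            if l.findtext(q("Type")) == "heading"]
```

Save the output under a new file name, as the article says; uploading it still does not select it, so the Select step is still needed. Keeping the labels in place while swapping the IDs is deliberate: the box still labelled Password: now posts as passwd1, which is what the StoreFront Auth factor consumes, and the second box posts as passwd for the RADIUS factor.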

NetScaler Gateway 12 – PCoIP Proxy

Last Modified: Aug 22, 2017 @ 5:49 pm

Overview

NetScaler Gateway 12.0 supports the PC-over-IP (PCoIP) protocol, which is the remote display protocol for several non-Citrix VDI solutions, including VMware Horizon View. PCoIP is analogous to Citrix HDX/ICA protocol, and Microsoft RDP protocol. PCoIP uses UDP port 4172.

  • VMware Blast is currently not supported

When PCoIP is proxied through NetScaler Gateway, NetScaler Gateway can replace the traditional PCoIP remote access solutions, like View Security Server, or VMware Access Point.

Prerequisites

  • NetScaler Version – NetScaler 12.0 or newer.
    • Build 51 and newer for NAT
  • NetScaler Edition – PCoIP Proxy is available in all NetScaler Editions
  • Universal Licenses – PCoIP Proxy uses the Clientless Access feature of NetScaler Gateway, which means every NetScaler Gateway connection must be licensed for NetScaler Gateway Universal. On the NetScaler Gateway Virtual Server, ensure ICA Only is unchecked.
  • Horizon View infrastructure – A functioning internal Horizon View infrastructure. Ensure you can connect to Horizon View Agents internally without NetScaler Gateway.
    • Ensure that the Horizon View HTTP(S) Secure Tunnel and PCoIP Secure Gateway are not enabled on the Horizon View Connection Servers that NetScaler will proxy connections to.
    • Configure Desktop Pools and RDS Farms to use PCoIP as the default protocol.
  • Firewall Ports:
    • TCP 4172, UDP 4172, and TCP 443 open from Horizon View Clients to the NetScaler Gateway VIP.
    • TCP 4172, and UDP 4172 open from the NetScaler SNIP to all internal Horizon View Agents.
  • Certificate – A valid certificate for the NetScaler Gateway Virtual Server.
  • Authentication – An LDAP authentication policy/server.
  • Unified Gateway (optional) – If Unified Gateway, create the Unified Gateway before adding PCoIP functionality.
  • RfWebUI Portal Theme – For web browser access to Horizon View, the NetScaler Gateway Virtual Server must be configured with the RfWebUI theme.
  • Horizon View Client – The Horizon View Client must be installed on the client device, even if accessing Horizon published icons using the NetScaler RfWebUI portal.

PCoIP Profile

To create the PCoIP Profile:

  1. In the NetScaler management GUI, navigate to Configuration > NetScaler Gateway > Policies > PCoIP.
  2. On the right, in the PCoIP Profiles and Connections pane, you will create a VServer profile and a PCoIP profile.
  3. To create a VServer profile, on the VServer Profiles tab, click Add.

    1. Enter a name for the VServer profile. The only point of the VServer Profile is to specify the Active Directory domain name so name it accordingly.
    2. Enter an Active Directory Domain Name that will be used for Single Sign-on to Horizon View Connection Server, and then click on Create.
    3. Note: only a single Active Directory domain is supported per NetScaler Gateway Virtual Server. Also, the domain name specified here is displayed in the Horizon View Client.
  4. To create a PCoIP profile, on the Profiles tab, click Add.

    1. Enter a name for the PCoIP Profile. The PCoIP Profile specifies the internal DNS name for Horizon so name it accordingly.
    2. Enter the internal connection URL for the internal VMware Horizon View Connection Servers, and then click on Create. NetScaler SNIP needs to be able to connect to this URL.

Session Policy/Profile

To create or edit a Session Policy/Profile that has PCoIP Proxy enabled:

  1. Navigate to Configuration > NetScaler Gateway > Policies > Session.
  2. On the right, select the Session Profiles tab.
  3. On the NetScaler Gateway Session Policies and Profiles page, create or edit a NetScaler Gateway Session Profile.
    1. To create a NetScaler Gateway session profile, click Add, and provide a name.
    2. To edit a NetScaler Gateway session profile, select the profile, and click Edit.
  4. On the Client Experience tab, ensure that the Clientless Access value is set to On.
  5. On the Security tab, ensure that the Default Authorization Action value is set to ALLOW.
  6. On the PCoIP tab, select the required PCoIP profile. Note: you can also create or edit PCoIP Profiles from this tab.
  7. Click Create or OK to finish creating or editing the Session Profile.
  8. If you created a new Session Profile, then you must also create a corresponding Session Policy.
    1. Navigate to Configuration > NetScaler Gateway > Policies > Session.
    2. On the right, select the Session Policies tab.
    3. Click Add.
    4. Provide a name for the Session Policy, and select the required session profile name from the Profile drop-down.
    5. If you are creating the Session Policy using Default Syntax, first click Switch to Default Syntax, then in the Expression area type true, and click Create.
    6. If you are creating the Session Policy using Classic Syntax, in the Expression area type ns_true, and click Create.

Gateway Virtual Server

Bind the created PCoIP VServer profile and Session Policy to a NetScaler Gateway Virtual Server:

  1. Go to NetScaler Gateway > Virtual Servers.
  2. On the right, either Add a new NetScaler Gateway Virtual Server, or Edit an existing NetScaler Gateway Virtual Server.
  3. If you are editing an existing NetScaler Gateway Virtual Server, in the Basic Settings section, click the pencil icon.
  4. For both adding and editing, in the Basic Settings section, click More.
  5. Use the PCoIP VServer Profile drop-down to select the required PCoIP VServer Profile.
  6. Scroll down and ensure that ICA Only is unchecked. Then click OK to close the Basic Settings section.
  7. If you are creating a new NetScaler Gateway Virtual Server, bind a certificate, and bind an LDAP authentication policy.
  8. Scroll down to the Policies section and click the plus icon.
  9. The Choose Type page defaults to Session and Request. Click Continue.
  10. In the Policy Binding section, click on Click to select.
  11. Click the radio button next to the required Session Policy that has the PCoIP Profile configured, and click on Select.
  12. Back in the Policy Binding page, click Bind.
  13. If you want to use a web browser to connect to VMware Horizon View, then on the right, under Advanced Settings, add the Portal Themes section. If you are only using Horizon View Client to connect to NetScaler Gateway, then you don’t need to perform this step.

    1. Use the Portal Theme drop-down to select RfWebUI, and click OK.
    2. Horizon View published icons are added to the RfWebUI portal.
  14. To enable support for NAT, SSH to the NetScaler to access the CLI.
    1. Run the command set vpn vserver MyVserverName -vserverFqdn MyFQDN. This causes NetScaler to send the FQDN back to the Horizon Client, which enables it to connect to the public IP instead of the DMZ private IP address. Unfortunately, this setting is not available in the NetScaler GUI.

Horizon Configuration

  1. In Horizon Administrator, go to View Configuration > Servers. Edit the Horizon View Connection Server that NetScaler Gateway connects to.

    1. On the General tab, uncheck the HTTP(S) Secure Tunnel and PCoIP Secure Gateway.
  2. At Resources > Farms, edit your RDS Farms.

    1. Set the Default display protocol to PCoIP.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the PCoIP URL paths.

  1. In the NetScaler GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || http.req.url.path.eq("/broker/xml") || http.req.url.path.eq("/broker/resources") || http.req.url.path.eq("/pcoip-client")

Use NetScaler Gateway PCoIP Proxy

  1. To connect, you must have Horizon View Client installed on the client device. Once installed, you can either use the Horizon View Client’s User Interface to connect to NetScaler Gateway, or you can use the NetScaler Gateway RfWebUI portal page to view the icons published from Horizon.
  2. To view the active PCoIP connections, in NetScaler, go to NetScaler Gateway > Policies > PCoIP.
  3. On the right, switch to the Connections tab. The active sessions are displayed with the following data: user name, Horizon View Client IP, and Horizon View Agent Destination IP.
  4. To terminate a connection, right-click the connection, and click Kill Connection. Or click Kill All Connections to terminate all PCoIP connections.

CLI Commands

Here are CLI Commands for the configuration shown above.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"

add authentication ldapAction AD01 -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication ldapPolicy AD01 ns_true AD01

add vpn pcoipVserverProfile corp -loginDomain corp
add vpn pcoipProfile vcs01 -conServerUrl "https://vcs01.corp.local"

add vpn sessionAction VPN -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -pcoipProfileName vcs01
add vpn sessionPolicy VPN true VPN

add vpn vserver VPN SSL 10.3.3.13 443 -downStateFlush DISABLED -Listenpolicy NONE -vserverFqdn vpn.corp.com -pcoipVserverProfileName corp

bind vpn vserver VPN -portaltheme RfWebUI
bind vpn vserver VPN -policy AD01 -priority 100
bind vpn vserver VPN -policy VPN -priority 100 -gotoPriorityExpression NEXT -type REQUEST -urlName RDP
bind ssl vserver VPN -certkeyName WildcardCorpCom

NetScaler Gateway 12 Native One Time Passwords (OTP)

Last Modified: Jun 15, 2018 @ 1:21 pm

Overview

NetScaler 12 Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses Google Authenticator to generate passcodes.

Here are some notes:

  • NetScaler Native OTP is part of nFactor, and thus requires NetScaler Enterprise Edition or NetScaler Platinum Edition licensing.
    • Receiver currently does not support nFactor authentication. Thus only web browsers can authenticate using Native OTP.
  • nFactor requires a AAA vServer, which can be non-addressable – you don’t need any additional public IPs.
  • OTP stores device enrollment secrets in an Active Directory attribute that accepts Strings. Citrix’s documentation uses the userParameters Active Directory attribute.
    • The LDAP bind account must have permission to modify this attribute on every user.
  • Users can enroll multiple devices. There’s no way to prevent this.
  • The manageotp website is usually only protected by single factor authentication. Since users can add multiple devices, the manageotp website must be protected from external access.
  • Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google, …).

Here are the OTP configuration objects:

  • Make sure NTP is configured on the NetScaler. Accurate time is required.
  • An LDAP Policy/Server with authentication disabled and OTP Secret configured. This one OTP-specific LDAP Policy/Server can be used for two scenarios:
    • manageotp device enrollment
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled. This LDAP Policy/Server verifies the entered passcode.
  • An LDAP Policy/Server with authentication enabled. This one policy is used for two scenarios:
    • Single-factor authentication to the manageotp authenticator/device enrollment website.
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled.
  • A single non-addressable AAA vServer with two Login Schemas for the following scenarios:
    • A single-factor Login Schema for manageotp.
    • A dual-factor Login Schema for NetScaler Gateway authentication.
  • An Authentication Profile to link the AAA vServer to the NetScaler Gateway vServer.

LDAP Policies/Actions

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.

    1. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. This LDAP Policy/Server will be used for single-factor authentication to the manageotp website, and for the first factor of dual-factor authentication to NetScaler Gateway (second factor is OTP). There are no special instructions for this LDAP Server.
  3. Create another LDAP Action.

    1. This one is used by the manageotp site to set the OTP authenticator, so name it accordingly.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where NetScaler will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
    7. Thomas Rolfs in the comments advises not to enable Nested Group Extraction in this LDAP Action.
    8. Click Create when done.
  4. Create another LDAP Action.
    1. This one will verify the OTP code entered by the user, so name it accordingly. The only difference from the prior one is the addition of an LDAP Search Filter.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Search Filter field, enter the text userParameters>=#@. This syntax ensures that only users with enrolled authenticators can login. See George Spiers’ NetScaler native OTP article for more info.
    7. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
    8. Click Create when done.
  5. Go to Security > AAA РApplication Traffic > Policies > Authentication > Advanced Policies > Policy.
  6. On the right, click Add.

    1. You probably don’t already have an Advanced Authentication Policy for your normal LDAP server, since nFactor cannot use Classic policies, so create one here.
    2. Change the Action Type to LDAP.
    3. Select your normal LDAP server, which is the one that has Authentication enabled.
    4. Enter true as the expression. This uses Default Syntax instead of Classic Syntax.
    5. Click Create.
  7. Create another Authentication Policy.

    1. This policy is for OTP management so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the Manage OTP LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should not have the Search Filter configured.
    4. Enter HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") in the Expression box, and click Create.
  8. Create another Authentication Policy.

    1. This policy is for OTP verification so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the OTP Verification LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should have the Search Filter configured to prevent unenrolled users from authenticating.
    4. Enter true in the Expression box, and click Create.
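As an added illustration (not NetScaler code, and not from the article) of what the OTP-verification LDAP action amounts to: the search filter userParameters>=#@ screens out users who have no enrolment, and then the entered passcode is compared with RFC 6238 TOTP, which is what Google Authenticator generates. The attribute layout modelled here (#@device=secret&,), the one-time-step clock tolerance and the directory entries are assumptions constructed for the example, and the filter is modelled as a plain string comparison, which only approximates the directory’s ordering match.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

STEP = 30    # Google Authenticator time step, seconds
DIGITS = 6


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the six-digit code an authenticator app shows."""
    raw = secret_b32.strip().upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))
    msg = struct.pack(">Q", unix_time // STEP)           # time-step counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def passes_enrolment_filter(attr_value: Optional[str]) -> bool:
    """Approximation of the LDAP filter userParameters>=#@ as a string ordering test:
    the attribute must exist and sort at or after '#@'. Any value that sorts after
    '#@' passes, so this is a pre-check, not the authentication."""
    return attr_value is not None and attr_value >= "#@"


def extract_secrets(attr_value: str) -> List[str]:
    """Assumed enrolment layout for this example: '#@<device>=<base32 secret>&' repeated
    once per enrolled device. The real layout NetScaler writes is not reproduced here."""
    if not attr_value.startswith("#@"):
        return []
    secrets = []
    for entry in attr_value[2:].split("&"):
        entry = entry.strip(", ")
        if "=" in entry:
            secrets.append(entry.split("=", 1)[1])
    return secrets


def verify_passcode(user: str, entered: str, directory: Dict[str, Dict[str, str]],
                    now: int, skew_steps: int = 1) -> bool:
    """Filter out unenrolled users, then accept the code if it matches any enrolled
    device for the current step plus or minus `skew_steps` (tolerance is an assumption)."""
    attr = directory.get(user, {}).get("userParameters")
    if not passes_enrolment_filter(attr):
        return False
    for secret in extract_secrets(attr):
        for k in range(-skew_steps, skew_steps + 1):
            if hmac.compare_digest(totp(secret, now + k * STEP), entered):
                return True
    return False


# Constructed directory entries: alice enrolled (RFC 6238 test secret), bob carries an
# unrelated value that sorts after '#@' and so slips past the filter, carol never enrolled.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of "12345678901234567890"
DIRECTORY = {
    "alice": {"userParameters": f"#@phone={RFC6238_SECRET_B32}&,"},
    "bob": {"userParameters": "legacy terminal-services blob"},
    "carol": {},
}
```

bob shows why the filter is only a pre-check: any userParameters value that sorts after #@ passes it, and it is the secret parsing and code comparison that actually gate access. carol, who never enrolled, is rejected before any OTP work. The step counter is derived from the clock, which is why the NTP note earlier in this section matters.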

Login Schemas

  1. Go to Security > AAA РApplication Traffic > Login Schema.
  2. On the right, switch to the Profiles tab, and click Add.

    1. This is the single factor Login Schema for manageotp so name the Schema accordingly.
    2. Click the Edit icon.
    3. On the left, click the LoginSchema folder to open it.
    4. Scroll down, and click SingleAuthManageOTP.xml to highlight it.
    5. On the top right, click Select.
    6. Click Create.
  3. Add another Login Schema profile.

    1. This Login Schema is for two-factor authentication to NetScaler Gateway so name it accordingly.
    2. Click the edit icon. Follow the same procedure as above, but this time select /LoginSchema/DualAuth.xml.
    3. Click More to reveal more options.
    4. Scroll down. In the Password Credential Index field, enter 1. This causes nFactor to save the user’s password into Attribute #1, which we’ll use later in a Traffic Policy to Single Sign-on to StoreFront. If you don’t do this, then NetScaler Gateway will try to use the Passcode to authenticate to StoreFront, which obviously won’t work.
    5. Check the box next to Enable Single Sign On Credentials. Mark in the comments indicates that this checkbox is needed to Single Sign On to RDP Hosts.
    6. Click Create.
  4. On the right, switch to the Policies tab.
  5. Click Add to add a Login Schema policy.
    1. In the Profile field, select the Single Factor Manage OTP Login Schema Profile.
    2. Name the Login Schema Policy for OTP management.
    3. In the Rule field, enter the following. This ensures that this single factor Login Schema is only used if the user enters /manageotp, and if the user is on the internal network. You don’t want manageotp to be accessible externally, because it’s only protected by single factor authentication, and it’s too easy to add multiple devices.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
    4. Click Create.
  6. Create another Login Schema Policy.

    1. In the Profile field, select the dual factor Login Schema.
    2. Name the Login Schema to indicate dual factor authentication.
    3. In the Rule box, enter true.
    4. Click Create.

Authentication PolicyLabel

  1. Go to Security > AAA РApplication Traffic > Policies > Authentication > Advanced Policies > PolicyLabel.
  2. On the right, click Add.
  3. This PolicyLabel is for OTP management, and OTP verification, so name it accordingly.
  4. In the Login Schema field, select LSCHEMA_INT, which means noschema.
  5. Click Continue.
  6. In the Policy Binding section, Click to select.
  7. Click the radio button next to the Manage OTP LDAP Policy that has authentication disabled, and OTP Secret configured. This one should have a policy expression that limits it to manageotp only. Click Select.
  8. Click Bind.
  9. Click Add Binding to add another one.
  10. Click to select.
  11. Click the radio button next to the LDAP Policy that verifies OTP. Click Select.
  12. Click Bind.
  13. Make sure the manageotp policy is higher in the list than the OTP Verification policy. To adjust priorities, right-click on the policies, and click Edit Binding. Click Done.

AAA vServer

  1. Go to Security > AAA РApplication Traffic.
  2. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  3. Go to Security > AAA РApplication Traffic > Virtual Servers.
  4. On the right, click Add.
  5. This AAA vServer is for OTP so name it accordingly.
  6. Change the IP Address Type to Non Addressable.
  7. Click OK.
  8. Click where it says No Server Certificate.
  9. Click to Select.
  10. Click the radio button next to a certificate, and click Select. You can use the same certificate as NetScaler Gateway.
  11. Click Bind.
  12. Click Continue.
  13. Click where it says No Authentication Policy.
  14. Click to select.
  15. Click the radio button next to the normal LDAP Policy that has authentication enabled. Then click Select.
  16. In the Select Next Factor field, Click to select.
  17. Click the radio button next to the OTP PolicyLabel, and click Select.
  18. Click Bind.
  19. In the Advanced Authentication Policies section, click Continue.
  20. On the right, in the Advanced Settings column, click Login Schemas.
  21. On the left, scroll down, and click where it says No Login Schema.
  22. Click to select.
  23. Click the radio button next to the Manage OTP Login Schema, and click Select.
  24. Click Bind.
  25. Click where it says 1 Login Schema.
  26. Click Add Binding.
  27. Click to select.
  28. Click the radio button next to the dual factor Login Schema, and click Select.
  29. Click Bind.
  30. Make sure the single factor Manage OTP Login Schema is higher in the list than the dual factor Login Schema. Click Close.
  31. On the right, in the Advanced Settings column, click Portal Themes.
  32. On the left, scroll down, select RfWebUI as the Portal Theme, and click OK.
  33. Click Done.

Traffic Policy for Single Sign-on

  1. On the left, go to NetScaler Gateway > Policies > Traffic.
  2. On the right, switch to the Traffic Profiles tab, and click Add.
  3. This Traffic Profile is for OTP and/or nFactor. Name it accordingly.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following. This is where we use the Login Schema Password Attribute specified earlier.
    http.REQ.USER.ATTRIBUTE(1)
  6. Click Create.
  7. On the right, switch to the Traffic Policies tab, and click Add.
  8. Click the blue link to Switch to Default Syntax.
  9. In the Request Profile field, select the Traffic Profile you just created.
  10. Name the Traffic Policy.
  11. In the Expression box, enter true.
    • If your NetScaler Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN. 💡
      http.req.method.eq(post)||http.req.method.eq(get) && false
      Because && binds more tightly than ||, this expression is effectively HTTP.REQ.METHOD.EQ(POST), so the Traffic Policy only applies to POST requests.
  12. Click Create.

NetScaler Gateway and Authentication Profile

  1. Go to NetScaler Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don’t have one, see the other NetScaler Gateway topics on this site.
  3. Scroll down to the Policies section, and click the plus icon.
  4. Change the Choose Policy drop-down to Traffic, and click Continue.
  5. Click to select.
  6. Click the radio button next to the Traffic Policy you created earlier, and click Select.
  7. Click Bind.
  8. On the right, in the Advanced Settings column, click Authentication Profile.
  9. On the left, scroll down to the Authentication Profile section.
  10. Click the plus icon to create one.
  11. Authentication Profile links the NetScaler Gateway vServer with the OTP AAA vServer, so name it accordingly.
  12. In the Authentication Virtual Server section, Click to select.
  13. Click the radio button next to the OTP AAA vServer, and click Select.
  14. Click Create.
  15. Scroll down again to the Authentication Profile section, and click OK.
  16. The Portal Theme bound to the Gateway vServer should be RfWebUI, or a derivative.
  17. Go to System > Profiles.
  18. On the right, switch to the SSL Profile tab.
  19. Edit the ns_default_ssl_profile_frontend profile.
  20. Make sure HSTS is not enabled in the profile; otherwise RfWebUI and manageotp won’t work correctly. This is probably a bug. Note: the Rewrite method of enabling HSTS should work.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the NetScaler GUI, navigate to Configuration> Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Simply add /manageotp to the end of your Gateway URL.
  2. Notice it’s only single-factor authentication. Login using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. Launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QRCode that is shown on the screen.
  6. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  7. Click Test.
  8. Enter the passcode shown in your Authenticator, and click Go.
  9. If you logoff of manageotp, and access your Gateway URL normally, you’ll be prompted for two-factor authentication. Use the passcodes shown in your Google Authenticator application.
  10. It should Single Sign-on into StoreFront.
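The Test step above works because the Gateway and the Authenticator app compute the same time-based code from the secret enrolled via the QR code. As an added example (not code from the original post or from Citrix), here is a minimal RFC 6238 verifier of the kind the Gateway runs when you submit that passcode; it assumes the standard Google Authenticator parameters (HMAC-SHA1, 6 digits, 30-second step, base32 secret) and a one-step drift window, which the page does not state for NetScaler's Native OTP.

```python
"""Added example, not from the original post or from Citrix: RFC 6238 TOTP
verification as performed for Google Authenticator passcodes.

Assumptions (not stated on the page): HMAC-SHA1, 6 digits, 30-second step,
base32 secret, and a +/-1 step tolerance for clock drift. Whether NetScaler's
Native OTP uses exactly this window is not documented here."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1  # also accept the previous and the next 30 s window

# Constructed sample secret: the RFC 6238/4226 test seed, base32-encoded as
# it would be embedded in the enrollment QR code.
RFC6238_SEED = b"12345678901234567890"
RFC6238_SEED_B32 = base64.b32encode(RFC6238_SEED).decode()

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // STEP_SECONDS)

def verify_totp(secret_b32: str, code: str, unix_time: Optional[int] = None,
                last_counter: int = -1) -> Tuple[bool, int]:
    """Return (accepted, counter_used). `last_counter` is the time step of the
    last accepted code; steps <= last_counter are rejected so one passcode
    cannot be replayed within its drift window."""
    if unix_time is None:
        unix_time = int(time.time())
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    current = unix_time // STEP_SECONDS
    for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter

if __name__ == "__main__":
    print(totp(RFC6238_SEED, 59))                       # RFC 6238 vector: 287082
    print(verify_totp(RFC6238_SEED_B32, "287082", 59))  # (True, 1)
```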

CLI Commands

Here’s a complete CLI configuration.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
add authentication ldapAction LDAP_OTP_mgmt_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication ldapAction LDAP_OTP_verify_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication Policy Corp-Adv -rule true -action LDAP-Corp
add authentication Policy LDAP_Manage_OTP-pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_mgmt_no_auth
add authentication Policy LDAP_Confirm_OTP-pol -rule true -action LDAP_OTP_verify_no_auth

add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.3.0.0/16)" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_Manage_OTP-pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_Confirm_OTP-pol -priority 110 -gotoPriorityExpression NEXT

add authentication vserver OTP-AAA SSL 0.0.0.0
bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom

bind authentication vserver OTP-AAA -portaltheme RfWebUI
bind authentication vserver OTP-AAA -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Corp-Adv -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

add vpn trafficAction OTP-trafficprofile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile

add authentication authnProfile OTP-authnprofile -authnVsName OTP-AAA

add vpn vserver Gateway.corp.com SSL 10.2.5.220 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
set ssl vserver Gateway.corp.com -sslProfile ns_default_ssl_profile_frontend
add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront2.corp.com/Citrix/StoreWeb" -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://storefront2.corp.com"
add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver Gateway.corp.com -portaltheme RfWebUI
bind vpn vserver Gateway.corp.com -policy "Receiver For Web" -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver Gateway.corp.com -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver Gateway.corp.com -certkeyName WildcardCorpCom