NetScaler Gateway 12 – ICA Proxy (StoreFront)

Last Modified: May 19, 2018 @ 2:28 pm


💡 = Recently Updated



When you use a web browser and/or Receiver to connect to StoreFront and Published Applications or Published Desktops, there are always two connections:

  • HTTP – communication to Citrix StoreFront, from either a web browser, or from Receiver Self-Service (Receiver’s native user interface).
  • ICA – display protocol communication from Receiver to Citrix Virtual Delivery Agents (VDAs)

NetScaler Gateway can proxy both HTTP traffic and ICA connections.

  • When proxied through NetScaler Gateway, both HTTP and ICA are wrapped in SSL. Due to SSL, both protocols use the same port number (TCP 443). However, it’s two different protocols inside the SSL traffic.
  • HTTP (SSL-encrypted) handles authentication and icon enumeration from StoreFront. After authentication, NetScaler Gateway simply forwards the HTTP traffic to the StoreFront URL configured in a Session Profile > Published Applications > Web Interface Address.
    • The HTTP connection between NetScaler Gateway and StoreFront can be encrypted using SSL.
  • For ICA (SSL-encrypted) from Receiver to NetScaler Gateway, the SSL encryption is removed, and then the ICA traffic is forwarded to an internal VDA.
    • NetScaler Gateway uses a Secure Ticket Authority (STA) server to validate the ICA session ticket before it allows the ICA communication.
    • You can optionally enable internal SSL encryption of ICA traffic by installing certificates on each VDA machine.

In a standard ICA Proxy configuration, NetScaler Gateway essentially does the following:

  • Authenticates the user
  • After authentication, Session Policies/Profiles dictate what happens next:
    • Proxy HTTP to Citrix StoreFront
    • Proxy ICA to VDAs

CTX227054 NetScaler Gateway, StoreFront and XenDesktop Integration Communication Workflow contains packet traces of the ICA Proxy, StoreFront, and XenDesktop communication flows.

Session Profiles

Partly based on Citrix Knowledgebase Article CTX139963 – How to Configure NetScaler Gateway Session Policies for StoreFront

To create Session Profiles/Policies for ICA Proxy (StoreFront):

  1. On the left, expand NetScaler Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.

    1. Name the first one Receiver Self Service or similar. This is for Receiver Self-Service (not in a web browser).
    2. Switch to the Client Experience tab.
    3. On the Client Experience tab, check the Override Global box next to Clientless Access, and set it to Off. Scroll down.
    4. Check the Override Global box next to Plug-in Type, and set it to Java.
    5. Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.

      • If you need two-factor authentication (RADIUS), the Session Policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Only change this in the Receiver Self-Service profile; leave the session profile for Web Browsers set to PRIMARY.
    6. Scroll up. On the Security tab, check the Override Global box next to Default Authorization Action, and set it to Allow.
    7. On the Published Applications tab, check the Override Global box next to ICA Proxy, and set it to ON.
    8. Check the Override Global box next to Web Interface Address, and enter the load balanced URL (FQDN) to the StoreFront servers. You can use an IP address instead of FQDN. Don’t add any path to the end of the URL.
    9. If you only have one domain, then check the Override Global box next to Single Sign-on Domain, and enter the name of your Active Directory domain. Enter the same domain name that’s configured in StoreFront Configure Trusted Domains.

    10. For Account Services Address, enter the Base URL for StoreFront. NetScaler needs to be able to resolve this FQDN DNS name.
    11. Click Create.
  3. Right-click the just-added session profile, and click Add. This copies the settings from the existing profile into the new one.

    1. Change the name of the second Session Profile to Receiver For Web or similar.
    2. On the Client Experience tab, Clientless Access should be set to Off. Scroll down.
    3. Plug-in Type should still be set to Java.
    4. Single Sign-on to Web Applications should be enabled.

      • If you need two-factor authentication, the session profile for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service policy needs SECONDARY as detailed earlier.
    5. On the Security tab, the Default Authorization Action should still be Allow.
    6. On the Published Applications page, for the Web Interface Address field, add the path to your Receiver for Web site (e.g. /Citrix/StoreWeb).
    7. Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
    8. Account Services Address is not needed in this profile but there’s no harm in leaving it.
    9. Click Create.
  4. On the right, switch to the Session Policies tab, and click Add.

    1. Name the Policy Receiver Self Service or similar.
    2. Change the Profile to Receiver Self Service.
    3. Click the blue link to Switch to Default Syntax.
    4. In the Expression box, type in the following expression:
    5. Then click Create.
  5. Right-click on the just-added Session Policy, and click Add.

    1. Change the name to Receiver For Web or similar.
    2. Change the Action to Receiver For Web.
    3. In the Expression box, either type in the following, or use the Expression Editor. It’s the same as the Receiver Self-Service expression, except it has .NOT on the end.
    4. Click Create.

The CLI commands for these Session Policies/Profiles are shown below:

add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "" -ntDomain Corp.local -clientlessVpnMode OFF -storefronturl ""

add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "" -ntDomain Corp.local -clientlessVpnMode OFF

add vpn sessionPolicy "Receiver Self-Service" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" "Receiver Self-Service"

add vpn sessionPolicy "Receiver for Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver for Web"
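As an added example (not from the original page or from Citrix), the following Python models how the two Session Policies above select a Session Profile from the User-Agent header, and why the Credential Index differs between the two profiles when RADIUS two-factor is bound as described later under the Virtual Server section. The StoreFront URL is a hypothetical placeholder; the page's own CLI leaves it blank.

```python
from typing import Dict

# Hypothetical StoreFront load-balanced URL; the page's CLI leaves -wihome blank.
STOREFRONT = "https://storefront.corp.local"

# Web Interface Address and Credential Index per profile, as the page sets them
# for RADIUS two-factor (Self-Service = SECONDARY, Receiver for Web = PRIMARY).
PROFILES = {
    "Receiver Self-Service": {"wihome": STOREFRONT, "credential_index": "SECONDARY"},
    "Receiver for Web": {"wihome": STOREFRONT + "/Citrix/StoreWeb", "credential_index": "PRIMARY"},
}


def user_agent(headers: Dict[str, str]) -> str:
    """Header names are case-insensitive; the value is returned unchanged."""
    return next((v for k, v in headers.items() if k.lower() == "user-agent"), "")


def is_receiver(headers: Dict[str, str]) -> bool:
    # HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver"): CONTAINS is
    # case-sensitive in default syntax, so "citrixreceiver" would not match.
    return "CitrixReceiver" in user_agent(headers)


def select_profile(headers: Dict[str, str], two_factor: bool) -> Dict[str, str]:
    """Apply the two mutually exclusive policies (the second is the first with .NOT appended)."""
    name = "Receiver Self-Service" if is_receiver(headers) else "Receiver for Web"
    profile = dict(PROFILES[name], name=name)
    if not two_factor:
        # Single-factor LDAP: the AD password is the only field, so PRIMARY for both profiles.
        profile["credential_index"] = "PRIMARY"
    return profile


def auth_bindings(headers: Dict[str, str]) -> Dict[str, str]:
    """Primary/Secondary Basic authentication bindings per client type (vServer step 10.6)."""
    if is_receiver(headers):
        return {"PRIMARY": "RADIUS", "SECONDARY": "LDAP"}
    return {"PRIMARY": "LDAP", "SECONDARY": "RADIUS"}


def credential_index_matches_ldap(headers: Dict[str, str]) -> bool:
    """Credential Index must name the field answered by LDAP, i.e. the Active
    Directory password that single sign-on to StoreFront requires."""
    ldap_field = next(i for i, server in auth_bindings(headers).items() if server == "LDAP")
    return select_profile(headers, two_factor=True)["credential_index"] == ldap_field
```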

NetScaler Gateway Virtual Server

This section assumes LDAP authentication, with optional RADIUS for two-factor.

  • You can configure StoreFrontAuth as an alternative to LDAP. StoreFrontAuth delegates authentication to StoreFront servers, instead of performing authentication on NetScaler.
  • For other forms of authentication, see the NetScaler 12 Authentication section in the NetScaler 12 menu page.

To create the NetScaler Gateway Virtual Server for ICA Proxy and StoreFront:

  1. Create a Server Certificate for the NetScaler Gateway Virtual Server. The certificate must match the name users will enter to access the NetScaler Gateway.

    • For email discovery in Citrix Receiver, the certificate must have subject alternative names (SAN) for (use your email suffix domain name). If you have multiple email domains then you’ll need a Subject Alternative Name for each suffix.
  2. On the left, right-click NetScaler Gateway, and click Enable Feature.
  3. On the left, expand NetScaler Gateway, and click Virtual Servers.
  4. On the right, click Add.
  5. Name it or similar.
  6. Enter a new VIP that will be exposed to the Internet (typically through NAT).
  7. Click More.

    1. If you don’t have enough NetScaler Gateway Universal licenses installed for all of your Gateway users, then check the box next to ICA Only. This option disables SmartAccess and VPN features but does not require any additional licenses. Note: most NetScaler Editions come with built-in Universal Licenses.
    2. Note: it’s also possible to disable authentication on Gateway and make StoreFront do it instead as described in Citrix CTX200066 How to Log On to StoreFront When Authentication is Disabled on NetScaler Gateway VIP. However, it’s more secure to require Gateway to authenticate the users before the user can communicate with StoreFront.
    3. Check the box next to DTLS.
      • DTLS enables the EDT protocol, UDP Audio, and Framehawk.
      • EDT requires UDP 443 on the client side, and UDP 1494/2598 on the server side.
      • If this NetScaler is in Azure, then you might have to reduce the MTU/MSS. See EDT-Adaptive Transport with Azure Netscaler at Citrix Discussions. 💡
    4. Click OK to close the Basic Settings section.
  8. In the Certificates section, click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the radio button next to a previously created certificate that matches the NetScaler Gateway DNS name, and click Select.
    3. Click Bind.
  9. Click Continue to close the Certificates section.
  10. In the Basic Authentication section, click the plus icon in the top right. Note: NetScaler Gateway 12 seems to only support Basic Authentication policies, and not Advanced Authentication policies. For Advanced Authentication Policies, you’ll instead need to configure nFactor.

    1. Change the Choose Policy drop-down to LDAP,
    2. Leave the Choose Type drop-down set to Primary, and click Continue.
    3. If you’ve already created an LDAP Policy, then click where it says Click to select, and select the policy.

    4. If you used the Authentication Dashboard to create an LDAP Server, then you probably haven’t created the corresponding LDAP Policy yet. Click the plus icon to create a new policy.

      1. Use the Server drop-down to select the previously created LDAP Server.
      2. Give the policy a name. The Policy name can match the Server name.
      3. In the Expression box, enter ns_true (a Basic or Classic expression), or select it from the Saved Policy Expressions drop-down. Click Create.
    5. Click Bind.
    6. Or, for two-factor authentication, you will need to bind two Basic authentication policies to Primary and two Basic authentication policies to Secondary:
      • Primary = LDAP for Browsers (User-Agent does not contain CitrixReceiver)
      • Primary = RADIUS for Receiver Self-Service (User-Agent contains CitrixReceiver)
      • Secondary = RADIUS for Browsers (User-Agent does not contain CitrixReceiver)
      • Secondary = LDAP for Receiver Self-Service (User-Agent contains CitrixReceiver)
  11. Click Continue to close the Basic Authentication section.
  12. In the Advanced Authentication section, click Continue.
  13. Scroll down to the Profiles section, and click the pencil icon.
  14. In the TCP Profile drop-down, do one of the following:
    1. Follow the instructions at Citrix CTX232321 Recommended TCP Profile Settings for Full Tunnel VPN/ICAProxy from NetScaler Gateway 11.1 Onwards. In this case, there’s no need to change the TCP Profile. 💡
    2. Or, select nstcp_default_XA_XD_profile, and click OK to close the Profiles section.
  15. To bind the Session Policies, scroll down to the Policies section, and click the plus icon near the top right.

    1. Select Session, select Request, and click Continue.
    2. Click where it says Click to select.
    3. Click the radio button next to one of the Receiver Session Policies, and click Select. It doesn’t matter in which order you bind them.
    4. There’s no need to change the priority number. Click Bind.
  16. Repeat these steps to bind the second policy. In the Policies section, click the plus icon near the top right.

    1. Select Session, select Request, and click Continue.
    2. Click Add Binding.
    3. Click where it says Click to select.
    4. Click the radio button next to the other Receiver session policy, and click Select.
    5. There’s no need to change the priority number. Click Bind.
    6. The two policies are mutually exclusive so there’s no need to adjust priority. Click Close.
  17. To bind STAs, on the right, in the Advanced Settings section, click Published Applications.
  18. On the left, in the Published Applications section, click where it says No STA Server.

    1. Enter a Delivery Controller in the https://<Controller_FQDN> or http://<Controller_FQDN> format, depending on whether SSL is enabled on the Delivery Controller. This must be an FQDN or IP address. Short names don’t work.
    2. Click Bind.
  19. To bind another Secure Ticket Authority server, on the left, in the Published Applications section, click where it says 1 STA Server.

    1. In the VPN Virtual Server STA Server Binding section, click Add Binding.
    2. Enter the URL for the second Controller, and click Bind.
    3. This view shows if the STAs are reachable or not. To refresh the view, close the STA Server Bindings list, and reopen it.
  20. On the right, in the Advanced Settings column, click Portal Themes.
  21. On the left, in the Portal Theme section, change the drop-down to RfWebUI. You can also click the plus icon to create a theme.
  22. Click OK to close the Portal Theme section.
  23. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind an A+ Cipher Group, and enable Strict Transport Security.
  24. Click Done when done.
  25. Configure SSL Redirect for the NetScaler Gateway DNS name and VIP.
  26. Configure StoreFront to use NetScaler Gateway.

The CLI commands to create a NetScaler Gateway vServer for ICA Proxy are shown below:

add vpn vserver SSL 443 -icaOnly ON -dtls ON -tcpProfileName nstcp_default_XA_XD_profile
bind vpn vserver -policy "Receiver Self-Service" -priority 100
bind vpn vserver -policy "Receiver for Web" -priority 110
bind vpn vserver -policy Corp-Gateway -priority 100
bind vpn vserver -staServer "http://xdc01.corp.local"
bind vpn vserver -staServer "http://xdc02.corp.local"
bind vpn vserver -portaltheme RfWebUI

Verify SSL Settings

After you’ve created the NetScaler Gateway Virtual Server, run the following tests to verify SSL:

  1. Citrix CTX200890 – Error: “Failed with status 1110” When Launching Desktops or Apps Through NetScaler Gateway: You can use OpenSSL to verify the certificate. Run the command openssl s_client -connect and replace the FQDN with your FQDN. OpenSSL is installed on the NetScaler, or you can download and install it on any machine.
  2. Go to and check the security settings of the website. Citrix Blogs – Scoring an A+ at with Citrix NetScaler – Q2 2018 update.
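As an added example (not code from the original page or from Citrix), this Python performs the checks the two steps above and step 23 of the vServer procedure call for: SAN coverage for the Gateway FQDN and the email-discovery names, the negotiated TLS version, and whether Strict Transport Security is sent. The certificate dictionary and host names are constructed samples; check_gateway needs network access to a real Gateway.

```python
import socket
import ssl
from http.client import HTTPSConnection
from typing import Dict, Iterable, List

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
# The second DNS name is a placeholder for the email-discovery SAN the page describes.
SAMPLE_CERT = {
    "subject": ((("commonName", "gateway.corp.local"),),),
    "subjectAltName": (("DNS", "gateway.corp.local"), ("DNS", "email-discovery-san.corp.com")),
}


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def missing_sans(cert: dict, required: Iterable[str]) -> List[str]:
    """Required names (Gateway FQDN plus one per email suffix) that the SAN list lacks."""
    present = {name.lower() for name in san_dns_names(cert)}
    return [name for name in required if name.lower() not in present]


def check_gateway(fqdn: str, required_sans: Iterable[str], port: int = 443) -> Dict[str, object]:
    """Live check against a Gateway (needs network): negotiated TLS version, SAN
    coverage, and whether Strict-Transport-Security is sent, as step 23 expects."""
    ctx = ssl.create_default_context()  # refuses SSLv3 and validates the chain
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    conn = HTTPSConnection(fqdn, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", "/")
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
    return {"tls_version": version, "missing_sans": missing_sans(cert, required_sans), "hsts": hsts}
```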

View ICA Connections

To view active ICA sessions, click the NetScaler Gateway node on the left, and then click ICA Connections on the right.

show vpn icaconnection

To view historical ICA sessions, search your Syslog server for ICASTART and/or LOGIN.

Or, if you don’t have a Syslog server configured, then search /var/log/ns.log on the local appliance. Source = CTX232581 How to View Active Users Sessions Connected to Specific NetScaler Gateway vServers. 💡
