Session Policies for StoreFront – NetScaler Gateway 11.1

Last Modified: Nov 7, 2020 @ 6:35 am

This page details creation of session profiles and session policies for NetScaler Gateway 11.1 where ICA Only is checked.

Partly based on Citrix Knowledgebase Article CTX139963 – How to Configure NetScaler Gateway with StoreFront

Session Profiles/Policies CLI Commands

The CLI commands are shown below:

add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"

add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp -clientlessVpnMode OFF

add vpn sessionPolicy "Receiver Self-Service" "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" "Receiver Self-Service"

add vpn sessionPolicy "Receiver for Web" "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" "Receiver for Web"

Session Profiles

Or use the GUI to create the policies/profiles:

  1. On the left, expand NetScaler Gateway, expand Policies and click Session.
  2. On the right, switch to the Session Profiles tab, and click Add.
  3. Name the first one ReceiverSelfService or similar. This is for Receiver Self-Service (not in a web browser).
  4. Switch to the Client Experience tab.
  5. On the Client Experience tab, check the Override Global box next to Clientless Access and set it to Allow. Scroll down.
  6. Check the Override Global box next to Plug-in Type and set it to Java.
  7. Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.
  8. If you need two-factor authentication, the session policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to PRIMARY.
  9. On the Security tab, check the Override Global box next to Default Authorization Action and set it to Allow.
  10. On the Published Applications tab, check the Override Global box next to ICA Proxy and set it to ON.
  11. Check the Override Global box next to Web Interface Address and enter the load balanced URL to the StoreFront servers. You can use an IP address. Don’t add any path to the end of the URL.
  12. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. StoreFront needs to accept this domain name (Configure Trusted Domains).
  13. If you have multiple domains, then leave Single Sign-on Domain field blank, and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
  14. For Account Services Address, enter the Base URL for StoreFront. NetScaler needs to be able to resolve this DNS name.
  15. Click Create.
  16. Click the ellipsis next to the existing session profile and click Add. This copies the settings from the existing profile into the new one.
  17. Change the name of the second Session Profile to ReceiverForWeb or similar.
  18. On the Client Experience tab, Clientless Access should be set to Allow. Scroll down.
  19. Plug-in Type should still be set to Java.
  20. Single Sign-on to Web Applications should be enabled.
  21. If you need two-factor authentication, the session policy for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service policy needs SECONDARY as detailed earlier.
  22. On the Security tab, the Default Authorization Action should still be Allow.
  23. On the Published Applications page, for the Web Interface Address field, add the path to your Receiver for Web site (e.g. /Citrix/StoreWeb).
  24. Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
  25. Account Services Address is not needed in this profile but there’s no harm in leaving it.
  26. Click Create.

Session Policies

  1. On the right, switch to the Session Policies tab, and click Add.
  2. Name the Policy ReceiverSelfService or similar.
  3. Change the Request Profile to ReceiverSelfService.
  4. In the Expression box, either type in the following, or use the Expression Editor link to build the following expression:
    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

  5. Then click Create.
  6. Add another policy, and name it ReceiverForWeb or similar.
  7. Change the Action to ReceiverForWeb.
  8. In the Expression box, either type in the following, or use the Expression Editor. It’s the same as the previous expression, except it’s NOTCONTAINS instead of CONTAINS.
    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  9. Click Create.
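The CLI commands above and the GUI steps produce the same two profiles and two policies, and the whole scheme rests on a few invariants: ICA Proxy, SSO and Default Authorization set on both profiles, no path on the Self-Service Web Interface Address but a site path on the Receiver for Web one, an Account Services Address on the Self-Service profile, and two User-Agent expressions that between them cover every request. The following Python script is an added example, not code from this page or from Citrix: it parses the four `add vpn ...` lines as they would appear in ns.conf (the sample text is constructed from the commands shown above), lints those invariants, and shows which profile a given User-Agent would land on. The classic-expression evaluator is a deliberate simplification (plain case-sensitive substring match on one header) and the profile names are assumed to be exactly the ones used on this page.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample input: the four commands from this page, as they would sit in ns.conf.
SAMPLE_CONFIG = """
add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"
add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp -clientlessVpnMode OFF
add vpn sessionPolicy "Receiver Self-Service" "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" "Receiver Self-Service"
add vpn sessionPolicy "Receiver for Web" "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" "Receiver for Web"
"""

# Only the classic header expression form used on this page is understood.
CLASSIC_EXPR = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+(CONTAINS|NOTCONTAINS)\s+(\S+)$")


def parse_config(text):
    """Parse 'add vpn sessionAction' / 'add vpn sessionPolicy' lines.

    Returns (actions, policies): actions maps profile name -> {parameter: value};
    policies is the ordered list of {name, expr, action}.
    """
    actions, policies = {}, []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # honours the double-quoted names and URLs
        if tokens[:3] == ["add", "vpn", "sessionAction"]:
            params, i = {}, 4
            while i < len(tokens):
                key = tokens[i].lstrip("-")
                # Every parameter in the sample takes one value; a bare flag is recorded as True.
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    params[key] = tokens[i + 1]
                    i += 2
                else:
                    params[key] = True
                    i += 1
            actions[tokens[3]] = params
        elif tokens[:3] == ["add", "vpn", "sessionPolicy"]:
            policies.append({"name": tokens[3], "expr": tokens[4], "action": tokens[5]})
    return actions, policies


def evaluate(expr, headers):
    """Evaluate a classic header expression against a dict of request headers.

    Simplification (assumption): a plain, case-sensitive substring test on one header;
    a missing header is treated as an empty string, so NOTCONTAINS matches it.
    """
    m = CLASSIC_EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    header, op, needle = m.groups()
    hit = needle in headers.get(header, "")
    return hit if op == "CONTAINS" else not hit


def select_profile(policies, headers):
    """Return the profile of the first policy (in bound order) whose expression matches."""
    for p in policies:
        if evaluate(p["expr"], headers):
            return p["action"]
    return None


def lint(actions, policies):
    """Check the invariants the page's steps establish; returns findings (empty list = OK)."""
    findings = []
    ss, web = actions.get("Receiver Self-Service"), actions.get("Receiver for Web")
    if ss is None or web is None:
        return ["both 'Receiver Self-Service' and 'Receiver for Web' profiles must exist"]
    for name, a in actions.items():
        if a.get("icaProxy") != "ON":
            findings.append(f"{name}: ICA Proxy must be ON for an ICA-only gateway")
        if a.get("SSO") != "ON":
            findings.append(f"{name}: Single Sign-on to Web Applications must be ON")
        if a.get("defaultAuthorizationAction") != "ALLOW":
            findings.append(f"{name}: Default Authorization Action must be ALLOW")
    if urlparse(ss.get("wihome", "")).path not in ("", "/"):
        findings.append("Receiver Self-Service: Web Interface Address must carry no path")
    if "storefronturl" not in ss:
        findings.append("Receiver Self-Service: Account Services Address (storefronturl) is missing")
    if urlparse(web.get("wihome", "")).path in ("", "/"):
        findings.append("Receiver for Web: Web Interface Address needs the site path (e.g. /Citrix/StoreWeb)")
    # The two policies must split every request: a Receiver User-Agent goes to Self-Service,
    # anything else (including a request with no User-Agent at all) goes to the web profile.
    for ua, want in (("CitrixReceiver/4.12", "Receiver Self-Service"),
                     ("Mozilla/5.0", "Receiver for Web"),
                     (None, "Receiver for Web")):
        got = select_profile(policies, {} if ua is None else {"User-Agent": ua})
        if got != want:
            findings.append(f"User-Agent {ua!r} selects {got!r}, expected {want!r}")
    return findings


def check(text):
    """Lint a config text; returns the list of findings."""
    actions, policies = parse_config(text)
    return lint(actions, policies)


def route(text, user_agent):
    """Profile name the bound policies would apply for the given User-Agent (None = no header)."""
    _, policies = parse_config(text)
    return select_profile(policies, {} if user_agent is None else {"User-Agent": user_agent})


if __name__ == "__main__":
    print(check(SAMPLE_CONFIG) or "sample config passes all checks")
    print(route(SAMPLE_CONFIG, "CitrixReceiver/4.12.0.18020"))
    print(route(SAMPLE_CONFIG, None))
```

Run it against an exported ns.conf by passing the relevant lines to `check()`; the NOTCONTAINS policy also catches requests with no User-Agent header at all, which is worth knowing when reading gateway logs for unexpected Receiver for Web sessions.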

18 thoughts on “Session Policies for StoreFront – NetScaler Gateway 11.1”

  1. Hi Carl,

    In command line, clientless is shown as this:
    -clientlessVpnMode OFF

    and your screenshot set clientless as Allow.

    Is it a mistake or do I misunderstand?

    1. In older NetScaler, I think the options are: On, Allow, and Disabled. I think Allow is what the GUI shows for Off in the CLI. In newer NetScaler, in the GUI they renamed Allow to Off to match the CLI.

  2. Hi Carl, great article.
    I have a question, in case it is necessary to configure Always On profile name?
    Regards,
    Eduardo

      1. Thanks for answering. The platform we have is XenApp 7.12 and NetScaler 11.1.55.10. My question was because we have it configured in the company for vpn issues, but it is having a rather erratic behavior. Sometimes it works and sometimes it does not. Would you have an article where you explain or comment the steps for its correct configuration? Thanks in advance.

  3. Hi Carl,

    Are Net Profile settings working on an Access Gateway vServer? I’ve got a second NetScaler to load balance the StoreFront. But my primary DMZ NetScaler does not communicate over the Net Profile IP to the StoreFront LB. Do Net Profiles just work with TM Load Balance vServers?

    1. I’m not aware of any issues with Net Profile. Nstcpdump.sh doesn’t show it using the correct IP?

  4. It seems that in build 51.26, these policies and actions are auto-created by the wizard binding with “XenApp and XenDesktop”.
    They are called:
    PL_OS_x.x.x.x
    PL_WB_x.x.x.x
    AC_OS_x.x.x.x
    AC_WB_x.x.x.x

    Am I wrong ?

    1. I never use the wizard but those look correct. What are you asking? Is something not working?

        1. You don’t need to do both. If the wizard works for you, great. If not, my manual instructions always work.

  5. Hi Carl,

    Is there a way to limit the client selection screen to display Clientless and VPN access options only but still have the XenApp published apps show up under Clientless Access?

    The goal is to have our support folks choose either Clientless access providing both XenApp and Gateway apps or use the full VPN.

    Thank You

    Joe

  6. I’ve created a bookmark and bound it to the NetScaler Gateway virtual server. The virtual server is configured with StoreFront. The bookmark never displays and I don’t have an option to create personal bookmarks. I’ve also tried binding the bookmark globally without success. The bookmark never displays when I log on. Is there another configuration that I might be missing? I’m running NetScaler 11.1 and StoreFront 3.6.

    1. What do you see? Is Clientless Access enabled? If you enabled Client Choices, did you click the correct box to display the portal page? Did you avoid changing the Home Page in the Session Policy/Profile?

      What Portal Theme? RfWebUI?

      1. I see favorites, Desktop, and Apps at the top. Clientless access is configured to allow and I’ve tried changing it to on and still was unable to see the bookmark. Client choices is not enabled. I have no home page configured. I’m using a custom portal theme. I did switch it over to RfWebUI and still have the same results.

        Thanks.

  7. Hi Carl,

    Great article.

    I’ve been testing the Receiver across various devices, but seem to run into problems on Android and Windows Mobile with the above setup. If I use the above setup I can log in on Android but not Windows.

    I can, however, get both working if I specify the remoteaddress/citrix/storeweb, but with the Android app it goes to the StoreFront Web Address.

    Have you experienced this before?

    Also, with the Android Receiver, when I click on the log off button and try to log back in I get HTTP 1.1/ Object not found.

    Another weird one: when opening multiple applications it doesn’t open the active application, but the previous applications.

    This works on iPad, but on all other mobile devices it doesn’t.

    Regards,
    Shaun
