NetScaler Gateway

MARIUS SANDBU

Revision: Version 1.03 (07.04/2016)

About the author

Marius Sandbu works as a Cloud Architect for Exclusive Networks in Norway, where he focuses on software-defined datacenter, end-user computing and cloud technologies. He is a Microsoft Azure MVP, Veeam Vanguard and VMware vExpert, and the author of Implementing NetScaler VPX and Mastering NetScaler VPX. He can be contacted on Twitter at @msandbu or by email at [email protected]. His blog is at http://msandbu.wordpress.com

Information about this eBook

This short eBook covers most of the different configuration options that are possible with NetScaler Gateway and also digs into Unified Gateway, which is part of NetScaler version 11. It is intended for consultants who work with NetScaler Gateway and want to use it as a reference guide for troubleshooting or for checking a configuration.

The book is split into different sections; for instance, there is a separate section for ICA-proxy setup and another for Clientless Access and Full VPN. Some sections are also just grouped together because of my inability to group properly.

This book is not by any means a full guide to NetScaler Gateway, but I am dependent on feedback to make it even better. If you have any feedback, please send it to

Special thanks to my reviewers!

- Daniel Wedel
- Carl Stalhood
- Carl Behrent
- Dave Brett

Any feedback can be directed to my email [email protected]

NOTE: the information presented in this eBook is based on NetScaler version 11.0, XenDesktop 7.8 and StoreFront 3.5, unless stated otherwise.

Contents

NetScaler Gateway basics ..... 6
Licensing and editions ..... 8
When to use what? ..... 11
NetScaler and traffic flow ..... 12
General settings for NetScaler ..... 14
External authentication for administrators ..... 14
Setting up ICA-proxy ..... 16
ICA-proxy traffic flow ..... 16
Virtual server setup ..... 18
Certificates ..... 20
Authentication ..... 22
SSL settings ..... 25
Profiles ..... 26
TCP profiles ..... 27
Published applications ..... 32
Policies ..... 32
Citrix Receiver policy ..... 33
Citrix Receiver for Web policy ..... 34
StoreFront ..... 35
Summary ICA-proxy ..... 38
ICA Proxy with two-armed setup ..... 38
Double-hop configuration ..... 41
Framehawk and Audio over DTLS ..... 43
RDP Proxy ..... 45
GSLB and Zone feature ..... 50
GSLB basics ..... 50
Authoritative DNS ..... 52
Zone-based GSLB deployment ..... 53
VPN and Endpoint Analysis ..... 53
Full VPN with endpoint scanning ..... 54
Preauthentication policy ..... 54
Session policy ..... 60
Split tunneling ..... 61
Client IP pools ..... 62
Clientless Access ..... 62
Adding resources ..... 65
Binding the features together ..... 67
Unified Gateway ..... 68
Smart Access - Access Policy ..... 73
Smart Control - ICA Policies ..... 75
Group-based access ..... 77
High availability ..... 79
Cross-subnet high availability ..... 83
Failsafe mode ..... 83
VMAC ..... 84
Upgrading ..... 86
Portal customization ..... 88
Binding an EULA to the portal ..... 90
Security settings ..... 90
Authentication and Authorization ..... 99
SAML authentication ..... 99
Allow password change from NetScaler Gateway ..... 104
Allow password change from StoreFront ..... 106
Multifactor authentication ..... 107
Authorization ..... 112
Troubleshooting ..... 115
Endpoint Access ..... 115
Name resolution not working ..... 115
ICA-proxy ..... 116
Cannot complete your request ..... 116
Your logon has expired ..... 117
Unknown Client error 1110 ..... 117
Cannot Start Desktop "COMPUTERNAME" ..... 118
Error: Login exceeds maximum allowed users ..... 118
Http/1.1 Internal Server Error 43531 ..... 119
403 - Forbidden: Access is denied ..... 119
Authentication ..... 119
Other design examples ..... 121
Multitenant ICA-Proxy ..... 121
Monitoring ..... 125
Insight Center ..... 125
Command Center ..... 127
Goliath IT Analytics for NetScaler ..... 128
System Center Operations Manager ..... 130

NetScaler Gateway basics

NetScaler Gateway is a feature that delivers remote access for end users. It can take the form of remote access using Citrix Receiver, where the NetScaler Gateway proxies connections to backend XenDesktop servers. It can also take the form of clientless access, meaning that a regular web browser is used to get access to, for instance, internal web resources or even files. We can also use it for full VPN access, meaning that the endpoint becomes part of an internal network and can communicate directly with internal resources over a secure VPN tunnel.

NOTE: NetScaler Gateway is one of the most commonly used features within Citrix NetScaler. It can either be used as a feature on the NetScaler VPX/MPX, or we can buy the NetScaler Gateway VPX/MPX, which is licensed only to do NetScaler Gateway.

So for instance, if we are using Citrix Receiver for remote access, it will connect directly to the Gateway virtual server, which will then establish a connection with the backend XenDesktop farm. If we use the full VPN client, we can either use the NetScaler as the source IP to browse internal resources, or we can be given an IP from a DHCP scope. We can also use clientless access, which gives us SSL VPN over a regular Internet browser and allows us to browse internal web resources and file servers.

In NetScaler 11, Citrix introduced something called Unified Gateway, which allows us to aggregate load-balanced web services, cloud services and internal Citrix applications in a unified app portal.

Unified Gateway leverages two additional features, content switching and AAA. The AAA module is used to deliver SSO against different resources, such as internal load-balanced resources and cloud applications like Salesforce or Office 365. Therefore, it is important to remember that Unified Gateway is not a feature available on the NetScaler Gateway MPX/VPX.

There will be more about Unified Gateway later in the eBook.

NetScaler Gateway is essentially a virtual server which listens for requests on port 443 by default and, depending on the configuration, can act as an ICA Proxy-only virtual server or as a multi-purpose remote access solution. When a user tries to connect to the virtual server, they will be asked to authenticate against whichever authentication policy is triggered; after successful authentication, the user is processed against different policies, which may allow them to set up an ICA proxy session with a backend XenDesktop server or full VPN access.

All of the ICA proxy setup and most of the VPN setup and configuration is done using session policies, where we define the address of StoreFront and how the client should behave. Here we can also specify some of the particular VPN settings. Some VPN settings are also done at the virtual server level, for instance whether a virtual server should only be configured as an ICA proxy server or whether it can be used for the more advanced features like SSL VPN and/or full VPN. We also have traffic policies, which are used to define, for instance, SSO properties for backend resources, to enforce network traffic rules and to disable certain features. This is pretty much the essence of how NetScaler Gateway looks and behaves.

Licensing and editions

NetScaler Gateway can be used as a feature on a regular NetScaler appliance (running either Standard, Enterprise or Platinum edition), or it can be used as a separate appliance: either NetScaler Gateway MPX, which is a physical appliance, or NetScaler Gateway VPX, which is a virtual appliance. The difference between the NetScaler Gateway appliance and the regular NetScaler is that the Gateway appliance ONLY has the Gateway feature.

There are two different licenses for use with NetScaler Gateway. The first is the platform license, which is needed to use the NetScaler platform and to activate the Gateway feature; the other is the Universal license, which enables additional features. The important thing to remember is that the Universal license is optional, depending on whether we need those features, while the platform license is mandatory.

The regular NetScaler appliance, physical or virtual, is licensed using the hostID, and the Gateway feature is included as a sub-feature. The hostID of the appliance can be retrieved from the CLI using the show hardware command and then needs to be entered in the Citrix licensing portal. If we use a NetScaler Gateway appliance, it needs to be licensed using the hostname, which can be configured and retrieved from the CLI using the set hostname and show hostname commands.

Both these options will give us a platform license. With just the platform license, we get the following features:

- ICA Proxy
- NetScaler high availability
- Central administration using Command Center
- Unlimited virtual servers

Note that there is no user limit with the platform license: when we allocate a platform license to a NetScaler, it is bound to the appliance. This also means that there is no licensed user limit for the ICA proxy solution; it is only limited by the number of users the NetScaler can handle.

Universal license

By default, all NetScaler appliances (NetScaler Gateway, NetScaler Standard and NetScaler Enterprise) come with five Universal licenses. NetScaler Platinum comes with 100 Universal licenses. If more users are needed, additional Universal licenses have to be bought; they are sold as concurrent user licenses.

A Universal license is required if we want to use NetScaler Gateway with the following features:

- SSL VPN
- Full VPN access
- MicroVPN for XenMobile
- CloudBridge integration
- Endpoint analysis
- SmartAccess
- Secure access to ShareFile / XenMobile

Universal licenses are also licensed using the hostname when defined in the Citrix licensing portal. Licenses can simply be added using the GUI by going into the management portal under System > Licenses > Manage Licenses > Add New License.

After a license has been added, we can see which features we have access to (depending on the platform license) and the Maximum NetScaler Gateway Users Allowed, which specifies the number of concurrent Universal licenses we have.

How a NetScaler chooses between the different licenses is defined at the virtual server level. A virtual server can be either in Basic mode or in SmartAccess mode. If a virtual server is in Basic mode, it uses the platform license and we are given access to the ICA proxy feature. In version 11 this is defined as ICA only mode, which can be enabled/disabled under