Application Delivery Management

Gateway Insight

In a NetScaler Gateway deployment, visibility into a user’s access details is essential for troubleshooting access failure issues. As a network administrator, you want to know when a user is not able to log on to NetScaler Gateway, and you want to know the user activity and the reasons for logon failure. This information is typically not available unless the user sends a request for resolution.

Gateway Insight provides visibility into the failures encountered by all users, regardless of the access mode, at the time of logging on to NetScaler Gateway. You can view a list of all available users, number of active users, number of active sessions, and bytes and licenses used by all users at any given time. You can view the end-point analysis (EPA), authentication, single sign-on (SSO), and application launch failures for a user. You can also view the details of active and terminated sessions for a user.

Gateway Insight also provides visibility into the reasons for application launch failure for virtual applications. This enhances your ability to troubleshoot any kind of logon or application launch failure issues. You can view the number of applications launched, the number of total and active sessions, the number of total bytes, and the bandwidth consumed by the applications. You can view details of the users, sessions, bandwidth, and launch errors for an application.

You can view the number of gateways, number of active sessions, total bytes, and bandwidth used by all gateways associated with a NetScaler Gateway appliance at any given time. You can view the EPA, authentication, single sign-on, and application launch failures for a gateway. You can also view the details of all users associated with a gateway and their logon activity.

All log messages are stored in the NetScaler ADM database, so you can view error details for any time period. You can also view a summary of the logon failures and determine at what stage of the logon process a failure has occurred.

Points to note

  • Gateway Insight is supported on the following deployments:
    • Access Gateway
    • Unified Gateway
  • The NetScaler ADM release and build must be the same or later than that of the NetScaler Gateway appliance.

  • One hour of Gateway Insight reports can be viewed for NetScaler instances with Advanced license. A Premium license is a must view Gateway Insight reports beyond one hour.

Limitations

  • NetScaler Gateway does not support Gateway Insight when the authentication method is configured as certificate-based authentication.

  • For Gateway Insight reporting, geo location information is not provided from the NetScaler appliance.

  • Successful user logons, latency, and application-level details for virtual ICA applications and desktops are visible only on the HDX Insight Users dashboard.

  • In a double-hop mode, visibility into failures on the NetScaler Gateway appliance in the second DMZ is not available.

  • Remote Desktop Protocol (RDP) desktop access issues are not reported.

  • Gateway Insight is supported for the following authentication types. If other authentication type is used other than these, you might see some discrepancies in Gateway Insight.

    • Local
    • LDAP
    • RADIUS
    • TACACS
    • SAML
    • Native OTP
    • OAuth-OpenID Connect

      For the OAuth-OpenID Connect authentication, NetScaler can act as an OAuth-OpenID connect relying party (RP) or OAuth-OpenID connect identity provider (IdP). When the authentication succeeds, the user name is reported under the Users tab in the Gateway Insight report. However, you cannot identify whether the session was created at IdP or RP.

      Note: OAuth-OpenID Connect authentication is supported from NetScaler ADM release 13.1 build 4.xx and later.

Enable Gateway Insight

To enable Gateway Insight for your NetScaler Gateway appliance, you must first add the NetScaler Gateway appliance to NetScaler ADM. You must then enable AppFlow for the virtual server representing the VPN application. For information about adding device to NetScaler ADM, see Adding Devices.

Note

To view end-point analysis (EPA) failures in NetScaler ADM, you must enable AppFlow authentication, authorization, and auditing user name logging on the NetScaler Gateway appliance.

The following procedure to enable gateway insight is applicable if your NetScaler ADM is 13.0 Build 36.27:

  1. Navigate to Infrastructure > Instances, and select the instance for which you want to enable AppFlow.

  2. From the Select Action list, select Configure Analytics.

  3. In the Configure Insight page, under Configure Analytics, select NetScaler Gateway.

  4. Select the virtual server and then click Enable AppFlow.

  5. On the Enable AppFlow screen, in the Select Expression list, click true.

  6. Next to Transport Mode, select the Logstream check box.

    Note

    You can choose either IPFIX or Logstream as transport mode.

    For more information about IPFIX and Logstream, see Logstream overview.

  7. Click OK.

For NetScaler ADM version 13.0 Build 41.x or later

  1. Navigate to Infrastructure > Instances, and select the instance.

  2. From the Select Action list, select Configure Analytics.

  3. Select the virtual server and click Enable Analytics.

  4. Under Advanced Options:

    1. Select Logstream

    2. Select NetScaler Gateway

  5. Click OK.

Enable AppFlow authentication, authorization, and auditing user name logging on a NetScaler Gateway appliance by using the GUI

  1. Navigate to Configuration > System > AppFlow > Settings, and then click Change AppFlow Settings.

  2. In the Configure AppFlow Settings screen, select AAA Username, and then click OK.

Viewing Gateway Insight reports

In NetScaler ADM, you can view reports for all users, applications, and gateways associated with the NetScaler Gateway appliances, and you can view details for a particular user, application, or gateway. In the Overview section, you can view the EPA, SSO, Authentication, and Application Launch failures. You can also view a summary of the different session modes used by users to log on, the types of clients, and the number of users logged on every hour.

Note

When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. NetScaler ADM analytics now supports virtual IP address based authorization. Your users can now see reports for all Insights for only the applications (virtual servers) that they are authorized to. For more information on groups and assigning users to the group, see Configure Groups.

To view EPA, SSO, authentication, authorization, and application launch failures

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight.

  2. Select the time period for which you want to view the user details. You can use the time slider to further customize the selected period. Click Go.

  3. Click the EPA (End Point Analysis), Authentication, Authorization, SSO (Single Sign On), or Application Launch tabs to display the failure details.

    Click EPA to see failure details

To view a summary of session modes, clients, and the number of users

In NetScaler ADM, navigate to Gateway > Gateway Insight, scroll down to view the reports.

Gateway Insight page

Activity graph

Viewing Gateway Insight reports for users

You can view the reports for:

  • All users associated with the NetScaler Gateway appliances.

  • The EPA, authentication, SSO, and application launch failures for a user.

  • The details of active and terminated sessions for a user.

  • The types of session modes such as Full Tunnel, clientless VPN, and ICA Proxy.

To view user details

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight > Users.

  2. Select the time period for which you want to view the user details. You can use the time slider to further customize the selected period. Click Go.

  3. You can view the number of active users, number of active sessions, bytes, and licenses used by all users during the time period.

    Gateway insight user report

Scroll down to view a list of available users and active users.

Active users

On the Users or Active Users tab, click a user to view the following user details:

  • User details - You can view insights for each user associated with the ADC Gateway appliances. Navigate to Gateway > Gateway Insight > Users and click a user to view insights for the selected user such as Session Mode, Operating System, and Browsers.

    User details

  • Users and applications for the selected gateway - Navigate to Gateway > Gateway Insight > Gateway and click a gateway domain name to view the top 10 applications and top 10 users that are associated with the selected gateway.

    User and application

  • View more option for applications and users – For more than 10 applications and users, you can click the more icon in Applications and Users to view all users and applications details that are associated with the selected gateway.

  • View details by clicking the bar graph – When you click a bar graph, you can view the relevant details. For example, navigate to Gateway > Gateway Insight > Gateway and click the gateway bar graph to view the gateway details.

    Bar graph

  • The user Active Sessions and Terminated Sessions.

    Gateway Insight active and terminated sessions

  • The gateway domain name and gateway IP address in Active Sessions.

  • The user login duration.

    Gateway Insight login duration

  • The reason for the user logout session. The logout reasons can be:

    • Session timed out
    • Logged out because of internal error
    • Logged out because of inactive session timed out
    • User has logged out
    • Administrator has stopped the session

Viewing Gateway Insight reports for applications

You can view the number of applications launched, the number of total and active sessions, the number of total bytes and bandwidth consumed by the applications. You can view details of the users, sessions, bandwidth, and launch errors for an application.

To view application details

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight > Applications.

  2. Select the time period for which you want to view the application details. You can use the time slider to further customize the selected time period. Click Go.

You can now view the number of applications launched, the number of total and active sessions, the number of total bytes and bandwidth consumed by the applications.

Application details

Scroll down to view the numbers of sessions, bandwidth, and total bytes consumed by ICA and other applications.

Other application details

On the Other Applications tab, you can click an application in the Name column to display details of that application.

Viewing Gateway Insight reports for gateways

You can view the number of gateways, number of active sessions, total bytes, and bandwidth used by all gateways associated with a NetScaler Gateway appliance at any given time. You can view the EPA, authentication, single sign-on, and application launch failures for a gateway. You can also view the details of all users associated with a gateway and their logon activity.

To view gateway details

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight > Gateways.

  2. Select the time period for which you want to view the gateway details. You can use the time slider to further customize the selected time period. Click Go.

You can now view the number of gateways, number of active sessions, total bytes, and bandwidth used by all gateways associated with a NetScaler Gateway appliance at any given time.

Gateway activity details

Scroll down to view the gateway details such as Gateway Domain Name, Virtual Server Name, NetScaler IP address, session modes, and Total Bytes.

Other gateway details

You can click a gateway in the Gateway Domain Name column to display the EPA, authentication, single sign-on, and application launch failures and other details for a gateway.

Exporting reports

You can save the Gateway Insight reports with all the details shown in the GUI in PDF, JPEG, PNG, or CSV format on your local computer. You can also schedule the export of the reports to specified email addresses at various intervals.

Note

  • Users with read only access cannot export reports.
  • Geo map reports are exported only if the NetScaler ADM has internet connectivity.

To export a report

  1. On the Dashboard tab, in the right pane, click the export button.

  2. Under Export Now, select the required format, and then click Export.

To schedule export:

  1. On the Dashboard tab, in the right pane, click the export button.

  2. Under Schedule Export, specify the details and click Schedule.

To add an email server or an email distribution list:

  1. On the Configuration tab, navigate to Settings > Notifications > Email.

  2. In the right pane, select Email Server, to add an email server, or select Email Distribution list to create an email distribution list.

  3. Specify the details and click Create.

To export the entire Gateway Insight dashboard:

  1. On the Dashboard tab, in the right pane, click the export button.

  2. Under Export Now, select PDF format, and then click Export.

Gateway Insight use cases

The following use cases show how you can use Gateway Insight to gain visibility into users’ access details, applications, and gateways on NetScaler Gateway appliances.

A user is not able to log in to the NetScaler Gateway appliance or to the internal web servers

You are a NetScaler Gateway administrator monitoring NetScaler Gateway appliances through NetScaler ADM, and you want to see why a user is unable to log in, or at what stage of the login process the failure has occurred.

NetScaler ADM enables you to view the user login error details in the following stages of the login process:

  • Authentication

  • End-point analysis (EPA)

  • Single sign-on

In NetScaler ADM, you can search for a particular user and then view all the details for that user.

To search for a user:

In NetScaler ADM, navigate to Gateway > Gateway Insight and, in the Search for Users text box, specify the user you want to search.

Authentication failures

You can view authentication errors such as incorrect credentials or no response from the authentication server. You can also see the factor at which the authentication failed.

To view the authentication failure details:

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight.

  2. In the Overview section, select the time period for which you want to view the authentication errors. You can use the time slider to further customize the selected time period. Click Go.

    Authentication errors view

  3. Click the Authentication tab. You can view the number of authentication errors at any given time in the Failures graph.

    Authentication failure graph

Scroll down to view details of each authentication error such as Username, Client IP Address, Error Time, Authentication type, Authentication Server IP Address, and more from the table on the same tab. The Error Description column in the table displays the reason for the logon failure, and the State column displays the nth factor at which the failure occurred.

Authentication failure details

You can click a user in the Username column to display the authentication errors and other details for that user. You can customize the table to add or delete columns by using the settings icon.

Important:

If OAuth-OpenID Connect authentication fails, the user name is displayed as NA in the Gateway Insight report for some of the failures, for example “Token verification failure”. In this failure, the user names are not available for authentication failure due to “Token verification failure” at the OAuth-OpenID connect relying party.

OAuth-OpenID Connect failure

EPA failures

You can view EPA failures at the pre-authentication or post-authentication stage.

Important:

  • EPA failures are reported only when classic expressions are configured.
  • EPA failures are not reported if advanced expression is configured in the pre-authentication or post-authentication policy.
  • EPA failures are not reported if EPA is configured as one of the factors in an nFactor authentication flow.

To view EPA failure details:

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight.

  2. In the Overview section, select the time period for which you want to view the EPA errors. You can use the time slider to further customize the selected time period. Click Go.

    EPA failures view

  3. Click the EPA (End Point Analysis) tab. You can view the number of EPA errors at any given time in the Failures graph.

    EPA failure graph

Scroll down to view details of each EPA error such as Username, NetScaler IP Address, Gateway IP Address, VPN, Error Time, Policy Name, Gateway Domain Name and more from the table on the same tab. The Error Description column in the table displays the reason for the EPA failure, and the Policy Name column displays the policy that resulted in the failure.

Other EPA failure details

You can click a user in the Username column to display the EPA errors and other details for that user. You can customize the table to add or delete columns by using the downward arrow.

Note

NetScaler Gateway doesn’t report the EPA failures when the “clientSecurity” expression is configured as a VPN session policy rule.

SSO failures

You can view the all the SSO failures at any stage for a user accessing any applications through the NetScaler Gateway appliance.

To view the SSO failure details:

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight.

  2. In the Overview section, select the time period for which you want to view the SSO errors. You can use the time slider to further customize the selected time period. Click Go.

    SSO failure view

  3. Click the SSO (Single Sign On) tab. You can view the number of SSO errors at any given time in the Failures graph.

    SSO failure graph

Scroll down to view details of each SSO error such as Username, NetScaler IP Address, Error Time, Error Description, Resource Name and more from the table on the same tab.

Other SSO failure details

You can click a user in the Username column to display the SSO errors and other details for that user. You can customize the table to add or delete columns by using the downward arrow.

After successfully logging on to NetScaler Gateway, a user is not able to launch any virtual application

For an application-launch failure, you can gain visibility into the reasons, such as inaccessible Secure Ticket Authority (STA) or Citrix Virtual App server, or invalid STA ticket. You can view the time the error occurred, details of the error, and the resource for which STA validation failed.

To view the application launch failure details:

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight.

  2. In the Overview section, select the time period for which you want to view the SSO errors. You can use the time slider to further customize the selected time period. Click Go.

    Application launch failure view

  3. Click the Application Launch tab. You can view the number of application launch failures at any given time in the Failures graph.

    Application launch failure graph

Scroll down to view details of each application launch error, such as NetScaler IP Address, Error Time, Error Description, Resource Name, Gateway Domain Name, and more, from the table on the same tab. The Error Description column in the table displays the IP address of the STA server and the Resource Name column displays the details of the resource for which the STA validation has failed.

Other application launch failure details

You can click a user in the Username column to display the application launch errors and other details for that user. You can customize the table to add or delete columns by using the downward arrow.

After successfully launching a new application, a user wants to view the total bytes and bandwidth consumed by that application

After you have successfully launched a new application, in NetScaler ADM, you can view the total bytes and bandwidth consumed by that application.

To view total bytes and bandwidth consumed by an application:

In NetScaler ADM, navigate to Gateway > Gateway Insight > Applications, scroll down and, on the Other Applications tab, click the application for which you want to view the details.

Byte and bandwidth consumption view

You can view the number of sessions and the total number of bytes consumed by that application.

Total number of sessions and bytes view

You can also view the bandwidth consumed by that application.

Bytes consumed by application view

A user has logged on to NetScaler Gateway successfully, but is unable to access certain network resources in the internal network

With Gateway Insight, you can determine whether the user has access to the network resources or not. You can also view the name of the policy that resulted in the failure.

To view user access for resources:

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight > Applications.

  2. On the screen that appears, scroll down, and on the Other Applications tab, select the application to which the user was unable to log on.

    User access details

  3. Scroll down and in the Users table, all the users that have access to that application are displayed.

Different users might be using different NetScaler Gateway deployments or might log on to NetScaler Gateway through different access modes. The administrator must be able to view details about the deployment types and access modes

With Gateway Insight, you can view a summary of the different session modes used by users to log on, the types of clients, and the number of users logged on every hour. You can also determine whether a user’s deployment is a unified gateway or classic NetScaler Gateway deployment. For unified gateway deployments, you can view the content switching virtual server name and IP address and the VPN virtual server name.

To view the summary of session modes, type of clients, and number of users logged on:

  1. In NetScaler ADM, navigate to Gateway > Gateway Insight.

  2. In the Overview section, scroll down to view the Session Mode, Operating Systems, Browsers, and User Logon Activity charts display the different session modes used by users to log on, the types of clients, and the number of users logged on every hour.

    Gateway Insight summary

    Gateway Insight summary graph

Gateway Insight