Configure Network Access Control device check for Citrix Gateway virtual server for single factor authentication deployment
This topic provides information on configuring Citrix Gateway to connect to an internal network from a mobile device (iOS and Android) with the Network Access Compliance (NAC) security offered by Microsoft Intune. When a user tries to connect to Citrix Gateway from an iOS or Android VPN client, the gateway first checks with the Intune service whether the device is both managed and compliant.
- Managed: The device is enrolled using the Intune Company Portal client.
- Compliant: The required policies pushed from the Intune MDM server are applied.
Only if the device is both managed and compliant is the VPN session established and the user given access to the internal resources.
Note:
In this setup, Citrix Gateway at the back-end talks to the Intune service. The SSL profiles handle the incoming connections to the Citrix Gateway. The Citrix Gateway back-end communication handles any SNI requirements of the back-end cloud services (Intune).
The Intune NAC check, for per-app VPN or even device-wide VPN, is supported only when the VPN profile is provisioned by the Intune management portal (now known as Microsoft Endpoint Manager). These features are not supported for end-user added VPN profiles. To use the NAC check, the end user's device must have the VPN profile deployed from Microsoft Endpoint Manager by their Intune administrator.
Licensing
Citrix Enterprise Edition license is required for this functionality.
System requirements
- Citrix Gateway release 11.1 build 51.21 or later
- iOS VPN – 10.6 or later
- Android VPN – 2.0.13 or later
- Microsoft
  - Azure AD access (with tenant and admin privileges)
  - Intune-enabled tenant
- Firewall
  - Enable firewall rules for all DNS and SSL traffic from the subnet IP address to https://login.microsoftonline.com and https://graph.windows.net (port 53 and port 443)
Prerequisites
- All existing authentication policies must be converted from classic to advanced policies. For information on how to convert from classic policies to advanced policies, see https://support.citrix.com/article/CTX131024.
- Create a Citrix Gateway application on the Azure portal. For details, see Configuring a Citrix Gateway application on the Azure portal.
- Configure the OAuth policy on the Citrix Gateway application that you created, using the following application-specific information:
  - Client ID / Application ID
  - Client secret / Application key
  - Azure tenant ID
References
- This document captures the Citrix Gateway setup configuration. Most of the Citrix SSO client (iOS/Android) configuration is done on the Intune side. For details on Intune VPN configuration for NAC, see https://docs.microsoft.com/en-us/mem/intune/protect/network-access-control-integrate.
- To configure the VPN profile for an iOS app, see https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-ios.
- To set up the Citrix Gateway application on the Azure portal, see Configuring a Citrix Gateway application on the Azure portal.
To add a Citrix Gateway Virtual Server with nFactor for Gateway deployment
- Navigate to Virtual Servers under the Citrix Gateway tree node.
- Provide the required information in the Basic Settings area and click OK.
- Select Server Certificate.
- Select the required server certificate and click Bind.
- Click Continue.
- Click Continue.
- Click Continue.
- Click the plus icon [+] next to Policies, select Session from the Choose Policy list, select Request from the Choose Type list, and click Continue.
- Click the plus icon [+] next to Select Policy.
- On the Create Citrix Gateway Session Policy page, provide a name for the session policy.
- Click the plus icon [+] next to Profile and, on the Create Citrix Gateway Session Profile page, provide a name for the session profile.
- On the Client Experience tab, select the check box next to Clientless Access and select Off from the list.
- Select the check box next to Plug-in Type and select Windows/macOS from the list.
- Click Advanced Settings, select the check box next to Client Choices, and set its value to ON.
- On the Security tab, select the check box next to Default Authorization Action and select Allow from the list.
- On the Published Applications tab, select the check box next to ICA Proxy and select OFF from the list.
- Click Create.
- Enter NS_TRUE in the Expression area on the Create NetScaler Gateway Session Policy page.
- Click Create.
- Click Bind.
- Select Authentication Profile in Advanced Settings.
- Click the plus icon [+] and provide a name for the authentication profile.
- Click the plus icon [+] to create an authentication virtual server.
- Specify a name and IP address type for the authentication virtual server in the Basic Settings area and click OK. The IP address type can also be Non Addressable.
- Click Authentication Policy.
- In the Policy Binding view, click the plus icon [+] to create an authentication policy.
- Select OAUTH as the Action Type and click the plus icon [+] to create an OAuth action for NAC.
- Create an OAuth action using the Client ID, Client Secret, and Tenant ID. These values are generated when you configure the NetScaler Gateway application on the Azure portal. Ensure that an appropriate DNS name server is configured on your appliance so that it can resolve and reach https://login.microsoftonline.com/, https://graph.windows.net/, and *.manage.microsoft.com.
- Create an authentication policy for the OAuth action with the following rule:
  http.req.header("User-Agent").contains("NAC/1.0") && ((http.req.header("User-Agent").contains("iOS") && http.req.header("User-Agent").contains("NSGiOSplugin")) || (http.req.header("User-Agent").contains("Android") && http.req.header("User-Agent").contains("CitrixVPN")))
- Click the plus icon [+] to create the nextFactor policy label.
- Click the plus icon [+] to create a login schema.
- Select noschema as the authentication schema and click Create.
- After selecting the created login schema, click Continue.
- In Select Policy, select an existing authentication policy for user login, or click the plus icon [+] to create an authentication policy. For details on creating an authentication policy, see Configuring advanced authentication policies.
- Click Bind.
- Click Done.
- Click Bind.
- Click Continue.
- Click Done.
- Click Create.
- Click OK.
- Click Done.
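The rule bound to the OAuth action above decides only which requests are routed to the Intune NAC factor: the request must advertise NAC/1.0 and come from one of the two supported plug-ins. The following Python script, added here as an example and not Citrix code, re-implements that policy expression offline so you can check how it treats different User-Agent headers before binding it. The sample User-Agent strings and the factor labels (nac_oauth_action, user_login_factor) are constructed for this example; on the appliance the actual compliance decision comes from Intune's answer to the OAuth action, not from this header, which any client can set.

```python
"""Offline reference evaluation of the NAC authentication policy rule.

Added example, not Citrix code: mirrors the advanced policy expression
    http.req.header("User-Agent").contains("NAC/1.0") &&
      ((...contains("iOS") && ...contains("NSGiOSplugin")) ||
       (...contains("Android") && ...contains("CitrixVPN")))
so constructed User-Agent values can be checked without an appliance.
"""


def nac_rule_matches(user_agent: str) -> bool:
    """Return True when the policy rule would select the NAC OAuth action.

    The AND binds the NAC/1.0 check to the whole parenthesised OR, so a
    supported plug-in without NAC/1.0, or NAC/1.0 from an unsupported
    client, both evaluate to False. contains() in the policy language is a
    case-sensitive substring test, which Python's `in` reproduces.
    """
    advertises_nac = "NAC/1.0" in user_agent
    ios_plugin = "iOS" in user_agent and "NSGiOSplugin" in user_agent
    android_plugin = "Android" in user_agent and "CitrixVPN" in user_agent
    return advertises_nac and (ios_plugin or android_plugin)


def select_first_factor(user_agent: str) -> str:
    """Label the factor the request lands on.

    The labels are illustrative names for this example, not policy names
    from the appliance.
    """
    return "nac_oauth_action" if nac_rule_matches(user_agent) else "user_login_factor"


# Constructed sample headers (not captured from real clients).
SAMPLE_USER_AGENTS = {
    "ios_nac": "NSGiOSplugin/1.0 (iOS 15) NAC/1.0",
    "android_nac": "CitrixVPN/2.0 (Android 12) NAC/1.0",
    "ios_no_nac": "NSGiOSplugin/1.0 (iOS 15)",
    "android_other_client": "SomeOtherVPN/3.1 (Android 12) NAC/1.0",
    "browser": "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
    "lowercase_nac": "CitrixVPN/2.0 (Android 12) nac/1.0",
}


def evaluate_samples(samples=SAMPLE_USER_AGENTS) -> dict:
    """Map each sample name to the factor the rule would route it to."""
    return {name: select_first_factor(ua) for name, ua in samples.items()}


if __name__ == "__main__":
    for name, factor in evaluate_samples().items():
        print(f"{name:24s} -> {factor}")
```

Two of the constructed cases are worth noting when you review the rule: lowercase_nac is not selected because contains() is case-sensitive, and android_other_client is not selected even though it advertises NAC/1.0, because the plug-in identifier is missing.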
To bind the authentication login schema to the authentication virtual server so that VPN plug-ins send the device ID as part of the /cgi/login request
- Navigate to Security > AAA - Application Traffic > Virtual Servers.
- Select the authentication virtual server created earlier and click Edit.
- Click Login Schemas under Advanced Settings.
- Click Login Schemas to bind.
- Click [>] to select and bind the existing built-in login schema policies for the NAC device check.
- Select the login schema policy appropriate for your authentication deployment and click Select. In the deployment described here, single factor authentication (LDAP) together with the NAC OAuth action policy is used, so lschema_single_factor_deviceid is selected.
- Click Bind.
- Click Done.
Troubleshooting
General issues
Issue | Resolution
---|---
The "Add Policy Required" message appears when you open an app | Add policies in the Microsoft Graph API
There are policy conflicts | Only a single policy per app is allowed
Your app can't connect to internal resources | Ensure that the correct firewall ports are open, that the tenant ID is correct, and so on
Citrix Gateway issues
Issue | Resolution
---|---
The permissions required to be configured for the gateway app on Azure are unavailable. | Check if a proper Intune license is available. Try using the manage.windowsazure.com portal to see if the permission can be added. Contact Microsoft support if the issue persists.
Citrix Gateway cannot reach login.microsoftonline.com and graph.windows.net. | From the NS shell, check whether you can reach the Microsoft website with: curl -v -k https://login.microsoftonline.com. Then check whether DNS is configured on Citrix Gateway. Also check that the firewall settings are correct (in case DNS requests are firewalled).
An error appears in ns.log after you configure the OAuthAction. | Check if Intune licensing is enabled and the Azure gateway app has the proper permissions set.
The sh OAuthAction command does not show the OAuth status as COMPLETE. | Check the DNS settings and the permissions configured on the Azure gateway app.
The Android or iOS device does not show the dual authentication prompt. | Check if the Dual Factor Device ID login schema is bound to the authentication virtual server.
Citrix Gateway OAuth status and error condition
Status | Error condition
---|---
AADFORGRAPH | Invalid secret, URL not resolved, connection timeout
MDMINFO | *manage.microsoft.com is down or unreachable
GRAPH | Graph endpoint is down or unreachable
CERTFETCH | Cannot talk to "Token Endpoint: https://login.microsoftonline.com" because of a DNS error. To validate this configuration, go to the shell prompt and type curl https://login.microsoftonline.com. This command must succeed.
Note: When the OAuth status is successful, the status is displayed as COMPLETE.
Intune configuration check
Make sure to select the I agree check box in Base iOS VPN configuration for Citrix SSO > Enable network access control (NAC). Else, the NAC check does not work.