Advanced Clientless VPN access with Citrix Gateway
Clientless VPN is a way of providing remote access to the corporate intranet resources through Citrix Gateway without a VPN client application on the client machine. Clientless VPN provides remote access to enterprise web applications, portals, and other resources using a web browser at the client's end. The advanced clientless VPN solution eliminates the following limitations of the clientless VPN:
- Relative URLs cannot be identified at times.
- Relative URLs generated dynamically cannot be identified.
Advanced clientless VPN identifies the absolute URLs and host names and rewrites them in a new and unique manner instead of trying to rewrite relative URLs present in the HTTP responses or web pages. SharePoint no longer needs to use the default folder for rewriting URLs, and custom SharePoint access is supported.
Prerequisites
The following are the prerequisites to configure the advanced clientless VPN.
- Wildcard server certificate - The advanced clientless VPN rewrites URLs in a unique manner. This uniqueness is maintained for every URL per user. For example, if the web application is hosted on https://webapp.customer.com, and the VPN virtual server is hosted on https://vpn.customer.com, then the advanced clientless VPN rewrites it as https://cvpneqwerty.vpn.customer.com. This means every URL is rewritten as a subdomain of the VPN virtual server. In this new URL, cvpneqwerty can be decrypted back to https://webapp.customer.com. The string cvpneqwerty is dynamic, and therefore, for SSL, you must bind the VPN virtual server with a wildcard certificate.
  If the server is hosted with https://vpn.customer.com, then the server certificate must now have entries for (vpn.customer.com and *.vpn.customer.com) as part of the certificate's CN or SAN (where CN = Common Name, SAN = Subject Alternative Name). The process of binding this certificate remains the same on Citrix Gateway.
  Note: Wildcard certificates only support one level (that is, *.*.customer.com is not allowed). If you are already using a wildcard certificate (for *.customer.com) and hosting https://vpn.customer.com, this does not work for the advanced clientless VPN. You must get a new certificate with *.vpn.customer.com.
- Wildcard DNS entry - The clients (web browsers) must resolve the advanced clientless VPN app's FQDN. While setting up the Citrix Gateway server, you must have configured a DNS entry to resolve vpn.customer.com. This allows the browser to resolve vpn.customer.com to your VPN virtual server's IP address. To resolve URLs like https://cvpnqwerty.vpn.customer.com to the same IP (the VPN virtual server's IP address), you must add a new record for the domain of vpn.customer.com. Find the domain setting in your DNS server, and add a host record for "*" with the same IP address as before. After adding the host record, you must see successful ping responses for https://cpvnanything.vpn.customer.com.
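Both prerequisites can be checked before the feature is enabled. The following Python sketch is an added example, not Citrix code: it applies the one-level wildcard rule to a certificate's CN/SAN list and checks that rewritten host names resolve to the same IP as the VPN virtual server. The function names, the injected resolver, and the 203.0.113.10 address are assumptions made for illustration.

```python
import socket

def name_matches(pattern, host):
    """Certificate-style match: '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):          # a wildcard never spans two levels
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def cert_gaps(cert_names, vpn_fqdn, label="cvpneqwerty"):
    """Names advanced clientless VPN needs that the CN/SAN list does not cover."""
    needed = [vpn_fqdn, f"{label}.{vpn_fqdn}"]
    return [n for n in needed if not any(name_matches(c, n) for c in cert_names)]

def dns_gaps(vpn_fqdn, labels=("cvpneqwerty", "cvpnqwerty"),
             resolve=socket.gethostbyname):
    """Rewritten host names that fail to resolve to the VPN virtual server IP."""
    vip = resolve(vpn_fqdn)
    bad = []
    for label in labels:
        name = f"{label}.{vpn_fqdn}"
        try:
            if resolve(name) != vip:
                bad.append(name)
        except OSError:           # NXDOMAIN and similar lookup failures
            bad.append(name)
    return bad

def zone_resolver(zone):
    """Offline stand-in for DNS, built from a {record: ip} dict (hypothetical helper)."""
    def resolve(name):
        for record, ip in zone.items():
            if name_matches(record, name):
                return ip
        raise socket.gaierror(f"no record for {name}")
    return resolve

# Constructed sample data; 203.0.113.10 is a documentation address.
OLD_CERT = ["*.customer.com"]
NEW_CERT = ["vpn.customer.com", "*.vpn.customer.com"]
ZONE_BEFORE = {"vpn.customer.com": "203.0.113.10"}
ZONE_AFTER = {**ZONE_BEFORE, "*.vpn.customer.com": "203.0.113.10"}

if __name__ == "__main__":
    print("old cert gaps:", cert_gaps(OLD_CERT, "vpn.customer.com"))
    print("new cert gaps:", cert_gaps(NEW_CERT, "vpn.customer.com"))
    print("dns before:", dns_gaps("vpn.customer.com", resolve=zone_resolver(ZONE_BEFORE)))
    print("dns after:", dns_gaps("vpn.customer.com", resolve=zone_resolver(ZONE_AFTER)))
```

Against a live gateway, pass the CN and SAN names read from the bound certificate to cert_gaps and leave resolve at its default so that dns_gaps queries the real resolver.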
Configure Advanced Clientless VPN access
To configure advanced clientless VPN access using the command line interface, at the command prompt, type:
set vpn parameter -clientlessVpnMode ON
set vpn parameter -advancedClientlessVpnMode ENABLED
If a session action is bound to the virtual server, you must enable the advanced clientless VPN Mode option for that session action as well.
Example:
set vpn sessionaction SessionActionName -advancedclientlessvpn ENABLED
To configure Advanced Clientless VPN access using the Citrix ADC GUI:
- In the NetScaler GUI, navigate to Configuration > Citrix NetScaler > Global Settings.
- On the Global Settings page, click Change Global Settings, and then select the Client Experience tab.
- On the Client Experience tab, from the Clientless Access list, click On.
- On the Client Experience tab, from the Advanced Clientless VPN Mode list, click Enabled.
If you select STRICT from the Advanced Clientless VPN Mode list, the Citrix ADC appliance responds only to StoreFront URLs in classic clientless VPN form and blocks all other classic clientless VPN requests. This option provides a more secure configuration on the appliance for delivering internal web-resources.
Note:
- If a session action is bound to the virtual server, you must enable the Advanced Clientless VPN Mode option for that session action as well from the Client Experience tab in the Configure Citrix Gateway Session Profile page.
- You can select the Override Global option to override the global settings.
- You can configure the advanced clientless VPN feature at a session level as well.
Caveats
Advanced clientless VPN is aimed at providing access to enterprise web apps. Such apps have only one FQDN for every kind of resource they need (JavaScript, CSS, images, and so on). Since we encode the complete FQDN of internal apps into a single-octet (clientless VPN), we lose out on the subdomain relationship. As a result, whenever an enterprise web app is configured with CORS, you might sometimes notice issues while accessing it over the advanced clientless VPN.