About NetScaler Gateway
NetScaler Gateway is easy to deploy and simple to administer. The most typical deployment configuration is to locate the NetScaler Gateway appliance in the DMZ. You can install multiple NetScaler Gateway appliances in the network for more complex deployments.
The first time you start NetScaler Gateway, you can perform the initial configuration by using a serial console, the Setup Wizard in the configuration utility, or the Dynamic Host Configuration Protocol (DHCP). On the MPX appliance, you can use the LCD keypad on the front panel of the appliance to perform the initial configuration. You can configure basic settings that are specific to your internal network, such as the IP address, subnet mask, default gateway IP address, and Domain Name System (DNS) address. After you configure the basic network settings, you then configure the settings specific to the NetScaler Gateway operation, such as the options for authentication, authorization, network resources, virtual servers, session policies, and endpoint policies.
Before you install and configure NetScaler Gateway, review the topics in this section for information about planning your deployment. Deployment planning can include determining where to install the appliance, understanding how to install multiple appliances in the DMZ, and licensing requirements. You can install NetScaler Gateway in any network infrastructure without requiring changes to the existing hardware or software running in the secure network. NetScaler Gateway supports other networking products, such as server load balancers, cache engines, firewalls, routers, and IEEE 802.11 wireless devices.
You can write your settings in the Pre-Installation Checklist to have on hand before you configure NetScaler Gateway.
NetScaler Gateway Appliances | Provides information about NetScaler Gateway appliances and the appliance installation instructions. |
Pre-Installation Checklist | Provides planning information to review and a list of tasks to complete before you install NetScaler Gateway in your network. |
Common Deployments | Provides information about deploying the NetScaler Gateway in the network DMZ, in a secure network without a DMZ, and with other appliances to support load balancing and failover. Also provides information about deploying NetScaler Gateway with Citrix Virtual Apps and Desktops. |
Licensing | Provides information about installing licenses on the appliance. Also provides information about installing licenses on multiple NetScaler Gateway appliances. |
NetScaler Gateway architecture
The core components of NetScaler Gateway are:
-
Virtual servers. The NetScaler Gateway virtual server is an internal entity that is a representative of all the configured services available to users. The virtual server is also the access point through which users access these services. You can configure multiple virtual servers on a single appliance, allowing one NetScaler Gateway appliance to serve multiple user communities with differing authentication and resource access requirements.
- Authentication, authorization, and auditing. You can configure authentication, authorization, and accounting to allow users to log on to NetScaler Gateway with credentials that either NetScaler Gateway or authentication servers located in the secure network, such as LDAP or RADIUS, recognize. Authorization policies define user permissions, determining which resources a given user is authorized to access. For more information about authentication and authorization, see Configuring Authentication and Authorization. Auditing servers maintain data about NetScaler Gateway activity, including user logon events, resource access instances, and operational errors. This information is stored on NetScaler Gateway or on an external server. For more information about auditing, see Configuring Auditing on NetScaler Gateway
-
User connections. Users can log on to NetScaler Gateway by using the following access methods:
-
The Citrix Secure Access client for Windows is software that is installed on a Windows-based computer. Users log on by right-clicking an icon in the notification area on a Windows-based computer. If users are using a computer in which the Citrix Secure Access client is not installed, they can log on by using a web browser to download and install the plug-in. If users have Citrix Workspace app installed, users log on with the Citrix Secure Access client from Citrix Workspace app. When Citrix Workspace app and the Citrix Secure Access client are installed on the user device, Citrix Workspace app adds the Citrix Secure Access client automatically.
-
The Citrix Secure Access client for macOS X that allows users running macOS X to log on. It has the same features and functions as the Citrix Secure Access client for Windows. You can provide endpoint analysis support for this plug-in version by installing NetScaler Gateway 10.1, Build 120.1316.e.
-
Citrix Workspace app that allows user connections to published applications and virtual desktops in a server farm by using the Web Interface or Citrix StoreFront.
-
Citrix Workspace app, Secure Hub, WorxMail, and WorxWeb that allows users access to web and SaaS applications, iOS and Android mobile apps, and ShareFile data hosted in Citrix Endpoint Management.
-
Users can connect from an Android device that uses the NetScaler Gateway web address. When users start an app, the connection uses Micro VPN to route network traffic to the internal network. If users connect from an Android device, you must configure DNS settings on NetScaler Gateway. For more information, see Supporting DNS Queries by Using DNS Suffixes for Android Devices.
-
Users can connect from an iOS device that uses the NetScaler Gateway web address. You configure Secure Browse either globally or in a session profile. When users start an app on their iOS device, a VPN connection starts and the connection routes through NetScaler Gateway.
-
Clientless access that provides users with the access they need without installing software on the user device.
When configuring NetScaler Gateway, you can create policies to configure how users log on. You can also restrict user logon by creating session and endpoint analysis policies.
-
-
Network resources. These include all network services that users access through NetScaler Gateway, such as file servers, applications, and websites.
-
Virtual adapter. The NetScaler Gateway virtual adapter supports applications that require IP spoofing. The virtual adapter is installed on the user device when the Citrix Secure Access client is installed. When users connect to the internal network, the outbound connection between NetScaler Gateway and internal servers uses the intranet IP address as the source IP address. The Citrix Secure Access client receives this IP address from the server as part of the configuration.
If you enable split tunneling on NetScaler Gateway, all intranet traffic is routed through the virtual adapter. When intercepting intranet bound traffic, the virtual adapter will intercept A and AAAA record type DNS queries while leaving all other DNS queries intact. Network traffic that is not bound for the internal network is routed through the network adapter installed on the user device. Internet and private LAN (LAN) connections remain open and connected. If you disable split tunneling, all connections are routed through the virtual adapter. Any existing connections are disconnected and the user must reestablish the session.
If you configure an intranet IP address, traffic to the internal network is spoofed with the intranet IP address through the virtual adapter.
How user connections work
Users can connect to their emails, file shares, and other network resources from a remote location. Users can connect to internal network resources with the following software:
- Citrix Secure Access client
- Citrix Workspace app
- WorxMail and WorxWeb
- Android and iOS mobile devices
Connect with the Citrix Secure Access client
The Citrix Secure Access client allows user access to resources in the internal network through the following steps:
- A user connects to NetScaler Gateway for the first time by typing the web address in a web browser. The logon page appears and the user is prompted to enter a user name and password. If external authentication servers are configured, NetScaler Gateway contacts the server and the authentication servers verify the user’s credentials. If local authentication is configured, NetScaler Gateway performs the user authentication.
- If you configure a preauthentication policy, when the user types the NetScaler Gateway web address in a web browser on a Windows-based computer or a macOS X computer, NetScaler Gateway checks to see if any client-based security policies are in place before the logon page appears. The security checks verify that the user device meets the security-related conditions, such as operating system updates, antivirus protection, and a properly configured firewall. If the user device fails the security check, NetScaler Gateway blocks the user from logging on. A user who cannot log on must download the necessary updates or packages and install them on the user device. When the user device passes the preauthentication policy, the logon page appears and the user can enter the logon credentials. You can use Advanced Endpoint Analysis on a macOS X computer if you install NetScaler Gateway 10.1, Build 120.1316.e.
- When NetScaler Gateway successfully authenticates the user, NetScaler Gateway initiates the VPN tunnel. NetScaler Gateway prompts the user to download and install the Citrix Secure Access client for Windows or the Citrix Secure Access client for macOS X.
- If you configure a post-authentication scan, after a user successfully logs on, NetScaler Gateway scans the user device for the required client security policies. You can require the same security-related conditions as for a preauthentication policy. If the user device fails the scan, either the policy is not applied or the user is placed in a quarantine group and the user’s access to network resources is limited.
- When the session is established, the user is directed to a NetScaler Gateway home page where the user can select resources to access. The home page that is included with NetScaler Gateway is called the Access Interface. If the user logs on by using the Citrix Secure Access client for Windows, an icon in the notification area on the Windows desktop shows that the user device is connected and the user receives a message that the connection is established. The user can also access resources in the network without using the Access Interface, such as opening Microsoft Outlook and retrieving email.
- If the user request passes both preauthentication and post-authentication security checks, NetScaler Gateway then contacts the requested resource and initiates a secure connection between the user device and that resource.
- The user can close an active session by right-clicking the NetScaler Gateway icon in the notification area on a Windows-based computer and then clicking Logoff. The session can also time out due to inactivity. When the session is closed, the tunnel is shut down and the user no longer has access to internal resources. The user can also type the NetScaler Gateway web address in a browser. When the user presses Enter, the Access Interface appears from which users can log off.
Note: If you deploy Citrix Endpoint Management in your internal network, a user who connects from outside the internal network must connect to NetScaler Gateway first. When the user establishes the connection, the user can access web and SaaS applications, Android and iOS mobile apps, and ShareFile data hosted on Citrix Endpoint Management. A user can connect with the Citrix Secure Access client through clientless access, or by using Citrix Workspace app or Secure Hub.
Connect with Citrix Workspace app
Users can connect with Citrix Workspace app to access their Windows-based applications and virtual desktops. Users can also access applications from Endpoint Management. To connect from a remote location, users also install the Citrix Secure Access client on their device. Citrix Workspace app automatically adds the Citrix Secure Access client to its list of plug-ins. When users log on to Citrix Workspace app, they can also log on to the Citrix Secure Access client. You can also configure NetScaler Gateway to perform single sign-on to the Citrix Secure Access client when users log on to Citrix Workspace app.
Connect with iOS and Android devices
Users can connect from an iOS or Android device by using Secure Hub. Users can access their email by using Secure Mail and connect to websites with WorxWeb.
When users connect from the mobile device, the connections route through NetScaler Gateway to access internal resources. If users connect with iOS, you enable Secure Browse as part of the session profile. If users connect with Android, the connection uses the Micro VPN automatically. In addition, Secure Mail and WorxWeb use Micro VPN to establish connections through NetScaler Gateway. You do not have to configure Micro VPN on NetScaler Gateway.