Gateway

How users connect to applications, desktops, and ShareFile

If you have Citrix Endpoint Management in your deployment, users can connect in the following ways:

  • Citrix Secure Access client that establishes a full VPN tunnel to resources in the internal network. You create a session profile to select the Citrix Secure Access client for Windows or the Citrix Secure Access client for Mac. When users log on by using the plug-in, endpoint analysis scans can run on the user device.

Note: To allow endpoint analysis scans to run on Mac computers, you must install NetScaler Gateway 10.1, Build 120.1316.e or newer.

  • Citrix Workspace app to connect to web, SaaS, and Enterprise applications, web links, and documents from ShareFile through Endpoint Management. When users log on with Citrix Workspace app, NetScaler Gateway routes the connection to Endpoint Management. When Citrix Workspace app establishes the connection, users’ applications and documents appear in Citrix Workspace app. If users log on with Citrix Workspace app and connect to Endpoint Management directly, you must enable clientless access in NetScaler Gateway. This deployment does not require StoreFront.
  • Citrix Workspace app to connect to published applications and virtual desktops through StoreFront or the Web Interface. When users log on with Citrix Workspace app, NetScaler Gateway routes the connection to StoreFront or the Web Interface. When Citrix Workspace app establishes the connection, user applications and desktops appear in Citrix Workspace app.
  • Secure Hub to connect to iOS and Android apps, including WorxMail and WorxWeb, from mobile devices through Endpoint Management. When users log on to Secure Hub, they have access to the mobile apps that you configure in Endpoint Management, When NetScaler Gateway establishes the Micro VPN connection, users mobile apps appear in the Secure Hub window. Users can start the apps from Secure Hub. Some apps require users to download and install the app on the mobile device.

In any of the preceding scenarios, if users want to connect through NetScaler Gateway, they do the following:

  • Users log on by using the Citrix Secure Access client or Citrix Workspace app. To log on for the first time, users open a web browser and type the fully qualified domain name (FQDN) of NetScaler Gateway or Citrix Workspace app. Users with mobile devices log on with Secure Hub.
  • On the logon page, users enter their credentials and are authenticated.
  • After authentication, the user session redirects to StoreFront or Endpoint Management depending on your deployment.
  • If you deploy both StoreFront and Endpoint Management, NetScaler Gateway contacts the first server in the deployment. For example, if you configure MDX mobile apps in Endpoint Management, you deploy StoreFront behind Endpoint Management. If you are not providing access to MDX mobile apps, you deploy Endpoint Management behind StoreFront.
  • All of the users’ desktops, documents, and web, SaaS, and Windows-based applications appear in Citrix Workspace app or Secure Hub.

If users need to access other resources in the internal network, such as Exchange, file shares, or internal websites, they can also log on with the Citrix Secure Access client. For example, if users want to connect to a Microsoft Exchange server in the network, they start Microsoft Outlook on their computer. The secure connection is made with the Citrix Secure Access client which connects to NetScaler Gateway. The SSL VPN tunnel is created to the Exchange Server and users can access their email.

Important: Citrix recommends configuring authentication on the NetScaler Gateway virtual server. When you disable authentication in NetScaler Gateway, unauthenticated HTTP requests are sent directly to the servers running the Web Interface, StoreFront, or Endpoint Management in the internal network.

How users connect to applications, desktops, and ShareFile