Create virtual servers

A virtual server is an access point to which users log on. Each virtual server has its own IP address, certificate, and policy set. A virtual server consists of a combination of an IP address, port, and protocol that accepts incoming traffic. Virtual servers contain the connection settings for when users log on to the appliance. You can configure the following settings on virtual servers:

  • Certificates
  • Authentication
  • Policies
  • Bookmarks
  • Address pools (also known as IP pools or intranet IPs)
  • Double-hop DMZ deployment with NetScaler Gateway
  • Secure Ticket Authority
  • SmartAccess ICA Proxy Session Transfer

If you run the NetScaler Gateway wizard, you can create a virtual server during the wizard. You can configure more virtual servers in the following ways:

  • From the virtual servers node. This node is on the navigation pane in the configuration utility. You can add, edit, and remove virtual servers by using the configuration utility.
  • With the Quick Configuration wizard. If you deploy Citrix Endpoint Management, StoreFront or the Web Interface in your environment, you can use the Quick Configuration wizard to create the virtual server and all the policies needed for your deployment.

If you want users to log on and use a specific authentication type, such as RADIUS, you can configure a virtual server and assign the server a unique IP address. When users log on, they are directed to the virtual server and then prompted for their RADIUS credentials.

You can also configure the ways users log on to NetScaler Gateway. You can use a session policy to configure the type of user software, the access method, and the home page users see after logging on.

To create virtual servers

You can add, modify, enable or disable, and remove virtual servers by using the NetScaler Gateway GUI or the Quick Configuration wizard. For more information about configuring a virtual server with the Quick Configuration wizard, see Configuring Settings with the Quick Configuration Wizard.

Note:

The VPN virtual server supports DTLS version 1.0 by default. To enable DTLS version 1.2, see Configure DTLS VPN virtual server using SSL VPN virtual server.

To create a virtual server by using the GUI

  1. Navigate to NetScaler Gateway > Virtual Servers.
  2. In the details pane, click Add.
  3. Configure the settings as per your requirement.
  4. Click Create and then click Close.

To create a virtual server by using the CLI

At the command prompt, type:

add vpn vserver <name> <serviceType> [<IPAddress> [<port>]]

Example:

add vpn vserver gatewayserver SSL 1.1.1.1 443

Points to note when binding a net profile to the VPN virtual server

You can create net profiles (network profiles) to configure the appliance to use a specified source IP address and bind the net profile to the VPN virtual server. However, note the following when binding a net profile to the VPN virtual server.

  • When you bind a net profile to a NetScaler Gateway virtual server, it selects a specific SNIP for the virtual server to use when sending traffic to back-end servers.

  • In the absence of net profile binding, if there are multiple SNIPs, NetScaler Gateway uses the round robin method to select the SNIP to be used.

  • Net profile does not work for dynamically generated services (STA, SF monitor). For STA and other dynamically generated services, you can bind the net profile to those monitors directly and those monitors are used at that point. However, if you have multiple gateways on the same appliance, all gateways use the same net profile for the configured monitors.

For more details about net profile, see Use a specified source IP for back-end communication.

Current users and total connected users on the virtual server

Current users: Number of users logged on to a specific virtual server. It is recommended that you monitor the current users for tracking concurrent users (CCUs).

Total connected users: Number of users who have one or more active connections through the specific virtual server. The total number of connected users is mostly used in ICA Proxy.

You can use the number of total connected users counter in the following scenarios:

  • Consider that an ICA connection is established but no corresponding authentication, authorization, and auditing session is established. In this scenario, a user launches an application or a desktop, closes the browser, and continues to work on the launched app or desktop. The authentication, authorization, and auditing session times out but the connection is still active. The total number of connected users can be used to identify the users that are still connected.

  • In HDX optimal routing, authentication gateway and ICA gateway can be on different appliances. The total connected users in this case can be used to identify the number of connected users on the ICA gateway.

Points to note:

  • Current users exceed total connected users when there are active sessions (not yet timed out) but there are no active connections on these sessions. For example, a user launched an application or a desktop and closed it immediately but did not log out from the authentication, authorization, and auditing session.

  • Total connected users exceed current users if authentication, authorization, and auditing sessions time out but ICA connections are still active.

  • In a pure VPN setup (no ICA is involved), the number of current users and total connected users are equal.
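The two counters and the three points above can be modeled directly from the definitions: current users are users with an active authentication, authorization, and auditing session; total connected users are users with at least one active connection. The following is an added illustration, not code from the original page or from NetScaler Gateway itself; the appliance computes these counters internally. The session and connection records, the user names, and the virtual server name gw1 are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class AAASession:
    """Authentication, authorization, and auditing session on a virtual server."""
    user: str
    vserver: str
    active: bool  # False once the session timed out or the user logged off


@dataclass(frozen=True)
class IcaConnection:
    """ICA connection proxied through a virtual server."""
    user: str
    vserver: str
    active: bool  # False once the app or desktop is closed


def current_users(sessions: Iterable[AAASession], vserver: str) -> Set[str]:
    """'Current users': users with an active AAA session on the virtual server."""
    return {s.user for s in sessions if s.vserver == vserver and s.active}


def total_connected_users(conns: Iterable[IcaConnection], vserver: str) -> Set[str]:
    """'Total connected users': users with one or more active connections."""
    return {c.user for c in conns if c.vserver == vserver and c.active}


def connected_without_session(sessions: Iterable[AAASession],
                              conns: Iterable[IcaConnection], vserver: str) -> Set[str]:
    """Users still connected after their AAA session ended (first scenario above)."""
    return total_connected_users(conns, vserver) - current_users(sessions, vserver)


# Constructed sample state for one virtual server, "gw1" (hypothetical name).
SESSIONS = [
    AAASession("alice", "gw1", True),   # logged on, app running
    AAASession("bob", "gw1", True),     # logged on, closed the app at once, did not log off
    AAASession("carol", "gw1", False),  # AAA session timed out, desktop still open
    AAASession("erin", "gw1", True),    # logged on, nothing launched yet
]
CONNECTIONS = [
    IcaConnection("alice", "gw1", True),
    IcaConnection("bob", "gw1", False),
    IcaConnection("carol", "gw1", True),
    IcaConnection("carol", "gw1", True),  # second app on the same user: still one connected user
]

if __name__ == "__main__":
    # Current users (3) exceed total connected users (2): bob and erin hold
    # sessions with no active connection, while carol is connected without a session.
    print("current users:", sorted(current_users(SESSIONS, "gw1")))
    print("total connected users:", sorted(total_connected_users(CONNECTIONS, "gw1")))
    print("connected without session:", sorted(connected_without_session(SESSIONS, CONNECTIONS, "gw1")))
```

The set difference in connected_without_session is the practical use of the counter: on an ICA gateway it names the users whose AAA session has timed out but whose apps or desktops are still running, which is the population an operator cannot see from the current users counter alone.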

Configure connection types on the virtual server

When you create and configure a virtual server, you can configure the following connection options:

  • Connections with Citrix Workspace app only to Citrix Virtual Apps and Desktops without SmartAccess, endpoint analysis, or network layer tunneling features.
  • Connections with the Citrix Secure Access client and SmartAccess, which allow the use of SmartAccess, endpoint analysis, and network layer tunneling functions.
  • Connections with Secure Hub that establish a Micro VPN connection from mobile devices to NetScaler Gateway.
  • Parallel connections made over the ICA session protocol by a user from multiple devices. The connections are migrated to a single session to prevent the use of multiple Universal licenses.

If you want users to log on without user software, you can configure a clientless access policy and bind it to the virtual server.

To configure Basic or SmartAccess connections on a virtual server

  1. Navigate to NetScaler Gateway and then click Virtual Servers.
  2. In the details pane, click Add.
  3. In Name, type a name for the virtual server.
  4. In IP Address and Port, type the IP address and port number for the virtual server.
  5. Do one of the following:
    • To allow ICA connections only, click Basic Mode.
    • To allow user logon with Secure Hub, the Citrix Secure Access client and SmartAccess, click SmartAccess Mode.
    • To allow SmartAccess to manage ICA Proxy sessions for multiple user connections, click ICA Proxy Session Migration.
  6. Configure the other settings for the virtual server, click Create, and then click Close.

Configure a listen policy for wildcard virtual servers

You can restrict a NetScaler Gateway virtual server to listening on a specific VLAN. To do so, you create a wildcard virtual server with a listen policy that restricts it to processing traffic on the specified VLAN.

The configuration parameters are:

Name: The name of the virtual server. The name is required and you cannot change it after you create the virtual server. The name cannot exceed 127 characters and the first character must be a number or letter. You can also use the following characters: at symbol (@), underscore (_), dash (-), period (.), colon (:), pound sign (#), and a space.

IP: The IP address of the virtual server. For a wildcard virtual server bound to the VLAN, the value is always *.

Type: The behavior of the service. Your choices are HTTP, SSL, FTP, TCP, SSL_TCP, UDP, SSL_BRIDGE, NNTP, DNS, ANY, SIP-UDP, DNS-TCP, and RTSP.

Port: The port on which the virtual server listens for user connections. The port number must be between 0 and 65535. For the wildcard virtual server bound to a VLAN, the value is usually *.

Listen Priority: The priority that is assigned to the listen policy. Priority is evaluated in reverse order; the lower the number, the higher the priority assigned to the listen policy.

Listen Policy Rule: The policy rule used to identify the VLAN on which the virtual server must listen. The rule is CLIENT.VLAN.ID.EQ(<ipaddressat>). For <ipaddressat>, substitute the ID number assigned to the VLAN.

To create a wildcard virtual server with a listen policy

  1. In the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
  2. In the details pane, click Add.
  3. In Name, type a name for the virtual server.
  4. In Protocol, select the protocol.
  5. In IP Address, type the IP address for the virtual server.
  6. In Port, type the port for the virtual server.
  7. On the Advanced tab, under Listen Policy, in Listen Priority, type the priority for the listen policy.
  8. Next to Listen Policy Rule, click Configure.
  9. In the Create Expression dialog box, click Add, configure the expression, and then click OK.
  10. Click Create and then click Close.
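The parameter rules above (name length and character set, port range, the CLIENT.VLAN.ID.EQ rule), the add vpn vserver syntax from the CLI section, and the net profile binding described earlier can all be checked before a command is pasted into the appliance. The following Python helper is an added example, not code from the original page or from Citrix; it validates the inputs against the rules stated on this page and emits the CLI line. The -Listenpolicy, -Listenpriority, and -netProfile parameter names are assumed from the NetScaler CLI and are not given on this page; the 1 to 4094 VLAN ID range is the 802.1Q limit, not a page value.

```python
import ipaddress
import re

# Name rules from the parameter table: 1 to 127 characters, first character a
# letter or digit, then letters, digits, @ _ - . : # or space.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9@_\-.:# ]{0,126}$")

# Service types listed under "Type" in the parameter table.
SERVICE_TYPES = frozenset({"HTTP", "SSL", "FTP", "TCP", "SSL_TCP", "UDP", "SSL_BRIDGE",
                           "NNTP", "DNS", "ANY", "SIP-UDP", "DNS-TCP", "RTSP"})


def is_valid_name(name: str) -> bool:
    return bool(_NAME_RE.match(name))


def is_valid_port(port) -> bool:
    """Port is the wildcard * or an integer from 0 to 65535 (bool is rejected)."""
    if port == "*":
        return True
    return isinstance(port, int) and not isinstance(port, bool) and 0 <= port <= 65535


def listen_policy_rule(vlan_id: int) -> str:
    """Build the listen policy rule for one VLAN; range check is the 802.1Q limit (assumed)."""
    if isinstance(vlan_id, bool) or not isinstance(vlan_id, int) or not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id!r}")
    return f"CLIENT.VLAN.ID.EQ({vlan_id})"


def _quote(value: str) -> str:
    # A name containing a space must be quoted on the CLI.
    return f'"{value}"' if " " in value else value


def build_add_vpn_vserver(name: str, service_type: str, ip: str = "*", port="*",
                          vlan_id=None, listen_priority=None, net_profile=None) -> str:
    """Return an 'add vpn vserver' command line, or raise ValueError on bad input."""
    if not is_valid_name(name):
        raise ValueError(f"invalid virtual server name: {name!r}")
    if service_type not in SERVICE_TYPES:
        raise ValueError(f"unknown service type: {service_type!r}")
    if ip != "*":
        ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    if not is_valid_port(port):
        raise ValueError(f"invalid port: {port!r}")

    parts = ["add", "vpn", "vserver", _quote(name), service_type, ip, str(port)]
    if vlan_id is not None:
        # Assumed parameter names for binding a listen policy on the CLI.
        parts += ["-Listenpolicy", f'"{listen_policy_rule(vlan_id)}"']
        if listen_priority is not None:
            if isinstance(listen_priority, bool) or not isinstance(listen_priority, int) or listen_priority < 0:
                raise ValueError(f"invalid listen priority: {listen_priority!r}")
            parts += ["-Listenpriority", str(listen_priority)]
    if net_profile is not None:
        # Assumed parameter name for binding a net profile (fixed source IP) to the vserver.
        if not is_valid_name(net_profile):
            raise ValueError(f"invalid net profile name: {net_profile!r}")
        parts += ["-netProfile", _quote(net_profile)]
    return " ".join(parts)


if __name__ == "__main__":
    # The page's own example, then a wildcard vserver restricted to VLAN 10 (constructed values).
    print(build_add_vpn_vserver("gatewayserver", "SSL", "1.1.1.1", 443))
    print(build_add_vpn_vserver("vlan10-gw", "SSL", vlan_id=10, listen_priority=1, net_profile="np-dmz"))
```

Rejecting the input locally is the point: a name that starts with an underscore, a port outside 0 to 65535, or a VLAN ID of 0 is caught before the command reaches the appliance, and the emitted line for the wildcard case uses * for both IP and port as the parameter table describes.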