Set up Citrix Gateway for using micro VPN with Microsoft Endpoint Manager
Citrix micro VPN integration with Microsoft Endpoint Management enables your apps to access on-premises resources. For details, see Citrix micro VPN integration with Microsoft Endpoint Manager.
System requirements
- Citrix Gateway versions:
  - 13.0
  - 12.1.50.x or later
  - 12.0.59.x or later
  You can download the latest version of Citrix Gateway from the Citrix Gateway download page.
- A Windows desktop running Windows 7 or later (for Android app wrapping only)
- Microsoft:
  - Microsoft Entra ID access (with Tenant Admin privileges)
  - Intune-enabled tenant
- Firewall rules:
  - Enable a firewall rule to allow SSL traffic from a Citrix Gateway subnet IP to *.manage.microsoft.com, https://login.microsoftonline.com, and https://graph.microsoft.com (port 443). Citrix Gateway must be able to externally resolve the preceding URLs.
  - Enable a firewall rule to allow SSL traffic from a Citrix Gateway subnet IP to
Prerequisites
- Intune environment: If you don't have an Intune environment, set up one. For instructions, see the Get started with Microsoft Intune page.
- Edge Browser App: The Micro VPN SDK is integrated within the Microsoft Edge app and the Intune Managed Browser app for iOS and Android. For more information about the Managed Browser, see the Manage Microsoft Edge on iOS and Android with Intune page.
- Citrix Endpoint Management entitlement: Ensure that you have an active Citrix Endpoint Management entitlement for continued support of the micro VPN SDK on the Microsoft Edge mobile browser (iOS and Android). For more information, contact your Sales, Account, or Partner representative.
Grant Microsoft Entra ID application permissions
- Consent to Citrix multitenant integration with the Microsoft Entra ID application to allow Citrix Gateway to authenticate with the Microsoft Entra domain. The Azure Global Administrator must visit the following URL and consent:
- Consent to Citrix multitenant integration with the Microsoft Entra ID application to allow mobile applications to authenticate with the Citrix Gateway micro VPN. This link is only required if the Azure Global Admin has changed the default value for Users can register applications from Yes to No. This setting can be found in the Azure portal under Microsoft Entra ID > Users > User Settings. The Azure global administrator must visit the following URL and consent (add your Tenant ID): https://login.microsoftonline.com/[tenant_id]/adminconsent?client_id=9215b80e-186b-43a1-8aed-9902264a5af7
Configure Citrix Gateway for micro VPN
To use micro VPN with Intune, you must configure Citrix Gateway to authenticate to Microsoft Entra ID.
- Download the setup script file from the NetScaler downloads page.
- In the script file, update the following values:
  - `<NSG_IP>`: Virtual IP address to be assigned to the Citrix Gateway virtual server. This IP address must be reachable from your devices either directly or through a NAT device. You cannot use an existing Citrix Gateway virtual server.
  - `<ENV_NAME>`: Display name for the Citrix Gateway virtual server.
  - `<SERVER_CERT_NAME>`: Name of the server certificate that will be bound to the new Citrix Gateway virtual server.
  - `<AAD_CLIENT_SECRET>`: Client secret value generated using the `NsgCreateSecret.ps1` PowerShell script (included in the setup script).
  - `<AAD_TENANT_ID>`: Microsoft Entra tenant ID of the tenant where the customer's Microsoft Entra ID is stored. You can get it from your Microsoft Entra ID admin console or generate it using the `NsgCreateSecret.ps1` PowerShell script.
- After you replace all the placeholders with real values, run the whole script with the following command in the CLI:

```
/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/<NsgCreateScriptFileName>"
```

  Note: Ensure that the value `Done` is returned after you run the script.
- An existing Citrix Gateway virtual server does not work for this use case. Create a Citrix Gateway virtual server and ensure that the status of the virtual server is UP. For more information, see Create virtual servers.
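Because the batch file is run with management credentials and creates a virtual server, it is worth checking it before running it: that every placeholder from the list above has been replaced, that the values have the right shape, and afterwards that the run actually returned Done. The following Python is an added example, not Citrix code; the placeholder names are the ones listed on this page, while the sample template lines and the replacement values are constructed for illustration and are not the contents of the real setup script.

```python
"""Pre-flight checks for the micro VPN setup script (added example; not
Citrix code). The placeholder names are the ones listed on this page; the
sample template lines below are constructed in NetScaler CLI style and are
not the contents of the real script."""
import ipaddress
import re
import uuid

PLACEHOLDERS = ("NSG_IP", "ENV_NAME", "SERVER_CERT_NAME",
                "AAD_CLIENT_SECRET", "AAD_TENANT_ID")
PLACEHOLDER_RE = re.compile(r"<(" + "|".join(PLACEHOLDERS) + r")>")

# Constructed sample: three lines in the shape of a NetScaler batch file.
SAMPLE_TEMPLATE = """add vpn vserver <ENV_NAME> SSL <NSG_IP> 443
bind ssl vserver <ENV_NAME> -certkeyName <SERVER_CERT_NAME>
add authentication OAuthAction <ENV_NAME>_oauth -clientSecret <AAD_CLIENT_SECRET> -tenantID <AAD_TENANT_ID>
"""


def unreplaced_placeholders(script_text):
    """Placeholders still present in the script, in order of first appearance."""
    found = []
    for match in PLACEHOLDER_RE.finditer(script_text):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found


def validate_values(values):
    """Shape checks on the replacement values before they go into the script."""
    problems = []
    try:
        ip = ipaddress.ip_address(values.get("NSG_IP", ""))
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            problems.append("NSG_IP must be a routable virtual IP address")
    except ValueError:
        problems.append("NSG_IP is not a valid IP address")
    try:
        uuid.UUID(values.get("AAD_TENANT_ID", ""))
    except ValueError:
        problems.append("AAD_TENANT_ID is not a GUID")
    for key in ("ENV_NAME", "SERVER_CERT_NAME", "AAD_CLIENT_SECRET"):
        if not values.get(key, "").strip():
            problems.append(f"{key} is empty")
    return problems


def fill_script(template, values):
    """Substitute values; placeholders without a value are left in place so
    unreplaced_placeholders() still reports them."""
    return PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def batch_succeeded(nscli_output):
    """The batch run must end by returning Done: check the last non-empty line."""
    lines = [line.strip() for line in nscli_output.splitlines() if line.strip()]
    return bool(lines) and lines[-1] == "Done"


if __name__ == "__main__":
    # Constructed values; the tenant ID and secret are not real.
    values = {"NSG_IP": "203.0.113.10", "ENV_NAME": "mvpn-gw",
              "SERVER_CERT_NAME": "mvpn-gw-cert",
              "AAD_CLIENT_SECRET": "example-secret-value",
              "AAD_TENANT_ID": "12345678-1234-1234-1234-123456789abc"}
    print("value problems:", validate_values(values))
    print("placeholders left:", unreplaced_placeholders(fill_script(SAMPLE_TEMPLATE, values)))
```

Run the checks on the filled-in file before handing it to `nscli`, and feed the captured batch output to `batch_succeeded`; a script that stops partway through leaves a half-configured virtual server that the later "status is UP" step will not catch on its own.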
Validate Citrix Gateway communication with Microsoft services
- Access your new Citrix Gateway virtual server from the internet using an online tool such as SSL Checker. This confirms that the server certificate is installed correctly and verifies connectivity between the internet and the Citrix Gateway virtual server hosted in your DMZ network.
- Open an SSH connection to the Citrix Gateway using an SSH client, such as PuTTY.
- Run the following commands to check the outbound connection from the Citrix Gateway appliance to the Microsoft URLs https://login.microsoftonline.com, *.manage.microsoft.com, and https://graph.microsoft.com:

```
root@netscaler# curl -s -k https://login.microsoftonline.com
root@netscaler# curl -s -k https://graph.windows.net
root@netscaler# curl -s -k https://manage.microsoft.com
```

- Exit the SSH connection and run the `show oauthAction` command in the CLI. The `OAuth Status` must be `COMPLETE`. If you see an `OAuth Status` other than `COMPLETE`, see the Troubleshooting section.
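The curl commands above use -k, so they prove reachability but not that the certificate chain the gateway sees is the genuine Microsoft one. The following Python is an added example, not Citrix code: run from a host on the gateway's subnet, it resolves each endpoint and completes a verified TLS handshake, so a failure also surfaces a TLS-intercepting proxy in the path, which would break the OAuth exchange even though curl -k succeeds. graph.windows.net is included because the curl check and the troubleshooting table on this page use it; manage.microsoft.com standing in for the *.manage.microsoft.com wildcard is an assumption.

```python
"""Outbound connectivity check for the Microsoft endpoints the gateway must
reach (added example; not Citrix code). Verifies DNS resolution and a
certificate-validated TLS handshake on port 443 for each endpoint."""
import socket
import ssl
from urllib.parse import urlparse

# Endpoints named on this page. manage.microsoft.com stands in for the
# *.manage.microsoft.com wildcard (assumption).
REQUIRED_ENDPOINTS = (
    "https://login.microsoftonline.com",
    "https://graph.microsoft.com",
    "https://graph.windows.net",
    "https://manage.microsoft.com",
)


def endpoint_host(url):
    """Host name part of a URL; a bare host name is returned unchanged."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return parsed.hostname or url


def check_endpoint(url, timeout=5.0):
    """Resolve the host, then complete a verified TLS handshake on port 443."""
    host = endpoint_host(url)
    result = {"host": host, "dns": False, "tls": False, "error": None}
    try:
        socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        result["dns"] = True
        context = ssl.create_default_context()  # verifies chain and host name
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                result["protocol"] = tls.version()
    except OSError as exc:  # gaierror, timeout and SSLError all derive from OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def check_all(urls=REQUIRED_ENDPOINTS, timeout=5.0):
    """Check every endpoint and return one result dict per URL."""
    return [check_endpoint(url, timeout) for url in urls]


def all_reachable(results):
    """True only when every endpoint resolved and completed the TLS handshake."""
    return all(r["dns"] and r["tls"] for r in results)


if __name__ == "__main__":
    results = check_all()
    for r in results:
        state = "ok" if r["tls"] else "FAIL"
        print(f"{state:4} {r['host']}  dns={r['dns']} tls={r['tls']} {r['error'] or ''}")
    print("all reachable:", all_reachable(results))
```

A result with `dns` false matches the AADFORGRAPH and CERTFETCH rows of the troubleshooting tables below (URL not resolved, DNS error); `dns` true with `tls` false points at the firewall rule or at a proxy presenting its own certificate.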
Configuring Microsoft Edge Browser
- Sign in to https://endpoint.microsoft.com/ and then navigate to Intune > Mobile apps.
- Publish the Edge App as you normally do and then add an app configuration policy.
- Under Manage, click App configuration policies.
- Click Add and then enter a name for the policy you want to create. In Device enrollment type, select Managed apps.
- Click Associated App.
- Select the apps to which you want to apply the policy (Microsoft Edge or Intune managed browser) and then click OK.
- Click Configuration Settings.
- In the Name field, enter the name of one of the policies listed in the following table.
- In the Value field, enter the value you want to apply for that policy. Click off the field to add the policy to the list. You can add multiple policies.
- Click OK and then click Add.
The policy is added to your list of policies.
Name (iOS/Android) | Value | Description
---|---|---
MvpnGatewayAddress | https://external.companyname.com | External URL of your Citrix Gateway
MvpnNetworkAccess | MvpnNetworkAccessTunneledWebSSO or Unrestricted | MvpnNetworkAccessTunneledWebSSO is the default for tunneling
MvpnExcludeDomains | Comma-separated list of domain names to be excluded | Optional. Default=blank
Note:
Web SSO is the name for Secure Browse in the settings. The behavior is the same.
- MvpnNetworkAccess - MvpnNetworkAccessTunneledWebSSO enables HTTP/HTTPS redirection through the Citrix Gateway, also known as Tunneled-Web SSO. The gateway responds to HTTP authentication challenges inline, providing a single-sign-on (SSO) experience. To use Web SSO, set this policy to MvpnNetworkAccessTunneledWebSSO. Full tunnel redirection is not supported. Use Unrestricted to leave micro VPN tunneling off.
- MvpnExcludeDomains - Comma-separated list of host or domain names to be excluded from being routed through the Citrix Gateway reverse web proxy. The host or domain names are excluded even though the Citrix Gateway configured split DNS settings might otherwise select the domain or host.
  Note:
  - This policy is only enforced for MvpnNetworkAccessTunneledWebSSO connections. If MvpnNetworkAccess is Unrestricted, this policy is ignored.
  - This policy applies only to the Tunneled-Web SSO mode with Citrix Gateway configured for reverse split tunneling.
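The three policy keys are typed into Intune as free-form Name/Value pairs, so a misspelled value or a gateway URL without https:// is not caught at entry time and only shows up as a browser that silently bypasses the gateway. The following Python is an added example, not Citrix or Microsoft code: it validates a policy as a dict of those pairs and flags the conditions the notes above describe, including an MvpnExcludeDomains list that will be ignored because MvpnNetworkAccess is Unrestricted. The suffix-matching rule in `is_excluded` is an assumption about how exclusion entries are applied; the page states only that host or domain names are excluded.

```python
"""Validator for the Microsoft Edge app configuration policy keys used by
micro VPN (added example; not Citrix or Microsoft code)."""
from urllib.parse import urlparse

ALLOWED_NETWORK_ACCESS = {"MvpnNetworkAccessTunneledWebSSO", "Unrestricted"}
# The table above calls MvpnNetworkAccessTunneledWebSSO the default for tunneling.
DEFAULT_NETWORK_ACCESS = "MvpnNetworkAccessTunneledWebSSO"


def parse_exclude_domains(value):
    """Split the comma-separated MvpnExcludeDomains value into normalised names."""
    return [d.strip().lower().rstrip(".") for d in value.split(",") if d.strip()]


def validate_policy(policy):
    """Return a list of findings; an empty list means the policy is consistent."""
    findings = []
    gateway = policy.get("MvpnGatewayAddress", "")
    if not gateway:
        findings.append("MvpnGatewayAddress is required")
    else:
        parsed = urlparse(gateway)
        if parsed.scheme != "https" or not parsed.hostname:
            findings.append("MvpnGatewayAddress must be an https:// URL with a host name")
    access = policy.get("MvpnNetworkAccess", DEFAULT_NETWORK_ACCESS)
    if access not in ALLOWED_NETWORK_ACCESS:
        findings.append(f"MvpnNetworkAccess has unrecognised value {access!r}")
    excludes = parse_exclude_domains(policy.get("MvpnExcludeDomains", ""))
    if excludes and access == "Unrestricted":
        findings.append("MvpnExcludeDomains is ignored when MvpnNetworkAccess is Unrestricted")
    for entry in excludes:
        if any(ch in entry for ch in "/: "):
            findings.append(f"MvpnExcludeDomains entry {entry!r} is not a bare host or domain name")
    return findings


def is_excluded(host, exclude_domains):
    """Whether a host is kept off the gateway reverse proxy by the exclusion list.
    Assumption: an entry matches the host itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in exclude_domains)


if __name__ == "__main__":
    # Constructed policy values for illustration.
    policy = {"MvpnGatewayAddress": "https://external.companyname.com",
              "MvpnNetworkAccess": "MvpnNetworkAccessTunneledWebSSO",
              "MvpnExcludeDomains": "intranet.example, cdn.example"}
    print("findings:", validate_policy(policy))
    excludes = parse_exclude_domains(policy["MvpnExcludeDomains"])
    print("app.intranet.example excluded:", is_excluded("app.intranet.example", excludes))
```

Run `validate_policy` over the pairs before clicking Add; the "ignored" finding is the one worth catching, since the Intune portal accepts the combination without complaint.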
Troubleshooting
General issues
Issue | Resolution
---|---
The "Add Policy Required" message appears when you open an app | Add policies in the Microsoft Graph API
There are policy conflicts | Only a single policy per app is allowed
The "Failed to package app" message appears when wrapping an app. For the complete message, see the error text that follows this table | The app is integrated with the Intune SDK. You do not need to wrap the app with the Intune
Your app can't connect to internal resources | Ensure that the correct firewall ports are open, that you have the correct tenant ID, and so on
Failed to package app error message:

```
Failed to package app. com.microsoft.intune.mam.apppackager.utils.AppPackagerException: This app already has the MAM SDK integrated.
com.microsoft.intune.mam.apppackager.AppPackager.packageApp(AppPackager.java:113)
com.microsoft.intune.mam.apppackager.PackagerMain.mainInternal(PackagerMain.java:198)
com.microsoft.intune.mam.apppackager.PackagerMain.main(PackagerMain.java:56)
The application cannot be wrapped.
```

Citrix Gateway issues
Issue | Resolution
---|---
The permissions required to be configured for the gateway app on Azure are unavailable. | Check if a proper Intune license is available. Try using the manage.windowsazure.com portal to see if the permission can be added. Contact Microsoft support if the issue persists.
Citrix Gateway cannot reach login.microsoftonline.com and graph.windows.net. | From NS Shell, check if you are able to reach the following Microsoft website: cURL -v -k https://login.microsoftonline.com. Then, check whether DNS is configured on Citrix Gateway. Also check that the firewall settings are correct (in case DNS requests are firewalled).
An error appears in ns.log after you configure OAuthAction. | Check if Intune licensing is enabled and the Azure Gateway app has the proper permissions set.
The sh OAuthAction command does not show OAuth status as complete. | Check the DNS settings and configured permissions on the Azure Gateway App.
The Android or iOS device does not show the dual authentication prompt. | Check if the Dual Factor Device ID logonSchema is bound to the authentication virtual server.
Citrix Gateway OAuth status and error condition
Status | Error condition
---|---
AADFORGRAPH | Invalid secret, URL not resolved, connection timeout
MDMINFO | *manage.microsoft.com is down or unreachable
GRAPH | Graph endpoint is down or unreachable
CERTFETCH | Cannot talk to "Token Endpoint: https://login.microsoftonline.com" because of a DNS error. To validate this configuration, go to shell and type cURL https://login.microsoftonline.com. This command must validate.
Note:
When the OAuth status is successful, the status is displayed as COMPLETE.