Gateway

Full VPN setup on Citrix Gateway

This section describes how to configure full VPN setup on a Citrix Gateway appliance. It contains networking considerations and the ideal approach for resolving issues from the networking perspective.

Prerequisites

When users connect with the Citrix Gateway plug-in, Secure Hub, or Citrix Workspace app, the client software establishes a secure tunnel over port 443 (or any configured port on Citrix Gateway) and sends authentication information. Once the tunnel has been established, Citrix Gateway sends configuration information to the Citrix Gateway plug-in, Citrix Secure Hub, or Citrix Workspace app describing the networks to be secured. That information also contains an IP address if you enable intranet IPs.

You configure user device connections by defining the resources users can access in the internal network. Configuring user device connections includes the following:

  • Split tunneling
  • IP addresses for users, including address pools (intranet IPs)
  • Connections through a proxy server
  • Defining the domains to which users are allowed access
  • Time-out settings
  • Single sign-on
  • User software that connects through Citrix Gateway
  • Access for mobile devices

You configure most user device connections by using a profile that is part of a session policy. You can also define user device connection settings by using per-authentication, traffic, and authorization policies. They can also be configured using intranet applications.

Configure a full VPN setup on a Citrix Gateway appliance

To configure a VPN setup on the Citrix Gateway appliance, complete the following procedure:

  1. Navigate to Traffic Management > DNS.

  2. Select the Name Servers node, as shown in the following screenshot. Ensure that the DNS name server is listed. If it is not available, add a DNS Name Server.

    select name server

  3. Expand Citrix Gateway > Policies.

  4. Select the Session node.

  5. In the Citrix Gateway Session Policies and Profiles page, click the Profiles tab click Add. For each component you configure in the Configure Citrix Gateway Session Profile dialog box, ensure that you select the Override Global option for the respective component.

  6. Click the Client Experience tab.

  7. Type the intranet portal URL in the Home Page field if you would like to present any URL when the user logs into the VPN. If the home page parameter is set to “nohomepage.html,” the home page is not displayed. When the plug-in starts, a browser instance starts and gets killed automatically.

  8. Ensure to select the desired setting from the Split Tunnel list.

  9. Select OFF from the Clientless Access list if you want FullVPN.

  10. Ensure that Windows/Mac OS X is selected from the plug-in Type list.

  11. Select the Single Sign-on to Web Applications option if desired.

  12. Ensure that the Client Cleanup Prompt option is selected if necessary, as shown in the following screenshot:

    client cleanup

  13. Click the Security tab.

  14. Ensure that ALLOW is selected from the Default Authorization Action list.

    set default authorization action to allow

  15. Click the Published Applications tab.

  16. Ensure that OFF is selected from the ICA Proxy list under the Published Applications option.

    set ICA Proxy to off

  17. Click Create.

  18. Click Close.

  19. Click the Policies tab of the Citrix Gateway Session Policies and Profiles page in the virtual server or activate the Session Policies at the GROUP/USER Level as required.

  20. Create a session policy with a required expression or true, as shown in the following screenshot:

    Create a session policy

  21. Bind the Session policy to the VPN virtual server. For details, see Bind session policies.

    If Split Tunnel was configured to ON, you must configure the Intranet Applications you would like the users to access when connected to the VPN. For details on Intranet Applications, see Configure intranet applications for the Citrix Secure Access client.

    1. Go to Citrix Gateway > Resources > Intranet Applications​.

    2. Create an Intranet Application. Select Transparent for FullVPN with Windows client. Select the protocol that you would like to allow (TCP, UDP, or ANY), destination type (IP address and mask, IP address range, or host name).

      create an intranet application

    3. If necessary, set a new policy for VPN on iOS and Android using the following expression: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixVPN")&&HTTP.REQ.HEADER("User-Agent").CONTAINS("NSGiOSplugin")&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Android")

    4. Bind the Intranet Applications created at the USER/GROUP/VSERVER level as required.

Other parameters

The following are some of the parameters that you can configure and a brief description of each:

Split tunnel configuration

Split tunnel OFF

When the split tunnel is set to off, the Citrix Gateway plug-in captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to Citrix Gateway. In other words, the VPN client establishes a default route from the client PC pointing to the Citrix Gateway VIP, meaning that all the traffic needs to be sent through the tunnel to get to the destination. Since all the traffic is going to be sent through the tunnel, authorization policies must determine whether the traffic is allowed to pass through to internal network resources or be denied.

While set to “off,” all traffic is going through the tunnel including Standard Web traffic to websites. If the goal is to monitor and control this web traffic then you must forward these requests to an external Proxy using the Citrix ADC appliance. User devices can connect through a proxy server for access to internal networks as well.
Citrix Gateway supports the HTTP, SSL, FTP, and SOCKS protocols. To enable proxy support for user connections, you must specify these settings on Citrix Gateway. You can specify the IP address and port used by the proxy server on Citrix Gateway. The proxy server is used as a forward proxy for all further connections to the internal network.

For more information, see Enabling Proxy Support for User Connections

Split tunnel ON

You can enable split tunneling to prevent the Citrix Gateway plug-in from sending unnecessary network traffic to Citrix Gateway. If the split tunnel is enabled, the Citrix Gateway plug-in sends only traffic destined for networks protected (intranet applications) by Citrix Gateway through the VPN tunnel. The Citrix Gateway plug-in does not send network traffic destined for unprotected networks to Citrix Gateway. When the Citrix Gateway plug-in starts, it obtains the list of intranet applications from Citrix Gateway and establishes a route for each subnet defined on the intranet application tab in the client PC. The Citrix Gateway plug-in examines all packets transmitted from the user device and compares the addresses within the packets to the list of intranet applications (routing table created when the VPN connection was started). If the destination address in the packet is within one of the intranet applications, the Citrix Gateway plug-in sends the packet through the VPN tunnel to Citrix Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device then routes the packet appropriately using the default routing originally defined on the client PC. “When you enable split tunneling, intranet applications define the network traffic that is intercepted and send through the tunnel”.

Reverse split tunnel

Citrix Gateway also supports reverse split tunneling, which defines the network traffic that Citrix Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that Citrix Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through Citrix Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the Citrix Gateway plug-in, Citrix Gateway does not intercept network traffic destined to a printer or another device within the wireless network.

Configure split tunneling

  1. Navigate to Configuration > Citrix Gateway > Policies > Session.

  2. In the details pane, on the Profiles tab, select a profile and then click Edit.

  3. On the Client Experience tab, next to Split Tunnel, select Global Override, select an option, and then click OK.

    Configuring Split Tunneling and Authorization

    When planning your Citrix Gateway deployment, it is important to consider split tunneling and the default authorization action and authorization policies.

    For example, you have an authorization policy that allows access to a network resource. You have split tunneling set to ON and you do not configure intranet applications to send network traffic through Citrix Gateway. When Citrix Gateway has this type of configuration, access to the resource is allowed, but users cannot access the resource.

    configure full VPN

If the authorization policy denies access to a network resource, the Citrix Gateway plug-in sends traffic to Citrix Gateway, but access to the resource is denied in the following conditions.

  • You have split tunneling set to ON.
  • Intranet applications are configured to route network traffic through Citrix Gateway

For more information about authorization policies, review the following:

To configure network access to internal network resources

  1. Navigate to Configuration > Citrix Gateway > Resources > Intranet Applications.

  2. In the details pane, click Add.

  3. Complete the parameters for allowing network access, click Create, and then click Close.

When we do not set up the intranet IPs for the VPN users, the user sends the traffic to the Citrix Gateway VIP and then from there the Citrix ADC appliance builds a new packet to the intranet application resource on the internal LAN. This new packet is going to be sourced from the SNIP toward the intranet application. From here, the intranet application gets the packet, processes it and then attempts to reply to the source of that packet (the SNIP in this case). The SNIP gets the packet and sends the reply to the client who made the request.

When an Intranet IP address is used, the user sends the traffic to the Citrix Gateway VIP and then from there the Citrix ADC appliance is going to map the client IP into one of the configured INTRANET IPs from the Pool. Be advised that the Citrix ADC appliance is going to own the Intranet IP pool and for this reason these ranges must not be used in the internal network. The Citrix ADC appliance assigns an Intranet IP for the incoming VPN connections like a DHCP server would do. The Citrix ADC appliance builds a new packet to the intranet application on the LAN that the user would access. This new packet is going to be sourced from one of the Intranet IPs toward the intranet application. From here, intranet applications get the packet, process it and then attempt to reply to the source of that packet (the INTRANET IP). In this case the reply packet needs to be routed back to the Citrix ADC appliance, where the INTRANET IPs are located (Remember, the Citrix ADC appliance owns the Intranet IPs subnets). To accomplish this task, the network administrator must have a route to the INTRANET IP, pointing to one of the SNIPs. It is recommended to point the traffic back to the SNIP that holds the route from which the packet leaves the Citrix ADC appliance the first time to avoid any asymmetric traffic.

Split tunneling options

The following are the various split tunneling options.

Split tunnel configuration

Split tunnel OFF

When the split tunnel is set to off, the Citrix Secure Access client captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to Citrix Gateway. In other words, the VPN client establishes a default route from the client PC pointing to the Citrix Gateway VIP, meaning that all the traffic needs to be sent through the tunnel to get to the destination. Since all the traffic is going to be sent through the tunnel, authorization policies must determine whether the traffic is allowed to pass through to internal network resources or be denied.

While set to “off,” all traffic is going through the tunnel including Standard Web traffic to websites. If the goal is to monitor and control this web traffic then you must forward these requests to an external Proxy using the Citrix Gateway appliance. User devices can connect through a proxy server for access to internal networks as well.
Citrix Gateway supports the HTTP, SSL, FTP, and SOCKS protocols. To enable proxy support for user connections, you must specify these settings on Citrix Gateway. You can specify the IP address and port used by the proxy server on Citrix Gateway. The proxy server is used as a forward proxy for all further connections to the internal network.

For more information review the following links:

Split tunnel ON

You can enable split tunneling to prevent the Citrix Secure Access client from sending unnecessary network traffic to Citrix Gateway. If the split tunnel is enabled, the Citrix Secure Access client sends only traffic destined for networks protected (intranet applications) by Citrix Gateway through the VPN tunnel. The Citrix Secure Access client does not send network traffic destined for unprotected networks to Citrix Gateway. When the Citrix Secure Access client starts, it obtains the list of intranet applications from Citrix Gateway and establishes a route for each subnet defined on the intranet application tab in the client PC. The Citrix Secure Access client examines all packets transmitted from the user device and compares the addresses within the packets to the list of intranet applications (routing table created when the VPN connection was started). If the destination address in the packet is within one of the intranet applications, the Citrix Secure Access client sends the packet through the VPN tunnel to Citrix Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device then routes the packet appropriately using the default routing originally defined on the client PC. “When you enable split tunneling, intranet applications define the network traffic that is intercepted and send through the tunnel”.

Reverse split tunnel

Citrix Gateway also supports reverse split tunneling, which defines the network traffic that Citrix Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that Citrix Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through Citrix Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the Citrix Secure Access client, Citrix Gateway does not intercept network traffic destined to a printer or another device within the wireless network.

Note:

Citrix Secure Access client for Windows, macOS, iOS, and Android supports FQDN-based reverse split tunneling. For Windows clients, starting from Citrix Secure Access 22.6.1.5, this feature works only if the WFP driver is enabled.

Points to note

IP-based reverse split-tunneling:

  • Number of IP address-based rules is limited to 1024.
  • Supported with both DNE and WFP drivers.

Host name-based reverse split-tunneling:

  • The number of host names that can be accessed during a VPN session is restricted by the number of usable IP addresses specified in the FQDN spoofing range. This is because every host name takes up one IP address from the FQDN spoofing range. Once the IP range is exhausted, the least recently assigned IP address is reused for the next new host name.
  • DNS suffixes must be configured.

    Note:

    For Windows clients, host name-based reverse split-tunneling is supported only with the WFP driver. Enable the WFP driver mode and set “EnableWFP” as the registry value. For more information, see Windows Citrix Secure Access client using Windows Filtering Platform.

IP-based and host name-based reverse split-tunneling:

  • Supported only with the WFP driver. All the other guidelines mentioned in IP-based reverse split-tunneling and host name-based reverse split-tunneling are applicable.

Configure name service resolution

During installation of Citrix Gateway, you can use the Citrix Gateway wizard to configure other settings, including name service providers. The name service providers translate the fully qualified domain name (FQDN) to an IP address. In the Citrix Gateway wizard, you can also perform the following:

  • Configure a DNS or WINS server
  • Set the priority of the DNS lookup
  • Set the number of times to retry the connection to the server.

When you run the Citrix Gateway wizard, you can add a DNS server then. You can add another DNS servers and a WINS server to Citrix Gateway by using a session profile. You can then direct users and groups to connect to a name resolution server that is different from the one you originally used the wizard to configure.

Before configuring another DNS server on Citrix Gateway, create a virtual server that acts as a DNS server for name resolution.

To add a DNS or WINS server within a session profile

  1. In the configuration utility, configuration tab > Citrix Gateway > Policies > Session.

  2. In the details pane, on the Profiles tab, select a profile and then click Open.

  3. On the Network Configuration tab, do one of the following:

    • To configure a DNS server, next to DNS Virtual Server, click Override Global, select the server, and then click OK.

    • To configure a WINS server, next to WINS Server IP, click Override Global, type the IP address and then click OK.

References

Full VPN setup on Citrix Gateway