-
Pre-installation checklist
-
Install and configure the NetScaler Gateway appliance
-
Maintain and monitor NetScaler Gateway systems
-
Configure DTLS VPN virtual server using SSL VPN virtual server
-
Integrate NetScaler Gateway with Citrix products
-
Integrate NetScaler Gateway with Citrix Virtual Apps and Desktops
-
Configure settings for your Citrix Endpoint Management Environment
-
Configure load balancing servers for Citrix Endpoint Management
-
Configure load balancing servers for Microsoft Exchange with Email Security Filtering
-
Configure Citrix Endpoint Management NetScaler Connector (XNC) ActiveSync Filtering
-
Allow Access from mobile devices with Citrix Mobile Productivity Apps
-
Configure domain and security token authentication for Citrix Endpoint Management
-
Configure client certificate or client certificate and domain authentication
-
-
NetScaler Gateway Enabled PCoIP Proxy Support for VMware Horizon View
-
Proxy Auto Configuration for Outbound Proxy support for NetScaler Gateway
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Gateway pre-installation checklist
The checklist consists of a list of tasks and planning information you must complete before you install NetScaler Gateway.
Space is provided so that you can check off each task as you complete it and make notes. Citrix recommends that you make note of the configuration values that you need to enter during the installation process and while configuring NetScaler Gateway.
For steps to install and configure NetScaler Gateway, see Installing NetScaler Gateway.
User devices
- Ensure that user devices meet the installation prerequisites described in Citrix Secure Access System Requirements
- Identify the mobile devices with which users connect. Note: If users connect with an iOS device, you must enable Secure Browse in a session profile.
NetScaler Gateway basic network connectivity
Citrix recommends that you obtain licenses and signed server certificates before you start to configure the appliance.
- Identify and write down the NetScaler Gateway host name. Note: This is not the fully qualified domain name (FQDN). The FQDN is contained in the signed server certificate that is bound to the virtual server.
- Obtain Universal licenses from the Citrix Website
- Generate a Certificate Signing Request (CSR) and send to a Certificate Authority (CA). Enter the date you send the CSR to the Certificate Authority.
- Write down the system IP address and subnet mask.
- Write down the subnet IP address and subnet mask.
- Write down the administrator password. The default password that comes with NetScaler Gateway is
nsroot
. - Write down the port number on which NetScaler Gateway listens for secure user connections. The default is TCP port 443. This port must be open on the firewall between the unsecured network (Internet) and the DMZ.
- Write down the default gateway IP address.
- Write down the DNS server IP address and port number. The default port number is 53. In addition, if you are adding the DNS server directly, you must also configure ICMP (ping) on the appliance.
- Write down the first virtual server IP address and host name.
- Write down the second virtual server IP address and host name (if applicable).
- Write down the WINS server IP address (if applicable).
Internal networks accessible through NetScaler Gateway
- Write down the internal networks that users can access through NetScaler Gateway. Example: 10.10.0.0/24
- Enter all internal networks and network segments that users need access to when they connect through NetScaler Gateway by using the Citrix Secure Access client.
High availability
If you have two NetScaler Gateway appliances, you can deploy them in a high availability configuration in which one NetScaler Gateway accepts and manages connections, while a second NetScaler Gateway monitors the first appliance. If the first NetScaler Gateway stops accepting connections for any reason, the second NetScaler Gateway takes over and begins actively accepting connections.
- Write down the NetScaler Gateway software version number.
- The version number must be the same on both NetScaler Gateway appliances.
- Write down the administrator password (
nsroot
). The password must be the same on both appliances. - Write down the primary NetScaler Gateway IP address and ID. The maximum ID number is 64.
- Write down the secondary NetScaler Gateway IP address and ID.
- Obtain and install the Universal license on both appliances.
- Install the same Universal license on both appliances.
- Write down the RPC node password.
Authentication and Authorization
NetScaler Gateway supports several different authentication and authorization types that can be used in various combinations. For detailed information about authentication and authorization, see Authentication and Authorization.
LDAP authentication
If your environment includes an LDAP server, you can use LDAP for authentication.
-
Write down the LDAP server IP address and port.
If you allow unsecure connections to the LDAP server, the default port is 389. If you encrypt connections to the LDAP server with SSL, the default port is 636.
-
Write down the security type.
You can configure security with or without encryption.
-
Write down the administrator bind DN.
If your LDAP server requires authentication, enter the administrator DN that NetScaler Gateway must use to authenticate when making queries to the LDAP directory. An example is cn=administrator,cn=Users,dc=ace, dc=com.
-
Write down the administrator password.
The password is associated with the administrator bind DN.
-
Write down the Base DN.
DN (or directory level) under which users are located; for example, ou=users,dc=ace,dc=com.
-
Write down the server logon name attribute.
Enter the LDAP directory person object attribute that specifies a user’s logon name. The default is sAMAccountName. If you are not using Active Directory, the common values for this setting are cn or uid. For more information about LDAP directory settings, see Configuring LDAP Authentication
- Write down the group attribute. Enter the LDAP directory person object attribute that specifies the groups to which a user belongs. The default is memberOf. This attribute enables NetScaler Gateway to identify the directory groups to which a user belongs.
- Write down the subattribute name.
RADIUS authentication and authorization
If your environment includes a RADIUS server, you can use RADIUS for authentication. RADIUS authentication includes RSA SecurID, SafeWord, and Gemalto Protiva products.
- Write down the primary RADIUS server IP address and port. The default port is 1812.
- Write down the primary RADIUS server secret (shared secret).
- Write down the secondary RADIUS server IP address and port. The default port is 1812.
- Write down the secondary RADIUS server secret (shared secret).
- Write down the type of password encoding (PAP, CHAP, MS-CHAP v1, MSCHAP v2).
SAML Authentication
The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization between Identity Providers (IdP) and Service Providers.
- Obtain and install on NetScaler Gateway a secure IdP certificate.
- Write down the redirect URL.
- Write down the user field.
- Write down the signing certificate name.
- Write down the SAML issuer name.
- Write down the default authentication group.
Opening ports through the firewalls (single-hop DMZ)
If your organization protects the internal network with a single DMZ and you deploy the NetScaler Gateway in the DMZ, open the following ports through the firewalls. If you are installing two NetScaler Gateway appliances in a double-hop DMZ deployment, see Opening the Appropriate Ports on the Firewalls.
On the firewall between the unsecured network and the DMZ
- Open a TCP/SSL port (default 443) on the firewall between the Internet and NetScaler Gateway. User devices connect to NetScaler Gateway on this port.
On the firewall between the secured network
- Open one or more appropriate ports on the firewall between the DMZ and the secured network. NetScaler Gateway connects to one or more authentication servers or to computers running Citrix Virtual Apps and Desktops in the secured network on these ports.
-
Write down the authentication ports.
Open only the port appropriate for your NetScaler Gateway configuration.
- For LDAP connections, the default is TCP port 389.
- For a RADIUS connection, the default is UDP port 1812. Write down the Citrix Virtual Apps and Desktops ports.
- If you are using NetScaler Gateway with Citrix Virtual Apps and Desktops, open TCP port 1494. If you enable session reliability, open TCP port 2598 instead of 1494. Citrix recommends keeping both of these ports open.
Citrix Virtual Desktops, Citrix Virtual Apps, the Web Interface, or StoreFront
Complete the following tasks if you are deploying NetScaler Gateway to provide access to Citrix Virtual Apps and Desktops through the Web Interface or StoreFront. The Citrix Secure Access client is not required for this deployment. Users access published applications and desktops through NetScaler Gateway by using only web browsers and Citrix Receiver.
- Write down the FQDN or IP address of the server running the Web Interface or StoreFront.
- Write down the FQDN or IP address of the server running the Secure Ticket Authority (STA) (for Web Interface only).
Citrix Endpoint Management
Complete the following tasks if you deploy Citrix Endpoint Management in your internal network. If users connect to Endpoint Management from an external network, such as the Internet, users must connect to NetScaler Gateway before accessing mobile, web, and SaaS apps.
- Write down the FQDN or IP address of Endpoint Management.
- Identify web, SaaS, and mobile iOS or Android applications users can access.
Double-Hop DMZ deployment with Citrix Virtual Apps
Complete the following tasks if you are deploying two NetScaler Gateway appliances in a double-hop DMZ configuration to support access to servers running Citrix Virtual Apps.
NetScaler Gateway in the first DMZ
The first DMZ is the DMZ at the outermost edge of your internal network (closest to the Internet or unsecure network). Clients connect to NetScaler Gateway in the first DMZ through the firewall separating the Internet from the DMZ. Collect this information before installing NetScaler Gateway in the first DMZ.
-
Complete the items in the NetScaler Gateway Basic Network Connectivity section of this checklist for this NetScaler Gateway.
When completing those items, Interface 0 connects this NetScaler Gateway to the Internet and Interface 1 connects this NetScaler Gateway to NetScaler Gateway in the second DMZ.
-
Configure the second DMZ appliance information on the primary appliance.
To configure NetScaler Gateway as the first hop in the double-hop DMZ, you must specify the host name or IP address of NetScaler Gateway in the second DMZ on the appliance in the first DMZ. After specifying when the NetScaler Gateway proxy is configured on the appliance in the first hop, bind it to NetScaler Gateway globally or to a virtual server.
-
Write down the connection protocol and port between appliances.
To configure NetScaler Gateway as the first hop in the double DMZ, you must specify the connection protocol and the port on which NetScaler Gateway in the second DMZ listens for connections. The connection protocol and port is SOCKS with SSL (default port 443). The protocol and port must be open through the firewall that separates the first DMZ and the second DMZ.
NetScaler Gateway in the second DMZ
The second DMZ is the DMZ closest to your internal, secure network. NetScaler Gateway deployed in the second DMZ serves as a proxy for ICA traffic, traversing the second DMZ between the external user devices and the servers on the internal network.
-
Complete the tasks in the NetScaler Gateway Basic Network Connectivity section of this checklist for this NetScaler Gateway.
When completing those items, Interface 0 connects this NetScaler Gateway to NetScaler Gateway in the first DMZ. Interface 1 connects this NetScaler Gateway to the secured network.
Share
Share
In this article
- User devices
- NetScaler Gateway basic network connectivity
- Internal networks accessible through NetScaler Gateway
- High availability
- Authentication and Authorization
- SAML Authentication
- Opening ports through the firewalls (single-hop DMZ)
- Citrix Virtual Desktops, Citrix Virtual Apps, the Web Interface, or StoreFront
- Citrix Endpoint Management
- Double-Hop DMZ deployment with Citrix Virtual Apps
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.