Create virtual servers

A virtual server is the access point to which users log on: a combination of an IP address, port, and protocol that accepts incoming traffic. Each virtual server has its own IP address, certificate, and policy set, and holds the connection settings that apply when users log on to the appliance. You can configure the following settings on virtual servers:

  • Certificates
  • Authentication
  • Policies
  • Bookmarks
  • Address pools (also known as IP pools or intranet IPs)
  • Double-hop DMZ deployment with NetScaler Gateway
  • Secure Ticket Authority
  • SmartAccess ICA Proxy Session Transfer

If you run the NetScaler Gateway wizard, you can create a virtual server during the wizard. You can configure more virtual servers in the following ways:

  • From the virtual servers node. This node is on the navigation pane in the configuration utility. You can add, edit, and remove virtual servers by using the configuration utility.
  • With the Quick Configuration wizard. If you deploy Citrix Endpoint Management, StoreFront, or the Web Interface in your environment, you can use the Quick Configuration wizard to create the virtual server and all the policies needed for your deployment.

If you want users to log on and use a specific authentication type, such as RADIUS, you can configure a virtual server and assign the server a unique IP address. When users log on, they are directed to the virtual server and then prompted for their RADIUS credentials.

You can also configure the ways users log on to NetScaler Gateway. You can use a session policy to configure the type of user software, the access method, and the home page users see after logging on.

To create virtual servers

You can add, modify, enable or disable, and remove virtual servers by using the NetScaler Gateway GUI or the Quick Configuration wizard. For more information about configuring a virtual server with the Quick Configuration wizard, see Configuring Settings with the Quick Configuration Wizard.

Note:

The VPN virtual server supports DTLS version 1.0 by default. To enable DTLS version 1.2, see Configure DTLS VPN virtual server using SSL VPN virtual server.

HTTP QUIC VPN virtual server

From release 14.1 build 8.x, NetScaler Gateway supports HTML5 browser clients that send ICA traffic over QUIC to launch Citrix DaaS sessions. You can create a VPN virtual server of service type HTTP QUIC to launch Citrix DaaS applications over QUIC from HTML5 clients, without client plug-in software. Previously, Citrix DaaS applications had to be launched through browsers either with the Citrix Workspace app client plug-in software or with HTML5 client apps using WebSockets (clientless access).

HTML5 clients support the WebTransport protocol, which uses HTTP/3 over QUIC to establish communication between a client and a web server. For more information about HTTP over QUIC, see HTTP over QUIC protocol.

Configure the HTTP QUIC VPN virtual server by using the GUI

  1. Configure HTTP QUIC VPN virtual server.

    1. Navigate to Configuration > NetScaler Gateway > Virtual Servers.

    2. On the NetScaler Gateway Virtual Servers page, click Add.

    3. In Protocol, select HTTP_QUIC.

    4. Update the remaining fields as required and click OK.

  2. Enable HTTP/3 WebTransport on the HTTP profile.

    • Navigate to System > Profiles > HTTP Profiles. In the HTTP/3 section, enable the HTTP/3 WebTransport checkbox. For details about HTTP profiles, see HTTP configurations.

Configure the HTTP QUIC VPN virtual server by using the CLI

  1. Configure a VPN virtual server of service type HTTP QUIC. The service type is positional, as in the generic add vpn vserver syntax later on this page, and the IP address and port must match those of the SSL VPN virtual server that serves the same users (see the notes that follow).

    add vpn vserver <VPN server name> HTTP_QUIC <IPAddress> <port> -dtls OFF -Listenpolicy NONE -httpProfileName <name of the HTTP QUIC profile> -deploymentType ICA_STOREFRONT -vserverFqdn <FQDN>
    
  2. Enable HTTP/3 WebTransport on the HTTP profile.

    set httpprofile nshttp_default_http_quic_profile -http3webTransport ENABLED

Verify the profile with the following show command. The output includes HTTP/3 WebTransport: ENABLED, which indicates that the HTTP QUIC service type is being used to carry WebTransport traffic between the client and the VPN virtual server.

sh httpprofile <name>

        HTTP/2 Strict Cipher: ENABLED
        HTTP/3: ENABLED
        HTTP/3 maximum header field section size: 24576
        HTTP/3 maximum header table size: 4096
        HTTP/3 maximum header blocked streams: 100
        HTTP/3 WebTransport: ENABLED
        gRPC Buffer Limit: 131072
        gRPC Buffer Timeout: 1000
        gRPC Length Delimited Message: ENABLED
        Apdex Client Response Threshold: 500
        HTTP pipeline req buffer size: 131072
        Reference count: 2

Notes:

  • The IP address and port number must be the same for the SSL and HTTP QUIC VPN virtual servers. However, DTLS must be disabled on the SSL VPN virtual server, because DTLS and HTTP_QUIC both use UDP and cannot share one IP address and port number. For details about the DTLS VPN virtual server, see Configure DTLS VPN virtual server using SSL VPN virtual server.
  • The HTTP profile bound to the SSL VPN virtual server must have its alternative service value set to Altsvc=h3=":port number", where the port number is that of the HTTP QUIC VPN virtual server; this is how browsers learn that HTTP/3 is available on the same endpoint. For details about the Alternative Service parameter, see HTTP/2 for HTTP load balancing configuration.

To create a virtual server by using the GUI

  1. Navigate to NetScaler Gateway > Virtual Servers.
  2. In the details pane, click Add.
  3. Configure the settings as per your requirement.
  4. Click Create and then click Close.

To create a virtual server by using the CLI

At the command prompt, type:

add vpn vserver <name> <serviceType> [<IPAddress> <port>]

Example:

add vpn vserver gatewayserver SSL 1.1.1.1 443

Points to note when binding a net profile to the VPN virtual server

You can create net profiles (network profiles) to configure the appliance to use a specified source IP address and bind the net profile to the VPN virtual server. However, note the following when binding a net profile to the VPN virtual server.

  • When you bind a net profile to a NetScaler Gateway virtual server, the net profile does not select a specific SNIP for the traffic that the virtual server or service sends to back-end servers. Instead, the gateway appliance ignores the net profile binding and selects SNIPs in round-robin order, so back-end firewall rules must allow every SNIP in the subnet rather than a single source address.

  • A net profile bound to the virtual server does not apply to dynamically generated services (STA, StoreFront monitor). For STA and other dynamically generated services, bind the net profile to those monitors directly and the monitors then use it. However, if you have multiple gateways on the same appliance, all gateways use the same net profile for the configured monitors.

    For more details about net profile, see Use a specified source IP for back-end communication.

Net profile source IP address in a DTLS VPN virtual server configuration for UDP launch

Starting from release 14.1 build 17.38, NetScaler Gateway configured with DTLS Listener chooses the source IP address from the net profile to establish a UDP connection with the Virtual Delivery Agent (VDA). Ensure that the net profile is bound to the SSL VPN virtual server.

Run the following CLI commands to create the SNIP, reference it from a net profile, and bind the net profile to the VPN virtual server:

add ns ip <IPAddress> <netmask> -type SNIP
add netProfile net1 -srcIP <IPAddress>
set vpn vserver <name> -netProfile net1

To verify that the chosen source IP address is used, run the show connectiontable CLI command and confirm that the UDP connections to the VDA carry the net profile address as their source.

Current users and total connected users on the virtual server

Current users: The number of users logged on to a specific virtual server, that is, the number of authentication, authorization, and auditing sessions that have not timed out. Monitor this counter to track concurrent users (CCUs).

Total connected users: The number of users who have one or more active connections through the specific virtual server. This counter is mostly relevant to ICA Proxy.

You can use the number of total connected users counter in the following scenarios:

  • Consider that an ICA connection is established but no corresponding authentication, authorization, and auditing session is active. In this scenario, a user launches an application or a desktop, closes the browser, and continues to work on the launched app or desktop. The authentication, authorization, and auditing session times out, but the ICA connection is still active. The total number of connected users identifies the users that are still connected.

  • In HDX optimal routing, authentication gateway and ICA gateway can be on different appliances. The total connected users in this case can be used to identify the number of connected users on the ICA gateway.

Points to note:

  • Current users exceed total connected users when there are active sessions (not yet timed out) but there are no active connections on these sessions. For example, a user launched an application or a desktop and closed it immediately but did not log out from the authentication, authorization, and auditing session.

  • Total connected users exceed current users if authentication, authorization, and auditing sessions timeout but ICA connections are still active.

  • In a pure VPN setup (no ICA is involved), the number of current users and total connected users are equal.

Configure connection types on the virtual server

When you create and configure a virtual server, you can configure the following connection options:

  • Connections with Citrix Workspace app only to Citrix Virtual Apps and Desktops without SmartAccess, endpoint analysis, or network layer tunneling features.
  • Connections with the Citrix Secure Access client and SmartAccess, which allow the use of SmartAccess, endpoint analysis, and network layer tunneling functions.
  • Connections with Secure Hub that establishes a Micro VPN connection from mobile devices to NetScaler Gateway.
  • Parallel connections made over the ICA session protocol by a user from multiple devices. The connections are migrated to a single session to prevent the use of multiple Universal licenses.

If you want users to log on without user software, you can configure a clientless access policy and bind it to the virtual server.

To configure Basic or SmartAccess connections on a virtual server

  1. Navigate to NetScaler Gateway and then click Virtual Servers.
  2. In the details pane, click Add.
  3. In Name, type a name for the virtual server.
  4. In IP Address and Port, type the IP address and port number for the virtual server.
  5. Do one of the following:
    • To allow ICA connections only, click Basic Mode.
    • To allow user logon with Secure Hub, the Citrix Secure Access client and SmartAccess, click SmartAccess Mode.
    • To allow SmartAccess to manage ICA Proxy sessions for multiple user connections, click ICA Proxy Session Migration.
  6. Configure the other settings for the virtual server, click Create, and then click Close.

Configure a listen policy for wildcard virtual servers

You can restrict a NetScaler Gateway virtual server to listening on a specific VLAN. A wildcard virtual server (IP address *) otherwise accepts traffic arriving on any address, so create it with a listen policy that restricts it to processing traffic on the intended VLAN.

The configuration parameters are:

  • Name: The name of the virtual server. The name is required and you cannot change it after you create the virtual server. The name cannot exceed 127 characters and the first character must be a number or letter. You can also use the following characters: at symbol (@), underscore (_), dash (-), period (.), colon (:), pound sign (#), and a space.
  • IP: The IP address of the virtual server. For a wildcard virtual server bound to the VLAN, the value is always *.
  • Type: The behavior of the service. Your choices are HTTP, SSL, FTP, TCP, SSL_TCP, UDP, SSL_BRIDGE, NNTP, DNS, ANY, SIP-UDP, DNS-TCP, and RTSP.
  • Port: The port on which the virtual server listens for user connections. The port number must be between 0 and 65535. For a wildcard virtual server bound to a VLAN, the value is usually *.
  • Listen Priority: The priority assigned to the listen policy. Priority is evaluated in reverse order; the lower the number, the higher the priority of the listen policy.
  • Listen Policy Rule: The policy rule that identifies the VLAN on which the virtual server listens. The rule is CLIENT.VLAN.ID.EQ(<vlan-id>). Replace <vlan-id> with the numeric ID assigned to the VLAN.

To create a wildcard virtual server with a listen policy

  1. In the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
  2. In the details pane, click Add.
  3. In Name, type a name for the virtual server.
  4. In Protocol, select the protocol.
  5. In IP Address, type the IP address for the virtual server.
  6. In Port, type the port for the virtual server.
  7. On the Advanced tab, under Listen Policy, in Listen Priority, type the priority for the listen policy.
  8. Next to Listen Policy Rule, click Configure.
  9. In the Create Expression dialog box, click Add, configure the expression, and then click OK.
  10. Click Create and then click Close.
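The constraints in the HTTP QUIC notes (same IP address and port for the SSL and HTTP QUIC virtual servers, no DTLS on that endpoint, WebTransport enabled and an h3 alternative service advertised on the HTTP profiles) and the wildcard listen-policy rule above are easy to get wrong in a large running configuration. The following checker, written for this article and not part of NetScaler, reads add vpn vserver and set httpProfile lines in the form shown on this page and reports violations. It assumes that the alternative service is stored in the -altsvcValue option with a value such as h3=":443", that a VPN virtual server with no -dtls option is DTLS OFF (only an explicit -dtls ON is reported), and that set httpprofile and set ns httpProfile name the same command; the sample configuration inside the block is constructed, not taken from a real appliance.

```python
"""Lint NetScaler running-config lines for VPN virtual servers against the
HTTP QUIC coexistence rules and the wildcard listen-policy rule described
in this article. Added example for the article; not NetScaler code.

Assumptions not stated on the page:
  * a VPN virtual server whose -dtls option is absent is treated as DTLS OFF,
    so only an explicit "-dtls ON" is reported;
  * the HTTP profile's alternative service is read from -altsvcValue and is
    expected to contain h3=":<port>" for the HTTP QUIC port;
  * "set httpprofile" and "set ns httpProfile" are the same command.
Usage: python lint_vpn_vservers.py [running-config.txt]
"""
import shlex
import sys

# Constructed sample (not from a real appliance): one correct SSL/HTTP_QUIC
# pair, one wildcard server with a listen policy, one broken pair, and one
# wildcard server that listens everywhere.
SAMPLE_CONFIG = r'''
set ns httpProfile http_quic_prof -http3 ENABLED -http3WebTransport ENABLED -altsvc ENABLED -altsvcValue "h3=\":443\""
add vpn vserver gw_ssl SSL 203.0.113.10 443 -dtls OFF -httpProfileName http_quic_prof
add vpn vserver gw_quic HTTP_QUIC 203.0.113.10 443 -dtls OFF -httpProfileName http_quic_prof -deploymentType ICA_STOREFRONT
add vpn vserver gw_vlan10 SSL * * -Listenpolicy "CLIENT.VLAN.ID.EQ(10)" -Listenpriority 10
add vpn vserver gw_bad SSL 203.0.113.11 443 -dtls ON -httpProfileName nshttp_default_profile
add vpn vserver gw_bad_quic HTTP_QUIC 203.0.113.11 443 -httpProfileName nshttp_default_profile
add vpn vserver gw_open SSL * *
'''


def _options(tokens):
    """Map '-Name value' pairs to {'name': 'value'}; option names are
    lower-cased because the NetScaler CLI matches them case-insensitively."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i][1:].lower()] = tokens[i + 1] if has_val else ""
            i += 2 if has_val else 1
        else:
            i += 1
    return opts


def parse_config(text):
    """Return ({vserver name: record}, {http profile name: options})."""
    vservers, profiles = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours quoted policy expressions
        words = [t.lower() for t in tokens]
        if words[:3] == ["add", "vpn", "vserver"]:
            name, stype, rest = tokens[3], tokens[4].upper(), tokens[5:]
            ip = port = None                 # IP and port are optional positionals
            if len(rest) >= 2 and not rest[0].startswith("-"):
                ip, port, rest = rest[0], rest[1], rest[2:]
            vservers[name] = {"name": name, "type": stype, "ip": ip,
                              "port": port, "opts": _options(rest)}
        elif words[:3] == ["set", "vpn", "vserver"] and tokens[3] in vservers:
            vservers[tokens[3]]["opts"].update(_options(tokens[4:]))
        elif words[0] == "set" and "httpprofile" in words[1:3]:
            i = words.index("httpprofile") + 1
            profiles.setdefault(tokens[i], {}).update(_options(tokens[i + 1:]))
    return vservers, profiles


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    vservers, profiles = parse_config(text)
    by_endpoint = {}
    for vs in vservers.values():
        by_endpoint.setdefault((vs["ip"], vs["port"]), []).append(vs)

    findings = []
    for vs in vservers.values():
        o = vs["opts"]
        # A wildcard server with no listen policy answers on every VLAN.
        if vs["ip"] == "*" and o.get("listenpolicy", "NONE").upper() == "NONE":
            findings.append(f"{vs['name']}: wildcard IP address without a listen policy")
        if vs["type"] != "HTTP_QUIC":
            continue
        # HTTP_QUIC must sit on the same IP:port as an SSL server, and that
        # SSL server must not also run DTLS there (both are UDP on that port).
        peers = [p for p in by_endpoint[(vs["ip"], vs["port"])] if p["type"] == "SSL"]
        if not peers:
            findings.append(f"{vs['name']}: no SSL VPN virtual server on {vs['ip']}:{vs['port']}")
        for ssl in peers:
            if ssl["opts"].get("dtls", "OFF").upper() == "ON":
                findings.append(f"{ssl['name']}: DTLS ON conflicts with HTTP_QUIC on the same IP address and port")
            prof = profiles.get(ssl["opts"].get("httpprofilename", ""), {})
            expected = f'h3=":{vs["port"]}"'      # assumed -altsvcValue shape
            if expected not in prof.get("altsvcvalue", ""):
                findings.append(f"{ssl['name']}: HTTP profile does not advertise {expected}")
        prof = profiles.get(o.get("httpprofilename", ""), {})
        if prof.get("http3webtransport", "").upper() != "ENABLED":
            findings.append(f"{vs['name']}: HTTP/3 WebTransport is not ENABLED on its HTTP profile")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = lint(text)
    print("\n".join(problems) if problems else "no findings")
    sys.exit(1 if problems else 0)
```

Run it against a saved copy of show ns runningConfig. On the constructed sample it passes the gw_ssl/gw_quic pair and gw_vlan10, and reports four findings: DTLS ON and the missing h3 alternative service on gw_bad, WebTransport not enabled on the profile used by gw_bad_quic, and the wildcard gw_open with no listen policy.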