Allow access from mobile devices with Citrix Mobile Productivity Apps
The NetScaler for XenMobile wizard configures the settings required to allow users to connect from supported devices through NetScaler Gateway to mobile apps and resources in the internal network. Users connect by using Secure Hub (previously, Citrix Secure Hub), which establishes a Micro VPN tunnel. When users connect, a VPN tunnel opens to NetScaler Gateway and then is passed to XenMobile in the internal network. Users can then access their web, mobile, and SaaS apps from XenMobile.
To ensure that users consume a single Universal license when connecting to NetScaler Gateway with multiple devices simultaneously, you can enable session transfer on the virtual server. For details, see Configuring Connection Types on the Virtual Server.
If you need to change your configuration after using the NetScaler for XenMobile wizard, use the sections in this article for guidance. Before changing settings, make sure that you understand the implications of your changes. For more information, refer to the XenMobile Deployment articles.
Configure Secure Browse in NetScaler Gateway
You can change Secure Browse as part of global settings or as part of a session profile. You can bind the session policy to users, groups, or virtual servers. When you configure Secure Browse, you must also enable clientless access. However, clientless access does not require you to enable Secure Browse. When you configure clientless access, set Clientless Access URL Encoding to Clear.
To configure Secure Browse globally:
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
- In the details pane, under Settings, click Change global settings.
- In the Global NetScaler Gateway Settings dialog box, on the Security tab, click Secure Browse and then click OK.
To configure Secure Browse in a session policy and profile:
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
- In the details pane, do one of the following:
  - If you are creating a new session policy, click Add.
  - If you are changing an existing policy, select a policy and then click Open.
- In the policy, create a profile or modify an existing profile. To do so, do one of the following:
  - Next to Request Profile, click New.
  - Next to Request Profile, click Modify.
- On the Security tab, next to Secure Browse, click Override Global and then select Secure Browse.
- Do one of the following:
  - If you are creating a new profile, click Create, set the expression in the policy dialog box, click Create, and then click Close.
  - If you are modifying an existing profile, after making the selection, click OK twice.
To configure traffic policies for Secure Web in Secure Browse mode:
Use the following steps to configure traffic policies to route Secure Web traffic through a proxy server in Secure Browse mode.
- In the configuration utility, on the Configuration tab, expand NetScaler Gateway > Policies and then click Traffic.
- In the right pane, click the Traffic Profiles tab and then click Add.
- In Name, enter a name for the profile, select TCP as the Protocol, and leave the rest of the settings as-is.
- Click Create.
- Click the Traffic Profiles tab and then click Add.
- In Name, enter a name for the profile and then select HTTP as the Protocol. This Traffic Profile is for both HTTP and SSL. Clientless VPN traffic is HTTP traffic by design, regardless of the destination port or service type. Thus, you specify both SSL and HTTP traffic as HTTP in the traffic profile.
- In Proxy, enter the IP address of the proxy server. In Port, enter the port number of the proxy server.
- Click Create.
- Click the Traffic Policies tab and then click Add.
- Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile you created in Step 3. Enter the following Expression and then click Create:
  REQ.HTTP.HEADER HOST contains ActiveSyncServer || REQ.HTTP.HEADER User-Agent CONTAINS WorxMail || REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise || REQ.HTTP.HEADER User-Agent CONTAINS Citrix Secure Hub || REQ.HTTP.URL CONTAINS AGServices || REQ.HTTP.URL CONTAINS StoreWeb
  That rule performs a check based on the host header. To bypass the active sync traffic from the proxy, replace ActiveSyncServer with the appropriate active sync server name.
- Click the Traffic Policies tab and then click Add. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:
  (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser
- Click the Traffic Policies tab and then click Add. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:
  (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser
- Navigate to NetScaler Gateway > Virtual Servers, select the virtual server in the right pane, and then click Edit.
- On the Policies row, click +.
- From the Choose Policy menu, select Traffic.
- Click Continue.
- Under Policy Binding, across from Select Policy, click >.
- Select the Policy you created in Step 10 and then click OK.
- Click Bind.
- Under Policies, click Traffic Policy.
- Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
- Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
- Select the policy you created in Step 11 and then click OK.
- Click Bind.
- Under Policies, click Traffic Policies.
- Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
- Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
- Select the policy you created in Step 12 and then click OK.
- Click Bind.
- Click Close.
- Click Done.
Be sure to configure the Secure Web (WorxWeb) app in the XenMobile console. Go to Configure > Apps, select the Secure Web app, click Edit, and then make these changes:
- On the App information page, change Initial VPN Mode to Secure Browse.
- On the iOS page, change Initial VPN Mode to Secure Browse.
- On the Android page, change Preferred VPN Mode to Secure Browse.
Configure application and MDX token time-outs
When users log on from an iOS or Android device, an application token or an MDX token is issued. The token is similar to the Secure Ticket Authority (STA).
You can set the number of seconds or minutes the tokens are active. If the token expires, users cannot access the requested resource, such as an application or a webpage.
Token time-outs are global settings. When you configure the setting, it applies to all users who log on to NetScaler Gateway.
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
- In the details pane, under Settings, click Change global settings.
- In the Global NetScaler Gateway Settings dialog box, on the Client Experience tab, click Advanced Settings.
- On the General tab, in Application Token Timeout (sec) enter the number of seconds before the token expires. The default is 100 seconds.
- In MDX Token Timeout (mins), enter the number of minutes before the token expires and then click OK. The default is 10 minutes.
Disable Endpoint Analysis for mobile devices
If you configure endpoint analysis, you need to configure the policy expressions so that the endpoint analysis scans do not run on Android or iOS mobile devices. Endpoint analysis scans are not supported on mobile devices.
If you bind an endpoint analysis policy to a virtual server, you must create a secondary virtual server for mobile devices. Do not bind preauthentication or post-authentication policies to the mobile device virtual server.
When you configure the policy expression in a preauthentication policy, you add the User-Agent string to exclude Android or iOS. When users log on from one of these devices and you exclude the device type, endpoint analysis does not run.
For example, you create the following policy expression to check if the User-Agent contains Android, if the application virus.exe does not exist, and to end the process keylogger.exe if it is running by using the preauthentication profile. The policy expression might look like this:
REQ.HTTP.HEADER User-Agent NOTCONTAINS Android && CLIENT.APPLICATION.PROCESS(keylogger.exe) contains |
After you create the preauthentication policy and profile, bind the policy to the virtual server. When users log on from an Android or iOS device, the scan does not run. If users log on from a Windows-based device, the scan does run.
For more information about configuring preauthentication policies, see Configuring Endpoint Policies.
Support DNS queries by using DNS suffixes for Android devices
When users establish a Micro VPN connection from an Android device, NetScaler Gateway sends split DNS settings to the user device. NetScaler Gateway supports split DNS queries based on the split DNS settings you configure. NetScaler Gateway can also support split DNS queries based on DNS suffixes you configure on the appliance. If users connect from an Android device, you must configure DNS settings on NetScaler Gateway.
Split DNS works in the following manner:
- If you set split DNS to Local, the Android device sends all DNS requests to the local DNS server.
- If you set split DNS to Remote, all DNS requests are sent to the DNS servers configured on NetScaler Gateway (remote DNS server) for resolution.
- If you set split DNS to Both, the Android device checks for the DNS request type.
  - If the DNS request type is not “A,” it sends the DNS request packet to both local and remote DNS servers.
  - If the DNS request type is “A,” the Android plug-in extracts the query FQDN and matches that FQDN against the DNS suffix list configured on the NetScaler appliance. If the DNS request’s FQDN matches, the DNS request is sent to the remote DNS server. If the FQDN does not match, the DNS request is sent to local DNS servers.
The following table summarizes how split DNS works based on the type A record and the suffix list.
Split DNS setting | Is it a type A record? | Is it on the suffix list? | Where the DNS request is sent |
---|---|---|---|
Local | both Yes or No | both Yes or No | Local |
Remote | both Yes or No | both Yes or No | Remote |
Both | No | NA | Both |
Both | Yes | Yes | Remote |
Both | Yes | No | Local |
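
The routing rules in the table above, as an added example that is not part of the original Citrix documentation: the function returns where a query is sent, and a small audit lists queries for internal names that a resolver outside the tunnel would see. The function names, zones, and sample queries are hypothetical, and matching suffixes on DNS label boundaries is an assumption about how the plug-in compares names.

```python
# Added example: split DNS routing per the table above (names are hypothetical).
from enum import Enum

class Dest(Enum):
    LOCAL = "local"
    REMOTE = "remote"
    BOTH = "both"

def _labels(name):
    # Normalize: lower-case, ignore leading/trailing dots, split into DNS labels.
    return [p for p in name.strip().lower().split(".") if p]

def matches_suffix(fqdn, suffixes):
    # Assumption: a suffix matches only on a label boundary, so
    # "notcorp.example.com" does not match the suffix "corp.example.com".
    q = _labels(fqdn)
    for suffix in suffixes:
        s = _labels(suffix)
        if s and q[-len(s):] == s:
            return True
    return False

def route_query(split_dns, qtype, fqdn, suffixes):
    mode = split_dns.strip().lower()
    if mode in ("local", "remote"):
        return Dest(mode)            # record type and suffix list are ignored
    if mode != "both":
        raise ValueError(f"unknown split DNS setting: {split_dns!r}")
    if qtype.strip().upper() != "A":
        return Dest.BOTH             # non-A queries go to both resolvers
    return Dest.REMOTE if matches_suffix(fqdn, suffixes) else Dest.LOCAL

def exposed_internal_queries(split_dns, suffixes, internal_zones, queries):
    # Queries for internal names that a resolver outside the tunnel would see.
    exposed = []
    for qtype, fqdn in queries:
        dest = route_query(split_dns, qtype, fqdn, suffixes)
        if matches_suffix(fqdn, internal_zones) and dest is not Dest.REMOTE:
            exposed.append((qtype, fqdn, dest.value))
    return exposed

# Constructed sample data, not taken from a real deployment.
SUFFIXES = ["corp.example.com"]
INTERNAL_ZONES = ["corp.example.com", "lab.example.com"]
QUERIES = [("A", "mail.corp.example.com"), ("AAAA", "mail.corp.example.com"),
           ("A", "build.lab.example.com"), ("A", "www.example.org")]

if __name__ == "__main__":
    for row in exposed_internal_queries("Both", SUFFIXES, INTERNAL_ZONES, QUERIES):
        print(row)
```

With the Both setting, the sample data shows two ways an internal name reaches a local resolver: a non-A query for a listed suffix, and an A query for an internal zone missing from the suffix list.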
To configure a DNS suffix:
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
- In the details pane, on the Policies tab, select a session policy and then click Open.
- Next to Request Profile, click Modify.
- On the Network Configuration tab, click Advanced.
- Next to Intranet IP DNS Suffix, click Override Global, type the DNS suffix and then click OK three times.
To configure split DNS globally on NetScaler Gateway:
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
- In the details pane, under Settings, click Change global settings.
- On the Client Experience tab, click Advanced Settings.
- On the General tab, in Split DNS, select Both, Remote, or Local and then click OK.
To configure split DNS in a session policy on NetScaler Gateway:
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies, and then click Session.
- In the details pane, on the Policies tab, click Add.
- In Name, type a name for the policy.
- Next to Request Profile, click New.
- In Name, type a name for the profile.
- On the Client Experience tab, click Advanced Settings.
- On the General tab, next to Split DNS, click Override Global, select Both, Remote, or Local and then click OK.
- In the Create Session Policy dialog box, next to Named Expressions, select General, select True, click Add Expression, click Create, and then click Close.