Gateway

Allow access from mobile devices with Citrix Mobile Productivity Apps

The NetScaler for XenMobile wizard configures the settings required to allow users to connect from supported devices through NetScaler Gateway to mobile apps and resources in the internal network. Users connect by using Secure Hub (previously, Citrix Secure Hub), which establishes a Micro VPN tunnel. When users connect, a VPN tunnel opens to NetScaler Gateway and then is passed to XenMobile in the internal network. Users can then access their web, mobile, and SaaS apps from XenMobile.

To ensure that users consume a single Universal license when connecting to NetScaler Gateway with multiple devices simultaneously, you can enable session transfer on the virtual server. For details, see Configuring Connection Types on the Virtual Server.

If you need to change your configuration after using the NetScaler for XenMobile wizard, use the sections in this article for guidance. Before changing settings, make sure that you understand the implications of your changes. For more information, refer to the XenMobile Deployment articles.

Configure Secure Browse in NetScaler Gateway

You can change Secure Browse as part of global settings or as part of a session profile. You can bind the session policy to users, groups, or virtual servers. When you configure Secure Browse, you must also enable clientless access. However, clientless access does not require you to enable Secure Browse. When you configure clientless access, set Clientless Access URL Encoding to Clear.

To configure Secure Browse globally:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global NetScaler Gateway Settings dialog box, on the Security tab, click Secure Browse and then click OK.

To configure Secure Browse in a session policy and profile:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
  2. In the details pane, do one of the following:
    • If you are creating a new session policy, click Add.
    • If you are changing an existing policy, select a policy and then click Open.
  3. In the policy, create a profile or modify an existing profile. To do so, do one of the following:
    • Next to Request Profile, click New.
    • Next to Request Profile, click Modify.
  4. On the Security tab, next to Secure Browse, click Override Global and then select Secure Browse.
  5. Do one of the following:
    • If you are creating a new profile, click Create, set the expression in the policy dialog box, click Create, and then click Close.
    • If you are modifying an existing profile, after making the selection, click OK twice.

To configure traffic policies for Secure Web in Secure Browse mode:

Use the following steps to configure traffic policies to route Secure Web traffic through a proxy server in Secure Browse mode.

  1. In the configuration utility, on the Configuration tab, expand NetScaler Gateway > Policies and then click Traffic.
  2. In the right pane, click the Traffic Profiles tab and then click Add.
  3. In Name, enter a name for the profile, select TCP as the Protocol, and leave the rest of the settings as-is.
  4. Click Create.
  5. Click the Traffic Profiles tab and then click Add.
  6. In Name, enter a name for the profile and then select HTTP as the Protocol. This Traffic Profile is for both HTTP and SSL. Clientless VPN traffic is HTTP traffic by design, regardless of the destination port or service type. Thus, you specify both SSL and HTTP traffic as HTTP in the traffic profile.
  7. In Proxy, enter the IP address of the proxy server. In Port, enter the port number of the proxy server.
  8. Click Create.
  9. Click the Traffic Policies tab and then click Add.
  10. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile you created in Step 3. Enter the following Expression and then click Create:

    REQ.HTTP.HEADER HOST contains ActiveSyncServer || REQ.HTTP.HEADER User-Agent CONTAINS WorxMail || REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise || REQ.HTTP.HEADER User-Agent CONTAINS Citrix Secure Hub || REQ.HTTP.URL CONTAINS AGServices || REQ.HTTP.URL CONTAINS StoreWeb
    <!--NeedCopy-->
    

    That rule performs a check based on the host header. To bypass the active sync traffic from the proxy, replace ActiveSyncServer with the appropriate active sync server name.

  11. Click the Traffic Policies tab and then click Add. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:

    (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser
  12. Click the Traffic Policies tab and then click Add. Enter the Name of the Traffic Policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:

    (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser
  13. Navigate to NetScaler Gateway > Virtual Servers, select the virtual server in the right pane, and then click Edit.
  14. On the Policies row, click +.
  15. From the Choose Policy menu, select Traffic.
  16. Click Continue.
  17. Under Policy Binding, across from Select Policy, click >.
  18. Select the Policy you created in Step 10 and then click OK.
  19. Click Bind.
  20. Under Policies, click Traffic Policy.
  21. Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
  22. Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
  23. Select the policy you created in Step 11 and then click OK.
  24. Click Bind.
  25. Under Policies, click Traffic Policies.
  26. Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
  27. Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
  28. Select the policy you created in Step 12 and then click OK.
  29. Click Bind.
  30. Click Close.
  31. Click Done.

Be sure to configure the Secure Web (WorxWeb) app in the XenMobile console. Go to Configure > Apps, select the Secure Web app, click Edit, and then make these changes:

  • On the App information page, change Initial VPN Mode to Secure Browse.
  • On the iOS page, change Initial VPN Mode to Secure Browse.
  • On the Android page, change Preferred VPN Mode to Secure Browse.

Configure application and MDX token time-outs

When users log on from an iOS or Android device, an application token or an MDX token is issued. The token is similar to the Secure Ticket Authority (STA).

You can set the number of seconds or minutes the tokens are active. If the token expires, users cannot access the requested resource, such as an application or a webpage.

Token time-outs are global settings. When you configure the setting, it applies to all users who log on to NetScaler Gateway.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global NetScaler Gateway Settings dialog box, on the Client Experience tab, click Advanced Settings.
  4. On the General tab, in Application Token Timeout (sec) enter the number of seconds before the token expires. The default is 100 seconds.
  5. In MDX Token Timeout (mins), enter the number of minutes before the token expires and then click OK. The default is 10 minutes.

Disable Endpoint Analysis for mobile devices

If you configure endpoint analysis, you need to configure the policy expressions so that the endpoint analysis scans do not run on Android or iOS mobile devices. Endpoint analysis scans are not supported on mobile devices.

If you bind an endpoint analysis policy to a virtual server, you must create a secondary virtual server for mobile devices. Do not bind preauthentication or post-authentication policies to the mobile device virtual server.

When you configure the policy expression in a preauthentication policy, you add the User-Agent string to exclude Android or iOS. When users log on from one of these devices and you exclude the device type, endpoint analysis does not run.

For example, you create the following policy expression to check if the User-Agent contains Android, if the application virus.exe does not exist, and to end the process keylogger.exe if it is running by using the preauthentication profile. The policy expression might look like this:

REQ.HTTP.HEADER User-Agent NOTCONTAINS Android && CLIENT.APPLICATION.PROCESS(keylogger.exe) contains

After you create the preauthentication policy and profile, bind the policy to the virtual server. When users log on from an Android or iOS device, the scan does not run. If users log on from a Windows-based device, the scan does run.

For more information about configuring preauthentication policies, see Configuring Endpoint Polices.

Support DNS queries by using DNS suffixes for Android devices

When users establish a Micro VPN connection from an Android device, NetScaler Gateway sends split DNS settings to the user device. NetScaler Gateway supports split DNS queries based on the split DNS settings you configure. NetScaler Gateway can also support split DNS queries based on DNS suffixes you configure on the appliance. If users connect from an Android device, you must configure DNS settings on NetScaler Gateway.

Split DNS works in the following manner:

  • If you set split DNS to Local, the Android device sends all DNS requests to the local DNS server.
  • If you set split DNS to Remote, all DNS requests are sent to the DNS servers configured on NetScaler Gateway (remote DNS server) for resolution.
  • If you set split DNS to Both, the Android device checks for the DNS request type.
    • If the DNS request type is not “A,” it sends the DNS request packet to both local and remote DNS servers.
    • If the DNS request type is “A,” the Android plug-in extracts the query FQDN and matches that FQDN against the DNS suffix list configured on the NetScaler appliance. If the DNS request’s FQDN matches, the DNS request is sent to the remote DNS server. If FQDN does not match, the DNS request is sent to local DNS servers.

The following table summarizes split DNS working based on type A record and suffix list.

Split DNS setting Is it a type A record? Is it on the suffix list? Where the DNS request is sent
Local both Yes or No both Yes or No Local
Remote both Yes or No both Yes or No Remote
Both No NA Both
Both Yes Yes Remote
Both Yes No Local

To configure a DNS suffix:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
  2. In the details pane, on the Policies tab, select a session policy and then click Open.
  3. Next to Request Profile, click Modify.
  4. On the Network Configuration tab, click Advanced.
  5. Next to Intranet IP DNS Suffix, click Override Global, type the DNS suffix and then click OK three times.

To configure split DNS globally on NetScaler Gateway:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, click Advanced Settings.
  4. On the General tab, in Split DNS, select Both, Remote, or Local and then click OK.

To configure split DNS in a session policy on NetScaler Gateway:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies, and then click Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Client Experience tab, click Advanced Settings.
  7. On the General tab, next to Split DNS, click Override Global, select Both, Remote, or Local and then click OK.
  8. In the Create Session Policy dialog box, next to Named Expressions, select General, select True, click Add Expression, click Create, and then click Close.
Allow access from mobile devices with Citrix Mobile Productivity Apps