Gateway

Before Getting Started

Before you install NetScaler Gateway, you must evaluate your infrastructure and collect information to plan an access strategy that meets the specific needs of your organization. When you define your access strategy, you need to consider the security implications and complete a risk analysis. You also need to determine the networks to which users are allowed to connect and decide on policies that enable user connections.

In addition to planning for the resources available for users, you also need to plan your deployment scenario. NetScaler Gateway is compatible with the following NetScaler products:

  • Citrix Endpoint Management
  • Citrix Virtual Apps
  • Citrix Virtual Desktops
  • StoreFront
  • Web Interface
  • Citrix SD-WAN

For more information about deploying NetScaler Gateway, see Common Deployments and Integrating With NetScaler products.

As you prepare your access strategy, take the following preliminary steps:

  • Identify resources. List the network resources for which you want to provide access, such as Web, SaaS, mobile or published applications, virtual desktops, services, and data that you defined in your risk analysis.
  • Develop access scenarios. Create access scenarios that describe how users access network resources. An access scenario is defined by the virtual server used to access the network, endpoint analysis scan results, authentication type, or a combination thereof. You can also define how users log on to the network.
  • Identify client software. You can provide full VPN access with the Citrix Secure Access client, requiring users to log on with Citrix Workspace app, Secure Hub, or by using clientless access. You can also restrict email access to Outlook Web App or WorxMail. These access scenarios also determine the actions users can perform when they gain access. For example, you can specify whether users can modify documents by using a published application or by connecting to a file share.
  • Associate policies with users, groups, or virtual servers. The policies you create on NetScaler Gateway are enforced when the individual or set of users meets specified conditions. You determine the conditions based on the access scenarios that you create. You then create policies that extend the security of your network by controlling the resources users can access and the actions users can perform on those resources. You associate the policies with appropriate users, groups, virtual servers, or globally.

This section includes the following topics to help you plan your access strategy:

  • Planning for Security includes information about authentication and certificates.
  • Prerequisites defines the network hardware and software that you might need.
  • The Pre-Installation Checklist that you can use to write down your settings before you configure NetScaler Gateway.

Prerequisites for installing NetScaler Gateway

Before you configure settings on NetScaler Gateway, review the following prerequisites:

  • NetScaler Gateway is physically installed in your network and has access to the network. NetScaler Gateway is deployed in the DMZ or internal network behind a firewall. You can also configure NetScaler Gateway in a double-hop DMZ and configure connections to a server farm. Citrix recommends deploying the appliance in the DMZ.
  • You configure NetScaler Gateway with a default gateway or with static routes to the internal network so users can access resources in the network. NetScaler Gateway is configured to use static routes by default.
  • The external servers used for authentication and authorization are configured and running. For more information, see Authentication and Authorization.
  • The network has a domain name server (DNS) or Windows Internet Naming Service (WINS) server for name resolution to provide correct NetScaler Gateway user functionality.
  • You downloaded the Universal licenses for user connections with the Citrix Secure Access client from the Citrix website and the licenses are ready to be installed on NetScaler Gateway.
  • NetScaler Gateway has a certificate that is signed by a trusted Certificate Authority (CA). For more information, see Installing and Managing Certificates.

Before you install NetScaler Gateway, use the Pre-Installation Checklist to write down your settings.

Planning for security

When planning your NetScaler Gateway deployment, you must understand the basic security issues associated with certificates, and with authentication and authorization.

Configure secure certificate management

By default, NetScaler Gateway includes a self-signed Secure Sockets Layer (SSL) server certificate that enables the appliance to complete SSL handshakes. Self-signed certificates are adequate for testing or for sample deployments, but NetScaler does not recommend using them for production environments. Before you deploy NetScaler Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority (CA) and upload it to NetScaler Gateway.

If you deploy NetScaler Gateway in any environment where NetScaler Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on NetScaler Gateway. For example, if you deploy NetScaler Gateway with Citrix Virtual Apps and the Web Interface, you can encrypt connections from NetScaler Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on NetScaler Gateway.
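A pre-production check for the default self-signed certificate described above, written as an added example that is not part of the NetScaler documentation. It uses the standard `openssl` command line; the host name `gateway.example.test`, the function names, and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell the appliance's default self-signed certificate apart
# from a CA-issued one. All names and certificates below are constructed.

# Succeeds (exit 0) only if the PEM certificate in $1 is self-signed:
# subject equals issuer AND the signature verifies under its own public key.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subject" = "$issuer" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Saves the certificate presented by host $1 on port $2 to file $3.
# Run this against your own gateway FQDN.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Builds constructed samples in directory $1: a self-signed server
# certificate, a throwaway test CA, and a server certificate issued by it.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=gateway.example.test" \
        -keyout "$1/default.key" -out "$1/default.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=gateway.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

workdir=$(mktemp -d)
make_samples "$workdir"
for name in default leaf; do
    if is_self_signed "$workdir/$name.pem"; then
        echo "$name.pem: self-signed, replace before production"
    else
        echo "$name.pem: issued by a separate CA"
    fi
done
```

A certificate that passes this check is only shown not to be self-signed; whether user devices trust the issuing CA still has to be confirmed separately.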

Authentication support

You can configure NetScaler Gateway to authenticate users and to control the level of access (or authorization) that users have to the network resources on the internal network.

Before deploying NetScaler Gateway, your network environment must have the directories and authentication servers in place to support one of the following authentication types:

  • LDAP
  • RADIUS
  • TACACS+
  • Client certificate with auditing and smart card support
  • RSA with RADIUS configuration
  • SAML authentication

If your environment does not support any of these authentication types, or you have a small population of remote users, you can create a list of local users on NetScaler Gateway. You can then configure NetScaler Gateway to authenticate users against this local list. With this configuration, you do not need to maintain user accounts in a separate, external directory.

Secure your NetScaler Gateway deployment

Different deployments might require different security considerations. The NetScaler secure deployment guidelines provide general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.

For details, see NetScaler secure deployment guidelines.
