Gateway

Configure clientless VPN access with NetScaler Gateway

Clientless access allows users the access they need without requiring them to install user software, such as the Citrix Secure Access client or Receiver. Users can use their web browser to connect to web applications, such as Outlook Web Access.

You use the following steps to configure clientless access:

  • Enabling clientless access either globally or by using a session policy bound to a user, group, or virtual server.
  • Selecting the web address encoding method.

To enable clientless access for only a specific virtual server, disable clientless access globally, and then create a session policy to enable it.

If you use the NetScaler Gateway wizard to configure the appliance, you have the choice of configuring clientless access within the wizard. The settings in the wizard are applied globally. Within the NetScaler Gateway wizard, you can configure the following client connection methods:

  • Citrix Secure Access client. Users are allowed to log on by using the Citrix Secure Access client only.
  • Use the Citrix Secure Access client and allow access scenario fallback. Users log on to NetScaler Gateway with the Citrix Secure Access client. If the user device fails an endpoint analysis scan, users are permitted to log on using clientless access. When this occurs, users have limited access to network resources.
  • Allow users to log on using a Web browser and clientless access. Users can log on only by using clientless access and receive limited access to network resources.

How clientless VPN access policies Work

You configure clientless access to web applications by creating policies. You can configure the settings for a clientless access policy in the configuration utility. A clientless access policy is composed of a rule and a profile. You can use the preconfigured clientless access policies that come with NetScaler Gateway. You can also create your own custom clientless access policies.

NetScaler Gateway provides preconfigured policies for the following:

  • Outlook Web Access and Outlook Web App
  • SharePoint 2007
  • All other Web applications

Note:

OWA 2016 and SharePoint 2016 are supported only using advanced clientless access.

Keep in mind the following characteristics of the preconfigured clientless access policies:

  • They are configured automatically and cannot be changed.
  • Each policy is bound at the global level.
  • Each policy is not enforced unless you enable clientless access either globally or by creating a session policy.
  • You cannot remove or modify global bindings, even if you do not enable clientless access.

Support for other web applications depends on the rewrite policies you configure on NetScaler Gateway. Citrix recommends testing any custom policies that you create to ensure that all components of the application rewrite successfully.

If you allow connections from Receiver for Android, Receiver for iOS, or Citrix Secure Hub, you must enable clientless access. For Citrix Secure Hub that runs on an iOS device, you must also enable Secure Browse within the session profile. Secure Browse and clientless access work together to allow connections from iOS devices. You do not have to enable Secure Browse if users do not connect with iOS devices.

The Quick Configuration wizard configures the correct clientless access policies and settings for mobile devices. Citrix recommends running the Quick Configuration wizard to configure the correct policies for connections to StoreFront and Citrix Endpoint Management.

You can bind custom clientless access policies either globally or to a virtual server. If you want to bind clientless access policies to a virtual server, you need to create a custom policy and then bind it. To enforce different policies for clientless access either globally or for a virtual server, change the priority number of the custom policy so it has a lower number than the preconfigured policies, thus giving the custom policy higher priority. If no other clientless access policies are bound to the virtual server, the preconfigured global policies take precedence.

Note:

You cannot change the priority numbers of the preconfigured clientless access policies.

Enable clientless VPN access

When you enable clientless access on a global level, all users receive the settings for clientless access. You can use the NetScaler Gateway wizard, a global policy, or a session policy to enable clientless access.

In a global setting or a session profile, clientless access has the following settings:

  • On. Enables clientless access. If you disable client choices and you do not configure or disable StoreFront, users log on by using clientless access.
  • Off. Clientless access is not enabled by default. Clientless access is enabled after users log on with the Citrix Secure Access client. If you disable client choices and you do not configure or disable StoreFront, users log on with the Citrix Secure Access client. If endpoint analysis fails when users log on, users receive the choices page with clientless access available.
  • Disabled. Clientless access is disabled. When you select Disabled, users cannot log on by using clientless access and the icon for clientless access does not appear on the choices page.

If you do not enable clientless access by using the NetScaler Gateway wizard, you can enable it globally or in a session policy by using the configuration utility.

To enable clientless access globally

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, next to Clientless Access, select ON, and then click OK.

To enable clientless access by using a session policy

If you want only a select group of users, groups, or virtual servers to use clientless access, disable or clear clientless access globally. Then, using a session policy, enable clientless access and bind it to users, groups, or virtual servers.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies > Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Client Experience tab, next to Clientless Access, click Override Global, select On, and then click Create.
  7. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and then click Close.
  8. Click Create, and then click Close.

After you create the session policy that enables clientless access, you bind it to a user, group, or virtual server.

Encode the web address

When you enable clientless access, you can choose to encode the addresses of internal web applications or to leave the address as clear text. The settings are:

  • Obscure. This uses standard encoding mechanisms to obscure the domain and protocol part of the resource.
  • Clear. The web address is not encoded and is visible to users.
  • Encrypt. The domain and protocol are encrypted by using a session key. When the web address is encrypted, the URL is different for each user session for the same web resource. If users bookmark the encoded web address, save it in the web browser and then log off, when users log on and try to connect to the web address again using the bookmark, they cannot connect to the web address. Note: If users save the encrypted bookmark in the Access Interface during their session, the bookmark works each time the user logs on.

You can configure this setting either globally or as part of a session policy. If you configure encoding as part of session policy, you can bind it to the users, groups, or a virtual server.

Configure web address encoding globally

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, next to Clientless Access URL Encoding, select the encoding level and then click OK.

Configure web address encoding by creating a session policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Client Experience tab, next to Clientless Access URL Encoding, click Override Global, select the encoding level, and then click OK.
  7. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and then click Close.

Create clientless access policies

If you want to use the same settings as for the default clientless access policies but you want to bind the policy to a virtual server, you can copy the default policies, providing a new name for the policy. You can use the configuration utility to copy the default policies.

After you bind the new policy to the virtual server, you can set the priority of the policy so that it runs first when a user logs on.

Create a clientless access policy using default settings

  1. In the configuration utility, on the navigation pane, expand NetScaler Gateway > Policies and then click Clientless Access.
  2. In the details pane, on the Policies tab, click a default policy and then click Add.
  3. In Name, type a new name for the policy, click Create, and then click Close.

Bind a clientless access policy to a virtual server

After you create the policy, bind it to the virtual server.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
  2. In the details pane, select a virtual server and then click Open.
  3. In the configure NetScaler Gateway Virtual Server dialog box, click the Policies tab, and then click Clientless.
  4. Click Insert Policy, select a policy from the list, and then click OK.

Create and evaluate clientless access policy expressions

When you create a policy for clientless access, you can create your own expression for the policy. When you are finished creating the expression, you can then evaluate the expression for accuracy.

  1. In the configuration utility, on the navigation pane, expand NetScaler Gateway > Policies and then click Clientless Access.
  2. In the details pane, on the Policies tab, click a default policy and then click Add.
  3. In Name, type a name for the policy.
  4. Next to Profile, click New.
  5. In Name, type a name for the profile.
  6. Configure the rewrite settings and then click Create.
  7. In the Create Clientless Access Policy dialog box, under Expression, click Add.
  8. In the Add Expression dialog box, create the expression, and then click OK.
  9. In the Create Clientless Access Policy dialog box, click Evaluate, and if the expression tests as correct, click Create.
Configure clientless VPN access with NetScaler Gateway