Gateway

Configure address pools

In some situations, users who connect with the Citrix Secure Access client need a unique IP address for NetScaler Gateway. For example, in a Samba environment, each user connecting to a mapped network drive needs to appear to originate from a different IP address. When you enable address pools (also known as IP pooling) for a group, NetScaler Gateway can assign a unique IP address alias to each user.

You configure address pools by using intranet IP addresses. The following types of applications might need to use a unique IP address that is drawn from the IP pool:

  • Voice over IP
  • Active FTP
  • Instant messaging
  • Secure shell (SSH)
  • Virtual network computing (VNC) to connect to a computer desktop
  • Remote desktop (RDP) to connect to a client desktop

You can configure NetScaler Gateway to assign an internal IP address to users that connect to NetScaler Gateway. Static IP addresses can be assigned to users or a range of IP addresses can be assigned to a group, virtual server, or to the system globally.

NetScaler Gateway allows you to assign IP addresses from your internal network to remote users, so that a remote user is reachable at an address on the internal network. If you choose to use a range of IP addresses, the system dynamically assigns an IP address from that range to a remote user on demand.

When you configure address pools, be aware of the following:

  • Assigned IP addresses must be routed correctly. To ensure the correct routing, consider the following:
    • If you do not enable split tunneling, make sure that the IP addresses can be routed through network address translation (NAT) devices.
    • Any servers accessed by user connections with intranet IP addresses must have the proper gateways configured to reach those networks.
    • Configure gateways or a static route on NetScaler Gateway so that network traffic from user software is routed to the internal network.
  • Only contiguous subnet masks can be used when assigning IP address ranges.
  • A subset of a range can be assigned to a lower-level entity. For example, if an IP address range is bound to a virtual server, you can bind a subset of that range to a group. Specifically:
    • A range bound globally can have a subset bound to a virtual server, a group, or a user.
    • A range bound to a virtual server can have a subset bound to a group or a user.
    • A range bound to a group can have a subset bound to a user.
  • IP address ranges cannot be bound to multiple entities within a binding level. For example, a subset of an address range that is bound to a group cannot be bound to a second group.
  • NetScaler Gateway does not allow you to remove or unbind IP addresses while they are actively in use by a user session.
  • Internal network IP addresses are assigned to users by using the following hierarchy, with the most specific binding taking precedence:
    • User’s direct binding
    • Group assigned address pool
    • Virtual server assigned address pool
    • Global range of addresses

When an IP address is assigned to a user, the address is reserved for the user’s next logon until the address pool range is exhausted. When the addresses are exhausted, NetScaler Gateway reclaims the IP address from the user who is logged off from NetScaler Gateway the longest.

If an address cannot be reclaimed and all addresses are actively in use, NetScaler Gateway does not allow the user to log on. You can prevent this situation by allowing NetScaler Gateway to use the mapped IP address as an intranet IP address when all other IP addresses are unavailable.
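The following Python model is added here for illustration; it is not Citrix code and does not talk to an appliance. It exercises the assignment rules above: precedence of user, group, virtual server and global pools, the reservation of an address for the user's next logon, reclaiming the address of the user who has been logged off longest, the maxIIPperUser cap described in the CLI section, and the spillover versus Transfer Logon outcomes when no address is left. The class and method names, the user and group names, and the 10.20.x.x ranges are hypothetical sample data.

```python
"""Model of the intranet IP (IIP) assignment rules described on this page.

Added example for illustration; not Citrix code, no appliance involved. The class,
method and sample names (IntranetIPAllocator, alice, eng, 10.20.x.x) are hypothetical
and every bound range below is constructed sample data.
"""
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network
from itertools import count

SessionResult = namedtuple("SessionResult", "status address")


class PoolExhausted(Exception):
    """No intranet IP is free or reclaimable, spillover is off and the user has no
    existing session to transfer: the page says the logon is refused."""


def _addresses(cidr):
    """Usable addresses of a bound range (network/broadcast dropped for masks shorter than /31)."""
    net = IPv4Network(cidr)
    hosts = list(net)
    return hosts if net.prefixlen >= 31 else hosts[1:-1]


class IntranetIPAllocator:
    # Precedence from the page: user binding, then group, then virtual server, then global.
    LEVELS = ("user", "group", "vserver", "global")

    def __init__(self, mapped_ip=None, spillover=False, max_iip_per_user=1):
        self.pools = {lvl: {} for lvl in self.LEVELS}  # level -> entity -> [IPv4Address]
        self.active = {}       # address -> user holding it in a live session
        self.reserved = {}     # address -> user it was last assigned to (kept across logoff)
        self.last_logoff = {}  # user -> logical time of that user's most recent logoff
        self.clock = count(1)
        self.mapped_ip = IPv4Address(mapped_ip) if mapped_ip else None
        self.spillover = spillover
        self.max_iip_per_user = max_iip_per_user

    def bind(self, level, entity, cidr):
        """Bind an address range at a level; the global pool uses the entity name 'global'."""
        self.pools[level].setdefault(entity, []).extend(_addresses(cidr))

    def _pick(self, candidates, user):
        """Prefer the user's own idle reservation, then an unreserved address, then reclaim
        the idle reservation of whichever other user has been logged off the longest."""
        own = [a for a in candidates if self.reserved.get(a) == user and a not in self.active]
        if own:
            return own[0]
        free = [a for a in candidates if a not in self.reserved]
        if free:
            return free[0]
        idle = [a for a in candidates if a not in self.active]  # reserved by others, not in use
        if idle:
            return min(idle, key=lambda a: self.last_logoff.get(self.reserved[a], 0))
        return None  # every candidate is held by an active session

    def logon(self, user, group=None, vserver=None):
        """Start a session for `user`; returns a SessionResult or raises PoolExhausted."""
        held = [a for a, u in self.active.items() if u == user]
        for level, entity in (("user", user), ("group", group), ("vserver", vserver), ("global", "global")):
            candidates = self.pools[level].get(entity)
            if candidates:
                break  # the most specific pool that exists governs this user
        else:
            return SessionResult("no_pool", None)  # no IIP configured anywhere
        addr = None
        # maxIIPperUser caps group/vserver/global pools only; a user-level binding is exempt.
        if level == "user" or len(held) < self.max_iip_per_user:
            addr = self._pick(candidates, user)
        if addr is not None:
            self.active[addr] = user
            self.reserved[addr] = user
            return SessionResult("assigned", addr)
        if self.spillover:
            # SPILLOVER: the mapped IP (or the SNIP when no mapped IP exists) stands in.
            return SessionResult("spillover", self.mapped_ip)
        if held:
            return SessionResult("transfer_logon", None)  # user may replace an existing session
        raise PoolExhausted(user)

    def logoff(self, user, address):
        """End a session. The reservation survives so the user gets the same IIP next time."""
        if self.active.get(address) == user:
            del self.active[address]
        self.last_logoff[user] = next(self.clock)


if __name__ == "__main__":
    a = IntranetIPAllocator(mapped_ip="10.20.0.254", max_iip_per_user=2)
    a.bind("global", "global", "10.20.0.0/30")
    a.bind("group", "eng", "10.20.1.0/30")
    print(a.logon("alice", group="eng"), a.logon("carol", group="sales"))
```

The model uses a logical clock rather than wall-clock timestamps for the reclaim order, and it never evicts an address that is in an active session, which is why a first-time user hitting a fully active pool gets PoolExhausted while a user with an existing session gets the transfer_logon outcome instead.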

Intranet IP DNS registration

If an intranet IP address is allotted to a client machine, then after the VPN tunnel is established the VPN plug-in checks whether the client machine is domain joined. If it is, the VPN plug-in initiates DNS registration to map the machine’s host name to the allotted intranet IP address. This registration is removed before the tunnel is torn down.

For successful DNS registration, make sure that the following nsapimgr knobs are set. Also make sure that the authoritative DNS server is set to allow “non-secure” DNS updates.

  • nsapimgr -ys enable_vpn_dns_override=1: This flag is sent to the NetScaler Gateway VPN client along with the other configuration parameters. If the flag is unset, when the VPN client intercepts a DNS/WINS request it sends a corresponding “GET /DNS” HTTP request to the NetScaler Gateway virtual server over the tunnel to obtain the resolved IP address. If the flag is set, the VPN client forwards DNS/WINS requests transparently: the DNS packet is sent as is to the NetScaler Gateway virtual server over the VPN tunnel. This helps when the DNS records returned by the name servers configured on NetScaler Gateway are large and do not fit in a UDP response packet. When the client falls back to TCP DNS, the TCP DNS packet reaches NetScaler Gateway as is, and NetScaler Gateway in turn makes a TCP DNS query to a DNS server.

  • nsapimgr -ys enable_vpn_dnstruncate_fix=1: This flag is used by NetScaler Gateway itself. If it is set, NetScaler Gateway redirects TCP connections on the DNS port to the DNS servers configured on NetScaler Gateway, instead of sending them to the DNS server IP address carried in the incoming TCP DNS packet. For UDP DNS requests, the configured DNS servers are used for resolution by default.

    The NetScaler Gateway plug-in for Windows supports both secure and non-secure DNS updates. Secure DNS update support exists in builds 21.7.1.1 and later, but it is disabled by default. To enable it, create a value of type REG_DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access and set it to 1.

    • When the value is 1, the VPN plug-in tries the non-secure DNS update first and, if that fails, tries the secure DNS update.
    • To try only the secure DNS update, set the value to 2.

For more information on setting these knobs, see https://support.citrix.com/article/CTX200243.

Configure address pools for a user, group, or virtual server by using the GUI

  1. Navigate to Configuration > NetScaler Gateway and do one of the following:
    • Navigate to NetScaler Gateway > User Administration and then click AAA Users.
    • Navigate to NetScaler Gateway > User Administration and then click AAA Groups.
    • Expand NetScaler Gateway and then click Virtual Servers.
  2. In the details pane, click a user, group, or virtual server and then click Open.
  3. In IP Address and Netmask textboxes on the Intranet IPs tab, type the IP address and subnet mask and then click Add.
  4. Repeat step 3 for each IP address that you want to add to the pool and then click OK.

Configure address pools globally by using the GUI

  1. Navigate to Configuration > NetScaler Gateway > Global Settings.
  2. In the details pane, under Intranet IPs, click To assign a unique, static IP Address or pool of IP Addresses for use by all client NetScaler Gateway sessions, configure Intranet IPs.
  3. In the Bind Intranet IPs dialog box, click Action, and then click Insert.
  4. In IP Address and Netmask textboxes, type the IP address and subnet mask and then click Add.
  5. Repeat steps 3 and 4 for each IP address that you want to add to the pool and then click OK.

Configure address pools by using the CLI

  1. Run one of the following commands to configure the address pools:

    • For a AAA user: bind aaa user <username> -intranetIP <ip_address> <netmask>

    • For a AAA group: bind aaa group <groupname> -intranetIP <ip_address> <netmask>

    • For a VPN virtual server: bind vpn vserver <vservername> -intranetIP <ip_address> -netmask <netmask>

    • For VPN global: bind vpn global -intranetIP <ip_address> -netmask <netmask>

  2. Run the following command to set the limit on the maximum number of intranet IP addresses that can be assigned to a user:

    set vpn parameter -maxIIPperUser <number>

    Note:

    • The minimum value for the maxIIPperUser is 1 and the maximum is 10.

    • If the maxIIPperUser parameter is not set, by default the number of intranet IP addresses that are assigned to the user is 1.

    • The maxIIPperUser setting applies only to intranet IP addresses configured at the AAA group, VPN virtual server, or VPN global level. Intranet IP addresses configured at the AAA user level remain unaffected by it.

    • Increasing or decreasing the maxIIPperUser limit does not affect existing sessions or the number of intranet IP addresses already assigned. Existing sessions remain active until the session or idle timeout expires or an administrator intervenes. The new limit takes effect immediately for new sessions.
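Because the appliance rejects a non-contiguous mask and refuses to bind one range to two entities at the same level, it is worth validating a binding plan before typing it in. The following Python script is an added example (not Citrix tooling): it checks a planned hierarchy against the rules stated earlier on this page and renders the bind commands in the syntax shown in this section, plus the maxIIPperUser setting with its 1 to 10 range. The entity names (vs_gw, eng, sales, svc-backup) and the 10.20.0.0/24 ranges are constructed sample data.

```python
"""Validate a planned intranet IP binding hierarchy and render the bind commands.

Added example, not Citrix tooling. It implements the rules stated on this page
(contiguous masks only; no range bound to two entities at one level; the 1 to 10
range of maxIIPperUser) and prints commands in the syntax shown above. The entity
names and 10.20.0.0/24 ranges in PLAN are constructed sample data.
"""
from ipaddress import IPv4Address, IPv4Network

# Binding levels from most to least specific, matching the assignment precedence on this page.
LEVELS = ("user", "group", "vserver", "global")

# Command templates as shown in the CLI section above (positional netmask for AAA
# users/groups, -netmask for vserver and global bindings).
CLI = {
    "user": "bind aaa user {entity} -intranetIP {ip} {mask}",
    "group": "bind aaa group {entity} -intranetIP {ip} {mask}",
    "vserver": "bind vpn vserver {entity} -intranetIP {ip} -netmask {mask}",
    "global": "bind vpn global -intranetIP {ip} -netmask {mask}",
}

# Hypothetical plan: each lower level binds a subset of the range above it,
# and the two groups split the vserver range without overlapping.
PLAN = [
    ("global", "global", "10.20.0.0", "255.255.255.0"),
    ("vserver", "vs_gw", "10.20.0.0", "255.255.255.128"),
    ("group", "eng", "10.20.0.0", "255.255.255.192"),
    ("group", "sales", "10.20.0.64", "255.255.255.192"),
    ("user", "svc-backup", "10.20.0.200", "255.255.255.255"),
]


def contiguous_mask(mask):
    """True when the dotted mask is a run of 1 bits followed by 0 bits (e.g. 255.255.255.0)."""
    inverted = ~int(IPv4Address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def check_bindings(plan):
    """Return rule violations for plan entries (level, entity, ip, mask); empty list if valid."""
    problems = []
    per_level = {}
    for level, entity, ip, mask in plan:
        if level not in LEVELS:
            problems.append(f"{entity}: unknown binding level {level}")
            continue
        if not contiguous_mask(mask):
            problems.append(f"{level} {entity}: non-contiguous mask {mask}")
            continue
        net = IPv4Network((ip, mask), strict=False)
        per_level.setdefault(level, []).append((entity, net))
    # A range, or any subset of it, may not be bound to two entities within one level.
    for level, items in per_level.items():
        for i, (e1, n1) in enumerate(items):
            for e2, n2 in items[i + 1:]:
                if e1 != e2 and n1.overlaps(n2):
                    problems.append(f"{level}: {n1} ({e1}) overlaps {n2} ({e2})")
    return problems


def render_cli(plan, max_iip_per_user=None):
    """Validate the plan and return CLI lines, global first so subsets follow their parents."""
    problems = check_bindings(plan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for level in reversed(LEVELS):
        for lvl, entity, ip, mask in plan:
            if lvl == level:
                lines.append(CLI[level].format(entity=entity, ip=ip, mask=mask))
    if max_iip_per_user is not None:
        if not 1 <= max_iip_per_user <= 10:  # limits stated on this page
            raise ValueError("maxIIPperUser must be between 1 and 10")
        lines.append(f"set vpn parameter -maxIIPperUser {max_iip_per_user}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_cli(PLAN, max_iip_per_user=2)))
```

The overlap check is deliberately limited to entities at the same level, because the page permits a lower-level entity to take a subset of a higher-level range; a cross-level overlap is the intended hierarchy, not an error.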

Define address pool options

You can use a session policy or the global NetScaler Gateway settings to control whether intranet IP addresses are assigned during a user session. Defining address pool options allows you to assign intranet IP addresses to NetScaler Gateway, while disabling the use of intranet IP addresses for a particular group of users.

You can configure address pools by using a session policy in one of the following three ways:

  • Nospillover - When you configure address pools, each session is given an available intranet IP address from the pool. For users who have used all of their available intranet IP addresses, the Transfer Logon page appears.
  • Spillover - When you configure address pools and the mapped IP address is used as an intranet IP address, the mapped IP address is used for users who have used all of their available intranet IP addresses.
  • Off - Address pools are not used; the session is not assigned an intranet IP address.

Note:

If no mapped IP address is configured, the SNIP is used for spillover instead.

To define address pools

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies, and then click Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Network Configuration tab, click Advanced.
  7. Next to Intranet IP, click Override Global and then select an option.
  8. If you selected SPILLOVER in step 7, next to Mapped IP, click Override Global, select the host name of the appliance, click OK, and then click Create.
  9. In the Create Session Policy dialog box, create an expression. Click Create, and then click Close.

Configure the Transfer Logon page

If a user does not have an intranet IP address available and then tries to establish another session with NetScaler Gateway, the Transfer Logon page appears. The Transfer Logon page allows users to replace their existing NetScaler Gateway session with a new session.

The Transfer Logon page can also be used if the logoff request is lost or if the user does not perform a clean logoff. For example:

  • A user is assigned a static intranet IP address and has an existing NetScaler Gateway session. If the user tries to establish a second session from a different device, the Transfer Logon page appears and the user can transfer the session to the new device.
  • A user is assigned five intranet IP addresses and has five sessions through NetScaler Gateway. If the user tries to establish a sixth session, the Transfer Logon page appears and the user can choose to replace an existing session with a new session.

Notes:

  • If no assigned IP address is available for the user, so that a new session cannot be established, an error message appears.

  • Citrix Secure Access for Android 23.12.1 and later versions support the Transfer Logon functionality of NetScaler Gateway in the Always On VPN mode.

The Transfer Logon page appears only if you configure address pools and disable spillover.

Configure a DNS suffix

When a user logs on to NetScaler Gateway and is assigned an IP address, a DNS record for the user name and IP address combination is added to the NetScaler Gateway DNS cache. You can configure a DNS suffix to append to the user name when the DNS record is added to the cache. This allows users to be referenced by the DNS name, which can be easier to remember than an IP address. When the user logs off from NetScaler Gateway, the record is removed from the DNS cache.

To configure a DNS suffix

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies, and then click Session.
  2. In the details pane, on the Policies tab, select a session policy and then click Open.
  3. Next to Request Profile, click Modify.
  4. On the Network Configuration tab, click Advanced.
  5. Next to Intranet IP DNS Suffix, click Override Global, type the DNS suffix and then click OK three times.