Citrix NetScaler Gateway 11.1 Configure ICA Only Remote Access
Remote access to a Citrix XenApp and/or XenDesktop environment can be provided with Citrix NetScaler Gateway, a feature that comes with the NetScaler appliance. All ICA connections are encrypted over SSL/TLS, allowing secure access to users' desktops and applications. The following article goes through the steps of setting up remote access on the NetScaler appliance for ICA-only connections.
Open a web browser and connect to the primary NetScaler appliance or the Subnet IP (SNIP), if it's been configured for management access. The SNIP will always take you to the primary appliance.
Expand System > Settings.
Click Configure Basic Features.
Select NetScaler Gateway and click OK.
We are going to configure authentication, namely LDAP, but first we need to make sure that the NetScaler's time is in sync with the domain controllers. Expand System > NTP Servers and click Add.
Enter a domain controller's IP address in NTP Server and click Create.
Expand System > Authentication > LDAP.
Click Servers tab.
Click Add.
Enter Name and select Security Type. Security Type can be PLAINTEXT, TLS or SSL, but for NetScaler Gateway to allow users to change an expired password in Active Directory, TLS or SSL must be used. If the user's password has expired and PLAINTEXT is used, the user will receive an access denied error message when they log on. To use TLS or SSL the domain controller must have an SSL certificate. The Port is 389 for PLAINTEXT and TLS, or 636 for SSL.
Scroll down the page.
Enter the Base DN (the location in the directory where the users can be found), the Administrator Bind DN (an ordinary user account that allows the NetScaler to query LDAP for user authentication) and the Administrator Password. Click Test Connection to make sure the LDAP connection works.
Choose sAMAccountName from the Server Logon Name Attribute drop-down box, set Group Attribute to memberOf and Sub Attribute Name to cn, then select --<< New >>-- from SSO Name Attribute and type sAMAccountName in the box below.
To allow users to change their passwords when they expire, check the box Allow Password Change. This option isn't available if PLAINTEXT was selected for the LDAP Security Type.
Click Create.
You can repeat these steps to add more servers for redundancy or for additional Active Directory domains.
Click Policies tab and click Add.
Enter a description in Name, select the server you just created in the Server drop-down box and type ns_true in the Expression box, so that LDAP authentication is always used.
If you added any further servers then you also need to create the policies to go with them.
In this particular case the NetScaler is connected to two networks, LAN and DMZ. Currently it only has IP addresses on the LAN. This step goes through adding a Subnet IP (SNIP), so that it has internal communication with the DMZ network.
Expand System > Networks > IPs.
Click Add.
Enter the IP Address and Netmask.
Scroll down the page and deselect Enable Management Access control to support the below listed applications, so that the NetScaler cannot be managed from the DMZ network.
Click Yes.
Click Create.
The new IP address should appear in the list. Now NetScaler has direct access to the DMZ network.
To make sure that NetScaler knows which NIC is connected to which network we will create a VLAN and assign the SNIP for the DMZ to that VLAN.
Expand System > Network > VLANs.
By default VLAN 1 is present and all interfaces are bound to it. Click Add.
Enter the VLAN ID, Alias Name (to easily identify the VLAN) and select the interface that is connected to the network under Interface Bindings. Click IP Bindings tab.
Select the IP address that was created earlier. Only SNIPs will be listed in this table.
Click Create.
The VLAN should appear in the list with the interface bound to it and no longer assigned to VLAN 1. We will leave the other interface on the default VLAN.
All my Internet traffic is routed through the DMZ. Now that the NetScaler is directly connected to the DMZ all Internet bound traffic can just go direct through this interface. I am therefore going to change the default gateway on the appliance.
Expand System > Network > Routes.
Click Add.
Enter 0.0.0.0 for the Network and Netmask and enter the default gateway IP address in Gateway.
Click Create.
You should have two default routes listed.
Select the old default route and click Delete.
Click Yes.
A single default route should be listed now.
Expand Traffic Management > SSL and click Import PKCS#12.
Enter the PEM filename that will be created on the appliance from the PFX file in Output File Name. Click Choose File for PKCS12 File.
Browse to locate the PFX certificate file and click Open.
Enter the password used to encrypt the PFX file in Import Password, select either DES or DES3 in Encoding Format, and enter a password to encrypt the PEM file on the NetScaler in PEM Passphrase and Confirm PEM Passphrase.
Expand Traffic Management > SSL > Certificates > Server Certificates and click Install.
Enter a certificate name in Certificate-Key Pair Name, click Choose File for Certificate File Name, browse the appliance for the certificate file that was imported earlier and enter the password used to encrypt it in Password. Click Install.
The certificate should now be listed.
Expand Traffic Management > SSL > CA Certificates and click Install.
Enter the certificate name in Certificate-Key Pair Name. For Certificate File Name click on the down arrow for Choose File and select Local. Browse to locate the root certificate used to sign the SSL certificate imported earlier.
Browse to locate the root certificate file and click Open.
Click Install.
Click Install to add the intermediate certificate.
Enter the certificate name in Certificate-Key Pair Name. For Certificate File Name click on the down arrow for Choose File and select Local. Browse to locate the intermediate certificate used to sign the SSL certificate imported earlier.
Browse to locate the intermediate certificate file and click Open.
Click Install.
Both the root and intermediate certificates should be installed.
Select the intermediate certificate and click Action > Link.
The root certificate should automatically appear in the CA Certificate Name drop-down box. Click OK.
Expand Traffic Management > SSL > Certificates > Server Certificates.
Click the ... icon.
Click Link.
The intermediate certificate should automatically appear in the CA Certificate Name drop-down box. Click OK.
All certificates in the chain are now linked together. It isn't strictly necessary to link the root certificate to the intermediate; only the SSL certificate needs to be linked to the intermediate.
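The PFX import and chain linking steps above can be rehearsed offline before touching the appliance. The following is an added example, not part of the original article or of any Citrix tooling: it builds a throwaway root > intermediate > server chain with openssl (all names are constructed test values), converts the server PFX to a DES3-encrypted PEM as the Import PKCS#12 step does, and then checks that the server certificate verifies only when the intermediate is supplied, which is exactly the link the Link step creates.

```shell
#!/bin/sh
# Added example (not from the article): build a constructed root -> intermediate -> server
# chain, package the server certificate as a PFX, convert it to a DES3-encrypted PEM the
# way the "Import PKCS#12" step does, then verify the chain links the way "Link" expects.
# Requires OpenSSL 1.1.1 or newer (for -addext). All names are constructed test values.
set -eu

build_and_verify_chain() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gateway.example.test\n' > "$d/srv.ext"

    # Root CA: self-signed and flagged as a CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    # Intermediate CA: CSR signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    # Gateway server certificate: CSR signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/srv.ext" -out "$d/srv.pem" >/dev/null 2>&1

    # The PFX you would upload, then the conversion the appliance performs on import:
    # PFX import password in, DES3-encrypted PEM protected by its own passphrase out.
    openssl pkcs12 -export -in "$d/srv.pem" -inkey "$d/srv.key" -certfile "$d/int.pem" \
        -out "$d/srv.pfx" -passout pass:pfx-import-password
    openssl pkcs12 -in "$d/srv.pfx" -passin pass:pfx-import-password \
        -des3 -out "$d/srv_from_pfx.pem" -passout pass:pem-passphrase

    # Link check: the server cert must verify through the intermediate up to the root...
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/srv.pem" >/dev/null
    # ...and must NOT verify against the root alone, which is what a server certificate
    # that is not linked to its intermediate looks like to a connecting client.
    if openssl verify -CAfile "$d/root.pem" "$d/srv.pem" >/dev/null 2>&1; then
        echo "server cert verified without the intermediate; chain is wrong" >&2
        return 1
    fi
    echo "$d"
}
```

Run `build_and_verify_chain` and it prints the working directory holding root.pem, int.pem, srv.pem, srv.pfx and the converted srv_from_pfx.pem; a non-zero exit means the chain does not link as expected.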
Expand NetScaler Gateway.
Expand Policies > Session.
Click Session Profiles tab.
Click Add.
Enter Name and click Client Experience tab.
Scroll down the page.
Enable Single Sign-on to Web Application and select PRIMARY in the Credential Index and click Security tab.
Set Default Authorization Action to ALLOW and click Published Applications tab.
Set ICA Proxy to ON and enter the full URL address, in this case https://storefront.cloudedskies.local/Citrix/DesktopsWeb, in Web Interface Address. Enter the Active Directory domain name in Single Sign-on Domain. Click Create.
Click Add.
Enter Name and click on Client Experience.
Scroll down the page, enable Single Sign-on to Web Application and select PRIMARY in the Credential Index and click Security tab.
Set Default Authorization Action to ALLOW and click Published Applications tab.
Set ICA Proxy to ON and enter the full URL address, in this case https://storefront.cloudedskies.local/Citrix/Desktops, in Web Interface Address. Enter the Active Directory domain name in Single Sign-on Domain and set Account Services Address to the StoreFront URL, https://storefront.cloudedskies.local. Click Create.
Click Add.
Enter Name and click on Client Experience.
Scroll down the page.
Enable Single Sign-on to Web Application and select PRIMARY in the Credential Index and click Security tab.
Set Default Authorization Action to ALLOW and click Published Applications tab.
Set ICA Proxy to ON and enter the full URL address, in this case https://storefront.cloudedskies.local/Citrix/Desktops/PNAgent/config.xml, in Web Interface Address. Enter the Active Directory domain name in Single Sign-on Domain and click Create.
Click Session Policies.
Click Add.
Enter Name, select the profile created earlier in Profile and enter the Expression used to identify a web browser. Click Create.
Click Add.
Enter Name, select the profile created earlier in Profile and enter the Expression used to identify the Citrix Receiver client. Click Create.
Click Add.
Enter Name, select the profile created earlier in Profile and enter the Expression used to identify the older Citrix Receiver Enterprise (PNAgent) client. Click Create.
All three policies should be listed for web browser, Receiver and PNAgent.
Expand NetScaler Gateway > Virtual Servers and click Add.
Enter Name, IPAddress and Port and click More to expand it.
Select ICA Only and click OK.
Click No Server Certificate.
Click > icon.
Select the SSL certificate that was imported earlier and click Select.
Click Bind.
Click Continue.
In Basic Authentication, click on "To add, please click on the + icon".
Select LDAP in Choose Policy and Primary for Choose Type and click Continue.
Click > for Select Policy.
Select the LDAP policy created in earlier steps and click Select.
Click Bind.
Click Continue.
Click Continue.
Locate the SSL Parameters section and click the pen icon.
Deselect SSLv3, so that the virtual server no longer accepts it, and click OK.
Locate the Profiles section and click the pen icon.
Choose nstcp_default_XA_XD_profile in the TCP Profile drop-down box and click OK.
In the Policies section click + icon.
Set Choose Policy to Session and Choose Type to Request and click Continue.
Click > for Select Policy.
Select the PNAgent policy from the list and click Select.
Click Bind.
Click on 1 Session Policy.
Click Add Binding.
Click > for Select Policy.
Select the Receiver policy from the list and click Select.
Click Bind.
Click Add Binding.
Click > for Select Policy.
Select the web browser policy from the list and click Select.
Click Bind.
Click Close.
Click on + Portal Themes.
Select X1 in Portal Theme or whatever your preferred theme and click OK.
Click + Published Applications.
Click No STA Server.
Enter the URL for the first XenApp/XenDesktop Delivery Controller in Secure Ticket Authority Server and select IPv4 in Secure Ticket Authority Address Type and click Bind.
Click 1 STA Server.
Click Add Binding.
Enter the URL for the second XenApp/XenDesktop Delivery Controller in Secure Ticket Authority Server and select IPv4 in Secure Ticket Authority Address Type and click Bind.
Click Close.
Click Done.
Click the Save icon.
Click Yes.
Remote access to the XenApp/XenDesktop environment has now been completed.