Product Documentation

Gateway Insight

Jun 04, 2017

In a NetScaler Gateway deployment, visibility into a user's access details is essential for troubleshooting access failure issues. As the network administrator, you want to know when a user is not able to log on to NetScaler Gateway, and you want to know the user activity and the reasons for logon failure, but that information is typically not available unless the user sends a request for resolution.

Gateway Insight provides visibility into the failures that users encounter when logging on, regardless of the access mode. You can view a list of users logged on at a given time, along with the number of active users, number of active sessions, and bytes and licenses used by all users at any given time. You can view the end-point analysis (EPA), authentication, single sign-on (SSO), and application launch failures for a user. You can also view the details of active and terminated sessions for a user.  

Gateway Insight also provides visibility into the reasons for application launch failure for virtual applications. This enhances your ability to troubleshoot any kind of logon or application launch failure issues. You can view the number of applications launched, number of total and active sessions, and the number of total bytes and bandwidth consumed by the applications. You can view details of the users, sessions, bandwidth, and launch errors for an application.

You can view the number of gateways, number of active sessions, and total bytes and bandwidth used by all gateways associated with a NetScaler Gateway appliance at any given time. You can view the EPA, authentication, single sign-on, and application launch failures for a gateway. You can also view the details of all users associated with a gateway and their logon activity. 

All log messages are stored in the NetScaler Insight Center database, so you can view error details for any time period. You can also view a summary of the logon failures and determine at what stage of the logon process a failure has occurred.

Points To Note

  • Gateway Insight is supported in the following deployments:
    • High Availability
    • Unified Gateway
  • The NetScaler Insight Center release and build must be same or later than that of the NetScaler Gateway appliance.
  • One hour of Gateway Insight reports can be viewed for NetScaler instances with Enterprise license. A Platinum license is needed to view Gateway Insight reports beyond one hour.

Limitations

  • Successful user logons, latency, and application-level details for virtual ICA applications and desktops are visible only on the HDX Insight Users dashboard.
  • In a double-hop mode, visibility into failures on the NetScaler Gateway appliance in the second DMZ is not available.
  • Remote Desktop Protocol (RDP) desktop access issues are not reported.
  • Gateway Insight does not report DNS lookup failures.
This document includes the following sections:

Enabling Gateway Insight

To enable Gateway Insight for your NetScaler Gateway appliance, you must first add the NetScaler Gateway appliance to NetScaler Insight Center. You then enable AppFlow for the virtual server representing the VPN application. For information about a adding device to NetScaler Insight Center, see Adding Devices.

Note: On the NetScaler Gateway appliance, you must enable AppFlow AAA Username logging to view end-point analysis (EPA) failures and you must also enable Enhanced Authentication feedback to view enhanced authentication errors such as password mismatch.

To enable AppFlow for a virtual server in NetScaler Insight Center

  1. In the NetScaler Insight Center GUI, on the Configuration tab, navigate to Inventory and click the device for which you want to enable AppFlow.
  2. Under Application List, in the View list, select VPN.
  3. Select the virtual server for which you want to enable AppFlow, and in the Action list, click Enable AppFlow.
  4. On the Enable AppFlow screen, in the Select Expression list, click true.
  5. Next to Export Option, select the HTTP check box. (ICA is selected by default.)
  6. Click OK
localized image

To enable AppFlow AAA Username logging on a NetScaler Gateway appliance by using the CLI

At the command prompt, type:

set appflow param -AAAUserName ENABLED

To enable AppFlow AAA Username logging on a NetScaler Gateway appliance by using the GUI

  1. Navigate to Configuration > System > AppFlow > Settings, and then click Change AppFlow Settings.
  2. In the Configure AppFlow Settings screen, select AAA Username, and then click OK.

To enable Enhanced Authentication Feedback on a NetScaler Gateway appliance by using the CLI

At the command prompt, type:

set aaa parameter -enableEnhancedAuthFeedback YES

To enable Enhanced Authentication Feedback on a NetScaler Gateway appliance by using the GUI

  1. Navigate to Configuration > Security > AAA - Application Traffic > Authentication Settings, and then click Change authentication AAA settings.
  2. In the Configure AAA Parameter screen, select Enable Enhanced Authentication Feedback, and then click OK.

Viewing Gateway Insight Reports

In NetScaler Insight Center, you can view reports for all users, applications, and gateways associated with the NetScaler Gateway appliances, and you can view details for a particular user, application, or gateway. When you open Gateway Insight, the landing page includes tabs on which you can view overview reports. You can navigate to reports about users, applications, and gateways.

This section includes the following details:

Overview Reports

In the Overview section, you can view the EPA, SSO, authentication, and application launch failures. You can also view a summary of the different session modes used by users to log on, the types of clients, and the number of users logged on every hour.

To view EPA, SSO, Authentication, and Application Launch Failures

  1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway.
  2. Select the time period for which you want to view the details. You can use the time slider to further customize the selected period. Click Go.
  3. Click the EPA (End Point Analysis), Authentication, SSO (Single Sign On), or Application Launch tabs to display the failure details.
localized image

To view a summary of session modes, clients, and the number of users

In the NetScaler Insight GUI, navigate to Dashboard > Gateway Insight, scroll down and, under General Summary, view the reports.

localized image
localized image

User Reports

You can view reports for all users associated with the NetScaler Gateway appliances. You can view the EPA, authentication, SSO, and application launch failures for a user. You can also view the details of active and terminated sessions for a user. 

To view user details

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight > Users.

2. Select the time period for which you want to view the user details. You can use the time slider to further customize the selected period. Click Go.

You can now view the number of active users, number of active sessions, bytes and licenses used by all users during the time period

localized image

Scroll down to view the historical data for all the users logged on in the selected time period.

localized image

On the Users or Active Users tab, you can click on a user in the User Name column to display the EPA, authentication, SSO, and application launch failures and other details for that user.

Application Reports

You can view the number of applications launched, number of total and active sessions, the number of total bytes and bandwidth consumed by the applications. You can view details of the users, sessions, bandwidth, and launch errors for an application.

To view application details

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight > Applications.

2. Select the time period for which you want to view the application details. You can use the time slider to further customize the selected time period. Click Go.

You can now view the number of applications launched, number of total and active sessions, the number of total bytes and bandwidth consumed by the applications.

localized image

Scroll down to view the numbers of sessions, bandwidth, and total bytes consumed by ICA and other applications.

localized image

On the Other Applications tab, you can click an application in the Name column to display details of that application.

Gateway Reports

You can view the number of gateways, number of active sessions, total bytes and bandwidth used by all gateways associated with a NetScaler Gateway appliance at any given time. You can view the EPA, authentication, single sign-on, and application launch failures for a gateway. You can also view the details of all users associated with a gateway and their logon activity. 

To view gateway details

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight > Gateways.

2. Select the time period for which you want to view the gateway details. You can use the time slider to further customize the selected time period. Click Go.

You can now view the number of gateways, number of active sessions, total bytes and bandwidth used by all gateways associated with a NetScaler Gateway appliance at any given time.

localized image

Scroll down to view the gateway details such as Gateway Domain Name, Virtual Server Name, NetScaler IP address, session modes, and so on.

localized image

You can click on a gateway in the Gateway Domain Name column to display the EPA, authentication, single sign-on, and application launch failures and other details for a gateway.

Use Cases

A user is not able to log on to the NetScaler Gateway appliance or to the internal web servers.

You are a NetScaler Gateway administrator monitoring NetScaler Gateway appliances through NetScaler Insight Center, and you want to see why a user is unable to log on, or at what stage of the logon process the failure has occurred.

NetScaler Insight Center enables you to view the user logon error details in the following stages of the logon process:

Authentication Failures

You can view authentication errors such as incorrect credentials or no response from the authentication server. If you have set up two-stage authentication, you can see whether the primary, secondary, or both stages of the authentication have failed.

To view the authentication failure details

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight and, in the Search for Users text box, type the name of the user for whom you want to view the error details.

2. In the list that appears, click the user’s name in the User Name column.

3. Click the Authentication tab. You can view the number of authentication errors at any given time in the Failures graph.

localized image

EPA Failures

You can view EPA failures at pre- or post-authentication stage.

To view EPA failure details

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight.

2. In the Overview section, select the time period for which you want to view the EPA errors. You can use the time slider to further customize the selected time period. Click Go.

3. Click the EPA (End Point Analysis) tab. You can view the number of EPA errors at any given time in the Failures graph.

localized image

Scroll down to view details of each EPA error such as Username, NetScaler IP Address, Gateway IP Address, VPN, Error Time, Policy Name, Gateway Domain Name and more from the table on the same tab. The Error Description column in the table displays the reason for the EPA failure, and the Policy Name column displays the policy that resulted in the failure.

localized image

You can click on a user in the Username column to display the EPA errors and other details for that user.

SSO Failures

You can view all the SSO failures at any stage for a user accessing any applications through the NetScaler Gateway appliance.

To view the SSO failure details

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight and, in the Search for Users text box, type the user for whom you want to view the error details.

2. In the list that appears, click the user's name in the User Name column.

3. Click the SSO (Single Sign On) tab. You can view the number of SSO errors at any given time in the Failures graph.

localized image

After successfully logging on to NetScaler Gateway, a user is not able to launch any virtual application.

For an application-launch failure, you can gain visibility into the reasons, such as inaccessible Secure Ticket Authority (STA) or XenApp server, or invalid STA ticket. You can view the time at which the error occurred, details of the error, and the resource for which STA validation failed.

To view the application launch failure details

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight and, in the Search for Users text box, type the name of the user for whom you want to view the error details.

2. In the list that appears, click the user's name in the User Name column.

3. Click the Application Launch tab. You can view the number of application launch failures that occurred at any given time in the Failures graph.

localized image

After successfully installing a new web application in an enterprise network, the administrator wants to view the total bytes and bandwidth consumed by that web application.

After you have successfully launched a new application, in NetScaler Insight Center, you can view the total bytes and bandwidth consumed by that application.

To view total bytes and bandwidth consumed by an application

In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight > Applications, scroll down and, on the Other Applications tab, click the application for which you want to view the details.

localized image

You can view the number of sessions and the total number of bytes consumed by that application.

localized image

You can also view the bandwidth consumed by that application.

localized image

Different users might be using different NetScaler Gateway deployments or might log on to NetScaler Gateway through different access modes. The administrator should be able to view details about the deployment types and access modes.

With Gateway Insight, you can view a summary of the different session modes used by users to log on, including the types of clients and the number of users logged on every hour. You can also determine whether a user’s deployment is a unified gateway or classic NetScaler Gateway deployment. For unified gateway deployments, you can view the content switching virtual server name and IP address and the VPN virtual server name.

 

To view the summary of session modes, types of clients, and number of users logged on

1. In the NetScaler Insight Center GUI, navigate to Dashboard > Gateway Insight.

2. In the screen that appears, scroll down. Under General Summary, the Session Mode, Operating Systems, Browsers, and User Logon Activity charts display the different session modes used by users to log on, the types of clients, and the number of users logged on every hour.

localized image
localized image