Unified Gateway F.A.Q.
Unified Gateway is a new feature in the NetScaler 11.0 release, providing the ability to receive traffic on a single virtual server (called a Unified Gateway virtual server) and then internally direct that traffic, as appropriate, to virtual servers that are bound to the Unified Gateway virtual server.
The Unified Gateway feature allows end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). Administrators can free up IP addresses and simplify the configuration of the NetScaler Gateway deployment.
Each Unified Gateway virtual server can front-end one NetScaler Gateway virtual server along with zero or more load balancing virtual servers as part of a formation. Unified Gateway works by leveraging the content switching feature of the NetScaler appliance.
Some examples of Unified Gateway deployments:
Each of the load balancing virtual servers can be any standard load balancing virtual server that hosts a backend service, such as Microsoft Exchange or Citrix ShareFile.
The Unified Gateway feature enables end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). For administrators, the advantage is that they can free up IP addresses and simplify the configuration of the NetScaler Gateway deployment.
Yes. There can be as many Unified Gateway virtual servers as you need.
The content switching feature is required because the content switching virtual server is the one that receives traffic and internally directs it to the appropriate virtual server. The content switching virtual server is the primary component of the Unified Gateway feature.
Use of a content switching virtual server for receiving traffic for multiple virtual servers is supported in releases earlier than 11.0. However, content switching could not direct traffic to a NetScaler Gateway virtual server.
The enhancements in 11.0 enable a content switching virtual server to direct traffic to any virtual server, including a NetScaler Gateway virtual server.
1. A new command line parameter "-targetVserver" is added for the content switching action. The new parameter is used to specify the target NetScaler Gateway virtual server. Example:
> add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG
In the NetScaler configuration utility, the content switching action has a new option, Target Virtual Server, which can reference a NetScaler Gateway virtual server.
2. A new advanced policy expression, is_vpn_url, can be used to match NetScaler Gateway and authentication-specific requests.
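The two enhancements above, shown together in a complete Unified Gateway formation on the NetScaler 11.0 command line. This is an added example, not configuration from the FAQ: UG_VPN_MyUG, UG_CSACT_MyUG and ug.citrix.com are taken from this page, while the IP address, certificate name, the LB_OWA and LB_ShareFile virtual servers and the sharefile.citrix.com host are assumptions.

```nscli
# Unified Gateway formation (added example). Names, IP and hostnames other
# than UG_VPN_MyUG, UG_CSACT_MyUG and ug.citrix.com are assumptions.

# 1. The Unified Gateway (content switching) virtual server owns the only
#    public IP/port and the SSL/TLS server certificate.
add cs vserver UG_VS_MyUG SSL 203.0.113.10 443
bind ssl vserver UG_VS_MyUG -certkeyName ug_citrix_com_cert

# 2. The NetScaler Gateway virtual server sits behind it on the
#    non-addressable IP 0.0.0.0, so it consumes no second public IP.
add vpn vserver UG_VPN_MyUG SSL 0.0.0.0 0
# RDP proxy needs a certificate on the gateway vserver; reuse the same one.
bind ssl vserver UG_VPN_MyUG -certkeyName ug_citrix_com_cert

# 3. Gateway-specific and authentication requests are matched by the new
#    is_vpn_url expression and sent to the gateway with -targetVserver.
#    Lowest priority number is evaluated first.
add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG
add cs policy UG_CSPOL_MyUG -rule is_vpn_url -action UG_CSACT_MyUG
bind cs vserver UG_VS_MyUG -policyName UG_CSPOL_MyUG -priority 100

# 4a. Single URL: one FQDN (ug.citrix.com), so applications are switched
#     by site path, like an Apache alias or an IIS virtual directory.
add lb vserver LB_OWA SSL 0.0.0.0 0
add cs action CSACT_OWA -targetLBVserver LB_OWA
add cs policy CSPOL_OWA -rule "HTTP.REQ.HOSTNAME.EQ(\"ug.citrix.com\") && HTTP.REQ.URL.PATH.STARTSWITH(\"/owa\")" -action CSACT_OWA
bind cs vserver UG_VS_MyUG -policyName CSPOL_OWA -priority 200

# 4b. Multiple hosts: only possible when the bound certificate is a wildcard
#     (*.citrix.com) or SNI provides one certificate per FQDN. Applications
#     are then switched on the Host header, like Apache Virtual Hosts.
add lb vserver LB_ShareFile SSL 0.0.0.0 0
add cs action CSACT_ShareFile -targetLBVserver LB_ShareFile
add cs policy CSPOL_ShareFile -rule "HTTP.REQ.HOSTNAME.EQ(\"sharefile.citrix.com\")" -action CSACT_ShareFile
bind cs vserver UG_VS_MyUG -policyName CSPOL_ShareFile -priority 300
```

Requests that match no policy are not handled by anything shown here; a default target for the content switching virtual server, if required, is outside this example.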
All features are supported in Unified Gateway. However, a minor issue (issue ID 544325) has been reported with native logon through the VPN plugin. In this case, seamless single sign-on (SSO) does not work.
With Unified Gateway, endpoint analysis is triggered only for NetScaler Gateway access methods, not for AAA-TM access. If a user tries to access a AAA-TM virtual server even though the authentication is done on the NetScaler Gateway virtual server, the EPA scan is not triggered. However, if the user is trying to gain clientless VPN/Full VPN access, the configured EPA scan is triggered. In that case, either authentication or seamless SSO is done.
Unified Gateway is supported only for Enterprise and Platinum licenses. It will not be available for NetScaler Gateway only or Standard license editions.
For a NetScaler Gateway virtual server used with Unified Gateway virtual server, an IP/Port/SSL configuration is not needed on the NetScaler Gateway virtual server. However, for RDP proxy functionality you can bind the same SSL/TLS server certificate to the NetScaler Gateway virtual server.
You do not need to re-provision certificates that are currently bound to your NetScaler Gateway virtual server. You are free to reuse any existing SSL certificate(s) and to bind those to the Unified Gateway virtual server.
Single URL refers to the ability of the Unified Gateway virtual server to handle traffic for one fully qualified domain name (FQDN). This restriction exists when Unified Gateway uses an SSL/TLS server certificate whose subject is populated with the FQDN. For example: ug.citrix.com
If, however, Unified Gateway is using a wildcard server certificate, it can handle traffic for multiple sub-domains. For example: *.citrix.com
Another option is SSL/TLS configuration with Server Name Indicator (SNI) functionality to allow binding of multiple SSL/TLS server certificates. Examples: auth.citrix.com, auth.citrix.de, auth.citrix.co.uk, auth.citrix.co.jp
Single host versus multiple hosts is analogous to the way websites are typically hosted on a web server (for example Apache HTTP Server or Microsoft Internet Information Services (IIS)). If there is a single host, you use a site path to switch traffic, the same way you use an alias or "virtual directory" in Apache. If there are multiple hosts, you use the Host header to switch traffic, similarly to the way you use Virtual Hosts in Apache.
All existing authentication mechanisms that work with NetScaler Gateway work with Unified Gateway.
These include LDAP, RADIUS, SAML, Kerberos, Certificate based Authentication, and so on.
Whatever authentication mechanism is configured on the NetScaler Gateway virtual server before the upgrade is automatically used when the NetScaler Gateway virtual server is placed behind the Unified Gateway virtual server. There are no additional configuration steps involved, other than assigning a non-addressable IP address (0.0.0.0) to the NetScaler Gateway virtual server.
SelfAuth is not an authentication type per se. SelfAuth describes how a URL is created. A new command line parameter, ssotype, is available for VPN URL configuration. Example:
> add vpn url RGB RGB "http://blue.citrix.lab/" -vServerName Blue -ssotype selfauth
SelfAuth is one of the values of the ssotype parameter. This type of URL can be used to access resources that are not in the same domain as the Unified Gateway virtual server. The setting can be seen in the configuration utility when configuring a Bookmark.
When additional, more secure levels of authentication are required for accessing a AAA-TM resource, you can use StepUp authentication. On the command line, use an authnProfile command to set the authenticationLevel parameter. Example:
> add authentication authnProfile AuthProfile -authnVsName AAATMVserver -AuthenticationHost auth.citrix.lab -AuthenticationDomain citrix.lab -AuthenticationLevel 100
This authentication profile is bound to the load balancing virtual server.
Yes, it is supported.
Login Once: VPN users log in once to either a AAA-TM or a NetScaler Gateway virtual server, and from then on have seamless access to all the Enterprise/Cloud/Web applications. The user need not be reauthenticated. However, reauthentication is done for special cases, such as AAA-TM StepUp.
Logout Once: After the first AAA-TM or NetScaler Gateway session is created, it is used to create subsequent AAA-TM or NetScaler Gateway sessions for that user. If any of those sessions are logged out, the NetScaler appliance also logs out the user’s other applications or sessions.
If you need to specify separate authentication policies for AAA-TM virtual server behind Unified Gateway, you will need to have a separate, independently addressable authentication virtual server (similar to ordinary AAA-TM configuration). The authentication host setting on load balancing virtual server has to point to this authentication virtual server.
In this scenario, the load balancing server must have the authentication FQDN option set to point to the AAA-TM virtual server. The AAA-TM virtual server must have an independent IP address and be reachable from NetScaler and clients.
No. The NetScaler Gateway virtual server will authenticate even the AAA-TM users.
Authentication policies are to be bound to NetScaler Gateway virtual server.
Enable authentication on AAA-TM and point the authentication host to the Unified Gateway content switching FQDN.
There is no difference between adding AAA-TM virtual servers for a single URL and adding it for multiple hosts. In either case, the virtual server is added as a target in a content switching action. The difference between single URL vs multi-host is implemented by content-switching policy rules.
Authentication policies are bound to the authentication virtual server, and the authentication virtual server is bound to the load balancing virtual server. For the Unified Gateway virtual server, Citrix recommends having the NetScaler Gateway virtual server as the single authentication point, which negates the need to perform authentication on an authentication virtual server (or even the need for a specific authentication virtual server). Pointing the authentication host to the Unified Gateway virtual server FQDN ensures that authentication is done by the NetScaler Gateway virtual server. If you point the authentication host to content switching for Unified Gateway and still have an authentication virtual server bound, the authentication policies bound to the authentication virtual server are ignored. However, if you point the authentication host to an independently addressable authentication virtual server, the bound authentication policies take effect.
If, in Unified Gateway, no authentication virtual server is specified for the AAA-TM virtual server, the AAA-TM sessions inherit the NetScaler Gateway session policies. If the authentication virtual server is specified, the AAA-TM session policies bound to that virtual server are applied.
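The two authentication arrangements described above (gateway as the single authentication point, or an independently addressable authentication virtual server, with StepUp), as an added NetScaler 11.0 CLI example that is not part of the FAQ. UG_VPN_MyUG, ug.citrix.com, auth.citrix.lab, citrix.lab and the AuthProfile command come from this page; LB_OWA, AAA_VS, the LDAP policy names, the certificate name and 203.0.113.11 are assumptions.

```nscli
# AAA-TM authentication behind Unified Gateway (added example; assumes an
# existing LB vserver LB_OWA bound to the Unified Gateway formation and an
# existing LDAP policy LDAP_POL).

# Option A (the FAQ's recommendation): the NetScaler Gateway vserver is the
# single authentication point, so authentication policies are bound there.
bind vpn vserver UG_VPN_MyUG -policy LDAP_POL -priority 100
# The AAA-TM (load balancing) vserver only enables authentication and points
# its authentication host at the Unified Gateway FQDN. No authentication
# vserver is bound, so the AAA-TM session inherits the gateway session
# policies and any policies on an authentication vserver would be ignored.
set lb vserver LB_OWA -authentication ON -authenticationHost ug.citrix.com

# Option B: separate authentication policies for this AAA-TM vserver need an
# independently addressable authentication vserver that both the NetScaler
# and the clients can reach (its own IP and certificate).
add authentication vserver AAA_VS SSL 203.0.113.11 443
bind ssl vserver AAA_VS -certkeyName auth_citrix_lab_cert
bind authentication vserver AAA_VS -policy LDAP_POL_AAA -priority 100
set lb vserver LB_OWA -authentication ON -authenticationHost auth.citrix.lab -authnVsName AAA_VS

# StepUp: require a higher authentication level for this resource. The
# profile names the authentication vserver and is bound to the LB vserver.
add authentication authnProfile AuthProfile -authnVsName AAA_VS -AuthenticationHost auth.citrix.lab -AuthenticationDomain citrix.lab -AuthenticationLevel 100
set lb vserver LB_OWA -authnProfile AuthProfile
```

Options A and B are alternatives for the same load balancing virtual server; apply one of them, not both.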
In NetScaler releases earlier than 11.0, a single portal customization can be set up at the global level. Every gateway virtual server in a given NetScaler appliance uses the global portal customization.
In NetScaler 11.0, with the portal themes feature, you can set up multiple portal themes. Themes can be bound globally or to specific virtual servers.
Using the configuration utility, you can use the new portal themes feature to customize and create the new portal themes completely. You can upload different images, set color schemes, change text labels and so on.
The portal pages that can be customized are:
Yes. Portal Themes are supported in NetScaler high availability and cluster deployments.
No. Existing customizations to the NetScaler Gateway portal page that are invoked through rc.conf/rc.netscaler file modification or by using custom theme functionality in 10.1/10.5 will not be automatically migrated upon upgrade to NetScaler 11.0.
Any existing customizations have to be removed from the rc.conf or rc.netscaler file(s).
The other option is that if custom themes are used, they have to be assigned the Default setting:
Navigate to Configuration > NetScaler Gateway > Global Settings
Click Change Global Settings. Click Client Experience and select Default from UI Theme drop-down list.
Citrix Knowledge Center article CTX126206 details such a configuration for the NetScaler 9.3 and 10.0 releases up to 10.0 build 73.5001.e. Since NetScaler 10.0 build 73.5002.e (including 10.1 and 10.5), the UITHEME CUSTOM parameter has been available to help customers retain their customizations across reboots. If customizations are stored on the NetScaler hard drive and you would like to continue using them, back up the 11.0 GUI files and insert them into the existing custom theme file. If you want to move to portal themes, you must first unset the UITHEME parameter in the Global Settings or the Session profile, under Client Experience. Or, you can set it to DEFAULT or GREENBUBBLE. Then you are able to start creating and binding a Portal Theme.
The customized files that were uploaded to the ns_gui_custom folder are on the disk and persist across upgrades. However, these files might not be entirely compatible with the new NetScaler 11.0 kernel and other GUI files that are part of the kernel. Therefore, Citrix recommends backing up the 11.0 GUI files and customizing the backups.
Moreover, there is no utility in the configuration utility to export the ns_gui_custom folder to another NetScaler appliance. You have to use SSH or a file transfer utility such as WinSCP to copy the files off the NetScaler instance.
No. Portal Themes are not supported for AAA-TM virtual servers at this time.
Many enhancements have been made to RDP Proxy since the NetScaler 10.5.e enhancement release. In NetScaler 11.0 this feature is available from the first released build.
The RDP Proxy feature in NetScaler 11.0 can be used only with Platinum and Enterprise editions. For Standard NetScaler Gateway license holders, an add-on license for RDP Proxy may be purchased. This license must be added to the appliance before enabling the RDP proxy feature. Citrix Concurrent User (CCU) licenses must be obtained for each user.
In NetScaler 10.5.e there was no command to enable RDP Proxy. In NetScaler 11.0, the enable command has been added:
> enable feature rdpproxy
The feature must be licensed to run this command.
Other RDP Proxy Changes
A Pre-shared Key (PSK) attribute on the server profile has been made mandatory.
To migrate existing NetScaler 10.5.e configurations for RDP proxy to NetScaler 11.0, the following details should be understood and addressed.
If an administrator wants to add an existing RDP proxy configuration to a chosen Unified Gateway deployment:
Option 1: Keep the existing NetScaler Gateway virtual server with RDP Proxy configuration as is, with a Platinum or Enterprise license.
Option 2: Move the existing NetScaler Gateway virtual server with RDP Proxy configuration, placing it behind a Unified Gateway virtual server.
Option 3: Add a standalone NetScaler Gateway virtual server with RDP Proxy configuration to an existing Standard Edition appliance.
There are two options for deploying RDP proxy using the NS 11.0 release:
1) Using an externally facing NetScaler Gateway virtual server. This requires one externally visible IP address/FQDN for the NetScaler Gateway virtual server. This is the option available in NetScaler 10.5.e.
2) Using a Unified Gateway virtual server front-ending the NetScaler Gateway virtual server.
With Option 2 the NetScaler Gateway virtual server does not require its own IP address/FQDN, because it uses a non-addressable IP address (0.0.0.0).
When NetScaler Gateway is deployed with Unified Gateway, the NetScaler Gateway virtual server must have a valid SSL certificate bound to it, and it must be in an UP state in order to generate AppFlow records for NetScaler Insight Center for the purposes of HDX Insight reporting.
No migration is needed. AppFlow policies bound to a NetScaler Gateway virtual server carry over if that NetScaler Gateway virtual server is put behind a Unified Gateway virtual server.
For existing data in NetScaler Insight Center for the NetScaler Gateway virtual server, there are two possibilities: