In the NetScaler Gateway GUI, in the navigation pane, click XenApp and XenDesktop and then on the Dashboard, click Create New Gateway.
In the StoreFront properties, set the Site Path to /Citrix/SecureBrowserWeb and set the Store name to SecureBrowser, the new store on the StoreFront server.
Continue the wizard and save the new virtual server.
On the NetScaler Gateway node, expand Policies and go to Session.
Select the Actions tab, edit the newly created action for the second virtual server, and then edit the AC_WB_ policy action.
On the Published Applications tab, paste the App Shortcuts URL that you saved previously in the Web Interface Address field and then click OK.
In the navigation pane, click the AppExpert node, expand the Responder section and then click Actions.
Add a new Action, name it Internal Connections, and set the type to Redirect.
In the Expression field, add the URL of the internal site to connect to, in quotes, such as "https://mysite.acme.com".
Click Create to save the action.
Add a new action, name it External Connections, and set the type to Redirect.
In the Expression field, add the URL of the second NetScaler Gateway virtual server surrounded by quotes, such as "https://gateway.acme.com".
Click Create to save the action.
Go to the Responder Policies node.
Add a new policy and name it Detect Browser Compliance. In the Action drop-down, select the External Connections action that you created previously.
Set Undefined-Result Action to NOOP.
In the Expression field, add the following text:
HTTP.REQ.HEADER("User-Agent").CONTAINS("AppleWebKit") || HTTP.REQ.HEADER("User-Agent").CONTAINS("Chrome") || HTTP.REQ.HEADER("User-Agent").CONTAINS("Firefox")
The expression above detects browsers that are non-compliant, or in this use case, not Internet Explorer.
Click Create to save the changes.
Add a new policy, name it Detect Client Source, and set the Action to the Internal Connections action that you created previously.
Set Undefined-Result Action to NOOP.
In the Expression field, add the following text:
(CLIENT.IP.SRC.IN_SUBNET(172.17.0.0/23) || CLIENT.IP.SRC.IN_SUBNET(192.168.52.0/24)) && HTTP.REQ.HEADER("User-Agent").CONTAINS("Trident")
Replace or add each subnet above to match your internal network environment. The expression matches when the user agent is the configured version of Internet Explorer and the client is connecting from the internal network.
Click Create to save the changes.
In the navigation pane, expand Traffic Management > Load Balancing, and then select Servers. Add the server used for hosting the internal site.
In the navigation pane, click Service Groups under Load Balancing, add a new service group, set the Protocol to SSL and bind the Server created in the previous step to the Service Group Members list.
Click Done.
In the navigation pane, click Virtual Servers in the Load Balancing node, click Add and name the server Intranet Site.
Set the Protocol to SSL, and type the IP address of the load balancer.
Bind the Service Group Internal Web Server created in the previous step and configure certificates for external access. Bind the internal root CA certificate to CA certificates so that the load balancer can offload SSL to the internal web server.
In the details pane, in Advanced settings, click + Policies. Click on the plus (+) sign to bind a new policy.
Select Responder for Choose Policy and click Continue. Select Detect Client Source and set the priority to 100.
Click Bind.
Click on the Responder policy section, click Add Binding, select Detect Browser Compliance and set the priority to 110. Click Bind.
Click Close and then click Done.
Save the NetScaler Gateway configuration.
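The two responder policies and their binding priorities from the steps above, modelled in Python as an added example (not Citrix code and not part of the original procedure). The sample addresses and User-Agent strings are constructed, and the model assumes that a redirect ends policy evaluation.

```python
import ipaddress

# Subnets and redirect targets are the page's example values.
INTERNAL_SUBNETS = [ipaddress.ip_network("172.17.0.0/23"),
                    ipaddress.ip_network("192.168.52.0/24")]
INTERNAL_URL = "https://mysite.acme.com"   # Internal Connections action
EXTERNAL_URL = "https://gateway.acme.com"  # External Connections action

def detect_client_source(src_ip, user_agent):
    """Detect Client Source: internal subnet AND User-Agent contains 'Trident'."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in INTERNAL_SUBNETS) and "Trident" in user_agent

def detect_browser_compliance(src_ip, user_agent):
    """Detect Browser Compliance: User-Agent contains a non-IE token."""
    return any(t in user_agent for t in ("AppleWebKit", "Chrome", "Firefox"))

# (priority, policy name, rule, redirect target) as bound to the virtual server.
BINDINGS = [
    (110, "Detect Browser Compliance", detect_browser_compliance, EXTERNAL_URL),
    (100, "Detect Client Source", detect_client_source, INTERNAL_URL),
]

def evaluate(src_ip, user_agent):
    """Return (policy, redirect URL) of the first match, lowest priority number
    first; (None, None) means no responder policy fired for the request."""
    for _prio, name, rule, target in sorted(BINDINGS, key=lambda b: b[0]):
        if rule(src_ip, user_agent):
            return name, target
    return None, None

# Constructed sample requests (addresses and User-Agent strings are illustrative).
IE11 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLES = [
    ("172.17.1.20", IE11),      # internal subnet, Internet Explorer
    ("192.168.52.10", CHROME),  # internal subnet, non-IE browser
    ("203.0.113.7", IE11),      # outside both subnets, Internet Explorer
    ("203.0.113.7", ""),        # empty User-Agent value
]

if __name__ == "__main__":
    for ip, ua in SAMPLES:
        print(ip, ua[:40] or "<empty>", "->", evaluate(ip, ua))
```

The last two samples match neither policy, so no redirect is issued and the virtual server handles the request itself. Because both expressions read the client-supplied User-Agent header, the outcome is a routing decision rather than a verification of the browser.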