Citrix Gateway and Endpoint Management

When integrated with Endpoint Management, Citrix Gateway provides remote device access to your internal network and resources. Endpoint Management creates a micro VPN from the apps on the device to Citrix Gateway.

You can use the Citrix Gateway service or on-premises Citrix Gateway, also known as NetScaler Gateway. For an overview of the two Citrix Gateway solutions, see Configure Citrix Gateway use with Endpoint Management.

Configure authentication for remote device access to the internal network

  1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Under Server, click Citrix Gateway. The Citrix Gateway page appears. In the following example, a Citrix Gateway instance exists.

    Citrix Gateway configuration screen

  3. Configure these settings:

    • Authentication: Select whether to enable authentication. The default is ON.
    • Deliver user certificate for authentication: Select whether you want Endpoint Management to share the authentication certificate with Secure Hub. Sharing the certificate enables Citrix Gateway to handle the client certificate authentication. The default is OFF.
    • Credential Provider: In the list, click the credential provider to use. For more information, see Credential providers.
  4. Click Save.

Add a Citrix Gateway instance

After you save the authentication settings, you add a Citrix Gateway instance to Endpoint Management.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page opens.

  2. Under Server, click Citrix Gateway. The Citrix Gateway page appears.

  3. You can add the Citrix Gateway service or an on-premises Citrix Gateway. To add an on-premises gateway, skip to the next step. To add the Gateway service, click Add and then choose Add Gateway service. The Add Citrix Gateway service page appears. Complete these settings.

    Citrix Gateway configuration screen

    • External URL: Type the publicly accessible URL for Citrix Gateway. For example, https://url.com.
    • Set as Default: Select whether to use this Citrix Gateway as the default. The default is ON.
    • Resource Location: Required if you use Secure Mail. Specify the resource location for the STA service. The resource location must include a configured Citrix Gateway. If you later want to remove a resource location that’s configured for Gateway service, update this setting first.

    When you complete those settings, click Save. The new Citrix Gateway is added and appears in the table. To edit or delete an instance, click the name in the list.

  4. To add an on-premises gateway, click Add and then choose Add On-Premises Gateway. The Add New Citrix Gateway page appears.

    Citrix Gateway configuration screen

    Configure these settings:

    • Name: Type a name for the Citrix Gateway instance.
    • Alias: Optionally include an alias name for the Citrix Gateway.
    • External URL: Type the publicly accessible URL for Citrix Gateway. For example, https://receiver.com.
    • Logon Type: Choose a logon type. Types include Domain and security token, Certificate and domain, and Certificate and security token. The default setting for the Password Required field changes based on the Logon Type you select. The default is Domain only.

    If you have multiple domains, use Certificate and domain. For more information, see Configure authentication for multiple domains.

    Certificate-based authentication at the Citrix Gateway requires extra configuration. For example, you must upload your root CA certificate to your Citrix ADC Appliance. See Create and Use SSL Certificates on a Citrix ADC Appliance.

    For more information, see Authentication in the Deployment Handbook.

    • Password Required: Select whether you want to require password authentication. The default varies based on the Logon Type chosen.
    • Set as Default: Select whether to use this Citrix Gateway as the default. The default is OFF.
    • Export Configuration Script: Click the button to export a configuration bundle that you upload to Citrix Gateway to configure it with Endpoint Management settings. For information, see “Configure an on-premises Citrix Gateway for use with Endpoint Management” after these steps.
  5. Click Save.

    The new Citrix Gateway is added and appears in the table. To edit or delete an instance, click the name in the list.

Configure on-premises Citrix Gateway for use with Endpoint Management

To configure an on-premises Citrix Gateway for use with Endpoint Management, you perform these general steps, detailed in the sections that follow.

  1. Verify that your environment meets the prerequisites.

  2. Export the script bundle from the Endpoint Management console.

  3. Run the script on the Citrix Gateway. See the readme file provided with the script for the latest detailed instructions.

  4. Test the configuration.

The script configures these Citrix Gateway settings required by Endpoint Management:

  • Citrix Gateway virtual servers needed for MDM and MAM
  • Session policies for the Citrix Gateway virtual servers
  • Endpoint Management server details
  • Proxy load balancer for certificate validation
  • Authentication Policies and Actions for the NSG virtual server. The script describes the LDAP configuration settings.
  • Traffic actions and policies for the proxy server
  • Clientless access profile
  • Static local DNS record on Citrix Gateway
  • Other bindings: Service policy, CA certificate

The script doesn’t handle the following configuration:

  • Exchange load balancing
  • Citrix Files load balancing
  • ICA Proxy configuration
  • SSL Offload

Prerequisites for using the Citrix Gateway configuration script

Endpoint Management requirements:

  • Complete the LDAP and Citrix Gateway configuration in Endpoint Management before exporting the script. If you change the settings, export the script again.

Citrix Gateway requirements:

  • When using certificate-based authentication at the Citrix Gateway, you must create SSL certificates on a Citrix ADC Appliance. See Create and Use SSL Certificates on a Citrix ADC Appliance.
  • Citrix Gateway (minimum version 11.0, Build 70.12).
  • Citrix Gateway IP address is configured and has connectivity to the LDAP server, unless LDAP is load balanced.
  • Citrix Gateway Subnet IP (SNIP) address is configured, has connectivity to the necessary back-end servers, and has public network access over port 8443/TCP.
  • DNS can resolve public domains.
  • Citrix Gateway is licensed with Platform/Universal or Trial licenses. For information, see https://support.citrix.com/article/CTX126049.

Install the script in your environment

The script bundle includes a:

  • Readme file with detailed instructions
  • Script that contains the NetScaler CLI commands used to configure the required components in NetScaler
  • Public Root CA certificate and the Intermediate CA certificate
  • Script that contains the NetScaler CLI commands used to remove the NetScaler configuration

  1. Upload and install the certificate files (provided in the script bundle) on the Citrix ADC appliance in the /nsconfig/ssl/ directory. See Create and Use SSL Certificates on a Citrix ADC Appliance.

    Citrix Gateway configuration screen

    The following examples show how to install the root certificate.

    Citrix Gateway configuration screen

    Ensure that you install both the root and intermediate certificates.

  2. Edit the script (OfflineNSGConfigtBundle_CREATESCRIPT) to replace all placeholders with details from your environment.

    Citrix Gateway configuration screen

  3. Run your edited script in the NetScaler bash shell, as described in the readme file included in the script bundle. For example:

    /netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/OfflineNSGConfigtBundle_CREATESCRIPT.txt"

    Citrix Gateway configuration screen

    When the script completes, the following lines appear.

    Citrix Gateway success screen
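Step 2 says to replace every placeholder before the batch file reaches nscli; a half-edited script fails part-way through and leaves a partial gateway configuration behind. The following is an added example (not part of the Citrix script bundle) that fills the placeholders from a dictionary and refuses to write the batch file while any remain. It assumes the CREATE script marks environment-specific values with angle-bracket placeholders in the same style as the nscli command above; the placeholder names and the NetScaler commands in the sample are constructed for illustration.

```python
"""Fill placeholders in an exported Citrix Gateway configuration script,
refusing to produce a batch file while any placeholder is unfilled."""
import re
from typing import Dict, List

# Placeholder syntax assumed for this example: <Name>, allowing spaces as in
# <NetScaler Management Username>.
PLACEHOLDER = re.compile(r"<([A-Za-z][A-Za-z0-9 _-]*)>")

# Constructed stand-in for OfflineNSGConfigtBundle_CREATESCRIPT.txt (illustrative
# commands only, not the real bundle contents).
SAMPLE_SCRIPT = """\
add vpn vserver <NSG_VSERVER_NAME> SSL <NSG_VIP> 443
add authentication ldapAction <LDAP_ACTION_NAME> -serverIP <LDAP_SERVER_IP> -ldapBase "<LDAP_BASE_DN>" -ldapBindDn "<LDAP_BIND_DN>" -ldapBindDnPassword <LDAP_BIND_PASSWORD> -ldapLoginName userPrincipalName
add lb vserver <PROXY_LB_NAME> SSL <PROXY_LB_VIP> 443
"""


def find_placeholders(script: str) -> List[str]:
    """Return the distinct placeholder names in order of first appearance."""
    seen: List[str] = []
    for m in PLACEHOLDER.finditer(script):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def fill_script(script: str, values: Dict[str, str]) -> str:
    """Substitute every placeholder. Raise ValueError if any placeholder is
    missing from `values` or left blank, so a half-edited script is never
    handed to 'nscli batch'. Substitution uses a callable so that backslashes
    in values (e.g. in a bind DN) are copied literally."""
    missing = [p for p in find_placeholders(script) if not values.get(p, "").strip()]
    if missing:
        raise ValueError("unfilled placeholders: " + ", ".join(missing))
    filled = PLACEHOLDER.sub(lambda m: values[m.group(1)], script)
    leftover = find_placeholders(filled)  # a supplied value that itself looks like <X>
    if leftover:
        raise ValueError("placeholders reintroduced by values: " + ", ".join(leftover))
    return filled


if __name__ == "__main__":
    # Constructed environment values; the filled file contains the LDAP bind
    # password, so remove it from /var once the batch run has completed.
    env = {p: "example_" + p.lower() for p in find_placeholders(SAMPLE_SCRIPT)}
    with open("OfflineNSGConfigtBundle_CREATESCRIPT.txt", "w") as fh:
        fh.write(fill_script(SAMPLE_SCRIPT, env))
```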

Test the configuration

To validate the configuration:

  1. Validate that Citrix Gateway Virtual Server shows a state of UP.

    Citrix Gateway status screen

  2. Validate that the Proxy Load Balancing Virtual Server shows a state of UP.

    Citrix Gateway status screen

  3. Open a web browser, connect to the Citrix Gateway URL, and attempt to authenticate. If the authentication succeeds, you are redirected to an “HTTP Status 404 - Not Found” message.

  4. Enroll a device and ensure it gets both MDM and MAM enrollment.

Configure authentication for multiple domains

If you have multiple Endpoint Management instances, such as for test, development, and production environments, you configure Citrix Gateway for the additional environments manually. (You can use the NetScaler for XenMobile wizard only one time.)

Citrix Gateway configuration

To configure Citrix Gateway authentication policies and a session policy for a multi-domain environment:

  1. In the Citrix Gateway configuration utility, on the Configuration tab, expand Citrix Gateway > Policies > Authentication.
  2. In the navigation pane, click LDAP.
  3. Click to edit the LDAP profile. Change the Server Logon Name Attribute to userPrincipalName or the attribute you want to use for searches. Make a note of the attribute that you specify. You provide it when configuring LDAP settings in the Endpoint Management console.

    Citrix Gateway configuration screen

  4. Repeat those steps for each LDAP policy. A separate LDAP policy is required for each domain.
  5. In the session policy bound to the Citrix Gateway virtual server, navigate to Edit session profile > Published Applications. Make sure that Single Sign-On Domain is blank.

Endpoint Management configuration

To configure Endpoint Management LDAP for a multi-domain environment:

  1. In the Endpoint Management console, go to Settings > LDAP and add or edit a directory.

    Endpoint Management LDAP settings screen

  2. Provide the information.

    • In Domain Alias, specify each domain to use for user authentication. Separate the domains with a comma and don’t use spaces between the domains. For example: domain1.com,domain2.com,domain3.com

    • Ensure that the User search by field matches the Server Logon Name Attribute specified in the Citrix Gateway LDAP policy.

    Endpoint Management LDAP settings screen
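The two procedures above have to agree with each other: one LDAP policy per domain on the gateway, each Domain Alias entry comma separated without spaces, the Server Logon Name Attribute equal to User search by, and the session profile's Single Sign-On Domain left blank. As an added example (not Citrix code), the following cross-checks those settings before enrollment is tested; the dictionaries and field names are constructed to mirror the fields named in the text.

```python
"""Consistency check for the multi-domain LDAP settings on the Citrix Gateway
and Endpoint Management sides."""
from typing import Dict, List


def parse_domain_alias(alias: str) -> List[str]:
    """Split the Domain Alias field the way the console expects it: comma
    separated, no spaces. Spaces, empty entries and duplicates are rejected
    rather than trimmed, because the console stores the string as typed."""
    if " " in alias:
        raise ValueError("Domain Alias must not contain spaces: %r" % alias)
    domains = alias.split(",")
    if any(d == "" for d in domains):
        raise ValueError("Domain Alias has an empty entry: %r" % alias)
    if len(set(domains)) != len(domains):
        raise ValueError("Domain Alias has duplicate entries: %r" % alias)
    return domains


def check_multidomain(gateway_ldap_policies: Dict[str, str],
                      sso_domain: str,
                      em_domain_alias: str,
                      em_user_search_by: str) -> List[str]:
    """Return findings (empty list means the two sides are consistent).
    gateway_ldap_policies maps domain -> Server Logon Name Attribute of the
    LDAP policy for that domain; sso_domain is the session profile's
    Single Sign-On Domain; the em_* values are the Endpoint Management
    directory settings."""
    findings: List[str] = []
    domains = parse_domain_alias(em_domain_alias)
    for d in domains:
        attr = gateway_ldap_policies.get(d)
        if attr is None:
            findings.append("no Citrix Gateway LDAP policy for domain " + d)
        # LDAP attribute names are case-insensitive, so compare accordingly.
        elif attr.lower() != em_user_search_by.lower():
            findings.append("%s: gateway attribute %s differs from User search by %s"
                            % (d, attr, em_user_search_by))
    for d in gateway_ldap_policies:
        if d not in domains:
            findings.append("gateway LDAP policy for %s has no Domain Alias entry" % d)
    if sso_domain.strip():
        findings.append("Single Sign-On Domain must be blank in the session profile")
    return findings


if __name__ == "__main__":
    # Constructed settings: three domains, one of them missing on the gateway.
    policies = {"domain1.com": "userPrincipalName", "domain2.com": "sAMAccountName"}
    for f in check_multidomain(policies, "", "domain1.com,domain2.com,domain3.com",
                               "userPrincipalName"):
        print("finding:", f)
```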

Drop inbound connection requests to specific URLs

If the Citrix Gateway in your environment is configured for SSL offload, you might prefer that the gateway drop inbound connection requests for specific URLs. If you prefer that extra security, contact Citrix Cloud Operations and request that they whitelist your IP to your on-premises data centers.