Citrix Gateway and Endpoint Management
When you configure Citrix Endpoint Management to use Citrix Gateway, you establish the authentication mechanism for remote device access to the internal network. That setup enables apps on a mobile device to access corporate servers located in the intranet. Endpoint Management creates a micro VPN from the apps on the device to Citrix Gateway.
You configure Citrix Gateway for use with Endpoint Management by exporting a script from Endpoint Management that you run on Citrix Gateway.
Prerequisites for using the Citrix Gateway configuration script
Citrix Gateway requirements:
- Citrix Gateway (minimum version 11.0, Build 70.12).
- Citrix Gateway IP address is configured and has connectivity to the LDAP server, unless LDAP is load balanced.
- Citrix Gateway Subnet (SNIP) IP address is configured, has connectivity to the necessary back end servers, and has public network access over port 8443/TCP.
- DNS can resolve public domains.
- Citrix Gateway is licensed with Platform/Universal or Trial licenses. For information, see https://support.citrix.com/article/CTX126049.
- A Citrix Gateway SSL certificate is uploaded and installed on the Citrix Gateway. For information see, https://support.citrix.com/article/CTX136023.
Endpoint Management requirements:
- LDAP server is configured.
Configure authentication for remote device access to the internal network
In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.
Under Server, click NetScaler Gateway. The NetScaler Gateway page appears. In the following example, a Citrix Gateway instance exists.
Configure these settings:
- Authentication: Select whether to enable authentication. The default is ON.
- Deliver user certificate for authentication: Select whether you want Endpoint Management to share the authentication certificate with Secure Hub so that the Citrix Gateway handles client certificate authentication. The default is OFF.
- Credential Provider: In the list, click the credential provider to use. For more information, see Credential providers.
Add a Citrix Gateway instance
After you save the authentication settings, you add a Citrix Gateway instance to Endpoint Management.
In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page opens.
Under Server, click NetScaler Gateway. The NetScaler Gateway page appears.
Click Add. The Add New NetScaler Gateway page appears.
Configure these settings:
- Name: Type a name for the Citrix Gateway instance.
- Alias: Optionally include an alias name for the Citrix Gateway.
External URL: Type the publicly accessible URL for Citrix Gateway. For example,
- Logon Type: Choose a logon type. Types include Domain only, Security token only, Domain and security token, Certificate, Certificate and domain, and Certificate and security token. The default setting for the Password Required field changes based on the Logon Type you select. The default is Domain only.
If you have multiple domains, use Certificate and domain. For more information about configuring multiple-domain authentication with Citrix Endpoint Management and Citrix Gateway, see Configure authentication for multiple domains.
If you use Certificate and security token, some additional configuration is required on Citrix Gateway to support Secure Hub. For information, see Configuring Endpoint Management for Certificate and Security Token Authentication.
For more information, see Authentication in the Deployment Handbook.
- Password Required: Select whether you want to require password authentication. The default varies based on the Logon Type chosen.
- Set as Default: Select whether to use this Citrix Gateway as the default. The default is OFF.
- Export Configuration Script: Click the button to export a configuration bundle that you upload to Citrix Gateway to configure it with Endpoint Management settings. For information, see “Configure an on-premises Citrix Gateway for use with Endpoint Management” after these steps.
The new Citrix Gateway is added and appears in the table. To edit or delete an instance, click the name in the list.
Configure Citrix Gateway for use with Endpoint Management
To configure an on-premises Citrix Gateway for use with Endpoint Management, you perform the following general steps, detailed in this article:
Download a script and related files from Endpoint Management server. See the readme file provided with the script for the latest detailed instructions.
Verify that your environment meets the prerequisites.
Update the script for your environment.
Run the script on Citrix Gateway.
Test the configuration.
The script configures these Citrix Gateway settings required by Endpoint Management:
- Citrix Gateway virtual servers needed for MDM and MAM
- Session policies for the Citrix Gateway virtual servers
- Endpoint Management server details
- Authentication Policies and Actions for the NSG virtual server. The script describes the LDAP configuration settings.
- Traffic actions and policies for the proxy server
- Clientless access profile
- Static local DNS record on Citrix Gateway
- Other bindings: Service policy, CA certificate
The script doesn’t handle the following configuration:
- Exchange load balancing
- Citrix Files load balancing
- ICA Proxy configuration
- SSL Offload
To download, update, and run the script
If you’re adding a Citrix Gateway, click Export Configuration Script on the Add New NetScaler Gateway page.
Or, if you add a Citrix Gateway instance and click Save before you export the script: Return to Settings > NetScaler Gateway, select the Citrix Gateway, click Export Configuration Script, and then click Download.
After you click Export Configuration Script, Endpoint Management creates a .tar.gz script bundle. The script bundle includes:
- Readme file with detailed instructions
- Script that contains the Citrix Gateway CLI commands used to configure the required components in Citrix Gateway
- Public Root CA certificate and the Intermediate CA certificate of Endpoint Management server (these certificates, for SSL offload, are not needed for the current release)
- Script that contains the Citrix Gateway CLI commands used to remove the Citrix Gateway configuration
Edit the script (NSGConfigBundle_CREATESCRIPT.txt) to replace all placeholders with details from your environment.
Run your edited script in the Citrix Gateway bash shell, as described in the readme file included in the script bundle. For example:
/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f "/var/NSGConfigBundle_CREATESCRIPT.txt"
When the script completes, the following lines appear.
Test the configuration
Validate that the Citrix Gateway Virtual Server shows a state of UP.
Validate that the Proxy Load Balancing Virtual Server shows a state of UP.
Open a web browser, connect to the Citrix Gateway URL, and attempt to authenticate. If the authentication fails, this message appears: HTTP Status 404 - Not Found
Enroll a device and ensure it gets both MDM and MAM enrollment.
Configure authentication for multiple domains
If you have multiple Endpoint Management instances, such as for test, development, and production environments, you configure Citrix Gateway for the additional environments manually. (You can use the NetScaler for XenMobile wizard only one time.)
Citrix Gateway configuration
To configure Citrix Gateway authentication policies and a session policy for a multi-domain environment:
- In the Citrix Gateway configuration utility, on the Configuration tab, expand NetScaler Gateway > Policies > Authentication.
- In the navigation pane, click LDAP.
Click to edit the LDAP profile. Change the Server Logon Name Attribute to userPrincipalName or the attribute you want to use for searches. Make a note of the attribute that you specify. You must provide it when configuring LDAP settings in the Endpoint Management console.
- Repeat those steps for each LDAP policy. A separate LDAP policy is required for each domain.
- In the session policy bound to the Citrix Gateway virtual server, navigate to Edit session profile > Published Applications. Make sure that Single Sign-On Domain is blank.
Endpoint Management configuration
To configure Endpoint Management LDAP for a multi-domain environment:
In the Endpoint Management console, go to Settings > LDAP and add or edit a directory.
Provide the information.
In Domain Alias, specify each domain to use for user authentication. Separate the domains with a comma and don’t use spaces between the domains. For example: domain1.com,domain2.com,domain3.com
Ensure that the User search by field matches the Server Logon Name Attribute specified in the Citrix Gateway LDAP policy.