Creating Policies with the Quick Configuration Wizard
Note: Citrix Endpoint Management is no longer supported.
You can configure settings in Citrix Gateway to enable communication with Endpoint Management, StoreFront, or the Web Interface by using the Quick Configuration wizard. When you complete the configuration, the wizard creates the correct policies for communication between Citrix Gateway, Endpoint Management, StoreFront, or the Web Interface. These policies include authentication, session, and clientless access policies. When the wizard completes, the policies are bound to the virtual server that the wizard creates.
When you complete the Quick Configuration wizard, Citrix Gateway can communicate with Endpoint Management or StoreFront, and users can access their Windows-based applications and virtual desktops and web, SaaS, and mobile apps. Users can then connect directly to Endpoint Management.
During the wizard, you configure the following settings:
- Virtual server name, IP address, and port
- Redirection from an unsecure to a secure port
- Certificates
- LDAP server
- RADIUS server
- Client certificate for authentication (only for two-factor authentication)
- Endpoint Management, StoreFront, or Web Interface
You can configure certificates for Citrix Gateway in the Quick Configuration wizard by using the following methods:
- Select a certificate that is installed on the appliance.
- Install a certificate and private key.
- Select a test certificate. Note: If you use a test certificate, you must add the fully qualified domain name (FQDN) that is in the certificate.
The Quick Configuration wizard supports LDAP, RADIUS, and client certificate authentication. You can configure two-factor authentication in the wizard by following these guidelines:
- If you select LDAP as your primary authentication type, you can configure RADIUS as the secondary authentication type.
- If you select RADIUS as your primary authentication type, you can configure LDAP as the secondary authentication type.
- If you select client certificates as your primary authentication type, you can configure LDAP or RADIUS as the secondary authentication type.
You can configure only one LDAP authentication policy by using the Quick Configuration wizard. The wizard does not allow you to configure multiple LDAP authentication policies. If you run the wizard more than one time and want to use a different LDAP policy, you must configure the additional policies manually. For example, you might want one policy that uses sAMAccountName in the Server Logon Name Attribute field and a second LDAP policy that uses the User Principal Name (UPN) in the Server Logon Name Attribute field. To configure these separate policies, use the configuration utility to create the authentication policies. For more information about configuring Citrix Gateway to authenticate user access with one or more LDAP servers, see Configuring LDAP Authentication.
When you create a virtual server by using the Quick Configuration wizard, if you want to remove the virtual server later, Citrix recommends removing it by using the Home tab. When you use this method to remove the virtual server, the policies and profiles configured through the wizard are removed. If you remove the virtual server by using the Configuration tab, the policies and profiles are not removed. The wizard does not remove the following items:
- Certificate key pair created during the wizard is not removed, even if the certificate is not bound to a virtual server
- LDAP authentication policy and profile remain if the policy is bound to another virtual server. Citrix Gateway removes the LDAP policy only if the policy is not bound to a virtual server.
The following tables describe the policies and profiles that the Quick Configuration wizard creates. As described in the tables, the policies and profiles that are configured depend on how users connect: with the Citrix Gateway plug-in, Citrix Workspace app, or Secure Hub. The policies that are enforced depend on the Citrix Endpoint Management Universal or Platform license that is used when users connect. When you purchased Citrix Gateway, you also purchased a set number of Universal licenses; for example, 100. If users connect with the Citrix Gateway plug-in, the session uses one Universal license. If users connect with the Citrix Workspace app to access Windows-based applications and desktops, the session uses the Platform license. If users connect from a mobile device by using micro VPN, and connect with Secure Hub, or start apps, such as WorxMail or WorxWeb, the session uses a Universal license.
Session Policies, Expressions, and Profiles for the Universal License
The Quick Configuration wizard creates the following session policies and expressions that are enforced when the session uses the Universal license.
Policy type | Expression |
---|---|
Session - Citrix Secure Hub or Citrix Workspace app | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS |
Session - Citrix Workspace app for Web | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver |
Session - Citrix Gateway | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS |
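The three expressions in the table above are plain header tests, so their effect on a given request can be checked offline. The following added example (not Citrix code) evaluates them against constructed request headers; the evaluator's matching semantics, noted in the comments, and the sample headers are assumptions.

```python
import re

# Expressions copied from the Universal-license table above.
WIZARD_POLICIES = {
    "Session - Citrix Secure Hub or Citrix Workspace app":
        "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && "
        "REQ.HTTP.HEADER X-Citrix-Gateway EXISTS",
    "Session - Citrix Workspace app for Web":
        "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver",
    "Session - Citrix Gateway":
        "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && "
        "REQ.HTTP.HEADER Referer NOTEXISTS",
}

CLAUSE = re.compile(r"REQ\.HTTP\.HEADER\s+(\S+)\s+"
                    r"(CONTAINS|NOTCONTAINS|EXISTS|NOTEXISTS)(?:\s+(\S+))?")

def eval_clause(clause, headers):
    """Evaluate one header test against lower-cased request headers."""
    m = CLAUSE.fullmatch(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    name, op, operand = m.groups()
    value = headers.get(name.lower())
    if op in ("EXISTS", "NOTEXISTS"):
        return (value is not None) == (op == "EXISTS")
    if operand is None:
        raise ValueError(f"{op} needs an operand: {clause!r}")
    # Assumption: case-sensitive substring; a missing header contains nothing.
    found = value is not None and operand in value
    return found if op == "CONTAINS" else not found

def matching_policies(request_headers):
    """Return every wizard policy whose &&-joined clauses all hold."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    return [name for name, expr in WIZARD_POLICIES.items()
            if all(eval_clause(c, headers) for c in expr.split("&&"))]

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "native app": {"User-Agent": "CitrixReceiver/sample",
                   "X-Citrix-Gateway": "gateway.example.com"},
    "browser with referer": {"User-Agent": "Mozilla/5.0 (sample)",
                             "Referer": "https://gateway.example.com/"},
    "browser, no referer": {"User-Agent": "Mozilla/5.0 (sample)"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {matching_policies(hdrs)}")
```

The third sample satisfies two of the wizard's expressions at once, which matters when reviewing which session profile a given client receives. All three expressions test headers that the client sends, so they select a profile by client type rather than verify it.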
The following table shows the session profile settings that the Quick Configuration wizard creates for each session policy type in the preceding table. The first column describes where to find the profile setting or the tab in the session profile in the configuration utility.
The StoreFront URL you enter depends on how users connect. If users connect by using the Citrix Workspace app for Web or by using a web browser, you use the URL form https://SF-FQDN/Citrix/StoreWeb. If users connect by using Citrix Workspace app on Windows, Mac, or mobile devices, you use the URL form https://SF-FQDN/Citrix/Store.
Profile location | Profile setting | Citrix Workspace app | Citrix Workspace app for Web | Citrix Gateway |
---|---|---|---|---|
Resources > Intranet Applications | Transparent interception | N/A | Off | On |
Session > Client Experience tab | Clientless access | On | On | Off |
Session > Published Applications tab | ICA Proxy | Off | Off | Off |
Session > Client Experience tab | Single sign-on to Web applications | On | On | On |
Session > Published Applications tab | Single sign-on domain | Endpoint Management StoreWeb URL | Endpoint Management StoreWeb URL | Endpoint Management StoreWeb URL |
Session > Published Applications tab | Web Interface Address | Endpoint Management StoreWeb URL | Endpoint Management StoreWeb URL | Endpoint Management StoreWeb URL |
Session > Published Applications tab | Account Services Address | StoreFront URL | N/A | StoreFront URL |
Session > Client Experiences tab | Split Tunnel | Off | N/A | Off |
Session > Client Experiences tab | Clientless Access URL Encoding | Clear | N/A | Clear |
Session > Client Experiences tab | Home Page | N/A | Endpoint Management StoreWeb URL | Endpoint Management StoreWeb URL |
Session > Client Experiences tab and then click the Advanced Settings > General tab | Client Choices | Off | Off | Off |
Session > Security tab | Default Authorization Action | Allow | Allow | Allow |
Session > Client Experiences tab | Session Time-out (mins) | 24 hours | N/A | N/A |
Session > Client Experiences tab | Client Idle Time-out (mins) | (0) disabled | N/A | N/A |
Session > Network Configuration tab and then click Advanced Settings | Forced Time-out (mins) | 24 hours | N/A | N/A |
Clientless Access Profile Settings for the Universal License
The Quick Configuration wizard creates the following clientless access profile settings for the Universal license:
- Configure Domains for Clientless Access to allow access. Configures the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
- App Controller URL. Configures the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
- ShareFile. Allows for up to five bindings. Configure the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
Clientless Access Settings and Rules for the Universal License
The following table lists the clientless access policy settings that are enforced when the session uses the Universal license.
Policy name | Rule | Profile | URLs rewrite label | Javascript rewrite label | Pattern set | Comments |
---|---|---|---|---|---|---|
CLT_LESS_VIP | Receiver_NoRewrite | NO_RW_VIP | Default | Default | Default | Receiver_NoRewrite |
CLT_LESS_RF_VIPCLT_LESS_RF_VIP | True | ST_WB_RW_VIP | ns_cvpn_default_inet_url_label | Default | STORE_WEB_COOKIES | RfWeb_Rewrite |
The pattern set STORE_WEB_COOKIES for Citrix Workspace app for Web appends the Citrix Gateway virtual IP address to the name, as shown in the next figure:
Figure 1. Pattern Set for Citrix Workspace app for Web
Session Policies, Rules, and Profiles for the Platform License
The Platform license with Citrix Gateway allows for an unlimited number of ICA connections to Windows-based applications and desktops hosted by Citrix Virtual Apps and Desktops. The following tables show the session rules and session policy settings for users who connect with Citrix Workspace app.
Policy type | Rule |
---|---|
Session - Operating System and Citrix Gateway | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver |
Session - Receiver for Web | ns_true |
Profile location | Profile setting | Operating system/Citrix Gateway | Web |
---|---|---|---|
Resources > Intranet Applications | Transparent interception | N/A | Off |
Session > Client Experience tab | Clientless Access | Off | Off |
Session > Published Applications tab | ICA Proxy | On | On |
Session > Client Experience tab | Single Sign-on to Web Applications | On | On |
Session > Published Applications tab | Single Sign-on Domain | Set | Set |
Session > Published Applications tab | Web Interface Address | config.xml if Web Interface | |
StoreFront URL with StoreWeb | StoreFront URL | ||
Session > Published Applications tab | Account Services Address | StoreFront URL with StoreWeb | N/A |
Session > Client Experiences tab | Split Tunnel | Off | N/A |
Session > Client Experiences tab | Clientless Access URL Encoding | N/A | N/A |
Session > Client Experiences tab | Home Page | N/A | N/A |
Session > Client Experiences tab and then click the Advanced Settings > General tab | Client Choices | Off | Off |
Session > Security tab | Default Authorization Action | Allow | Allow |
Session > Client Experiences tab | Session Time-out (mins) | N/A | N/A |
Session > Client Experiences tab | Client Idle Time-out (mins) | N/A | N/A |
Session > Network Configuration tab and then click Advanced Settings | Forced Time-out (mins) | N/A | N/A |