Gateway

Unified Gateway FAQ

What is Unified Gateway?

Unified Gateway is a new feature in the Citrix ADC 11.0 release, providing the ability to receive traffic on a single virtual server (called a Unified Gateway virtual server) and then internally direct that traffic, as appropriate, to virtual servers that are bound to the Unified Gateway virtual server.

The Unified Gateway feature allows end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). Administrators can free up IP addresses and simplify the configuration of the Citrix Gateway deployment.

Each Unified Gateway virtual server can front-end one Citrix Gateway virtual server along with zero or more load balancing virtual servers as part of a formation. Unified Gateway works by using the content switching feature of the Citrix ADC appliance.

Some examples of Unified Gateway deployments:

  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server]
  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server, one load balancing virtual server]
  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server, two load balancing virtual servers]
  • Unified Gateway Virtual server -> [one Citrix Gateway virtual server, three load balancing virtual servers]

Each of the load balancing virtual servers can be any standard load balancing server that a hosts a back-end service, such as Microsoft Exchange or Citrix ShareFile.

Why use Unified Gateway?

The Unified Gateway feature enables end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). For administrators, the advantage is that they can free up IP addresses and simplify the configuration of the Citrix Gateway deployment.  

Can there be more than one Unified Gateway virtual server?

Yes. There can be as many Unified Gateway virtual servers as you need.

Why is content switching needed for Unified Gateway?

The content switching feature is required because the content switching virtual server is the one that receives traffic and internally directs it to the appropriate virtual server. The content switching virtual server is the primary component of the Unified Gateway feature.

In releases previous to 11.0, content switching can be used to receive traffic for multiple virtual servers. Is that use also called Unified Gateway?

Use of a content switching virtual server for receiving traffic for multiple virtual servers is supported in releases earlier than 11.0. However, content switching cannot direct traffic to a Citrix Gateway virtual server.

The enhancements in 11.0 enable a content switching virtual server to direct traffic to any virtual server, including a Citrix Gateway virtual server.

What has changed with content switching policies in Unified Gateway?

  1. A new command line parameter “-targetVserver” is added for the content switching action. The new parameter is used to specify the target Citrix Gateway virtual server. Example:

    add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG

    In the Citrix Gateway configuration utility, the content switching action has a new option, Target Virtual Server, which can reference a Citrix Gateway virtual server.

  2. A new advanced policy expression, is_vpn_url, can be used to match Citrix Gateway and authentication-specific requests.

What Citrix Gateway features are not currently supported in Unified Gateway?

All features are supported in Unified Gateway. However, a minor issue (issue ID 544325) has been reported with native logon through the VPN plug-in. In this case, seamless single sign-on (SSO) does not work.

With Unified Gateway, what is the behavior of EPA scans?

With Unified Gateway, endpoint analysis is triggered only for the Citrix Gateway access methods, not for Citrix ADC AAA TM access. If a user tries to access a Citrix ADC AAA TM virtual server even though the authentication is done on the Citrix Gateway virtual server, the EPA scan is not triggered. However, if the user is trying to gain clientless VPN/Full VPN access, the configured EPA scan is triggered. In that case, either authentication or seamless SSO is done.

What are the license requirements for Unified Gateway?

Unified Gateway is supported only for Advanced and Premium licenses. It is not available for Citrix Gateway only or Standard license editions.

Does the Citrix Gateway virtual server used with Unified Gateway need an IP/Port/SSL configuration?

For a Citrix Gateway virtual server used with the Unified Gateway virtual server, an IP/Port/SSL configuration is not needed on the Citrix Gateway virtual server. However, for RDP proxy functionality you can bind the same SSL/TLS server certificate to the Citrix Gateway virtual server.

Do I need to reprovision SSL/TLS certificates that are on the Citrix Gateway virtual server for use with a Unified Gateway virtual server?

You do not need to reprovision certificates that are currently bound to your Citrix Gateway virtual server. You are free to reuse any existing SSL certificates and to bind those to the Unified Gateway virtual server.

What is the difference between a single URL and a multi-host deployment? Which one do I need?

Single URL refers to the ability of the Unified Gateway virtual server handle traffic for one fully qualified domain name (FQDN). This restriction exists when Unified Gateway uses an SSL/TLS server certificate that has the certificate subject populated with the FQDN. For example: ug.citrix.com

If Unified Gateway is using a wildcard server certificate, it can handle traffic for multiple subdomains. For example: *.citrix.com

Another option is SSL/TLS configuration with Server Name Indicator (SNI) functionality to allow binding of multiple SSL/TLS server certificates. Examples: auth.citrix.com, auth.citrix.de, auth.citrix.co.uk, auth.citrix.co.jp

Single host versus multiple hosts is analogous to the way websites are typically hosted on a webserver (for example the Apache HTTP server or Microsoft Internet Information Services (IIS)). If there is a single host, you can use a site path to switch traffic the same way you use alias or “virtual directory” in Apache. If there are multiple hosts, you use a host header to switch traffic similarly to the way you use Virtual Hosts in Apache.

What authentication mechanisms can be used with Unified Gateway?

All existing authentication mechanisms that are compatible with Citrix Gateway are also compatible with Unified Gateway.

These include LDAP, RADIUS, SAML, Kerberos, Certificate based Authentication, and so on.

Whatever authentication mechanism is configured on the Citrix Gateway virtual server before the upgrade is automatically used when the Citrix Gateway virtual server is placed behind the Unified Gateway virtual server. There are no additional configuration steps involved, other than assigning a non-addressable IP address (0.0.0.0) to th Citrix Gateway virtual server.

What is ”SelfAuth”’ Authentication?

SelfAuth is not an authentication type by itself. SelfAuth describes how a URL is created. A new command line parameter, ssotype, is available for VPN URL configuration. Example:

> add vpn url RGB RGB "http://blue.citrix.lab/" -vServerName Blue -ssotype selfauth

SelfAuth is one of the values of the ssotype parameter. This type of URL can be used to access resources that are not in the same domain as the Unified Gateway virtual server. The setting can be seen in the configuration utility when configuring a Bookmark.

What is ”StepUp” Authentication’?

When extra, more secure levels of authentication are required for accessing a Citrix ADC AAA TM resource, you can use StepUp authentication. On the command line, use an authnProfile command to set the authenticationLevel parameter. Example:

add authentication authnProfile AuthProfile -authnVsName AAATMVserver -AuthenticationHost auth.citrix.lab -AuthenticationDomain citrix.lab **-**AuthenticationLevel 100
<!--NeedCopy-->

This authentication profile is bound to the load balancing virtual server.

Is StepUp authentication supported for Citrix ADC AAA TM virtual servers?

Yes, it is supported.

What is login once/logout once?

Login Once: VPN users log in once to either a Citrix ADC AAA TM or a Citrix Gateway virtual server. And from then on, VPN users have seamless access to all the Enterprise/Cloud/Web Applications. The user need not be reauthenticated. However, reauthentication is done for special cases, such as Citrix ADC AAA TM StepUp.

Logout Once: After the first Citrix ADC AAA TM or Citrix Gateway session is created, it is used to create subsequent Citrix ADC AAA TM or Citrix Gateway sessions for that user. If any of those sessions are logged out, the Citrix ADC appliance also logs out the user’s other applications or sessions.

Can common authentication policies be specified at the Unified Gateway level with Citrix ADC AAA TM load balancing virtual server specific authenticated bound at the load balancing virtual server level? What are the configuration steps to support this use case?

If you need to specify separate authentication policies for the Citrix ADC AAA TM virtual server behind Unified Gateway, you need to have a separate, independently addressable authentication virtual server (similar to ordinary Citrix ADC AAA TM configuration). The authentication host setting on the load balancing virtual server has to point to this authentication virtual server.

How do you configure Unified Gateway so that bound Citrix ADC AAA TM virtual servers have their own authentication policies?

In this scenario, the load balancing server must have the authentication FQDN option set to point to the Citrix ADC AAA TM virtual server. The Citrix ADC AAA TM virtual server must have an independent IP address and be reachable from Citrix ADC and clients.

Is a Citrix ADC AAA TM Authentication Virtual server required for authenticating users coming through a Unified Gateway virtual server?

No. The Citrix Gateway virtual server authenticates even the Citrix ADC AAA TM users.

Where do you specify Citrix Gateway Authentication policies—at the Unified Gateway virtual server or at the Citrix Gateway virtual server?

Authentication policies are to be bound to the Citrix Gateway virtual server.

How do you enable authentication on the Citrix ADC AAA TM Virtual servers behind a Unified Gateway content switching virtual server?

Enable authentication on the Citrix ADC AAA TM and point the authentication host to the Unified Gateway content switching FQDN.

How do I add TM Virtual servers behind content switching (single URL versus multi-host)?

There is no difference between adding the Citrix ADC AAA TM virtual servers for a single URL and adding it for multiple hosts. In either case, the virtual server is added as a target in a content switching action. The difference between single URL vs multi-host is implemented by content-switching policy rules.

What happens to the authentication policies bound to a Citrix ADC AAA TM load balancing virtual server if that virtual server is moved behind a Unified Gateway virtual server?

Authentication policies are bound to the authentication virtual server, and the authentication virtual server is bound to the load balancing virtual server. For the Unified Gateway virtual server, Citrix recommends having the Citrix Gateway virtual server as the single authentication point, which negates the need to perform authentication on an authentication virtual server (or even the need for a specific authentication virtual server). Pointing the authentication host to the Unified Gateway virtual server FQDN ensures that authentication is done by the Citrix Gateway virtual server. If you point the authentication host to content switching for Unified Gateway and still have an authentication virtual server bound, the authentication policies bound to the authentication virtual server are ignored. However, if you point an authentication host to an independent addressable authentication virtual server, the bound authentication policies bound take effect.

How do you configure session policies for Citrix ADC AAA TM sessions?

If, in Unified Gateway, no authentication virtual server is specified for the Citrix ADC AAA TM virtual server, the Citrix ADC AAA TM sessions inherit the Citrix Gateway session policies. If the authentication virtual server is specified, the Citrix ADC AAA TM session policies bound to that virtual server are applied.

What are the changes to the Citrix Gateway portal in Citrix ADC 11.0?

In Citrix ADC releases earlier than 11.0, a single portal customization can be set up at the global level. Every gateway virtual server in a given Citrix ADC appliance uses the global portal customization.

In Citrix ADC 11.0, with the portal themes feature, you can set up multiple portal themes. Themes can be bound globally or to specific virtual servers.

Does Citrix ADC 11.0 support Citrix Gateway portal customization?

Using the configuration utility, you can use the new portal themes feature to customize and create the portal themes completely. You can upload different images, set color schemes, change text labels and so on.

The portal pages that can be customized are:

  • Login Page
  • Endpoint Analysis Page
  • Endpoint Analysis Error Page
  • Post Endpoint Analysis Page
  • VPN Connection Page
  • Portal Home Page

With this release, you can customize Citrix Gateway virtual servers with unique portal designs.

Are portal themes supported in Citrix ADC high availability or cluster deployments?

Yes. Portal Themes are supported in Citrix ADC high availability and cluster deployments.

Do my customizations be migrated as part of the Citrix ADC 11.0 upgrade process?

No. Existing customizations to the Citrix Gateway portal page that are invoked through rc.conf/rc.netscaler file modification or by using custom theme functionality in 10.1/10.5 is not be automatically migrated upon upgrade to Citrix ADC 11.0.

Are there any pre-upgrade steps to follow to be ready for portal themes in Citrix ADC 11.0?

Any existing customizations must be removed from the rc.conf or rc.netscaler files.

The other option is that if custom themes are used, they have to be assigned the Default setting:

  1. Navigate to Configuration > Citrix Gateway > Global Settings

  2. Click Change Global Settings.

  3. Click Client Experience and select Default from the UI Theme list.

I have customizations that are stored on the Citrix ADC instance, invoked by rc.conf or rc.netscaler. How do I move to portal themes?

Citrix Knowledge Center article CTX126206 details such a configuration for Citrix ADC 9.3 and 10.0 releases up to 10.0 build 73.5001.e. Since Citrix ADC 10.0 build 10.0 73.5002.e (including 10.1 and 10.5), the UITHEME CUSTOM parameter has been available to help customers retain their customizations across reboots. If the customizations are stored on the Citrix ADC hard drive and you would like to continue using these customizations, back up the 11.0 GUI files and insert them into the existing custom theme file. If you want to move to portal themes, you must first unset the UITHEME parameter in the Global Settings or the Session profile, under Client Experience. Or, you can set it to DEFAULT or GREENBUBBLE. Then you are able to start to create and bind a Portal Theme.

How can I export my current customizations and save them before upgrading to Citrix ADC 11.0? Can I move the exported files to a different Citrix ADC appliance?

The customized files that were uploaded to the ns_gui_custom folder are on the disk and persist across upgrades. However, these files might not be entirely compatible with the new Citrix ADC 11.0 kernel and other GUI files that are part of the kernel. Therefore, Citrix recommends backing up the 11.0 GUI files and customizing the backups.

Moreover, there is no utility in the configuration utility to export the ns_custom_gui folder to another Citrix ADC appliance. Use SSH or a file transfer utility such as WinSCP to take the files off the Citrix ADC instance.

Are portal themes supported for Citrix ADC AAA TM virtual servers?

Yes. Portal Themes are supported for Citrix ADC AAA TM virtual servers.

What changed in the RDP Proxy feature for Citrix Gateway 11.0?

Many enhancements have been made to RDP Proxy since the Citrix ADC 10.5.e enhancement release. In Citrix ADC 11.0 this feature is available from the first released build.

Licensing changes

The RDP Proxy feature in Citrix ADC 11.0 can be used only with Premium and Advanced editions. Citrix Concurrent User (CCU) licenses must be obtained for each user.

Enable Command

In Citrix ADC 10.5.e there was no command to enable RDP Proxy. In Citrix ADC 11.0, the enable command has been added:

enable feature rdpproxy
<!--NeedCopy-->

The feature must be licensed to run this command.

Other RDP Proxy Changes

A Pre-shared Key (PSK) attribute on the server profile has been made mandatory.

To migrate existing Citrix ADC 10.5.e configurations for RDP proxy to Citrix ADC 11.0, the following details must be understood and addressed.

If an administrator wants to add an existing RDP proxy configuration to a chosen Unified Gateway deployment:

  • The Citrix Gateway virtual server’s IP address must be edited and set to a non-addressable IP address (0.0.0.0).
  • Any SSL/TLS server certificates, authentication policies must be bound to the Citrix Gateway virtual server that is part of the chosen Unified Gateway formation.

How do you migrate a Remote Desktop Protocol (RDP) Proxy configuration based on Citrix ADC 10.5.e to Citrix ADC 11.0?

Option 1: Keep the existing Citrix Gateway virtual server with RDP Proxy configuration as is, with a Premium or Advanced license.

Option 2: Move the existing Citrix Gateway virtual server with RDP Proxy configuration, placing it behind a Unified Gateway virtual server.

Option 3: Add a standalone Citrix Gateway virtual server with RDP Proxy configuration to an existing Standard Edition appliance.

How do you set up Citrix Gateway for RDP proxy configuration using the Citrix ADC 11.0 release?

There are two options for deploying RDP proxy using the NS 11.0 release:

  1. Using an externally facing Citrix Gateway virtual server. This requires one externally visible IP address/FQDN for the Citrix Gateway virtual server.  This option is what is available in Citrix ADC 10.5.e.

  2. Using a Unified Gateway virtual server front-ending the Citrix Gateway virtual server.

With Option 2 the Citrix Gateway virtual server does not require its own IP address/FQDN, because it uses a non-addressable IP address (0.0.0.0).

Is HDX Insight compatible with Unified Gateway?

When Citrix Gateway is deployed with Unified Gateway, the following conditions must be met:

  • The Citrix Gateway virtual server must have a valid SSL certificate bound to it.

  • The Citrix Gateway virtual server must be in an UP state to generate AppFlow records on Citrix ADM, for HDX Insight reporting.

How do I migrate my existing HDX Insight configuration?

No migration is needed. AppFlow policies bound to a Citrix Gateway virtual server carry over if that Citrix Gateway virtual server is put behind a Unified Gateway virtual server.

For existing data on Citrix ADM for the Citrix Gateway virtual server, there are two possibilities:

  • If the IP Address of the Citrix Gateway virtual server is assigned to a Unified Gateway virtual server as part of migration to Unified Gateway, the data remains linked to the Citrix Gateway virtual server
  • If the Unified Gateway virtual server is assigned a separate IP address, AppFlow data from the Citrix Gateway virtual server is linked to that new IP address. Therefore, existing data is not part of new data.
Unified Gateway FAQ

In this article