Configure IP addresses on NetScaler Gateway

You can configure IP addresses to log on to the configuration utility and for user connections. NetScaler Gateway is configured with a default IP address of 192.168.100.1 and subnet mask of 255.255.0.0 for management access. The default IP address is used whenever a user-configured value for the system IP (NSIP) address is absent.

• NSIP address. The management IP address for NetScaler Gateway that is used for all management-related access to the appliance. NetScaler Gateway also uses the NSIP address for authentication.
• Default gateway. The router that forwards traffic from outside the secure network to NetScaler Gateway.
• Subnet IP (SNIP) address. The IP address that represents the user device by communicating with a server on a secondary network.

The SNIP address uses ports 1024 through 64000.

How NetScaler Gateway uses IP addresses

NetScaler Gateway sources traffic from IP addresses based on the function that is occurring. The following list describes several functions and the way NetScaler Gateway uses IP addresses for each, as a general guideline:

• Authentication. The IP address that NetScaler Gateway uses depends on the authentication server type.
  • LDAP/RADIUS/TACACS servers. If AAAD directly communicates with the authentication virtual server, then the NSIP address is used.
  • If a load balancer is used as proxy, then the load balancer uses the SNIP address for authentication. AAAD uses the NSIP address to communicate with the load balancer. The IP address that the NetScaler uses depends on the entity that is communicating with the authentication virtual server.
  • SAML/OAUTH/WEBAUTH servers: These servers communicate using the SNIP address.
• File transfers from the home page. NetScaler Gateway uses the SNIP address.
• DNS and WINS queries. NetScaler Gateway uses the SNIP address.
• Network traffic to resources in the secure network. NetScaler Gateway uses the SNIP address or IP pooling, depending on the configuration on NetScaler Gateway.
• ICA proxy setting. NetScaler Gateway uses the SNIP address.

Subnet IP addresses

The subnet IP address allows the user to connect to NetScaler Gateway from an external host that resides on another subnet. When you add a subnet IP address, a corresponding route entry is made in the route table. Only one entry is made per subnet. The route entry corresponds to the first IP address added in the subnet.

Unlike the system IP address and the mapped IP address, it is not mandatory to specify the subnet IP address during the initial configuration of NetScaler Gateway.

The mapped IP address and subnet IP addresses use ports 1024 through 64000.

To add a subnet IP address

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand System \ > Network, and then click IPs.
2. In the details pane, click Add.
3. In the Create IP dialog box, in IP Address, type the IP address.
4. In Netmask, type the subnet mask.
5. Under IP Type, select Subnet IP, click Close, and then click Create.

Configure IPv6 for user connections

You can configure NetScaler Gateway to listen for user connections by using Internet Protocol version 6 (IPv6). When you configure one of the following settings, you can select the IPv6 check box and then enter the IPv6 address in the dialog box:

• Global Settings - Published Applications - ICA Proxy
• Global Authentication - RADIUS
• Global Authentication - LDAP
• Global Authentication - TACACS
• Session Profile - Published Applications - ICA Proxy
• NetScaler Gateway Virtual Servers
• Create Authentication Server - RADIUS
• Create Authentication Server - LDAP
• Create Authentication Server - TACACS
• Create Auditing Server
• High Availability Setup
• Bind / Unbind Route Monitors for High Availability
• Virtual server (Load Balancing)

When you configure the NetScaler Gateway virtual server to listen on an IPv6 address, users can connect only with Citrix Workspace app. User connections with the Citrix Secure Access client are not supported with IPv6.

You can use the following guidelines for configuring IPv6 on NetScaler Gateway:

• Citrix Virtual Apps and Web Interface. When you configure IPv6 for user connections and if there is a mapped IP address that uses IPv6, Citrix Virtual Apps and Web Interface servers can also use IPv6. The Web Interface must be installed behind NetScaler Gateway. When users connect through NetScaler Gateway, the IPv6 address is translated to IPv4. When the connection returns, the IPv4 address is translated to IPv6.
• Virtual servers. You can configure IPv6 for a virtual server when you run the NetScaler Gateway wizard. In the NetScaler Gateway wizard on the Virtual Servers page, click IPv6 and enter the IP address. You can only use configure an IPv6 address for a virtual server by using the NetScaler Gateway wizard.
• Other. To configure IPv6 for ICA Proxy, authentication, auditing, and high availability, select the IPv6 check box in the dialog box and then type the IP address.