Unified Gateway FAQ

What is Unified Gateway?

Unified Gateway is a new feature in the NetScaler 11.0 release, providing the ability to receive traffic on a single virtual server (called a Unified Gateway virtual server) and then internally direct that traffic, as appropriate, to virtual servers that are bound to the Unified Gateway virtual server.

The Unified Gateway feature allows end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). Administrators can free up IP addresses and simplify the configuration of the NetScaler Gateway deployment.

Each Unified Gateway virtual server can front-end one NetScaler Gateway virtual server along with zero or more load balancing virtual servers as part of a formation. Unified Gateway works by using the content switching feature of the NetScaler appliance.

Some examples of Unified Gateway deployments:

  • Unified Gateway Virtual server -> [one NetScaler Gateway virtual server]
  • Unified Gateway Virtual server -> [one NetScaler Gateway virtual server, one load balancing virtual server]
  • Unified Gateway Virtual server -> [one NetScaler Gateway virtual server, two load balancing virtual servers]
  • Unified Gateway Virtual server -> [one NetScaler Gateway virtual server, three load balancing virtual servers]

Each of the load balancing virtual servers can be any standard load balancing virtual server that hosts a back-end service, such as Microsoft Exchange or Citrix ShareFile.

Why use Unified Gateway?

The Unified Gateway feature enables end users to access multiple services by using a single IP address or URL (associated with the Unified Gateway virtual server). For administrators, the advantage is that they can free up IP addresses and simplify the configuration of the NetScaler Gateway deployment.

Can there be more than one Unified Gateway virtual server?

Yes. There can be as many Unified Gateway virtual servers as you need.

Why is content switching needed for Unified Gateway?

The content switching feature is required because the content switching virtual server is the one that receives traffic and internally directs it to the appropriate virtual server. The content switching virtual server is the primary component of the Unified Gateway feature.

In releases previous to 11.0, content switching can be used to receive traffic for multiple virtual servers. Is that use also called Unified Gateway?

Use of a content switching virtual server for receiving traffic for multiple virtual servers is supported in releases earlier than 11.0. However, content switching cannot direct traffic to a NetScaler Gateway virtual server.

The enhancements in 11.0 enable a content switching virtual server to direct traffic to any virtual server, including a NetScaler Gateway virtual server.

What has changed with content switching policies in Unified Gateway?

  1. A new command line parameter “-targetVserver” is added for the content switching action. The new parameter is used to specify the target NetScaler Gateway virtual server. Example:

    add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG

    In the NetScaler Gateway configuration utility, the content switching action has a new option, Target Virtual Server, which can reference a NetScaler Gateway virtual server.

  2. A new advanced policy expression, is_vpn_url, can be used to match NetScaler Gateway and authentication-specific requests.

What NetScaler Gateway features are not currently supported in Unified Gateway?

All features are supported in Unified Gateway. However, a minor issue (issue ID 544325) has been reported with native logon through the VPN plug-in. In this case, seamless single sign-on (SSO) does not work.

With Unified Gateway, what is the behavior of EPA scans?

With Unified Gateway, endpoint analysis is triggered only for the NetScaler Gateway access methods, not for NetScaler AAA TM access. If a user tries to access a NetScaler AAA TM virtual server even though the authentication is done on the NetScaler Gateway virtual server, the EPA scan is not triggered. However, if the user is trying to gain clientless VPN/Full VPN access, the configured EPA scan is triggered. In that case, either authentication or seamless SSO is done.

What are the license requirements for Unified Gateway?

Unified Gateway is supported only with Advanced and Premium licenses. It is not available with NetScaler Gateway-only or Standard license editions.

Does the NetScaler Gateway virtual server used with Unified Gateway need an IP/Port/SSL configuration?

For a NetScaler Gateway virtual server used with the Unified Gateway virtual server, an IP/Port/SSL configuration is not needed on the NetScaler Gateway virtual server. However, for RDP proxy functionality you can bind the same SSL/TLS server certificate to the NetScaler Gateway virtual server.

Do I need to reprovision SSL/TLS certificates that are on the NetScaler Gateway virtual server for use with a Unified Gateway virtual server?

You do not need to reprovision certificates that are currently bound to your NetScaler Gateway virtual server. You are free to reuse any existing SSL certificates and to bind those to the Unified Gateway virtual server.

What is the difference between a single URL and a multi-host deployment? Which one do I need?

Single URL refers to the ability of the Unified Gateway virtual server to handle traffic for one fully qualified domain name (FQDN). This restriction exists when Unified Gateway uses an SSL/TLS server certificate whose subject is populated with the FQDN. For example: ug.citrix.com

If Unified Gateway is using a wildcard server certificate, it can handle traffic for multiple subdomains. For example: *.citrix.com

Another option is SSL/TLS configuration with Server Name Indicator (SNI) functionality to allow binding of multiple SSL/TLS server certificates. Examples: auth.citrix.com, auth.citrix.de, auth.citrix.co.uk, auth.citrix.co.jp

Single host versus multiple hosts is analogous to the way websites are typically hosted on a web server (for example the Apache HTTP server or Microsoft Internet Information Services (IIS)). If there is a single host, you can use a site path to switch traffic, the same way you use an Alias in Apache or a virtual directory in IIS. If there are multiple hosts, you use the host header to switch traffic, similarly to the way you use Virtual Hosts in Apache.
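The formation described above, written out as NetScaler CLI (an added example, not the page's own configuration): one addressable content switching virtual server fronts a non-addressable NetScaler Gateway virtual server and two load balancing virtual servers, one switched by site path (single URL) and one by host header (multi-host). All object names, the address 192.0.2.10, the certificate key names and the example.com hostnames are constructed; the # lines are annotations, not CLI syntax.

```nscli
# Addressable front end: the single IP address/URL that clients see (constructed values).
add cs vserver UG_VPN_CS SSL 192.0.2.10 443
bind ssl vserver UG_VPN_CS -certkeyName ug_example_com

# NetScaler Gateway virtual server in the formation: non-addressable (0.0.0.0, port 0),
# so it needs no IP/port/SSL configuration of its own.
add vpn vserver UG_VPN_MyUG SSL 0.0.0.0 0
# Only needed for RDP proxy: the same server certificate bound to the Gateway vserver.
bind ssl vserver UG_VPN_MyUG -certkeyName ug_example_com

# Direct Gateway and authentication requests into the Gateway vserver using the
# 11.0 -targetVserver parameter and the is_vpn_url expression. The lowest priority
# number is evaluated first, so this rule is checked before the application rules.
add cs action UG_CSACT_MyUG -targetVserver UG_VPN_MyUG
add cs policy UG_CSPOL_MyUG -rule is_vpn_url -action UG_CSACT_MyUG
bind cs vserver UG_VPN_CS -policyName UG_CSPOL_MyUG -priority 100

# Single URL: one FQDN on the certificate, so switch on the site path
# (the Apache Alias / IIS virtual directory model).
add lb vserver LB_Exchange SSL 0.0.0.0 0
add cs action UG_CSACT_Exchange -targetLBVserver LB_Exchange
add cs policy UG_CSPOL_Exchange -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action UG_CSACT_Exchange
bind cs vserver UG_VPN_CS -policyName UG_CSPOL_Exchange -priority 110

# Multi-host: switch on the Host header (the Apache VirtualHost model). The
# certificate bound to UG_VPN_CS must also cover this name (a wildcard
# certificate, or SNI with a second certificate bound to UG_VPN_CS).
add lb vserver LB_ShareFile SSL 0.0.0.0 0
add cs action UG_CSACT_ShareFile -targetLBVserver LB_ShareFile
add cs policy UG_CSPOL_ShareFile -rule "HTTP.REQ.HOSTNAME.SERVER.EQ(\"files.example.com\")" -action UG_CSACT_ShareFile
bind cs vserver UG_VPN_CS -policyName UG_CSPOL_ShareFile -priority 120
```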

What authentication mechanisms can be used with Unified Gateway?

All existing authentication mechanisms that are compatible with NetScaler Gateway are also compatible with Unified Gateway.

These include LDAP, RADIUS, SAML, Kerberos, Certificate based Authentication, and so on.

Whatever authentication mechanism is configured on the NetScaler Gateway virtual server before the upgrade is automatically used when the NetScaler Gateway virtual server is placed behind the Unified Gateway virtual server. There are no additional configuration steps involved, other than assigning a non-addressable IP address (0.0.0.0) to the NetScaler Gateway virtual server.

What is “SelfAuth” authentication?

SelfAuth is not an authentication type by itself. SelfAuth describes how a URL is created. A new command line parameter, ssotype, is available for VPN URL configuration. Example:

> add vpn url RGB RGB "http://blue.citrix.lab/" -vServerName Blue -ssotype selfauth

SelfAuth is one of the values of the ssotype parameter. This type of URL can be used to access resources that are not in the same domain as the Unified Gateway virtual server. The setting can be seen in the configuration utility when configuring a Bookmark.

What is “StepUp” authentication?

When extra, more secure levels of authentication are required for accessing a NetScaler AAA TM resource, you can use StepUp authentication. On the command line, use an authnProfile command to set the authenticationLevel parameter. Example:

    add authentication authnProfile AuthProfile -authnVsName AAATMVserver -AuthenticationHost auth.citrix.lab -AuthenticationDomain citrix.lab -AuthenticationLevel 100

This authentication profile is bound to the load balancing virtual server.

Is StepUp authentication supported for NetScaler AAA TM virtual servers?

Yes, it is supported.

What is login once/logout once?

Login Once: VPN users log in once to either a NetScaler AAA TM or a NetScaler Gateway virtual server, and from then on have seamless access to all Enterprise/Cloud/Web applications. The user need not be reauthenticated. However, reauthentication is done for special cases, such as NetScaler AAA TM StepUp.

Logout Once: After the first NetScaler AAA TM or NetScaler Gateway session is created, it is used to create subsequent NetScaler AAA TM or NetScaler Gateway sessions for that user. If any of those sessions are logged out, the NetScaler appliance also logs out the user’s other applications or sessions.

Can common authentication policies be specified at the Unified Gateway level, with NetScaler AAA TM load balancing virtual server-specific authentication bound at the load balancing virtual server level? What are the configuration steps to support this use case?

If you need to specify separate authentication policies for the NetScaler AAA TM virtual server behind Unified Gateway, you need to have a separate, independently addressable authentication virtual server (similar to ordinary NetScaler AAA TM configuration). The authentication host setting on the load balancing virtual server has to point to this authentication virtual server.

How do you configure Unified Gateway so that bound NetScaler AAA TM virtual servers have their own authentication policies?

In this scenario, the load balancing virtual server must have the authentication FQDN option set to point to the NetScaler AAA TM virtual server. The NetScaler AAA TM virtual server must have an independent IP address and be reachable from the NetScaler appliance and from clients.

Is a NetScaler AAA TM Authentication Virtual server required for authenticating users coming through a Unified Gateway virtual server?

No. The NetScaler Gateway virtual server authenticates even the NetScaler AAA TM users.

Where do you specify NetScaler Gateway Authentication policies—at the Unified Gateway virtual server or at the NetScaler Gateway virtual server?

Authentication policies are to be bound to the NetScaler Gateway virtual server.

How do you enable authentication on the NetScaler AAA TM Virtual servers behind a Unified Gateway content switching virtual server?

Enable authentication on the NetScaler AAA TM and point the authentication host to the Unified Gateway content switching FQDN.

How do I add TM Virtual servers behind content switching (single URL versus multi-host)?

There is no difference between adding NetScaler AAA TM virtual servers for a single URL and adding them for multiple hosts. In either case, the virtual server is added as a target in a content switching action. The difference between single URL and multi-host is implemented by the content switching policy rules.

What happens to the authentication policies bound to a NetScaler AAA TM load balancing virtual server if that virtual server is moved behind a Unified Gateway virtual server?

Authentication policies are bound to the authentication virtual server, and the authentication virtual server is bound to the load balancing virtual server. For the Unified Gateway virtual server, Citrix recommends having the NetScaler Gateway virtual server as the single authentication point, which removes the need to perform authentication on an authentication virtual server (or even the need for a specific authentication virtual server). Pointing the authentication host to the Unified Gateway virtual server FQDN ensures that authentication is done by the NetScaler Gateway virtual server. If you point the authentication host to the Unified Gateway content switching virtual server and still have an authentication virtual server bound, the authentication policies bound to that authentication virtual server are ignored. However, if you point the authentication host to an independently addressable authentication virtual server, the bound authentication policies take effect.

How do you configure session policies for NetScaler AAA TM sessions?

If, in Unified Gateway, no authentication virtual server is specified for the NetScaler AAA TM virtual server, the NetScaler AAA TM sessions inherit the NetScaler Gateway session policies. If the authentication virtual server is specified, the NetScaler AAA TM session policies bound to that virtual server are applied.
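The authentication choices from the preceding questions as NetScaler CLI (an added example, not the page's own configuration). Option A leaves authentication to the NetScaler Gateway virtual server by pointing the authentication host at the Unified Gateway FQDN; option B gives one application its own policies through an independently addressable authentication virtual server; the StepUp profile from the earlier question is then attached to that load balancing virtual server. It assumes a load balancing virtual server LB_Exchange already behind the Unified Gateway; ug.example.com, auth.example.com, 192.0.2.11, the LDAP values and all object names are constructed, and the # lines are annotations, not CLI syntax.

```nscli
# Option A (the FAQ's recommendation): the Gateway vserver in the formation
# authenticates, so no authentication vserver is needed. Point the authentication
# host at the Unified Gateway FQDN. Policies on any bound authentication vserver
# are ignored, and the AAA TM session inherits the Gateway session policies.
set lb vserver LB_Exchange -authentication ON -authenticationHost ug.example.com

# Option B: this application needs its own authentication policies. Create an
# independently addressable authentication vserver (reachable from the appliance
# and from clients), bind its own policy, and point the LB vserver at its FQDN.
add authentication vserver AAA_HR SSL 192.0.2.11 443
bind ssl vserver AAA_HR -certkeyName auth_example_com
add authentication ldapAction LDAP_HR -serverIP 192.0.2.50 -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ns@example.com" -ldapBindDnPassword "<placeholder>" -ldapLoginName sAMAccountName
add authentication ldapPolicy LDAP_HR_pol ns_true LDAP_HR
bind authentication vserver AAA_HR -policy LDAP_HR_pol -priority 100
add lb vserver LB_HR SSL 0.0.0.0 0
set lb vserver LB_HR -authentication ON -authenticationHost auth.example.com

# StepUp: require a higher authentication level for LB_HR by attaching an
# authentication profile (the authnProfile command shown earlier in this FAQ)
# to the load balancing vserver.
add authentication authnProfile AuthProfile_HR -authnVsName AAA_HR -AuthenticationHost auth.example.com -AuthenticationDomain example.com -AuthenticationLevel 100
set lb vserver LB_HR -authnProfile AuthProfile_HR
```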

What are the changes to the NetScaler Gateway portal in NetScaler 11.0?

In NetScaler releases earlier than 11.0, a single portal customization can be set up at the global level. Every gateway virtual server in a given NetScaler appliance uses the global portal customization.

In NetScaler 11.0, with the portal themes feature, you can set up multiple portal themes. Themes can be bound globally or to specific virtual servers.

Does NetScaler 11.0 support NetScaler Gateway portal customization?

Using the configuration utility, you can use the new portal themes feature to create and fully customize portal themes. You can upload different images, set color schemes, change text labels, and so on.

The portal pages that can be customized are:

  • Login Page
  • Endpoint Analysis Page
  • Endpoint Analysis Error Page
  • Post Endpoint Analysis Page
  • VPN Connection Page
  • Portal Home Page

With this release, you can customize NetScaler Gateway virtual servers with unique portal designs.

Are portal themes supported in NetScaler high availability or cluster deployments?

Yes. Portal Themes are supported in NetScaler high availability and cluster deployments.

Are my customizations migrated as part of the NetScaler 11.0 upgrade process?

No. Existing customizations to the NetScaler Gateway portal page that are invoked through rc.conf/rc.netscaler file modification or by using the custom theme functionality in 10.1/10.5 are not automatically migrated upon upgrade to NetScaler 11.0.

Are there any pre-upgrade steps to follow to be ready for portal themes in NetScaler 11.0?

Any existing customizations must be removed from the rc.conf or rc.netscaler files.

Alternatively, if custom themes are in use, they must be set to the Default theme:

  1. Navigate to Configuration > NetScaler Gateway > Global Settings.

  2. Click Change Global Settings.

  3. Click Client Experience and select Default from the UI Theme list.

I have customizations that are stored on the NetScaler instance, invoked by rc.conf or rc.netscaler. How do I move to portal themes?

Citrix Knowledge Center article CTX126206 details such a configuration for NetScaler 9.3 and 10.0 releases up to 10.0 build 73.5001.e. Since NetScaler 10.0 build 73.5002.e (including 10.1 and 10.5), the UITHEME CUSTOM parameter has been available to help customers retain their customizations across reboots. If the customizations are stored on the NetScaler hard drive and you want to continue using them, back up the 11.0 GUI files and insert them into the existing custom theme file. If you want to move to portal themes, you must first unset the UITHEME parameter in the Global Settings or the Session profile, under Client Experience. Or, you can set it to DEFAULT or GREENBUBBLE. Then you can create and bind a Portal Theme.

How can I export my current customizations and save them before upgrading to NetScaler 11.0? Can I move the exported files to a different NetScaler appliance?

The customized files that were uploaded to the ns_gui_custom folder are on the disk and persist across upgrades. However, these files might not be entirely compatible with the new NetScaler 11.0 kernel and other GUI files that are part of the kernel. Therefore, Citrix recommends backing up the 11.0 GUI files and customizing the backups.

Moreover, the configuration utility has no option to export the ns_gui_custom folder to another NetScaler appliance. Use SSH or a file transfer utility such as WinSCP to copy the files off the NetScaler instance.

Are portal themes supported for NetScaler AAA TM virtual servers?

Yes. Portal Themes are supported for NetScaler AAA TM virtual servers.

What changed in the RDP Proxy feature for NetScaler Gateway 11.0?

Many enhancements have been made to RDP Proxy since the NetScaler 10.5.e enhancement release. In NetScaler 11.0 this feature is available from the first released build.

Licensing changes

The RDP Proxy feature in NetScaler 11.0 can be used only with Premium and Advanced editions. Citrix Concurrent User (CCU) licenses must be obtained for each user.

Enable Command

In NetScaler 10.5.e there was no command to enable RDP Proxy. In NetScaler 11.0, the enable command has been added:

enable feature rdpproxy

The feature must be licensed to run this command.

Other RDP Proxy Changes

A Pre-shared Key (PSK) attribute on the server profile has been made mandatory.

To migrate existing NetScaler 10.5.e configurations for RDP proxy to NetScaler 11.0, the following details must be understood and addressed.

If an administrator wants to add an existing RDP proxy configuration to a chosen Unified Gateway deployment:

  • The NetScaler Gateway virtual server’s IP address must be edited and set to a non-addressable IP address (0.0.0.0).
  • Any SSL/TLS server certificates and authentication policies must be bound to the NetScaler Gateway virtual server that is part of the chosen Unified Gateway formation.

How do you migrate a Remote Desktop Protocol (RDP) Proxy configuration based on NetScaler 10.5.e to NetScaler 11.0?

Option 1: Keep the existing NetScaler Gateway virtual server with RDP Proxy configuration as is, with a Premium or Advanced license.

Option 2: Move the existing NetScaler Gateway virtual server with RDP Proxy configuration, placing it behind a Unified Gateway virtual server.

Option 3: Add a standalone NetScaler Gateway virtual server with RDP Proxy configuration to an existing Standard Edition appliance.

How do you set up NetScaler Gateway for RDP proxy configuration using the NetScaler 11.0 release?

There are two options for deploying RDP proxy using the NS 11.0 release:

  1. Using an externally facing NetScaler Gateway virtual server. This requires one externally visible IP address/FQDN for the NetScaler Gateway virtual server. This is the option available in NetScaler 10.5.e.

  2. Using a Unified Gateway virtual server front-ending the NetScaler Gateway virtual server.

With Option 2 the NetScaler Gateway virtual server does not require its own IP address/FQDN, because it uses a non-addressable IP address (0.0.0.0).

Is HDX Insight compatible with Unified Gateway?

When NetScaler Gateway is deployed with Unified Gateway, the following conditions must be met:

  • The NetScaler Gateway virtual server must have a valid SSL certificate bound to it.

  • The NetScaler Gateway virtual server must be in an UP state to generate AppFlow records on NetScaler ADM, for HDX Insight reporting.

How do I migrate my existing HDX Insight configuration?

No migration is needed. AppFlow policies bound to a NetScaler Gateway virtual server carry over if that NetScaler Gateway virtual server is put behind a Unified Gateway virtual server.

For existing data on NetScaler ADM for the NetScaler Gateway virtual server, there are two possibilities:

  • If the IP address of the NetScaler Gateway virtual server is assigned to a Unified Gateway virtual server as part of the migration to Unified Gateway, the data remains linked to the NetScaler Gateway virtual server.
  • If the Unified Gateway virtual server is assigned a separate IP address, AppFlow data from the NetScaler Gateway virtual server is linked to that new IP address. Therefore, existing data is not part of new data.