Gateway

Configure the Client Choices page

You can configure NetScaler Gateway to provide users with multiple logon options. By configuring the client choices page, users have the option of logging on from one location with the following choices:

  • Citrix Secure Access client for Windows
  • Citrix Secure Access client for macOS X
  • StoreFront
  • Web Interface
  • Clientless access

Users log on to NetScaler Gateway by using the web address in the certificate bound to NetScaler Gateway or the virtual server. By creating a session policy and profile, you can determine the logon choices users receive. Depending on how you configure NetScaler Gateway, the client choices page displays up to three icons representing the following logon choices:

  • Network Access. When users log on to NetScaler Gateway for the first time by using a web browser and then select Network Access, the download page appears. When users click Download, the plug-in downloads and installs on the user device. When the download and installation are complete, the Access Interface appears. If you install a newer version of NetScaler Gateway or revert to an older version, the Citrix Secure Access client for Windows silently upgrades or downgrades to the version on the appliance. If users connect by using the Citrix Secure Access client for Mac, the plug-in silently upgrades if a new appliance version is detected when users log on. This version of the plug-in does not silently downgrade.
  • Web Interface or StoreFront. If users select the Web Interface to log on, the Web Interface page appears. Users can then access their published applications or virtual desktops. If users select StoreFront to log on, Receiver opens, and users can access applications and desktops. Note: If you configure StoreFront as a client choice, applications and desktops do not appear in the left pane of the Access Interface.
  • Clientless access. If users select clientless access to log on, the Access Interface or your customized home page appears. In the Access Interface, users can navigate to file shares, websites, and use Outlook Web Access.

Secure Browse allows users to connect through NetScaler Gateway from an iOS device. If you enable Secure Browse, when users log on by using Secure Hub, Secure Browse disables the client choices page.

Display the Client Choices page at the logon

When you enable the client choices option, users can log on with the Citrix Secure Access client, the Web Interface, Receiver, or clientless access from one webpage after successful authentication to NetScaler Gateway. When the logon is successful, icons appear in the webpage from which users can choose the method to establish a connection.

You can enable client choices without using endpoint analysis or implementing access scenario fallback. If you do not define a client security expression, users receive connection options for the settings that are configured on NetScaler Gateway. If a client security expression exists for the user session and the user device fails the endpoint analysis scan, the choices page offers only the option to use the Web Interface if it is configured. Otherwise, users can use clientless access to log on.

You configure client choices either globally or by using a session profile and policy.

Important:

When configuring client choices, do not configure quarantine groups. User devices that fail the endpoint analysis scan and are quarantined are treated the same as user devices that pass the endpoint scan.
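
The warning above can be checked against a saved configuration. The following is an added example, not Citrix code: it scans ns.conf-style text for session profiles where client choices is in effect together with a quarantine group. It assumes client choices is stored as `-clientChoices` and the quarantine group as `-clientSecurityGroup`; the sample configuration and every name in it are constructed.

```python
import shlex

# Constructed ns.conf excerpt for illustration; every name here is hypothetical.
SAMPLE_CONF = """\
set vpn parameter -clientChoices ON
add vpn sessionAction prof_choices -clientChoices ON -clientSecurity "<EPA expression>" -clientSecurityGroup quarantine_grp
add vpn sessionAction prof_clean -clientChoices ON -clientlessVpnMode OFF
add vpn sessionAction prof_quarantine_only -clientSecurityGroup quarantine_grp
"""

def parse_options(tokens):
    """Map '-option value' pairs to a dict; an option with no value maps to ''."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return opts

def audit_client_choices(conf_text):
    """Return (profile, quarantine_group) pairs where client choices is in effect."""
    global_opts, profiles = {}, {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line)
        head = [t.lower() for t in tokens[:3]]
        if head == ["set", "vpn", "parameter"]:
            global_opts.update(parse_options(tokens[3:]))
        elif head[1:] == ["vpn", "sessionaction"] and head[0] in ("add", "set") and len(tokens) > 3:
            profiles.setdefault(tokens[3], {}).update(parse_options(tokens[4:]))

    global_choices = global_opts.get("-clientchoices", "OFF").upper()
    global_group = global_opts.get("-clientsecuritygroup", "")
    findings = []
    if global_choices == "ON" and global_group:
        findings.append(("<global>", global_group))
    for name, opts in profiles.items():
        # Settings a profile does not override are inherited from the global values.
        choices = opts.get("-clientchoices", global_choices).upper()
        group = opts.get("-clientsecuritygroup", global_group)
        if choices == "ON" and group:
            findings.append((name, group))
    return findings

if __name__ == "__main__":
    for profile, group in audit_client_choices(SAMPLE_CONF):
        print(f"{profile}: client choices ON with quarantine group '{group}'")
```

The third sample profile is flagged even though it never sets client choices itself, because it inherits the global setting.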

Enable client choices options globally

  1. In the GUI, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, click Advanced Settings.
  4. On the General tab, click Client Choices, and then click OK.

Enable client choices as part of a session policy

You can also configure client choices as part of a session policy and then bind it to users, groups, and virtual servers.

  1. In the GUI, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies, and then click Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Client Experience tab, click Advanced.
  7. On the General tab, next to Client Choices, click Override Global, click Client Choices, click OK, and then click Create.
  8. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and then click Close.

Configure Client Choices options

In addition to enabling client choices by using a session profile and policy, you need to configure the settings for the user software. For example, you want users to log on using either the Citrix Secure Access client, StoreFront or the Web Interface, or clientless access. You create one session profile that enables all three options and client choices. Then, you create a session policy with the expression set to True value with the profile attached. Next, you bind the session policy to a virtual server.

Before creating the session policy and profile, you need to create an authorization group for users.

Create an authorization group

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > User Administration, and then click AAA Groups.
  2. In the details pane, click Add.
  3. In Group Name, type the name of the group.
  4. On the Users tab, select the users, click Add for each one, click Create, and then click Close.

The following procedure is an example session profile for client choices with the Citrix Secure Access client, StoreFront, and clientless access.

Create a session profile for client choices

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies > Session.
  2. In the details pane, click the Profiles tab, and then click Add.
  3. In Name, type a name for the profile.
  4. On the Client Experience tab, do the following:
    1. Next to Home Page, click Override Global and then clear Display Home Page. This disables the Access Interface.
    2. Next to Clientless Access, click Override Global, and then select OFF.
    3. Next to Plug-in Type, click Override Global, and then select Windows/Mac OS X.
    4. Click Advanced Settings and next to Client Choices, click Override Global, click Client Choices.
  5. On the Security tab, next to Default Authorization Action, click Override Global and then select ALLOW.
  6. On the Security tab, click Advanced Settings.
  7. Under Authorization Groups, click Override Global, click Add, and then select the group.
  8. On the Published Applications tab, do the following:
    1. Next to ICA Proxy, click Override Global, and then select OFF.
    2. Next to Web Interface Address, click Override Global, and then type the Web address of StoreFront, such as http://ipAddress/Citrix/.
    3. Next to Web Interface Portal Mode, click Override Global and then select COMPACT.
    4. Next to Single Sign-On Domain, click Override Global, and then type the name of the domain.
  9. Click Create, and then click Close.

If you want to use the Citrix Secure Access client for Java as a client choice, on the Client Experience tab, in Plug-in Type, select Java. If you select this choice, you must configure an intranet application and set the interception mode to Proxy.

After creating the session profile, create a session policy. Within the policy, select the profile, and set the expression to True value.

To use StoreFront as a client choice, you must also configure the Secure Ticket Authority (STA) on the NetScaler Gateway. The STA is bound to the virtual server.

Note:

If the server running StoreFront is not available, the Citrix Virtual Apps choice does not appear on the choices page.

Configure the STA server globally

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway, and then click Global Settings.
  2. In the details pane, under Servers, click Bind/Unbind STA Servers to be used by the Secure Ticket Authority.
  3. In the Bind/Unbind STA Servers dialog box, click Add.
  4. In the Configure STA Server dialog box, in URL, type the web address of the STA server, and then click Create.
  5. Repeat Steps 3 and 4 to add more STA servers and then click OK.

Bind the STA to a virtual server

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
  2. In the details pane, click a virtual server, and then click Open.
  3. On the Published Applications tab, under Secure Ticket Authority, under Active, select the STA servers and then click OK.

You can also add STA servers on the Published Applications tab.
