Gateway

Configure client interception

You configure interception rules for user connections on NetScaler Gateway by using Intranet Applications. By default, when you configure the system IP address, a mapped IP address, or a subnet IP address on the appliance, subnet routes are created based on these IP addresses. Intranet applications are created automatically based on these routes and can be bound to a virtual server. If you enable split tunneling, you must define intranet applications for client interception to occur.

You can configure intranet applications by using the GUI. You can bind intranet applications to users, groups, or virtual servers.

If you enable split tunneling and users connect by using WorxWeb or WorxMail, when you configure client interception, you must add the IP addresses for Citrix Endpoint Management and your Exchange server. If you do not enable split tunneling, you do not need to configure the Endpoint Management and Exchange IP addresses in Intranet Applications.

For information about split tunneling configuration, see Configure split tunneling.

Configure intranet applications for the Citrix Secure Access client

You create intranet applications for user access to resources by defining the following:

  • One IP address
  • A range of IP addresses
  • A host name

When you define an intranet application on NetScaler Gateway, the Citrix Secure Access client for Windows intercepts user traffic that is destined to the resource and sends the traffic through NetScaler Gateway.

When configuring intranet applications, consider the following:

  • When Split Tunnel is ON,
    • Configure the intranet applications.
    • Assign intranet applications to every authentication, authorization, and auditing group.
  • When Split Tunnel is OFF,
    • All traffic intercepts through the VPN tunnel.
    • Intranet applications need not be configured.
  • When Split Tunnel is REVERSE,
    • Configure the intranet applications. The traffic that is not specified by the intranet applications pass through the VPN tunnel.
    • Assign the intranet applications to be excluded from VPN to every authentication, authorization, and auditing group.

    Important:

    Interception must be set to TRANSPARENT irrespective of the split tunnel configuration.

Note:

  • When configuring an intranet application, you must select an interception mode that corresponds to the type of plug-in software used to make connections.
  • You cannot configure an intranet application for both proxy and transparent interception.

To create an intranet application for one IP address

  1. On the Configuration tab, in the navigation pane, expand NetScaler Gateway Resources and then click Intranet Applications.
  2. In the details pane, click Add.
  3. In Name, type a name for the profile.
  4. In the Create Intranet Application dialog box, select TRANSPARENT.
  5. In Destination Type, select IP Address and Netmask.
  6. In Protocol, select the protocol that applies to the network resource.
  7. In IP Address, type the IP address.
  8. In Netmask, type subnet mask, click Create and then click Close.

To configure an IP address range

If you have multiple servers in your network, such as web, email, and file shares, you can configure a network resource that includes the IP range for network resources. This setting allows users access to the network resources contained in the IP address range.

  1. On the Configuration tab, in the navigation pane, expand NetScaler Gateway Resources and then click Intranet Applications.
  2. In the details pane, click Add.
  3. In Name, type a name for the profile.
  4. In Protocol, select the protocol that applies to the network resource.
  5. In the Create Intranet Application dialog box, select TRANSPARENT.
  6. In Destination Type, select IP Address Range.
  7. In IP Start, type the starting IP address and in IP End, type the ending IP address, click Create and then click Close.

To create an intranet application for a host name

  1. On the Configuration tab, in the navigation pane, expand NetScaler Gateway Resources and then click Intranet Applications.
  2. In the details pane, click Add.
  3. In Name, type a name for the profile.
  4. In the Create Intranet Application dialog box, select TRANSPARENT.
  5. In Destination Type, select hostname.
  6. In Protocol, select ANY, click Create, and then click Close.

Important:

  • From release 13.0 build 36.27 and later, the Windows VPN plug-in supports host name (FQDN) based rules for split tunneling. You must upgrade both the NetScaler appliance and the Windows VPN plug-in to release 13.0 build 36.27 or later.
  • Wildcard host names are also supported. For example, if an intranet application with the host name “*.example.com” is configured, a1.example.com, b2.example.com, and so on gets tunneled.
  • Host name-based intranet application works only when you have split tunneling set to ON or REVERSE.
Configure client interception