Gateway

How users connect with the Citrix Secure Access client

NetScaler Gateway operates as follows:

  • When users attempt to access network resources across the VPN tunnel, the Citrix Secure Access client encrypts all network traffic destined for the organization’s internal network and forwards the packets to NetScaler Gateway.
  • NetScaler Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. NetScaler Gateway sends traffic back to the remote computer over a secure tunnel.

When users type the web address, they receive a logon page where they enter their credentials and log on. If the credentials are correct, NetScaler Gateway finishes the handshake with the user device.

If the user is behind a proxy server, the user can specify the proxy server and authentication credentials. For more information, see Enabling Proxy Support for User Connections.

The Citrix Secure Access client is installed on the user device. After the first connection, if users log on by using a Windows-based computer, they can use the icon in the notification area to establish the connection.

Establish the secure tunnel

When users connect with the Citrix Secure Access client, Secure Hub, or Citrix Workspace app, the client software establishes a secure tunnel over port 443 (or any configured port on NetScaler Gateway) and sends authentication information. When the tunnel is established, NetScaler Gateway sends configuration information to the Citrix Secure Access client, Secure Hub, or Citrix Workspace app describing the networks to be secured and containing an IP address if you enable address pools.

Tunnel private network traffic over secure connections

When the Citrix Secure Access client starts and the user is authenticated, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to NetScaler Gateway. Citrix Workspace app must support the Citrix Secure Access client to establish the connection through the secure tunnel when users log on.

Secure Hub, Secure Mail, and WorxWeb use Micro VPN to establish the secure tunnel for iOS and Android mobile devices.

NetScaler Gateway intercepts all network connections that the user device makes and multiplexes them over Secure Sockets Layer (SSL) to NetScaler Gateway, where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination.

The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs) that remote users can access through the VPN connection.

The Citrix Secure Access client intercepts and tunnels the following protocols for the defined intranet applications:

  • TCP (all ports)
  • UDP (all ports)
  • ICMP (types 8 and 0 - echo request/reply)

Connections from local applications on the user device are securely tunneled to NetScaler Gateway, which reestablishes the connections to the target server. Target servers view connections as originating from the local NetScaler Gateway on the private network, thus hiding the user device. This is also called reverse Network Address Translation (NAT). Hiding IP addresses adds security to source locations.

Locally, on the user device, all connection-related traffic, such as SYN-ACK, PUSH, ACK, and FIN packets, is recreated by the Citrix Secure Access client to appear from the private server.

Connect through firewalls and proxies

Users of the Citrix Secure Access client are sometimes located inside another organization’s firewall, as shown in the following figure:

User connection through two internal firewalls

NAT firewalls maintain a table that allows them to route secure packets from NetScaler Gateway back to the user device. For circuit-oriented connections, NetScaler Gateway maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables NetScaler Gateway to match connections and send packets back over the tunnel to the user device with the correct port numbers so that the packets return to the correct application.

Control upgrade of Citrix Secure Access clients

System Administrators control how the NetScaler plug-in performs when its version does not match the NetScaler Gateway revision. The new options control the plug-in upgrade behavior for Mac, and Windows or operating systems.

For VPN plug-ins, the upgrade option can be set in two places in the NetScaler appliance user interface:

  • At the Global Settings
  • At the Session Profile level

Requirements

  • Windows EPA and VPN plug-in version must be greater than 11.0.0.0

  • Mac EPA plug-in version must be greater than 3.0.0.31

  • Mac VPN plug-in version must be greater than 3.1.4 (357)

Note:

If the NetScaler appliance is upgraded to the 11.0 release, all previous VPN (and EPA) plug-ins upgrade to the latest version irrespective of upgrade control configuration. For subsequent upgrades, they respect the previous upgrade control configuration.

Plug-in behaviors

For each client type, NetScaler Gateway allows the following three options to control plug-in upgrade behavior:

  • Always

The plug-in always gets upgraded whenever the end user’s plug-in version doesn’t match with the plug-in shipped with the NetScaler appliance. This is the default behavior. Choose this option if you don’t want multiple plug-in versions running in your enterprise.

  • Essential (and security)

The plug-in only upgraded when it is deemed necessary. Upgrades are deemed necessary in the following two circumstances

  • Installed Plug-in is incompatible with the current NetScaler appliance version.

  • Installed Plug-in must be updated for the necessary security fix.

Choose this option if you want to minimize the number of plug-in upgrades, but don’t want to miss any plug-in security updates

  • Never

The plug-in does not get upgraded.

CLI parameters for controlling VPN plug-in upgrade

NetScaler Gateway supports two types of plug-ins (EPA and VPN) for Windows and Mac operating systems. To support VPN plug-in upgrade control at the session level, NetScaler Gateway supports two session profile parameters named WindowsinPluginUpgrade and MacPluginUpgrade.

These parameters are available at global, virtual server, group, and user level. Each parameter can have a value of Always, Essential or Never. For a description of these parameters see Plug-in Behaviors.

CLI parameters for controlling EPA plug-in upgrade

NetScaler Gateway supports EPA plug-ins for Windows and Mac operating systems. To support EPA plug-in upgrade control at the virtual server level, NetScaler Gateway supports two virtual server parameters named windowsEPAPluginUpgrade and macEPAPluginUpgrade.

The parameters are available at the virtual server level. Each parameter can have a value of Always, Essential or Never. For a description of these parameters see Plug-in Behaviors

VPN configuration

Follow these steps for the VPN configuration of Windows, Linux, and Mac plug-ins.

  1. Go to NetScaler > Policies > Session.

  2. Select the desired session policy, and then click Edit.

  3. Select the Client Experience tab.

  4. These dialog boxes options affect the upgrade behavior.

    • Always
    • Essential
    • Never

    The default is Always.

  5. Select the check box to the right of each option. Select the frequency to apply the upgrade behavior.

    Upgrade option

EPA configuration

Follow these steps for the EPA configuration of Windows, Linux, and Apple plug-ins.

  1. Go to NetScaler Gateway > Virtual Servers.

  2. Select a server and click the Edit button.

  3. Click the pencil icon.

    Click pencil icon

  4. Click More

  5. The dialog boxes that appear affect the upgrade behavior. The available options are:

    • Always
    • Essential
    • Never
How users connect with the Citrix Secure Access client