NetScaler Gateway
NetScaler Gateway configuration is supported for both Web/SaaS and TCP/UDP applications. You can create a NetScaler Gateway or update an existing NetScaler Gateway configuration for Secure Private Access. It is recommended that you create NetScaler snapshots or save the NetScaler configuration before applying these changes.
Important:
For details on NetScaler Gateway configurations for Web/SaaS and TCP/UDP applications, see the following sections:
Compatibility with the ICA apps
NetScaler Gateway created or updated to support the Secure Private Access plug-in can also be used to enumerate and launch ICA apps. In this case, you must configure Secure Ticket Authority (STA) and bind it to the NetScaler Gateway.
Note:
STA server is usually a part of Citrix Virtual Apps and Desktops deployment.
For details, see the following topics:
- Configuring the Secure Ticket Authority on NetScaler Gateway
- FAQ: Citrix Secure Gateway/ NetScaler Gateway Secure Ticket Authority
Support for smart access tags
Note:
- The information provided in this section is applicable only if your NetScaler Gateway version is before 14.1-25.56.
- If your NetScaler Gateway version is 14.1–25.56 and later, then you can enable the Secure Private Access plug-in on NetScaler Gateway by using the CLI or GUI. For details, see Enable Secure Private Access plug-in on NetScaler Gateway.
In the following versions, NetScaler Gateway sends the tags automatically. You do not have to use the gateway callback address to retrieve the smart access tags.
- 13.1–48.47 and later
- 14.1–4.42 and later
Smart access tags are added as a header in the Secure Private Access plug-in request.
Configure Secure Private Access toggles
The following table lists the toggles that must be used to support smart access tags for on-premises deployments:
| Toggle name | Description |
|---|---|
| nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem | Enable Secure Private Access for on-premises deployments |
| nsapimgr_wr.sh -ys call=ns_vpn_disable_spa_onprem | Disable Secure Private Access for on-premises deployments |
| nsapimgr_wr.sh -ys ns_vpn_enable_spa_tcp_udp_apps=3 | Enable TCP/UDP apps |
| nsapimgr_wr.sh -ys ns_vpn_enable_spa_tcp_udp_apps=0 | Disable TCP/UDP apps |
| nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode | Enable SecureBrowse client mode for HTTP callout config |
| nsapimgr -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny | Enable redirection to the "Access restricted" page if access is denied. |
| nsapimgr -ys call=toggle_vpn_use_cdn_for_access_restricted_page | Use the "Access restricted" page hosted on CDN. |
Note:
- To disable the toggles that do not have separate disable commands, run the same command again. This is applicable only for commands that have "toggle" in the command.
- To verify whether a toggle is on or off, run the nsconmsg command.
- To configure smart access tags on NetScaler Gateway, see Configure contextual tags.
Persist Secure Private Access plug-in settings on NetScaler
To persist the Secure Private Access plug-in settings on NetScaler, do the following:
- Create or update the file /nsconfig/rc.netscaler.
- Add the following commands to the file:
    nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem
    nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode
    nsapimgr_wr.sh -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny
    nsapimgr_wr.sh -ys call=toggle_vpn_use_cdn_for_access_restricted_page
- Save the file.
The Secure Private Access plug-in settings are automatically applied when NetScaler is restarted.
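The toggle table above notes that knobs with "toggle" in their name flip state each time they run, so a toggle line that ends up twice in rc.netscaler is switched back off at the next reboot. The following POSIX sh helper, an added example that is not part of the Citrix documentation, writes the four persisted knobs idempotently: it removes repeated toggle_ lines (keeping the first) and appends only the knobs that are missing. The file path is passed as a parameter (assumption: you run it against a copy before /nsconfig/rc.netscaler).

```shell
#!/bin/sh
# Added example (not from the Citrix documentation): keep the Secure Private
# Access knobs in /nsconfig/rc.netscaler idempotent. "toggle_*" knobs flip
# state on every run, so a line listed twice switches that setting back off
# at the next reboot. This helper drops repeated toggle_ lines (keeping the
# first) and appends any knob that is missing. The path is a parameter so the
# logic can be exercised on a copy of the file first.

SPA_KNOBS='nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem
nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode
nsapimgr_wr.sh -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny
nsapimgr_wr.sh -ys call=toggle_vpn_use_cdn_for_access_restricted_page'

# dedupe_toggles FILE: remove every repeat of a "call=toggle_" line, keeping
# its first occurrence; comments and other commands are left untouched.
dedupe_toggles() {
    tmp="$1.tmp.$$"
    awk '/call=toggle_/ { if (seen[$0]++) next } { print }' "$1" > "$tmp" &&
        mv "$tmp" "$1"
}

# ensure_spa_knobs FILE: dedupe, then append each knob not already present
# as a whole line. Running it again is a no-op.
ensure_spa_knobs() {
    [ -f "$1" ] || : > "$1"
    dedupe_toggles "$1"
    while IFS= read -r cmd; do
        grep -qxF -- "$cmd" "$1" || printf '%s\n' "$cmd" >> "$1"
    done <<EOF
$SPA_KNOBS
EOF
}

# toggle_dupe_count FILE: number of distinct toggle_ lines that occur more
# than once; anything above 0 means a toggle cancels itself out at boot.
toggle_dupe_count() {
    grep -F 'call=toggle_' "$1" | sort | uniq -d | wc -l | tr -d ' '
}

# knob_count FILE: how many of the four SPA knobs are present as whole lines.
knob_count() {
    n=0
    while IFS= read -r cmd; do
        if grep -qxF -- "$cmd" "$1"; then n=$((n + 1)); fi
    done <<EOF
$SPA_KNOBS
EOF
    echo "$n"
}
```

Run `ensure_spa_knobs /nsconfig/rc.netscaler` from the NetScaler shell, then check `toggle_dupe_count /nsconfig/rc.netscaler` prints 0 before rebooting.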
Enable Secure Private Access plug-in on NetScaler Gateway
Starting from NetScaler Gateway 14.1–25.56, you can enable the Secure Private Access plug-in on NetScaler Gateway by using the NetScaler Gateway CLI or the GUI. This configuration replaces the nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem knob used in versions before 2407.
CLI:
At the command prompt, type the following command:
set vpn parameter -securePrivateAccess ENABLED
GUI:
- Navigate to NetScaler Gateway > Global Settings > Change Global NetScaler Gateway Settings.
- Click the Security tab.
- In Secure Private Access, select ENABLED.
Upload public gateway certificate
If the public gateway is not reachable from the Secure Private Access machine, then you must upload a public gateway certificate to the Secure Private Access database.
Perform the following steps to upload a public gateway certificate:
- Open PowerShell or the command prompt window with admin privileges.
- Change the directory to the Admin\AdminConfigTool folder under the Secure Private Access installation folder (for example, cd "C:\Program Files\Citrix\Citrix Access Security\Admin\AdminConfigTool").
- Run the following command:
    .\AdminConfigTool.exe /UPLOAD_PUBLIC_GATEWAY_CERTIFICATE <PublicGatewayUrl> <PublicGatewayCertificatePath>
Known limitations
- An existing NetScaler Gateway can be updated with the script, but the number of possible NetScaler configurations is effectively unlimited and a single script cannot cover them all.
- We recommend that you set ICA Proxy to OFF in the Secure Private Access enabled VPN virtual server.
- If you use NetScaler deployed in the cloud, you must make some changes in the network. For example, allow communications between NetScaler and other components on certain ports. For details on the ports, see Communication ports.
- If you enable SSO on NetScaler Gateway, make sure that NetScaler communicates to StoreFront using a private IP address. You might have to add a new StoreFront DNS record to NetScaler with a StoreFront private IP address.