NetScaler Gateway

NetScaler Gateway configuration is supported for both Web/SaaS and TCP/UDP applications. You can create a NetScaler Gateway or update an existing NetScaler Gateway configuration for Secure Private Access. It is recommended that you create NetScaler snapshots or save the NetScaler configuration before applying these changes.

For details on NetScaler Gateway configurations for Web/SaaS and TCP/UDP applications, see the following topics:

Compatibility with the ICA apps

NetScaler Gateway created or updated to support the Secure Private Access plug-in can also be used to enumerate and launch ICA apps. In this case, you must configure Secure Ticket Authority (STA) and bind it to the NetScaler Gateway.

Note:

STA server is usually a part of Citrix Virtual Apps and Desktops deployment.

For details, see the following topics:

Support for smart access tags

Note:

  • The information provided in this section is applicable only if your NetScaler Gateway version is before 14.1-25.56.
  • If your NetScaler Gateway version is 14.1-25.56 or later, you can enable the Secure Private Access plug-in on NetScaler Gateway by using the CLI or GUI. For details, see Enable Secure Private Access plug-in on NetScaler Gateway.

In the following versions, NetScaler Gateway sends the tags automatically. You do not have to use the gateway callback address to retrieve the smart access tags.

  • 13.1-48.47 and later
  • 14.1-4.42 and later

Smart access tags are added as a header in the Secure Private Access plug-in request.

Use the toggle ns_vpn_enable_spa_onprem or ns_vpn_disable_spa_onprem to enable/disable this feature on these NetScaler versions.

  • You can toggle the feature with the following command (FreeBSD shell):

    nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem

  • Enable SecureBrowse client mode for HTTP callout config by running the following command (FreeBSD shell).

    nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode

  • Enable redirection to the “Access restricted” page if access is denied.

    nsapimgr_wr.sh -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny

  • Use the “Access restricted” page hosted on CDN.

    nsapimgr_wr.sh -ys call=toggle_vpn_use_cdn_for_access_restricted_page

  • To disable any of these settings, run the same command again.

  • To verify whether a toggle is on or off, run the nsconmsg command.

  • To configure smart access tags on NetScaler Gateway, see Configure contextual tags.

Persist Secure Private Access plug-in settings on NetScaler

To persist the Secure Private Access plug-in settings on NetScaler, do the following:

  1. Create or update the file /nsconfig/rc.netscaler.
  2. Add the following commands to the file.

    nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem

    nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode

    nsapimgr_wr.sh -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny

    nsapimgr_wr.sh -ys call=toggle_vpn_use_cdn_for_access_restricted_page

  3. Save the file.

The Secure Private Access plug-in settings are automatically applied when NetScaler is restarted.
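Because every toggle_* call flips its setting on each invocation, a line that is accidentally duplicated in /nsconfig/rc.netscaler would switch that setting back off at the next restart. The following script is an added example, not Citrix's own tooling: it appends only the toggle lines that are missing and reports duplicates, so the file stays safe to re-run. It assumes the FreeBSD sh on NetScaler and the /nsconfig/rc.netscaler path from this page.

```shell
#!/bin/sh
# Added example (not a Citrix script): keep the Secure Private Access
# toggles in rc.netscaler idempotent. Each toggle_* call flips state,
# so a duplicated line would disable the setting again at restart.

# The four nsapimgr calls from this page, one per line.
spa_toggle_calls() {
    printf '%s\n' ns_vpn_enable_spa_onprem \
        toggle_vpn_enable_securebrowse_client_mode \
        toggle_vpn_redirect_to_access_restricted_page_on_deny \
        toggle_vpn_use_cdn_for_access_restricted_page
}

# persist_spa_toggles FILE: append each missing toggle line to FILE
# (creating it if needed) and print how many lines were added.
persist_spa_toggles() {
    rcfile="$1"
    added=0
    [ -f "$rcfile" ] || : > "$rcfile"
    for call in $(spa_toggle_calls); do
        line="nsapimgr_wr.sh -ys call=$call"
        if ! grep -qxF -- "$line" "$rcfile"; then
            printf '%s\n' "$line" >> "$rcfile"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# spa_duplicate_toggles FILE: print how many toggle lines occur more
# than once in FILE (anything above 0 means a setting will flip back).
spa_duplicate_toggles() {
    dups=0
    for call in $(spa_toggle_calls); do
        n=$(grep -cxF -- "nsapimgr_wr.sh -ys call=$call" "$1" || :)
        [ "$n" -gt 1 ] && dups=$((dups + 1))
    done
    echo "$dups"
}

# Usage on the appliance: sh persist_spa.sh /nsconfig/rc.netscaler
if [ -n "${1:-}" ]; then
    echo "added $(persist_spa_toggles "$1") line(s) to $1"
    echo "duplicate toggle lines: $(spa_duplicate_toggles "$1")"
fi
```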

Enable Secure Private Access plug-in on NetScaler Gateway

Starting from NetScaler Gateway 14.1-25.56, you can enable the Secure Private Access plug-in on NetScaler Gateway by using the NetScaler Gateway CLI or the GUI. This configuration replaces the nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem knob used in versions before 2407.

CLI:

At the command prompt, type the following command:

set vpn parameter -securePrivateAccess ENABLED

GUI:

  1. Navigate to NetScaler Gateway > Global Settings > Change Global NetScaler Gateway Settings.
  2. Click the Security tab.
  3. In Secure Private Access, select ENABLED.

Enable Secure Private Access

Upload public gateway certificate

If the public gateway is not reachable from the Secure Private Access machine, then you must upload a public gateway certificate to the Secure Private Access database.

Perform the following steps to upload a public gateway certificate:

  1. Open PowerShell or the command prompt window with admin privileges.
  2. Change the directory to the Admin\AdminConfigTool folder under the Secure Private Access installation folder (for example, cd "C:\Program Files\Citrix\Citrix Access Security\Admin\AdminConfigTool").
  3. Run the following command:

    .\AdminConfigTool.exe /UPLOAD_PUBLIC_GATEWAY_CERTIFICATE <PublicGatewayUrl> <PublicGatewayCertificatePath>

Known limitations

  • An existing NetScaler Gateway can be updated with the script, but there is an unbounded number of possible NetScaler configurations, and a single script cannot cover them all.
  • Do not use ICA Proxy on NetScaler Gateway. This feature is disabled when NetScaler Gateway is configured.
  • If you use NetScaler deployed in the cloud, you must make changes in the network. For example, allow communications between NetScaler and other components on certain ports.
  • If you enable SSO on NetScaler Gateway, make sure that NetScaler communicates to StoreFront using a private IP address. You might have to add a StoreFront DNS record to NetScaler with a StoreFront private IP address.