Update existing NetScaler Gateway configuration
If you are updating an existing NetScaler Gateway configuration, it is recommended that you update the configuration manually. For details, see the following sections:
- Update existing NetScaler Gateway configuration for Web and SaaS apps
- Update existing NetScaler Gateway configuration for TCP/UDP apps
NetScaler Gateway virtual server settings
When you add or update the existing NetScaler Gateway virtual server, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration.
Add a virtual server:
- tcpProfileName: nstcp_default_XA_XD_profile
- deploymentType: ICA_STOREFRONT (available only with the add vpn vserver command)
- icaOnly: OFF
- dtls: OFF
Update a virtual server:
- tcpProfileName: nstcp_default_XA_XD_profile
- icaOnly: OFF
- dtls: OFF
For details on the virtual server parameters, see vpn-sessionAction.
Update existing NetScaler Gateway configuration for Web and SaaS apps
You can use the ns_gateway_secure_access_update.sh script on an existing NetScaler Gateway to update the configuration for Web and SaaS apps. If you prefer to update the existing configuration (NetScaler Gateway version 14.1–4.42 and later) manually, use the Example commands to update an existing NetScaler Gateway configuration. In either case, you must also update the NetScaler Gateway virtual server and session action settings.
You can also use the scripts on an existing NetScaler Gateway to support Secure Private Access. However, the script does not update the following:
- Existing NetScaler Gateway virtual server
- Existing session actions and session policies bound to NetScaler Gateway
Ensure that you review each command before execution and create backups of the gateway configuration.
NetScaler Gateway session action settings
A session action is bound to a gateway virtual server through session policies. When you create or update a session action, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration.
- transparentInterception: OFF
- SSO: ON
- ssoCredential: PRIMARY
- useMIP: NS
- useIIP: OFF
- icaProxy: ON
- wihome: "https://storefront.mydomain.com/Citrix/MyStoreWeb" (replace with the real store URL; the path to the store, /Citrix/MyStoreWeb, is optional)
- ClientChoices: OFF
- ntDomain: mydomain.com (used for SSO; optional)
- defaultAuthorizationAction: ALLOW
- authorizationGroup: SecureAccessGroup (make sure that this group is created; it is used to bind the Secure Private Access specific authorization policies)
- clientlessVpnMode: OFF
- clientlessModeUrlEncoding: TRANSPARENT
- SecureBrowse: ENABLED
- Storefronturl: "https://storefront.mydomain.com"
- sfGatewayAuthType: domain
Note:
Starting from NetScaler Gateway release 14.1 build 43.x and later, ICA Proxy mode is supported for Web/SaaS apps.
Example commands when ICA Proxy is disabled
Add a virtual server. To update an existing one, use set vpn vserver with the same parameters, except deploymentType, which is available only with add vpn vserver.
add vpn vserver SecureAccess_Gateway SSL 999.999.999.999 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn gateway.mydomain.com -authnProfile auth_prof_name -icaOnly OFF -dtls OFF
Add a session action.
add vpn sessionAction AC_OSspahybrid -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy ON -wihome "https://storefront.example.corp/Citrix/SPAWeb" -ClientChoices OFF -ntDomain example.corp -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://storefront.example.corp" -sfGatewayAuthType domain
Add a session policy.
add vpn sessionPolicy PL_OSspahybrid "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OSspahybrid
Bind the session policy to the VPN virtual server.
bind vpn vserver SecureAccess_Gateway -policy PL_OSspahybrid -priority 100 -gotoPriorityExpression NEXT -type REQUEST
Bind the Secure Private Access provider to the VPN virtual server.
bind vpn vserver SecureAccess_Gateway -securePrivateAccessUrl "https://spa.example.corp"
For details on session action parameters, see vpn-sessionAction.
Example commands when ICA Proxy is enabled
Add a virtual server. To update an existing one, use set vpn vserver with the same parameters, except deploymentType, which is available only with add vpn vserver.
add vpn vserver SecureAccess_Gateway SSL 999.999.999.999 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn gateway.mydomain.com -authnProfile auth_prof_name -icaOnly OFF -dtls OFF
Add a session action.
add vpn sessionAction AC_OSspaonprem -transparentInterception OFF -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy ON -wihome "https://storefront.example.corp/Citrix/SPAWeb" -ClientChoices OFF -ntDomain gwonprem.corp -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://storefront.example.corp" -sfGatewayAuthType domain
Add authorization policies. The last two reference an HTTP callout named SecureAccess_httpCallout, which must already exist on the appliance before these policies are evaluated.
add authorization policy ALLOW_STOREFRONT "(HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"gateway.example.corp\") || HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"storefront.example.corp\")) && (HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/AGServices\"))" ALLOW
add authorization policy SECUREACCESS_AUTHORIZATION "(CLIENT.SSLVPN.MODE.EQ(\"SECURE_BROWSE\") || HTTP.REQ.HEADER(\"X-Citrix-AccessSecurity\").EXISTS || HTTP.REQ.HEADER(\"X-Citrix-Secure-Browser\").EXISTS) && sys.HTTP_CALLOUT(SecureAccess_httpCallout)" ALLOW
add authorization policy SECUREACCESS_AUTHORIZATION_ICAPROXY "CLIENT.SSLVPN.MODE.EQ(\"ICAPROXY\") && HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"gateway.example.corp\").NOT && HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"storefront.example.corp\").NOT && sys.HTTP_CALLOUT(SecureAccess_httpCallout)" ALLOW
Bind the authorization policies to the SecureAccessGroup AAA group, the group named in the session action's authorizationGroup parameter. With gotoPriorityExpression END, the first policy whose expression matches decides; a request that matches none falls back to the session action's defaultAuthorizationAction.
bind aaa group SecureAccessGroup -policy ALLOW_STOREFRONT -priority 100 -gotoPriorityExpression END
bind aaa group SecureAccessGroup -policy SECUREACCESS_AUTHORIZATION -priority 1000 -gotoPriorityExpression END
bind aaa group SecureAccessGroup -policy SECUREACCESS_AUTHORIZATION_ICAPROXY -priority 1100 -gotoPriorityExpression END
Bind the Secure Private Access provider to the VPN virtual server.
bind vpn vserver SecureAccess_Gateway -securePrivateAccessUrl "https://spa.example.corp"
For details on session action parameters, see vpn-sessionAction.
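To see what the three authorization policies above actually decide for a given request, the following script transcribes each policy expression into a Python predicate and walks the bindings in priority order, stopping at the first match (gotoPriorityExpression END) and otherwise returning the session action's defaultAuthorizationAction. This is an added example, an approximation of NetScaler's evaluation rather than its engine; the hostnames are the page's placeholders, the requests are constructed, and the result of sys.HTTP_CALLOUT(SecureAccess_httpCallout), whose definition the page does not show, is supplied as an assumed boolean.

```python
"""Emulate the authorization decision for requests hitting the SecureAccessGroup
policies. Added example; an approximation of NetScaler policy evaluation."""
from dataclasses import dataclass, field

# Hostnames used by the page's example policies
GATEWAY_HOST = "gateway.example.corp"
STOREFRONT_HOST = "storefront.example.corp"


@dataclass
class Request:
    hostname: str
    url: str
    sslvpn_mode: str               # CLIENT.SSLVPN.MODE, e.g. "SECURE_BROWSE" or "ICAPROXY"
    headers: dict = field(default_factory=dict)
    callout_allows: bool = True    # assumed result of sys.HTTP_CALLOUT(SecureAccess_httpCallout)

    def has_header(self, name):
        """HTTP.REQ.HEADER(name).EXISTS; header names are case-insensitive."""
        return name.lower() in {h.lower() for h in self.headers}


def starts_ci(value, prefix):
    """SET_TEXT_MODE(IGNORECASE).STARTSWITH(prefix)"""
    return value.lower().startswith(prefix.lower())


def allow_storefront(r):
    """Policy ALLOW_STOREFRONT: gateway/StoreFront hosts under /Citrix or /AGServices."""
    return ((starts_ci(r.hostname, GATEWAY_HOST) or starts_ci(r.hostname, STOREFRONT_HOST))
            and (starts_ci(r.url, "/Citrix") or starts_ci(r.url, "/AGServices")))


def secureaccess_authorization(r):
    """Policy SECUREACCESS_AUTHORIZATION: Secure Browse traffic gated by the callout."""
    return ((r.sslvpn_mode == "SECURE_BROWSE"
             or r.has_header("X-Citrix-AccessSecurity")
             or r.has_header("X-Citrix-Secure-Browser"))
            and r.callout_allows)


def secureaccess_authorization_icaproxy(r):
    """Policy SECUREACCESS_AUTHORIZATION_ICAPROXY: ICA proxy traffic to any other host."""
    return (r.sslvpn_mode == "ICAPROXY"
            and not starts_ci(r.hostname, GATEWAY_HOST)
            and not starts_ci(r.hostname, STOREFRONT_HOST)
            and r.callout_allows)


# (priority, policy name, expression, action), as bound to SecureAccessGroup
POLICIES = [
    (100, "ALLOW_STOREFRONT", allow_storefront, "ALLOW"),
    (1000, "SECUREACCESS_AUTHORIZATION", secureaccess_authorization, "ALLOW"),
    (1100, "SECUREACCESS_AUTHORIZATION_ICAPROXY", secureaccess_authorization_icaproxy, "ALLOW"),
]


def authorize(r, default_action="ALLOW"):
    """Return (action, deciding policy). Every binding uses gotoPriorityExpression
    END, so the first matching policy decides; default_action mirrors the session
    action's -defaultAuthorizationAction, which is ALLOW on this page."""
    for _, name, expr, action in sorted(POLICIES, key=lambda p: p[0]):
        if expr(r):
            return action, name
    return default_action, "defaultAuthorizationAction"


if __name__ == "__main__":
    # Constructed requests covering each policy and the fall-through case
    samples = {
        "workspace to store": Request(STOREFRONT_HOST, "/Citrix/SPAWeb/", "ICAPROXY"),
        "secure browse, callout allows": Request("intranet.example.corp", "/", "SECURE_BROWSE"),
        "secure browse, callout denies": Request("intranet.example.corp", "/", "SECURE_BROWSE",
                                                 callout_allows=False),
        "icaproxy to internal app": Request("app.example.corp", "/api", "ICAPROXY"),
        "icaproxy to gateway outside /Citrix": Request(GATEWAY_HOST, "/logon/", "ICAPROXY"),
    }
    for label, req in samples.items():
        print(f"{label}: {authorize(req)}")
```

Because every bound policy's action is ALLOW and the session action sets defaultAuthorizationAction ALLOW, a false callout result only changes which entry decides, not the outcome; calling authorize(req, default_action="DENY") shows what the same policy set yields when the fall-through is denied instead.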
Update existing NetScaler Gateway configuration for TCP/UDP apps
Support for TCP/UDP apps in addition to Web/SaaS apps is available starting from NetScaler Gateway version 14.1–25.56. For hybrid deployments, it is recommended to use version 14.1–34.42 to fully leverage TCP/UDP features. If you are updating earlier versions, it is recommended that you update the configuration manually. For details, see Example commands to update an existing NetScaler Gateway configuration. Also, you must update the NetScaler Gateway virtual server and session action settings.
NetScaler Gateway session action settings
A session action is bound to a gateway virtual server through session policies. When you create or update a session action, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration.
- transparentInterception: ON
- SSO: ON
- ssoCredential: PRIMARY
- useMIP: NS
- useIIP: OFF
- icaProxy: OFF
- ClientChoices: ON
- ntDomain: mydomain.com (used for SSO; optional)
- defaultAuthorizationAction: ALLOW
- authorizationGroup: SecureAccessGroup
- clientlessVpnMode: OFF
- clientlessModeUrlEncoding: TRANSPARENT
- SecureBrowse: ENABLED
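Before running the update commands, it helps to know which of the required values an existing appliance already has and which deviate. The following audit script is an added example, not Citrix's ns_gateway_secure_access_update.sh: it parses the text of show ns runningConfig saved from the appliance, merges the add and any later set lines for each object, and compares every vpn vserver and vpn sessionAction against the virtual server settings and the two session action settings lists above (Web/SaaS and TCP/UDP). The sample config embedded in it is constructed; the rule that transparentInterception ON identifies a TCP/UDP (Citrix Secure Access client) action is an assumption of the script, as is reporting an unset parameter rather than guessing its appliance default.

```python
"""Audit a saved NetScaler running config against the parameter values this page
requires. Added example (not Citrix's script); run on the output of
`show ns runningConfig`. The sample config below is constructed."""
import shlex

# Required values, taken from the settings lists on this page
VSERVER_REQUIRED = {
    "tcpProfileName": "nstcp_default_XA_XD_profile",
    "icaOnly": "OFF",
    "dtls": "OFF",
}
COMMON = {
    "SSO": "ON", "ssoCredential": "PRIMARY", "useMIP": "NS", "useIIP": "OFF",
    "defaultAuthorizationAction": "ALLOW", "authorizationGroup": "SecureAccessGroup",
    "clientlessVpnMode": "OFF", "clientlessModeUrlEncoding": "TRANSPARENT",
    "SecureBrowse": "ENABLED",
}
# Web/SaaS (Workspace/browser) and TCP/UDP (Secure Access client) session actions
# differ only in these three parameters
WEB_SAAS_REQUIRED = {**COMMON, "transparentInterception": "OFF", "icaProxy": "ON", "ClientChoices": "OFF"}
TCP_UDP_REQUIRED = {**COMMON, "transparentInterception": "ON", "icaProxy": "OFF", "ClientChoices": "ON"}


def parse_cli_line(line):
    """Split one NetScaler CLI line into (verb, entity, name, params).
    Parameter names are case-insensitive in the CLI, so keys are lower-cased;
    positional arguments (SSL, IP address, port) are skipped."""
    try:
        tokens = shlex.split(line)      # handles the \" escapes inside policy expressions
    except ValueError:                  # unbalanced quotes: not a line we can audit
        return None
    if len(tokens) < 4 or tokens[0].startswith("#"):
        return None
    verb, entity, name = tokens[0].lower(), " ".join(tokens[1:3]).lower(), tokens[3]
    params, i = {}, 4
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            params[tok[1:].lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return verb, entity, name, params


def audit_config(config_text):
    """Return {object name: [deviations]} for every vpn vserver and vpn
    sessionAction whose parameters differ from the required values."""
    objects = {}
    for raw in config_text.splitlines():
        parsed = parse_cli_line(raw.strip())
        if parsed is None:
            continue
        verb, entity, name, params = parsed
        if verb in ("add", "set") and entity in ("vpn vserver", "vpn sessionaction"):
            objects.setdefault((entity, name), {}).update(params)   # set overrides add

    findings = {}
    for (entity, name), params in objects.items():
        if entity == "vpn vserver":
            required = VSERVER_REQUIRED
        elif str(params.get("transparentinterception", "")).upper() == "ON":
            required = TCP_UDP_REQUIRED     # assumption: ON marks a Secure Access client action
        else:
            required = WEB_SAAS_REQUIRED
        deviations = [
            f"{key}: expected {want}, found {params.get(key.lower(), '<unset, appliance default applies>')}"
            for key, want in required.items()
            if params.get(key.lower()) != want
        ]
        if deviations:
            findings[name] = deviations
    return findings


# Constructed sample: the vserver has icaOnly ON and the Web/SaaS action has
# ClientChoices ON; the TCP/UDP action is compliant
SAMPLE_RUNNING_CONFIG = """\
add vpn vserver SecureAccess_Gateway SSL 198.51.100.10 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn gateway.example.corp -authnProfile auth_prof_name -icaOnly ON -dtls OFF
add vpn sessionAction AC_OSspahybrid -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy ON -wihome "https://storefront.example.corp/Citrix/SPAWeb" -ClientChoices ON -ntDomain example.corp -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://storefront.example.corp" -sfGatewayAuthType domain
add vpn sessionAction AC_AG_PLGspahybrid -splitDns BOTH -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -ClientChoices ON -ntDomain example.corp -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED
add vpn sessionPolicy PL_OSspahybrid "HTTP.REQ.HEADER(\\"User-Agent\\").CONTAINS(\\"CitrixReceiver\\")" AC_OSspahybrid
"""

if __name__ == "__main__":
    for name, problems in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(name)
        for problem in problems:
            print("   ", problem)
```

Save the real running config with show ns runningConfig (or copy ns.conf) and pass its text to audit_config; each reported deviation maps directly to a set vpn vserver or set vpn sessionAction parameter to change, which keeps the manual update to the documented values only.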
Example commands to update an existing NetScaler Gateway configuration
Add a VPN session action to support Citrix Secure Access-based connections.
add vpn sessionAction AC_AG_PLGspahybrid -splitDns BOTH -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -ClientChoices ON -ntDomain example.corp -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED
Add a VPN session policy to support Citrix Secure Access-based connections.
add vpn sessionPolicy PL_AG_PLUGINspahybrid "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && (HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"plugin\") || HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixSecureAccess\"))" AC_AG_PLGspahybrid
Bind the session policy to the VPN virtual server to support Citrix Secure Access-based connections.
bind vpn vserver spahybrid -policy PL_AG_PLUGINspahybrid -priority 105 -gotoPriorityExpression NEXT -type REQUEST
Bind the Secure Private Access URL to the VPN virtual server.
bind vpn vserver spahybrid -securePrivateAccessUrl "https://spa.example.corp"
Note:
NetScaler Gateway release 14.1–34.42 and later does not support the App Controller server. You must instead bind the Secure Private Access URL to the VPN virtual server.