Update existing NetScaler Gateway configuration
If you are updating an existing NetScaler Gateway configuration, it is recommended that you update the configuration manually. For details, see the following sections:
- Update existing NetScaler Gateway configuration for Web and SaaS apps
- Update existing NetScaler Gateway configuration for TCP/UDP apps
NetScaler Gateway virtual server settings
When you add or update the existing NetScaler Gateway virtual server, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration.
Add a virtual server:
- tcpProfileName: nstcp_default_XA_XD_profile
- deploymentType: ICA_STOREFRONT (available only with the
add vpn vserver
command) - icaOnly: OFF
- dtls: OFF
Update a virtual server:
- tcpProfileName: nstcp_default_XA_XD_profile
- icaOnly: OFF
- dtls: OFF
For details on the virtual server parameters, see vpn-sessionAction.
Update existing NetScaler Gateway configuration for Web and SaaS apps
You can use the ns_gateway_secure_access_update.sh
script on an existing NetScaler Gateway to update the configuration for Web and SaaS apps. However, if you want to update the existing configuration (NetScaler Gateway version 14.1–4.42 and later) manually, use the Example commands to update an existing NetScaler Gateway configuration. Also, you must update the NetScaler Gateway virtual server and session action settings.
You can also use the scripts on an existing NetScaler Gateway to support Secure Private Access. However, the script does not update the following:
- Existing NetScaler Gateway virtual server
- Existing session actions and session policies bound to NetScaler Gateway
Ensure that you review each command before execution and create backups of the gateway configuration.
NetScaler Gateway session actions settings
Session action is bound to a gateway virtual server with session policies. When you create or update a session action, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration.
-
transparentInterception
: OFF -
SSO
: ON -
ssoCredential
: PRIMARY -
useMIP
: NS -
useIIP
: OFF -
icaProxy
: OFF -
wihome
:"https://storefront.mydomain.com/Citrix/MyStoreWeb"
- replace with real store URL. Path to Store/Citrix/MyStoreWeb
is optional. -
ClientChoices
: OFF -
ntDomain
: mydomain.com - used for SSO (optional) -
defaultAuthorizationAction
: ALLOW -
authorizationGroup
: SecureAccessGroup (Make sure that this group is created, it’s used to bind Secure Private Access specific authorization policies) -
clientlessVpnMode
: ON -
clientlessModeUrlEncoding
: TRANSPARENT -
SecureBrowse
: ENABLED -
Storefronturl
:"https://storefront.mydomain.com"
-
sfGatewayAuthType
: domain
Example commands to update an existing NetScaler Gateway configuration
Add/update a virtual server.
add vpn vserver SecureAccess_Gateway SSL 999.999.999.999 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn gateway.mydomain.com -authnProfile auth_prof_name -icaOnly OFF -dtls OFF
Add a session action.
add vpn sessionAction AC_OSspahybrid -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://storefront.example.corp/Citrix/SPAWeb" -ClientChoices OFF -ntDomain example.corp -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://storefront.example.corp" -sfGatewayAuthType domain
add vpn sessionAction AC_WBspahybrid -transparentInterception OFF -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://storefront.example.corp/Citrix/SPAWeb" -ClientChoices OFF -ntDomain example.corp -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://storefront.example.corp" -sfGatewayAuthType domain
Add a session policy.
add vpn sessionPolicy PL_OSspahybrid "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OSspahybrid
add vpn sessionPolicy PL_WBspahybrid "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"plugin\").NOT" AC_WBspahybrid
Bind the session policy to the VPN virtual server.
bind vpn vserver SecureAccess_Gateway -policy PL_OSspahybrid -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver SecureAccess_Gateway -policy PL_WBspahybrid -priority 110 -gotoPriorityExpression NEXT -type REQUEST
Bind the Secure Private Access provider to the VPN virtual server.
bind vpn vserver spahybrid -securePrivateAccessUrl "https://spa.example.corp"
For details on session action parameters, vpn-sessionAction.
Update existing NetScaler Gateway configuration for TCP/UDP apps
Support for TCP/UDP apps in addition to Web/SaaS apps is available starting from NetScaler Gateway version 14.1–25.56. For hybrid deployments, it is recommended to use version 14.1-34.42 to fully leverage TCP/UDP features. If you are updating earlier versions, it is recommended that you update the configuration manually. For details, see Example commands to update an existing NetScaler Gateway configuration. Also, you must update the NetScaler Gateway virtual server and session action settings.
NetScaler Gateway session policy settings
Session action is bound to a gateway virtual server with session policies. When you create or update a session action, ensure that the following parameters are set to the defined values. For sample commands, see Example commands to update an existing NetScaler Gateway configuration. Also, you must update the NetScaler Gateway virtual server and session action settings.
-
transparentInterception
: ON -
SSO
: ON -
ssoCredential
: PRIMARY -
useMIP
: NS -
useIIP
: OFF -
icaProxy
: OFF -
ClientChoices
: ON -
ntDomain
: mydomain.com - used for SSO (optional) -
defaultAuthorizationAction
: ALLOW -
authorizationGroup
: SecureAccessGroup -
clientlessVpnMode
: OFF -
clientlessModeUrlEncoding
: TRANSPARENT -
SecureBrowse
: ENABLED
Example commands to update an existing NetScaler Gateway configuration
-
Add a VPN session action to support Citrix Secure Access-based connections.
add vpn sessionAction AC_AG_PLGspahybrid -splitDns BOTH -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -authorizationGroup SecureAccessGroup -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -ClientChoices ON -ntDomain example.corp -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED
-
Add a VPN session policy to support Citrix Secure Access-based connections.
add vpn sessionPolicy PL_AG_PLUGINspahybrid "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && (HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"plugin\") || HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixSecureAccess\"))" AC_AG_PLGspahybrid
-
Bind the session policy to the VPN virtual server to support Citrix Secure Access-based connections.
bind vpn vserver spahybrid -policy PL_AG_PLUGINspahybrid -priority 105 -gotoPriorityExpression NEXT -type REQUEST
-
Bind the Secure Private Access URL to the VPN virtual server.
bind vpn vserver spahybrid -securePrivateAccessUrl "https://spa.example.corp"
Note:
NetScaler Gateway release 14.1-34.42 and later does not support the App Controller server. You must instead bind the Secure Private Access URL to the VPN virtual server.