- NetScaler Gateway Release Notes
- About NetScaler Gateway
- Common Deployments
- What's New
- Known Issues
- Client Software Requirements
- Compatibility with Citrix Products
- Before Getting Started
Installing the System
- Configuring NetScaler Gateway
- Using the Configuration Utility
- Policies and Profiles on NetScaler Gateway
- Viewing NetScaler Gateway Configuration Settings
- Configuring the NetScaler Gateway by Using Wizards
- Configuring the Host Name and FQDN on NetScaler Gateway
- Installing and Managing Certificates
- Testing Your NetScaler Gateway Configuration
- Creating Virtual Servers
- Configuring IP Addresses on NetScaler Gateway
- Resolving DNS Servers Located in the Secure Network
- Configuring DNS Virtual Servers
- Configuring Name Service Providers
- Configuring Server-Initiated Connections
- Configuring Routing on NetScaler Gateway
- Configuring Auto Negotiation
Authentication and Authorization
- Configuring Default Global Authentication Types
- Configuring Authentication Without Authorization
- Configuring Authorization
- Disabling Authentication
- Configuring Authentication for Specific Times
- How Authentication Policies Work
- Configuring Local Users
- Configuring Groups
- Configuring LDAP Authentication
- Configuring Client Certificate Authentication
- Configuring RADIUS Authentication
- Configuring SAML Authentication
- Configuring TACACS+ Authentication
- Configuring Multifactor Authentication
- Configuring Single Sign-On
- Configuring One-Time Password Use
- nFactor for Gateway Authentication
- Unified Gateway Visualizer
Configuring the VPN User Experience
- How User Connections Work with the NetScaler Gateway Plug-in
- Choosing the User Access Method
- Deploying NetScaler Gateway Plug-ins for User Access
- Selecting the NetScaler Gateway Plug-in for Users
Integrating the NetScaler Gateway Plug-in with Citrix Receiver
- How User Connections Work with Citrix Receiver
- Adding the NetScaler Gateway Plug-in to Citrix Receiver
- Decoupling the Citrix Receiver Icon
- Configuring IPv6 for ICA Connections
- IConfiguring the Receiver Home Page on NetScaler Gateway
- Applying the Receiver Theme to the Logon Page
- Creating a Custom Theme for the Logon Page
- Customizing the User Portal
- Configuring Clientless Access
- Configuring the Client Choices Page
- Configuring Access Scenario Fallback
Configuring Connections for the NetScaler Gateway Plug-in
- Configuring the Number of User Sessions
- Configuring Time-Out Settings
- Connecting to Internal Network Resources
- Configuring Split Tunneling
- Configuring Client Interception
- Configuring Name Service Resolution
- Enabling Proxy Support for User Connections
- Configuring Address Pools
- Supporting VoIP Phones
- Configuring Application Access for the NetScaler Gateway Plug-in for Java
- Configuring the Access Interface
- How a Traffic Policy Works
- Configuring Session Policies
Configuring Endpoint Polices
- How Endpoint Policies Work
- Evaluating User Logon Options
- Setting the Priority of Preauthentication Policies
- Configuring Preauthentication Policies and Profiles
- Configuring Post-Authentication Policies
- Configuring Security Preauthentication Expressions for User Devices
- Configuring Compound Client Security Expressions
- Advanced Endpoint Analysis Scans
- Managing User Sessions
- Configuring Unified Gateway
Deploying in a Double-Hop DMZ
- Deploying NetScaler Gateway in a Double-Hop DMZ
- How a Double-Hop Deployment Works
- Communication Flow in a Double-Hop DMZ Deployment
- Preparing for a Double-Hop DMZ Deployment
Installing and Configuring Netscaler Gateway in a Double-Hop DMZ
- Configuring Settings on the Virtual Servers on the NetScaler Gateway Proxy
- Configuring the Appliance to Communicate with the Appliance Proxy
- Configuring NetScaler Gateway to Handle the STA and ICA Traffic
- Opening the Appropriate Ports on the Firewalls
- Managing SSL Certificates in a Double-Hop DMZ Deployment
Using High Availability
- How High Availability Works
- Configuring Settings for High Availability
- Configuring Communication Intervals
- Synchronizing NetScaler Gateway Appliances
- Synchronizing Configuration Files in a High Availability Setup
- Configuring Command Propagation
- Configuring Fail-Safe Mode
- Configuring the Virtual MAC Address
- Configuring High Availability Pairs in Different Subnets
- Configuring Route Monitors
- Configuring Link Redundancy
- Understanding the Causes of Failover
- Forcing Failover from a Node
- Using Clustering
Maintaining and Monitoring the System
- Configuring Delegated Administrators
- Configuring Auditing on NetScaler Gateway
- Enabling NetScaler Gateway Plug-in Logging
- To monitor ICA connections
- Integrating with Citrix Products
- How Users Connect to Applications, Desktops, and ShareFile
- Deploying with XenMobile App Edition, XenApp, and XenDesktop
Accessing XenApp and XenDesktop Resources with the Web Interface
- Integrating NetScaler Gateway with XenApp or XenDesktop
- Establishing a Secure Connection to the Server Farm
- Deploying with the Web Interface
- Setting Up a Web Interface Site to Work
- Configuring Communication with the Web Interface
- Configuring Additional Web Interface Settings on NetScaler Gateway
- Configuring Access to Applications and Virtual Desktops in the Web Interface
- Configuring SmartAccess
- Configuring SmartControl
Configuring Single Sign-On to the Web Interface
- To configure single sign-on to Web applications globally
- To configure single sign-on to Web applications by using a session policy
- To define the HTTP port for single sign-on to web applications
- Additional Configuration Guidelines
- To test the single sign-on connection to the Web Interface
- Configuring Single Sign-On to the Web Interface by Using a Smart Card
- To configure single sign-on for XenApp and file shares
- Allowing File Type Association
Integrating with App Controller or StoreFront
- How NetScaler Gateway and App Controller Integrate
- Creating Policies with the Quick Configuration Wizard
- Configuring NetScaler Gateway and App Controller
- Configuring Session Policies and Profiles for App Controller and StoreFront
- Configuring Custom Clientless Access Policies for Receiver
- Configuring Custom Clientless Access Policies for Receiver for Web
- Using WebFront to Integrate with StoreFront
- Integrate NetScaler Gateway with StoreFront
Configuring Settings for Your XenMobile Environment
- Configuring Load Balancing Servers for XenMobile
- Configuring Load Balancing Servers for Microsoft Exchange with Email Security Filtering
- Configuring XenMobile NetScaler Connector (XNC) ActiveSync Filtering
- Allowing Access from Mobile Devices with XenMobile Apps
- Configuring Domain and Security Token Authentication for XenMobile
- Configuring Client Certificate or Client Certificate and Domain Authentication
- Optimizing Network Traffic with CloudBridge
- RfWebUI Persona on Gateway UX Configuration
- Stateless RDP Proxy
- HDX Enlightened Data Transport Support
- Microsoft Intune Integration
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
이 기사는 기계 번역되었습니다.
Este artigo foi traduzido automaticamente.
Stateless RDP Proxy
The Stateless RDP Proxy accesses a RDP host. Access is granted through the RDPListener on Citrix Gateway when the user authenticates on a separate Citrix Gateway Authenticator. The information required by the RDPListener for Citrix Gateway is securely stored on a STA Server.
The flow and new knobs created for this functionality are described here.
This solution should meet the following conditions:
• User is authenticated on Citrix Gateway Authenticator.
• The initial /rdpproxy URL and RDP Client are connected to a different RDPListener Citrix Gateway.
• The RDPListener Gateway information is securely passed by the Authenticator Gateway using a STA Server.
Add a new rdpServer Profile. The server profile is configured on the RDPListener Gateway.
add rdpServer Profile <profilename> -rdpIP <IPV4 address of the RDP listener> -rdpPort <port for terminating RDP client connections> -psk <key to decrypt RDPTarget/RDPUser information, needed while using STA>
For stateless RDP proxy, the STA Server validates the STA ticket, which is sent by the RDP client, to obtain the RDP Target/RDPUser information.
The rdpServer Profile is configured on the ‘vpn vserver’.
add vpn vserver v1 SSL <publicIP> <portforterminatingvpnconnections> -rdpServerProfile <rdpServer Profile>
Once the rdpServerProfile is configured on the vpn vserver, it cannot be modified. Also, the same serverProfile cannot be reused on another vpn vserver.
The rdp profile command was renamed as rdpClient profile and has new parameters. The multiMonitorSupport command was added. Also, an option to configure custom params, which are not supported as part ofthe RDP client profile, has been added. The clientSSL param was removed, since the connection is always secured. The client profile is configured on the Authenticator Gateway.
add rdpClient profile <name> -rdpHost <optional FQDN that will be put in the RDP file as ‘fulladdress’> [-rdpUrlOverride ( ENABLE | DISABLE )] [-redirectClipboard ( ENABLE | DISABLE )] [-redirectDrives ( ENABLE | DISABLE )] [-redirectPrinters ( ENABLE | DISABLE )] [-keyboardHook <keyboardHook>] [-audioCaptureMode ( ENABLE | DISABLE )] [-videoPlaybackMode ( ENABLE | DISABLE )] [-rdpCookieValidity <positive_integer>][-multiMonitorSupport ( ENABLE | DISABLE )] [-rdpCustomParams <string>] The –rdpHost configuration is used in a single Gateway deployment.
• Associate the RDP Profile with the vpn vserver.
This can be done either by configuring a sessionAction+sessionPolicy or by setting the global vpn parameter.
add vpn sessionaction <actname> -rdpClientprofile <rdpprofilename> add vpn sessionpolicy <polname> NS_TRUE <actname> bind vpn vserver <vservername> -policy <polname> -priority <prioritynumber> OR set vpn parameter –rdpClientprofile <name>
A new connection counter ns_rdp_tot_curr_active_conn was added, which keeps the record of number of active connections in use. It can be viewed as a part of nsconmsg command on NetScaler shell. Later, we will be providing a new CLI command to view this counters.
There are two connections involved in the RDP Proxy flow. The first connection is the user’s SSL VPN connection to the Citrix Gateway VIP, and enumeration of the RDP resources.
The second connection is the native RDP client connection to the RDP listener (configures using rdpIP and rdpPort) on the Citrix Gateway, and subsequent proxying of the RDP client to server packets securely.
• User connects to the Authenticator Gateway VIP and provides his/her credentials.
• After successful login to the Gateway, user is redirected to the homepage/external portal which enumerates the remote desktop resources that the user can access.
• Once the user selects a RDP resource, a request is received by the Authenticator Gateway VIP, in the format
https://AGVIP/rdpproxy/ip:port/rdptargetproxy indicating the published resource that the user clicked. This request has the information about the IP and port of the RDP server that the user has selected.
• The /rdpproxy/ request is processed by the Authenticator Gateway. Since the user is already authenticated, this request comes with a valid Gateway cookie.
• The RDPTarget and RDPUser information is stored on the STA server and a STA Ticket is generated. The information is stored as an XML blob which is optionally encrypted using the configured pre-shared key. If encrypted, the blob is base64 encoded and stored. The Authenticator Gateway will use one of the STA servers that is configured on the Gateway Vserver.
• The XML blob will be in this format
<Value name=”IPAddress”>ipaddr</Value>\n<Value name=”Port”>port</Value>\n
<Value name=”Username”>username</Value>\n<Value name=”Password”>pwd</Value>
• The “rdptargetproxy” obtained in the /rdpproxy/ request is put as the ‘fulladdress’ and the STA ticket (pre-pended with the STA AuthID) is put as the ‘loadbalanceinfo’ in the .rdp file.
• The .rdp file is sent back to the client end-point.
• The native RDP client launches and connects to the RDPListener Gateway. It sends the STA ticket in the initial x.224 packet.
• The RDPListener Gateway validates the STA ticket and obtains the RDPTarget and RDPUser information. The STA server to be used is retrieved using the ‘AuthID’ present in the loadbalanceinfo.
• A Gateway session is created for storing authorization/auditing policies. If a session already exists for the user, it is re-used.
• The RDPListener Gateway connects to the RDPTarget and single signs on using CREDSSP.
If the RDP file is generated using the /rdpproxy/rdptarget/rdptargetproxy URL, we will generate a STA ticket, otherwise the current method of the ‘loadbalanceinfo’ referring to the session directly will be used.
In case of a single gateway deployment, the /rdpproxy URL comes to the Authenticator Gateway itself. A STA server is not required. The authenticator gateway encodes the RDPTarget and the AAA session cookie securely and sends this as the ‘loadbalanceinfo’ in the .rdp file. When the RDP Client sends this token in the x.224 packet, the authenticator gateway decodes the RDPTarget information, looks up the session and connects to the RDPTarget.
Earlier configuration doesn’t work with this new release, since the parameters rdpIP and rdpPort, which were earlier configured on vpn vserver has been updated to be part of the rdpServerProfile and ‘rdp Profile’ has been renamed as ‘rdp ClientProfile’ and the old parameter clientSSL has been removed.
In this build the data between the Gateway and STA server is not encrypted using the preshared key, and is sent unencrypted. This will be addressed in the GA.
1. Go to Citrix Gateway > Policies > RDP.
2. Go to Server Profiles tab and click Add.
3. Enter the following information to create the RDP Server Profile.
1. Go to Citrix Gateway > Policies > RDP
2. Go to Client Profiles tab and click Add.
3. Enter the following information to configure the RDP Server Profile.
- Go to Citrix Gateway > Virtual Server.
- Click Add to create a new RDP Server.
3. Complete the data on this Basic Settings page and click OK.
4. Click the pencil to edit the page.