NetScaler Gateway

Creating Policies with the Quick Configuration Wizard

October 5, 2020

Contributed by:

S C

Note: App Controller is no longer supported.

You can configure settings in NetScaler Gateway to enable communication with App Controller, StoreFront, or the Web Interface by using the Quick Configuration wizard. When you complete the configuration, the wizard creates the correct policies for communication between NetScaler Gateway, App Controller, StoreFront, or the Web Interface. These policies include authentication, session, and clientless access policies. When the wizard completes, the policies are bound to the virtual server that the wizard creates.

When you complete the Quick Configuration wizard, NetScaler Gateway can communicate with App Controller or StoreFront, and users can access their Windows-based applications and virtual desktops and web, SaaS, and mobile apps. Users can then connect directly to App Controller.

During the wizard, you configure the following settings:

Virtual server name, IP address, and port
Redirection from an unsecure to a secure port
Certificates
LDAP server
RADIUS server
Client certificate for authentication (only for two-factor authentication)
App Controller, StoreFront, or Web Interface

You can configure certificates for NetScaler Gateway in the Quick Configuration wizard by using the following methods:

Select a certificate that is installed on the appliance.
Install a certificate and private key.
Select a test certificate. Note: If you use a test certificate, you must add the fully qualified domain name (FQDN) that is in the certificate.

The Quick Configuration wizard supports LDAP, RADIUS, and client certificate authentication. You can configure two-factor authentication in the wizard by following these guidelines:

If you select LDAP as your primary authentication type, you can configure RADIUS as the secondary authentication type.
If you select RADIUS as your primary authentication type, you can configure LDAP as the secondary authentication type.
If you select client certificates as your primary authentication type, you can configure LDAP or RADIUS as the secondary authentication type.

You can only configure one LDAP authentication policy by using the Quick Configuration wizard. The wizard does not allow you to configure multiple LDAP authentication policies. If you run the wizard more than one time and want to use a different LDAP policy, you must configure the additional policies manually. For example, you want to configure one policy that uses sAMAccountName in the Server Logon Name Attribute field and a second LDAP policy that uses the User Principal Name (UPN) in the Server Logon Name Attribute field. To configure these separate policies, use the configuration utility to create the authentication policies. For more information about configuring NetScaler Gateway to authenticate user access with one or more LDAP servers, see Configuring LDAP Authentication.

When you create a virtual server by using the Quick Configuration wizard, if you want to remove the virtual server at a later time, Citrix recommends removing it by using the Home tab. When you use this method to remove the virtual server, the policies and profiles configured through the wizard are removed. If you remove the virtual server by using the Configuration tab, the policies and profiles are not removed. The wizard does not remove the following items:

Certificate key pair created during the wizard are not removed, even if the certificate is not bound to a virtual server
LDAP authentication policy and profile remains if the policy is bound to another virtual server. NetScaler Gateway removes the LDAP policy only if the policy is not bound to a virtual server.

The following tables describe the policies and profiles that the Quick Configuration wizard creates. As described in the tables, the policies and profiles that are configured depend on how users connect - with either the NetScaler Gateway Plug-in, Citrix Receiver, or Worx Home. The policies that are enforced depend on the XenMobile Universal or Platform license that is used when users connect. When you purchased NetScaler Gateway, you also purchased a set number of Universal licenses; for example, 100. If users connect with the NetScaler Gateway Plug-in, the session uses one Universal license. If users connect with Receiver to access Windows-based applications or XenDesktop, the session uses the Platform license. If users connect from a mobile device by using micro VPN, and connect with Worx Home, or start apps, such as WorxMail or WorxWeb, the session uses a Universal license.

Session Policies, Expressions, and Profiles for the Universal License

The Quick Configuration wizard creates the following session policies and expressions that are enforced when the session uses the Universal license.

Policy type	Expression
Session - Worx Home or Receiver	REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS
Session - Receiver for Web	REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
Session - NetScaler Gateway	REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS

The following table shows the session profile settings that the Quick Configuration wizard creates for each session policy type in the preceding table. The first column describes where to find the profile setting or the tab in the session profile in the configuration utility.

The StoreFront URL you enter depends on how users connect. If users connect by using Receiver for Web or by using a web browser, you use the URL form https://SF-FQDN/Citrix/StoreWeb. If users connect by using Receiver on Windows, Mac, or mobile devices, you use the URL form https://SF-FQDN/Citrix/Store.

Profile location	Profile setting	Receiver	Receiver for Web	NetScaler Gateway
Resources > Intranet Applications	Transparent interception	N/A	Off	On
Session >Client Experience tab	Clientless access	On	On	Off
Session >Published Applications tab	ICA Proxy	Off	Off	Off
Session >Client Experience tab	Single sign-on to Web applications	On	On	On
Session >Published Applications tab	Single sign-on domain	App Controller StoreWeb URL	App Controller StoreWeb URL	App Controller StoreWeb URL
Session >Published Applications tab	Web Interface Address	App Controller StoreWeb URL	App Controller StoreWeb URL	App Controller StoreWeb URL
Session >Published Applications tab	Account Services Address	StoreFront URL	N/A	StoreFront URL
Session >Client Experiences tab	Split Tunnel	Off	N/A	Off
Session >Client Experiences tab	Clientless Access URL Encoding	Clear	N/A	Clear
Session >Client Experiences tab	Home Page	N/A	App Controller StoreWeb URL	App Controller StoreWeb URL
Session >Client Experiences tab and then click the Advanced Settings > General tab	Client Choices	Off	Off	Off
Session >Security tab	Default Authorization Action	Allow	Allow	Allow
Session >Client Experiences tab	Session Time-out (mins)	24 hours	N/A	N/A
Session >Client Experiences tab	Client Idle Time-out (mins)	(0) disabled	N/A	N/A
Session >Network Configuration tab and then click Advanced Settings	Forced Time-out (mins)	24 hours	N/A	N/A

Clientless Access Profile Settings for the Universal License

The Quick Configuration wizard creates the following clientless access profile settings for the Universal license:

Configure Domains for Clientless Access to allow access. Configures the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
App Controller URL. Configures the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
ShareFile. Allows for up to five bindings. Configure the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com

Clientless Access Settings and Rules for the Universal License

The following table lists the clientless access policy settings that are enforced when the session uses the Universal license.

Policy name	Rule	Profile	URL rewrite label	Javascript rewrite label	Pattern set	Comments
CLT_LESS_VIP	Receiver_NoRewrite	NO_RW_VIP	Default	Default	Default	Receiver_NoRewrite
CLT_LESS_RF_VIPCLT_LESS_RF_VIP	True	ST_WB_RW_VIP	ns_cvpn_default_inet_url_label	Default	STORE_WEB_COOKIES<VIP>	RfWeb_Rewrite

The pattern set STORE_WEB_COOKIES for Receiver for Web appends the NetScaler Gateway virtual IP address to the name, as shown in the next figure:

Figure 1. Pattern Set for Receiver for Web

Cookie pattern set

Session Policies, Rules, and Profiles for the Platform License

The Platform license with NetScaler Gateway allows for an unlimited number of ICA connections to Windows-based applications and desktops hosted by XenApp and XenDesktop. The following tables show the session rules and session policy settings for users who connect with Citrix Receiver.

Policy type	Rule
Session - Operating System and NetScaler Gateway	REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver		REQ.HTTP.HEADER Referer NOTEXISTS
Session - Receiver for Web	ns_true

Profile location	Profile setting	Operating system/NetScaler Gateway	Web
Resources > Intranet Applications	Transparent interception	N/A	Off
Session >Client Experience tab	Clientless Access	Off	Off
Session >Published Applications tab	ICA Proxy	On	On
Session >Client Experience tab	Single Sign-on to Web Applications	On	On
Session >Published Applications tab	Single Sign-on Domain	Set	Set
Session >Published Applications tab	Web Interface Address	config.xml if Web Interface
StoreFront URL with StoreWeb	StoreFront URL
Session >Published Applications tab	Account Services Address	StoreFront URL with StoreWeb	N/A
Session >Client Experiences tab	Split Tunnel	Off	N/A
Session >Client Experiences tab	Clientless Access URL Encoding	N/A	N/A
Session >Client Experiences tab	Home Page	N/A	N/A
Session >Client Experiences tab and then click the Advanced Settings > General tab	Client Choices	Off	Off
Session >Security tab	Default Authorization Action	Allow	Allow
Session >Client Experiences tab	Session Time-out (mins)	N/A	N/A
Session >Client Experiences tab	Client Idle Time-out (mins)	N/A	N/A
Session >Network Configuration tab and then click Advanced Settings	Forced Time-out (mins)	N/A	N/A

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Creating Policies with the Quick Configuration Wizard

October 5, 2020

Contributed by:

S C

October 5, 2020

Contributed by:

S C

Creating Policies with the Quick Configuration Wizard

Session Policies, Expressions, and Profiles for the Universal License

Clientless Access Profile Settings for the Universal License

Clientless Access Settings and Rules for the Universal License

Session Policies, Rules, and Profiles for the Platform License

Creating Policies with the Quick Configuration Wizard

In this article