Creating Policies with the Quick Configuration Wizard
Note: App Controller is no longer supported.
You can configure settings in NetScaler Gateway to enable communication with App Controller, StoreFront, or the Web Interface by using the Quick Configuration wizard. When you complete the configuration, the wizard creates the correct policies for communication between NetScaler Gateway, App Controller, StoreFront, or the Web Interface. These policies include authentication, session, and clientless access policies. When the wizard completes, the policies are bound to the virtual server that the wizard creates.
When you complete the Quick Configuration wizard, NetScaler Gateway can communicate with App Controller or StoreFront, and users can access their Windows-based applications and virtual desktops and web, SaaS, and mobile apps. Users can then connect directly to App Controller.
During the wizard, you configure the following settings:
- Virtual server name, IP address, and port
- Redirection from an unsecure to a secure port
- Certificates
- LDAP server
- RADIUS server
- Client certificate for authentication (only for two-factor authentication)
- App Controller, StoreFront, or Web Interface
You can configure certificates for NetScaler Gateway in the Quick Configuration wizard by using the following methods:
- Select a certificate that is installed on the appliance.
- Install a certificate and private key.
- Select a test certificate. Note: If you use a test certificate, you must add the fully qualified domain name (FQDN) that is in the certificate.
The Quick Configuration wizard supports LDAP, RADIUS, and client certificate authentication. You can configure two-factor authentication in the wizard by following these guidelines:
- If you select LDAP as your primary authentication type, you can configure RADIUS as the secondary authentication type.
- If you select RADIUS as your primary authentication type, you can configure LDAP as the secondary authentication type.
- If you select client certificates as your primary authentication type, you can configure LDAP or RADIUS as the secondary authentication type.
You can only configure one LDAP authentication policy by using the Quick Configuration wizard. The wizard does not allow you to configure multiple LDAP authentication policies. If you run the wizard more than one time and want to use a different LDAP policy, you must configure the additional policies manually. For example, you want to configure one policy that uses sAMAccountName in the Server Logon Name Attribute field and a second LDAP policy that uses the User Principal Name (UPN) in the Server Logon Name Attribute field. To configure these separate policies, use the configuration utility to create the authentication policies. For more information about configuring NetScaler Gateway to authenticate user access with one or more LDAP servers, see Configuring LDAP Authentication.
When you create a virtual server by using the Quick Configuration wizard, if you want to remove the virtual server at a later time, Citrix recommends removing it by using the Home tab. When you use this method to remove the virtual server, the policies and profiles configured through the wizard are removed. If you remove the virtual server by using the Configuration tab, the policies and profiles are not removed. The wizard does not remove the following items:
- Certificate key pair created during the wizard are not removed, even if the certificate is not bound to a virtual server
- LDAP authentication policy and profile remains if the policy is bound to another virtual server. NetScaler Gateway removes the LDAP policy only if the policy is not bound to a virtual server.
The following tables describe the policies and profiles that the Quick Configuration wizard creates. As described in the tables, the policies and profiles that are configured depend on how users connect - with either the NetScaler Gateway Plug-in, Citrix Receiver, or Worx Home. The policies that are enforced depend on the XenMobile Universal or Platform license that is used when users connect. When you purchased NetScaler Gateway, you also purchased a set number of Universal licenses; for example, 100. If users connect with the NetScaler Gateway Plug-in, the session uses one Universal license. If users connect with Receiver to access Windows-based applications or XenDesktop, the session uses the Platform license. If users connect from a mobile device by using micro VPN, and connect with Worx Home, or start apps, such as WorxMail or WorxWeb, the session uses a Universal license.
Session Policies, Expressions, and Profiles for the Universal License
The Quick Configuration wizard creates the following session policies and expressions that are enforced when the session uses the Universal license.
| Policy type | Expression |
|---|---|
| Session - Worx Home or Receiver | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS |
| Session - Receiver for Web | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver |
| Session - NetScaler Gateway | REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS |
The following table shows the session profile settings that the Quick Configuration wizard creates for each session policy type in the preceding table. The first column describes where to find the profile setting or the tab in the session profile in the configuration utility.
The StoreFront URL you enter depends on how users connect. If users connect by using Receiver for Web or by using a web browser, you use the URL form https://SF-FQDN/Citrix/StoreWeb. If users connect by using Receiver on Windows, Mac, or mobile devices, you use the URL form https://SF-FQDN/Citrix/Store.
| Profile location | Profile setting | Receiver | Receiver for Web | NetScaler Gateway |
|---|---|---|---|---|
| Resources > Intranet Applications | Transparent interception | N/A | Off | On |
| Session >Client Experience tab | Clientless access | On | On | Off |
| Session >Published Applications tab | ICA Proxy | Off | Off | Off |
| Session >Client Experience tab | Single sign-on to Web applications | On | On | On |
| Session >Published Applications tab | Single sign-on domain | App Controller StoreWeb URL | App Controller StoreWeb URL | App Controller StoreWeb URL |
| Session >Published Applications tab | Web Interface Address | App Controller StoreWeb URL | App Controller StoreWeb URL | App Controller StoreWeb URL |
| Session >Published Applications tab | Account Services Address | StoreFront URL | N/A | StoreFront URL |
| Session >Client Experiences tab | Split Tunnel | Off | N/A | Off |
| Session >Client Experiences tab | Clientless Access URL Encoding | Clear | N/A | Clear |
| Session >Client Experiences tab | Home Page | N/A | App Controller StoreWeb URL | App Controller StoreWeb URL |
| Session >Client Experiences tab and then click the Advanced Settings > General tab | Client Choices | Off | Off | Off |
| Session >Security tab | Default Authorization Action | Allow | Allow | Allow |
| Session >Client Experiences tab | Session Time-out (mins) | 24 hours | N/A | N/A |
| Session >Client Experiences tab | Client Idle Time-out (mins) | (0) disabled | N/A | N/A |
| Session >Network Configuration tab and then click Advanced Settings | Forced Time-out (mins) | 24 hours | N/A | N/A |
Clientless Access Profile Settings for the Universal License
The Quick Configuration wizard creates the following clientless access profile settings for the Universal license:
- Configure Domains for Clientless Access to allow access. Configures the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
- App Controller URL. Configures the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
- ShareFile. Allows for up to five bindings. Configure the pattern set ns_cvpn_default_inet_domains <App Controller FQDN>. For example, ns_cvpn_default_inet_domainsAppController_domain_com
Clientless Access Settings and Rules for the Universal License
The following table lists the clientless access policy settings that are enforced when the session uses the Universal license.
| Policy name | Rule | Profile | URL rewrite label | Javascript rewrite label | Pattern set | Comments |
|---|---|---|---|---|---|---|
| CLT_LESS_VIP | Receiver_NoRewrite | NO_RW_VIP | Default | Default | Default | Receiver_NoRewrite |
| CLT_LESS_RF_VIPCLT_LESS_RF_VIP | True | ST_WB_RW_VIP | ns_cvpn_default_inet_url_label | Default | STORE_WEB_COOKIES<VIP> | RfWeb_Rewrite |
The pattern set STORE_WEB_COOKIES for Receiver for Web appends the NetScaler Gateway virtual IP address to the name, as shown in the next figure:
Figure 1. Pattern Set for Receiver for Web
Session Policies, Rules, and Profiles for the Platform License
The Platform license with NetScaler Gateway allows for an unlimited number of ICA connections to Windows-based applications and desktops hosted by XenApp and XenDesktop. The following tables show the session rules and session policy settings for users who connect with Citrix Receiver.
| Policy type | Rule | ||
|---|---|---|---|
| Session - Operating System and NetScaler Gateway | REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver | REQ.HTTP.HEADER Referer NOTEXISTS | |
| Session - Receiver for Web | ns_true |
| Profile location | Profile setting | Operating system/NetScaler Gateway | Web |
|---|---|---|---|
| Resources > Intranet Applications | Transparent interception | N/A | Off |
| Session >Client Experience tab | Clientless Access | Off | Off |
| Session >Published Applications tab | ICA Proxy | On | On |
| Session >Client Experience tab | Single Sign-on to Web Applications | On | On |
| Session >Published Applications tab | Single Sign-on Domain | Set | Set |
| Session >Published Applications tab | Web Interface Address | config.xml if Web Interface | |
| StoreFront URL with StoreWeb | StoreFront URL | ||
| Session >Published Applications tab | Account Services Address | StoreFront URL with StoreWeb | N/A |
| Session >Client Experiences tab | Split Tunnel | Off | N/A |
| Session >Client Experiences tab | Clientless Access URL Encoding | N/A | N/A |
| Session >Client Experiences tab | Home Page | N/A | N/A |
| Session >Client Experiences tab and then click the Advanced Settings > General tab | Client Choices | Off | Off |
| Session >Security tab | Default Authorization Action | Allow | Allow |
| Session >Client Experiences tab | Session Time-out (mins) | N/A | N/A |
| Session >Client Experiences tab | Client Idle Time-out (mins) | N/A | N/A |
| Session >Network Configuration tab and then click Advanced Settings | Forced Time-out (mins) | N/A | N/A |