NetScaler with Unified Gateway: One URL
NetScaler with Unified Gateway enables simplified secure access to any application through a single URL for desktop and mobile users. Behind this single URL, administrators have a single point for configuration, security, and control of remote access to applications, and remote users get an improved experience: seamless single sign-on to all the applications they need, with the convenience of logging in and out only once.
To accomplish this, NetScaler with Unified Gateway, together with NetScaler’s Content Switching capabilities and extensive authentication infrastructure, provides access to organizational sites and apps through this single URL. Additionally, remote users can use iOS or Android mobile devices and Linux, PC, or Mac systems with the NetScaler Gateway client plug-ins for uniform access to the Unified Gateway URL, wherever they may be.
A Unified Gateway deployment allows single URL access to the following categories of applications:
- Intranet applications
- Clientless applications
- Software as a Service applications
- Preconfigured applications served by NetScaler
- Citrix XenApp or XenDesktop published applications
Intranet applications may be any web-based application that resides inside the secure enterprise network. These are internal resources such as an organizational intranet site, a bug tracking application, or a wiki.
The clientless applications to which Unified Gateway provides single URL access are Outlook Web Access and SharePoint, which typically also reside inside the secure enterprise network. These applications provide access to Exchange email and team resources without dedicated client software having to be installed on remote users’ devices.
SaaS applications, also commonly known as Cloud Apps, are external, cloud-based applications that organizations depend on, such as ShareFile, SalesForce, or NetSuite. SAML-based single sign-on is supported with those SaaS applications that offer it.
Some organizations have preconfigured NetScaler-served applications deployed in a NetScaler ADC load-balanced configuration; this is often also referred to as a ‘reverse-proxy’ application. Unified Gateway supports these applications when a virtual server for the deployment resides on the same NetScaler Unified Gateway instance or appliance. These applications may have their own authentication configuration, independent of the Unified Gateway configuration’s.
Any Citrix XenApp or XenDesktop published application can be made available through a Unified Gateway URL. SmartAccess and SmartControl policies can optionally be applied for granular policy and access control over these resources.
The Unified Gateway Configuration Wizard
The recommended method of configuring a NetScaler with Unified Gateway deployment is to use the Unified Gateway configuration wizard. The wizard walks you through configuration, creates all the necessary virtual servers, policies, and expressions, and applies settings based on the details provided. After initial setup, the wizard can also be used to manage your deployment and monitor its operation.
The Unified Gateway configuration wizard does not perform an initial system configuration. Your NetScaler Gateway appliance or VPX instance must have basic installation completed before you configure Unified Gateway. Refer to the installation instructions for Configuring NetScaler Gateway with the First-time Setup Wizard to complete basic configuration.
The Unified Gateway elements configured by the wizard are:
- The Unified Gateway primary virtual server
- An SSL Server Certificate for the Unified Gateway virtual server
- A primary and any optional secondary authentication configuration
- A portal theme selection and optional customization
- The user applications that are to be accessed through the Unified Gateway portal
For each of these elements, you need to provide configuration information. For a basic Unified Gateway deployment, the following information is needed.
- For the primary Unified Gateway virtual server, the public IP address and IP port number for the deployment. This is the IP address to which the Unified Gateway URL’s hostname resolves in DNS. For example, if your Unified Gateway deployment’s URL is https://mycompany.com/, the hostname mycompany.com must resolve to this IP address.
- The signed SSL Server Certificate for the deployment. NetScaler Gateway supports PEM or PFX formatted certificates.
- Primary authentication server information. The authentication systems supported for this authentication configuration are LDAP/Active Directory, RADIUS, and certificate-based authentication. A secondary LDAP or RADIUS authentication configuration may be created as well. The authentication server IP address(es) must be provided, along with any relevant administrator credentials or directory attributes. For certificate authentication, the device certificate attributes and a CA certificate must be provided.
- A portal theme may be selected. If a customized or branded portal design is desired, custom graphics may be uploaded to the system with the wizard.
- For web-based user applications, the URLs of the individual applications must be specified. For web applications that are to use SAML single sign-on, the utility collects the Assertion Consumer Service URL along with other optional SAML parameters. Gather the configuration details in advance for the applications that use SAML authentication.
- For XenDesktop and XenApp published resources to be made available through the Unified Gateway deployment, you need to specify the integration point (StoreFront, the Web Interface, or Web Interface on NetScaler). The utility requires the integration point’s fully qualified domain name, the site path, the single sign-on domain, the Secure Ticket Authority (STA) server URL, and other details depending on the type of integration point.
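The following NetScaler CLI sequence is an added example, not part of the original page and not Citrix’s own wizard output; it shows the objects the wizard builds from the information listed above (Content Switching virtual server on the public IP, server certificate, non-addressable VPN virtual server, LDAP primary authentication, intranet and clientless application bookmarks, STA server), so that you can recognise them when reviewing the configuration the wizard produced. All names, IP addresses, hostnames, file names and the bind DN are constructed placeholders and are assumptions.

```nscli
# Added example (not from the page or from Citrix). Constructed placeholders:
# public IP 203.0.113.10, hostname ug.example.com, directory 10.0.0.5, object names *_example.

# 1. Public entry point: the Content Switching virtual server behind the single URL.
#    ug.example.com must resolve in DNS to 203.0.113.10 before users can reach it.
add cs vserver UG_CS_example SSL 203.0.113.10 443

# 2. Signed server certificate for the single URL (PEM files already uploaded to /nsconfig/ssl).
add ssl certKey ug_example_cert -cert ug_example.pem -key ug_example.key
bind ssl vserver UG_CS_example -certkeyName ug_example_cert

# 3. Non-addressable VPN virtual server (0.0.0.0, port 0) that carries the Gateway configuration.
add vpn vserver UG_VPN_example SSL 0.0.0.0 0

# 4. Content Switching action/policy that sends every request on the single URL to the VPN vserver.
add cs action UG_VPN_example_act -targetVserver UG_VPN_example
add cs policy UG_VPN_example_pol -rule true -action UG_VPN_example_act
bind cs vserver UG_CS_example -policyName UG_VPN_example_pol -priority 100

# 5. Primary authentication: LDAP over SSL against Active Directory, bound to the VPN vserver.
#    The bind account only needs read access to the directory; do not reuse a privileged account.
add authentication ldapAction ldap_corp_act -serverIP 10.0.0.5 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc_ns_ldap,ou=service,dc=corp,dc=example" -ldapBindDnPassword "<bind-password-placeholder>" -ldapLoginName sAMAccountName
add authentication ldapPolicy ldap_corp_pol ns_true ldap_corp_act
bind vpn vserver UG_VPN_example -policy ldap_corp_pol -priority 100

# 6. Intranet application (full VPN) and clientless application (OWA) published as portal bookmarks.
add vpn url wiki_link "Team Wiki" "https://wiki.corp.example/" -clientlessAccess OFF
add vpn url owa_link "Outlook Web Access" "https://mail.corp.example/owa/" -clientlessAccess ON
bind vpn vserver UG_VPN_example -urlName wiki_link
bind vpn vserver UG_VPN_example -urlName owa_link

# 7. XenApp/XenDesktop: the Secure Ticket Authority the gateway validates ICA launch tickets against.
bind vpn vserver UG_VPN_example -staServer "https://sta.corp.example"

save ns config
```

The classic `ldapPolicy` / `ns_true` form is used here for brevity; on builds that have moved to advanced authentication policies, the LDAP action is bound through an authentication virtual server and authentication profile instead, but the resulting objects serve the same role. Running `show cs vserver UG_CS_example` and `show vpn vserver UG_VPN_example` afterwards confirms that the certificate, policy and STA bindings landed on the intended entity.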
Additional Configuration Management
For site-specific settings not available in the Unified Gateway configuration utility, such as alternative SSL settings or session policies, you can manage the needed settings in the NetScaler configuration utility. You can modify these settings on the Content Switching or VPN virtual servers once the Unified Gateway configuration utility has created them.
Content Switching Virtual Server
This is the NetScaler configuration entity behind the deployment’s main IP address and URL. The SSL Server Certificates and parameters are managed on this virtual server. As this virtual server is the responding network host for the deployment, the ICMP server response and RHI state can be modified on this virtual server, if necessary. The Content Switching virtual server can be found under the Configuration tab at Traffic Management > Content Switching > Virtual Servers.
VPN Virtual Server
All of the other VPN parameters, profiles, and policy bindings for the Unified Gateway configuration are managed on this virtual server, including the main authentication configuration. This entity is managed under the Configuration tab at NetScaler Gateway > Virtual Servers. The name of the relevant VPN virtual server includes the name given to the Content Switching virtual server during initial Unified Gateway configuration.
The VPN virtual servers created for a Unified Gateway deployment are non-addressable and are assigned the IP address 0.0.0.0.
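As an added example of the post-wizard management described in this section (it is not from the original page or from Citrix), the commands below adjust settings the wizard does not expose: SSL protocol versions and the ICMP/RHI behaviour on the Content Switching virtual server, and a session policy on the VPN virtual server. The object names UG_CS_example and UG_VPN_example are constructed placeholders for the entities the wizard created and are assumptions; substitute the names shown under Traffic Management > Content Switching > Virtual Servers and NetScaler Gateway > Virtual Servers.

```nscli
# Added example (not from the page or from Citrix). UG_CS_example / UG_VPN_example are
# constructed placeholder names for the wizard-created virtual servers.

# Content Switching vserver: the entity that answers on the public IP and terminates SSL.
# Disable legacy protocol versions on the front end; TLS 1.2 remains enabled.
set ssl vserver UG_CS_example -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED

# ICMP response and Route Health Injection are controlled here, not on the VPN vserver.
# PASSIVE keeps the host answering pings / advertising the route regardless of vserver state.
set cs vserver UG_CS_example -icmpVsrResponse PASSIVE -RHIstate PASSIVE

# VPN vserver: session policy that decides what a signed-on session may do.
# Default authorization DENY means access must be granted explicitly by authorization
# policies for each resource (least privilege); clientless mode and SSO are enabled.
add vpn sessionAction ug_session_act -defaultAuthorizationAction DENY -clientlessVpnMode ON -sso ON
add vpn sessionPolicy ug_session_pol ns_true ug_session_act
bind vpn vserver UG_VPN_example -policy ug_session_pol -priority 100

# Verify where each setting landed: SSL and ICMP/RHI on the CS vserver, session policy on the VPN vserver.
show ssl vserver UG_CS_example
show cs vserver UG_CS_example
show vpn vserver UG_VPN_example

save ns config
```

Because the VPN virtual server is non-addressable (0.0.0.0), any change that concerns the network-facing side of the deployment (certificate, cipher and protocol settings, ICMP and RHI) belongs on the Content Switching virtual server; changes that concern the user session, authentication, or published resources belong on the VPN virtual server.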