Product Documentation

How User Connections Work

Users can connect to their emails, file shares, and other network resources from a remote location. Users can connect to internal network resources with the following software:

  • Citrix Gateway Plug-in
  • Citrix Receiver
  • WorxMail and WorxWeb
  • Android and iOS mobile devices

Connecting with the Citrix Gateway Plug-in

The Citrix Gateway Plug-in allows user access to resources in the internal network through the following steps:

  1. A user connects to Citrix Gateway for the first time by typing the web address in a web browser. The logon page appears and the user is prompted to enter a user name and password. If external authentication servers are configured, Citrix Gateway contacts the server and the authentication servers verify the user’s credentials. If local authentication is configured, Citrix Gateway performs the user authentication.
  2. If you configure a preauthentication policy, when the user types the Citrix Gateway web address in a web browser on a Windows-based computer or a Mac OS X computer, Citrix Gateway checks to see if any client-based security policies are in place before the logon page appears. The security checks verify that the user device meets the security-related conditions, such as operating system updates, antivirus protection, and a properly configured firewall. If the user device fails the security check, Citrix Gateway blocks the user from logging on. A user who cannot log on needs to download the necessary updates or packages and install them on the user device. When the user device passes the preauthentication policy, the logon page appears and the user can enter his or her credentials. You can use Advanced Endpoint Analysis on a Mac OS X computer if you install Citrix Gateway 10.1, Build 120.1316.e.
  3. When Citrix Gateway successfully authenticates the user, Citrix Gateway initiates the VPN tunnel. Citrix Gateway prompts the user to download and install the Citrix Gateway Plug-in for Windows or Citrix Gateway Plug-in for Mac OS X. If you are using the Network Gateway Plug-in for Java, the user device is also initialized with a list of preconfigured resource IP addresses and port numbers.
  4. If you configure a post-authentication scan, after a user successfully logs on, Citrix Gateway scans the user device for the required client security policies. You can require the same security-related conditions as for a preauthentication policy. If the user device fails the scan, either the policy is not applied or the user is placed in a quarantine group and the user’s access to network resources is limited.
  5. When the session is established, the user is directed to a Citrix Gateway home page where the user can select resources to access. The home page that is included with Citrix Gateway is called the Access Interface. If the user logs on by using the Citrix Gateway Plug-in for Windows, an icon in the notification area on the Windows desktop shows that the user device is connected and the user receives a message that the connection is established. The user can also access resources in the network without using the Access Interface, such as opening Microsoft Outlook and retrieving email.
  6. If the user request passes both preauthentication and post-authentication security checks, Citrix Gateway then contacts the requested resource and initiates a secure connection between the user device and that resource.
  7. The user can close an active session by right-clicking the NetScaler Gateway icon in the notification area on a Windows-based computer and then clicking Logoff. The session can also time out due to inactivity. When the session is closed, the tunnel is shut down and the user no longer has access to internal resources. The user can also type the Citrix Gateway web address in a browser. When the user presses Enter, the Access Interface appears from which users can log off.

Note: If you deploy XenMobile App Edition in your internal network, a user who connects from outside the internal network must connect to Citrix Gateway first. When the user establishes the connection, the user can access web and SaaS applications, Android and iOS mobile apps, and ShareFile data hosted on App Controller. A user can connect with the Citrix Gateway Plug-in through clientless access, or by using Citrix Receiver or WorxHome.

Connecting with Citrix Receiver

Users can connect with Receiver to access their Windows-based applications and virtual desktops. Users can also access applications from App Controller. To connect from a remote location, users also install the Citrix Gateway Plug-in on their device. Receiver automatically adds the Citrix Gateway Plug-in to its list of plug-ins. When users log on to Receiver, they can also log on to the Citrix Gateway Plug-in. You can also configure Citrix Gateway to perform single sign-on to the Citrix Gateway Plug-in when users log on to Receiver.

Connecting with iOS and Android Devices

Users can connect from an iOS or Android device by using Worx Home. Users can access their email by using WorxMail and connect to web sites with WorxWeb.

When users connect from the mobile device, the connections route through Citrix Gateway to access internal resources. If users connect with iOS, you enable Secure Browse as part of the session profile. If users connect with Android, the connection uses Micro VPN automatically. In addition, WorxMail and WorxWeb use Micro VPN to establish connections through Citrix Gateway. You do not have to configure Micro VPN on Citrix Gateway.