
Configure full VPN setup on Citrix Gateway

This section describes how to configure full VPN setup on a Citrix Gateway appliance. It contains networking considerations and the ideal approach for resolving issues from the networking perspective.

Prerequisites

When users connect with the Citrix Gateway Plug-in, Secure Hub, or Citrix Receiver, the client software establishes a secure tunnel over port 443 (or any configured port on Citrix Gateway) and sends authentication information. Once the tunnel has been established, Citrix Gateway sends configuration information to the Citrix Gateway Plug-in, Secure Hub, or Receiver describing the networks to be secured. That information will also contain an IP address if you enable intranet IPs.

You configure user device connections by defining the resources users can access in the internal network. Configuring user device connections includes the following:

  • Split tunneling
  • IP addresses for users, including address pools (intranet IPs)
  • Connections through a proxy server
  • Defining the domains to which users are allowed access
  • Time-out settings
  • Single sign-on
  • User software that will connect through Citrix Gateway
  • Access for mobile devices

You configure most user device connections by using a profile that is part of a session policy. You can also define user device connection settings by using preauthentication, traffic, and authorization policies, and by using intranet applications.

Configure a full VPN Setup on a Citrix Gateway Appliance

To configure a VPN setup on Citrix Gateway appliance, complete the following procedure:

  1. From the NetScaler configuration utility, navigate to Traffic Management > DNS.

  2. Select the Name Servers node, as shown in the following screen shot. Ensure that the DNS Name Server is listed. If it is not available, add a DNS Name Server.

    localized image

  3. Expand Citrix Gateway > Policies.

  4. Select the Session node.

  5. Activate the Profiles tab of Citrix Gateway Session Policies and Profiles page and click Add.

    For each component you configure in the Configure Citrix Gateway Session Profile dialog box, ensure that you select the Override Global option for the respective component.

  6. Activate the Client Experience tab.

  7. Type the intranet portal URL in the Home Page field if you want to present a URL when the user logs in to the VPN. If the home page parameter is set to “nohomepage.html”, no home page is displayed: when the plug-in starts, a browser instance starts and is killed automatically.

    localized image

  8. Select the desired setting from the Split Tunnel list (for more information about this setting, see the Split Tunnel description under Additional Parameters).

  9. Select OFF from the Clientless Access list if you want full VPN.

    localized image

  10. Ensure that Windows/Mac OS X is selected from the Plug-in Type list.

  11. Select the Single Sign-on to Web Applications option if desired.

  12. Ensure that the Client Cleanup Prompt option is selected if required, as shown in the following screen shot:

    localized image

  13. Activate the Security tab.

  14. Ensure that ALLOW is selected from the Default Authorization Action list, as shown in the following screen shot:

    localized image

  15. Activate the Published Applications tab.

  16. Ensure that OFF is selected from the ICA Proxy list under Published Applications option.

    localized image

  17. Click Create.

  18. Click Close.

  19. Activate the Policies tab of the Citrix Gateway Session Policies and Profiles page in the Vserver or activate the Session Policies at the GROUP/USER Level as required.

  20. Create a Session policy with a required expression or ns_true, as shown in the following screenshot:

    localized image

  21. Bind the Session policy to the VPN virtual server.

    Go to Citrix Gateway virtual server > Policy. Choose the required session policy (in this example Session_Policy) from the drop-down list.

  22. If Split Tunnel was set to ON, configure the Intranet Applications that users should be able to access when connected to the VPN. Go to Citrix Gateway > Resources > Intranet Applications.

    localized image

  23. Create a new Intranet Application. Select Transparent for full VPN with the Windows client. Select the protocol to allow (TCP, UDP, or ANY) and the Destination Type (IP address and Mask, IP address Range, or Hostname).

    localized image

    There is no full VPN support for iOS and Android apps.

  24. Set a new policy for Citrix VPN on iOS and Android using the following expression: REQ.HTTP.HEADER User-Agent CONTAINS NSGiOSplugin || REQ.HTTP.HEADER User-Agent CONTAINS CitrixVPN

    localized image

  25. Bind the Intranet Applications created at the USER/GROUP/VSERVER level as required.
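The procedure above is driven through the configuration utility. As an added example (not Citrix code, and not part of the original page), the following Python script renders the NetScaler CLI equivalent of steps 1 to 25 from a small declarative spec and checks the combination of settings before anything is pushed to the appliance. The server names, addresses and intranet network are constructed; the CLI commands and parameter names are the standard `add dns nameServer`, `add vpn sessionAction`, `add vpn sessionPolicy`, `add vpn intranetApplication` and `bind vpn vserver` commands, and should be confirmed against the `help` output of the firmware in use.

```python
"""Generate the NetScaler CLI equivalent of the full VPN session profile built
in steps 1-25 above, and sanity-check the settings first.  Added example,
not Citrix code: server names, addresses and intranet networks are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List


@dataclass
class IntranetApp:
    name: str
    protocol: str      # TCP, UDP or ANY (step 23)
    network: str       # destination as CIDR, e.g. "10.10.0.0/16"


@dataclass
class FullVpnSpec:
    vserver: str                          # existing Citrix Gateway virtual server
    dns_server: str                       # step 2
    profile: str                          # session profile name (step 5)
    policy: str                           # session policy name (step 20)
    split_tunnel: str = "OFF"             # OFF, ON or REVERSE (step 8)
    home_page: str = "nohomepage.html"    # step 7
    sso: bool = True                      # step 11
    client_cleanup_prompt: bool = True    # step 12
    intranet_apps: List[IntranetApp] = field(default_factory=list)


def validate(spec: FullVpnSpec) -> List[str]:
    """Return the problems a reviewer would flag; an empty list means OK."""
    problems = []
    if spec.split_tunnel not in ("OFF", "ON", "REVERSE"):
        problems.append(f"unknown split tunnel mode {spec.split_tunnel!r}")
    # The pitfall described under "Configuring Split Tunneling and
    # Authorization": with split tunnel ON and no intranet applications,
    # the plug-in sends nothing through the tunnel.
    if spec.split_tunnel == "ON" and not spec.intranet_apps:
        problems.append("split tunnel ON but no intranet applications defined")
    for app in spec.intranet_apps:
        if app.protocol not in ("TCP", "UDP", "ANY"):
            problems.append(f"{app.name}: protocol must be TCP, UDP or ANY")
        try:
            ip_network(app.network)
        except ValueError:
            problems.append(f"{app.name}: {app.network!r} is not a valid network")
    return problems


def onoff(flag: bool) -> str:
    return "ON" if flag else "OFF"


def render(spec: FullVpnSpec) -> List[str]:
    """Return the CLI commands in the order they must be applied."""
    cmds = [
        f"add dns nameServer {spec.dns_server}",
        # Clientless Access OFF, transparent interception, ICA Proxy OFF and
        # default authorization ALLOW are what make this a full VPN profile.
        f"add vpn sessionAction {spec.profile}"
        f' -homePage "{spec.home_page}"'
        f" -splitTunnel {spec.split_tunnel}"
        " -clientlessVpnMode OFF"
        " -transparentInterception ON"
        " -windowsClientType PLUGIN"          # "Windows/Mac OS X" in the GUI
        f" -SSO {onoff(spec.sso)}"
        f" -clientCleanupPrompt {onoff(spec.client_cleanup_prompt)}"
        " -defaultAuthorizationAction ALLOW"
        " -icaProxy OFF",
        f"add vpn sessionPolicy {spec.policy} ns_true {spec.profile}",
        f"bind vpn vserver {spec.vserver} -policy {spec.policy} -priority 100",
    ]
    for app in spec.intranet_apps:
        net = ip_network(app.network)
        cmds.append(f"add vpn intranetApplication {app.name} {app.protocol}"
                    f" {net.network_address} -netmask {net.netmask}"
                    " -interception TRANSPARENT")
        cmds.append(f"bind vpn vserver {spec.vserver}"
                    f" -intranetApplication {app.name}")
    return cmds


# Constructed example matching the procedure above.
EXAMPLE = FullVpnSpec(
    vserver="vpn_vs", dns_server="10.0.0.53",
    profile="FullVPN_Profile", policy="Session_Policy",
    split_tunnel="ON",
    intranet_apps=[IntranetApp("Corp_LAN", "ANY", "10.10.0.0/16")],
)

if __name__ == "__main__":
    for problem in validate(EXAMPLE):
        print("WARNING:", problem)
    print("\n".join(render(EXAMPLE)))
```

The policy binding at the virtual server level corresponds to step 21; to bind at group or user level instead (step 19), replace the `bind vpn vserver` lines with the equivalent `bind aaa group` or `bind aaa user` commands.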

Additional Parameters

The following are some of the parameters you can configure, with a brief description of each:

Split Tunnel

localized image

Split Tunnel Off

When split tunnel is set to off, the Citrix Gateway Plug-in captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to Citrix Gateway. In other words, the VPN client establishes a default route from the client PC pointing to the Citrix Gateway VIP, meaning that all the traffic needs to be sent through the tunnel to get to the destination. Since all the traffic is going to be sent through the tunnel, authorization policies must determine whether the traffic is allowed to pass through to internal network resources or be denied.

While split tunnel is set to OFF, all traffic goes through the tunnel, including standard web traffic to websites. If the goal is to monitor and control this web traffic, forward these requests to an external proxy using NetScaler. User devices can also connect through a proxy server for access to internal networks. Citrix Gateway supports the HTTP, SSL, FTP, and SOCKS protocols. To enable proxy support for user connections, you specify the IP address and port used by the proxy server on Citrix Gateway. The proxy server is then used as a forward proxy for all further connections to the internal network.


Split Tunnel ON

You can enable split tunneling to prevent the Citrix Gateway Plug-in from sending unnecessary network traffic to Citrix Gateway. If split tunnel is enabled, the Citrix Gateway Plug-in sends only traffic destined for networks protected by Citrix Gateway (intranet applications) through the VPN tunnel. The Citrix Gateway Plug-in does not send network traffic destined for unprotected networks to Citrix Gateway. When the Citrix Gateway Plug-in starts, it obtains the list of intranet applications from Citrix Gateway and establishes a route on the client PC for each subnet defined on the Intranet Applications tab. The Citrix Gateway Plug-in examines all packets transmitted from the user device and compares the addresses within the packets to the list of intranet applications (the routing table created when the VPN connection was started). If the destination address in the packet is within one of the intranet applications, the Citrix Gateway Plug-in sends the packet through the VPN tunnel to Citrix Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device routes the packet using the default routing originally defined on the client PC. In short, when you enable split tunneling, intranet applications define the network traffic that is intercepted and sent through the tunnel.


Reverse Split Tunnel

Citrix Gateway also supports reverse split tunneling, which defines the network traffic that Citrix Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that Citrix Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through Citrix Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the Citrix Gateway Plug-in, Citrix Gateway does not intercept network traffic destined to a printer or another device within the wireless network.

To configure split tunneling

  1. From the Configuration Utility navigate to Configuration tab > Citrix Gateway > Policies > Session.

  2. In the details pane, on the Profiles tab, select a profile and then click Open.

  3. On the Client Experience tab, next to Split Tunnel, select Global Override, select an option and then click OK twice.

Configuring Split Tunneling and Authorization

When planning your Citrix Gateway deployment, consider split tunneling together with the default authorization action and the authorization policies.

For example, you have an authorization policy that allows access to a network resource, split tunneling is set to ON, and you have not configured an intranet application that sends that network traffic through Citrix Gateway. With this configuration, access to the resource is allowed, but users still cannot reach it, because the Citrix Gateway Plug-in never sends the traffic through the tunnel.

localized image

If the authorization policy denies access to a network resource, you have split tunneling set to ON, and intranet applications are configured to route network traffic through Citrix Gateway, the Citrix Gateway Plug-in sends traffic to Citrix Gateway, but access to the resource is denied.
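The three split tunnel modes described under Split Tunnel, and the interaction with authorization policies described in this section, are two separate decisions made in sequence: the plug-in decides whether a packet enters the tunnel at all, and only then does Citrix Gateway apply authorization. The following Python model is an added example (not Citrix code, not part of the original page) that reproduces both decisions over constructed intranet applications and addresses, so that the "allowed but unreachable" and "tunneled but denied" cases can be checked when troubleshooting:

```python
"""Model the routing decision the Citrix Gateway Plug-in makes for each
packet under the three split tunnel modes, and combine it with the
authorization decision to reproduce the cases described above.
Added example, not Citrix code; networks and addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed intranet applications: the "routing table" the plug-in builds
# on the client PC when the VPN connection starts.
INTRANET_APPS = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]


def goes_through_tunnel(dst, split_tunnel, intranet_apps=INTRANET_APPS):
    """True if the plug-in sends a packet for dst through the VPN tunnel."""
    addr = ip_address(dst)
    in_intranet_app = any(addr in net for net in intranet_apps)
    if split_tunnel == "OFF":
        return True                   # default route points at the Gateway VIP
    if split_tunnel == "ON":
        return in_intranet_app        # only intranet applications are intercepted
    if split_tunnel == "REVERSE":
        return not in_intranet_app    # intranet applications bypass the tunnel
    raise ValueError(f"unknown split tunnel mode {split_tunnel!r}")


def authorize(dst, policies):
    """Apply authorization policies in order; the first match wins.

    policies is a list of (network_cidr, "ALLOW" | "DENY").  A packet that
    matches no policy gets the default authorization action, ALLOW here as
    in step 14 of the procedure.
    """
    addr = ip_address(dst)
    for net, action in policies:
        if addr in ip_network(net):
            return action
    return "ALLOW"


def outcome(dst, split_tunnel, policies, intranet_apps=INTRANET_APPS):
    """Explain why a destination is or is not reachable through the VPN."""
    if not goes_through_tunnel(dst, split_tunnel, intranet_apps):
        return "not tunneled: routed by the client's own routing table"
    if authorize(dst, policies) == "DENY":
        return "tunneled but denied by authorization policy"
    return "tunneled and allowed"


if __name__ == "__main__":
    allow_lan = [("10.10.0.0/16", "ALLOW")]
    # The misconfiguration from the text: authorization allows the resource,
    # split tunnel is ON, but no intranet application covers it.
    print(outcome("10.10.1.5", "ON", allow_lan, intranet_apps=[]))
    print(outcome("10.10.1.5", "ON", allow_lan))
    print(outcome("10.10.1.5", "ON", [("10.10.0.0/16", "DENY")]))
    print(outcome("192.168.50.7", "REVERSE", allow_lan))
    print(outcome("203.0.113.9", "OFF", allow_lan))
```

The model deliberately ignores hostname-based intranet applications and per-protocol rules, which the real plug-in also evaluates; it covers the IP-range case the text uses in its examples.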


To configure network access to internal network resources

  1. In the configuration utility, navigate to the Configuration tab > Citrix Gateway > Resources > Intranet Applications.

  2. In the details pane, click Add.

  3. Complete the parameters for allowing network access, click Create and then click Close.

No Intranet IPs

When intranet IPs are not set up for the VPN users, the user sends the traffic to the Citrix Gateway VIP, and from there the NetScaler builds a new packet to the intranet application resource on the internal LAN. This new packet is sourced from the SNIP toward the intranet application. The intranet application receives the packet, processes it, and replies to the source of that packet (the SNIP in this case). The SNIP receives the reply and sends it back to the client that made the request.

Intranet IPs

When intranet IPs are used, the user sends the traffic to the Citrix Gateway VIP, and from there the NetScaler maps the client IP to one of the configured intranet IPs from the pool. Be advised that the NetScaler owns the intranet IP pool, so these ranges should not be used elsewhere in the internal network. The NetScaler assigns an intranet IP to each incoming VPN connection, much as a DHCP server would. The NetScaler then builds a new packet to the intranet application on the LAN that the user wants to access. This new packet is sourced from one of the intranet IPs toward the intranet application. The intranet application receives the packet, processes it, and attempts to reply to the source of that packet (the intranet IP). In this case the reply packet must be routed back to the NetScaler, where the intranet IPs are located (remember, the NetScaler owns the intranet IP subnets). To accomplish this, the network administrator must have a route for the intranet IP range pointing to one of the SNIPs. It is recommended to point that route at the SNIP from which the packet left the NetScaler in the first place, to avoid asymmetric traffic.
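The intranet IP description above names two design constraints that are easy to get wrong and hard to see in the GUI: the pool must not overlap a real internal subnet, and the return route for the pool must point at the SNIP the NetScaler actually egresses from, or the path becomes asymmetric. The following Python function is an added example (not Citrix code, not part of the original page) that reviews a proposed design against both constraints. The SNIP addresses, pool and router entries are constructed, and the egress rule it assumes is simplified: a directly connected SNIP subnet is preferred, otherwise the SNIP on the default route is used.

```python
"""Review an intranet IP design for the two pitfalls described above.
Added example, not Citrix code; all addresses are constructed.
"""
from ipaddress import ip_network


def check_intranet_ip_design(iip_pool, snips, default_snip, internal_subnets,
                             router_routes):
    """Return a list of findings; an empty list means the design is consistent.

    iip_pool          CIDR the NetScaler hands out to VPN clients (it owns it).
    snips             {snip_ip: connected_subnet_cidr} configured on the NetScaler.
    default_snip      SNIP used for destinations not on a connected subnet
                      (assumption: the SNIP on the default-route interface).
    internal_subnets  CIDRs where the intranet applications live.
    router_routes     [(destination_cidr, next_hop_ip)] on the internal router.
    """
    pool = ip_network(iip_pool)
    findings = []

    # 1. The pool must not collide with real internal networks, since the
    #    NetScaler will answer for those addresses.
    for sub in internal_subnets:
        if pool.overlaps(ip_network(sub)):
            findings.append(f"pool {pool} overlaps internal subnet {sub}")

    # 2. The router needs a return route covering the pool (longest match),
    #    and its next hop must be one of the NetScaler's SNIPs.
    candidates = [(dst, nh) for dst, nh in router_routes
                  if pool.subnet_of(ip_network(dst))]
    if not candidates:
        findings.append(f"no return route for {pool} on the internal router")
        return findings
    dest, next_hop = max(candidates, key=lambda r: ip_network(r[0]).prefixlen)
    if next_hop not in snips:
        findings.append(f"return route {dest} -> {next_hop} does not point at a SNIP")
        return findings

    # 3. Avoid asymmetry: for each internal subnet, the SNIP the NetScaler
    #    egresses from should be the one the return route points at.
    for sub in internal_subnets:
        net = ip_network(sub)
        egress = next((ip for ip, conn in snips.items()
                       if net.subnet_of(ip_network(conn))), default_snip)
        if egress != next_hop:
            findings.append(
                f"asymmetric path for {sub}: NetScaler egresses via {egress}, "
                f"but the return route for {pool} points at {next_hop}")
    return findings


# Constructed design: two SNIPs, one application subnet behind each path.
SNIPS = {"10.0.1.10": "10.0.1.0/24", "10.0.2.10": "10.0.2.0/24"}

if __name__ == "__main__":
    for finding in check_intranet_ip_design(
            "172.16.100.0/24", SNIPS, "10.0.1.10",
            ["10.0.2.0/24", "10.0.50.0/24"],
            [("172.16.100.0/24", "10.0.1.10")]):
        print("FINDING:", finding)
```

A clean result means only that the routing and addressing are consistent; the intranet IP pool itself is still bound to the virtual server, group or user as the text describes.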

Configuring Name Service Resolution

During installation of Citrix Gateway, you can use the Citrix Gateway wizard to configure additional settings, including name service providers. The name service providers translate the fully qualified domain name (FQDN) to an IP address. In the Citrix Gateway wizard, you can configure a DNS or WINS server, set the priority of the DNS lookup, and the number of times to retry the connection to the server.

When you run the Citrix Gateway wizard, you can add a DNS server at that time. You can add additional DNS servers and a WINS server to Citrix Gateway by using a session profile. You can then direct users and groups to connect to a name resolution server that is different from the one you originally used the wizard to configure.

Before configuring an additional DNS server on Citrix Gateway, create a virtual server that acts as a DNS server for name resolution.

To add a DNS or WINS server within a session profile

  1. In the configuration utility, navigate to the Configuration tab > Citrix Gateway > Policies > Session.

  2. In the details pane, on the Profiles tab, select a profile and then click Open.

  3. On the Network Configuration tab, do one of the following:

    • To configure a DNS server, next to DNS Virtual Server, click Override Global, select the server and then click OK.

    • To configure a WINS server, next to WINS Server IP, click Override Global, type the IP address and then click OK.
