Product Documentation

Advanced Clientless VPN access with Citrix Gateway

Clientless VPN (CVPN) refers to a way of providing remote access to corporate’s intranet resources through Citrix Gateway without a VPN client application at the client machine. CVPN provides remote access to enterprise web-applications, portals, and other resources using a web browser at the client’s end. Advanced CVPN solution eliminates the following limitations pertaining to CVPN:

  • Relative URLs cannot be identified at times.

  • Relative URLs generated dynamically cannot be identified.

Advanced Clientless VPN identifies the absolute URL and hostnames and rewrites them in a new and unique manner instead of trying to rewrite relative URLs present in the HTTP-responses/Web-Pages. SharePoint no longer needs to use the default folder for rewriting URLs and a custom SharePoint access is supported.

Prerequisites

The following are the prerequisites to configure Advanced CVPN.

  1. WildCard Server Certificate - VPN virtual server requires a wildcard server certificate. If the server is currently hosted with https://vpn.com then the server certificate now should have entries for (vpn.com and *.vpn.com) as part of certificates CN or SAN (where CN=common name, SAN= Subject Alternative Name). The process of binding this certificate remains the same on Citrix Gateway.

  2. WildCard DNS entry - s The clients (web browsers) would need to resolve the Advanced CVPN app’s FQDN. While setting up the Citrix Gateway server, you would have configured a DNS entry to resolve vpn.com. You need to configure a subdomain for ‘’ so that ‘.vpn.com’ now resolves to vpn.com as well.

Configure Advanced Clientless VPN access

To configure Advanced Clientless VPN access using the command line interface, at the command prompt, type:

set vpn parameter -clientlessVpnMode ON
set vpn parameter -advancedClientlessVpnMode ENABLED

To configure Advanced Clientless VPN access using the Citrix ADC GUI:

  1. In the NetScaler GUI, navigate to Configuration> Citrix NetScaler> Global Settings.

  2. On the Global Settings page, click Change Global Settings, and then select the Client Experience tab.

  3. On the Client Experience tab, from the Clientless Access drop-down, select On.

  4. On the Client Experience tab, from the Advanced Clientless VPN Mode drop-down, select Enabled.

localized image

You can configure the Advanced CVPN feature at a session level as well.

Caveats

Advanced CVPN is aimed at providing access to Enterprise Web-Apps. Such apps have only one FQDN for every kind of resource they need (JavaScripts, css, images etc.). Since we encode the complete FQDN of internal apps into a single-octet (cvpn**), we lose out on the sub-domain relationship. As a result, whenever an Enterprise WebApp is configured with CORS, sometimes you may notice issues while accessing it over Advanced CVPN.

Advanced Clientless VPN access with Citrix Gateway