- NetScaler Gateway Release Notes
- About NetScaler Gateway
- Common Deployments
- Client Software Requirements
- Compatibility with Citrix Products
- Licensing
- FAQ
- Before Getting Started
- Upgrading
-
Installing the System
- Configuring NetScaler Gateway
- Using the Configuration Utility
- Policies and Profiles on NetScaler Gateway
- Viewing NetScaler Gateway Configuration Settings
- Configuring the NetScaler Gateway by Using Wizards
- Configuring the Host Name and FQDN on NetScaler Gateway
- Installing and Managing Certificates
- Testing Your NetScaler Gateway Configuration
- Creating Virtual Servers
- Configuring IP Addresses on NetScaler Gateway
- Resolving DNS Servers Located in the Secure Network
- Configuring DNS Virtual Servers
- Configuring Name Service Providers
- Configuring Server-Initiated Connections
- Configuring Routing on NetScaler Gateway
- Configuring Auto Negotiation
-
Authentication and Authorization
- Configuring Default Global Authentication Types
- Configuring Authentication Without Authorization
- Configuring Authorization
- Disabling Authentication
- Configuring Authentication for Specific Times
- How Authentication Policies Work
- Configuring Local Users
- Configuring Groups
- Configuring LDAP Authentication
- Configuring Client Certificate Authentication
- Configuring RADIUS Authentication
- Configuring SAML Authentication
- Configuring TACACS+ Authentication
- Configuring Multifactor Authentication
- Configuring Single Sign-On
- Configuring One-Time Password Use
- nFactor for NetScaler Gateway Authentication
- NetScaler Gateway Visualizer
-
Configuring the VPN User Experience
- How User Connections Work with the NetScaler Gateway Plug-in
- Choosing the User Access Method
- Deploying NetScaler Gateway Plug-ins for User Access
- Selecting the NetScaler Gateway Plug-in for Users
-
Integrating the NetScaler Gateway Plug-in with Citrix Receiver
- How User Connections Work with Citrix Receiver
- Adding the NetScaler Gateway Plug-in to Citrix Receiver
- Decoupling the Citrix Receiver Icon
- Configuring IPv6 for ICA Connections
- IConfiguring the Receiver Home Page on NetScaler Gateway
- Applying the Receiver Theme to the Logon Page
- Creating a Custom Theme for the Logon Page
- Customizing the User Portal
- Configuring Clientless Access
- Configuring the Client Choices Page
- Configuring Access Scenario Fallback
-
Configuring Connections for the NetScaler Gateway Plug-in
- Configuring the Number of User Sessions
- Configuring Time-Out Settings
- Connecting to Internal Network Resources
- Configuring Split Tunneling
- Configuring Client Interception
- Configuring Name Service Resolution
- Enabling Proxy Support for User Connections
- Configuring Address Pools
- Supporting VoIP Phones
- Configuring Application Access for the NetScaler Gateway Plug-in for Java
- Configuring the Access Interface
- How a Traffic Policy Works
- Configuring Session Policies
-
Configuring Endpoint Polices
- How Endpoint Policies Work
- Evaluating User Logon Options
- Setting the Priority of Preauthentication Policies
- Configuring Preauthentication Policies and Profiles
- Configuring Post-Authentication Policies
- Configuring Security Preauthentication Expressions for User Devices
- Configuring Compound Client Security Expressions
- Advanced Endpoint Analysis Scans
- Managing User Sessions
- AlwaysON
- Configuring NetScaler Gateway
-
Deploying in a Double-Hop DMZ
- Deploying NetScaler Gateway in a Double-Hop DMZ
- How a Double-Hop Deployment Works
- Communication Flow in a Double-Hop DMZ Deployment
- Preparing for a Double-Hop DMZ Deployment
-
Installing and Configuring NetScaler Gateway in a Double-Hop DMZ
- Configuring Settings on the Virtual Servers on the NetScaler Gateway Proxy
- Configuring the Appliance to Communicate with the Appliance Proxy
- Configuring NetScaler Gateway to Handle the STA and ICA Traffic
- Opening the Appropriate Ports on the Firewalls
- Managing SSL Certificates in a Double-Hop DMZ Deployment
-
Using High Availability
- How High Availability Works
- Configuring Settings for High Availability
- Configuring Communication Intervals
- Synchronizing NetScaler Gateway Appliances
- Synchronizing Configuration Files in a High Availability Setup
- Configuring Command Propagation
- Configuring Fail-Safe Mode
- Configuring the Virtual MAC Address
- Configuring High Availability Pairs in Different Subnets
- Configuring Route Monitors
- Configuring Link Redundancy
- Understanding the Causes of Failover
- Forcing Failover from a Node
- Using Clustering
- Maintaining and Monitoring the System
- Integrating with Citrix Products
- How Users Connect to Applications, Desktops, and ShareFile
- Deploying with XenMobile App Edition, XenApp, and XenDesktop
-
Accessing XenApp and XenDesktop Resources with the Web Interface
- Integrating NetScaler Gateway with XenApp or XenDesktop
- Establishing a Secure Connection to the Server Farm
- Deploying with the Web Interface
- Setting Up a Web Interface Site to Work
- Configuring Communication with the Web Interface
- Configuring Additional Web Interface Settings on NetScaler Gateway
- Configuring Access to Applications and Virtual Desktops in the Web Interface
- Configuring SmartAccess
- Configuring SmartControl
-
Configuring Single Sign-On to the Web Interface
- To configure single sign-on to Web applications globally
- To configure single sign-on to Web applications by using a session policy
- To define the HTTP port for single sign-on to web applications
- Additional Configuration Guidelines
- To test the single sign-on connection to the Web Interface
- Configuring Single Sign-On to the Web Interface by Using a Smart Card
- To configure single sign-on for XenApp and file shares
- Allowing File Type Association
-
Integrating with App Controller or StoreFront
- How NetScaler Gateway and App Controller Integrate
- Creating Policies with the Quick Configuration Wizard
- Configuring NetScaler Gateway and App Controller
- Configuring Session Policies and Profiles for App Controller and StoreFront
- Configuring Custom Clientless Access Policies for Receiver
- Configuring Custom Clientless Access Policies for Receiver for Web
- Using WebFront to Integrate with StoreFront
- Integrate NetScaler Gateway with XenApp and XenDesktop
- Integrate NetScaler Gateway with StoreFront
-
Configuring Settings for Your XenMobile Environment
- Configuring Load Balancing Servers for XenMobile or Citrix Endpoint Management
- Configuring Load Balancing Servers for Microsoft Exchange with Email Security Filtering
- Configuring XenMobile NetScaler Connector (XNC) ActiveSync Filtering
- Allowing Access from Mobile Devices with Citrix Mobile Productivity Apps
- Configuring Domain and Security Token Authentication for XenMobile
- Configuring Client Certificate or Client Certificate and Domain Authentication
- Optimizing Network Traffic with CloudBridge
- RfWebUI Persona on NetScaler Gateway UX Configuration
- RDP Proxy
- NetScaler Gateway Enabled PCoIP Proxy Support for VMware Horizon View
- HDX Enlightened Data Transport Support
-
Microsoft Intune Integration
- When to Use the Integrated Intune MDM Solution
- Understanding the NetScaler Gateway-Intune MDM Integration
- Configuring Network Access Control device check for NetScaler Gateway virtual server for single factor authentication deployment
- Understanding Azure ADAL Token Authentication
- Configuring NetScaler Gateway Virtual Server for Microsoft ADAL Token Authentication
- Type of Service Support for UDP traffic
- Proxy Auto Configuration for Outbound Proxy support for NetScaler Gateway
- Outbound ICA Proxy support
- Integrate NetScaler Gateway with XenApp and XenDesktop
- Native OTP Support
- Configuring Server Name Indication Extension
- Validating the Server Certificate During an SSL Handshake
- Using Advance Policy to Create VPN Policies
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This content has been machine translated dynamically.
Translation failed!
Configuring Settings for Your XenMobile Environment
The NetScaler for XenMobile wizard guides you through the configuration of NetScaler features for your XenMobile deployment. You can use the wizard to:
-
Set up a Micro VPN. In this scenario, remote users can access apps and desktops in the internal network.
-
For XenMobile MAM-only mode, you must use NetScaler Gateway for authentication.
-
For MDM deployments, Citrix recommends NetScaler Gateway for mobile device VPN.
-
For ENT deployments, if a user opts out of MDM enrollment, the device operates in the legacy MAM mode and enrolls using the NetScaler Gateway FQDN.
-
- Configure certificate-based authentication. The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to XenMobile environment, consider using certificate-based authentication.
- Load balance XenMobile servers. NetScaler load balancing is required for all XenMobile server device modes if you have multiple XenMobile servers or if the XenMobile server is inside your DMZ or internal network (and therefore traffic flows from devices to NetScaler to XenMobile). In this scenario, the NetScaler appliance resides in the DMZ between the user device and the XenMobile servers to load balance encrypted sent data from mobile devices to the XenMobile servers.
- Load balance Microsoft Exchange servers with email filtering. In this scenario, the NetScaler appliance is between the user device and the XenMobile NetScaler Connector (XNC), and between the user device and the Microsoft Exchange CAS servers. All requests from user devices go to the NetScaler Gateway appliance, which then communicates with the XNC to retrieve information about the device. Depending on the response from the XNC, the NetScaler appliance either forwards the request from a whitelisted device to the server in the internal network, or drops the connection from a blacklisted device.
-
Load balance ShareFile StorageZones Connectors based on the type of content requested. This scenario prompts you for basic information about your StorageZones Controller environment and then generates a configuration that does the following:
- Load balances traffic across StorageZones Controllers.
- Provides user authentication for StorageZones Connectors.
- Validates URI signatures for ShareFile uploads and downloads.
- Terminates SSL connections at the NetScaler appliance.
For more information about configuring ShareFile, see Configure NetScaler for StorageZones Controller.
Important
Before you use the XenMobile wizard, be sure to refer to these XenMobile Deployment articles for design and deployment information and recommendations:
Integrating with NetScaler Gateway and NetScaler
SSO and Proxy Considerations for MDX Apps
You can use the NetScaler for XenMobile wizard only once. If you want multiple XenMobile instances, such as for test, development, and production environments, you must configure NetScaler for the additional environments manually. The following support articles list the commands run by the wizard and provides instructions for running them to create a new NetScaler instance:
Commands Generated by XenMobile Wizard on NetScaler - SSL Bridge
Commands Generated by XenMobile Wizard on NetScaler - SSL Offload
License Requirements for NetScaler Features
You must install licenses to enable the following NetScaler features:
- XenMobile MDM load balancing requires a NetScaler standard license.
- ShareFile load balancing with StorageZones requires a NetScaler standard license.
- Exchange load balancing requires a NetScaler license or a Enterprise license with the addition of an Integrated Caching license.
NetScaler for XenMobile Wizard
This section provides an example of using the NetScaler for XenMobile wizard to:
- Set up micro VPN access for remote user connections to XenMobile-managed resources in your internal network
- Configure certificate-based authentication. For information about obtaining and installing a public SSL certificate, see Installing and Managing Certificates.
- Configure load balancing for XenMobile servers.
To use the wizard:
- In the configuration utility, click the Configuration tab and then click XenMobile.
- Select your XenMobile version and then click Get Started.
- Select the checkboxes for the features you want to configure. Keep in mind that you can use this wizard only once, so you’ll need to perform subsequent configuration manually. These instructions assume that you select the following settings:
Access through NetScaler Gateway (for XenMobile Server running in ENT or MAM modes) Load Balance XenMobile Servers
4. On the NetScaler Gateway Settings page, enter values for the external facing NetScaler Gateway IP Address, Port, and Virtual Server Name.
- On the Server Certificate for NetScaler Gateway page, from the Certificate File drop-down menu, choose the certificate file from Local or Appliance.
If your certificate is on a local machine:
If your certificate is on the appliance:
- In the Authentication Settings page, in the Primary authentication method field, select Client Certificate.
This will automatically select Use existing certificate policy and Cert Auth in the next two fields. The following steps assume that you already have a certificate policy.
If you need to create a certificate policy, click Create certificate policy and complete the settings. On the XenMobile Server Certificate screen, choose an existing server certificate or install a new certificate. If you’re running multiple XenMobile servers, you will add a certificate for each one. For Server Logon Name Attribute, specify userPrincipalName or samAccountName, per your requirements.
a. Select Click here to change the CA certificate and then in the Browse list, navigate to the CA certificate you want.
b. With client certificate as your primary authentication type, you have the option of configuring LDPA (or RADIUS) as the secondary authentication type.
To use client certificate authentication only, leave Second authentication method as None and then click Continue.
To use client certificate + domain (LDAP) authentication, change Second authentication method to LDAP and configure the authentication server settings.
c. On the Device certificate screen, if the certificate is not already installed, you must export this certificate from the XenMobile console: From the console, click the gear icon in the upper-right corner to open the Settings screen.
d. Click Certificate and then choose the CA certificate from the list.
e. Click Export.
f. Return to the NetScaler wizard and select the certificate you exported (downloaded) to install it.
g. Click Continue.
The XenMobile server IP addresses that you’ve configured will appear.
7. Configure the XenMobile App Management Settings.
- Enter the XenMobile Server FQDN. This is the load balancing FQDN for MAM.
- Enter a MAM-only Internal Load Balancing IP Address for the virtual server that load balances XenMobile servers. NetScaler Gateway communicates with the XenMobile server through this MAM load balancing virtual IP.
- This is an SSL offload deployment, so select HTTP in **Communication with XenMobile Server **.
- The Split DNS mode for MicroVPN field automatically sets to BOTH.
If your deployment requires split tunneling, select Enable split tunneling. You must configure Intranet Application Binding, next, if you enable split tunneling.
By default, Secure Web access is tunneled to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and the NetScaler appliance uses split tunnel settings.
8. To configure interception rules for user connections on NetScaler Gateway, you must configure Intranet Application Binding. Click + to add a binding.
- Complete the parameters for allowing network access and then click Create.
10. Add the XenMobile server certificate. This will be used for the MAM load balancing virtual server.
- Under XenMobile Servers, click Add Server to add the XenMobile Server IP Address to bind to the load balancing virtual IP.
12. On the NetScaler dashboard, confirm that NetScaler Gateway and XenMobile load balancing are configured as follows.
If you will use sAMAccount attributes in the user certificates as an alternative to User Principal Name (UPN), configure the certificate profile as described in Manually Configuring NetScaler Gateway for Client Certificate Authentication.